Nmap Development mailing list archives

Re: NMap 4.2 and Vista

From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Wed, 28 Feb 2007 11:26:31 -0000 (GMT)

Hi everyone,

Using WinPcap 4.0, nmap 4.20, Vista Ultimate and an elevated Command
Prompt, I was able to get nmap to work okay under Vista (it appears to
work fine if you have UAC disabled and you're logged on with an Admin
account).

But here's the trick if you have UAC enabled: once you've installed
WinPcap and nmap, you need to run an elevated Command Prompt.

If you use a normal command prompt it'll run just like a standard user and
you'll get:

Initiating ARP Ping Scan at 16:45
dnet: Failed to open device eth4
QUITTING!

But if you use an elevated Command Prompt you'll be able to start namp
correctly and do your scan as per normal. Once you've started a
scan, it appears that you can now run nmap from ANY Command Prompt,
elevated or as a standard user.

Every time you reboot Vista (probably far more of an annoyance for those
of you that don't use Hibernate), you'll therefore need to run an elevated
Command Prompt and start nmap again. Unless you decide to disable UAC,
which is generally frowned upon, but if this is your pentest build then
you can probably get away with it (although I suspect most pentesters will
stick with Linux and/or XP).

I've also tried running nmap as a standard user, and as long as you
initially run nmap somewhere in an elevated Command Prompt (either by
supplying your admin user's details when logged on as the standard user,
or by successfully running nmap in an Admin account before switching users
or logging off), you can now run nmap in any standard Command Prompt.

Because nmap appears to work anywhere after you successfully run it once
as an elevated Admin, it sounds to me like the issue is that nmap can't
initially start/use WinPcap unless it's elevated; but once WinPcap has
started running, any instance of nmap will work correctly. Until you
reboot.

My assumption (and hopefully I'm not making a fool of myself here...) is
that the WinPcap Netgroup Packet Filter (npf.sys) driver can't load itself
into the kernel unless the parent process (in this case, nmap.exe) has
Admin privileges, but once it's loaded into the kernel it remains there
for any subsequent user (in any user session) to use (via packet.dll). So
I think that means WinPcap probably has to do something to ensure NPF can
load into the kernel when Vista is initially started (perhaps install
itself as a service? I believe that's what PeerGuardian 2 does). Or we all
have to put up with(/workaround) this "feature".


Regards,

Rob Nicholls




_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org

Current thread:

NMap 4.2 and Vista Sean McClanahan (Feb 22)
- Re: NMap 4.2 and Vista majek04 (Feb 23)
  - Re: NMap 4.2 and Vista Gianluca Varenni (Feb 23)
    - Re: NMap 4.2 and Vista majek04 (Feb 23)
  - RE: NMap 4.2 and Vista Sean McClanahan (Feb 23)
- <Possible follow-ups>
- Re: NMap 4.2 and Vista Rob Nicholls (Feb 28)
  - Re: NMap 4.2 and Vista Gianluca Varenni (Feb 28)