Re: NMap 4.2 and Vista

["Gianluca Varenni" <gianluca.varenni () gmail com>]

----- Original Message ----- 
From: "Rob Nicholls" <robert () everythingeverything co uk>
To: <nmap-dev () insecure org>
Sent: Wednesday, February 28, 2007 3:26 AM
Subject: Re: NMap 4.2 and Vista


> Hi everyone,
>
> Using WinPcap 4.0, nmap 4.20, Vista Ultimate and an elevated Command
> Prompt, I was able to get nmap to work okay under Vista (it appears to
> work fine if you have UAC disabled and you're logged on with an Admin
> account).
>
> But here's the trick if you have UAC enabled: once you've installed
> WinPcap and nmap, you need to run an elevated Command Prompt.
>
> If you use a normal command prompt it'll run just like a standard user and
> you'll get:
>
> Initiating ARP Ping Scan at 16:45
> dnet: Failed to open device eth4
> QUITTING!
>
> But if you use an elevated Command Prompt you'll be able to start namp
> correctly and do your scan as per normal. Once you've started a
> scan, it appears that you can now run nmap from ANY Command Prompt,
> elevated or as a standard user.
>
> Every time you reboot Vista (probably far more of an annoyance for those
> of you that don't use Hibernate), you'll therefore need to run an elevated
> Command Prompt and start nmap again. Unless you decide to disable UAC,
> which is generally frowned upon, but if this is your pentest build then
> you can probably get away with it (although I suspect most pentesters will
> stick with Linux and/or XP).
>
> I've also tried running nmap as a standard user, and as long as you
> initially run nmap somewhere in an elevated Command Prompt (either by
> supplying your admin user's details when logged on as the standard user,
> or by successfully running nmap in an Admin account before switching users
> or logging off), you can now run nmap in any standard Command Prompt.
>
> Because nmap appears to work anywhere after you successfully run it once
> as an elevated Admin, it sounds to me like the issue is that nmap can't
> initially start/use WinPcap unless it's elevated; but once WinPcap has
> started running, any instance of nmap will work correctly. Until you
> reboot.
>
> My assumption (and hopefully I'm not making a fool of myself here...) is
> that the WinPcap Netgroup Packet Filter (npf.sys) driver can't load itself
> into the kernel unless the parent process (in this case, nmap.exe) has
> Admin privileges, but once it's loaded into the kernel it remains there
> for any subsequent user (in any user session) to use (via packet.dll). So

Your assumption is correct. packet.dll verifies that the kernel driver 
npf.sys is loaded into memory and if not loads it with a call to the service 
control manager. As far as UAC is concerned, the "issue" is quite easy to 
explain. When UAC is enabled, a normal application runs as an admin *but* 
reduced privileges. More or less as you are running as a normal user. An 
only a REAL administrator (and for vista and UAC I mean elevated privileges) 
can start the winpcap driver (as with any other kernel driver). This 
limitation is present in pre-vista OSes: you need to be an administrator to 
start the WinPcap driver.

PreVista -->admin group
Vista+UAC-->admin+elevated privileges.

I should probably updated FAQ Q-7 on the WinPcap website

http://www.winpcap.org/misc/faq.htm#Q-7

Also,

http://www.winpcap.org/misc/faq.htm#Q-18

explains how to enable npf.sys to load automatically at boot time, thus 
avoiding the need of the elevated privileges.

Have a nice day
GV


> I think that means WinPcap probably has to do something to ensure NPF can
> load into the kernel when Vista is initially started (perhaps install
> itself as a service? I believe that's what PeerGuardian 2 does). Or we all
> have to put up with(/workaround) this "feature".
>
>
> Regards,
>
> Rob Nicholls
>
>
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org 


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org