Nmap Development mailing list archives

4.22SOC6 Crash With Connect() Scan


From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Thu, 13 Sep 2007 17:37:24 +0100 (BST)

Hi Everyone,

I finally got around to testing the new 4.22SOC6 win32 binary (using the
zip file) and spotted that it crashed when I asked it to perform a
Connect() Scan.

I was running Vista Ultimate Edition x86 using the laptop's built in
Broadcom NetXtreme 57xx Gigabit Controller. The built in wireless card had
been disabled. I also had a couple of VMWare network adapters. I'm
repeatedly getting:

Problem signature:
  Problem Event Name:   BEX
  Application Name:     nmap.exe
  Application Version:  4.22.0.6
  Application Timestamp:        46d5355b
  Fault Module Name:    nmap.exe
  Fault Module Version: 4.22.0.6
  Fault Module Timestamp:       46d5355b
  Exception Offset:     000b4918
  Exception Code:       c000000d
  Exception Data:       00000000
  OS Version:   6.0.6000.2.0.0.256.1
  Locale ID:    2057
  Additional Information 1:     28a5
  Additional Information 2:     fb30009229d99db816b6ecae13f38e8d
  Additional Information 3:     640f
  Additional Information 4:     6e80f61cc1fbdbdc088f1fa9a06d51ff


C:\Users\Robert>nmap.exe xxxx.xxxx.co.uk -P0 -sT -vv -debug -packet_trace
Winpcap present, dynamic linked to: WinPcap version 4.0.1 (packet.dll version 4.0.0.901), based on libpcap version 0.9.5

Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-09-13 17:04 GMT Daylight Time
Warning: File ./nmap-services exists, but Nmap is using C:\tools\win32\nmap-4.22SOC6\nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).

--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server xxx.xxx.x.x
mass_rdns: Using DNS server xxx.xx.xxx.xx
mass_rdns: Using DNS server xxx.xx.xxx.xx
NSOCK (0.1660s) msevent_new (IOD #1) (EID #8)
NSOCK (0.1660s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #1) EID 8
NSOCK (0.1660s) msevent_new (IOD #1) (EID #18)
NSOCK (0.1660s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 18
NSOCK (0.2070s) msevent_new (IOD #2) (EID #24)
NSOCK (0.2070s) UDP connection requested to xxx.xx.xxx.xx:53 (IOD #2) EID 24
NSOCK (0.2070s) msevent_new (IOD #2) (EID #34)
NSOCK (0.2070s) Read request from IOD #2 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 34
NSOCK (0.2130s) msevent_new (IOD #3) (EID #40)
NSOCK (0.2130s) UDP connection requested to xxx.xxx.x.x:53 (IOD #3) EID 40
NSOCK (0.2130s) msevent_new (IOD #3) (EID #50)
NSOCK (0.2130s) Read request from IOD #3 [xxx.xxx.x.x:53] (timeout: -1ms) EID 50

Initiating Parallel DNS resolution of 1 host. at 16:50
NSOCK (0.2130s) msevent_new (IOD #1) (EID #59)
NSOCK (0.2130s) Write request for 44 bytes to IOD #1 EID 59 [xxx.xx.xxx.xx:53]: .............xxx.xxx.xxx.xxx.in-addr.arpa.....
NSOCK (0.2220s) nsock_loop() started (timeout=500ms). 7 events pending
NSOCK (0.2220s) wait_for_events
NSOCK (0.2220s) PCAP read_on_nonselect
NSOCK (0.2220s) PCAP END read_on_nonselect
NSOCK (0.2250s) Callback: CONNECT SUCCESS for EID 40 [xxx.xxx.x.x:53]
NSOCK (0.2250s) msevent_delete (IOD #3) (EID #40)
NSOCK (0.2250s) Callback: CONNECT SUCCESS for EID 24 [xxx.xx.xxx.xx:53]
NSOCK (0.2250s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.2250s) Callback: CONNECT SUCCESS for EID 8 [xxx.xx.xxx.xx:53]
NSOCK (0.2250s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.2250s) Callback: WRITE SUCCESS for EID 59 [xxx.xx.xxx.xx:53]
NSOCK (0.2250s) msevent_delete (IOD #1) (EID #59)
NSOCK (0.2340s) wait_for_events
NSOCK (0.2340s) PCAP read_on_nonselect
NSOCK (0.2340s) PCAP END read_on_nonselect
NSOCK (0.2400s) Callback: READ SUCCESS for EID 18 [xxx.xx.xxx.xx:53] (138 bytes)

NSOCK (0.2400s) msevent_new (IOD #1) (EID #66)
NSOCK (0.2400s) Read request from IOD #1 [xxx.xx.xxx.xx:53] (timeout: -1ms) EID 66
NSOCK (0.2400s) msevent_delete (IOD #1) (EID #66)
NSOCK (0.2400s) msevent_delete (IOD #2) (EID #34)
NSOCK (0.2400s) msevent_delete (IOD #3) (EID #50)
mass_rdns: 0.08s 0/1 [#: 3, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
NSOCK (0.2400s) msevent_delete (IOD #1) (EID #18)
Completed Parallel DNS resolution of 1 host. at 16:50, 0.03s elapsed
DNS resolution of 1 IPs took 0.09s. Mode: Async [#: 3, OK: 1, NX: 0, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan at 16:50
Scanning xxxx.xxxx.xxxx.net (xx.xxx.xxx.xx) [1705 ports]
CONN (0.2540s) TCP localhost > xx.xxx.xxx.xx:113 => Unknown error
CONN (0.2550s) TCP localhost > xx.xxx.xxx.xx:21 => Unknown error
CONN (0.2560s) TCP localhost > xx.xxx.xxx.xx:389 => Unknown error
CONN (0.2570s) TCP localhost > xx.xxx.xxx.xx:1723 => Unknown error
CONN (0.2580s) TCP localhost > xx.xxx.xxx.xx:25 => Unknown error
CONN (2.2550s) TCP localhost > xx.xxx.xxx.xx:25 => Unknown error
CONN (2.2580s) TCP localhost > xx.xxx.xxx.xx:1723 => Unknown error
CONN (2.2600s) TCP localhost > xx.xxx.xxx.xx:389 => Unknown error
CONN (2.2620s) TCP localhost > xx.xxx.xxx.xx:21 => Unknown error
CONN (2.2650s) TCP localhost > xx.xxx.xxx.xx:113 => Unknown error
CONN (3.2560s) TCP localhost > xx.xxx.xxx.xx:22 => Unknown error
CONN (3.2590s) TCP localhost > xx.xxx.xxx.xx:636 => Unknown error
CONN (3.2610s) TCP localhost > xx.xxx.xxx.xx:554 => Unknown error
CONN (3.2630s) TCP localhost > xx.xxx.xxx.xx:443 => Unknown error
CONN (3.2650s) TCP localhost > xx.xxx.xxx.xx:80 => Unknown error
CONN (4.2570s) TCP localhost > xx.xxx.xxx.xx:22 => Unknown error
CONN (4.2600s) TCP localhost > xx.xxx.xxx.xx:636 => Unknown error
CONN (4.2630s) TCP localhost > xx.xxx.xxx.xx:554 => Unknown error
CONN (4.2650s) TCP localhost > xx.xxx.xxx.xx:443 => Unknown error
CONN (4.2680s) TCP localhost > xx.xxx.xxx.xx:80 => Unknown error
CONN (5.2580s) TCP localhost > xx.xxx.xxx.xx:23 => Unknown error
CONN (5.2610s) TCP localhost > xx.xxx.xxx.xx:53 => Unknown error
CONN (5.2640s) TCP localhost > xx.xxx.xxx.xx:3389 => Unknown error
CONN (5.2670s) TCP localhost > xx.xxx.xxx.xx:256 => Unknown error
CONN (5.2690s) TCP localhost > xx.xxx.xxx.xx:61439 => Unknown error


Running the exact same command with nmap 4.11, 4.21-A1, 4.22SOC2,
4.22SOC3, 4.22SOC5 appears to work fine. This seems to have started with
4.22SOC6.

I decided to try it from a Windows 2003 SP2 Enterprise Edition x86 machine
and I saw a similar crash:

The exception unknown software exception (0xc000000d) occurred in the
application at location 0x004b4918.

C:\Documents and Settings\Robert\Desktop\nmap-4.22SOC6>nmap -P0 -vv -sT xxx.xxx.xxx.xxx -debug -packet_trace
Winpcap present, dynamic linked to: WinPcap version 3.1 (packet.dll version 3, 1, 0, 27), based on libpcap version 0.9[.x]

Starting Nmap 4.22SOC6 ( http://insecure.org ) at 2007-09-13 17:20 GMT Daylight Time
Warning: File ./nmap-services exists, but Nmap is using C:\Documents and Settings\Robert\Desktop\nmap-4.22SOC6\nmap-services for security and consistency reasons.  set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000
  parallelism: min 0, max 0
  max-retries: 10, host-timeout: 0
---------------------------------------------
mass_rdns: Using DNS server xxx.xxx.xxx.xxx
mass_rdns: Using DNS server xxx.xxx.xxx.xxx
NSOCK (0.1090s) msevent_new (IOD #1) (EID #8)
NSOCK (0.1090s) UDP connection requested to xxx.xxx.xxx.xxx:53 (IOD #1) EID 8
NSOCK (0.1090s) msevent_new (IOD #1) (EID #18)
NSOCK (0.1090s) Read request from IOD #1 [xxx.xxx.xxx.xxx:53] (timeout: -1ms) EID 18
NSOCK (0.1090s) msevent_new (IOD #2) (EID #24)
NSOCK (0.1090s) UDP connection requested to xxx.xxx.xxx.xxx:53 (IOD #2) EID 24
NSOCK (0.1090s) msevent_new (IOD #2) (EID #34)
NSOCK (0.1090s) Read request from IOD #2 [xxx.xxx.xxx.xxx:53] (timeout: -1ms) EID 34
Initiating Parallel DNS resolution of 1 host. at 17:20
NSOCK (0.1090s) msevent_new (IOD #1) (EID #43)
NSOCK (0.1090s) Write request for 44 bytes to IOD #1 EID 43 [xxx.xxx.xxx.xxx:53]: .............xxx.xxx.xxx.xxx.in-addr.arpa.....
NSOCK (0.1250s) nsock_loop() started (timeout=500ms). 5 events pending
NSOCK (0.1250s) wait_for_events
NSOCK (0.1250s) PCAP read_on_nonselect
NSOCK (0.1250s) PCAP END read_on_nonselect
NSOCK (0.1250s) Callback: CONNECT SUCCESS for EID 24 [xxx.xxx.xxx.xxx:53]
NSOCK (0.1250s) msevent_delete (IOD #2) (EID #24)
NSOCK (0.1250s) Callback: CONNECT SUCCESS for EID 8 [xxx.xxx.xxx.xxx:53]
NSOCK (0.1250s) msevent_delete (IOD #1) (EID #8)
NSOCK (0.1250s) Callback: WRITE SUCCESS for EID 43 [xxx.xxx.xxx.xxx:53]
NSOCK (0.1250s) msevent_delete (IOD #1) (EID #43)
NSOCK (0.1250s) wait_for_events
NSOCK (0.1250s) PCAP read_on_nonselect
NSOCK (0.1250s) PCAP END read_on_nonselect
NSOCK (0.2500s) Callback: READ SUCCESS for EID 18 [xxx.xxx.xxx.xxx:53] (120 bytes)
NSOCK (0.2500s) msevent_new (IOD #1) (EID #50)
NSOCK (0.2500s) Read request from IOD #1 [xxx.xxx.xxx.xxx:53] (timeout: -1ms) EID 50
NSOCK (0.2500s) msevent_delete (IOD #1) (EID #50)
NSOCK (0.2500s) msevent_delete (IOD #2) (EID #34)
mass_rdns: 0.14s 0/1 [#: 2, OK: 0, NX: 0, DR: 0, SF: 0, TR: 1]
NSOCK (0.2500s) msevent_delete (IOD #1) (EID #18)
Completed Parallel DNS resolution of 1 host. at 17:20, 0.14s elapsed
DNS resolution of 1 IPs took 0.16s. Mode: Async [#: 2, OK: 0, NX: 1, DR: 0, SF: 0, TR: 1, CN: 0]
Initiating Connect() Scan at 17:20
Scanning xxx.xxx.xxx.xxx [1705 ports]
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:636 => Unknown error
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:256 => Unknown error
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:23 => Unknown error
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:1723 => Unknown error
CONN (0.2650s) TCP localhost > xxx.xxx.xxx.xxx:3389 => Unknown error


Can anyone else replicate this? Anyone have any ideas why it's happening?

It sounds to me like a recently introduced bug in nmap; I suspect we can
rule out WinPcap (I'm still using 3.1 on the 2003 box, but using 4.0.1 on
Vista) and the OS.

Cheers,


Rob


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
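The Connect() Scan in the traces above is the plain-socket scan type: Nmap starts a non-blocking connect() per port, waits for the handshake to finish or fail, and reads the result back from the socket. As an added example (not code from this post or from the Nmap project) the following Python implements that state machine end to end so the CONN trace lines can be read against something concrete: it classifies each port as open, closed or filtered from the errno a finished connect() leaves in SO_ERROR, names any other errno instead of reporting "Unknown error", and polls both the write set and the exception set of select(), because Winsock reports a failed non-blocking connect in the exception set while POSIX reports it as writability. The function names (connect_scan, classify_connect_result, start_listener, reserve_closed_port) are my own, and the target is a constructed one: a listening socket the script opens on 127.0.0.1 plus a loopback port with nothing behind it.

```python
"""Minimal non-blocking TCP connect() port scanner (added example, not Nmap code).

Each port gets its own socket; connect() is started in non-blocking mode,
select() waits for the handshake to finish or fail, and SO_ERROR says which.
Port states follow the convention Nmap uses for -sT:
  open      - three-way handshake completed
  closed    - RST received (ECONNREFUSED)
  filtered  - no answer before the timeout, or an ICMP unreachable
"""
import errno
import select
import socket
import time


def classify_connect_result(err):
    """Map the errno left behind by a finished connect() to a port state.

    Python's errno module carries the Winsock values on Windows (e.g. 10061
    for ECONNREFUSED), so the same comparisons work on both platforms.
    """
    if err == 0:
        return "open"
    if err == errno.ECONNREFUSED:
        return "closed"
    if err in (errno.ETIMEDOUT, errno.EHOSTUNREACH, errno.ENETUNREACH):
        return "filtered"
    # Anything else is a local problem, not a statement about the target;
    # name it rather than printing a bare "Unknown error".
    return "error:" + errno.errorcode.get(err, "errno%d" % err)


def connect_scan(host, ports, timeout=2.0):
    """Scan `ports` on `host` in parallel with non-blocking connect()."""
    results = {}
    pending = {}  # socket -> port, for connects still in flight
    for port in ports:
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.setblocking(False)
        err = s.connect_ex((host, port))
        # EINPROGRESS (POSIX) / EWOULDBLOCK (Winsock WSAEWOULDBLOCK) mean the
        # handshake has started; 0 means it already completed (loopback).
        if err in (errno.EINPROGRESS, errno.EWOULDBLOCK):
            pending[s] = port
        else:
            results[port] = classify_connect_result(err)
            s.close()

    deadline = time.monotonic() + timeout
    while pending:
        remaining = deadline - time.monotonic()
        if remaining <= 0:
            break
        socks = list(pending)
        # POSIX signals success and failure as writability; Winsock signals
        # failure in the exception set, so watch both sets.
        _, writable, failed = select.select([], socks, socks, remaining)
        for s in set(writable) | set(failed):
            port = pending.pop(s)
            err = s.getsockopt(socket.SOL_SOCKET, socket.SO_ERROR)
            results[port] = classify_connect_result(err)
            s.close()

    # Whatever is still in flight got neither SYN/ACK nor RST: filtered.
    for s, port in pending.items():
        results[port] = "filtered"
        s.close()
    return results


def start_listener():
    """Constructed sample target: a listening socket on 127.0.0.1 (ephemeral port)."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(5)
    return srv, srv.getsockname()[1]


def reserve_closed_port():
    """Find a loopback port with nothing listening: bind, note the port, release it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


if __name__ == "__main__":
    srv, open_port = start_listener()
    closed_port = reserve_closed_port()
    for port, state in sorted(connect_scan("127.0.0.1", [open_port, closed_port]).items()):
        print("127.0.0.1:%d => %s" % (port, state))
    srv.close()
```

Run it as-is and it reports the listener as open and the released port as closed; point connect_scan at an address that drops SYNs and the timeout path yields filtered. Note that a connect scan completes the handshake on every open port, so the target's service logs will record each probe.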
