Re: Nmap crash under Vista

["Gianluca Varenni" <gianluca.varenni () gmail com>]

Guys,

I'd really like to understand what's going on here. First of all, as Rob 
pointed out, I don't understand the meaning of the output. It says it cannot 
open net0, but nmap --iflist lists only these WINDEVICEs

> DEV  WINDEVICE
> net2 \Device\NPF_{D744CB9D-F791-4C60-AA04-851443B57BD4}
> net3 \Device\NPF_{14EFA483-1F71-4688-BD5D-3880992943F5}

Also, I tried running nmap SOC7 (nmap 1.2.3.4 -vv) on a Vista machine with 
an Intel abgn card (4965), and it simply crashes. The call stack doesn't 
point to anything in winpcap.

Have a nice day
GV



----- Original Message ----- 
From: "Rob Nicholls" <robert () everythingeverything co uk>
To: <nmap-dev () insecure org>
Sent: Wednesday, October 31, 2007 4:32 PM
Subject: RE: Nmap crash under Vista


> Hi,
>
> I've done a little bit of research in my spare time after bob's original
> email about using nmap on Vista with a wireless network card, and it 
> appears
> that nmap's failing because pcap can't open the wireless adapter (connect
> scans work okay).
>
> I've tried WinPcap 4.0.1 with SOC7 and the latest WinPcap beta (4.1) with
> SOC8, and I get the same error. I get an error in 4.11 too, but it 
> complains
> immediately about getinterfaces, rather than failing to open the adapter:
>
> > nmap 192.168.1.13 -vv
>
> Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2007-10-24 23:57 
> GMT
> Dayl
> ight Time
> getinterfaces: intf_loop() failed
> QUITTING!
>
> > nmap 192.168.1.13 -vv
>
> Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-24 23:57 GMT
> Daylight
> Time
> Initiating Ping Scan at 23:57
> Scanning 192.168.1.13 [2 ports]
> pcap_open_live(net0, 100, 0, 2) FAILED. Reported error: Error opening
> adapter: T
> he system cannot find the device specified. (20).  Will wait 5 seconds 
> then
> retr
> y.
> > nmap 192.168.1.13 -vv -P0
>
> If I avoid using WinPcap, it's able to perform the scan:
>
> > nmap 192.168.1.13 -vv -P0 -sT
>
> Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-25 00:01 GMT
> Daylight
> Time
> Initiating Parallel DNS resolution of 1 host. at 00:01
> Completed Parallel DNS resolution of 1 host. at 00:01, 0.07s elapsed
> Initiating Connect Scan at 00:01
> Scanning 192.168.1.13 [1705 ports]
> Discovered open port 3389/tcp on 192.168.1.13
> Discovered open port 139/tcp on 192.168.1.13
> Connect Scan Timing: About 12.04% done; ETC: 00:05 (0:03:39 remaining)
> Increasing send delay for 192.168.1.13 from 0 to 5 due to 11 out of 13
> dropped p
> robes since last increase.
> Discovered open port 135/tcp on 192.168.1.13
> Discovered open port 445/tcp on 192.168.1.13
> Completed Connect Scan at 00:04, 156.59s elapsed (1705 total ports)
> Host 192.168.1.13 appears to be up ... good.
> Interesting ports on 192.168.1.13:
> Not shown: 1701 filtered ports
> PORT     STATE SERVICE
> 135/tcp  open  msrpc
> 139/tcp  open  netbios-ssn
> 445/tcp  open  microsoft-ds
> 3389/tcp open  ms-term-serv
>
> So it looks like anything that relies upon WinPcap is failing on Vista, 
> I'm
> not sure why, but it looks like it's having trouble with the interface. I
> initially got weird behaviour using --iflist (this may just be a
> coincidence?), but after disabling all of the other network adapters (LAN, 
> a
> couple of VMWare ones), SOC7 then presented the wireless interface. NB: I
> still get the intf_loop() error in 4.11.
>
> > nmap --iflist
>
> Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-25 00:24 GMT
> Daylight
> Time
> ************************INTERFACES************************
> DEV  (SHORT) IP/MASK         TYPE     UP   MAC
> net0 (net0)  (null)/0        other    down
> eth0 (eth0)  (null)/0        ethernet up   D0:84:20:52:41:53
> eth1 (eth1)  (null)/0        ethernet up   D0:84:20:52:41:53
> eth2 (eth2)  (null)/0        ethernet up   D0:84:20:52:41:53
> eth3 (eth3)  (null)/0        ethernet up   D0:84:20:52:41:53
> eth4 (eth4)  (null)/0        ethernet down 00:19:B9:7F:5E:39
> eth5 (eth5)  (null)/0        ethernet down 00:1A:6B:3E:59:93
> eth6 (eth6)  (null)/0        ethernet down 00:50:56:C0:00:01
> eth7 (eth7)  (null)/0        ethernet down 00:50:56:C0:00:08
> eth8 (eth8)  (null)/0        ethernet down 00:1A:6B:3E:59:93
> ppp0 (ppp0)  (null)/0        other    up
> ppp1 (ppp1)  (null)/0        other    up
> lo0  (lo0)   127.0.0.1/8     loopback up
> net0 (net0)  192.168.1.14/24 other    up
> net1 (net1)  (null)/0        other    up
> net2 (net2)  (null)/0        other    up
> net0 (net0)  (null)/0        other    up
> net1 (net1)  (null)/0        other    up
> net2 (net2)  (null)/0        other    up
> net3 (net3)  (null)/0        other    up
>
> DEV  WINDEVICE
> net2 \Device\NPF_{D744CB9D-F791-4C60-AA04-851443B57BD4}
> net3 \Device\NPF_{14EFA483-1F71-4688-BD5D-3880992943F5}
>
> **************************ROUTES**************************
> DST/MASK           DEV  GATEWAY
> 192.168.1.14/32    net0 192.168.1.14
> 255.255.255.255/32 lo0  127.0.0.1
> 127.0.0.1/32       lo0  127.0.0.1
> 127.255.255.255/32 lo0  127.0.0.1
> 192.168.1.255/32   net0 192.168.1.14
> 255.255.255.255/32 net0 192.168.1.14
> 192.168.1.0/0      net0 192.168.1.14
> 127.0.0.0/0        lo0  127.0.0.1
> 224.0.0.0/0        net0 192.168.1.14
> 224.0.0.0/0        lo0  127.0.0.1
> 0.0.0.0/0          net0 192.168.1.1
>
> You might have spotted that net0 seems to be listed as both down (on the
> first line, no IP) and up (with an IP address) further down the list. 
> After
> re-enabling all the network adapters, I still got all of the interfaces
> listed correctly in SOC7.
>
> I can see a device labelled "Microsoft" (Microsoft:
> \Device\NPF_{14EFA483-1F71-4688-BD5D-3880992943F5}) in Wireshark, which 
> has
> the right IP address and is showing packets being captured and suggests
> WinPcap/Wireshark is coping with Vista's presentation of the wireless card
> (which, IIRC, is different to how it's presented under XP/2003). The odd
> thing is the device's ID appears to be that of "net3" in nmap's --iflist
> output, which doesn't have an IP address assigned to it. Trying to force 
> it
> to use net0 (or net1-3), in a last ditch attempt to fool it into using the
> one that's up, doesn't appear to work either.
>
> Does anyone have any other ideas/suggestions I can try? If any fixes are
> committed to SVN, I'm quite happy to compile and test it whenever I've got 
> a
> few spare minutes.
>
>
> Rob
>
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org 


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org