Nmap Development mailing list archives

Raw scanning as an unprivileged user on Mac OS X


From: David Fifield <david () bamsoftware com>
Date: Sat, 10 May 2008 13:45:09 -0600

Hello,

I said back in http://seclists.org/nmap-dev/2008/q2/0189.html that I
would investigate whether Nmap really needs root to run privileged scans
as long as it can read and write to the /dev/bpf* devices. It turns out
root is not required, as long as you use --send-eth.

By default, users don't have read and write access to the bpf devices.
Wireshark on Mac OS X ships with a startup script called ChmodBPF that
gives access to users in the admin group:
http://anonsvn.wireshark.org/wireshark/trunk-1.0/packaging/macosx/ChmodBPF/README.macosx
http://anonsvn.wireshark.org/wireshark/trunk-1.0/packaging/macosx/ChmodBPF/ChmodBPF
I had this startup item installed when I ran the following commands.

        ~$ nmap scanme.nmap.org

        Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-10 13:17 MDT

        ~$ nmap -sS scanme.nmap.org
        You requested a scan type which requires root privileges.
        QUITTING!
        ~$ nmap -sS --privileged scanme.nmap.org

        Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-10 13:18 MDT
        socket troubles in Init: Operation not permitted (1)
        ~$ nmap -sS --privileged --send-eth scanme.nmap.org

        Starting Nmap 4.62 ( http://nmap.org ) at 2008-05-10 13:18 MDT
        Interesting ports on scanme.nmap.org (64.13.134.52):
        Not shown: 1709 filtered ports
        PORT    STATE  SERVICE
        22/tcp  open   ssh
        25/tcp  closed smtp
        53/tcp  open   domain
        70/tcp  closed gopher
        80/tcp  open   http
        113/tcp closed auth

        Nmap done: 1 IP address (1 host up) scanned in 83.744 seconds

So Nmap works just fine without root, but you have to know how to tell
it to ignore the fact that you're not root. Except I notice that the -A
option doesn't run all the things that option can run (just -sC I
think), even though -O and --traceroute work on their own. These
observations may apply to other BSDs as well.

David Fifield
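
The post ties unprivileged raw scanning to read and write access on the /dev/bpf* nodes. As an added example (not part of the original message or of Nmap or Wireshark), this script reports for each BPF node whether read+write is held by the owner only, the group, or everyone, and whether the current user has it. The function names `classify_mode` and `audit_bpf` are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original post: audit who can open BPF nodes
# for both reading and writing. Function names are hypothetical.

# classify_mode MODE: given an ls-style mode string such as "crw-rw----",
# print the widest class that holds BOTH read and write: world, group or owner.
classify_mode() {
    grp=$(printf '%s' "$1" | cut -c5-6)   # group r/w bits
    oth=$(printf '%s' "$1" | cut -c8-9)   # other r/w bits
    if [ "$oth" = "rw" ]; then
        echo world
    elif [ "$grp" = "rw" ]; then
        echo group
    else
        echo owner
    fi
}

# audit_bpf DIR: print one line per DIR/bpf* node (DIR defaults to /dev).
audit_bpf() {
    dir=${1:-/dev}
    for f in "$dir"/bpf*; do
        [ -e "$f" ] || continue            # glob matched nothing
        if [ -r "$f" ] && [ -w "$f" ]; then me=yes; else me=no; fi
        ls -ld "$f" | {
            read -r mode links owner group rest
            printf '%s mode=%s owner=%s group=%s rw_scope=%s current_user_rw=%s\n' \
                "$f" "$mode" "$owner" "$group" "$(classify_mode "$mode")" "$me"
        }
    done
}

audit_bpf "${1:-/dev}"
```

A `rw_scope` of `group` or `world` means every account in that class can capture and inject frames on the host's interfaces without root, which is the access the scans above relied on.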
