Re: Problem while running nmap as root

[Colin Beckingham <colbec () start ca>]

On 08/16/2010 07:23 PM, David Fifield wrote:
> On Mon, Aug 09, 2010 at 10:43:18AM -0400, Colin Beckingham wrote:
> > # nmap -n -sP -d3 scanme.nmap.org
> >
> > Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-09 10:37 EDT
> > The max # of sockets we are using is: 0
> > --------------- Timing report ---------------
> >    hostgroups: min 1, max 100000
> >    rtt-timeouts: init 1000, min 100, max 10000
> >    max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
> >    parallelism: min 0, max 0
> >    max-retries: 10, host-timeout: 0
> >    min-rate: 0, max-rate: 0
> > ---------------------------------------------
> > Initiating Ping Scan at 10:37
> > Scanning scanme.nmap.org (64.13.134.52) [4 ports]
> > pcap_open_live(eth0, 100, 0, 200) FAILED. Reported error: socket:
> > Address family not supported by protocol.  Will wait 5 seconds then
> > retry.
> > pcap_open_live(eth0, 100, 0, 200) FAILED. Reported error: socket:
> > Address family not supported by protocol.  Will wait 25 seconds then
> > retry.
> > ... then subsequent output as in above re af_packet and SOCK_PACKET
> >
> > # nmap -iflist
> >
> > Starting Nmap 5.21 ( http://nmap.org ) at 2010-08-09 10:39 EDT
> > ************************INTERFACES************************
> > DEV  (SHORT) IP/MASK          TYPE     UP MAC
> > lo   (lo)    127.0.0.1/8      loopback up
> > lo   (lo)    127.0.0.2/8      loopback up
> > eth0 (eth0)  192.168.0.101/24 ethernet up 00:02:55:BF:11:5C
> >
> > **************************ROUTES**************************
> > DST/MASK      DEV  GATEWAY
> > 192.168.0.0/0 eth0
> > 169.254.0.0/0 eth0
> > 127.0.0.0/0   lo
> > 0.0.0.0/0     eth0 192.168.0.1
> >
> > # nmap -V
> >
> > Nmap version 5.21 ( http://nmap.org )
>
> I can't reproduce this on OpenSUSE 11.2, running in QEMU, with either
> Nmap 5.21 or 5.31DC18. Are you running in a virtualization environment
> or anything else weird?
>
> I found a couple references of this happening on SUSE with a much older
> release of Nmap (3.30).
>
> http://www.rapid7.com/vulndb/lookup/linuxrpm-suse-nmap-3.30-70-90_i386
> http://archive.cert.uni-stuttgart.de/suse-security/2004/01/msg00501.html
>
> They made a patched release that fixed it, but that release has been
> removed from their public FTP server so I can't find out what they did.
> (Search removed-find-ls.txt.bz2 for "3.30-70".)
>
> http://ftp.suse.com/pub/suse/discontinued/deleted-20070817/README.txt
> http://ftp.suse.com/pub/suse/discontinued/deleted-20070817/removed-find-ls.txt.bz2
>
> Here is a recent message saying the same thing happens with iftop.
>
> http://lists4.suse.de/opensuse/2010-01/msg00548.html
>
> Do you get the same error if you use iftop, tcpdump, or other programs
> that use libpcap?
>
> David Fifield

Looks like the fault was in my custom kernel.

I installed Opensuse 11.2 and nmap 5.00 on the default 2.6.31.5 kernel 
on my Toshiba Satellite 1110 and nmap/zenmap works fine both as user and 
root. Main workstation works fine too if I boot into the default kernel.

So the nmap error output is correct in pointing me at a potential 
problem in the kernel. However searching the kernel config for 
SOCK_PACKET comes up empty, and SOCKET is also not helpful. However 
"PACKET" seemed to find a missing section. I checked this and lo and 
behold it generated an af_packet and now nmap works under root.

Looks like I picked up a bad .config at some point.

Thanks for assistance.

--
---
Colin Beckingham
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/