Nmap Development mailing list archives

Re: Limit WinPcap use by unprivileged users


From: Patrik Karlsson <patrik () cqure net>
Date: Sat, 25 Sep 2010 11:17:28 +0200


On 25 sep 2010, at 03.30, David Fifield wrote:

On Fri, Sep 24, 2010 at 08:23:46PM -0500, DePriest, Jason R. wrote:
Wouldn't stopping npf also prevent regular users from using
anything else that uses winpcap like Wireshark / tshark / windump.

Yes but that's the point of the TODO: to see if it's possible to limit
sniffing to certain users as is possible on other operating systems. I
don't think that stopping NPF is a good solution but it's the best I've
been able to think of.

Taken from the Wireshark FAQ [1]

"
Q-7: Do I need to be Administrator in order to execute programs based on WinPcap on Windows NT/2000/XP?

A: Yes/no. The security model of WinPcap is quite poor, and we plan to work on it in the future. At the moment, if you 
execute a WinPcap-based application for the first time since the last reboot, you must be administrator. At the first 
execution, the driver will be dynamically installed in the system, and from that moment every user will be able to use 
WinPcap to sniff the packets.
"

If I stop NPF and then run Wireshark it's started again, but Wireshark does not stop it when I exit the application.
This is expected behavior to me at least and I wouldn't want Wireshark or Nmap to stop NPF upon completion.
The foremost reason being that there could be other "legitimate" processes running that make use of it.
I don't know if this would actually be a problem or not as attempting to stop NPF during the time Wireshark is running 
gives me:
"The NetGroup Packet Filter Driver service could not be stopped."

Anyway, even if Nmap would attempt to stop NPF when it quits, any user would be able to run a sniffer during the entire 
time of the scan.
In my opinion this problem needs to be addressed in WinPcap rather than in Nmap.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/


//Patrik

[1] http://www.winpcap.org/misc/faq.htm
--
Patrik Karlsson
http://www.cqure.net
http://www.twitter.com/nevdull77
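The thread above turns on whether the NPF driver is loaded (at which point, per the quoted FAQ, every local user can capture packets) and on the fact that it cannot be stopped while a WinPcap client holds it open. The following PowerShell audit script is an added example for administrators, not code from any participant in this thread or from the Nmap or WinPcap projects. It assumes the WinPcap driver is registered under its usual service name NPF and queries it through the Win32_SystemDriver WMI class, which covers kernel drivers that Get-Service does not list.

```powershell
# Added example (not from the thread): report the WinPcap NPF driver state so an
# administrator can verify whether packet capture is currently available to every
# local user, and try to unload it while handling the "could not be stopped" case.
# Assumes the NetGroup Packet Filter Driver is registered under the name 'NPF'.

function Get-NpfDriverState {
    param([string]$Name = 'NPF')   # service name of the NetGroup Packet Filter Driver

    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $drv) {
        return [pscustomobject]@{
            Name = $Name; Installed = $false; State = 'NotInstalled'; StartMode = $null
        }
    }
    [pscustomobject]@{
        Name      = $drv.Name
        Installed = $true
        State     = $drv.State        # 'Running' means any local user can sniff via WinPcap
        StartMode = $drv.StartMode    # 'Auto' = loaded at boot; 'Manual' = loaded on first use
    }
}

function Stop-NpfDriver {
    param([string]$Name = 'NPF')

    $drv = Get-CimInstance -ClassName Win32_SystemDriver -Filter "Name='$Name'"
    if (-not $drv) { throw "Driver '$Name' is not installed." }

    # StopService returns 0 on success. A non-zero ReturnValue means the driver stayed
    # loaded, which is what happens while a WinPcap client such as Wireshark or a
    # running Nmap scan still has it open (the error quoted in the message above).
    $r = Invoke-CimMethod -InputObject $drv -MethodName StopService
    [pscustomobject]@{
        Name        = $Name
        ReturnValue = $r.ReturnValue
        Stopped     = ($r.ReturnValue -eq 0)
        Note        = if ($r.ReturnValue -eq 0) { 'Driver unloaded; capture unavailable until next admin start' }
                      else { 'Driver still loaded; a WinPcap client is probably using it' }
    }
}

# Usage (run from an elevated prompt). The stop call is deliberately commented out so
# the script is read-only unless an administrator chooses to run it.
Get-NpfDriverState | Format-List
# Stop-NpfDriver | Format-List
# Get-NpfDriverState | Format-List
```

Running the first query before and after a scan shows the behaviour Patrik describes: the driver state flips to Running on the first WinPcap use and stays there after the client exits, and a stop attempt during the scan comes back with a non-zero return value instead of unloading it.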