Nmap Development mailing list archives

NSE Windows Raw Socket Fatal Error for Non-Admin (or UAC is Enabled)


From: Rob Nicholls <robert () robnicholls co uk>
Date: Mon, 29 Oct 2012 21:02:06 +0000

I'm having trouble with Nmap on Windows. It seems that Nmap has previously been fairly quietly failing with an error when I run the following command with a "low privileged" account (an Admin user with UAC enabled):

nmap xxx.xxxxxx.xxx -p 80 --script ipidseq -n -Pn -vv --reason -sCV -d2

For example, I get the following error with r29915:

Initiating NSE at 11:51
NSE: 'ipidseq' (thread: 02FF52D8) against xxx.xxx.xxx.xxx threw an error!
C:\Program Files\Nmap/scripts\ipidseq.nse:213: failed to open raw socket: An attempt was made to access a socket in a way forbidden by its access permissions.
(errno 10013)
stack traceback:
         [C]: in function 'ip_open'
         C:\Program Files\Nmap/scripts\ipidseq.nse:213: in function <C:\Program Files\Nmap/scripts\ipidseq.nse:204>
         (...tail calls...)

Completed NSE at 11:51, 0.00s elapsed

This appears to be a Lua error generated when udata->sock == -1. But I've noticed that r30017 onwards seems to have a fatal error message:

Initiating NSE at 09:46
socket troubles in nmap_raw_socket: An attempt was made to access a socket in a way forbidden by its access permissions.
  (10013)

This kills the scan completely. Is it possible that revisions
29931-29936 are responsible for the fatal change in behaviour, when
nmap_raw_socket was introduced? I noticed that r29931 added:

   if (devname != NULL) {
     fatal("Only ethernet devices can be used for raw scans on Windows, and\n"
           "\"%s\" is not an ethernet device. Use the --unprivileged option\n"
           "for this scan.", devname);
   } else {
     fatal("Only ethernet devices can be used for raw scans on Windows. Use\n"
           "the --unprivileged option for this scan.", devname);
   }

nse_dnet.cc replaced:

   udata->sock = socket(AF_INET, SOCK_RAW, IPPROTO_RAW);

with:

   udata->sock = nmap_raw_socket(NULL);

I'm guessing that in earlier revisions an error occurred and was detected, resulting in a Lua error; but now that we're using nmap_raw_socket and passing NULL, it's triggering a fatal error first?

I've been able to reproduce this on Windows hosts where UAC is enabled and I'm not using an elevated command prompt. As soon as I "run as an administrator" on the command prompt everything works fine (including older versions, IIRC from testing this afternoon). Because Nmap on Windows uses the NPF service, the user's privilege shouldn't matter on Windows (until WinPcap is modified to take into account user privileges, which probably won't happen anytime soon) and shouldn't affect the results or execution of Nmap AFAIK. Is this some sort of logic error around whether the user is root, or something like that?

Rob


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
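The distinction raised in this message, between a raw-socket failure that only breaks the one script that needed it and one that aborts the whole scan, can be illustrated with a small pre-flight probe. The following Python is an added example written for this archive page; it is not code from Rob's message, from the Nmap source, or from the NSE library. It attempts to open a raw IP socket exactly as the original nse_dnet.cc line did (socket(AF_INET, SOCK_RAW, IPPROTO_RAW)), but instead of calling fatal() it returns a result the caller can act on. The errno-to-category mapping and the advice strings are assumptions made here: 10013 is the Winsock WSAEACCES code quoted in the message, and EPERM/EACCES are the POSIX codes an unprivileged user sees for the same request.

```python
import errno
import socket
import sys

# Errno values that mean "raw sockets need elevation" (constructed mapping,
# an assumption for this example): 10013 is Winsock WSAEACCES, the code shown
# in the Nmap output above; EPERM and EACCES are the POSIX equivalents.
PERMISSION_ERRNOS = frozenset({10013, errno.EPERM, errno.EACCES})


def classify_raw_socket_error(code):
    """Map an OSError errno to a coarse category a caller can branch on."""
    if code in PERMISSION_ERRNOS:
        return "permission"
    return "other"


def probe_raw_socket(family=socket.AF_INET):
    """Try to open a raw IP socket once and report the outcome.

    Nothing is sent; the socket is closed immediately. Returns a dict with
    'ok' (bool), 'errno' (int or None), 'kind' (str) and 'message' (str) so
    the decision about what to do next stays with the caller, rather than
    terminating the process the way a fatal() call would.
    """
    try:
        sock = socket.socket(family, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except OSError as exc:
        # On Windows Python reports Winsock codes (e.g. 10013) in errno.
        code = exc.errno if exc.errno is not None else -1
        return {
            "ok": False,
            "errno": code,
            "kind": classify_raw_socket_error(code),
            "message": str(exc),
        }
    sock.close()
    return {"ok": True, "errno": None, "kind": "ok", "message": "raw socket opened"}


def raw_socket_advice(result, is_windows=None):
    """Turn a probe result into a per-script message instead of a scan-wide abort.

    The remedies named here (an elevated prompt, or --unprivileged) are the
    ones mentioned in the mailing-list message; they are not a full list.
    """
    if is_windows is None:
        is_windows = sys.platform.startswith("win")
    if result["ok"]:
        return "raw sockets available; script can run"
    if result["kind"] == "permission":
        if is_windows:
            return ("raw sockets denied (errno %s): run from an elevated "
                    "(Run as administrator) prompt, or use the --unprivileged "
                    "option and skip raw-socket scripts" % result["errno"])
        return ("raw sockets denied (errno %s): run as root or skip "
                "raw-socket scripts" % result["errno"])
    return "raw socket failed for another reason (errno %s): %s" % (
        result["errno"], result["message"])


if __name__ == "__main__":
    outcome = probe_raw_socket()
    print(outcome)
    print(raw_socket_advice(outcome))
```

Run as an unprivileged user the probe returns ok=False with kind "permission" (errno 10013 on Windows without elevation, EPERM on Linux), and the caller can mark just the raw-socket scripts as skipped while the rest of the scan proceeds; the same probe run from an elevated prompt returns ok=True. The point of returning a result rather than aborting is that the decision belongs to the component that knows whether raw sockets are actually required for the work at hand.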

