Nmap Development mailing list archives

RE: Nmap crash under Vista
From: "Rob Nicholls" <robert () everythingeverything co uk>
Date: Thu, 1 Nov 2007 00:32:29 -0000


I've done a little bit of research in my spare time after Bob's original
email about using nmap on Vista with a wireless network card, and it appears
that nmap's failing because pcap can't open the wireless adapter (connect
scans work okay).

I've tried WinPcap 4.0.1 with SOC7 and the latest WinPcap beta (4.1) with
SOC8, and I get the same error. I get an error in 4.11 too, but it complains
immediately about getinterfaces, rather than failing to open the adapter:

nmap -vv

Starting Nmap 4.11 ( http://www.insecure.org/nmap ) at 2007-10-24 23:57 GMT
ight Time
getinterfaces: intf_loop() failed

nmap -vv

Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-24 23:57 GMT
Initiating Ping Scan at 23:57
Scanning [2 ports]
pcap_open_live(net0, 100, 0, 2) FAILED. Reported error: Error opening adapter: The system cannot find the device specified. (20).  Will wait 5 seconds then
nmap -vv -P0

If I avoid using WinPcap, it's able to perform the scan:

nmap -vv -P0 -sT

Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-25 00:01 GMT
Initiating Parallel DNS resolution of 1 host. at 00:01
Completed Parallel DNS resolution of 1 host. at 00:01, 0.07s elapsed
Initiating Connect Scan at 00:01
Scanning [1705 ports]
Discovered open port 3389/tcp on
Discovered open port 139/tcp on
Connect Scan Timing: About 12.04% done; ETC: 00:05 (0:03:39 remaining)
Increasing send delay for from 0 to 5 due to 11 out of 13 dropped probes since last increase.
Discovered open port 135/tcp on
Discovered open port 445/tcp on
Completed Connect Scan at 00:04, 156.59s elapsed (1705 total ports)
Host appears to be up ... good.
Interesting ports on
Not shown: 1701 filtered ports
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
3389/tcp open  ms-term-serv

So it looks like anything that relies upon WinPcap is failing on Vista. I'm
not sure why, but it looks like it's having trouble with the interface. I
initially got weird behaviour using --iflist (this may just be a
coincidence?), but after disabling all of the other network adapters (LAN, a
couple of VMware ones), SOC7 then presented the wireless interface. NB: I
still get the intf_loop() error in 4.11.

nmap --iflist

Starting Nmap 4.22SOC7 ( http://insecure.org ) at 2007-10-25 00:24 GMT
DEV  (SHORT) IP/MASK         TYPE     UP   MAC
net0 (net0)  (null)/0        other    down
eth0 (eth0)  (null)/0        ethernet up   D0:84:20:52:41:53
eth1 (eth1)  (null)/0        ethernet up   D0:84:20:52:41:53
eth2 (eth2)  (null)/0        ethernet up   D0:84:20:52:41:53
eth3 (eth3)  (null)/0        ethernet up   D0:84:20:52:41:53
eth4 (eth4)  (null)/0        ethernet down 00:19:B9:7F:5E:39
eth5 (eth5)  (null)/0        ethernet down 00:1A:6B:3E:59:93
eth6 (eth6)  (null)/0        ethernet down 00:50:56:C0:00:01
eth7 (eth7)  (null)/0        ethernet down 00:50:56:C0:00:08
eth8 (eth8)  (null)/0        ethernet down 00:1A:6B:3E:59:93
ppp0 (ppp0)  (null)/0        other    up
ppp1 (ppp1)  (null)/0        other    up
lo0  (lo0)     loopback up
net0 (net0) other    up
net1 (net1)  (null)/0        other    up
net2 (net2)  (null)/0        other    up
net0 (net0)  (null)/0        other    up
net1 (net1)  (null)/0        other    up
net2 (net2)  (null)/0        other    up
net3 (net3)  (null)/0        other    up

net2 \Device\NPF_{D744CB9D-F791-4C60-AA04-851443B57BD4}
net3 \Device\NPF_{14EFA483-1F71-4688-BD5D-3880992943F5}

DST/MASK           DEV  GATEWAY    net0 lo0       lo0 lo0   net0 net0      net0        lo0        net0        lo0          net0

You might have spotted that net0 seems to be listed as both down (on the
first line, no IP) and up (with an IP address) further down the list. After
re-enabling all the network adapters, I still got all of the interfaces
listed correctly in SOC7. 

I can see a device labelled "Microsoft" (Microsoft:
\Device\NPF_{14EFA483-1F71-4688-BD5D-3880992943F5}) in Wireshark, which has
the right IP address and is showing packets being captured and suggests
WinPcap/Wireshark is coping with Vista's presentation of the wireless card
(which, IIRC, is different to how it's presented under XP/2003). The odd
thing is the device's ID appears to be that of "net3" in nmap's --iflist
output, which doesn't have an IP address assigned to it. Trying to force it
to use net0 (or net1-3), in a last-ditch attempt to fool it into using the
one that's up, doesn't appear to work either.

Does anyone have any other ideas/suggestions I can try? If any fixes are
committed to SVN, I'm quite happy to compile and test it whenever I've got a
few spare minutes. 


Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
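
Added example, not part of the original post and not Nmap code: a small Python helper that parses --iflist output in the layout quoted above, flags device names listed more than once with a different state or address (the net0 case), and looks up which nmap device a WinPcap GUID shown in Wireshark maps to. The sample text is constructed from the post's format; 192.0.2.10/24 is a placeholder address and the function names are hypothetical.

```python
import re
from collections import defaultdict

# Constructed sample in the layout of the --iflist output quoted above;
# 192.0.2.10/24 is a placeholder address, not a value from the post.
SAMPLE = r"""
DEV  (SHORT) IP/MASK         TYPE     UP   MAC
net0 (net0)  (null)/0        other    down
eth4 (eth4)  (null)/0        ethernet down 00:19:B9:7F:5E:39
net0 (net0)  192.0.2.10/24   other    up
net3 (net3)  (null)/0        other    up

net2 \Device\NPF_{D744CB9D-F791-4C60-AA04-851443B57BD4}
net3 \Device\NPF_{14EFA483-1F71-4688-BD5D-3880992943F5}
"""

ROW = re.compile(r"^(\S+)\s+\((\S+)\)\s+(?:(\S+/\d+)\s+)?(\w+)\s+(up|down)"
                 r"(?:\s+((?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}))?\s*$")
NPF = re.compile(r"^(\S+)\s+(\\Device\\NPF_\{[0-9A-Fa-f-]+\})\s*$")

def parse_iflist(text):
    """Return (interface rows, {dev: WinPcap device name})."""
    rows, winpcap = [], {}
    for line in text.splitlines():
        if m := ROW.match(line):
            dev, _short, ip, _kind, state, mac = m.groups()
            # A missing or "(null)/0" IP/MASK column means no address.
            ip = None if ip is None or ip.startswith("(null)") else ip
            rows.append({"dev": dev, "ip": ip, "up": state == "up", "mac": mac})
        elif m := NPF.match(line):
            winpcap[m.group(1)] = m.group(2)
    return rows, winpcap

def conflicting_devices(rows):
    """Device names listed more than once with different state or address."""
    seen = defaultdict(set)
    for r in rows:
        seen[r["dev"]].add((r["up"], r["ip"]))
    return sorted(d for d, variants in seen.items() if len(variants) > 1)

def dev_for_guid(rows, winpcap, guid):
    """Map a WinPcap GUID (as shown by Wireshark) to nmap's dev and its IPs."""
    for dev, name in winpcap.items():
        if guid.lower() in name.lower():
            return dev, [r["ip"] for r in rows if r["dev"] == dev and r["ip"]]
    return None, []

if __name__ == "__main__":
    rows, winpcap = parse_iflist(SAMPLE)
    print(conflicting_devices(rows), dev_for_guid(rows, winpcap, "14EFA483"))
```

An empty address list for the GUID that Wireshark captures on is the mismatch described in the post: the WinPcap device is mapped to an nmap device name that carries no IP.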
