Home page logo
/

nmap-dev logo Nmap Development mailing list archives

Re: nmap: nsock_core.c:294: handle_connect_result: Assertion `0' failed.
From: "Fabio" <fabio.ped () libero it>
Date: Mon, 4 May 2009 12:04:04 +0200

On Thu, Apr 30, 2009 at 09:19:07AM +0200, Fabio wrote:
On Wed, Apr 29, 2009 at 03:29:20PM +0200, Fabio wrote:
When trying to scan some hosts to search for the Conficker virus I get
the following assertion. This is nmap 4.85BETA8 compiled from source on
a SPARC machine under Linux, gcc 4.0.3.

$ ./nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args 
checkconficker=1,safe=1 -T4 192.168.29.55

Starting Nmap 4.85BETA8 ( http://nmap.org ) at 2009-04-29 15:44 CEST
Strange connect error from 192.168.29.55 (42): Operation now in progress
nmap: nsock_core.c:294: handle_connect_result: Assertion `0' failed.
Aborted

This is a strange error. Errno 42 is ENOMSG, "No message of desired
type". But perror is printing out the message for EINPROGRESS,
"Operation now in progress". I suppose it is possible for errno and the
error code returned by getsockopt to be different in this part of the
code.

Does this assertion failure happen every time? If so, it would help if
you could send a packet capture created with tcpdump or a similar tool.

The assertion is 100% reproducible with that host. A packet capture
(with tcpdump -vvv) is attached.

Thanks. The packet trace is pretty strange. Here you send the TCP ping
probes, so far so good.

09:29:05.777093 IP (tos 0x0, ttl  56, id 3417, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 
192.168.29.55.139: S, cksum 0x5feb (correct), 1691702033:1691702033(0) win 1024 <mss 1460>
09:29:05.777462 IP (tos 0x0, ttl  52, id 4850, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 
192.168.29.55.445: S, cksum 0x5eb9 (correct), 1691702033:1691702033(0) win 1024 <mss 1460>

The remote host says that it doesn't understand TCP?

09:29:05.777795 IP (tos 0x0, ttl 128, id 25678, offset 0, flags [none], proto: ICMP (1), length: 56) 192.168.29.55 > 
192.168.29.1: ICMP 192.168.29.55 protocol 6 unreachable, length 36

Then the scanning machine sends back another TCP packet, this time with
no header.

      IP (tos 0x0, ttl  56, id 3417, offset 0, flags [none], proto: TCP (6), length: 44) 192.168.29.1.49218 > 
192.168.29.55.139:  tcp 24 [bad hdr length 0 - too short, < 20]

What is the operating system of 192.168.29.55?

It's a 3Com Network Jack.

Is there anything special
about the scanning SPARC machine?

Nothing I know about. Note however that the same error happens on a
x86 machine against the same target. I found at least another Network
Jack giving the same error.

Has anyone seen traffic like that and
can provide an explanation?

I guess the ENOMSG is caused by the "protocol 6 unreachable" replies.
Can you try the attached patch and see if it fixes the problem?

The patch does not help.


_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault