nmap crash

nmap crash

Mike .
So in scanning my TIVO box that was said to have standard http ports open, I went ahead with a script scan for http info. Ran it as a wildcard, and in the output I got this and an exception thrown:



Initiating NSE at 22:10
NSE Timing: About 2.97% done; ETC: 22:27 (0:16:52 remaining)
NSE Timing: About 3.11% done; ETC: 22:42 (0:31:40 remaining)
Assertion failed: nse_status(nse) == NSE_STATUS_SUCCESS, file ..\nse_nsock.cc, line 737



Anyone ever see this? Ty
m|ke

_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
Re: nmap crash

Daniel Miller-10
Mike,

Thanks for the report. I have not seen this, but from digging into the code, it looks like it could happen if a Nsock timer (such as is created in stdnse.sleep) is canceled in such a way that still fires the sleep callback function. I can't really see a way to make that happen, but I'd guess it has something to do with host timeouts. I see a few different ways ahead:

1. In the meantime, if you are using -T5 and running lots of scripts, increase your host timeout from the default of 15 minutes, since you probably don't want it to time out anyway.

2. We can add an additional condition to the assertion so that NSE_STATUS_CANCELLED is valid, too. This would result in the thread which called the cancelled sleep being resumed, so I don't know if that's what we want either.

3. We can dig into the specific conditions which caused this crash and correct the underlying problem. If you want to help with this, please let us know the exact command line you used, whether you can reproduce the crash, and any information (open ports, services, etc) about the target that may be relevant.

Thanks again!
Dan



Re: nmap crash

Daniel Miller-10
Mike,

I just reproduced the problem: it was caused by pressing Ctrl+C while a script is sleeping. I reproduced it with a super-simple prerule script which just sleeps for 10 seconds. Now we just need to come up with a proper fix.

I do want to caution you that 'http*' includes a few scripts that you probably don't want to run for just information gathering:

dos (denial of service) category: http-slowloris. This is probably the script that crashed, since it calls sleep a lot. This will run for 30 minutes by default, and will conflict with other scripts since it tries to prevent the target from responding to anyone (even NSE!).

brute category: http-brute, http-form-brute, http-iis-short-name-brute, http-joomla-brute, http-proxy-brute, and http-wordpress-brute. If there are any authorization forms or 401 codes, some of these scripts will try to brute-force logins. http-iis-short-name-brute will try to brute-force names of files on the target, too.

external category: http-google-malware, http-icloud-findmyiphone, http-icloud-sendmsg, http-open-proxy, http-proxy-brute, http-robtex-reverse-ip, http-robtex-shared-ns, http-virustotal, and http-xssed. These will all request information about your target from external sources, or attempt to contact external servers through your target.

Dan

On Fri, Feb 20, 2015 at 8:18 AM, Mike . <[hidden email]> wrote:

Thanks for looking into this and getting back to me! Yes, I can reproduce this, as I did here:

Initiating NSE at 07:49
NSE Timing: About 3.10% done; ETC: 08:05 (0:16:08 remaining)
NSE Timing: About 3.24% done; ETC: 08:20 (0:30:21 remaining)
NSE Timing: About 3.24% done; ETC: 08:36 (0:45:16 remaining)
NSE Timing: About 3.24% done; ETC: 08:51 (1:00:12 remaining)
Assertion failed: nse_status(nse) == NSE_STATUS_SUCCESS, file ..\nse_nsock.cc, line 737


cmd was: nmap -n -vv -T4 -Pn -reason -max-retries 2 192.168.0.10 -script http*


And like I said, not just an nmap crash, but I get the kernel catching it from an exception window on Win7.



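Dan's point above is that a bare `http*` wildcard pulls in dos, brute and external scripts. The Nmap way to exclude them is a category expression such as `--script "http-* and not (dos or brute or external)"`; the following added example (not code from the thread or from the Nmap project) shows the same selection logic over a constructed excerpt in the format of Nmap's script.db, so you can see which scripts survive the filter without running a scan. The script names and categories in SAMPLE_SCRIPT_DB are a constructed sample, not a copy of a real script.db.

```python
import re
from fnmatch import fnmatch

# Constructed sample in the one-Entry-per-line layout of nmap's script.db.
# Categories mirror the thread: http-slowloris is "dos", *-brute scripts are
# "brute", http-virustotal is "external", and http-proxy-brute is in both
# "brute" and "external". http-title stands in for the scripts you want to keep.
SAMPLE_SCRIPT_DB = """\
Entry { filename = "http-title.nse", categories = { "default", "discovery", "safe", } }
Entry { filename = "http-slowloris.nse", categories = { "dos", "intrusive", } }
Entry { filename = "http-brute.nse", categories = { "brute", "intrusive", } }
Entry { filename = "http-proxy-brute.nse", categories = { "brute", "external", "intrusive", } }
Entry { filename = "http-virustotal.nse", categories = { "discovery", "external", "safe", } }
Entry { filename = "ftp-anon.nse", categories = { "auth", "default", "safe", } }
"""

ENTRY_RE = re.compile(
    r'Entry \{ filename = "(?P<name>[^"]+)", categories = \{ (?P<cats>[^}]*)\} \}'
)


def parse_script_db(text):
    """Return {script_name: set(categories)}; the .nse suffix is dropped from names."""
    db = {}
    for line in text.splitlines():
        m = ENTRY_RE.match(line.strip())
        if not m:
            continue  # blank or unrecognised line: skip rather than guess
        name = m.group("name")
        if name.endswith(".nse"):
            name = name[:-4]
        db[name] = set(re.findall(r'"([^"]+)"', m.group("cats")))
    return db


def select_scripts(db, pattern, excluded):
    """Script names matching a shell-style pattern and carrying none of the excluded categories.

    Equivalent to the nmap expression: "<pattern> and not (<cat1> or <cat2> ...)".
    """
    excluded = set(excluded)
    return sorted(
        name for name, cats in db.items()
        if fnmatch(name, pattern) and not (cats & excluded)
    )


if __name__ == "__main__":
    db = parse_script_db(SAMPLE_SCRIPT_DB)
    print("http-* minus dos/brute/external:", select_scripts(db, "http-*", {"dos", "brute", "external"}))
    print("all http-* scripts:", select_scripts(db, "http-*", set()))
```

Against a real installation, `nmap --script-help "http-* and not (dos or brute or external)"` lists the scripts the same expression selects, which is a cheap check before pointing the scan at a device.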
Re: nmap crash

Henri Doreau
2015-02-20 17:45 GMT+01:00 Daniel Miller <[hidden email]>:
Hi,

This was on windows, right? Dan, could you reproduce on Linux as well?
If so can you share the details because simply interrupting a sleeping
script does not crash here. Also, canceling NSE timers seems to work
properly (sleeping script + short --host-timeout value).

Henri