Nmap Development mailing list archives
A summary of Windows Vista interface troubles and a proposed fix
From: David Fifield <david () bamsoftware com>
Date: Thu, 29 Nov 2007 13:28:51 -0700
Hi all. This is a summary of troubles people have been having that relate to wireless interfaces on Windows Vista. For some background see http://seclists.org/nmap-dev/2007/q4/0290.html and http://seclists.org/nmap-dev/2007/q4/0331.html.

The immediate cause of the problem is that Windows Vista uses a different interface type number for wireless interfaces than previous versions of Windows did. See http://msdn2.microsoft.com/en-us/library/aa366058.aspx. Previously the number was IF_TYPE_ETHERNET_CSMACD (6), now it's IF_TYPE_IEEE80211 (71). That particular interface type is not supported by libdnet; instead of being mapped to a name starting with "eth", it gets mapped to a name starting with "net".

The problem with this is that the interfaces are stored in a table by their number, so wireless devices go in row 71. But when you look up an interface by name (through intf_get or similar), an inverse mapping is performed. All "net" devices map to IF_TYPE_OTHER (1), not 71 where the entries are stored. Accessing the uninitialized memory causes a crash.

If you want to simulate this experience on Windows XP, just change 'name = "eth";' to 'name = "net";' in _ifcombo_name in libdnet-stripped/src/intf-win32.c. Trying to scan over your Ethernet interface will cause a crash.

A solution I came up with is to canonicalize interface numbers before they are used to store anything in the table. This is done by first mapping the number to a name, then mapping the name back to a number. This has the effect of mapping all unknown interface types to IF_TYPE_OTHER (1), but at least they all can be found. The canonicalization is internal to libdnet; when you get an interface from the library it will have its original interface type.

On its own this isn't enough because wireless devices also get mapped to IF_TYPE_OTHER, so Nmap doesn't know that they're Ethernet devices and tries to use raw sockets on the interface, which doesn't work. So another part of the change is to map IF_TYPE_IEEE80211 to "eth". Then all wired and wireless Ethernet devices map to row 6 in the table, just as in Windows XP.

I've attached a patch. Windows Vista wireless users please give it a try and tell us how it goes.

David Fifield

P.S. Vista users, wireless or not, were also seeing interfaces with a type of IF_TYPE_TUNNEL (131). Gianluca Varenni told me that these are IPv6-over-IP tunnel interfaces, enabled by default in Vista. This patch does not address them.
Attachment: intf-types.diff
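The store/lookup mismatch and the two-part fix described in the message, as an added example that is not part of the original post or the attached patch. It is a simplified model, not libdnet code: `row_count`, `type_to_name`, `name_to_type`, `canon_type` and `scenario` are hypothetical names; only the type constants and the "eth"/"net" prefixes come from the message.

```c
#include <stdio.h>
#include <string.h>

/* Interface type numbers quoted in the message. */
#define IF_TYPE_OTHER            1
#define IF_TYPE_ETHERNET_CSMACD  6
#define IF_TYPE_IEEE80211       71
#define MAX_TYPE               256

/* Hypothetical model of the table: number of interfaces stored in each row. */
static int row_count[MAX_TYPE];

/* Type -> name prefix; wifi_is_eth models mapping IF_TYPE_IEEE80211 to "eth". */
static const char *type_to_name(int type, int wifi_is_eth) {
    if (type == IF_TYPE_ETHERNET_CSMACD) return "eth";
    if (type == IF_TYPE_IEEE80211 && wifi_is_eth) return "eth";
    return "net"; /* every type the mapping does not know */
}

/* Name prefix -> type: the inverse mapping performed on lookup by name. */
static int name_to_type(const char *name) {
    return strncmp(name, "eth", 3) == 0 ? IF_TYPE_ETHERNET_CSMACD : IF_TYPE_OTHER;
}

/* Canonicalize: round-trip the number through its name before indexing. */
static int canon_type(int type, int wifi_is_eth) {
    return name_to_type(type_to_name(type, wifi_is_eth));
}

/* Store one Vista wireless interface, then look it up by name.
   Returns the row the lookup lands on, or -1 if that row is empty
   (the case where the real code touched uninitialized memory). */
int scenario(int canonicalize, int wifi_is_eth) {
    int type = IF_TYPE_IEEE80211;
    int row = canonicalize ? canon_type(type, wifi_is_eth) : type;
    memset(row_count, 0, sizeof row_count);
    row_count[row]++;
    int hit = name_to_type(type_to_name(type, wifi_is_eth));
    return row_count[hit] > 0 ? hit : -1;
}

int main(void) {
    printf("unpatched:              %d\n", scenario(0, 0));
    printf("canonicalize only:      %d\n", scenario(1, 0));
    printf("canonicalize + eth map: %d\n", scenario(1, 1));
    return 0;
}
```

With canonicalization alone the lookup succeeds but lands on the IF_TYPE_OTHER row, which is the case the message says still leaves Nmap unaware that the device is Ethernet.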