Hi, I just installed Arch on my VM and have been trying to run nbtscan on my network, but I receive "Segmentation fault (core dumped)" when running the command. I have been a Debian user for quite a long time and never received such an error from nbtscan. I thought it must be some dependency problem of my distro, so I tried the same command on Manjaro and received the same message.
Later I tried this on BlackArch and it worked like a charm, but I don't want to switch to BlackArch as it contains loads of tools which I have no need of. As a security guy I want my distro with applications of my choice only, so I switched from Kali to Arch.
Any help resolving this segmentation fault issue will be appreciated.
Thank you.
How did you install nbtscan, and how are you trying to run it? What is the full output?
Sakura:-
Mobo: MSI MAG X570S TORPEDO MAX // Processor: AMD Ryzen 9 5950X @4.9GHz // GFX: AMD Radeon RX 5700 XT // RAM: 32GB (4x 8GB) Corsair DDR4 (@ 3000MHz) // Storage: 1x 3TB HDD, 6x 1TB SSD, 2x 120GB SSD, 1x 275GB M2 SSD
Making lemonade from lemons since 2015.
I installed it with the command "sudo pacman -S nbtscan"
and ran it with the command "nbtscan <IP>"
[root@archlinux ~]# nbtscan 192.168.0.1/24
Doing NBT name scan for addresses from 192.168.0.1/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.0.0 Sendto failed: Permission denied
Segmentation fault (core dumped)
[root@archlinux ~]#
This is the output I got. But instead of a segmentation fault I should have got all the other IPs which are connected to my network.
Take a look at the core dump, and see what the backtrace looks like.
[root@archlinux ~]# coredumpctl info match
No coredumps found.
[root@archlinux ~]# coredumpctl gdb match
No match found.
[root@archlinux ~]# (gdb)
GNU gdb (GDB) 8.2
Copyright (C) 2018 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.
Type "show copying" and "show warranty" for details.
This GDB was configured as "x86_64-pc-linux-gnu".
Type "show configuration" for configuration details.
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>.
Find the GDB manual and other documentation resources online at:
<http://www.gnu.org/software/gdb/documentation/>.
For help, type "help".
Type "apropos word" to search for commands related to "word".
(gdb) bt
No stack.
(gdb)
This is what I got on backtrace.
Also on using "coredumpctl list"
TIME PID UID GID SIG COREFILE EXE
Thu 2018-09-13 01:38:07 IST 1627 1000 985 11 missing /usr/bin/gnome-co>
Thu 2018-09-13 10:52:10 IST 1288 0 0 11 missing /usr/bin/nbtscan
It's saying "missing" for the corefile.
Please try the following
gdb nbtscan
run 192.168.0.1/24 #wait for the segmentation fault
bt
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.0.0 Sendto failed: Permission denied
Program received signal SIGSEGV, Segmentation fault.
0x00005555555557fd in ?? ()
(gdb) bt
#0 0x00005555555557fd in ?? ()
#1 0x00007ffff7de6223 in __libc_start_main () from /usr/lib/libc.so.6
#2 0x0000555555555eba in ?? ()
Here's the output.
See Debug_-_Getting_Traces for steps to rebuild the nbtscan package with debug symbols.
I filed a bug report a month ago, which however didn't receive attention.
FS#59669
Permission is denied on the broadcast address (.0) and it segfaults on the gateway (.1) - all other addresses seem fine here.
So to mitigate the problem: nbtscan 192.168.0.2-255
Is nbtscan actually still maintained? The upstream domain seems down.
It segfaults in nbtscan.c:537 "delta = rtt - srtt;"
Trying to inject printf("%f - %f - %f\n", rtt, srtt, delta); causes the segfault to move to line 532, so we got a nice stack overflow here.
If somebody has a valgrind that does not run into https://bugs.archlinux.org/task/59551, you might want to throw that against nbtscan.
valgrind nbtscan 192.168.0.1/24
==20862== Memcheck, a memory error detector
==20862== Copyright (C) 2002-2017, and GNU GPL'd, by Julian Seward et al.
==20862== Using Valgrind-3.14.0.GIT and LibVEX; rerun with -h for copyright info
==20862== Command: nbtscan 192.168.0.1/24
==20862==
Doing NBT name scan for addresses from 192.168.0.1/24
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.0.0 Sendto failed: Permission denied
192.168.0.3 REDACTED <server> <unknown> REDACTED
==20862==
==20862== HEAP SUMMARY:
==20862== in use at exit: 4,951 bytes in 151 blocks
==20862== total heap usage: 158 allocs, 7 frees, 7,630 bytes allocated
==20862==
==20862== LEAK SUMMARY:
==20862== definitely lost: 3,652 bytes in 146 blocks
==20862== indirectly lost: 0 bytes in 0 blocks
==20862== possibly lost: 0 bytes in 0 blocks
==20862== still reachable: 1,299 bytes in 5 blocks
==20862== suppressed: 0 bytes in 0 blocks
==20862== Rerun with --leak-check=full to see details of leaked memory
==20862==
==20862== For counts of detected and suppressed errors, rerun with: -v
==20862== ERROR SUMMARY: 0 errors from 0 contexts (suppressed: 0 from 0)
Yeahno, beyond valgrind. Linking in ASAN
==19889==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000040 (pc 0x562730adcf6c bp 0x7ffe6e5a6d20 sp 0x7ffe6e5a67e0 T0)
==19889==The signal is caused by a READ memory access.
==19889==Hint: address points to the zero page.
#0 0x562730adcf6b in main /tmp/nbtscan-1.5.1a/nbtscan.c:534
#1 0x7f3fff2c2222 in __libc_start_main (/usr/lib/libc.so.6+0x24222)
#2 0x562730addd5d in _start (/tmp/nbtscan-1.5.1a/nbtscan+0x6d5d)
AddressSanitizer can not provide additional info.
SUMMARY: AddressSanitizer: SEGV /tmp/nbtscan-1.5.1a/nbtscan.c:534 in main
==19889==ABORTING
So it would seem hostinfo->header->transaction_id is invalid, likely because parse_response() is parsing some nonsense.
The code says "Copyright (C) Andrew Tridgell 1992-199" and "Copyright (C) 1999-2003 Alla Bezroutchko", which does not sound very promising…
What do you suggest I should do now? As far as I know nbtscan is still maintained and works fine in Debian and BlackArch. As a security guy, nbtscan is one of the basic tools which I need during my work.
Contact the maintainer, report a bug. Apparently something in the gateway response changed, likely kernel version related.
But the upstream URL is down, the wikipedia page links some über-dated version and the copyright notes in the code are 15 years and older - I frankly wouldn't hold my breath for a response.
As mentioned before, to mitigate the issue short term, you can exclude the gateway from scanning.
A crude "fix" would be to
return NULL;
instead of
return hostinfo;
in statusq.c:328
The code leaks like shit anyway and this is more robust, since the structure writes cause some overflow, moving the hostinfo memory address to 0x40…
If that's so, then why does the same package work in BlackArch? It's an Arch Linux distro too, right?
Maybe, if you want, I can check on BlackArch and compare the results with vanilla to solve this issue?
@ColdFusionX at best that would be another workaround. nbtscan takes input from the network and does not parse it safely for all possible input values.
Even if it does parse the input it still leaks memory.
Edit:
grammar missing and
Last edited by loqs (2018-09-17 17:46:03)
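To make the "does not parse it safely for all possible input values" point concrete: below is an added example (my own code, not nbtscan's, and not a fix for the statusq.c bug discussed above) of a bounds-checked parser for a NetBIOS node status response, the datagram type nbtscan sends and receives. The field layout (12-byte header, 34-byte encoded name, fixed resource-record fields, RDATA of a name count, 18-byte name entries and a statistics block starting with the MAC) follows RFC 1002; the function names, the return codes, the NBT_MAX_NAMES cap and the sample datagram are all assumptions constructed for this example, not a captured response. The parser checks the transaction ID and every length before it reads, which is the class of check whose absence lets a surprising gateway reply turn into a crash.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* NBT node status response layout (RFC 1002 4.2.18), sizes in bytes. */
#define NBT_HDR_LEN      12   /* TID, flags, QDCOUNT, ANCOUNT, NSCOUNT, ARCOUNT */
#define NBT_NAME_LEN     34   /* 0x20, 32 encoded chars, 0x00 terminator */
#define NBT_RR_FIXED_LEN 10   /* type(2) class(2) ttl(4) rdlength(2) */
#define NBT_NAME_ENTRY   18   /* 15-char name, 1 suffix byte, 2 flag bytes */
#define NBT_MAX_NAMES    16   /* assumed cap for this example, not a protocol limit */

typedef struct {
    uint16_t transaction_id;
    uint8_t  num_names;
    char     names[NBT_MAX_NAMES][16];   /* NUL-terminated, trailing spaces trimmed */
    uint8_t  mac[6];
} nbt_status;

static uint16_t rd16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* Returns 0 on success, a negative code if the datagram is not a well-formed
 * node status response for transaction expected_tid. Nothing is read from buf
 * beyond len, whatever the embedded length fields claim. */
int parse_node_status(const uint8_t *buf, size_t len, uint16_t expected_tid, nbt_status *out)
{
    if (len < NBT_HDR_LEN) return -1;
    uint16_t tid   = rd16(buf);
    uint16_t flags = rd16(buf + 2);
    if (tid != expected_tid) return -2;          /* stray datagram, not our query */
    if (!(flags & 0x8000))   return -3;          /* QR bit clear: not a response */
    if (rd16(buf + 6) != 1)  return -4;          /* ANCOUNT must be exactly 1 */

    size_t off = NBT_HDR_LEN;
    if (len < off + NBT_NAME_LEN + NBT_RR_FIXED_LEN) return -5;
    if (buf[off] != 0x20 || buf[off + 33] != 0x00) return -6;  /* malformed name */
    off += NBT_NAME_LEN;
    if (rd16(buf + off) != 0x0021) return -7;    /* RR type must be NBSTAT */
    uint16_t rdlength = rd16(buf + off + 8);
    off += NBT_RR_FIXED_LEN;
    if (rdlength > len - off) return -8;         /* RDATA longer than what arrived */
    if (rdlength < 1)         return -9;
    size_t end = off + rdlength;

    uint8_t n = buf[off++];
    if (n > NBT_MAX_NAMES) return -10;
    if ((size_t)n * NBT_NAME_ENTRY + 6 > end - off) return -11;  /* names + MAC */

    memset(out, 0, sizeof *out);
    out->transaction_id = tid;
    out->num_names = n;
    for (uint8_t i = 0; i < n; i++) {
        memcpy(out->names[i], buf + off, 15);
        out->names[i][15] = '\0';
        for (int j = 14; j >= 0 && out->names[i][j] == ' '; j--) out->names[i][j] = '\0';
        off += NBT_NAME_ENTRY;
    }
    memcpy(out->mac, buf + off, 6);              /* first 6 bytes of statistics */
    return 0;
}

/* Constructed sample response (not a real capture): TID 0x1234, two names,
 * MAC 00:11:22:33:44:55. Returns the datagram length (99) or 0 if cap is too small. */
size_t build_sample_response(uint8_t *buf, size_t cap)
{
    static const uint8_t hdr[] = {0x12,0x34, 0x84,0x00, 0,0, 0,1, 0,0, 0,0};
    static const uint8_t rr[]  = {0x00,0x21, 0x00,0x01, 0,0,0,0, 0x00,0x2B}; /* rdlength 43 */
    static const uint8_t mac[] = {0x00,0x11,0x22,0x33,0x44,0x55};
    if (cap < 99) return 0;
    size_t off = 0;
    memcpy(buf + off, hdr, sizeof hdr); off += sizeof hdr;
    buf[off++] = 0x20;
    memset(buf + off, 'A', 32); off += 32;       /* encoded name; not validated here */
    buf[off++] = 0x00;
    memcpy(buf + off, rr, sizeof rr); off += sizeof rr;
    buf[off++] = 2;                              /* number of names */
    memcpy(buf + off, "HOST1          ", 15); off += 15;
    buf[off++] = 0x00; buf[off++] = 0x04; buf[off++] = 0x00;   /* unique, active */
    memcpy(buf + off, "WORKGROUP      ", 15); off += 15;
    buf[off++] = 0x00; buf[off++] = 0x84; buf[off++] = 0x00;   /* group, active */
    memcpy(buf + off, mac, sizeof mac); off += sizeof mac;
    return off;
}

int main(void)
{
    uint8_t dgram[128];
    nbt_status st;
    size_t len = build_sample_response(dgram, sizeof dgram);
    int rc = parse_node_status(dgram, len, 0x1234, &st);
    printf("parse rc=%d names=%u\n", rc, st.num_names);
    for (uint8_t i = 0; rc == 0 && i < st.num_names; i++) printf("  %s\n", st.names[i]);
    printf("truncated rc=%d\n", parse_node_status(dgram, 60, 0x1234, &st));
    return rc == 0 ? 0 : 1;
}
```

The same datagram cut short (the second call above) is rejected by the rdlength check instead of being read past its end, and a reply carrying a transaction ID other than the one we sent is dropped rather than matched against our host table. Those two checks are the difference between a scanner that reports one odd host and one that segfaults on it.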
The memory leaks are semi-negligible; it's not a daemon and the processed information is small (at least by today's standards).
As for BlackArch: since it seems to be some repo on top of Arch, but seems to distribute its own version of nbtscan(?), I'd look up that PKGBUILD and compare it with the one in the community repo.
Also I'd link ASAN into that one just to see whether it's really bug-free.
Still, I doubt this code is maintained. Netbios is pretty much dead (ok: dying since a decade or so ;-)
@seth tell me if you need something, maybe I'll be able to help.
PS: not an Arch pro yet, so try to give me an easy task.
The PKGBUILD from blackarch (or a link to their repo, couldn't find it on their website)
If they use the same sources and no patch, you'll have to build nbtscan locally and link in ASAN, by adding " -fsanitize=address -fno-omit-frame-pointer" to the CFLAGS. Then run it. ASAN should tell you if there's something wrong.
The package from BlackArch gives a segmentation fault for me too.
http://blackarch.mirror.garr.it/mirrors … pkg.tar.xz
...anyway, I found another tool, also named nbtscan, that does the same thing and works:
http://unixwiz.net/tools/nbtscan.html
Tried the precompiled binary, works pretty much the same with the following:
./nbtscan-1.0.35-redhat-linux -w 1 -T 0 -m 192.168.0.1-254
Last edited by kokoko3k (2018-10-15 09:16:43)
Help me to improve ssh-rdp !
Retroarch User? Try my koko-aio shader !
Windows 9x, NT and 2000
binary works on Red Hat Linux 6.0 - 8.0, Debian "woody", and Mandrake 8.1
It's what I had considered the dated version, linked on Wikipedia. But at a glance, the code looks different (and the copyright info does as well).
I'd however try to compile it; this binary is ~16 years old.
It builds flawlessly
You might want to raise that with the nbtscan maintainer and either incorporate the workaround or switch to the different source base (whatever he feels more comfortable with; it also might depend on usage compatibility).
Usually this isn't a valid downstream bug, but again: I'd say *both* projects are as rotten as NetBIOS, so this is unlikely ever to be fixed upstream.