Nmap error: nmap: netutil.cc:3285: int route_dst_netlink(const sockaddr_storage*...

[tokyoneon]

Describe the bug:

Using privileged scan types (-sU) with Nmap returns the following error:

nmap: netutil.cc:3285: int route_dst_netlink(const sockaddr_storage*, route_nfo*, const char*, const sockaddr_storage*): Assertion `p != NULL` failed.

To Reproduce:

1. Create a Debian App.

2. Add Kali repos:

    echo 'deb https://http.kali.org/kali kali-rolling main contrib non-free' >> /etc/apt/sources.list
   

3. Add Kali signing key:

    wget -q -O - https://www.kali.org/archive-key.asc | apt-key add -
   

4. Update and install Nmap:

    apt-get update && apt-get install nmap -y
   

5. Perform Nmap scan as root:

    nmap -Pn -n -sU -A --top-ports 10 <target ip address>
   

Screenshot:

Device Information:

Device: Nexus 6P
Android Version: 8.1.0
UserLAnd Version 1.0.0

Some network/routing info:

# android/userland can see the router
$ ping 10.42.0.1

PING 10.42.0.1 (10.42.0.1) 56(84) bytes of data.
64 bytes from 10.42.0.1: icmp_seq=1 ttl=64 time=12.3 ms
64 bytes from 10.42.0.1: icmp_seq=2 ttl=64 time=14.0 ms
64 bytes from 10.42.0.1: icmp_seq=3 ttl=64 time=13.3 ms
64 bytes from 10.42.0.1: icmp_seq=4 ttl=64 time=3.62 ms
64 bytes from 10.42.0.1: icmp_seq=5 ttl=64 time=106 ms
64 bytes from 10.42.0.1: icmp_seq=6 ttl=64 time=67.10 ms
64 bytes from 10.42.0.1: icmp_seq=7 ttl=64 time=3.54 ms
64 bytes from 10.42.0.1: icmp_seq=8 ttl=64 time=8.27 ms

# normal routing table; only one gateway
$ route -n 

Kernel IP routing table
Destination     Gateway         Genmask         Flags Metric Ref    Use Iface
10.42.0.0       0.0.0.0         255.255.255.0   U     0      0        0 wlan0

# dns requests go over 10.42.0.1
$ cat /etc/resolv.conf 
nameserver 10.42.0.1

# access to internet without errors
$ curl 'https://wtfismyip.com/json'

 {
   "YourFuckingIPAddress": "185.220.100.252",
   "YourFuckingLocation": "Germany",
   "YourFuckingISP": "F3 Netze e.V.",
   "YourFuckingCountryCode": "DE"
}

[corbinlc]

Hmm... looks like it had trouble getting the name associated with the network interface. Can you enable proot logging (from settings enable it and turn the verbosity level to 9), then rerun the failing commands and then grab the PRoot_Debug_Log file from your (real or emulated) sdcard and send it to us one way or the other?

[tokyoneon]

Thanks! Here you go:

[corbinlc]

Sorry, can you provide the list of commands you ran when you were creating that debug log file. I am seeing a bit more than just the nmap call. If you don't remember exactly, can you delete the old debug log (from the settings) and repeat what you did and provide both the PRoot_Debug_Log and the copy and paste of what you ran in the term and what responses you got.

[corbinlc]

PRoot logs are very low level so I need to understand what is going on at a higher level to unravel it. If will probably ultimately be trying flow out myself, but if you could provide this one more piece of data for now, that would help.

[tokyoneon]

PRoot_Debug_Log.txt.zip
Sorry about that, I wasn't sure if the 50M came from older logs or generated after increasing verbosity. Attached is an updated log. Here's every command I ran:

1. entered ssh password via ConnectBot
2. $ su need root for nmap
3. $ nmap -Pn -n -sTUV --reason -T4 -A --top-ports 15 -vv 10.42.0.1
4. $ cd /sdcard
5. $ python3 -m http.server 9999 created an http server to access the debug log from another device on the network

[tokyoneon]

@corbinlc is there anything I can do to help with this?

[corbinlc]

Not now. I am sorry. This specific issue is a little lower down in the priority list right now. That being said, I will update you as soon as I am looking at it and as soon as I need anything. Thanks!

[corbinlc]

@tokyoneon we still don't have a solution for this, but we saw your article. It is well written. Can we get your permission to use part of the step by step instructions in our README?