Npcap(win) Diagreport runs amok if SMB server not running #338

Closed
jb-wisemo opened this issue Sep 23, 2019 · 2 comments

Comments

@jb-wisemo commented Sep 23, 2019

On Windows, Npcap's DiagReport.bat starts by running the command "net session" and assumes any error from this requires that it asks the OS to rerun it as an Administrator.

This has two fatal flaws:

  1. If "net session" fails for any other reason, "DiagReport.bat" will relaunch itself as administrator in an infinite recursive loop, essentially DOS-ing the shell and window manager, as each relaunch pops up a console window on top of all regular windows, stealing keyboard focus away from any attempts to kill the madness other than an external power off. (Test note: The runaway happens once it is already running as administrator, as there will be no further UAC prompt).

  2. At least on Windows 8.1, if the SMB server service named "LanmanServer" or just "Server" is stopped (as a general OS hardening measure), "net session" will fail with an explicit error message to this effect, triggering this npcap bug.

Manual workaround:

Step 0: If already runaway, log off or power off the computer.
Step 1: Convert DiagReport.bat from LF to CRLF format.
Step 2: Comment out the line "net session >nul 2>&1" near the top of the file.
Step 3: Manually run DiagReport.bat as Administrator ("elevated").

This was seen in Wireshark-bundled Npcap 0.995, 64-bit. As of today, the broken code is still at https://github.com/nmap/npcap/blob/master/installer/DiagReport.bat

@dmiller-nmap (Contributor) commented Sep 24, 2019

Thanks for reporting this! I'll investigate alternatives. This article seems to be a well-researched discussion of the topic of detecting elevated privileges: https://www.robvanderwoude.com/battech_elevation.php

@dmiller-nmap (Contributor) commented Sep 24, 2019

Ended up using the whoami /Groups method to check for SID S-1-16-12288, high integrity level, which works from Vista onwards. Npcap is not supported on systems older than Windows Vista.
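The two checks discussed in this thread side by side, as an added example that is not Npcap's DiagReport.bat nor code from either commenter: the fragile `net session` pattern is shown only in comments, and the working check looks for the high integrity level SID `S-1-16-12288` in `whoami /groups`. The `/relaunched` argument, the PowerShell `Start-Process -Verb RunAs` relaunch, and the `:main` label are assumptions introduced here to show how a script can avoid the infinite relaunch loop described in the report.

```batch
@echo off
REM Added example (not Npcap's DiagReport.bat): elevation check based on the
REM integrity level SID reported by "whoami /groups", plus a guard against the
REM self-relaunch loop described in the issue.
setlocal

REM Fragile pattern from the report: any "net session" failure, including
REM "The Server service is not started", is treated as "not elevated", so an
REM already elevated script relaunches itself forever.
REM   net session >nul 2>&1
REM   if errorlevel 1 ( relaunch elevated )

REM Robust check (Vista and later): an elevated token carries the
REM High Mandatory Level SID S-1-16-12288. S-1-16-16384 (System Mandatory
REM Level) is accepted as well so that SYSTEM-run tasks are not relaunched.
whoami /groups | findstr /c:"S-1-16-12288" /c:"S-1-16-16384" >nul 2>&1
if %errorlevel% equ 0 (
    echo Running elevated.
    goto :main
)

REM Recursion guard (assumed argument /relaunched): if we were already
REM relaunched once and still are not elevated, stop instead of looping.
if "%~1"=="/relaunched" (
    echo Elevation was requested but not granted. Aborting.
    exit /b 1
)

echo Not elevated; requesting elevation via UAC...
REM Assumed relaunch mechanism: PowerShell Start-Process with the RunAs verb.
powershell -NoProfile -Command "Start-Process -FilePath '%~f0' -ArgumentList '/relaunched' -Verb RunAs"
exit /b 0

:main
REM Diagnostic collection would go here; placeholder for this example.
echo Collecting diagnostic information...
endlocal
exit /b 0
```

Running the script from a non-elevated prompt produces one UAC prompt and at most one relaunch; running it from an already elevated prompt, or with the Server service stopped, goes straight to `:main` because the integrity check does not depend on any network service being available.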

@fyodor fyodor transferred this issue from nmap/nmap May 5, 2021