Nmap Development mailing list archives
Re: from netscantools fin rst ack
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Wed, 19 Aug 2015 00:23:33 +0800
Hi Kirk,

I have analyzed your pcap file. It seems that NetScanTools has specified a physical Ethernet interface IP (192.168.0.200) for the loopback interface. Actually this is not the right usage.

First of all, the Windows TCP/IP stack doesn't allow a loopback packet to pass through with Src-IP and Dst-IP from different adapters. For example, you can ping from 192.168.0.200 to 192.168.0.200; it's loopback. You can ping from 127.0.0.1 to 127.0.0.1 (or even 127.0.0.2; they are the same). But you can't ping from 192.168.0.200 to 127.0.0.1. Windows just ignores this kind of packet, and Npcap has no magic to let these packets go. See the experiment below, where 192.168.0.107 is my physical Ethernet card IP.

-------------------------------------------------------------------------------------------------
C:\Windows\system32>ping -S 192.168.0.107 127.0.0.1

Pinging 127.0.0.1 from 192.168.0.107 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
-------------------------------------------------------------------------------------------------

Using Wireshark, I have confirmed these ICMP requests didn't go to the "Npcap Loopback Adapter" interface or the physical Ethernet interface. They are just discarded by Windows.

Then I have tested with Nmap:

1) nmap -v -sS -S 192.168.0.107 -e lo0 -Pn 127.0.0.2
2) nmap -v -sS -S 127.0.0.3 -e lo0 -Pn 127.0.0.2

Command 1) fails to get any responses; command 2) runs well. So you can see that using the IP of a physical interface on a loopback packet is NOT the correct way, and you are expected to get no right responses, based on Windows' mechanism. I don't know why you get two responses for every TCP SYN scan, but who knows how Windows will respond to a wrong input? It is undocumented.
The best solution is to use the 127.0.0.1 source IP for any loopback usage. To determine whether you are using a loopback interface, you can refer to what I have done in Nmap:

https://svn.nmap.org/nmap-exp/yang/nmap-npcap/
https://svn.nmap.org/nmap-exp/yang/nmap-npcap/libdnet-stripped/src/intf-win32.c

The intf_get_loopback_name() function from intf-win32.c is pasted below. This function returns 1 if Npcap is found, and the adapter name can be saved in a global variable for future use.

    #include <windows.h>
    #include <string.h>

    /* On 64-bit Windows the Npcap key lives under Wow6432Node (the installer
       is a 32-bit program). A 32-bit process is sent there by the registry
       redirector automatically; a 64-bit process must name it explicitly. */
    #ifdef _X86_
    #define NPCAP_SOFTWARE_REGISTRY_KEY "SOFTWARE\\Npcap"
    #else // AMD64
    #define NPCAP_SOFTWARE_REGISTRY_KEY "SOFTWARE\\Wow6432Node\\Npcap"
    #endif

    /* Copies the Npcap loopback adapter name into buffer and returns 1 if the
       Npcap key and its "Loopback" value exist, 0 otherwise. */
    int intf_get_loopback_name(char *buffer, int buf_size)
    {
      HKEY hKey;
      DWORD type;
      DWORD size;                 /* RegQueryValueEx takes an LPDWORD, not an int* */
      int res = 0;

      if (buf_size <= 0)
        return 0;
      size = (DWORD)buf_size;
      memset(buffer, 0, buf_size);

    #ifndef _X86_
      /* Controls file-system redirection only; registry access is not
         affected, so the key choice above is what actually matters here. */
      Wow64EnableWow64FsRedirection(FALSE);
    #endif

      if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, NPCAP_SOFTWARE_REGISTRY_KEY, 0, KEY_READ, &hKey) == ERROR_SUCCESS) {
        if (RegQueryValueExA(hKey, "Loopback", 0, &type, (LPBYTE)buffer, &size) == ERROR_SUCCESS && type == REG_SZ) {
          buffer[buf_size - 1] = '\0';   /* REG_SZ data is not guaranteed to be NUL-terminated */
          res = 1;
        }
        RegCloseKey(hKey);
      }

    #ifndef _X86_
      Wow64EnableWow64FsRedirection(TRUE);
    #endif

      return res;
    }

Cheers,
Yang

On Tue, Aug 18, 2015 at 10:09 AM, NetScanTools Customer Service <support () netscantools com> wrote:
Hi,

Here is a Wireshark capture of a SYN scan of 127.0.0.1 with the 2-packet response. The source IP of 192.168.0.200 is the WinPcap Ethernet interface on the same machine.

Thanks,
Kirk Thomas

---- File information -----------
     File:  port-scan-fin-rst-ack.pcapng
     Date:  17 Aug 2015, 19:04
     Size:  13056 bytes.
     Type:  Unknown
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
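The source/destination rule Yang describes above, as an added example that is not part of the thread and not Nmap's or Npcap's code. It turns the three observations in his message (127.0.0.3 to 127.0.0.2 works, a physical address to itself works, a physical address to 127.0.0.1 is dropped with "General failure") into two checks a scanner can run before building a loopback packet: loopback_pair_is_deliverable() models only those observed cases, not any documented Windows rule, and choose_loopback_source() picks the -S address his message recommends (127.0.0.1 for a 127/8 target, the adapter's own address when the target is the adapter itself). Both function names, the dotted-quad parser and the sample addresses are assumptions made for this example; it uses no Windows API so it compiles and runs on any platform.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse a dotted-quad IPv4 address into a host-order integer.
   Returns 1 on success, 0 if the text is not a valid address. */
static int parse_ipv4(const char *text, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;

    if (sscanf(text, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* 127.0.0.0/8: every address in it is the local host, which is why
   127.0.0.1, 127.0.0.2 and 127.0.0.3 are interchangeable in the thread. */
static int in_loopback_net(uint32_t ip)
{
    return (ip >> 24) == 127;
}

/* Model of the behaviour observed in the thread (an assumption, not Windows'
   documented rule): a packet whose source and destination are both in 127/8,
   or whose source equals its destination, is delivered locally; a source on a
   physical adapter paired with a 127/8 destination is dropped. Returns 1 if
   the pair would be delivered, 0 if it would be dropped or is malformed. */
int loopback_pair_is_deliverable(const char *src, const char *dst)
{
    uint32_t s, d;

    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d))
        return 0;
    if (in_loopback_net(s) && in_loopback_net(d))
        return 1;                    /* nmap -S 127.0.0.3 ... 127.0.0.2 */
    if (s == d)
        return 1;                    /* ping 192.168.0.200 -> 192.168.0.200 */
    return 0;                        /* ping -S 192.168.0.107 127.0.0.1 */
}

/* Choose the -S value for a target, given the addresses of the local adapters.
   For a 127/8 target the answer is 127.0.0.1, as the message recommends; for a
   target that is one of the local adapters' own addresses, that same address
   (source == destination). Any other target is not a loopback scan and NULL is
   returned so the caller uses the normal route and its physical interface. */
const char *choose_loopback_source(const char *target,
                                   const char *const *local_addrs, size_t n)
{
    uint32_t t, l;
    size_t i;

    if (!parse_ipv4(target, &t))
        return NULL;
    if (in_loopback_net(t))
        return "127.0.0.1";
    for (i = 0; i < n; i++) {
        if (parse_ipv4(local_addrs[i], &l) && l == t)
            return local_addrs[i];
    }
    return NULL;
}

int main(void)
{
    /* Constructed sample: the two adapter addresses that appear in the thread. */
    const char *const locals[] = { "192.168.0.107", "192.168.0.200" };
    const size_t nlocals = sizeof locals / sizeof locals[0];
    const char *targets[] = { "127.0.0.2", "192.168.0.200", "10.0.0.5" };
    size_t i;

    for (i = 0; i < sizeof targets / sizeof targets[0]; i++) {
        const char *src = choose_loopback_source(targets[i], locals, nlocals);
        printf("target %-15s -> source %s\n", targets[i],
               src ? src : "(not loopback, use physical interface)");
    }
    printf("192.168.0.107 -> 127.0.0.1 deliverable? %d\n",
           loopback_pair_is_deliverable("192.168.0.107", "127.0.0.1"));
    return 0;
}
```

A scanner that validates its -S/-e pair with loopback_pair_is_deliverable() before sending would have rejected the 192.168.0.200 to 127.0.0.1 combination in Kirk's capture instead of relying on whatever Windows does with it.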
Current thread:
- Re: from netscantools fin rst ack 食肉大灰兔V5 (Aug 18)