Nmap Development mailing list archives

Re: from netscantools fin rst ack


From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Wed, 19 Aug 2015 00:23:33 +0800

Hi Kirk,

I have analyzed your pcap file. It seems that NetScanTools has specified a
physical Ethernet interface IP (192.168.0.200) for the loopback interface.
Actually, this is not the right usage. First of all, the Windows TCP/IP stack
doesn't allow a loopback packet to pass through with Src-IP and Dst-IP from
different adapters. For example, you can ping from 192.168.0.200 to 192.168.0.200;
it's loopback. You can ping from 127.0.0.1 to 127.0.0.1 (or even 127.0.0.2;
they are the same). But you can't ping from 192.168.0.200 to 127.0.0.1.
Windows just ignores this kind of packet, and Npcap has no magic to let
these packets go. As in the experiment below, where 192.168.0.107 is my physical
Ethernet card IP:
-------------------------------------------------------------------------------------------------
C:\Windows\system32>ping -S 192.168.0.107 127.0.0.1

Pinging 127.0.0.1 from 192.168.0.107 with 32 bytes of data:
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.
PING: transmit failed. General failure.

Ping statistics for 127.0.0.1:
    Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),
-------------------------------------------------------------------------------------------------

Using Wireshark, I have confirmed that these ICMP requests didn't go to the "Npcap
Loopback Adapter" interface or the physical Ethernet interface. They are
just discarded by Windows.

Then I have tested with Nmap:
1) nmap -v -sS -S 192.168.0.107 -e lo0 -Pn 127.0.0.2
2) nmap -v -sS -S 127.0.0.3 -e lo0 -Pn 127.0.0.2

Command 1) fails to get any responses; command 2) runs well.
So you can see that using the IP of a physical interface on a loopback packet is NOT
the correct way, and you are expected to get no right responses, based on
Windows' mechanism. I don't know why you get two responses for every TCP
SYN scan, but who knows how Windows will respond to a wrong input? It is
undocumented.

The best solution is to use the 127.0.0.1 source IP for any loopback usage.
To determine whether you are using a loopback interface, you can refer to
what I have done in Nmap:
https://svn.nmap.org/nmap-exp/yang/nmap-npcap/
https://svn.nmap.org/nmap-exp/yang/nmap-npcap/libdnet-stripped/src/intf-win32.c

The intf_get_loopback_name() function from intf-win32.c is pasted below. This
function returns 1 if Npcap is found, and the adapter name can be saved in
a global variable for future use.

/* Headers the snippet relies on (not shown in the original paste). */
#include <windows.h>
#include <string.h>

#ifdef _X86_
#define NPCAP_SOFTWARE_REGISTRY_KEY "SOFTWARE\\Npcap"
#else // AMD64
#define NPCAP_SOFTWARE_REGISTRY_KEY "SOFTWARE\\Wow6432Node\\Npcap"
#endif

/* Reads the "Loopback" value under Npcap's registry key into buffer.
   Returns 1 if the key exists and the value is a REG_SZ string (Npcap
   is installed); buffer then holds the Npcap Loopback Adapter name.
   Returns 0 otherwise, with buffer zeroed. */
int intf_get_loopback_name(char *buffer, int buf_size)
{
    HKEY hKey;
    DWORD type;
    DWORD size = buf_size;   /* RegQueryValueExA expects an LPDWORD, not int* */
    int res = 0;

    memset(buffer, 0, buf_size);

#ifndef _X86_
    Wow64EnableWow64FsRedirection(FALSE);
#endif

    if (RegOpenKeyExA(HKEY_LOCAL_MACHINE, NPCAP_SOFTWARE_REGISTRY_KEY, 0,
                      KEY_READ, &hKey) == ERROR_SUCCESS)
    {
        /* size is in/out: on return it holds the number of bytes written. */
        if (RegQueryValueExA(hKey, "Loopback", 0, &type, (LPBYTE)buffer, &size)
                == ERROR_SUCCESS && type == REG_SZ)
        {
            res = 1;
        }
        else
        {
            res = 0;
        }

        RegCloseKey(hKey);
    }
    else
    {
        res = 0;
    }

#ifndef _X86_
    Wow64EnableWow64FsRedirection(TRUE);
#endif

    return res;
}

Cheers,
Yang


On Tue, Aug 18, 2015 at 10:09 AM, NetScanTools Customer Service <
support () netscantools com> wrote:

Hi,
Here is a Wireshark capture of a SYN scan of 127.0.0.1 with a 2-packet response.
The source IP 192.168.0.200 is the WinPcap Ethernet interface on the same machine.

Thanks,
Kirk Thomas



   ---- File information -----------
     File:  port-scan-fin-rst-ack.pcapng
     Date:  17 Aug 2015, 19:04
     Size:  13056 bytes.
     Type:  Unknown
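As an added illustration (not code from the thread or from Nmap), the source-address rule in Yang's reply above, written as a small check: a loopback destination needs a loopback source, and a physical source to 127.0.0.1 is dropped by the Windows stack. The helper names are hypothetical and the address pairs are the ones from his ping and nmap experiments.

```c
/* Added example: encodes the Windows loopback source/destination rule
 * described in the reply. Helper names here are hypothetical. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Parse "a.b.c.d" into a host-order 32-bit value; returns 0 on bad input. */
static int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4) return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255) return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* 127.0.0.0/8: every address in it is the same loopback endpoint. */
static int is_loopback(uint32_t ip) { return (ip >> 24) == 127; }

/* The rule from the mail: both ends in 127/8 works (127.0.0.3 -> 127.0.0.2),
 * a physical address to itself works (192.168.0.200 -> 192.168.0.200), and a
 * physical source to a loopback destination is silently discarded. Any pair
 * outside those cases is treated as not allowed. */
int windows_loopback_pair_ok(const char *src, const char *dst)
{
    uint32_t s, d;
    if (!parse_ipv4(src, &s) || !parse_ipv4(dst, &d)) return 0;
    if (is_loopback(s) && is_loopback(d)) return 1;
    return s == d;
}

/* Source a scanner should use for a target: 127.0.0.1 for any loopback
 * target, otherwise the caller's preferred (physical interface) address. */
const char *choose_source(const char *preferred, const char *dst)
{
    uint32_t d;
    if (parse_ipv4(dst, &d) && is_loopback(d)) return "127.0.0.1";
    return preferred;
}

int main(void)
{
    printf("%d\n", windows_loopback_pair_ok("192.168.0.107", "127.0.0.1")); /* 0 */
    printf("%d\n", windows_loopback_pair_ok("127.0.0.3", "127.0.0.2"));     /* 1 */
    printf("%s\n", choose_source("192.168.0.200", "127.0.0.1"));            /* 127.0.0.1 */
    return 0;
}
```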


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
