Nmap Development mailing list archives
Re: same issues with no resolve? npcap
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Mon, 25 Jul 2016 23:54:25 +0800
Hi Mike, On Mon, Jul 25, 2016 at 10:58 PM, Mike . <dmciscobgp () hotmail com> wrote:
failed to open happens when i do a scan other than connect (sT). the debug error is when i turn on packet trace. so: nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1 -F 127.0.0.1 -packet-trace Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-25 09:54 Central Daylight Time Fetchfile found C:\Program Files\Nmap/nmap-services PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0) npcap service is already running. Winpcap present, dynamic linked to: Npcap version 0.07, based on WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_ rel0b (20091008) Fetchfile found C:\Program Files\Nmap/nmap.xsl The max # of sockets we are using is: 0 --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 1, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- Fetchfile found C:\Program Files\Nmap/nmap-payloads Initiating SYN Stealth Scan at 09:54 dnet: Failed to open device lo0 QUITTING!
I understand this error, because your Npcap Loopback Adapter is still not available, so you can't open it.
-------------------------------------------------------------------------------------------------------------------------- same thing but -sT Changing ping technique for 127.0.0.1 to connect to port 8888 CONN (1.1490s) TCP localhost > 127.0.0.1:993 => No connection could be made beca use the target machine actively Discovered closed port 993/tcp on 127.0.0.1 CONN (1.1510s) TCP localhost > 127.0.0.1:22 => No connection could be made becau se the target machine actively Discovered closed port 22/tcp on 127.0.0.1 CONN (1.1510s) TCP localhost > 127.0.0.1:995 => No connection could be made beca use the target machine actively
It seems that -sT scan doesn't use Npcap. When I disabled my Npcap Loopback Adapter, it can still be used to scan 127.0.0.1. So it's not Npcap related. So all your problem is your "Npcap Loopback Adapter" can't be opened. Here I give you a little "hack" way to enable the loopback adapter. 1) Create a Windows loopback adapter based on this: https://social.technet.microsoft.com/Forums/windows/en-US/259c7ef2-3770-4212-8fca-c58936979851/how-to-install-microsoft-loopback-adapter?forum=w7itpronetworking Then look at the result of "nmap --iflist", make sure the new loopback adapter has a "WINDEVICE" value. You can check its IP/MASK for its DEV name. If even the created Windows loopback adapter doesn't have a "WINDEVICE" value, you have to use your eth0 as the "Npcap Loopback Adapter". For your machine, it's: eth0 \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179} You record the "WINDEVICE" value like the above "\Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179}", remove the "NPF_", so you get "\Device\{E6793762-9633-432B-B8A6-B4C2F6AA5179}" 2) Open the registry, replace the following two registry REG_SZ values with the above string (no double quote) 1. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Npcap\LoopbackAdapter 2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\LoopbackAdapter 3) Open an Administrator CMD, enter "net stop npcap" and "net start npcap" to restart the Npcap driver. 4) enter "nmap --iflist" again to look at the result. You should see that the Npcap Loopback Adapter (lo0) has taken the place of the specified "WINDEVICE" value. For the above example, you should see: lo0 \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179} If you see this, then this hacking method succeeds. You should be able to normally use commands like "nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1 -F 127.0.0.1" now. Cheers, Yang
ok? Mike ------------------------------ *From:* 食肉大灰兔V5 <hsluoyz () gmail com> *Sent:* Monday, July 25, 2016 2:42 PM *To:* Mike .; Nmap-dev *Subject:* Re: same issues with no resolve? npcap Hi Mike, On Mon, Jul 25, 2016 at 10:14 PM, Mike . <dmciscobgp () hotmail com> wrote:already done and same issues exist. the main 2 points i want someone to explain to me that have me baffled: again, what does that error mean and why do i get it? >>> CONN (1.1140s) TCP localhost > 127.0.0.1:53 => No connection could be made be cause the target machine actively CONN (1.1140s) TCP localhost > 127.0.0.1:8080 => No connection could be made because the target machine actively CONN (1.1150s) TCP localhost > 127.0.0.1:22 => No connection could be made be cause the target machine activelyHi, forgive me that I'm not an expert on Nmap commands. So PLEASE paste BOTH the command and the complete Nmap feedback together. Otherwise, I won't know what command you have used to get this result. Why it doesn't show this error? dnet: Failed to open device lo0 QUITTING! Have you changed to another command? What command will lead to the so called "No connection could be made be balabala.." and what command will lead to the "dnet: Failed to open device lo0"? I'm confused now. Could you make things more clear?and lastly this. why will it still give me a successful scan if i do -F but if i do more than that i get a scan lasting HRS?!! example: with -F Nmap scan report for 127.0.0.1 Host is up, received user-set (1.0s latency). Scanned at 2016-07-25 09:08:09 Central Daylight Time for 27s Not shown: 94 closed ports Reason: 94 conn-refused PORT STATE SERVICE REASON 135/tcp open msrpc syn-ack 1025/tcp open NFS-or-IIS syn-ack 1026/tcp open LSA-or-nterm syn-ack 1027/tcp open IIS syn-ack 1028/tcp open unknown syn-ack 1029/tcp open ms-lsa syn-ack Final times for host: srtt: 1002380 rttvar: 4650 to: 1020980It seems that you can still scan some ports? right? Why this? "dnet: Failed to open device lo0" shows that the lo0 adapter is even not working. Npcap won't work in any case about this lo0. Does this use other ways like socket?w/out 5 minutes have past...you get the idea Fetchfile found C:\Program Files\Nmap/nmap-payloads Initiating Connect Scan at 09:10 Scanning 192.168.0.16 [65000 ports] Connect Scan Timing: About 0.30% done Connect Scan Timing: About 0.53% done Connect Scan Timing: About 0.75% done Connect Scan Timing: About 0.98% doneThis happens when Npcap fails to send any packets. Maybe it's related. Cheers, Yangok, thank you ------------------------------ *From:* 食肉大灰兔V5 <hsluoyz () gmail com> *Sent:* Monday, July 25, 2016 2:06 PM *To:* Mike .; Nmap-dev *Subject:* Re: same issues with no resolve? npcap Hi Mike, On Mon, Jul 25, 2016 at 9:17 PM, Mike . <dmciscobgp () hotmail com> wrote:just noticed the status for that adapter is in a continuous "identifying..." mode. no clue on that. as far at the list hereThis is NOT normal. My side shows "Unidentified network" which should be a normal sign. I suggest you disable and re-enable this adapter. See if it stops showing "identifying...". If this doesn't fix, you can do as what Robert said, reboot, reinstall Npcap, then reboot again.DEV (SHORT) IP/MASK TYPE UP MTU MAC lo0 (lo0) ::1/128 loopback up 1500 lo0 (lo0) 127.0.0.1/8 loopback up 1500 eth0 (eth0) 192.168.0.16/24 ethernet up 1500 00:1C:25:74:AB:E1 DEV WINDEVICE lo0 <none> lo0 <none>This is NOT normal either. My side shows as below. the WINDEVICE of lo0 adapter should has something. ------------------------------------------------------------------------ DEV WINDEVICE eth0 \Device\NPF_{5343DA6B-7495-4DFF-83AD-033E04FB8793} eth0 \Device\NPF_{5343DA6B-7495-4DFF-83AD-033E04FB8793} lo0 \Device\NPF_{DD9518B2-04F9-48E5-83AE-5E445C31C9F3} lo0 \Device\NPF_{DD9518B2-04F9-48E5-83AE-5E445C31C9F3} eth1 \Device\NPF_{C5C7E6A2-0952-4177-82DD-1FEE841AE165} eth1 \Device\NPF_{C5C7E6A2-0952-4177-82DD-1FEE841AE165} tun0 <none> tun0 <none> tun1 <none> tun2 <none> ------------------------------------------------------------------------ I suggest you another way to check: 1) Open an Administrator CMD, "cd" into the Npcap installation folder "C:\Program Files\Npcap". 2) Type in "NPFInstall.exe -ul" to uninstall "Npcap Loopback Adapter". Show me any error messages about this command. 3) Type in "NPFInstall.exe -il" to re-install "Npcap Loopback Adapter". Show me any error messages about this command. Cheers, Yangeth0 \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179} <none> \Device\NPF_NdisWanIpv6 <none> \Device\NPF_NdisWanIp **************************ROUTES************************** DST/MASK DEV METRIC GATEWAY 192.168.0.16/32 eth0 266 255.255.255.255/32 eth0 266 192.168.0.255/32 eth0 266 255.255.255.255/32 lo0 286 169.254.255.255/32 lo0 286 169.254.244.1/32 lo0 286 127.0.0.1/32 lo0 306 255.255.255.255/32 eth0 306 127.255.255.255/32 lo0 306 192.168.0.0/24 eth0 266 169.254.0.0/16 lo0 286 127.0.0.0/8 lo0 306 224.0.0.0/4 eth0 266 224.0.0.0/4 lo0 286 224.0.0.0/4 eth0 306 0.0.0.0/0 eth0 266 192.168.0.1 ::1/128 lo0 306 lastly, wireshark does not even show or recognize lo adapter------------------------------*From:* 食肉大灰兔V5 <hsluoyz () gmail com> *Sent:* Monday, July 25, 2016 12:15 PM *To:* Mike .; Nmap-dev *Subject:* Re: same issues with no resolve? npcap Hi Mike, On Mon, Jul 25, 2016 at 7:54 PM, Mike . <dmciscobgp () hotmail com> wrote:excuse me sir. but i have the exact same issues with "localhost"! btw, chime in. what is the difference between the "real" loopback and my local ip intranet side?If 192.168.0.16 is your one of your own host IPs, then it's equivalent to 127.0.0.1.both reflect the same addy. my router is 192.168.0.1. my addy is 16. yes i know wth a loopback addy is. anyway, just to show you, same error: nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1 -F 127.0.0.1 Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-25 06:49 Central Dayligh t Time Fetchfile found C:\Program Files\Nmap/nmap-services PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0) npcap service is already running. Winpcap present, dynamic linked to: Npcap version 0.07, based on WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_ rel0b (20091008) Fetchfile found C:\Program Files\Nmap/nmap.xsl The max # of sockets we are using is: 0 --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 1, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- Fetchfile found C:\Program Files\Nmap/nmap-payloads Initiating SYN Stealth Scan at 06:49 dnet: Failed to open device lo0 QUITTING!A reason that I can think of is the status of the adapter. Have you enabled the "Npcap Loopback Adapter" in your "Control Panel\Network and Internet\Network Connections"? Can you paste your "nmap --iflist" result here? Also please try Wireshark like I said, it can help the troubleshooting. Thanks. Cheers, Yangguess im outta luck Mike ------------------------------ *From:* 食肉大灰兔V5 <hsluoyz () gmail com> *Sent:* Monday, July 25, 2016 11:41 AM *To:* Mike .; Nmap-dev *Subject:* Re: same issues with no resolve? npcap Hi Mike, On Mon, Jul 25, 2016 at 7:25 PM, Mike . <dmciscobgp () hotmail com> wrote:ok. thanks for getting back to me nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1 2> nul -F 192.168.0.16 This command has nothing to do with localhost. If you want to scanlocalhost, please use the IP: 127.0.0.1. So at my side, I used my router, 192.168.0.1 as the target. The result seems to be fine. --------------------------------------------------------------- C:\Windows\system32>nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1 2> nul -F 192.168.0.1 Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-25 19:34 China Standard Time Fetchfile found C:\Program Files (x86)\Nmap/nmap-services PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0) npf service is already running. Winpcap present, dynamic linked to: Npcap version 0.07, based on WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008) Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl The max # of sockets we are using is: 0 --------------- Timing report --------------- hostgroups: min 1, max 100000 rtt-timeouts: init 1000, min 100, max 10000 max-scan-delay: TCP 1000, UDP 1000, SCTP 1000 parallelism: min 0, max 0 max-retries: 1, host-timeout: 0 min-rate: 0, max-rate: 0 --------------------------------------------- Fetchfile found C:\Program Files (x86)\Nmap/nmap-payloads Initiating ARP Ping Scan at 19:34 Scanning 192.168.0.1 [1 port] Packet capture filter (device eth3): arp and arp[18:4] = 0xE094678F and arp[22:2] = 0xFF3E ultrascan_host_probe_update called for machine 192.168.0.1 state UNKNOWN -> HOST_UP (trynum 0 time: 4000) Changing ping technique for 192.168.0.1 to ARP Changing global ping host to 192.168.0.1. Completed ARP Ping Scan at 19:34, 0.60s elapsed (1 total hosts) Overall sending rates: 1.66 packets / s, 69.65 bytes / s. Initiating SYN Stealth Scan at 19:34 192.168.0.1 pingprobe type ARP is inappropriate for this scan type; resetting. Scanning 192.168.0.1 [100 ports] Packet capture filter (device eth3): dst host 192.168.0.107 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.0.1))) Discovered open port 80/tcp on 192.168.0.1 Changing ping technique for 192.168.0.1 to tcp to port 80; flags: S Discovered open port 1900/tcp on 192.168.0.1 Changing global ping host to 192.168.0.1. Completed SYN Stealth Scan at 19:34, 1.72s elapsed (100 total ports) Overall sending rates: 115.52 packets / s, 5082.85 bytes / s. Nmap scan report for 192.168.0.1 Fetchfile found C:\Program Files (x86)\Nmap/nmap-mac-prefixes Host is up, received arp-response (0.0051s latency). Scanned at 2016-07-25 19:34:52 China Standard Time for 3s Not shown: 98 filtered ports Reason: 98 no-responses PORT STATE SERVICE REASON 80/tcp open http syn-ack ttl 64 1900/tcp open upnp syn-ack ttl 64 MAC Address: FC:D7:33:8D:06:CE (Tp-link Technologies) Final times for host: srtt: 5125 rttvar: 5062 to: 100000 Read from C:\Program Files (x86)\Nmap: nmap-mac-prefixes nmap-payloads nmap-services. Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds Raw packets sent: 199 (8.740KB) | Rcvd: 6 (294B) C:\Windows\system32> ---------------------------------------------------------------connect scans work fine BUT they take FOREVER to do a complete 65000+ scan! no other scans will work against localhost without error occuring.What localhost command has you tried? Has you tried "nmap -v -A 127.0.0.1“? Please give me the feedback of the Nmap. Cheers, Yangi am on win7 x86 w/ no antivirus or wall whatsoever and as far as the winpcap install option i chose that loopback adapter option and left all others unchecked ------------------------------ *From:* 食肉大灰兔V5 <hsluoyz () gmail com> *Sent:* Monday, July 25, 2016 11:02 AM *To:* Mike . *Cc:* nmap-group *Subject:* Re: same issues with no resolve? npcap Hi Mike, Sorry for the delay! I have several questions which will help my troubleshooting process. 1) Which Nmap command did you use? I think you are typing in the Nmap commands in a CMD, right? Please just paste the whole content (the command + the nmap feedback) in your mail. 2) I think you are using the shipped Npcap 0.07 r17, right? Which options do you choose when installing Npcap? And which OS are you using? x86 or x64? 3) Have you enabled any anti-virus, firewall softwares? Please disable them then try again. Also try to use an Administrator CMD to run Nmap. 4) Try Wireshark latest development version, it should show an interface called "Npcap Loopback Adapter". Capture packets on this "Npcap Loopback Adapter", then "ping 127.0.0.1" in CMD and see if the corresponding ICMP packet shows up on Wireshark. Thanks! Cheers, Yang On Mon, Jul 25, 2016 at 6:46 PM, Mike . <dmciscobgp () hotmail com> wrote:not sure if what i posted on this was just ignored or never seen. still getting these issues with this npcap install. here is the debug output CONN (1.1190s) TCP localhost > 127.0.0.1:995 => No connection could be made because the target machine actively that is not truncated btw. why am i seeing this and why is that error written that way incomplete? also get this when i try anything other than a connect scan ---> dnet: Failed to open device lo0 QUITTING! ty Mike _______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
Current thread:
- same issues with no resolve? npcap Mike . (Jul 25)
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 26)
- Message not available
- Re: same issues with no resolve? npcap 食肉大灰兔V5 (Jul 25)