Nmap Development mailing list archives

Re: same issues with no resolve? npcap


From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Mon, 25 Jul 2016 23:54:25 +0800

Hi Mike,

On Mon, Jul 25, 2016 at 10:58 PM, Mike . <dmciscobgp () hotmail com> wrote:

failed to open happens when i do a scan other than connect (sT). the debug
error is when i turn on packet trace. so:


nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1  -F 127.0.0.1 -packet-trace

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-25 09:54 Central Daylight Time
Fetchfile found C:\Program Files\Nmap/nmap-services
PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0)
npcap service is already running.
Winpcap present, dynamic linked to: Npcap version 0.07, based on WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Fetchfile found C:\Program Files\Nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 1, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found C:\Program Files\Nmap/nmap-payloads
Initiating SYN Stealth Scan at 09:54
dnet: Failed to open device lo0
QUITTING!


I understand this error, because your Npcap Loopback Adapter is still not
available, so you can't open it.


--------------------------------------------------------------------------------------------------------------------------


same thing but -sT

Changing ping technique for 127.0.0.1 to connect to port 8888
CONN (1.1490s) TCP localhost > 127.0.0.1:993 => No connection could be made because the target machine actively
Discovered closed port 993/tcp on 127.0.0.1
CONN (1.1510s) TCP localhost > 127.0.0.1:22 => No connection could be made because the target machine actively
Discovered closed port 22/tcp on 127.0.0.1
CONN (1.1510s) TCP localhost > 127.0.0.1:995 => No connection could be made because the target machine actively


It seems that -sT scan doesn't use Npcap. When I disabled my Npcap Loopback
Adapter, it can still be used to scan 127.0.0.1. So it's not Npcap related.

So all your problem is your "Npcap Loopback Adapter" can't be opened.

Here I give you a little "hack" way to enable the loopback adapter.

1) Create a Windows loopback adapter based on this:
https://social.technet.microsoft.com/Forums/windows/en-US/259c7ef2-3770-4212-8fca-c58936979851/how-to-install-microsoft-loopback-adapter?forum=w7itpronetworking
Then look at the result of "nmap --iflist", make sure the new loopback
adapter has a "WINDEVICE" value. You can check its IP/MASK for its DEV name.
If even the created Windows loopback adapter doesn't have a "WINDEVICE"
value, you have to use your eth0 as the "Npcap Loopback Adapter". For your
machine, it's:

eth0   \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179}

You record the "WINDEVICE" value like the above
"\Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179}", remove the "NPF_", so
you get "\Device\{E6793762-9633-432B-B8A6-B4C2F6AA5179}"

2) Open the registry, replace the following two registry REG_SZ values with
the above string (no double quote)
1. HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Npcap\LoopbackAdapter
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\npcap\LoopbackAdapter

3) Open an Administrator CMD, enter "net stop npcap" and "net start npcap"
to restart the Npcap driver.

4) enter "nmap --iflist" again to look at the result. You should see that
the Npcap Loopback Adapter (lo0) has taken the place of the specified
"WINDEVICE" value.

For the above example, you should see:

lo0   \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179}

If you see this, then this hacking method succeeds. You should be able to
normally use commands like "nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries
1  -F 127.0.0.1" now.


Cheers,
Yang



ok?
Mike

------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Monday, July 25, 2016 2:42 PM

*To:* Mike .; Nmap-dev
*Subject:* Re: same issues with no resolve? npcap

Hi Mike,

On Mon, Jul 25, 2016 at 10:14 PM, Mike . <dmciscobgp () hotmail com> wrote:

already done and same issues exist. the main 2 points i want someone to
explain to me that have me baffled: again, what does that error mean and
why do i get it? >>>


CONN (1.1140s) TCP localhost > 127.0.0.1:53 => No connection could be made because the target machine actively
CONN (1.1140s) TCP localhost > 127.0.0.1:8080 => No connection could be made because the target machine actively
CONN (1.1150s) TCP localhost > 127.0.0.1:22 => No connection could be made because the target machine actively


Hi, forgive me that I'm not an expert on Nmap commands. So PLEASE paste
BOTH the command and the complete Nmap feedback together. Otherwise, I
won't know what command you have used to get this result.

Why doesn't it show this error?
dnet: Failed to open device lo0
QUITTING!

Have you changed to another command? What command will lead to the so
called "No connection could be made be balabala.." and what command will
lead to the "dnet: Failed to open device lo0"? I'm confused now. Could you
make things more clear?


and lastly this. why will it still give me a successful scan if i do -F
but if i do more than that i get a scan lasting HRS?!! example:

with -F

Nmap scan report for 127.0.0.1
Host is up, received user-set (1.0s latency).
Scanned at 2016-07-25 09:08:09 Central Daylight Time for 27s
Not shown: 94 closed ports
Reason: 94 conn-refused
PORT     STATE SERVICE      REASON
135/tcp  open  msrpc        syn-ack
1025/tcp open  NFS-or-IIS   syn-ack
1026/tcp open  LSA-or-nterm syn-ack
1027/tcp open  IIS          syn-ack
1028/tcp open  unknown      syn-ack
1029/tcp open  ms-lsa       syn-ack
Final times for host: srtt: 1002380 rttvar: 4650  to: 1020980


It seems that you can still scan some ports? right? Why this? "dnet:
Failed to open device lo0" shows that the lo0 adapter is even not working.
Npcap won't work in any case about this lo0. Does this use other ways like
socket?



w/out

5 minutes have passed...you get the idea

Fetchfile found C:\Program Files\Nmap/nmap-payloads
Initiating Connect Scan at 09:10
Scanning 192.168.0.16 [65000 ports]
Connect Scan Timing: About 0.30% done
Connect Scan Timing: About 0.53% done
Connect Scan Timing: About 0.75% done
Connect Scan Timing: About 0.98% done


This happens when Npcap fails to send any packets. Maybe it's related.


Cheers,
Yang



ok, thank you







------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Monday, July 25, 2016 2:06 PM

*To:* Mike .; Nmap-dev
*Subject:* Re: same issues with no resolve? npcap

Hi Mike,

On Mon, Jul 25, 2016 at 9:17 PM, Mike . <dmciscobgp () hotmail com> wrote:

just noticed the status for that adapter is in a continuous
"identifying..." mode. no clue on that. as far at the list here

This is NOT normal. My side shows "Unidentified network" which should be
a normal sign.

I suggest you disable and re-enable this adapter. See if it stops
showing "identifying...". If this doesn't fix, you can do as what Robert
said, reboot, reinstall Npcap, then reboot again.



DEV  (SHORT) IP/MASK         TYPE     UP MTU  MAC
lo0  (lo0)   ::1/128         loopback up 1500
lo0  (lo0)   127.0.0.1/8     loopback up 1500
eth0 (eth0)  192.168.0.16/24 ethernet up 1500 00:1C:25:74:AB:E1

DEV    WINDEVICE
lo0    <none>
lo0    <none>


This is NOT normal either. My side shows as below. The WINDEVICE of the lo0
adapter should have something.

------------------------------------------------------------------------
DEV  WINDEVICE
eth0 \Device\NPF_{5343DA6B-7495-4DFF-83AD-033E04FB8793}
eth0 \Device\NPF_{5343DA6B-7495-4DFF-83AD-033E04FB8793}
lo0  \Device\NPF_{DD9518B2-04F9-48E5-83AE-5E445C31C9F3}
lo0  \Device\NPF_{DD9518B2-04F9-48E5-83AE-5E445C31C9F3}
eth1 \Device\NPF_{C5C7E6A2-0952-4177-82DD-1FEE841AE165}
eth1 \Device\NPF_{C5C7E6A2-0952-4177-82DD-1FEE841AE165}
tun0 <none>
tun0 <none>
tun1 <none>
tun2 <none>
------------------------------------------------------------------------

I suggest you another way to check:
1) Open an Administrator CMD, "cd" into the Npcap installation folder
"C:\Program Files\Npcap".
2) Type in "NPFInstall.exe -ul" to uninstall "Npcap Loopback Adapter".
Show me any error messages about this command.
3) Type in "NPFInstall.exe -il" to re-install "Npcap Loopback Adapter".
Show me any error messages about this command.


Cheers,
Yang


eth0   \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179}
<none> \Device\NPF_NdisWanIpv6
<none> \Device\NPF_NdisWanIp

**************************ROUTES**************************
DST/MASK           DEV  METRIC GATEWAY
192.168.0.16/32    eth0 266
255.255.255.255/32 eth0 266
192.168.0.255/32   eth0 266
255.255.255.255/32 lo0  286
169.254.255.255/32 lo0  286
169.254.244.1/32   lo0  286
127.0.0.1/32       lo0  306
255.255.255.255/32 eth0 306
127.255.255.255/32 lo0  306
192.168.0.0/24     eth0 266
169.254.0.0/16     lo0  286
127.0.0.0/8        lo0  306
224.0.0.0/4        eth0 266
224.0.0.0/4        lo0  286
224.0.0.0/4        eth0 306
0.0.0.0/0          eth0 266    192.168.0.1
::1/128            lo0  306



lastly, wireshark does not even show or recognize lo adapter

------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Monday, July 25, 2016 12:15 PM

*To:* Mike .; Nmap-dev
*Subject:* Re: same issues with no resolve? npcap

Hi Mike,

On Mon, Jul 25, 2016 at 7:54 PM, Mike . <dmciscobgp () hotmail com> wrote:

excuse me sir. but i have the exact same issues with "localhost"! btw,
chime in. what is the difference between the "real" loopback and my local
ip intranet side?

If 192.168.0.16 is one of your own host IPs, then it's equivalent
to 127.0.0.1.


both reflect the same addy. my router is 192.168.0.1. my addy is 16.
yes i know wth a loopback addy is. anyway, just to show you, same error:


nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1 -F 127.0.0.1

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-25 06:49 Central Daylight Time
Fetchfile found C:\Program Files\Nmap/nmap-services
PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0)
npcap service is already running.
Winpcap present, dynamic linked to: Npcap version 0.07, based on WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Fetchfile found C:\Program Files\Nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 1, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found C:\Program Files\Nmap/nmap-payloads
Initiating SYN Stealth Scan at 06:49
dnet: Failed to open device lo0
QUITTING!


A reason that I can think of is the status of the adapter. Have you
enabled the "Npcap Loopback Adapter" in your "Control Panel\Network and
Internet\Network Connections"? Can you paste your "nmap --iflist" result
here? Also please try Wireshark like I said, it can help the
troubleshooting.

Thanks.


Cheers,
Yang


guess im outta luck
Mike

------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Monday, July 25, 2016 11:41 AM
*To:* Mike .; Nmap-dev

*Subject:* Re: same issues with no resolve? npcap

Hi Mike,

On Mon, Jul 25, 2016 at 7:25 PM, Mike . <dmciscobgp () hotmail com> wrote:

ok. thanks for getting back to me


nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1 2> nul -F 192.168.0.16


This command has nothing to do with localhost. If you want to scan
localhost, please use the IP: 127.0.0.1.

So at my side, I used my router, 192.168.0.1 as the target. The result
seems to be fine.

---------------------------------------------------------------
C:\Windows\system32>nmap -n -T3 -ttl 64 -d2 -open -Pn -max-retries 1 2> nul -F 192.168.0.1

Starting Nmap 7.25BETA1 ( https://nmap.org ) at 2016-07-25 19:34 China Standard Time
Fetchfile found C:\Program Files (x86)\Nmap/nmap-services
PORTS: Using top 100 ports found open (TCP:100, UDP:0, SCTP:0)
npf service is already running.
Winpcap present, dynamic linked to: Npcap version 0.07, based on WinPcap version 4.1.3 (packet.dll version 4.1.0.2980), based on libpcap version 1.0 branch 1_0_rel0b (20091008)
Fetchfile found C:\Program Files (x86)\Nmap/nmap.xsl
The max # of sockets we are using is: 0
--------------- Timing report ---------------
  hostgroups: min 1, max 100000
  rtt-timeouts: init 1000, min 100, max 10000
  max-scan-delay: TCP 1000, UDP 1000, SCTP 1000
  parallelism: min 0, max 0
  max-retries: 1, host-timeout: 0
  min-rate: 0, max-rate: 0
---------------------------------------------
Fetchfile found C:\Program Files (x86)\Nmap/nmap-payloads
Initiating ARP Ping Scan at 19:34
Scanning 192.168.0.1 [1 port]
Packet capture filter (device eth3): arp and arp[18:4] = 0xE094678F and arp[22:2] = 0xFF3E
ultrascan_host_probe_update called for machine 192.168.0.1 state UNKNOWN -> HOST_UP (trynum 0 time: 4000)
Changing ping technique for 192.168.0.1 to ARP
Changing global ping host to 192.168.0.1.
Completed ARP Ping Scan at 19:34, 0.60s elapsed (1 total hosts)
Overall sending rates: 1.66 packets / s, 69.65 bytes / s.
Initiating SYN Stealth Scan at 19:34
192.168.0.1 pingprobe type ARP is inappropriate for this scan type; resetting.
Scanning 192.168.0.1 [100 ports]
Packet capture filter (device eth3): dst host 192.168.0.107 and (icmp or icmp6 or ((tcp or udp or sctp) and (src host 192.168.0.1)))
Discovered open port 80/tcp on 192.168.0.1
Changing ping technique for 192.168.0.1 to tcp to port 80; flags: S
Discovered open port 1900/tcp on 192.168.0.1
Changing global ping host to 192.168.0.1.
Completed SYN Stealth Scan at 19:34, 1.72s elapsed (100 total ports)
Overall sending rates: 115.52 packets / s, 5082.85 bytes / s.
Nmap scan report for 192.168.0.1
Fetchfile found C:\Program Files (x86)\Nmap/nmap-mac-prefixes
Host is up, received arp-response (0.0051s latency).
Scanned at 2016-07-25 19:34:52 China Standard Time for 3s
Not shown: 98 filtered ports
Reason: 98 no-responses
PORT     STATE SERVICE REASON
80/tcp   open  http    syn-ack ttl 64
1900/tcp open  upnp    syn-ack ttl 64
MAC Address: FC:D7:33:8D:06:CE (Tp-link Technologies)
Final times for host: srtt: 5125 rttvar: 5062  to: 100000

Read from C:\Program Files (x86)\Nmap: nmap-mac-prefixes nmap-payloads nmap-services.
Nmap done: 1 IP address (1 host up) scanned in 2.66 seconds
           Raw packets sent: 199 (8.740KB) | Rcvd: 6 (294B)

C:\Windows\system32>
---------------------------------------------------------------

connect scans work fine BUT they take FOREVER to do a complete 65000+
scan! no other scans will work against localhost without error occurring.


What localhost command have you tried? Have you tried "nmap -v -A
127.0.0.1"? Please give me the feedback of the Nmap.

Cheers,
Yang



i am on win7 x86 w/ no antivirus or wall whatsoever and as far as the
winpcap install option i chose that loopback adapter option and left all
others unchecked

------------------------------
*From:* 食肉大灰兔V5 <hsluoyz () gmail com>
*Sent:* Monday, July 25, 2016 11:02 AM
*To:* Mike .
*Cc:* nmap-group
*Subject:* Re: same issues with no resolve? npcap

Hi Mike,

Sorry for the delay! I have several questions which will help my
troubleshooting process.

1) Which Nmap command did you use? I think you are typing in the Nmap
commands in a CMD, right? Please just paste the whole content (the command
+ the nmap feedback) in your mail.

2) I think you are using the shipped Npcap 0.07 r17, right? Which
options do you choose when installing Npcap? And which OS are you using?
x86 or x64?

3) Have you enabled any anti-virus, firewall software? Please disable
them then try again. Also try to use an Administrator CMD to run Nmap.

4) Try Wireshark latest development version, it should show an
interface called "Npcap Loopback Adapter". Capture packets on this "Npcap
Loopback Adapter", then "ping 127.0.0.1" in CMD and see if the
corresponding ICMP packet shows up on Wireshark.

Thanks!


Cheers,
Yang


On Mon, Jul 25, 2016 at 6:46 PM, Mike . <dmciscobgp () hotmail com>
wrote:

not sure if what i posted on this was just ignored or never seen.
still getting these issues with this npcap install. here is the debug
output


CONN (1.1190s) TCP localhost > 127.0.0.1:995 => No connection could be made because the target machine actively

that is not truncated btw. why am i seeing this and why is that error
written that way incomplete? also get this when i try anything other than a
connect scan --->
dnet: Failed to open device lo0
QUITTING!

ty

Mike


_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
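
The check behind step 1 of the workaround in the top message, as an added example that is not part of the original thread and not Nmap or Npcap code: it reads the DEV/WINDEVICE table of "nmap --iflist", reports whether lo0 is bound to a device, and derives the string for the two LoopbackAdapter registry values. The sample text is constructed from the output quoted in the thread; the function names and the `donor` parameter are hypothetical.

```python
import re

# Constructed sample, modelled on the "nmap --iflist" output quoted in the
# thread: lo0 has no WINDEVICE, eth0 does.
SAMPLE_IFLIST = r"""
DEV  (SHORT) IP/MASK         TYPE     UP MTU  MAC
lo0  (lo0)   127.0.0.1/8     loopback up 1500
eth0 (eth0)  192.168.0.16/24 ethernet up 1500 00:1C:25:74:AB:E1

DEV    WINDEVICE
lo0    <none>
lo0    <none>
eth0   \Device\NPF_{E6793762-9633-432B-B8A6-B4C2F6AA5179}
<none> \Device\NPF_NdisWanIp

DST/MASK           DEV  METRIC GATEWAY
127.0.0.1/32       lo0  306
"""

NPF_GUID = re.compile(r"^\\Device\\NPF_(\{[0-9A-Fa-f-]{36}\})$")

def parse_windevices(iflist_text):
    """Map each DEV in the DEV/WINDEVICE table to its device path, or None."""
    devices, in_table = {}, False
    for line in iflist_text.splitlines():
        fields = line.split()
        if fields[:2] == ["DEV", "WINDEVICE"]:
            in_table = True
        elif in_table and len(fields) != 2:
            break                      # blank line or next section ends the table
        elif in_table and fields[0] != "<none>":
            dev, windev = fields
            devices.setdefault(dev, None)
            if windev != "<none>":
                devices[dev] = windev
    return devices

def registry_value_for(windevice):
    """Step 1 of the procedure: drop "NPF_" from a GUID-style WINDEVICE."""
    match = NPF_GUID.match(windevice)
    if match is None:
        raise ValueError("not a GUID-style NPF device: %r" % windevice)
    return "\\Device\\" + match.group(1)

def diagnose(iflist_text, donor="eth0"):
    """Return (lo0_ok, value); value is the LoopbackAdapter string to set."""
    devices = parse_windevices(iflist_text)
    if devices.get("lo0"):
        return True, None              # lo0 already bound, nothing to change
    if not devices.get(donor):
        raise LookupError("donor %s has no WINDEVICE" % donor)
    return False, registry_value_for(devices[donor])
```

The code only computes the string; writing the registry values and restarting the npcap service remain the manual steps 2) and 3) of the message.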






