Nmap Development mailing list archives

Best practice for adding self-scan support for nmap


From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Tue, 21 Jul 2015 16:34:31 +0800

Hi list,

As Npcap's loopback capture feature has become stable after several rounds
of bug fixes, I think it's time to discuss how to integrate it with Nmap to
let Nmap be able to scan Windows localhost. (The latest Npcap installer:
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.01-r2.exe)

As Windows doesn't support the same "lo" as in Linux, it brings lots of
trouble for Npcap to implement localhost scan support, e.g. you can't
assign the 127.0.0.1 address to an adapter, so "Npcap Loopback Adapter"
actually doesn't use the 127.0.0.1 IP. Moreover, Windows fakes a high-level
interface named "Loopback Pseudo-Interface 1" which can be seen in the IP
Helper API (IPHlpApi.dll); this interface owns the 127.0.0.1 IP but it is only
high-level and can't be used to capture packets using Npcap or WinPcap.

So Npcap's mission is to "deceive" Nmap into believing that "Npcap Loopback
Adapter" is the loopback interface and owns the 127.0.0.1 address. Nmap
(and nearly all other software) only uses two ways to get interface info: 1)
the IP Helper API, 2) the WinPcap API. As Npcap can control the behavior of 2),
what Npcap needs to do is change the behavior of 1).

So my solution is:

1) Nmap checks Npcap's software registry key at startup and gets the "Npcap
Loopback Adapter" value; if the value exists, then we believe the Npcap
loopback feature is available and set the global variable
g_has_npcap_loopback to true.

2) Use the Microsoft Detours API to hook the functions in the IP Helper API
(like the GetAdaptersAddresses() function, which returns the interface list to
Nmap) and substitute the useless "Loopback Pseudo-Interface 1" with "Npcap
Loopback Adapter". I think hooking the IP Helper API is better than messing
with Nmap's code because: i. It keeps the loopback deception loosely coupled
with Nmap so the Nmap code won't get too messed up. ii. It's easier to let
Npcap support other applications, as they only need to import the Detours code.

3) All other Nmap functions related to loopback (like SYN Stealth Scan and OS
Scan) check g_has_npcap_loopback first; if it is true, Nmap can just treat
the Windows "lo" interface the same as the Linux "lo", with no need to stop
working and show something like "Skipping OS Scan against  (127.0.0.1)
because it doesn't work against your own machine (localhost)". If
g_has_npcap_loopback == false, then it means the Npcap loopback feature is
unavailable and everything keeps working the original way.

This is my idea and I'd like to hear your suggestions. Thanks.


Cheers,
Yang
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
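A portable model of steps 1 to 3 above, added here as an example; it is not code from Npcap, Nmap or the post. The adapter_t struct, the constructed sample adapter list and addresses, the function pointer standing in for the Detours trampoline, and refresh_adapters() are assumptions of this example, so it compiles without Windows or Detours.

```c
/* Added example, not Npcap or Nmap code: a portable model of the step 2 hook.
 * Npcap would use Microsoft Detours on IPHlpApi's GetAdaptersAddresses();
 * here a function pointer plays the Detours trampoline and a small struct
 * stands in for IP_ADAPTER_ADDRESSES, so this compiles on any platform. */
#include <stdbool.h>
#include <string.h>
#define MAX_ADAPTERS 8
typedef struct { char name[40]; char ipv4[16]; } adapter_t;
/* Step 1: set at startup from Npcap's registry key (simulated by a flag). */
bool g_has_npcap_loopback = false;
adapter_t g_adapters[MAX_ADAPTERS];
/* Stand-in for the un-hooked API: the list Windows really reports
 * (constructed sample data). */
static int real_get_adapters(adapter_t *out, int cap) {
    static const adapter_t sample[] = {
        {"Loopback Pseudo-Interface 1", "127.0.0.1"},
        {"Npcap Loopback Adapter", "169.254.1.2"}, /* cannot hold 127.0.0.1 */
        {"Ethernet", "192.168.1.10"},
    };
    int n = (int)(sizeof sample / sizeof sample[0]);
    if (n > cap) n = cap;
    memcpy(out, sample, (size_t)n * sizeof *out);
    return n;
}
/* Detours would point this at the original routine via DetourAttach(). */
static int (*trampoline_get_adapters)(adapter_t *, int) = real_get_adapters;
/* Step 2: drop "Loopback Pseudo-Interface 1" and hand its 127.0.0.1 to
 * "Npcap Loopback Adapter". Step 3: feature absent -> original list as-is. */
int hooked_get_adapters(adapter_t *out, int cap) {
    int n = trampoline_get_adapters(out, cap), w = 0;
    char pseudo_ip[16] = "";
    if (!g_has_npcap_loopback) return n;
    for (int i = 0; i < n; i++) {
        if (strcmp(out[i].name, "Loopback Pseudo-Interface 1") == 0) {
            strcpy(pseudo_ip, out[i].ipv4); /* remember its address, drop it */
            continue;
        }
        out[w++] = out[i];
    }
    for (int i = 0; i < w; i++)
        if (pseudo_ip[0] && strcmp(out[i].name, "Npcap Loopback Adapter") == 0)
            strcpy(out[i].ipv4, pseudo_ip);
    return w;
}
/* Fill g_adapters as Nmap would see them with the feature on or off. */
int refresh_adapters(bool npcap_loopback) {
    g_has_npcap_loopback = npcap_loopback;
    return hooked_get_adapters(g_adapters, MAX_ADAPTERS);
}
```

With the flag off, Nmap sees the three adapters exactly as Windows reports them; with it on, the pseudo-interface disappears and "Npcap Loopback Adapter" owns 127.0.0.1.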
