Nmap Development mailing list archives
Best practice for adding self-scan support for nmap
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Tue, 21 Jul 2015 16:34:31 +0800
Hi list,

As Npcap's loopback capture feature has become stable after several rounds of bug fixes, I think it's time to discuss how to integrate it with Nmap so that Nmap is able to scan Windows localhost. (The latest Npcap installer: https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/npcap-nmap-0.01-r2.exe)

As Windows doesn't support the same "lo" as in Linux, it brings lots of trouble for Npcap to implement localhost scan support. E.g. you can't assign the 127.0.0.1 address to an adapter, so "Npcap Loopback Adapter" actually doesn't use the 127.0.0.1 IP. Moreover, Windows fakes a high-level interface named "Loopback Pseudo-Interface 1" which can be seen in the IP Helper API (IPHlpApi.dll); this interface owns the 127.0.0.1 IP, but it is only high-level and can't be used to capture packets using Npcap or WinPcap.

So Npcap's mission is to "deceive" Nmap into believing that "Npcap Loopback Adapter" is the loopback interface and owns the 127.0.0.1 address. Nmap (and nearly all other software) only uses two ways to get interface info: 1) the IP Helper API, 2) the WinPcap API. As Npcap can control the behavior of 2), what Npcap needs to do is change the behavior of 1). So my solution is:

1) Nmap checks Npcap's software registry key at start-up and gets the "Npcap Loopback Adapter" value; if the value exists, then we believe the Npcap loopback feature is available, and set the global variable g_has_npcap_loopback to true.

2) Use the Microsoft Detours API to hook the functions in the IP Helper API (like the GetAdaptersAddresses() function, which returns the interface list to Nmap), and substitute the useless "Loopback Pseudo-Interface 1" with "Npcap Loopback Adapter". I think hooking the IP Helper API is better than messing with Nmap's code because:
   i. It makes the loopback deception loosely coupled with Nmap, so Nmap's code won't get too messed up.
   ii. It's easier to let Npcap support other applications, as they only need to import the detours code.

3) All other Nmap functions related to loopback (like SYN Stealth Scan and OS Scan) check g_has_npcap_loopback first; if it is true, Nmap can just treat the Windows "lo" interface the same as the Linux "lo", with no need to stop working and show something like "Skipping OS Scan against (127.0.0.1) because it doesn't work against your own machine (localhost)". If g_has_npcap_loopback == false, then it means the Npcap loopback feature is unavailable and everything keeps working the original way.

This is my idea and I'd like to hear your suggestions. Thanks.

Cheers,
Yang
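The substitution that steps 1) to 3) of the proposal describe, as an added portable C example that is neither Nmap nor Npcap code: a real hook would call the original GetAdaptersAddresses() through the Detours trampoline and then rewrite the IP_ADAPTER_ADDRESSES chain it returned; here that chain is a constructed stand-in carrying only the fields the rewrite needs, the adapter names are the ones from the post, and the result is gated on g_has_npcap_loopback exactly as the proposal suggests.

```c
#include <string.h>
#include <stdbool.h>

/* Constructed stand-in for the IP_ADAPTER_ADDRESSES list that GetAdaptersAddresses()
 * returns; only the fields the rewrite needs are modelled. */
typedef struct adapter {
    const char *friendly_name;
    bool is_software_loopback;  /* stands in for IfType == IF_TYPE_SOFTWARE_LOOPBACK */
    const char *ipv4;           /* the adapter's single IPv4 unicast address, or NULL */
    struct adapter *next;
} adapter_t;

bool g_has_npcap_loopback = false;  /* set at start-up from the Npcap registry key */
/* What the hooked GetAdaptersAddresses() would do to the list the real function gave
 * back: hand 127.0.0.1 to "Npcap Loopback Adapter", unlink the pseudo-interface. */
adapter_t *substitute_loopback(adapter_t *head)
{
    if (!g_has_npcap_loopback) return head;  /* feature absent: list stays untouched */
    adapter_t *npcap = NULL, *pseudo = NULL, *pseudo_prev = NULL, *prev = NULL;
    for (adapter_t *a = head; a; prev = a, a = a->next) {
        if (strcmp(a->friendly_name, "Npcap Loopback Adapter") == 0) npcap = a;
        else if (a->is_software_loopback) { pseudo = a; pseudo_prev = prev; }
    }
    if (!npcap || !pseudo) return head;  /* either adapter missing: nothing to do */
    npcap->ipv4 = pseudo->ipv4;          /* Npcap adapter now "owns" 127.0.0.1 */
    npcap->is_software_loopback = true;  /* and looks like the loopback interface */
    if (pseudo_prev) pseudo_prev->next = pseudo->next; else head = pseudo->next;
    return head;
}

/* Name of the adapter holding ipv4 in the list, or NULL if none does. */
const char *owner_of(adapter_t *head, const char *ipv4)
{
    for (adapter_t *a = head; a; a = a->next)
        if (a->ipv4 && strcmp(a->ipv4, ipv4) == 0) return a->friendly_name;
    return NULL;
}

/* Builds the constructed three-adapter list, runs the substitution with the flag in
 * the given state and reports which adapter ends up owning 127.0.0.1. */
const char *demo_loopback_owner(bool npcap_present)
{
    static adapter_t npcap, pseudo, eth;
    npcap  = (adapter_t){"Npcap Loopback Adapter", false, NULL, NULL};
    pseudo = (adapter_t){"Loopback Pseudo-Interface 1", true, "127.0.0.1", &npcap};
    eth    = (adapter_t){"Ethernet", false, "192.0.2.10", &pseudo};
    g_has_npcap_loopback = npcap_present;
    return owner_of(substitute_loopback(&eth), "127.0.0.1");
}
```

demo_loopback_owner(true) yields "Npcap Loopback Adapter" and demo_loopback_owner(false) leaves 127.0.0.1 on "Loopback Pseudo-Interface 1", which is the fallback behaviour step 3) describes.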
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/