Nmap Development mailing list archives

Plan to make NPcap support loopback packets capturing on Windows


From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Mon, 6 Jul 2015 14:09:30 +0800

Hi list,

We all know that Nmap doesn't quite work well when scanning a Windows
localhost, as said in [1, 2]. This is mainly because WinPcap simply can't
capture loopback packets. Actually I did a bit of research about this in
GSoC 2013 [3], but it is just a prototype, which is also mentioned in
fyodor's mail [4]. I'd like to continue this work this summer, to make
NPcap see loopback packets on Win7 and later systems.

My plan is to integrate a Windows Filtering Platform (WFP) driver into NPcap
to take care of loopback packets, as Jeffrey Tippet from Microsoft
suggested in [5]. I tried Linux's loopback mechanism. It has a special
network adapter called "lo" (at least that is its name on Ubuntu). This "lo"
adapter can see and only see traffic within localhost. Correspondingly,
NPcap will add an adapter named "NPcap Loopback Adapter". It is created
just like a normal Windows loopback adapter, but NPcap will specially take
care of it and make it see and only see "real" loopback packets (like ping
127.0.0.0/8 or any local IPs). Other normal loopback adapters are not
affected by NPcap.

One thing to notice is that: as Windows just doesn't give loopback
packets a Data Link Layer (like Ethernet), loopback packets are returned when
they reach the Network Layer (like IPv4). NPcap will just fake an Ethernet II
header before the packet data, leaving the source MAC address and destination
MAC address zero, but will set the Protocol Type field to IPv4 or IPv6
based on the packet's nature. This is how Linux's "lo" adapter works and NPcap
will try to keep compatibility with Linux on this.

And I have made some progress on this these days:
1) Automatically add or remove "NPcap Loopback Adapter" when installing or
uninstalling NPcap.
https://github.com/nmap/npcap/commit/7a1b95ae03a92309bf87ce1f7e87ef3ba63383e2

2) Made a simple WFP driver named "lbtest.sys" which successfully sees the
loopback traffic. This code will be integrated into NPcap driver when it's
finished.
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/lbtest/

And one thing I'm not clear about is: when nmap sends a packet targeted at
127.0.0.1 (like nmap -v -A 127.0.0.1), which interface will it go to?
Perhaps NPcap needs to take care of this and make this packet go to "NPcap
Loopback Adapter" instead of other ones. Any suggestions about this
feature are welcome!

Cheers,
Yang


[1] http://seclists.org/nmap-dev/2013/q3/519
[2] http://seclists.org/wireshark/2010/Aug/169
[3] http://seclists.org/nmap-dev/2013/q3/627
[4] http://seclists.org/nmap-dev/2013/q4/108
[5] https://social.msdn.microsoft.com/Forums/en-US/ae63e3f7-0330-43cf-b4ba-8893d9103fba/is-it-possible-to-capture-all-loopback-packets-using-wfp-callouts?forum=wdk
_______________________________________________
Sent through the dev mailing list
https://nmap.org/mailman/listinfo/dev
Archived at http://seclists.org/nmap-dev/
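Editor's note: the fake Ethernet II framing described in the mail above (zero source and destination MACs, EtherType chosen from the IP version) is easy to get subtly wrong, so here is an added, stand-alone illustration of it in plain user-mode C. This is not code from the original mail, from the lbtest.sys prototype or from Npcap itself; the function names, the 1600-byte scratch buffer and the two sample packets (a 28-byte IPv4 ICMP echo with zero checksums, and a bare 40-byte IPv6 header, both 127.0.0.1/::1 to itself) are constructed here for the example. It picks the EtherType from the version nibble of the first IP byte, refuses packets shorter than a minimal IP header, and reads the EtherType back the way a capture consumer such as libpcap/Wireshark would.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

#define ETH_HDR_LEN    14
#define ETHERTYPE_IPV4 0x0800
#define ETHERTYPE_IPV6 0x86DD
#define SCRATCH_LEN    1600   /* assumed frame buffer size for this example */

/* Decide the EtherType from the IP version nibble of the packet's first byte.
 * Returns 0 for anything that is not a plausible IPv4 (>=20 B) or IPv6 (>=40 B) packet. */
uint16_t ethertype_for_ip(const uint8_t *ip, size_t len)
{
    if (ip == NULL || len < 1)
        return 0;
    switch (ip[0] >> 4) {
    case 4:  return len >= 20 ? ETHERTYPE_IPV4 : 0;
    case 6:  return len >= 40 ? ETHERTYPE_IPV6 : 0;
    default: return 0;
    }
}

/* Prepend a fake Ethernet II header: 6 zero bytes dst MAC, 6 zero bytes src MAC,
 * big-endian EtherType, then the untouched IP packet. Returns the frame length,
 * or 0 if the packet is not IP or the output buffer is too small. */
size_t wrap_loopback_frame(const uint8_t *ip, size_t ip_len,
                           uint8_t *out, size_t out_cap)
{
    uint16_t type = ethertype_for_ip(ip, ip_len);
    if (type == 0 || out == NULL || out_cap < ETH_HDR_LEN + ip_len)
        return 0;
    memset(out, 0, 12);                   /* dst and src MAC are all-zero, as on Linux "lo" */
    out[12] = (uint8_t)(type >> 8);       /* EtherType is network byte order */
    out[13] = (uint8_t)(type & 0xff);
    memcpy(out + ETH_HDR_LEN, ip, ip_len);
    return ETH_HDR_LEN + ip_len;
}

/* Consumer side: read the EtherType back out of a frame (0 if truncated). */
uint16_t frame_ethertype(const uint8_t *frame, size_t len)
{
    if (frame == NULL || len < ETH_HDR_LEN)
        return 0;
    return (uint16_t)((frame[12] << 8) | frame[13]);
}

/* Wrap a packet into a local buffer and return the EtherType a capture tool
 * would see; 0 means the packet was rejected. Convenient for checking. */
uint16_t roundtrip_ethertype(const uint8_t *ip, size_t ip_len)
{
    uint8_t scratch[SCRATCH_LEN];
    size_t n = wrap_loopback_frame(ip, ip_len, scratch, sizeof scratch);
    return n ? frame_ethertype(scratch, n) : 0;
}

/* Constructed sample: minimal IPv4 ICMP echo request 127.0.0.1 -> 127.0.0.1
 * (20-byte header + 8-byte ICMP; checksums left zero, irrelevant for framing). */
static const uint8_t sample_ipv4[28] = {
    0x45, 0x00, 0x00, 0x1c, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01,
    0x08, 0x00, 0x00, 0x00, 0x00, 0x01, 0x00, 0x01
};

/* Constructed sample: bare IPv6 header ::1 -> ::1, next header 58 (ICMPv6), no payload. */
static const uint8_t sample_ipv6[40] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x40,
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 1,
    0, 0, 0, 0, 0, 0, 0, 0,  0, 0, 0, 0, 0, 0, 0, 1
};

int main(void)
{
    uint8_t frame[SCRATCH_LEN];
    size_t n;

    n = wrap_loopback_frame(sample_ipv4, sizeof sample_ipv4, frame, sizeof frame);
    printf("IPv4: frame %zu bytes, EtherType 0x%04x\n", n, frame_ethertype(frame, n));

    n = wrap_loopback_frame(sample_ipv6, sizeof sample_ipv6, frame, sizeof frame);
    printf("IPv6: frame %zu bytes, EtherType 0x%04x\n", n, frame_ethertype(frame, n));

    /* A truncated IPv4 packet is rejected rather than framed. */
    n = wrap_loopback_frame(sample_ipv4, 10, frame, sizeof frame);
    printf("truncated: wrap returned %zu\n", n);
    return 0;
}
```

The practical point for a capture consumer is that the resulting frames decode with the ordinary Ethernet link type, so the same dissectors work on loopback captures as on a real NIC; the zero MACs are the only hint that the header was synthesised.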
