Nmap Development mailing list archives
Plan to make NPcap support loopback packets capturing on Windows
From: 食肉大灰兔V5 <hsluoyz () gmail com>
Date: Mon, 6 Jul 2015 14:09:30 +0800
Hi list,

We all know that Nmap doesn't quite work well when scanning a Windows localhost, as said in [1, 2]. This is mainly because WinPcap simply can't capture loopback packets. Actually I did a bit of research about this in GSoC 2013 [3], but it is just a prototype, which is also mentioned in Fyodor's mail [4]. I'd like to continue this work this summer, to make NPcap see loopback packets on Win7 and later systems.

My plan is to integrate a Windows Filtering Platform (WFP) driver into NPcap to take care of loopback packets, as Jeffrey Tippet from Microsoft suggested in [5].

I tried Linux's loopback mechanism. It has a special network adapter called "lo" (at least that is its name on Ubuntu). This "lo" adapter can see, and only see, traffic within localhost. Correspondingly, NPcap will add an adapter named "NPcap Loopback Adapter". It is created just like a normal Windows loopback adapter, but NPcap will specially take care of it and make it see, and only see, "real" loopback packets (like ping 127.0.0.0/8 or any local IPs). Other normal loopback adapters are not affected by NPcap.

One thing to notice: as Windows just doesn't give loopback packets a Data Link Layer (like Ethernet), loopback packets are returned when they reach the Network Layer (like IPv4). NPcap will just fake an Ethernet II header before the packet data, leaving the source MAC address and destination MAC address zero, but will set the Protocol Type to IPv4 or IPv6 based on the packet's nature. This is how Linux's "lo" adapter works, and NPcap will try to keep compatibility with Linux on this.

And I have made some progress on this these days:

1) Automatically add or remove "NPcap Loopback Adapter" when installing or uninstalling NPcap.
https://github.com/nmap/npcap/commit/7a1b95ae03a92309bf87ce1f7e87ef3ba63383e2

2) Made a simple WFP driver named "lbtest.sys" which successfully sees the loopback traffic. This code will be integrated into the NPcap driver when it's finished.
https://svn.nmap.org/nmap-exp/yang/NPcap-LWF/lbtest/

One thing I'm not clear about is, when Nmap sends a packet targeted to 127.0.0.1 (like nmap -v -A 127.0.0.1), which interface will it go to? Perhaps NPcap needs to take care of this and make this packet go to "NPcap Loopback Adapter" instead of other ones.

Any suggestions about this feature are welcome!

Cheers,
Yang

[1] http://seclists.org/nmap-dev/2013/q3/519
[2] http://seclists.org/wireshark/2010/Aug/169
[3] http://seclists.org/nmap-dev/2013/q3/627
[4] http://seclists.org/nmap-dev/2013/q4/108
[5] https://social.msdn.microsoft.com/Forums/en-US/ae63e3f7-0330-43cf-b4ba-8893d9103fba/is-it-possible-to-capture-all-loopback-packets-using-wfp-callouts?forum=wdk
_______________________________________________ Sent through the dev mailing list https://nmap.org/mailman/listinfo/dev Archived at http://seclists.org/nmap-dev/
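The framing rule described in the post (a fake Ethernet II header with all-zero source and destination MACs and an EtherType chosen from the IP version nibble, as Linux's "lo" adapter does) is small enough to show end to end. The following is an added example written for this archive page; it is not code from the post, from NPcap or from lbtest.sys. The function names, the scratch buffer and the two sample packets (a bare IPv4 header for 127.0.0.1 -> 127.0.0.1 and a bare IPv6 header for ::1 -> ::1, with the IPv4 checksum left zero) are all constructed here for illustration. It also includes the inverse check a capture consumer would apply before trusting such a frame, which the post does not discuss.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Ethernet II header: 6-byte dst MAC, 6-byte src MAC, 2-byte EtherType. */
#define ETH_HLEN        14
#define ETHERTYPE_IPV4  0x0800
#define ETHERTYPE_IPV6  0x86DD

/* Constructed sample: 20-byte IPv4 header, protocol ICMP, 127.0.0.1 -> 127.0.0.1.
 * Header checksum is left zero; it is not needed to demonstrate framing. */
const uint8_t kSampleIPv4[20] = {
    0x45, 0x00, 0x00, 0x14, 0x00, 0x01, 0x00, 0x00, 0x40, 0x01, 0x00, 0x00,
    0x7f, 0x00, 0x00, 0x01, 0x7f, 0x00, 0x00, 0x01
};

/* Constructed sample: 40-byte IPv6 header, next header ICMPv6 (58), ::1 -> ::1. */
const uint8_t kSampleIPv6[40] = {
    0x60, 0x00, 0x00, 0x00, 0x00, 0x00, 0x3a, 0x40,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1,
    0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 0, 1
};

/* Constructed sample: first nibble 5 is neither IPv4 nor IPv6. */
const uint8_t kBadVersion[4] = { 0x50, 0x00, 0x00, 0x00 };

/* Scratch buffer for the framed output (hypothetical helper state). */
uint8_t g_frame[128];

/* Prepend a fake Ethernet II header to a bare IP packet, the way the post
 * describes: zero MACs, EtherType from the IP version nibble. Returns the
 * total frame length, or 0 if the packet is empty, has an unknown IP version,
 * or the output buffer is too small. */
size_t frame_loopback_packet(const uint8_t *ip, size_t ip_len,
                             uint8_t *out, size_t out_cap)
{
    if (ip == NULL || ip_len < 1 || out == NULL)
        return 0;
    if (out_cap < ETH_HLEN + ip_len)
        return 0;

    uint16_t ethertype;
    switch (ip[0] >> 4) {               /* IP version lives in the top nibble */
    case 4:  ethertype = ETHERTYPE_IPV4; break;
    case 6:  ethertype = ETHERTYPE_IPV6; break;
    default: return 0;                  /* not IP: refuse to fake a header */
    }

    memset(out, 0, 12);                 /* dst MAC and src MAC = 00:00:00:00:00:00 */
    out[12] = (uint8_t)(ethertype >> 8);        /* EtherType, network byte order */
    out[13] = (uint8_t)(ethertype & 0xff);
    memcpy(out + ETH_HLEN, ip, ip_len);
    return ETH_HLEN + ip_len;
}

/* Inverse check for a consumer of such frames: both MACs must be zero and the
 * EtherType must agree with the IP version nibble of the payload. Returns the
 * payload offset (ETH_HLEN) on success, -1 otherwise. *ethertype may be NULL. */
int parse_loopback_frame(const uint8_t *frame, size_t len, uint16_t *ethertype)
{
    static const uint8_t zero_macs[12] = { 0 };
    if (frame == NULL || len < ETH_HLEN + 1)
        return -1;
    if (memcmp(frame, zero_macs, sizeof zero_macs) != 0)
        return -1;

    uint16_t et = (uint16_t)((frame[12] << 8) | frame[13]);
    uint8_t ver = frame[ETH_HLEN] >> 4;
    if (et == ETHERTYPE_IPV4 && ver != 4) return -1;
    if (et == ETHERTYPE_IPV6 && ver != 6) return -1;
    if (et != ETHERTYPE_IPV4 && et != ETHERTYPE_IPV6) return -1;

    if (ethertype)
        *ethertype = et;
    return ETH_HLEN;
}

int main(void)
{
    size_t n = frame_loopback_packet(kSampleIPv4, sizeof kSampleIPv4,
                                     g_frame, sizeof g_frame);
    for (size_t i = 0; i < n; i++)
        printf("%02x%c", g_frame[i], ((i + 1) % 16 == 0 || i + 1 == n) ? '\n' : ' ');
    return n == 0;
}
```

The rejection path in frame_loopback_packet is the part worth keeping in mind when a real driver does this: anything that is not recognisably IPv4 or IPv6 gets no fake header at all, so a capture consumer never sees a frame whose EtherType contradicts its payload.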
Current thread:
- Plan to make NPcap support loopback packets capturing on Windows 食肉大灰兔V5 (Jul 05)