[npcap] - wireshark stopped seeing adapters after windows 10 updated to "anniversary edition" #467

Closed
zdm opened this issue Aug 7, 2016 · 65 comments

@zdm zdm commented Aug 7, 2016

Hi.
Today Windows 10 was updated and Wireshark doesn't see network adapters any more.
I tried to reinstall Npcap and Wireshark - this wasn't helpful.
Npcap is installed in WinPcap compat. mode and Wireshark detected Npcap during the install process.

@zdm zdm commented Aug 7, 2016

Winpcap works.
Npcap - not.

@hsluoyz hsluoyz commented Aug 8, 2016

Hi @zdm ,

Is your OS x86 or x64? Which Npcap version and Wireshark version did you use? Which Npcap installation options did you choose? Thanks.

I have tested latest Npcap 0.08 r3 (with WinPcap Compat Mode) and latest Wireshark Development Release (2.1.1) on my Win10 x64 Anniversary version without any issues.

Please don't use Wireshark Stable Release because it can't recognize the new version Npcap when installed in non-WinPcap Compat Mode (which is by default).

@hsluoyz hsluoyz self-assigned this Aug 8, 2016

@zdm zdm commented Aug 8, 2016

Windows 10 x64

Wireshark 2.0.5 x 64

I tried following npcap versions:
0.08-r2
0.08
0.07-r17

@hsluoyz hsluoyz commented Aug 8, 2016

I tried your environment and didn't encounter that issue. What error message did you actually see?

@zdm zdm commented Aug 8, 2016

Wireshark doesn't show any errors, just shows no adapters.

@hsluoyz hsluoyz commented Aug 8, 2016

  1. Install Npcap with default options.
  2. Reboot after install.
  3. Try nmap --iflist and paste the output here.

@zdm zdm commented Aug 8, 2016

I have removed winpcap and installed npcap-v0.08-r2 with default options.

In a non-elevated cmd, nmap returns nothing:
[screenshot 2016-08-08 08 36 38]

But in an elevated one I got an error:
[screenshot 2016-08-08 08 36 48]

@hsluoyz hsluoyz commented Aug 8, 2016

Oh, I forgot to say.

Please install Nmap's dev version: https://nmap.org/dist/nmap-7.25BETA1-setup.exe

And please install latest Npcap 0.08 r3.

@zdm zdm commented Aug 8, 2016

With nmap-7.25-beta1 results are the same.

@hsluoyz hsluoyz commented Aug 8, 2016

  1. See if the C:\Windows\System32\Npcap folder contains these two files: wpcap.dll, Packet.dll
  2. In Administrator CMD, enter sc query npcap and paste the result here.

@zdm zdm commented Aug 8, 2016

  1. Files are present;
  2. Service is stopped
SERVICE_NAME: npcap
        TYPE               : 1  KERNEL_DRIVER
        STATE              : 1  STOPPED
        WIN32_EXIT_CODE    : 31  (0x1f)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

@hsluoyz hsluoyz commented Aug 8, 2016

In Administrator CMD, enter net start npcap and paste the result here.

@zdm zdm commented Aug 8, 2016

Problem with signature

d:\downloads\111>net start npcap
System error 577 has occurred.

Windows cannot verify the digital signature for this file. A recent hardware or software change might have installed a file that is signed incorrectly or damaged, or that might be malicious software from an unknown source.

@hsluoyz hsluoyz commented Aug 8, 2016

  1. Unzip the attached signtool.zip, put signtool.exe somewhere your CMD can find it (e.g. C:\Program Files\Npcap)
  2. In CMD, cd into the C:\Program Files\Npcap path, enter signtool verify /kp /c npcap.cat npcap.sys and paste the result here.

signtool.zip

@zdm zdm commented Aug 8, 2016

0 sha256 RFC3161
Successfully verified: npcap.sys

@hsluoyz hsluoyz commented Aug 8, 2016

  1. Restore the OS to the un-updated state.
  2. Uninstall Npcap.
  3. OS Update.
  4. Install Npcap.

@zdm zdm commented Aug 8, 2016

I made a clean OS install a day ago.

@hsluoyz hsluoyz commented Aug 8, 2016

I have no idea what happened.. Can I get a remote access?

@zdm zdm commented Aug 8, 2016

yes, do you have teamviewer?

@hsluoyz hsluoyz commented Aug 8, 2016

Yes. You can email me the password:) hsluoyz@gmail.com

@hsluoyz hsluoyz commented Aug 8, 2016

The network connectivity is so bad. I can't even move the mouse in the remote window.

@zdm zdm commented Aug 8, 2016

I don't know why, I have 100 Mb channel.

I need to go to the office now, and will be available in several hours.

So, the problem is in the driver signature.

I will try to find the solution too. I already checked that your certificate is stored as trusted.

@zdm zdm commented Aug 8, 2016

I found an article that describes the driver signing changes in Windows 10 Anniversary Edition.

http://www.thewindowsclub.com/driver-signing-changes-windows-10

Maybe this will be helpful to solve the problem.

@zdm zdm commented Aug 8, 2016

I think, that this requirement should be met:

"The latest version of Windows 10 will load only Kernel mode drivers signed digitally by the Dev Portal. However, the changes will affect only the new installations of the operating system with Secure Boot (http://www.thewindowsclub.com/understanding-measured-boot-secure-boot-work-windows-8) on. The non-upgraded fresh installations would require drivers signed by Microsoft."

@hsluoyz hsluoyz commented Aug 9, 2016

Thanks! This should be the reason.

From your link here, the following 5 conditions have described what kind of Windows will be affected by this new signing rule:

  1. PCs upgraded to Windows 10 Build 1607 from a previous version of Windows (for instance Windows 10 version 1511) are not affected by the change.
  2. PCs without Secure Boot functionality, or Secure Boot off, are not affected either.
  3. All drivers signed with cross-signing certificates that were issued prior to July 29, 2015, will continue to work.
  4. Boot drivers won’t be blocked to prevent systems from failing to boot. They will be removed by the Program Compatibility Assistant, however.
  5. The change affects only Windows 10 Version 1607. All previous versions of Windows are not affected.

But it's a little weird. Even the latest Npcap 0.08 r3's driver files were signed on July 24. So according to condition 3, the Npcap driver should work without signature issues. I don't know why you encounter this issue.

Moreover, I have tried to reproduce this issue but I couldn't. I have installed a fresh Win10 1607 x64 in my VMware Workstation 12, but Npcap 0.08 r3 installs successfully. From msinfo32.exe, I saw that this VM doesn't support secure boot. But based on this post, it said that changing a registry key can "make" msinfo32.exe believe secure boot is supported and enabled. I tried this method and it works. But I don't know if this cheating will also deceive the above condition 2. And I re-signed all the driver files to make sure condition 3 will not be satisfied.

But why can I still not reproduce this issue? It seems that the only reason is the secure boot. My secure boot cheating doesn't work. Unfortunately, I don't have an available machine for me to install Win 10 1607, so I have to use a VM here. Do you know any other ways to get a Win 10 VM with the secure boot support? Like using VirtualBox? Or using a remote machine from providers like Amazon, etc.?
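
The five conditions listed in the comment above can be checked on a host directly. The following PowerShell is an added example, not part of the original thread or the Npcap project; the function name, the upgrade heuristic (a "Source OS" subkey under HKLM:\SYSTEM\Setup) and the reading of condition 3 as the signer certificate's NotBefore date are assumptions. Run it from an elevated prompt.

```powershell
# Added example (not from the thread): collect the facts the five conditions
# depend on and report whether the Windows 10 1607 kernel-driver signing rule
# is expected to apply to one driver file on this host.
function Test-Win10DriverSigningPolicy {
    param(
        # Driver path and service name as they appear in the thread.
        [string]$DriverPath  = 'C:\Program Files\Npcap\npcap.sys',
        [string]$ServiceName = 'npcap',
        # Cut-off date quoted in condition 3.
        [datetime]$CutOff    = [datetime]'2015-07-29'
    )
    if (-not (Test-Path -LiteralPath $DriverPath)) {
        throw "Driver file not found: $DriverPath"
    }

    # Condition 5: only version 1607 is affected (ReleaseId is absent on older Windows).
    $cv     = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion'
    $is1607 = ($cv.ReleaseId -eq '1607')

    # Condition 1 (heuristic, assumption): in-place upgrades leave
    # "Source OS (Updated on ...)" subkeys under HKLM:\SYSTEM\Setup.
    $upgraded = [bool](Get-ChildItem 'HKLM:\SYSTEM\Setup' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -like 'Source OS*' })

    # Condition 2: Secure Boot state. The cmdlet needs elevation and throws
    # PlatformNotSupportedException on systems without UEFI.
    try   { $secureBoot = [bool](Confirm-SecureBootUEFI -ErrorAction Stop) }
    catch [System.PlatformNotSupportedException] { $secureBoot = $false }
    catch { $secureBoot = $null }   # unknown, e.g. not elevated

    # Condition 3 (assumption: "issued" means the signer certificate's NotBefore).
    $sig    = Get-AuthenticodeSignature -FilePath $DriverPath
    $cert   = $sig.SignerCertificate
    $issued = if ($cert) { $cert.NotBefore } else { $null }
    $grandfathered = ($null -ne $issued) -and ($issued -lt $CutOff)
    # Drivers signed through the Dev Portal carry this Microsoft signer name.
    $msSigned = [bool]($cert -and
        $cert.Subject -match 'Microsoft Windows Hardware Compatibility Publisher')

    # Condition 4: boot-start drivers are not blocked at load time.
    $drv    = Get-CimInstance Win32_SystemDriver -Filter "Name='$ServiceName'"
    $isBoot = [bool]($drv -and $drv.StartMode -eq 'Boot')

    $enforced = $is1607 -and (-not $upgraded) -and ($secureBoot -eq $true)

    [pscustomobject]@{
        ReleaseId        = $cv.ReleaseId
        UpgradedInstall  = $upgraded
        SecureBootOn     = $secureBoot      # empty means "could not determine"
        SignatureStatus  = $sig.Status
        SignerSubject    = if ($cert) { $cert.Subject } else { $null }
        SignerCertIssued = $issued
        BootStartDriver  = $isBoot
        DriverState      = $drv.State       # e.g. Stopped, as in the sc query output
        PolicyEnforced   = $enforced
        ExpectedBlocked  = $enforced -and (-not $grandfathered) -and
                           (-not $msSigned) -and (-not $isBoot)
    }
}

Test-Win10DriverSigningPolicy | Format-List
```

A valid SignatureStatus together with ExpectedBlocked = True matches the symptom in this thread: signtool verifies the file, yet the service fails to start with system error 577.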

@hsluoyz hsluoyz commented Aug 9, 2016

@zdm zdm commented Aug 9, 2016

In my case everything happens like it is described in the article.
I have a clean Windows install and the Npcap driver is not loading.

@hsluoyz hsluoyz commented Aug 9, 2016

@zdm , OK. I found Hyper-V supports secure boot in VMs. And I have reproduced your issue with Npcap 0.08 r4 in my VM. We will discuss how to improve our signing method. Thanks for reporting this issue!

@fyodor , can you register an account here: https://sysdev.microsoft.com/en-us/hardware/signup/ ? So we can log in to see what's going on there.

@marlop352 marlop352 commented Sep 7, 2016

Any updates about the signing problem?

@dmiller-nmap dmiller-nmap commented Dec 9, 2016

@BavoB @mhoes @marlop352 @zdm @sanitybit,

We have obtained an EV code signing certificate and are in the process of figuring out how to best accomplish the Dev Portal signing in such a way that it supports all versions of Windows from 7 through 10. Since you have each experienced problems with the driver signing issue, we are asking you to help us test a couple candidate builds of the latest Npcap 0.78 r2:

First, we have built [an installer with drivers signed directly by our EV cert]. This works on earlier versions of Windows, but we have not tested yet whether it works on Windows 10 1607, which is of course the primary problem. If this works for you on the Anniversary Update, we can begin shipping installers with this configuration right away.

If that should fail, we have an installer with Microsoft Attestation-signed drivers. The drivers were cross-signed by Microsoft through the Dev Portal after we signed them with our EV cert, and will most likely work with Windows 10, any release. Unfortunately, they do NOT work with previous versions.

If the first installer (EV-only) works for Win10 1607, then we can be done. If only the second one (attestation signed) works, then we will have to multiply again the drivers we ship: SHA-1-signed for Win7, EV-signed for Win8, and attestation-signed for Win10.

Please let us know at your earliest convenience which of these installers works for you, if any.

NOTE: these URLs are not permanent. Once we get a configuration finalized, we'll remove them and you can go back to obtaining Npcap through the Github releases page.

@zdm zdm commented Dec 9, 2016

@BavoB BavoB commented Dec 10, 2016

@zdm zdm commented Dec 10, 2016

Win10 with secure boot enabled:

  • npcap-0.78-r2-attestation.exe - works;
  • npcap-0.78-r2-ev.exe - not installed, failed to create service during installation;

@mhoes mhoes commented Dec 10, 2016

@zdm zdm commented Dec 10, 2016

@hsluoyz hsluoyz commented Dec 10, 2016

@mhoes @zdm , I have fixed this "Npcap loopback adapters are not uninstalled" issue in the latest Npcap 0.78 r4.

Please try the installer at: https://github.com/nmap/npcap/releases

Note: this version still doesn't support Win10 1607 with Secure Boot on. Only the Microsoft Attestation-signed version Npcap released by Dan supports it.

@marlop352 marlop352 commented Dec 10, 2016

0.78 r2-ev does not work (fails to create services)

0.78 r2-attestation works

With 0.78 r4, Windows gives an error after installation saying that it blocked the installation of a driver not digitally signed

@hsluoyz hsluoyz commented Dec 11, 2016

@marlop352 , Npcap 0.78 r4 still doesn't support Win10 1607 with Secure Boot on. Only the Microsoft Attestation-signed version Npcap released by Dan supports it. You can wait for Dan to release a 0.78 r4 version.

@marlop352 marlop352 commented Dec 11, 2016

@hsluoyz thought so, reported it because the error was different from what I remember happening when using the normal installer

I don't know how you generate the installer or how this specific one works, but can't it have the two types of binaries (normal and attestation) and choose which to use by detecting what system it's being run from?

@BavoB BavoB commented Dec 11, 2016

@BavoB BavoB commented Dec 11, 2016

@dmiller-nmap dmiller-nmap commented Dec 11, 2016

Everyone,

Sorry for the confusion. I had a misconfiguration that caused our EV-signed drivers to not validate, so they were not working on any system. Now they work on Windows 8 at least, and I would appreciate a test with Windows 10 1607. Here is the download link for Npcap 0.78 r4, EV cert.

@mhoes mhoes commented Dec 12, 2016

@BavoB BavoB commented Dec 13, 2016

@mhoes: which probably proves the point. For Win10 1607 with secure boot enabled (freshly installed, but as your experience shows even for upgrades depending on who knows what) you need attestation, no way around it.

@BavoB BavoB commented Dec 13, 2016

[screenshot: npcap 0 78 r4 beta ev version]
For completeness' sake: this is the EV version installed on Windows 2012 R2 (server) - UEFI with secure boot. So AFAIK the attestation is also needed here or else there is still something else wrong.
I got the Windows Security pop-up 'Would you like to install this device software?', to which I answered 'no' (do not always trust Insecure LLC).

@mhoes mhoes commented Dec 13, 2016

@BavoB BavoB commented Dec 13, 2016

@hsluoyz hsluoyz commented Dec 13, 2016

@BavoB

I got the Windows Security pop-up 'Would you like to install this device software?', to which I answered 'no'

If you choose no here, then you will always fail the driver install no matter how our driver is signed. So please choose yes.

@BavoB BavoB commented Dec 13, 2016

@mhoes mhoes commented Dec 13, 2016

It appears to me as if two things are getting mixed up here, but I may be wrong? (I made a screenshot of the pop-up I get, yours may be different). In the pop-up, there are actually two related, but different, things. First of all, there is a 'checkbox' that you can check if you always want to trust drivers signed by "Insecure.Com LLC". You don't have to check that box, but you can. I'm guessing that if you do check the box to always trust the signer that you will never get this pop-up again, and that you will get the pop-up again if you don't.

Then there are the 'install' and 'dont install' buttons. If you want to install the driver (and I'm guessing that you want to) then you must click the button that says 'install'. If you haven't checked the checkbox in combination with clicking on 'install', you will only trust the signer once, for this install only, instead of always.

[screenshot: pop-up]

@marlop352 marlop352 commented Dec 13, 2016

0.78 r2-ev does not work (fails to create services)
0.78 r2-attestation works
With 0.78 r4, Windows gives an error after installation saying that it blocked the installation of a driver not digitally signed

0.78 r4-ev still gives me the same error as 0.78 r4 even if I mark the always trust box (which does not appear on 0.78 r4) (checking that box should have made it accept the driver I think)

Windows 10 Pro 1607 (it's a clean install, not an update from a previous version) with secure boot enabled

@dmiller-nmap dmiller-nmap commented Dec 15, 2016

Ok, all: I just published Npcap 0.78 r5, which has attestation-signed drivers for Win10 users, dual-signed SHA1/SHA256 drivers with MS Cross-Certs for Windows 8 and earlier. We are back in business! Do let us know if you still experience these problems.

@BavoB BavoB commented Dec 15, 2016

@mhoes mhoes commented Dec 16, 2016

@BavoB BavoB commented Dec 20, 2016

OK, I had a chance to uninstall 0.78 r4 on a Windows 2012 R2 server + install 0.78 r5 (system with secure boot enabled). My findings, some of which have been reported before:

  • uninstalling took very long and didn't remove the adapters (which I removed manually), but eventually it did uninstall - it seemed to be stuck on the 'stopping npcap driver' stage
  • installing 0.78 r5 worked, but I did get the 'failed to create service' error: however after installing it seemed to work ==> I did not have WinPcap installed on this system, I installed Npcap in WinPcap API compatible mode and the programs that normally rely on WinPcap seemed to be working normally

So I guess there is some progress ;-)

I have some questions:

  1. what services are created by the installer, what is their name? (I'd like to check in services msc to see if it is running)
  2. are the uninstall problems also related to the (kernel) driver signing requirements/problems ==> although here I'm not running on Win10 based system
  3. what is the current status of npcap compared to winpcap: can this be run safely with a program like Wireshark (without Winpcap)?

@mhoes mhoes commented Dec 20, 2016

@dmiller-nmap dmiller-nmap commented Jan 19, 2017

Looks like we handled the core issue reported here. If you continue to have problems with uninstalling, please open a new issue so we can track and fix it. Thanks!

@fyodor fyodor transferred this issue from nmap/nmap May 5, 2021