mirror of https://github.com/nmap/nmap.git synced 2025-12-14 19:59:02 +00:00

Save timing ping probes between calls to ultra_scan. This allows, for example,
reusing an ACK ping probe from host detection during a SYN port scan. This can
greatly speed up a scan if the SYN scan finds only filtered ports.

One difficulty with implementing this is that not all ping probes are
appropriate for all scan types.
  nmap -PA -sU scanme.nmap.org
would cache the ACK ping probe and send ACK pings during the UDP scan. But the
pcap filter for the UDP scan doesn't catch TCP packets, so the replies would
not be noticed and they would show up as dropped pings. Likewise,
  nmap -PR -sS 192.168.0.1
would segfault when it tried to use an uninitialized Ethernet descriptor to
send an ARP ping during the SYN scan, which would use raw sockets.

To fix this I added a function pingprobe_is_appropriate that determines whether
a given ping probe is appropriate for the current scan type. If not, the
constructor for HostScanStats just erases the ping probe.

More types of ping probes could be made "appropriate." TCP timing pings work
during a UDP scan if only the pcap filter is expanded to include TCP packets.
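The two failure cases in the commit message (a cached TCP ACK probe that a UDP scan's pcap filter would never see, and a cached ARP probe that a raw-socket SYN scan cannot send) can be modelled with a small appropriateness check. The code below is an added illustration written for this page, not nmap's own `pingprobe_is_appropriate` or `HostScanStats`: the probespec layout is copied from the patch, but the `ScanKind` enum, the `scan_sniffs_*` / `scan_uses_ethernet` helpers, the `make_*_probe` builders and the cut-down `HostScanStats` are assumptions made for the example, and the handling of ICMP and IP-protocol probes (treated as not reusable) is a conservative choice, not something the commit states.

```cpp
#include <cstdint>
#include <cstdio>
#include <cstring>

typedef uint8_t u8;
typedef uint16_t u16;

/* Probe descriptor, copied from the patch so the example is self-contained. */
struct probespec_tcpdata { u16 dport; u8 flags; };
struct probespec_udpdata { u16 dport; };
struct probespec_icmpdata { u8 type; u8 code; };

#define PS_NONE 0
#define PS_TCP 1
#define PS_UDP 2
#define PS_PROTO 3
#define PS_ICMP 4
#define PS_ARP 5
#define PS_CONNECTTCP 6

typedef struct probespec {
  u8 type;   /* one of the PS_* values above */
  u8 proto;  /* IP protocol number when not PS_ARP */
  union {
    struct probespec_tcpdata tcp;
    struct probespec_udpdata udp;
    struct probespec_icmpdata icmp;
  } pd;
} probespec;

/* Hypothetical scan kinds for the example; nmap's real `stype` has many more. */
enum ScanKind { SCAN_SYN, SCAN_ACK, SCAN_UDP, SCAN_ARP, SCAN_CONNECT };

/* Which replies a scan type's pcap filter will actually catch, and whether it
   opened an Ethernet descriptor. These are assumptions of the example. */
static bool scan_sniffs_tcp(ScanKind s) { return s == SCAN_SYN || s == SCAN_ACK; }
static bool scan_sniffs_udp(ScanKind s) { return s == SCAN_UDP; }
static bool scan_uses_ethernet(ScanKind s) { return s == SCAN_ARP; }

/* Illustrative model of the check described in the commit message: a cached
   timing probe is reusable only if the current scan can send it and will see
   its reply. ICMP and raw-protocol probes are conservatively rejected here. */
bool pingprobe_is_appropriate(ScanKind scantype, const probespec &pp) {
  switch (pp.type) {
    case PS_TCP:        return scan_sniffs_tcp(scantype);
    case PS_UDP:        return scan_sniffs_udp(scantype);
    case PS_ARP:        return scan_uses_ethernet(scantype);
    case PS_CONNECTTCP: return scantype == SCAN_CONNECT;
    default:            return false; /* PS_NONE, PS_ICMP, PS_PROTO */
  }
}

/* Cut-down stand-in for HostScanStats: it receives the probe cached by the
   previous ultra_scan call and erases it when it does not fit this scan. */
struct HostScanStats {
  probespec pingprobe;
  HostScanStats(ScanKind scantype, const probespec &cached) : pingprobe(cached) {
    if (!pingprobe_is_appropriate(scantype, pingprobe))
      std::memset(&pingprobe, 0, sizeof(pingprobe)); /* type becomes PS_NONE */
  }
  bool has_pingprobe() const { return pingprobe.type != PS_NONE; }
};

/* Builders mimicking what -PA and -PR host discovery would leave behind. */
probespec make_tcp_ack_probe(u16 dport) {
  probespec p; std::memset(&p, 0, sizeof(p));
  p.type = PS_TCP; p.proto = 6; /* IPPROTO_TCP */
  p.pd.tcp.dport = dport; p.pd.tcp.flags = 0x10; /* TH_ACK */
  return p;
}
probespec make_arp_probe() {
  probespec p; std::memset(&p, 0, sizeof(p));
  p.type = PS_ARP;
  return p;
}

int main() {
  /* nmap -PA -sU: the ACK probe must be dropped, not sent during the UDP scan */
  HostScanStats udp(SCAN_UDP, make_tcp_ack_probe(80));
  /* nmap -PR -sS: the ARP probe must be dropped before the raw-socket SYN scan */
  HostScanStats syn(SCAN_SYN, make_arp_probe());
  /* nmap -PA -sS: the ACK probe survives and can speed up a filtered SYN scan */
  HostScanStats reuse(SCAN_SYN, make_tcp_ack_probe(80));
  std::printf("ACK probe kept for UDP scan: %d\n", udp.has_pingprobe());
  std::printf("ARP probe kept for SYN scan: %d\n", syn.has_pingprobe());
  std::printf("ACK probe kept for SYN scan: %d\n", reuse.has_pingprobe());
  return 0;
}
```

Extending the model to the case the message leaves open (TCP timing pings during a UDP scan) is a one-line change to `scan_sniffs_tcp`, but only after the UDP scan's pcap filter is widened to include TCP; the check and the filter have to agree, or replies land as dropped pings exactly as described above.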
david
2008-07-11 06:12:38 +00:00
parent 40ae30f600
commit 09c70e143f
4 changed files with 101 additions and 64 deletions


@@ -107,6 +107,44 @@
#include "global_structures.h"
#include <vector>
struct probespec_tcpdata {
u16 dport;
u8 flags;
};
struct probespec_udpdata {
u16 dport;
};
struct probespec_icmpdata {
u8 type;
u8 code;
};
#define PS_NONE 0
#define PS_TCP 1
#define PS_UDP 2
#define PS_PROTO 3
#define PS_ICMP 4
#define PS_ARP 5
#define PS_CONNECTTCP 6
/* The size of this structure is critical, since there can be tens of
thousands of them stored together ... */
typedef struct probespec {
/* To save space, I changed this from private enum (took 4 bytes) to
u8 that uses #defines above */
u8 type;
u8 proto; /* If not PS_ARP -- Protocol number ... eg IPPROTO_TCP, etc. */
union {
struct probespec_tcpdata tcp; /* If type is PS_TCP or PS_CONNECTTCP. */
struct probespec_udpdata udp; /* PS_UDP */
struct probespec_icmpdata icmp; /* PS_ICMP */
/* Nothing needed for PS_ARP, since src mac and target IP are
avail from target structure anyway */
} pd;
} probespec;
/* 3rd generation Nmap scanning function. Handles most Nmap port scan types */
void ultra_scan(std::vector<Target *> &Targets, struct scan_lists *ports,
stype scantype, struct timeout_info *to = NULL);
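Review bot: the comment above `typedef struct probespec` says the size is critical because tens of thousands are stored, yet now that the definition is exported from this header nothing enforces that size; consider a compile-time check such as `sizeof(probespec)` against the expected value next to the definition, so that adding a field (or reverting `u8 type` to an enum, which the comment warns took 4 bytes) fails the build instead of silently growing every probe. Related: `PS_NONE` through `PS_CONNECTTCP` are bare `#define`s that every includer of this header now sees, and the `u8`/`u16` types are relied on without an explicit include here (they presumably arrive via `global_structures.h`); if that is the intent, a short comment saying so would save the next reader a search.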