PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 12:41:29 +00:00
Code Issues Projects Releases Wiki Activity

Adding a new ping type: IPProto Ping. It's used with '-PO'. I've changed references to -P0 (zero) to -PN throughout the source code and refguide.xml

Browse Source
This commit is contained in:
kris
2007-10-28 00:05:03 +00:00
parent a4878d3150
commit 1b1fcc753b
10 changed files with 168 additions and 38 deletions
Download Patch File Download Diff File Expand all files Collapse all files

13
NmapOps.cc
View File

@@ -202,7 +202,7 @@ void NmapOps::Initialize() {
reference_FPs = NULL; reference_FPs = NULL;
magic_port = 33000 + (get_random_uint() % 31000); magic_port = 33000 + (get_random_uint() % 31000);
magic_port_set = 0; magic_port_set = 0;
num_ping_synprobes = num_ping_ackprobes = num_ping_udpprobes = 0; num_ping_synprobes = num_ping_ackprobes = num_ping_udpprobes = num_ping_protoprobes = 0;
timing_level = 3; timing_level = 3;
max_parallelism = 0; max_parallelism = 0;
min_parallelism = 0; min_parallelism = 0;
@@ -332,11 +332,11 @@ void NmapOps::ValidateOptions() {
} }
if (pingtype != PINGTYPE_NONE && spoofsource) { if (pingtype != PINGTYPE_NONE && spoofsource) {
error("WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -P0 . If you are using it to specify your real source address, you can ignore this warning."); error("WARNING: If -S is being used to fake your source address, you may also have to use -e <interface> and -PN . If you are using it to specify your real source address, you can ignore this warning.");
} }
if (pingtype != PINGTYPE_NONE && idlescan) { if (pingtype != PINGTYPE_NONE && idlescan) {
error("WARNING: Many people use -P0 w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans."); error("WARNING: Many people use -PN w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.");
sleep(2); /* Give ppl a chance for ^C :) */ sleep(2); /* Give ppl a chance for ^C :) */
} }
@@ -352,13 +352,16 @@ void NmapOps::ValidateOptions() {
fatal("Sorry, UDP Ping (-PU) only works if you are root (because we need to read raw responses off the wire) and only for IPv4 (cause fyodor is too lazy right now to add IPv6 support and nobody has sent a patch)"); fatal("Sorry, UDP Ping (-PU) only works if you are root (because we need to read raw responses off the wire) and only for IPv4 (cause fyodor is too lazy right now to add IPv6 support and nobody has sent a patch)");
} }
if ((pingtype & PINGTYPE_PROTO) && (!isr00t || af() != AF_INET)) {
fatal("Sorry, IPProto Ping (-PO) only works if you are root (because we need to read raw responses off the wire) and only for IPv4");
}
if (ipprotscan + (TCPScan() || UDPScan()) + listscan + pingscan > 1) { if (ipprotscan + (TCPScan() || UDPScan()) + listscan + pingscan > 1) {
fatal("Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types."); fatal("Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types.");
} }
if ((pingscan && pingtype == PINGTYPE_NONE)) { if ((pingscan && pingtype == PINGTYPE_NONE)) {
fatal("-P0 (skip ping) is incompatable with -sP (ping scan). If you only want to enumerate hosts, try list scan (-sL)"); fatal("-PN (skip ping) is incompatable with -sP (ping scan). If you only want to enumerate hosts, try list scan (-sL)");
} }
if (pingscan && (TCPScan() || UDPScan() || ipprotscan || listscan)) { if (pingscan && (TCPScan() || UDPScan() || ipprotscan || listscan)) {
@@ -413,7 +416,7 @@ void NmapOps::ValidateOptions() {
} }
if (bouncescan && pingtype != PINGTYPE_NONE) if (bouncescan && pingtype != PINGTYPE_NONE)
log_write(LOG_STDOUT, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan\n"); log_write(LOG_STDOUT, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -PN so we don't try and ping them prior to the scan\n");
if (ackscan+bouncescan+connectscan+finscan+idlescan+maimonscan+nullscan+synscan+windowscan+xmasscan > 1) if (ackscan+bouncescan+connectscan+finscan+idlescan+maimonscan+nullscan+synscan+windowscan+xmasscan > 1)
fatal("You specified more than one type of TCP scan. Please choose only one of -sA, -b, -sT, -sF, -sI, -sM, -sN, -sS, -sW, and -sX"); fatal("You specified more than one type of TCP scan. Please choose only one of -sA, -b, -sT, -sF, -sI, -sM, -sN, -sS, -sW, and -sX");

2
NmapOps.h
View File

@@ -196,6 +196,8 @@ class NmapOps {
u16 ping_ackprobes[MAX_PROBE_PORTS]; u16 ping_ackprobes[MAX_PROBE_PORTS];
int num_ping_udpprobes; int num_ping_udpprobes;
u16 ping_udpprobes[MAX_PROBE_PORTS]; u16 ping_udpprobes[MAX_PROBE_PORTS];
int num_ping_protoprobes;
u16 ping_protoprobes[MAX_PROBE_PORTS];
/* Scan timing/politeness issues */ /* Scan timing/politeness issues */
int timing_level; // 0-5, corresponding to Paranoid, Sneaky, Polite, Normal, Aggressive, Insane int timing_level; // 0-5, corresponding to Paranoid, Sneaky, Polite, Normal, Aggressive, Insane
int max_parallelism; // 0 means it has not been set int max_parallelism; // 0 means it has not been set

59
docs/refguide.xml
View File

@@ -291,7 +291,7 @@ you would expect.</para>
the simple ICMP echo request packets associated with the the simple ICMP echo request packets associated with the
ubiquitous <application>ping</application> tool. Users can skip ubiquitous <application>ping</application> tool. Users can skip
the ping step entirely with a list scan (<option>-sL</option>) or the ping step entirely with a list scan (<option>-sL</option>) or
by disabling ping (<option>-P0</option>), or engage the network by disabling ping (<option>-PN</option>), or engage the network
with arbitrary combinations of multi-port TCP SYN/ACK, UDP, and with arbitrary combinations of multi-port TCP SYN/ACK, UDP, and
ICMP probes. The goal of these probes is to solicit responses ICMP probes. The goal of these probes is to solicit responses
which demonstrate that an IP address is actually active (is being which demonstrate that an IP address is actually active (is being
@@ -331,7 +331,7 @@ you would expect.</para>
probes (<option>-PU</option>). Read about the probes (<option>-PU</option>). Read about the
<option>-sP</option> option to learn how to perform <option>-sP</option> option to learn how to perform
<emphasis>only</emphasis> host discovery, or use <emphasis>only</emphasis> host discovery, or use
<option>-P0</option> to skip host discovery and port scan all <option>-PN</option> to skip host discovery and port scan all
target hosts. The following options control host target hosts. The following options control host
discovery:</para> discovery:</para>
@@ -363,7 +363,7 @@ you would expect.</para>
scanning, OS detection, or ping scanning cannot be combined scanning, OS detection, or ping scanning cannot be combined
with this. If you wish to disable ping scanning while still with this. If you wish to disable ping scanning while still
performing such higher level functionality, read up on the performing such higher level functionality, read up on the
<option>-P0</option> option.</para> <option>-PN</option> option.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -398,7 +398,7 @@ you would expect.</para>
<option>--send-ip</option> was specified. <option>--send-ip</option> was specified.
The <option>-sP</option> option can be combined with any of the The <option>-sP</option> option can be combined with any of the
discovery probe types (the <option>-P*</option> options, discovery probe types (the <option>-P*</option> options,
excluding <option>-P0</option>) for greater flexibility. excluding <option>-PN</option>) for greater flexibility.
If any of those probe type and port number options are If any of those probe type and port number options are
used, the default probes (ACK and echo request) are used, the default probes (ACK and echo request) are
overridden. When strict firewalls are in place between the overridden. When strict firewalls are in place between the
@@ -413,8 +413,8 @@ you would expect.</para>
<varlistentry> <varlistentry>
<term> <term>
<option>-P0</option> (No ping) <option>-PN</option> (No ping)
<indexterm><primary>-P0</primary></indexterm> <indexterm><primary>-PN</primary></indexterm>
</term> </term>
<listitem> <listitem>
<para>This option skips the Nmap discovery stage altogether. <para>This option skips the Nmap discovery stage altogether.
@@ -422,12 +422,12 @@ you would expect.</para>
for heavier scanning. By default, Nmap only performs heavy for heavier scanning. By default, Nmap only performs heavy
probing such as port scans, version detection, or OS probing such as port scans, version detection, or OS
detection against hosts that are found to be up. Disabling detection against hosts that are found to be up. Disabling
host discovery with <option>-P0</option> causes Nmap to host discovery with <option>-PN</option> causes Nmap to
attempt the requested scanning functions against attempt the requested scanning functions against
<emphasis>every</emphasis> target IP address specified. So <emphasis>every</emphasis> target IP address specified. So
if a class B sized target address space (/16) is specified if a class B sized target address space (/16) is specified
on the command line, all 65,536 IP addresses are scanned. on the command line, all 65,536 IP addresses are scanned.
That second option character in <option>-P0</option> is a That second option character in <option>-PN</option> is a
zero and not the letter O. Proper host discovery is skipped zero and not the letter O. Proper host discovery is skipped
as with the list scan, but instead of stopping and printing as with the list scan, but instead of stopping and printing
the target list, Nmap continues to perform requested the target list, Nmap continues to perform requested
@@ -643,6 +643,37 @@ you would expect.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>
<option>-PO [protolist]</option> (IP Protocol Ping)
<indexterm><primary>-PO</primary></indexterm>
<indexterm><primary>IP Protocol ping</primary></indexterm>
</term>
<listitem>
<para>Another host discovery option is the IPProto ping,
which sends IP packets with the specified protocol numbers
in the Protocol field of the IP headers. The protocol list
takes the same format as with the port lists in the
previously discussed TCP and UDP host discovery options. If
no protocols are specified, the default is to send multiple
IP packets for ICMP (protocol 1), IGMP (protocol 2), TCP
(protocol 6) and UDP (protocol 17). The default protocols
can be configured at compile-time by changing
DEFAULT_PROTO_PROBE_PORTS in <filename>nmap.h</filename>.
Note that for the ICMP, IGMP, TCP and UDP protocols, the
packets are sent with the additional headers while other
protocols are sent with no additional data beyond the IP
header (unless the <option>--data-length</option> option is
specified).</para>
<para>This host discovery method looks for responses in the
same protocol as the probes, or ICMP Protocol Unreachable
messages which signify the specified IP protocol isn't
supported on the host (which gives away that it's up).</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term> <term>
<option>-PR</option> (ARP Ping) <option>-PR</option> (ARP Ping)
@@ -1809,7 +1840,7 @@ way.</para>
open and one closed TCP port are found. Set this option open and one closed TCP port are found. Set this option
and Nmap will not even try OS detection against hosts and Nmap will not even try OS detection against hosts
that do not meet this criteria. This can save substantial that do not meet this criteria. This can save substantial
time, particularly on <option>-P0</option> scans against many hosts. It time, particularly on <option>-PN</option> scans against many hosts. It
only matters when OS detection is requested with <option>-O</option> or <option>-A</option>.</para> only matters when OS detection is requested with <option>-O</option> or <option>-A</option>.</para>
</listitem> </listitem>
</varlistentry> </varlistentry>
@@ -2180,7 +2211,7 @@ unresponsive hosts.</para>
Specifying a lower <option>--max-rtt-timeout</option> and Specifying a lower <option>--max-rtt-timeout</option> and
<option>--initial-rtt-timeout</option> than the defaults can cut scan <option>--initial-rtt-timeout</option> than the defaults can cut scan
times significantly. This is particularly true for pingless times significantly. This is particularly true for pingless
(<option>-P0</option>) scans, and those against heavily filtered (<option>-PN</option>) scans, and those against heavily filtered
networks. Don't get too aggressive though. The scan can end up networks. Don't get too aggressive though. The scan can end up
taking longer if you specify such a low value that many probes are taking longer if you specify such a low value that many probes are
timing out and retransmitting while the response is in transit.</para> timing out and retransmitting while the response is in transit.</para>
@@ -2583,7 +2614,7 @@ lists the relevant options and describes what they do.</para>
to make the targets think that <emphasis>someone to make the targets think that <emphasis>someone
else</emphasis> is scanning them. Imagine a company being else</emphasis> is scanning them. Imagine a company being
repeatedly port scanned by a competitor! The repeatedly port scanned by a competitor! The
<option>-e</option> option and <option>-P0</option> are <option>-e</option> option and <option>-PN</option> are
generally required for this sort of usage. Note that you generally required for this sort of usage. Note that you
usually won't receive reply packets back (they will be usually won't receive reply packets back (they will be
addressed to the IP you are spoofing), so Nmap won't produce addressed to the IP you are spoofing), so Nmap won't produce
@@ -3650,17 +3681,17 @@ overwhelming requests. Specify <option>--open</option> to only see
what application is running.</para> what application is running.</para>
<para> <para>
<command>nmap -v -iR 100000 -P0 -p 80</command> <command>nmap -v -iR 100000 -PN -p 80</command>
</para> </para>
<para>Asks Nmap to choose 100,000 hosts at random and scan them <para>Asks Nmap to choose 100,000 hosts at random and scan them
for web servers (port 80). Host enumeration is disabled with for web servers (port 80). Host enumeration is disabled with
<option>-P0</option> since first sending a couple probes to <option>-PN</option> since first sending a couple probes to
determine whether a host is up is wasteful when you are only determine whether a host is up is wasteful when you are only
probing one port on each target host anyway.</para> probing one port on each target host anyway.</para>
<para> <para>
<command>nmap -P0 -p80 -oX logs/pb-port80scan.xml -oG <command>nmap -PN -p80 -oX logs/pb-port80scan.xml -oG
logs/pb-port80scan.gnmap 216.163.128.20/20</command> logs/pb-port80scan.gnmap 216.163.128.20/20</command>
</para> </para>
<para>This scans 4096 IPs for any webservers (without pinging <para>This scans 4096 IPs for any webservers (without pinging

20
nmap.cc
View File

@@ -224,9 +224,10 @@ printf("%s %s ( %s )\n"
"HOST DISCOVERY:\n" "HOST DISCOVERY:\n"
" -sL: List Scan - simply list targets to scan\n" " -sL: List Scan - simply list targets to scan\n"
" -sP: Ping Scan - go no further than determining if host is online\n" " -sP: Ping Scan - go no further than determining if host is online\n"
" -P0: Treat all hosts as online -- skip host discovery\n" " -PN: Treat all hosts as online -- skip host discovery\n"
" -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports\n" " -PS/PA/PU [portlist]: TCP SYN/ACK or UDP discovery to given ports\n"
" -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes\n" " -PE/PP/PM: ICMP echo, timestamp, and netmask request discovery probes\n"
" -PO [protocol list]: IP Protocol Ping\n"
" -n/-R: Never do DNS resolution/Always resolve [default: sometimes]\n" " -n/-R: Never do DNS resolution/Always resolve [default: sometimes]\n"
" --dns-servers <serv1[,serv2],...>: Specify custom DNS servers\n" " --dns-servers <serv1[,serv2],...>: Specify custom DNS servers\n"
" --system-dns: Use OS's DNS resolver\n" " --system-dns: Use OS's DNS resolver\n"
@@ -317,7 +318,7 @@ printf("%s %s ( %s )\n"
"EXAMPLES:\n" "EXAMPLES:\n"
" nmap -v -A scanme.nmap.org\n" " nmap -v -A scanme.nmap.org\n"
" nmap -v -sP 192.168.0.0/16 10.0.0.0/8\n" " nmap -v -sP 192.168.0.0/16 10.0.0.0/8\n"
" nmap -v -iR 10000 -P0 -p 80\n" " nmap -v -iR 10000 -PN -p 80\n"
"SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES\n", NMAP_NAME, NMAP_VERSION, NMAP_URL); "SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES\n", NMAP_NAME, NMAP_VERSION, NMAP_URL);
exit(rc); exit(rc);
} }
@@ -1081,9 +1082,20 @@ int nmap_main(int argc, char *argv[]) {
o.ping_ackprobes[0] = DEFAULT_TCP_PROBE_PORT; o.ping_ackprobes[0] = DEFAULT_TCP_PROBE_PORT;
} }
} else if (*optarg == 'O') { } else if (*optarg == 'O') {
fatal("-PO (the letter O)? No such option. Perhaps you meant to disable pings with -P0 (Zero)."); o.pingtype |= PINGTYPE_PROTO;
if (isdigit((int) *(optarg+1))) {
o.num_ping_protoprobes = numberlist2array(optarg+1, o.ping_protoprobes, sizeof(o.ping_protoprobes), &proberr);
if (o.num_ping_protoprobes < 0) {
fatal("Bogus argument to -PO: %s", proberr);
}
}
if (o.num_ping_protoprobes == 0) {
u16 probes[] = DEFAULT_PROTO_PROBE_PORTS;
o.num_ping_protoprobes = sizeof probes / sizeof *probes;
memcpy(o.ping_protoprobes, probes, sizeof probes);
}
} else { } else {
fatal("Illegal Argument to -P, use -P0, -PI, -PB, -PE, -PM, -PP, -PA, -PU, -PT, or -PT80 (or whatever number you want for the TCP probe destination port)"); fatal("Illegal Argument to -P, use -PN, -PO, -PI, -PB, -PE, -PM, -PP, -PA, -PU, -PT, or -PT80 (or whatever number you want for the TCP probe destination port)");
} }
break; break;
case 'p': case 'p':

3
nmap.h
View File

@@ -287,6 +287,8 @@ void *realloc();
to 113 */ to 113 */
#define DEFAULT_UDP_PROBE_PORT 31338 /* The port UDP probes (esp. "ping" probes) go to if unspecified #define DEFAULT_UDP_PROBE_PORT 31338 /* The port UDP probes (esp. "ping" probes) go to if unspecified
by user */ by user */
#define DEFAULT_PROTO_PROBE_PORTS { 1, 2, 6, 17 } /* The IPProto ping probes to use if unspecified
by user */
#define MAX_DECOYS 128 /* How many decoys are allowed? */ #define MAX_DECOYS 128 /* How many decoys are allowed? */
@@ -351,6 +353,7 @@ void *realloc();
#define PINGTYPE_CONNECTTCP 256 #define PINGTYPE_CONNECTTCP 256
#define PINGTYPE_UDP 512 #define PINGTYPE_UDP 512
#define PINGTYPE_ARP 1024 #define PINGTYPE_ARP 1024
#define PINGTYPE_PROTO 2048
#define DEFAULT_PING_TYPES PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK|PINGTYPE_ICMP_PING #define DEFAULT_PING_TYPES PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK|PINGTYPE_ICMP_PING

2
output.cc
View File

@@ -1796,7 +1796,7 @@ void printfinaloutput() {
error("WARNING: No targets were specified, so 0 hosts scanned."); error("WARNING: No targets were specified, so 0 hosts scanned.");
if (o.numhosts_scanned == 1 && o.numhosts_up == 0 && !o.listscan && if (o.numhosts_scanned == 1 && o.numhosts_up == 0 && !o.listscan &&
o.pingtype != PINGTYPE_NONE) o.pingtype != PINGTYPE_NONE)
log_write(LOG_STDOUT, "Note: Host seems down. If it is really up, but blocking our ping probes, try -P0\n"); log_write(LOG_STDOUT, "Note: Host seems down. If it is really up, but blocking our ping probes, try -PN\n");
else if (o.numhosts_up > 0) { else if (o.numhosts_up > 0) {
if (o.osscan && o.servicescan) if (o.osscan && o.servicescan)
log_write(LOG_PLAIN, "OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .\n"); log_write(LOG_PLAIN, "OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .\n");

100
scan_engine.cc
View File

@@ -424,6 +424,9 @@ public:
/* The index of the next UDP port in o.ping_udpprobes to probe during ping /* The index of the next UDP port in o.ping_udpprobes to probe during ping
scan. */ scan. */
int next_udpportpingidx; int next_udpportpingidx;
/* The index of the next IP protocol in o.ping_protoprobes to probe during ping
scan. */
int next_protoportpingidx;
/* Whether we have sent an ICMP echo request. */ /* Whether we have sent an ICMP echo request. */
bool sent_icmp_ping; bool sent_icmp_ping;
/* Whether we have sent an ICMP address mask request. */ /* Whether we have sent an ICMP address mask request. */
@@ -968,6 +971,7 @@ HostScanStats::HostScanStats(Target *t, UltraScanInfo *UltraSI) {
next_ackportpingidx = 0; next_ackportpingidx = 0;
next_synportpingidx = 0; next_synportpingidx = 0;
next_udpportpingidx = 0; next_udpportpingidx = 0;
next_protoportpingidx = 0;
sent_icmp_ping = false; sent_icmp_ping = false;
sent_icmp_mask = false; sent_icmp_mask = false;
sent_icmp_ts = false; sent_icmp_ts = false;
@@ -1220,7 +1224,7 @@ UltraScanInfo::~UltraScanInfo() {
bool UltraScanInfo::isRawScan() { bool UltraScanInfo::isRawScan() {
return scantype != CONNECT_SCAN return scantype != CONNECT_SCAN
&& (tcp_scan || udp_scan || prot_scan || ping_scan_arp && (tcp_scan || udp_scan || prot_scan || ping_scan_arp
|| (ping_scan && (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan))); || (ping_scan && (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan || ptech.rawprotoscan)));
} }
/* A circular buffer of the incompleteHosts. nextIncompleteHost() gives /* A circular buffer of the incompleteHosts. nextIncompleteHost() gives
@@ -1325,6 +1329,8 @@ void UltraScanInfo::Init(vector<Target *> &Targets, struct scan_lists *pts, styp
else else
ptech.connecttcpscan = 1; ptech.connecttcpscan = 1;
} }
if (o.pingtype & PINGTYPE_PROTO)
ptech.rawprotoscan = 1;
if (o.pingtype & PINGTYPE_CONNECTTCP) if (o.pingtype & PINGTYPE_CONNECTTCP)
ptech.connecttcpscan = 1; ptech.connecttcpscan = 1;
break; break;
@@ -1417,6 +1423,8 @@ unsigned int UltraScanInfo::numProbesPerHost()
if (o.pingtype & PINGTYPE_ICMP_TS) if (o.pingtype & PINGTYPE_ICMP_TS)
numprobes++; numprobes++;
} }
if (ptech.rawprotoscan)
numprobes += o.num_ping_protoprobes;
if (ptech.connecttcpscan) if (ptech.connecttcpscan)
numprobes += o.num_ping_synprobes; numprobes += o.num_ping_synprobes;
} else assert(0); /* TODO: RPC scan */ } else assert(0); /* TODO: RPC scan */
@@ -1722,6 +1730,11 @@ static int get_next_target_probe(UltraScanInfo *USI, HostScanStats *hss,
return 0; return 0;
} }
} }
if (USI->ptech.rawprotoscan) {
pspec->type = PS_PROTO;
pspec->proto = o.ping_protoprobes[hss->next_protoportpingidx++];
return 0;
}
if (USI->ptech.connecttcpscan && hss->next_synportpingidx < o.num_ping_synprobes) { if (USI->ptech.connecttcpscan && hss->next_synportpingidx < o.num_ping_synprobes) {
pspec->type = PS_CONNECTTCP; pspec->type = PS_CONNECTTCP;
pspec->proto = IPPROTO_TCP; pspec->proto = IPPROTO_TCP;
@@ -1771,6 +1784,8 @@ int HostScanStats::freshPortsLeft() {
if ((o.pingtype & PINGTYPE_ICMP_TS) && !sent_icmp_ts) if ((o.pingtype & PINGTYPE_ICMP_TS) && !sent_icmp_ts)
num_probes++; num_probes++;
} }
if (USI->ptech.rawprotoscan)
num_probes += o.num_ping_protoprobes - next_protoportpingidx;
if (USI->ptech.connecttcpscan && next_synportpingidx < o.num_ping_synprobes) if (USI->ptech.connecttcpscan && next_synportpingidx < o.num_ping_synprobes)
num_probes += o.num_ping_synprobes - next_synportpingidx; num_probes += o.num_ping_synprobes - next_synportpingidx;
return num_probes; return num_probes;
@@ -2910,7 +2925,7 @@ static void retransmitProbe(UltraScanInfo *USI, HostScanStats *hss,
UltraProbe *probe) { UltraProbe *probe) {
UltraProbe *newProbe = NULL; UltraProbe *newProbe = NULL;
if (probe->type == UltraProbe::UP_IP) { if (probe->type == UltraProbe::UP_IP) {
if (USI->prot_scan) if (USI->prot_scan || USI->ptech.rawprotoscan)
newProbe = sendIPScanProbe(USI, hss, probe->pspec(), newProbe = sendIPScanProbe(USI, hss, probe->pspec(),
probe->tryno + 1, 0); probe->tryno + 1, 0);
else if (probe->protocol() == IPPROTO_TCP) { else if (probe->protocol() == IPPROTO_TCP) {
@@ -3856,6 +3871,34 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
if (ip->ip_hl < 5) if (ip->ip_hl < 5)
continue; continue;
if (USI->ptech.rawprotoscan) {
memset(&sin, 0, sizeof(sin));
sin.sin_addr.s_addr = ip->ip_src.s_addr;
sin.sin_family = AF_INET;
hss = USI->findHost((struct sockaddr_storage *) &sin);
if (hss) {
setTargetMACIfAvailable(hss->target, &linkhdr, ip, 0);
probeI = hss->probes_outstanding.end();
listsz = hss->num_probes_outstanding();
goodone = false;
for(probenum = 0; probenum < listsz && !goodone; probenum++) {
probeI--;
probe = *probeI;
if (probe->protocol() == ip->ip_p) {
/* if this is our probe we sent to localhost, then it doesn't count! */
if (ip->ip_src.s_addr == ip->ip_dst.s_addr &&
probe->ipid() == ntohs(ip->ip_id))
continue;
newstate = HOST_UP;
current_reason = ER_PROTORESPONSE;
goodone = true;
}
}
}
}
/* First check if it is ICMP, TCP, or UDP */ /* First check if it is ICMP, TCP, or UDP */
if (ip->ip_p == IPPROTO_ICMP) { if (ip->ip_p == IPPROTO_ICMP) {
/* if it is our response */ /* if it is our response */
@@ -3931,13 +3974,15 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
} }
struct ip *ip2 = (struct ip *) ((char *) ip + ip->ip_hl * 4 + 8); struct ip *ip2 = (struct ip *) ((char *) ip + ip->ip_hl * 4 + 8);
if (bytes < ip->ip_hl * 4 + 8U + ip2->ip_hl * 4 + 8U) {
/* IPProto Scan (generally) sends bare IP headers, so no extra payload */
if (bytes < ip->ip_hl * 4 + 8U + ip2->ip_hl * 4 + 8U && !USI->ptech.rawprotoscan) {
if (o.debugging) if (o.debugging)
error("ICMP (embedded) type %d code %d packet is only %d bytes\n", ping->type, ping->code, bytes); error("ICMP (embedded) type %d code %d packet is only %d bytes\n", ping->type, ping->code, bytes);
continue; continue;
} }
if (ip2->ip_p == IPPROTO_ICMP) { if (ip2->ip_p == IPPROTO_ICMP && !USI->ptech.rawprotoscan) {
/* The response was based on a ping packet we sent */ /* The response was based on a ping packet we sent */
if (!USI->ptech.rawicmpscan) { if (!USI->ptech.rawicmpscan) {
if (o.debugging) if (o.debugging)
@@ -3976,7 +4021,7 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
/* Did we fail to find a probe? */ /* Did we fail to find a probe? */
if (probenum >= listsz) if (probenum >= listsz)
continue; continue;
} else if (ip2->ip_p == IPPROTO_TCP) { } else if (ip2->ip_p == IPPROTO_TCP && !USI->ptech.rawprotoscan) {
/* The response was based our TCP probe */ /* The response was based our TCP probe */
if (!USI->ptech.rawtcpscan) { if (!USI->ptech.rawtcpscan) {
if (o.debugging) if (o.debugging)
@@ -4031,7 +4076,7 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
/* Did we fail to find a probe? */ /* Did we fail to find a probe? */
if (probenum >= listsz) if (probenum >= listsz)
continue; continue;
} else if (ip2->ip_p == IPPROTO_UDP) { } else if (ip2->ip_p == IPPROTO_UDP && !USI->ptech.rawprotoscan) {
/* The response was based our UDP probe */ /* The response was based our UDP probe */
if (!USI->ptech.rawudpscan) { if (!USI->ptech.rawudpscan) {
if (o.debugging) if (o.debugging)
@@ -4083,7 +4128,40 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
/* Did we fail to find a probe? */ /* Did we fail to find a probe? */
if (probenum >= listsz) if (probenum >= listsz)
continue; continue;
} else { } else if (USI->ptech.rawprotoscan) {
memset(&sin, 0, sizeof(sin));
sin.sin_addr.s_addr = ip2->ip_dst.s_addr;
sin.sin_family = AF_INET;
hss = USI->findHost((struct sockaddr_storage *) &sin);
if (!hss) continue; // Not referring to a host that interests us
setTargetMACIfAvailable(hss->target, &linkhdr, ip, 0);
probeI = hss->probes_outstanding.end();
listsz = hss->num_probes_outstanding();
/* Find the probe that provoked this response. */
for (probenum = 0; probenum < listsz; probenum++) {
probeI--;
probe = *probeI;
goodseq = false;
if (o.af() != AF_INET || probe->protocol() != ip2->ip_p)
continue;
if (!allow_ipid_match(probe->ipid(), ntohs(ip2->ip_id)))
continue;
/* Ensure the connection info matches. */
if (hss->target->v4sourceip()->s_addr != ip->ip_dst.s_addr)
continue;
/* If we made it this far, we found it. We don't yet know if it's
going to change a host state (goodone) or not. */
break;
}
/* Did we fail to find a probe? */
if (probenum >= listsz)
continue;
} else {
if (o.debugging) if (o.debugging)
error("Got ICMP response to a packet which was not TCP, UDP, or ICMP"); error("Got ICMP response to a packet which was not TCP, UDP, or ICMP");
continue; continue;
@@ -4119,7 +4197,7 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
log_write(LOG_STDOUT, "Got ICMP message type %d code %d\n", ping->type, ping->code); log_write(LOG_STDOUT, "Got ICMP message type %d code %d\n", ping->type, ping->code);
} }
} }
} else if (ip->ip_p == IPPROTO_TCP) { } else if (ip->ip_p == IPPROTO_TCP && !USI->ptech.rawprotoscan) {
if (!USI->ptech.rawtcpscan) { if (!USI->ptech.rawtcpscan) {
continue; continue;
} }
@@ -4202,7 +4280,7 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
if (o.debugging) if (o.debugging)
log_write(LOG_STDOUT, "We got a TCP ping packet back from %s port %hi (trynum = %d)\n", inet_ntoa(ip->ip_src), ntohs(tcp->th_sport), trynum); log_write(LOG_STDOUT, "We got a TCP ping packet back from %s port %hi (trynum = %d)\n", inet_ntoa(ip->ip_src), ntohs(tcp->th_sport), trynum);
} }
} else if (ip->ip_p == IPPROTO_UDP) { } else if (ip->ip_p == IPPROTO_UDP && !USI->ptech.rawprotoscan) {
if (!USI->ptech.rawudpscan) { if (!USI->ptech.rawudpscan) {
continue; continue;
} }
@@ -4253,7 +4331,7 @@ static int get_ping_pcap_result(UltraScanInfo *USI, struct timeval *stime) {
if (o.debugging) if (o.debugging)
log_write(LOG_STDOUT, "In response to UDP-ping, we got UDP packet back from %s port %hi (trynum = %d)\n", inet_ntoa(ip->ip_src), htons(udp->uh_sport), trynum); log_write(LOG_STDOUT, "In response to UDP-ping, we got UDP packet back from %s port %hi (trynum = %d)\n", inet_ntoa(ip->ip_src), htons(udp->uh_sport), trynum);
} }
} else if (o.debugging) { } else if (!USI->ptech.rawprotoscan && o.debugging) {
error("Found whacked packet protocol %d in %s.", ip->ip_p, __func__); error("Found whacked packet protocol %d in %s.", ip->ip_p, __func__);
} }
} while (!goodone && !timedout); } while (!goodone && !timedout);
@@ -4349,7 +4427,7 @@ static void begin_sniffer(UltraScanInfo *USI, vector<Target *> &Targets) {
if (len < 0 || len >= (int) sizeof(pcap_filter)) if (len < 0 || len >= (int) sizeof(pcap_filter))
fatal("ran out of space in pcap filter"); fatal("ran out of space in pcap filter");
filterlen = len; filterlen = len;
} else if (USI->prot_scan) { } else if (USI->prot_scan || (USI->ping_scan && USI->ptech.rawprotoscan)) {
if (doIndividual) if (doIndividual)
len = Snprintf(pcap_filter, sizeof(pcap_filter), len = Snprintf(pcap_filter, sizeof(pcap_filter),
"dst host %s and (icmp or (%s))", "dst host %s and (icmp or (%s))",

2
targets.cc
View File

@@ -503,7 +503,7 @@ do {
3) We are doing a raw-mode portscan or osscan OR 3) We are doing a raw-mode portscan or osscan OR
4) We are on windows and doing ICMP ping */ 4) We are on windows and doing ICMP ping */
if (o.isr00t && o.af() == AF_INET && if (o.isr00t && o.af() == AF_INET &&
((pingtype & (PINGTYPE_TCP|PINGTYPE_UDP|PINGTYPE_ARP)) || o.RawScan() ((pingtype & (PINGTYPE_TCP|PINGTYPE_UDP|PINGTYPE_PROTO|PINGTYPE_ARP)) || o.RawScan()
#ifdef WIN32 #ifdef WIN32
|| (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS)) || (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS))
#endif // WIN32 #endif // WIN32

3
targets.h
View File

@@ -158,7 +158,8 @@ struct pingtech {
unsigned int rawicmpscan: 1, unsigned int rawicmpscan: 1,
connecttcpscan: 1, connecttcpscan: 1,
rawtcpscan: 1, rawtcpscan: 1,
rawudpscan: 1; rawudpscan: 1,
rawprotoscan: 1;
}; };

2
tcpip.cc
View File

@@ -949,7 +949,7 @@ fatal("Call to pcap_open_live(%s, %d, %d, %d) failed three times. Reported error
"LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.\n" "LINUX: If you are getting Socket type not supported, try modprobe af_packet or recompile your kernel with SOCK_PACKET enabled.\n"
"*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).\n" "*BSD: If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support. If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).\n"
"*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the --unprivileged command-line argument will help.\n" "*WINDOWS: Nmap only supports ethernet interfaces on Windows for most operations because Microsoft disabled raw sockets as of Windows XP SP2. Depending on the reason for this error, it is possible that the --unprivileged command-line argument will help.\n"
"SOLARIS: If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use \"-P0 -sT localhost\" though.\n\n", pcapdev, snaplen, promisc, to_ms, err0r); "SOLARIS: If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun. I don't think Solaris can support advanced localhost scans. You can probably use \"-PN -sT localhost\" though.\n\n", pcapdev, snaplen, promisc, to_ms, err0r);
} else { } else {
error("pcap_open_live(%s, %d, %d, %d) FAILED. Reported error: %s. Will wait %d seconds then retry.", pcapdev, snaplen, promisc, to_ms, err0r, (int) pow(5.0, failed)); error("pcap_open_live(%s, %d, %d, %d) FAILED. Reported error: %s. Will wait %d seconds then retry.", pcapdev, snaplen, promisc, to_ms, err0r, (int) pow(5.0, failed));
} }