diff --git a/Target.cc b/Target.cc
index 14f7aa07c..69d654f5b 100644
--- a/Target.cc
+++ b/Target.cc
@@ -306,6 +306,14 @@ const struct in_addr *Target::v4sourceip() const {
return NULL;
}
+// Returns IPv6 host address or NULL if unavailable.
+const struct in6_addr *Target::v6sourceip() const {
+ struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &sourcesock;
+ if (sin6->sin6_family == AF_INET6) {
+ return &(sin6->sin6_addr);
+ }
+ return NULL;
+}
/* You can set to NULL to erase a name or if it failed to resolve -- or
just don't call this if it fails to resolve */
diff --git a/Target.h b/Target.h
index 0bd75ceec..d8ced1519 100644
--- a/Target.h
+++ b/Target.h
@@ -182,6 +182,7 @@ class Target {
void setSourceSockAddr(const struct sockaddr_storage *ss, size_t ss_len);
struct in_addr v4source() const;
const struct in_addr *v4sourceip() const;
+ const struct in6_addr *v6sourceip() const;
/* The IPv4 or IPv6 literal string for the target host */
const char *targetipstr() const { return targetipstring; }
/* Give the name from the last setHostName() call, which should be
diff --git a/global_structures.h b/global_structures.h
index 08cb710be..f8a2b37ff 100644
--- a/global_structures.h
+++ b/global_structures.h
@@ -244,6 +244,6 @@ struct scan_lists {
int prot_count;
};
-typedef enum { STYPE_UNKNOWN, HOST_DISCOVERY, ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, SCTP_INIT_SCAN, SCTP_COOKIE_ECHO_SCAN, RPC_SCAN, MAIMON_SCAN, IPPROT_SCAN, PING_SCAN, PING_SCAN_ARP, IDLE_SCAN, BOUNCE_SCAN, SERVICE_SCAN, OS_SCAN, SCRIPT_PRE_SCAN, SCRIPT_SCAN, SCRIPT_POST_SCAN, TRACEROUTE}stype;
+typedef enum { STYPE_UNKNOWN, HOST_DISCOVERY, ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, SCTP_INIT_SCAN, SCTP_COOKIE_ECHO_SCAN, RPC_SCAN, MAIMON_SCAN, IPPROT_SCAN, PING_SCAN, PING_SCAN_ARP, IDLE_SCAN, BOUNCE_SCAN, SERVICE_SCAN, OS_SCAN, SCRIPT_PRE_SCAN, SCRIPT_SCAN, SCRIPT_POST_SCAN, TRACEROUTE, PING_SCAN_ND }stype;
#endif /*GLOBAL_STRUCTURES_H */
diff --git a/libdnet-stripped/include/dnet/icmpv6.h b/libdnet-stripped/include/dnet/icmpv6.h
index 1f66770d4..9bea5a1a0 100644
--- a/libdnet-stripped/include/dnet/icmpv6.h
+++ b/libdnet-stripped/include/dnet/icmpv6.h
@@ -103,7 +103,7 @@ union icmpv6_msg {
memmove(echo_pack_p->icmpv6_data, data, len); \
} while (0)
-#define icmpv6_pack_hdr_ns(hdr, targetip, srcmac) do { \
+#define icmpv6_pack_hdr_ns_mac(hdr, targetip, srcmac) do { \
struct icmpv6_msg_nd *nd_pack_p = (struct icmpv6_msg_nd *) \
((uint8_t *)(hdr) + ICMPV6_HDR_LEN); \
icmpv6_pack_hdr(hdr, ICMPV6_NEIGHBOR_SOLICITATION, 0); \
diff --git a/libnetutil/netutil.cc b/libnetutil/netutil.cc
index ded755004..ec8d9382e 100644
--- a/libnetutil/netutil.cc
+++ b/libnetutil/netutil.cc
@@ -1567,25 +1567,31 @@ struct sys_route *getsysroutes(int *howmany, char *errstr, size_t errstrlen) {
* localhost. (eg: the address is something like 127.x.x.x, the address
* matches one of the local network interfaces' address, etc).
* Returns 1 if the address is thought to be localhost and 0 otherwise */
-int islocalhost(const struct in_addr *const addr) {
+int islocalhost(const struct sockaddr_storage *const ss) {
char dev[128];
- struct sockaddr_storage ss;
- struct sockaddr_in *sin;
+ struct sockaddr_in *sin = NULL;
+ struct sockaddr_in6 *sin6 = NULL;
- /* If it is 0.0.0.0 or starts with 127 then it is
- probably localhost */
- if ((addr->s_addr & htonl(0xFF000000)) == htonl(0x7F000000))
- return 1;
+ if (ss->ss_family == AF_INET){
+ sin = (struct sockaddr_in *) ss;
+ /* If it is 0.0.0.0 or starts with 127 then it is probably localhost. */
+ if ((sin->sin_addr.s_addr & htonl(0xFF000000)) == htonl(0x7F000000))
+ return 1;
- if (!addr->s_addr)
- return 1;
+ if (!(sin->sin_addr.s_addr))
+ return 1;
+ } else {
+ sin6 = (struct sockaddr_in6 *) ss;
+ /* If it is ::0 or ::1 then it is probably localhost. */
+ if (memcmp(&(sin6->sin6_addr), IP6_ADDR_UNSPEC, IP6_ADDR_LEN) == 0)
+ return 1;
+ if (memcmp(&(sin6->sin6_addr), IP6_ADDR_LOOPBACK, IP6_ADDR_LEN) == 0)
+ return 1;
+ }
/* If it is the same addy as a local interface, then it is
probably localhost */
- sin = (struct sockaddr_in *) &ss;
- sin->sin_family = AF_INET;
- sin->sin_addr = *addr;
- if (ipaddr2devname(dev, &ss) != -1)
+ if (ipaddr2devname(dev, ss) != -1)
return 1;
/* OK, so to a first approximation, this addy is probably not
@@ -4073,7 +4079,7 @@ bool doND(const char *dev, const u8 *srcmac,
netutil_fatal("%s: failed to open device %s", __func__, dev);
eth_pack_hdr(frame, *ns_dst_mac, *srcmac, ETH_TYPE_IPV6);
ip6_pack_hdr(frame + ETH_HDR_LEN, 0, 0, 32, 0x3a, 255, *src_sin6->sin6_addr.s6_addr, *ns_dst_ip6.sin6_addr.s6_addr);
- icmpv6_pack_hdr_ns(frame + ETH_HDR_LEN + IP6_HDR_LEN, target_sin6->sin6_addr.s6_addr, *srcmac);
+ icmpv6_pack_hdr_ns_mac(frame + ETH_HDR_LEN + IP6_HDR_LEN, target_sin6->sin6_addr.s6_addr, *srcmac);
ip6_checksum(frame + ETH_HDR_LEN, IP6_HDR_LEN + ICMPV6_HDR_LEN + 4 + 16 + 8);
gettimeofday(&start, NULL);
diff --git a/libnetutil/netutil.h b/libnetutil/netutil.h
index 22ca85456..f40c6967d 100644
--- a/libnetutil/netutil.h
+++ b/libnetutil/netutil.h
@@ -376,7 +376,7 @@ struct sys_route *getsysroutes(int *howmany, char *errstr, size_t errstrlen);
* localhost. (eg: the address is something like 127.x.x.x, the address
* matches one of the local network interfaces' address, etc).
* Returns 1 if the address is thought to be localhost and 0 otherwise */
-int islocalhost(const struct in_addr *const addr);
+int islocalhost(const struct sockaddr_storage *const ss);
/* Determines whether the supplied address corresponds to a private,
* non-Internet-routable address. See RFC1918 for details.
@@ -514,6 +514,10 @@ int read_arp_reply_pcap(pcap_t *pd, u8 *sendermac,
struct in_addr *senderIP, long to_usec,
struct timeval *rcvdtime,
void (*traceArp_callback)(int, const u8 *, u32 , struct timeval *));
+int read_ns_reply_pcap(pcap_t *pd, u8 *sendermac,
+ struct sockaddr_in6 *senderIP, long to_usec,
+ struct timeval *rcvdtime,
+ void (*traceArp_callback)(int, const u8 *, u32 , struct timeval *));
/* Read a single host specification from a file, as for -iL and --excludefile.
It returns the length of the string read; an overflow is indicated when the
diff --git a/nmap.cc b/nmap.cc
index c761906d1..d7da82c14 100644
--- a/nmap.cc
+++ b/nmap.cc
@@ -2627,6 +2627,7 @@ const char *scantype2str(stype scantype) {
case IPPROT_SCAN: return "IPProto Scan"; break;
case PING_SCAN: return "Ping Scan"; break;
case PING_SCAN_ARP: return "ARP Ping Scan"; break;
+ case PING_SCAN_ND: return "ND Ping Scan"; break;
case IDLE_SCAN: return "Idle Scan"; break;
case BOUNCE_SCAN: return "Bounce Scan"; break;
case SERVICE_SCAN: return "Service Scan"; break;
diff --git a/nselib/packet.lua b/nselib/packet.lua
index 3e9260089..e343eb6f5 100644
--- a/nselib/packet.lua
+++ b/nselib/packet.lua
@@ -120,6 +120,83 @@ IPPROTO_COMP = 108 -- Compression Header protocol
IPPROTO_SCTP = 132 -- Stream Control Transport Protocol
IPPROTO_UDPLITE = 136 -- UDP-Lite (RFC 3828)
+IPPROTO_ICMPV6 = 58
+IPV6_HOPBYHOP_OPTION = 0
+IPV6_DESTINATION_OPTION = 60
+IP_PROTO_ICMPV6 = 58
+
+ICMP6_ECHO_REQUEST = 128
+ICMP6_ECHO_REPLY = 129
+MLD_LISTENER_QUERY = 130
+MLD_LISTENER_REPORT = 131
+MLD_LISTENER_REDUCTION = 132
+ND_ROUTER_SOLICIT = 133
+ND_ROUTER_ADVERT = 134
+ND_NEIGHBOR_SOLICIT = 135
+ND_NEIGHBOR_ADVERT = 136
+ND_REDIRECT = 137
+
+ND_OPT_SOURCE_LINKADDR = 1
+ND_OPT_TARGET_LINKADDR = 2
+ND_OPT_PREFIX_INFORMATION = 3
+ND_OPT_REDIRECTED_HEADER = 4
+ND_OPT_MTU = 5
+ND_OPT_RTR_ADV_INTERVAL = 7
+ND_OPT_HOME_AGENT_INFO = 8
+
+----------------------------------------------------------------------------------------------------------------
+-- Frame is a class
+Frame = {}
+
+function Frame:new(frame, force_continue)
+ local packet = nil
+ local packet_len = 0
+ if frame and #frame > 14 then
+ packet = string.sub(frame, 15, -1)
+ packet_len = #frame - 14
+ end
+ local o = Packet:new(packet, packet_len, force_continue)
+
+ o.build_ether_frame = self.build_ether_frame
+ o.ether_parse = self.ether_parse
+ o.frame_buf = frame
+ o:ether_parse()
+ return o
+end
+--- Build an Ethernet frame.
+-- @param mac_dst six-byte string of the destination MAC address.
+-- @param mac_src six-byte string of the source MAC address.
+-- @param packet string of the payload.
+-- @return frame string of the Ether frame.
+function Frame:build_ether_frame(mac_dst, mac_src, packet)
+ self.mac_dst = mac_dst or self.mac_dst
+ self.mac_src = mac_src or self.mac_src
+ self.buf = packet or self.buf
+ local l3_type
+ if self.ip_v == 4 then
+ l3_type = string.char(0x08, 0x00)
+ elseif self.ip_v == 6 then
+ l3_type = string.char(0x86, 0xdd)
+ else
+ return nil, "Unknown packet."
+ end
+ self.frame_buf = self.mac_dst..self.mac_src..l3_type..self.buf
+end
+--- Parse an Ethernet frame.
+-- @param frame string of the Ether frame.
+-- @return mac_dst six-byte string of the destination MAC address.
+-- @return mac_src six-byte string of the source MAC address.
+-- @return packet string of the payload.
+function Frame:ether_parse()
+ if not self.frame_buf then
+ return false
+ end
+ if #self.frame_buf < 14 then -- too short
+ return false
+ end
+ self.mac_dst = string.sub(self.frame_buf, 1, 6)
+ self.mac_src = string.sub(self.frame_buf, 7, 12)
+end
----------------------------------------------------------------------------------------------------------------
-- Packet is a class
@@ -136,11 +213,27 @@ Packet = {}
-- @return A new Packet.
function Packet:new(packet, packet_len, force_continue)
local o = setmetatable({}, {__index = Packet})
+ if not packet then
+ return o
+ end
o.buf = packet
o.packet_len = packet_len
- if not o:ip_parse(force_continue) then
+ o.ip_v = bit.rshift(string.byte(o.buf), 4)
+ if o.ip_v == 4 and not o:ip_parse(force_continue) then
+ return nil
+ elseif o.ip_v == 6 and not o:ip6_parse(force_continue) then
return nil
end
+
+ if o.ip_v == 6 then
+ while o.ip6_nhdr ~= IPPROTO_TCP and o.ip6_nhdr ~= IPPROTO_UDP and o.ip6_nhdr ~= IPPROTO_ICMPV6 do
+ if not o:ipv6_ext_header_parse(force_continue) then
+ return nil
+ end
+ end
+ o.ip_p = o.ip6_nhdr
+ end
+
if o.ip_p == IPPROTO_TCP then
if not o:tcp_parse(force_continue) then
stdnse.print_debug("Error while parsing TCP packet\n")
@@ -153,9 +246,151 @@ function Packet:new(packet, packet_len, force_continue)
if not o:icmp_parse(force_continue) then
stdnse.print_debug("Error while parsing ICMP packet\n")
end
+ elseif o.ip_p == IPPROTO_ICMPV6 then
+ if not o:icmpv6_parse(force_continue) then
+ stdnse.print_debug("Error while parsing ICMPv6 packet\n")
+ end
end
return o
end
+--- Build an IPv6 packet.
+-- @param src 16-byte string of the source IPv6 address.
+-- @param dsr 16-byte string of the destination IPv6 address.
+-- @param nx_hdr integer that represents next header.
+-- @param h_limit integer that represents hop limit.
+-- @param t_class integer that represents traffic class.
+-- @param f_label integer that represents flow label.
+function Packet:build_ipv6_packet(src, dst, nx_hdr, payload, h_limit, t_class, f_label)
+ self.ip_v = 6
+ self.ip6_src = src or self.ip6_src
+ self.ip6_dst = dst or self.ip6_dst
+ self.ip6_nhdr = nx_hdr or self.ip6_nhdr
+ self.l4_packet = payload or self.l4_packet
+ self.ip6_tc = t_class or self.ip6_tc or 1
+ self.ip6_fl = f_label or self.ip6_fl or 1
+ self.ip6_hlimit = h_limit or self.ip6_hlimit or 255
+
+ local ver_tc_fl = bit.lshift(bit.band(self.ip_v, 0xF), 28) +
+ bit.lshift(bit.band(self.ip6_tc, 0xFF), 20) +
+ bit.band(self.ip6_fl, 0xFFFFF)
+
+ self.buf =
+ set_u32("....",0,ver_tc_fl) ..
+ set_u16("..",0,#(self.exheader or "")+#(self.l4_packet or "")) ..--string.char(0x00,0x10) .. --payload length
+ string.char(self.ip6_nxt_hdr) .. --next header
+ string.char(self.ip6_hlimit) .. --hop limit
+ self.ip6_src .. --Source
+ self.ip6_dst ..--dest
+ (self.exheader or "")..
+ (self.l4_packet or "")
+end
+--- Build an IPv6 invalid extension header.
+-- @param exheader integer that represents extension header's type
+function Packet:build_invalid_extension_header(exheader_type)
+ local ex_invalid_opt = string.char(0x80,0x01,0xfe,0x18,0xfe,0x18,0xfe,0x18,0x0,0x0,0x0,0x0,0x0,0x0)
+ local ext_header =
+ string.char(self.ip6_nxt_hdr) .. --next header
+ string.char(#ex_invalid_opt/16) .. --length (16bytes)
+ ex_invalid_opt
+ self.exheader = ext_header..(self.exheader or "")
+ self.ip6_nxt_hdr = exheader_type
+end
+--- Count IPv6 checksum.
+-- @return the checksum.
+function Packet:count_ipv6_pseudoheader_cksum()
+ local pseudoheader = self.ip6_src .. self.ip6_dst .. set_u16("..",0,#self.l4_packet) .. string.char(0x0,0x0,0x0) .. string.char(self.ip6_nxt_hdr)
+ local ck_content = pseudoheader .. self.l4_packet
+ return in_cksum(ck_content)
+end
+--- Set ICMPv6 checksum.
+function Packet:set_icmp6_cksum(check_sum)
+ self.l4_packet = set_u16(self.l4_packet, 2, check_sum)
+end
+--- Build an ICMPv6 header.
+-- @param icmpv6_type integer that represent ICMPv6 type.
+-- @param icmpv6_code integer that represent ICMPv6 code.
+-- @param icmpv6_payload string of the payload
+-- @param ip6_src 16-byte string of the source IPv6 address.
+-- @param ip6_dst 16-byte string of the destination IPv6 address.
+function Packet:build_icmpv6_header(icmpv6_type, icmpv6_code, icmpv6_payload, ip6_src, ip6_dst)
+ self.ip6_nxt_hdr = IPPROTO_ICMPV6
+ self.icmpv6_type = icmpv6_type or self.icmpv6_type
+ self.icmpv6_code = icmpv6_code or self.icmpv6_code
+ self.icmpv6_payload = icmpv6_payload or self.icmpv6_payload
+ self.ip6_src = ip6_src or self.ip6_src
+ self.ip6_dst = ip6_dst or self.ip6_dst
+
+ self.l4_packet =
+ string.char(self.icmpv6_type,self.icmpv6_code) ..
+ string.char(0x00,0x00) .. --checksum
+ (self.icmpv6_payload or "")
+ local check_sum = self:count_ipv6_pseudoheader_cksum()
+ self:set_icmp6_cksum(check_sum)
+end
+--- Build an ICMPv6 Echo Request frame.
+-- @param mac_src six-byte string of source MAC address.
+-- @param mac_dst sis-byte string of destination MAC address.
+-- @param ip6_src 16-byte string of source IPv6 address.
+-- @param ip6_dst 16-byte string of destinatiion IPv6 address.
+-- @param id integer that represents Echo ID.
+-- @param sequence integer that represents Echo sequence.
+-- @param data string of Echo data.
+-- @param tc integer that represents traffic class of IPv6 packet.
+-- @param fl integer that represents flow label of IPv6 packet.
+-- @param hop-limit integer that represents hop limit of IPv6 packet.
+function Packet:build_icmpv6_echo_request(id, sequence, data, mac_src, mac_dst, ip6_src, ip6_dst, tc, fl, hop_limit)
+ self.mac_src = mac_src or self.mac_src
+ self.mac_dst = mac_dst or self.mac_dst
+
+ self.ip6_src = ip6_src or self.ip6_src
+ self.ip6_dst = ip6_dst or self.ip6_dst
+ self.traffic_class = tc or 1
+ self.flow_label = fl or 1
+ self.ip6_hlimit = hop_limit or 255
+
+ self.icmpv6_type = ICMP6_ECHO_REQUEST
+ self.icmpv6_code = 0
+
+ self.echo_id = id or self.echo_id or 0xdead
+ self.echo_seq = sequence or self.echo_seq or 0xbeef
+ self.echo_data = data or self.echo_data or ""
+
+ self.icmpv6_payload = set_u16("..",0,self.echo_id) .. set_u16("..",0,self.echo_seq) .. self.echo_data
+end
+--- Set an ICMPv6 option message.
+function Packet:set_icmpv6_option(opt_type,msg)
+ return string.char(opt_type, (#msg+2)/8) .. msg
+end
+--- Build an Router Advertisement frame.
+-- @param mac_src six-byte string of the source MAC address.
+-- @param prefix 16-byte string of IPv6 address.
+-- @param prefix_len integer that represents the length of the prefix.
+-- @param valid_time integer that represents the valid time of the prefix.
+-- @param preferred_time integer that represents the preferred time of the prefix.
+function Packet:build_router_advert(mac_src,prefix,prefix_len,valid_time,preferred_time)
+ self.ip6_src = mac_to_lladdr(mac_src)
+ self.ip6_dst = ipv6tobin("ff02::1")
+ self.mac_src = mac_src
+ self.mac_dst = mactobin("33:33:00:00:00:01")
+
+ local ra_msg = string.char(0x0, --cur hop limit
+ 0x08, --flags
+ 0x00,0x00, --router lifetime
+ 0x00,0x00,0x00,0x00, --reachable time
+ 0x00,0x00,0x00,0x00) --retrans timer
+ local prefix_option_msg = string.char(prefix_len,
+ 0xc0) .. --flags: Onlink, Auto
+ packet.set_u32("....",0,valid_time) ..
+ packet.set_u32("....",0,preferred_time) ..
+ string.char(0,0,0,0) .. --unknown
+ prefix
+ local icmpv6_prefix_option = self:set_icmpv6_option(ND_OPT_PREFIX_INFORMATION,prefix_option_msg)
+ local icmpv6_src_link_option = self:set_icmpv6_option(ND_OPT_SOURCE_LINKADDR,mac_src)
+ self.icmpv6_payload = ra_msg .. icmpv6_prefix_option .. icmpv6_src_link_option
+
+ self.icmpv6_type = ND_ROUTER_ADVERT
+ self.icmpv6_code = 0
+end
-- Helpers
@@ -171,6 +406,73 @@ function iptobin(str)
end
return ret
end
+function inet6_pton_simple(str)
+ local addr_hex = ""
+ if str==nil then
+ return addr_hex
+ end
+ local unit16
+ for unit16 in string.gmatch(str, "%x+") do
+ local h8 = string.sub(unit16,-4,-3)
+ local l8 = string.sub(unit16,-2,-1)
+ local unit8
+ for _,unit8 in pairs({h8,l8}) do
+ if (unit8 == "") then
+ addr_hex = addr_hex .. string.char(0x00)
+ else
+ addr_hex = addr_hex .. string.char("0x"..unit8)
+ end
+ end
+ end
+ return addr_hex
+end
+--- Convert an IPv6 address string (like "fe80:21::1") to a raw
+-- string 16 bytes long.
+-- @param str IPv6 address string.
+-- @return 16-byte string.
+function ipv6tobin(str)
+ if not str then
+ return nil
+ end
+ local check_str = string.gsub(str,":","f")
+ if string.match(check_str,"[%X]") then
+ return nil,"Invalid IPv6 address: unknown character."
+ end
+ local i,j
+ i,j = string.find(str,"::")
+ if not i then
+ return inet6_pton_simple(str)
+ end
+ local lpart
+ local rpart
+ lpart = string.match(str,"([%x:]-)::")
+ rpart = string.match(str,"::([%x:]+)")
+ local lpart_hex = inet6_pton_simple(lpart)
+ local rpart_hex = inet6_pton_simple(rpart)
+ if (#lpart_hex+#rpart_hex~=16) then
+ local filler_num = 16 - #lpart_hex - #rpart_hex
+ local i
+ for i=1,filler_num do
+ lpart_hex = lpart_hex .. string.char(0x00)
+ end
+ end
+ return lpart_hex .. rpart_hex
+end
+--- Convert a MAC address string (like "00:23:ae:5d:3b:10") to
+-- a raw six-byte long.
+-- @param str MAC address string.
+-- @return Six-byte string.
+function mactobin(str)
+ if not str then
+ return mactobin("00:00:00:00:00:00")
+ end
+ local unit8
+ local addr_hex = ""
+ for unit8 in string.gmatch(str,"%x+") do
+ addr_hex = addr_hex .. string.char("0x"..unit8)
+ end
+ return addr_hex
+end
--- Convert a four-byte raw string to a dotted-quad IP address string.
-- @param raw_ip_addr Four-byte string.
-- @return IP address string.
@@ -180,6 +482,27 @@ function toip(raw_ip_addr)
end
return string.format("%i.%i.%i.%i", string.byte(raw_ip_addr,1,4))
end
+--- Convert a 16-byte raw string to an IPv6 address string.
+-- @param raw_ipv6_addr 16-byte string.
+-- @return IPv6 address string.
+function toipv6(raw_ipv6_addr)
+ if not raw_ipv6_addr then
+ return "?::?"
+ end
+ return string.format("%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x:%02x%02x",
+ string.byte(raw_ipv6_addr,1,16))
+end
+--- Generate the link-local IPv6 address from the MAC address.
+-- @param mac MAC address string.
+-- @return Link-local IPv6 address string.
+function mac_to_lladdr(mac)
+ if not mac then
+ return "?::?"
+ end
+ local interfier = string.char(bit.bor(string.byte(mac,1),0x02))..string.sub(mac,2,3)..string.char(0xff,0xfe)..string.sub(mac,4,6)
+ local ll_prefix = ipv6tobin("fe80::")
+ return string.sub(ll_prefix,1,8)..interfier
+end
--- Get an 8-bit integer at a 0-based byte offset in the packet.
-- @param index Offset.
-- @return An 8-bit integer.
@@ -269,6 +592,38 @@ function Packet:ip_parse(force_continue)
self.ip_data_offset = self.ip_offset + self.ip_hl*4
return true
end
+--- Parse an IPv6 packet header.
+-- @param force_continue Ignored.
+-- @return Whether the parsing succeeded.
+function Packet:ip6_parse(force_continue)
+ self.ip6_offset = 0
+ if #self.buf < 40 then -- too short
+ return false
+ end
+ self.ip_v = bit.rshift(bit.band(self:u8(self.ip6_offset + 0), 0xF0), 4)
+ if self.ip_v ~= 6 then -- not ipv6
+ return false
+ end
+ self.ip6 = true
+ self.ip6_tc = bit.rshift(bit.band(self:u16(self.ip6_offset + 0), 0x0FF0), 4)
+ self.ip6_fl = bit.band(self:u8(self.ip6_offset + 1), 0x0F)*65536 + self:u16(self.ip6_offset + 2)
+ self.ip6_plen = self:u16(self.ip6_offset + 4)
+ self.ip6_nhdr = self:u8(self.ip6_offset + 6)
+ self.ip6_hlimt = self:u8(self.ip6_offset + 7)
+ self.ip6_src = self:raw(self.ip6_offset + 8, 16)
+ self.ip6_dst = self:raw(self.ip6_offset + 24, 16)
+ self.ip6_data_offset = 40
+ return true
+end
+--- Pare an IPv6 extension header. Just jump over it at the moment.
+-- @param force_continue Ignored.
+-- @return Whether the parsing succeeded.
+function Packet:ipv6_ext_header_parse(force_continue)
+ local ext_hdr_len = self.u8(self.ip6_data_offset + 1)
+ ext_hdr_len = ext_hdr_len*8 + 8
+ self.ip6_data_offset = self.ip6_data_offset + ext_hdr_len
+ self.ip6_nhdr = self.u8(self.ip6_data_offset)
+end
--- Set the header length field.
function Packet:ip_set_hl(len)
self:set_u8(self.ip_offset + 0, bit.bor(bit.lshift(self.ip_v, 4), bit.band(len, 0x0F)))
@@ -420,6 +775,25 @@ function Packet:icmp_tostring()
return self:ip_tostring() .. " ICMP(" .. self.icmp_payload:tostring() .. ")"
end
+----------------------------------------------------------------------------------------------------------------
+--- Parse an ICMPv6 packet header.
+-- @param force_continue Ignored.
+-- @return Whether the parsing succeeded.
+function Packet:icmpv6_parse(force_continue)
+ self.icmpv6_offset = self.ip6_data_offset
+ if #self.buf < self.icmpv6_offset + 8 then -- let's say 8 bytes minimum
+ return false
+ end
+ self.icmpv6 = true
+ self.icmpv6_type = self:u8(self.icmpv6_offset + 0)
+ self.icmpv6_code = self:u8(self.icmpv6_offset + 1)
+
+ if self.icmpv6_type == ND_NEIGHBOR_SOLICIT then
+ self.ns_target = self:raw(self.icmpv6_offset + 8, 16)
+ end
+ return true
+end
+
----------------------------------------------------------------------------------------------------------------
-- Parse a TCP packet header.
-- @param force_continue Whether a short packet causes parsing to fail.
diff --git a/osscan2.cc b/osscan2.cc
index 1eb79c9bc..fb790af82 100644
--- a/osscan2.cc
+++ b/osscan2.cc
@@ -1809,7 +1809,7 @@ void HostOsScan::makeTSeqFP(HostOsScanStats *hss) {
}
if (good_tcp_ipid_num >= 3) {
- tcp_ipid_seqclass = get_ipid_sequence(good_tcp_ipid_num, hss->ipid.tcp_ipids, islocalhost(hss->target->v4hostip()));
+ tcp_ipid_seqclass = get_ipid_sequence(good_tcp_ipid_num, hss->ipid.tcp_ipids, islocalhost(hss->target->TargetSockAddr()));
} else {
tcp_ipid_seqclass = IPID_SEQ_UNKNOWN;
}
@@ -1817,13 +1817,13 @@ void HostOsScan::makeTSeqFP(HostOsScanStats *hss) {
hss->si.ipid_seqclass = tcp_ipid_seqclass;
if (good_tcp_closed_ipid_num >= 2) {
- tcp_closed_ipid_seqclass = get_ipid_sequence(good_tcp_closed_ipid_num, hss->ipid.tcp_closed_ipids, islocalhost(hss->target->v4hostip()));
+ tcp_closed_ipid_seqclass = get_ipid_sequence(good_tcp_closed_ipid_num, hss->ipid.tcp_closed_ipids, islocalhost(hss->target->TargetSockAddr()));
} else {
tcp_closed_ipid_seqclass = IPID_SEQ_UNKNOWN;
}
if (good_icmp_ipid_num >= 2) {
- icmp_ipid_seqclass = get_ipid_sequence(good_icmp_ipid_num, hss->ipid.icmp_ipids, islocalhost(hss->target->v4hostip()));
+ icmp_ipid_seqclass = get_ipid_sequence(good_icmp_ipid_num, hss->ipid.icmp_ipids, islocalhost(hss->target->TargetSockAddr()));
} else {
icmp_ipid_seqclass = IPID_SEQ_UNKNOWN;
}
@@ -3610,7 +3610,7 @@ static void endRound(OsScanInfo *OSI, HostOsScan *HOS, int roundNum) {
hsi->isCompleted = true;
}
- if (islocalhost(hsi->target->v4hostip())) {
+ if (islocalhost(hsi->target->TargetSockAddr())) {
/* scanning localhost */
distance = 0;
distance_calculation_method = DIST_METHOD_LOCALHOST;
diff --git a/portreasons.cc b/portreasons.cc
index 2746b54b6..00e14870e 100644
--- a/portreasons.cc
+++ b/portreasons.cc
@@ -150,6 +150,7 @@ reason_map_type::reason_map_type(){
reason_map[ER_IPIDCHANGE] = reason_string("ipid-change","ipid-changes");
reason_map[ER_ARPRESPONSE] = reason_string("arp-response","arp-responses");
+ reason_map[ER_NDRESPONSE] = reason_string("nd-response","nd-responses");
reason_map[ER_TCPRESPONSE] = reason_string("tcp-response","tcp-responses");
reason_map[ER_NORESPONSE] = reason_string("no-response","no-responses");
diff --git a/portreasons.h b/portreasons.h
index fcf197d39..9b3ea0a62 100644
--- a/portreasons.h
+++ b/portreasons.h
@@ -150,7 +150,7 @@ enum reason_codes {
ER_TIMEEXCEEDED, ER_TIMESTAMPREPLY,
ER_ADDRESSMASKREPLY, ER_NOIPIDCHANGE, ER_IPIDCHANGE,
- ER_ARPRESPONSE, ER_TCPRESPONSE, ER_NORESPONSE,
+ ER_ARPRESPONSE, ER_NDRESPONSE, ER_TCPRESPONSE, ER_NORESPONSE,
ER_INITACK, ER_ABORT,
ER_LOCALHOST, ER_SCRIPT, ER_UNKNOWN, ER_USER,
ER_NOROUTE, ER_BEYONDSCOPE, ER_REJECTROUTE, ER_PARAMPROBLEM,
diff --git a/scan_engine.cc b/scan_engine.cc
index e3192403a..b75d52b20 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -179,6 +179,8 @@ static const char *pspectype2ascii(int type) {
return "ICMP";
case PS_ARP:
return "ARP";
+ case PS_ND:
+ return "ND";
case PS_CONNECTTCP:
return "connect";
default:
@@ -223,7 +225,7 @@ class UltraProbe {
public:
UltraProbe();
~UltraProbe();
- enum UPType { UP_UNSET, UP_IP, UP_CONNECT, UP_RPC, UP_ARP } type; /* The type of probe this is */
+ enum UPType { UP_UNSET, UP_IP, UP_CONNECT, UP_RPC, UP_ARP, UP_ND } type; /* The type of probe this is */
/* Sets this UltraProbe as type UP_IP and creates & initializes the
internal IPProbe. The relevent probespec is necessary for setIP
@@ -235,6 +237,7 @@ public:
void setConnect(u16 portno);
/* Pass an arp packet, including ethernet header. Must be 42bytes */
void setARP(u8 *arppkt, u32 arplen);
+ void setND(u8 *ndpkt, u32 ndlen);
// The 4 accessors below all return in HOST BYTE ORDER
// source port used if TCP, UDP or SCTP
u16 sport() const {
@@ -618,6 +621,7 @@ public:
bool prot_scan;
bool ping_scan; /* Includes trad. ping scan & arp scan */
bool ping_scan_arp; /* ONLY includes arp ping scan */
+ bool ping_scan_nd; /* ONLY includes ND ping scan */
bool noresp_open_scan; /* Whether no response means a port is open */
/* massping state. */
@@ -759,6 +763,9 @@ static char *probespec2ascii(const probespec *pspec, char *buf, unsigned int buf
case PS_ARP:
Snprintf(buf, bufsz, "ARP");
break;
+ case PS_ND:
+ Snprintf(buf, bufsz, "ND");
+ break;
case PS_CONNECTTCP:
Snprintf(buf, bufsz, "connect to port %hu", pspec->pd.tcp.dport);
break;
@@ -802,6 +809,12 @@ void UltraProbe::setARP(u8 *arppkt, u32 arplen) {
return;
}
+void UltraProbe::setND(u8 *ndpkt, u32 ndlen) {
+ type = UP_ND;
+ mypspec.type = PS_ND;
+ return;
+}
+
/* Sets this UltraProbe as type UP_IP and creates & initializes the
internal IPProbe. The relevent probespec is necessary for setIP
because pspec.type is ambiguous with just the ippacket (e.g. a
@@ -1112,6 +1125,8 @@ static bool pingprobe_is_appropriate(const UltraScanInfo *USI,
return ((USI->ping_scan && !USI->ping_scan_arp )|| pingprobe->pd.icmp.type == 3);
case(PS_ARP):
return USI->ping_scan_arp;
+ case(PS_ND):
+ return USI->ping_scan_nd;
}
return false;
}
@@ -1400,7 +1415,7 @@ UltraScanInfo::~UltraScanInfo() {
Basically, any scan type except pure TCP connect scans are raw. */
bool UltraScanInfo::isRawScan() {
return scantype != CONNECT_SCAN
- && (tcp_scan || udp_scan || sctp_scan || prot_scan || ping_scan_arp
+ && (tcp_scan || udp_scan || sctp_scan || prot_scan || ping_scan_arp || ping_scan_nd
|| (ping_scan && (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan
|| ptech.rawsctpscan || ptech.rawprotoscan)));
}
@@ -1516,6 +1531,7 @@ static void set_default_port_state(vector &targets, stype scantype) {
break;
case PING_SCAN:
case PING_SCAN_ARP:
+ case PING_SCAN_ND:
break;
default:
fatal("Unexpected scan type found in %s()", __func__);
@@ -1539,7 +1555,7 @@ void UltraScanInfo::Init(vector &Targets, struct scan_lists *pts, styp
SPM = new ScanProgressMeter(scantype2str(scantype));
send_rate_meter.start(&now);
tcp_scan = udp_scan = sctp_scan = prot_scan = false;
- ping_scan = noresp_open_scan = ping_scan_arp = false;
+ ping_scan = noresp_open_scan = ping_scan_arp = ping_scan_nd = false;
memset((char *) &ptech, 0, sizeof(ptech));
switch(scantype) {
case FIN_SCAN:
@@ -1589,6 +1605,10 @@ void UltraScanInfo::Init(vector &Targets, struct scan_lists *pts, styp
ping_scan = true;
ping_scan_arp = true;
break;
+ case PING_SCAN_ND:
+ ping_scan = true;
+ ping_scan_nd = true;
+ break;
default:
break;
}
@@ -1624,7 +1644,7 @@ void UltraScanInfo::Init(vector &Targets, struct scan_lists *pts, styp
aren't doing a TCP connect scan, or if we're doing a ping scan that
requires it. */
if (isRawScan()) {
- if (ping_scan_arp || ((o.sendpref & PACKET_SEND_ETH) &&
+ if (ping_scan_arp || (ping_scan_nd && o.sendpref != PACKET_SEND_IP_STRONG) || ((o.sendpref & PACKET_SEND_ETH) &&
Targets[0]->ifType() == devt_ethernet)) {
/* We'll send ethernet packets with dnet */
ethsd = eth_open_cached(Targets[0]->deviceName());
@@ -2020,6 +2040,12 @@ static int get_next_target_probe(UltraScanInfo *USI, HostScanStats *hss,
pspec->type = PS_ARP;
hss->sent_arp = true;
return 0;
+ } else if (USI->ping_scan_nd) {
+ if (hss->sent_arp)
+ return -1;
+ pspec->type = PS_ND;
+ hss->sent_arp = true;
+ return 0;
} else if (USI->ping_scan) {
/* This is ordered to try probes of higher effectiveness first:
-PE -PS -PA -PP -PU
@@ -2132,6 +2158,9 @@ int HostScanStats::freshPortsLeft() {
} else if (USI->ping_scan_arp) {
if (sent_arp) return 0;
return 1;
+ } else if (USI->ping_scan_nd) {
+ if (sent_arp) return 0;
+ return 1;
} else if (USI->ping_scan) {
unsigned int num_probes = 0;
if (USI->ptech.rawtcpscan) {
@@ -2566,7 +2595,7 @@ void HostScanStats::getTiming(struct ultra_timing_vals *tmng) {
preferred, is
Raw TCP/SCTP (not filtered, not SYN/INIT to an open port)
ICMP information queries (echo request, timestamp request, netmask req)
- ARP
+ ARP/ND
Raw TCP/SCTP (SYN/INIT to an open port)
UDP, IP protocol, or other ICMP (including filtered TCP/SCTP)
TCP connect
@@ -2602,6 +2631,7 @@ static unsigned int pingprobe_score(const probespec *pspec, int state) {
score = 2;
break;
case PS_ARP:
+ case PS_ND:
score = 4;
break;
case PS_UDP:
@@ -3159,6 +3189,75 @@ static UltraProbe *sendArpScanProbe(UltraScanInfo *USI, HostScanStats *hss,
return probe;
}
+static UltraProbe *sendNDScanProbe(UltraScanInfo *USI, HostScanStats *hss,
+ u8 tryno, u8 pingseq) {
+ UltraProbe *probe = new UltraProbe();
+ struct eth_nfo eth;
+ struct eth_nfo *ethptr = NULL;
+ u8 *packet = NULL;
+ u32 packetlen = 0;
+ struct in6_addr ns_dst_ip6;
+ ns_dst_ip6 = *hss->target->v6hostip();
+
+ if (USI->ethsd) {
+ unsigned char ns_dst_mac[6] = {0x33, 0x33, 0xff};
+ ns_dst_mac[3] = ns_dst_ip6.s6_addr[13];
+ ns_dst_mac[4] = ns_dst_ip6.s6_addr[14];
+ ns_dst_mac[5] = ns_dst_ip6.s6_addr[15];
+
+ memcpy(eth.srcmac, hss->target->SrcMACAddress(), 6);
+ memcpy(eth.dstmac, ns_dst_mac, 6);
+ eth.ethsd = USI->ethsd;
+ eth.devname[0] = '\0';
+ ethptr = ð
+ }
+
+ unsigned char multicast_prefix[13] = {0};
+ multicast_prefix[0] = 0xff;
+ multicast_prefix[1] = 0x02;
+ multicast_prefix[11] = 0x1;
+ multicast_prefix[12] = 0xff;
+ memcpy(&ns_dst_ip6, multicast_prefix, sizeof(multicast_prefix));
+
+ struct sockaddr_storage source;
+ struct sockaddr_in6 *sin6;
+ size_t source_len;
+
+ source_len = sizeof(source);
+ hss->target->SourceSockAddr(&source, &source_len);
+ sin6 = (struct sockaddr_in6 *) &source;
+
+ struct icmpv6_msg_nd ns_msg;
+ ns_msg.icmpv6_flags = htons(0);
+ memcpy(&ns_msg.icmpv6_target, hss->target->v6hostip(), IP6_ADDR_LEN);
+ ns_msg.icmpv6_option_type = 1;
+ ns_msg.icmpv6_option_length = 1;
+ memcpy(&ns_msg.icmpv6_mac, hss->target->SrcMACAddress(), ETH_ADDR_LEN);
+
+ packet = build_icmpv6_raw(&sin6->sin6_addr, &ns_dst_ip6,
+ 0, 0, o.ttl, 0, 0, ICMPV6_NEIGHBOR_SOLICITATION,
+ 0, (char *)&ns_msg, sizeof(ns_msg),
+ &packetlen);
+ probe->sent = USI->now;
+ hss->probeSent(packetlen);
+ send_ip_packet(USI->rawsd, ethptr, packet, packetlen);
+
+ probe->tryno = tryno;
+ probe->pingseq = pingseq;
+ /* First build the probe */
+ probe->setND(packet, packetlen);
+
+ free(packet);
+
+ /* Now that the probe has been sent, add it to the Queue for this host */
+ hss->probes_outstanding.push_back(probe);
+ USI->gstats->num_probes_active++;
+ hss->num_probes_active++;
+
+ gettimeofday(&USI->now, NULL);
+ return probe;
+}
+
/* Build an appropriate protocol scan (-sO) probe for the given source and
destination addresses and protocol. src and dst must be of the same address
@@ -3559,6 +3658,8 @@ static void sendNextScanProbe(UltraScanInfo *USI, HostScanStats *hss) {
USI->gstats->probes_sent++;
if (pspec.type == PS_ARP)
sendArpScanProbe(USI, hss, 0, 0);
+ else if (pspec.type == PS_ND)
+ sendNDScanProbe(USI, hss, 0, 0);
else if (pspec.type == PS_CONNECTTCP)
sendConnectScanProbe(USI, hss, pspec.pd.tcp.dport, 0, 0);
else if (pspec.type == PS_TCP || pspec.type == PS_UDP
@@ -3584,7 +3685,7 @@ static void sendNextRetryStackProbe(UltraScanInfo *USI, HostScanStats *hss) {
if (pspec.type == PS_CONNECTTCP)
sendConnectScanProbe(USI, hss, pspec.pd.tcp.dport, pspec_tries + 1, 0);
else {
- assert(pspec.type != PS_ARP);
+ assert(pspec.type != PS_ARP and pspec.type != PS_ND);
sendIPScanProbe(USI, hss, &pspec, pspec_tries + 1, 0);
}
}
@@ -3653,6 +3754,8 @@ static void sendPingProbe(UltraScanInfo *USI, HostScanStats *hss) {
sendIPScanProbe(USI, hss, &hss->target->pingprobe, 0, hss->nextPingSeq(true));
} else if (hss->target->pingprobe.type == PS_ARP) {
sendArpScanProbe(USI, hss, 0, hss->nextPingSeq(true));
+ } else if (hss->target->pingprobe.type == PS_ND) {
+ sendNDScanProbe(USI, hss, 0, hss->nextPingSeq(true));
} else if (USI->scantype == RPC_SCAN) {
assert(0); /* TODO: fill out */
} else {
@@ -3738,6 +3841,8 @@ static void retransmitProbe(UltraScanInfo *USI, HostScanStats *hss,
newProbe = sendConnectScanProbe(USI, hss, probe->pspec()->pd.tcp.dport, probe->tryno + 1, 0);
} else if (probe->type == UltraProbe::UP_ARP) {
newProbe = sendArpScanProbe(USI, hss, probe->tryno + 1, 0);
+ } else if (probe->type == UltraProbe::UP_ND) {
+ newProbe = sendNDScanProbe(USI, hss, probe->tryno + 1, 0);
} else {
/* TODO: Support any other probe types */
fatal("%s: unsupported probe type %d", __func__, probe->type);
@@ -4171,6 +4276,75 @@ static bool get_arp_result(UltraScanInfo *USI, struct timeval *stime) {
return gotone;
}
+static bool get_ns_result(UltraScanInfo *USI, struct timeval *stime) {
+
+ gettimeofday(&USI->now, NULL);
+ long to_usec;
+ int rc;
+ u8 rcvdmac[6];
+ struct sockaddr_in6 rcvdIP;
+ struct timeval rcvdtime;
+ bool timedout = false;
+ bool has_mac = false;
+ struct sockaddr_in6 sin6;
+ HostScanStats *hss = NULL;
+ list::iterator probeI;
+ int gotone = 0;
+
+ do {
+ to_usec = TIMEVAL_SUBTRACT(*stime, USI->now);
+ if (to_usec < 2000) to_usec = 2000;
+ rc = read_na_pcap(USI->pd, rcvdmac, &rcvdIP, to_usec, &rcvdtime, &has_mac);
+ gettimeofday(&USI->now, NULL);
+ if (rc == -1) fatal("Received -1 response from read_arp_reply_pcap");
+ if (rc == 0) {
+ if (TIMEVAL_SUBTRACT(*stime, USI->now) < 0) {
+ timedout = true;
+ break;
+ } else continue;
+ }
+ if (rc == 1) {
+ if (TIMEVAL_SUBTRACT(USI->now, *stime) > 200000) {
+ /* While packets are still being received, I'll be generous
+ and give an extra 1/5 sec. But we have to draw the line
+ somewhere. Hopefully this response will be a keeper so it
+ won't matter. */
+ timedout = true;
+ }
+
+ /* Yay, I got one. Find whether I asked for it */
+ /* Search for this host on the incomplete list */
+ memset(&sin6, 0, sizeof(sin6));
+ sin6.sin6_addr = rcvdIP.sin6_addr;
+ sin6.sin6_family = AF_INET6;
+ hss = USI->findHost((struct sockaddr_storage *) &sin6);
+ if (!hss) continue;
+ /* Add found HW address for target */
+ /* A Neighbor Advertisement packet may not include the Target link-layer address. */
+ if (has_mac){
+ hss->target->setMACAddress(rcvdmac);
+ }
+ hss->target->reason.reason_id = ER_NDRESPONSE;
+
+ if (hss->probes_outstanding.empty()) {
+ continue;
+ /* TODO: I suppose I should really mark the @@# host as up */
+ }
+ probeI = hss->probes_outstanding.end();
+ probeI--;
+ ultrascan_host_probe_update(USI, hss, probeI, HOST_UP, &rcvdtime);
+ /* Now that we know the host is up, we can forget our other probes. */
+ hss->destroyAllOutstandingProbes();
+ /* TODO: Set target mac */
+ gotone = 1;
+ // printf("Marked host %s as up!", hss->target->NameIP());
+ break;
+ }
+ } while(!timedout);
+
+ return gotone;
+}
+
/* Tries to get one *good* (finishes a probe) pcap response by the
@@ -5254,6 +5428,8 @@ static void waitForResponses(UltraScanInfo *USI) {
USI->sendOK(&stime);
if (USI->ping_scan_arp) {
gotone = get_arp_result(USI, &stime);
+ } else if (USI->ping_scan_nd) {
+ gotone = get_ns_result(USI,&stime);
} else if (USI->ping_scan) {
if (USI->pd)
gotone = get_ping_pcap_result(USI, &stime);
@@ -5315,6 +5491,16 @@ static void begin_sniffer(UltraScanInfo *USI, vector &Targets) {
pcap_filter += " and arp[22:2] = 0x";
pcap_filter.append(macstring, 4 * 2, 2 * 2);
//its not arp, so lets check if for a protocol scan.
+ } else if (USI->ping_scan_nd) {
+ /* Libpcap: IPv6 upper-layer protocol is not supported by proto[x] */
+ /* Grab the ICMPv6 type using ip6[X:Y] syntax. This works only if there are no
+ extension headers (top-level nh is IPPROTO_ICMPV6). */
+ const u8 *srcmac = Targets[0]->SrcMACAddress();
+ assert(srcmac);
+ char filterstr[256];
+ Snprintf(filterstr, 256, "icmp6 and ip6[6:1] = %u and ip6[40:1] = %u",
+ IPPROTO_ICMPV6, ICMPV6_NEIGHBOR_ADVERTISEMENT);
+ pcap_filter.append(filterstr);
} else if(USI->prot_scan || (USI->ping_scan && USI->ptech.rawprotoscan)){
struct sockaddr_storage source;
size_t source_len;
diff --git a/scan_engine.h b/scan_engine.h
index aec707f5c..e08167df1 100644
--- a/scan_engine.h
+++ b/scan_engine.h
@@ -131,6 +131,7 @@ struct probespec_icmpv6data {
#define PS_CONNECTTCP 6
#define PS_SCTP 7
#define PS_ICMPV6 8
+#define PS_ND 9
/* The size of this structure is critical, since there can be tens of
thousands of them stored together ... */
diff --git a/targets.cc b/targets.cc
index b5a30c1c0..c4bce36f4 100644
--- a/targets.cc
+++ b/targets.cc
@@ -118,7 +118,7 @@ static void arpping(Target *hostbatch[], int num_hosts) {
/* Default timout should be much lower for arp */
hostbatch[targetno]->to.timeout = MAX(o.minRttTimeout(), MIN(o.initialRttTimeout(), INITIAL_ARP_RTT_TIMEOUT)) * 1000;
if (!hostbatch[targetno]->SrcMACAddress()) {
- bool islocal = islocalhost(hostbatch[targetno]->v4hostip());
+ bool islocal = islocalhost(hostbatch[targetno]->TargetSockAddr());
if (islocal) {
log_write(LOG_STDOUT|LOG_NORMAL,
"ARP ping: Considering %s UP because it is a local IP, despite no MAC address for device %s\n",
@@ -136,7 +136,10 @@ static void arpping(Target *hostbatch[], int num_hosts) {
targets.push_back(hostbatch[targetno]);
}
if (!targets.empty())
- ultra_scan(targets, NULL, PING_SCAN_ARP);
+ if (targets[0]->af() == AF_INET)
+ ultra_scan(targets, NULL, PING_SCAN_ARP);
+ else
+ ultra_scan(targets, NULL, PING_SCAN_ND);
return;
}
@@ -419,6 +422,16 @@ batchfull:
arpping_done = true;
}
+ /* No other interface types are supported by ND ping except devt_ethernet
+ at the moment. */
+ if (hs->hostbatch[0]->ifType() == devt_ethernet &&
+ hs->hostbatch[0]->af() == AF_INET6 &&
+ hs->hostbatch[0]->directlyConnected() &&
+ o.sendpref != PACKET_SEND_IP_STRONG) {
+ arpping(hs->hostbatch, hs->current_batch_sz);
+ arpping_done = true;
+ }
+
gettimeofday(&now, NULL);
if ((o.sendpref & PACKET_SEND_ETH) &&
hs->hostbatch[0]->ifType() == devt_ethernet) {
diff --git a/tcpip.cc b/tcpip.cc
index a8e0c31ed..68851c264 100644
--- a/tcpip.cc
+++ b/tcpip.cc
@@ -1093,11 +1093,9 @@ u8 *build_icmpv6_raw(const struct in6_addr *source,
packet, icmplen, packetlen);
free(packet);
-
return ipv6;
}
-
/* Builds an IGMP packet (including an IP header) by packing the fields
with the given information. It allocates a new buffer to store the
packet contents, and then returns that buffer. The packet is not
@@ -1689,9 +1687,87 @@ char *readip_pcap(pcap_t *pd, unsigned int *len, long to_usec,
return alignedbuf;
}
+/* Attempts to read one IPv6 Neighbor Solicitation reply packet from the pcap
+ descriptor pd. If it receives one, fills in sendermac (must pass
+ in 6 bytes), senderIP, and rcvdtime (can be NULL if you don't care)
+ and returns 1. If it times out and reads no Neighbor Advertisement, returns
+ 0. to_usec is the timeout period in microseconds. Use 0 to avoid
+ blocking to the extent possible. Returns -1 or exits if there is
+ an error. The last parameter is a pointer to a callback function
+ that can be used for packet tracing. This is intended to be used
+ by Nmap only. Any other calling this should pass NULL instead. */
+int read_na_pcap(pcap_t *pd, u8 *sendermac, struct sockaddr_in6 *senderIP, long to_usec,
+ struct timeval *rcvdtime, bool *has_mac) {
+ struct ip *ip_tmp;
+ struct icmpv6_hdr *icmp6_header;
+ struct icmpv6_msg_nd *na;
+ struct timeval tv_start, tv_end;
+ const void *data = NULL;
+ unsigned int datalen;
+ static int warning = 0;
+ int timedout = 0;
+ struct abstract_ip_hdr hdr;
+ struct link_header linknfo;
+ if (to_usec < 0) {
+ if (!warning) {
+ warning = 1;
+ error("WARNING: Negative timeout value (%lu) passed to %s() -- using 0", to_usec, __func__);
+ }
+ to_usec = 0;
+ }
+ if (to_usec > 0) {
+ gettimeofday(&tv_start, NULL);
+ }
+
+ do {
+ ip_tmp = (struct ip *) readip_pcap(pd, &datalen, to_usec, rcvdtime,
+ &linknfo, true);
+ if(ip_tmp){ //Check Neighbor Advertisement Packet.
+ /* OK, we got a packet. Most packet validity tests are taken care
+ * of in readip_pcap, so this is simple
+ */
+ data = ip_get_data(ip_tmp, &datalen, &hdr);
+ if (data == NULL)
+ continue;
+ if (hdr.proto == IPPROTO_ICMPV6){
+ icmp6_header = (struct icmpv6_hdr *)data;
+ na = (struct icmpv6_msg_nd *) ((unsigned char*)data + ICMPV6_HDR_LEN);
+ if (icmp6_header->icmpv6_type == ICMPV6_NEIGHBOR_ADVERTISEMENT &&
+ icmp6_header->icmpv6_code == 0){
+ //Set target IPv6 address
+ senderIP->sin6_family = AF_INET6;
+ memcpy(&senderIP->sin6_addr.s6_addr, &na->icmpv6_target, 16);
+ //Set MAC
+ if (datalen == ICMPV6_HDR_LEN + sizeof(struct icmpv6_msg_nd)){
+ if (na->icmpv6_option_type == 2 && na->icmpv6_option_length == 1){
+ *has_mac = true;
+ memcpy(sendermac, &na->icmpv6_mac, 6);
+ }
+ } else{
+ *has_mac = false;
+ }
+ }
+ }
+ } else {
+ /* Should we timeout? */
+ if (to_usec == 0) {
+ timedout = 1;
+ } else if (to_usec > 0) {
+ gettimeofday(&tv_end, NULL);
+ if (TIMEVAL_SUBTRACT(tv_end, tv_start) >= to_usec) {
+ timedout = 1;
+ }
+ }
+ }
+ } while (!timedout and !ip_tmp);
+
+ if (timedout)
+ return 0;
+ return 1;
+}
// Returns whether the packet receive time value obtained from libpcap
// (and thus by readip_pcap()) should be considered valid. When
diff --git a/tcpip.h b/tcpip.h
index aed4071fd..83b7789a9 100644
--- a/tcpip.h
+++ b/tcpip.h
@@ -638,6 +638,9 @@ char *readipv4_pcap(pcap_t *pd, unsigned int *len, long to_usec,
char *readip_pcap(pcap_t *pd, unsigned int *len, long to_usec,
struct timeval *rcvdtime, struct link_header *linknfo, bool validate);
+int read_na_pcap(pcap_t *pd, u8 *sendermac, struct sockaddr_in6 *senderIP, long to_usec,
+ struct timeval *rcvdtime, bool *has_mac);
+
/* Attempts to read one IPv4/Ethernet ARP reply packet from the pcap
descriptor pd. If it receives one, fills in sendermac (must pass
in 6 bytes), senderIP, and rcvdtime (can be NULL if you don't care)