From 1e3760a39735b127a4830e1978e2b96c4d4dae48 Mon Sep 17 00:00:00 2001
From: kris
Date: Sat, 27 Jan 2007 04:36:24 +0000
Subject: [PATCH] Start sending a valid encapsulated header with IP-in-IP with -sO.

Hosts respond more when a valid header is sent. I kept getting open|filtered for this, and now I get open. It's a lot like my IGMP patch from r4361
---
CHANGELOG | 7 ++++---
scan_engine.cc | 17 +++++++++++++++++
2 files changed, 21 insertions(+), 3 deletions(-)

diff --git a/CHANGELOG b/CHANGELOG
index c3e82f996..9a53c3572 100644
--- a/CHANGELOG
+++ b/CHANGELOG
@@ -31,9 +31,10 @@ o Fixed a bug which caused nmap --iflist to crash (and might have
 o Applied a bunch of code cleanup patches from Kris Katterjohn.
-o Changed the IP protocol scan so that it sends actual IGMP headers when
- scanning protocol number 2. This makes it much more likely that the host
- will respond, proving that it's "open". [Kris]
+o Changed the IP protocol scan so that it sends actual IGMP and IPIP
+ (IP-in-IP encapsulation) headers when scanning protocol numbers 2
+ and 4, respectively. This makes it much more likely that the host
+ will respond, proving that they're "open". [Kris]
 o Fixed UDP scan so that it doesn't find it's own port when scanning localhost. This was thought to be fixed in 4.10. This also prevents a
diff --git a/scan_engine.cc b/scan_engine.cc
index 22d11d5a2..35b468ed1 100644
--- a/scan_engine.cc
+++ b/scan_engine.cc
@@ -2203,6 +2203,23 @@ static UltraProbe *sendIPScanProbe(UltraScanInfo *USI, HostScanStats *hss,
 &packetlen);
 break;
+ case IPPROTO_IPIP:
+ /* This is our inner IP header, followed by data */
+ packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
+ IPPROTO_TCP, /* fake it */
+ o.ttl, ipid, IP_TOS_DEFAULT, false,
+ o.ipoptions, o.ipoptionslen,
+ o.extra_payload, o.extra_payload_length,
+ &packetlen);
+
+ /* This is our outer IP header, followed by the inner header above */
+ packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
+ pspec->proto,
+ o.ttl, ipid, IP_TOS_DEFAULT, false,
+ o.ipoptions, o.ipoptionslen,
+ (char *) packet, packetlen,
+ &packetlen);
+ break;
 default:
 packet = build_ip_raw(&o.decoys[decoy], hss->target->v4hostip(),
 pspec->proto,