diff --git a/CHANGELOG b/CHANGELOG index 19ece2856..ffb34e006 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -13,6 +13,16 @@ o Added ARP ping (-PR). Nmap can now send raw ethernet ARP requests to detects that the conditions are met. Example usage: nmap -sP -PR 192.168.0.0/16 . This is not yet supported on Windows. +o Added "Exclude" directive to nmap-service-probes grammar which + causes version detection to skip listed ports. This is helpful for + ports such as 9100. Some printers simply print any data sent to + that port, leading to pages of HTTP requests, SMB queries, X Windows + probes, etc. If you really want to scan all ports, specify + --allports. This patch came from Doug Hoyte (doug(a)hcsw.org). + +o Integrated a bunch of nmap-service-probes fingerprints from Doug + Hoyte (doug(a)hcsw.org) + o The OS fingerprint is now provided in XML output if debugging is enabled (-d) or verbosity is at least 2 (-v -v). This patch was sent by Okan Demirmen (okan(a)demirmen.com) diff --git a/Makefile.in b/Makefile.in index 3c2de25a7..f1abb5c97 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -export NMAP_VERSION = 3.82.2CSW +export NMAP_VERSION = 3.83.DC1 NMAP_NAME= nmap NMAP_URL= http://www.insecure.org/nmap/ NMAP_PLATFORM=@host@ diff --git a/NmapOps.cc b/NmapOps.cc index 36252920d..0a8890ee4 100644 --- a/NmapOps.cc +++ b/NmapOps.cc @@ -221,6 +221,7 @@ void NmapOps::Initialize() { decoyturn = -1; osscan = 0; servicescan = 0; + override_excludeports = 0; pingtype = PINGTYPE_UNKNOWN; listscan = pingscan = allowall = ackscan = bouncescan = connectscan = 0; rpcscan = nullscan = xmasscan = fragscan = synscan = windowscan = 0; diff --git a/NmapOps.h b/NmapOps.h index e6d0ad9ce..058955026 100644 --- a/NmapOps.h +++ b/NmapOps.h 
@@ -216,6 +216,9 @@ class NmapOps { target_struct_get will eventually set it to 0. */ + // Version Detection Options + int override_excludeports; + struct in_addr decoys[MAX_DECOYS]; int osscan_limit; /* Skip OS Scan if no open or no closed TCP ports */ int osscan_guess; /* Be more aggressive in guessing OS type */ diff --git a/docs/nmap.1 b/docs/nmap.1 index b3ef77e21..85c2c43a7 100644 --- a/docs/nmap.1 +++ b/docs/nmap.1 @@ -618,6 +618,11 @@ Same functionality as the --exclude option, only the excluded targets are provided in an newline-delimited exclude_file rather than on the command line. .TP +.B \--allports +Causes version detection (-sV) to scan all open ports found, including +those excluded as dangerous (likely to cause crashes or other +problems) in nmap-service-probes. +.TP .B \--append_output Tells Nmap to append scan results to any output files you have specified rather than overwriting those files. diff --git a/docs/nmap.dtd b/docs/nmap.dtd index 3d36c76dc..12ed78f9d 100644 --- a/docs/nmap.dtd +++ b/docs/nmap.dtd @@ -77,7 +77,7 @@ - + diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt index 28262d53d..8e51e930b 100644 --- a/docs/nmap.usage.txt +++ b/docs/nmap.usage.txt @@ -1,4 +1,4 @@ -Nmap 3.82.1CSW Usage: nmap [Scan Type(s)] [Options] +Nmap 3.83.DC1 Usage: nmap [Scan Type(s)] [Options] Some Common Scan Types ('*' options require root privileges) * -sS TCP SYN stealth port scan (default if privileged (root)) -sT TCP connect() port scan (default for unprivileged users) diff --git a/docs/nmap_manpage.html b/docs/nmap_manpage.html index 9cce06be4..a2d8a330e 100644 --- a/docs/nmap_manpage.html +++ b/docs/nmap_manpage.html 
@@ -579,6 +579,11 @@ targets are provided in an newline-delimited exclude_file rather than on the command line. + --allports + Causes version detection (-sV) to scan all open ports found, + including those excluded as dangerous (likely to cause crashes + or other problems) in nmap-service-probes. + --append_output Tells Nmap to append scan results to any output files you have specified rather than overwriting those files. @@ -734,6 +739,28 @@ Sets the IPv4 time to live field in sent packets to the given value. + --privileged + Tells Nmap to simply assume that it is privileged enough to per- + form raw socket sends, packet sniffing, and similar operations + that usually require root privileges on UNIX systems. By + default Nmap bails if such operations are requested but + geteuid() is not zero. --privileged is useful with Linux kernel + capabilities and similar systems that may be configured to allow + unprivileged users to perform raw-packet scans. Be sure to pro- + vide this option flag before any flags for options that require + privileges (SYN scan, OS detection, etc.). The NMAP_PRIVILEGED + variable may be set as an equivalent alternative --privileged. + + --interactive + Starts Nmap in interactive mode, which offers an interactive + Nmap prompt allowing easy launching of multiple scans (either + synchronously or in the background). This is useful for people + who scan from multi-user systems -- they often want to test + their security without letting everyone else on the system know + exactly which systems they are scanning. Use --interactive to + activate this mode and then type usually more familiar and fea- + ture-complete. + --randomize_hosts Tells Nmap to shuffle each group of up to 2048 hosts before it scans them. This can make the scans less obvious to various 
@@ -919,8 +946,8 @@ nmap -v target.example.com - This option scans all reserved TCP ports on the machine target.exam- - ple.com . The -v means turn on verbose mode. + This option scans all reserved TCP ports on the machine + target.example.com . The -v means turn on verbose mode. nmap -sS -O target.example.com/24 diff --git a/libdnet-stripped/libtool b/libdnet-stripped/libtool index fc5c820d5..3c471f64a 100755 --- a/libdnet-stripped/libtool +++ b/libdnet-stripped/libtool @@ -6938,11 +6938,11 @@ striplib="strip --strip-unneeded" # Dependencies to place before the objects being linked to create a # shared library. -predep_objects="/usr/lib/gcc/x86_64-redhat-linux/3.4.2/../../../../lib64/crti.o /usr/lib/gcc/x86_64-redhat-linux/3.4.2/crtbeginS.o" +predep_objects="/usr/lib/gcc/x86_64-redhat-linux/3.4.3/../../../../lib64/crti.o /usr/lib/gcc/x86_64-redhat-linux/3.4.3/crtbeginS.o" # Dependencies to place after the objects being linked to create a # shared library. -postdep_objects="/usr/lib/gcc/x86_64-redhat-linux/3.4.2/crtendS.o /usr/lib/gcc/x86_64-redhat-linux/3.4.2/../../../../lib64/crtn.o" +postdep_objects="/usr/lib/gcc/x86_64-redhat-linux/3.4.3/crtendS.o /usr/lib/gcc/x86_64-redhat-linux/3.4.3/../../../../lib64/crtn.o" # Dependencies to place before the objects being linked to create a # shared library. 
@@ -6954,7 +6954,7 @@ postdeps="-lstdc++ -lm -lgcc_s -lc -lgcc_s" # The library search path used internally by the compiler when linking # a shared library. -compiler_lib_search_path="-L/usr/lib/gcc/x86_64-redhat-linux/3.4.2 -L/usr/lib/gcc/x86_64-redhat-linux/3.4.2 -L/usr/lib/gcc/x86_64-redhat-linux/3.4.2/../../../../lib64 -L/usr/lib/gcc/x86_64-redhat-linux/3.4.2/../../.. -L/lib/../lib64 -L/usr/lib/../lib64" +compiler_lib_search_path="-L/usr/lib/gcc/x86_64-redhat-linux/3.4.3 -L/usr/lib/gcc/x86_64-redhat-linux/3.4.3 -L/usr/lib/gcc/x86_64-redhat-linux/3.4.3/../../../../lib64 -L/usr/lib/gcc/x86_64-redhat-linux/3.4.3/../../.. -L/lib/../lib64 -L/usr/lib/../lib64" # Method to check whether dependent libraries are shared objects. deplibs_check_method="pass_all" diff --git a/nmap-os-fingerprints b/nmap-os-fingerprints index d8f3a5e78..7f82e364c 100644 --- a/nmap-os-fingerprints +++ b/nmap-os-fingerprints @@ -11142,6 +11142,20 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) PU(Resp=N|Y) +# http://www.turtlebeach.com/site/products/audiotron/producthome.asp +Fingerprint Microsoft Windows 98SE or Turtle Beach AudioTron 100 network MP3 player +Class Microsoft | Windows | 95/98/ME | general purpose +Class Turtle Beach | embedded || media device +TSeq(Class=TD%gcd=<68%SI=<1E%IPID=BI%TS=U) +T1(DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) +T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) +T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) +T4(DF=N%W=0%ACK=O|S++%Flags=R%Ops=) +T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +T6(DF=N%W=0%ACK=O%Flags=R%Ops=) +T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) +PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) + # Microsoft Windows 98SE, service pack 1 installed, litepc installed (www.litepc.com) Fingerprint Microsoft Windows 98SE SP1 Class Microsoft | Windows | 95/98/ME | general purpose 
@@ -16468,20 +16482,6 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=) T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=F%ULEN=134%DAT=E) -# http://www.turtlebeach.com/site/products/audiotron/producthome.asp -Fingerprint Turtle Beach AudioTron 100 network MP3 player or Microsoft Windows 98SE -Class Turtle Beach | embedded || media device -Class Microsoft | Windows | 95/98/ME | general purpose -TSeq(Class=TD%gcd=<68%SI=<1E%IPID=BI%TS=U) -T1(DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) -T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=) -T3(Resp=Y%DF=Y%W=2017%ACK=S++%Flags=AS%Ops=M) -T4(DF=N%W=0%ACK=O|S++%Flags=R%Ops=) -T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -T6(DF=N%W=0%ACK=O%Flags=R%Ops=) -T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=) -PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E) - # Turtle Beach AudioTron with firmware 3.0.0 Fingerprint Turtle Beach AudioTron network MP3 player Class Turtle Beach | embedded || media device diff --git a/nmap-service-probes b/nmap-service-probes index e68e4f2f2..f7adc2dbb 100644 --- a/nmap-service-probes +++ b/nmap-service-probes @@ -131,7 +131,7 @@ match ftp m|^220-FileZilla Server version (\d[-.\w ]+)\r\n| v/FileZilla ftpd/$1/ # Netgear RP114 match ftp m|^220 ([-\w]+)? FTP version 1\.0 ready at | v/Netgear broadband router ftpd/1.0// match ftp m|^220 [-.\w]+ FTP server \(GNU inetutils (\d[-.\w ]+)\) ready\.\r\n| v/GNU Inetutils FTPd/$1// -match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| v/glFtpD/$1/platform: $2/ +match ftp m|^220 .* \(glftpd (\d[-.0-9a-zA-Z]+)_(\w+)(\+TLS)?\) ready\.\r\n| v/glFtpD/$1/$2/ match ftp m|^220 [-.\w]+ FTP server \(FirstClass v(\d[-.\w]+)\) ready\.\r\n| v/FirstClass FTP server/$1// match ftp m|^220 [-.\w]+ FTP server \(Compaq Tru64 UNIX Version (\d[-.\w]+)\) ready\.\r\n| v/Compaq Tru64 ftp server/$1// match ftp m|^220 AXIS ([-.\w]+) FTP Network Print Server V(\d[-.\w]+) [A-Z][a-z]| v/Axis network print server ftpd/$2/Model $1/ 
@@ -1139,7 +1139,7 @@ match http m|^HTTP/1\.0 200 OK\r\nServer: SimpleServer:WWW/(\d[-.\w]+)\r\n| v/An # Xitami v2.4d9 Windows match http m|^HTTP/1\.0 \d\d\d .*\r\nContent-Length: \d+\r\nX-Powered-By: ([-/.\w ]+)\r\nContent-Type: .*\r\nServer: Xitami\r\n| v/Xitami httpd//$1/ match http m|^HTTP/1\.1 200 OK\r\nDate: .*\r\nServer: CANON HTTP Server Ver(\d[-.\w ]+)\r\n| v/Canon printer web interface/$1// -match http m|^HTTP/1\.1 500 Server Error\r\nConnection: close\r\nContent-Length: \d+\r\nDate: .*\r\nServer: Radio UserLand/(\d[.\w ]+)-([-.\w ]+)\r\n\r\n| v/Radio Userland blog server/$1/platform: $2/ +match http m|^HTTP/1\.1 500 Server Error\r\nConnection: close\r\nContent-Length: \d+\r\nDate: .*\r\nServer: Radio UserLand/(\d[.\w ]+)-([-.\w ]+)\r\n\r\n| v/Radio Userland blog server/$1/$2/ match http m|^HTTP/1\.1 302 Moved Temporarily\r\nPragma: no-cache\r\nLocation: /servlet/nodeinfo/\r\nExpires: .*\r\nCache-Control: post-check=0, pre-check=0\r\nConnection: close\r\nContent-type: \r\nServer: Fred (\d[-.\w]+) \(build (\d+)\) HTTP Servlets\r\n\r\n| v/Freenet Fred anonymous P2P/$1 build $2// match http m|^HTTP/1\.0 200 Ok\r\nServer: diva_httpd\r\n| v/Eicon Diva ISDN card configuration server/// match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: Resin/(\d[-.\w]+)\r\n| v/Caucho Resin JSP engine/$1// 
@@ -1178,10 +1178,10 @@ match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Oracle XML DB/(Oracle[\w]+ Enterpri match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nServer: Oracle9iAS \((\d[-.\w]+)\) Containers for J2EE\r\n| v/Oracle 9iAS J2EE webserver/$1// match http m|^HTTP/1\.1 \d\d\d .*\r\nDate: .*\r\nAllow: .*\r\nServer: Oracle9iAS-Web-Cache/(\d[-.\w]+)\r\n| v/Oracle 9iAS Web Cache/$1// # ntop 2.1.56 -match http m|^HTTP/1\.0 \d\d\d .*\nServer: ntop/(\d[-.\w]+) \(([-.\w]+)\)\n|s v/Ntop web interface/$1/platform: $2/ +match http m|^HTTP/1\.0 \d\d\d .*\nServer: ntop/(\d[-.\w]+) \(([-.\w]+)\)\n|s v/Ntop web interface/$1/$2/ match http m|^HTTP/1\.0 \d\d\d .*\nServer: ntop/(\d[-.\w]+) \([^\)\r]+\)\r\n|s v/Ntop web interface/$1// # Ntop 2.1.3 -match http m|HTTP/1\.0 \d\d\d .*\nDate: .*\nCache-Control: .*\nConnection: .*\nServer: ntop/(\d[-.\w]+) ([-.\w ]+) \(([-.\w]+)\)\n| v/Ntop web interface/$1/$2; platform: $3/ +match http m|HTTP/1\.0 \d\d\d .*\nDate: .*\nCache-Control: .*\nConnection: .*\nServer: ntop/(\d[-.\w]+) ([-.\w ]+) \(([-.\w]+)\)\n| v/Ntop web interface/$1/$2; $3/ match http m|^HTTP/1\.1 \d\d\d .*\r\nServer: Apt-proxy (\d[-.\w]+)\r\n|s v/Debian Apt-proxy/$1// match http m|^HTTP/1\.0 404 NON-EXISTENT BACKEND\r\n\r\n$| v/Debian Apt-proxy//Broken: no backend/ match http m|^HTTP/1\.0 \d\d\d .*\r\nServer: mini_httpd/(\d[-.\w]+) | v/Mini_httpd/$1// 
@@ -1423,8 +1423,8 @@ match postgresql m|^EFATAL: invalid length of startup packet\n\0$| v/PostgreSQL match rendezvous m|^HTTP/1\.1 400 Bad Request\r\nDate: .*\r\nDAAP-Server: iTunes/(\d[-.\w]+) \((.*)\)\r\n| v/Apple iTunes/$1/on $2/ match rtsp m|^RTSP/1.0 400 Bad Request\r\nServer: DSS/([-.\w]+) \[(v\d+)]-(\w+)\r\n| v/DarwinStreamingServer/$1/$2 on $3/ -match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[\d.]+ \[v\d+\]-Win32)\r\nCseq: \r\n| v/Apple QuickTime Streaming Server/$1// -match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[-.\w]+) \(Build/([\d.]+); Platform/([-.\w]+)\)\r\nCseq: \r\nConnection: Close\r\n\r\n$| v/Apple QuickTime Streaming Server/$1 build $2/Platform: $3/ +match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[\d.]+ \[v\d+\]-Win32)\r\nCseq: \r\n| v/Apple QuickTime Streaming Server/$1/Win32/ +match rtsp m|^RTSP/1\.0 400 Bad Request\r\nServer: QTSS/(\d[-.\w]+) \(Build/([\d.]+); Platform/([-.\w]+)\)\r\nCseq: \r\nConnection: Close\r\n\r\n$| v/Apple QuickTime Streaming Server/$1 build $2/$3/ match rtsp m|^RTSP/1\.0 505 Protocol Version Not Supported\r\nDate: .*\r\nServer: WMServer/(\d[-.\w]+)\r\n\r\n$| v/Microsoft Windows Media Server/$1// match slimp3 m|^GET %2f HTTP%2f1\.0\n$| v|SliMP3 MP3 player||http://www.slimdevices.com| 
@@ -1517,9 +1517,9 @@ match kmldonkey m|^HTTP/1\.1 400 Bad Request\r\nServer: KMLDonkey/(\d\S+)| v/KML ##############################NEXT PROBE############################## Probe TCP RTSPRequest q|OPTIONS / RTSP/1.0\r\n\r\n| -match rtsp m|^RTSP/1\.0 200 OK\r\nCSeq: 0\r\nDate: .*\r\nServer: RealServer Version (\d[-.\w]+) \(win32\)\r\n| v/Realserver RTSP/$1/win32/ -match rtsp m|^RTSP/1\.0 200 OK\r\n.*Server: RealMedia EncoderServer Version (\d[-.\w]+) \(win32\)\r\n|s v/RealMedia EncoderServer/$1/win32/ -match rtsp m|^RTSP/1\.0 200 OK\r\n.*Server: RealServer Version (\d[-.\w]+) \(([-.+\w]+)\)\r\n|s v/RealOne Server/$1/platform: $2/ +match rtsp m|^RTSP/1\.0 200 OK\r\nCSeq: 0\r\nDate: .*\r\nServer: RealServer Version (\d[-.\w]+) \(win32\)\r\n| v/Realserver RTSP/$1/Win32/ +match rtsp m|^RTSP/1\.0 200 OK\r\n.*Server: RealMedia EncoderServer Version (\d[-.\w]+) \(win32\)\r\n|s v/RealMedia EncoderServer/$1/Win32/ +match rtsp m|^RTSP/1\.0 200 OK\r\n.*Server: RealServer Version (\d[-.\w]+) \(([-.+\w]+)\)\r\n|s v/RealOne Server/$1/$2/ # APC PowerChute Business Edition Agent 6.1.0.0 on Windows 2000 Server match powerchute m|^RTSP/1\.0 400 Bad request\r\nContent-type: text/html\r\n\r\n| v/APC PowerChute Agent/// match msdtc m|^ERROR\n$|s v/Microsoft Distributed Transaction Coordinator//error/ diff --git a/nmap.cc b/nmap.cc index ede34710a..581675456 100644 --- a/nmap.cc +++ b/nmap.cc @@ -285,6 +285,7 @@ int nmap_main(int argc, char *argv[]) { {"append_output", no_argument, 0, 0}, {"noninteractive", no_argument, 0, 0}, {"ttl", required_argument, 0, 0}, /* Time to live */ + {"allports", no_argument, 0, 0}, #ifdef WIN32 {"win_list_interfaces", no_argument, 0, 0}, {"win_norawsock", no_argument, 0, 0}, 
@@ -404,6 +405,8 @@ int nmap_main(int argc, char *argv[]) { o.append_output = 1; } else if (strcmp(long_options[option_index].name, "noninteractive") == 0) { /* Do nothing */ + } else if (strcmp(long_options[option_index].name, "allports") == 0) { + o.override_excludeports = 1; } else if (strcmp(long_options[option_index].name, "scan_delay") == 0) { o.scan_delay = atoi(optarg); if (o.scan_delay <= 0) { diff --git a/nmap.h b/nmap.h index 0faff06ab..e78e65443 100644 --- a/nmap.h +++ b/nmap.h @@ -304,10 +304,6 @@ void *realloc(); #define MAX_DECOYS 128 /* How many decoys are allowed? */ -#ifndef MAX_RTT_TIMEOUT -#define MAX_RTT_TIMEOUT 10000 /* Never allow more than 10 secs for packet round - trip */ -#endif /* Default maximum send delay between probes to the same host */ #ifndef MAX_TCP_SCAN_DELAY @@ -326,6 +322,11 @@ void *realloc(); #define MIN_RTT_TIMEOUT 100 #endif +#ifndef MAX_RTT_TIMEOUT +#define MAX_RTT_TIMEOUT 10000 /* Never allow more than 10 secs for packet round + trip */ +#endif + #define INITIAL_RTT_TIMEOUT 1000 /* Allow 1 second initially for packet responses */ #define HOST_TIMEOUT 0 /* By default allow unlimited time to scan each host */ diff --git a/portlist.cc b/portlist.cc index 24dce64e5..f832b0487 100644 --- a/portlist.cc +++ b/portlist.cc 
@@ -216,6 +216,16 @@ int Port::getServiceDeductions(struct serviceDeductions *sd) { sd->extrainfo = serviceprobe_extrainfo; populateFullVersionString(sd); return 0; + } else if (serviceprobe_results == PROBESTATE_EXCLUDED) { + service = nmap_getservbyport(htons(portno), (proto == IPPROTO_TCP)? "tcp" : "udp"); + + if (service) sd->name = service->s_name; + + sd->name_confidence = 2; // Since we didn't even check it, we aren't very confident + sd->dtype = SERVICE_DETECTION_TABLE; + sd->product = serviceprobe_product; // Should have a string that says port was excluded + populateFullVersionString(sd); + return 0; } else if (serviceprobe_results == PROBESTATE_FINISHED_TCPWRAPPED) { sd->dtype = SERVICE_DETECTION_PROBED; sd->name = "tcpwrapped"; diff --git a/portlist.h b/portlist.h index a03754f50..8eb5afe5c 100644 --- a/portlist.h +++ b/portlist.h @@ -130,6 +130,7 @@ enum serviceprobestate { PROBESTATE_FINISHED_SOFTMATCHED, // Well, a soft match anyway PROBESTATE_FINISHED_NOMATCH, // D'oh! Failed to find the service. PROBESTATE_FINISHED_TCPWRAPPED, // We think the port is blocked via tcpwrappers + PROBESTATE_EXCLUDED, // The port has been excluded from the scan PROBESTATE_INCOMPLETE // failed to complete (error, host timeout, etc.) }; diff --git a/service_scan.cc b/service_scan.cc index 4e3c9d41a..74d2cdb3b 100644 --- a/service_scan.cc +++ b/service_scan.cc 
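Review bot: The comment `// Should have a string that says port was excluded` on the new PROBESTATE_EXCLUDED branch records a hope rather than the contract; the only caller that sets this state (remove_excluded_ports in service_scan.cc) passes "Excluded from version scan" as the product, so say so: `// product carries the "Excluded from version scan" text set by remove_excluded_ports`. When nmap_getservbyport returns NULL the branch still reports SERVICE_DETECTION_TABLE with confidence 2 and leaves sd->name untouched; whether sd->name is reset earlier in getServiceDeductions is outside the hunk, so confirm it cannot be stale. The `service` local is not declared in the hunk and is presumably declared at the top of the function, which starts before it.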
@@ -998,10 +998,18 @@ void parse_nmap_service_probe_file(AllProbes *AP, char *filename) { if (*line == '\n' || *line == '#') continue; + if (strncmp(line, "Exclude ", 8) == 0) { + if (AP->excludedports != NULL) + fatal("Only 1 Exclude directive is allowed in the nmap-service-probes file"); + + AP->excludedports = getpts(line+8); + continue; + } + anotherprobe: if (strncmp(line, "Probe ", 6) != 0) - fatal("Parse error on line %d of nmap-service-probes file: %s -- line was expected to begin with \"Probe \"", lineno, filename); + fatal("Parse error on line %d of nmap-service-probes file: %s -- line was expected to begin with \"Probe \" or \"Exclude \"", lineno, filename); newProbe = new ServiceProbe(); newProbe->setProbeDetails(line + 6, lineno); @@ -1031,6 +1039,8 @@ void parse_nmap_service_probe_file(AllProbes *AP, char *filename) { newProbe->totalwaitms = waitms; } else if (strncmp(line, "match ", 6) == 0 || strncmp(line, "softmatch ", 10) == 0) { newProbe->addMatch(line, lineno); + } else if (strncmp(line, "Exclude ", 8) == 0) { + fatal("The Exclude directive must precede all Probes in nmap-service-probes"); } else fatal("Parse error on line %d of nmap-service-probes file: %s -- unknown directive", lineno, filename); } } @@ -1082,6 +1092,7 @@ const struct MatchDetails *ServiceProbe::testMatch(const u8 *buf, int buflen) { AllProbes::AllProbes() { nullProbe = NULL; + excludedports = NULL; } AllProbes::~AllProbes() { 
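Review bot: The two new fatal() calls for a duplicate Exclude and for an Exclude after a Probe (the latter in the @@ -1031 hunk of this file) omit the line number and filename that every other parse error in parse_nmap_service_probe_file reports, so a user with a locally edited probes file gets no location to fix. Suggest `fatal("Only 1 Exclude directive is allowed in the nmap-service-probes file (line %d of %s)", lineno, filename);` and the same suffix on the second message. `getpts(line+8)` receives the remainder of the line, apparently including its trailing newline; worth confirming getpts tolerates that, because a rejected spec here aborts every scan at startup.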
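Review bot: AllProbes::AllProbes now initialises excludedports to NULL, but the destructor that follows (its body lies outside the hunk) shows no matching release of the scan_lists that getpts returns; if getpts heap-allocates the struct and its port arrays, that memory is leaked per AllProbes instance. Either free it in ~AllProbes or document on the member that it is deliberately kept for the life of the process.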
@@ -1109,6 +1120,36 @@ ServiceProbe *AllProbes::getProbeByName(const char *name, int proto) { return NULL; } + + +// Returns nonzero if port was specified in the excludeports +// directive in nmap-service-probes. Zero otherwise. +// Proto should be IPPROTO_TCP for TCP and IPPROTO_UDP for UDP +// Note that although getpts() can set protocols (for protocol +// scanning), this is ignored here because you can't version +// scan protocols. +int AllProbes::isExcluded(unsigned short port, int proto) { + unsigned short *p=NULL; + int count=-1; + + if (proto == IPPROTO_TCP) { + p = excludedports->tcp_ports; + count = excludedports->tcp_count; + } else if (proto == IPPROTO_UDP) { + p = excludedports->udp_ports; + count = excludedports->udp_count; + } else { + fatal("Bad proto number (%d) specified in AllProbes::isExcluded", proto); + } + + for (;count >= 0;count--) + if (p[count] == port) return 1; + + return 0; +} + + + ServiceNFO::ServiceNFO(AllProbes *newAP) { target = NULL; probe_matched = NULL; 
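Review bot: The scan loop in isExcluded starts at `count` and reads `p[count]` before decrementing, so if tcp_count/udp_count hold the number of entries (as the names suggest) the first comparison reads one element past the array. excludedports is also dereferenced without a NULL check, although the constructor hunk initialises it to NULL and the parser only sets it when an `Exclude` line exists, so a probes file without one crashes as soon as remove_excluded_ports (the @@ -2085 hunk) calls this. Add `if (excludedports == NULL) return 0;` before the proto test and rewrite the scan as `for (int i = 0; i < count; i++) if (p[i] == port) return 1;`. The header comment calls the directive "excludeports" while the parser matches `Exclude `; aligning the wording helps anyone grepping for it.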
@@ -2061,6 +2102,35 @@ static void startTimeOutClocks(ServiceGroup *SG) { } } + + +// We iterate through SG->services_remaining and remove any with port/protocol +// pairs that are excluded. We use AP->isExcluded() to determine which ports +// are excluded. +void remove_excluded_ports(AllProbes *AP, ServiceGroup *SG) { + list::iterator i, nxt; + ServiceNFO *svc; + + for(i = SG->services_remaining.begin(); i != SG->services_remaining.end(); i=nxt) { + nxt = i; + nxt++; + + svc = *i; + if (AP->isExcluded(svc->portno, svc->proto)) { + + if (o.debugging) printf("EXCLUDING %d/%s\n", svc->portno, svc->proto==IPPROTO_TCP ? "tcp" : "udp"); + + svc->port->setServiceProbeResults(PROBESTATE_EXCLUDED, NULL, SERVICE_TUNNEL_NONE, + "Excluded from version scan", NULL, NULL, NULL); + + SG->services_remaining.erase(i); + SG->services_finished.push_back(svc); + } + } + +} + + /* Execute a service fingerprinting scan against all open ports of the Targets specified. */ int service_scan(vector &Targets) { @@ -2085,6 +2155,13 @@ int service_scan(vector &Targets) { // Now I convert the targets into a new ServiceGroup SG = new ServiceGroup(Targets, AP); + + if (o.override_excludeports) { + if (o.debugging || o.verbose) printf("Overriding exclude ports option! Some undesirable ports may be version scanned!\n"); + } else { + remove_excluded_ports(AP, SG); + } + startTimeOutClocks(SG); if (SG->services_remaining.size() == 0) { @@ -2120,7 +2197,7 @@ int service_scan(vector &Targets) { launchSomeServiceProbes(nsp, SG); - // How long do we have befor timing out? + // How long do we have before timing out? gettimeofday(&now, NULL); timeout = -1; diff --git a/service_scan.h b/service_scan.h index 9a7e9c1c5..3b764955f 100644 --- a/service_scan.h +++ b/service_scan.h 
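Review bot: remove_excluded_ports has external linkage but no prototype in service_scan.h (the @@ -303 hunk there adds only isExcluded and the member), so it should be `static void remove_excluded_ports(AllProbes *AP, ServiceGroup *SG)` like the neighbouring startTimeOutClocks. The EXCLUDING diagnostic goes to printf rather than the log_write routine Nmap uses for scan output, so it will not reach -oN/-oX files; I cannot see the file's other diagnostics from here, so confirm which convention the rest of service_scan.cc follows. The saved-next iterator pattern is correct for std::list, but `i = SG->services_remaining.erase(i);` with `++i` in an else branch would make the nxt variable unnecessary.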
@@ -303,6 +303,9 @@ public: ServiceProbe *getProbeByName(const char *name, int proto); vector probes; // All the probes except nullProbe ServiceProbe *nullProbe; // No probe text - just waiting for banner + + int isExcluded(unsigned short port, int proto); + struct scan_lists *excludedports; }; /********************** PROTOTYPES ***********************************/
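Review bot: The new public member `struct scan_lists *excludedports;` carries no comment on ownership or on when it is NULL, unlike the neighbouring members. Suggest `struct scan_lists *excludedports; // Ports named by the "Exclude" directive (set by parse_nmap_service_probe_file); NULL when the file has none` and `int isExcluded(unsigned short port, int proto); // nonzero if port/proto is listed in excludedports`. Spelling out the NULL case matters because isExcluded, as added in service_scan.cc, dereferences the pointer unconditionally.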