fixed (I hope) some problems with -S and -e; about to release informal 3.94ALPHA1

CHANGELOG

@@ -27,9 +27,20 @@ o Fixed a problem which caused UDP version scanning to fail to print
   (martin.macok(a)underground.cz) for reporting the problem and Doug
   Hoyte (doug(a)hcsw.org) for fixing it.
 
+o Added the --webxml option, which does the same thing as 
+  --stylesheet http://www.insecure.org/nmap/data/nmap.xsl , without
+  requiring you to remember the exact URL or type that whole thing.
+
 o Fixed a crash occured when the --exclude option was used with
   netmasks on certain platforms.  Thanks to Adam
-  (nmapuser(a)globalmegahost.com) for reporting the problem.
+  (nmapuser(a)globalmegahost.com) for reporting the problem and to
+  Greg Darke (starstuff(a)optusnet.com.au) for sending a patch (I
+  modified the patch a bit to make it more efficient).
+
+o Fixed (I hope) a problem with the -S and -e options (spoof/set
+  source address, and set interface by name, respectively).  The problem
+  report and a partial patch were sent by Richard Birkett
+  (richard(a)musicbox.net).
 
 o Version detection softmatches (when Nmap determines the service
   protocol such as smtp but isn't able to determine the app name such as

docs/nmap.1

@@ -2,7 +2,7 @@
 .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
 .\" Instead of manually editing it, you probably should edit the DocBook XML
 .\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NMAP" "1" "11/17/2005" "" "Nmap Reference Guide"
+.TH "NMAP" "1" "11/27/2005" "" "Nmap Reference Guide"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -994,7 +994,7 @@ and
 \fIXscan.xml\fR
 respectively.
 .PP
-Nmap also offers options to control scan verbosity and to append to output files rather than clobbering them. All of these options are described belowe.
+Nmap also offers options to control scan verbosity and to append to output files rather than clobbering them. All of these options are described below.
 .PP
 \fBNmap Output Formats\fR
 .TP
@@ -1018,12 +1018,14 @@ in Perl CPAN. In almost all cases that a non\-trivial application interfaces wit
 .sp
 The XML output references an XSL stylesheet which can be used to format the results as HTML. The easiest way to use this is simply to load the XML output in a web browser such as Firefox or IE. By default, this will only work on the machine you ran Nmap on (or a similarly configured one) due to the hard\-coded
 \fInmap.xsl\fR
-filesystem path. See the
+filesystem path. Use the
+\fB\-\-webxml\fR
+or
 \fB\-\-stylesheet\fR
-option for a way to create a portable XML file that renders as HTML on any web\-connected machine.
+options to create portable XML files that render as HTML on any web\-connected machine.
 .TP
 \fB\-oS <filespec>\fR (ScRipT KIdd|3 oUTpuT)
-Script kiddie output is like interactive output, except that it is post\-processed to better suit the 'l33t HaXXorZ who previously looked down on Nmap due to its consistent capitalization and spelling. Humor impaired people should note that this option is making fun of the script kiddies before flaming me for supposedly
+Script kiddie output is like interactive output, except that it is post\-processed to better suit the l33t HaXXorZ who previously looked down on Nmap due to its consistent capitalization and spelling. Humor impaired people should note that this option is making fun of the script kiddies before flaming me for supposedly
 \(lqhelping them\(rq.
 .TP
 \fB\-oG <filespec>\fR (Grepable output)
@@ -1119,10 +1121,15 @@ where it was initially installed by Nmap (or in the current working directory on
 \fInmap.xsl\fR
 from the filesystem and use it to render results. If you wish to use a different stylesheet, specify it as the argument to
 \fB\-\-stylesheet\fR. You must pass the full pathname or URL. One common invocation is
-\fB\-\-stylesheet http://www.insecure.org/nmap/data/nmap.xsl\fR
-. This tells a browser to load the latest version of the stylesheet from Insecure.Org. This makes it easier to view results on a machine that doesn't have Nmap (and thus
+\fB\-\-stylesheet http://www.insecure.org/nmap/data/nmap.xsl\fR. This tells a browser to load the latest version of the stylesheet from Insecure.Org. The
+\fB\-\-webxml\fR
+option does the same thing with less typing and memorization. Loading the XSL from Insecure.Org makes it easier to view results on a machine that doesn't have Nmap (and thus
 \fInmap.xsl\fR) installed. So the URL is often more useful, but the local filesystem location of nmap.xsl is used by default for privacy reasons.
 .TP
+\fB\-\-webxml\fR (Load stylesheet from Insecure.Org)
+This convenience option is simply an alias for
+\fB\-\-stylesheet http://www.insecure.org/nmap/data/nmap.xsl\fR.
+.TP
 \fB\-\-no_stylesheet\fR (Omit XSL stylesheet declaration from XML)
 Specify this option to prevent Nmap from associating any XSL stylesheet with its XML output. The
 xml\-stylesheet

docs/nmap.usage.txt

@@ -36,7 +36,7 @@ OS DETECTION:
   --osscan_limit: Limit OS detection to promising targets
   --osscan_guess: Guess OS more aggressively
 TIMING AND PERFORMANCE:
-  -T[0-6]: Set timing template (higher is faster)
+  -T[0-5]: Set timing template (higher is faster)
   --min_hostgroup/max_hostgroup <msec>: Parallel host scan group sizes
   --min_parallelism/max_parallelism <msec>: Probe parallelization
   --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout <msec>: Specifies
@@ -63,6 +63,7 @@ OUTPUT:
   --append_output: Append to rather than clobber specified output files
   --resume <filename>: Resume an aborted scan
   --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML
+  --webxml: Reference stylesheet from Insecure.Org for more portable XML
   --no_stylesheet: Prevent associating of XSL stylesheet w/XML output
 MISC:
   -6: Enable IPv6 scanning

nmap.cc

@@ -286,6 +286,7 @@ int nmap_main(int argc, char *argv[]) {
       {"send_ip", no_argument, 0, 0},
       {"stylesheet", required_argument, 0, 0},
       {"no_stylesheet", no_argument, 0, 0},
+      {"webxml", no_argument, 0, 0},
       {"rH", no_argument, 0, 0},
       {"vv", no_argument, 0, 0},
       {"ff", no_argument, 0, 0},
@@ -443,6 +444,8 @@ int nmap_main(int argc, char *argv[]) {
 	o.setXSLStyleSheet(optarg);
       } else if (strcmp(long_options[option_index].name, "no_stylesheet") == 0) {
 	o.setXSLStyleSheet(NULL);
+      } else if (strcmp(long_options[option_index].name, "webxml") == 0) {
+	o.setXSLStyleSheet("http://www.insecure.org/nmap/data/nmap.xsl");
       } else if (strcmp(long_options[option_index].name, "oN") == 0) {
 	normalfilename = optarg;
       } else if (strcmp(long_options[option_index].name, "oG") == 0 ||
@@ -1624,6 +1627,7 @@ printf("%s %s ( %s )\n"
        "  --append_output: Append to rather than clobber specified output files\n"
        "  --resume <filename>: Resume an aborted scan\n"
        "  --stylesheet <path/URL>: XSL stylesheet to transform XML output to HTML\n"
+       "  --webxml: Reference stylesheet from Insecure.Org for more portable XML\n"
        "  --no_stylesheet: Prevent associating of XSL stylesheet w/XML output\n"
        "MISC:\n"
        "  -6: Enable IPv6 scanning\n"

targets.cc

@@ -322,12 +322,6 @@ do {
       hs->hostbatch[hidx] = new Target();
       hs->hostbatch[hidx]->setTargetSockAddr(&ss, sslen);
 
-      /* Lets figure out what device this IP uses ... */
-      if (o.spoofsource) {
-	o.SourceSockAddr(&ss, &sslen);
-	hs->hostbatch[hidx]->setSourceSockAddr(&ss, sslen);
-	hs->hostbatch[hidx]->setDeviceNames(o.device, o.device);
-      } else {
       /* We figure out the source IP/device IFF
 	 1) We are r00t AND
 	 2) We are doing tcp or udp pingscan OR
@@ -362,7 +356,7 @@ do {
 	hs->hostbatch[hidx]->setDeviceNames(rnfo.ii.devname, rnfo.ii.devfullname);
 	//	  printf("Target %s %s directly connected, goes through local iface %s, which %s ethernet\n", hs->hostbatch[hidx]->NameIP(), hs->hostbatch[hidx]->directlyConnected()? "IS" : "IS NOT", hs->hostbatch[hidx]->deviceName(), (hs->hostbatch[hidx]->ifType() == devt_ethernet)? "IS" : "IS NOT");
       }
-      }
+      
 
       /* In some cases, we can only allow hosts that use the same
 	 device in a group.  Similarly, we don't mix

tcpip.cc

@@ -2328,6 +2328,47 @@ int sd;
   return mydevs;
 }
 
+/* Looks for an interface assigned to the given IP (ss), and returns
+   the interface_info for the first one found.  If non found, returns NULL */
+struct interface_info *getInterfaceByIP(struct sockaddr_storage *ss) {
+  struct sockaddr_in *sin = (struct sockaddr_in *) ss;
+  struct sockaddr_in *ifsin;
+  struct interface_info *ifaces;
+  int numifaces = 0;
+  int ifnum;
+
+  if (sin->sin_family != AF_INET)
+    fatal("%s called with non-IPv4 address", __FUNCTION__);
+
+  ifaces = getinterfaces(&numifaces);
+
+  for(ifnum=0; ifnum < numifaces; ifnum++) {
+    ifsin = (struct sockaddr_in *) &ifaces[ifnum].addr;
+    if (ifsin->sin_family != AF_INET) continue;
+    if (sin->sin_addr.s_addr == ifsin->sin_addr.s_addr)
+      return &ifaces[ifnum];
+  }
+  return NULL;
+}
+
+/* Looks for an interface with the given name (iname), and returns the
+   corresponding interface_info if found.  Will accept a match of
+   devname or devfullname.  Returns NULL if none found */
+struct interface_info *getInterfaceByName(char *iname) {
+  struct interface_info *ifaces;
+  int numifaces = 0;
+  int ifnum;
+
+  ifaces = getinterfaces(&numifaces);
+
+  for(ifnum=0; ifnum < numifaces; ifnum++) {
+    if (strcmp(ifaces[ifnum].devfullname, iname) == 0 ||
+	strcmp(ifaces[ifnum].devname, iname) == 0)
+      return &ifaces[ifnum];
+  }
+
+  return NULL;
+}
 
 
 /* A trivial function used with qsort to sort the routes by netmask */
@@ -2488,11 +2529,15 @@ struct sys_route *getsysroutes(int *howmany) {
    source address and interface necessary to route to this address.
    If no route is found, false is returned and rnfo is undefined.  If
    a route is found, true is returned and rnfo is filled in with all
-   of the routing details */
+   of the routing details.  This function takes into account -S and -e
+   options set by user (o.spoofsource, o.device) */
 bool route_dst(const struct sockaddr_storage *const dst, struct route_nfo *rnfo) {
   struct interface_info *ifaces;
+  struct interface_info *iface = NULL;
   int numifaces = 0;
   struct sys_route *routes;
+  struct sockaddr_storage spoofss;
+  size_t spoofsslen;
   int numroutes = 0;
   int ifnum;
   int i;
@@ -2504,6 +2549,41 @@ bool route_dst(const struct sockaddr_storage *const dst, struct route_nfo *rnfo)
   if (dstsin->sin_family != AF_INET)
     fatal("Sorry -- route_dst currently only supports IPv4");
 
+  /* First let us deal with the case where a user requested a specific spoofed IP/dev */
+  if (o.spoofsource || *o.device) {
+    if (o.spoofsource) {
+      o.SourceSockAddr(&spoofss, &spoofsslen);
+	if (!*o.device) {
+	  /* Look up the device corresponding to src IP, if any ... */
+	  iface = getInterfaceByIP(&spoofss);
+	}
+    }
+
+    if (*o.device) {
+      iface = getInterfaceByName(o.device);
+      if (!iface) 
+	fatal("Could not find interface %s which was specified by -e", o.device);
+    }
+
+    if (iface) {
+      /* Is it directly connected? */
+      mask = htonl((unsigned long) (0-1) << (32 - iface->netmask_bits));
+      ifsin = (struct sockaddr_in *) &(iface->addr);
+      if ((ifsin->sin_addr.s_addr & mask) == (dstsin->sin_addr.s_addr & mask))
+	rnfo->direct_connect = 1;
+      else rnfo->direct_connect = 0;
+      memcpy(&rnfo->ii, iface, sizeof(rnfo->ii));
+      if (o.spoofsource)
+	memcpy(&rnfo->srcaddr, &spoofss, sizeof(rnfo->srcaddr));
+      else
+	memcpy(&rnfo->srcaddr, &(iface->addr), sizeof(rnfo->srcaddr));
+      return true;
+    }
+    /* Control will get here if -S was specified to a non-interface
+       IP, but no interface was specified with -e.  We will try to
+       determine the proper interface in that case */
+  }
+
   ifaces = getinterfaces(&numifaces);
   /* I suppose that I'll first determine whether it is a direct connect instance */
   for(ifnum=0; ifnum < numifaces; ifnum++) {
@@ -2520,6 +2600,9 @@ bool route_dst(const struct sockaddr_storage *const dst, struct route_nfo *rnfo)
 	rnfo->direct_connect = true;
 	memcpy(&rnfo->ii, &ifaces[i], sizeof(rnfo->ii));
 	/* But the source address we want to use is the target addy */
+	if (o.spoofsource)
+	  memcpy(&rnfo->srcaddr, &spoofss, sizeof(rnfo->srcaddr));
+	else
 	  memcpy(&rnfo->srcaddr, &ifaces[ifnum].addr, sizeof(rnfo->srcaddr));
 	return true;
       }
@@ -2530,6 +2613,9 @@ bool route_dst(const struct sockaddr_storage *const dst, struct route_nfo *rnfo)
     if ((ifsin->sin_addr.s_addr & mask) == (dstsin->sin_addr.s_addr & mask)) {
       rnfo->direct_connect = 1;
       memcpy(&rnfo->ii, &ifaces[ifnum], sizeof(rnfo->ii));
+      if (o.spoofsource)
+	memcpy(&rnfo->srcaddr, &spoofss, sizeof(rnfo->srcaddr));
+      else
 	memcpy(&rnfo->srcaddr, &ifaces[ifnum].addr, sizeof(rnfo->srcaddr));
       return true;
     }
@@ -2545,6 +2631,9 @@ bool route_dst(const struct sockaddr_storage *const dst, struct route_nfo *rnfo)
 	(dstsin->sin_addr.s_addr & routes[i].netmask)) {
       /* Yay, found a matching route. */
       memcpy(&rnfo->ii, routes[i].device, sizeof(rnfo->ii));
+      if (o.spoofsource)
+	memcpy(&rnfo->srcaddr, &spoofss, sizeof(rnfo->srcaddr));
+      else
 	memcpy(&rnfo->srcaddr, &routes[i].device->addr, sizeof(rnfo->srcaddr));
       ifsin = (struct sockaddr_in *) &rnfo->nexthop;
       ifsin->sin_family = AF_INET;

tcpip.h

@@ -545,8 +545,10 @@ int resolve(char *hostname, struct in_addr *ip);
    source address and interface necessary to route to this address.
    If no route is found, false is returned and rnfo is undefined.  If
    a route is found, true is returned and rnfo is filled in with all
-   of the routing details */
+   of the routing details.  This function takes into account -S and -e
+   options set by user (o.spoofsource, o.device) */
 bool route_dst(const struct sockaddr_storage *const dst, struct route_nfo *rnfo);
+
 /* Determines what interface packets destined to 'dest' should be
    routed through.  It can also discover the appropriate next hop (if
    any) for ethernet routing.  If direct_connect is passed in, it will
@@ -667,8 +669,16 @@ int readudppacket(const u8 *packet, int readdata);
 int ipaddr2devname( char *dev, const struct in_addr *addr );
 /* And vice versa */
 int devname2ipaddr(char *dev, struct in_addr *addr);
-/* Where the above 2 functions get their info */
+/* Looks for an interface assigned to the given IP (ss), and returns
+   the interface_info for the first one found.  If non found, returns NULL */
+struct interface_info *getInterfaceByIP(struct sockaddr_storage *ss);
+/* Looks for an interface with the given name (iname), and returns the
+   corresponding interface_info if found.  Will accept a match of
+   devname or devfullname.  Returns NULL if none found */
+struct interface_info *getInterfaceByName(char *iname);
+/* Where the above 4 functions get their info */
 struct interface_info *getinterfaces(int *howmany);
+
 /* Parse the system routing table, converting each route into a
    sys_route entry.  Returns an array of sys_routes.  numroutes is set
    to the number of routes in the array.  The routing table is only