3.84ALPHA1 release imminant

CHANGELOG

@@ -1,10 +1,6 @@
 # Nmap Changelog ($Id$)
 
-Nmap 3.83DC13
-
-o Removed WinIP library (and all Windows raw sockets code) since MS
-  has gone and broken raw sockets.  Maybe packet receipt via raw
-  sockets will come back at some point.
+Nmap 3.84ALPHA1
 
 o Added the ability for Nmap to send and properly route raw ethernet
   packets cointaining IP datagrams rather than always sending the
@@ -85,11 +81,15 @@ o Added "Exclude" directive to nmap-service-probes grammar which
   probes, etc.  If you really want to scan all ports, specify
   --allports.  This patch came from Doug Hoyte (doug(a)hcsw.org).
 
-o Added a stripped-down version of Dug Song's excellent libdnet
-  networking library (v. 1.10).  This helps with the new raw ethernet
-  features.  I made various changes, which are described in
+o Added a stripped-down and heavily modified version of Dug Song's
+  libdnet networking library (v. 1.10).  This helps with the new raw
+  ethernet features.  My changes are described in
   libdnet-stripped/NMAP_MODIFICATIONS
 
+o Removed WinIP library (and all Windows raw sockets code) since MS
+  has gone and broken raw sockets.  Maybe packet receipt via raw
+  sockets will come back at some point.
+
 o Chagned the interesting ports array from a 65K-member array of
   pointers into an STL list.  This noticeable reduces memory usage in
   some cases, and should also give a slight runtime performance
@@ -115,6 +115,15 @@ o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
 o Added some new RPC services to nmap-rpc thanks to a patch from
   vlad902 (vlad902(a)gmail.com).
 
+o Fixed a bug where Nmap would quit on Windows whenever it encountered
+  a raw scan of localhost (including the local ethernet interface
+  address), even when that was just one address out of a whole network
+  being scanned.  Now Nmap just warns that it is skipping raw scans when
+  it encounters the local IP, but continues on to scan the rest of the
+  network.  Raw scans do not currently work against local IP addresses
+  because Winpcap doesn't support reading/writing localhost interfaces
+  due to limitations of Windows.
+
 o The OS fingerprint is now provided in XML output if debugging is
   enabled (-d) or verbosity is at least 2 (-v -v).  This patch was
   sent by Okan Demirmen (okan(a)demirmen.com)

Makefile.in

@@ -1,4 +1,4 @@
-export NMAP_VERSION = 3.83.DC17
+export NMAP_VERSION = 3.84ALPHA1
 NMAP_NAME= nmap
 NMAP_URL= http://www.insecure.org/nmap/
 NMAP_PLATFORM=@host@

NmapOps.cc

@@ -101,7 +101,9 @@
 #include "nmap.h"
 #include "nbase.h"
 #include "NmapOps.h"
+#ifdef WIN32
 #include "winfix.h"
+#endif
 
 NmapOps o;
 
@@ -268,7 +270,11 @@ bool NmapOps::RawScan() {
 
 
 void NmapOps::ValidateOptions() {
-
+#ifdef WIN32
+	const char *privreq = "that WinPcap version 3.1 or higher and iphlpapi.dll be installed. You seem to be missing one or both of these.  Winpcap is available from http://www.winpcap.org.  iphlpapi.dll comes with Win98 and later operating sytems and NT 4.0 with SP4 or greater.  For previous windows versions, you may be able to take iphlpapi.dll from anotyer system and place it in your system32 dir (e.g. c:\\windows\\system32)";
+#else
+	const char *privreq = "root privileges";
+#endif
   if (pingtype == PINGTYPE_UNKNOWN) {
     if (isr00t && af() == AF_INET) pingtype = DEFAULT_PING_TYPES;
     else pingtype = PINGTYPE_TCP; // if nonr00t or IPv6
@@ -353,35 +359,19 @@ void NmapOps::ValidateOptions() {
 #endif
     
     if (ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|synscan|udpscan|windowscan|xmasscan) {
-#ifndef WIN32
-      fatal("You requested a scan type which requires r00t privileges, and you do not have them.\n");
-#else
-      win_barf(0);
-#endif
+      fatal("You requested a scan type which requires %s.  Sorry dude.\n", privreq);
     }
     
     if (numdecoys > 0) {
-#ifndef WIN32
-      fatal("Sorry, but you've got to be r00t to use decoys, boy!");
-#else
-      win_barf(0);
-#endif
+      fatal("Sorry, but decoys (-D) require %s.\n", privreq);
     }
     
     if (fragscan) {
-#ifndef WIN32
-      fatal("Sorry, but fragscan requires r00t privileges\n");
-#else
-      win_barf(0);
-#endif
+      fatal("Sorry, but fragscan requires %s\n", privreq);
     }
     
     if (osscan) {
-#ifndef WIN32
-      fatal("TCP/IP fingerprinting (for OS scan) requires root privileges which you do not appear to possess.  Sorry, dude.\n");
-#else
-      win_barf(0);
-#endif
+      fatal("TCP/IP fingerprinting (for OS scan) requires %s.  Sorry, dude.\n", privreq);
     }
   }
   

configure.ac

@@ -761,4 +761,4 @@ AC_OUTPUT(Makefile)
 if test -f docs/leet-nmap-ascii-art.txt; then
 	cat docs/leet-nmap-ascii-art.txt
 fi
-echo "Configuration complete.  Type make to compile."
+echo "Configuration complete.  Type make (or gmake on some *BSD machines) to compile."

docs/nmap.usage.txt

@@ -1,4 +1,4 @@
-Nmap 3.83.DC16 Usage: nmap [Scan Type(s)] [Options] <host or net list>
+Nmap 3.84ALPHA1 Usage: nmap [Scan Type(s)] [Options] <host or net list>
 Some Common Scan Types ('*' options require root privileges)
 * -sS TCP SYN stealth port scan (default if privileged (root))
   -sT TCP connect() port scan (default for unprivileged users)

idle_scan.cc

@@ -962,6 +962,11 @@ void idle_scan(Target *target, u16 *portarray, int numports,
   if (target->timedOut(NULL))
     return;
 
+  if (target->ifType() == devt_loopback) {
+    log_write(LOG_STDOUT, "Skipping Idle Scan against %s -- you can't idle scan your own machine (localhost).\n", target->NameIP());
+    return;
+  }
+
   target->startTimeOutClock(NULL);
 
   /* If this is the first call,  */

libdnet-stripped/NMAP_MODIFICATIONS

@@ -31,9 +31,15 @@ o A number of portability changes to remove errors/warnings during
 o Added libdnet-stripped.vcproj -- A Visual Studio.Net project file
   for dnet.
 
-o Changed eth_open() in eth-win32.c to more frequently consider the
-results of PacketGetAdapterNames() to be in single-char format rather
-than 2-byte wide characters.
+o Rewrote eth_open() for Win32 as its technique for translating from
+  a dnet-named interface to a pcap-named one did not work on any of my
+  systems.
+
+o Added intf_get_pcap_devname() function for Win32.  This tries to
+  convert a dnet if name into its pcap equivalent.  It is a hack, but
+  arguably better than the hacks that were there before.  The main
+  down side is that it won't work with interfaces that don't have an
+  IPv4 address configured.
 
 o Made some code changes to intf.c (the patch below).  This does the following:
 

libdnet-stripped/libdnet-stripped.vcproj

@@ -60,7 +60,7 @@
 			CharacterSet="2">
 			<Tool
 				Name="VCCLCompilerTool"
-				AdditionalIncludeDirectories="include"
+				AdditionalIncludeDirectories="include;&quot;..\mswin32\pcap-include&quot;"
 				PreprocessorDefinitions="WIN32;NDEBUG;_LIB"
 				RuntimeLibrary="4"
 				UsePrecompiledHeader="0"

mswin32/nmap.vcproj

@@ -103,7 +103,7 @@
 				Name="VCCustomBuildTool"/>
 			<Tool
 				Name="VCLinkerTool"
-				AdditionalDependencies="ws2_32.lib IPHlpAPI.Lib wpcap.lib packet.lib nsock.lib libpcre.lib nbase.lib libdnet-stripped.lib $(NOINHERIT)"
+				AdditionalDependencies="nsock.lib libpcre.lib nbase.lib libdnet-stripped.lib ws2_32.lib IPHlpAPI.Lib wpcap.lib packet.lib $(NOINHERIT)"
 				OutputFile=".\Release/nmap.exe"
 				LinkIncremental="1"
 				SuppressStartupBanner="TRUE"

mswin32/winclude.h

@@ -74,24 +74,6 @@
 #include <netinet/tcp.h>  
 #include <netinet/udp.h>  
 
-//#include <packet_types.h>
-#include "winip\winip.h"
-
-/* This is kind of ugly ... and worse is that windows includes suply an errno that doesn't work as in UNIX, so if a file
-	forgets to include this, it may use errno and get bogus results on Windows [shrug].  A better appraoch is probably
-	the nsock_errno() I use in nsock. */
-// #undef errno
-// #define errno WSAGetLastError()
-
-/* Disables VC++ warning:
-  "integral size mismatch in argument; conversion supplied".  Perhaps
-  I should try to fix this with casts at some point */
-// #pragma warning(disable: 4761)
-
-/* #define signal(x,y) ((void)0)	// ignore for now
-                                // later release may set console handlers
-*/
-
 /* non-functioning stub function */
 int fork();
 

mswin32/winfix.cc

@@ -132,17 +132,6 @@ int pcap_avail = 0;
 static void win_cleanup(void);
 static char pcaplist[4096];
 
-void win_barf(const char *msg)
-{
-  if(msg) printf("%s\n\n", msg);
-  printf("\nYour system doesn't have iphlpapi.dll\n\nIf you have Win95, "
-  "maybe you could grab it from a Win98 system\n"
-  "If you have NT4, you need service pack 4 or higher\n"
-  "If you have NT3.51, try grabbing it from an NT4 system\n"
-  "Otherwise, your system has problems ;-)\n");
-  exit(0);
-}
-
 void win_init()
 {
 	//   variables

nmap.cc

@@ -107,7 +107,9 @@
 #include "timing.h"
 #include "NmapOps.h"
 #include "MACLookup.h"
+#ifdef WIN32
 #include "winfix.h"
+#endif
 
 using namespace std;
 
@@ -791,6 +793,12 @@ int nmap_main(int argc, char *argv[]) {
     fatal("You cannot use -F (fast scan) or -p (explicit port selection) with PING scan or LIST scan");
   }
 
+#ifdef WIN32
+  if (o.sendpref & PACKET_SEND_IP) {
+	  error("WARNING: raw IP (rather than raw ethernet) packet sending attempted on Windows. This probably won't work.  Consider --send_eth next time.\n");
+
+  }
+#endif
   if (spoofmac) {
     u8 mac_data[6];
     int pos = 0; /* Next index of mac_data to fill in */

nmap_winconfig.h

@@ -104,7 +104,7 @@
 #ifndef NMAP_WINCONFIG_H
 #define NMAP_WINCONFIG_H
 
-#define NMAP_VERSION "3.83.DC16"
+#define NMAP_VERSION "3.84ALPHA1"
 #define NMAP_NAME "nmap"
 #define NMAP_URL "http://www.insecure.org/nmap"
 #define NMAP_PLATFORM "i686-pc-windows-windows"

osscan.cc

@@ -159,7 +159,7 @@ int seq_response_num; /* response # for sequencing */
 double avg_ts_hz = 0.0; /* Avg. amount that timestamps incr. each second */
 struct link_header linkhdr;
 struct eth_nfo eth;
- struct eth_nfo *ethptr; // for passing to send_ functions 
+struct eth_nfo *ethptr; // for passing to send_ functions 
 
 if (target->timedOut(NULL))
   return NULL;
@@ -302,7 +302,7 @@ if (o.verbose && openport != (unsigned long) -1)
    /* Test 8 */
    if (!FPtests[8]) {
      if (o.scan_delay) enforce_scan_delay(NULL);
-     upi = send_closedudp_probe(rawsd, target->v4hostip(), o.magic_port, closedport);
+     upi = send_closedudp_probe(rawsd, ethptr, target->v4hostip(), o.magic_port, closedport);
    }
    gettimeofday(&t1, NULL);
    timeout = 0;
@@ -1170,6 +1170,13 @@ int bestaccidx;
  if (target->timedOut(NULL))
    return 1;
  
+#ifdef WIN32
+  if (target->ifType() == devt_loopback) {
+    log_write(LOG_STDOUT, "Skipping OS Scan against %s because it doesn't work against your own machine (localhsot)\n", target->NameIP());
+    return 1;
+  }
+#endif
+
  if (o.debugging > 2) {
    starttimems = o.TimeSinceStartMS();
    log_write(LOG_STDOUT|LOG_NORMAL|LOG_SKID, "Initiating OS Detection against %s at %.3fs\n", target->targetipstr(), starttimems / 1000.0);
@@ -1699,7 +1706,8 @@ return AVs;
 }
 
 
-struct udpprobeinfo *send_closedudp_probe(int sd, const struct in_addr *victim,
+struct udpprobeinfo *send_closedudp_probe(int sd, struct eth_nfo *eth,
+					  const struct in_addr *victim,
 					  u16 sport, u16 dport) {
 
 static struct udpprobeinfo upi;
@@ -1729,18 +1737,14 @@ memset(data, patternbyte, datalen);
 while(!id) id = get_random_uint();
 
 /* check that required fields are there and not too silly */
-if ( !victim || !sport || !dport || sd < 0) {
+if ( !victim || !sport || !dport || (!eth && sd < 0)) {
   fprintf(stderr, "send_closedudp_probe: One or more of your parameters suck!\n");
   return NULL;
 }
 
 if (!myttl)  myttl = (time(NULL) % 14) + 51;
-/* It was a tough decision whether to do this here for every packet
-   or let the calling function deal with it.  In the end I grudgingly decided
-   to do it here and potentially waste a couple microseconds... */
-sethdrinclude(sd); 
 
- for(decoy=0; decoy < o.numdecoys; decoy++) {
+for(decoy=0; decoy < o.numdecoys; decoy++) {
   source = &o.decoys[decoy];
 
   memset((char *) packet, 0, sizeof(struct ip) + sizeof(udphdr_bsd));
@@ -1756,12 +1760,12 @@ sethdrinclude(sd);
   pseudo->length = htons(sizeof(udphdr_bsd) + datalen);
   
   /* OK, now we should be able to compute a valid checksum */
-realcheck = in_cksum((unsigned short *)pseudo, 20 /* pseudo + UDP headers */ +
+  realcheck = in_cksum((unsigned short *)pseudo, 20 /* pseudo + UDP headers */ +
 		       datalen);
 #if STUPID_SOLARIS_CHECKSUM_BUG
   udp->uh_sum = sizeof(udphdr_bsd) + datalen;
 #else
-udp->uh_sum = realcheck;
+  udp->uh_sum = realcheck;
 #endif
 
   /* Goodbye, pseudo header! */
@@ -1799,12 +1803,12 @@ udp->uh_sum = realcheck;
     readudppacket(packet,1);
   }
   
-   if ((res = send_ip_packet(sd, NULL, packet, ntohs(ip->ip_len))) == -1)
+  if ((res = send_ip_packet(sd, eth, packet, ntohs(ip->ip_len))) == -1)
     {
       perror("send_ip_packet in send_closedupd_probe");
       return NULL;
     }
- }
+}
 
 return &upi;
 

osscan.h

@@ -123,10 +123,9 @@ int os_scan(Target *target);
 FingerPrint *get_fingerprint(Target *target, struct seq_info *si);
 struct AVal *fingerprint_iptcppacket(struct ip *ip, int mss, unsigned int syn);
 struct AVal *fingerprint_portunreach(struct ip *ip, struct udpprobeinfo *upi);
-struct udpprobeinfo *send_closedudp_probe(int rawsd, 
-					  const struct in_addr *dest,
+struct udpprobeinfo *send_closedudp_probe(int sd, struct eth_nfo *eth,
+					  const struct in_addr *victim,
 					  u16 sport, u16 dport);
-
 unsigned int get_gcd_n_ulong(int numvalues, unsigned int *values);
 unsigned int euclid_gcd(unsigned int a, unsigned int b);
 char *fp2ascii(FingerPrint *FP);

portlist.cc

@@ -609,56 +609,61 @@ Port *PortList::nextPort(Port *afterthisport,
 			 bool allow_portzero) {
   
   /* These two are chosen because they come right "before" port 1/tcp */
-  unsigned int current_proto = IPPROTO_TCP;
-  map<u16,Port*>::iterator iter = tcp_ports.begin();
+  map<u16,Port*>::iterator iter;
   
-if (afterthisport) {
-  current_proto = afterthisport->proto;
-  
-  // This will advacne to one after the current
-  while (iter != tcp_ports.end() && iter->second->portno <= afterthisport->portno) {
+  if (afterthisport) {
+    if (afterthisport->proto == IPPROTO_TCP) {
+      iter = tcp_ports.find(afterthisport->portno);
+      assert(iter != tcp_ports.end());
       iter++;
-  }
-} 
-
-/* if (afterthisport) 
-   printf("Next Port After %d, %d\n", afterthisport->portno, iter->second->portno); fflush(0);
-*/
-
- if (!allow_portzero && iter->second && iter->second->portno == 0) iter++;
- 
-
-/* First we look for TCP ports ... */
-if (current_proto == IPPROTO_TCP) {
-  if ((allowed_protocol == 0 || allowed_protocol == IPPROTO_TCP) && 
-      current_proto == IPPROTO_TCP)
-    while (iter != tcp_ports.end()) {
-      if (!allowed_state || iter->second->state == allowed_state) {
-	//printf("Returning %d\n", iter->second->portno);
+      while(iter != tcp_ports.end()) {
+	if (!allowed_state || iter->second->state == allowed_state)
 	  return iter->second;
-      }
 	iter++;
       }
+      /* No more TCP ports ... */
+      if (allowed_protocol != 0)
+	return NULL;
       
-  /*  Uh-oh.  We have tried all tcp ports, lets move to udp */
-  current_proto = IPPROTO_UDP;
       iter = udp_ports.begin();
-}
-
-if ((allowed_protocol == 0 || allowed_protocol == IPPROTO_UDP) && 
-    current_proto == IPPROTO_UDP) {
-  while (iter != udp_ports.end()) {
-    if (!allowed_state || iter->second->state == allowed_state) {
-      //printf("Returning %d\n", iter->second->portno);
-      return iter->second;
-    }
+    } else {
+      assert(afterthisport->proto == IPPROTO_UDP);
+      iter = udp_ports.find(afterthisport->portno);
+      assert(iter != udp_ports.end());
       iter++;
     }
+    while(iter != udp_ports.end()) {
+      if (!allowed_state || iter->second->state == allowed_state)
+	return iter->second;
+      iter++;
+    }
+    return NULL;
+  } 
+
+  // First-time call - try TCP ports first
+  if (allowed_protocol == 0 || allowed_protocol == IPPROTO_TCP) {
+    iter = tcp_ports.begin();
+    while (iter != tcp_ports.end()) {
+      if (!allowed_state || iter->second->state == allowed_state)
+	return iter->second;
+      iter++;
+    }
+  }
+  
+  // Maybe we'll have better luck with UDP
+  if (allowed_protocol == 0 || allowed_protocol == IPPROTO_UDP) {
+    iter = udp_ports.begin();
+    while (iter != udp_ports.end()) {
+      if (!allowed_state || iter->second->state == allowed_state)
+	return iter->second;
+      iter++;
+    }
+  }
+  
+  // Nuthing found
+  return NULL;
 }
 
-/*  No more ports */
-return NULL;
-}
 
 // Move some popular TCP ports to the beginning of the portlist, because
 // that can speed up certain scans.  You should have already done any port

scan_engine.cc

@@ -690,7 +690,7 @@ bool GroupScanStats::sendOK() {
      don't give us a proper pcap time.  Also for connect scans, since
      we don't get an exact response time with them either. */
   if (USI->scantype == CONNECT_SCAN || !pcap_recv_timeval_valid()) {
-    int to_ms = (int) MAX(to.srtt * .75 / 1000, 20);
+    int to_ms = (int) MAX(to.srtt * .75 / 1000, 50);
     if (TIMEVAL_MSEC_SUBTRACT(USI->now, last_wait) > to_ms)
       return false;
   }
@@ -2276,6 +2276,7 @@ static bool do_one_select_round(UltraScanInfo *USI, struct timeval *stime) {
   recvfrom6_t optlen = sizeof(int);
   char buf[128];
   int numGoodSD = 0;
+  int err = 0;
 #ifdef LINUX
   int res;
   struct sockaddr_storage sin,sout;
@@ -2294,15 +2295,17 @@ static bool do_one_select_round(UltraScanInfo *USI, struct timeval *stime) {
     timeout.tv_sec = timeleft / 1000;
     timeout.tv_usec = (timeleft % 1000) * 1000;
 
-    if (CSI->numSDs)
+	if (CSI->numSDs) {
       selectres = select(CSI->maxValidSD + 1, &fds_rtmp, &fds_wtmp, 
 			 &fds_xtmp, &timeout);
+	  err = socket_errno();
+	}
     else {
       /* Apparently Windows returns an WSAEINVAL if you select without watching any SDs.  Lame.  We'll usleep instead in that case */
       usleep(timeleft * 1000);
       selectres = 0;
     }
-  } while (selectres == -1 && socket_errno() == EINTR);
+  } while (selectres == -1 && err == EINTR);
 
   gettimeofday(&USI->now, NULL);
   
@@ -3139,10 +3142,18 @@ void ultra_scan(vector<Target *> &Targets, struct scan_lists *ports,
 		stype scantype) {
   UltraScanInfo *USI = NULL;
   time_t starttime;
+
   if (Targets.size() == 0) {
     return;
   }
 
+#ifdef WIN32
+  if (scantype != CONNECT_SCAN && Targets[0]->ifType() == devt_loopback) {
+    log_write(LOG_STDOUT, "Skipping %s against %s because Windows does not support scanning your own machine (localhost) this way.\n", scantype2str(scantype), Targets[0]->NameIP());
+    return;
+  }
+#endif
+
   startTimeOutClocks(Targets);
   USI = new UltraScanInfo(Targets, ports, scantype);
 

scripts/Makefile

@@ -79,7 +79,7 @@ distro:
 	$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/mswin32
 	cd ../mswin32; cp -ra *.[hHcC] *.cc ARPA NET NETINET RPC icon1.ico \
                     ifaddrlist.h lib libpcap-note.txt nmap.rc \
-                    nmap_performance.reg nmap.sln nmap.vcproj winip pcap-include \
+                    nmap_performance.reg nmap.sln nmap.vcproj pcap-include \
                     /usr/tmp/nmap-$(NMAP_VERSION)/mswin32
 
 	$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/$(LIBPCAPDIR)

targets.cc

@@ -423,7 +423,7 @@ if (hs->randomize) {
  /* TODO: Maybe I should allow real ping scan of directly connected
     ethernet hosts? */
  /* Then we do the mass ping (if required - IP-level pings) */
- if (*pingtype == PINGTYPE_NONE) {
+ if (*pingtype == PINGTYPE_NONE || hs->hostbatch[0]->ifType() == devt_loopback) {
    for(i=0; i < hs->current_batch_sz; i++)  {
      initialize_timeout_info(&hs->hostbatch[i]->to);
      hs->hostbatch[i]->flags |= HOST_UP; /*hostbatch[i].up = 1;*/
@@ -1073,7 +1073,7 @@ while(pt->block_unaccounted) {
 	        case ECONNREFUSED:
 	        case EAGAIN:
 #ifdef WIN32
-//		  case WSAENOTCONN:	//	needed?  this fails around here on my system
+			case WSAENOTCONN:
 #endif
 		  if (sock_err == EAGAIN && o.verbose) {
 		    log_write(LOG_STDOUT, "Machine %s MIGHT actually be listening on probe port %d\n", hostbatch[hostindex]->targetipstr(), o.ping_synprobes[p]);

tcpip.cc

@@ -138,8 +138,6 @@ extern void CloseLibs(void);
 #endif
 
 #ifdef WIN32
-#include "mswin32/winip/winip.h"
-
 #include "pcap-int.h"
 
 void nmapwin_init();