From d00a80d398050102cf2c7b309d27ae54fd986dbd Mon Sep 17 00:00:00 2001 From: nnposter Date: Mon, 27 Jun 2022 02:38:51 +0000 Subject: [PATCH] Implement Evil bit option in Nping. Fixes #2486 --- nping/ArgParser.cc | 11 +++++++++++ nping/NpingOps.cc | 21 +++++++++++++++++++++ nping/NpingOps.h | 6 ++++++ nping/ProbeMode.cc | 2 ++ nping/docs/nping-man.xml | 21 ++++++++++++++++++--- nping/docs/nping-usage.txt | 1 + 6 files changed, 59 insertions(+), 3 deletions(-) diff --git a/nping/ArgParser.cc b/nping/ArgParser.cc index 6365e93c3..00c60c5f6 100644 --- a/nping/ArgParser.cc +++ b/nping/ArgParser.cc @@ -101,6 +101,7 @@ int ArgParser::parseArguments(int argc, char *argv[]) { u8 *auxbuff=NULL; u16 *portlist=NULL; char errstr[256]; + char *script_kiddie; struct option long_options[] = { @@ -188,6 +189,7 @@ int ArgParser::parseArguments(int argc, char *argv[]) { {"id", required_argument, 0, 0}, {"df", no_argument, 0, 0}, {"mf", no_argument, 0, 0}, + {"evil", no_argument, 0, 0}, {"ttl", required_argument, 0, 0}, {"badsum-ip", no_argument, 0, 0}, {"ip-options", required_argument, 0, 0}, @@ -700,6 +702,9 @@ int ArgParser::parseArguments(int argc, char *argv[]) { /* More fragments bit */ } else if (strcmp(long_options[option_index].name, "mf") == 0 ){ o.setMF(); + /* Reserved / Evil bit */ + } else if (strcmp(long_options[option_index].name, "evil") == 0 ){ + o.setRF(); /* Time to live (hop-limit in IPv6) */ } else if (strcmp(long_options[option_index].name, "ttl") == 0 || strcmp(long_options[option_index].name, "hop-limit") == 0 ){ 
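Review bot: In the first nping/ArgParser.cc hunk (@@ -101), the new local `char *script_kiddie;` only ever receives the result of getenv(), which the program must not write through. Declaring it as `const char *script_kiddie;` states that and lets the compiler reject an accidental modification of the environment string. parseArguments() starts before this hunk and continues past it, so the only use I can see is the read in the @@ -1099 hunk.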
@@ -1099,6 +1104,11 @@ int ArgParser::parseArguments(int argc, char *argv[]) { } /* End of getopt while */ + /* Option --evil is implied when SCRIPT_KIDDIE has a non-zero value */ + script_kiddie = getenv("SCRIPT_KIDDIE"); + if (script_kiddie != NULL && strcmp(script_kiddie, "0") != 0) + o.setRF(); + /* Now it's time to parse target host specifications. As nmap does, Nping * treats everything getopt() can't parse as a host specification. At this * point, var optind should point to the argv[] position that contains the @@ -1185,6 +1195,7 @@ void ArgParser::printUsage(void){ " --id : Set identification field (16 bits).\n" " --df : Set Don't Fragment flag.\n" " --mf : Set More Fragments flag.\n" +" --evil : Set Reserved / Evil flag.\n" " --ttl : Set time to live [0-255].\n" " --badsum-ip : Use a random invalid checksum. \n" " --ip-options : Set IP options\n" diff --git a/nping/NpingOps.cc b/nping/NpingOps.cc index 1ad6c1cac..c8867db09 100644 --- a/nping/NpingOps.cc +++ b/nping/NpingOps.cc @@ -1179,6 +1179,20 @@ bool NpingOps::getDF(){ } /* End of getDF() */ +/** Set Reserved / Evil flag */ +int NpingOps::setRF(){ + this->rf = true; + this->rf_set = true; + return OP_SUCCESS; +} /* End of setRF() */ + + +/** Get Reserved / Evil flag */ +bool NpingOps::getRF(){ + return this->rf; +} /* End of getRF() */ + + /* Returns true if option has been set */ bool NpingOps::issetMF(){ return this->mf_set; @@ -1191,6 +1205,12 @@ bool NpingOps::issetDF(){ } /* End of isset() */ +/* Returns true if option has been set */ +bool NpingOps::issetRF(){ + return this->rf_set; +} /* End of isset() */ + + /** Sets Maximum Transmission Unit length. Supplied parameter must be a positive * integer and must be a multiple of 8. * @return OP_SUCCESS on success and OP_FAILURE in case of error. */ 
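Review bot: The SCRIPT_KIDDIE test in the @@ -1099 hunk of nping/ArgParser.cc treats every value except the exact string "0" as set, so an empty `SCRIPT_KIDDIE=` or `00` also turns the flag on, while the comment and the man page both say "non-zero value". Because the variable is inherited from the parent environment, it changes the packets on the wire with nothing on the command line to show for it. The `this->issetRF()` term added to canRunUDPWithoutPrivileges() suggests it also feeds the unprivileged-UDP decision, although that function's body is outside its hunk, so this is inferred. I would tighten the test to `if (script_kiddie != NULL && *script_kiddie != '\0' && strcmp(script_kiddie, "0") != 0)` and print a verbose-level message when the option is implied, so that someone reading a capture can trace the reserved bit back to the environment. parseArguments() starts and ends outside this hunk.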
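Review bot: The doc comment on NpingOps::setRF() in the @@ -1179 hunk of nping/NpingOps.cc, `/** Set Reserved / Evil flag */`, does not say which header field is touched or that the setter can only turn the flag on. I would expand it to something like `/** Sets the reserved bit of the IPv4 flags field (the "evil bit" of RFC 3514); this patch adds no way to clear it. @return OP_SUCCESS always. */`. The comment could also note that RFC 791 requires this bit to be zero, so filtering devices may drop or flag packets that carry it.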
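Review bot: The trailing comment on NpingOps::issetRF() in the @@ -1191 hunk of nping/NpingOps.cc reads `/* End of isset() */`, carried over from issetDF() just above it; `/* End of issetRF() */` would match the function it closes. The header comment `/* Returns true if option has been set */` could likewise name the option, for example `/* Returns true if setRF() has been called */`.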
@@ -2577,6 +2597,7 @@ bool NpingOps::canRunUDPWithoutPrivileges(){ this->issetIdentification() || this->issetMF() || this->issetDF() || + this->issetRF() || this->issetIPv4SourceAddress() || this->issetIPv6SourceAddress() || this->issetIPOptions() || diff --git a/nping/NpingOps.h b/nping/NpingOps.h index c4f812512..cd34b5617 100644 --- a/nping/NpingOps.h +++ b/nping/NpingOps.h @@ -184,6 +184,8 @@ class NpingOps { bool mf_set; bool df; /* Don't fragment flag */ bool df_set; + bool rf; /* Reserved / Evil flag */ + bool rf_set; u32 mtu; /* Custom MTU len (for IP fragmentation) */ bool mtu_set; bool badsum_ip; /* Generate invalid checksums in TCP/UDP */ @@ -433,6 +435,10 @@ class NpingOps { bool getDF(); bool issetDF(); + int setRF(); + bool getRF(); + bool issetRF(); + struct in_addr getIPv4SourceAddress(); int setIPv4SourceAddress(struct in_addr i); bool issetIPv4SourceAddress(); diff --git a/nping/ProbeMode.cc b/nping/ProbeMode.cc index a3bf2ea26..ea07d2bb0 100644 --- a/nping/ProbeMode.cc +++ b/nping/ProbeMode.cc @@ -607,6 +607,8 @@ int ProbeMode::createIPv4(IPv4Header *i, PacketElement *next_element, const char i->setMF(); if( o.issetDF() && o.getDF() == true ) i->setDF(); + if( o.issetRF() && o.getRF() == true ) + i->setRF(); /* IP Options */ if( o.issetIPOptions() == true ) diff --git a/nping/docs/nping-man.xml b/nping/docs/nping-man.xml index 729808360..1884ace89 100644 --- a/nping/docs/nping-man.xml +++ b/nping/docs/nping-man.xml @@ -1983,7 +1983,6 @@ SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139 - (Type of Service) @@ -2018,7 +2017,6 @@ SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139 - (Don't Fragment) @@ -2036,7 +2034,6 @@ SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139 - (More Fragments) 
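Review bot: The members `rf` and `rf_set` added in the @@ -184 hunk of nping/NpingOps.h are not initialised anywhere in this patch. The three nping/NpingOps.cc hunks account for all 21 lines the diffstat reports for that file, and none of them assigns the pair a starting value. Unless the constructor (not shown) clears the whole object, or the only instance has static storage, issetRF() and getRF() would read indeterminate values when neither --evil nor SCRIPT_KIDDIE is used, and those reads feed createIPv4() and canRunUDPWithoutPrivileges(). Adding `rf=false;` and `rf_set=false;` to the NpingOps constructor, next to wherever df and mf are set up, would settle it.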
@@ -2053,6 +2050,24 @@ SENT (4.0330s) TCP 192.168.0.21 > 3.3.3.3:139 + + + (Reserved / Evil) + (Nping option) + + + + Sets the Reserved / Evil bit in sent packets. The Evil flag + helps firewalls and other network security systems to distinguish + between datagram that have malicious intent and those that are + merely unusual. When set, it indicates that the datagram has evil + intent, instructing insecure systems to succumb. Setting it to zero + indicates no evil intent. The option is implied if environmental + variable SCRIPT_KIDDIE is set to a non-zero value. + + + + (Time To Live) diff --git a/nping/docs/nping-usage.txt b/nping/docs/nping-usage.txt index 5a5100188..3e0cfca29 100644 --- a/nping/docs/nping-usage.txt +++ b/nping/docs/nping-usage.txt @@ -53,6 +53,7 @@ IPv4 OPTIONS: --id : Set identification field (16 bits). --df : Set Don't Fragment flag. --mf : Set More Fragments flag. + --evil : Set Reserved / Evil flag. --ttl : Set time to live [0-255]. --badsum-ip : Use a random invalid checksum. --ip-options : Set IP options