inconvenient to change separately.
The first change fixes a logical error in the storage of timing ping
probes. Each target contains a description of a timing ping probe, which
is stored in the two members
probespec pingprobe;
int pingprobe_state;
pingprobe is the probe itself, and pingprobe_state is the state of the
port that the probe was sent to (PORT_OPEN, PORT_CLOSED, etc.). A change
in the state of the port was a criterion used in deciding whether to
replace the current ping probe.
The problem with this was that pingprobe_state was used to hold a host
state, not a port state, during host discovery. Therefore it held a
value like HOST_DOWN or HOST_UP. This was fine as long as host discovery
and port scanning were separate, but now that timing pings are shared
between those phases the states were in confict: HOST_UP = 1 = PORT_CLOSED.
THis was fixed by using a value of PORT_UNKNOWN during host discovery.
The second change redoes how timing ping probes are replaced. There is
now an order of preference for timing ping probe types, defined by the
function pingprobe_score (and pingprobe_is_better, which calls it). The
order I have defined, from highest preference to lowest, is
ARP
Raw TCP (not SYN to an open port)
UDP, IP protocol, or ICMP
Raw TCP (SYN to an open port)
TCP connect
Anything else
The port state is considered only in raw TCP SYN to an open port, which
is given a lower preference because of the possibility of SYN flooding.
Better ping probes supersede worse ping probes. So in
nmap -PS -sA scanme.nmap.org
the ping probe will be SYN to port 80 after host discovery, but then
will change to ACK to an unfiltered port during port scanning. In
nmap -PA -sS scanme.nmap.org
the ping probe will be ACK to port 80 after host discovery and will
remain that way during port scanning because SYN to an open port is a
worse ping probe. Run with -d2 to see when timing pings change.
o Added the undocumented (except here) --nogcc option which disables
global/group congestion control algorithms and so each member of a
scan group of machines is treated separately. This is just an
experimental option for now. [Fyodor]
to reuse an ACK ping probe from host detection during a SYN port scan. This can
greatly speed up a scan if the SYN scan finds only filtered ports.
One difficulty with implementing this is that not all ping probes are
appropriate for all scan types.
nmap -PA -sU scanme.nmap.org
would cache the ACK ping probe and send ACK pings during the UDP scan. But the
pcap filter for the UDP scan doesn't catch TCP packets, so the replies would
not be noticed and they would show up as dropped pings. Likewise,
nmap -PR -sS 192.168.0.1
would segfault when it tried to use an uninitialized Ethernet descriptor to
send an ARP ping during the SYN scan, which would use raw sockets.
To fix this I added a function pingprobe_is_appropriate that determines whether
a given ping probe is appropriate for the current scan type. If not, the
constructor for HostScanStats just erases the ping probe.
More types of ping probes could be made "appropriate." TCP timing pings work
during a UDP scan if only the pcap filter is expanded to include TCP packets.
In r8541 readip_pcap was given the ability to validate packets, and it also
returns a different length in some cases than it used to:
+ /* OK, since the IP header has been validated, we don't want to tell
+ * the caller they have more packet than they really have. This can
+ * be caused by the Ethernet CRC trailer being counted, for example.
+ */
+ if (*len > ntohs(iphdr->ip_len))
+ *len = ntohs(iphdr->ip_len);
which made some tests having to do with packet length invalid. They were
removed but this one was missed.
from ICMP probes during a protocol scan (protoscanicmphack). I don't know why
it was NULL before, but that's wrong. It was probably never noticed because in
the case of a port update, all that happens is a failure to update the timing.
In the case of a ping probe, it would look like a dropped ping probe, but that
woudl be unlikely because protocol scans usually don't take very long. I
discovered it while testing code to allow ping probes to persist between host
discovery and port scanning.
and having close() #defined to my_close() in nbase_winunix.h, I'm just defining close()
to closesocket() in nbase_winunix.h and removing my_close() from winfix.cc. I'm also
defining EWOULDBLOCK to WSAEWOULDBLOCK in nbase_winunix.h.
Nmap builds fine with these changes, and since it's just defining close() to something
that already exists, it shouldn't negatively affect other branches.
These are things I noticed while trying to cleanly "re-port" Ncat to VC++2008.
Remove duplicate indexterms. Some of them were just too close together.
Some of
them were "see also" entries; I didn't realize that
<indexterm><primary>a</primary></indexterm>
<indexterm><primary>a</primary><seealso>b</seealso></indexterm>
would create two entries for "a" on that page. There were also a few
instances
where I had a <primary> definition in an <indexterm class="endofrange"> tag.
book-3.diff (include MJB-* diagrams):
Crop out the titles of packet header diagrams.
book-4.diff:
Miscellaneous index and other fixes.
book-5.diff:
Run indexterms into the same line when they appear in a paragraph. The way I
was doing it before (with indexterms on separate lines) caused an extra space
to be inserted. This was especially visible in the OS detection chapter where
there were long strings of indexterms naming response tests.
book-6.diff:
Do some more cleanup. nmap-intro said it covered export control but it
didn't,
so I removed the mention of it. I thought that -ff made smaller fragments,
but
it makes bigger fragments, so an index entry has been amended. There was a
typo
<optino>; somehow that didn't give an error.
nse_main and nse_nsock. nse_main now uses Lua to create printable output
while a cleaner hexify procedure has been placed in nsock.
nse_string is removed as a result.
