mirror of https://github.com/nmap/nmap.git synced 2025-12-07 13:11:28 +00:00
Commit Graph

97 Commits

Author SHA1 Message Date
fyodor
86e59a8c4e Update copyright statements from 2010 to 2011 2011-01-21 00:04:16 +00:00
david
7653cf7d4a Move COPYING.OpenSSL to OpenSSL.txt, update copyright notices to match. 2010-10-30 03:01:50 +00:00
david
ca5254f990 Fix a memory leak in OS detection. When detection ran for more than one
round, fingerprint test results were being leaked in between rounds.
2010-09-23 06:00:40 +00:00
david
235dab9f24 Fix an array allocation; we were allocating a multiple of the size of a
struct, not the size of a pointer to it. Over-allocating did no harm
beyond wasting some memory.
2010-09-23 05:58:39 +00:00
david
45468ba2a0 Fix compiler warnings seen on OpenBSD. 2010-08-02 20:30:29 +00:00
luis
da126c8b78 Merged nmap-dedup branch from nmap-exp/luis/nmap-dedup. This completes the Nmap/Nping code de-duplication phase. 2010-06-22 17:24:34 +00:00
fyodor
1aecac420f Update copyright year from 2009 to 2010 2010-05-03 21:20:25 +00:00
david
f21a07cfde Revert r16464. 2010-01-15 03:55:23 +00:00
david
c73b250615 Factor out a function that reports the failure to open an Ethernet
device and exits. On Windows, print a hint about "net start npf" to
start the NPF service.
2010-01-15 00:37:39 +00:00
david
7db7da0007 Merge again from /nmap-exp/david/nmap-mem; this fixes a couple of bugs. 2009-12-20 03:22:19 +00:00
david
1c6030709b Revert r16307:16309, the merge from nmap-mem. I just found a
segmentation fault which I am investigating.
2009-12-19 22:49:16 +00:00
david
b838242e01 Merge from /nmap-exp/david/nmap-mem. This brings in two memory-reducing
changes. The first is that Port objects don't allocate memory for
service and RPC results unless that information is set. This reduces the
size of a bare Port from 92 to 40 bytes on my machine. The second change
is that PortList now has the notion of a "default port state," which is
the state of any ports that didn't receive a response. These ports don't
need an allocated Port object, which saves a lot of memory in scans
where most ports didn't get a response.
2009-12-19 21:26:14 +00:00
fyodor
543c5408b6 add a missing newline to a warning message 2009-11-23 23:30:36 +00:00
david
a06b900f00 Merge from /nmap-exp/david/nmap-mem. This reduces the memory usage of OS
scan by about 95%. (66832396 bytes to 2815061 bytes according to
Massif.)
2009-11-23 21:22:07 +00:00
david
ddc1b9b2d1 Fix a little memory leak in the handling of OPS and WIN responses.
FingerTest structures are supposed to have an array of AVals that are
allocated as a block and linked internally. But for OPS and WIN, each
AVal was allocated individually and linked together. When the FingerTest
was later freed, it freed only the first link in the chain.
2009-11-23 16:51:42 +00:00
david
b40356ed3f Fixed an integer overflow that could occur when a target with a low
TCP timestamp clock frequency uses large timestamp values, such that
a naive uptime calculation shows a boot time before the epoch. Also
fixed a printf format specifier mismatch that was revealed by the
overflow. Toby Simmons reported the problem and helped with the fix.
2009-09-10 18:03:18 +00:00
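The overflow described in the commit above, shown as an added example (this is not Nmap's code, and the struct, function names and sample values are assumptions made here): the target's timestamp clock rate is estimated from two TSval samples, then uptime = TSval / rate. A slow clock (2 Hz) combined with a large TSval yields an uptime longer than the time elapsed since the Unix epoch, so a naive now - uptime goes negative; the checked version rejects such an estimate instead of reporting it.

```c
#include <stdint.h>
#include <stdio.h>

/* Added example, not Nmap's code: TCP timestamp clock rate, uptime and
 * boot-time estimation with the overflow case guarded. Names and the
 * constructed samples below are assumptions. */

struct ts_sample {
    uint64_t recv_usec;  /* local receive time, microseconds since the epoch */
    uint32_t tsval;      /* TSval from the target's TCP timestamp option */
};

/* Constructed samples: two replies 0.5 s apart, TSval advanced by one tick
 * (a 2 Hz clock), observed in September 2009. ROLL_* is the same clock
 * caught while TSval wraps around 2^32. */
static const struct ts_sample SAMPLE_A = { 1252000000000000ULL, 3000000000u };
static const struct ts_sample SAMPLE_B = { 1252000000500000ULL, 3000000001u };
static const struct ts_sample ROLL_A   = { 1252000000000000ULL, 0xFFFFFFFEu };
static const struct ts_sample ROLL_B   = { 1252000002000000ULL, 0x00000002u };

/* Ticks per second between two samples. uint32_t subtraction wraps, so a
 * TSval rollover between the samples is handled. Returns 0.0 if dt is 0. */
static double ts_hz(const struct ts_sample *a, const struct ts_sample *b)
{
    uint64_t dt_usec = b->recv_usec - a->recv_usec;
    uint32_t dticks = b->tsval - a->tsval;
    if (dt_usec == 0)
        return 0.0;
    return (double)dticks * 1e6 / (double)dt_usec;
}

/* Naive form: 32-bit arithmetic throughout, as with a 32-bit time_t.
 * Nothing stops now - uptime from going negative (a boot "before the
 * epoch"). Caller must pass hz > 0. */
static int32_t naive_boot_time(uint32_t tsval, int hz, int32_t now)
{
    int32_t uptime = (int32_t)(tsval / (uint32_t)hz);
    return now - uptime;
}

/* Checked form: 64-bit arithmetic; returns the boot time in seconds since
 * the epoch, or -1 when the rate is unusable or the uptime would place
 * boot before the epoch (no credible estimate). */
static int64_t checked_boot_time(uint32_t tsval, int hz, int64_t now)
{
    if (hz <= 0)
        return -1;
    int64_t uptime = (int64_t)tsval / hz;
    if (uptime > now)
        return -1;
    return now - uptime;
}

int main(void)
{
    int hz = (int)(ts_hz(&SAMPLE_A, &SAMPLE_B) + 0.5);  /* nearest integer rate */
    int32_t now = 1252000000;                            /* seconds, Sept 2009 */
    int64_t boot = checked_boot_time(SAMPLE_B.tsval, hz, now);

    printf("rate: %d Hz (rollover pair: %.1f Hz)\n", hz, ts_hz(&ROLL_A, &ROLL_B));
    printf("naive boot time: %ld\n", (long)naive_boot_time(SAMPLE_B.tsval, hz, now));
    if (boot < 0)
        printf("checked: uptime exceeds time since the epoch, no estimate\n");
    else
        printf("checked boot time: %lld\n", (long long)boot);
    return 0;
}
```

With the constructed samples the naive result is -248000000, and a value like that printed through an unsigned format specifier is exactly the kind of mismatch the commit mentions being revealed by the overflow; the checked version returns -1 and a caller can skip the uptime guess rather than print nonsense.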
david
4c6bafb3fa o There is a new OS detection pseudo-test, SCAN.DC, which records how
the network distance in SCAN.DS was calculated. Its value can be "L"
  for localhost, "D" for a direct connection, "I" for an ICMP TTL
  calculation, and "T" for a traceroute hop count. This is mainly for
  the benefit of OS integration, when it is sometimes important to
  distinguish between DS=1%DC=I (probably the result of forged TTLs)
  and DS=1%DC=D (a true one-hop connection.) [David]
2009-08-23 23:58:28 +00:00
david
eac15cb919 Apply a patch by Dmitry Levin that uses a network interface's full name,
including alias extension, in several places to avoid this error message
when an alias has an IP address but the primary interface doesn't:
Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned
The patch also considers an interface alias if the primary interface
does not appear in the list of interfaces (perhaps because it does not
have an IP address assigned) when building the table of routes.
2009-07-27 19:01:58 +00:00
david
a4c92f83e7 Use the preprocessor defines IP_DF and IP_OFFMASK instead of literal
0x4000 and 8191.
2009-07-03 18:11:15 +00:00
daniel
da6cb1d19e o [Nbase] The checksum functions now have an nbase_ prefix. This
should prevent name collisions with internal but exported functions
  in shared libraries Nmap links against (e.g. adler32() in zlib).
  Such collisions seem to confuse the runtime linker on some platforms.
  [Daniel Roethlisberger]
2009-04-16 09:38:13 +00:00
fyodor
d0e21e1d03 Suggest that people send patches to nmap-dev rather than to me directly 2009-04-15 00:37:03 +00:00
bmenrigh
24fbedd748 Changed two OS scan error() calls to LOG_STDOUT instead. They aren't
errors and having them go to STDERR could be confusing.
2009-04-08 01:14:48 +00:00
fyodor
eccc235d5a Increase copyright year to 2009, simplify/reword some derivative works text, and remove a confusing clause about selling proprietary front-ends to Nmap 2009-03-31 04:16:12 +00:00
david
e9d7cab6ef The following OS detection tests are no longer included in OS
fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
and SI were found not to be helpful in distinguishing operating systems
because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
but now they are not included in prints at all.
2009-03-27 23:07:08 +00:00
david
4d73305a5a Add a fix in the calculation of the SEQ.CI test submitted by Guillaume
Prigent. The CI samples could sometimes be written into the TI array.
This would happen if there were any holes in the original CI array.
2009-03-26 14:28:53 +00:00
david
3af559b852 Only print the "insufficient responses for TCP sequencing" if at least one
response was received, not zero. Because four responses are sufficient, the
message will be printed if one, two, or three responses were received. The
message started being printed with zero responses in r12285, with an unrelated
change.

The message also now includes the IP address of the relevant host and requires
debugging to be enabled.
2009-03-24 21:04:37 +00:00
david
aa97b79e4c Fix a little error in a comment: We decided to call the closed-port TCP IP ID
test CI, not CTI.
2009-02-25 00:40:47 +00:00
david
b230f7168c Merge from /nmap-exp/david/nmap-closed-ipid.
This adds a new SEQ.CI OS detection test. It is based on the IP IDs of the
responses to the three probes sent to a closed port: T5, T6, and T7. This has
been reported to differ from TI and was observed to do so in Internet scans
using the nmap-closed-ipid branch.
2009-02-25 00:30:40 +00:00
david
588d629a6a Copy the Subversion properties from osscan.cc to osscan2.cc. None were set on
osscan2.cc. I think osscan2.cc wasn't updating its $Id$ because it didn't have
the svn:keywords property set.
2009-02-24 22:04:54 +00:00
david
f5fb0fd691 Try fixing the $Id: $ line in osscan2.cc. It's not updating itself, perhaps
because it had the file name osscan.cc inside it.
2009-02-24 21:58:34 +00:00
david
ade608c766 Factor out a couple of essentially identical switch statements that filled in
the TCP/ICMP IP ID sequence generation class.
2009-02-24 21:53:40 +00:00
david
f9f928e9ce OS fingerprints now include the SEQ.II test (ICMP IP ID sequence
generation) even if there are no other SEQ test results. Try it with
"nmap -O -d -p 113 scanme.nmap.org". Now you get SEQ(II=I) instead of no
SEQ line at all.
2009-02-24 21:08:38 +00:00
fyodor
9ede137210 rename crc16 function in nbase to crc32, as that seems to be what it actually is. Also change osscan2.cc to call it by the new name. This fix was suggested by Marc Bevand 2009-02-24 02:01:03 +00:00
david
dbb6464deb Fill in the destination MAC address before each probe sent in OS scan.
This fixes the following bug: When scanning with an Ethernet handle (as
opposed to raw sockets), only the first host in an OS scan group would
get a result. All others would be blank fingerprints with R=N for every
probe. This was first noticed on Windows because Ethernet is the default
sending method, but it affects other platforms with --send-eth.

OS scan initialized an Ethernet handle once for each group, and recorded
the first-hop MAC address of the first target at that time. That
first-hop address was used for all targets. This failed on a switched
LAN, when the first-hop address for every host is different (it's the
MAC address of each target).

All the various high-level probe sending functions now do their work
through three low-level sending functions: one each for TCP, UDP, and
ICMP. Those low-level functions take care of setting the MAC addresses
before each send.

I checked and the other places where Ethernet sends are used do not have
this problem. ultra_scan, idle scan, and traceroute all set the
addresses before every send.
2008-12-19 19:54:06 +00:00
david
b4dbc10f0c Rename the function send_closedudp_probe_2 to send_closedudp_probe (lose the _2
suffix). It was named this way to avoid a name conflict with first-gen OS
detection, which isn't a problem now.
2008-12-19 18:39:29 +00:00
david
fc9290d734 Remove the unused seq_info array from HostOsScanInfo. That information is kept
in a variable in HostOsScanStats and reinitialized for each scan round. The two
variables had the same name (si) and it was confusing.
2008-12-19 17:59:01 +00:00
david
eb7fda541e Fix global congestion control in OS scan.
Like ultra_scan, OS scan has global and host-based congestion control
mechanisms like those in TCP. Part of global congestion control is
keeping track of how many probes are outstanding in the network; OS scan
keeps the number in a member variable called num_probes_active.

num_probes_active is meant to be the sum of the sizes of each host's
list of outstanding probes. It was correctly being decremented whenever
a probe was removed from an active list, but it was never incremented.
num_probes_active was always zero or negative, and therefore never
exceeded the global congestion window. This almost completely disabled
global congestion control.

With this fix OS scan will send a maximum of ten probes immediately at
the beginning of the scan. Previously it was limited only by the number
of hosts being scanned (20 or 30).
2008-12-18 04:49:49 +00:00
david
9a37ef907f Remove some unused OS scan performance variables. 2008-12-18 04:27:28 +00:00
david
4ff30d9b99 Show a warning whenever raw socket sending is attempted on Windows--not just
when using --send-ip.
2008-11-24 17:52:25 +00:00
david
a4f6dc6b6e Merge from /nmap-exp/david/nmap-os.
This brings in four discrete changes:

1. The widening of ranges for T test expressions in nmap-os-db. Any expressions
   that were not already ranges were expanded to cover plus and minus five of
   their original values.
2. The normalization of TG expressions in nmap-os-db. Nmap is only capable of
   outputting 0x20, 0x40, 0x80, and 0xFF for a TG value, but many fingerprints
   had values other than these. They have all been rounded to their nearest
   likely value.
3. The elimination of the U1.TOS and IE.TOSI tests (both having to do with type
   of service). This was effected by setting their MatchPoints to 0.
4. A cleanup and refactoring of OS fingerprint output code. This should not
   have any impact on output, except in one case: when debugging is non-zero or
   verbosity is greater than one, and at least one perfect match was found,
   Nmap used to print "OS Fingerprint:" before the fingerprint. Now it prints
   "TCP/IP fingerprint:" in this case like in all the others.
2008-10-31 22:46:07 +00:00
fyodor
2c650269ec o Fixed a bug which caused Nmap to infer an improper distance against
some hosts when performing OS detection against a group whose
  distance varies between members. [David, Fyodor]
2008-10-17 21:20:52 +00:00
kris
83ed199791 Adding packet validity checking to readip_pcap() so the caller can assume the
packet is OK from the get-go rather than running basic checks of its own.

In a nutshell this patch checks to make sure:

1) there is enough room for an IP header in the amount of bytes read
2) the IP version number is correct
3) the IP length fields are at least as big as the standard header
4) the IP packet received isn't a fragment, or is the initial fragment
5) that next level headers seem reasonable

For TCP, this checks that there is enough room for the header in the number
of bytes read, and that any option lengths are correct.  The options checked
are MSS, WScale, SackOK, Sack, and Timestamp.

This also fixes a bug I discovered while testing.  Since the Ethernet CRC
(and other datalink-layer data) could be read and counted, it was being
returned that there was more IP packet than there really was.  This didn't
cause an overrun of the buffer or anything, just that garbage data could have
easily been read instead of real packet data.  Now, if validity is checked for
and the number of total bytes read is larger than the IP's length, the length
is set to the IP header's total length field.

This seems to work great after doing what testing I could.  It's been out on
nmap-dev for a couple of weeks without any bad reports (none at all for that
matter).  I reviewed this patch again before committing and it looks good as
well.
2008-06-30 23:55:19 +00:00
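The five checks listed in the commit message above, written out as an added example (this is not Nmap's readip_pcap(); function names, the sample packet and the treatment of a capture shorter than the IP total length are assumptions made here). The point the commit makes about the Ethernet CRC is visible in the code: the layer-4 parsing is bounded by the IP total length field, not by how many bytes pcap handed back, so trailing datalink bytes are never mistaken for packet data.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not Nmap's code: validity checks on a raw IPv4 packet as
 * returned by pcap. Names and the constructed sample are assumptions. */

#define IP_OFFMASK 0x1fff  /* fragment offset bits of the frag field */

static unsigned be16(const uint8_t *p) { return (unsigned)p[0] << 8 | p[1]; }

/* Check TCP option lengths for MSS, WScale, SackOK, Sack and Timestamp;
 * unknown kinds are only checked for fitting inside the option space. */
static int tcp_options_ok(const uint8_t *opt, size_t optlen)
{
    size_t i = 0;
    while (i < optlen) {
        uint8_t kind = opt[i];
        if (kind == 0) return 1;                 /* EOL */
        if (kind == 1) { i++; continue; }        /* NOP, no length byte */
        if (i + 2 > optlen) return 0;            /* no room for a length byte */
        uint8_t len = opt[i + 1];
        if (len < 2 || i + len > optlen) return 0;
        switch (kind) {
        case 2: if (len != 4) return 0; break;                        /* MSS */
        case 3: if (len != 3) return 0; break;                        /* WScale */
        case 4: if (len != 2) return 0; break;                        /* SackOK */
        case 5: if (len < 10 || (len - 2) % 8 != 0) return 0; break;  /* Sack */
        case 8: if (len != 10) return 0; break;                       /* Timestamp */
        default: break;
        }
        i += len;
    }
    return 1;
}

/* Returns the trusted IP length (the total length field) if the packet
 * passes, or -1. caplen is the number of bytes pcap actually returned. */
static long validate_ipv4(const uint8_t *pkt, size_t caplen)
{
    if (caplen < 20) return -1;                      /* 1: room for an IP header */
    if ((pkt[0] >> 4) != 4) return -1;               /* 2: version */
    size_t ihl = (size_t)(pkt[0] & 0x0f) * 4;
    size_t tot = be16(pkt + 2);
    if (ihl < 20 || tot < ihl) return -1;            /* 3: length fields sane */
    if (caplen < tot) return -1;                     /* truncated capture: rejected (assumption) */
    if (be16(pkt + 6) & IP_OFFMASK) return -1;       /* 4: unfragmented or initial fragment */
    const uint8_t *l4 = pkt + ihl;
    size_t l4len = tot - ihl;                        /* 5: bound by IP length, not caplen */
    switch (pkt[9]) {
    case 6: {                                        /* TCP */
        if (l4len < 20) return -1;
        size_t doff = (size_t)(l4[12] >> 4) * 4;
        if (doff < 20 || doff > l4len) return -1;
        if (!tcp_options_ok(l4 + 20, doff - 20)) return -1;
        break;
    }
    case 17: if (l4len < 8) return -1; break;       /* UDP */
    case 1:  if (l4len < 8) return -1; break;       /* ICMP */
    default: break;
    }
    return (long)tot;
}

/* Constructed sample: 10.0.0.1:1234 -> 10.0.0.2:80 SYN with MSS, WScale and
 * SackOK options (52 bytes), followed by 4 bytes standing in for a datalink
 * trailer that came back with the capture. */
static const uint8_t SAMPLE_SYN[] = {
    0x45, 0x00, 0x00, 0x34, 0x12, 0x34, 0x40, 0x00, 0x40, 0x06, 0x00, 0x00,
    0x0a, 0x00, 0x00, 0x01, 0x0a, 0x00, 0x00, 0x02,
    0x04, 0xd2, 0x00, 0x50, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
    0x80, 0x02, 0xff, 0xff, 0x00, 0x00, 0x00, 0x00,
    0x02, 0x04, 0x05, 0xb4, 0x01, 0x03, 0x03, 0x07, 0x01, 0x01, 0x04, 0x02,
    0xde, 0xad, 0xbe, 0xef,
};

/* Re-run the checks on a copy of the sample with one byte changed. */
static long check_mutated(size_t off, uint8_t val, size_t caplen)
{
    uint8_t buf[sizeof SAMPLE_SYN];
    memcpy(buf, SAMPLE_SYN, sizeof buf);
    buf[off] = val;
    return validate_ipv4(buf, caplen);
}

int main(void)
{
    printf("sample SYN: trusted IP length %ld of %u captured bytes\n",
           validate_ipv4(SAMPLE_SYN, sizeof SAMPLE_SYN), (unsigned)sizeof SAMPLE_SYN);
    printf("MSS length byte corrupted: %ld\n", check_mutated(41, 0x03, sizeof SAMPLE_SYN));
    printf("fragment offset set: %ld\n", check_mutated(7, 0x01, sizeof SAMPLE_SYN));
    printf("capture truncated to 30 bytes: %ld\n", validate_ipv4(SAMPLE_SYN, 30));
    return 0;
}
```

Offsets in check_mutated are into the sample: byte 41 is the MSS option's length byte, byte 7 is the low byte of the fragment field, byte 32 is the TCP data offset, byte 55 is inside the trailer. Changing the trailer leaves the result unchanged, which is the behaviour the commit describes for surplus datalink bytes.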
kris
47bc9d4c4f Fixing more bugs reported by Ilja, mostly bounds checking 2008-06-14 06:59:11 +00:00
michael
6692822a34 The information pertaining to the U1.RID probe for OS scans wasn't being properly converted to/from network byte order. This has resulted in several erroneous entries in nmap-os-db and the failure of OS scan to perfectly detect some hosts (most of them are printers). 2008-05-31 01:41:13 +00:00
fyodor
779b96a197 trivial copyright text tweak: filename nmap-os-fingerprints has changed to nmap-os-db 2008-05-22 20:45:32 +00:00
fyodor
10b54b773b minor license template updates from Kris--fix gnu.org link to GPLv2 (moved) and openssl license filename (COPYING.OpenSSL) 2008-05-05 04:10:00 +00:00
fyodor
5551c5a311 o Fixed a bunch of code to avoid compilation warning messages (at
least on some Linux machines) [Andrew J. Bennieston]
2008-04-09 02:11:20 +00:00
fyodor
d5f3f3610e improve the tcp options comment even more to ensure it is in line with tcp options actually used 2008-03-13 05:34:17 +00:00
fyodor
a71b4d2528 update a comment which lists tcp options used in os scan 2008-03-13 05:25:54 +00:00
fyodor
1accc12fb2 fix typo in legal header found by Leigh Zhao (missing word: of) 2008-02-28 18:52:06 +00:00