MAC in the doArp function as is done for ARP ping scan in
scan_engine.cc. This makes us capable of reading ARP responses that are
sent to the broadcast address.
(*p & 0x40) == 0x40
But that doesn't check that the upper half of the byte is 4. It's true for 4,
5, 6, 7, 12, 13, 14, and 15. I changed it to
(*p & 0xF0) == 0x40
name. If the destination is missing, ignore that line and continue with
the next line rather than giving up on the whole file. Patch by Ankur
Nandwani.
first is a pointer was kept to the beginning of the packet payload, and
it was increased based on the varying size of the ICMP header. But its
type was pointer to u32 instead of pointer to u8, so the expression
datastart += 12 actually increased the pointer by 48 bytes, leaving
garbage in the first 36 bytes of the payload and making it possible for
the buffer to overflow. The second was that the remaining space left in
the buffer was not decreased when the datastart was increased, again
making it possible to overflow. I got a reliable segmentation fault with
the command
nmap -PP 1.2.3.4 --data-length 1480
Nmap used two functions: one of them, hdump(), just printed raw hex bytes
(no ASCII equivalents) and the other one, lamont_hdump() had a bug when
printing buffers where bufflen%16==3. A new function has been implemented
from scratch, that basically produces the same output as Wireshark.
Output looks like this:
0000 e8 60 65 86 d7 86 6d 30 35 97 54 87 ff 67 05 9e .`e...m05.T..g..
0010 07 5a 98 c0 ea ad 50 d2 62 4f 7b ff e1 34 f8 fc .Z....P.bO{..4..
0020 c4 84 0a 6a 39 ad 3c 10 63 b2 22 c4 24 40 f4 b1 ...j9.<.c.".$@..
Changes:
- The new hexdump() function has been added to nbase.
- Old hdump() and lamont_dump() have been removed from nmap's code.
- A wrapper to the new hexdump(), called nmap_hexdump(), has been added
to nmap's utils.cc. The wrapper basically prints the buffer returned
by hexdump() using nmap's log_write() function.
including alias extension, in several places to avoid this error message
when an alias has an IP address but the primary interface doesn't:
Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned
The patch also considers an interface alias if the primary interface
does not appear in the list of interfaces (perhaps because it does not
have an IP address assigned) when building the table of routes.
for an interface, and skip the interface. The warning looks like
Warning: Unable to get hardware address for interface %s -- skipping it.
This happens when a FireWire interface (fw*) has an address configured on Mac
OS X. Previously Nmap would die in getinterfaces so it wasn't even possible to
scan over the other interfaces.
in getinterfaces. This was the cause of an overlapping memcpy reported
at http://seclists.org/nmap-dev/2009/q2/0713.html.
In the code, sin is a pointer that holds the address of the IP address
configured for an interface. It is copied into a tmpifr.ifr_addr before
each ioctl, perhaps because that is required on some platforms even
though on Linux only ifr_name is needed by the ioctl. When the ioctl
returns, it overwrites whatever was in ifr_addr because that member is
in a union, so sin is kept in order to restore the address again before
the next ioctl.
In the code that handles SIOCGIFNETMASK, sin was mistakenly used as a
temporary pointer and redirected to &tmpifr.ifr_addr. This caused all
future memcpys before ioctl to copy tmpifr.ifr_addr to itself, rather
than copying in the IP address of the interface.
The throwaway sin assignment was not even used; the code that used it
was modified in r2751. So now we just keep sin pointing where it should
the whole time.
another thing otherwise in a big if/else. Now getinterfaces just does
caching and getinterfaces_dnet or getinterfaces_siocgifconf does the
actual interface lookup.
sending. In send_ip_packet, unswap them after sending so that the buffer is
returned unmodified. Do the packet trace after unswapping the values so that
the correct length and fragmentation offset are reported. On Mac OS X, an
ip_len of 60 (0x003c) was being reported as 15360 (0x3c00) and when ip_off had
the DF flag set (0x4000), it looked like a fragmentation offset of 512
(0x0040 * 8).
a layer 4 protocol used mostly for telephony related applications.
This brings the following new features:
o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
chunk, closed ones an ABORT chunk. This is the SCTP equivalent
of a TCP SYN stealth scan.
o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
closed ports return an ABORT chunk.
o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
INIT chunk packets.
o SCTP-specific IP protocol scan (-sO -p sctp).
o SCTP-specific traceroute support (--traceroute).
o The ability to use the deprecated Adler32 algorithm as specified
in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
o 42 well-known SCTP ports were added to the nmap-services file.
Part of the work on SCTP support was kindly sponsored by
Compass Security AG, Switzerland. [Daniel Roethlisberger]
address on Solaris. The Solaris error message was
/dev/lo: No such file or directory
but apparently it can also be
lo0: No DLPI device found
Also changed the message to say that it can happen when scanning any
interface address, not just localhost. The new error message was lately
reported by Dom De Vitto.
http://seclists.org/nmap-dev/2006/q2/0127.htmlhttp://seclists.org/nmap-dev/2009/q1/0853.html
need to have all the routes available before assigning interfaces to handle a
situation like the following:
# nmap --iflist
************************INTERFACES************************
DEV (SHORT) IP/MASK TYPE UP MAC
lo0 (lo0) 127.0.0.1/8 loopback up
ppp0 (ppp0) YY.YY.YY.YY/16 point2point up
# netstat -rn
Destination Gateway Flags Refs Use Netif Expire
default XX.XX.XX.XX UGSc 7 16 ppp0
XX.XX.XX.XX YY.YY.YY.YY UH 8 0 ppp0
Here the second route can be matched up immediately with the ppp0 device,
because the YY.YY.YY.YY gateway address matches the YY.YY.YY.YY/16 IP and mask
of ppp0. But the first route (default) needs to go through the second route in
order to find its interface. So we don't reject the default route immediately,
but save it an try to match it with an interface after all routes have been
found. See http://seclists.org/nmap-dev/2008/q4/0576.html for more information.
crafted reply sent from a host on the same LAN slip through and cause
Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for
the very detailed bug report. [Kris]
The partial checksum for the TCP/UDP pseudo-header is calculated and then it is
added to the checksum for the rest of the packet. I started to write the
functions for such incremental checksum calculation but then I saw they are
already implemented in libdnet.
packet is OK from the get-go rather than running basic checks of it's own.
In a nutshell this patch checks to make sure:
1) there is enough room for an IP header in the amount of bytes read
2) the IP version number is correct
3) the IP length fields are at least as big as the standard header
4) the IP packet received isn't a fragment, or is the initial fragment
5) that next level headers seem reasonable
For TCP, this checks that there is enough room for the header in the number
of bytes read, and that any option lengths are correct. The options checked
are MSS, WScale, SackOK, Sack, and Timestamp.
This also fixes a bug I discovered while testing. Since the Ethernet CRC
(and other datalink-layer data) could be read and counted, it was being
returned that there was more IP packet than there really was. This didn't
cause an overrun of the buffer or anything, just that garbage data could have
easily been read instead of real packet data. Now, if validity is checked for
and the number of total bytes read is larger than the IP's length, the length
is set to the IP header's total length field.
This seems to work great after doing what testing I could. It's been out on
nmap-dev for a couple of weeks without any bad reports (none at all for that
matter). I reviewed this patch again before committing and it looks good as
well.
not used before because of how the logic for o.spoofsource and o.device is
handled in nmap.cc.) Its basic purpose remains in the function ipaddr2devname.
has been messed up for a while and I was having trouble reading it. I changed
it to use the mix of 8-wide tabs and spaces used by most of the rest of the
file.
