mirror of https://github.com/nmap/nmap.git synced 2025-12-06 20:51:30 +00:00
Commit Graph

267 Commits

Author SHA1 Message Date
david
198282a9c3 Remove some Windows-only function prototypes that are obsolete. They are not
defined anywhere.

void nmapwin_init();
void nmapwin_cleanup();
void nmapwin_list_interfaces();
int if2nameindex(int ifi);
2010-06-07 18:42:17 +00:00
luis
ac860ca961 Corrected trivial typo 2010-05-17 17:56:29 +00:00
david
5cf726d259 Fix up indentation in collect_dnet_interfaces. 2010-05-12 16:34:25 +00:00
fyodor
1aecac420f Update copyright year from 2009 to 2010 2010-05-03 21:20:25 +00:00
david
b7387894f5 Fix comment typos. 2010-04-30 18:14:52 +00:00
david
8bc5135d93 When iterating over the interface list on systems that have sa_len, only
allow the sa_len to increase the size of the current structure, not
decrease it below sizeof(struct ifreq). Doing it this way makes it work
on NetBSD. This technique more or less matches that used in Unix Network
Programming, 3rd Edition, section 17.6. The old implementation was
likely incorrect, though it happened to work on FreeBSD.
2010-03-26 22:11:30 +00:00
david
bc132b963c Make read_arp_reply_pcap work with a libpcap datalink type of
DLT_LINUX_SLL, as well as the DLT_EN10MB that was formerly supported.
This type is used on some interfaces where Linux doesn't reliably retain
the link-layer header, and when capturing on the "any" device. On such
interfaces, you would get the error

read_arp_reply_pcap called on interfaces that is datatype 113 rather than DLT_EN10MB (1)

For more on this datalink type, see

pcap-linktype(7)
http://wiki.wireshark.org/SLL

I tested this by hacking scan_engine.cc to use the "any" device:

--- scan_engine.cc      (revision 16972)
+++ scan_engine.cc      (working copy)
@@ -4882,7 +4882,7 @@
     }
   }

-  USI->pd = my_pcap_open_live(Targets[0]->deviceName(), 100,  (o.spoofsource)? 1 : 0, pcap_selectable_fd_valid()? 200 : 2);
+  USI->pd = my_pcap_open_live("any" /*Targets[0]->deviceName()*/, 100,  (o.spoofsource)? 1 : 0, pcap_selectable_fd_valid()? 200 : 2);
   if (USI->ping_scan_arp){
     /* Some OSs including Windows 7 and Solaris 10 have been seen to send their
        ARP replies to the broadcast address, not to the (unicast) address that
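Review bot: the hunk hard-codes "any" in place of Targets[0]->deviceName() in the my_pcap_open_live call, so every scan would capture on the Linux "any" pseudo-device instead of the interface chosen for the target; keep this as the local test change the message describes and restore the original argument rather than leaving it commented out. Note also that the message says the shipped libpcap 1.0.0 fails on "any" with "SIOCGIFHWADDR: No such device", so this only exercises the DLT_LINUX_SLL path with a newer libpcap.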

I had to use a newer version of libpcap from git. The 1.0.0 that we ship
has a bug that keeps "any" from working. You would get SIOCGIFHWADDR: No
such device.
2010-03-12 05:23:50 +00:00
david
d109ff13d8 Consider an address directly connected if the gateway of its matching routing
table is exactly the same as the address. This is how it appears to work on Mac
OS X. Now there are three ways for an address to be directly connected:

1. Gateway address is 0.0.0.0 (Linux).
2. Gateway address is the same as local interface address (Windows).
3. Gateway address is the same as the destination address (Mac OS X).
2010-03-12 00:45:11 +00:00
david
02b1a00bf9 Change the way route_dst works to allow static routes to override
interface addresses and netmasks.

Before, route_dst worked like this:
  1) Check destination address against all interfaces, with special-case
     handling for local addresses.
  2) Check destination address against routing table.

Now it works like this:
  1) Check destination address against local addresses.
  2) Check destination address against routing table.
  3) Check destination address against all interfaces.

This allows a routing table entry to override an interface, for example
in this configuration:

  ************************INTERFACES************************
  DEV  (SHORT) IP/MASK         TYPE     UP MAC
  eth0 (eth0)  192.168.0.21/24 ethernet up 00:00:00:00:00:00

  **************************ROUTES**************************
  DST/MASK       DEV  GATEWAY
  192.168.0.3/32 eth0 192.168.0.1
  192.168.0.0/24 eth0

192.168.0.3 will not be considered directly connected, but will have its
traffic routed through 192.168.0.1.

The logic for determining when an address is directly connected has
changed. Instead of considering an address directly connected whenever
it matches an interface netmask, we consider it so when the gateway
address is 0.0.0.0 or when the gateway address is exactly equal to the
interface address. The proper way to do this would be to look at the "G"
flag from the routing table, but libdnet doesn't retain that.
2010-03-11 20:04:21 +00:00
david
0f048bb0f4 Compare addresses if netmasks are equal in the qsort comparison function
for routes, to ensure that routes keep their same relative order. This
idea is from http://www.gnu.org/s/libc/manual/html_node/Array-Sort-Function.html.
2010-03-11 18:03:01 +00:00
david
48654df805 Switch to -sn and -Pn as the new preferred synonyms for -sP and -P0.
This establishes a more regular syntax for some options that disable
phases of a scan:
	-n  no reverse DNS
	-Pn no host discovery
	-sn no port scan
Also, the -sP was possibly misleading because the 'P' suggests "ping
scan," when you can now do more than just pinging when you disable port
scanning. For example, -sC -sn and -sn -Pn --traceroute make sense.
2010-03-11 01:16:06 +00:00
david
9a31e8b830 Change PacketTrace::traceArp not to take the Ethernet header. It wasn't
being used, and this leaves the door open for non-Ethernet encapsulation
of ARP packets, in particular the Linux "cooked" socket encapsulation
that can in some cases be used by libpcap.
2010-03-10 16:58:24 +00:00
kris
a42ea72a97 Merge through r16884 from /nmap-exp/kris/nse-rawip plus the following changelog
entries:

o [NSE] Raw packet sending at the IP layer is now supported, in addition to
  the Ethernet sending functionality.  Packets to send start with an IPv4
  header and can be sent to arbitrary hosts. [Kris]

o [NSE] Added the ipidseq script to classify a host's IP ID sequence numbers
  in the same way Nmap does.  This can be used to test hosts' suitability for
  Nmap's Idle Scan (-sI), i.e. check if a host is an idle zombie.  This is
  the first script to use the new raw IP sending functionality in NSE. [Kris]

o [NSE] Added the function nmap.is_privileged() to tell a script if, as far
  as Nmap's concerned, it can do privileged operations.  For instance, this
  can be used to see if a script should be able to open a raw socket or
  Ethernet interface. [Kris]

o [NSE] Added the function nmap.get_ports() to allow a script to iterate
  over a host's port tables matching a certain protocol and state. [Kris,
  Patrick]
2010-02-26 20:42:10 +00:00
david
f21a07cfde Revert r16464. 2010-01-15 03:55:23 +00:00
david
c73b250615 Factor out a function that reports the failure to open an Ethernet
device and exits. On Windows, print a hint about "net start npf" to
start the NPF service.
2010-01-15 00:37:39 +00:00
david
577fc127f7 Use socket_strerror, not plain strerror, to report the result of non-blocking
connections in tcpip.cc. socket_strerror works with Winsock error codes whereas
plain strerror returns "Unknown error".

However, the error string for what is probably the most common error code,
WSAEWOULDBLOCK, is the big ugly "A non-blocking socket operation could not be
completed immediately.". Add a special case to use "Operation now in progress"
for that specific error.
2010-01-13 19:22:41 +00:00
david
3723852e17 Use the same trick of peeking inside the ARP packet for the destination
MAC in the doArp function as is done for ARP ping scan in
scan_engine.cc. This makes us capable of reading ARP responses that are
sent to the broadcast address.
2009-11-19 04:51:38 +00:00
david
d7cae0a753 Fix the test for an IPv4 packet in readip_pcap. It was checking this condition:
	(*p & 0x40) == 0x40
But that doesn't check that the upper half of the byte is 4. It's true for 4,
5, 6, 7, 12, 13, 14, and 15. I changed it to
	(*p & 0xF0) == 0x40
2009-11-07 02:03:07 +00:00
david
f1dabda17c Fix some pointer declarations messed up by indent. 2009-10-27 15:41:22 +00:00
fyodor
93c4dec5d0 Applied FreeBSD portability patch from Jay Fink (he found it in FreeBSD ports tree). The patch
marks pcap file descriptors as not select()able by Nmap for FreeBSD versions < 5 (__FreeBSD_version < 500000)
2009-09-17 03:03:10 +00:00
david
577a1be0e7 Merge from svn://svn.insecure.org/nmap-exp/david/nmap-traceroute. This
brings in a new, faster, parallel version of traceroute.
2009-09-17 00:03:46 +00:00
david
3833d31ed6 Be more robust in parsing /proc/net/route. Check for a missing interface
name. If the destination is missing, ignore that line and continue with
the next line rather than giving up on the whole file. Patch by Ankur
Nandwani.
2009-09-07 22:04:56 +00:00
david
d99e5ec7ea Cast struct ifconf.ifc_buf to (char *) to fix a compiler error on
NetBSD, where that member has type void *. Jay Fink reported the
problem.
2009-08-31 18:55:57 +00:00
david
8605f18da4 Normalize indentation and whitespace in tcpip.cc with
indent -kr -i2 -nut -brf tcpip.cc
followed by manual adjustment.
2009-08-29 02:44:00 +00:00
david
cd5010893e Adapt part of the code I missed in r15354; the code for an address mask
request did take into account the size of the u32 in pointer
arithmetic, so it had to be changed with the change to u8.
2009-08-29 01:50:31 +00:00
david
02c9cf42f7 Fix some pointer arithmetic in build_icmp_raw. There were two bugs. The
first is a pointer was kept to the beginning of the packet payload, and
it was increased based on the varying size of the ICMP header. But its
type was pointer to u32 instead of pointer to u8, so the expression
datastart += 12 actually increased the pointer by 48 bytes, leaving
garbage in the first 36 bytes of the payload and making it possible for
the buffer to overflow. The second was that the remaining space left in
the buffer was not decreased when the datastart was increased, again
making it possible to overflow. I got a reliable segmentation fault with
the command
nmap -PP 1.2.3.4 --data-length 1480
2009-08-29 01:45:28 +00:00
luis
a5ca31db9e Replaced nmap's hex dump functions with new hexdump() included in nbase. Before,
Nmap used two functions: one of them, hdump(), just printed raw hex bytes
(no ASCII equivalents) and the other one, lamont_hdump(), had a bug when
printing buffers where bufflen%16==3. A new function has been implemented
from scratch, that basically produces the same output as Wireshark.
Output looks like this:

0000   e8 60 65 86 d7 86 6d 30  35 97 54 87 ff 67 05 9e  .`e...m05.T..g..
0010   07 5a 98 c0 ea ad 50 d2  62 4f 7b ff e1 34 f8 fc  .Z....P.bO{..4..
0020   c4 84 0a 6a 39 ad 3c 10  63 b2 22 c4 24 40 f4 b1  ...j9.<.c.".$@..

Changes:

- The new hexdump() function has been added to nbase.
- Old hdump() and lamont_hdump() have been removed from nmap's code.
- A wrapper to the new hexdump(), called nmap_hexdump(), has been added
  to nmap's utils.cc. The wrapper basically prints the buffer returned
  by hexdump() using nmap's log_write() function.
2009-08-25 18:09:19 +00:00
david
f09c8091a4 Avoid doing a calculation with an uninitialized tv_start if no timeout
has been specified.
2009-08-24 21:32:01 +00:00
david
cfeb9d6563 fclose the /proc/net/route file handle after reading routes from it. 2009-08-24 21:07:47 +00:00
david
7194d27631 Fix a logic error in getinterfaces_siocgifconf. The check for increasing
the capacity of the list of interfaces was off by one. This caused a
crash on initialization for systems with more than 16 network
interfaces.
2009-07-28 22:34:48 +00:00
david
eac15cb919 Apply a patch by Dmitry Levin that uses a network interface's full name,
including alias extension, in several places to avoid this error message
when an alias has an IP address but the primary interface doesn't:
Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned
The patch also considers an interface alias if the primary interface
does not appear in the list of interfaces (perhaps because it does not
have an IP address assigned) when building the table of routes.
2009-07-27 19:01:58 +00:00
david
a88bda3d78 Make it a warning, not a fatal error, when we can't get the hardware address
for an interface, and skip the interface. The warning looks like

Warning: Unable to get hardware address for interface %s -- skipping it.

This happens when a FireWire interface (fw*) has an address configured on Mac
OS X. Previously Nmap would die in getinterfaces so it wasn't even possible to
scan over the other interfaces.
2009-07-20 18:59:58 +00:00
david
871629626e Simplify and comment getinterfaces_siocgifconf to make its structure
more clear: We call several different ioctls on each interface and use
the results to populate the interface_info array.
2009-07-09 00:09:25 +00:00
david
1d5f68a080 Remove a bogus leftover use of a valid pointer as a throwaway variable
in getinterfaces. This was the cause of an overlapping memcpy reported
at http://seclists.org/nmap-dev/2009/q2/0713.html.

In the code, sin is a pointer that holds the address of the IP address
configured for an interface. It is copied into a tmpifr.ifr_addr before
each ioctl, perhaps because that is required on some platforms even
though on Linux only ifr_name is needed by the ioctl. When the ioctl
returns, it overwrites whatever was in ifr_addr because that member is
in a union, so sin is kept in order to restore the address again before
the next ioctl.

In the code that handles SIOCGIFNETMASK, sin was mistakenly used as a
temporary pointer and redirected to &tmpifr.ifr_addr. This caused all
future memcpys before ioctl to copy tmpifr.ifr_addr to itself, rather
than copying in the IP address of the interface.

The throwaway sin assignment was not even used; the code that used it
was modified in r2751. So now we just keep sin pointing where it should
the whole time.
2009-07-08 23:09:35 +00:00
david
be55765315 Break up the getinterfaces function, which did one thing for Windows and
another thing otherwise in a big if/else. Now getinterfaces just does
caching and getinterfaces_dnet or getinterfaces_siocgifconf does the
actual interface lookup.
2009-07-08 21:42:03 +00:00
luis
2b4e4e7a8d Fixed a bug in devname2ipaddr(). The IP returned by the function was always 2.0.0.0 due to an error handling a pointer. Check http://seclists.org/nmap-dev/2009/q3/0047.html for detailed information. Also, devname2ipaddr() now makes sure we are dealing with AF_INET devices (currently the getinterfaces() function already skips non AF_INET interfaces, but this way it won't break if that changes in the future.) 2009-07-07 14:37:19 +00:00
david
9cbde2f3a0 Factor out Ethernet and socket sending function to avoid a big if-else
in send_ip_packet.
2009-07-03 18:52:54 +00:00
david
7eb63c1c2d On some BSD systems, we have to byte-swap the ip_len and ip_off fields before
sending. In send_ip_packet, unswap them after sending so that the buffer is
returned unmodified. Do the packet trace after unswapping the values so that
the correct length and fragmentation offset are reported. On Mac OS X, an
ip_len of 60 (0x003c) was being reported as 15360 (0x3c00) and when ip_off had
the DF flag set (0x4000), it looked like a fragmentation offset of 512
(0x0040 * 8).
2009-07-03 18:27:31 +00:00
david
a4c92f83e7 Use the preprocessor defines IP_DF and IP_OFFMASK instead of literal
0x4000 and 8191.
2009-07-03 18:11:15 +00:00
daniel
50830f7488 o Added initial SCTP port scanning support to Nmap. SCTP is
  a layer 4 protocol used mostly for telephony related applications.
  This brings the following new features:
  o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
    chunk, closed ones an ABORT chunk.  This is the SCTP equivalent
    of a TCP SYN stealth scan.
  o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
    closed ports return an ABORT chunk.
  o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
    INIT chunk packets.
  o SCTP-specific IP protocol scan (-sO -p sctp).
  o SCTP-specific traceroute support (--traceroute).
  o The ability to use the deprecated Adler32 algorithm as specified
    in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
  o 42 well-known SCTP ports were added to the nmap-services file.
  Part of the work on SCTP support was kindly sponsored by
  Compass Security AG, Switzerland.  [Daniel Roethlisberger]
2009-06-03 23:15:45 +00:00
david
4308302f7d Update the error message shown when attempting to scan an interface
address on Solaris. The Solaris error message was
	/dev/lo: No such file or directory
but apparently it can also be
	lo0: No DLPI device found
Also changed the message to say that it can happen when scanning any
interface address, not just localhost. The new error message was lately
reported by Dom De Vitto.

http://seclists.org/nmap-dev/2006/q2/0127.html
http://seclists.org/nmap-dev/2009/q1/0853.html
2009-05-11 22:31:48 +00:00
fyodor
d0e21e1d03 Suggest that people send patches to nmap-dev rather than to me directly 2009-04-15 00:37:03 +00:00
fyodor
eccc235d5a Increase copyright year to 2009, simplify/reword some derivative works text, and remove a confusing clause about selling proprietary front-ends to Nmap 2009-03-31 04:16:12 +00:00
david
970a75edcf Display a warning if we can't read the first line (column headers) of
/proc/net/route. This also silences a _FORTIFY_SOURCE warning.
2009-01-23 21:59:22 +00:00
david
af1ccf0cfe Patch from jah: Move the definition of struct dnet_collector_route_nfo earlier
in tcpip.cc for the WIN32 functions that need it.
2009-01-04 15:08:12 +00:00
david
46378a0dfd Rearrange the dnet route functions so they are all together, add a function
comment.
2009-01-01 19:33:19 +00:00
david
adab33deb9 Split out the assignment of interfaces to routes into a postprocessing step. We
need to have all the routes available before assigning interfaces to handle a
situation like the following:

# nmap --iflist
************************INTERFACES************************
DEV  (SHORT) IP/MASK        TYPE        UP MAC
lo0  (lo0)   127.0.0.1/8    loopback    up
ppp0 (ppp0)  YY.YY.YY.YY/16 point2point up

# netstat -rn
Destination  Gateway      Flags  Refs  Use  Netif Expire
default      XX.XX.XX.XX  UGSc      7   16   ppp0
XX.XX.XX.XX  YY.YY.YY.YY  UH        8    0   ppp0

Here the second route can be matched up immediately with the ppp0 device,
because the YY.YY.YY.YY gateway address matches the YY.YY.YY.YY/16 IP and mask
of ppp0. But the first route (default) needs to go through the second route in
order to find its interface. So we don't reject the default route immediately,
but save it and try to match it with an interface after all routes have been
found. See http://seclists.org/nmap-dev/2008/q4/0576.html for more information.
2009-01-01 19:29:44 +00:00
david
9f7cffc025 Refactor getsysroutes. It had two ways to get routes: by reading
/proc/net/route and with libdnet. I split those into two separate functions.
2009-01-01 16:45:55 +00:00
kris
5be831f06f o Fixed a bug in the IP validation code which would have let a specially
  crafted reply sent from a host on the same LAN slip through and cause
  Nmap to segfault.  Thanks to ithilgore of sock-raw.homeunix.org for
  the very detailed bug report. [Kris]
2008-11-21 16:17:11 +00:00
david
854a04b21c Add a guard against getaddrinfo returning no addresses in tcpip.cc. 2008-09-04 14:41:59 +00:00