targets.cc

From "Ubuntu packages of security software。 相" · CC code · 1,812 lines total · page 1 of 5

/***************************************************************************
 * targets.cc -- Functions relating to "ping scanning" as well as          *
 * determining the exact IPs to hit based on CIDR and other input          *
 * formats.                                                                *
 *                                                                         *
 ***********************IMPORTANT NMAP LICENSE TERMS************************
 *                                                                         *
 * The Nmap Security Scanner is (C) 1996-2006 Insecure.Com LLC. Nmap is    *
 * also a registered trademark of Insecure.Com LLC.  This program is free  *
 * software; you may redistribute and/or modify it under the terms of the  *
 * GNU General Public License as published by the Free Software            *
 * Foundation; Version 2 with the clarifications and exceptions described  *
 * below.  This guarantees your right to use, modify, and redistribute     *
 * this software under certain conditions.  If you wish to embed Nmap      *
 * technology into proprietary software, we sell alternative licenses      *
 * (contact sales@insecure.com).  Dozens of software vendors already       *
 * license Nmap technology such as host discovery, port scanning, OS       *
 * detection, and version detection.                                       *
 *                                                                         *
 * Note that the GPL places important restrictions on "derived works", yet *
 * it does not provide a detailed definition of that term.  To avoid       *
 * misunderstandings, we consider an application to constitute a           *
 * "derivative work" for the purpose of this license if it does any of the *
 * following:                                                              *
 * o Integrates source code from Nmap                                      *
 * o Reads or includes Nmap copyrighted data files, such as                *
 *   nmap-os-fingerprints or nmap-service-probes.                          *
 * o Executes Nmap and parses the results (as opposed to typical shell or  *
 *   execution-menu apps, which simply display raw Nmap output and so are  *
 *   not derivative works.)                                                *
 * o Integrates/includes/aggregates Nmap into a proprietary executable     *
 *   installer, such as those produced by InstallShield.                   *
 * o Links to a library or executes a program that does any of the above   *
 *                                                                         *
 * The term "Nmap" should be taken to also include any portions or derived *
 * works of Nmap.  This list is not exclusive, but is just meant to        *
 * clarify our interpretation of derived works with some common examples.  *
 * These restrictions only apply when you actually redistribute Nmap.  For *
 * example, nothing stops you from writing and selling a proprietary       *
 * front-end to Nmap.  Just distribute it by itself, and point people to   *
 * http://insecure.org/nmap/ to download Nmap.                             *
 *                                                                         *
 * We don't consider these to be added restrictions on top of the GPL, but *
 * just a clarification of how we interpret "derived works" as it applies  *
 * to our GPL-licensed Nmap product.  This is similar to the way Linus     *
 * Torvalds has announced his interpretation of how "derived works"        *
 * applies to Linux kernel modules.  Our interpretation refers only to     *
 * Nmap - we don't speak for any other GPL products.                       *
 *                                                                         *
 * If you have any questions about the GPL licensing restrictions on using *
 * Nmap in non-GPL works, we would be happy to help.  As mentioned above,  *
 * we also offer alternative license to integrate Nmap into proprietary    *
 * applications and appliances.  These contracts have been sold to dozens  *
 * of software vendors, and generally include a perpetual license as well  *
 * as providing for priority support and updates as well as helping to     *
 * fund the continued development of Nmap technology.  Please email        *
 * sales@insecure.com for further information.                             *
 *                                                                         *
 * As a special exception to the GPL terms, Insecure.Com LLC grants        *
 * permission to link the code of this program with any version of the     *
 * OpenSSL library which is distributed under a license identical to that  *
 * listed in the included Copying.OpenSSL file, and distribute linked      *
 * combinations including the two. You must obey the GNU GPL in all        *
 * respects for all of the code used other than OpenSSL.  If you modify    *
 * this file, you may extend this exception to your version of the file,   *
 * but you are not obligated to do so.                                     *
 *                                                                         *
 * If you received these files with a written license agreement or         *
 * contract stating terms other than the terms above, then that            *
 * alternative license agreement takes precedence over these comments.     *
 *                                                                         *
 * Source is provided to this software because we believe users have a     *
 * right to know exactly what a program is going to do before they run it. *
 * This also allows you to audit the software for security holes (none     *
 * have been found so far).                                                *
 *                                                                         *
 * Source code also allows you to port Nmap to new platforms, fix bugs,    *
 * and add new features.  You are highly encouraged to send your changes   *
 * to fyodor@insecure.org for possible incorporation into the main         *
 * distribution.  By sending these changes to Fyodor or one the            *
 * Insecure.Org development mailing lists, it is assumed that you are      *
 * offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
 * to reuse, modify, and relicense the code.  Nmap will always be          *
 * available Open Source, but this is important because the inability to   *
 * relicense code has caused devastating problems for other Free Software  *
 * projects (such as KDE and NASM).  We also occasionally relicense the    *
 * code to third parties as discussed above.  If you wish to specify       *
 * special license conditions of your contributions, just say so when you  *
 * send them.                                                              *
 *                                                                         *
 * This program is distributed in the hope that it will be useful, but     *
 * WITHOUT ANY WARRANTY; without even the implied warranty of              *
 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU       *
 * General Public License for more details at                              *
 * http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included  *
 * with Nmap.                                                              *
 *                                                                         *
 ***************************************************************************/

/* $Id: targets.cc 4198 2006-11-19 09:35:26Z fyodor $ */

#include "targets.h"
#include "timing.h"
#include "osscan.h"
#include "NmapOps.h"
#include "TargetGroup.h"
#include "Target.h"
#include "scan_engine.h"
#include "nmap_dns.h"
#include "nmap_tty.h"

using namespace std;
extern NmapOps o;
enum pingstyle { pingstyle_unknown, pingstyle_rawtcp, pingstyle_rawudp, pingstyle_connecttcp,
                 pingstyle_icmp };

/* Gets the host number (index) of target in the hostbatch array of
 pointers.  Note that the target MUST EXIST in the array or all
 heck will break loose. */
static inline int gethostnum(Target *hostbatch[], Target *target) {
  int i = 0;
  do {
    if (hostbatch[i] == target)
      return i;
  } while(++i);

  fatal("fluxx0red");
  return 0; // Unreached
}

char *readhoststate(int state) {
  switch(state) {
  case HOST_UP:
    return "HOST_UP";
  case HOST_DOWN:
    return "HOST_DOWN";
  case HOST_FIREWALLED:
    return "HOST_FIREWALLED";
  default:
    return "UNKNOWN/COMBO";
  }
  return NULL;
}

/* Internal function to update the state of machine (up/down/etc) based on
   ping results */
static int hostupdate(Target *hostbatch[], Target *target,
                      int newstate, int dotimeout, int trynum,
                      struct timeout_info *to, struct timeval *sent,
                      struct timeval *rcvd,
                      struct pingtune *pt, struct tcpqueryinfo *tqi,
                      enum pingstyle style)
{
  int hostnum = gethostnum(hostbatch, target);
  int i;
  int p;
  int seq;
  int tmpsd;
  struct timeval tv;

  if (o.debugging)  {
    gettimeofday(&tv, NULL);
    log_write(LOG_STDOUT, "Hostupdate called for machine %s state %s -> %s (trynum %d, dotimeadj: %s time: %ld)\n", target->targetipstr(), readhoststate(target->flags), readhoststate(newstate), trynum, (dotimeout)? "yes" : "no", (long) TIMEVAL_SUBTRACT(tv, *sent));
  }

  assert(hostnum <= pt->group_end);

  if (dotimeout) {
    if (!rcvd) {
      rcvd = &tv;
      gettimeofday(&tv, NULL);
    }
    adjust_timeouts2(sent, rcvd, to);
  }

  /* If this is a tcp connect() pingscan, close all sockets */

  if (style == pingstyle_connecttcp) {
    seq = hostnum * pt->max_tries + trynum;
    for(p=0; p < o.num_ping_synprobes; p++) {
      for(i=0; i <= pt->block_tries; i++) {
        seq = hostnum * pt->max_tries + i;
        tmpsd = tqi->sockets[p][seq];
        if (tmpsd >= 0) {
          assert(tqi->sockets_out > 0);
          tqi->sockets_out--;
          close(tmpsd);
          if (tmpsd == tqi->maxsd) tqi->maxsd--;
          FD_CLR(tmpsd, &(tqi->fds_r));
          FD_CLR(tmpsd, &(tqi->fds_w));
          FD_CLR(tmpsd, &(tqi->fds_x));
          tqi->sockets[p][seq] = -1;
        }
      }
    }
  }

  target->to = *to;

  if (target->flags & HOST_UP) {
    /* The target is already up and that takes precedence over HOST_DOWN
       or HOST_FIREWALLED, so we just return. */
    return 0;
  }

  if (trynum > 0 && !(pt->dropthistry)) {
    pt->dropthistry = 1;
    if (o.debugging)
      log_write(LOG_STDOUT, "Decreasing massping group size from %f to ", pt->group_size);
    pt->group_size = MAX(pt->group_size * 0.75, pt->min_group_size);
    if (o.debugging)
      log_write(LOG_STDOUT, "%f\n", pt->group_size);
  }

  if (newstate == HOST_DOWN && (target->flags & HOST_DOWN)) {
    /* I see nothing to do here */
  } else if (newstate == HOST_UP && (target->flags & HOST_DOWN)) {
  /* We give host_up precedence */
    target->flags &= ~HOST_DOWN; /* Kill the host_down flag */
    target->flags |= HOST_UP;
    if (hostnum >= pt->group_start) {
      /* The pt->block_tries was added because it is possible for a
         host to be marked down in the first block try, then
         down_this_block will be reset to 0 for the next try, in which
         a late packet could cause the box to be marked up.  In that
         case, down_this_block could legitimately be 0. */
      assert(pt->block_tries > 0 || pt->down_this_block > 0);
      if (pt->down_this_block > 0)
        pt->down_this_block--;
      pt->up_this_block++;
    }
  } else if (newstate == HOST_DOWN) {
    target->flags |= HOST_DOWN;
    assert(pt->block_unaccounted > 0);
    if (hostnum >= pt->group_start) {
      pt->down_this_block++;
      pt->block_unaccounted--;
      pt->num_responses++;
    }
  } else {
    assert(newstate == HOST_UP);
    target->flags |= HOST_UP;
    assert(pt->block_unaccounted > 0);
    if (hostnum >= pt->group_start) {
      pt->up_this_block++;
      pt->block_unaccounted--;
      pt->num_responses++;
    }
  }
  return 0;
}

/* Conducts an ARP ping sweep of the given hosts to determine which ones
   are up on a local ethernet network */
static void arpping(Target *hostbatch[], int num_hosts,
                    struct scan_lists *ports) {
  /* First I change hostbatch into a vector<Target *>, which is what ultra_scan
     takes.  I remove hosts that cannot be ARP scanned (such as localhost) */
  vector<Target *> targets;
  int targetno;
  targets.reserve(num_hosts);

  for(targetno = 0; targetno < num_hosts; targetno++) {
    initialize_timeout_info(&hostbatch[targetno]->to);
    /* Default timout should be much lower for arp */
    hostbatch[targetno]->to.timeout = MIN(o.initialRttTimeout(), 100) * 1000;
    if (!hostbatch[targetno]->SrcMACAddress()) {
      bool islocal = islocalhost(hostbatch[targetno]->v4hostip());
      if (islocal) {
        log_write(LOG_STDOUT|LOG_NORMAL,
                  "ARP ping: Considering %s UP because it is a local IP, despite no MAC address for device %s\n",
                  hostbatch[targetno]->NameIP(), hostbatch[targetno]->deviceName());
        hostbatch[targetno]->flags &= ~(HOST_DOWN|HOST_FIREWALLED);
        hostbatch[targetno]->flags |= HOST_UP;
      } else {
        log_write(LOG_STDOUT|LOG_NORMAL,
                  "ARP ping: Considering %s DOWN because no MAC address found for device %s.\n",
                  hostbatch[targetno]->NameIP(),
                  hostbatch[targetno]->deviceName());
        hostbatch[targetno]->flags &= ~HOST_FIREWALLED;
        hostbatch[targetno]->flags |= HOST_DOWN;
      }
      continue;
    }
    targets.push_back(hostbatch[targetno]);
  }
  if (!targets.empty())
    ultra_scan(targets, ports, PING_SCAN_ARP);
  return;
}

static void hoststructfry(Target *hostbatch[], int nelem) {
  genfry((unsigned char *)hostbatch, sizeof(Target *), nelem);
  return;
}

/* Returns the last host obtained by nexthost.  It will be given again the next
   time you call nexthost(). */
void returnhost(HostGroupState *hs) {
  assert(hs->next_batch_no > 0);
  hs->next_batch_no--;
}

/* Is the host passed as Target to be excluded, much of this logic had  (mdmcl)
 * to be rewritten from wam's original code to allow for the objects */
static int hostInExclude(struct sockaddr *checksock, size_t checksocklen,
                         TargetGroup *exclude_group) {
  unsigned long tmpTarget; /* ip we examine */
  int i=0;                 /* a simple index */
  char targets_type;       /* what is the address type of the Target Group */
  struct sockaddr_storage ss;
  struct sockaddr_in *sin = (struct sockaddr_in *) &ss;
  size_t slen;             /* needed for funct but not used */
  unsigned long mask = 0;  /* our trusty netmask, which we convert to nbo */
  struct sockaddr_in *checkhost;

  if ((TargetGroup *)0 == exclude_group)
    return 0;

  assert(checksocklen >= sizeof(struct sockaddr_in));
  checkhost = (struct sockaddr_in *) checksock;
  if (checkhost->sin_family != AF_INET)
    checkhost = NULL;

  /* First find out what type of addresses are in the target group */
  targets_type = exclude_group[i].get_targets_type();

  /* Lets go through the targets until we reach our uninitialized placeholder */
  while (exclude_group[i].get_targets_type() != TargetGroup::TYPE_NONE)
  {
    /* while there are still hosts in the target group */
    while (exclude_group[i].get_next_host(&ss, &slen) == 0) {
      tmpTarget = sin->sin_addr.s_addr;

      /* For Netmasks simply compare the network bits and move to the next
       * group if it does not compare, we don't care about the individual addrs */
      if (targets_type == TargetGroup::IPV4_NETMASK) {
        mask = htonl((unsigned long) (0-1) << 32-exclude_group[i].get_mask());
        if ((tmpTarget & mask) == (checkhost->sin_addr.s_addr & mask)) {
          exclude_group[i].rewind();
          return 1;
        }
        else {
          break;
        }
      }
      /* For ranges we need to be a little more slick, if we don't find a match
       * we should skip the rest of the addrs in the octet, thank wam for this
       * optimization */
      else if (targets_type == TargetGroup::IPV4_RANGES) {
        if (tmpTarget == checkhost->sin_addr.s_addr) {
          exclude_group[i].rewind();
          return 1;
        }
        else { /* note these are in network byte order */
          if ((tmpTarget & 0x000000ff) != (checkhost->sin_addr.s_addr & 0x000000ff))
            exclude_group[i].skip_range(TargetGroup::FIRST_OCTET);
          else if ((tmpTarget & 0x0000ff00) != (checkhost->sin_addr.s_addr & 0x0000ff00))
            exclude_group[i].skip_range(TargetGroup::SECOND_OCTET);
          else if ((tmpTarget & 0x00ff0000) != (checkhost->sin_addr.s_addr & 0x00ff0000))
