targets.cc

来自「Ubuntu packages of security software。 相」· CC 代码 · 共 1,812 行 · 第 1/5 页

  pt.seq_offset = get_random_u16(); // For distinguishing between received packets from this execution vs. concurrent nmaps

  /* What port should we send from? */
  if (o.magic_port_set) sportbase = o.magic_port;
  else sportbase = o.magic_port + 20;

  /* What kind of scans are we doing? */
  if ((pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS)) && 
      hostbatch[0]->v4source().s_addr) 
    ptech.rawicmpscan = 1;
  else if (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS)) 
    ptech.icmpscan = 1;
  if (pingtype & PINGTYPE_UDP) 
    ptech.rawudpscan = 1;
  if (pingtype & PINGTYPE_TCP) {
    if (o.isr00t && o.af() == AF_INET)
      ptech.rawtcpscan = 1;
    else ptech.connecttcpscan = 1;
  }

  probes_per_host = 0;
  if (pingtype & PINGTYPE_ICMP_PING) probes_per_host++;
  if (pingtype & PINGTYPE_ICMP_MASK) probes_per_host++;
  if (pingtype & PINGTYPE_ICMP_TS) probes_per_host++;
  probes_per_host += o.num_ping_synprobes + o.num_ping_ackprobes + o.num_ping_udpprobes;

  pt.min_group_size = MAX(3, MAX(o.min_parallelism, 16) / probes_per_host);

  /* I think max_parallelism mostly relates to # of probes in parallel against
     a single machine.  So I only use it to go down to 15 here */
  pt.group_size = (o.max_parallelism)? MIN(MAX(o.max_parallelism,15), gsize) : gsize;
  /* Make sure we have at least the minimum parallelism level */
  pt.group_size = MAX(pt.group_size, o.min_parallelism);
  /* Reduce the group size proportionally to number of probes sent per host */
  pt.group_size = MAX(pt.min_group_size, 0.9999 + pt.group_size / probes_per_host);
  max_block_size /= probes_per_host;

  /* TODO: I need to move ping scanning to ultra_scan or fix this
     function to handle scan_delay the way ultra scan does (limit the
     amount of time between probes sent to the SAME machine.  This func
     does the opposite -- sends same-box probes immediately and waits to
     go on to the next machine. */
  if (o.scan_delay > 1000) {
    pt.group_size = max_block_size = 1;
  }

  time = (struct timeval *) safe_zalloc(sizeof(struct timeval) * ((pt.max_tries) * num_hosts));
  id = (unsigned short) get_random_uint();

  if (ptech.connecttcpscan)  {
    /* I think max_parallelism mostly relates to # of probes in parallel against
       a given machine.  So I won't go below 15 here because of it */
    max_sockets = MAX(1, max_sd() - 4);
    if (o.max_parallelism) {
      max_block_size = MIN(50, MAX(o.max_parallelism, 15) / probes_per_host);
    } else {
      max_block_size = MIN(50, max_sockets / probes_per_host);
    }
    max_block_size = MAX(1, max_block_size);
    if (o.scan_delay > 1000)
      max_block_size = 1;
    pt.group_size = MIN(pt.group_size, max_block_size);
    memset((char *)&tqi, 0, sizeof(tqi));

    for(p=0; p < o.num_ping_synprobes; p++) {
      tqi.sockets[p] = (int *) safe_malloc(sizeof(int) * (pt.max_tries) * num_hosts);
      memset(tqi.sockets[p], 255, sizeof(int) * (pt.max_tries) * num_hosts);
    }
    FD_ZERO(&(tqi.fds_r));
    FD_ZERO(&(tqi.fds_w));
    FD_ZERO(&(tqi.fds_x));
    tqi.sockets_out = 0;
    tqi.maxsd = 0;
  }

  if (ptech.icmpscan) {
    sd = socket(AF_INET, SOCK_RAW, IPPROTO_ICMP);
    if (sd < 0) pfatal("Socket trouble in massping"); 
    unblock_socket(sd);
#ifndef WIN32
    sethdrinclude(sd);
#endif
    sd_blocking = 0;
    if (num_hosts > 10)
      max_rcvbuf(sd);
    broadcast_socket(sd);
  } else sd = -1;


  /* if to timeout structure hasn't been initialized yet */
  if (!to.srtt && !to.rttvar && !to.timeout) {
    /*  to.srtt = 800000;
	to.rttvar = 500000; */ /* we will init these when we get real data */
    initialize_timeout_info(&to);
  }

  /* Init our raw socket */
  if (o.numdecoys > 1 || ptech.rawtcpscan || ptech.rawicmpscan || ptech.rawudpscan) {
    if ((o.sendpref & PACKET_SEND_ETH) && hostbatch[0]->ifType() == devt_ethernet) {
      /* We'll send ethernet packets with dnet */
      ethsd = eth_open_cached(hostbatch[0]->deviceName());
      if (ethsd == NULL)
	fatal("dnet: Failed to open device %s", hostbatch[0]->deviceName());
      rawsd = -1; rawpingsd = -1;
    } else {
      if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
	pfatal("socket troubles in massping");
      broadcast_socket(rawsd);
#ifndef WIN32
      sethdrinclude(rawsd);
#endif

      if ((rawpingsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
	pfatal("socket troubles in massping");
      broadcast_socket(rawpingsd);
#ifndef WIN32
      sethdrinclude(rawpingsd);
#endif
    }
  } else { rawsd = -1; rawpingsd = -1; }

  if (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan) {
    /* we need a pcap descript0r! */
    /* MAX snaplen needed = 
       24 bytes max link_layer header
       64 bytes max IPhdr
       16 bytes of the TCP header
       ---
       = 104 byte snaplen */
    pd = my_pcap_open_live(hostbatch[0]->deviceName(), 104, o.spoofsource, pcap_selectable_fd_valid()? 200 : 15);

    snprintf(filter, sizeof(filter), "(icmp and dst host %s) or ((tcp or udp) and dst host %s and ( dst port %d or dst port %d or dst port %d or dst port %d or dst port %d))", 
	     inet_ntoa(hostbatch[0]->v4source()),
	     inet_ntoa(hostbatch[0]->v4source()),
	     sportbase , sportbase + 1, sportbase + 2, sportbase + 3, 
	     sportbase + 4);

    set_pcap_filter(hostbatch[0]->deviceName(), pd, filter); 
  }

  blockinc = (int) (0.9999 + 8.0 / probes_per_host);

  memset((char *)&sock,0,sizeof(sock));
  gettimeofday(&start, NULL);

  pt.group_end = (int) MIN(pt.group_start + pt.group_size -1, num_hosts -1);
 
  while(pt.group_start < num_hosts) { /* while we have hosts left to scan */
    do { /* one block */
      pt.up_this_block = 0;
      pt.down_this_block = 0;
      pt.block_unaccounted = 0;

      /* Sometimes a group gets too big for the network path and a
	 router (especially things like cable/DSL modems) will drop our
	 packets after a certain number have been sent.  If we just
	 retry the exact same group, we are likely to get exactly the
	 same behavior (missing later hosts).  So we reverse the order
	 for each try */
      direction = (pt.block_tries % 2 == 0)? 1 : -1;
      if (direction == 1) { group_start = pt.group_start; group_end = pt.group_end; }
      else { group_start = pt.group_end; group_end = pt.group_start; }
      for(hostnum = group_start; hostnum != group_end + direction; hostnum += direction) {      
	/* If (we don't know whether the host is up yet) ... */
	if (!(hostbatch[hostnum]->flags & HOST_UP) && !hostbatch[hostnum]->wierd_responses && !(hostbatch[hostnum]->flags & HOST_DOWN)) {  
	  /* Send a ping queries to it */
	  seq = hostnum * pt.max_tries + pt.block_tries + pt.seq_offset;
	  if (ptech.icmpscan && !sd_blocking) { 
	    block_socket(sd); sd_blocking = 1; 
	  }
	  pt.block_unaccounted++;
	  gettimeofday(&time[(seq - pt.seq_offset) & 0xFFFF], NULL);

	  if (ptech.icmpscan || ptech.rawicmpscan)
	    sendpingqueries(sd, rawpingsd, ethsd, hostbatch[hostnum],  
			    seq, id, &ss, time, pingtype, ptech);
       
	  if (ptech.rawtcpscan || ptech.rawudpscan) 
	    sendrawtcpudppingqueries(rawsd, ethsd, hostbatch[hostnum], pingtype, seq, time, &pt);

	  else if (ptech.connecttcpscan) {
	    sendconnecttcpqueries(hostbatch, &tqi, hostbatch[hostnum], seq, time, &pt, &to, max_sockets);
	  }
	}
      } /* for() loop */
      /* OK, we have sent our ping packets ... now we wait for responses */
      gettimeofday(&begin_select, NULL);
      do {
	if (ptech.icmpscan && sd_blocking ) { 
	  unblock_socket(sd); sd_blocking = 0; 
	}
	if(ptech.icmpscan || ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan) {       
	  get_ping_results(sd, pd, hostbatch, pingtype, time, &pt, &to, id, 
			   &ptech, ports);
	}
	if (ptech.connecttcpscan) {
	  get_connecttcpscan_results(&tqi, hostbatch, time, &pt, &to);
	}
	gettimeofday(&end, NULL);
	elapsed_time = TIMEVAL_SUBTRACT(end, begin_select);
      } while( elapsed_time < to.timeout);
      /* try again if a new box was found but some are still unaccounted for and
	 we haven't run out of retries.  Always retry at least once.
      */
      pt.dropthistry = 0;
      pt.block_tries++;
    } while ((pt.up_this_block > 0 || pt.block_tries == 1) && pt.block_unaccounted > 0 && pt.block_tries < pt.max_tries);

    if (o.debugging)
      log_write(LOG_STDOUT, "Finished block: srtt: %d rttvar: %d timeout: %d block_tries: %d up_this_block: %d down_this_block: %d group_sz: %d\n", to.srtt, to.rttvar, to.timeout, pt.block_tries, pt.up_this_block, pt.down_this_block, pt.group_end - pt.group_start + 1);

    if (pt.block_tries == 2 && pt.up_this_block == 0 && pt.down_this_block == 0)
      /* Then it did not miss any hosts (that we know of)*/
      pt.group_size = MIN(pt.group_size + blockinc, max_block_size);
   
    /* Move to next block */
    pt.block_tries = 0;
    pt.group_start = pt.group_end +1;
    pt.group_end = (int) MIN(pt.group_start + pt.group_size -1, num_hosts -1);
    /*   pt.block_unaccounted = pt.group_end - pt.group_start + 1;   */
  }

  if (sd >= 0) close(sd);
  if (ptech.connecttcpscan)
    for(p=0; p < o.num_ping_synprobes; p++)
      free(tqi.sockets[p]);
  if (sd >= 0) close(sd);
  if (rawsd >= 0) close(rawsd);
  if (rawpingsd >= 0) close(rawpingsd);
  /* No need to close ethsd due to caching */
  free(time);
  if (pd) pcap_close(pd);
  if (o.debugging) 
    log_write(LOG_STDOUT, "massping done:  num_hosts: %d  num_responses: %d\n", num_hosts, pt.num_responses);
  gsize = pt.group_size;
  return;
}

Target *nexthost(HostGroupState *hs, TargetGroup *exclude_group,
			    struct scan_lists *ports, int *pingtype) {
int hidx = 0;
int i;
struct sockaddr_storage ss;
size_t sslen;
struct intf_entry *ifentry;
 u32 ifbuf[200] ;
 struct route_nfo rnfo;
 bool arpping_done = false;
 struct timeval now;

 ifentry = (struct intf_entry *) ifbuf; 
 ifentry->intf_len = sizeof(ifbuf); // TODO: May want to use a larger buffer if interface aliases prove important.
if (hs->next_batch_no < hs->current_batch_sz) {
  /* Woop!  This is easy -- we just pass back the next host struct */
  return hs->hostbatch[hs->next_batch_no++];
}
/* Doh, we need to refresh our array */
/* for(i=0; i < hs->max_batch_sz; i++) hs->hostbatch[i] = new Target(); */

hs->current_batch_sz = hs->next_batch_no = 0;
do {
  /* Grab anything we have in our current_expression */
  while (hs->current_batch_sz < hs->max_batch_sz && 
	 hs->current_expression.get_next_host(&ss, &sslen) == 0)
    {
      if (hostInExclude((struct sockaddr *)&ss, sslen, exclude_group)) {
	continue; /* Skip any hosts the user asked to exclude */
      }
      hidx = hs->current_batch_sz;
      hs->hostbatch[hidx] = new Target();
      hs->hostbatch[hidx]->setTargetSockAddr(&ss, sslen);

      /* We figure out the source IP/device IFF
	 1) We are r00t AND
	 2) We are doing tcp or udp pingscan OR
	 3) We are doing a raw-mode portscan or osscan OR
	 4) We are on windows and doing ICMP ping */
      if (o.isr00t && o.af() == AF_INET && 
	  ((*pingtype & (PINGTYPE_TCP|PINGTYPE_UDP|PINGTYPE_ARP)) || o.RawScan()
#ifdef WIN32
	   || (*pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS))
#endif // WIN32
	   )) {
	hs->hostbatch[hidx]->TargetSockAddr(&ss, &sslen);
	if (!route_dst(&ss, &rnfo)) {
	  fatal("%s: failed to determine route to %s", __FUNCTION__, hs->hostbatch[hidx]->NameIP());
	}
	if (rnfo.direct_connect) {
	  hs->hostbatch[hidx]->setDirectlyConnected(true);
	} else {
	  hs->hostbatch[hidx]->setDirectlyConnected(false);
	  hs->hostbatch[hidx]->setNextHop(&rnfo.nexthop, 
					  sizeof(rnfo.nexthop));
	}
	hs->hostbatch[hidx]->setIfType(rnfo.ii.device_type);
	if (rnfo.ii.device_type == devt_ethernet) {
	  if (o.spoofMACAddress())
	    hs->hostbatch[hidx]->setSrcMACAddress(o.spoofMACAddress());
	  else hs->hostbatch[hidx]->setSrcMACAddress(rnfo.ii.mac);
	}
	hs->hostbatch[hidx]->setSourceSockAddr(&rnfo.srcaddr, sizeof(rnfo.srcaddr));
	if (hidx == 0) /* Because later ones can have different src addy and be cut off group */
	  o.decoys[o.decoyturn] = hs->hostbatch[hidx]->v4source();
	hs->hostbatch[hidx]->setDeviceNames(rnfo.ii.devname, rnfo.ii.devfullname);
	//	  printf("Target %s %s directly connected, goes through local iface %s, which %s ethernet\n", hs->hostbatch[hidx]->NameIP(), hs->hostbatch[hidx]->directlyConnected()? "IS" : "IS NOT", hs->hostbatch[hidx]->deviceName(), (hs->hostbatch[hidx]->ifType() == devt_ethernet)? "IS" : "IS NOT");
      }
      

      /* In some cases, we can only allow hosts that use the same
	 device in a group.  Similarly, we don't mix
	 directly-connected boxes with those that aren't */
      if (o.af() == AF_INET && o.isr00t && hidx > 0 && 
	  hs->hostbatch[hidx]->deviceName() && 
	  (hs->hostbatch[hidx]->v4source().s_addr != hs->hostbatch[0]->v4source().s_addr || 
	   strcmp(hs->hostbatch[0]->deviceName(), 
		  hs->hostbatch[hidx]->deviceName()) != 0 
	  || hs->hostbatch[hidx]->directlyConnected() != hs->hostbatch[0]->directlyConnected())) {
	/* Cancel everything!  This guy must go in the next group and we are
	   out of here */
	hs->current_expression.return_last_host();
	delete hs->hostbatch[hidx];
	goto batchfull;
      }
      hs->current_batch_sz++;
}

  if (hs->current_batch_sz < hs->max_batch_sz &&
      hs->next_expression < hs->num_expressions) {
    /* We are going to have to pop in another expression. */
    while(hs->current_expression.parse_expr(hs->target_expressions[hs->next_expression++], o.af()) != 0) 
      if (hs->next_expression >= hs->num_expressions)
	break;
  } else break;
} while(1);

 batchfull:
 
if (hs->current_batch_sz == 0)
  return NULL;

/* OK, now we have our complete batch of entries.  The next step is to
   randomize them (if requested) */
if (hs->randomize) {
  hoststructfry(hs->hostbatch, hs->current_batch_sz);
}

/* First I'll do the ARP ping if all of the machines in the group are
   directly connected over ethernet.  I may need the MAC addresses
   later anyway. */
 if (hs->hostbatch[0]->ifType() == devt_ethernet && 
     hs->hostbatch[0]->directlyConnected() && 
     o.sendpref != PACKET_SEND_IP_STRONG) {
   arpping(hs->hostbatch, hs->current_batch_sz, ports);
   arpping_done = true;
 }
 
 gettimeofday(&now, NULL);
 if ((o.sendpref & PACKET_SEND_ETH) && 
     hs->hostbatch[0]->ifType() == devt_ethernet) {
   fo