1 2 /*************************************************************************** 3 * Service.h -- The "Service" class encapsulates every bit of information * 4 * about the associated target's (Target class) service. Service-specific * 5 * options, statistical and timing information as well as functions for * 6 * handling username/password list iteration all belong to this class. * 7 * * 8 ***********************IMPORTANT NMAP LICENSE TERMS************************ 9 * * 10 * The Nmap Security Scanner is (C) 1996-2019 Insecure.Com LLC ("The Nmap * 11 * Project"). Nmap is also a registered trademark of the Nmap Project. * 12 * This program is free software; you may redistribute and/or modify it * 13 * under the terms of the GNU General Public License as published by the * 14 * Free Software Foundation; Version 2 ("GPL"), BUT ONLY WITH ALL OF THE * 15 * CLARIFICATIONS AND EXCEPTIONS DESCRIBED HEREIN. This guarantees your * 16 * right to use, modify, and redistribute this software under certain * 17 * conditions. If you wish to embed Nmap technology into proprietary * 18 * software, we sell alternative licenses (contact sales@nmap.com). * 19 * Dozens of software vendors already license Nmap technology such as * 20 * host discovery, port scanning, OS detection, version detection, and * 21 * the Nmap Scripting Engine. * 22 * * 23 * Note that the GPL places important restrictions on "derivative works", * 24 * yet it does not provide a detailed definition of that term. To avoid * 25 * misunderstandings, we interpret that term as broadly as copyright law * 26 * allows. For example, we consider an application to constitute a * 27 * derivative work for the purpose of this license if it does any of the * 28 * following with any software or content covered by this license * 29 * ("Covered Software"): * 30 * * 31 * o Integrates source code from Covered Software. * 32 * * 33 * o Reads or includes copyrighted data files, such as Nmap's nmap-os-db * 34 * or nmap-service-probes. * 35 * * 36 * o Is designed specifically to execute Covered Software and parse the * 37 * results (as opposed to typical shell or execution-menu apps, which will * 38 * execute anything you tell them to). * 39 * * 40 * o Includes Covered Software in a proprietary executable installer. The * 41 * installers produced by InstallShield are an example of this. Including * 42 * Nmap with other software in compressed or archival form does not * 43 * trigger this provision, provided appropriate open source decompression * 44 * or de-archiving software is widely available for no charge. For the * 45 * purposes of this license, an installer is considered to include Covered * 46 * Software even if it actually retrieves a copy of Covered Software from * 47 * another source during runtime (such as by downloading it from the * 48 * Internet). * 49 * * 50 * o Links (statically or dynamically) to a library which does any of the * 51 * above. * 52 * * 53 * o Executes a helper program, module, or script to do any of the above. * 54 * * 55 * This list is not exclusive, but is meant to clarify our interpretation * 56 * of derived works with some common examples. Other people may interpret * 57 * the plain GPL differently, so we consider this a special exception to * 58 * the GPL that we apply to Covered Software. Works which meet any of * 59 * these conditions must conform to all of the terms of this license, * 60 * particularly including the GPL Section 3 requirements of providing * 61 * source code and allowing free redistribution of the work as a whole. * 62 * * 63 * As another special exception to the GPL terms, the Nmap Project grants * 64 * permission to link the code of this program with any version of the * 65 * OpenSSL library which is distributed under a license identical to that * 66 * listed in the included docs/licenses/OpenSSL.txt file, and distribute * 67 * linked combinations including the two. * 68 * * 69 * The Nmap Project has permission to redistribute Npcap, a packet * 70 * capturing driver and library for the Microsoft Windows platform. * 71 * Npcap is a separate work with it's own license rather than this Nmap * 72 * license. Since the Npcap license does not permit redistribution * 73 * without special permission, our Nmap Windows binary packages which * 74 * contain Npcap may not be redistributed without special permission. * 75 * * 76 * Any redistribution of Covered Software, including any derived works, * 77 * must obey and carry forward all of the terms of this license, including * 78 * obeying all GPL rules and restrictions. For example, source code of * 79 * the whole work must be provided and free redistribution must be * 80 * allowed. All GPL references to "this License", are to be treated as * 81 * including the terms and conditions of this license text as well. * 82 * * 83 * Because this license imposes special exceptions to the GPL, Covered * 84 * Work may not be combined (even as part of a larger work) with plain GPL * 85 * software. The terms, conditions, and exceptions of this license must * 86 * be included as well. This license is incompatible with some other open * 87 * source licenses as well. In some cases we can relicense portions of * 88 * Nmap or grant special permissions to use it in other open source * 89 * software. Please contact fyodor@nmap.org with any such requests. * 90 * Similarly, we don't incorporate incompatible open source software into * 91 * Covered Software without special permission from the copyright holders. * 92 * * 93 * If you have any questions about the licensing restrictions on using * 94 * Nmap in other works, we are happy to help. As mentioned above, we also * 95 * offer an alternative license to integrate Nmap into proprietary * 96 * applications and appliances. These contracts have been sold to dozens * 97 * of software vendors, and generally include a perpetual license as well * 98 * as providing support and updates. They also fund the continued * 99 * development of Nmap. Please email sales@nmap.com for further * 100 * information. * 101 * * 102 * If you have received a written license agreement or contract for * 103 * Covered Software stating terms other than these, you may choose to use * 104 * and redistribute Covered Software under those terms instead of these. * 105 * * 106 * Source is provided to this software because we believe users have a * 107 * right to know exactly what a program is going to do before they run it. * 108 * This also allows you to audit the software for security holes. * 109 * * 110 * Source code also allows you to port Nmap to new platforms, fix bugs, * 111 * and add new features. You are highly encouraged to send your changes * 112 * to the dev@nmap.org mailing list for possible incorporation into the * 113 * main distribution. By sending these changes to Fyodor or one of the * 114 * Insecure.Org development mailing lists, or checking them into the Nmap * 115 * source code repository, it is understood (unless you specify * 116 * otherwise) that you are offering the Nmap Project the unlimited, * 117 * non-exclusive right to reuse, modify, and relicense the code. Nmap * 118 * will always be available Open Source, but this is important because * 119 * the inability to relicense code has caused devastating problems for * 120 * other Free Software projects (such as KDE and NASM). We also * 121 * occasionally relicense the code to third parties as discussed above. * 122 * If you wish to specify special license conditions of your * 123 * contributions, just say so when you send them. * 124 * * 125 * This program is distributed in the hope that it will be useful, but * 126 * WITHOUT ANY WARRANTY; without even the implied warranty of * 127 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the Nmap * 128 * license file for more details (it's in a COPYING file included with * 129 * Nmap, and also available from https://svn.nmap.org/nmap/COPYING) * 130 * * 131 ***************************************************************************/ 132 133 134 #ifndef SERVICE_H 135 #define SERVICE_H 136 137 #include "ncrack.h" 138 #include "utils.h" 139 #include "Target.h" 140 #include "Buf.h" 141 #include "timing.h" 142 #include "Connection.h" 143 #include <list> 144 145 146 #define BUFSIZE 256 147 #define MAX_HOSTINFO_LEN 1024 148 149 150 151 typedef struct loginpair 152 { 153 char *user; 154 char *pass; 155 } loginpair; 156 157 158 struct end_reason 159 { 160 bool orly; /* did it end? */ 161 char *reason; /* why did it end */ 162 }; 163 164 165 struct host_timeout_nfo { 166 unsigned long msecs_used; /* How many msecs has this Target used? */ 167 bool toclock_running; /* Is the clock running right now? */ 168 struct timeval toclock_start; /* When did the clock start? */ 169 time_t host_start, host_end; /* The absolute start and end for this host */ 170 }; 171 172 enum linear_states { LINEAR_INIT, LINEAR_ACTIVE, LINEAR_DONE }; 173 174 class Service 175 { 176 public: 177 Service(); 178 ~Service(); 179 180 /* ********************* Functions ******************* */ 181 182 Service(const Service&); /* copy constructor */ 183 const char *HostInfo(void); 184 185 double getPercDone(void); 186 187 /* Add discovered credential to 'credentials_found' */ 188 void addCredential(char *user, char *pass); 189 190 int getNextPair(char **login, char **pass); 191 void appendToPool(char *login, char *pass); 192 void removeFromPool(char *login, char *pass); 193 bool isMirrorPoolEmpty(void); 194 bool isPoolEmpty(void); 195 setListActive(void)196 void setListActive(void) { list_active = true; }; unsetListActive(void)197 void unsetListActive(void) { list_active = false; }; getListActive(void)198 bool getListActive(void) { return list_active; }; 199 setListWait(void)200 void setListWait(void) { list_wait = true; }; unsetListWait(void)201 void unsetListWait(void) { list_wait = false; }; getListWait(void)202 bool getListWait(void) { return list_wait; }; 203 setListPairfini(void)204 void setListPairfini(void) { list_pairfini = true; }; unsetListPairfini(void)205 void unsetListPairfini(void) { list_pairfini = false; }; getListPairfini(void)206 bool getListPairfini(void) { return list_pairfini; }; 207 setListFull(void)208 void setListFull(void) { list_full = true; }; unsetListFull(void)209 void unsetListFull(void) { list_full = false; }; getListFull(void)210 bool getListFull(void) { return list_full; }; 211 setListFinishing(void)212 void setListFinishing(void) { list_finishing = true; }; unsetListFinishing(void)213 void unsetListFinishing(void) { list_finishing = false; }; getListFinishing(void)214 bool getListFinishing(void) { return list_finishing; }; 215 setListFinished(void)216 void setListFinished(void) { list_finished = true; }; getListFinished(void)217 bool getListFinished(void) { return list_finished; }; 218 219 uint32_t getUserlistIndex(void); 220 void setUserlistIndex(uint32_t index); 221 uint32_t getPasslistIndex(void); 222 void setPasslistIndex(uint32_t index); 223 224 void setLinearState(size_t state); 225 size_t getLinearState(void); 226 227 228 /* ********************* Members ********************* */ 229 230 uint32_t uid; /* uniquely identifies service */ 231 char *name; 232 Target *target; /* service belongs to this host */ 233 u8 proto; 234 u16 portno; 235 236 struct end_reason end; /* reason that this service ended */ 237 238 /* list which holds discovered credentials if any */ 239 vector <loginpair> credentials_found; 240 241 bool loginlist_fini;/* true if login list has been iterated through */ 242 bool userlist_fini; 243 bool passlist_fini; 244 245 vector <char *> *UserArray; 246 vector <char *> *PassArray; 247 248 /* true -> reconnaissance/timing probe */ 249 bool just_started; 250 251 /* True if more connections needed for timing probe - usually modules like 252 * HTTP might need this, because they need to also check other variables 253 * like keep-alive values and authentication schemes (in separate 254 * connections) 255 */ 256 bool more_rounds; 257 258 /* Will skip current username and move on to the next one if true. 259 * Currently used for MongoDB user-enum vulnerability in SCRAM_SHA1 auth. 260 */ 261 bool skip_username; 262 263 unsigned int failed_connections; 264 long active_connections; 265 struct timeval last; /* time of last activated connection */ 266 267 /* 268 * How many attempts the service supports per connection before 269 * closing on us. This is used as a valuable piece of information 270 * for many timing checks, and is gathered during the first connection 271 * (since that probably is the most reliable one, because in the beginning 272 * we haven't opened up too many connections yet) 273 */ 274 unsigned long supported_attempts; 275 276 /* total auth attempts, including failed ones */ 277 unsigned long total_attempts; 278 279 /* auth attempts that have finished up to the point of completing 280 * all authentication steps and getting the results */ 281 unsigned long finished_attempts; 282 283 /* timing options that override global ones */ 284 285 /* minimum number of concurrent parallel connections */ 286 long min_connection_limit; 287 /* maximum number of concurrent parallel connections */ 288 long max_connection_limit; 289 /* ideal number of concurrent parallel connections */ 290 long ideal_parallelism; 291 /* authentication attempts per connections */ 292 long auth_tries; 293 /* number of milliseconds to wait between each connection */ 294 long connection_delay; 295 /* number of connection retries after connection failure */ 296 long connection_retries; 297 /* maximum cracking time regardless of success so far */ 298 long long timeout; 299 300 /* misc options */ 301 bool ssl; /* true -> SSL enabled over this service */ 302 char *path; /* used for HTTP or other modules that need a path-name */ 303 304 char *db; /* used for MongoDB or other modules that need a database name */ 305 306 char *domain; /* used for modules like WinRM that need a domain */ 307 308 void *module_data; /* service/module-specific data */ 309 310 RateMeter auth_rate_meter; 311 struct last_auth_rate { 312 double rate; 313 struct timeval time; 314 } last_auth_rate; 315 316 list <Connection *> connections; 317 318 /* 319 * Starts the timeout clock for the host running (e.g. you are 320 * beginning a scan). If you do not have the current time handy, 321 * you can pass in NULL. When done, call stopTimeOutClock (it will 322 * also automatically be stopped if timedOut() returns true) 323 */ 324 void startTimeOutClock(const struct timeval *now); 325 326 /* The complement to startTimeOutClock. */ 327 void stopTimeOutClock(const struct timeval *now); 328 329 /* Is the timeout clock currently running? */ timeOutClockRunning()330 bool timeOutClockRunning() { return htn.toclock_running; } 331 332 /* 333 * Returns whether the host is timedout. If the timeoutclock is 334 * running, counts elapsed time for that. Pass NULL if you don't have the 335 * current time handy. You might as well also pass NULL if the 336 * clock is not running, as the func won't need the time. 337 */ 338 bool timedOut(const struct timeval *now); 339 340 /* Return time_t for the start and end time of this host */ StartTime()341 time_t StartTime() { return htn.host_start; } 342 EndTime()343 time_t EndTime() { return htn.host_end; } 344 345 private: 346 347 /* 348 * hostinfo in form "<service_name>://<ip or hostname>:<port number>" 349 * e.g ftp://scanme.nmap.org:21 - Will be returned by HostInfo() 350 */ 351 char *hostinfo; 352 353 /* 354 * Login pair pool that holds pairs that didn't manage to be authenticated 355 * due to an error (the host timed out, the connection was forcefully closed 356 * etc). If this pool has elements, then the next returned pair from 357 * NextPair() will come from this pool. NextPair() will remove the 358 * element from the list. 359 */ 360 list <loginpair> pair_pool; 361 362 /* 363 * Mirror login pair pool, that holds pairs from login pair pool but which 364 * aren't removed from the list at the time they are used. 365 * By this way we can determine, if we are currently using pairs from the 366 * pair_pool by checking if the mirror_pair_pool is non-empty. 367 */ 368 list <loginpair> mirror_pair_pool; 369 370 vector <char *>::iterator uservi; 371 vector <char *>::iterator passvi; 372 373 bool list_active; /* service is now on 'services_active' list */ 374 bool list_wait; /* service appended to 'services_wait' list */ 375 bool list_pairfini; /* service appended to 'services_pairfini' list */ 376 bool list_full; /* service appended to 'services_full' list */ 377 bool list_finishing;/* service appended to 'services_finishing' list */ 378 bool list_finished; /* service is now on 'services_finished' list */ 379 380 381 /* 382 * LINEAR_INIT: service hasn't started connection yet 383 * LINEAR_ACTIVE: service has active connection 384 * LINEAR_DONE: service has finished connection 385 */ 386 size_t linear_state; 387 388 struct host_timeout_nfo htn; 389 390 }; 391 392 393 #endif 394