1
2 /***************************************************************************
3 * service_scan.cc -- Routines used for service fingerprinting to determine *
4 * what application-level protocol is listening on a given port *
5 * (e.g. snmp, http, ftp, smtp, etc.) *
6 * *
7 ***********************IMPORTANT NMAP LICENSE TERMS************************
8 * *
9 * The Nmap Security Scanner is (C) 1996-2020 Insecure.Com LLC ("The Nmap *
10 * Project"). Nmap is also a registered trademark of the Nmap Project. *
11 * *
12 * This program is distributed under the terms of the Nmap Public Source *
13 * License (NPSL). The exact license text applying to a particular Nmap *
14 * release or source code control revision is contained in the LICENSE *
15 * file distributed with that version of Nmap or source code control *
16 * revision. More Nmap copyright/legal information is available from *
17 * https://nmap.org/book/man-legal.html, and further information on the *
18 * NPSL license itself can be found at https://nmap.org/npsl. This header *
19 * summarizes some key points from the Nmap license, but is no substitute *
20 * for the actual license text. *
21 * *
22 * Nmap is generally free for end users to download and use themselves, *
23 * including commercial use. It is available from https://nmap.org. *
24 * *
25 * The Nmap license generally prohibits companies from using and *
26 * redistributing Nmap in commercial products, but we sell a special Nmap *
27 * OEM Edition with a more permissive license and special features for *
28 * this purpose. See https://nmap.org/oem *
29 * *
30 * If you have received a written Nmap license agreement or contract *
31 * stating terms other than these (such as an Nmap OEM license), you may *
32 * choose to use and redistribute Nmap under those terms instead. *
33 * *
34 * The official Nmap Windows builds include the Npcap software *
35 * (https://npcap.org) for packet capture and transmission. It is under *
36 * separate license terms which forbid redistribution without special *
37 * permission. So the official Nmap Windows builds may not be *
38 * redistributed without special permission (such as an Nmap OEM *
39 * license). *
40 * *
41 * Source is provided to this software because we believe users have a *
42 * right to know exactly what a program is going to do before they run it. *
43 * This also allows you to audit the software for security holes. *
44 * *
45 * Source code also allows you to port Nmap to new platforms, fix bugs, *
46 * and add new features. You are highly encouraged to submit your *
47 * changes as a Github PR or by email to the dev@nmap.org mailing list *
48 * for possible incorporation into the main distribution. Unless you *
49 * specify otherwise, it is understood that you are offering us very *
50 * broad rights to use your submissions as described in the Nmap Public *
51 * Source License Contributor Agreement. This is important because we *
52 * fund the project by selling licenses with various terms, and also *
53 * because the inability to relicense code has caused devastating *
54 * problems for other Free Software projects (such as KDE and NASM). *
55 * *
56 * The free version of Nmap is distributed in the hope that it will be *
57 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of *
58 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties, *
59 * indemnification and commercial support are all available through the *
60 * Npcap OEM program--see https://nmap.org/oem. *
61 * *
62 ***************************************************************************/
63
64 /* $Id: service_scan.cc 38078 2020-10-02 16:12:22Z dmiller $ */
65
66
67 #include "service_scan.h"
68 #include "timing.h"
69 #include "NmapOps.h"
70 #include "nsock.h"
71 #include "Target.h"
72 #include "utils.h"
73 #include "nmap_error.h"
74 #include "protocols.h"
75 #include "scan_lists.h"
76
77 #include "nmap_tty.h"
78
79 #include <errno.h>
80
81 #if HAVE_OPENSSL
82 /* OpenSSL 1.0.0 needs _WINSOCKAPI_ to be defined, otherwise it loads
83 <windows.h> (through openssl/dtls1.h), which is incompatible with the
84 <winsock2.h> that we use. (It creates errors with the redefinition of struct
85 timeval, for example.) _WINSOCKAPI_ should be defined by our inclusion of
86 <winsock2.h>, but it appears to be undefined somewhere, possibly in
87 libpcap. */
88 #define _WINSOCKAPI_
89 #include <openssl/ssl.h>
90 #endif
91
92 #if TIME_WITH_SYS_TIME
93 # include <sys/time.h>
94 # include <time.h>
95 #else
96 # if HAVE_SYS_TIME_H
97 # include <sys/time.h>
98 # else
99 # include <time.h>
100 # endif
101 #endif
102
103 #ifndef IPPROTO_SCTP
104 #include "libnetutil/netutil.h"
105 #endif
106
107 #include <algorithm>
108 #include <list>
109
110 extern NmapOps o;
111
112 // Details on a particular service (open port) we are trying to match
113 class ServiceNFO {
114 public:
115 ServiceNFO(AllProbes *AP);
116 ~ServiceNFO();
117
118 // If a service response to a given probeName, this function adds
119 // the response the the fingerprint for that service. The
120 // fingerprint can be printed when nothing matches the service. You
121 // can obtain the fingerprint (if any) via getServiceFingerprint();
122 void addToServiceFingerprint(const char *probeName, const u8 *resp,
123 int resplen);
124
125 // Get the service fingerprint. It is NULL if there is none, such
126 // as if there was a match before any other probes were finished (or
127 // if no probes gave back data). Note that this is plain
128 // NUL-terminated ASCII data, although the length is optionally
129 // available anyway. This function terminates the service fingerprint
130 // with a semi-colon
131 const char *getServiceFingerprint(int *flen);
132
133 // Note that the next 2 members are for convenience and are not destroyed w/the ServiceNFO
134 Target *target; // the port belongs to this target host
135 // if a match is found, it is placed here. Otherwise NULL
136 const char *probe_matched;
137 // If a match is found, any product/version/info/hostname/ostype/devicetype
138 // is placed in these 6 strings. Otherwise the string will be 0 length.
139 char product_matched[80];
140 char version_matched[80];
141 char extrainfo_matched[256];
142 char hostname_matched[80];
143 char ostype_matched[32];
144 char devicetype_matched[32];
145 char cpe_a_matched[80];
146 char cpe_h_matched[80];
147 char cpe_o_matched[80];
148 enum service_tunnel_type tunnel; /* SERVICE_TUNNEL_NONE, SERVICE_TUNNEL_SSL */
149 // This stores our SSL session id, which will help speed up subsequent
150 // SSL connections. It's overwritten each time. void* is used so we don't
151 // need to #ifdef HAVE_OPENSSL all over. We'll cast later as needed.
152 void *ssl_session;
153 // if a match was found (see above), this tells whether it was a "soft"
154 // or hard match. It is always false if no match has been found.
155 bool softMatchFound;
156 // most recent probe executed (or in progress). If there has been a match
157 // (probe_matched != NULL), this will be the corresponding ServiceProbe.
158 ServiceProbe *currentProbe();
159 // computes the next probe to test, and ALSO CHANGES currentProbe() to
160 // that! If newresp is true, the old response info will be lost and
161 // invalidated. Otherwise it remains as if it had been received by
162 // the current probe (useful after a NULL probe).
163 ServiceProbe *nextProbe(bool newresp);
164 // Resets the probes back to the first one. One case where this is useful is
165 // when SSL is detected -- we redo all probes through SSL. If freeFP, any
166 // service fingerprint is freed too.
167 void resetProbes(bool freefp);
168 // Number of milliseconds used so far to complete the present probe. Timeval
169 // can omitted, it is just there as an optimization in case you have it handy.
170 int probe_timemsused(const ServiceProbe *probe, const struct timeval *now = NULL);
171 // Number of milliseconds left to complete the present probe, or 0 if
172 // the probe is already expired. Timeval can omitted, it is just there
173 // as an optimization in case you have it handy.
174 int probe_timemsleft(const ServiceProbe *probe, const struct timeval *now = NULL);
175 enum serviceprobestate probe_state; // defined in portlist.h
176 nsock_iod niod; // The IO Descriptor being used in this probe (or NULL)
177 u16 portno; // in host byte order
178 u8 proto; // IPPROTO_TCP or IPPROTO_UDP
179 // The time that the current probe was executed (meaning TCP connection
180 // made or first UDP packet sent
181 struct timeval currentprobe_exec_time;
182 // Append newly-received data to the current response string (if any)
183 void appendtocurrentproberesponse(const u8 *respstr, int respstrlen);
184 // Get the full current response string. Note that this pointer is
185 // INVALIDATED if you call appendtocurrentproberesponse() or nextProbe()
186 u8 *getcurrentproberesponse(int *respstrlen);
187 AllProbes *AP;
188 // Is it possible this service is tcpwrapped? Not if a probe times out or
189 // gets a real response.
190 bool tcpwrap_possible;
191
192 private:
193 // Adds a character to servicefp. Takes care of word wrapping if
194 // necessary at the given (wrapat) column. Chars will only be
195 // written if there is enough space. Otherwise it exits.
196 void addServiceChar(char c, int wrapat);
197 // Like addServiceChar, but for a whole zero-terminated string
198 void addServiceString(const char *s, int wrapat);
199 std::vector<ServiceProbe *>::iterator current_probe;
200 u8 *currentresp;
201 int currentresplen;
202 char *servicefp;
203 int servicefplen;
204 int servicefpalloc;
205 };
206
207 // This holds the service information for a group of Targets being service scanned.
208 class ServiceGroup {
209 public:
210 ServiceGroup(std::vector<Target *> &Targets, AllProbes *AP);
211 ~ServiceGroup();
212 std::list<ServiceNFO *> services_finished; // Services finished (discovered or not)
213 std::list<ServiceNFO *> services_in_progress; // Services currently being probed
214 std::list<ServiceNFO *> services_remaining; // Probes not started yet
215 unsigned int ideal_parallelism; // Max (and desired) number of probes out at once.
216 ScanProgressMeter *SPM;
217 int num_hosts_timedout; // # of hosts timed out during (or before) scan
218 };
219
220 #define SUBSTARGS_MAX_ARGS 5
221 #define SUBSTARGS_STRLEN 128
222 #define SUBSTARGS_ARGTYPE_NONE 0
223 #define SUBSTARGS_ARGTYPE_STRING 1
224 #define SUBSTARGS_ARGTYPE_INT 2
225 struct substargs {
226 int num_args; // Total number of arguments found
227 char str_args[SUBSTARGS_MAX_ARGS][SUBSTARGS_STRLEN];
228 // This is the length of each string arg, since they can contain zeros.
229 // The str_args[] are zero-terminated for convenience in the cases where
230 // you know they won't contain zero.
231 int str_args_len[SUBSTARGS_MAX_ARGS];
232 int int_args[SUBSTARGS_MAX_ARGS];
233 // The type of each argument -- see #define's above.
234 int arg_types[SUBSTARGS_MAX_ARGS];
235 };
236
237 /******************** PROTOTYPES *******************/
238 static void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *mydata);
239 static void servicescan_write_handler(nsock_pool nsp, nsock_event nse, void *mydata);
240 static void servicescan_connect_handler(nsock_pool nsp, nsock_event nse, void *mydata);
241 static void end_svcprobe(nsock_pool nsp, enum serviceprobestate probe_state, ServiceGroup *SG, ServiceNFO *svc, nsock_iod nsi);
242
ServiceProbeMatch()243 ServiceProbeMatch::ServiceProbeMatch() {
244 deflineno = -1;
245 servicename = NULL;
246 matchstr = NULL;
247 product_template = version_template = info_template = NULL;
248 hostname_template = ostype_template = devicetype_template = NULL;
249 regex_compiled = NULL;
250 regex_extra = NULL;
251 isInitialized = false;
252 matchops_ignorecase = false;
253 matchops_dotall = false;
254 isSoft = false;
255 }
256
~ServiceProbeMatch()257 ServiceProbeMatch::~ServiceProbeMatch() {
258 std::vector<char *>::iterator it;
259 if (!isInitialized) return;
260 if (servicename) free(servicename);
261 if (matchstr) free(matchstr);
262 if (product_template) free(product_template);
263 if (version_template) free(version_template);
264 if (info_template) free(info_template);
265 if (hostname_template) free(hostname_template);
266 if (ostype_template) free(ostype_template);
267 if (devicetype_template) free(devicetype_template);
268 for (it = cpe_templates.begin(); it != cpe_templates.end(); it++)
269 free(*it);
270 matchstrlen = 0;
271 if (regex_compiled) pcre_free(regex_compiled);
272 if (regex_extra) pcre_free(regex_extra);
273 isInitialized = false;
274 matchops_anchor = -1;
275 }
276
277 /* Realloc a malloc-allocated string and put a given prefix at the front. */
string_prefix(char * string,const char * prefix)278 static char *string_prefix(char *string, const char *prefix)
279 {
280 size_t slen, plen;
281
282 slen = strlen(string);
283 plen = strlen(prefix);
284 string = (char *) safe_realloc(string, plen + slen + 1);
285 memmove(string + plen, string, slen + 1);
286 memmove(string, prefix, plen);
287
288 return string;
289 }
290
291 /* Read the next tmplt from *matchtext and update *matchtext. Return true iff
292 a template was read. For example, after
293 matchtext = "p/123/ d/456/";
294 next_template(&matchtext, &modestr, &flags, &tmplt);
295 then
296 matchtext == " d/456/"
297 modestr == "p"
298 tmplt == "123"
299 flags == ""
300 *modestr and *tmplt must be freed if the return value is true. */
next_template(const char ** matchtext,char ** modestr,char ** tmplt,char ** flags,int lineno)301 static bool next_template(const char **matchtext, char **modestr, char **tmplt,
302 char **flags, int lineno) {
303 const char *p, *q;
304 char delimchar;
305
306 p = *matchtext;
307 while(isspace((int) (unsigned char) *p))
308 p++;
309 if (*p == '\0')
310 return false;
311
312 q = p;
313 while (isalpha(*q) || *q == ':')
314 q++;
315 if (*q == '\0' || isspace(*q))
316 fatal("%s: parse error on line %d of nmap-service-probes", __func__, lineno);
317
318 *modestr = mkstr(p, q);
319
320 delimchar = *q;
321 p = q + 1;
322
323 q = strchr(p, delimchar);
324 if (q == NULL)
325 fatal("%s: parse error on line %d of nmap-service-probes", __func__, lineno);
326
327 *tmplt = mkstr(p, q);
328 p = q + 1;
329
330 q = p;
331 while (isalpha(*q))
332 q++;
333 *flags = mkstr(p, q);
334
335 /* Update pointer for caller. */
336 *matchtext = q;
337
338 return true;
339 }
340
341 // match text from the nmap-service-probes file. This must be called
342 // before you try and do anything with this match. This function
343 // should be passed the whole line starting with "match" or
344 // "softmatch" in nmap-service-probes. The line number that the text
345 // is provided so that it can be reported in error messages. This
346 // function will abort the program if there is a syntax problem.
InitMatch(const char * matchtext,int lineno)347 void ServiceProbeMatch::InitMatch(const char *matchtext, int lineno) {
348 const char *p;
349 char *modestr, *tmptemplate, *flags;
350 int pcre_compile_ops = 0;
351 const char *pcre_errptr = NULL;
352 int pcre_erroffset = 0;
353 char **curr_tmp = NULL;
354
355 if (isInitialized) fatal("Sorry ... %s does not yet support reinitializion", __func__);
356 if (!matchtext || !*matchtext)
357 fatal("%s: no matchtext passed in (line %d of nmap-service-probes)", __func__, lineno);
358 isInitialized = true;
359
360 deflineno = lineno;
361 while(isspace((int) (unsigned char) *matchtext)) matchtext++;
362
363 // first we find whether this is a "soft" or normal match
364 if (strncmp(matchtext, "softmatch ", 10) == 0) {
365 isSoft = true;
366 matchtext += 10;
367 } else if (strncmp(matchtext, "match ", 6) == 0) {
368 isSoft = false;
369 matchtext += 6;
370 } else
371 fatal("%s: parse error on line %d of nmap-service-probes - must begin with \"match\" or \"softmatch\"", __func__, lineno);
372
373 // next comes the service name
374 p = strchr(matchtext, ' ');
375 if (!p) fatal("%s: parse error on line %d of nmap-service-probes: could not find service name", __func__, lineno);
376
377 servicename = (char *) safe_malloc(p - matchtext + 1);
378 memcpy(servicename, matchtext, p - matchtext);
379 servicename[p - matchtext] = '\0';
380
381 // The next part is a perl style regular expression specifier, like:
382 // m/^220 .*smtp/i Where 'm' means a normal regular expressions is
383 // used, the char after m can be anything (within reason, slash in
384 // this case) and tells us what delineates the end of the regex.
385 // After the delineating character are any single-character
386 // options. ('i' means "case insensitive", 's' means that . matches
387 // newlines (both are just as in perl)
388 matchtext = p;
389 if (!next_template(&matchtext, &modestr, &matchstr, &flags, lineno))
390 fatal("%s: parse error on line %d of nmap-service-probes", __func__, lineno);
391
392 if (strcmp(modestr, "m") != 0)
393 fatal("%s: parse error on line %d of nmap-service-probes: matchtext must begin with 'm'", __func__, lineno);
394 matchtype = SERVICEMATCH_REGEX;
395
396 // any options?
397 for (p = flags; *p != '\0'; p++) {
398 if (*p == 'i')
399 matchops_ignorecase = true;
400 else if (*p == 's')
401 matchops_dotall = true;
402 else
403 fatal("%s: illegal regexp option on line %d of nmap-service-probes", __func__, lineno);
404 }
405
406 // Next we compile and study the regular expression to match
407 if (matchops_ignorecase)
408 pcre_compile_ops |= PCRE_CASELESS;
409
410 if (matchops_dotall)
411 pcre_compile_ops |= PCRE_DOTALL;
412
413 regex_compiled = pcre_compile(matchstr, pcre_compile_ops, &pcre_errptr,
414 &pcre_erroffset, NULL);
415
416 if (regex_compiled == NULL)
417 fatal("%s: illegal regexp on line %d of nmap-service-probes (at regexp offset %d): %s\n", __func__, lineno, pcre_erroffset, pcre_errptr);
418
419 // Now study the regexp for greater efficiency
420 regex_extra = pcre_study(regex_compiled, 0
421 #ifdef PCRE_STUDY_EXTRA_NEEDED
422 | PCRE_STUDY_EXTRA_NEEDED
423 #endif
424 , &pcre_errptr);
425 if (pcre_errptr != NULL)
426 fatal("%s: failed to pcre_study regexp on line %d of nmap-service-probes: %s\n", __func__, lineno, pcre_errptr);
427
428 if (!regex_extra) {
429 regex_extra = (pcre_extra *) pcre_malloc(sizeof(pcre_extra));
430 memset(regex_extra, 0, sizeof(pcre_extra));
431 }
432
433 // Set some limits to avoid evil match cases.
434 // These are flexible; if they cause problems, increase them.
435 #ifdef PCRE_ERROR_MATCHLIMIT
436 regex_extra->match_limit = 100000; // 100K
437 #endif
438 #ifdef PCRE_ERROR_RECURSIONLIMIT
439 regex_extra->match_limit_recursion = 10000; // 10K
440 #endif
441
442 free(modestr);
443 free(flags);
444
445 /* OK! Now we look for any templates of the form ?/.../
446 * where ? is either p, v, i, h, o, or d. / is any
447 * delimiter character and ... is a template */
448
449 while (next_template(&matchtext, &modestr, &tmptemplate, &flags, lineno)) {
450 if (strcmp(modestr, "p") == 0)
451 curr_tmp = &product_template;
452 else if (strcmp(modestr, "v") == 0)
453 curr_tmp = &version_template;
454 else if (strcmp(modestr, "i") == 0)
455 curr_tmp = &info_template;
456 else if (strcmp(modestr, "h") == 0)
457 curr_tmp = &hostname_template;
458 else if (strcmp(modestr, "o") == 0)
459 curr_tmp = &ostype_template;
460 else if (strcmp(modestr, "d") == 0)
461 curr_tmp = &devicetype_template;
462 else if (strcmp(modestr, "cpe:") == 0) {
463 tmptemplate = string_prefix(tmptemplate, "cpe:/");
464 cpe_templates.push_back(NULL);
465 curr_tmp = &cpe_templates.back();
466 } else
467 fatal("%s: Unknown template specifier '%s' on line %d of nmap-service-probes", __func__, modestr, lineno);
468
469 /* This one already defined? */
470 if (*curr_tmp) {
471 if (o.debugging) {
472 error("WARNING: Template \"%s/%s/\" replaced with \"%s/%s/\" on line %d of nmap-service-probes",
473 modestr, *curr_tmp, modestr, tmptemplate, lineno);
474 }
475 free(*curr_tmp);
476 }
477
478 *curr_tmp = tmptemplate;
479 free(modestr);
480 free(flags);
481 }
482
483 isInitialized = 1;
484 }
485
486 // If the buf (of length buflen) match the regex in this
487 // ServiceProbeMatch, returns the details of the match (service
488 // name, version number if applicable, and whether this is a "soft"
489 // match. If the buf doesn't match, the serviceName field in the
490 // structure will be NULL. The MatchDetails structure returned is
491 // only valid until the next time this function is called. The only
492 // exception is that the serviceName field can be saved throughout
493 // program execution. If no version matched, that field will be
494 // NULL.
testMatch(const u8 * buf,int buflen)495 const struct MatchDetails *ServiceProbeMatch::testMatch(const u8 *buf, int buflen) {
496 int rc;
497 static char product[80];
498 static char version[80];
499 static char info[256]; /* We will truncate with ... later */
500 static char hostname[80];
501 static char ostype[32];
502 static char devicetype[32];
503 static char cpe_a[80], cpe_h[80], cpe_o[80];
504 char *bufc = (char *) buf;
505 int ovector[150]; // allows 50 substring matches (including the overall match)
506 assert(isInitialized);
507
508 assert (matchtype == SERVICEMATCH_REGEX);
509
510 // Clear out the output struct
511 memset(&MD_return, 0, sizeof(MD_return));
512 MD_return.isSoft = isSoft;
513
514 rc = pcre_exec(regex_compiled, regex_extra, bufc, buflen, 0, 0, ovector, sizeof(ovector) / sizeof(*ovector));
515 if (rc < 0) {
516 #ifdef PCRE_ERROR_MATCHLIMIT // earlier PCRE versions lack this
517 if (rc == PCRE_ERROR_MATCHLIMIT) {
518 if (o.debugging || o.verbose > 1)
519 error("Warning: Hit PCRE_ERROR_MATCHLIMIT when probing for service %s with the regex '%s'", servicename, matchstr);
520 } else
521 #endif // PCRE_ERROR_MATCHLIMIT
522 #ifdef PCRE_ERROR_RECURSIONLIMIT
523 if (rc == PCRE_ERROR_RECURSIONLIMIT) {
524 if (o.debugging || o.verbose > 1)
525 error("Warning: Hit PCRE_ERROR_RECURSIONLIMIT when probing for service %s with the regex '%s'", servicename, matchstr);
526 } else
527 #endif // PCRE_ERROR_RECURSIONLIMIT
528 if (rc != PCRE_ERROR_NOMATCH) {
529 fatal("Unexpected PCRE error (%d) when probing for service %s with the regex '%s'", rc, servicename, matchstr);
530 }
531 } else {
532 // Yeah! Match apparently succeeded.
533 // Now lets get the version number if available
534 getVersionStr(buf, buflen, ovector, rc, product, sizeof(product), version, sizeof(version), info, sizeof(info),
535 hostname, sizeof(hostname), ostype, sizeof(ostype), devicetype, sizeof(devicetype),
536 cpe_a, sizeof(cpe_a), cpe_h, sizeof(cpe_h), cpe_o, sizeof(cpe_o));
537 if (*product) MD_return.product = product;
538 if (*version) MD_return.version = version;
539 if (*info) MD_return.info = info;
540 if (*hostname) MD_return.hostname = hostname;
541 if (*ostype) MD_return.ostype = ostype;
542 if (*devicetype) MD_return.devicetype = devicetype;
543 if (*cpe_a) MD_return.cpe_a = cpe_a;
544 if (*cpe_h) MD_return.cpe_h = cpe_h;
545 if (*cpe_o) MD_return.cpe_o = cpe_o;
546
547 MD_return.serviceName = servicename;
548 MD_return.lineno = getLineNo();
549 }
550
551 return &MD_return;
552 }
553
554 // This simple function parses arguments out of a string. The string
555 // starts with the first argument. Each argument can be a string or
556 // an integer. Strings must be enclosed in double quotes (""). Most
557 // standard C-style escapes are supported. If this is successful, the
558 // number of args found is returned, args is filled appropriately, and
559 // args_end (if non-null) is set to the character after the closing
560 // ')'. Otherwise we return -1 and the values of args and args_end
561 // are undefined.
getsubstcommandargs(struct substargs * args,char * args_start,char ** args_end)562 static int getsubstcommandargs(struct substargs *args, char *args_start,
563 char **args_end) {
564 char *p;
565 unsigned int len;
566 if (!args || !args_start) return -1;
567
568 memset(args, 0, sizeof(*args));
569
570 while(*args_start && *args_start != ')') {
571 // Find the next argument.
572 while(isspace((int) (unsigned char) *args_start)) args_start++;
573 if (*args_start == ')')
574 break;
575 else if (*args_start == '"') {
576 // OK - it is a string
577 // Do we have space for another arg?
578 if (args->num_args == SUBSTARGS_MAX_ARGS)
579 return -1;
580 do {
581 args_start++;
582 if (*args_start == '"' && (*(args_start - 1) != '\\' || *(args_start - 2) == '\\'))
583 break;
584 len = args->str_args_len[args->num_args];
585 if (len >= SUBSTARGS_STRLEN - 1)
586 return -1;
587 args->str_args[args->num_args][len] = *args_start;
588 args->str_args_len[args->num_args]++;
589 } while(*args_start);
590 len = args->str_args_len[args->num_args];
591 args->str_args[args->num_args][len] = '\0';
592 // Now handle escaped characters and such
593 if (!cstring_unescape(args->str_args[args->num_args], &len))
594 return -1;
595 args->str_args_len[args->num_args] = len;
596 args->arg_types[args->num_args] = SUBSTARGS_ARGTYPE_STRING;
597 args->num_args++;
598 args_start++;
599 args_start = strpbrk(args_start, ",)");
600 if (!args_start) return -1;
601 if (*args_start == ',') args_start++;
602 } else {
603 // Must be an integer argument
604 args->int_args[args->num_args] = (int) strtol(args_start, &p, 0);
605 if (p <= args_start) return -1;
606 args_start = p;
607 args->arg_types[args->num_args] = SUBSTARGS_ARGTYPE_INT;
608 args->num_args++;
609 args_start = strpbrk(args_start, ",)");
610 if (!args_start) return -1;
611 if (*args_start == ',') args_start++;
612 }
613 }
614
615 if (*args_start == ')') args_start++;
616 if (args_end) *args_end = args_start;
617 return args->num_args;
618 }
619
620 /* These three functions manage a growing string buffer, appended to at the end.
621 Begin with strbuf_init, follow with any number of strbuf_append, and end with
622 strbuf_finish. */
strbuf_init(char ** buf,size_t * n,size_t * len)623 static void strbuf_init(char **buf, size_t *n, size_t *len) {
624 *buf = NULL;
625 *n = 0;
626 *len = 0;
627 }
628
strbuf_append(char ** buf,size_t * n,size_t * len,const char * from,size_t fromlen)629 static void strbuf_append(char **buf, size_t *n, size_t *len,
630 const char *from, size_t fromlen) {
631 /* Double the size of the buffer if necessary. */
632 if (*len == 0 || *len + fromlen > *n) {
633 *n = (*len + fromlen) * 2;
634 *buf = (char *) safe_realloc(*buf, *n + 1);
635 }
636 memcpy(*buf + *len, from, fromlen);
637 *len += fromlen;
638 }
639
640 /* Trim to length. (Also does initial allocation when *buf is empty.) */
strbuf_finish(char ** buf,size_t * n,size_t * len)641 static void strbuf_finish(char **buf, size_t *n, size_t *len) {
642 *buf = (char *) safe_realloc(*buf, *len + 1);
643 (*buf)[*len] = '\0';
644 }
645
646 /* Transform a string so that it is safe to insert into the middle of a CPE URL. */
transform_cpe(const char * s)647 static char *transform_cpe(const char *s) {
648 char *result;
649 size_t n, len, repllen;
650 const char *p;
651
652 strbuf_init(&result, &n, &len);
653 for (p = s; *p != '\0'; p++) {
654 const char *repl;
655 char buf[32];
656
657 /* Section 5.4 of the CPE specification lists these characters to be
658 escaped. */
659 if (strchr(":/?#[]@!$&'()*+,;=%<>\"", *p) != NULL) {
660 Snprintf(buf, sizeof(buf), "%%%02X", *p);
661 repl = buf;
662 /* Replacing spaces with underscores is also a convention. */
663 } else if (isspace(*p)) {
664 repl = "_";
665 /* Otherwise just make lower-case. */
666 } else {
667 buf[0] = tolower(*p);
668 buf[1] = '\0';
669 repl = buf;
670 }
671
672 repllen = strlen(repl);
673 strbuf_append(&result, &n, &len, repl, repllen);
674 }
675 strbuf_finish(&result, &n, &len);
676
677 return result;
678 }
679
680 // This function does the substitution of a placeholder like $2 or $P(4). It
681 // returns a newly allocated string, or NULL if it fails. tmplvar is a template
682 // variable, such as "$P(2)". We set *tmplvarend to the character after the
683 // variable. subject, subjectlen, ovector, and nummatches mean the same as in
684 // dotmplsubst().
substvar(char * tmplvar,char ** tmplvarend,const u8 * subject,int subjectlen,int * ovector,int nummatches)685 static char *substvar(char *tmplvar, char **tmplvarend,
686 const u8 *subject, int subjectlen, int *ovector,
687 int nummatches) {
688 char substcommand[16];
689 char *p = NULL;
690 char *p_end;
691 int subnum = 0;
692 int offstart, offend;
693 int rc;
694 int i;
695 struct substargs command_args;
696 char *result;
697 size_t n, len;
698
699 // skip the '$'
700 if (*tmplvar != '$') return NULL;
701 tmplvar++;
702
703 if (!isdigit((int) (unsigned char) *tmplvar)) {
704 int commandlen;
705 /* This is a command like $P(1). */
706 p = strchr(tmplvar, '(');
707 if (!p) return NULL;
708 commandlen = p - tmplvar;
709 if (!commandlen || commandlen >= (int) sizeof(substcommand))
710 return NULL;
711 memcpy(substcommand, tmplvar, commandlen);
712 substcommand[commandlen] = '\0';
713 tmplvar = p+1;
714 // Now we grab the arguments.
715 rc = getsubstcommandargs(&command_args, tmplvar, &p_end);
716 if (rc <= 0) return NULL;
717 tmplvar = p_end;
718 } else {
719 /* This is a placeholder like $2. */
720 substcommand[0] = '\0';
721 subnum = *tmplvar - '0';
722 tmplvar++;
723 }
724
725 if (tmplvarend) *tmplvarend = tmplvar;
726
727 strbuf_init(&result, &n, &len);
728 if (!*substcommand) {
729 /* Handler for a placeholder like $2. */
730 if (subnum > 9 || subnum <= 0) return NULL;
731 if (subnum >= nummatches) return NULL;
732 offstart = ovector[subnum * 2];
733 offend = ovector[subnum * 2 + 1];
734 assert(offstart >= 0 && offstart < subjectlen);
735 assert(offend >= 0 && offend <= subjectlen);
736 // A plain-jane copy
737 strbuf_append(&result, &n, &len, (const char *) subject + offstart, offend - offstart);
738 } else if (strcmp(substcommand, "P") == 0) {
739 if (command_args.num_args != 1 ||
740 command_args.arg_types[0] != SUBSTARGS_ARGTYPE_INT) {
741 return NULL;
742 }
743 subnum = command_args.int_args[0];
744 if (subnum > 9 || subnum <= 0) return NULL;
745 if (subnum >= nummatches) return NULL;
746 offstart = ovector[subnum * 2];
747 offend = ovector[subnum * 2 + 1];
748 assert(offstart >= 0 && offstart < subjectlen);
749 assert(offend >= 0 && offend <= subjectlen);
750 // This filter only includes printable characters. It is particularly
751 // useful for collapsing unicode text that looks like
752 // "W\0O\0R\0K\0G\0R\0O\0U\0P\0"
753 for(i=offstart; i < offend; i++) {
754 if (isprint((int) subject[i]))
755 strbuf_append(&result, &n, &len, (const char *) subject + i, 1);
756 }
757 } else if (strcmp(substcommand, "SUBST") == 0) {
758 char *findstr, *replstr;
759 int findstrlen, replstrlen;
760 if (command_args.num_args != 3 ||
761 command_args.arg_types[0] != SUBSTARGS_ARGTYPE_INT ||
762 command_args.arg_types[1] != SUBSTARGS_ARGTYPE_STRING ||
763 command_args.arg_types[2] != SUBSTARGS_ARGTYPE_STRING) {
764 return NULL;
765 }
766 subnum = command_args.int_args[0];
767 if (subnum > 9 || subnum <= 0) return NULL;
768 if (subnum >= nummatches) return NULL;
769 offstart = ovector[subnum * 2];
770 offend = ovector[subnum * 2 + 1];
771 assert(offstart >= 0 && offstart < subjectlen);
772 assert(offend >= 0 && offend <= subjectlen);
773 findstr = command_args.str_args[1];
774 findstrlen = command_args.str_args_len[1];
775 replstr = command_args.str_args[2];
776 replstrlen = command_args.str_args_len[2];
777 for(i=offstart; i < offend; ) {
778 if (memcmp(subject + i, findstr, findstrlen) != 0) {
779 strbuf_append(&result, &n, &len, (const char *) subject + i, 1); // no match
780 i++;
781 } else {
782 // The find string was found, copy it to newstring
783 strbuf_append(&result, &n, &len, replstr, replstrlen);
784 i += findstrlen;
785 }
786 }
787 } else if (strcmp(substcommand, "I") == 0 ){
788 // Parse an unsigned int
789 long long unsigned val = 0;
790 bool bigendian = true;
791 char buf[24]; //0xffffffffffffffff = 18446744073709551615, 20 chars
792 int buflen;
793 if (command_args.num_args != 2 ||
794 command_args.arg_types[0] != SUBSTARGS_ARGTYPE_INT ||
795 command_args.arg_types[1] != SUBSTARGS_ARGTYPE_STRING ||
796 command_args.str_args_len[1] != 1) {
797 return NULL;
798 }
799 subnum = command_args.int_args[0];
800 if (subnum > 9 || subnum <= 0) return NULL;
801 if (subnum >= nummatches) return NULL;
802 offstart = ovector[subnum * 2];
803 offend = ovector[subnum * 2 + 1];
804 assert(offstart >= 0 && offstart < subjectlen);
805
806 // overflow
807 if (offend - offstart > 8) {
808 return NULL;
809 }
810 switch (command_args.str_args[1][0]) {
811 case '>':
812 bigendian = true;
813 break;
814 case '<':
815 bigendian = false;
816 break;
817 default:
818 return NULL;
819 break;
820 }
821 if (bigendian) {
822 for(i=offstart; i < offend; i++) {
823 val = (val<<8) + subject[i];
824 }
825 } else {
826 for(i=offend - 1; i > offstart - 1; i--) {
827 val = (val<<8) + subject[i];
828 }
829 }
830 buflen = Snprintf(buf, sizeof(buf), "%llu", val);
831 if (buflen < 0 || buflen >= (int) sizeof(buf)) {
832 return NULL;
833 }
834 strbuf_append(&result, &n, &len, buf, buflen);
835 } else return NULL; // Unknown command
836
837 strbuf_finish(&result, &n, &len);
838 return result;
839 }
840
841
842
843 // This function takes a template string (tmpl) which can have
844 // placeholders in it such as $1 for substring matches in a regexp
845 // that was run against subject, and subjectlen, with the 'nummatches'
846 // matches in ovector. The NUL-terminated newly composted string is
847 // placed into 'newstr', as long as it doesn't exceed 'newstrlen'
848 // bytes. Trailing whitespace and commas are removed. Returns zero for success
849 //
850 // The transform argument is a function pointer. If not NULL, the given
851 // function is applied to all substitutions before they are inserted
852 // into the result string.
dotmplsubst(const u8 * subject,int subjectlen,int * ovector,int nummatches,char * tmpl,char * newstr,int newstrlen,char * (* transform)(const char *)=NULL)853 static int dotmplsubst(const u8 *subject, int subjectlen,
854 int *ovector, int nummatches, char *tmpl, char *newstr,
855 int newstrlen,
856 char *(*transform)(const char *) = NULL) {
857 int newlen;
858 char *srcstart=tmpl, *srcend;
859 char *dst = newstr;
860 char *newstrend = newstr + newstrlen; // Right after the final char
861 char *subst;
862
863 if (!newstr || !tmpl) return -1;
864 if (newstrlen < 3) return -1; // Have a nice day!
865
866 while(*srcstart) {
867 // First do any literal text before '$'
868 srcend = strchr(srcstart, '$');
869 if (!srcend) {
870 // Only literal text remain!
871 while(*srcstart) {
872 if (dst >= newstrend - 1)
873 return -1;
874 *dst++ = *srcstart++;
875 }
876 *dst = '\0';
877 while (--dst >= newstr) {
878 if (isspace((int) (unsigned char) *dst) || *dst == ',')
879 *dst = '\0';
880 else break;
881 }
882 return 0;
883 } else {
884 // Copy the literal text up to the '$', then do the substitution
885 newlen = srcend - srcstart;
886 if (newlen > 0) {
887 if (newstrend - dst <= newlen - 1)
888 return -1;
889 memcpy(dst, srcstart, newlen);
890 dst += newlen;
891 }
892 srcstart = srcend;
893 subst = substvar(srcstart, &srcend, subject, subjectlen, ovector, nummatches);
894 if (subst == NULL)
895 return -1;
896 /* Apply transformation if requested. */
897 if (transform != NULL) {
898 char *tmp = subst;
899 subst = transform(subst);
900 free(tmp);
901 if (subst == NULL)
902 return -1;
903 }
904 newlen = strlen(subst);
905 if (dst + newlen >= newstrend - 1) {
906 free(subst);
907 return -1;
908 }
909 memcpy(dst, subst, newlen);
910 free(subst);
911 dst += newlen;
912 srcstart = srcend;
913 }
914 }
915
916 if (dst >= newstrend - 1)
917 return -1;
918 *dst = '\0';
919 while (--dst >= newstr) {
920 if (isspace((int) (unsigned char) *dst) || *dst == ',')
921 *dst = '\0';
922 else break;
923 }
924 return 0;
925
926 }
927
928
929 // Use the version templates and the match data included here
930 // to put the version info into the given strings, (as long as the sizes
931 // are sufficient). Returns zero for success. If no template is available
932 // for a string, that string will have zero length after the function
933 // call (assuming the corresponding length passed in is at least 1)
934
getVersionStr(const u8 * subject,int subjectlen,int * ovector,int nummatches,char * product,int productlen,char * version,int versionlen,char * info,int infolen,char * hostname,int hostnamelen,char * ostype,int ostypelen,char * devicetype,int devicetypelen,char * cpe_a,int cpe_alen,char * cpe_h,int cpe_hlen,char * cpe_o,int cpe_olen)935 int ServiceProbeMatch::getVersionStr(const u8 *subject, int subjectlen,
936 int *ovector, int nummatches, char *product, int productlen,
937 char *version, int versionlen, char *info, int infolen,
938 char *hostname, int hostnamelen, char *ostype, int ostypelen,
939 char *devicetype, int devicetypelen,
940 char *cpe_a, int cpe_alen,
941 char *cpe_h, int cpe_hlen,
942 char *cpe_o, int cpe_olen) {
943
944 int rc;
945 assert(productlen >= 0 && versionlen >= 0 && infolen >= 0 &&
946 hostnamelen >= 0 && ostypelen >= 0 && devicetypelen >= 0);
947
948 if (productlen > 0) *product = '\0';
949 if (versionlen > 0) *version = '\0';
950 if (infolen > 0) *info = '\0';
951 if (hostnamelen > 0) *hostname = '\0';
952 if (ostypelen > 0) *ostype = '\0';
953 if (devicetypelen > 0) *devicetype = '\0';
954 if (cpe_alen > 0) *cpe_a = '\0';
955 if (cpe_hlen > 0) *cpe_h = '\0';
956 if (cpe_olen > 0) *cpe_o = '\0';
957 int retval = 0;
958
959 // Now lets get this started! We begin with the product name
960 if (product_template) {
961 rc = dotmplsubst(subject, subjectlen, ovector, nummatches, product_template, product, productlen);
962 if (rc != 0) {
963 error("Warning: Servicescan failed to fill product_template (subjectlen: %d, productlen: %d). Capture exceeds length? Match string was line %d: p/%s/%s/%s", subjectlen, productlen, deflineno,
964 (product_template)? product_template : "",
965 (version_template)? version_template : "",
966 (info_template)? info_template : "");
967 if (productlen > 0) *product = '\0';
968 retval = -1;
969 }
970 }
971
972 if (version_template) {
973 rc = dotmplsubst(subject, subjectlen, ovector, nummatches, version_template, version, versionlen);
974 if (rc != 0) {
975 error("Warning: Servicescan failed to fill version_template (subjectlen: %d, versionlen: %d). Capture exceeds length? Match string was line %d: v/%s/%s/%s", subjectlen, versionlen, deflineno,
976 (product_template)? product_template : "",
977 (version_template)? version_template : "",
978 (info_template)? info_template : "");
979 if (versionlen > 0) *version = '\0';
980 retval = -1;
981 }
982 }
983
984 if (info_template) {
985 rc = dotmplsubst(subject, subjectlen, ovector, nummatches, info_template, info, infolen);
986 if (rc != 0) {
987 error("Warning: Servicescan failed to fill info_template (subjectlen: %d, infolen: %d). Capture exceeds length? Match string was line %d: i/%s/%s/%s", subjectlen, infolen, deflineno,
988 (product_template)? product_template : "",
989 (version_template)? version_template : "",
990 (info_template)? info_template : "");
991 if (infolen > 0) *info = '\0';
992 retval = -1;
993 }
994 }
995
996 if (hostname_template) {
997 rc = dotmplsubst(subject, subjectlen, ovector, nummatches, hostname_template, hostname, hostnamelen);
998 if (rc != 0) {
999 error("Warning: Servicescan failed to fill hostname_template (subjectlen: %d, hostnamelen: %d). Capture exceeds length? Match string was line %d: h/%s/", subjectlen, hostnamelen, deflineno,
1000 (hostname_template)? hostname_template : "");
1001 if (hostnamelen > 0) *hostname = '\0';
1002 retval = -1;
1003 }
1004 }
1005
1006 if (ostype_template) {
1007 rc = dotmplsubst(subject, subjectlen, ovector, nummatches, ostype_template, ostype, ostypelen);
1008 if (rc != 0) {
1009 error("Warning: Servicescan failed to fill ostype_template (subjectlen: %d, ostypelen: %d). Capture exceeds length? Match string was line %d: o/%s/", subjectlen, ostypelen, deflineno,
1010 (ostype_template)? ostype_template : "");
1011 if (ostypelen > 0) *ostype = '\0';
1012 retval = -1;
1013 }
1014 }
1015
1016 if (devicetype_template) {
1017 rc = dotmplsubst(subject, subjectlen, ovector, nummatches, devicetype_template, devicetype, devicetypelen);
1018 if (rc != 0) {
1019 error("Warning: Servicescan failed to fill devicetype_template (subjectlen: %d, devicetypelen: %d). Too long? Match string was line %d: d/%s/", subjectlen, devicetypelen, deflineno,
1020 (devicetype_template)? devicetype_template : "");
1021 if (devicetypelen > 0) *devicetype = '\0';
1022 retval = -1;
1023 }
1024 }
1025
1026 /* There may be multiple cpe templates. We peek at the first character and
1027 store in cpe_a, cpe_h, or cpe_o as appropriate. */
1028 for (unsigned int i = 0; i < cpe_templates.size(); i++) {
1029 char *cpe;
1030 int cpelen;
1031 int part;
1032
1033 part = cpe_get_part(cpe_templates[i]);
1034 switch (part) {
1035 case 'a':
1036 cpe = cpe_a;
1037 cpelen = cpe_alen;
1038 break;
1039 case 'h':
1040 cpe = cpe_h;
1041 cpelen = cpe_hlen;
1042 break;
1043 case 'o':
1044 cpe = cpe_o;
1045 cpelen = cpe_olen;
1046 break;
1047 default:
1048 error("Warning: ignoring cpe:// template with unknown part '%c' (0x%02X)",
1049 isprint(part) ? part : '.', part);
1050 continue;
1051 break;
1052 }
1053 rc = dotmplsubst(subject, subjectlen, ovector, nummatches, cpe_templates[i], cpe, cpelen, transform_cpe);
1054 if (rc != 0) {
1055 error("Warning: Servicescan failed to fill cpe_%c (subjectlen: %d, cpelen: %d). Too long? Match string was line %d: %s", part, subjectlen, cpelen, deflineno,
1056 (cpe_templates[i])? cpe_templates[i] : "");
1057 if (cpelen > 0) *cpe = '\0';
1058 retval = -1;
1059 }
1060 }
1061
1062 return retval;
1063 }
1064
1065
ServiceProbe()1066 ServiceProbe::ServiceProbe() {
1067 int i;
1068 probename = NULL;
1069 probestring = NULL;
1070 totalwaitms = DEFAULT_SERVICEWAITMS;
1071 tcpwrappedms = DEFAULT_TCPWRAPPEDMS;
1072 probestringlen = 0; probeprotocol = -1;
1073 // The default rarity level for a probe without a rarity
1074 // directive - should almost never have to be relied upon.
1075 rarity = 5;
1076 fallbackStr = NULL;
1077 for (i=0; i<MAXFALLBACKS+1; i++) fallbacks[i] = NULL;
1078 }
1079
~ServiceProbe()1080 ServiceProbe::~ServiceProbe() {
1081 std::vector<ServiceProbeMatch *>::iterator vi;
1082
1083 if (probename) free(probename);
1084 if (probestring) free(probestring);
1085
1086 for(vi = matches.begin(); vi != matches.end(); vi++) {
1087 delete *vi;
1088 }
1089
1090 if (fallbackStr) free(fallbackStr);
1091 }
1092
1093 // Parses the "probe " line in the nmap-service-probes file. Pass the rest of the line
1094 // after "probe ". The format better be:
1095 // [TCP|UDP] [probename] q|probetext|
1096 // Note that the delimiter (|) of the probetext can be anything (within reason)
1097 // the lineno is requested because this function will bail with an error
1098 // (giving the line number) if it fails to parse the string.
setProbeDetails(char * pd,int lineno)1099 void ServiceProbe::setProbeDetails(char *pd, int lineno) {
1100 char *p;
1101 unsigned int len;
1102 char delimiter;
1103
1104 if (!pd || !*pd)
1105 fatal("Parse error on line %d of nmap-service-probes: no arguments found!", lineno);
1106
1107 // First the protocol
1108 if (strncmp(pd, "TCP ", 4) == 0)
1109 probeprotocol = IPPROTO_TCP;
1110 else if (strncmp(pd, "UDP ", 4) == 0)
1111 probeprotocol = IPPROTO_UDP;
1112 else fatal("Parse error on line %d of nmap-service-probes: invalid protocol", lineno);
1113 pd += 4;
1114
1115 // Next the service name
1116 if (!isalnum((int) (unsigned char) *pd)) fatal("Parse error on line %d of nmap-service-probes - bad probe name", lineno);
1117 p = strchr(pd, ' ');
1118 if (!p) fatal("Parse error on line %d of nmap-service-probes - nothing after probe name", lineno);
1119 len = p - pd;
1120 probename = (char *) safe_malloc(len + 1);
1121 memcpy(probename, pd, len);
1122 probename[len] = '\0';
1123
1124 // Now for the probe itself
1125 pd = p+1;
1126
1127 if (*pd != 'q') fatal("Parse error on line %d of nmap-service-probes - probe string must begin with 'q'", lineno);
1128 delimiter = *(++pd);
1129 p = strchr(++pd, delimiter);
1130 if (!p) fatal("Parse error on line %d of nmap-service-probes -- no ending delimiter for probe string", lineno);
1131 *p = '\0';
1132 if (!cstring_unescape(pd, &len)) {
1133 fatal("Parse error on line %d of nmap-service-probes: bad probe string escaping", lineno);
1134 }
1135 setProbeString((const u8 *)pd, len);
1136 }
1137
setProbeString(const u8 * ps,int stringlen)1138 void ServiceProbe::setProbeString(const u8 *ps, int stringlen) {
1139 if (probestringlen) free(probestring);
1140 probestringlen = stringlen;
1141 if (stringlen > 0) {
1142 probestring = (u8 *) safe_malloc(stringlen + 1);
1143 memcpy(probestring, ps, stringlen);
1144 probestring[stringlen] = '\0'; // but note that other \0 may be in string
1145 } else probestring = NULL;
1146 }
1147
setPortVector(std::vector<u16> * portv,const char * portstr,int lineno)1148 void ServiceProbe::setPortVector(std::vector<u16> *portv, const char *portstr,
1149 int lineno) {
1150 const char *current_range;
1151 char *endptr;
1152 long int rangestart = 0, rangeend = 0;
1153
1154 current_range = portstr;
1155
1156 do {
1157 while(*current_range && isspace((int) (unsigned char) *current_range)) current_range++;
1158 if (isdigit((int) (unsigned char) *current_range)) {
1159 rangestart = strtol(current_range, &endptr, 10);
1160 if (rangestart < 0 || rangestart > 65535) {
1161 fatal("Parse error on line %d of nmap-service-probes: Ports must be between 0 and 65535 inclusive", lineno);
1162 }
1163 current_range = endptr;
1164 while(isspace((int) (unsigned char) *current_range)) current_range++;
1165 } else {
1166 fatal("Parse error on line %d of nmap-service-probes: An example of proper portlist form is \"21-25,53,80\"", lineno);
1167 }
1168
1169 /* Now I have a rangestart, time to go after rangeend */
1170 if (!*current_range || *current_range == ',') {
1171 /* Single port specification */
1172 rangeend = rangestart;
1173 } else if (*current_range == '-') {
1174 current_range++;
1175 if (isdigit((int) (unsigned char) *current_range)) {
1176 rangeend = strtol(current_range, &endptr, 10);
1177 if (rangeend < 0 || rangeend > 65535 || rangeend < rangestart) {
1178 fatal("Parse error on line %d of nmap-service-probes: Ports must be between 0 and 65535 inclusive", lineno);
1179 }
1180 current_range = endptr;
1181 } else {
1182 fatal("Parse error on line %d of nmap-service-probes: An example of proper portlist form is \"21-25,53,80\"", lineno);
1183 }
1184 } else {
1185 fatal("Parse error on line %d of nmap-service-probes: An example of proper portlist form is \"21-25,53,80\"", lineno);
1186 }
1187
1188 /* Now I have a rangestart and a rangeend, so I can add these ports */
1189 while(rangestart <= rangeend) {
1190 portv->push_back(rangestart);
1191 rangestart++;
1192 }
1193
1194 /* Find the next range */
1195 while(isspace((int) (unsigned char) *current_range)) current_range++;
1196 if (*current_range && *current_range != ',') {
1197 fatal("Parse error on line %d of nmap-service-probes: An example of proper portlist form is \"21-25,53,80\"", lineno);
1198 }
1199 if (*current_range == ',')
1200 current_range++;
1201 } while(current_range && *current_range);
1202 }
1203
1204 // Takes a string as given in the 'ports '/'sslports ' line of
1205 // nmap-service-probes. Pass in the list from the appropriate
1206 // line. For 'sslports', tunnel should be specified as
1207 // SERVICE_TUNNEL_SSL. Otherwise use SERVICE_TUNNEL_NONE. The line
1208 // number is requested because this function will bail with an error
1209 // (giving the line number) if it fails to parse the string. Ports
1210 // are a comma separated list of ports and ranges
1211 // (e.g. 53,80,6000-6010).
setProbablePorts(enum service_tunnel_type tunnel,const char * portstr,int lineno)1212 void ServiceProbe::setProbablePorts(enum service_tunnel_type tunnel,
1213 const char *portstr, int lineno) {
1214 if (tunnel == SERVICE_TUNNEL_NONE)
1215 setPortVector(&probableports, portstr, lineno);
1216 else {
1217 assert(tunnel == SERVICE_TUNNEL_SSL);
1218 setPortVector(&probablesslports, portstr, lineno);
1219 }
1220 }
1221
1222 /* Returns true if the passed in port is on the list of probable
1223 ports for this probe and tunnel type. Use a tunnel of
1224 SERVICE_TUNNEL_SSL or SERVICE_TUNNEL_NONE as appropriate */
portIsProbable(enum service_tunnel_type tunnel,u16 portno)1225 bool ServiceProbe::portIsProbable(enum service_tunnel_type tunnel, u16 portno) {
1226 std::vector<u16> *portv;
1227
1228 portv = (tunnel == SERVICE_TUNNEL_SSL)? &probablesslports : &probableports;
1229
1230 if (find(portv->begin(), portv->end(), portno) == portv->end())
1231 return false;
1232 return true;
1233 }
1234
1235 // Returns true if the passed in service name is among those that can
1236 // be detected by the matches in this probe;
serviceIsPossible(const char * sname)1237 bool ServiceProbe::serviceIsPossible(const char *sname) {
1238 std::vector<const char *>::iterator vi;
1239
1240 for(vi = detectedServices.begin(); vi != detectedServices.end(); vi++) {
1241 if (strcmp(*vi, sname) == 0)
1242 return true;
1243 }
1244 return false;
1245 }
1246
1247
1248 // Takes a string following a Rarity directive in the probes file.
1249 // The string should contain a single integer between 1 and 9. The
1250 // default rarity is 5. This function will bail if the string is invalid.
setRarity(const char * portstr,int lineno)1251 void ServiceProbe::setRarity(const char *portstr, int lineno) {
1252 int tp;
1253
1254 tp = atoi(portstr);
1255
1256 if (tp < 1 || tp > 9)
1257 fatal("%s: Rarity directive on line %d of nmap-service-probes must be between 1 and 9", __func__, lineno);
1258
1259 rarity = tp;
1260 }
1261
1262
1263 // Takes a match line in a probe description and adds it to the
1264 // list of matches for this probe. This function should be passed
1265 // the whole line starting with "match" or "softmatch" in
1266 // nmap-service-probes. The line number is requested because this
1267 // function will bail with an error (giving the line number) if it
1268 // fails to parse the string.
addMatch(const char * match,int lineno)1269 void ServiceProbe::addMatch(const char *match, int lineno) {
1270 const char *sname;
1271 ServiceProbeMatch *newmatch = new ServiceProbeMatch();
1272 newmatch->InitMatch(match, lineno);
1273 sname = newmatch->getName();
1274 if (!serviceIsPossible(sname))
1275 detectedServices.push_back(sname);
1276 matches.push_back(newmatch);
1277 }
1278
1279 /* Parses the given nmap-service-probes file into the AP class Must
1280 NOT be made static because I have external maintenance tools
1281 (servicematch) which use this */
parse_nmap_service_probe_file(AllProbes * AP,char * filename)1282 void parse_nmap_service_probe_file(AllProbes *AP, char *filename) {
1283 ServiceProbe *newProbe = NULL;
1284 char line[2048];
1285 int lineno = 0;
1286 FILE *fp;
1287
1288 // We better start by opening the file
1289 fp = fopen(filename, "r");
1290 if (!fp)
1291 fatal("Failed to open nmap-service-probes file %s for reading", filename);
1292
1293 while(fgets(line, sizeof(line), fp)) {
1294 lineno++;
1295
1296 if (*line == '\n' || *line == '#')
1297 continue;
1298
1299 if (strncmp(line, "Exclude ", 8) == 0) {
1300 if (AP->excluded_seen)
1301 fatal("Only 1 Exclude directive is allowed in the nmap-service-probes file");
1302 getpts(line+8, &AP->excludedports);
1303 AP->excluded_seen = true;
1304 continue;
1305 }
1306
1307 anotherprobe:
1308
1309 if (strncmp(line, "Probe ", 6) != 0)
1310 fatal("Parse error on line %d of nmap-service-probes file: %s -- line was expected to begin with \"Probe \" or \"Exclude \"", lineno, filename);
1311
1312 newProbe = new ServiceProbe();
1313 newProbe->setProbeDetails(line + 6, lineno);
1314
1315 // Now we read the rest of the probe info
1316 while(fgets(line, sizeof(line), fp)) {
1317 lineno++;
1318 if (*line == '\n' || *line == '#')
1319 continue;
1320
1321 if (strncmp(line, "Probe ", 6) == 0) {
1322 if (newProbe->isNullProbe()) {
1323 assert(!AP->nullProbe);
1324 AP->nullProbe = newProbe;
1325 } else {
1326 AP->probes.push_back(newProbe);
1327 }
1328 goto anotherprobe;
1329 } else if (strncmp(line, "ports ", 6) == 0) {
1330 newProbe->setProbablePorts(SERVICE_TUNNEL_NONE, line + 6, lineno);
1331 } else if (strncmp(line, "sslports ", 9) == 0) {
1332 newProbe->setProbablePorts(SERVICE_TUNNEL_SSL, line + 9, lineno);
1333 } else if (strncmp(line, "rarity ", 7) == 0) {
1334 newProbe->setRarity(line + 7, lineno);
1335 } else if (strncmp(line, "fallback ", 9) == 0) {
1336 newProbe->fallbackStr = strdup(line + 9);
1337 } else if (strncmp(line, "totalwaitms ", 12) == 0) {
1338 long waitms = strtol(line + 12, NULL, 10);
1339 if (waitms < 100 || waitms > 300000)
1340 fatal("Error on line %d of nmap-service-probes file (%s): bad totalwaitms value. Must be between 100 and 300000 milliseconds", lineno, filename);
1341 newProbe->totalwaitms = waitms;
1342 } else if (strncmp(line, "tcpwrappedms ", 13) == 0) {
1343 long waitms = strtol(line + 13, NULL, 10);
1344 if (waitms < 100 || waitms > 300000)
1345 fatal("Error on line %d of nmap-service-probes file (%s): bad tcpwrappedms value. Must be between 100 and 300000 milliseconds", lineno, filename);
1346 newProbe->tcpwrappedms = waitms;
1347 } else if (strncmp(line, "match ", 6) == 0 || strncmp(line, "softmatch ", 10) == 0) {
1348 newProbe->addMatch(line, lineno);
1349 } else if (strncmp(line, "Exclude ", 8) == 0) {
1350 fatal("The Exclude directive must precede all Probes in nmap-service-probes");
1351 } else fatal("Parse error on line %d of nmap-service-probes file: %s -- unknown directive", lineno, filename);
1352 }
1353 }
1354
1355 if (newProbe != NULL) {
1356 if (newProbe->isNullProbe()) {
1357 assert(!AP->nullProbe);
1358 AP->nullProbe = newProbe;
1359 } else {
1360 AP->probes.push_back(newProbe);
1361 }
1362 }
1363 fclose(fp);
1364
1365 AP->compileFallbacks();
1366 }
1367
1368 // Parses the nmap-service-probes file, and adds each probe to
1369 // the already-created 'probes' vector.
parse_nmap_service_probes(AllProbes * AP)1370 static void parse_nmap_service_probes(AllProbes *AP) {
1371 char filename[256];
1372
1373 if (nmap_fetchfile(filename, sizeof(filename), "nmap-service-probes") != 1){
1374 fatal("Service scan requested but I cannot find nmap-service-probes file.");
1375 }
1376
1377 parse_nmap_service_probe_file(AP, filename);
1378 /* Record where this data file was found. */
1379 o.loaded_data_files["nmap-service-probes"] = filename;
1380 }
1381
1382 AllProbes *AllProbes::global_AP;
service_scan_init(void)1383 AllProbes *AllProbes::service_scan_init(void)
1384 {
1385 if(global_AP)
1386 return global_AP;
1387 global_AP = new AllProbes();
1388 parse_nmap_service_probes(global_AP);
1389
1390 return global_AP;
1391 }
1392
service_scan_free(void)1393 void AllProbes::service_scan_free(void)
1394 {
1395 if(global_AP){
1396 delete global_AP;
1397 global_AP = NULL;
1398 }
1399 }
1400
1401 // Function that calls isExcluded() function to check if the port
1402 // is in the excludedports list.
check_excluded_port(unsigned short portno,int proto)1403 int AllProbes::check_excluded_port(unsigned short portno, int proto)
1404 {
1405 int excluded;
1406
1407 // Check if the -sV version scan option was specified
1408 // or if the --allports option was used
1409 if (!o.servicescan || o.override_excludeports)
1410 return 0;
1411
1412 if (global_AP == NULL)
1413 fatal("Failed to check the list of excluded ports: %s", __func__);
1414
1415 if ((excluded = global_AP->isExcluded(portno, proto))) {
1416 if (o.debugging)
1417 log_write(LOG_PLAIN, "EXCLUDING %d/%s\n",
1418 portno, IPPROTO2STR(proto));
1419 }
1420
1421 return excluded;
1422 }
1423
1424 // If the buf (of length buflen) matches one of the regexes in this
1425 // ServiceProbe, returns the details of nth match (service name,
1426 // version number if applicable, and whether this is a "soft" match.
1427 // If the buf doesn't match, the serviceName field in the structure
1428 // will be NULL. The MatchDetails returned is only valid until the
1429 // next time this function is called. The only exception is that the
1430 // serviceName field can be saved throughout program execution. If
1431 // no version matched, that field will be NULL. This function may
1432 // return NULL if there are no match lines at all in this probe.
testMatch(const u8 * buf,int buflen,int n=0)1433 const struct MatchDetails *ServiceProbe::testMatch(const u8 *buf, int buflen, int n = 0) {
1434 std::vector<ServiceProbeMatch *>::iterator vi;
1435 const struct MatchDetails *MD;
1436
1437 for(vi = matches.begin(); vi != matches.end(); vi++) {
1438 MD = (*vi)->testMatch(buf, buflen);
1439 if (MD->serviceName) {
1440 if (n == 0)
1441 return MD;
1442 n--;
1443 }
1444 }
1445
1446 return NULL;
1447 }
1448
AllProbes()1449 AllProbes::AllProbes() {
1450 nullProbe = NULL;
1451 excluded_seen = false;
1452 memset(&excludedports, 0, sizeof(excludedports));
1453 }
1454
~AllProbes()1455 AllProbes::~AllProbes() {
1456 std::vector<ServiceProbe *>::iterator vi;
1457
1458 // Delete all the ServiceProbe's inside the probes vector
1459 for(vi = probes.begin(); vi != probes.end(); vi++) {
1460 delete *vi;
1461 }
1462 if(nullProbe)
1463 delete nullProbe;
1464 free_scan_lists(&excludedports);
1465 }
1466
1467 // Tries to find the probe in this AllProbes class which have the
1468 // given name and protocol. If no match is found for the requested
1469 // protocol it will try to find matches on any protocol.
1470 // It can return the NULL probe.
getProbeByName(const char * name,int proto)1471 ServiceProbe *AllProbes::getProbeByName(const char *name, int proto) {
1472 std::vector<ServiceProbe *>::iterator vi;
1473
1474 if (proto == IPPROTO_TCP && nullProbe && strcmp(nullProbe->getName(), name) == 0)
1475 return nullProbe;
1476
1477 for(vi = probes.begin(); vi != probes.end(); vi++) {
1478 if ((*vi)->getProbeProtocol() == proto &&
1479 strcmp(name, (*vi)->getName()) == 0)
1480 return *vi;
1481 }
1482
1483 // Since the probe wasn't matched for the requested protocol, now try to
1484 // find a match regardless of protocol
1485 for(vi = probes.begin(); vi != probes.end(); vi++) {
1486 if (strcmp(name, (*vi)->getName()) == 0)
1487 return *vi;
1488 }
1489
1490 return NULL;
1491 }
1492
1493
1494
1495 // Returns nonzero if port was specified in the excludeports
1496 // directive in nmap-service-probes. Zero otherwise.
1497 // Proto should be IPPROTO_TCP for TCP and IPPROTO_UDP for UDP
1498 // Note that although getpts() can set protocols (for protocol
1499 // scanning), this is ignored here because you can't version
1500 // scan protocols.
isExcluded(unsigned short port,int proto)1501 int AllProbes::isExcluded(unsigned short port, int proto) {
1502 unsigned short *p=NULL;
1503 int count=-1,i;
1504
1505 if (!excluded_seen) return 0;
1506
1507 if (proto == IPPROTO_TCP) {
1508 p = excludedports.tcp_ports;
1509 count = excludedports.tcp_count;
1510 } else if (proto == IPPROTO_UDP) {
1511 p = excludedports.udp_ports;
1512 count = excludedports.udp_count;
1513 } else if (proto == IPPROTO_SCTP) {
1514 p = excludedports.sctp_ports;
1515 count = excludedports.sctp_count;
1516 } else {
1517 fatal("Bad proto number (%d) specified in %s", proto, __func__);
1518 }
1519
1520 for (i=0; i<count; i++)
1521 if (p[i] == port)
1522 return 1;
1523
1524 return 0;
1525 }
1526
1527
1528 // Before this function is called, the fallbacks exist as unparsed
1529 // comma-separated strings in the fallbackStr field of each probe.
1530 // This function fills out the fallbacks array in each probe with
1531 // an ordered list of pointers to which probes to try. This is both for
1532 // efficiency and to deal with odd cases like the NULL probe and falling
1533 // back to probes later in the file. This function also free()s all the
1534 // fallbackStrs.
compileFallbacks()1535 void AllProbes::compileFallbacks() {
1536 std::vector<ServiceProbe *>::iterator curr;
1537 char *tp;
1538 int i;
1539
1540 curr = probes.begin();
1541
1542 // The NULL probe is a special case:
1543 if (nullProbe != NULL)
1544 nullProbe->fallbacks[0] = nullProbe;
1545
1546 while (curr != probes.end()) {
1547
1548 if ((*curr)->fallbackStr == NULL) {
1549 // A non-NULL probe without a fallback directive. We
1550 // just use "Itself,NULL" unless it's UDP, then just "Itself".
1551
1552 (*curr)->fallbacks[0] = *curr;
1553 if ((*curr)->getProbeProtocol() == IPPROTO_TCP)
1554 (*curr)->fallbacks[1] = nullProbe;
1555 } else {
1556 // A non-NULL probe *with* a fallback directive. We use:
1557 // TCP: "Itself,<directive1>,...,<directiveN>,NULL"
1558 // UDP: "Itself,<directive1>,...,<directiveN>"
1559
1560 (*curr)->fallbacks[0] = *curr;
1561 i = 1;
1562 tp = strtok((*curr)->fallbackStr, ",\r\n\t "); // \r and \n because string will be terminated with them
1563
1564 while (tp != NULL && i<(MAXFALLBACKS-1)) {
1565 (*curr)->fallbacks[i] = getProbeByName(tp, (*curr)->getProbeProtocol());
1566 if ((*curr)->fallbacks[i] == NULL)
1567 fatal("%s: Unknown fallback specified in Probe %s: '%s'", __func__, (*curr)->getName(), tp);
1568 i++;
1569 tp = strtok(NULL, ",\r\n\t ");
1570 }
1571
1572 if (i == MAXFALLBACKS-1)
1573 fatal("%s: MAXFALLBACKS exceeded on probe '%s'", __func__, (*curr)->getName());
1574
1575 if ((*curr)->getProbeProtocol() == IPPROTO_TCP)
1576 (*curr)->fallbacks[i] = nullProbe;
1577 }
1578
1579 if ((*curr)->fallbackStr) free((*curr)->fallbackStr);
1580 (*curr)->fallbackStr = NULL;
1581
1582 curr++;
1583 }
1584
1585 }
1586
1587
1588
ServiceNFO(AllProbes * newAP)1589 ServiceNFO::ServiceNFO(AllProbes *newAP) {
1590 target = NULL;
1591 probe_matched = NULL;
1592 niod = NULL;
1593 probe_state = PROBESTATE_INITIAL;
1594 portno = proto = 0;
1595 AP = newAP;
1596 currentresp = NULL;
1597 currentresplen = 0;
1598 product_matched[0] = version_matched[0] = extrainfo_matched[0] = '\0';
1599 hostname_matched[0] = ostype_matched[0] = devicetype_matched[0] = '\0';
1600 cpe_a_matched[0] = cpe_h_matched[0] = cpe_o_matched[0] = '\0';
1601 tunnel = SERVICE_TUNNEL_NONE;
1602 ssl_session = NULL;
1603 softMatchFound = false;
1604 servicefplen = servicefpalloc = 0;
1605 servicefp = NULL;
1606 tcpwrap_possible = true;
1607 memset(¤tprobe_exec_time, 0, sizeof(currentprobe_exec_time));
1608 }
1609
~ServiceNFO()1610 ServiceNFO::~ServiceNFO() {
1611 if (currentresp) free(currentresp);
1612 if (servicefp) free(servicefp);
1613 servicefp = NULL;
1614 servicefpalloc = servicefplen = 0;
1615 #if HAVE_OPENSSL
1616 if (ssl_session)
1617 SSL_SESSION_free((SSL_SESSION*)ssl_session);
1618 ssl_session=NULL;
1619 #endif
1620 }
1621
1622 // Adds a character to servicefp. Takes care of word wrapping if
1623 // necessary at the given (wrapat) column. Chars will only be
1624 // written if there is enough space. Otherwise it exits.
addServiceChar(const char c,int wrapat)1625 void ServiceNFO::addServiceChar(const char c, int wrapat) {
1626
1627 if (servicefpalloc - servicefplen < 6)
1628 fatal("%s - out of space for servicefp", __func__);
1629
1630 if (servicefplen % (wrapat+1) == wrapat) {
1631 // we need to start a new line
1632 memcpy(servicefp + servicefplen, "\nSF:", 4);
1633 servicefplen += 4;
1634 }
1635
1636 servicefp[servicefplen++] = c;
1637 }
1638
1639 // Like addServiceChar, but for a whole zero-terminated string
addServiceString(const char * s,int wrapat)1640 void ServiceNFO::addServiceString(const char *s, int wrapat) {
1641 while(*s)
1642 addServiceChar(*s++, wrapat);
1643 }
1644
1645 // If a service responds to a given probeName, this function adds the
1646 // response to the fingerprint for that service. The fingerprint can
1647 // be printed when nothing matches the service. You can obtain the
1648 // fingerprint (if any) via getServiceFingerprint();
addToServiceFingerprint(const char * probeName,const u8 * resp,int resplen)1649 void ServiceNFO::addToServiceFingerprint(const char *probeName, const u8 *resp,
1650 int resplen) {
1651 int spaceleft = servicefpalloc - servicefplen;
1652 int servicewrap=74; // Wrap after 74 chars / line
1653 int respused = MIN(resplen, (o.debugging)? 1300 : 900); // truncate to reasonable size
1654 // every char could require \xHH escape, plus there is the matter of
1655 // "\nSF:" for each line, plus "%r(probename,probelen,"") Oh, and
1656 // the SF-PortXXXX-TCP stuff, etc
1657 int spaceneeded = respused * 5 + strlen(probeName) + 128;
1658 int srcidx;
1659 struct tm ltime;
1660 time_t timep;
1661 int err;
1662 char buf[128];
1663
1664 assert(resplen);
1665 assert(probeName);
1666
1667 if (servicefplen > (o.debugging? 10000 : 2200))
1668 return; // it is large enough.
1669
1670 if (spaceneeded >= spaceleft) {
1671 spaceneeded = MAX(spaceneeded, 512); // No point in tiny allocations
1672 spaceneeded += servicefpalloc;
1673
1674 servicefp = (char *) safe_realloc(servicefp, spaceneeded);
1675 servicefpalloc = spaceneeded;
1676 }
1677 spaceleft = servicefpalloc - servicefplen;
1678
1679 if (servicefplen == 0) {
1680 timep = time(NULL);
1681 err = n_localtime(&timep, <ime);
1682 if (err)
1683 error("Error in localtime: %s", strerror(err));
1684 Snprintf(buf, sizeof(buf), "SF-Port%hu-%s:V=%s%s%%I=%d%%D=%d/%d%%Time=%X%%P=%s",
1685 portno, proto2ascii_uppercase(proto), NMAP_VERSION,
1686 (tunnel == SERVICE_TUNNEL_SSL)? "%T=SSL" : "", o.version_intensity,
1687 err ? 0 : ltime.tm_mon + 1, err ? 0 : ltime.tm_mday, (int) timep, NMAP_PLATFORM);
1688 addServiceString(buf, servicewrap);
1689 }
1690
1691 // Note that we give the total length of the response, even though we
1692 // may truncate
1693 Snprintf(buf, sizeof(buf), "%%r(%s,%X,\"", probeName, resplen);
1694 addServiceString(buf, servicewrap);
1695
1696 // Now for the probe response itself ...
1697 for(srcidx=0; srcidx < respused; srcidx++) {
1698 // A run of this can take up to 8 chars: "\n \x20"
1699 assert(servicefpalloc - servicefplen > 8);
1700
1701 if (isalnum((int)resp[srcidx]))
1702 addServiceChar((char) resp[srcidx], servicewrap);
1703 else if (resp[srcidx] == '\0') {
1704 /* We need to be careful with this, because if it is followed by
1705 an ASCII number, PCRE will treat it differently. */
1706 if (srcidx + 1 >= respused || !isdigit((int) resp[srcidx + 1]))
1707 addServiceString("\\0", servicewrap);
1708 else addServiceString("\\x00", servicewrap);
1709 } else if (strchr("\\?\"[]().*+$^|", resp[srcidx])) {
1710 addServiceChar('\\', servicewrap);
1711 addServiceChar(resp[srcidx], servicewrap);
1712 } else if (ispunct((int)resp[srcidx])) {
1713 addServiceChar((char) resp[srcidx], servicewrap);
1714 } else if (resp[srcidx] == '\r') {
1715 addServiceString("\\r", servicewrap);
1716 } else if (resp[srcidx] == '\n') {
1717 addServiceString("\\n", servicewrap);
1718 } else if (resp[srcidx] == '\t') {
1719 addServiceString("\\t", servicewrap);
1720 } else {
1721 addServiceChar('\\', servicewrap);
1722 addServiceChar('x', servicewrap);
1723 Snprintf(buf, sizeof(buf), "%02x", resp[srcidx]);
1724 addServiceChar(*buf, servicewrap);
1725 addServiceChar(*(buf+1), servicewrap);
1726 }
1727 }
1728
1729 addServiceChar('"', servicewrap);
1730 addServiceChar(')', servicewrap);
1731 assert(servicefpalloc - servicefplen > 1);
1732 servicefp[servicefplen] = '\0';
1733 }
1734
1735 // Get the service fingerprint. It is NULL if there is none, such
1736 // as if there was a match before any other probes were finished (or
1737 // if no probes gave back data). Note that this is plain
1738 // NUL-terminated ASCII data, although the length is optionally
1739 // available anyway. This function terminates the service fingerprint
1740 // with a semi-colon
getServiceFingerprint(int * flen)1741 const char *ServiceNFO::getServiceFingerprint(int *flen) {
1742
1743 if (servicefplen == 0) {
1744 if (flen) *flen = 0;
1745 return NULL;
1746 }
1747
1748 // Ensure we have enough space for the terminating semi-colon and \0
1749 if (servicefplen + 2 > servicefpalloc) {
1750 servicefpalloc = servicefplen + 20;
1751 servicefp = (char *) safe_realloc(servicefp, servicefpalloc);
1752 }
1753
1754 if (flen) *flen = servicefplen + 1;
1755 // We terminate with a semi-colon, which is never wrapped.
1756 servicefp[servicefplen] = ';';
1757 servicefp[servicefplen + 1] = '\0';
1758 return servicefp;
1759 }
1760
currentProbe()1761 ServiceProbe *ServiceNFO::currentProbe() {
1762 if (probe_state == PROBESTATE_INITIAL) {
1763 return nextProbe(true);
1764 } else if (probe_state == PROBESTATE_NULLPROBE) {
1765 assert(AP->nullProbe);
1766 return AP->nullProbe;
1767 } else if (probe_state == PROBESTATE_MATCHINGPROBES ||
1768 probe_state == PROBESTATE_NONMATCHINGPROBES) {
1769 return *current_probe;
1770 }
1771 return NULL;
1772 }
1773
1774 // computes the next probe to test, and ALSO CHANGES currentProbe() to
1775 // that! If newresp is true, the old response info will be lost and
1776 // invalidated. Otherwise it remains as if it had been received by
1777 // the current probe (useful after a NULL probe).
nextProbe(bool newresp)1778 ServiceProbe *ServiceNFO::nextProbe(bool newresp) {
1779 bool dropdown = false;
1780
1781 // This invalidates the probe response string if any
1782 if (newresp) {
1783 if (currentresp) free(currentresp);
1784 currentresp = NULL; currentresplen = 0;
1785 }
1786
1787 if (probe_state == PROBESTATE_INITIAL) {
1788 probe_state = PROBESTATE_NULLPROBE;
1789 // This is the very first probe -- so we try to use the NULL probe
1790 // but obviously NULL probe only works with TCP
1791 if (proto == IPPROTO_TCP && AP->nullProbe)
1792 return AP->nullProbe;
1793
1794 // No valid NULL probe -- we'll drop to the next state
1795 }
1796
1797 if (probe_state == PROBESTATE_NULLPROBE) {
1798 // There can only be one (or zero) NULL probe. So now we go through the
1799 // list looking for matching probes
1800 probe_state = PROBESTATE_MATCHINGPROBES;
1801 dropdown = true;
1802 current_probe = AP->probes.begin();
1803 }
1804
1805 if (probe_state == PROBESTATE_MATCHINGPROBES) {
1806 if (!dropdown && current_probe != AP->probes.end()) current_probe++;
1807 while (current_probe != AP->probes.end()) {
1808 // For the first run, we only do probes that match this port number
1809 if ((proto == (*current_probe)->getProbeProtocol()) &&
1810 (*current_probe)->portIsProbable(tunnel, portno) &&
1811 // Skip the probe if we softmatched and the service isn't available via this probe.
1812 // --version-all avoids this optimization here and in PROBESTATE_NONMATCHINGPROBES below.
1813 (!softMatchFound || o.version_intensity >= 9 || (*current_probe)->serviceIsPossible(probe_matched))) {
1814 // This appears to be a valid probe. Let's do it!
1815 return *current_probe;
1816 }
1817 current_probe++;
1818 }
1819 // Tried all MATCHINGPROBES -- now we must move to nonmatching
1820 probe_state = PROBESTATE_NONMATCHINGPROBES;
1821 dropdown = true;
1822 current_probe = AP->probes.begin();
1823 }
1824
1825 if (probe_state == PROBESTATE_NONMATCHINGPROBES) {
1826 if (!dropdown && current_probe != AP->probes.end()) current_probe++;
1827 while (current_probe != AP->probes.end()) {
1828 // The protocol must be right, it must be a nonmatching port ('cause we did those),
1829 // and we better either have no soft match yet, or the soft service match must
1830 // be available via this probe. Also, the Probe's rarity must be <= to our
1831 // version detection intensity level.
1832 if ((proto == (*current_probe)->getProbeProtocol()) &&
1833 !(*current_probe)->portIsProbable(tunnel, portno) &&
1834 // No softmatch so obey intensity, or
1835 ((!softMatchFound && (*current_probe)->getRarity() <= o.version_intensity) ||
1836 // Softmatch, so only require service match (no rarity check)
1837 (softMatchFound && (o.version_intensity >= 9 || (*current_probe)->serviceIsPossible(probe_matched))))) {
1838 // Valid, probe. Let's do it!
1839 return *current_probe;
1840 }
1841 current_probe++;
1842 }
1843
1844 // Tried all NONMATCHINGPROBES -- we're finished
1845 probe_state = (softMatchFound)? PROBESTATE_FINISHED_SOFTMATCHED : PROBESTATE_FINISHED_NOMATCH;
1846 return NULL;
1847 }
1848
1849 fatal("%s called for probe in state (%d)", __func__, (int) probe_state);
1850 return NULL;
1851 }
1852
1853 // Resets the probes back to the first one. One case where this is useful is
1854 // when SSL is detected -- we redo all probes through SSL. If freeFP, any
1855 // service fingerprint is freed too.
resetProbes(bool freefp)1856 void ServiceNFO::resetProbes(bool freefp) {
1857
1858 if (currentresp) free(currentresp);
1859
1860 if (freefp) {
1861 if (servicefp) { free(servicefp); servicefp = NULL; }
1862 servicefplen = servicefpalloc = 0;
1863 }
1864
1865 currentresp = NULL; currentresplen = 0;
1866
1867 probe_state = PROBESTATE_INITIAL;
1868 }
1869
probe_timemsused(const ServiceProbe * probe,const struct timeval * now)1870 int ServiceNFO::probe_timemsused(const ServiceProbe *probe, const struct timeval *now) {
1871 int timeused;
1872
1873 if (now)
1874 timeused = TIMEVAL_MSEC_SUBTRACT(*now, currentprobe_exec_time);
1875 else {
1876 struct timeval tv;
1877 gettimeofday(&tv, NULL);
1878 timeused = TIMEVAL_MSEC_SUBTRACT(tv, currentprobe_exec_time);
1879 }
1880
1881 // Historically this function was always called with the assumption that
1882 // probe == currentProbe(). Check that this remains the case.
1883 assert(probe == currentProbe());
1884
1885 return timeused;
1886 }
1887
probe_timemsleft(const ServiceProbe * probe,const struct timeval * now)1888 int ServiceNFO::probe_timemsleft(const ServiceProbe *probe, const struct timeval *now) {
1889
1890 // Historically this function was always called with the assumption that
1891 // probe == currentProbe(). Check that this remains the case.
1892 assert(probe == currentProbe());
1893
1894 int timeleft = probe->totalwaitms - probe_timemsused(probe, now);
1895 return (timeleft < 0)? 0 : timeleft;
1896 }
1897
appendtocurrentproberesponse(const u8 * respstr,int respstrlen)1898 void ServiceNFO::appendtocurrentproberesponse(const u8 *respstr, int respstrlen) {
1899 currentresp = (u8 *) safe_realloc(currentresp, currentresplen + respstrlen);
1900 memcpy(currentresp + currentresplen, respstr, respstrlen);
1901 currentresplen += respstrlen;
1902 }
1903
1904 // Get the full current response string. Note that this pointer is
1905 // INVALIDATED if you call appendtocurrentproberesponse() or nextProbe()
getcurrentproberesponse(int * respstrlen)1906 u8 *ServiceNFO::getcurrentproberesponse(int *respstrlen) {
1907 *respstrlen = currentresplen;
1908 return currentresp;
1909 }
1910
1911
ServiceGroup(std::vector<Target * > & Targets,AllProbes * AP)1912 ServiceGroup::ServiceGroup(std::vector<Target *> &Targets, AllProbes *AP) {
1913 unsigned int targetno;
1914 ServiceNFO *svc;
1915 Port *nxtport;
1916 Port port;
1917 int desired_par;
1918 struct timeval now;
1919 num_hosts_timedout = 0;
1920 gettimeofday(&now, NULL);
1921
1922 for(targetno = 0 ; targetno < Targets.size(); targetno++) {
1923 nxtport = NULL;
1924 if (Targets[targetno]->timedOut(&now)) {
1925 num_hosts_timedout++;
1926 continue;
1927 }
1928 while((nxtport = Targets[targetno]->ports.nextPort(nxtport, &port, TCPANDUDPANDSCTP, PORT_OPEN))) {
1929 svc = new ServiceNFO(AP);
1930 svc->target = Targets[targetno];
1931 svc->portno = nxtport->portno;
1932 svc->proto = nxtport->proto;
1933 services_remaining.push_back(svc);
1934 }
1935 }
1936
1937 /* Use a whole new loop for PORT_OPENFILTERED so that we try all the
1938 known open ports first before bothering with this speculative
1939 stuff */
1940 for(targetno = 0 ; targetno < Targets.size(); targetno++) {
1941 nxtport = NULL;
1942 if (Targets[targetno]->timedOut(&now)) {
1943 continue;
1944 }
1945 while((nxtport = Targets[targetno]->ports.nextPort(nxtport, &port, TCPANDUDPANDSCTP, PORT_OPENFILTERED))) {
1946 svc = new ServiceNFO(AP);
1947 svc->target = Targets[targetno];
1948 svc->portno = nxtport->portno;
1949 svc->proto = nxtport->proto;
1950 services_remaining.push_back(svc);
1951 }
1952 }
1953
1954 SPM = new ScanProgressMeter("Service scan");
1955 desired_par = 1;
1956 if (o.timing_level == 3) desired_par = 20;
1957 if (o.timing_level == 4) desired_par = 30;
1958 if (o.timing_level >= 5) desired_par = 40;
1959 // TODO: Come up with better ways to determine ideal_parallelism
1960 int min_par, max_par;
1961 min_par = o.min_parallelism;
1962 max_par = MAX(min_par, o.max_parallelism ? o.max_parallelism : 100);
1963 ideal_parallelism = box(min_par, max_par, desired_par);
1964 }
1965
~ServiceGroup()1966 ServiceGroup::~ServiceGroup() {
1967 std::list<ServiceNFO *>::iterator i;
1968
1969 for(i = services_finished.begin(); i != services_finished.end(); i++)
1970 delete *i;
1971
1972 for(i = services_in_progress.begin(); i != services_in_progress.end(); i++)
1973 delete *i;
1974
1975 for(i = services_remaining.begin(); i != services_remaining.end(); i++)
1976 delete *i;
1977
1978 delete SPM;
1979 }
1980
1981 /* Called if data is read for a service or a TCP connection made. Sets the port
1982 state to PORT_OPEN. */
adjustPortStateIfNecessary(ServiceNFO * svc)1983 static void adjustPortStateIfNecessary(ServiceNFO *svc) {
1984 int oldstate;
1985 char host[128];
1986
1987 oldstate = svc->target->ports.getPortState(svc->portno, svc->proto);
1988 if (oldstate != PORT_OPEN) {
1989 svc->target->ports.setPortState(svc->portno, svc->proto, PORT_OPEN);
1990 if (svc->proto == IPPROTO_TCP)
1991 svc->target->ports.setStateReason(svc->portno, svc->proto, ER_TCPRESPONSE, 0, NULL);
1992 if (svc->proto == IPPROTO_UDP)
1993 svc->target->ports.setStateReason(svc->portno, svc->proto, ER_UDPRESPONSE, 0, NULL);
1994
1995 if (o.verbose || o.debugging > 1) {
1996 svc->target->NameIP(host, sizeof(host));
1997
1998 log_write(LOG_STDOUT, "Discovered %s port %hu/%s on %s is actually open\n",
1999 statenum2str(oldstate), svc->portno, proto2ascii_lowercase(svc->proto), host);
2000 log_flush(LOG_STDOUT);
2001 }
2002 }
2003
2004 return;
2005 }
2006
2007 // Sends probe text to an open connection. In the case of a NULL probe, there
2008 // may be no probe text
send_probe_text(nsock_pool nsp,nsock_iod nsi,ServiceNFO * svc,ServiceProbe * probe)2009 static int send_probe_text(nsock_pool nsp, nsock_iod nsi, ServiceNFO *svc,
2010 ServiceProbe *probe) {
2011 const u8 *probestring;
2012 int probestringlen;
2013
2014 // Report data as probes are sent if --version-trace has been requested
2015 if (o.debugging > 1 || o.versionTrace()) {
2016 log_write(LOG_PLAIN, "Service scan sending probe %s to %s:%hu (%s)\n", probe->getName(), svc->target->targetipstr(), svc->portno, proto2ascii_lowercase(svc->proto));
2017 }
2018
2019 assert(probe);
2020 if (probe->isNullProbe())
2021 return 0; // No need to send anything for a NULL probe;
2022 probestring = probe->getProbeString(&probestringlen);
2023 assert(probestringlen > 0);
2024 // Now we write the string to the IOD
2025 nsock_write(nsp, nsi, servicescan_write_handler, svc->probe_timemsleft(probe), svc,
2026 (const char *) probestring, probestringlen);
2027 return 0;
2028 }
2029
2030 // This simple helper function is used to start the next probe. If
2031 // the probe exists, execution begins (and the previous one is cleaned
2032 // up if necessary) . Otherwise, the service is listed as finished
2033 // and moved to the finished list. If you pass 'true' for alwaysrestart, a
2034 // new connection will be made even if the previous probe was the NULL probe.
2035 // You would do this, for example, if the other side has closed the connection.
startNextProbe(nsock_pool nsp,nsock_iod nsi,ServiceGroup * SG,ServiceNFO * svc,bool alwaysrestart)2036 static void startNextProbe(nsock_pool nsp, nsock_iod nsi, ServiceGroup *SG,
2037 ServiceNFO *svc, bool alwaysrestart) {
2038 bool isInitial = svc->probe_state == PROBESTATE_INITIAL;
2039 ServiceProbe *probe = svc->currentProbe();
2040 struct sockaddr_storage ss;
2041 size_t ss_len;
2042
2043 if (!alwaysrestart && probe->isNullProbe()) {
2044 // The difference here is that we can reuse the same (TCP) connection
2045 // if the last probe was the NULL probe.
2046 probe = svc->nextProbe(false);
2047 if (probe) {
2048 svc->currentprobe_exec_time = *nsock_gettimeofday();
2049 send_probe_text(nsp, nsi, svc, probe);
2050 nsock_read(nsp, nsi, servicescan_read_handler,
2051 svc->probe_timemsleft(probe, nsock_gettimeofday()), svc);
2052 } else {
2053 // Should only happen if someone has a highly perverse nmap-service-probes
2054 // file. Null scan should generally never be the only probe.
2055 end_svcprobe(nsp, (svc->softMatchFound)? PROBESTATE_FINISHED_SOFTMATCHED : PROBESTATE_FINISHED_NOMATCH, SG, svc, NULL);
2056 }
2057 } else {
2058 // The finished probe was not a NULL probe. So we close the
2059 // connection, and if further probes are available, we launch the
2060 // next one.
2061 if (!isInitial)
2062 probe = svc->nextProbe(true); // if was initial, currentProbe() returned the right one to execute.
2063 if (probe) {
2064 // For a TCP probe, we start by requesting a new connection to the target
2065 if (svc->proto == IPPROTO_TCP) {
2066 nsock_iod_delete(nsi, NSOCK_PENDING_SILENT);
2067 if ((svc->niod = nsock_iod_new(nsp, svc)) == NULL) {
2068 fatal("Failed to allocate Nsock I/O descriptor in %s()", __func__);
2069 }
2070 if (o.spoofsource) {
2071 o.SourceSockAddr(&ss, &ss_len);
2072 nsock_iod_set_localaddr(svc->niod, &ss, ss_len);
2073 }
2074 if (o.ipoptionslen)
2075 nsock_iod_set_ipoptions(svc->niod, o.ipoptions, o.ipoptionslen);
2076 if (svc->target->TargetName()) {
2077 if (nsock_iod_set_hostname(svc->niod, svc->target->TargetName()) == -1)
2078 fatal("nsock_iod_set_hostname(\"%s\" failed in %s()",
2079 svc->target->TargetName(), __func__);
2080 }
2081 svc->target->TargetSockAddr(&ss, &ss_len);
2082 if (svc->tunnel == SERVICE_TUNNEL_NONE) {
2083 nsock_connect_tcp(nsp, svc->niod, servicescan_connect_handler,
2084 DEFAULT_CONNECT_TIMEOUT, svc,
2085 (struct sockaddr *) &ss, ss_len,
2086 svc->portno);
2087 } else {
2088 assert(svc->tunnel == SERVICE_TUNNEL_SSL);
2089 nsock_connect_ssl(nsp, svc->niod, servicescan_connect_handler,
2090 DEFAULT_CONNECT_SSL_TIMEOUT, svc,
2091 (struct sockaddr *) &ss,
2092 ss_len, svc->proto, svc->portno, svc->ssl_session);
2093 }
2094 } else {
2095 assert(svc->proto == IPPROTO_UDP);
2096 /* Can maintain the same UDP "connection" */
2097 svc->currentprobe_exec_time = *nsock_gettimeofday();
2098 send_probe_text(nsp, nsi, svc, probe);
2099 // Now let us read any results
2100 nsock_read(nsp, nsi, servicescan_read_handler,
2101 svc->probe_timemsleft(probe, nsock_gettimeofday()), svc);
2102 }
2103 } else {
2104 // No more probes remaining! Failed to match
2105 nsock_iod_delete(nsi, NSOCK_PENDING_SILENT);
2106 end_svcprobe(nsp, (svc->softMatchFound)? PROBESTATE_FINISHED_SOFTMATCHED :
2107 PROBESTATE_FINISHED_NOMATCH,
2108 SG, svc, NULL);
2109 }
2110 }
2111 return;
2112 }
2113
2114 /* Sometimes the normal service scan will detect a
2115 tunneling/encryption protocol such as SSL. Instead of just
2116 reporting "ssl", we can make an SSL connection and try to determine
2117 the service that is really sitting behind the SSL. This function
2118 will take a service that has just been detected (hard match only),
2119 and see if we can dig deeper through tunneling. Nonzero is
2120 returned if we can do more. Otherwise 0 is returned and the caller
2121 should end the service with its successful match. If the tunnel
2122 results can be determined with no more effort, 0 is also returned.
2123 For example, a service that already matched as "ssl/ldap" will be
2124 changed to "ldap" with the tunnel being SSL and 0 will be returned.
2125 That is a special case.
2126 */
2127
scanThroughTunnel(nsock_pool nsp,nsock_iod nsi,ServiceGroup * SG,ServiceNFO * svc)2128 static int scanThroughTunnel(nsock_pool nsp, nsock_iod nsi, ServiceGroup *SG,
2129 ServiceNFO *svc) {
2130
2131 if (svc->probe_matched && strncmp(svc->probe_matched, "ssl/", 4) == 0) {
2132 /* The service has been detected without having to make an SSL connection */
2133 svc->tunnel = SERVICE_TUNNEL_SSL;
2134 svc->probe_matched += 4;
2135 return 0;
2136 }
2137
2138 #ifdef HAVE_OPENSSL
2139 if (svc->tunnel != SERVICE_TUNNEL_NONE) {
2140 // Another tunnel type has already been tried. Let's not go recursive.
2141 return 0;
2142 }
2143
2144 if (svc->proto != IPPROTO_TCP ||
2145 !svc->probe_matched || strcmp(svc->probe_matched, "ssl") != 0)
2146 return 0; // Not SSL
2147
2148 // Alright! We are going to start the tests over using SSL
2149 // printf("DBG: Found SSL service on %s:%hu - starting SSL scan\n", svc->target->NameIP(), svc->portno);
2150 svc->tunnel = SERVICE_TUNNEL_SSL;
2151 svc->probe_matched = NULL;
2152 svc->product_matched[0] = svc->version_matched[0] = svc->extrainfo_matched[0] = '\0';
2153 svc->hostname_matched[0] = svc->ostype_matched[0] = svc->devicetype_matched[0] = '\0';
2154 svc->cpe_a_matched[0] = svc->cpe_h_matched[0] = svc->cpe_o_matched[0] = '\0';
2155 svc->softMatchFound = false;
2156 svc->resetProbes(true);
2157 startNextProbe(nsp, nsi, SG, svc, true);
2158 return 1;
2159 #else
2160 return 0;
2161 #endif
2162 }
2163
2164 /* Prints completion estimates and the like when appropriate */
considerPrintingStats(nsock_pool nsp,ServiceGroup * SG)2165 static void considerPrintingStats(nsock_pool nsp, ServiceGroup *SG) {
2166 /* Check for status requests */
2167 if (keyWasPressed()) {
2168 nmap_adjust_loglevel(o.versionTrace());
2169 SG->SPM->printStats(SG->services_finished.size() /
2170 ((double)SG->services_remaining.size() + SG->services_in_progress.size() +
2171 SG->services_finished.size()), nsock_gettimeofday());
2172 }
2173
2174
2175 /* Perhaps this should be made more complex, but I suppose it should be
2176 good enough for now. */
2177 if (SG->SPM->mayBePrinted(nsock_gettimeofday())) {
2178 SG->SPM->printStatsIfNecessary(SG->services_finished.size() / ((double)SG->services_remaining.size() + SG->services_in_progress.size() + SG->services_finished.size()), nsock_gettimeofday());
2179 }
2180 }
2181
2182 /* Check if target is done (no more probes remaining for it in service group),
2183 and responds appropriately if so */
handleHostIfDone(ServiceGroup * SG,Target * target)2184 static void handleHostIfDone(ServiceGroup *SG, Target *target) {
2185 std::list<ServiceNFO *>::iterator svcI;
2186 bool found = false;
2187
2188 for(svcI = SG->services_in_progress.begin();
2189 svcI != SG->services_in_progress.end(); svcI++) {
2190 if ((*svcI)->target == target) {
2191 found = true;
2192 break;
2193 }
2194 }
2195
2196 for(svcI = SG->services_remaining.begin();
2197 !found && svcI != SG->services_remaining.end(); svcI++) {
2198 if ((*svcI)->target == target) {
2199 found = true;
2200 break;
2201 }
2202 }
2203
2204 if (!found) {
2205 target->stopTimeOutClock(nsock_gettimeofday());
2206 if (target->timedOut(NULL)) {
2207 SG->num_hosts_timedout++;
2208 }
2209 }
2210 }
2211
2212 // A simple helper function to cancel further work on a service and
2213 // set it to the given probe_state pass NULL for nsi if you don't want
2214 // it to be deleted (for example, if you already have done so).
end_svcprobe(nsock_pool nsp,enum serviceprobestate probe_state,ServiceGroup * SG,ServiceNFO * svc,nsock_iod nsi)2215 static void end_svcprobe(nsock_pool nsp, enum serviceprobestate probe_state, ServiceGroup *SG, ServiceNFO *svc, nsock_iod nsi) {
2216 std::list<ServiceNFO *>::iterator member;
2217 Target *target = svc->target;
2218
2219 svc->probe_state = svc->tcpwrap_possible ? PROBESTATE_FINISHED_TCPWRAPPED : probe_state;
2220 member = find(SG->services_in_progress.begin(), SG->services_in_progress.end(),
2221 svc);
2222 if (member != SG->services_in_progress.end()) {
2223 assert(*member == svc);
2224 SG->services_in_progress.erase(member);
2225 } else {
2226 /* A probe can finish from services_remaining if the host times out before the
2227 probe has even started */
2228 member = find(SG->services_remaining.begin(), SG->services_remaining.end(),
2229 svc);
2230 assert(member != SG->services_remaining.end());
2231 assert(*member == svc);
2232 SG->services_remaining.erase(member);
2233 }
2234
2235 SG->services_finished.push_back(svc);
2236
2237 considerPrintingStats(nsp, SG);
2238
2239 if (nsi)
2240 nsock_iod_delete(nsi, NSOCK_PENDING_SILENT);
2241
2242 handleHostIfDone(SG, target);
2243 return;
2244 }
2245
2246 // This function consults the ServiceGroup to determine whether any
2247 // more probes can be launched at this time. If so, it determines the
2248 // appropriate ones and then starts them up.
launchSomeServiceProbes(nsock_pool nsp,ServiceGroup * SG)2249 static int launchSomeServiceProbes(nsock_pool nsp, ServiceGroup *SG) {
2250 ServiceNFO *svc;
2251 ServiceProbe *nextprobe;
2252 struct sockaddr_storage ss;
2253 size_t ss_len;
2254 static int warn_no_scanning=1;
2255
2256 while (SG->services_in_progress.size() < SG->ideal_parallelism &&
2257 !SG->services_remaining.empty()) {
2258 // Start executing a probe from the new list and move it to in_progress
2259 svc = SG->services_remaining.front();
2260 if (svc->target->timedOut(nsock_gettimeofday())) {
2261 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, NULL);
2262 continue;
2263 }
2264 else if (!svc->target->timeOutClockRunning()) {
2265 svc->target->startTimeOutClock(nsock_gettimeofday());
2266 }
2267 nextprobe = svc->nextProbe(true);
2268
2269 if (nextprobe == NULL) {
2270 if (warn_no_scanning && o.debugging) {
2271 log_write(LOG_PLAIN, "Service scan: Not probing some ports due to low intensity\n");
2272 warn_no_scanning=0;
2273 }
2274 end_svcprobe(nsp, PROBESTATE_FINISHED_NOMATCH, SG, svc, NULL);
2275 continue;
2276 }
2277
2278 // We start by requesting a connection to the target
2279 if ((svc->niod = nsock_iod_new(nsp, svc)) == NULL) {
2280 fatal("Failed to allocate Nsock I/O descriptor in %s()", __func__);
2281 }
2282 if (o.debugging > 1) {
2283 log_write(LOG_PLAIN, "Starting probes against new service: %s:%hu (%s)\n", svc->target->targetipstr(), svc->portno, proto2ascii_lowercase(svc->proto));
2284 }
2285 if (o.spoofsource) {
2286 o.SourceSockAddr(&ss, &ss_len);
2287 nsock_iod_set_localaddr(svc->niod, &ss, ss_len);
2288 }
2289 if (o.ipoptionslen)
2290 nsock_iod_set_ipoptions(svc->niod, o.ipoptions, o.ipoptionslen);
2291 svc->target->TargetSockAddr(&ss, &ss_len);
2292 if (svc->proto == IPPROTO_TCP)
2293 nsock_connect_tcp(nsp, svc->niod, servicescan_connect_handler,
2294 DEFAULT_CONNECT_TIMEOUT, svc,
2295 (struct sockaddr *)&ss, ss_len,
2296 svc->portno);
2297 else {
2298 assert(svc->proto == IPPROTO_UDP);
2299 nsock_connect_udp(nsp, svc->niod, servicescan_connect_handler,
2300 svc, (struct sockaddr *) &ss, ss_len,
2301 svc->portno);
2302 }
2303 // Check that the service is still where we left it.
2304 // servicescan_connect_handler can call end_svcprobe before this point,
2305 // putting it into services_finished already.
2306 if (!SG->services_remaining.empty() && SG->services_remaining.front() == svc) {
2307 // Now remove it from the remaining service list
2308 SG->services_remaining.pop_front();
2309 // And add it to the in progress list
2310 SG->services_in_progress.push_back(svc);
2311 }
2312 }
2313 return 0;
2314 }
2315
2316
servicescan_connect_handler(nsock_pool nsp,nsock_event nse,void * mydata)2317 static void servicescan_connect_handler(nsock_pool nsp, nsock_event nse, void *mydata) {
2318 nsock_iod nsi = nse_iod(nse);
2319 enum nse_status status = nse_status(nse);
2320 enum nse_type type = nse_type(nse);
2321 ServiceNFO *svc = (ServiceNFO *) mydata;
2322 ServiceProbe *probe = svc->currentProbe();
2323 ServiceGroup *SG = (ServiceGroup *) nsock_pool_get_udata(nsp);
2324
2325 assert(type == NSE_TYPE_CONNECT || type == NSE_TYPE_CONNECT_SSL);
2326
2327 if (svc->target->timedOut(nsock_gettimeofday())) {
2328 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2329 } else if (status == NSE_STATUS_SUCCESS) {
2330
2331 #if HAVE_OPENSSL
2332 // Snag our SSL_SESSION from the nsi for use in subsequent connections.
2333 if (nsock_iod_check_ssl(nsi)) {
2334 if (svc->ssl_session) {
2335 if (svc->ssl_session == (SSL_SESSION *)(nsock_iod_get_ssl_session(nsi, 0))) {
2336 //nada
2337 } else {
2338 SSL_SESSION_free((SSL_SESSION*)svc->ssl_session);
2339 svc->ssl_session = (SSL_SESSION *)(nsock_iod_get_ssl_session(nsi, 1));
2340 }
2341 } else {
2342 svc->ssl_session = (SSL_SESSION *)(nsock_iod_get_ssl_session(nsi, 1));
2343 }
2344 }
2345 #endif
2346
2347 /* If the port is TCP, it is now known to be open rather than openfiltered */
2348 if (svc->proto == IPPROTO_TCP)
2349 adjustPortStateIfNecessary(svc);
2350
2351 // Yeah! Connection made to the port. Send the appropriate probe
2352 // text (if any is needed -- might be NULL probe)
2353 svc->currentprobe_exec_time = *nsock_gettimeofday();
2354 send_probe_text(nsp, nsi, svc, probe);
2355 // Now let us read any results
2356 nsock_read(nsp, nsi, servicescan_read_handler, svc->probe_timemsleft(probe, nsock_gettimeofday()), svc);
2357 } else {
2358 switch(status) {
2359 case NSE_STATUS_TIMEOUT:
2360 case NSE_STATUS_ERROR:
2361 case NSE_STATUS_PROXYERROR:
2362 // This is not good. The connect() really shouldn't generally
2363 // be timing out like that. We'll mark this svc as incomplete
2364 // and move it to the finished bin.
2365 if (o.debugging)
2366 error("Got nsock CONNECT response with status %s - aborting this service", nse_status2str(status));
2367 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2368 break;
2369
2370 case NSE_STATUS_KILL:
2371 /* User probably specified host_timeout and so the service scan is
2372 * shutting down */
2373 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2374 return;
2375
2376 default:
2377 fatal("Unexpected nsock status (%d) returned for connection attempt", (int)status);
2378 }
2379 }
2380 // We may have room for more probes!
2381 launchSomeServiceProbes(nsp, SG);
2382 return;
2383 }
2384
servicescan_write_handler(nsock_pool nsp,nsock_event nse,void * mydata)2385 static void servicescan_write_handler(nsock_pool nsp, nsock_event nse, void *mydata) {
2386 enum nse_status status = nse_status(nse);
2387 nsock_iod nsi;
2388 ServiceNFO *svc = (ServiceNFO *)mydata;
2389 ServiceGroup *SG;
2390 int err;
2391
2392 SG = (ServiceGroup *) nsock_pool_get_udata(nsp);
2393 nsi = nse_iod(nse);
2394
2395 // Check if a status message was requested
2396 if (keyWasPressed()) {
2397 SG->SPM->printStats(SG->services_finished.size() /
2398 ((double)SG->services_remaining.size() + SG->services_in_progress.size() +
2399 SG->services_finished.size()), nsock_gettimeofday());
2400 }
2401
2402
2403 if (svc->target->timedOut(nsock_gettimeofday())) {
2404 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2405 return;
2406 }
2407
2408 if (status == NSE_STATUS_SUCCESS)
2409 return;
2410
2411 if (status == NSE_STATUS_KILL) {
2412 /* User probably specified host_timeout and so the service scan is
2413 shutting down */
2414 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2415 return;
2416 }
2417
2418 if (status == NSE_STATUS_ERROR || status == NSE_STATUS_PROXYERROR) {
2419 err = nse_errorcode(nse);
2420 error("Got nsock WRITE error #%d (%s)", err, strerror(err));
2421 }
2422
2423 // Uh-oh. Some sort of write failure ... maybe the connection closed
2424 // on us unexpectedly?
2425 if (o.debugging)
2426 error("Got nsock WRITE response with status %s - aborting this service", nse_status2str(status));
2427 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2428
2429 // We may have room for more probes!
2430 launchSomeServiceProbes(nsp, SG);
2431
2432 return;
2433 }
2434
servicescan_read_handler(nsock_pool nsp,nsock_event nse,void * mydata)2435 static void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *mydata) {
2436 nsock_iod nsi = nse_iod(nse);
2437 enum nse_status status = nse_status(nse);
2438 enum nse_type type = nse_type(nse);
2439 ServiceNFO *svc = (ServiceNFO *) mydata;
2440 ServiceProbe *probe = svc->currentProbe();
2441 ServiceGroup *SG = (ServiceGroup *) nsock_pool_get_udata(nsp);
2442 const u8 *readstr;
2443 int readstrlen;
2444 const struct MatchDetails *MD;
2445 int fallbackDepth=0;
2446
2447 assert(type == NSE_TYPE_READ);
2448
2449 if (svc->target->timedOut(nsock_gettimeofday())) {
2450 svc->tcpwrap_possible = false;
2451 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2452 } else if (status == NSE_STATUS_SUCCESS) {
2453 // w00p, w00p, we read something back from the port.
2454 svc->tcpwrap_possible = false;
2455 readstr = (u8 *) nse_readbuf(nse, &readstrlen);
2456 adjustPortStateIfNecessary(svc); /* A response means PORT_OPENFILTERED is really PORT_OPEN */
2457 svc->appendtocurrentproberesponse(readstr, readstrlen);
2458 // now get the full version
2459 readstr = svc->getcurrentproberesponse(&readstrlen);
2460
2461 for (MD = NULL; probe->fallbacks[fallbackDepth] != NULL; fallbackDepth++) {
2462 MD = (probe->fallbacks[fallbackDepth])->testMatch(readstr, readstrlen);
2463 if (MD && MD->serviceName) break; // Found one!
2464 }
2465
2466 if (MD && MD->serviceName) {
2467 // WOO HOO!!!!!! MATCHED! But might be soft
2468 if (MD->isSoft && svc->probe_matched) {
2469 if (strcmp(svc->probe_matched, MD->serviceName) != 0)
2470 error("WARNING: Service %s:%hu had already soft-matched %s, but now soft-matched %s; ignoring second value", svc->target->targetipstr(), svc->portno, svc->probe_matched, MD->serviceName);
2471 // No error if its the same - that happens frequently. For
2472 // example, if we read more data for the same probe response
2473 // it will probably still match.
2474 } else {
2475 if (o.debugging > 1 || o.versionTrace()) {
2476 if (MD->product || MD->version || MD->info)
2477 log_write(LOG_PLAIN, "Service scan match (Probe %s matched with %s line %d): %s:%hu is %s%s. Version: |%s|%s|%s|\n",
2478 probe->getName(), (*probe->fallbacks[fallbackDepth]).getName(),
2479 MD->lineno,
2480 svc->target->targetipstr(), svc->portno, (svc->tunnel == SERVICE_TUNNEL_SSL)? "SSL/" : "",
2481 MD->serviceName, (MD->product)? MD->product : "", (MD->version)? MD->version : "",
2482 (MD->info)? MD->info : "");
2483 else
2484 log_write(LOG_PLAIN, "Service scan %s match (Probe %s matched with %s line %d): %s:%hu is %s%s\n",
2485 (MD->isSoft)? "soft" : "hard",
2486 probe->getName(), (*probe->fallbacks[fallbackDepth]).getName(),
2487 MD->lineno,
2488 svc->target->targetipstr(), svc->portno, (svc->tunnel == SERVICE_TUNNEL_SSL)? "SSL/" : "", MD->serviceName);
2489 }
2490 svc->probe_matched = MD->serviceName;
2491 if (MD->product)
2492 Strncpy(svc->product_matched, MD->product, sizeof(svc->product_matched));
2493 if (MD->version)
2494 Strncpy(svc->version_matched, MD->version, sizeof(svc->version_matched));
2495 if (MD->info)
2496 Strncpy(svc->extrainfo_matched, MD->info, sizeof(svc->extrainfo_matched));
2497 if (MD->hostname)
2498 Strncpy(svc->hostname_matched, MD->hostname, sizeof(svc->hostname_matched));
2499 if (MD->ostype)
2500 Strncpy(svc->ostype_matched, MD->ostype, sizeof(svc->ostype_matched));
2501 if (MD->devicetype)
2502 Strncpy(svc->devicetype_matched, MD->devicetype, sizeof(svc->devicetype_matched));
2503 if (MD->cpe_a)
2504 Strncpy(svc->cpe_a_matched, MD->cpe_a, sizeof(svc->cpe_a_matched));
2505 if (MD->cpe_h)
2506 Strncpy(svc->cpe_h_matched, MD->cpe_h, sizeof(svc->cpe_h_matched));
2507 if (MD->cpe_o)
2508 Strncpy(svc->cpe_o_matched, MD->cpe_o, sizeof(svc->cpe_o_matched));
2509 svc->softMatchFound = MD->isSoft;
2510 if (!svc->softMatchFound) {
2511 // We might be able to continue scan through a tunnel protocol
2512 // like SSL
2513 if (scanThroughTunnel(nsp, nsi, SG, svc) == 0)
2514 end_svcprobe(nsp, PROBESTATE_FINISHED_HARDMATCHED, SG, svc, nsi);
2515 }
2516 }
2517 }
2518
2519 if (!MD || !MD->serviceName || MD->isSoft) {
2520 // Didn't match... maybe reading more until timeout will help
2521 // TODO: For efficiency I should be able to test if enough data
2522 // has been received rather than always waiting for the reading
2523 // to timeout. For now I'll limit it to 4096 bytes just to
2524 // avoid reading megs from services like chargen. But better
2525 // approach is needed.
2526 if (svc->probe_timemsleft(probe) > 0 && readstrlen < 4096) {
2527 nsock_read(nsp, nsi, servicescan_read_handler, svc->probe_timemsleft(probe), svc);
2528 } else {
2529 // Failed -- lets go to the next probe.
2530 if (readstrlen > 0)
2531 svc->addToServiceFingerprint(probe->getName(), readstr, readstrlen);
2532 startNextProbe(nsp, nsi, SG, svc, false);
2533 }
2534 }
2535 } else if (status == NSE_STATUS_TIMEOUT) {
2536 // Failed to read enough to make a match in the given amount of time. So we
2537 // move on to the next probe. If this was a NULL probe, we can simply
2538 // send the new probe text immediately. Otherwise we make a new connection.
2539
2540 svc->tcpwrap_possible = false;
2541 readstr = svc->getcurrentproberesponse(&readstrlen);
2542 if (readstrlen > 0)
2543 svc->addToServiceFingerprint(svc->currentProbe()->getName(), readstr,
2544 readstrlen);
2545 startNextProbe(nsp, nsi, SG, svc, false);
2546
2547 } else if (status == NSE_STATUS_EOF) {
2548 // The jerk closed on us during read request!
2549 // If this was during the NULL probe, let's (for now) assume
2550 // the port is TCP wrapped. Otherwise, we'll treat it as a nomatch
2551 readstr = svc->getcurrentproberesponse(&readstrlen);
2552 if (readstrlen > 0) {
2553 svc->addToServiceFingerprint(svc->currentProbe()->getName(), readstr,
2554 readstrlen);
2555 svc->tcpwrap_possible = false;
2556 }
2557 if (svc->tcpwrap_possible && probe->isNullProbe() && readstrlen == 0 && svc->probe_timemsused(probe) < probe->tcpwrappedms) {
2558 // TODO: Perhaps should do further verification before making this assumption
2559 end_svcprobe(nsp, PROBESTATE_FINISHED_TCPWRAPPED, SG, svc, nsi);
2560 } else {
2561 // Perhaps this service didn't like the particular probe text.
2562 // We'll try the next one
2563 startNextProbe(nsp, nsi, SG, svc, true);
2564 }
2565 } else if (status == NSE_STATUS_ERROR) {
2566 // Errors might happen in some cases ... I'll worry about later
2567 int err = nse_errorcode(nse);
2568 switch(err) {
2569 case ECONNRESET:
2570 case ECONNREFUSED: // weird to get this on a connected socket (shrug) but
2571 // BSD sometimes gives it
2572 case ECONNABORTED:
2573 // Jerk hung up on us. Probably didn't like our probe. We treat it as with EOF above.
2574 if (svc->tcpwrap_possible && probe->isNullProbe() && svc->probe_timemsused(probe) < probe->tcpwrappedms) {
2575 // TODO: Perhaps should do further verification before making this assumption
2576 end_svcprobe(nsp, PROBESTATE_FINISHED_TCPWRAPPED, SG, svc, nsi);
2577 } else {
2578 // Perhaps this service didn't like the particular probe text. We'll try the
2579 // next one
2580 startNextProbe(nsp, nsi, SG, svc, true);
2581 }
2582 break;
2583 #ifdef EHOSTDOWN
2584 case EHOSTDOWN: // ICMP_HOST_UNKNOWN
2585 #endif
2586 #ifdef ENONET
2587 case ENONET: // ICMP_HOST_ISOLATED
2588 #endif
2589 /* EHOSTDOWN and ENONET can be the result of forged ICMP responses.
2590 * We should probably give up on this port.
2591 */
2592 case ENETUNREACH:
2593 case EHOSTUNREACH:
2594 // That is funny. The port scanner listed the port as open. Maybe it got unplugged, or firewalled us, or did
2595 // something else nasty during the scan. Shrug. I'll give up on this port
2596 svc->tcpwrap_possible = false;
2597 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2598 break;
2599 #ifdef ENOPROTOOPT
2600 case ENOPROTOOPT: // ICMP_PROT_UNREACH
2601 #endif
2602 case EMSGSIZE: // ICMP_FRAG_NEEDED
2603 case EOPNOTSUPP: // ICMP_SR_FAILED
2604 /* EPROTOOPT has been reported in the wild. EMSGSIZE and EOPNOTSUPP are theoretically
2605 * possible responses due to forged ICMP responses.
2606 * These seem packet-specific, not a result of the host shutting us out completely.
2607 * We'll try some other probes.
2608 */
2609 #ifndef WIN32
2610 case EPIPE:
2611 #endif
2612
2613 case ENETRESET:
2614 //This error (same as WSAENETRESET according to nbase_winunix) is Microsoft only error, where the connected host crashes and then resets during the communication
2615 //More information can be found at http://www.sockets.com/err_lst1.htm#WSAENETRESET.
2616 //I assume that we shouldn't bother doing anything beyond catching it, and then going on to the next probe.
2617
2618 #ifdef EPROTO
2619 case EPROTO:
2620 // EPROTO is suspected to be caused by an active IDS/IPS that forges ICMP
2621 // type-12 errors ("Parameter problem"). It's been seen in response to the
2622 // Sqlping probe.
2623 #endif
2624 case EIO:
2625 // Usually an SSL error of some sort (those are presently
2626 // hardcoded to EIO). I'll just try the next probe.
2627 startNextProbe(nsp, nsi, SG, svc, true);
2628 break;
2629 default:
2630 fatal("Unexpected error in NSE_TYPE_READ callback. Error code: %d (%s)", err,
2631 socket_strerror(err));
2632 }
2633 } else if (status == NSE_STATUS_KILL) {
2634 /* User probably specified host_timeout and so the service scan is
2635 shutting down */
2636 svc->tcpwrap_possible = false;
2637 end_svcprobe(nsp, PROBESTATE_INCOMPLETE, SG, svc, nsi);
2638 return;
2639 } else {
2640 fatal("Unexpected status (%d) in NSE_TYPE_READ callback.", (int) status);
2641 }
2642
2643 // We may have room for more probes!
2644 launchSomeServiceProbes(nsp, SG);
2645 return;
2646 }
2647
2648
2649 // This is used in processResults to determine whether a FP
2650 // should be printed based on type of match, version intensity, etc.
shouldWePrintFingerprint(ServiceNFO * svc)2651 static int shouldWePrintFingerprint(ServiceNFO *svc) {
2652 // Never print FP if hardmatched
2653 if (svc->probe_state == PROBESTATE_FINISHED_HARDMATCHED)
2654 return 0;
2655
2656 // If we were called with a version_intensity less than
2657 // the default, don't bother printing.
2658 if (o.version_intensity < 7) return 0;
2659
2660 return 1;
2661 }
2662
2663 // This is passed a completed ServiceGroup which contains the scanning results for every service.
2664 // The function iterates through each finished service and adds the results to Target structure for
2665 // Nmap to output later.
2666
processResults(ServiceGroup * SG)2667 static void processResults(ServiceGroup *SG) {
2668 std::list<ServiceNFO *>::iterator svc;
2669
2670 for(svc = SG->services_finished.begin(); svc != SG->services_finished.end(); svc++) {
2671 if ((*svc)->probe_state != PROBESTATE_FINISHED_NOMATCH) {
2672 std::vector<const char *> cpe;
2673
2674 if (*(*svc)->cpe_a_matched)
2675 cpe.push_back((*svc)->cpe_a_matched);
2676 if (*(*svc)->cpe_h_matched)
2677 cpe.push_back((*svc)->cpe_h_matched);
2678 if (*(*svc)->cpe_o_matched)
2679 cpe.push_back((*svc)->cpe_o_matched);
2680
2681 (*svc)->target->ports.setServiceProbeResults((*svc)->portno, (*svc)->proto,
2682 (*svc)->probe_state,
2683 (*svc)->probe_matched,
2684 (*svc)->tunnel,
2685 *(*svc)->product_matched? (*svc)->product_matched : NULL,
2686 *(*svc)->version_matched? (*svc)->version_matched : NULL,
2687 *(*svc)->extrainfo_matched? (*svc)->extrainfo_matched : NULL,
2688 *(*svc)->hostname_matched? (*svc)->hostname_matched : NULL,
2689 *(*svc)->ostype_matched? (*svc)->ostype_matched : NULL,
2690 *(*svc)->devicetype_matched? (*svc)->devicetype_matched : NULL,
2691 (cpe.size() > 0) ? &cpe : NULL,
2692 shouldWePrintFingerprint(*svc) ? (*svc)->getServiceFingerprint(NULL) : NULL);
2693 } else {
2694 (*svc)->target->ports.setServiceProbeResults((*svc)->portno, (*svc)->proto,
2695 (*svc)->probe_state, NULL,
2696 (*svc)->tunnel, NULL, NULL, NULL, NULL, NULL, NULL,
2697 NULL,
2698 (*svc)->getServiceFingerprint(NULL));
2699 }
2700 }
2701 }
2702
2703
2704 // We iterate through SG->services_remaining and remove any with port/protocol
2705 // pairs that are excluded. We use AP->isExcluded() to determine which ports
2706 // are excluded.
remove_excluded_ports(AllProbes * AP,ServiceGroup * SG)2707 static void remove_excluded_ports(AllProbes *AP, ServiceGroup *SG) {
2708 std::list<ServiceNFO *>::iterator i, nxt;
2709 ServiceNFO *svc;
2710
2711 for(i = SG->services_remaining.begin(); i != SG->services_remaining.end(); i=nxt) {
2712 nxt = i;
2713 nxt++;
2714
2715 svc = *i;
2716 if (AP->isExcluded(svc->portno, svc->proto)) {
2717
2718 if (o.debugging) log_write(LOG_PLAIN, "EXCLUDING %d/%s\n", svc->portno,
2719 IPPROTO2STR(svc->proto));
2720
2721 svc->target->ports.setServiceProbeResults(svc->portno, svc->proto,
2722 PROBESTATE_EXCLUDED, NULL,
2723 SERVICE_TUNNEL_NONE,
2724 "Excluded from version scan", NULL,
2725 NULL, NULL, NULL, NULL, NULL, NULL);
2726
2727 SG->services_remaining.erase(i);
2728 SG->services_finished.push_back(svc);
2729 }
2730 }
2731
2732 }
2733
2734
2735 /* Execute a service fingerprinting scan against all open ports of the
2736 Targets specified. */
service_scan(std::vector<Target * > & Targets)2737 int service_scan(std::vector<Target *> &Targets) {
2738 // int service_scan(Target *targets[], int num_targets)
2739 AllProbes *AP;
2740 ServiceGroup *SG;
2741 nsock_pool nsp;
2742 struct timeval now;
2743 int timeout;
2744 enum nsock_loopstatus looprc;
2745 struct timeval starttv;
2746
2747 if (Targets.size() == 0)
2748 return 1;
2749
2750 AP = AllProbes::service_scan_init();
2751
2752
2753 // Now I convert the targets into a new ServiceGroup
2754 SG = new ServiceGroup(Targets, AP);
2755
2756 if (o.override_excludeports) {
2757 if (o.debugging || o.verbose) log_write(LOG_PLAIN, "Overriding exclude ports option! Some undesirable ports may be version scanned!\n");
2758 } else {
2759 remove_excluded_ports(AP, SG);
2760 }
2761
2762 if (SG->services_remaining.size() == 0) {
2763 delete SG;
2764 return 1;
2765 }
2766
2767 gettimeofday(&starttv, NULL);
2768 if (o.verbose) {
2769 char targetstr[128];
2770 bool plural = (Targets.size() != 1);
2771 if (!plural) {
2772 (*(Targets.begin()))->NameIP(targetstr, sizeof(targetstr));
2773 } else Snprintf(targetstr, sizeof(targetstr), "%u hosts", (unsigned) Targets.size());
2774
2775 log_write(LOG_STDOUT, "Scanning %u %s on %s\n",
2776 (unsigned) SG->services_remaining.size(),
2777 (SG->services_remaining.size() == 1)? "service" : "services",
2778 targetstr);
2779 }
2780
2781 // Lets create a nsock pool for managing all the concurrent probes
2782 // Store the servicegroup in there for availability in callbacks
2783 if ((nsp = nsock_pool_new(SG)) == NULL) {
2784 fatal("%s() failed to create new nsock pool.", __func__);
2785 }
2786 nmap_set_nsock_logger();
2787 nmap_adjust_loglevel(o.versionTrace());
2788
2789 nsock_pool_set_device(nsp, o.device);
2790
2791 if (o.proxy_chain) {
2792 nsock_pool_set_proxychain(nsp, o.proxy_chain);
2793 }
2794
2795 #if HAVE_OPENSSL
2796 /* We don't care about connection security in version detection. */
2797 nsock_pool_ssl_init(nsp, NSOCK_SSL_MAX_SPEED);
2798 #endif
2799
2800 launchSomeServiceProbes(nsp, SG);
2801
2802 // How long do we have before timing out?
2803 gettimeofday(&now, NULL);
2804 timeout = -1;
2805
2806 // OK! Lets start our main loop!
2807 looprc = nsock_loop(nsp, timeout);
2808 if (looprc == NSOCK_LOOP_ERROR) {
2809 int err = nsock_pool_get_error(nsp);
2810 fatal("Unexpected nsock_loop error. Error code %d (%s)", err, socket_strerror(err));
2811 }
2812
2813 nsock_pool_delete(nsp);
2814
2815 if (o.verbose) {
2816 char additional_info[128];
2817 if (SG->num_hosts_timedout == 0)
2818 Snprintf(additional_info, sizeof(additional_info), "%u %s on %u %s",
2819 (unsigned) SG->services_finished.size(),
2820 (SG->services_finished.size() == 1)? "service" : "services",
2821 (unsigned) Targets.size(), (Targets.size() == 1)? "host" : "hosts");
2822 else Snprintf(additional_info, sizeof(additional_info), "%u %s timed out",
2823 SG->num_hosts_timedout,
2824 (SG->num_hosts_timedout == 1)? "host" : "hosts");
2825 SG->SPM->endTask(NULL, additional_info);
2826 }
2827
2828 // Yeah - done with the service scan. Now I go through the results
2829 // discovered, store the important info away, and free up everything
2830 // else.
2831 processResults(SG);
2832
2833 delete SG;
2834
2835 return 0;
2836 }
2837