1
2 /***************************************************************************
3 * scan_engine.cc -- Includes much of the "engine" functions for scanning, *
4 * such as ultra_scan. It also includes dependent functions such as those *
5 * for collecting SYN/connect scan responses. *
6 * *
7 ***********************IMPORTANT NMAP LICENSE TERMS************************
8 * *
9 * The Nmap Security Scanner is (C) 1996-2020 Insecure.Com LLC ("The Nmap *
10 * Project"). Nmap is also a registered trademark of the Nmap Project. *
11 * *
12 * This program is distributed under the terms of the Nmap Public Source *
13 * License (NPSL). The exact license text applying to a particular Nmap *
14 * release or source code control revision is contained in the LICENSE *
15 * file distributed with that version of Nmap or source code control *
16 * revision. More Nmap copyright/legal information is available from *
17 * https://nmap.org/book/man-legal.html, and further information on the *
18 * NPSL license itself can be found at https://nmap.org/npsl. This header *
19 * summarizes some key points from the Nmap license, but is no substitute *
20 * for the actual license text. *
21 * *
22 * Nmap is generally free for end users to download and use themselves, *
23 * including commercial use. It is available from https://nmap.org. *
24 * *
25 * The Nmap license generally prohibits companies from using and *
26 * redistributing Nmap in commercial products, but we sell a special Nmap *
27 * OEM Edition with a more permissive license and special features for *
28 * this purpose. See https://nmap.org/oem *
29 * *
30 * If you have received a written Nmap license agreement or contract *
31 * stating terms other than these (such as an Nmap OEM license), you may *
32 * choose to use and redistribute Nmap under those terms instead. *
33 * *
34 * The official Nmap Windows builds include the Npcap software *
35 * (https://npcap.org) for packet capture and transmission. It is under *
36 * separate license terms which forbid redistribution without special *
37 * permission. So the official Nmap Windows builds may not be *
38 * redistributed without special permission (such as an Nmap OEM *
39 * license). *
40 * *
41 * Source is provided to this software because we believe users have a *
42 * right to know exactly what a program is going to do before they run it. *
43 * This also allows you to audit the software for security holes. *
44 * *
45 * Source code also allows you to port Nmap to new platforms, fix bugs, *
46 * and add new features. You are highly encouraged to submit your *
47 * changes as a Github PR or by email to the dev@nmap.org mailing list *
48 * for possible incorporation into the main distribution. Unless you *
49 * specify otherwise, it is understood that you are offering us very *
50 * broad rights to use your submissions as described in the Nmap Public *
51 * Source License Contributor Agreement. This is important because we *
52 * fund the project by selling licenses with various terms, and also *
53 * because the inability to relicense code has caused devastating *
54 * problems for other Free Software projects (such as KDE and NASM). *
55 * *
56 * The free version of Nmap is distributed in the hope that it will be *
57 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of *
58 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties, *
59 * indemnification and commercial support are all available through the *
60 * Npcap OEM program--see https://nmap.org/oem. *
61 * *
62 ***************************************************************************/
63
64 /* $Id: scan_engine.cc 38078 2020-10-02 16:12:22Z dmiller $ */
65
66 #ifdef WIN32
67 #include "nmap_winconfig.h"
68 #endif
69 #include "portreasons.h"
70 #include <dnet.h>
71 #include "scan_engine.h"
72 #include "scan_engine_connect.h"
73 #include "scan_engine_raw.h"
74 #include "timing.h"
75 #include "tcpip.h"
76 #include "NmapOps.h"
77 #include "nmap_tty.h"
78 #include "payload.h"
79 #include "Target.h"
80 #include "targets.h"
81 #include "utils.h"
82 #include "nmap_error.h"
83 #include "output.h"
84
85 #include "struct_ip.h"
86
87 #ifndef IPPROTO_SCTP
88 #include "libnetutil/netutil.h"
89 #endif
90
91 #include <math.h>
92 #include <list>
93 #include <map>
94
95 extern NmapOps o;
96 #ifdef WIN32
97 /* from libdnet's intf-win32.c */
98 extern "C" int g_has_npcap_loopback;
99 #endif
100
101 /* How long extra to wait before retransmitting for rate-limit detection */
102 #define RLD_TIME_MS 1000
103
operator ()(const HostScanStats * lhs,const HostScanStats * rhs) const104 int HssPredicate::operator() (const HostScanStats *lhs, const HostScanStats *rhs) const {
105 const struct sockaddr_storage *lss, *rss;
106 lss = (lhs) ? lhs->target->TargetSockAddr() : ss;
107 rss = (rhs) ? rhs->target->TargetSockAddr() : ss;
108 return 0 > sockaddr_storage_cmp(lss, rss);
109 }
110 struct sockaddr_storage *HssPredicate::ss = NULL;
111
log_overall_rates(int logt)112 void UltraScanInfo::log_overall_rates(int logt) {
113 log_write(logt, "Overall sending rates: %.2f packets / s", send_rate_meter.getOverallPacketRate(&now));
114 if (send_rate_meter.getNumBytes() > 0)
115 log_write(logt, ", %.2f bytes / s", send_rate_meter.getOverallByteRate(&now));
116 log_write(logt, ".\n");
117 }
118
log_current_rates(int logt,bool update)119 void UltraScanInfo::log_current_rates(int logt, bool update) {
120 log_write(logt, "Current sending rates: %.2f packets / s", send_rate_meter.getCurrentPacketRate(&now, update));
121 if (send_rate_meter.getNumBytes() > 0)
122 log_write(logt, ", %.2f bytes / s", send_rate_meter.getCurrentByteRate(&now));
123 log_write(logt, ".\n");
124 }
125
init()126 void ultra_scan_performance_vars::init() {
127 scan_performance_vars::init();
128 ping_magnifier = 3;
129 pingtime = 1250000;
130 tryno_cap = o.getMaxRetransmissions();
131 }
132
pspectype2ascii(int type)133 const char *pspectype2ascii(int type) {
134 switch (type) {
135 case PS_NONE:
136 return "NONE";
137 case PS_TCP:
138 return "TCP";
139 case PS_UDP:
140 return "UDP";
141 case PS_SCTP:
142 return "SCTP";
143 case PS_PROTO:
144 return "IP Proto";
145 case PS_ICMP:
146 return "ICMP";
147 case PS_ARP:
148 return "ARP";
149 case PS_ICMPV6:
150 return "ICMPv6";
151 case PS_ND:
152 return "ND";
153 case PS_CONNECTTCP:
154 return "connect";
155 default:
156 fatal("%s: Unknown type: %d", __func__, type);
157 }
158 return ""; // Unreached
159 }
160
161 /* Initialize the ultra_timing_vals structure timing. The utt must be
162 TIMING_HOST or TIMING_GROUP. If you happen to have the current
163 time handy, pass it as now, otherwise pass NULL */
164 static void init_ultra_timing_vals(ultra_timing_vals *timing,
165 enum ultra_timing_type utt,
166 int num_hosts_in_group,
167 struct ultra_scan_performance_vars *perf,
168 struct timeval *now);
169
170 /* Take a buffer, buf, of size bufsz (64 bytes is sufficient) and
171 writes a short description of the probe (arg1) into buf. It also returns
172 buf. */
probespec2ascii(const probespec * pspec,char * buf,unsigned int bufsz)173 static char *probespec2ascii(const probespec *pspec, char *buf, unsigned int bufsz) {
174 char flagbuf[32];
175 char *f;
176 switch (pspec->type) {
177 case PS_TCP:
178 if (!pspec->pd.tcp.flags) {
179 Strncpy(flagbuf, "(none)", sizeof(flagbuf));
180 } else {
181 f = flagbuf;
182 if (pspec->pd.tcp.flags & TH_SYN)
183 *f++ = 'S';
184 if (pspec->pd.tcp.flags & TH_FIN)
185 *f++ = 'F';
186 if (pspec->pd.tcp.flags & TH_RST)
187 *f++ = 'R';
188 if (pspec->pd.tcp.flags & TH_PUSH)
189 *f++ = 'P';
190 if (pspec->pd.tcp.flags & TH_ACK)
191 *f++ = 'A';
192 if (pspec->pd.tcp.flags & TH_URG)
193 *f++ = 'U';
194 if (pspec->pd.tcp.flags & TH_ECE)
195 *f++ = 'E'; /* rfc 2481/3168 */
196 if (pspec->pd.tcp.flags & TH_CWR)
197 *f++ = 'C'; /* rfc 2481/3168 */
198 *f++ = '\0';
199 }
200 Snprintf(buf, bufsz, "tcp to port %hu; flags: %s", pspec->pd.tcp.dport, flagbuf);
201 break;
202 case PS_UDP:
203 Snprintf(buf, bufsz, "udp to port %hu", pspec->pd.udp.dport);
204 break;
205 case PS_SCTP:
206 switch (pspec->pd.sctp.chunktype) {
207 case SCTP_INIT:
208 Strncpy(flagbuf, "INIT", sizeof(flagbuf));
209 break;
210 case SCTP_COOKIE_ECHO:
211 Strncpy(flagbuf, "COOKIE-ECHO", sizeof(flagbuf));
212 break;
213 default:
214 Strncpy(flagbuf, "(unknown)", sizeof(flagbuf));
215 }
216 Snprintf(buf, bufsz, "sctp to port %hu; chunk: %s", pspec->pd.sctp.dport,
217 flagbuf);
218 break;
219 case PS_PROTO:
220 Snprintf(buf, bufsz, "protocol %u", (unsigned int) pspec->proto);
221 break;
222 case PS_ICMP:
223 Snprintf(buf, bufsz, "icmp type %d code %d",
224 pspec->pd.icmp.type, pspec->pd.icmp.code);
225 break;
226 case PS_ARP:
227 Snprintf(buf, bufsz, "ARP");
228 break;
229 case PS_ICMPV6:
230 Snprintf(buf, bufsz, "icmpv6 type %d code %d",
231 pspec->pd.icmpv6.type, pspec->pd.icmpv6.code);
232 break;
233 case PS_ND:
234 Snprintf(buf, bufsz, "ND");
235 break;
236 case PS_CONNECTTCP:
237 Snprintf(buf, bufsz, "connect to port %hu", pspec->pd.tcp.dport);
238 break;
239 default:
240 fatal("Unexpected %s type encountered", __func__);
241 break;
242 }
243 return buf;
244 }
245
UltraProbe()246 UltraProbe::UltraProbe() {
247 type = UP_UNSET;
248 tryno = 0;
249 timedout = false;
250 retransmitted = false;
251 pingseq = 0;
252 mypspec.type = PS_NONE;
253 memset(&sent, 0, sizeof(prevSent));
254 memset(&prevSent, 0, sizeof(prevSent));
255 }
256
~UltraProbe()257 UltraProbe::~UltraProbe() {
258 if (type == UP_CONNECT)
259 delete probes.CP;
260 }
261
GroupScanStats(UltraScanInfo * UltraSI)262 GroupScanStats::GroupScanStats(UltraScanInfo *UltraSI) {
263 memset(&latestip, 0, sizeof(latestip));
264 memset(&timeout, 0, sizeof(timeout));
265 USI = UltraSI;
266 init_ultra_timing_vals(&timing, TIMING_GROUP, USI->numIncompleteHosts(), &(USI->perf), &USI->now);
267 initialize_timeout_info(&to);
268 /* Default timout should be much lower for arp */
269 if (USI->ping_scan_arp)
270 to.timeout = MAX(o.minRttTimeout(), MIN(o.initialRttTimeout(), INITIAL_ARP_RTT_TIMEOUT)) * 1000;
271 num_probes_active = 0;
272 numtargets = USI->numIncompleteHosts(); // They are all incomplete at the beginning
273 numprobes = USI->numProbesPerHost();
274
275 if (USI->scantype == CONNECT_SCAN || USI->ptech.connecttcpscan)
276 CSI = new ConnectScanInfo;
277 else CSI = NULL;
278 probes_sent = probes_sent_at_last_wait = 0;
279 lastping_sent = lastrcvd = USI->now;
280 send_no_earlier_than = USI->now;
281 send_no_later_than = USI->now;
282 lastping_sent_numprobes = 0;
283 pinghost = NULL;
284 gettimeofday(&last_wait, NULL);
285 num_hosts_timedout = 0;
286 }
287
~GroupScanStats()288 GroupScanStats::~GroupScanStats() {
289 delete CSI;
290 }
291
292 /* Called whenever a probe is sent to any host. Should only be called by
293 HostScanStats::probeSent. */
probeSent(unsigned int nbytes)294 void GroupScanStats::probeSent(unsigned int nbytes) {
295 USI->send_rate_meter.update(nbytes, &USI->now);
296
297 /* Find a new scheduling interval for minimum- and maximum-rate sending.
298 Recall that these have effect only when --min-rate or --max-rate is
299 given. */
300
301 if (o.max_packet_send_rate != 0.0)
302 TIMEVAL_ADD(send_no_earlier_than, send_no_earlier_than,
303 (time_t) (1000000.0 / o.max_packet_send_rate));
304 /* Allow send_no_earlier_than to slip into the past. This allows the sending
305 scheduler to catch up and make up for delays in other parts of the scan
306 engine. If we were to update send_no_earlier_than to the present the
307 sending rate could be much less than the maximum requested, even if the
308 connection is capable of the maximum. */
309
310 if (o.min_packet_send_rate != 0.0) {
311 if (TIMEVAL_SUBTRACT(send_no_later_than, USI->now) > 0) {
312 /* The next scheduled send is in the future. That means there's slack time
313 during which the sending rate could drop. Pull the time back to the
314 present to prevent that. */
315 send_no_later_than = USI->now;
316 }
317 TIMEVAL_ADD(send_no_later_than, send_no_later_than,
318 (time_t) (1000000.0 / o.min_packet_send_rate));
319 }
320 }
321
322 /* Returns true if the GLOBAL system says that sending is OK.*/
sendOK(struct timeval * when)323 bool GroupScanStats::sendOK(struct timeval *when) {
324 int recentsends;
325
326 /* In case it's not okay to send, arbitrarily say to check back in one
327 second. */
328 if (when)
329 TIMEVAL_MSEC_ADD(*when, USI->now, 1000);
330
331 if ((USI->scantype == CONNECT_SCAN || USI->ptech.connecttcpscan)
332 && CSI->numSDs >= CSI->maxSocketsAllowed)
333 return false;
334
335 /* We need to stop sending if it has been a long time since
336 the last listen call, at least for systems such as Windows that
337 don't give us a proper pcap time. Also for connect scans, since
338 we don't get an exact response time with them either. */
339 recentsends = USI->gstats->probes_sent - USI->gstats->probes_sent_at_last_wait;
340 if (recentsends > 0 &&
341 (USI->scantype == CONNECT_SCAN || USI->ptech.connecttcpscan || !pcap_recv_timeval_valid())) {
342 int to_ms = (int) MAX(to.srtt * .75 / 1000, 50);
343 if (TIMEVAL_MSEC_SUBTRACT(USI->now, last_wait) > to_ms)
344 return false;
345 }
346
347 /* Enforce a maximum scanning rate, if necessary. If it's too early to send,
348 return false. If not, mark now as a good time to send and allow the
349 congestion control to override it. */
350 if (o.max_packet_send_rate != 0.0) {
351 if (TIMEVAL_SUBTRACT(send_no_earlier_than, USI->now) > 0) {
352 if (when)
353 *when = send_no_earlier_than;
354 return false;
355 } else {
356 if (when)
357 *when = USI->now;
358 }
359 }
360
361 /* Enforce a minimum scanning rate, if necessary. If we're ahead of schedule,
362 record the time of the next scheduled send and submit to congestion
363 control. If we're behind schedule, return true to indicate that we need to
364 send right now. */
365 if (o.min_packet_send_rate != 0.0) {
366 if (TIMEVAL_SUBTRACT(send_no_later_than, USI->now) > 0) {
367 if (when)
368 *when = send_no_later_than;
369 } else {
370 if (when)
371 *when = USI->now;
372 return true;
373 }
374 }
375
376 /* There are good arguments for limiting the number of probes sent
377 between waits even when we do get appropriate receive times. For
378 example, overflowing the pcap receive buffer with responses is no
379 fun. On one of my Linux boxes, it seems to hold about 113
380 responses when I scan localhost. And half of those are the @#$#
381 sends being received. I think I'll put a limit of 50 sends per
382 wait */
383 if (recentsends >= 50)
384 return false;
385
386 /* In case the user specifically asked for no group congestion control */
387 if (o.nogcc) {
388 if (when)
389 *when = USI->now;
390 return true;
391 }
392
393 /* When there is only one target left, let the host congestion
394 stuff deal with it. */
395 if (USI->numIncompleteHostsLessThan(2)) {
396 if (when)
397 *when = USI->now;
398 return true;
399 }
400
401 if (timing.cwnd >= num_probes_active + 0.5) {
402 if (when)
403 *when = USI->now;
404 return true;
405 }
406
407 return false;
408 }
409
410 /* Return true if pingprobe is an appropriate ping probe for the currently
411 running scan. Because ping probes persist between host discovery and port
412 scanning stages, it's possible to have a ping probe that is not relevant for
413 the scan type, or won't be caught by the pcap filters. Examples of
414 inappropriate ping probes are an ARP ping for a TCP scan, or a raw SYN ping
415 for a connect scan. */
pingprobe_is_appropriate(const UltraScanInfo * USI,const probespec * pingprobe)416 static bool pingprobe_is_appropriate(const UltraScanInfo *USI,
417 const probespec *pingprobe) {
418 switch (pingprobe->type) {
419 case(PS_NONE):
420 return true;
421 case(PS_CONNECTTCP):
422 return USI->scantype == CONNECT_SCAN || (USI->ping_scan && USI->ptech.connecttcpscan);
423 case(PS_TCP):
424 case(PS_UDP):
425 case(PS_SCTP):
426 return (USI->tcp_scan && USI->scantype != CONNECT_SCAN) ||
427 USI->udp_scan ||
428 USI->sctp_scan ||
429 (USI->ping_scan && (USI->ptech.rawtcpscan || USI->ptech.rawudpscan || USI->ptech.rawsctpscan));
430 case(PS_PROTO):
431 return USI->prot_scan || (USI->ping_scan && USI->ptech.rawprotoscan);
432 case(PS_ICMP):
433 return ((USI->ping_scan && !USI->ping_scan_arp ) || pingprobe->pd.icmp.type == 3);
434 case(PS_ARP):
435 return USI->ping_scan_arp;
436 case(PS_ND):
437 return USI->ping_scan_nd;
438 }
439 return false;
440 }
441
HostScanStats(Target * t,UltraScanInfo * UltraSI)442 HostScanStats::HostScanStats(Target *t, UltraScanInfo *UltraSI) {
443 target = t;
444 USI = UltraSI;
445 next_portidx = 0;
446 sent_arp = false;
447 next_ackportpingidx = 0;
448 next_synportpingidx = 0;
449 next_udpportpingidx = 0;
450 next_sctpportpingidx = 0;
451 next_protoportpingidx = 0;
452 sent_icmp_ping = false;
453 sent_icmp_mask = false;
454 sent_icmp_ts = false;
455 retry_capped_warned = false;
456 num_probes_active = 0;
457 num_probes_waiting_retransmit = 0;
458 lastping_sent = lastprobe_sent = lastrcvd = USI->now;
459 lastping_sent_numprobes = 0;
460 nxtpseq = 1;
461 max_successful_tryno = 0;
462 tryno_mayincrease = true;
463 ports_finished = 0;
464 numprobes_sent = 0;
465 memset(&completiontime, 0, sizeof(completiontime));
466 init_ultra_timing_vals(&timing, TIMING_HOST, 1, &(USI->perf), &USI->now);
467 bench_tryno = 0;
468 memset(&sdn, 0, sizeof(sdn));
469 sdn.last_boost = USI->now;
470 sdn.delayms = o.scan_delay;
471 rld.max_tryno_sent = 0;
472 rld.rld_waiting = false;
473 rld.rld_waittime = USI->now;
474 if (!pingprobe_is_appropriate(USI, &target->pingprobe)) {
475 if (o.debugging > 1)
476 log_write(LOG_STDOUT, "%s pingprobe type %s is inappropriate for this scan type; resetting.\n", target->targetipstr(), pspectype2ascii(target->pingprobe.type));
477 memset(&target->pingprobe, 0, sizeof(target->pingprobe));
478 target->pingprobe_state = PORT_UNKNOWN;
479 }
480 }
481
~HostScanStats()482 HostScanStats::~HostScanStats() {
483 std::list<UltraProbe *>::iterator probeI, next;
484
485 /* Move any hosts from the bench to probes_outstanding for easier deletion */
486 for (probeI = probes_outstanding.begin(); probeI != probes_outstanding.end();
487 probeI = next) {
488 next = probeI;
489 next++;
490 destroyOutstandingProbe(probeI);
491 }
492 }
493
494 /* Called whenever a probe is sent to this host. Takes care of updating scan
495 delay and rate limiting variables. */
probeSent(unsigned int nbytes)496 void HostScanStats::probeSent(unsigned int nbytes) {
497 lastprobe_sent = USI->now;
498
499 /* Update group variables. */
500 USI->gstats->probeSent(nbytes);
501 }
502
503 /* How long I am currently willing to wait for a probe response before
504 considering it timed out. Uses the host values from target if they
505 are available, otherwise from gstats. Results returned in
506 MICROseconds. */
probeTimeout()507 unsigned long HostScanStats::probeTimeout() {
508 if (target->to.srtt > 0) {
509 /* We have at least one timing value to use. Good enough, I suppose */
510 return target->to.timeout;
511 } else if (USI->gstats->to.srtt > 0) {
512 /* OK, we'll use this one instead */
513 return USI->gstats->to.timeout;
514 } else {
515 return target->to.timeout; /* It comes with a default */
516 }
517 }
518
519 /* How long I'll wait until completely giving up on a probe.
520 Timedout probes are often marked as such (and sometimes
521 considered a drop), but kept in the list just in case they come
522 really late. But after probeExpireTime(), I don't waste time
523 keeping them around. Give in MICROseconds. The expiry time can
524 depend on the type of probe. Pass NULL to get the default time. */
probeExpireTime(const UltraProbe * probe)525 unsigned long HostScanStats::probeExpireTime(const UltraProbe *probe) {
526 if (probe == NULL || probe->type == UltraProbe::UP_CONNECT)
527 /* timedout probes close socket -- late resp. impossible */
528 return probeTimeout();
529 else
530 /* Wait a bit longer after probeTimeout. */
531 return MIN(10000000, probeTimeout() * 10);
532 }
533
534 /* Returns OK if sending a new probe to this host is OK (to avoid
535 flooding). If when is non-NULL, fills it with the time that sending
536 will be OK assuming no pending probes are resolved by responses
537 (call it again if they do). when will become now if it returns
538 true. */
sendOK(struct timeval * when)539 bool HostScanStats::sendOK(struct timeval *when) {
540 struct ultra_timing_vals tmng;
541 std::list<UltraProbe *>::iterator probeI;
542 struct timeval probe_to, earliest_to, sendTime;
543 long tdiff;
544
545 if (target->timedOut(&USI->now) || completed()) {
546 if (when)
547 *when = USI->now;
548 return false;
549 }
550
551 /* If the group stats say we need to send a probe to enforce a minimum
552 scanning rate, then we need to step up and send a probe. */
553 if (o.min_packet_send_rate != 0.0) {
554 if (TIMEVAL_SUBTRACT(USI->gstats->send_no_later_than, USI->now) <= 0) {
555 if (when)
556 *when = USI->now;
557 return true;
558 }
559 }
560
561 if (rld.rld_waiting) {
562 if (TIMEVAL_AFTER(rld.rld_waittime, USI->now)) {
563 if (when)
564 *when = rld.rld_waittime;
565 return false;
566 } else {
567 if (when)
568 *when = USI->now;
569 return true;
570 }
571 }
572
573 if (sdn.delayms) {
574 if (TIMEVAL_MSEC_SUBTRACT(USI->now, lastprobe_sent) < (int) sdn.delayms) {
575 if (when) {
576 TIMEVAL_MSEC_ADD(*when, lastprobe_sent, sdn.delayms);
577 }
578 return false;
579 }
580 }
581
582 getTiming(&tmng);
583 if (tmng.cwnd >= num_probes_active + .5 &&
584 (freshPortsLeft() || num_probes_waiting_retransmit || !retry_stack.empty())) {
585 if (when)
586 *when = USI->now;
587 return true;
588 }
589
590 if (!when)
591 return false;
592
593 TIMEVAL_MSEC_ADD(earliest_to, USI->now, 10000);
594
595 // Any timeouts coming up?
596 for (probeI = probes_outstanding.begin(); probeI != probes_outstanding.end();
597 probeI++) {
598 if (!(*probeI)->timedout) {
599 TIMEVAL_MSEC_ADD(probe_to, (*probeI)->sent, probeTimeout() / 1000);
600 if (TIMEVAL_SUBTRACT(probe_to, earliest_to) < 0) {
601 earliest_to = probe_to;
602 }
603 }
604 }
605
606 // Will any scan delay affect this?
607 if (sdn.delayms) {
608 TIMEVAL_MSEC_ADD(sendTime, lastprobe_sent, sdn.delayms);
609 if (TIMEVAL_BEFORE(sendTime, USI->now))
610 sendTime = USI->now;
611 tdiff = TIMEVAL_MSEC_SUBTRACT(earliest_to, sendTime);
612
613 /* Timeouts previous to the sendTime requirement are pointless,
614 and those later than sendTime are not needed if we can send a
615 new packet at sendTime */
616 if (tdiff < 0) {
617 earliest_to = sendTime;
618 } else {
619 getTiming(&tmng);
620 if (tdiff > 0 && tmng.cwnd > num_probes_active + .5) {
621 earliest_to = sendTime;
622 }
623 }
624 }
625
626 *when = earliest_to;
627 return false;
628 }
629
630 /* If there are pending probe timeouts, fills in when with the time of
631 the earliest one and returns true. Otherwise returns false and
632 puts now in when. */
nextTimeout(struct timeval * when)633 bool HostScanStats::nextTimeout(struct timeval *when) {
634 struct timeval probe_to, earliest_to;
635 std::list<UltraProbe *>::iterator probeI;
636 bool firstgood = true;
637
638 assert(when);
639 memset(&probe_to, 0, sizeof(probe_to));
640 memset(&earliest_to, 0, sizeof(earliest_to));
641
642 for (probeI = probes_outstanding.begin(); probeI != probes_outstanding.end();
643 probeI++) {
644 if (!(*probeI)->timedout) {
645 TIMEVAL_ADD(probe_to, (*probeI)->sent, probeTimeout());
646 if (firstgood || TIMEVAL_SUBTRACT(probe_to, earliest_to) < 0) {
647 earliest_to = probe_to;
648 firstgood = false;
649 }
650 }
651 }
652
653 *when = (firstgood) ? USI->now : earliest_to;
654 return !firstgood;
655 }
656
657 /* gives the maximum try number (try numbers start at zero and
658 increments for each retransmission) that may be used, based on
659 the scan type, observed network reliability, timing mode, etc.
660 This may change during the scan based on network traffic. If
661 capped is not null, it will be filled with true if the tryno is
662 at its upper limit. That often calls for a warning to be issued,
663 and marking of remaining timedout ports firewalled or whatever is
664 appropriate. If mayincrease is non-NULL, it is set to whether
665 the allowedTryno may increase again. If it is false, any probes
666 which have reached the given limit may be dealt with. */
allowedTryno(bool * capped,bool * mayincrease)667 unsigned int HostScanStats::allowedTryno(bool *capped, bool *mayincrease) {
668 std::list<UltraProbe *>::iterator probeI;
669 UltraProbe *probe = NULL;
670 bool allfinished = true;
671 unsigned int maxval = 0;
672
673 /* TODO: This should perhaps differ by scan type. */
674 maxval = MAX(1, max_successful_tryno + 1);
675 if (maxval > USI->perf.tryno_cap) {
676 if (capped)
677 *capped = true;
678 maxval = USI->perf.tryno_cap;
679 tryno_mayincrease = false; /* It never exceeds the cap */
680 } else if (capped) *capped = false;
681
682 /* Decide if the tryno can possibly increase. */
683 if (tryno_mayincrease && num_probes_active == 0 && freshPortsLeft() == 0) {
684 /* If every outstanding probe is timedout and at maxval, then no further
685 retransmits are necessary. */
686 for (probeI = probes_outstanding.begin();
687 probeI != probes_outstanding.end(); probeI++) {
688 probe = *probeI;
689 assert(probe->timedout);
690 if (!probe->retransmitted && !probe->isPing() && probe->tryno < maxval) {
691 /* Needs at least one more retransmit. */
692 allfinished = false;
693 break;
694 }
695 }
696 if (allfinished)
697 tryno_mayincrease = false;
698 }
699
700 if (mayincrease)
701 *mayincrease = tryno_mayincrease;
702
703 return maxval;
704 }
705
706
UltraScanInfo()707 UltraScanInfo::UltraScanInfo() {
708 }
709
~UltraScanInfo()710 UltraScanInfo::~UltraScanInfo() {
711 std::multiset<HostScanStats *, HssPredicate>::iterator hostI;
712
713 for (hostI = incompleteHosts.begin(); hostI != incompleteHosts.end(); hostI++) {
714 delete *hostI;
715 }
716
717 for (hostI = completedHosts.begin(); hostI != completedHosts.end(); hostI++) {
718 delete *hostI;
719 }
720
721 incompleteHosts.clear();
722 completedHosts.clear();
723
724 delete gstats;
725 delete SPM;
726 if (rawsd >= 0) {
727 close(rawsd);
728 rawsd = -1;
729 }
730 if (pd) {
731 pcap_close(pd);
732 pd = NULL;
733 }
734 if (ethsd) {
735 ethsd = NULL; /* NO need to eth_close it due to caching */
736 }
737 }
738
739 /* Returns true if this scan is a "raw" scan. A raw scan is ont that requires a
740 raw socket or ethernet handle to send, or a pcap sniffer to receive.
741 Basically, any scan type except pure TCP connect scans are raw. */
isRawScan()742 bool UltraScanInfo::isRawScan() {
743 return scantype != CONNECT_SCAN
744 && (tcp_scan || udp_scan || sctp_scan || prot_scan || ping_scan_arp || ping_scan_nd
745 || (ping_scan && (ptech.rawicmpscan || ptech.rawtcpscan || ptech.rawudpscan
746 || ptech.rawsctpscan || ptech.rawprotoscan)));
747 }
748
749 /* A circular buffer of the incompleteHosts. nextIncompleteHost() gives
750 the next one. The first time it is called, it will give the
751 first host in the list. If incompleteHosts is empty, returns
752 NULL. */
nextIncompleteHost()753 HostScanStats *UltraScanInfo::nextIncompleteHost() {
754 HostScanStats *nxt;
755
756 if (incompleteHosts.empty())
757 return NULL;
758
759 nxt = *nextI;
760 nextI++;
761 if (nextI == incompleteHosts.end())
762 nextI = incompleteHosts.begin();
763
764 return nxt;
765 }
766
767 /* Return a number between 0.0 and 1.0 inclusive indicating how much of the scan
768 is done. */
getCompletionFraction()769 double UltraScanInfo::getCompletionFraction() {
770 std::multiset<HostScanStats *, HssPredicate>::iterator hostI;
771 double total;
772
773 /* Add 1 for each completed host. */
774 total = gstats->numtargets - numIncompleteHosts();
775 /* Get the completion fraction for each incomplete host. */
776 for (hostI = incompleteHosts.begin(); hostI != incompleteHosts.end(); hostI++) {
777 HostScanStats *host = *hostI;
778 int maxtries = host->allowedTryno(NULL, NULL) + 1;
779 double thishostpercdone;
780
781 // This is inexact (maxtries - 1) because numprobes_sent includes
782 // at least one try of ports_finished.
783 thishostpercdone = host->ports_finished * (maxtries - 1) + host->numprobes_sent;
784 thishostpercdone /= maxtries * gstats->numprobes;
785 if (thishostpercdone >= 0.9999)
786 thishostpercdone = 0.9999;
787 total += thishostpercdone;
788 }
789
790 return total / gstats->numtargets;
791 }
792
793 /* Initialize the state for ports that don't receive a response in all the
794 targets. */
set_default_port_state(std::vector<Target * > & targets,stype scantype)795 static void set_default_port_state(std::vector<Target *> &targets, stype scantype) {
796 std::vector<Target *>::iterator target;
797
798 for (target = targets.begin(); target != targets.end(); target++) {
799 switch (scantype) {
800 case SYN_SCAN:
801 case ACK_SCAN:
802 case WINDOW_SCAN:
803 case CONNECT_SCAN:
804 (*target)->ports.setDefaultPortState(IPPROTO_TCP, PORT_FILTERED);
805 break;
806 case SCTP_INIT_SCAN:
807 (*target)->ports.setDefaultPortState(IPPROTO_SCTP, PORT_FILTERED);
808 break;
809 case NULL_SCAN:
810 case FIN_SCAN:
811 case MAIMON_SCAN:
812 case XMAS_SCAN:
813 (*target)->ports.setDefaultPortState(IPPROTO_TCP, PORT_OPENFILTERED);
814 break;
815 case UDP_SCAN:
816 (*target)->ports.setDefaultPortState(IPPROTO_UDP,
817 o.defeat_icmp_ratelimit ? PORT_CLOSEDFILTERED : PORT_OPENFILTERED);
818 break;
819 case IPPROT_SCAN:
820 (*target)->ports.setDefaultPortState(IPPROTO_IP, PORT_OPENFILTERED);
821 break;
822 case SCTP_COOKIE_ECHO_SCAN:
823 (*target)->ports.setDefaultPortState(IPPROTO_SCTP, PORT_OPENFILTERED);
824 break;
825 case PING_SCAN:
826 case PING_SCAN_ARP:
827 case PING_SCAN_ND:
828 break;
829 default:
830 fatal("Unexpected scan type found in %s()", __func__);
831 }
832 }
833 }
834
835 /* Order of initializations in this function CAN BE IMPORTANT, so be careful
836 mucking with it. */
Init(std::vector<Target * > & Targets,struct scan_lists * pts,stype scantp)837 void UltraScanInfo::Init(std::vector<Target *> &Targets, struct scan_lists *pts, stype scantp) {
838 unsigned int targetno = 0;
839 HostScanStats *hss;
840 int num_timedout = 0;
841
842 gettimeofday(&now, NULL);
843
844 ports = pts;
845
846 seqmask = get_random_u32();
847 scantype = scantp;
848 SPM = new ScanProgressMeter(scantype2str(scantype));
849 send_rate_meter.start(&now);
850 tcp_scan = udp_scan = sctp_scan = prot_scan = false;
851 ping_scan = noresp_open_scan = ping_scan_arp = ping_scan_nd = false;
852 memset((char *) &ptech, 0, sizeof(ptech));
853 perf.init();
854 switch (scantype) {
855 case FIN_SCAN:
856 case XMAS_SCAN:
857 case MAIMON_SCAN:
858 case NULL_SCAN:
859 noresp_open_scan = true;
860 case ACK_SCAN:
861 case CONNECT_SCAN:
862 case SYN_SCAN:
863 case WINDOW_SCAN:
864 tcp_scan = true;
865 break;
866 case UDP_SCAN:
867 noresp_open_scan = true;
868 udp_scan = true;
869 break;
870 case SCTP_INIT_SCAN:
871 case SCTP_COOKIE_ECHO_SCAN:
872 sctp_scan = true;
873 break;
874 case IPPROT_SCAN:
875 noresp_open_scan = true;
876 prot_scan = true;
877 break;
878 case PING_SCAN:
879 ping_scan = true;
880 /* What kind of pings are we doing? */
881 if (o.pingtype & (PINGTYPE_ICMP_PING | PINGTYPE_ICMP_MASK | PINGTYPE_ICMP_TS))
882 ptech.rawicmpscan = 1;
883 if (o.pingtype & PINGTYPE_UDP)
884 ptech.rawudpscan = 1;
885 if (o.pingtype & PINGTYPE_SCTP_INIT)
886 ptech.rawsctpscan = 1;
887 if (o.pingtype & PINGTYPE_TCP) {
888 if (o.isr00t)
889 ptech.rawtcpscan = 1;
890 else
891 ptech.connecttcpscan = 1;
892 }
893 if (o.pingtype & PINGTYPE_PROTO)
894 ptech.rawprotoscan = 1;
895 if (o.pingtype & PINGTYPE_CONNECTTCP)
896 ptech.connecttcpscan = 1;
897 break;
898 case PING_SCAN_ARP:
899 ping_scan = true;
900 ping_scan_arp = true;
901 /* For ARP and ND scan, we send pings more frequently. Otherwise we can't
902 * notice drops until we start sending retransmits after RLD_TIME_MS. */
903 perf.pingtime = RLD_TIME_MS * 1000 / 4;
904 break;
905 case PING_SCAN_ND:
906 ping_scan = true;
907 ping_scan_nd = true;
908 perf.pingtime = RLD_TIME_MS * 1000 / 4;
909 break;
910 default:
911 break;
912 }
913
914 set_default_port_state(Targets, scantype);
915
916 /* Keep a completed host around for a standard TCP MSL (2 min) */
917 completedHostLifetime = 120000;
918 memset(&lastCompletedHostRemoval, 0, sizeof(lastCompletedHostRemoval));
919
920 for (targetno = 0; targetno < Targets.size(); targetno++) {
921 if (Targets[targetno]->timedOut(&now)) {
922 num_timedout++;
923 continue;
924 }
925
926 hss = new HostScanStats(Targets[targetno], this);
927 incompleteHosts.insert(hss);
928 }
929 numInitialTargets = Targets.size();
930 nextI = incompleteHosts.begin();
931
932 gstats = new GroupScanStats(this); /* Peeks at several elements in USI - careful of order */
933 gstats->num_hosts_timedout += num_timedout;
934
935 pd = NULL;
936 rawsd = -1;
937 ethsd = NULL;
938
939 /* See if we need an ethernet handle or raw socket. Basically, it's if we
940 aren't doing a TCP connect scan, or if we're doing a ping scan that
941 requires it. */
942 if (isRawScan()) {
943 if (ping_scan_arp || (ping_scan_nd && o.sendpref != PACKET_SEND_IP_STRONG) || ((o.sendpref & PACKET_SEND_ETH) &&
944 (Targets[0]->ifType() == devt_ethernet
945 #ifdef WIN32
946 || (g_has_npcap_loopback && Targets[0]->ifType() == devt_loopback)
947 #endif
948 ))) {
949 /* We'll send ethernet packets with dnet */
950 ethsd = eth_open_cached(Targets[0]->deviceName());
951 if (ethsd == NULL)
952 fatal("dnet: Failed to open device %s", Targets[0]->deviceName());
953 rawsd = -1;
954 } else {
955 #ifdef WIN32
956 win32_fatal_raw_sockets(Targets[0]->deviceName());
957 #endif
958 rawsd = nmap_raw_socket();
959 if (rawsd < 0)
960 pfatal("Couldn't open a raw socket. "
961 #if defined(sun) && defined(__SVR4)
962 "In Solaris shared-IP non-global zones, this requires the PRIV_NET_RAWACCESS privilege. "
963 #endif
964 "Error"
965 );
966 /* We do not want to unblock the socket since we want to wait
967 if kernel send buffers fill up rather than get ENOBUF, and
968 we won't be receiving on the socket anyway
969 unblock_socket(rawsd);*/
970 ethsd = NULL;
971 }
972 }
973 }
974
975 /* Return the total number of probes that may be sent to each host. This never
976 changes after initialization. */
numProbesPerHost()977 unsigned int UltraScanInfo::numProbesPerHost() {
978 unsigned int numprobes = 0;
979
980 if (tcp_scan) {
981 numprobes = ports->tcp_count;
982 } else if (udp_scan) {
983 numprobes = ports->udp_count;
984 } else if (sctp_scan) {
985 numprobes = ports->sctp_count;
986 } else if (prot_scan) {
987 numprobes = ports->prot_count;
988 } else if (ping_scan_arp) {
989 numprobes = 1;
990 } else if (ping_scan_nd) {
991 numprobes = 1;
992 } else if (ping_scan) {
993 numprobes = 0;
994 if (ptech.rawtcpscan) {
995 if (o.pingtype & PINGTYPE_TCP_USE_ACK)
996 numprobes += ports->ack_ping_count;
997 if (o.pingtype & PINGTYPE_TCP_USE_SYN)
998 numprobes += ports->syn_ping_count;
999 }
1000 if (ptech.rawudpscan)
1001 numprobes += ports->udp_ping_count;
1002 if (ptech.rawsctpscan)
1003 numprobes += ports->sctp_ping_count;
1004 if (ptech.rawicmpscan) {
1005 if (o.pingtype & PINGTYPE_ICMP_PING)
1006 numprobes++;
1007 if (o.pingtype & PINGTYPE_ICMP_MASK)
1008 numprobes++;
1009 if (o.pingtype & PINGTYPE_ICMP_TS)
1010 numprobes++;
1011 }
1012 if (ptech.rawprotoscan)
1013 numprobes += ports->proto_ping_count;
1014 if (ptech.connecttcpscan)
1015 numprobes += ports->syn_ping_count;
1016 } else assert(0);
1017
1018 return numprobes;
1019 }
1020
1021 /* Consults with the group stats, and the hstats for every
1022 incomplete hosts to determine whether any probes may be sent.
1023 Returns true if they can be sent immediately. If when is
1024 non-NULL, it is filled with the next possible time that probes
1025 can be sent, assuming no probe responses are received (call it
1026 again if they are). when will be now, if the function returns
1027 true */
sendOK(struct timeval * when)1028 bool UltraScanInfo::sendOK(struct timeval *when) {
1029 struct timeval lowhtime = {0};
1030 struct timeval tmptv;
1031 std::multiset<HostScanStats *, HssPredicate>::iterator host;
1032 bool ggood = false;
1033 bool thisHostGood = false;
1034 bool foundgood = false;
1035
1036 ggood = gstats->sendOK(when);
1037
1038 if (!ggood) {
1039 if (when) {
1040 lowhtime = *when;
1041 // Can't do anything until global is OK - means packet receipt
1042 // or probe timeout.
1043 for (host = incompleteHosts.begin(); host != incompleteHosts.end();
1044 host++) {
1045 if ((*host)->nextTimeout(&tmptv)) {
1046 if (TIMEVAL_SUBTRACT(tmptv, lowhtime) < 0)
1047 lowhtime = tmptv;
1048 }
1049 }
1050 *when = lowhtime;
1051 }
1052 } else {
1053 for (host = incompleteHosts.begin(); host != incompleteHosts.end(); host++) {
1054 thisHostGood = (*host)->sendOK(&tmptv);
1055 if (ggood && thisHostGood) {
1056 lowhtime = tmptv;
1057 foundgood = true;
1058 break;
1059 }
1060
1061 if (!foundgood || TIMEVAL_SUBTRACT(lowhtime, tmptv) > 0) {
1062 lowhtime = tmptv;
1063 foundgood = true;
1064 }
1065 }
1066
1067 assert(foundgood);
1068 }
1069
1070 /* Defer to the group stats if they need a shorter delay to enforce a minimum
1071 packet sending rate. */
1072 if (o.min_packet_send_rate != 0.0) {
1073 if (TIMEVAL_MSEC_SUBTRACT(gstats->send_no_later_than, lowhtime) < 0)
1074 lowhtime = gstats->send_no_later_than;
1075 }
1076
1077 if (TIMEVAL_MSEC_SUBTRACT(lowhtime, now) < 0)
1078 lowhtime = now;
1079
1080 if (when)
1081 *when = lowhtime;
1082
1083 return (TIMEVAL_MSEC_SUBTRACT(lowhtime, now) == 0);
1084 }
1085
1086 /* Find a HostScanStats by its IP address in the incomplete and completed lists.
1087 Returns NULL if none are found. */
findHost(struct sockaddr_storage * ss)1088 HostScanStats *UltraScanInfo::findHost(struct sockaddr_storage *ss) {
1089 std::multiset<HostScanStats *, HssPredicate>::iterator hss;
1090
1091 HssPredicate::ss = ss;
1092 HostScanStats *fakeHss = NULL;
1093
1094 hss = incompleteHosts.find(fakeHss);
1095 if (hss != incompleteHosts.end()) {
1096 if (o.debugging > 2)
1097 log_write(LOG_STDOUT, "Found %s in incomplete hosts list.\n", (*hss)->target->targetipstr());
1098 return *hss;
1099 }
1100
1101 hss = completedHosts.find(fakeHss);
1102 if (hss != completedHosts.end()) {
1103 if (o.debugging > 2)
1104 log_write(LOG_STDOUT, "Found %s in completed hosts list.\n", (*hss)->target->targetipstr());
1105 return *hss;
1106 }
1107
1108 return NULL;
1109 }
1110
1111 /* Check if incompleteHosts list contains less than n elements. This function
1112 is here to replace numIncompleteHosts() < n, which would have to walk
1113 through the entire list. */
numIncompleteHostsLessThan(unsigned int n)1114 bool UltraScanInfo::numIncompleteHostsLessThan(unsigned int n) {
1115 std::multiset<HostScanStats *, HssPredicate>::iterator hostI;
1116 unsigned int count;
1117
1118 count = 0;
1119 hostI = incompleteHosts.begin();
1120 while (count < n && hostI != incompleteHosts.end()) {
1121 hostI++;
1122 count++;
1123 }
1124
1125 return count < n;
1126 }
1127
1128 static bool pingprobe_is_better(const probespec *new_probe, int new_state,
1129 const probespec *old_probe, int old_state);
1130
1131 /* Removes any hosts that have completed their scans from the incompleteHosts
1132 list, and remove any hosts from completedHosts which have exceeded their
1133 lifetime. Returns the number of hosts removed. */
removeCompletedHosts()1134 int UltraScanInfo::removeCompletedHosts() {
1135 std::multiset<HostScanStats *, HssPredicate>::iterator hostI, nxt;
1136 HostScanStats *hss = NULL;
1137 int hostsRemoved = 0;
1138 bool timedout = false;
1139 struct timeval compare;
1140
1141 /* We don't want to run this all of the time */
1142 TIMEVAL_MSEC_ADD(compare, lastCompletedHostRemoval, completedHostLifetime / 2);
1143 if (TIMEVAL_AFTER(now, compare) ) {
1144 for (hostI = completedHosts.begin(); hostI != completedHosts.end(); hostI = nxt) {
1145 nxt = hostI;
1146 nxt++;
1147 hss = (*hostI);
1148
1149 /* Keep it if it's our port scan ping host */
1150 if (hss == gstats->pinghost)
1151 continue;
1152
1153 TIMEVAL_MSEC_ADD(compare, hss->completiontime, completedHostLifetime);
1154 if (TIMEVAL_AFTER(now, compare) ) {
1155 completedHosts.erase(hostI);
1156 hostsRemoved++;
1157 }
1158 }
1159 lastCompletedHostRemoval = now;
1160 }
1161
1162 for (hostI = incompleteHosts.begin(); hostI != incompleteHosts.end();
1163 hostI = nxt) {
1164 nxt = hostI;
1165 nxt++;
1166 hss = *hostI;
1167 timedout = hss->target->timedOut(&now);
1168 if (hss->completed() || timedout) {
1169 /* A host to remove! First adjust nextI appropriately */
1170 if (nextI == hostI && incompleteHosts.size() > 1) {
1171 nextI++;
1172 if (nextI == incompleteHosts.end())
1173 nextI = incompleteHosts.begin();
1174 }
1175 if (o.verbose && gstats->numprobes > 50) {
1176 int remain = incompleteHosts.size() - 1;
1177 if (remain && !timedout)
1178 log_write(LOG_STDOUT, "Completed %s against %s in %.2fs (%d %s)\n",
1179 scantype2str(scantype), hss->target->targetipstr(),
1180 TIMEVAL_MSEC_SUBTRACT(now, SPM->begin) / 1000.0, remain,
1181 (remain == 1) ? "host left" : "hosts left");
1182 else if (timedout)
1183 log_write(LOG_STDOUT, "%s timed out during %s (%d %s)\n",
1184 hss->target->targetipstr(), scantype2str(scantype), remain,
1185 (remain == 1) ? "host left" : "hosts left");
1186 }
1187 if (o.debugging > 2) {
1188 unsigned int num_outstanding_probes;
1189 num_outstanding_probes = hss->num_probes_outstanding();
1190 log_write(LOG_PLAIN, "Moving %s to completed hosts list with %d outstanding %s.\n",
1191 hss->target->targetipstr(), num_outstanding_probes,
1192 num_outstanding_probes == 1 ? "probe" : "probes");
1193 if (o.debugging > 3) {
1194 char tmpbuf[64];
1195 std::list<UltraProbe *>::iterator iter;
1196 for (iter = hss->probes_outstanding.begin(); iter != hss->probes_outstanding.end(); iter++)
1197 log_write(LOG_PLAIN, "* %s\n", probespec2ascii((probespec *) (*iter)->pspec(), tmpbuf, sizeof(tmpbuf)));
1198 }
1199 }
1200 hss->completiontime = now;
1201 completedHosts.insert(hss);
1202 incompleteHosts.erase(hostI);
1203 hostsRemoved++;
1204 /* Consider making this host the new global ping host during its
1205 retirement in the completed hosts list. */
1206 HostScanStats *pinghost = gstats->pinghost;
1207 if ((pinghost == NULL && hss->target->pingprobe.type != PS_NONE)
1208 || (pinghost != NULL && pinghost->num_probes_active == 0
1209 && !pingprobe_is_better(&pinghost->target->pingprobe, pinghost->target->pingprobe_state, &hss->target->pingprobe, hss->target->pingprobe_state))) {
1210 if (o.debugging > 1)
1211 log_write(LOG_PLAIN, "Changing global ping host to %s.\n", hss->target->targetipstr());
1212 gstats->pinghost = hss;
1213 }
1214 if (timedout)
1215 gstats->num_hosts_timedout++;
1216 /* We may have received an ARP response before we sent a probe, which
1217 * would mean the timeout clock is not running. Avoid an assertion
1218 * failure here by checking first. */
1219 if (hss->target->timeOutClockRunning()) {
1220 hss->target->stopTimeOutClock(&now);
1221 }
1222 }
1223 }
1224 return hostsRemoved;
1225 }
1226
1227 /* Determines an ideal number of hosts to be scanned (port scan, os
1228 scan, version detection, etc.) in parallel after the ping scan is
1229 completed. This is a balance between efficiency (more hosts in
1230 parallel often reduces scan time per host) and results latency (you
1231 need to wait for all hosts to finish before Nmap can spit out the
1232 results). Memory consumption usually also increases with the
1233 number of hosts scanned in parallel, though rarely to significant
1234 levels. */
determineScanGroupSize(int hosts_scanned_so_far,struct scan_lists * ports)1235 int determineScanGroupSize(int hosts_scanned_so_far,
1236 struct scan_lists *ports) {
1237 int groupsize = 16;
1238
1239 if (o.UDPScan())
1240 groupsize = 128;
1241 else if (o.SCTPScan())
1242 groupsize = 128;
1243 else if (o.TCPScan()) {
1244 groupsize = MAX(1024 / (ports->tcp_count ? ports->tcp_count : 1), 64);
1245 if (ports->tcp_count > 1000 && o.timing_level <= 4) {
1246 int quickgroupsz = 4;
1247 if (o.timing_level == 4)
1248 quickgroupsz = 8;
1249 if (hosts_scanned_so_far == 0)
1250 groupsize = quickgroupsz; // Give quick results for the very first batch
1251 else if (hosts_scanned_so_far == quickgroupsz &&
1252 groupsize > quickgroupsz * 2)
1253 /* account for initial quick-scan to keep us aligned
1254 on common network boundaries (e.g. /24) */
1255 groupsize -= quickgroupsz;
1256 }
1257 }
1258
1259 groupsize = box(o.minHostGroupSz(), o.maxHostGroupSz(), groupsize);
1260
1261 if (o.max_ips_to_scan && (o.max_ips_to_scan - hosts_scanned_so_far) < (unsigned int)groupsize)
1262 // don't scan more randomly generated hosts than was specified
1263 groupsize = o.max_ips_to_scan - hosts_scanned_so_far;
1264
1265 return groupsize;
1266 }
1267
1268 /* Initialize the ultra_timing_vals structure timing. The utt must be
1269 TIMING_HOST or TIMING_GROUP. If you happen to have the current
1270 time handy, pass it as now, otherwise pass NULL */
init_ultra_timing_vals(ultra_timing_vals * timing,enum ultra_timing_type utt,int num_hosts_in_group,struct ultra_scan_performance_vars * perf,struct timeval * now)1271 static void init_ultra_timing_vals(ultra_timing_vals *timing,
1272 enum ultra_timing_type utt,
1273 int num_hosts_in_group,
1274 struct ultra_scan_performance_vars *perf,
1275 struct timeval *now) {
1276 timing->cwnd = (utt == TIMING_HOST) ? perf->host_initial_cwnd : perf->group_initial_cwnd;
1277 timing->ssthresh = perf->initial_ssthresh; /* Will be reduced if any packets are dropped anyway */
1278 timing->num_replies_expected = 0;
1279 timing->num_replies_received = 0;
1280 timing->num_updates = 0;
1281 if (now)
1282 timing->last_drop = *now;
1283 else gettimeofday(&timing->last_drop, NULL);
1284 }
1285
1286 /* Returns the next probe to try against target. Supports many
1287 different types of probes (see probespec structure). Returns 0 and
1288 fills in pspec if there is a new probe, -1 if there are none
1289 left. */
get_next_target_probe(UltraScanInfo * USI,HostScanStats * hss,probespec * pspec)1290 static int get_next_target_probe(UltraScanInfo *USI, HostScanStats *hss,
1291 probespec *pspec) {
1292 assert(pspec);
1293
1294 if (USI->tcp_scan) {
1295 if (hss->next_portidx >= USI->ports->tcp_count)
1296 return -1;
1297 if (USI->scantype == CONNECT_SCAN)
1298 pspec->type = PS_CONNECTTCP;
1299 else
1300 pspec->type = PS_TCP;
1301 pspec->proto = IPPROTO_TCP;
1302
1303 pspec->pd.tcp.dport = USI->ports->tcp_ports[hss->next_portidx++];
1304 if (USI->scantype == CONNECT_SCAN)
1305 pspec->pd.tcp.flags = TH_SYN;
1306 else if (o.scanflags != -1)
1307 pspec->pd.tcp.flags = o.scanflags;
1308 else {
1309 switch (USI->scantype) {
1310 case SYN_SCAN:
1311 pspec->pd.tcp.flags = TH_SYN;
1312 break;
1313 case ACK_SCAN:
1314 pspec->pd.tcp.flags = TH_ACK;
1315 break;
1316 case XMAS_SCAN:
1317 pspec->pd.tcp.flags = TH_FIN | TH_URG | TH_PUSH;
1318 break;
1319 case NULL_SCAN:
1320 pspec->pd.tcp.flags = 0;
1321 break;
1322 case FIN_SCAN:
1323 pspec->pd.tcp.flags = TH_FIN;
1324 break;
1325 case MAIMON_SCAN:
1326 pspec->pd.tcp.flags = TH_FIN | TH_ACK;
1327 break;
1328 case WINDOW_SCAN:
1329 pspec->pd.tcp.flags = TH_ACK;
1330 break;
1331 default:
1332 assert(0);
1333 break;
1334 }
1335 }
1336 return 0;
1337 } else if (USI->udp_scan) {
1338 if (hss->next_portidx >= USI->ports->udp_count)
1339 return -1;
1340 pspec->type = PS_UDP;
1341 pspec->proto = IPPROTO_UDP;
1342 pspec->pd.udp.dport = USI->ports->udp_ports[hss->next_portidx++];
1343 return 0;
1344 } else if (USI->sctp_scan) {
1345 if (hss->next_portidx >= USI->ports->sctp_count)
1346 return -1;
1347 pspec->type = PS_SCTP;
1348 pspec->proto = IPPROTO_SCTP;
1349 pspec->pd.sctp.dport = USI->ports->sctp_ports[hss->next_portidx++];
1350 switch (USI->scantype) {
1351 case SCTP_INIT_SCAN:
1352 pspec->pd.sctp.chunktype = SCTP_INIT;
1353 break;
1354 case SCTP_COOKIE_ECHO_SCAN:
1355 pspec->pd.sctp.chunktype = SCTP_COOKIE_ECHO;
1356 break;
1357 default:
1358 assert(0);
1359 }
1360 return 0;
1361 } else if (USI->prot_scan) {
1362 if (hss->next_portidx >= USI->ports->prot_count)
1363 return -1;
1364 pspec->type = PS_PROTO;
1365 pspec->proto = USI->ports->prots[hss->next_portidx++];
1366 return 0;
1367 } else if (USI->ping_scan_arp) {
1368 if (hss->sent_arp)
1369 return -1;
1370 pspec->type = PS_ARP;
1371 hss->sent_arp = true;
1372 return 0;
1373 } else if (USI->ping_scan_nd) {
1374 if (hss->sent_arp)
1375 return -1;
1376 pspec->type = PS_ND;
1377 hss->sent_arp = true;
1378 return 0;
1379 } else if (USI->ping_scan) {
1380 /* This is ordered to try probes of higher effectiveness first:
1381 -PE -PS -PA -PP -PU
1382 -PA is slightly better than -PS when combined with -PE, but give -PS an
1383 edge because it is less likely to be dropped by firewalls. */
1384 if (USI->ptech.rawicmpscan) {
1385 if (hss->target->af() == AF_INET6) {
1386 pspec->type = PS_ICMPV6;
1387 pspec->proto = IPPROTO_ICMPV6;
1388 if ((o.pingtype & PINGTYPE_ICMP_PING) && !hss->sent_icmp_ping) {
1389 hss->sent_icmp_ping = true;
1390 pspec->pd.icmp.type = ICMPV6_ECHO;
1391 pspec->pd.icmp.code = 0;
1392 return 0;
1393 }
1394 }
1395 pspec->type = PS_ICMP;
1396 pspec->proto = IPPROTO_ICMP;
1397 if ((o.pingtype & PINGTYPE_ICMP_PING) && !hss->sent_icmp_ping) {
1398 hss->sent_icmp_ping = true;
1399 pspec->pd.icmp.type = ICMP_ECHO;
1400 pspec->pd.icmp.code = 0;
1401 return 0;
1402 }
1403 }
1404 if (USI->ptech.rawtcpscan) {
1405 pspec->type = PS_TCP;
1406 pspec->proto = IPPROTO_TCP;
1407 if ((o.pingtype & PINGTYPE_TCP_USE_SYN)
1408 && hss->next_synportpingidx < USI->ports->syn_ping_count) {
1409 pspec->pd.tcp.dport = USI->ports->syn_ping_ports[hss->next_synportpingidx++];
1410 pspec->pd.tcp.flags = TH_SYN;
1411 return 0;
1412 }
1413 if ((o.pingtype & PINGTYPE_TCP_USE_ACK)
1414 && hss->next_ackportpingidx < USI->ports->ack_ping_count) {
1415 pspec->pd.tcp.dport = USI->ports->ack_ping_ports[hss->next_ackportpingidx++];
1416 pspec->pd.tcp.flags = TH_ACK;
1417 return 0;
1418 }
1419 }
1420 if (USI->ptech.rawicmpscan) {
1421 pspec->type = PS_ICMP;
1422 pspec->proto = IPPROTO_ICMP;
1423 if ((o.pingtype & PINGTYPE_ICMP_TS) && !hss->sent_icmp_ts) {
1424 hss->sent_icmp_ts = true;
1425 pspec->pd.icmp.type = ICMP_TSTAMP;
1426 pspec->pd.icmp.code = 0;
1427 return 0;
1428 }
1429 }
1430 if (USI->ptech.rawudpscan && hss->next_udpportpingidx < USI->ports->udp_ping_count) {
1431 pspec->type = PS_UDP;
1432 pspec->proto = IPPROTO_UDP;
1433 pspec->pd.udp.dport = USI->ports->udp_ping_ports[hss->next_udpportpingidx++];
1434 return 0;
1435 }
1436 if (USI->ptech.rawsctpscan && hss->next_sctpportpingidx < USI->ports->sctp_ping_count) {
1437 pspec->type = PS_SCTP;
1438 pspec->proto = IPPROTO_SCTP;
1439 pspec->pd.sctp.dport = USI->ports->sctp_ping_ports[hss->next_sctpportpingidx++];
1440 pspec->pd.sctp.chunktype = SCTP_INIT;
1441 return 0;
1442 }
1443 if (USI->ptech.rawprotoscan && hss->next_protoportpingidx < USI->ports->proto_ping_count) {
1444 pspec->type = PS_PROTO;
1445 pspec->proto = USI->ports->proto_ping_ports[hss->next_protoportpingidx++];
1446 return 0;
1447 }
1448 if (USI->ptech.connecttcpscan && hss->next_synportpingidx < USI->ports->syn_ping_count) {
1449 pspec->type = PS_CONNECTTCP;
1450 pspec->proto = IPPROTO_TCP;
1451 pspec->pd.tcp.dport = USI->ports->syn_ping_ports[hss->next_synportpingidx++];
1452 pspec->pd.tcp.flags = TH_SYN;
1453 return 0;
1454 }
1455 if (USI->ptech.rawicmpscan) {
1456 pspec->type = PS_ICMP;
1457 pspec->proto = IPPROTO_ICMP;
1458 if ((o.pingtype & PINGTYPE_ICMP_MASK) && !hss->sent_icmp_mask) {
1459 hss->sent_icmp_mask = true;
1460 pspec->pd.icmp.type = ICMP_MASK;
1461 pspec->pd.icmp.code = 0;
1462 return 0;
1463 }
1464 }
1465 }
1466 assert(0); /* TODO: need to handle other protocols */
1467 return -1;
1468 }
1469
1470 /* Returns the number of ports remaining to probe */
freshPortsLeft()1471 int HostScanStats::freshPortsLeft() {
1472 if (USI->tcp_scan) {
1473 if (next_portidx >= USI->ports->tcp_count)
1474 return 0;
1475 return USI->ports->tcp_count - next_portidx;
1476 } else if (USI->udp_scan) {
1477 if (next_portidx >= USI->ports->udp_count)
1478 return 0;
1479 return USI->ports->udp_count - next_portidx;
1480 } else if (USI->sctp_scan) {
1481 if (next_portidx >= USI->ports->sctp_count)
1482 return 0;
1483 return USI->ports->sctp_count - next_portidx;
1484 } else if (USI->prot_scan) {
1485 if (next_portidx >= USI->ports->prot_count)
1486 return 0;
1487 return USI->ports->prot_count - next_portidx;
1488 } else if (USI->ping_scan_arp) {
1489 if (sent_arp)
1490 return 0;
1491 return 1;
1492 } else if (USI->ping_scan_nd) {
1493 if (sent_arp)
1494 return 0;
1495 return 1;
1496 } else if (USI->ping_scan) {
1497 unsigned int num_probes = 0;
1498 if (USI->ptech.rawtcpscan) {
1499 if ((o.pingtype & PINGTYPE_TCP_USE_ACK)
1500 && next_ackportpingidx < USI->ports->ack_ping_count)
1501 num_probes += USI->ports->ack_ping_count - next_ackportpingidx;
1502 if ((o.pingtype & PINGTYPE_TCP_USE_SYN)
1503 && next_synportpingidx < USI->ports->syn_ping_count)
1504 num_probes += USI->ports->syn_ping_count - next_synportpingidx;
1505 }
1506 if (USI->ptech.rawudpscan && next_udpportpingidx < USI->ports->udp_ping_count)
1507 num_probes += USI->ports->udp_ping_count - next_udpportpingidx;
1508 if (USI->ptech.rawsctpscan && next_sctpportpingidx < USI->ports->sctp_ping_count)
1509 num_probes += USI->ports->sctp_ping_count - next_sctpportpingidx;
1510 if (USI->ptech.rawicmpscan) {
1511 if ((o.pingtype & PINGTYPE_ICMP_PING) && !sent_icmp_ping)
1512 num_probes++;
1513 if ((o.pingtype & PINGTYPE_ICMP_MASK) && !sent_icmp_mask)
1514 num_probes++;
1515 if ((o.pingtype & PINGTYPE_ICMP_TS) && !sent_icmp_ts)
1516 num_probes++;
1517 }
1518 if (USI->ptech.rawprotoscan)
1519 num_probes += USI->ports->proto_ping_count - next_protoportpingidx;
1520 if (USI->ptech.connecttcpscan && next_synportpingidx < USI->ports->syn_ping_count)
1521 num_probes += USI->ports->syn_ping_count - next_synportpingidx;
1522 return num_probes;
1523 }
1524 assert(0);
1525 return 0;
1526 }
1527
1528 /* Removes a probe from probes_outstanding, adjusts HSS and USS
1529 active probe stats accordingly, then deletes the probe. */
destroyOutstandingProbe(std::list<UltraProbe * >::iterator probeI)1530 void HostScanStats::destroyOutstandingProbe(std::list<UltraProbe *>::iterator probeI) {
1531 UltraProbe *probe = *probeI;
1532 assert(!probes_outstanding.empty());
1533 if (!probe->timedout) {
1534 assert(num_probes_active > 0);
1535 num_probes_active--;
1536 assert(USI->gstats->num_probes_active > 0);
1537 USI->gstats->num_probes_active--;
1538 }
1539
1540 if (!probe->isPing() && probe->timedout && !probe->retransmitted) {
1541 assert(num_probes_waiting_retransmit > 0);
1542 num_probes_waiting_retransmit--;
1543 }
1544
1545 /* Remove it from scan watch lists, if it exists on them. */
1546 if (probe->type == UltraProbe::UP_CONNECT && probe->CP()->sd > 0)
1547 USI->gstats->CSI->clearSD(probe->CP()->sd);
1548
1549 probes_outstanding.erase(probeI);
1550 delete probe;
1551 }
1552
1553 /* Removes all probes from probes_outstanding using
1554 destroyOutstandingProbe. This is used in ping scan to quit waiting
1555 for responses once a host is known to be up. Invalidates iterators
1556 pointing into probes_outstanding. */
destroyAllOutstandingProbes()1557 void HostScanStats::destroyAllOutstandingProbes() {
1558 while (!probes_outstanding.empty())
1559 destroyOutstandingProbe(probes_outstanding.begin());
1560 }
1561
1562 /* Adjust host and group timeouts (struct timeout_info) based on a received
1563 packet. If rcvdtime is NULL, nothing is updated.
1564
1565 This function is called for every probe response received, in order to keep
1566 an accurate timeout estimate. ultrascan_adjust_timing, on the other hand, is
1567 not called when a response is not useful for adjusting other timing
1568 variables. */
ultrascan_adjust_timeouts(UltraScanInfo * USI,HostScanStats * hss,UltraProbe * probe,struct timeval * rcvdtime)1569 static void ultrascan_adjust_timeouts(UltraScanInfo *USI, HostScanStats *hss,
1570 UltraProbe *probe,
1571 struct timeval *rcvdtime) {
1572 if (rcvdtime == NULL)
1573 return;
1574
1575 adjust_timeouts2(&(probe->sent), rcvdtime, &(hss->target->to));
1576 adjust_timeouts2(&(probe->sent), rcvdtime, &(USI->gstats->to));
1577
1578 USI->gstats->lastrcvd = hss->lastrcvd = *rcvdtime;
1579 }
1580
1581 /* Adjust host and group congestion control variables (struct ultra_timing_vals)
1582 and host send delay (struct send_delay_nfo) based on a received packet. Use
1583 rcvdtime == NULL to indicate that you have given up on a probe and want to
1584 count this as a DROPPED PACKET. */
ultrascan_adjust_timing(UltraScanInfo * USI,HostScanStats * hss,UltraProbe * probe,struct timeval * rcvdtime)1585 static void ultrascan_adjust_timing(UltraScanInfo *USI, HostScanStats *hss,
1586 UltraProbe *probe,
1587 struct timeval *rcvdtime) {
1588 int ping_magnifier = (probe->isPing()) ? USI->perf.ping_magnifier : 1;
1589
1590 USI->gstats->timing.num_replies_expected++;
1591 USI->gstats->timing.num_updates++;
1592
1593 hss->timing.num_replies_expected++;
1594 hss->timing.num_updates++;
1595
1596 /* Notice a drop if
1597 1) We get a response to a retransmitted probe (meaning the first reply was
1598 dropped), or
1599 2) We got no response to a timing ping. */
1600 if ((probe->tryno > 0 && rcvdtime != NULL)
1601 || (probe->isPing() && rcvdtime == NULL)) {
1602 if (o.debugging > 1)
1603 log_write(LOG_PLAIN, "Ultrascan DROPPED %sprobe packet to %s detected\n", probe->isPing() ? "PING " : "", hss->target->targetipstr());
1604 // Drops often come in big batches, but we only want one decrease per batch.
1605 if (TIMEVAL_AFTER(probe->sent, hss->timing.last_drop))
1606 hss->timing.drop(hss->num_probes_active, &USI->perf, &USI->now);
1607 if (TIMEVAL_AFTER(probe->sent, USI->gstats->timing.last_drop))
1608 USI->gstats->timing.drop_group(USI->gstats->num_probes_active, &USI->perf, &USI->now);
1609 }
1610 /* If !probe->isPing() and rcvdtime == NULL, do nothing. */
1611
1612 /* Increase the window for a positive reply. This can overlap with case (1)
1613 above. */
1614 if (rcvdtime != NULL) {
1615 USI->gstats->timing.ack(&USI->perf, ping_magnifier);
1616 hss->timing.ack(&USI->perf, ping_magnifier);
1617 }
1618
1619 /* If packet drops are particularly bad, enforce a delay between
1620 packet sends (useful for cases such as UDP scan where responses
1621 are frequently rate limited by dest machines or firewalls) */
1622
1623 /* First we decide whether this packet counts as a drop for send
1624 delay calculation purposes. This statement means if (a ping since last boost failed, or the previous packet was both sent after the last boost and dropped) */
1625 if ((probe->isPing() && rcvdtime == NULL && TIMEVAL_AFTER(probe->sent, hss->sdn.last_boost)) ||
1626 (probe->tryno > 0 && rcvdtime != NULL && TIMEVAL_AFTER(probe->prevSent, hss->sdn.last_boost))) {
1627 hss->sdn.droppedRespSinceDelayChanged++;
1628 // printf("SDELAY: increasing drops to %d (good: %d; tryno: %d, sent: %.4fs; prevSent: %.4fs, last_boost: %.4fs\n", hss->sdn.droppedRespSinceDelayChanged, hss->sdn.goodRespSinceDelayChanged, probe->tryno, o.TimeSinceStartMS(&probe->sent) / 1000.0, o.TimeSinceStartMS(&probe->prevSent) / 1000.0, o.TimeSinceStartMS(&hss->sdn.last_boost) / 1000.0);
1629 } else if (rcvdtime) {
1630 hss->sdn.goodRespSinceDelayChanged++;
1631 // printf("SDELAY: increasing good to %d (bad: %d)\n", hss->sdn.goodRespSinceDelayChanged, hss->sdn.droppedRespSinceDelayChanged);
1632 }
1633
1634 /* Now change the send delay if necessary */
1635 unsigned int oldgood = hss->sdn.goodRespSinceDelayChanged;
1636 unsigned int oldbad = hss->sdn.droppedRespSinceDelayChanged;
1637 double threshold = (o.timing_level >= 4) ? 0.40 : 0.30;
1638 if (oldbad > 10 && (oldbad / ((double) oldbad + oldgood) > threshold)) {
1639 unsigned int olddelay = hss->sdn.delayms;
1640 hss->boostScanDelay();
1641 if (o.verbose && hss->sdn.delayms != olddelay)
1642 log_write(LOG_PLAIN, "Increasing send delay for %s from %d to %d due to %d out of %d dropped probes since last increase.\n",
1643 hss->target->targetipstr(), olddelay, hss->sdn.delayms, oldbad,
1644 oldbad + oldgood);
1645 }
1646 }
1647
1648 /* Mark an outstanding probe as timedout. Adjusts stats
1649 accordingly. For connect scans, this closes the socket. */
markProbeTimedout(std::list<UltraProbe * >::iterator probeI)1650 void HostScanStats::markProbeTimedout(std::list<UltraProbe *>::iterator probeI) {
1651 UltraProbe *probe = *probeI;
1652 assert(!probe->timedout);
1653 assert(!probe->retransmitted);
1654 probe->timedout = true;
1655 assert(num_probes_active > 0);
1656 num_probes_active--;
1657 assert(USI->gstats->num_probes_active > 0);
1658 USI->gstats->num_probes_active--;
1659 ultrascan_adjust_timing(USI, this, probe, NULL);
1660 if (!probe->isPing())
1661 /* I'll leave it in the queue in case some response ever does come */
1662 num_probes_waiting_retransmit++;
1663
1664 if (probe->type == UltraProbe::UP_CONNECT && probe->CP()->sd >= 0 ) {
1665 /* Free the socket as that is a valuable resource, though it is a shame
1666 late responses will not be permitted */
1667 USI->gstats->CSI->clearSD(probe->CP()->sd);
1668 close(probe->CP()->sd);
1669 probe->CP()->sd = -1;
1670 }
1671 }
1672
completed()1673 bool HostScanStats::completed() {
1674 /* If there are probes active or awaiting retransmission, we are not done. */
1675 if (num_probes_active != 0 || num_probes_waiting_retransmit != 0
1676 || !probe_bench.empty() || !retry_stack.empty()) {
1677 return false;
1678 }
1679
1680 /* With ping scan, we are done once we know the host is up or down. */
1681 if (USI->ping_scan && ((target->flags & HOST_UP)
1682 || (target->flags & HOST_DOWN) || target->weird_responses)) {
1683 return true;
1684 }
1685
1686 /* With other types of scan, we are done when there are no more ports to
1687 probe. */
1688 return freshPortsLeft() == 0;
1689 }
1690
1691 /* This function provides the proper cwnd and ssthresh to use. It may
1692 differ from versions in timing member var because when no responses
1693 have been received for this host, may look at others in the group.
1694 For CHANGING this host's timing, use the timing memberval
1695 instead. */
getTiming(struct ultra_timing_vals * tmng)1696 void HostScanStats::getTiming(struct ultra_timing_vals *tmng) {
1697 assert(tmng);
1698
1699 /* Use the per-host value if a pingport has been found or very few probes
1700 have been sent */
1701 if (target->pingprobe.type != PS_NONE || numprobes_sent < 80) {
1702 *tmng = timing;
1703 return;
1704 }
1705
1706 /* Otherwise, use the global cwnd stats if it has sufficient responses */
1707 if (USI->gstats->timing.num_updates > 1) {
1708 *tmng = USI->gstats->timing;
1709 return;
1710 }
1711
1712 /* Last resort is to use canned values */
1713 tmng->cwnd = USI->perf.host_initial_cwnd;
1714 tmng->ssthresh = USI->perf.initial_ssthresh;
1715 tmng->num_updates = 0;
1716 return;
1717 }
1718
1719 /* Define a score for a ping probe, for the purposes of deciding whether one
1720 probe should be preferred to another. The order, from most preferred to least
1721 preferred, is
1722 Raw TCP/SCTP (not filtered, not SYN/INIT to an open port)
1723 ICMP information queries (echo request, timestamp request, netmask req)
1724 ARP/ND
1725 Raw TCP/SCTP (SYN/INIT to an open port)
1726 UDP, IP protocol, or other ICMP (including filtered TCP/SCTP)
1727 TCP connect
1728 Anything else
1729 Raw TCP SYN / SCTP INIT to an open port is given a low preference because of the
1730 risk of SYN flooding (this is the only case where the port state is considered).
1731 The probe passed to this function is assumed to have received a positive
1732 response, that is, it should not have set a port state just by timing out. */
pingprobe_score(const probespec * pspec,int state)1733 static unsigned int pingprobe_score(const probespec *pspec, int state) {
1734 unsigned int score;
1735
1736 switch (pspec->type) {
1737 case PS_TCP:
1738 if (state == PORT_FILTERED) /* Received an ICMP error. */
1739 score = 2;
1740 else if (pspec->pd.tcp.flags == TH_SYN && (state == PORT_OPEN || state == PORT_UNKNOWN))
1741 score = 3;
1742 else if (pspec->pd.tcp.dport == 25 ||
1743 pspec->pd.tcp.dport == 113 ||
1744 pspec->pd.tcp.dport == 135 ||
1745 pspec->pd.tcp.dport == 139 ||
1746 pspec->pd.tcp.dport == 445)
1747 /* Frequently spoofed port numbers */
1748 score = 5;
1749 else
1750 score = 6;
1751 break;
1752 case PS_SCTP:
1753 if (state == PORT_FILTERED) /* Received an ICMP error. */
1754 score = 2;
1755 else if (state == PORT_OPEN || state == PORT_UNKNOWN)
1756 score = 3;
1757 else
1758 score = 6;
1759 break;
1760 case PS_ICMP:
1761 if (pspec->pd.icmp.type == ICMP_ECHO || pspec->pd.icmp.type == ICMP_MASK || pspec->pd.icmp.type == ICMP_TSTAMP)
1762 score = 5;
1763 else
1764 score = 2;
1765 break;
1766 case PS_ARP:
1767 case PS_ND:
1768 score = 4;
1769 break;
1770 case PS_UDP:
1771 case PS_PROTO:
1772 score = 2;
1773 break;
1774 case PS_CONNECTTCP:
1775 score = 1;
1776 break;
1777 case PS_NONE:
1778 default:
1779 score = 0;
1780 break;
1781 }
1782
1783 return score;
1784 }
1785
1786 /* Return true if new_probe and new_state define a better ping probe, as defined
1787 by pingprobe_score, than do old_probe and old_state. */
pingprobe_is_better(const probespec * new_probe,int new_state,const probespec * old_probe,int old_state)1788 static bool pingprobe_is_better(const probespec *new_probe, int new_state,
1789 const probespec *old_probe, int old_state) {
1790 return pingprobe_score(new_probe, new_state) > pingprobe_score(old_probe, old_state);
1791 }
1792
1793 static bool ultrascan_host_pspec_update(UltraScanInfo *USI, HostScanStats *hss,
1794 const probespec *pspec, int newstate);
1795
1796 /* Like ultrascan_port_probe_update(), except it is called with just a
1797 probespec rather than a whole UltraProbe. Returns true if the port
1798 was added or at least the state was changed. */
ultrascan_port_pspec_update(UltraScanInfo * USI,HostScanStats * hss,const probespec * pspec,int newstate)1799 static bool ultrascan_port_pspec_update(UltraScanInfo *USI,
1800 HostScanStats *hss,
1801 const probespec *pspec,
1802 int newstate) {
1803 u16 portno = 0;
1804 u8 proto = 0;
1805 int oldstate = PORT_TESTING;
1806 /* Whether no response means a port is open */
1807 bool noresp_open_scan = USI->noresp_open_scan;
1808
1809 if (USI->prot_scan) {
1810 proto = IPPROTO_IP;
1811 portno = pspec->proto;
1812 } else if (pspec->type == PS_TCP || pspec->type == PS_CONNECTTCP) {
1813 proto = IPPROTO_TCP;
1814 portno = pspec->pd.tcp.dport;
1815 } else if (pspec->type == PS_UDP) {
1816 proto = IPPROTO_UDP;
1817 portno = pspec->pd.udp.dport;
1818 } else if (pspec->type == PS_SCTP) {
1819 proto = IPPROTO_SCTP;
1820 portno = pspec->pd.sctp.dport;
1821 } else assert(0);
1822
1823 if (hss->target->ports.portIsDefault(portno, proto)) {
1824 oldstate = PORT_TESTING;
1825 hss->ports_finished++;
1826 } else {
1827 oldstate = hss->target->ports.getPortState(portno, proto);
1828 }
1829
1830 /* printf("TCP port %hu has changed from state %s to %s!\n", portno, statenum2str(oldstate), statenum2str(newstate)); */
1831 switch (oldstate) {
1832 /* TODO: I need more code here to determine when a state should
1833 be overridden, for example PORT_OPEN trumps PORT_FILTERED
1834 in a SYN scan, but not necessarily for UDP scan */
1835 case PORT_TESTING:
1836 /* Brand new port -- add it to the list */
1837 hss->target->ports.setPortState(portno, proto, newstate);
1838 break;
1839 case PORT_OPEN:
1840 if (newstate != PORT_OPEN) {
1841 if (noresp_open_scan) {
1842 hss->target->ports.setPortState(portno, proto, newstate);
1843 } /* Otherwise The old open takes precedence */
1844 }
1845 break;
1846 case PORT_CLOSED:
1847 if (newstate != PORT_CLOSED) {
1848 if (!noresp_open_scan && newstate != PORT_FILTERED)
1849 hss->target->ports.setPortState(portno, proto, newstate);
1850 }
1851 break;
1852 case PORT_FILTERED:
1853 if (newstate != PORT_FILTERED) {
1854 if (!noresp_open_scan || newstate != PORT_OPEN)
1855 hss->target->ports.setPortState(portno, proto, newstate);
1856 }
1857 break;
1858 case PORT_UNFILTERED:
1859 /* This could happen in an ACK scan if I receive a RST and then an
1860 ICMP filtered message. I'm gonna stick with unfiltered in that
1861 case. I'll change it if the new state is open or closed,
1862 though I don't expect that to ever happen */
1863 if (newstate == PORT_OPEN || newstate == PORT_CLOSED)
1864 hss->target->ports.setPortState(portno, proto, newstate);
1865 break;
1866 case PORT_OPENFILTERED:
1867 if (newstate != PORT_OPENFILTERED) {
1868 hss->target->ports.setPortState(portno, proto, newstate);
1869 }
1870 break;
1871 default:
1872 fatal("Unexpected port state: %d\n", oldstate);
1873 break;
1874 }
1875
1876 return oldstate != newstate;
1877 }
1878
1879 /* Boost the scan delay for this host, usually because too many packet
1880 drops were detected. */
boostScanDelay()1881 void HostScanStats::boostScanDelay() {
1882 unsigned int maxAllowed = USI->tcp_scan ? o.maxTCPScanDelay() :
1883 USI->udp_scan ? o.maxUDPScanDelay() :
1884 o.maxSCTPScanDelay();
1885 if (sdn.delayms == 0)
1886 sdn.delayms = (USI->udp_scan) ? 50 : 5; // In many cases, a pcap wait takes a minimum of 80ms, so this matters little :(
1887 else sdn.delayms = MIN(sdn.delayms * 2, MAX(sdn.delayms, 1000));
1888 sdn.delayms = MIN(sdn.delayms, maxAllowed);
1889 sdn.last_boost = USI->now;
1890 sdn.droppedRespSinceDelayChanged = 0;
1891 sdn.goodRespSinceDelayChanged = 0;
1892 }
1893
1894 /* Dismiss all probe attempts on bench -- hosts are marked down and ports will
1895 be set to whatever the default port state is for the scan. */
dismissBench()1896 void HostScanStats::dismissBench() {
1897 if (probe_bench.empty())
1898 return;
1899 while (!probe_bench.empty()) {
1900 if (USI->ping_scan)
1901 ultrascan_host_pspec_update(USI, this, &probe_bench.back(), HOST_DOWN);
1902 /* Nothing to do if !USI->ping_scan. ultrascan_port_pspec_update would
1903 allocate a Port object but we rely on the default port state to save
1904 memory. */
1905 probe_bench.pop_back();
1906 }
1907 bench_tryno = 0;
1908 }
1909
1910 /* Move all members of bench to retry_stack for probe retransmission */
retransmitBench()1911 void HostScanStats::retransmitBench() {
1912 if (probe_bench.empty())
1913 return;
1914
1915 /* Move all contents of probe_bench to the end of retry_stack, updating retry_stack_tries accordingly */
1916 retry_stack.insert(retry_stack.end(), probe_bench.begin(), probe_bench.end());
1917 retry_stack_tries.insert(retry_stack_tries.end(), probe_bench.size(),
1918 bench_tryno);
1919 assert(retry_stack.size() == retry_stack_tries.size());
1920 probe_bench.erase(probe_bench.begin(), probe_bench.end());
1921 bench_tryno = 0;
1922 }
1923
1924 /* Moves the given probe from the probes_outstanding list, to
1925 probe_bench, and decrements num_probes_waiting_retransmit
1926 accordingly */
moveProbeToBench(std::list<UltraProbe * >::iterator probeI)1927 void HostScanStats::moveProbeToBench(std::list<UltraProbe *>::iterator probeI) {
1928 UltraProbe *probe = *probeI;
1929 if (!probe_bench.empty())
1930 assert(bench_tryno == probe->tryno);
1931 else {
1932 bench_tryno = probe->tryno;
1933 probe_bench.reserve(128);
1934 }
1935 probe_bench.push_back(*probe->pspec());
1936 probes_outstanding.erase(probeI);
1937 num_probes_waiting_retransmit--;
1938 delete probe;
1939 }
1940
1941 /* Called when a ping response is discovered. If adjust_timing is false, timing
1942 stats are not updated. */
ultrascan_ping_update(UltraScanInfo * USI,HostScanStats * hss,std::list<UltraProbe * >::iterator probeI,struct timeval * rcvdtime,bool adjust_timing)1943 void ultrascan_ping_update(UltraScanInfo *USI, HostScanStats *hss,
1944 std::list<UltraProbe *>::iterator probeI,
1945 struct timeval *rcvdtime,
1946 bool adjust_timing) {
1947 ultrascan_adjust_timeouts(USI, hss, *probeI, rcvdtime);
1948 if (adjust_timing)
1949 ultrascan_adjust_timing(USI, hss, *probeI, rcvdtime);
1950 hss->destroyOutstandingProbe(probeI);
1951 }
1952
readhoststate(int state)1953 static const char *readhoststate(int state) {
1954 switch (state) {
1955 case HOST_UNKNOWN:
1956 return "UNKNOWN";
1957 case HOST_UP:
1958 return "HOST_UP";
1959 case HOST_DOWN:
1960 return "HOST_DOWN";
1961 default:
1962 return "COMBO";
1963 }
1964
1965 return NULL;
1966 }
1967
1968 /* Update state of the host in hss based on its current state and newstate.
1969 Returns true if the state was changed. */
ultrascan_host_pspec_update(UltraScanInfo * USI,HostScanStats * hss,const probespec * pspec,int newstate)1970 static bool ultrascan_host_pspec_update(UltraScanInfo *USI, HostScanStats *hss,
1971 const probespec *pspec, int newstate) {
1972 int oldstate = hss->target->flags;
1973 /* If the host is already up, ignore any further updates. */
1974 if (hss->target->flags != HOST_UP) {
1975 assert(newstate == HOST_UP || newstate == HOST_DOWN);
1976 hss->target->flags = newstate;
1977 /* For port scans (not -sn) where output may be delayed until more scan
1978 * phases are done, emit a hosthint element during host discovery when a
1979 * target is found to be up. */
1980 if (oldstate != newstate && newstate == HOST_UP &&
1981 !o.noportscan && USI->ping_scan) {
1982 write_xml_hosthint(hss->target);
1983 }
1984 }
1985 return hss->target->flags != oldstate;
1986 }
1987
ultrascan_host_timeout_init(UltraScanInfo * USI,HostScanStats * hss)1988 static void ultrascan_host_timeout_init(UltraScanInfo *USI, HostScanStats *hss) {
1989 if (!hss->target->timeOutClockRunning() && !hss->target->timedOut(NULL)) {
1990 if (o.debugging > 2) {
1991 log_write(LOG_STDOUT, "Ultrascan timeout init for %s at %.6f\n", hss->target->targetipstr(), TIMEVAL_SECS(USI->now));
1992 }
1993 hss->target->startTimeOutClock(&USI->now);
1994 }
1995 }
1996
1997 /* Called when a new status is determined for host in hss (eg. it is
1998 found to be up or down by a ping/ping_arp scan. The probe that led
1999 to this new decision is in probeI. This function needs to update
2000 timing information and other stats as appropriate. If
2001 adjust_timing_hint is false, packet stats are not updated. */
ultrascan_host_probe_update(UltraScanInfo * USI,HostScanStats * hss,std::list<UltraProbe * >::iterator probeI,int newstate,struct timeval * rcvdtime,bool adjust_timing_hint)2002 void ultrascan_host_probe_update(UltraScanInfo *USI, HostScanStats *hss,
2003 std::list<UltraProbe *>::iterator probeI,
2004 int newstate, struct timeval *rcvdtime,
2005 bool adjust_timing_hint) {
2006 UltraProbe *probe = *probeI;
2007
2008 if (o.debugging > 1) {
2009 struct timeval tv;
2010
2011 gettimeofday(&tv, NULL);
2012 log_write(LOG_STDOUT, "%s called for machine %s state %s -> %s (trynum %d time: %ld)\n", __func__, hss->target->targetipstr(), readhoststate(hss->target->flags), readhoststate(newstate), probe->tryno, (long) TIMEVAL_SUBTRACT(tv, probe->sent));
2013 }
2014
2015 ultrascan_host_pspec_update(USI, hss, probe->pspec(), newstate);
2016
2017 ultrascan_adjust_timeouts(USI, hss, probe, rcvdtime);
2018
2019 /* Decide whether to adjust timing. We and together a bunch of conditions.
2020 First, don't adjust timing if adjust_timing_hint is false. */
2021 bool adjust_timing = adjust_timing_hint;
2022 bool adjust_ping = adjust_timing_hint;
2023
2024 /* If we got a response that meant "down", then it was an ICMP error. These
2025 are often rate-limited (RFC 1812) or generated by a different host. We only
2026 allow such responses to increase, not decrease, scanning speed by
2027 disallowing drops (probe->tryno > 0), and we don't allow changing the ping
2028 probe to something that's likely to get dropped. */
2029 if (rcvdtime != NULL && newstate == HOST_DOWN) {
2030 if (probe->tryno > 0) {
2031 if (adjust_timing && o.debugging > 1)
2032 log_write(LOG_PLAIN, "Response for %s means new state is down; not adjusting timing.\n", hss->target->targetipstr());
2033 adjust_timing = false;
2034 }
2035 adjust_ping = false;
2036 }
2037
2038 if (adjust_timing)
2039 ultrascan_adjust_timing(USI, hss, probe, rcvdtime);
2040
2041 /* If this probe received a positive response, consider making it the new
2042 timing ping probe. */
2043 if (rcvdtime != NULL && adjust_ping
2044 && pingprobe_is_better(probe->pspec(), PORT_UNKNOWN, &hss->target->pingprobe, hss->target->pingprobe_state)) {
2045 if (o.debugging > 1) {
2046 char buf[64];
2047 probespec2ascii(probe->pspec(), buf, sizeof(buf));
2048 log_write(LOG_PLAIN, "Changing ping technique for %s to %s\n", hss->target->targetipstr(), buf);
2049 }
2050 hss->target->pingprobe = *probe->pspec();
2051 hss->target->pingprobe_state = PORT_UNKNOWN;
2052 }
2053
2054 hss->destroyOutstandingProbe(probeI);
2055 }
2056
2057 /* This function is called when a new status is determined for a port.
2058 the port in the probeI of host hss is now in newstate. This
2059 function needs to update timing information, other stats, and the
2060 Nmap port state table as appropriate. If rcvdtime is NULL or we got
2061 unimportant packet, packet stats are not updated. If you don't have an
2062 UltraProbe list iterator, you may need to call ultrascan_port_psec_update()
2063 instead. If adjust_timing_hint is false, packet stats are not
2064 updated. */
ultrascan_port_probe_update(UltraScanInfo * USI,HostScanStats * hss,std::list<UltraProbe * >::iterator probeI,int newstate,struct timeval * rcvdtime,bool adjust_timing_hint)2065 void ultrascan_port_probe_update(UltraScanInfo *USI, HostScanStats *hss,
2066 std::list<UltraProbe *>::iterator probeI,
2067 int newstate, struct timeval *rcvdtime,
2068 bool adjust_timing_hint) {
2069 UltraProbe *probe = *probeI;
2070 const probespec *pspec = probe->pspec();
2071
2072 ultrascan_port_pspec_update(USI, hss, pspec, newstate);
2073
2074 ultrascan_adjust_timeouts(USI, hss, probe, rcvdtime);
2075
2076 /* Decide whether to adjust timing. We and together a bunch of conditions.
2077 First, don't adjust timing if adjust_timing_hint is false. */
2078 bool adjust_timing = adjust_timing_hint;
2079 bool adjust_ping = adjust_timing_hint;
2080
2081 /* If we got a response that meant "filtered", then it was an ICMP error.
2082 These are often rate-limited (RFC 1812) or generated by a different host.
2083 We only allow such responses to increase, not decrease, scanning speed by
2084 not considering drops (probe->tryno > 0), and we don't allow changing the
2085 ping probe to something that's likely to get dropped. */
2086 if (rcvdtime != NULL && newstate == PORT_FILTERED && !USI->noresp_open_scan) {
2087 if (probe->tryno > 0) {
2088 if (adjust_timing && o.debugging > 1)
2089 log_write(LOG_PLAIN, "Response for %s means new state is filtered; not adjusting timing.\n", hss->target->targetipstr());
2090 adjust_timing = false;
2091 }
2092 adjust_ping = false;
2093 }
2094 /* Do not slow down if
2095 1) we are in --defeat-rst-ratelimit mode
2096 2) the new state is closed
2097 3) this is not a UDP scan (other scans where noresp_open_scan is true
2098 aren't possible with the --defeat-rst-ratelimit option)
2099 We don't care if it's closed because of a RST or a timeout
2100 because they both mean the same thing. */
2101 if (rcvdtime != NULL
2102 && o.defeat_rst_ratelimit && newstate == PORT_CLOSED
2103 && !USI->noresp_open_scan) {
2104 if (probe->tryno > 0)
2105 adjust_timing = false;
2106 adjust_ping = false;
2107 }
2108 /* Do not slow down if
2109 1) we are in --defeat-icmp-ratelimit mode
2110 2) the new state is closed or filtered
2111 3) this is a UDP scan
2112 We don't want to adjust timing when we get ICMP response, as the host might
2113 be ratelimiting them. E.g. the port is actually closed, but the host ratelimiting
2114 ICMP responses so we had to retransmit the probe several times in order to
2115 match the (slow) rate limit that the target is using for responses. We
2116 do not want to waste time on such ports.
2117 On the other hand if the port is detected to be open it is a good idea to
2118 adjust timing as we could have done retransmissions due to conjested network */
2119 if (rcvdtime != NULL
2120 && o.defeat_icmp_ratelimit
2121 && (newstate == PORT_CLOSED || newstate == PORT_FILTERED)
2122 && USI->udp_scan) {
2123 if (probe->tryno > 0)
2124 adjust_timing = false;
2125 adjust_ping = false;
2126 }
2127
2128 if (adjust_timing) {
2129 ultrascan_adjust_timing(USI, hss, probe, rcvdtime);
2130
2131 if (rcvdtime != NULL && probe->tryno > hss->max_successful_tryno) {
2132 /* We got a positive response to a higher tryno than we've seen so far. */
2133 hss->max_successful_tryno = probe->tryno;
2134 if (o.debugging)
2135 log_write(LOG_STDOUT, "Increased max_successful_tryno for %s to %d (packet drop)\n", hss->target->targetipstr(), hss->max_successful_tryno);
2136 if (hss->max_successful_tryno > ((o.timing_level >= 4) ? 4 : 3)) {
2137 unsigned int olddelay = hss->sdn.delayms;
2138 hss->boostScanDelay();
2139 if (o.verbose && hss->sdn.delayms != olddelay)
2140 log_write(LOG_STDOUT, "Increasing send delay for %s from %d to %d due to max_successful_tryno increase to %d\n",
2141 hss->target->targetipstr(), olddelay, hss->sdn.delayms,
2142 hss->max_successful_tryno);
2143 }
2144 }
2145 }
2146
2147 /* If this probe received a positive response, consider making it the new
2148 timing ping probe. */
2149 if (rcvdtime != NULL && adjust_ping
2150 && pingprobe_is_better(probe->pspec(), newstate, &hss->target->pingprobe, hss->target->pingprobe_state)) {
2151 if (o.debugging > 1) {
2152 char buf[64];
2153 probespec2ascii(probe->pspec(), buf, sizeof(buf));
2154 log_write(LOG_PLAIN, "Changing ping technique for %s to %s\n", hss->target->targetipstr(), buf);
2155 }
2156 hss->target->pingprobe = *probe->pspec();
2157 hss->target->pingprobe_state = newstate;
2158 }
2159
2160 hss->destroyOutstandingProbe(probeI);
2161 }
2162
sendNextScanProbe(UltraScanInfo * USI,HostScanStats * hss)2163 static void sendNextScanProbe(UltraScanInfo *USI, HostScanStats *hss) {
2164 probespec pspec;
2165
2166 if (get_next_target_probe(USI, hss, &pspec) == -1) {
2167 fatal("%s: No more probes! Error in Nmap.", __func__);
2168 }
2169 hss->numprobes_sent++;
2170 USI->gstats->probes_sent++;
2171 if (pspec.type == PS_ARP)
2172 sendArpScanProbe(USI, hss, 0, 0);
2173 else if (pspec.type == PS_ND)
2174 sendNDScanProbe(USI, hss, 0, 0);
2175 else if (pspec.type == PS_CONNECTTCP)
2176 sendConnectScanProbe(USI, hss, pspec.pd.tcp.dport, 0, 0);
2177 else if (pspec.type == PS_TCP || pspec.type == PS_UDP
2178 || pspec.type == PS_SCTP || pspec.type == PS_PROTO
2179 || pspec.type == PS_ICMP || pspec.type == PS_ICMPV6)
2180 sendIPScanProbe(USI, hss, &pspec, 0, 0);
2181 else
2182 assert(0);
2183 }
2184
sendNextRetryStackProbe(UltraScanInfo * USI,HostScanStats * hss)2185 static void sendNextRetryStackProbe(UltraScanInfo *USI, HostScanStats *hss) {
2186 assert(!hss->retry_stack.empty());
2187 probespec pspec;
2188 u8 pspec_tries;
2189 hss->numprobes_sent++;
2190 USI->gstats->probes_sent++;
2191
2192 pspec = hss->retry_stack.back();
2193 hss->retry_stack.pop_back();
2194 pspec_tries = hss->retry_stack_tries.back();
2195 hss->retry_stack_tries.pop_back();
2196
2197 if (pspec.type == PS_CONNECTTCP)
2198 sendConnectScanProbe(USI, hss, pspec.pd.tcp.dport, pspec_tries + 1, 0);
2199 else {
2200 assert(pspec.type != PS_ARP && pspec.type != PS_ND);
2201 sendIPScanProbe(USI, hss, &pspec, pspec_tries + 1, 0);
2202 }
2203 }
2204
doAnyNewProbes(UltraScanInfo * USI)2205 static void doAnyNewProbes(UltraScanInfo *USI) {
2206 HostScanStats *hss, *unableToSend;
2207
2208 gettimeofday(&USI->now, NULL);
2209
2210 /* Loop around the list of incomplete hosts and send a probe to each if
2211 appropriate. Stop once we've been all the way through the list without
2212 sending a probe. */
2213 unableToSend = NULL;
2214 hss = USI->nextIncompleteHost();
2215 while (hss != NULL && hss != unableToSend && USI->gstats->sendOK(NULL)) {
2216 if (hss->freshPortsLeft() && hss->sendOK(NULL)) {
2217 ultrascan_host_timeout_init(USI, hss);
2218 sendNextScanProbe(USI, hss);
2219 unableToSend = NULL;
2220 } else if (unableToSend == NULL) {
2221 /* Mark this as the first host we were not able to send to so we can break
2222 when we see it again. */
2223 unableToSend = hss;
2224 }
2225 hss = USI->nextIncompleteHost();
2226 }
2227 }
2228
doAnyRetryStackRetransmits(UltraScanInfo * USI)2229 static void doAnyRetryStackRetransmits(UltraScanInfo *USI) {
2230 HostScanStats *hss, *unableToSend;
2231
2232 gettimeofday(&USI->now, NULL);
2233
2234 /* Loop around the list of incomplete hosts and send a probe to each if
2235 appropriate. Stop once we've been all the way through the list without
2236 sending a probe. */
2237 unableToSend = NULL;
2238 hss = USI->nextIncompleteHost();
2239 while (hss != NULL && hss != unableToSend && USI->gstats->sendOK(NULL)) {
2240 if (!hss->retry_stack.empty() && hss->sendOK(NULL)) {
2241 sendNextRetryStackProbe(USI, hss);
2242 unableToSend = NULL;
2243 } else if (unableToSend == NULL) {
2244 /* Mark this as the first host we were not able to send to so we can break
2245 when we see it again. */
2246 unableToSend = hss;
2247 }
2248 hss = USI->nextIncompleteHost();
2249 }
2250 }
2251
2252 /* Sends a ping probe to the host. Assumes that caller has already
2253 checked that sending is OK w/congestion control and that pingprobe is
2254 available */
sendPingProbe(UltraScanInfo * USI,HostScanStats * hss)2255 static void sendPingProbe(UltraScanInfo *USI, HostScanStats *hss) {
2256 if (o.debugging > 1) {
2257 char tmpbuf[64];
2258 log_write(LOG_PLAIN, "Ultrascan PING SENT to %s [%s]\n", hss->target->targetipstr(),
2259 probespec2ascii(&hss->target->pingprobe, tmpbuf, sizeof(tmpbuf)));
2260 }
2261 if (hss->target->pingprobe.type == PS_CONNECTTCP) {
2262 sendConnectScanProbe(USI, hss, hss->target->pingprobe.pd.tcp.dport, 0,
2263 hss->nextPingSeq(true));
2264 } else if (hss->target->pingprobe.type == PS_TCP || hss->target->pingprobe.type == PS_UDP
2265 || hss->target->pingprobe.type == PS_SCTP || hss->target->pingprobe.type == PS_PROTO
2266 || hss->target->pingprobe.type == PS_ICMP) {
2267 sendIPScanProbe(USI, hss, &hss->target->pingprobe, 0, hss->nextPingSeq(true));
2268 } else if (hss->target->pingprobe.type == PS_ARP) {
2269 sendArpScanProbe(USI, hss, 0, hss->nextPingSeq(true));
2270 } else if (hss->target->pingprobe.type == PS_ND) {
2271 sendNDScanProbe(USI, hss, 0, hss->nextPingSeq(true));
2272 } else {
2273 assert(0);
2274 }
2275 USI->gstats->probes_sent++;
2276 }
2277
sendGlobalPingProbe(UltraScanInfo * USI)2278 static void sendGlobalPingProbe(UltraScanInfo *USI) {
2279 HostScanStats *hss;
2280
2281 hss = USI->gstats->pinghost;
2282 assert(hss != NULL);
2283
2284 if (o.debugging > 1) {
2285 char tmpbuf[64];
2286 log_write(LOG_PLAIN, "Ultrascan GLOBAL PING SENT to %s [%s]\n", hss->target->targetipstr(),
2287 probespec2ascii(&hss->target->pingprobe, tmpbuf, sizeof(tmpbuf)));
2288 }
2289 sendPingProbe(USI, hss);
2290 }
2291
doAnyPings(UltraScanInfo * USI)2292 static void doAnyPings(UltraScanInfo *USI) {
2293 std::multiset<HostScanStats *, HssPredicate>::iterator hostI;
2294 HostScanStats *hss = NULL;
2295
2296 gettimeofday(&USI->now, NULL);
2297 /* First single host pings */
2298 for (hostI = USI->incompleteHosts.begin();
2299 hostI != USI->incompleteHosts.end(); hostI++) {
2300 hss = *hostI;
2301 if (hss->target->pingprobe.type != PS_NONE &&
2302 hss->rld.rld_waiting == false &&
2303 hss->numprobes_sent >= hss->lastping_sent_numprobes + 10 &&
2304 TIMEVAL_SUBTRACT(USI->now, hss->lastrcvd) > USI->perf.pingtime &&
2305 TIMEVAL_SUBTRACT(USI->now, hss->lastping_sent) > USI->perf.pingtime &&
2306 USI->gstats->sendOK(NULL) && hss->sendOK(NULL)) {
2307 sendPingProbe(USI, hss);
2308 hss->lastping_sent = USI->now;
2309 hss->lastping_sent_numprobes = hss->numprobes_sent;
2310 }
2311 }
2312
2313 /* Next come global pings. We never send more than one of these at at time. */
2314 if (USI->gstats->pinghost != NULL &&
2315 USI->gstats->pinghost->target->pingprobe.type != PS_NONE &&
2316 USI->gstats->pinghost->num_probes_active == 0 &&
2317 USI->gstats->probes_sent >= USI->gstats->lastping_sent_numprobes + 20 &&
2318 TIMEVAL_SUBTRACT(USI->now, USI->gstats->lastrcvd) > USI->perf.pingtime &&
2319 TIMEVAL_SUBTRACT(USI->now, USI->gstats->lastping_sent) > USI->perf.pingtime &&
2320 USI->gstats->sendOK(NULL)) {
2321 sendGlobalPingProbe(USI);
2322 USI->gstats->lastping_sent = USI->now;
2323 USI->gstats->lastping_sent_numprobes = USI->gstats->probes_sent;
2324 }
2325 }
2326
2327 /* Retransmit one probe that has presumably been timed out. Only does
2328 retransmission, does not mark the probe timed out and such. */
retransmitProbe(UltraScanInfo * USI,HostScanStats * hss,UltraProbe * probe)2329 static void retransmitProbe(UltraScanInfo *USI, HostScanStats *hss,
2330 UltraProbe *probe) {
2331 UltraProbe *newProbe = NULL;
2332 if (probe->type == UltraProbe::UP_IP) {
2333 if (USI->prot_scan || USI->ptech.rawprotoscan)
2334 newProbe = sendIPScanProbe(USI, hss, probe->pspec(), probe->tryno + 1, 0);
2335 else if (probe->protocol() == IPPROTO_TCP) {
2336 newProbe = sendIPScanProbe(USI, hss, probe->pspec(), probe->tryno + 1, 0);
2337 } else if (probe->protocol() == IPPROTO_UDP) {
2338 newProbe = sendIPScanProbe(USI, hss, probe->pspec(), probe->tryno + 1, 0);
2339 } else if (probe->protocol() == IPPROTO_SCTP) {
2340 newProbe = sendIPScanProbe(USI, hss, probe->pspec(), probe->tryno + 1, 0);
2341 } else if (probe->protocol() == IPPROTO_ICMP || probe->protocol() == IPPROTO_ICMPV6) {
2342 newProbe = sendIPScanProbe(USI, hss, probe->pspec(), probe->tryno + 1, 0);
2343 } else {
2344 assert(0);
2345 }
2346 } else if (probe->type == UltraProbe::UP_CONNECT) {
2347 newProbe = sendConnectScanProbe(USI, hss, probe->pspec()->pd.tcp.dport, probe->tryno + 1, 0);
2348 } else if (probe->type == UltraProbe::UP_ARP) {
2349 newProbe = sendArpScanProbe(USI, hss, probe->tryno + 1, 0);
2350 } else if (probe->type == UltraProbe::UP_ND) {
2351 newProbe = sendNDScanProbe(USI, hss, probe->tryno + 1, 0);
2352 } else {
2353 /* TODO: Support any other probe types */
2354 fatal("%s: unsupported probe type %d", __func__, probe->type);
2355 }
2356 if (newProbe)
2357 newProbe->prevSent = probe->sent;
2358 probe->retransmitted = true;
2359 assert(hss->num_probes_waiting_retransmit > 0);
2360 hss->num_probes_waiting_retransmit--;
2361 hss->numprobes_sent++;
2362 USI->gstats->probes_sent++;
2363 }
2364
2365 /* Go through the ProbeQueue of each host, identify any
2366 timed out probes, then try to retransmit them as appropriate */
doAnyOutstandingRetransmits(UltraScanInfo * USI)2367 static void doAnyOutstandingRetransmits(UltraScanInfo *USI) {
2368 std::multiset<HostScanStats *, HssPredicate>::iterator hostI;
2369 std::list<UltraProbe *>::iterator probeI;
2370 /* A cache of the last processed probe from each host, to avoid re-examining a
2371 bunch of probes to find the next one that needs to be retransmitted. */
2372 std::map<HostScanStats *, std::list<UltraProbe *>::iterator> probe_cache;
2373 HostScanStats *host = NULL;
2374 UltraProbe *probe = NULL;
2375 int retrans = 0; /* Number of retransmissions during a loop */
2376 unsigned int maxtries;
2377
2378 struct timeval tv_start = {0};
2379
2380 gettimeofday(&USI->now, NULL);
2381
2382 if (o.debugging)
2383 tv_start = USI->now;
2384
2385 /* Loop until we get through all the hosts without a retransmit or we're not
2386 OK to send any more. */
2387 do {
2388 retrans = 0;
2389 for (hostI = USI->incompleteHosts.begin();
2390 hostI != USI->incompleteHosts.end() && USI->gstats->sendOK(NULL);
2391 hostI++) {
2392 host = *hostI;
2393 /* Skip this host if it has nothing to send. */
2394 if ((host->num_probes_active == 0
2395 && host->num_probes_waiting_retransmit == 0))
2396 continue;
2397 if (!host->sendOK(NULL))
2398 continue;
2399 assert(!host->probes_outstanding.empty());
2400
2401 /* Initialize the probe cache if necessary. */
2402 if (probe_cache.find(host) == probe_cache.end())
2403 probe_cache[host] = host->probes_outstanding.end();
2404 /* Restore the probe iterator from the cache. */
2405 probeI = probe_cache[host];
2406
2407 maxtries = host->allowedTryno(NULL, NULL);
2408 do {
2409 probeI--;
2410 probe = *probeI;
2411 if (probe->timedout && !probe->retransmitted &&
2412 maxtries > probe->tryno && !probe->isPing()) {
2413 /* For rate limit detection, we delay the first time a new tryno
2414 is seen, as long as we are scanning at least 2 ports */
2415 if (probe->tryno + 1 > (int) host->rld.max_tryno_sent &&
2416 (USI->gstats->numprobes > 1 || USI->ping_scan_arp || USI->ping_scan_nd)) {
2417 host->rld.max_tryno_sent = probe->tryno + 1;
2418 host->rld.rld_waiting = true;
2419 TIMEVAL_MSEC_ADD(host->rld.rld_waittime, USI->now, RLD_TIME_MS);
2420 } else {
2421 host->rld.rld_waiting = false;
2422 retransmitProbe(USI, host, probe);
2423 retrans++;
2424 }
2425 break; /* I only do one probe per host for now to spread load */
2426 }
2427 } while (probeI != host->probes_outstanding.begin());
2428
2429 /* Wrap the probe iterator around. */
2430 if (probeI == host->probes_outstanding.begin())
2431 probeI = host->probes_outstanding.end();
2432 /* Cache the probe iterator. */
2433 probe_cache[host] = probeI;
2434 }
2435 } while (USI->gstats->sendOK(NULL) && retrans != 0);
2436
2437 gettimeofday(&USI->now, NULL);
2438 if (o.debugging) {
2439 long tv_diff = TIMEVAL_MSEC_SUBTRACT(USI->now, tv_start);
2440 if (tv_diff > 30)
2441 log_write(LOG_PLAIN, "%s took %lims\n", __func__, tv_diff);
2442 }
2443 }
2444
2445 /* Print occasional remaining time estimates, as well as
2446 debugging information */
printAnyStats(UltraScanInfo * USI)2447 static void printAnyStats(UltraScanInfo *USI) {
2448 std::multiset<HostScanStats *, HssPredicate>::iterator hostI;
2449 HostScanStats *hss;
2450 struct ultra_timing_vals hosttm;
2451
2452 /* Print debugging states for each host being scanned */
2453 if (o.debugging > 2) {
2454 log_write(LOG_PLAIN, "**TIMING STATS** (%.4fs): IP, probes active/freshportsleft/retry_stack/outstanding/retranwait/onbench, cwnd/ssthresh/delay, timeout/srtt/rttvar/\n", o.TimeSinceStart());
2455 log_write(LOG_PLAIN, " Groupstats (%d/%d incomplete): %d/*/*/*/*/* %.2f/%d/* %d/%d/%d\n",
2456 USI->numIncompleteHosts(), USI->numInitialHosts(),
2457 USI->gstats->num_probes_active, USI->gstats->timing.cwnd,
2458 USI->gstats->timing.ssthresh, USI->gstats->to.timeout,
2459 USI->gstats->to.srtt, USI->gstats->to.rttvar);
2460
2461 if (o.debugging > 3) {
2462 for (hostI = USI->incompleteHosts.begin();
2463 hostI != USI->incompleteHosts.end(); hostI++) {
2464 hss = *hostI;
2465 hss->getTiming(&hosttm);
2466 log_write(LOG_PLAIN, " %s: %d/%d/%d/%d/%d/%d %.2f/%d/%d %li/%d/%d\n", hss->target->targetipstr(),
2467 hss->num_probes_active, hss->freshPortsLeft(),
2468 (int) hss->retry_stack.size(),
2469 hss->num_probes_outstanding(),
2470 hss->num_probes_waiting_retransmit, (int) hss->probe_bench.size(),
2471 hosttm.cwnd, hosttm.ssthresh, hss->sdn.delayms,
2472 hss->probeTimeout(), hss->target->to.srtt,
2473 hss->target->to.rttvar);
2474 }
2475 }
2476
2477 USI->log_current_rates(LOG_PLAIN);
2478 USI->log_overall_rates(LOG_PLAIN);
2479 }
2480
2481 if (USI->SPM->mayBePrinted(&USI->now))
2482 USI->SPM->printStatsIfNecessary(USI->getCompletionFraction(), &USI->now);
2483 }
2484
waitForResponses(UltraScanInfo * USI)2485 static void waitForResponses(UltraScanInfo *USI) {
2486 struct timeval stime;
2487 bool gotone;
2488 gettimeofday(&USI->now, NULL);
2489 USI->gstats->last_wait = USI->now;
2490 USI->gstats->probes_sent_at_last_wait = USI->gstats->probes_sent;
2491
2492 do {
2493 gotone = false;
2494 USI->sendOK(&stime);
2495 if (USI->ping_scan_arp) {
2496 gotone = get_arp_result(USI, &stime);
2497 } else if (USI->ping_scan_nd) {
2498 gotone = get_ns_result(USI, &stime);
2499 } else if (USI->ping_scan) {
2500 if (USI->pd)
2501 gotone = get_ping_pcap_result(USI, &stime);
2502 if (!gotone && USI->ptech.connecttcpscan)
2503 gotone = do_one_select_round(USI, &stime);
2504 } else if (USI->pd) {
2505 gotone = get_pcap_result(USI, &stime);
2506 } else if (USI->scantype == CONNECT_SCAN) {
2507 gotone = do_one_select_round(USI, &stime);
2508 } else assert(0);
2509 } while (gotone && USI->gstats->num_probes_active > 0);
2510
2511 gettimeofday(&USI->now, NULL);
2512 USI->gstats->last_wait = USI->now;
2513 }
2514
2515 /* Go through the data structures, making appropriate changes (such as expiring
2516 probes, noting when hosts are complete, etc. */
processData(UltraScanInfo * USI)2517 static void processData(UltraScanInfo *USI) {
2518 std::multiset<HostScanStats *, HssPredicate>::iterator hostI;
2519 std::list<UltraProbe *>::iterator probeI, nextProbeI;
2520 HostScanStats *host = NULL;
2521 UltraProbe *probe = NULL;
2522 unsigned int maxtries = 0;
2523 int expire_us = 0;
2524
2525 bool tryno_capped = false, tryno_mayincrease = false;
2526 struct timeval tv_start = {0};
2527
2528 gettimeofday(&USI->now, NULL);
2529
2530 if (o.debugging)
2531 tv_start = USI->now;
2532
2533 /* First go through hosts and remove any completed ones from incompleteHosts */
2534 USI->removeCompletedHosts();
2535 if (USI->incompleteHostsEmpty())
2536 return;
2537
2538 /* Run through probe lists to:
2539 1) Mark timedout entries as such
2540 2) Remove long-expired and retransmitted entries
2541 3) Detect if we are done (we may just have a bunch of probes
2542 sitting around waiting to see if another round of
2543 retransmissions will be required).
2544 */
2545 for (hostI = USI->incompleteHosts.begin();
2546 hostI != USI->incompleteHosts.end(); hostI++) {
2547 host = *hostI;
2548 /* Look for timedout or long expired entries */
2549 maxtries = host->allowedTryno(&tryno_capped, &tryno_mayincrease);
2550
2551 /* Should we dump everyone off the bench? */
2552 if (!host->probe_bench.empty()) {
2553 if (maxtries == host->bench_tryno && !tryno_mayincrease) {
2554 /* We'll never need to retransmit these suckers! So they can
2555 be treated as done */
2556 host->dismissBench();
2557 } else if (maxtries > host->bench_tryno) {
2558 // These fellows may be retransmitted now that maxtries has increased
2559 host->retransmitBench();
2560 }
2561 }
2562
2563 for (probeI = host->probes_outstanding.begin();
2564 probeI != host->probes_outstanding.end(); probeI = nextProbeI) {
2565 nextProbeI = probeI;
2566 nextProbeI++;
2567 probe = *probeI;
2568
2569 // give up completely after this long
2570 expire_us = host->probeExpireTime(probe);
2571
2572 if (!probe->timedout && TIMEVAL_SUBTRACT(USI->now, probe->sent) >
2573 (long) host->probeTimeout()) {
2574 host->markProbeTimedout(probeI);
2575 /* Once we've timed out a probe, skip it for this round of processData.
2576 We don't want it to move to the bench or anything until the other
2577 functions have had a chance to see that it's timed out. In
2578 particular, timing out a probe may mean that the tryno can no longer
2579 increase, which would make the logic below incorrect. */
2580 continue;
2581 }
2582
2583 if (!probe->isPing() && probe->timedout && !probe->retransmitted) {
2584 if (!tryno_mayincrease && probe->tryno >= maxtries) {
2585 if (tryno_capped && !host->retry_capped_warned) {
2586 log_write(LOG_PLAIN, "Warning: %s giving up on port because"
2587 " retransmission cap hit (%d).\n", host->target->targetipstr(),
2588 probe->tryno);
2589 host->retry_capped_warned = true;
2590 }
2591 if (USI->ping_scan) {
2592 ultrascan_host_probe_update(USI, host, probeI, HOST_DOWN, NULL);
2593 if (host->target->reason.reason_id == ER_UNKNOWN)
2594 host->target->reason.reason_id = ER_NORESPONSE;
2595 } else {
2596 /* No ultrascan_port_probe_update because that allocates a Port
2597 object; the default port state as set by setDefaultPortState
2598 handles these no-response ports. */
2599 host->destroyOutstandingProbe(probeI);
2600 }
2601 continue;
2602 } else if (probe->tryno >= maxtries &&
2603 TIMEVAL_SUBTRACT(USI->now, probe->sent) > expire_us) {
2604 assert(probe->tryno == maxtries);
2605 /* Move it to the bench until it is needed (maxtries
2606 increases or is capped */
2607 host->moveProbeToBench(probeI);
2608 continue;
2609 }
2610 }
2611
2612 if ((probe->isPing() || (probe->timedout && probe->retransmitted)) &&
2613 TIMEVAL_SUBTRACT(USI->now, probe->sent) > expire_us) {
2614 host->destroyOutstandingProbe(probeI);
2615 continue;
2616 }
2617 }
2618 }
2619
2620 /* In case any hosts were completed during this run */
2621 USI->removeCompletedHosts();
2622
2623 /* Check for expired global pings. */
2624 HostScanStats *pinghost = USI->gstats->pinghost;
2625 if (pinghost != NULL) {
2626 for (probeI = pinghost->probes_outstanding.begin();
2627 probeI != pinghost->probes_outstanding.end();
2628 probeI = nextProbeI) {
2629 nextProbeI = probeI;
2630 nextProbeI++;
2631 /* If a global ping probe times out, we want to get rid of it so a new
2632 host can take its place. */
2633 if ((*probeI)->isPing()
2634 && TIMEVAL_SUBTRACT(USI->now, (*probeI)->sent) > (long) pinghost->probeTimeout()) {
2635 if (o.debugging)
2636 log_write(LOG_STDOUT, "Destroying timed-out global ping from %s.\n", pinghost->target->targetipstr());
2637 /* ultrascan_ping_update destroys the probe. */
2638 ultrascan_ping_update(USI, pinghost, probeI, NULL);
2639 }
2640 }
2641 }
2642
2643 gettimeofday(&USI->now, NULL);
2644 if (o.debugging) {
2645 long tv_diff = TIMEVAL_MSEC_SUBTRACT(USI->now, tv_start);
2646 if (tv_diff > 30)
2647 log_write(LOG_PLAIN, "%s took %lims\n", __func__, tv_diff);
2648 }
2649 }
2650
2651 /* 3rd generation Nmap scanning function. Handles most Nmap port scan types.
2652
2653 The parameter to gives group timing information, and if it is not NULL,
2654 changed timing information will be stored in it when the function returns. It
2655 exists so timing can be shared across invocations of this function. If to is
2656 NULL (its default value), a default timeout_info will be used. */
ultra_scan(std::vector<Target * > & Targets,struct scan_lists * ports,stype scantype,struct timeout_info * to)2657 void ultra_scan(std::vector<Target *> &Targets, struct scan_lists *ports,
2658 stype scantype, struct timeout_info *to) {
2659 o.current_scantype = scantype;
2660
2661 increment_base_port();
2662
2663 /* Load up _all_ payloads into a mapped table. Only needed for raw scans. */
2664
2665 init_payloads();
2666
2667 if (Targets.size() == 0) {
2668 return;
2669 }
2670
2671 #ifdef WIN32
2672 if (g_has_npcap_loopback == 0 && scantype != CONNECT_SCAN && Targets[0]->ifType() == devt_loopback) {
2673 log_write(LOG_STDOUT, "Skipping %s against %s because Windows does not support scanning your own machine (localhost) this way.\n", scantype2str(scantype), Targets[0]->NameIP());
2674 return;
2675 }
2676 #endif
2677
2678 // Set the variable for status printing
2679 o.numhosts_scanning = Targets.size();
2680
2681 UltraScanInfo USI(Targets, ports, scantype);
2682
2683 if (USI.gstats->numprobes <= 0) {
2684 if (o.debugging) {
2685 log_write(LOG_STDOUT, "Skipping %s: no probes to send\n", scantype2str(scantype));
2686 }
2687 return;
2688 }
2689
2690 /* Use the requested timeouts. */
2691 if (to != NULL)
2692 USI.gstats->to = *to;
2693
2694 if (o.verbose) {
2695 char targetstr[128];
2696 bool plural = (Targets.size() != 1);
2697 if (!plural) {
2698 (*(Targets.begin()))->NameIP(targetstr, sizeof(targetstr));
2699 } else Snprintf(targetstr, sizeof(targetstr), "%d hosts", (int) Targets.size());
2700 log_write(LOG_STDOUT, "Scanning %s [%d port%s%s]\n", targetstr, USI.gstats->numprobes, (USI.gstats->numprobes != 1) ? "s" : "", plural ? "/host" : "");
2701 }
2702
2703 if (USI.isRawScan())
2704 begin_sniffer(&USI, Targets);
2705 /* Otherwise, no sniffer needed! */
2706
2707 while (!USI.incompleteHostsEmpty()) {
2708 doAnyPings(&USI);
2709 doAnyOutstandingRetransmits(&USI); // Retransmits from probes_outstanding
2710 /* Retransmits from retry_stack -- goes after OutstandingRetransmits for
2711 memory consumption reasons */
2712 doAnyRetryStackRetransmits(&USI);
2713 doAnyNewProbes(&USI);
2714 gettimeofday(&USI.now, NULL);
2715 // printf("TRACE: Finished doAnyNewProbes() at %.4fs\n", o.TimeSinceStartMS(&USI.now) / 1000.0);
2716 printAnyStats(&USI);
2717 waitForResponses(&USI);
2718 gettimeofday(&USI.now, NULL);
2719 // printf("TRACE: Finished waitForResponses() at %.4fs\n", o.TimeSinceStartMS(&USI.now) / 1000.0);
2720 processData(&USI);
2721
2722 if (keyWasPressed()) {
2723 // This prints something like
2724 // SYN Stealth Scan Timing: About 1.14% done; ETC: 15:01 (0:43:23 remaining);
2725 USI.SPM->printStats(USI.getCompletionFraction(), NULL);
2726 if (o.debugging) {
2727 /* Don't update when getting the current rates, otherwise we can get
2728 anomalies (rates are too low) from having just done a potentially
2729 long waitForResponses without sending any packets. */
2730 USI.log_current_rates(LOG_STDOUT, false);
2731 }
2732
2733 log_flush(LOG_STDOUT);
2734 }
2735 }
2736
2737 USI.send_rate_meter.stop(&USI.now);
2738
2739 /* Save the computed timeouts. */
2740 if (to != NULL)
2741 *to = USI.gstats->to;
2742
2743 if (o.verbose) {
2744 char additional_info[128];
2745 if (USI.gstats->num_hosts_timedout == 0)
2746 if (USI.ping_scan) {
2747 Snprintf(additional_info, sizeof(additional_info), "%lu total hosts",
2748 (unsigned long) Targets.size());
2749 } else {
2750 Snprintf(additional_info, sizeof(additional_info), "%lu total ports",
2751 (unsigned long) USI.gstats->numprobes * Targets.size());
2752 }
2753 else Snprintf(additional_info, sizeof(additional_info), "%d %s timed out",
2754 USI.gstats->num_hosts_timedout,
2755 (USI.gstats->num_hosts_timedout == 1) ? "host" : "hosts");
2756 USI.SPM->endTask(NULL, additional_info);
2757 }
2758 if (o.debugging)
2759 USI.log_overall_rates(LOG_STDOUT);
2760
2761 if (o.debugging > 2 && USI.pd != NULL)
2762 pcap_print_stats(LOG_PLAIN, USI.pd);
2763 }
2764