1 /*
2 * $Id: discover_dispatch.c,v 1.8 2003/05/25 18:19:16 skyper Exp $
3 *
4 * Timeout handling and dispatcher function for delay slot.
5 */
6
7 #include <sys/time.h>
8 #include <time.h>
9 #include <pcap.h>
10 #include <libnet.h>
11 #include "default.h"
12 #include "thcrut.h"
13 #include "state.h"
14 #include "range.h"
15 #include "thcrut_pcap.h"
16 #include "thcrut_sig.h"
17 #include "network_raw.h"
18 #include "nmap_compat.h"
19 #include "packets.h"
20 #include "system.h"
21 #include "discover_dispatch.h"
22 #include "nvt.h"
23 #include "asn.h"
24 #include "network.h"
25
26 extern struct _opt opt;
27
28 //typedef void (*dispatch_func_send_t)(struct _state *, void *user);
29 typedef void (*dispatch_func_recv_t)(struct _state_fp *state, struct pcap_pkthdr *p, char *packet);
30
31 static void sendudp(struct _state_fp *state, unsigned short port, char *data, size_t len);
32 static void sendicmp(struct _state *state, char *data, size_t len);
33 static void dis_sendtcp(struct _state *state, unsigned short port);
34 static void dis_sendfpI(struct _state_fp *state, void *user);
35 static void dis_tcpwrite(struct _state_fp *state);
36 static void dis_tcpread(struct _state_fp *state);
37 static void dis_end(struct _state_fp *state);
38 static void dis_end_dis(struct _state_fp *state);
39 static void dis_end_fp(struct _state_fp *state);
40 static void dis_end_nmapfp(struct _state_fp *state);
41 static void dis_recvdummy(struct _state_fp *state, struct pcap_pkthdr *p, char *packet);
42 static void dis_recv(struct _state_fp *state, struct pcap_pkthdr *p, char *packet);
43 static void dis_recvfpI(struct _state_fp *state, struct pcap_pkthdr *p, char *packet);
44
45 static void tcp_open(struct _state_fp *state, unsigned short port);
46 static int fp_state_next_switch(struct _state_fp *state);
47 static void fp_state_exec(struct _state_fp *state);
48 void fp_output(char *results);
49
50 #define TOUT_TCP_CONN_EST (5)
51 #define TOUT_TCP_READ (35)
52
53 #define STATE_RESET (0) /* NULL function */
54 #define STATE_SENDTCP80I (1)
55 #define STATE_SENDTCP80II (2)
56 #define STATE_SENDTCP80III (3)
57 #define STATE_SENDTCP64kI (4) /* Try a High Port */
58 #define STATE_SENDTCP64kII (5) /* Try a High Port */
59 #define STATE_SENDTCP0I (6) /* Try a Low Port */
60 #define STATE_ICMP_ECHOI (7)
61 #define STATE_ICMP_ECHOII (8)
62 #define STATE_SENDTCP22I (9) /* try SSH Port */
63 #define STATE_SENDTCP22II (10) /* try SSH Port */
64 #define STATE_DISCOVERY_MAX (10) /* Upper bound of discovery states */
65
66 #define STATE_SENDFPI (11) /* Nmap Test 1 */
67 #define STATE_SENDFPII (12) /* Nmap Test 1 (second try) */
68 #define STATE_SENDFP_FIRST (13) /* Port characteristic and banner */
69 #define STATE_SENDFP_SECOND (14)
70 #define STATE_END (15)
71 #define STATE_TCP (16)
72 #define STATE_TCPWRITE (17)
73 #define STATE_TCPREAD (18)
74
75
76 char ip_tcp_sync[40];
77 char ip_tcp_fp[60];
78 char ip_udp_dcebind[20 + 8 + FP_DCEBIND_LEN];
79 char ip_udp_snmp[20 + 8 + FP_SNMP_LEN];
80 char ip_icmp_echo[20 + 8];
81
82 unsigned short ip_tcp_sync_chksum;
83 unsigned short ip_tcp_fp_chksum;
84 struct sockaddr_in ip_tcp_sync_addr;
85 static dispatch_func_recv_t dispatch_funcs[] = {
86 dis_recvdummy,
87 dis_recv,
88 dis_recv,
89 dis_recv,
90 dis_recv,
91 dis_recv,
92 dis_recv,
93 dis_recv,
94 dis_recv,
95 dis_recv,
96 dis_recv,
97 dis_recvfpI,
98 dis_recvfpI,
99 dis_recv, /* STATE_SENDFP_FIRST */
100 dis_recv}; /* STATE_SENDFP_SECOND */
101
102 extern int rawsox;
103
104 /*
105 * Switch to next FP state for fingerprinting.
106 * Return 0 on success, -1 on error (no tests left).
107 * This call should be followed by a call to fp_state_exec().
108 */
109 static int
fp_state_next_switch(struct _state_fp * state)110 fp_state_next_switch(struct _state_fp *state)
111 {
112 state->testnr++;
113 if (state->testnr >= opt.fpts.cat[state->cat].n_tests)
114 {
115 next:
116 state->cat++;
117 if (state->cat >= sizeof opt.fpts.cat / sizeof *opt.fpts.cat)
118 {
119 state->cat = 7;
120 return -1; /* STATE_reset(state); */
121 }
122 if (opt.fpts.cat[state->cat].n_tests == 0)
123 goto next;
124
125 state->testnr = 0;
126 }
127
128 fp_state_exec(state);
129
130 return 0;
131 }
132
133 /*
134 * Send packet in current FP state and perform a STATE_switch
135 * if required.
136 */
137 static void
fp_state_exec(struct _state_fp * state)138 fp_state_exec(struct _state_fp *state)
139 {
140 /* CALL THE CORRESPONDING FUNCTION */
141 switch (state->cat)
142 {
143 case FP_CAT_TCP:
144 STATE_current(state) = STATE_SENDFP_FIRST;
145 dis_sendtcp((struct _state *)state, opt.fpts.cat[FP_CAT_TCP].tests[state->testnr].port);
146 break;
147 case FP_CAT_UDP:
148 STATE_current(state) = STATE_SENDFP_FIRST;
149 /* FIXME */
150 sendudp(state, opt.fpts.cat[FP_CAT_UDP].tests[state->testnr].port, ip_udp_dcebind, 28 + FP_DCEBIND_LEN);
151 // fprintf(stderr, "%s UDP NOT SUPPORTED\n", __func__);
152 break;
153 case FP_CAT_BANNER:
154 tcp_open(state, opt.fpts.cat[state->cat].tests[state->testnr].port);
155 STATE_current(state) = STATE_TCPREAD;
156 break;
157 case FP_CAT_WWW:
158 tcp_open(state, opt.fpts.cat[state->cat].tests[state->testnr].port);
159 STATE_current(state) = STATE_TCPWRITE;
160 break;
161 case FP_CAT_SNMP:
162 STATE_current(state) = STATE_SENDFP_FIRST;
163 sendudp(state, opt.fpts.cat[FP_CAT_SNMP].tests[state->testnr].port, ip_udp_snmp, 28 + FP_SNMP_LEN);
164 break;
165 case FP_CAT_NVT:
166 STATE_current(state) = STATE_TCPREAD;
167 tcp_open(state, opt.fpts.cat[state->cat].tests[state->testnr].port);
168 break;
169 default:
170 fprintf(stderr, "%s: Unknown FP category %d for %s\n", __func__, state->cat, int_ntoa(STATE_ip(state)));
171 hexdump((char *)state, opt.sq.item_size);
172 }
173 }
174
175
176 /*
177 * Called if a state time'd out.
178 * Caller should check the state afterwards. It might have been freed
179 * by the state handling function (this or any other function).
180 *
181 * The discovery is split into 3 steps:
182 *
183 * +=================+
184 * +--------> || START (new IP) ||
185 * | +=================+
186 * | |
187 * | +-----------------------+
188 * | | Host online |
189 * +- NO -<-| (TCP to various ports |->-- YES --+
190 * +-----------------------+ +---------+-----------------+
191 * | Port State Fingerprinting |
192 * +---------+-----------------+
193 * |
194 * NMAP OS Fingerprinting
195 *
196 * (bad ascii art eh? no need for state deagram. We always
197 * do Fingerprinting if host has been found)
198 *
199 * Host discovery can be skipped and the FP can be forced.
200 * Host discovery without FP is possible.
201 */
202 void
dis_timeout(struct _state * state)203 dis_timeout(struct _state *state)
204 {
205 struct _state_dis *state_dis = (struct _state_dis *)state;
206 struct _state_fp *state_fp = (struct _state_fp *)state;
207 /*
208 * a small state struct is passed if we just do
209 * discovery, otherwise we have a larger state_fp
210 * struct. Care should be taken what is written to
211 * which one. port and flags lie in state_fp for example
212 * and should never be written to if we are just doing
213 * host discovery.
214 */
215
216 /*
217 * First of all check if there is pending data in the
218 * send buffer that still needs to be flushed through
219 * the raw socket. On success reset send buffer and
220 * reschedule the state.
221 */
222 if (state_dis->slen != 0)
223 {
224 if (net_send(rawsox, state_dis->sbuf, state_dis->slen) != 0)
225 state_dis->slen = 0;
226 /* No need to reschedule. We get called again in 1 second */
227
228 return;
229 }
230
231 /*
232 * What we should try in fact is
233 * TCP 80
234 * TCP64k
235 * ICMP PING
236 * TCP0
237 */
238 switch (STATE_current(state))
239 {
240
241 case STATE_RESET: /* START */
242 if (opt.flags & FL_OPT_HOSTDISCOVERY)
243 {
244 STATE_current(state) = STATE_SENDTCP80I;
245 dis_sendtcp(state, 80);
246 } else if (opt.flags & FL_OPT_FP) {
247 /* Execute first state */
248 fp_state_exec(state_fp);
249 }
250 break;
251 /* -----BEGIN HOST DISCOVERY------ */
252 case STATE_SENDTCP80I:
253 if (opt.flags & FL_OPT_FP)
254 state_fp->port = 80; /* save so that NMAP is faster */
255 STATE_current(state) = STATE_SENDTCP80II;
256 dis_sendtcp(state, 80);
257 break;
258 case STATE_SENDTCP80II:
259 STATE_current(state) = STATE_SENDTCP80III;
260
261 //dis_sendtcp(state, 65535);
262 sendicmp(state, ip_icmp_echo, sizeof ip_icmp_echo);
263 //dis_sendtcp(state, 0);
264
265 dis_sendtcp(state, 80);
266 break;
267 case STATE_SENDTCP80III:
268 STATE_current(state) = STATE_SENDTCP22I;
269
270 //sendicmp(state, ip_icmp_echo, sizeof ip_icmp_echo);
271 //dis_sendtcp(state, 0);
272 dis_sendtcp(state, 65535);
273
274 if (opt.flags & FL_OPT_FP)
275 state_fp->port = 22; /* save so that NMAP is faster */
276 dis_sendtcp(state, 22);
277 break;
278 #if 0
279 case STATE_SENDTCP64kI:
280 STATE_current(state) = STATE_SENDTCP64kII;
281 dis_sendtcp(state, 65535);
282 sendicmp(state, ip_icmp_echo, sizeof ip_icmp_echo);
283 dis_sendtcp(state, 0);
284 // dis_sendtcp(state, 0); /* Low Port */
285 break;
286 #endif
287 #if 0
288 case STATE_SENDTCP64kI:
289 if (opt.flags & FL_OPT_FP)
290 state_fp->port = 22; /* save so that NMAP is faster */
291 STATE_current(state) = STATE_SENDTCP22I;
292 dis_sendtcp(state, 22);
293 STATE_current(state) = STATE_SENDTCP0I;
294 sendicmp(state, ip_icmp_echo, sizeof ip_icmp_echo);
295 break;
296 case STATE_SENDTCP0I:
297 STATE_current(state) = STATE_ICMP_ECHOI;
298 sendicmp(state, ip_icmp_echo, sizeof ip_icmp_echo);
299 break;
300 case STATE_ICMP_ECHOI:
301 STATE_current(state) = STATE_ICMP_ECHOII;
302 sendicmp(state, ip_icmp_echo, sizeof ip_icmp_echo);
303 break;
304 case STATE_ICMP_ECHOII:
305 if (opt.flags & FL_OPT_FP)
306 state_fp->port = 22; /* save so that NMAP is faster */
307 STATE_current(state) = STATE_SENDTCP22I;
308 dis_sendtcp(state, 22);
309 break;
310 #endif
311 case STATE_SENDTCP22I:
312 STATE_current(state) = STATE_SENDTCP22II;
313 dis_sendtcp(state, 0);
314 dis_sendtcp(state, 22);
315 break;
316 case STATE_SENDTCP22II:
317 /* Timeout in last discovery slot. No asnwer at all */
318 STATE_reset(state); /* RESET */
319 break;
320 /* -----END HOST DISCOVERY----- */
321 /* -----BEGIN PORT STATE BANNER OS FP----- */
322 case STATE_TCPREAD:
323 dis_tcpread(state_fp);
324 break;
325 case STATE_TCPWRITE:
326 dis_tcpwrite(state_fp);
327 break;
328
329 case STATE_SENDFP_FIRST: /* Timeout occured */
330 fp_state_exec(state_fp);
331 STATE_current(state) = STATE_SENDFP_SECOND;
332 break;
333 case STATE_SENDFP_SECOND:
334 /* port state test */
335 if (fp_state_next_switch(state_fp) != 0)
336 dis_end_fp(state_fp);
337 break;
338 /* -----END PORT STATE BANNER OS FP----- */
339 /* -----BEGIN NMAP OS FP----- */
340 case STATE_SENDFPI:
341 dis_sendfpI(state_fp, NULL);
342 break;
343 case STATE_SENDFPII:
344 /* FIXME: Why do we break here already? */
345 if (state_fp->flags & STATE_FOUND_OPEN_PORT)
346 {
347 dis_end_nmapfp(state_fp);
348 break;
349 }
350 STATE_current(state_fp) = 0;
351 dis_sendfpI(state_fp, NULL);
352 break;
353 /* -----END NMAP OS FP----- */
354 case STATE_END:
355 STATE_reset(state);
356 fprintf(stderr, "%s:%d STATE_END timed out for ip %s. Should not happen\n", __func__, __LINE__, int_ntoa(STATE_ip(state)));
357 break;
358 default:
359 fprintf(stderr, "Unknown state: %d\n", STATE_current(state));
360 STATE_reset(state);
361 }
362 }
363
364
365 #if 0
366 /*
367 * Change IP in ip packet and fix the tcp checksum
368 */
369 static void
370 packetfixup(char *buf, unsigned short chksum, long newip)
371 {
372 int sum;
373
374 *(long *)(buf + 16) = newip;
375 sum = chksum;
376 sum = ~sum;
377 sum += *(unsigned short *)(buf + 16);
378 sum += *(unsigned short *)(buf + 18);
379 sum = ~sum;
380 sum = (sum >> 16) + (sum & 0xffff);
381 sum += (sum >> 16);
382 *(unsigned short *)(buf + 36) = sum;
383 }
384 #endif
385
386 static void
tcp_open(struct _state_fp * state,unsigned short port)387 tcp_open(struct _state_fp *state, unsigned short port)
388 {
389 struct sockaddr_in addr;
390 int on = 1;
391
392 memset(&addr, 0, sizeof addr);
393 addr.sin_family = PF_INET;
394 addr.sin_addr.s_addr = htonl(STATE_ip(state));
395 addr.sin_port = htons(port);
396
397 state->flags &= ~STATE_CRLF_SENT;
398 state->sox = socket(PF_INET, SOCK_STREAM, 0);
399 if (state->sox < 0)
400 {
401 fprintf(stderr, "socket: %s\n", strerror(errno));
402 STATE_reset(state);
403 return;
404 }
405
406 setsockopt(state->sox, SOL_SOCKET, SO_REUSEADDR, &on, sizeof on);
407 /* We are only interested in the first 128 bytes..even less */
408 /* On Linux this is rouned up to at least 192 bytes */
409 on = 2048; /* To get full FTP banner */
410 setsockopt(state->sox, SOL_SOCKET, SO_RCVBUF, &on, sizeof on);
411 if (fcntl(state->sox, F_SETFL, O_NONBLOCK) != 0)
412 {
413 fprintf(stderr, "fcntl: %s\n", strerror(errno));
414 STATE_reset(state)
415 return;
416 }
417 connect(state->sox, (struct sockaddr *)&addr, sizeof addr);
418 state->un.turn = 0;
419 }
420
421 //#define HTTP_HEAD "HEAD / HTTP/1.0\r\n\r\n"
422 #define HTTP_HEAD "GET / HTTP/1.0\r\n\r\n"
423
424 static void
dis_tcpwrite(struct _state_fp * state)425 dis_tcpwrite(struct _state_fp *state)
426 {
427 char ok = 0;
428
429 if (state->cat == FP_CAT_WWW)
430 ok = (write(state->sox, HTTP_HEAD, sizeof HTTP_HEAD - 1) == sizeof HTTP_HEAD -1);
431
432 if (!ok)
433 {
434 /*
435 * We give us 5 seconds to connect.
436 * on RST we have ECONNREFUSED set.
437 */
438 if ((errno == EAGAIN) || (errno == EINPROGRESS) || (errno == EWOULDBLOCK))
439 {
440 state->un.turn++;
441 if (state->un.turn <= TOUT_TCP_CONN_EST)
442 return;
443 }
444 shutdown(state->sox, 2);
445 close(state->sox);
446
447 /*
448 * No need to reschedule. This is function is called
449 * on timeout.
450 */
451 if (fp_state_next_switch(state) != 0)
452 dis_end_fp(state);
453
454 return;
455 }
456
457 state->un.turn = TOUT_TCP_CONN_EST + 1; /* is connected */
458
459 /* who writes will also read */
460 STATE_switch(state, STATE_TCPREAD);
461 }
462
463 /*
464 * Dispatcher function.
465 * Discovery ended.
466 */
467 static void
dis_end_dis(struct _state_fp * state)468 dis_end_dis(struct _state_fp *state)
469 {
470 struct _binout binout;
471
472 if (opt.flags & FL_OPT_FP)
473 {
474 if (opt.flags & FL_OPT_BINOUT)
475 {
476 memset(&binout, 0, sizeof binout);
477 binout.len = htons(sizeof binout);
478 binout.ip = htonl(STATE_ip(state));
479 write(1, &binout, sizeof binout);
480 }
481 fp_state_exec(state);
482 } else {
483 dis_end(state);
484 }
485 }
486
487 /*
488 * Portstate/Banner FP ended, start NMAP OS FP
489 */
490 static void
dis_end_fp(struct _state_fp * state)491 dis_end_fp(struct _state_fp *state)
492 {
493 state->un.ptr = NULL;
494 #ifdef WITH_NMAPFP
495 /* We enter with unkown state. This makes him resend
496 * everytng twice.
497 */
498 dis_sendfpI(state, NULL);
499 #else
500 /* Skip NMAP FP */
501 dis_end_nmapfp(state);
502 #endif
503 }
504
505 static void
dis_end_nmapfp(struct _state_fp * state)506 dis_end_nmapfp(struct _state_fp *state)
507 {
508 dis_end(state);
509 }
510
511 /*
512 * Input:
513 * data of length len
514 * dst must be 1 byte longer than the input string.
515 *
516 * Output:
517 * \0 terminated and stripped string
518 * Stripped means that all occurences of multiple non-printable chars
519 * are removed.
520 *
521 * Return:
522 * length (without \0) of the resulting string.
523 *
524 */
525 static int
strip(char * dst,char * data,int len)526 strip(char *dst, char *data, int len)
527 {
528 char c;
529 char last = 0;
530 char *ptr = dst;
531
532 while (len-- > 0)
533 {
534 c = *data++;
535
536 /* Ignore \x00 */
537 if (!c)
538 continue;
539
540 if (c == '\r')
541 c = '\n';
542
543 if (((c >= 0x21) && (c <= 0x7e)) || (c != last))
544 {
545 *dst++ = c;
546 }
547
548 last = c;
549 }
550
551 *dst = '\0';
552
553 return dst - ptr;
554 }
555
556 /*
557 * This function is only called from the timeout handler
558 * and the state is automatilcy rescheduled after return.
559 *
560 * We have to set state->reschedule if this function will be
561 * called from a filter() function in the future.
562 */
563 static void
dis_tcpread(struct _state_fp * state)564 dis_tcpread(struct _state_fp *state)
565 {
566 char buf[2048];
567 char ans[2048 + 1 + 2]; /* NVT answer */
568 char rem[2048]; /* NVT rem */
569 int alen, rlen, len;
570 char *end;
571 char *ptr;
572 char *res;
573 ssize_t n;
574 fd_set wfds;
575 struct timeval tv;
576
577 n = read(state->sox, buf, sizeof buf - 1);
578 if (n == 0)
579 goto end;
580
581 state->un.turn++;
582 if (n < 0)
583 {
584 /*
585 * Bloody hell. Some services try to resolve our
586 * IP and require 30 seconds until they come up with
587 * a banner.
588 * The first 5 seconds are reserved for connection
589 * establishment.
590 */
591 if (state->un.turn >= TOUT_TCP_CONN_EST + TOUT_TCP_READ)
592 goto end;
593
594 if ((errno == EAGAIN) || (errno == EWOULDBLOCK) || (errno == EINPROGRESS))
595 {
596 /*
597 * Check if we still try to connect (turn < 5)
598 * or if we got the connection but are waiting for
599 * data (5 < state < 40)
600 *
601 * Is there any decent solution to check the state of
602 * a socket? getsockopt(sox, SOL_SOCK, SO_ERROR, ..)
603 * wont work and also tricks like write(sox, NULL, 0)
604 * indicate that the socket is writeable even if not
605 * connected.
606 */
607 if (state->un.turn == TOUT_TCP_CONN_EST)
608 goto end;
609
610 /*
611 * If we didnt wrote anything so far
612 * check if we are connected at all.
613 */
614 if (state->un.turn < TOUT_TCP_CONN_EST)
615 {
616 tv.tv_usec = 0;
617 tv.tv_sec = 0;
618 FD_ZERO(&wfds);
619 FD_SET(state->sox, &wfds);
620 n = select(state->sox + 1, NULL, &wfds, NULL, &tv);
621 if (n > 0)
622 {
623 state->un.turn = TOUT_TCP_CONN_EST;
624 /* Some telnet sessions need a \r\n
625 * to be activated. We immediately send
626 * it.
627 */
628 if (state->cat == FP_CAT_NVT)
629 write(state->sox, "\r\n", 2);
630 }
631 }
632
633 /* Let's try again in 1 second */
634 /* It's rescheduled anyway */
635 //STATE_reschedule(state, 1);
636 return;
637 }
638 goto end;
639 } /* n < 0 */
640
641 //fprintf(stderr, "Read %d bytes\n", n);
642 if (n > 0)
643 {
644 if (state->un.turn < TOUT_TCP_CONN_EST)
645 state->un.turn = TOUT_TCP_CONN_EST; /* ESTABLISHED */
646 buf[n] = '\0';
647 switch (state->cat)
648 {
649 case FP_CAT_NVT:
650 NVT_decode(buf, n, ans, &alen, rem, &rlen);
651 /* We keep NVT-negotiation + banner */
652 len = strip(rem, buf, n);
653
654 res = state->results + opt.fpts.ofs_test_nvt + state->testnr * FP_NTEST_SZ;
655
656 ptr = res;
657 while (*res)
658 res++;
659 memcpy(res, rem, MIN(len, FP_NTEST_SZ - (res - ptr)));
660 ptr[FP_NTEST_SZ - 1] = '\0';
661 /* FULL */
662 if (len + (res - ptr) + 1 >= FP_NTEST_SZ)
663 break;
664 if ((alen > 0) || (rlen <= 0))
665 {
666 /*
667 * Push it! Some routers do a NVT negotiation
668 * but then wait for a CRLF.
669 */
670 if (!(state->flags & STATE_CRLF_SENT))
671 {
672 state->flags |= STATE_CRLF_SENT;
673 ans[alen++] = '\r';
674 ans[alen++] = '\n';
675 write(state->sox, ans, alen);
676 return;
677 }
678
679 /*
680 * NVT Negotiation. Try read again in 1 second.
681 * The might come more..
682 */
683 write(state->sox, ans, alen);
684
685 /*
686 * But if we already received some data
687 * then wait exactly 2 seconds longer
688 */
689 if ((rlen > 0) && (state->un.turn < TOUT_TCP_CONN_EST + TOUT_TCP_READ - 2))
690 state->un.turn = TOUT_TCP_CONN_EST + TOUT_TCP_READ - 2;
691 return;
692 }
693 break;
694 case FP_CAT_WWW:
695 ptr = strstr(buf, "Server:");
696 if (!ptr)
697 break;
698 ptr += 7;
699 if (!(end = strchr(ptr, '\r')))
700 end = strchr(ptr, '\n');
701 if (!end)
702 end = &buf[n];
703 else
704 *end = '\0';
705
706 res = state->results + opt.fpts.ofs_test_www + state->testnr * FP_WTEST_SZ;
707 memcpy(res, ptr, MIN(end - ptr + 1, FP_WTEST_SZ));
708 res[FP_WTEST_SZ - 1] = '\0';
709 break;
710 case FP_CAT_BANNER:
711 /*
712 * This is a hack. We try to auto-recognize FTP/smtp
713 * banner and log just the "\n220 " line
714 */
715 ptr = buf;
716 if (!strncmp("220-", ptr, 4))
717 {
718 ptr = strstr(ptr, "\n220 ");
719 if (ptr)
720 {
721 ptr++;
722 n = n - (ptr - buf);
723 } else
724 ptr = buf;
725 }
726 res = state->results + opt.fpts.ofs_test_banner + state->testnr * FP_BTEST_SZ;
727 memcpy(res, ptr, MIN(n, FP_BTEST_SZ));
728 res[FP_BTEST_SZ - 1] = '\0';
729 break;
730 default:
731 fprintf(stderr, "%s Wrong category\n", __func__);
732 }
733 }
734
735 end:
736 shutdown(state->sox, 2);
737 close(state->sox);
738 /*
739 * Start NMAP OS FP if no port state tests left.
740 * No need to reschedule. This function is called on timeout.
741 */
742 if (fp_state_next_switch(state) != 0)
743 dis_end_fp(state);
744 }
745
746 #define FILLSBUF(state, data, len) do { \
747 memcpy(((struct _state_dis *)(state))->sbuf, data, len); \
748 ((struct _state_dis *)(state))->slen = len; \
749 } while (0)
750
751 static void
sendicmp(struct _state * state,char * data,size_t len)752 sendicmp(struct _state *state, char *data, size_t len)
753 {
754 struct ip *ip = (struct ip *)(data);
755
756 ip->ip_dst.s_addr = htonl(STATE_ip(state));
757 libnet_do_checksum(data, IPPROTO_ICMP, len - LIBNET_IP_H);
758 if (net_send(rawsox, data, len) == 0)
759 FILLSBUF(state, data, len);
760 }
761
762 /*
763 * Send an empty UDP packet to this port.
764 */
765 static void
sendudp(struct _state_fp * state,unsigned short port,char * data,size_t len)766 sendudp(struct _state_fp *state, unsigned short port, char *data, size_t len)
767 {
768 struct ip *ip = (struct ip *)(data);
769 struct udphdr *udp = (struct udphdr *)(data + 20);
770
771 udp->uh_dport = htons(port);
772 ip->ip_dst.s_addr = htonl(STATE_ip(state));
773 if (net_send(rawsox, data, len) == 0)
774 FILLSBUF(state, data, len);
775 }
776
777 /*
778 * Dont switch state here. This is done in calling function.
779 */
780 static void
dis_sendtcp(struct _state * state,unsigned short port)781 dis_sendtcp(struct _state *state, unsigned short port)
782 {
783 struct tcphdr *tcp = (struct tcphdr *)(ip_tcp_sync + 20);
784 struct ip *ip = (struct ip *)(ip_tcp_sync);
785 int src_ip;
786
787 /* src and dst ip must be set for checksum calculation! */
788 /* We must set src ip on packet generation (scanner_gen_packets) */
789 tcp->th_dport = htons(port);
790 ip->ip_dst.s_addr = htonl(STATE_ip(state));
791 /* The src IP is always set except we use the 'any' device in
792 * which case we have to recalculate it for any packet we send
793 * out.
794 */
795 src_ip = ip->ip_src.s_addr;
796 if (src_ip == 0)
797 ip->ip_src.s_addr = getmyip_by_dst(ip->ip_dst.s_addr);
798
799 libnet_do_checksum(ip_tcp_sync, IPPROTO_TCP, LIBNET_TCP_H);
800 if (net_send(rawsox, ip_tcp_sync, 40) == 0)
801 FILLSBUF(state, ip_tcp_sync, 40);
802 ip->ip_src.s_addr = src_ip; /* Set to 0 again */
803 }
804
805 /*
806 * NMAP
807 * If we are in this state then the host already responded with
808 * a packet (rst probably) and is 'alive'.
809 * We search an open port (if not already found).
810 */
811 static void
dis_sendfpI(struct _state_fp * state,void * user_not_used)812 dis_sendfpI(struct _state_fp *state, void *user_not_used)
813 {
814 struct ip *ip = (struct ip *)ip_tcp_fp;
815 struct tcphdr *tcp = (struct tcphdr *)(ip_tcp_fp + 20);
816
817 //DEBUGF("%s Starting NMAP OS FP on port %d, %s\n", int_ntoa(STATE_ip(state)), state->port, state->flags & STATE_FOUND_OPEN_PORT?"FOUND":"SEARCHING");
818 /*
819 * FIXME: Try every port twice
820 * Timeout handler only calls us if we are in
821 * STATE_SENDFPII. Receiver alwaays calls us with state to SENDFPI.
822 */
823 if ((!(state->flags & STATE_FOUND_OPEN_PORT)) && (STATE_current(state) != STATE_SENDFPI))
824 {
825 switch (state->port)
826 {
827 case 80:
828 state->port = 22;
829 break;
830 case 22:
831 state->port = 139;
832 break;
833 case 139:
834 state->port = 21;
835 break;
836 case 21:
837 state->port = 135;
838 case 135:
839 state->port = 1025;
840 break;
841 case 1025:
842 state->port = 1029;
843 break;
844 case 1029:
845 /* No open ports found at all */
846 /* This will usually call dis_end() and reset the state */
847 dis_end_nmapfp(state);
848 return;
849 default:
850 /*
851 * Should only happen if discovery has not been used.
852 * Otherwise did the discovery already checked for
853 * some ports and we skip them (80, 22, 65535).
854 */
855 // fprintf(stderr, "%s:%d NMAP searching for open port for %s:%d)\n", __func__, __LINE__, int_ntoa(STATE_ip(state)), state->port);
856 state->port = 80;
857 // dis_end_nmapfp(state);
858 // return;
859 }
860 }
861
862 /*
863 * We check for every port twice unless
864 * we get a RST back.
865 */
866 if (STATE_current(state) != STATE_SENDFPI)
867 STATE_current(state) = STATE_SENDFPI;
868 else
869 STATE_current(state) = STATE_SENDFPII;
870
871 ip->ip_dst.s_addr = htonl(STATE_ip(state));
872 tcp->th_dport = htons(state->port);
873 libnet_do_checksum(ip_tcp_fp, IPPROTO_TCP, LIBNET_TCP_H + NMAP_FP_TONE_LEN);
874 if (net_send(rawsox, ip_tcp_fp, 60) == 0)
875 FILLSBUF(state, ip_tcp_fp, 60);
876 }
877
878 /*
879 * Extract two bit tuple from a char array
880 * Set two bit typle in a char array
881 */
882 #define BF2_GET(ptr, nr) ((*((char *)ptr + nr / 4) >> ((nr % 4)*2)) & 0x3)
883 #define BF2_SET(ptr, nr, val) (*((char *)ptr + nr / 4) |= ((val & 0x3) << (nr%4)*2))
884 #define FP_TEST_TCP_PTR(fpts, res) ((res) + (fpts)->ofs_test_tcp)
885 #define FP_TEST_UDP_PTR(fpts, res) ((res) + (fpts)->ofs_test_udp)
886 #define FP_TEST_SNMP_PTR(fpts, res) ((res) + (fpts)->ofs_test_snmp)
887 #define FP_TEST_NVT_PTR(fpts, res) ((res) + (fpts)->ofs_test_nvt)
888
889 /*
890 * Output the gathered FP informations so that the user can add
891 * them to the fingerprint database.
892 */
893 void
fp_output(char * results)894 fp_output(char *results)
895 {
896 int n;
897 char *ptr;
898 char trans[] = {'?', 'C', 'O', '-'};
899 char buf[512];
900
901 printf("-----BEGIN THCRUT FINGERPRINT-----\n");
902 if (opt.fpts.cat[FP_CAT_TCP].n_tests > 0)
903 {
904 ptr = FP_TEST_TCP_PTR(&opt.fpts, results);
905 for (n = 0; n < opt.fpts.cat[FP_CAT_TCP].n_tests; n++)
906 printf("%dT=%c%%", opt.fpts.cat[FP_CAT_TCP].tests[n].port, trans[BF2_GET(ptr, n)]);
907 printf("\n");
908 }
909
910 if (opt.fpts.cat[FP_CAT_UDP].n_tests > 0)
911 {
912 ptr = FP_TEST_UDP_PTR(&opt.fpts, results);
913 for (n = 0; n < opt.fpts.cat[FP_CAT_UDP].n_tests; n++)
914 printf("%dU=%c%%", opt.fpts.cat[FP_CAT_UDP].tests[n].port, trans[BF2_GET(ptr, n)]);
915 printf("\n");
916 }
917
918 for (n = 0; n < opt.fpts.cat[FP_CAT_BANNER].n_tests; n++)
919 {
920 ptr = results + opt.fpts.ofs_test_banner + n * FP_BTEST_SZ;
921 perlstring(buf, sizeof buf, ptr, strlen(ptr));
922 printf("%dB=\"%s\"\n", opt.fpts.cat[FP_CAT_BANNER].tests[n].port, buf);
923 }
924 for (n = 0; n < opt.fpts.cat[FP_CAT_WWW].n_tests; n++)
925 printf("%dW=\"%s\"\n", opt.fpts.cat[FP_CAT_WWW].tests[n].port, results + opt.fpts.ofs_test_www + n * FP_WTEST_SZ);
926 for (n = 0; n < opt.fpts.cat[FP_CAT_SNMP].n_tests; n++)
927 {
928 ptr = results + opt.fpts.ofs_test_snmp + n * FP_STEST_SZ;
929 perlstring(buf, sizeof buf, ptr, strlen(ptr));
930 printf("%dS=\"%s\"\n", opt.fpts.cat[FP_CAT_SNMP].tests[n].port, buf);
931 }
932 for (n = 0; n < opt.fpts.cat[FP_CAT_NVT].n_tests; n++)
933 {
934 ptr = results + opt.fpts.ofs_test_nvt + n * FP_NTEST_SZ;
935 perlstring(buf, sizeof buf, ptr, strlen(ptr));
936 printf("%dN=\"%s\"\n", opt.fpts.cat[FP_CAT_NVT].tests[n].port, buf);
937 }
938 printf("-----END THCRUT FINGERPRINT-----\n");
939 }
940
941
942 #if 0
943 char *
944 fp_match_fp2(char *results)
945 {
946 struct _fp *fp = opt.fpts.fps;
947 char *ptr;
948
949 /*
950 * Keep variable substitution in mind.
951 * We might have to call this recursively and
952 * jump to other variable-lines (which are like
953 * fp-lines, they contain a number of fp_test's
954 * (0..fp->n_tests
955 */
956 while (fp)
957 {
958 /*
959 * Call a function that returns the accuracy
960 * for given results. (e.g. we pass the results
961 * and get back the accuracy).
962 * We can do this per test and add up the accuracy.
963 */
964 /* BANNER */
965 /*
966 * FIXME: The problem is that we account this for every
967 * port. e.g. banner on port 80, banner on port 21, ..
968 * And if match on 80 then this does not mean that
969 * we stop with 21 :/
970 * This is what testnr is all about.
971 * Well, we could mark it in an array if we already
972 * have an result for this testnr (e.g store the accuracy in there).
973 */
974 // ptr = results + opt.fpts.ofs_test_banner + testnr * FP_BTEST_SZ;
975
976
977 }
978 }
979 #endif
980
981 /*
982 * From a state table try to guess the OS.
983 * Return string if found and class & accuracy.
984 * Return NULL otherwise.
985 */
986 char *
fp_match_fp(unsigned int * ret_class,int * ret_accuracy,char * results)987 fp_match_fp(unsigned int *ret_class, int *ret_accuracy, char *results)
988 {
989 struct _fp *fp = opt.fpts.fps, *fp_match = NULL;
990 struct _fp_test *fpt;
991 unsigned char cat;
992 unsigned char testnr;
993 int accuracy_old = 1, accuracy = 0;
994 char *ptr;
995 int offsets[99];
996 char state_port;
997 int n;
998 char tcp_open_found;
999 int accuracy_tcp;
1000 char match, match_tcp;
1001 // int accuracy_idx[128];
1002
1003 // memset(&accuracy_idx, 0, sizeof accuracy_idx);
1004
1005 while (fp)
1006 {
1007 accuracy = 0;
1008 accuracy_tcp = 0;
1009 tcp_open_found = 0;
1010 for (n = 0; n < fp->n_tests; n++)
1011 {
1012 fpt = &fp->fp_tests[n];
1013 // if (accuracy_idx[fpt->testnr_cat])
1014 // continue;
1015
1016 cat = FP_TEST_CAT(fpt);
1017 testnr = FP_TEST_NR(fpt);
1018 match = 0;
1019 match_tcp = 0;
1020 switch (cat)
1021 {
1022 case FP_CAT_TCP:
1023 ptr = FP_TEST_TCP_PTR(&opt.fpts, results);
1024 state_port = BF2_GET(ptr, testnr);
1025 /*
1026 * If we match OPEN or CLOSED we increase the
1027 * accuracy. If the results does not know about
1028 * the STATE (== 0b00) we ignore it
1029 */
1030 if (!state_port) /* Dont care */
1031 break;
1032 if (state_port & fpt->flags)
1033 {
1034 /*
1035 * We discard a port state test if
1036 * not a single port for which we
1037 * test for is found open.
1038 */
1039 if (state_port & FP_TEST_OPEN)
1040 tcp_open_found = 1;
1041 match_tcp = 1;
1042 } else
1043 accuracy_tcp--;
1044 break;
1045 case FP_CAT_UDP:
1046 ptr = FP_TEST_UDP_PTR(&opt.fpts, results);
1047 state_port = BF2_GET(ptr, testnr);
1048 if (!state_port)
1049 break;
1050 if (state_port & fpt->flags)
1051 match = 1;
1052 else
1053 accuracy--;
1054 case FP_CAT_BANNER:
1055 //fprintf(stderr, "BMATCHING %s\n", fpt->str);
1056 ptr = results + opt.fpts.ofs_test_banner + testnr * FP_BTEST_SZ;
1057 if (*ptr == '\0')
1058 break;
1059 if (pcre_exec(fpt->pattern, fpt->hints, ptr, strlen(ptr), 0, 0, offsets, sizeof offsets) >= 0)
1060 match = 1;
1061 break;
1062 case FP_CAT_WWW:
1063 ptr = results + opt.fpts.ofs_test_www + testnr * FP_WTEST_SZ;
1064 if (*ptr == '\0')
1065 break;
1066 if (pcre_exec(fpt->pattern, fpt->hints, ptr, strlen(ptr), 0, 0, offsets, sizeof offsets) >= 0)
1067 match = 1;
1068 break;
1069 case FP_CAT_SNMP:
1070 ptr = FP_TEST_SNMP_PTR(&opt.fpts, results);
1071 if (*ptr == '\0')
1072 break;
1073 if (pcre_exec(fpt->pattern, fpt->hints, ptr, strlen(ptr), 0, 0, offsets, sizeof offsets) >= 0)
1074 match = 1;
1075 break;
1076 case FP_CAT_NVT:
1077 ptr = FP_TEST_NVT_PTR(&opt.fpts, results);
1078 if (*ptr == '\0')
1079 break;
1080 if (pcre_exec(fpt->pattern, fpt->hints, ptr, strlen(ptr), 0, 0, offsets, sizeof offsets) >= 0)
1081 match = 1;
1082 break;
1083 default:
1084 fprintf(stderr, "%s Unknown category (%d)\n", __func__, cat);
1085 }
1086
1087 /*
1088 * On match (TRUE) increase accuracy.
1089 * On !match (FALSE) do nothing here (see above).
1090 * Only change value (reset or increment) on MATCH.
1091 */
1092 if (((match) || (match_tcp)) && (fpt->accuracy == 0))
1093 {
1094 accuracy = 0;
1095 accuracy_tcp = 0;
1096 break;
1097 }
1098 if (match)
1099 {
1100 accuracy += fpt->accuracy;
1101 if (accuracy >= 20)
1102 break;
1103 }
1104 if (match_tcp)
1105 {
1106 accuracy_tcp += fpt->accuracy;
1107 if (accuracy_tcp >= 20)
1108 break;
1109 }
1110 } /* this testline */
1111
1112 /*
1113 * We discard the results of a tcp port state test if not a
1114 * single port that is checked for state open could be found.
1115 */
1116 if (tcp_open_found)
1117 {
1118 tcp_open_found = 0;
1119 accuracy += accuracy_tcp;
1120 }
1121
1122 if (accuracy >= accuracy_old)
1123 {
1124 /* FIXME: also store class or ptr here */
1125 accuracy_old = accuracy;
1126 fp_match = fp;
1127 if (accuracy >= 20) /* BAIL OUT! Max value reached */
1128 {
1129 accuracy = 20;
1130 break;
1131 }
1132 }
1133
1134 fp = fp->next;
1135 }
1136
1137 if (!fp_match)
1138 return NULL;
1139
1140 if (ret_accuracy)
1141 *ret_accuracy = accuracy_old;
1142 if (ret_class)
1143 *ret_class = fp_match->class;
1144
1145 return opt.fpts.strings + fp_match->ofs_string;
1146 }
1147
1148 /*
1149 * Called by sender and receiver
1150 * Outputs all gathered informations.
1151 */
1152 static void
dis_end(struct _state_fp * state)1153 dis_end(struct _state_fp *state)
1154 {
1155 long l = htonl(STATE_ip(state));
1156 struct _nmap_osfp_TONE *tone, *mytone;
1157 char *ptr;
1158 unsigned int class;
1159 int accuracy = 0;
1160 int n;
1161 char buf[1024];
1162 struct _binout *binout = (struct _binout *)buf;
1163 size_t len;
1164
1165 /*
1166 * Later on we first check port state FP and
1167 * compare if NMAP can give us a more (but not less!)
1168 * specific result.
1169 */
1170 if (opt.flags & FL_OPT_FP)
1171 {
1172 /*
1173 * Port State fingerprint
1174 */
1175 ptr = fp_match_fp(&class, &accuracy, state->results);
1176 tone = (struct _nmap_osfp_TONE *)state->un.ptr;
1177 if ((!ptr) && (tone) && (!tone->next) && (accuracy == 0))
1178 ptr = opt.osfp.strings + tone->ofs_string;
1179
1180
1181 /* Binary output for further processing */
1182 if (opt.flags & FL_OPT_BINOUT)
1183 {
1184 if (class)
1185 {
1186 len = sizeof *binout;
1187 /*
1188 * Copy string of fingerprint with the terminating \0.
1189 */
1190 if (ptr)
1191 len += strlcpy(binout->str, ptr, sizeof buf - sizeof *binout) + 1;
1192
1193 binout->ip = l;
1194 binout->class = htonl(class);
1195 binout->len = htons(len);
1196 write(1, binout, len);
1197 }
1198 /* Otherwise (if no PTR string found) did we already
1199 * output this host after discovery
1200 */
1201 } else {
1202 if (ptr)
1203 {
1204 if (opt.flags & FL_OPT_VERBOSE)
1205 printf("Host: %s %s(%u, %s) %d %s\n", int_ntoa(l), FP_class2str(NULL, class), class, int2bit(class), accuracy, ptr);
1206 else
1207 printf("Host: %s %s\n", int_ntoa(l), ptr);
1208 } else
1209 printf("Host: %s\n", int_ntoa(l));
1210 }
1211
1212 /*
1213 * NMAP
1214 * For each FP line check if any testnr line matches
1215 *
1216 * FIXME: NMAP is currently EXPERIMENTAL. the NMAP OS FP file
1217 * requies class informations. With this we can precise our FP
1218 * results or select a OS from NMAP if all os-values are
1219 * equal (same os).
1220 *
1221 * Have to convince Fyodor to cathegorze nmap-of-fingerprints.
1222 */
1223 if ((tone) && (opt.flags & FL_OPT_VERBOSE))
1224 {
1225 tone = (struct _nmap_osfp_TONE *)state->un.ptr;
1226 mytone = tone;
1227 n = 1;
1228 printf("%03d NMAP: %s:%ld:\"%s\"\n", n++, int_ntoa(l), tone->class, opt.osfp.strings + tone->ofs_string);
1229 while ( (tone = tone->next))
1230 {
1231 if (!NMAP_TONE_MATCH(tone, mytone->wsize, NMAP_DF_ISSET(mytone), tone->ops))
1232 continue;
1233 printf("%03d NMAP: %d, %x, %s\n", n++, NMAP_DF_ISSET(tone)?1:0, tone->wsize, opt.osfp.strings + tone->ofs_string);
1234 }
1235 }
1236
1237 /* Output all gathere information for debugging purposes */
1238 if ((opt.flags & FL_OPT_VERBOSE) || (!ptr))
1239 fp_output(state->results);
1240
1241 } else if (opt.flags & FL_OPT_HOSTDISCOVERY) {
1242 if (opt.flags & FL_OPT_BINOUT)
1243 {
1244 write(1, &l, 4);
1245 } else {
1246 printf("Host: %s\n", int_ntoa(l));
1247 }
1248 }
1249
1250 STATE_reset(state);
1251 }
1252
1253 #define PACKET_ALIGN(buf, len, min, max, p, packet) do{ \
1254 if ((p->caplen < opt.dlt_len) || (p->caplen - opt.dlt_len < min)) \
1255 return; \
1256 if (p->caplen - opt.dlt_len < max) \
1257 len = p->caplen - opt.dlt_len; \
1258 else \
1259 len = max; \
1260 memcpy(buf, packet + opt.dlt_len, len); \
1261 }while(0)
1262
1263 /*
1264 * Dummy, to prevent racecondition if sender times this scan out
1265 * but it's still looked up by pcap thread.
1266 */
1267 static void
dis_recvdummy(struct _state_fp * state,struct pcap_pkthdr * p,char * packet)1268 dis_recvdummy(struct _state_fp *state, struct pcap_pkthdr *p, char *packet)
1269 {
1270 }
1271
1272 /*
1273 * Discovery found the host.
1274 * Now we never reset the state to 0 but always go via dis_end
1275 * to output the found IP after FP has completed.
1276 *
1277 * Save open tcp port here if found one.
1278 */
1279 static void
dis_recv(struct _state_fp * state,struct pcap_pkthdr * p,char * packet)1280 dis_recv(struct _state_fp *state, struct pcap_pkthdr *p, char *packet)
1281 {
1282 char buf[256];
1283 size_t len;
1284 struct ip *ip = (struct ip *)buf;
1285 struct tcphdr *tcp;
1286 struct udphdr *udp;
1287 unsigned short options;
1288 char *ptr;
1289 char *udp_data;
1290 char *udp_end;
1291 unsigned char asn_type;
1292
1293 PACKET_ALIGN(buf, len, 40, sizeof buf, p, packet);
1294 if (vrfy_ip(ip, len, &options) != 0)
1295 return;
1296 if ((ip->ip_p == IPPROTO_TCP) && (len < 40 + options))
1297 return;
1298 else if (len < 28 + options) /* UDP / min ICMP header */
1299 return;
1300
1301 tcp = (struct tcphdr *)(buf + 20 + options);
1302
1303 /*
1304 * If we are in discovery mode any packet from the remote is
1305 * fine.
1306 */
1307 if (STATE_current(state) <= STATE_DISCOVERY_MAX)
1308 {
1309 if ((opt.flags & FL_OPT_FP) && (ip->ip_p == IPPROTO_TCP) && (len >= 40 + options))
1310 {
1311 if ((tcp->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
1312 state->flags |= STATE_FOUND_OPEN_PORT;
1313
1314 state->port = ntohs(tcp->th_sport);
1315 }
1316
1317 /* Discovery ended */
1318 STATE_reschedule(state, 1); /* Why here? dis_end_dis() might start a job */
1319 dis_end_dis(state);
1320 return;
1321 }
1322
1323 if (ip->ip_p == IPPROTO_UDP)
1324 {
1325 if (!opt.fpts.cat[state->cat].n_tests)
1326 return;
1327 udp = (struct udphdr *)(buf + 20 + options);
1328 if (ntohs(udp->uh_sport) != opt.fpts.cat[state->cat].tests[state->testnr].port)
1329 return;
1330
1331 if (state->cat == FP_CAT_UDP)
1332 {
1333 ptr = FP_TEST_UDP_PTR(&opt.fpts, state->results);
1334 BF2_SET(ptr, state->testnr, FP_TEST_OPEN);
1335 } else if (state->cat == FP_CAT_SNMP) {
1336 udp_data = (char *)udp + 8;
1337 udp_end = udp_data + len - 20 - options - 8;
1338 /* VERSION */
1339 if (!(len = ASN_next(&udp_data, udp_end - udp_data, &asn_type)))
1340 return;
1341 udp_data += len;
1342 /* COMMUNITY */
1343 if (!(len = ASN_next(&udp_data, udp_end - udp_data, &asn_type)))
1344 return;
1345 udp_data += len;
1346 /* Now until next string */
1347 while (1)
1348 {
1349 len = ASN_next(&udp_data, udp_end - udp_data, &asn_type);
1350 if (!len)
1351 return;
1352 if (asn_type == ASN_OCTET_STR)
1353 break;
1354 udp_data += len;
1355 }
1356 if (len > FP_STEST_SZ - 1)
1357 len = FP_STEST_SZ - 1;
1358 ptr = FP_TEST_SNMP_PTR(&opt.fpts, state->results);
1359 memcpy(ptr, udp_data, len);
1360 ptr[len] = '\0';
1361 }
1362 goto endfp;
1363 }
1364
1365 if ((ip->ip_p != IPPROTO_TCP) || (!opt.fpts.cat[FP_CAT_TCP].n_tests))
1366 return;
1367
1368 if (ntohs(tcp->th_sport) != opt.fpts.cat[FP_CAT_TCP].tests[state->testnr].port)
1369 return;
1370
1371 ptr = FP_TEST_TCP_PTR(&opt.fpts, state->results);
1372 if ((tcp->th_flags & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK))
1373 {
1374 BF2_SET(ptr, state->testnr, FP_TEST_OPEN);
1375 if (!(state->flags & STATE_FOUND_OPEN_PORT))
1376 {
1377 state->flags |= STATE_FOUND_OPEN_PORT;
1378 state->port = ntohs(tcp->th_sport);
1379 }
1380 } else
1381 BF2_SET(ptr, state->testnr, FP_TEST_CLOSED);
1382 endfp:
1383 if (fp_state_next_switch(state) != 0)
1384 {
1385 STATE_reschedule(state, 1);
1386 dis_end_fp(state);
1387 return;
1388 }
1389 }
1390
1391
1392 /*
1393 * Received FP information.
1394 */
1395 static void
dis_recvfpI(struct _state_fp * state,struct pcap_pkthdr * p,char * packet)1396 dis_recvfpI(struct _state_fp *state, struct pcap_pkthdr *p, char *packet)
1397 {
1398 char buf[60];
1399 size_t len;
1400 struct ip *ip = (struct ip *)buf;
1401 struct tcphdr *tcp;
1402 unsigned short ip_options;
1403 unsigned short tcp_options;
1404 unsigned long ops;
1405 //struct _nmap_osfp_TONE *tone;
1406 char df;
1407 char opstr[16];
1408
1409 PACKET_ALIGN(buf, len, 40, 60, p, packet);
1410 if (ip->ip_p != IPPROTO_TCP)
1411 return;
1412 if (vrfy_ip(ip, len, &ip_options) != 0)
1413 return;
1414 tcp = (struct tcphdr *)(buf + 20 + ip_options);
1415
1416 if (vrfy_tcp(tcp, len - 20 - ip_options, &tcp_options) != 0)
1417 return;
1418
1419 if (ntohs(tcp->th_dport) != opt.src_port + 1)
1420 return;
1421
1422 /* If we got a packet back which is not SYN then
1423 * try another port
1424 */
1425 if ((tcp->th_flags & (TH_SYN | TH_ACK)) != (TH_SYN | TH_ACK))
1426 {
1427 if (ntohs(tcp->th_sport) == state->port)
1428 {
1429 state->flags &= ~STATE_FOUND_OPEN_PORT; /* Not open anymore :/ */
1430 STATE_reschedule(state, 1); /* RST, start again */
1431 STATE_current(state) = 0;
1432 dis_sendfpI(state, NULL); /* No syn back? Service died!? */
1433 }
1434 return;
1435 }
1436
1437 df = (ip->ip_off & htons(IP_DF)) == 0 ? 0 : 1;
1438
1439 ops = NMAP_tcpops2ops(opstr, (char *)buf + 40 + ip_options, tcp_options);
1440 if (ops == -1)
1441 return;
1442 state->un.ptr = NMAP_lookup(&opt.osfp, ntohs(tcp->th_win), df, ops);
1443 #if 0
1444 if (state->un.ptr)
1445 printf("FP for %s, wsize %x, df %d, ops: %s %ld\n", int_ntoa(STATE_ip(state)), (unsigned short)ntohs(tcp->th_win), df, opstr, ops);
1446 #endif
1447
1448 dis_end_nmapfp(state);
1449 }
1450
1451
1452 void
scanner_filter(unsigned char * u,struct pcap_pkthdr * p,unsigned char * packet)1453 scanner_filter(unsigned char *u, struct pcap_pkthdr *p, unsigned char *packet)
1454 {
1455 struct _state *state;
1456 unsigned long l;
1457
1458 //DEBUGF("filter invoked %u, %u, dltlen: %d\n", p->caplen, p->len, opt.dlt_len);
1459 /* The RFC says that ETH frame must have a min. length of 64 bytes.
1460 * Tailers are truncated by pcap lib and we might get less here.
1461 */
1462 if (p->caplen < (opt.dlt_len + 20))
1463 return;
1464
1465 memcpy(&l, packet + opt.dlt_len + 12, 4);
1466 if (!(state = STATE_by_ip(&opt.sq, ntohl(l))))
1467 return;
1468
1469 state->reschedule = 0;
1470 /* FIXME: we can also do the state switch here.
1471 * No need for idspatcher functions.
1472 * - get IP header + options
1473 * - pass payload (unaligned) + ip header.
1474 */
1475 if (state->current < sizeof dispatch_funcs / sizeof *dispatch_funcs)
1476 dispatch_funcs[state->current]((struct _state_fp *)state, p, packet);
1477 }
1478
1479