1 /*
2
3 main
4
5 This includes:
6
7 * main()
8 * transmit_thread() - transmits probe packets
9 * receive_thread() - receives response packets
10
11 You'll be wanting to study the transmit/receive threads, because that's
12 where all the action is.
13
14 This is the lynch-pin of the entire program, so it includes a heckuva lot
15 of headers, and the functions have a lot of local variables. I'm trying
16 to make this file relative "flat" this way so that everything is visible.
17 */
18 #include "masscan.h"
19 #include "masscan-version.h"
20 #include "masscan-status.h" /* open or closed */
21 #include "rand-blackrock.h" /* the BlackRock shuffling func */
22 #include "rand-lcg.h" /* the LCG randomization func */
23 #include "templ-pkt.h" /* packet template, that we use to send */
24 #include "rawsock.h" /* api on top of Linux, Windows, Mac OS X*/
25 #include "logger.h" /* adjust with -v command-line opt */
26 #include "main-status.h" /* printf() regular status updates */
27 #include "main-throttle.h" /* rate limit */
28 #include "main-dedup.h" /* ignore duplicate responses */
29 #include "main-ptrace.h" /* for nmap --packet-trace feature */
30 #include "proto-arp.h" /* for responding to ARP requests */
31 #include "stack-ndpv6.h" /* IPv6 Neighbor Discovery Protocol */
32 #include "stack-arpv4.h" /* Handle ARP resolution and requests */
33 #include "rawsock-adapter.h"
34 #include "proto-banner1.h" /* for snatching banners from systems */
35 #include "proto-tcp.h" /* for TCP/IP connection table */
36 #include "proto-preprocess.h" /* quick parse of packets */
37 #include "proto-icmp.h" /* handle ICMP responses */
38 #include "proto-udp.h" /* handle UDP responses */
39 #include "syn-cookie.h" /* for SYN-cookies on send */
40 #include "output.h" /* for outputing results */
41 #include "rte-ring.h" /* producer/consumer ring buffer */
42 #include "rawsock-pcapfile.h" /* for saving pcap files w/ raw packets */
43 #include "stub-pcap.h" /* dynamically load libpcap library */
44 #include "smack.h" /* Aho-corasick state-machine pattern-matcher */
45 #include "pixie-timer.h" /* portable time functions */
46 #include "pixie-threads.h" /* portable threads */
47 #include "templ-payloads.h" /* UDP packet payloads */
48 #include "proto-snmp.h" /* parse SNMP responses */
49 #include "proto-ntp.h" /* parse NTP responses */
50 #include "proto-coap.h" /* CoAP selftest */
51 #include "in-binary.h" /* convert binary output to XML/JSON */
52 #include "main-globals.h" /* all the global variables in the program */
53 #include "proto-zeroaccess.h"
54 #include "siphash24.h"
55 #include "proto-x509.h"
56 #include "crypto-base64.h" /* base64 encode/decode */
57 #include "pixie-backtrace.h"
58 #include "proto-sctp.h"
59 #include "proto-oproto.h" /* Other protocols on top of IP */
60 #include "vulncheck.h" /* checking vulns like monlist, poodle, heartblee */
61 #include "main-readrange.h"
62 #include "scripting.h"
63 #include "read-service-probes.h"
64 #include "misc-rstfilter.h"
65 #include "util-malloc.h"
66 #include "util-checksum.h"
67 #include "massip-parse.h"
68 #include "massip-port.h"
69
70 #include <assert.h>
71 #include <limits.h>
72 #include <string.h>
73 #include <time.h>
74 #include <stdlib.h>
75 #include <signal.h>
76 #include <stdint.h>
77
78 #if defined(WIN32)
79 #include <WinSock.h>
80 #if defined(_MSC_VER)
81 #pragma comment(lib, "Ws2_32.lib")
82 #endif
83 #else
84 #include <sys/socket.h>
85 #include <netinet/in.h>
86 #include <unistd.h>
87 #endif
88
89 /*
90 * yea I know globals suck
91 */
92 unsigned volatile is_tx_done = 0;
93 unsigned volatile is_rx_done = 0;
94 time_t global_now;
95
96 uint64_t usec_start;
97
98
99 /***************************************************************************
100 * We create a pair of transmit/receive threads for each network adapter.
101 * This structure contains the parameters we send to each pair.
102 ***************************************************************************/
103 struct ThreadPair {
104 /** This points to the central configuration. Note that it's 'const',
105 * meaning that the thread cannot change the contents. That'd be
106 * unsafe */
107 const struct Masscan *masscan;
108
109 /** The adapter used by the thread-pair. Normally, thread-pairs have
110 * their own network adapter, especially when doing PF_RING
111 * clustering. */
112 struct Adapter *adapter;
113
114 struct stack_t *stack;
115
116 /**
117 * The index of the network adapter that we are using for this
118 * thread-pair. This is an index into the "masscan->nic[]"
119 * array.
120 *
121 * NOTE: this is also the "thread-id", because we create one
122 * transmit/receive thread pair per NIC.
123 */
124 unsigned nic_index;
125
126 /**
127 * A copy of the master 'index' variable. This is just advisory for
128 * other threads, to tell them how far we've gotten.
129 */
130 volatile uint64_t my_index;
131
132
133 /* This is used both by the transmit and receive thread for
134 * formatting packets */
135 struct TemplateSet tmplset[1];
136
137 /**
138 * The current IP address we are using for transmit/receive.
139 */
140 struct stack_src_t _src_;
141
142 macaddress_t source_mac;
143 macaddress_t router_mac_ipv4;
144 macaddress_t router_mac_ipv6;
145
146 unsigned done_transmitting;
147 unsigned done_receiving;
148
149 double pt_start;
150
151 struct Throttler throttler[1];
152
153 uint64_t *total_synacks;
154 uint64_t *total_tcbs;
155 uint64_t *total_syns;
156
157 size_t thread_handle_xmit;
158 size_t thread_handle_recv;
159 };
160
161
162
163 /***************************************************************************
164 * We support a range of source IP/port. This function converts that
165 * range into useful variables we can use to pick things form that range.
166 ***************************************************************************/
167 static void
adapter_get_source_addresses(const struct Masscan * masscan,unsigned nic_index,unsigned * src_ipv4,unsigned * src_ipv4_mask,unsigned * src_port,unsigned * src_port_mask,ipv6address * src_ipv6,ipv6address * src_ipv6_mask)168 adapter_get_source_addresses(const struct Masscan *masscan,
169 unsigned nic_index,
170 unsigned *src_ipv4,
171 unsigned *src_ipv4_mask,
172 unsigned *src_port,
173 unsigned *src_port_mask,
174 ipv6address *src_ipv6,
175 ipv6address *src_ipv6_mask)
176 {
177 const struct stack_src_t *src = &masscan->nic[nic_index].src;
178 static ipv6address mask = {~0ULL, ~0ULL};
179
180 *src_ipv4 = src->ipv4.first;
181 *src_ipv4_mask = src->ipv4.last - src->ipv4.first;
182
183 *src_port = src->port.first;
184 *src_port_mask = src->port.last - src->port.first;
185
186 *src_ipv6 = src->ipv6.first;
187
188 /* TODO: currently supports only a single address. This needs to
189 * be fixed to support a list of addresses */
190 *src_ipv6_mask = mask;
191 }
192
193 /***************************************************************************
194 * This thread spews packets as fast as it can
195 *
196 * THIS IS WHERE ALL THE EXCITEMENT HAPPENS!!!!
197 * 90% of CPU cycles are in the function.
198 *
199 ***************************************************************************/
200 static void
transmit_thread(void * v)201 transmit_thread(void *v) /*aka. scanning_thread() */
202 {
203 struct ThreadPair *parms = (struct ThreadPair *)v;
204 uint64_t i;
205 uint64_t start;
206 uint64_t end;
207 const struct Masscan *masscan = parms->masscan;
208 uint64_t retries = masscan->retries;
209 uint64_t rate = (uint64_t)masscan->max_rate;
210 unsigned r = (unsigned)retries + 1;
211 uint64_t range;
212 uint64_t range_ipv6;
213 struct BlackRock blackrock;
214 uint64_t count_ipv4 = rangelist_count(&masscan->targets.ipv4);
215 uint64_t count_ipv6 = range6list_count(&masscan->targets.ipv6).lo;
216 struct Throttler *throttler = parms->throttler;
217 struct TemplateSet pkt_template = templ_copy(parms->tmplset);
218 struct Adapter *adapter = parms->adapter;
219 uint64_t packets_sent = 0;
220 unsigned increment = (masscan->shard.of-1) + masscan->nic_count;
221 unsigned src_ipv4;
222 unsigned src_ipv4_mask;
223 unsigned src_port;
224 unsigned src_port_mask;
225 ipv6address src_ipv6;
226 ipv6address src_ipv6_mask;
227 uint64_t seed = masscan->seed;
228 uint64_t repeats = 0; /* --infinite repeats */
229 uint64_t *status_syn_count;
230 uint64_t entropy = masscan->seed;
231
232 LOG(1, "[+] starting transmit thread #%u\n", parms->nic_index);
233
234 /* export a pointer to this variable outside this threads so
235 * that the 'status' system can print the rate of syns we are
236 * sending */
237 status_syn_count = MALLOC(sizeof(uint64_t));
238 *status_syn_count = 0;
239 parms->total_syns = status_syn_count;
240
241
242 /* Normally, we have just one source address. In special cases, though
243 * we can have multiple. */
244 adapter_get_source_addresses(masscan, parms->nic_index,
245 &src_ipv4, &src_ipv4_mask,
246 &src_port, &src_port_mask,
247 &src_ipv6, &src_ipv6_mask);
248
249
250 /* "THROTTLER" rate-limits how fast we transmit, set with the
251 * --max-rate parameter */
252 throttler_start(throttler, masscan->max_rate/masscan->nic_count);
253
254 infinite:
255
256 /* Create the shuffler/randomizer. This creates the 'range' variable,
257 * which is simply the number of IP addresses times the number of
258 * ports.
259 * IPv6: low index will pick addresses from the IPv6 ranges, and high
260 * indexes will pick addresses from the IPv4 ranges. */
261 range = count_ipv4 * rangelist_count(&masscan->targets.ports)
262 + count_ipv6 * rangelist_count(&masscan->targets.ports);
263 range_ipv6 = count_ipv6 * rangelist_count(&masscan->targets.ports);
264 blackrock_init(&blackrock, range, seed, masscan->blackrock_rounds);
265
266 /* Calculate the 'start' and 'end' of a scan. One reason to do this is
267 * to support --shard, so that multiple machines can co-operate on
268 * the same scan. Another reason to do this is so that we can bleed
269 * a little bit past the end when we have --retries. Yet another
270 * thing to do here is deal with multiple network adapters, which
271 * is essentially the same logic as shards. */
272 start = masscan->resume.index + (masscan->shard.one-1) + parms->nic_index;
273 end = range;
274 if (masscan->resume.count && end > start + masscan->resume.count)
275 end = start + masscan->resume.count;
276 end += retries * rate;
277
278
279 /* -----------------
280 * the main loop
281 * -----------------*/
282 LOG(3, "THREAD: xmit: starting main loop: [%llu..%llu]\n", start, end);
283 for (i=start; i<end; ) {
284 uint64_t batch_size;
285
286 /*
287 * Do a batch of many packets at a time. That because per-packet
288 * throttling is expensive at 10-million pps, so we reduce the
289 * per-packet cost by doing batches. At slower rates, the batch
290 * size will always be one. (--max-rate)
291 */
292 batch_size = throttler_next_batch(throttler, packets_sent);
293
294 /*
295 * Transmit packets from other thread, when doing --banners. This
296 * takes priority over sending SYN packets. If there is so much
297 * activity grabbing banners that we cannot transmit more SYN packets,
298 * then "batch_size" will get decremented to zero, and we won't be
299 * able to transmit SYN packets.
300 */
301 stack_flush_packets(parms->stack, adapter,
302 &packets_sent, &batch_size);
303
304
305 /*
306 * Transmit a bunch of packets. At any rate slower than 100,000
307 * packets/second, the 'batch_size' is likely to be 1. At higher
308 * rates, we can't afford to throttle on a per-packet basis and
309 * instead throttle on a per-batch basis. In other words, throttle
310 * based on 2-at-a-time, 3-at-time, and so on, with the batch
311 * size increasing as the packet rate increases. This gives us
312 * very precise packet-timing for low rates below 100,000 pps,
313 * while not incurring the overhead for high packet rates.
314 */
315 while (batch_size && i < end) {
316 uint64_t xXx;
317 uint64_t cookie;
318
319
320
321 /*
322 * RANDOMIZE THE TARGET:
323 * This is kinda a tricky bit that picks a random IP and port
324 * number in order to scan. We monotonically increment the
325 * index 'i' from [0..range]. We then shuffle (randomly transmog)
326 * that index into some other, but unique/1-to-1, number in the
327 * same range. That way we visit all targets, but in a random
328 * order. Then, once we've shuffled the index, we "pick" the
329 * IP address and port that the index refers to.
330 */
331 xXx = (i + (r--) * rate);
332 if (rate > range)
333 xXx %= range;
334 else
335 while (xXx >= range)
336 xXx -= range;
337 xXx = blackrock_shuffle(&blackrock, xXx);
338
339 if (xXx < range_ipv6) {
340 ipv6address ip_them;
341 unsigned port_them;
342 ipv6address ip_me;
343 unsigned port_me;
344
345 ip_them = range6list_pick(&masscan->targets.ipv6, xXx % count_ipv6);
346 port_them = rangelist_pick(&masscan->targets.ports, xXx / count_ipv6);
347
348 ip_me = src_ipv6;
349 port_me = src_port;
350
351 cookie = syn_cookie_ipv6(ip_them, port_them, ip_me, port_me, entropy);
352
353 rawsock_send_probe_ipv6(
354 adapter,
355 ip_them, port_them,
356 ip_me, port_me,
357 (unsigned)cookie,
358 !batch_size, /* flush queue on last packet in batch */
359 &pkt_template
360 );
361
362 /* Our index selects an IPv6 target */
363 } else {
364 /* Our index selects an IPv4 target. In other words, low numbers
365 * index into the IPv6 ranges, and high numbers index into the
366 * IPv4 ranges. */
367 ipv4address ip_them;
368 ipv4address port_them;
369 unsigned ip_me;
370 unsigned port_me;
371
372 xXx -= range_ipv6;
373
374 ip_them = rangelist_pick(&masscan->targets.ipv4, xXx % count_ipv4);
375 port_them = rangelist_pick(&masscan->targets.ports, xXx / count_ipv4);
376
377 /*
378 * SYN-COOKIE LOGIC
379 * Figure out the source IP/port, and the SYN cookie
380 */
381 if (src_ipv4_mask > 1 || src_port_mask > 1) {
382 uint64_t ck = syn_cookie_ipv4((unsigned)(i+repeats),
383 (unsigned)((i+repeats)>>32),
384 (unsigned)xXx, (unsigned)(xXx>>32),
385 entropy);
386 port_me = src_port + (ck & src_port_mask);
387 ip_me = src_ipv4 + ((ck>>16) & src_ipv4_mask);
388 } else {
389 ip_me = src_ipv4;
390 port_me = src_port;
391 }
392 cookie = syn_cookie_ipv4(ip_them, port_them, ip_me, port_me, entropy);
393
394 /*
395 * SEND THE PROBE
396 * This is sorta the entire point of the program, but little
397 * exciting happens here. The thing to note that this may
398 * be a "raw" transmit that bypasses the kernel, meaning
399 * we can call this function millions of times a second.
400 */
401 rawsock_send_probe_ipv4(
402 adapter,
403 ip_them, port_them,
404 ip_me, port_me,
405 (unsigned)cookie,
406 !batch_size, /* flush queue on last packet in batch */
407 &pkt_template
408 );
409 }
410
411 batch_size--;
412 packets_sent++;
413 (*status_syn_count)++;
414
415 /*
416 * SEQUENTIALLY INCREMENT THROUGH THE RANGE
417 * Yea, I know this is a puny 'i++' here, but it's a core feature
418 * of the system that is linearly increments through the range,
419 * but produces from that a shuffled sequence of targets (as
420 * described above). Because we are linearly incrementing this
421 * number, we can do lots of creative stuff, like doing clever
422 * retransmits and sharding.
423 */
424 if (r == 0) {
425 i += increment; /* <------ increment by 1 normally, more with shards/nics */
426 r = (unsigned)retries + 1;
427 }
428
429 } /* end of batch */
430
431
432 /* save our current location for resuming, if the user pressed
433 * <ctrl-c> to exit early */
434 parms->my_index = i;
435
436 /* If the user pressed <ctrl-c>, then we need to exit. but, in case
437 * the user wants to --resume the scan later, we save the current
438 * state in a file */
439 if (is_tx_done) {
440 break;
441 }
442 }
443
444 /*
445 * --infinite
446 * For load testing, go around and do this again
447 */
448 if (masscan->is_infinite && !is_tx_done) {
449 seed++;
450 repeats++;
451 goto infinite;
452 }
453
454 /*
455 * Flush any untransmitted packets. High-speed mechanisms like Windows
456 * "sendq" and Linux's "PF_RING" queue packets and transmit many together,
457 * so there may be some packets that we've queueud but not yet transmitted.
458 * This call makes sure they are transmitted.
459 */
460 rawsock_flush(adapter);
461
462 /*
463 * Wait until the receive thread realizes the scan is over
464 */
465 LOG(1, "[+] transmit thread #%u complete\n", parms->nic_index);
466
467 /*
468 * We are done transmitting. However, response packets will take several
469 * seconds to arrive. Therefore, sit in short loop waiting for those
470 * packets to arrive. Pressing <ctrl-c> a second time will exit this
471 * prematurely.
472 */
473 while (!is_rx_done) {
474 unsigned k;
475 uint64_t batch_size;
476
477 for (k=0; k<1000; k++) {
478
479 /*
480 * Only send a few packets at a time, throttled according to the max
481 * --max-rate set by the user
482 */
483 batch_size = throttler_next_batch(throttler, packets_sent);
484
485
486 /* Transmit packets from the receive thread */
487 stack_flush_packets( parms->stack, adapter,
488 &packets_sent,
489 &batch_size);
490
491 /* Make sure they've actually been transmitted, not just queued up for
492 * transmit */
493 rawsock_flush(adapter);
494
495 pixie_usleep(100);
496 }
497 }
498
499 /* Thread is about to exit */
500 parms->done_transmitting = 1;
501 LOG(1, "[+] exiting transmit thread #%u \n", parms->nic_index);
502 }
503
504
505 /***************************************************************************
506 ***************************************************************************/
507 static unsigned
is_nic_port(const struct Masscan * masscan,unsigned ip)508 is_nic_port(const struct Masscan *masscan, unsigned ip)
509 {
510 unsigned i;
511 for (i=0; i<masscan->nic_count; i++)
512 if (is_my_port(&masscan->nic[i].src, ip))
513 return 1;
514 return 0;
515 }
516
517 static unsigned
is_ipv6_multicast(ipaddress ip_me)518 is_ipv6_multicast(ipaddress ip_me)
519 {
520 /* If this is an IPv6 multicast packe, one sent to the IPv6
521 * address with a prefix of FF02::/16 */
522 return ip_me.version == 6 && (ip_me.ipv6.hi>>48ULL) == 0xFF02;
523 }
524
525
526 /***************************************************************************
527 *
528 * Asynchronous receive thread
529 *
530 * The transmit and receive threads run independently of each other. There
531 * is no record what was transmitted. Instead, the transmit thread sets a
532 * "SYN-cookie" in transmitted packets, which the receive thread will then
533 * use to match up requests with responses.
534 ***************************************************************************/
535 static void
receive_thread(void * v)536 receive_thread(void *v)
537 {
538 struct ThreadPair *parms = (struct ThreadPair *)v;
539 const struct Masscan *masscan = parms->masscan;
540 struct Adapter *adapter = parms->adapter;
541 int data_link = stack_if_datalink(adapter);
542 struct Output *out;
543 struct DedupTable *dedup;
544 struct PcapFile *pcapfile = NULL;
545 struct TCP_ConnectionTable *tcpcon = 0;
546 uint64_t *status_synack_count;
547 uint64_t *status_tcb_count;
548 uint64_t entropy = masscan->seed;
549 struct ResetFilter *rf;
550 struct stack_t *stack = parms->stack;
551
552
553
554 /* For reducing RST responses, see rstfilter_is_filter() below */
555 rf = rstfilter_create(entropy, 16384);
556
557 /* some status variables */
558 status_synack_count = MALLOC(sizeof(uint64_t));
559 *status_synack_count = 0;
560 parms->total_synacks = status_synack_count;
561
562 status_tcb_count = MALLOC(sizeof(uint64_t));
563 *status_tcb_count = 0;
564 parms->total_tcbs = status_tcb_count;
565
566 LOG(1, "[+] starting receive thread #%u\n", parms->nic_index);
567
568 /* Lock this thread to a CPU. Transmit threads are on even CPUs,
569 * receive threads on odd CPUs */
570 if (pixie_cpu_get_count() > 1) {
571 unsigned cpu_count = pixie_cpu_get_count();
572 unsigned cpu = parms->nic_index * 2 + 1;
573 while (cpu >= cpu_count) {
574 cpu -= cpu_count;
575 cpu++;
576 }
577 //TODO:
578 //pixie_cpu_set_affinity(cpu);
579 }
580
581 /*
582 * If configured, open a --pcap file for saving raw packets. This is
583 * so that we can debug scans, but also so that we can look at the
584 * strange things people send us. Note that we don't record transmitted
585 * packets, just the packets we've received.
586 */
587 if (masscan->pcap_filename[0]) {
588 pcapfile = pcapfile_openwrite(masscan->pcap_filename, 1);
589 }
590
591 /*
592 * Open output. This is where results are reported when saving
593 * the --output-format to the --output-filename
594 */
595 out = output_create(masscan, parms->nic_index);
596
597 /*
598 * Create deduplication table. This is so when somebody sends us
599 * multiple responses, we only record the first one.
600 */
601 dedup = dedup_create();
602
603 /*
604 * Create a TCP connection table (per thread pair) for interacting with live
605 * connections when doing --banners
606 */
607 if (masscan->is_banners) {
608 struct TcpCfgPayloads *pay;
609
610 /*
611 * Create TCP connection table
612 */
613 tcpcon = tcpcon_create_table(
614 (size_t)((masscan->max_rate/5) / masscan->nic_count),
615 parms->stack,
616 &parms->tmplset->pkts[Proto_TCP],
617 output_report_banner,
618 out,
619 masscan->tcb.timeout,
620 masscan->seed
621 );
622
623 /*
624 * Initialize TCP scripting
625 */
626 scripting_init_tcp(tcpcon, masscan->scripting.L);
627
628
629 /*
630 * Set some flags [kludge]
631 */
632 tcpcon_set_banner_flags(tcpcon,
633 masscan->is_capture_cert,
634 masscan->is_capture_servername,
635 masscan->is_capture_html,
636 masscan->is_capture_heartbleed,
637 masscan->is_capture_ticketbleed);
638 if (masscan->http_user_agent_length)
639 tcpcon_set_parameter( tcpcon,
640 "http-user-agent",
641 masscan->http_user_agent_length,
642 masscan->http_user_agent);
643 if (masscan->is_hello_smbv1)
644 tcpcon_set_parameter( tcpcon,
645 "hello",
646 1,
647 "smbv1");
648 if (masscan->is_hello_http)
649 tcpcon_set_parameter( tcpcon,
650 "hello",
651 1,
652 "http");
653 if (masscan->is_hello_ssl)
654 tcpcon_set_parameter( tcpcon,
655 "hello",
656 1,
657 "ssl");
658 if (masscan->is_heartbleed)
659 tcpcon_set_parameter( tcpcon,
660 "heartbleed",
661 1,
662 "1");
663 if (masscan->is_ticketbleed)
664 tcpcon_set_parameter( tcpcon,
665 "ticketbleed",
666 1,
667 "1");
668 if (masscan->is_poodle_sslv3)
669 tcpcon_set_parameter( tcpcon,
670 "sslv3",
671 1,
672 "1");
673 if (masscan->tcp_connection_timeout) {
674 char foo[64];
675 sprintf_s(foo, sizeof(foo), "%u", masscan->tcp_connection_timeout);
676 tcpcon_set_parameter( tcpcon,
677 "timeout",
678 strlen(foo),
679 foo);
680 }
681 if (masscan->tcp_hello_timeout) {
682 char foo[64];
683 sprintf_s(foo, sizeof(foo), "%u", masscan->tcp_connection_timeout);
684 tcpcon_set_parameter( tcpcon,
685 "hello-timeout",
686 strlen(foo),
687 foo);
688 }
689
690 for (pay = masscan->payloads.tcp; pay; pay = pay->next) {
691 char name[64];
692 sprintf_s(name, sizeof(name), "hello-string[%u]", pay->port);
693 tcpcon_set_parameter( tcpcon,
694 name,
695 strlen(pay->payload_base64),
696 pay->payload_base64);
697 }
698
699 }
700
701 /*
702 * In "offline" mode, we don't have any receive threads, so simply
703 * wait until transmitter thread is done then go to the end
704 */
705 if (masscan->is_offline) {
706 while (!is_rx_done)
707 pixie_usleep(10000);
708 parms->done_receiving = 1;
709 goto end;
710 }
711
712 /*
713 * Receive packets. This is where we catch any responses and print
714 * them to the terminal.
715 */
716 LOG(2, "[+] THREAD: recv: starting main loop\n");
717 while (!is_rx_done) {
718 int status;
719 unsigned length;
720 unsigned secs;
721 unsigned usecs;
722 const unsigned char *px;
723 int err;
724 unsigned x;
725 struct PreprocessedInfo parsed;
726 ipaddress ip_me;
727 unsigned port_me;
728 ipaddress ip_them;
729 unsigned port_them;
730 unsigned seqno_me;
731 unsigned seqno_them;
732 unsigned cookie;
733 unsigned Q = 0;
734
735 /*
736 * RECEIVE
737 *
738 * This is the boring part of actually receiving a packet
739 */
740 err = rawsock_recv_packet(
741 adapter,
742 &length,
743 &secs,
744 &usecs,
745 &px);
746 if (err != 0) {
747 if (tcpcon)
748 tcpcon_timeouts(tcpcon, (unsigned)time(0), 0);
749 continue;
750 }
751
752
753 /*
754 * Do any TCP event timeouts based on the current timestamp from
755 * the packet. For example, if the connection has been open for
756 * around 10 seconds, we'll close the connection. (--banners)
757 */
758 if (tcpcon) {
759 tcpcon_timeouts(tcpcon, secs, usecs);
760 }
761
762 if (length > 1514)
763 continue;
764
765 /*
766 * "Preprocess" the response packet. This means to go through and
767 * figure out where the TCP/IP headers are and the locations of
768 * some fields, like IP address and port numbers.
769 */
770 x = preprocess_frame(px, length, data_link, &parsed);
771 if (!x)
772 continue; /* corrupt packet */
773 ip_me = parsed.dst_ip;
774 ip_them = parsed.src_ip;
775 port_me = parsed.port_dst;
776 port_them = parsed.port_src;
777 seqno_them = TCP_SEQNO(px, parsed.transport_offset);
778 seqno_me = TCP_ACKNO(px, parsed.transport_offset);
779
780 assert(ip_me.version != 0);
781 assert(ip_them.version != 0);
782
783 switch (parsed.ip_protocol) {
784 case 132: /* SCTP */
785 cookie = syn_cookie(ip_them, port_them | (Proto_SCTP<<16), ip_me, port_me, entropy) & 0xFFFFFFFF;
786 break;
787 default:
788 cookie = syn_cookie(ip_them, port_them, ip_me, port_me, entropy) & 0xFFFFFFFF;
789 }
790
791 /* verify: my IP address */
792 if (!is_my_ip(stack->src, ip_me)) {
793 /* NDP Neighbor Solicitations don't come to our IP address, but to
794 * a multicast address */
795 if (is_ipv6_multicast(ip_me)) {
796 if (parsed.found == FOUND_NDPv6 && parsed.opcode == 135) {
797 stack_ndpv6_incoming_request(stack, &parsed, px, length);
798 }
799 }
800 continue;
801 }
802
803 /*
804 * Handle non-TCP protocols
805 */
806 switch (parsed.found) {
807 case FOUND_NDPv6:
808 switch (parsed.opcode) {
809 case 133: /* Router Solicitation */
810 /* Ignore router solicitations, since we aren't a router */
811 continue;
812 case 134: /* Router advertisement */
813 /* TODO: We need to process router advertisements while scanning
814 * so that we can print warning messages if router information
815 * changes while scanning. */
816 continue;
817 case 135: /* Neighbor Solicitation */
818 /* When responses come back from our scans, the router will send us
819 * these packets. We need to respond to them, so that the router
820 * can then forward the packets to us. If we don't respond, we'll
821 * get no responses. */
822 stack_ndpv6_incoming_request(stack, &parsed, px, length);
823 continue;
824 case 136: /* Neighbor Advertisment */
825 /* TODO: If doing an --ndpscan, the scanner subsystem needs to deal
826 * with these */
827 continue;
828 case 137: /* Redirect */
829 /* We ignore these, since we really don't have the capability to send
830 * packets to one router for some destinations and to another router
831 * for other destinations */
832 continue;
833 default:
834 break;
835 }
836 continue;
837 case FOUND_ARP:
838 LOGip(2, ip_them, 0, "-> ARP [%u] \n", px[parsed.found_offset]);
839
840 switch (parsed.opcode) {
841 case 1: /* request */
842 /* This function will transmit a "reply" to somebody's ARP request
843 * for our IP address (as part of our user-mode TCP/IP).
844 * Since we completely bypass the TCP/IP stack, we have to handle ARPs
845 * ourself, or the router will lose track of us.*/
846 stack_arp_incoming_request(stack,
847 ip_me.ipv4,
848 parms->source_mac,
849 px, length);
850 break;
851 case 2: /* response */
852 /* This is for "arp scan" mode, where we are ARPing targets rather
853 * than port scanning them */
854
855 /* If we aren't doing an ARP scan, then ignore ARP responses */
856 if (!masscan->scan_type.arp)
857 break;
858
859 /* If this response isn't in our range, then ignore it */
860 if (!rangelist_is_contains(&masscan->targets.ipv4, ip_them.ipv4))
861 break;
862
863 /* Ignore duplicates */
864 if (dedup_is_duplicate(dedup, ip_them, 0, ip_me, 0))
865 continue;
866
867 /* ...everything good, so now report this response */
868 arp_recv_response(out, secs, px, length, &parsed);
869 break;
870 }
871 continue;
872 case FOUND_UDP:
873 case FOUND_DNS:
874 if (!is_nic_port(masscan, port_me))
875 continue;
876 if (parms->masscan->nmap.packet_trace)
877 packet_trace(stdout, parms->pt_start, px, length, 0);
878 handle_udp(out, secs, px, length, &parsed, entropy);
879 continue;
880 case FOUND_ICMP:
881 handle_icmp(out, secs, px, length, &parsed, entropy);
882 continue;
883 case FOUND_SCTP:
884 handle_sctp(out, secs, px, length, cookie, &parsed, entropy);
885 break;
886 case FOUND_OPROTO: /* other IP proto */
887 handle_oproto(out, secs, px, length, &parsed, entropy);
888 break;
889 case FOUND_TCP:
890 /* fall down to below */
891 break;
892 default:
893 continue;
894 }
895
896
897 /* verify: my port number */
898 if (!is_my_port(stack->src, port_me))
899 continue;
900 if (parms->masscan->nmap.packet_trace)
901 packet_trace(stdout, parms->pt_start, px, length, 0);
902
903 Q = 0;
904
905 /* Save raw packet in --pcap file */
906 if (pcapfile) {
907 pcapfile_writeframe(
908 pcapfile,
909 px,
910 length,
911 length,
912 secs,
913 usecs);
914 }
915
916 {
917 char buf[64];
918 LOGip(5, ip_them, port_them, "-> TCP ackno=0x%08x flags=0x%02x(%s)\n",
919 seqno_me,
920 TCP_FLAGS(px, parsed.transport_offset),
921 reason_string(TCP_FLAGS(px, parsed.transport_offset), buf, sizeof(buf)));
922 }
923
924 /* If recording --banners, create a new "TCP Control Block (TCB)" */
925 if (tcpcon) {
926 struct TCP_Control_Block *tcb;
927
928 /* does a TCB already exist for this connection? */
929 tcb = tcb_lookup(tcpcon,
930 ip_me, ip_them,
931 port_me, port_them);
932
933 if (TCP_IS_SYNACK(px, parsed.transport_offset)) {
934 if (cookie != seqno_me - 1) {
935 ipaddress_formatted_t fmt = ipaddress_fmt(ip_them);
936 LOG(2, "%s - bad cookie: ackno=0x%08x expected=0x%08x\n",
937 fmt.string, seqno_me-1, cookie);
938 continue;
939 }
940
941 if (tcb == NULL) {
942 tcb = tcpcon_create_tcb(tcpcon,
943 ip_me, ip_them,
944 port_me, port_them,
945 seqno_me, seqno_them+1,
946 parsed.ip_ttl);
947 (*status_tcb_count)++;
948
949 }
950
951 Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_SYNACK,
952 0, 0, secs, usecs, seqno_them+1);
953
954 } else if (tcb) {
955 /* If this is an ACK, then handle that first */
956 if (TCP_IS_ACK(px, parsed.transport_offset)) {
957 Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_ACK,
958 0, seqno_me, secs, usecs, seqno_them);
959 }
960
961 /* If this contains payload, handle that second */
962 if (parsed.app_length) {
963 Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_DATA,
964 px + parsed.app_offset, parsed.app_length,
965 secs, usecs, seqno_them);
966 }
967
968 /* If this is a FIN, handle that. Note that ACK +
969 * payload + FIN can come together */
970 if (TCP_IS_FIN(px, parsed.transport_offset)
971 && !TCP_IS_RST(px, parsed.transport_offset)) {
972 Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_FIN,
973 0, parsed.app_length, secs, usecs, seqno_them);
974 }
975
976 /* If this is a RST, then we'll be closing the connection */
977 if (TCP_IS_RST(px, parsed.transport_offset)) {
978 Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_RST,
979 0, 0, secs, usecs, seqno_them);
980 }
981 } else if (TCP_IS_FIN(px, parsed.transport_offset)) {
982 ipaddress_formatted_t fmt;
983 /*
984 * NO TCB!
985 * This happens when we've sent a FIN, deleted our connection,
986 * but the other side didn't get the packet.
987 */
988 fmt = ipaddress_fmt(ip_them);
989 LOG(4, "%s: received FIN but no TCB\n", fmt.string);
990 if (TCP_IS_RST(px, parsed.transport_offset))
991 ; /* ignore if it's own TCP flag is set */
992 else {
993 int is_suppress;
994
995 is_suppress = rstfilter_is_filter(rf, ip_me, port_me, ip_them, port_them);
996 if (!is_suppress)
997 tcpcon_send_RST(
998 tcpcon,
999 ip_me, ip_them,
1000 port_me, port_them,
1001 seqno_them, seqno_me);
1002 }
1003 }
1004
1005 }
1006
1007 if (Q == 0)
1008 ; //printf("\nerr\n");
1009
1010 if (TCP_IS_SYNACK(px, parsed.transport_offset)
1011 || TCP_IS_RST(px, parsed.transport_offset)) {
1012
1013 /* figure out the status */
1014 status = PortStatus_Unknown;
1015 if (TCP_IS_SYNACK(px, parsed.transport_offset))
1016 status = PortStatus_Open;
1017 if (TCP_IS_RST(px, parsed.transport_offset)) {
1018 status = PortStatus_Closed;
1019 }
1020
1021 /* verify: syn-cookies */
1022 if (cookie != seqno_me - 1) {
1023 ipaddress_formatted_t fmt = ipaddress_fmt(ip_them);
1024 LOG(5, "%s - bad cookie: ackno=0x%08x expected=0x%08x\n",
1025 fmt.string, seqno_me-1, cookie);
1026 continue;
1027 }
1028
1029 /* verify: ignore duplicates */
1030 if (dedup_is_duplicate(dedup, ip_them, port_them, ip_me, port_me))
1031 continue;
1032
1033 /* keep statistics on number received */
1034 if (TCP_IS_SYNACK(px, parsed.transport_offset))
1035 (*status_synack_count)++;
1036
1037 /*
1038 * This is where we do the output
1039 */
1040 output_report_status(
1041 out,
1042 global_now,
1043 status,
1044 ip_them,
1045 6, /* ip proto = tcp */
1046 port_them,
1047 px[parsed.transport_offset + 13], /* tcp flags */
1048 parsed.ip_ttl,
1049 parsed.mac_src
1050 );
1051
1052
1053 /*
1054 * Send RST so other side isn't left hanging (only doing this in
1055 * complete stateless mode where we aren't tracking banners)
1056 */
1057 if (tcpcon == NULL && !masscan->is_noreset)
1058 tcp_send_RST(
1059 &parms->tmplset->pkts[Proto_TCP],
1060 parms->stack,
1061 ip_them, ip_me,
1062 port_them, port_me,
1063 0, seqno_me);
1064
1065 }
1066 }
1067
1068
1069 LOG(1, "[+] exiting receive thread #%u \n", parms->nic_index);
1070
1071 /*
1072 * cleanup
1073 */
1074 end:
1075 if (tcpcon)
1076 tcpcon_destroy_table(tcpcon);
1077 dedup_destroy(dedup);
1078 output_destroy(out);
1079 if (pcapfile)
1080 pcapfile_close(pcapfile);
1081
1082 /*TODO: free stack packet buffers */
1083
1084 /* Thread is about to exit */
1085 parms->done_receiving = 1;
1086 }
1087
1088
1089 /***************************************************************************
1090 * We trap the <ctrl-c> so that instead of exiting immediately, we sit in
1091 * a loop for a few seconds waiting for any late response. But, the user
1092 * can press <ctrl-c> a second time to exit that waiting.
1093 ***************************************************************************/
control_c_handler(int x)1094 static void control_c_handler(int x)
1095 {
1096 static unsigned control_c_pressed = 0;
1097 static unsigned control_c_pressed_again = 0;
1098 if (control_c_pressed == 0) {
1099 fprintf(stderr,
1100 "waiting several seconds to exit..."
1101 " \n"
1102 );
1103 fflush(stderr);
1104 control_c_pressed = 1+x;
1105 is_tx_done = control_c_pressed;
1106 } else {
1107 if (is_rx_done) {
1108 fprintf(stderr, "\nERROR: threads not exiting %d\n", is_rx_done);
1109 if (is_rx_done++ > 1)
1110 exit(1);
1111 } else {
1112 control_c_pressed_again = 1;
1113 is_rx_done = control_c_pressed_again;
1114 }
1115 }
1116
1117 }
1118
1119
1120
1121
1122 /***************************************************************************
1123 * Called from main() to initiate the scan.
1124 * Launches the 'transmit_thread()' and 'receive_thread()' and waits for
1125 * them to exit.
1126 ***************************************************************************/
1127 static int
main_scan(struct Masscan * masscan)1128 main_scan(struct Masscan *masscan)
1129 {
1130 struct ThreadPair parms_array[8];
1131 uint64_t count_ips;
1132 uint64_t count_ports;
1133 uint64_t range;
1134 unsigned index;
1135 time_t now = time(0);
1136 struct Status status;
1137 uint64_t min_index = UINT64_MAX;
1138 struct MassVulnCheck *vulncheck = NULL;
1139 struct stack_t *stack;
1140
1141 memset(parms_array, 0, sizeof(parms_array));
1142
1143 /*
1144 * Vuln check initialization
1145 */
1146 if (masscan->vuln_name) {
1147 unsigned i;
1148 unsigned is_error;
1149 vulncheck = vulncheck_lookup(masscan->vuln_name);
1150
1151 /* If no ports specified on command-line, grab default ports */
1152 is_error = 0;
1153 if (rangelist_count(&masscan->targets.ports) == 0)
1154 rangelist_parse_ports(&masscan->targets.ports, vulncheck->ports, &is_error, 0);
1155
1156 /* Kludge: change normal port range to vulncheck range */
1157 for (i=0; i<masscan->targets.ports.count; i++) {
1158 struct Range *r = &masscan->targets.ports.list[i];
1159 r->begin = (r->begin&0xFFFF) | Templ_VulnCheck;
1160 r->end = (r->end & 0xFFFF) | Templ_VulnCheck;
1161 }
1162 }
1163
1164 /*
1165 * Initialize the task size
1166 */
1167 count_ips = rangelist_count(&masscan->targets.ipv4) + range6list_count(&masscan->targets.ipv6).lo;
1168 if (count_ips == 0) {
1169 LOG(0, "FAIL: target IP address list empty\n");
1170 LOG(0, " [hint] try something like \"--range 10.0.0.0/8\"\n");
1171 LOG(0, " [hint] try something like \"--range 192.168.0.100-192.168.0.200\"\n");
1172 return 1;
1173 }
1174 count_ports = rangelist_count(&masscan->targets.ports);
1175 if (count_ports == 0) {
1176 LOG(0, "FAIL: no ports were specified\n");
1177 LOG(0, " [hint] try something like \"-p80,8000-9000\"\n");
1178 LOG(0, " [hint] try something like \"--ports 0-65535\"\n");
1179 return 1;
1180 }
1181 range = count_ips * count_ports + (uint64_t)(masscan->retries * masscan->max_rate);
1182
1183 /*
1184 * If doing an ARP scan, then don't allow port scanning
1185 */
1186 if (rangelist_is_contains(&masscan->targets.ports, Templ_ARP)) {
1187 if (masscan->targets.ports.count != 1) {
1188 LOG(0, "FAIL: cannot arpscan and portscan at the same time\n");
1189 return 1;
1190 }
1191 }
1192
1193 /*
1194 * If the IP address range is very big, then require that that the
1195 * user apply an exclude range
1196 */
1197 if (count_ips > 1000000000ULL && rangelist_count(&masscan->exclude.ipv4) == 0) {
1198 LOG(0, "FAIL: range too big, need confirmation\n");
1199 LOG(0, " [hint] to prevent acccidents, at least one --exclude must be specified\n");
1200 LOG(0, " [hint] use \"--exclude 255.255.255.255\" as a simple confirmation\n");
1201 exit(1);
1202 }
1203
1204 /*
1205 * trim the nmap UDP payloads down to only those ports we are using. This
1206 * makes lookups faster at high packet rates.
1207 */
1208 payloads_udp_trim(masscan->payloads.udp, &masscan->targets);
1209 payloads_oproto_trim(masscan->payloads.oproto, &masscan->targets);
1210
1211
1212 #ifdef __AFL_HAVE_MANUAL_CONTROL
1213 __AFL_INIT();
1214 #endif
1215
1216 /*
1217 * Start scanning threats for each adapter
1218 */
1219 for (index=0; index<masscan->nic_count; index++) {
1220 struct ThreadPair *parms = &parms_array[index];
1221 int err;
1222
1223 parms->masscan = masscan;
1224 parms->nic_index = index;
1225 parms->my_index = masscan->resume.index;
1226 parms->done_transmitting = 0;
1227 parms->done_receiving = 0;
1228
1229 /* needed for --packet-trace option so that we know when we started
1230 * the scan */
1231 parms->pt_start = 1.0 * pixie_gettime() / 1000000.0;
1232
1233
1234 /*
1235 * Turn the adapter on, and get the running configuration
1236 */
1237 err = masscan_initialize_adapter(
1238 masscan,
1239 index,
1240 &parms->source_mac,
1241 &parms->router_mac_ipv4,
1242 &parms->router_mac_ipv6
1243 );
1244 if (err != 0)
1245 exit(1);
1246 parms->adapter = masscan->nic[index].adapter;
1247 if (!masscan->nic[index].is_usable) {
1248 LOG(0, "FAIL: failed to detect IP of interface\n");
1249 LOG(0, " [hint] did you spell the name correctly?\n");
1250 LOG(0, " [hint] if it has no IP address, "
1251 "manually set with \"--adapter-ip 192.168.100.5\"\n");
1252 exit(1);
1253 }
1254
1255
1256 /*
1257 * Initialize the TCP packet template. The way this works is that
1258 * we parse an existing TCP packet, and use that as the template for
1259 * scanning. Then, we adjust the template with additional features,
1260 * such as the IP address and so on.
1261 */
1262 parms->tmplset->vulncheck = vulncheck;
1263 template_packet_init(
1264 parms->tmplset,
1265 parms->source_mac,
1266 parms->router_mac_ipv4,
1267 parms->router_mac_ipv6,
1268 masscan->payloads.udp,
1269 masscan->payloads.oproto,
1270 stack_if_datalink(masscan->nic[index].adapter),
1271 masscan->seed);
1272
1273 /*
1274 * Set the "source port" of everything we transmit.
1275 */
1276 if (masscan->nic[index].src.port.range == 0) {
1277 unsigned port = 40000 + now % 20000;
1278 masscan->nic[index].src.port.first = port;
1279 masscan->nic[index].src.port.last = port;
1280 masscan->nic[index].src.port.range = 1;
1281 }
1282
1283 stack = stack_create(parms->source_mac, &masscan->nic[index].src);
1284 parms->stack = stack;
1285
1286 /*
1287 * Set the "TTL" (IP time-to-live) of everything we send.
1288 */
1289 if (masscan->nmap.ttl)
1290 template_set_ttl(parms->tmplset, masscan->nmap.ttl);
1291
1292 if (masscan->nic[0].is_vlan)
1293 template_set_vlan(parms->tmplset, masscan->nic[0].vlan_id);
1294
1295
1296 /*
1297 * trap <ctrl-c> to pause
1298 */
1299 signal(SIGINT, control_c_handler);
1300
1301 }
1302
1303 /*
1304 * Print helpful text
1305 */
1306 {
1307 char buffer[80];
1308 struct tm x;
1309
1310 now = time(0);
1311 gmtime_s(&x, &now);
1312 strftime(buffer, sizeof(buffer), "%Y-%m-%d %H:%M:%S GMT", &x);
1313 LOG(0, "Starting masscan " MASSCAN_VERSION " (http://bit.ly/14GZzcT) at %s\n",
1314 buffer);
1315
1316 if (count_ports == 1 && \
1317 masscan->targets.ports.list->begin == Templ_ICMP_echo && \
1318 masscan->targets.ports.list->end == Templ_ICMP_echo)
1319 { /* ICMP only */
1320 //LOG(0, " -- forced options: -sn -n --randomize-hosts -v --send-eth\n");
1321 LOG(0, "Initiating ICMP Echo Scan\n");
1322 LOG(0, "Scanning %u hosts\n",(unsigned)count_ips);
1323 }
1324 else /* This could actually also be a UDP only or mixed UDP/TCP/ICMP scan */
1325 {
1326 //LOG(0, " -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth\n");
1327 LOG(0, "Initiating SYN Stealth Scan\n");
1328 LOG(0, "Scanning %u hosts [%u port%s/host]\n",
1329 (unsigned)count_ips, (unsigned)count_ports, (count_ports==1)?"":"s");
1330 }
1331 }
1332
1333 /*
1334 * Start all the threads
1335 */
1336 for (index=0; index<masscan->nic_count; index++) {
1337 struct ThreadPair *parms = &parms_array[index];
1338
1339 /*
1340 * Start the scanning thread.
1341 * THIS IS WHERE THE PROGRAM STARTS SPEWING OUT PACKETS AT A HIGH
1342 * RATE OF SPEED.
1343 */
1344 parms->thread_handle_xmit = pixie_begin_thread(transmit_thread, 0, parms);
1345
1346 /*
1347 * Start the MATCHING receive thread. Transmit and receive threads
1348 * come in matching pairs.
1349 */
1350 parms->thread_handle_recv = pixie_begin_thread(receive_thread, 0, parms);
1351 }
1352
1353 /*
1354 * Now wait for <ctrl-c> to be pressed OR for threads to exit
1355 */
1356 pixie_usleep(1000 * 100);
1357 LOG(1, "[+] waiting for threads to finish\n");
1358 status_start(&status);
1359 status.is_infinite = masscan->is_infinite;
1360 while (!is_tx_done && masscan->output.is_status_updates) {
1361 unsigned i;
1362 double rate = 0;
1363 uint64_t total_tcbs = 0;
1364 uint64_t total_synacks = 0;
1365 uint64_t total_syns = 0;
1366
1367
1368 /* Find the minimum index of all the threads */
1369 min_index = UINT64_MAX;
1370 for (i=0; i<masscan->nic_count; i++) {
1371 struct ThreadPair *parms = &parms_array[i];
1372
1373 if (min_index > parms->my_index)
1374 min_index = parms->my_index;
1375
1376 rate += parms->throttler->current_rate;
1377
1378 if (parms->total_tcbs)
1379 total_tcbs += *parms->total_tcbs;
1380 if (parms->total_synacks)
1381 total_synacks += *parms->total_synacks;
1382 if (parms->total_syns)
1383 total_syns += *parms->total_syns;
1384 }
1385
1386 if (min_index >= range && !masscan->is_infinite) {
1387 /* Note: This is how we can tell the scan has ended */
1388 is_tx_done = 1;
1389 }
1390
1391 /*
1392 * update screen about once per second with statistics,
1393 * namely packets/second.
1394 */
1395 if (masscan->output.is_status_updates)
1396 status_print(&status, min_index, range, rate,
1397 total_tcbs, total_synacks, total_syns,
1398 0);
1399
1400 /* Sleep for almost a second */
1401 pixie_mssleep(750);
1402 }
1403
1404 /*
1405 * If we haven't completed the scan, then save the resume
1406 * information.
1407 */
1408 if (min_index < count_ips * count_ports) {
1409 masscan->resume.index = min_index;
1410
1411 /* Write current settings to "paused.conf" so that the scan can be restarted */
1412 masscan_save_state(masscan);
1413 }
1414
1415
1416
1417 /*
1418 * Now wait for all threads to exit
1419 */
1420 now = time(0);
1421 for (;;) {
1422 unsigned transmit_count = 0;
1423 unsigned receive_count = 0;
1424 unsigned i;
1425 double rate = 0;
1426 uint64_t total_tcbs = 0;
1427 uint64_t total_synacks = 0;
1428 uint64_t total_syns = 0;
1429
1430
1431 /* Find the minimum index of all the threads */
1432 min_index = UINT64_MAX;
1433 for (i=0; i<masscan->nic_count; i++) {
1434 struct ThreadPair *parms = &parms_array[i];
1435
1436 if (min_index > parms->my_index)
1437 min_index = parms->my_index;
1438
1439 rate += parms->throttler->current_rate;
1440
1441 if (parms->total_tcbs)
1442 total_tcbs += *parms->total_tcbs;
1443 if (parms->total_synacks)
1444 total_synacks += *parms->total_synacks;
1445 if (parms->total_syns)
1446 total_syns += *parms->total_syns;
1447 }
1448
1449
1450
1451 if (time(0) - now >= masscan->wait) {
1452 is_rx_done = 1;
1453 }
1454
1455 if (masscan->output.is_status_updates) {
1456 status_print(&status, min_index, range, rate,
1457 total_tcbs, total_synacks, total_syns,
1458 masscan->wait - (time(0) - now));
1459
1460 for (i=0; i<masscan->nic_count; i++) {
1461 struct ThreadPair *parms = &parms_array[i];
1462
1463 transmit_count += parms->done_transmitting;
1464 receive_count += parms->done_receiving;
1465
1466 }
1467
1468 pixie_mssleep(250);
1469
1470 if (transmit_count < masscan->nic_count)
1471 continue;
1472 is_tx_done = 1;
1473 is_rx_done = 1;
1474 if (receive_count < masscan->nic_count)
1475 continue;
1476
1477 } else {
1478 /* [AFL-fuzz]
1479 * Join the threads, which doesn't allow us to print out
1480 * status messages, but allows us to exit cleaningly without
1481 * any waiting */
1482 for (i=0; i<masscan->nic_count; i++) {
1483 struct ThreadPair *parms = &parms_array[i];
1484
1485 pixie_thread_join(parms->thread_handle_xmit);
1486 parms->thread_handle_xmit = 0;
1487 pixie_thread_join(parms->thread_handle_recv);
1488 parms->thread_handle_recv = 0;
1489 }
1490 is_tx_done = 1;
1491 is_rx_done = 1;
1492 }
1493
1494 break;
1495 }
1496
1497
1498 /*
1499 * Now cleanup everything
1500 */
1501 status_finish(&status);
1502
1503 if (!masscan->output.is_status_updates) {
1504 uint64_t usec_now = pixie_gettime();
1505
1506 printf("%u milliseconds ellapsed\n", (unsigned)((usec_now - usec_start)/1000));
1507 }
1508
1509 LOG(1, "[+] all threads have exited \n");
1510
1511 return 0;
1512 }
1513
1514
1515
1516
1517 /***************************************************************************
1518 ***************************************************************************/
main(int argc,char * argv[])1519 int main(int argc, char *argv[])
1520 {
1521 struct Masscan masscan[1];
1522 unsigned i;
1523 int has_target_addresses = 0;
1524 int has_target_ports = 0;
1525
1526 usec_start = pixie_gettime();
1527 #if defined(WIN32)
1528 {WSADATA x; WSAStartup(0x101, &x);}
1529 #endif
1530
1531 global_now = time(0);
1532
1533 /* Set system to report debug information on crash */
1534 {
1535 int is_backtrace = 1;
1536 for (i=1; i<(unsigned)argc; i++) {
1537 if (strcmp(argv[i], "--nobacktrace") == 0)
1538 is_backtrace = 0;
1539 }
1540 if (is_backtrace)
1541 pixie_backtrace_init(argv[0]);
1542 }
1543
1544 /*
1545 * Initialize those defaults that aren't zero
1546 */
1547 memset(masscan, 0, sizeof(*masscan));
1548 /* 14 rounds seem to give way better statistical distribution than 4 with a
1549 very low impact on scan rate */
1550 masscan->blackrock_rounds = 14;
1551 masscan->output.is_show_open = 1; /* default: show syn-ack, not rst */
1552 masscan->output.is_status_updates = 1; /* default: show status updates */
1553 masscan->wait = 10; /* how long to wait for responses when done */
1554 masscan->max_rate = 100.0; /* max rate = hundred packets-per-second */
1555 masscan->nic_count = 1;
1556 masscan->shard.one = 1;
1557 masscan->shard.of = 1;
1558 masscan->min_packet_size = 60;
1559 masscan->payloads.udp = payloads_udp_create();
1560 masscan->payloads.oproto = payloads_oproto_create();
1561 strcpy_s( masscan->output.rotate.directory,
1562 sizeof(masscan->output.rotate.directory),
1563 ".");
1564 masscan->is_capture_cert = 1;
1565
1566 /*
1567 * Pre-parse the command-line
1568 */
1569 if (masscan_conf_contains("--readscan", argc, argv)) {
1570 masscan->is_readscan = 1;
1571 }
1572
1573 /*
1574 * On non-Windows systems, read the defaults from the file in
1575 * the /etc directory. These defaults will contain things
1576 * like the output directory, max packet rates, and so on. Most
1577 * importantly, the master "--excludefile" might be placed here,
1578 * so that blacklisted ranges won't be scanned, even if the user
1579 * makes a mistake
1580 */
1581 #if !defined(WIN32)
1582 if (!masscan->is_readscan) {
1583 if (access("/etc/masscan/masscan.conf", 0) == 0) {
1584 masscan_read_config_file(masscan, "/etc/masscan/masscan.conf");
1585 }
1586 }
1587 #endif
1588
1589 /*
1590 * Read in the configuration from the command-line. We are looking for
1591 * either options or a list of IPv4 address ranges.
1592 */
1593 masscan_command_line(masscan, argc, argv);
1594 if (masscan->seed == 0)
1595 masscan->seed = get_entropy(); /* entropy for randomness */
1596
1597 /*
1598 * Load database files like "nmap-payloads" and "nmap-service-probes"
1599 */
1600 masscan_load_database_files(masscan);
1601
1602 /*
1603 * Load the scripting engine if needed and run those that were
1604 * specified.
1605 */
1606 if (masscan->is_scripting)
1607 scripting_init(masscan);
1608
1609 /* We need to do a separate "raw socket" initialization step. This is
1610 * for Windows and PF_RING. */
1611 if (pcap_init() != 0)
1612 LOG(2, "libpcap: failed to load\n");
1613 rawsock_init();
1614
1615 /* Init some protocol parser data structures */
1616 snmp_init();
1617 x509_init();
1618
1619
1620 /*
1621 * Apply excludes. People ask us not to scan them, so we maintain a list
1622 * of their ranges, and when doing wide scans, add the exclude list to
1623 * prevent them from being scanned.
1624 */
1625 has_target_addresses = massip_has_ipv4_targets(&masscan->targets) || massip_has_ipv6_targets(&masscan->targets);
1626 has_target_ports = massip_has_target_ports(&masscan->targets);
1627 massip_apply_excludes(&masscan->targets, &masscan->exclude);
1628 if (!has_target_ports && masscan->op == Operation_ListScan)
1629 massip_add_port_string(&masscan->targets, "80", 0);
1630
1631
1632
1633
1634 /* Optimize target selection so it's a quick binary search instead
1635 * of walking large memory tables. When we scan the entire Internet
1636 * our --excludefile will chop up our pristine 0.0.0.0/0 range into
1637 * hundreds of subranges. This allows us to grab addresses faster. */
1638 massip_optimize(&masscan->targets);
1639
1640 /* FIXME: we only support 63-bit scans at the current time.
1641 * This is big enough for the IPv4 Internet, where scanning
1642 * for all TCP ports on all IPv4 addresses results in a 48-bit
1643 * scan, but this isn't big enough even for a single port on
1644 * an IPv6 subnet (which are 64-bits in size, usually). However,
1645 * even at millions of packets per second scanning rate, you still
1646 * can't complete a 64-bit scan in a reasonable amount of time.
1647 * Nor would you want to attempt the feat, as it would overload
1648 * the target IPv6 subnet. Since implementing this would be
1649 * difficult for 32-bit processors, for now, I'm going to stick
1650 * to a simple 63-bit scan.
1651 */
1652 if (massint128_bitcount(massip_range(&masscan->targets)) > 63) {
1653 fprintf(stderr, "[-] FAIL: scan range too large, max is 63-bits, requested is %u bits\n",
1654 massint128_bitcount(massip_range(&masscan->targets)));
1655 fprintf(stderr, " Hint: scan range is number of IP addresses times number of ports\n");
1656 fprintf(stderr, " Hint: IPv6 subnet must be at least /66 \n");
1657 exit(1);
1658 }
1659
1660 /*
1661 * Once we've read in the configuration, do the operation that was
1662 * specified
1663 */
1664 switch (masscan->op) {
1665 case Operation_Default:
1666 /* Print usage info and exit */
1667 masscan_usage();
1668 break;
1669
1670 case Operation_Scan:
1671 /*
1672 * THIS IS THE NORMAL THING
1673 */
1674 if (rangelist_count(&masscan->targets.ipv4) == 0 && massint128_is_zero(range6list_count(&masscan->targets.ipv6))) {
1675 /* We check for an empty target list here first, before the excludes,
1676 * so that we can differentiate error messages after excludes, in case
1677 * the user specified addresses, but they were removed by excludes. */
1678 LOG(0, "FAIL: target IP address list empty\n");
1679 if (has_target_addresses) {
1680 LOG(0, " [hint] all addresses were removed by exclusion ranges\n");
1681 } else {
1682 LOG(0, " [hint] try something like \"--range 10.0.0.0/8\"\n");
1683 LOG(0, " [hint] try something like \"--range 192.168.0.100-192.168.0.200\"\n");
1684 }
1685 exit(1);
1686 }
1687 if (rangelist_count(&masscan->targets.ports) == 0) {
1688 if (has_target_ports) {
1689 LOG(0, " [hint] all ports were removed by exclusion ranges\n");
1690 } else {
1691 LOG(0, "FAIL: no ports were specified\n");
1692 LOG(0, " [hint] try something like \"-p80,8000-9000\"\n");
1693 LOG(0, " [hint] try something like \"--ports 0-65535\"\n");
1694 }
1695 return 1;
1696 }
1697 return main_scan(masscan);
1698
1699 case Operation_ListScan:
1700 /* Create a randomized list of IP addresses */
1701 main_listscan(masscan);
1702 return 0;
1703
1704 case Operation_List_Adapters:
1705 /* List the network adapters we might want to use for scanning */
1706 rawsock_list_adapters();
1707 break;
1708
1709 case Operation_DebugIF:
1710 for (i=0; i<masscan->nic_count; i++)
1711 rawsock_selftest_if(masscan->nic[i].ifname);
1712 return 0;
1713
1714 case Operation_ReadRange:
1715 main_readrange(masscan);
1716 return 0;
1717
1718 case Operation_ReadScan:
1719 {
1720 unsigned start;
1721 unsigned stop;
1722
1723 /* find first file */
1724 for (start=1; start<(unsigned)argc; start++) {
1725 if (memcmp(argv[start], "--readscan", 10) == 0) {
1726 start++;
1727 break;
1728 }
1729 }
1730
1731 /* find last file */
1732 for (stop=start+1; stop<(unsigned)argc && argv[stop][0] != '-'; stop++)
1733 ;
1734
1735 /*
1736 * read the binary files, and output them again depending upon
1737 * the output parameters
1738 */
1739 read_binary_scanfile(masscan, start, stop, argv);
1740
1741 }
1742 break;
1743
1744 case Operation_Benchmark:
1745 printf("=== benchmarking (%u-bits) ===\n\n", (unsigned)sizeof(void*)*8);
1746 blackrock_benchmark(masscan->blackrock_rounds);
1747 blackrock2_benchmark(masscan->blackrock_rounds);
1748 smack_benchmark();
1749 exit(1);
1750 break;
1751
1752 case Operation_Echo:
1753 masscan_echo(masscan, stdout, 0);
1754 exit(0);
1755 break;
1756
1757 case Operation_EchoAll:
1758 masscan_echo(masscan, stdout, 0);
1759 exit(0);
1760 break;
1761
1762 case Operation_Selftest:
1763 /*
1764 * Do a regression test of all the significant units
1765 */
1766 {
1767 int x = 0;
1768 x += massip_selftest();
1769 x += ranges6_selftest();
1770 x += dedup_selftest();
1771 x += checksum_selftest();
1772 x += ipv6address_selftest();
1773 x += proto_coap_selftest();
1774 x += smack_selftest();
1775 x += sctp_selftest();
1776 x += base64_selftest();
1777 x += banner1_selftest();
1778 x += output_selftest();
1779 x += siphash24_selftest();
1780 x += ntp_selftest();
1781 x += snmp_selftest();
1782 x += payloads_udp_selftest();
1783 x += blackrock_selftest();
1784 x += rawsock_selftest();
1785 x += lcg_selftest();
1786 x += template_selftest();
1787 x += ranges_selftest();
1788 x += massip_parse_selftest();
1789 x += pixie_time_selftest();
1790 x += rte_ring_selftest();
1791 x += mainconf_selftest();
1792 x += zeroaccess_selftest();
1793 x += nmapserviceprobes_selftest();
1794 x += rstfilter_selftest();
1795
1796
1797 if (x != 0) {
1798 /* one of the selftests failed, so return error */
1799 fprintf(stderr, "regression test: failed :( \n");
1800 return 1;
1801 } else {
1802 fprintf(stderr, "regression test: success!\n");
1803 return 0;
1804 }
1805 }
1806 break;
1807 }
1808
1809
1810 return 0;
1811 }
1812
1813
1814