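#ifndef MASSCAN_H
#define MASSCAN_H
#include "massip-addr.h"
#include "string_s.h"
#include "stack-src.h"
#include "massip.h"
#include <string.h>
#include <stdio.h>
#include <stdint.h>
#include <time.h>

#include "stack-queue.h"

struct Adapter;
struct TemplateSet;
struct Banner1;

/**
 * This is the "operation" to be performed by masscan, which is almost always
 * to "scan" the network. However, there are some lesser operations to do
 * instead, like run a "regression self test", or "debug", or something else
 * instead of scanning. The command-line is parsed in order to figure out the
 * proper operation.
 */
enum Operation {
    Operation_Default = 0,          /* nothing specified, so print usage */
    Operation_List_Adapters = 1,    /* --listif */
    Operation_Selftest = 2,         /* --selftest or --regress */
    Operation_Scan = 3,             /* this is what you expect */
    Operation_DebugIF = 4,          /* --debug if */
    Operation_ListScan = 5,         /* -sL */
    Operation_ReadScan = 6,         /* --readscan <binary-output> */
    Operation_ReadRange = 7,        /* --readrange */
    Operation_Benchmark = 8,        /* --benchmark */
    Operation_Echo = 9,             /* --echo */
    Operation_EchoAll = 10,         /* --echo-all */
};

/**
 * The format of the output. If nothing is specified, then the default will
 * be "--interactive", meaning that results are printed to the command-line
 * live as they come in. Only one output format can be specified, except that
 * "--interactive" can be specified alongside any of the other ones.
 *
 * NOTE(review): the values are laid out as single bits, but Output_NDJSON
 * (0x0011) is Output_Interactive|Output_JSON rather than a bit of its own.
 * That is harmless only as long as 'format' is compared for equality and
 * never OR-ed with other values; the consumers are not in this header, so
 * check them before renumbering. Output_All (0xFFBF) is a mask that omits
 * Output_ScriptKiddie (0x0040) and is marked as not supported.
 */
enum OutputFormat {
    Output_Default = 0x0000,
    Output_Interactive = 0x0001,    /* --interactive, print to cmdline */
    Output_List = 0x0002,
    Output_Binary = 0x0004,         /* -oB, "binary", the primary format */
    Output_XML = 0x0008,            /* -oX, "xml" */
    Output_JSON = 0x0010,           /* -oJ, "json" */
    Output_NDJSON = 0x0011,         /* -oD, "ndjson" (== Interactive|JSON, see note above) */
    Output_Nmap = 0x0020,
    Output_ScriptKiddie = 0x0040,
    Output_Grepable = 0x0080,       /* -oG, "grepable" */
    Output_Redis = 0x0100,
    Output_Unicornscan = 0x0200,    /* -oU, "unicornscan" */
    Output_None = 0x0400,
    Output_Certs = 0x0800,
    Output_Hostonly = 0x1000,       /* -oH, "hostonly" */
    Output_All = 0xFFBF,            /* not supported */
};


/**
 * Holds the list of TCP "hello" payloads, specified with the "--hello-file"
 * or "--hello-string" options. Entries are kept as a singly linked list.
 */
struct TcpCfgPayloads
{
    /** The "hello" data in base64 format. This is either the base64 string
     * specified in the cmdline/cfgfile with "--hello-string", or the
     * contents of a file specified with "--hello-file" that has been
     * converted into base64. Presumably heap-allocated by the parser; the
     * owner/free path is not visible in this header. */
    char *payload_base64;

    /** The TCP port that this hello belongs to */
    unsigned port;

    /** These configuration options are stored as a linked-list */
    struct TcpCfgPayloads *next;
};




/**
 * This is the master MASSCAN configuration structure. It is created on startup
 * by reading the command-line and parsing configuration files.
 *
 * Once read in at the start, this structure doesn't change. The transmit
 * and receive threads have only a "const" pointer to this structure.
 *
 * Security note: the command-line and configuration file are the input
 * boundary of this structure. Several members below are fixed-size 256-byte
 * character arrays; the code that fills them (not in this header) must bound
 * every copy and guarantee NUL-termination, i.e. at most 255 usable
 * characters. Likewise nic_count must never exceed the 8 slots of nic[], and
 * no more than 16 http_headers[] entries can be stored.
 */
struct Masscan
{
    /**
     * What this program is doing, which is normally "Operation_Scan", but
     * which can be other things, like "Operation_Selftest"
     */
    enum Operation op;

    /** Which probe types are enabled; several may be set at once. */
    struct {
        unsigned tcp:1;
        unsigned udp:1;         /* -sU */
        unsigned sctp:1;
        unsigned ping:1;        /* --ping, ICMP echo */
        unsigned arp:1;         /* --arp, local ARP scan */
        unsigned oproto:1;      /* -sO */
    } scan_type;

    /**
     * After scan type has been configured, add these ports
     */
    unsigned top_ports;

    /**
     * Temporary file to echo parameters to, used for saving configuration
     * to a file
     */
    FILE *echo;
    unsigned echo_all;

    /**
     * One or more network adapters that we'll use for scanning. Each adapter
     * should have a separate set of IP source addresses, except in the case
     * of PF_RING dnaX:Y adapters.
     */
    struct {
        char ifname[256];               /* fixed buffer: bound copies, NUL-terminate */
        struct Adapter *adapter;
        struct stack_src_t src;
        macaddress_t source_mac;
        macaddress_t router_mac_ipv4;
        macaddress_t router_mac_ipv6;
        ipv4address_t router_ip;
        int link_type;                  /* libpcap definitions */
        unsigned char my_mac_count;     /* is there a MAC address? */
        unsigned vlan_id;
        unsigned is_vlan:1;
        unsigned is_usable:1;
    } nic[8];
    unsigned nic_count;                 /* number of valid nic[] entries; must be <= 8 */

    /**
     * The target ranges of IPv4 addresses that are included in the scan.
     * The user can specify anything here, and we'll resolve all overlaps
     * and such, and sort the target ranges.
     */
    struct MassIP targets;

    /**
     * IPv4 addresses/ranges that are to be excluded from the scan. This takes
     * precedence over any 'include' statement. What happens is this: after
     * all the configuration has been read, we then apply the exclude/blacklist
     * on top of the target/whitelist, leaving only a target/whitelist left.
     * Thus, during the scan, we only choose from the target/whitelist and
     * don't consult the exclude/blacklist.
     */
    struct MassIP exclude;

    /**
     * Only output these types of banners
     */
    struct RangeList banner_types;


    /**
     * Maximum rate, in packets-per-second (--rate parameter). This can be
     * a fraction of a packet-per-second, or be as high as 30000000.0 (or
     * more actually, but I've only tested to 30megapps).
     */
    double max_rate;

    /**
     * Number of retries (--retries or --max-retries parameter). Retries
     * happen a few seconds apart.
     */
    unsigned retries;


    unsigned is_pfring:1;               /* --pfring */
    unsigned is_sendq:1;                /* --sendq */
    unsigned is_banners:1;              /* --banners */
    unsigned is_offline:1;              /* --offline */
    unsigned is_noreset:1;              /* --noreset, don't transmit RST */
    unsigned is_gmt:1;                  /* --gmt, all times in GMT */
    unsigned is_capture_cert:1;         /* --capture cert */
    unsigned is_capture_html:1;         /* --capture html */
    unsigned is_capture_heartbleed:1;   /* --capture heartbleed */
    unsigned is_capture_ticketbleed:1;  /* --capture ticket */
    unsigned is_test_csv:1;             /* (temporary testing feature) */
    unsigned is_infinite:1;             /* -infinite */
    unsigned is_readscan:1;             /* --readscan, Operation_ReadScan */
    unsigned is_heartbleed:1;           /* --heartbleed, scan for this vuln */
    unsigned is_ticketbleed:1;          /* --ticketbleed, scan for this vuln */
    unsigned is_poodle_sslv3:1;         /* --vuln poodle, scan for this vuln */
    unsigned is_hello_ssl:1;            /* --ssl, use SSL HELLO on all ports */
    unsigned is_hello_smbv1:1;          /* --smbv1, use SMBv1 hello, instead of v1/v2 hello */
    unsigned is_hello_http:1;           /* --hello=http, use HTTP on all ports */
    unsigned is_scripting:1;            /* whether scripting is needed */
    unsigned is_capture_servername:1;   /* --capture servername */

    /**
     * --wait
     * How long to keep waiting for responses after transmit finishes. The
     * original note says the default is 10 seconds and that waiting forever
     * is possible; the sentinel meaning "forever" is not visible here.
     */
    unsigned wait;

    /**
     * --resume
     * This structure contains options for pausing the scan (by exiting the
     * program) and restarting it later.
     */
    struct {
        /** --resume-index */
        uint64_t index;

        /** --resume-count */
        uint64_t count;

        /** Derives the --resume-index from the target ip:port.
         * 'ip' is a plain unsigned, so presumably IPv4 only — verify
         * against the code that sets it. */
        struct {
            unsigned ip;
            unsigned port;
        } target;
    } resume;

    /**
     * --shard n/m
     * This is used for distributing a scan across multiple "shards". Every
     * shard in the scan must know the total number of shards, and must also
     * know which of those shards is its identity. Thus, shard 1/5 scans
     * a different range than 2/5. These numbers start at 1, so it's
     * 1/3 (#1 out of three), 2/3, and 3/3 (but not 0/3).
     */
    struct {
        unsigned one;
        unsigned of;
    } shard;

    /**
     * The packet template set we are currently using. We store a binary
     * template for TCP, UDP, SCTP, ICMP, and so on. All the scans using that
     * protocol are then scanned using that basic template. IP and TCP options
     * can be added to the basic template without affecting any other component
     * of the system.
     */
    struct TemplateSet *pkt_template;

    /**
     * A random seed for randomization if zero, otherwise we'll use
     * the configured seed for repeatable tests.
     */
    uint64_t seed;

    /**
     * This block configures what we do for the output files
     */
    struct OutputStuff {

        /**
         * --output-format
         * Examples are "xml", "binary", "json", "ndjson", "grepable", and so on.
         */
        enum OutputFormat format;

        /**
         * --output-filename
         * The name of the file where we are storing scan results.
         * Note: the filename "-" means that we should send the file to
         * <stdout> rather than to a file.
         * Fixed buffer: the parser must bound the copy and NUL-terminate.
         */
        char filename[256];

        /**
         * A feature of the XML output where we can insert an optional
         * stylesheet into the file for better rendering on web browsers.
         * Fixed buffer; same bounding rule as 'filename'.
         */
        char stylesheet[256];

        /**
         * --append
         * We should append to the output file rather than overwriting it.
         */
        unsigned is_append:1;

        /**
         * --open
         * --open-only
         * --show open
         * Whether to show open ports
         */
        unsigned is_show_open:1;

        /**
         * --show closed
         * Whether to show closed ports (i.e. RSTs)
         */
        unsigned is_show_closed:1;

        /**
         * --show host
         * Whether to show host messages other than closed ports
         */
        unsigned is_show_host:1;

        /**
         * print reason port is open, which is redundant for us
         */
        unsigned is_reason:1;

        /**
         * --interactive
         * Print to command-line while also writing to output file. This isn't
         * needed if the output format is already 'interactive' (the default),
         * but only if the default output format is anything else, and the
         * user also wants interactivity.
         */
        unsigned is_interactive:1;

        /**
         * Print state updates
         */
        unsigned is_status_updates:1;

        struct {
            /**
             * When we should rotate output into the target directory
             */
            unsigned timeout;

            /**
             * When doing "--rotate daily", the rotation is done at GMT. In
             * order to fix this, add an offset.
             */
            unsigned offset;

            /**
             * Instead of rotating by timeout, we can rotate by filesize
             */
            uint64_t filesize;

            /**
             * The directory to which we store rotated files.
             * Fixed buffer; same bounding rule as 'filename'.
             */
            char directory[256];
        } rotate;
    } output;

    /** nmap-compatibility knobs that shape the transmitted packets. */
    struct {
        unsigned data_length;       /* number of bytes to randomly append */
        unsigned ttl;               /* starting IP TTL field */
        unsigned badsum;            /* bad TCP/UDP/SCTP checksum */

        unsigned packet_trace:1;    /* print transmit messages */

        char datadir[256];          /* fixed buffer; same bounding rule as output.filename */
    } nmap;

    /** Fixed buffer; same bounding rule as output.filename. */
    char pcap_filename[256];

    struct {
        unsigned timeout;
    } tcb;

    /**
     * Paths of, and parsed contents of, the payload/probe databases loaded
     * by masscan_load_database_files().
     */
    struct {
        char *pcap_payloads_filename;
        char *nmap_payloads_filename;
        char *nmap_service_probes_filename;

        struct PayloadsUDP *udp;
        struct PayloadsUDP *oproto;
        struct TcpCfgPayloads *tcp;
        struct NmapServiceProbeList *probes;
    } payloads;

    /** (pointer, length) pair — not necessarily a NUL-terminated C string;
     * presumably consumers must use http_user_agent_length, confirm. */
    unsigned char *http_user_agent;
    unsigned http_user_agent_length;
    unsigned tcp_connection_timeout;

    /** Number of seconds to wait for a 'hello' from the server before
     * giving up and sending a 'hello' from the client. Should be a small
     * value when doing scans that expect client-side hellos, like HTTP or
     * SSL, but should be a longer value when doing scans that expect server
     * hellos, such as FTP or VNC */
    unsigned tcp_hello_timeout;

    /** Extra HTTP headers; at most 16 entries. header_value is a
     * (pointer, length) pair, same caveat as http_user_agent. */
    struct {
        const char *header_name;
        unsigned char *header_value;
        unsigned header_value_length;
    } http_headers[16];

    /** Raw filter text taken from the configuration; not validated here. */
    char *bpf_filter;

    /** Destination for Output_Redis. */
    struct {
        ipaddress ip;
        unsigned port;
    } redis;



    /**
     * --min-packet
     */
    unsigned min_packet_size;

    /**
     * Number of rounds for randomization
     * --blackrock-rounds
     */
    unsigned blackrock_rounds;

    /**
     * --script <name>
     */
    struct {
        /* The name (filename) of the script to run */
        char *name;

        /* The script VM */
        struct lua_State *L;
    } scripting;


    /**
     * --vuln <name>
     * The name of a vuln to check, like "poodle"
     */
    const char *vuln_name;

};


int mainconf_selftest(void);

/**
 * Parse a configuration file into 'masscan'. The file is user input: every
 * value landing in a fixed-size member must be length-checked by this code.
 */
void masscan_read_config_file(struct Masscan *masscan, const char *filename);

/** Parse argv into 'masscan'; same input-boundary caveat as the config file. */
void masscan_command_line(struct Masscan *masscan, int argc, char *argv[]);
void masscan_usage(void);
void masscan_save_state(struct Masscan *masscan);
void main_listscan(struct Masscan *masscan);

/**
 * Load databases, such as:
 * - nmap-payloads
 * - nmap-service-probes
 * - pcap-payloads
 */
void masscan_load_database_files(struct Masscan *masscan);

/**
 * Pre-scan the command-line looking for options that may affect how
 * previous options are handled. This is a bit of a kludge, really.
 * Presumably returns non-zero when option 'x' is present — confirm in
 * the implementation.
 */
int masscan_conf_contains(const char *x, int argc, char **argv);

/**
 * Called to set a <name=value> pair.
 */
void
masscan_set_parameter(struct Masscan *masscan,
                      const char *name, const char *value);



/**
 * Discover the local network adapter parameters, such as which
 * MAC address we are using and the MAC addresses of the
 * local routers. The int result's meaning is not visible here;
 * check the implementation before treating 0 as success.
 */
int
masscan_initialize_adapter(
    struct Masscan *masscan,
    unsigned index,
    macaddress_t *source_mac,
    macaddress_t *router_mac_ipv4,
    macaddress_t *router_mac_ipv6);

/**
 * Echoes the settings to the command-line. By default, echoes only
 * non-default values. With "echo-all", everything is echoed.
 */
void
masscan_echo(struct Masscan *masscan, FILE *fp, unsigned is_echo_all);

#endif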