1
2 /***************************************************************************
3 * targets.cc -- Functions relating to "ping scanning" as well as *
4 * determining the exact IPs to hit based on CIDR and other input *
5 * formats. *
6 * *
7 ***********************IMPORTANT NMAP LICENSE TERMS************************
8 * *
9 * The Nmap Security Scanner is (C) 1996-2020 Insecure.Com LLC ("The Nmap *
10 * Project"). Nmap is also a registered trademark of the Nmap Project. *
11 * *
12 * This program is distributed under the terms of the Nmap Public Source *
13 * License (NPSL). The exact license text applying to a particular Nmap *
14 * release or source code control revision is contained in the LICENSE *
15 * file distributed with that version of Nmap or source code control *
16 * revision. More Nmap copyright/legal information is available from *
17 * https://nmap.org/book/man-legal.html, and further information on the *
18 * NPSL license itself can be found at https://nmap.org/npsl. This header *
19 * summarizes some key points from the Nmap license, but is no substitute *
20 * for the actual license text. *
21 * *
22 * Nmap is generally free for end users to download and use themselves, *
23 * including commercial use. It is available from https://nmap.org. *
24 * *
25 * The Nmap license generally prohibits companies from using and *
26 * redistributing Nmap in commercial products, but we sell a special Nmap *
27 * OEM Edition with a more permissive license and special features for *
28 * this purpose. See https://nmap.org/oem *
29 * *
30 * If you have received a written Nmap license agreement or contract *
31 * stating terms other than these (such as an Nmap OEM license), you may *
32 * choose to use and redistribute Nmap under those terms instead. *
33 * *
34 * The official Nmap Windows builds include the Npcap software *
35 * (https://npcap.org) for packet capture and transmission. It is under *
36 * separate license terms which forbid redistribution without special *
37 * permission. So the official Nmap Windows builds may not be *
38 * redistributed without special permission (such as an Nmap OEM *
39 * license). *
40 * *
41 * Source is provided to this software because we believe users have a *
42 * right to know exactly what a program is going to do before they run it. *
43 * This also allows you to audit the software for security holes. *
44 * *
45 * Source code also allows you to port Nmap to new platforms, fix bugs, *
46 * and add new features. You are highly encouraged to submit your *
47 * changes as a Github PR or by email to the dev@nmap.org mailing list *
48 * for possible incorporation into the main distribution. Unless you *
49 * specify otherwise, it is understood that you are offering us very *
50 * broad rights to use your submissions as described in the Nmap Public *
51 * Source License Contributor Agreement. This is important because we *
52 * fund the project by selling licenses with various terms, and also *
53 * because the inability to relicense code has caused devastating *
54 * problems for other Free Software projects (such as KDE and NASM). *
55 * *
56 * The free version of Nmap is distributed in the hope that it will be *
57 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of *
58 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties, *
59 * indemnification and commercial support are all available through the *
60 * Npcap OEM program--see https://nmap.org/oem. *
61 * *
62 ***************************************************************************/
63
64 /* $Id: targets.cc 38078 2020-10-02 16:12:22Z dmiller $ */
65
66
67 #include <nbase.h>
68 #include "targets.h"
69 #include "timing.h"
70 #include "tcpip.h"
71 #include "NmapOps.h"
72 #include "NewTargets.h"
73 #include "Target.h"
74 #include "scan_engine.h"
75 #include "nmap_dns.h"
76 #include "utils.h"
77 #include "nmap_error.h"
78 #include "xml.h"
79
80 extern NmapOps o;
81 #ifdef WIN32
82 /* from libdnet's intf-win32.c */
83 extern "C" int g_has_npcap_loopback;
84 #endif
85
86 /* Conducts an ARP ping sweep of the given hosts to determine which ones
87 are up on a local ethernet network */
arpping(Target * hostbatch[],int num_hosts)88 static void arpping(Target *hostbatch[], int num_hosts) {
89 /* First I change hostbatch into a std::vector<Target *>, which is what ultra_scan
90 takes. I remove hosts that cannot be ARP scanned (such as localhost) */
91 std::vector<Target *> targets;
92 int targetno;
93 targets.reserve(num_hosts);
94
95 for (targetno = 0; targetno < num_hosts; targetno++) {
96 initialize_timeout_info(&hostbatch[targetno]->to);
97 /* Default timout should be much lower for arp */
98 hostbatch[targetno]->to.timeout = MAX(o.minRttTimeout(), MIN(o.initialRttTimeout(), INITIAL_ARP_RTT_TIMEOUT)) * 1000;
99 if (!hostbatch[targetno]->SrcMACAddress()) {
100 bool islocal = islocalhost(hostbatch[targetno]->TargetSockAddr());
101 if (islocal) {
102 log_write(LOG_STDOUT|LOG_NORMAL,
103 "ARP ping: Considering %s UP because it is a local IP, despite no MAC address for device %s\n",
104 hostbatch[targetno]->NameIP(), hostbatch[targetno]->deviceName());
105 hostbatch[targetno]->flags = HOST_UP;
106 } else {
107 log_write(LOG_STDOUT|LOG_NORMAL,
108 "ARP ping: Considering %s DOWN because no MAC address found for device %s.\n",
109 hostbatch[targetno]->NameIP(),
110 hostbatch[targetno]->deviceName());
111 hostbatch[targetno]->flags = HOST_DOWN;
112 }
113 continue;
114 }
115 targets.push_back(hostbatch[targetno]);
116 }
117 if (!targets.empty()) {
118 if (targets[0]->af() == AF_INET)
119 ultra_scan(targets, NULL, PING_SCAN_ARP);
120 else
121 ultra_scan(targets, NULL, PING_SCAN_ND);
122 }
123 return;
124 }
125
hoststructfry(Target * hostbatch[],int nelem)126 static void hoststructfry(Target *hostbatch[], int nelem) {
127 genfry((unsigned char *)hostbatch, sizeof(Target *), nelem);
128 return;
129 }
130
131 /* Returns the last host obtained by nexthost. It will be given again the next
132 time you call nexthost(). */
returnhost(HostGroupState * hs)133 void returnhost(HostGroupState *hs) {
134 assert(hs->next_batch_no > 0);
135 hs->next_batch_no--;
136 }
137
138 /* Is the host passed as Target to be excluded? Much of this logic had
139 to be rewritten from wam's original code to allow for the objects */
hostInExclude(struct sockaddr * checksock,size_t checksocklen,const struct addrset * exclude_group)140 static int hostInExclude(struct sockaddr *checksock, size_t checksocklen,
141 const struct addrset *exclude_group) {
142 if (exclude_group == NULL)
143 return 0;
144
145 if (checksock == NULL)
146 return 0;
147
148 if (addrset_contains(exclude_group,checksock))
149 return 1;
150 return 0;
151 }
152
153 /* Load an exclude list from a file for --excludefile. */
load_exclude_file(struct addrset * excludelist,FILE * fp)154 int load_exclude_file(struct addrset *excludelist, FILE *fp) {
155 char host_spec[1024];
156 size_t n;
157
158 while ((n = read_host_from_file(fp, host_spec, sizeof(host_spec))) > 0) {
159 if (n >= sizeof(host_spec))
160 fatal("One of your exclude file specifications was too long to read (>= %u chars)", (unsigned int) sizeof(host_spec));
161 if(!addrset_add_spec(excludelist, host_spec, o.af(), 1)){
162 fatal("Invalid address specification:");
163 }
164 }
165
166 return 1;
167 }
168
169 /* Load a comma-separated exclude list from a string, the argument to
170 --exclude. */
load_exclude_string(struct addrset * excludelist,const char * s)171 int load_exclude_string(struct addrset *excludelist, const char *s) {
172 const char *begin, *p;
173
174 p = s;
175 while (*p != '\0') {
176 begin = p;
177 while (*p != '\0' && *p != ',')
178 p++;
179 std::string addr_str = std::string(begin, p - begin);
180 if (!addrset_add_spec(excludelist, addr_str.c_str(), o.af(), 1)) {
181 fatal("Invalid address specification: %s", addr_str.c_str());
182 }
183 if (*p == '\0')
184 break;
185 p++;
186 };
187
188 return 1;
189 }
190
191
192 /* A debug routine to dump some information to stdout. Invoked if debugging is
193 set to 4 or higher. */
dumpExclude(struct addrset * exclude_group)194 int dumpExclude(struct addrset *exclude_group) {
195 addrset_print(stdout, exclude_group);
196 return 1;
197 }
198
massping(Target * hostbatch[],int num_hosts,struct scan_lists * ports)199 static void massping(Target *hostbatch[], int num_hosts, struct scan_lists *ports) {
200 static struct timeout_info group_to = { 0, 0, 0 };
201 static char prev_device_name[16] = "";
202 const char *device_name;
203 std::vector<Target *> targets;
204 int i;
205
206 /* Get the name of the interface used to send to this group. We assume the
207 device used to send to the first target is used to send to all of them. */
208 device_name = NULL;
209 if (num_hosts > 0)
210 device_name = hostbatch[0]->deviceName();
211 if (device_name == NULL)
212 device_name = "";
213
214 /* group_to is a static variable that keeps track of group timeout values
215 between invocations of this function. We reuse timeouts as long as this
216 invocation uses the same device as the previous one. Otherwise we
217 reinitialize the timeouts. */
218 if (group_to.srtt == 0 || group_to.rttvar == 0 || group_to.timeout == 0
219 || strcmp(prev_device_name, device_name) != 0) {
220 initialize_timeout_info(&group_to);
221 Strncpy(prev_device_name, device_name, sizeof(prev_device_name));
222 }
223
224 for (i = 0; i < num_hosts; i++) {
225 if (hostbatch[i]->flags & HOST_DOWN)
226 continue;
227 initialize_timeout_info(&hostbatch[i]->to);
228 targets.push_back(hostbatch[i]);
229 }
230
231 ultra_scan(targets, ports, PING_SCAN, &group_to);
232 }
233
234 /* Returns true iff this target is incompatible with the other hosts in the host
235 group. This happens when:
236 1. it uses a different interface, or
237 2. it uses a different source address, or
238 3. it is directly connected when the other hosts are not, or vice versa, or
239 4. it has the same IP address as another target already in the group.
240 These restrictions only apply for raw scans, including host discovery. */
target_needs_new_hostgroup(Target ** targets,int targets_sz,const Target * target)241 bool target_needs_new_hostgroup(Target **targets, int targets_sz, const Target *target) {
242 int i = 0;
243
244 /* We've just started a new hostgroup, so any target is acceptable. */
245 if (targets_sz == 0)
246 return false;
247
248 /* There are no restrictions on non-root scans. */
249 if (!(o.isr00t && target->deviceName() != NULL))
250 return false;
251
252 /* Different address family? */
253 if (targets[0]->af() != target->af())
254 return true;
255
256 /* Different interface name? */
257 if (targets[0]->deviceName() != NULL &&
258 target->deviceName() != NULL &&
259 strcmp(targets[0]->deviceName(), target->deviceName()) != 0) {
260 return true;
261 }
262
263 /* Different source address? */
264 if (sockaddr_storage_cmp(targets[0]->SourceSockAddr(), target->SourceSockAddr()) != 0)
265 return true;
266
267 /* Different direct connectedness? */
268 if (targets[0]->directlyConnected() != target->directlyConnected())
269 return true;
270
271 /* Is there already a target with this same IP address? ultra_scan doesn't
272 cope with that, because it uses IP addresses to look up targets from
273 replies. What happens is one target gets the replies for all probes
274 referring to the same IP address. */
275 for (i = 0; i < targets_sz; i++) {
276 if (sockaddr_storage_cmp(targets[i]->TargetSockAddr(), target->TargetSockAddr()) == 0)
277 return true;
278 }
279
280 return false;
281 }
282
283 /* Lookahead is the number of hosts that can be
284 checked (such as ping scanned) in advance. Randomize causes each
285 group of up to lookahead hosts to be internally shuffled around.
286 The target_expressions array MUST REMAIN VALID IN MEMORY as long as
287 this class instance is used -- the array is NOT copied.
288 */
HostGroupState(int lookahead,int rnd,int argc,const char ** argv)289 HostGroupState::HostGroupState(int lookahead, int rnd, int argc, const char **argv) {
290 assert(lookahead > 0);
291 this->argc = argc;
292 this->argv = argv;
293 hostbatch = (Target **) safe_zalloc(sizeof(Target *) * lookahead);
294 defer_buffer = std::list<Target *>();
295 undeferred = std::list<Target *>();
296 max_batch_sz = lookahead;
297 current_batch_sz = 0;
298 next_batch_no = 0;
299 randomize = rnd;
300 }
301
~HostGroupState()302 HostGroupState::~HostGroupState() {
303 free(hostbatch);
304 }
305
306 /* Returns true iff the defer buffer is not yet full. */
defer(Target * t)307 bool HostGroupState::defer(Target *t) {
308 this->defer_buffer.push_back(t);
309 return this->defer_buffer.size() < HostGroupState::DEFER_LIMIT;
310 }
311
undefer()312 void HostGroupState::undefer() {
313 this->undeferred.splice(this->undeferred.end(), this->defer_buffer);
314 }
315
next_expression()316 const char *HostGroupState::next_expression() {
317 if (o.max_ips_to_scan == 0 || o.numhosts_scanned + this->current_batch_sz < o.max_ips_to_scan) {
318 const char *expr;
319 expr = grab_next_host_spec(o.inputfd, o.generate_random_ips, this->argc, this->argv);
320 if (expr != NULL)
321 return expr;
322 }
323
324 #ifndef NOLUA
325 /* Add any new NSE discovered targets to the scan queue */
326 static char buf[1024];
327
328 NewTargets *new_targets = NewTargets::get();
329 if (o.script && new_targets != NULL) {
330 if (new_targets->get_queued() > 0) {
331 std::string expr_string;
332 expr_string = new_targets->read().c_str();
333 if (o.debugging > 3) {
334 log_write(LOG_PLAIN,
335 "New targets in the scanned cache: %ld, pending ones: %ld.\n",
336 new_targets->get_scanned(), new_targets->get_queued());
337 }
338 if (!expr_string.empty()) {
339 Strncpy(buf, expr_string.c_str(), sizeof(buf));
340 return buf;
341 }
342 }
343 }
344 #endif
345
346 return NULL;
347 }
348
349 /* Add a <target> element to the XML stating that a target specification was
350 ignored. This can be because of, for example, a DNS resolution failure, or a
351 syntax error. */
log_bogus_target(const char * expr)352 static void log_bogus_target(const char *expr) {
353 xml_open_start_tag("target");
354 xml_attribute("specification", "%s", expr);
355 xml_attribute("status", "skipped");
356 xml_attribute("reason", "invalid");
357 xml_close_empty_tag();
358 xml_newline();
359 }
360
361 /* Returns a newly allocated Target with the given address. Handles all the
362 details like setting the Target's address and next hop. */
setup_target(const HostGroupState * hs,const struct sockaddr_storage * ss,size_t sslen,int pingtype)363 static Target *setup_target(const HostGroupState *hs,
364 const struct sockaddr_storage *ss, size_t sslen,
365 int pingtype) {
366 struct route_nfo rnfo;
367 Target *t;
368
369 t = new Target();
370
371 t->setTargetSockAddr(ss, sslen);
372
373 /* Special handling for the resolved address (for example whatever
374 scanme.nmap.org resolves to in scanme.nmap.org/24). */
375 if (hs->current_group.is_resolved_address(ss)) {
376 if (hs->current_group.get_namedhost())
377 t->setTargetName(hs->current_group.get_resolved_name());
378 t->unscanned_addrs = hs->current_group.get_unscanned_addrs();
379 }
380
381 /* We figure out the source IP/device IFF
382 * the scan type requires us to */
383 if (o.RawScan()) {
384 if (!nmap_route_dst(ss, &rnfo)) {
385 log_bogus_target(inet_ntop_ez(ss, sslen));
386 error("%s: failed to determine route to %s", __func__, t->NameIP());
387 goto bail;
388 }
389 if (rnfo.direct_connect) {
390 t->setDirectlyConnected(true);
391 } else {
392 t->setDirectlyConnected(false);
393 t->setNextHop(&rnfo.nexthop, sizeof(rnfo.nexthop));
394 }
395 t->setIfType(rnfo.ii.device_type);
396 if (rnfo.ii.device_type == devt_ethernet) {
397 if (o.spoofMACAddress())
398 t->setSrcMACAddress(o.spoofMACAddress());
399 else
400 t->setSrcMACAddress(rnfo.ii.mac);
401 }
402 #ifdef WIN32
403 else if (g_has_npcap_loopback && rnfo.ii.device_type == devt_loopback) {
404 if (o.spoofMACAddress())
405 t->setSrcMACAddress(o.spoofMACAddress());
406 else
407 t->setSrcMACAddress(rnfo.ii.mac);
408 t->setNextHopMACAddress(t->SrcMACAddress());
409 }
410 #endif
411 t->setSourceSockAddr(&rnfo.srcaddr, sizeof(rnfo.srcaddr));
412 if (hs->current_batch_sz == 0) /* Because later ones can have different src addy and be cut off group */
413 o.decoys[o.decoyturn] = t->source();
414 t->setDeviceNames(rnfo.ii.devname, rnfo.ii.devfullname);
415 t->setMTU(rnfo.ii.mtu);
416 // printf("Target %s %s directly connected, goes through local iface %s, which %s ethernet\n", t->NameIP(), t->directlyConnected()? "IS" : "IS NOT", t->deviceName(), (t->ifType() == devt_ethernet)? "IS" : "IS NOT");
417 }
418
419 return t;
420
421 bail:
422 delete t;
423 return NULL;
424 }
425
next_target(HostGroupState * hs,const struct addrset * exclude_group,struct scan_lists * ports,int pingtype)426 static Target *next_target(HostGroupState *hs, const struct addrset *exclude_group,
427 struct scan_lists *ports, int pingtype) {
428 struct sockaddr_storage ss;
429 size_t sslen;
430 Target *t;
431
432 /* First handle targets deferred in the last batch. */
433 if (!hs->undeferred.empty()) {
434 t = hs->undeferred.front();
435 hs->undeferred.pop_front();
436 return t;
437 }
438
439 tryagain:
440
441 if (hs->current_group.get_next_host(&ss, &sslen) != 0) {
442 const char *expr;
443 /* We are going to have to pop in another expression. */
444 for (;;) {
445 expr = hs->next_expression();
446 if (expr == NULL)
447 /* That's the last of them. */
448 return NULL;
449 if (hs->current_group.parse_expr(expr, o.af()) == 0)
450 break;
451 else
452 log_bogus_target(expr);
453 }
454 goto tryagain;
455 }
456
457 assert(ss.ss_family == o.af());
458
459 /* If we are resuming from a previous scan, we have already finished scanning
460 up to o.resume_ip. */
461 if (o.resume_ip.ss_family != AF_UNSPEC) {
462 if (!sockaddr_storage_cmp(&o.resume_ip, &ss))
463 /* We will continue starting with the next IP. */
464 o.resume_ip.ss_family = AF_UNSPEC;
465 goto tryagain;
466 }
467
468 /* Check exclude list. */
469 if (hostInExclude((struct sockaddr *) &ss, sslen, exclude_group))
470 goto tryagain;
471
472 t = setup_target(hs, &ss, sslen, pingtype);
473 if (t == NULL)
474 goto tryagain;
475
476 return t;
477 }
478
refresh_hostbatch(HostGroupState * hs,const struct addrset * exclude_group,struct scan_lists * ports,int pingtype)479 static void refresh_hostbatch(HostGroupState *hs, const struct addrset *exclude_group,
480 struct scan_lists *ports, int pingtype) {
481 int i;
482 bool arpping_done = false;
483 struct timeval now;
484
485 hs->current_batch_sz = hs->next_batch_no = 0;
486 hs->undefer();
487 while (hs->current_batch_sz < hs->max_batch_sz) {
488 Target *t;
489
490 t = next_target(hs, exclude_group, ports, pingtype);
491 if (t == NULL)
492 break;
493
494 /* Does this target need to go in a separate host group? */
495 if (target_needs_new_hostgroup(hs->hostbatch, hs->current_batch_sz, t)) {
496 if (hs->defer(t))
497 continue;
498 else
499 break;
500 }
501
502 o.decoys[o.decoyturn] = t->source();
503 hs->hostbatch[hs->current_batch_sz++] = t;
504 }
505
506 if (hs->current_batch_sz == 0)
507 return;
508
509 /* OK, now we have our complete batch of entries. The next step is to
510 randomize them (if requested) */
511 if (hs->randomize) {
512 hoststructfry(hs->hostbatch, hs->current_batch_sz);
513 }
514
515 /* First I'll do the ARP ping if all of the machines in the group are
516 directly connected over ethernet. I may need the MAC addresses
517 later anyway. */
518 if (hs->hostbatch[0]->ifType() == devt_ethernet &&
519 hs->hostbatch[0]->af() == AF_INET &&
520 hs->hostbatch[0]->directlyConnected() &&
521 o.sendpref != PACKET_SEND_IP_STRONG &&
522 o.implicitARPPing) {
523 arpping(hs->hostbatch, hs->current_batch_sz);
524 arpping_done = true;
525 }
526
527 /* No other interface types are supported by ND ping except devt_ethernet
528 at the moment. */
529 if (hs->hostbatch[0]->ifType() == devt_ethernet &&
530 hs->hostbatch[0]->af() == AF_INET6 &&
531 hs->hostbatch[0]->directlyConnected() &&
532 o.sendpref != PACKET_SEND_IP_STRONG &&
533 o.implicitARPPing) {
534 arpping(hs->hostbatch, hs->current_batch_sz);
535 arpping_done = true;
536 }
537
538 gettimeofday(&now, NULL);
539 if ((o.sendpref & PACKET_SEND_ETH) &&
540 hs->hostbatch[0]->ifType() == devt_ethernet) {
541 for (i=0; i < hs->current_batch_sz; i++) {
542 if (!(hs->hostbatch[i]->flags & HOST_DOWN) &&
543 !hs->hostbatch[i]->timedOut(&now)) {
544 if (!setTargetNextHopMAC(hs->hostbatch[i])) {
545 error("%s: Failed to determine dst MAC address for target %s",
546 __func__, hs->hostbatch[i]->NameIP());
547 hs->hostbatch[i]->flags = HOST_DOWN;
548 }
549 }
550 }
551 }
552
553 /* Then we do the mass ping (if required - IP-level pings) */
554 if ((pingtype == PINGTYPE_NONE && !arpping_done) || hs->hostbatch[0]->ifType() == devt_loopback) {
555 for (i=0; i < hs->current_batch_sz; i++) {
556 if (!(hs->hostbatch[i]->flags & HOST_DOWN || hs->hostbatch[i]->timedOut(&now))) {
557 initialize_timeout_info(&hs->hostbatch[i]->to);
558 hs->hostbatch[i]->flags |= HOST_UP; /*hostbatch[i].up = 1;*/
559 if (pingtype == PINGTYPE_NONE && !arpping_done)
560 hs->hostbatch[i]->reason.reason_id = ER_USER;
561 else
562 hs->hostbatch[i]->reason.reason_id = ER_LOCALHOST;
563 }
564 }
565 } else if (!arpping_done) {
566 massping(hs->hostbatch, hs->current_batch_sz, ports);
567 }
568
569 if (!o.noresolve)
570 nmap_mass_rdns(hs->hostbatch, hs->current_batch_sz);
571 }
572
nexthost(HostGroupState * hs,const struct addrset * exclude_group,struct scan_lists * ports,int pingtype)573 Target *nexthost(HostGroupState *hs, const struct addrset *exclude_group,
574 struct scan_lists *ports, int pingtype) {
575 if (hs->next_batch_no >= hs->current_batch_sz)
576 refresh_hostbatch(hs, exclude_group, ports, pingtype);
577 if (hs->next_batch_no >= hs->current_batch_sz)
578 return NULL;
579
580 return hs->hostbatch[hs->next_batch_no++];
581 }
582