1 
2 /***************************************************************************
3  * osscan2.h -- Header info for 2nd Generation OS detection via TCP/IP     *
4  * fingerprinting.  For more information on how this works in Nmap, see    *
5  * http://insecure.org/osdetect/                                           *
6  *                                                                         *
7  ***********************IMPORTANT NMAP LICENSE TERMS************************
8  *                                                                         *
9  * The Nmap Security Scanner is (C) 1996-2020 Insecure.Com LLC ("The Nmap  *
10  * Project"). Nmap is also a registered trademark of the Nmap Project.     *
11  *                                                                         *
12  * This program is distributed under the terms of the Nmap Public Source   *
13  * License (NPSL). The exact license text applying to a particular Nmap    *
14  * release or source code control revision is contained in the LICENSE     *
15  * file distributed with that version of Nmap or source code control       *
16  * revision. More Nmap copyright/legal information is available from       *
17  * https://nmap.org/book/man-legal.html, and further information on the    *
18  * NPSL license itself can be found at https://nmap.org/npsl. This header  *
19  * summarizes some key points from the Nmap license, but is no substitute  *
20  * for the actual license text.                                            *
21  *                                                                         *
22  * Nmap is generally free for end users to download and use themselves,    *
23  * including commercial use. It is available from https://nmap.org.        *
24  *                                                                         *
25  * The Nmap license generally prohibits companies from using and           *
26  * redistributing Nmap in commercial products, but we sell a special Nmap  *
27  * OEM Edition with a more permissive license and special features for     *
28  * this purpose. See https://nmap.org/oem                                  *
29  *                                                                         *
30  * If you have received a written Nmap license agreement or contract       *
31  * stating terms other than these (such as an Nmap OEM license), you may   *
32  * choose to use and redistribute Nmap under those terms instead.          *
33  *                                                                         *
34  * The official Nmap Windows builds include the Npcap software             *
35  * (https://npcap.org) for packet capture and transmission. It is under    *
36  * separate license terms which forbid redistribution without special      *
37  * permission. So the official Nmap Windows builds may not be              *
38  * redistributed without special permission (such as an Nmap OEM           *
39  * license).                                                               *
40  *                                                                         *
41  * Source is provided to this software because we believe users have a     *
42  * right to know exactly what a program is going to do before they run it. *
43  * This also allows you to audit the software for security holes.          *
44  *                                                                         *
45  * Source code also allows you to port Nmap to new platforms, fix bugs,    *
46  * and add new features.  You are highly encouraged to submit your         *
47  * changes as a Github PR or by email to the dev@nmap.org mailing list     *
48  * for possible incorporation into the main distribution. Unless you       *
49  * specify otherwise, it is understood that you are offering us very       *
50  * broad rights to use your submissions as described in the Nmap Public    *
51  * Source License Contributor Agreement. This is important because we      *
52  * fund the project by selling licenses with various terms, and also       *
53  * because the inability to relicense code has caused devastating          *
54  * problems for other Free Software projects (such as KDE and NASM).       *
55  *                                                                         *
56  * The free version of Nmap is distributed in the hope that it will be     *
57  * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of  *
58  * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties,        *
59  * indemnification and commercial support are all available through the    *
60  * Npcap OEM program--see https://nmap.org/oem.                            *
61  *                                                                         *
62  ***************************************************************************/
63 
64 #ifndef OSSCAN2_H
65 #define OSSCAN2_H
66 
67 #include "nbase.h"
68 #include <dnet.h>
69 #include <pcap.h>
70 
71 #include <vector>
72 #include <list>
73 #include "timing.h"
74 struct FingerPrint;
75 struct FingerTest;
76 class FingerPrintResultsIPv4;
77 class Target;
78 
79 
80 /******************************************************************************
81  * CONSTANT DEFINITIONS                                                       *
82  ******************************************************************************/
83 
84 #define NUM_FPTESTS    13
85 
86 /* The number of tries we normally do.  This may be increased if
87    the target looks like a good candidate for fingerprint submission, or fewer
88    if the user gave the --max-os-tries option */
89 #define STANDARD_OS2_TRIES 2
90 
91 // The minimum (and target) amount of time to wait between probes
92 // sent to a single host, in milliseconds.
93 #define OS_PROBE_DELAY 25
94 
95 // The target amount of time to wait between sequencing probes sent to
96 // a single host, in milliseconds.  The ideal is 500ms because of the
97 // common 2Hz timestamp frequencies.  Less than 500ms and we might not
98 // see any change in the TS counter (and it gets less accurate even if
99 // we do).  More than 500MS and we risk having two changes (and it
100 // gets less accurate even if we have just one).  So we delay 100MS
101 // between probes, leaving 500MS between 1st and 6th.
102 #define OS_SEQ_PROBE_DELAY 100
103 
104 /* How many syn packets do we send to TCP sequence a host? */
105 #define NUM_SEQ_SAMPLES 6
106 
107 /* TCP Timestamp Sequence */
108 #define TS_SEQ_UNKNOWN 0
109 #define TS_SEQ_ZERO 1 /* At least one of the timestamps we received back was 0 */
110 #define TS_SEQ_2HZ 2
111 #define TS_SEQ_100HZ 3
112 #define TS_SEQ_1000HZ 4
113 #define TS_SEQ_OTHER_NUM 5
114 #define TS_SEQ_UNSUPPORTED 6 /* System didn't send back a timestamp */
115 
116 #define IPID_SEQ_UNKNOWN 0
117 #define IPID_SEQ_INCR 1  /* simple increment by one each time */
118 #define IPID_SEQ_BROKEN_INCR 2 /* Stupid MS -- forgot htons() so it
119                                   counts by 256 on little-endian platforms */
120 #define IPID_SEQ_RPI 3 /* Goes up each time but by a "random" positive
121                           increment */
122 #define IPID_SEQ_RD 4 /* Appears to select IPID using a "random" distributions (meaning it can go up or down) */
123 #define IPID_SEQ_CONSTANT 5 /* Contains 1 or more sequential duplicates */
124 #define IPID_SEQ_ZERO 6 /* Every packet that comes back has an IP.ID of 0 (eg Linux 2.4 does this) */
125 #define IPID_SEQ_INCR_BY_2 7 /* simple increment by two each time */
126 
127 
128 /******************************************************************************
129  * TYPE AND STRUCTURE DEFINITIONS                                             *
130  ******************************************************************************/
131 
132 struct seq_info {
133   int responses;
134   int ts_seqclass; /* TS_SEQ_* defines in nmap.h */
135   int ipid_seqclass; /* IPID_SEQ_* defines in nmap.h */
136   u32 seqs[NUM_SEQ_SAMPLES];
137   u32 timestamps[NUM_SEQ_SAMPLES];
138   int index;
139   u16 ipids[NUM_SEQ_SAMPLES];
140   time_t lastboot; /* 0 means unknown */
141 };
142 
143 /* Different kinds of Ipids. */
144 struct ipid_info {
145   u32 tcp_ipids[NUM_SEQ_SAMPLES];
146   u32 tcp_closed_ipids[NUM_SEQ_SAMPLES];
147   u32 icmp_ipids[NUM_SEQ_SAMPLES];
148 };
149 
150 struct udpprobeinfo {
151   u16 iptl;
152   u16 ipid;
153   u16 ipck;
154   u16 sport;
155   u16 dport;
156   u16 udpck;
157   u16 udplen;
158   u8 patternbyte;
159   struct in_addr target;
160 };
161 
162 typedef enum OFProbeType {
163   OFP_UNSET,
164   OFP_TSEQ,
165   OFP_TOPS,
166   OFP_TECN,
167   OFP_T1_7,
168   OFP_TICMP,
169   OFP_TUDP
170 } OFProbeType;
171 
172 /******************************************************************************
173  * FUNCTION PROTOTYPES                                                        *
174  ******************************************************************************/
175 
176 /* This is the primary OS detection function.  If many Targets are
177    passed in (the threshold is based on timing level), they are
178    processed as smaller groups to improve accuracy  */
179 void os_scan2(std::vector<Target *> &Targets);
180 
181 int get_initial_ttl_guess(u8 ttl);
182 
183 int identify_sequence(int numSamples, u32 *ipid_diffs, int islocalhost, int allipideqz);
184 int get_diffs(u32 *ipid_diffs, int numSamples, u32 *ipids, int islocalhost);
185 int get_ipid_sequence_16(int numSamples, u32 *ipids, int islocalhost);
186 int get_ipid_sequence_32(int numSamples, u32 *ipids, int islocalhost);
187 
188 const char *ipidclass2ascii(int seqclass);
189 const char *tsseqclass2ascii(int seqclass);
190 
191 /* Convert a TCP sequence prediction difficulty index like 1264386
192    into a difficulty string like "Worthy Challenge */
193 const char *seqidx2difficultystr(unsigned long idx);
194 /******************************************************************************
195  * CLASS DEFINITIONS                                                          *
196  ******************************************************************************/
197 class OFProbe;
198 class HostOsScanStats;
199 class HostOsScan;
200 class HostOsScanInfo;
201 class OsScanInfo;
202 
203 /** Represents an OS detection probe. It does not contain the actual packet
204  * that is sent to the target but contains enough information to generate
205  * it (such as the probe type and its subid). It also stores timing
206  * information. */
207 class OFProbe {
208 
209  public:
210   OFProbe();
211 
212   /* The literal string for the current probe type. */
213   const char *typestr();
214 
215   /* Type of the probe: for what os fingerprinting test? */
216   OFProbeType type;
217 
218   /* Subid of this probe to separate different tcp/udp/icmp. */
219   int subid;
220 
221   /* Try (retransmission) number of this probe */
222   int tryno;
223 
224   /* A packet may be timedout for a while before being retransmitted
225      due to packet sending rate limitations */
226   bool retransmitted;
227 
228   struct timeval sent;
229 
230   /* Time the previous probe was sent, if this is a retransmit (tryno > 0) */
231   struct timeval prevSent;
232 };
233 
234 
235 /* Stores the status for a host being scanned in a scan round. */
236 class HostOsScanStats {
237 
238  friend class HostOsScan;
239 
240  public:
241   HostOsScanStats(Target *t);
242   ~HostOsScanStats();
243   void initScanStats();
244   struct eth_nfo *fill_eth_nfo(struct eth_nfo *eth, eth_t *ethsd) const;
245   void addNewProbe(OFProbeType type, int subid);
246   void removeActiveProbe(std::list<OFProbe *>::iterator probeI);
247   /* Get an active probe from active probe list identified by probe type
248    * and subid.  returns probesActive.end() if there isn't one. */
249   std::list<OFProbe *>::iterator getActiveProbe(OFProbeType type, int subid);
250   void moveProbeToActiveList(std::list<OFProbe *>::iterator probeI);
251   void moveProbeToUnSendList(std::list<OFProbe *>::iterator probeI);
numProbesToSend()252   unsigned int numProbesToSend() {return probesToSend.size();}
numProbesActive()253   unsigned int numProbesActive() {return probesActive.size();}
getFP()254   FingerPrint *getFP() {return FP;}
255 
256   Target *target; /* the Target */
257   struct seq_info si;
258   struct ipid_info ipid;
259 
260   /* distance, distance_guess: hop count between us and the target.
261    *
262    * Possible values of distance:
263    *   0: when scan self;
264    *   1: when scan a target on the same network segment;
265    * >=1: not self, not same network and nmap has got the icmp reply to the U1 probe.
266    *  -1: none of the above situations.
267    *
268    * Possible values of distance_guess:
269    *  -1: nmap fails to get a valid ttl by all kinds of probes.
270    * >=1: a guessing value based on ttl. */
271   int distance;
272   int distance_guess;
273 
274   /* Returns the amount of time taken between sending 1st tseq probe
275    * and the last one.  Zero is
276    * returned if we didn't send the tseq probes because there was no
277    * open tcp port */
278   double timingRatio();
279   double cc_scale();
280 
281  private:
282   /* Ports of the targets used in os fingerprinting. */
283   int openTCPPort, closedTCPPort, closedUDPPort;
284 
285   /* Probe list used in tests. At first, probes are linked in
286    * probesToSend; when a probe is sent, it will be removed from
287    * probesToSend and appended to probesActive. If any probes in
288    * probesActive are timedout, they will be moved to probesToSend and
289    * sent again till expired. */
290   std::list<OFProbe *> probesToSend;
291   std::list<OFProbe *> probesActive;
292 
293   /* A record of total number of probes that have been sent to this
294    * host, including retransmitted ones. */
295   unsigned int num_probes_sent;
296   /* Delay between two probes.    */
297   unsigned int sendDelayMs;
298   /* When the last probe is sent. */
299   struct timeval lastProbeSent;
300 
301   struct ultra_timing_vals timing;
302 
303   /* Fingerprint of this target. When a scan is completed, it'll
304    * finally be passed to hs->target->FPR->FPs[x]. */
305   FingerPrint *FP;
306   FingerTest *FPtests[NUM_FPTESTS];
307   #define FP_TSeq  FPtests[0]
308   #define FP_TOps  FPtests[1]
309   #define FP_TWin  FPtests[2]
310   #define FP_TEcn  FPtests[3]
311   #define FP_T1_7_OFF 4
312   #define FP_T1    FPtests[4]
313   #define FP_T2    FPtests[5]
314   #define FP_T3    FPtests[6]
315   #define FP_T4    FPtests[7]
316   #define FP_T5    FPtests[8]
317   #define FP_T6    FPtests[9]
318   #define FP_T7    FPtests[10]
319   #define FP_TUdp  FPtests[11]
320   #define FP_TIcmp FPtests[12]
321   struct AVal *TOps_AVs[6]; /* 6 AVs of TOps */
322   struct AVal *TWin_AVs[6]; /* 6 AVs of TWin */
323 
324   /* The following are variables to store temporary results
325    * during the os fingerprinting process of this host. */
326   u16 lastipid;
327   struct timeval seq_send_times[NUM_SEQ_SAMPLES];
328 
329   int TWinReplyNum; /* how many TWin replies are received. */
330   int TOpsReplyNum; /* how many TOps replies are received. Actually it is the same with TOpsReplyNum. */
331 
332   struct ip *icmpEchoReply; /* To store one of the two icmp replies */
333   int storedIcmpReply; /* Which one of the two icmp replies is stored? */
334 
335   struct udpprobeinfo upi; /* info of the udp probe we sent */
336 };
337 
338 /* These are statistics for the whole group of Targets */
339 class ScanStats {
340 
341  public:
342   ScanStats();
343   bool sendOK(); /* Returns true if the system says that sending is OK. */
344   double cc_scale();
345 
346   struct ultra_timing_vals timing;
347   struct timeout_info to;      /* rtt/timeout info                */
348   int num_probes_active;       /* Total number of active probes   */
349   int num_probes_sent;         /* Number of probes sent in total. */
350   int num_probes_sent_at_last_wait;
351 };
352 
353 
354 /* This class does the scan job, setting and using the status of a host in
355  * the host's HostOsScanStats. */
356 class HostOsScan {
357 
358  public:
359   HostOsScan(Target *t); /* OsScan need a target to set eth stuffs */
360   ~HostOsScan();
361 
362   pcap_t *pd;
363   ScanStats *stats;
364 
365   /* (Re)Initialize the parameters that will be used during the scan.*/
366   void reInitScanSystem();
367 
368   void buildSeqProbeList(HostOsScanStats *hss);
369   void updateActiveSeqProbes(HostOsScanStats *hss);
370 
371   void buildTUIProbeList(HostOsScanStats *hss);
372   void updateActiveTUIProbes(HostOsScanStats *hss);
373 
374   /* send the next probe in the probe list of the hss */
375   void sendNextProbe(HostOsScanStats *hss);
376 
377   /* Process one response. If the response is useful, return true. */
378   bool processResp(HostOsScanStats *hss, struct ip *ip, unsigned int len, struct timeval *rcvdtime);
379 
380   /* Make up the fingerprint. */
381   void makeFP(HostOsScanStats *hss);
382 
383   /* Check whether the host is sendok. If not, fill _when_ with the
384    * time when it will be sendOK and return false; else, fill it with
385    * now and return true. */
386   bool hostSendOK(HostOsScanStats *hss, struct timeval *when);
387 
388   /* Check whether it is ok to send the next seq probe to the host. If
389    * not, fill _when_ with the time when it will be sendOK and return
390    * false; else, fill it with now and return true. */
391   bool hostSeqSendOK(HostOsScanStats *hss, struct timeval *when);
392 
393 
394   /* How long I am currently willing to wait for a probe response
395    * before considering it timed out.  Uses the host values from
396    * target if they are available, otherwise from gstats.  Results
397    * returned in MICROseconds.  */
398   unsigned long timeProbeTimeout(HostOsScanStats *hss);
399 
400   /* If there are pending probe timeouts, fills in when with the time
401    * of the earliest one and returns true.  Otherwise returns false
402    * and puts now in when. */
403   bool nextTimeout(HostOsScanStats *hss, struct timeval *when);
404 
405   /* Adjust various timing variables based on pcket receipt. */
406   void adjust_times(HostOsScanStats *hss, OFProbe *probe, struct timeval *rcvdtime);
407 
408 private:
409   /* Probe send functions. */
410   void sendTSeqProbe(HostOsScanStats *hss, int probeNo);
411   void sendTOpsProbe(HostOsScanStats *hss, int probeNo);
412   void sendTEcnProbe(HostOsScanStats *hss);
413   void sendT1_7Probe(HostOsScanStats *hss, int probeNo);
414   void sendTUdpProbe(HostOsScanStats *hss, int probeNo);
415   void sendTIcmpProbe(HostOsScanStats *hss, int probeNo);
416   /* Response process functions. */
417   bool processTSeqResp(HostOsScanStats *hss, struct ip *ip, int replyNo);
418   bool processTOpsResp(HostOsScanStats *hss, struct tcp_hdr *tcp, int replyNo);
419   bool processTWinResp(HostOsScanStats *hss, struct tcp_hdr *tcp, int replyNo);
420   bool processTEcnResp(HostOsScanStats *hss, struct ip *ip);
421   bool processT1_7Resp(HostOsScanStats *hss, struct ip *ip, int replyNo);
422   bool processTUdpResp(HostOsScanStats *hss, struct ip *ip);
423   bool processTIcmpResp(HostOsScanStats *hss, struct ip *ip, int replyNo);
424 
425   /* Generic sending functions used by the above probe functions. */
426   int send_tcp_probe(HostOsScanStats *hss,
427                      int ttl, bool df, u8* ipopt, int ipoptlen,
428                      u16 sport, u16 dport, u32 seq, u32 ack,
429                      u8 reserved, u8 flags, u16 window, u16 urp,
430                      u8 *options, int optlen,
431                      char *data, u16 datalen);
432   int send_icmp_echo_probe(HostOsScanStats *hss,
433                            u8 tos, bool df, u8 pcode,
434                            unsigned short id, u16 seq, u16 datalen);
435   int send_closedudp_probe(HostOsScanStats *hss,
436                            int ttl, u16 sport, u16 dport);
437 
438   void makeTSeqFP(HostOsScanStats *hss);
439   void makeTOpsFP(HostOsScanStats *hss);
440   void makeTWinFP(HostOsScanStats *hss);
441 
442   bool get_tcpopt_string(struct tcp_hdr *tcp, int mss, char *result, int maxlen);
443 
444   int rawsd;    /* Raw socket descriptor */
445   eth_t *ethsd; /* Ethernet handle       */
446 
447   unsigned int tcpSeqBase;    /* Seq value used in TCP probes                 */
448   unsigned int  tcpAck;       /* Ack value used in TCP probes                 */
449   int tcpMss;                 /* TCP MSS value used in TCP probes             */
450   int udpttl;                 /* TTL value used in the UDP probe              */
451   unsigned short icmpEchoId;  /* ICMP Echo Identifier value for ICMP probes   */
452   unsigned short icmpEchoSeq; /* ICMP Echo Sequence value used in ICMP probes */
453 
454   /* Source port number in TCP probes. Different probes will use an arbitrary
455    * offset value of it. */
456   int tcpPortBase;
457   int udpPortBase;
458 };
459 
460 
461 
462 /* Maintains a link of incomplete HostOsScanInfo. */
463 class OsScanInfo {
464 
465  public:
466   OsScanInfo(std::vector<Target *> &Targets);
467   ~OsScanInfo();
468   float starttime;
469 
470   /* If you remove from this, you had better adjust nextI too (or call
471    * resetHostIterator() afterward). Don't let this list get empty,
472    * then add to it again, or you may mess up nextI (I'm not sure) */
473   std::list<HostOsScanInfo *> incompleteHosts;
474 
numIncompleteHosts()475   unsigned int numIncompleteHosts() {return incompleteHosts.size();}
476   HostOsScanInfo *findIncompleteHost(struct sockaddr_storage *ss);
477 
478   /* A circular buffer of the incompleteHosts.  nextIncompleteHost() gives
479      the next one.  The first time it is called, it will give the
480      first host in the list.  If incompleteHosts is empty, returns
481      NULL. */
482   HostOsScanInfo *nextIncompleteHost();
483 
484   /* Resets the host iterator used with nextIncompleteHost() to the
485      beginning.  If you remove a host from incompleteHosts, call this
486      right afterward */
resetHostIterator()487   void resetHostIterator() { nextI = incompleteHosts.begin(); }
488 
489   int removeCompletedHosts();
490 
491  private:
492   unsigned int numInitialTargets;
493   std::list<HostOsScanInfo *>::iterator nextI;
494 };
495 
496 
497 /* The overall os scan information of a host:
498  *  - Fingerprints gotten from every scan round;
499  *  - Maching results of these fingerprints.
500  *  - Is it timeout/completed?
501  *  - ... */
502 class HostOsScanInfo {
503 
504  public:
505   HostOsScanInfo(Target *t, OsScanInfo *OSI);
506   ~HostOsScanInfo();
507 
508   Target *target;       /* The target                                  */
509   FingerPrintResultsIPv4 *FPR;
510   OsScanInfo *OSI;      /* The OSI which contains this HostOsScanInfo  */
511   FingerPrint **FPs;    /* Fingerprints of the host                    */
512   FingerPrintResultsIPv4 *FP_matches; /* Fingerprint-matching results      */
513   bool timedOut;        /* Did it time out?                            */
514   bool isCompleted;     /* Has the OS detection been completed?        */
515   HostOsScanStats *hss; /* Scan status of the host in one scan round   */
516 };
517 
518 
519 /** This is the class that performs OS detection (both IPv4 and IPv6).
520   * Using it is simple, just call os_scan() passing a list of targets.
521   * The results of the detection will be stored inside the supplied
522   * target objects. */
523 class OSScan {
524 
525  private:
526   int chunk_and_do_scan(std::vector<Target *> &Targets, int family);
527   int os_scan_ipv4(std::vector<Target *> &Targets);
528   int os_scan_ipv6(std::vector<Target *> &Targets);
529 
530   public:
531    OSScan();
532    ~OSScan();
533    void reset();
534    int os_scan(std::vector<Target *> &Targets);
535 };
536 
537 #endif /*OSSCAN2_H*/
538 
539