1 2 /*************************************************************************** 3 * osscan2.h -- Header info for 2nd Generation OS detection via TCP/IP * 4 * fingerprinting. For more information on how this works in Nmap, see * 5 * http://insecure.org/osdetect/ * 6 * * 7 ***********************IMPORTANT NMAP LICENSE TERMS************************ 8 * * 9 * The Nmap Security Scanner is (C) 1996-2020 Insecure.Com LLC ("The Nmap * 10 * Project"). Nmap is also a registered trademark of the Nmap Project. * 11 * * 12 * This program is distributed under the terms of the Nmap Public Source * 13 * License (NPSL). The exact license text applying to a particular Nmap * 14 * release or source code control revision is contained in the LICENSE * 15 * file distributed with that version of Nmap or source code control * 16 * revision. More Nmap copyright/legal information is available from * 17 * https://nmap.org/book/man-legal.html, and further information on the * 18 * NPSL license itself can be found at https://nmap.org/npsl. This header * 19 * summarizes some key points from the Nmap license, but is no substitute * 20 * for the actual license text. * 21 * * 22 * Nmap is generally free for end users to download and use themselves, * 23 * including commercial use. It is available from https://nmap.org. * 24 * * 25 * The Nmap license generally prohibits companies from using and * 26 * redistributing Nmap in commercial products, but we sell a special Nmap * 27 * OEM Edition with a more permissive license and special features for * 28 * this purpose. See https://nmap.org/oem * 29 * * 30 * If you have received a written Nmap license agreement or contract * 31 * stating terms other than these (such as an Nmap OEM license), you may * 32 * choose to use and redistribute Nmap under those terms instead. * 33 * * 34 * The official Nmap Windows builds include the Npcap software * 35 * (https://npcap.org) for packet capture and transmission. It is under * 36 * separate license terms which forbid redistribution without special * 37 * permission. So the official Nmap Windows builds may not be * 38 * redistributed without special permission (such as an Nmap OEM * 39 * license). * 40 * * 41 * Source is provided to this software because we believe users have a * 42 * right to know exactly what a program is going to do before they run it. * 43 * This also allows you to audit the software for security holes. * 44 * * 45 * Source code also allows you to port Nmap to new platforms, fix bugs, * 46 * and add new features. You are highly encouraged to submit your * 47 * changes as a Github PR or by email to the dev@nmap.org mailing list * 48 * for possible incorporation into the main distribution. Unless you * 49 * specify otherwise, it is understood that you are offering us very * 50 * broad rights to use your submissions as described in the Nmap Public * 51 * Source License Contributor Agreement. This is important because we * 52 * fund the project by selling licenses with various terms, and also * 53 * because the inability to relicense code has caused devastating * 54 * problems for other Free Software projects (such as KDE and NASM). * 55 * * 56 * The free version of Nmap is distributed in the hope that it will be * 57 * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of * 58 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties, * 59 * indemnification and commercial support are all available through the * 60 * Npcap OEM program--see https://nmap.org/oem. * 61 * * 62 ***************************************************************************/ 63 64 #ifndef OSSCAN2_H 65 #define OSSCAN2_H 66 67 #include "nbase.h" 68 #include <dnet.h> 69 #include <pcap.h> 70 71 #include <vector> 72 #include <list> 73 #include "timing.h" 74 struct FingerPrint; 75 struct FingerTest; 76 class FingerPrintResultsIPv4; 77 class Target; 78 79 80 /****************************************************************************** 81 * CONSTANT DEFINITIONS * 82 ******************************************************************************/ 83 84 #define NUM_FPTESTS 13 85 86 /* The number of tries we normally do. This may be increased if 87 the target looks like a good candidate for fingerprint submission, or fewer 88 if the user gave the --max-os-tries option */ 89 #define STANDARD_OS2_TRIES 2 90 91 // The minimum (and target) amount of time to wait between probes 92 // sent to a single host, in milliseconds. 93 #define OS_PROBE_DELAY 25 94 95 // The target amount of time to wait between sequencing probes sent to 96 // a single host, in milliseconds. The ideal is 500ms because of the 97 // common 2Hz timestamp frequencies. Less than 500ms and we might not 98 // see any change in the TS counter (and it gets less accurate even if 99 // we do). More than 500MS and we risk having two changes (and it 100 // gets less accurate even if we have just one). So we delay 100MS 101 // between probes, leaving 500MS between 1st and 6th. 102 #define OS_SEQ_PROBE_DELAY 100 103 104 /* How many syn packets do we send to TCP sequence a host? */ 105 #define NUM_SEQ_SAMPLES 6 106 107 /* TCP Timestamp Sequence */ 108 #define TS_SEQ_UNKNOWN 0 109 #define TS_SEQ_ZERO 1 /* At least one of the timestamps we received back was 0 */ 110 #define TS_SEQ_2HZ 2 111 #define TS_SEQ_100HZ 3 112 #define TS_SEQ_1000HZ 4 113 #define TS_SEQ_OTHER_NUM 5 114 #define TS_SEQ_UNSUPPORTED 6 /* System didn't send back a timestamp */ 115 116 #define IPID_SEQ_UNKNOWN 0 117 #define IPID_SEQ_INCR 1 /* simple increment by one each time */ 118 #define IPID_SEQ_BROKEN_INCR 2 /* Stupid MS -- forgot htons() so it 119 counts by 256 on little-endian platforms */ 120 #define IPID_SEQ_RPI 3 /* Goes up each time but by a "random" positive 121 increment */ 122 #define IPID_SEQ_RD 4 /* Appears to select IPID using a "random" distributions (meaning it can go up or down) */ 123 #define IPID_SEQ_CONSTANT 5 /* Contains 1 or more sequential duplicates */ 124 #define IPID_SEQ_ZERO 6 /* Every packet that comes back has an IP.ID of 0 (eg Linux 2.4 does this) */ 125 #define IPID_SEQ_INCR_BY_2 7 /* simple increment by two each time */ 126 127 128 /****************************************************************************** 129 * TYPE AND STRUCTURE DEFINITIONS * 130 ******************************************************************************/ 131 132 struct seq_info { 133 int responses; 134 int ts_seqclass; /* TS_SEQ_* defines in nmap.h */ 135 int ipid_seqclass; /* IPID_SEQ_* defines in nmap.h */ 136 u32 seqs[NUM_SEQ_SAMPLES]; 137 u32 timestamps[NUM_SEQ_SAMPLES]; 138 int index; 139 u16 ipids[NUM_SEQ_SAMPLES]; 140 time_t lastboot; /* 0 means unknown */ 141 }; 142 143 /* Different kinds of Ipids. */ 144 struct ipid_info { 145 u32 tcp_ipids[NUM_SEQ_SAMPLES]; 146 u32 tcp_closed_ipids[NUM_SEQ_SAMPLES]; 147 u32 icmp_ipids[NUM_SEQ_SAMPLES]; 148 }; 149 150 struct udpprobeinfo { 151 u16 iptl; 152 u16 ipid; 153 u16 ipck; 154 u16 sport; 155 u16 dport; 156 u16 udpck; 157 u16 udplen; 158 u8 patternbyte; 159 struct in_addr target; 160 }; 161 162 typedef enum OFProbeType { 163 OFP_UNSET, 164 OFP_TSEQ, 165 OFP_TOPS, 166 OFP_TECN, 167 OFP_T1_7, 168 OFP_TICMP, 169 OFP_TUDP 170 } OFProbeType; 171 172 /****************************************************************************** 173 * FUNCTION PROTOTYPES * 174 ******************************************************************************/ 175 176 /* This is the primary OS detection function. If many Targets are 177 passed in (the threshold is based on timing level), they are 178 processed as smaller groups to improve accuracy */ 179 void os_scan2(std::vector<Target *> &Targets); 180 181 int get_initial_ttl_guess(u8 ttl); 182 183 int identify_sequence(int numSamples, u32 *ipid_diffs, int islocalhost, int allipideqz); 184 int get_diffs(u32 *ipid_diffs, int numSamples, u32 *ipids, int islocalhost); 185 int get_ipid_sequence_16(int numSamples, u32 *ipids, int islocalhost); 186 int get_ipid_sequence_32(int numSamples, u32 *ipids, int islocalhost); 187 188 const char *ipidclass2ascii(int seqclass); 189 const char *tsseqclass2ascii(int seqclass); 190 191 /* Convert a TCP sequence prediction difficulty index like 1264386 192 into a difficulty string like "Worthy Challenge */ 193 const char *seqidx2difficultystr(unsigned long idx); 194 /****************************************************************************** 195 * CLASS DEFINITIONS * 196 ******************************************************************************/ 197 class OFProbe; 198 class HostOsScanStats; 199 class HostOsScan; 200 class HostOsScanInfo; 201 class OsScanInfo; 202 203 /** Represents an OS detection probe. It does not contain the actual packet 204 * that is sent to the target but contains enough information to generate 205 * it (such as the probe type and its subid). It also stores timing 206 * information. */ 207 class OFProbe { 208 209 public: 210 OFProbe(); 211 212 /* The literal string for the current probe type. */ 213 const char *typestr(); 214 215 /* Type of the probe: for what os fingerprinting test? */ 216 OFProbeType type; 217 218 /* Subid of this probe to separate different tcp/udp/icmp. */ 219 int subid; 220 221 /* Try (retransmission) number of this probe */ 222 int tryno; 223 224 /* A packet may be timedout for a while before being retransmitted 225 due to packet sending rate limitations */ 226 bool retransmitted; 227 228 struct timeval sent; 229 230 /* Time the previous probe was sent, if this is a retransmit (tryno > 0) */ 231 struct timeval prevSent; 232 }; 233 234 235 /* Stores the status for a host being scanned in a scan round. */ 236 class HostOsScanStats { 237 238 friend class HostOsScan; 239 240 public: 241 HostOsScanStats(Target *t); 242 ~HostOsScanStats(); 243 void initScanStats(); 244 struct eth_nfo *fill_eth_nfo(struct eth_nfo *eth, eth_t *ethsd) const; 245 void addNewProbe(OFProbeType type, int subid); 246 void removeActiveProbe(std::list<OFProbe *>::iterator probeI); 247 /* Get an active probe from active probe list identified by probe type 248 * and subid. returns probesActive.end() if there isn't one. */ 249 std::list<OFProbe *>::iterator getActiveProbe(OFProbeType type, int subid); 250 void moveProbeToActiveList(std::list<OFProbe *>::iterator probeI); 251 void moveProbeToUnSendList(std::list<OFProbe *>::iterator probeI); numProbesToSend()252 unsigned int numProbesToSend() {return probesToSend.size();} numProbesActive()253 unsigned int numProbesActive() {return probesActive.size();} getFP()254 FingerPrint *getFP() {return FP;} 255 256 Target *target; /* the Target */ 257 struct seq_info si; 258 struct ipid_info ipid; 259 260 /* distance, distance_guess: hop count between us and the target. 261 * 262 * Possible values of distance: 263 * 0: when scan self; 264 * 1: when scan a target on the same network segment; 265 * >=1: not self, not same network and nmap has got the icmp reply to the U1 probe. 266 * -1: none of the above situations. 267 * 268 * Possible values of distance_guess: 269 * -1: nmap fails to get a valid ttl by all kinds of probes. 270 * >=1: a guessing value based on ttl. */ 271 int distance; 272 int distance_guess; 273 274 /* Returns the amount of time taken between sending 1st tseq probe 275 * and the last one. Zero is 276 * returned if we didn't send the tseq probes because there was no 277 * open tcp port */ 278 double timingRatio(); 279 double cc_scale(); 280 281 private: 282 /* Ports of the targets used in os fingerprinting. */ 283 int openTCPPort, closedTCPPort, closedUDPPort; 284 285 /* Probe list used in tests. At first, probes are linked in 286 * probesToSend; when a probe is sent, it will be removed from 287 * probesToSend and appended to probesActive. If any probes in 288 * probesActive are timedout, they will be moved to probesToSend and 289 * sent again till expired. */ 290 std::list<OFProbe *> probesToSend; 291 std::list<OFProbe *> probesActive; 292 293 /* A record of total number of probes that have been sent to this 294 * host, including retransmitted ones. */ 295 unsigned int num_probes_sent; 296 /* Delay between two probes. */ 297 unsigned int sendDelayMs; 298 /* When the last probe is sent. */ 299 struct timeval lastProbeSent; 300 301 struct ultra_timing_vals timing; 302 303 /* Fingerprint of this target. When a scan is completed, it'll 304 * finally be passed to hs->target->FPR->FPs[x]. */ 305 FingerPrint *FP; 306 FingerTest *FPtests[NUM_FPTESTS]; 307 #define FP_TSeq FPtests[0] 308 #define FP_TOps FPtests[1] 309 #define FP_TWin FPtests[2] 310 #define FP_TEcn FPtests[3] 311 #define FP_T1_7_OFF 4 312 #define FP_T1 FPtests[4] 313 #define FP_T2 FPtests[5] 314 #define FP_T3 FPtests[6] 315 #define FP_T4 FPtests[7] 316 #define FP_T5 FPtests[8] 317 #define FP_T6 FPtests[9] 318 #define FP_T7 FPtests[10] 319 #define FP_TUdp FPtests[11] 320 #define FP_TIcmp FPtests[12] 321 struct AVal *TOps_AVs[6]; /* 6 AVs of TOps */ 322 struct AVal *TWin_AVs[6]; /* 6 AVs of TWin */ 323 324 /* The following are variables to store temporary results 325 * during the os fingerprinting process of this host. */ 326 u16 lastipid; 327 struct timeval seq_send_times[NUM_SEQ_SAMPLES]; 328 329 int TWinReplyNum; /* how many TWin replies are received. */ 330 int TOpsReplyNum; /* how many TOps replies are received. Actually it is the same with TOpsReplyNum. */ 331 332 struct ip *icmpEchoReply; /* To store one of the two icmp replies */ 333 int storedIcmpReply; /* Which one of the two icmp replies is stored? */ 334 335 struct udpprobeinfo upi; /* info of the udp probe we sent */ 336 }; 337 338 /* These are statistics for the whole group of Targets */ 339 class ScanStats { 340 341 public: 342 ScanStats(); 343 bool sendOK(); /* Returns true if the system says that sending is OK. */ 344 double cc_scale(); 345 346 struct ultra_timing_vals timing; 347 struct timeout_info to; /* rtt/timeout info */ 348 int num_probes_active; /* Total number of active probes */ 349 int num_probes_sent; /* Number of probes sent in total. */ 350 int num_probes_sent_at_last_wait; 351 }; 352 353 354 /* This class does the scan job, setting and using the status of a host in 355 * the host's HostOsScanStats. */ 356 class HostOsScan { 357 358 public: 359 HostOsScan(Target *t); /* OsScan need a target to set eth stuffs */ 360 ~HostOsScan(); 361 362 pcap_t *pd; 363 ScanStats *stats; 364 365 /* (Re)Initialize the parameters that will be used during the scan.*/ 366 void reInitScanSystem(); 367 368 void buildSeqProbeList(HostOsScanStats *hss); 369 void updateActiveSeqProbes(HostOsScanStats *hss); 370 371 void buildTUIProbeList(HostOsScanStats *hss); 372 void updateActiveTUIProbes(HostOsScanStats *hss); 373 374 /* send the next probe in the probe list of the hss */ 375 void sendNextProbe(HostOsScanStats *hss); 376 377 /* Process one response. If the response is useful, return true. */ 378 bool processResp(HostOsScanStats *hss, struct ip *ip, unsigned int len, struct timeval *rcvdtime); 379 380 /* Make up the fingerprint. */ 381 void makeFP(HostOsScanStats *hss); 382 383 /* Check whether the host is sendok. If not, fill _when_ with the 384 * time when it will be sendOK and return false; else, fill it with 385 * now and return true. */ 386 bool hostSendOK(HostOsScanStats *hss, struct timeval *when); 387 388 /* Check whether it is ok to send the next seq probe to the host. If 389 * not, fill _when_ with the time when it will be sendOK and return 390 * false; else, fill it with now and return true. */ 391 bool hostSeqSendOK(HostOsScanStats *hss, struct timeval *when); 392 393 394 /* How long I am currently willing to wait for a probe response 395 * before considering it timed out. Uses the host values from 396 * target if they are available, otherwise from gstats. Results 397 * returned in MICROseconds. */ 398 unsigned long timeProbeTimeout(HostOsScanStats *hss); 399 400 /* If there are pending probe timeouts, fills in when with the time 401 * of the earliest one and returns true. Otherwise returns false 402 * and puts now in when. */ 403 bool nextTimeout(HostOsScanStats *hss, struct timeval *when); 404 405 /* Adjust various timing variables based on pcket receipt. */ 406 void adjust_times(HostOsScanStats *hss, OFProbe *probe, struct timeval *rcvdtime); 407 408 private: 409 /* Probe send functions. */ 410 void sendTSeqProbe(HostOsScanStats *hss, int probeNo); 411 void sendTOpsProbe(HostOsScanStats *hss, int probeNo); 412 void sendTEcnProbe(HostOsScanStats *hss); 413 void sendT1_7Probe(HostOsScanStats *hss, int probeNo); 414 void sendTUdpProbe(HostOsScanStats *hss, int probeNo); 415 void sendTIcmpProbe(HostOsScanStats *hss, int probeNo); 416 /* Response process functions. */ 417 bool processTSeqResp(HostOsScanStats *hss, struct ip *ip, int replyNo); 418 bool processTOpsResp(HostOsScanStats *hss, struct tcp_hdr *tcp, int replyNo); 419 bool processTWinResp(HostOsScanStats *hss, struct tcp_hdr *tcp, int replyNo); 420 bool processTEcnResp(HostOsScanStats *hss, struct ip *ip); 421 bool processT1_7Resp(HostOsScanStats *hss, struct ip *ip, int replyNo); 422 bool processTUdpResp(HostOsScanStats *hss, struct ip *ip); 423 bool processTIcmpResp(HostOsScanStats *hss, struct ip *ip, int replyNo); 424 425 /* Generic sending functions used by the above probe functions. */ 426 int send_tcp_probe(HostOsScanStats *hss, 427 int ttl, bool df, u8* ipopt, int ipoptlen, 428 u16 sport, u16 dport, u32 seq, u32 ack, 429 u8 reserved, u8 flags, u16 window, u16 urp, 430 u8 *options, int optlen, 431 char *data, u16 datalen); 432 int send_icmp_echo_probe(HostOsScanStats *hss, 433 u8 tos, bool df, u8 pcode, 434 unsigned short id, u16 seq, u16 datalen); 435 int send_closedudp_probe(HostOsScanStats *hss, 436 int ttl, u16 sport, u16 dport); 437 438 void makeTSeqFP(HostOsScanStats *hss); 439 void makeTOpsFP(HostOsScanStats *hss); 440 void makeTWinFP(HostOsScanStats *hss); 441 442 bool get_tcpopt_string(struct tcp_hdr *tcp, int mss, char *result, int maxlen); 443 444 int rawsd; /* Raw socket descriptor */ 445 eth_t *ethsd; /* Ethernet handle */ 446 447 unsigned int tcpSeqBase; /* Seq value used in TCP probes */ 448 unsigned int tcpAck; /* Ack value used in TCP probes */ 449 int tcpMss; /* TCP MSS value used in TCP probes */ 450 int udpttl; /* TTL value used in the UDP probe */ 451 unsigned short icmpEchoId; /* ICMP Echo Identifier value for ICMP probes */ 452 unsigned short icmpEchoSeq; /* ICMP Echo Sequence value used in ICMP probes */ 453 454 /* Source port number in TCP probes. Different probes will use an arbitrary 455 * offset value of it. */ 456 int tcpPortBase; 457 int udpPortBase; 458 }; 459 460 461 462 /* Maintains a link of incomplete HostOsScanInfo. */ 463 class OsScanInfo { 464 465 public: 466 OsScanInfo(std::vector<Target *> &Targets); 467 ~OsScanInfo(); 468 float starttime; 469 470 /* If you remove from this, you had better adjust nextI too (or call 471 * resetHostIterator() afterward). Don't let this list get empty, 472 * then add to it again, or you may mess up nextI (I'm not sure) */ 473 std::list<HostOsScanInfo *> incompleteHosts; 474 numIncompleteHosts()475 unsigned int numIncompleteHosts() {return incompleteHosts.size();} 476 HostOsScanInfo *findIncompleteHost(struct sockaddr_storage *ss); 477 478 /* A circular buffer of the incompleteHosts. nextIncompleteHost() gives 479 the next one. The first time it is called, it will give the 480 first host in the list. If incompleteHosts is empty, returns 481 NULL. */ 482 HostOsScanInfo *nextIncompleteHost(); 483 484 /* Resets the host iterator used with nextIncompleteHost() to the 485 beginning. If you remove a host from incompleteHosts, call this 486 right afterward */ resetHostIterator()487 void resetHostIterator() { nextI = incompleteHosts.begin(); } 488 489 int removeCompletedHosts(); 490 491 private: 492 unsigned int numInitialTargets; 493 std::list<HostOsScanInfo *>::iterator nextI; 494 }; 495 496 497 /* The overall os scan information of a host: 498 * - Fingerprints gotten from every scan round; 499 * - Maching results of these fingerprints. 500 * - Is it timeout/completed? 501 * - ... */ 502 class HostOsScanInfo { 503 504 public: 505 HostOsScanInfo(Target *t, OsScanInfo *OSI); 506 ~HostOsScanInfo(); 507 508 Target *target; /* The target */ 509 FingerPrintResultsIPv4 *FPR; 510 OsScanInfo *OSI; /* The OSI which contains this HostOsScanInfo */ 511 FingerPrint **FPs; /* Fingerprints of the host */ 512 FingerPrintResultsIPv4 *FP_matches; /* Fingerprint-matching results */ 513 bool timedOut; /* Did it time out? */ 514 bool isCompleted; /* Has the OS detection been completed? */ 515 HostOsScanStats *hss; /* Scan status of the host in one scan round */ 516 }; 517 518 519 /** This is the class that performs OS detection (both IPv4 and IPv6). 520 * Using it is simple, just call os_scan() passing a list of targets. 521 * The results of the detection will be stored inside the supplied 522 * target objects. */ 523 class OSScan { 524 525 private: 526 int chunk_and_do_scan(std::vector<Target *> &Targets, int family); 527 int os_scan_ipv4(std::vector<Target *> &Targets); 528 int os_scan_ipv6(std::vector<Target *> &Targets); 529 530 public: 531 OSScan(); 532 ~OSScan(); 533 void reset(); 534 int os_scan(std::vector<Target *> &Targets); 535 }; 536 537 #endif /*OSSCAN2_H*/ 538 539