summaryrefslogtreecommitdiffstats
path: root/osscan2.h
diff options
context:
space:
mode:
Diffstat (limited to 'osscan2.h')
-rw-r--r--osscan2.h526
1 files changed, 526 insertions, 0 deletions
diff --git a/osscan2.h b/osscan2.h
new file mode 100644
index 0000000..71ad40a
--- /dev/null
+++ b/osscan2.h
@@ -0,0 +1,526 @@
+
+/***************************************************************************
+ * osscan2.h -- Header info for 2nd Generation OS detection via TCP/IP *
+ * fingerprinting. For more information on how this works in Nmap, see *
+ * http://insecure.org/osdetect/ *
+ * *
+ ***********************IMPORTANT NMAP LICENSE TERMS************************
+ *
+ * The Nmap Security Scanner is (C) 1996-2023 Nmap Software LLC ("The Nmap
+ * Project"). Nmap is also a registered trademark of the Nmap Project.
+ *
+ * This program is distributed under the terms of the Nmap Public Source
+ * License (NPSL). The exact license text applying to a particular Nmap
+ * release or source code control revision is contained in the LICENSE
+ * file distributed with that version of Nmap or source code control
+ * revision. More Nmap copyright/legal information is available from
+ * https://nmap.org/book/man-legal.html, and further information on the
+ * NPSL license itself can be found at https://nmap.org/npsl/ . This
+ * header summarizes some key points from the Nmap license, but is no
+ * substitute for the actual license text.
+ *
+ * Nmap is generally free for end users to download and use themselves,
+ * including commercial use. It is available from https://nmap.org.
+ *
+ * The Nmap license generally prohibits companies from using and
+ * redistributing Nmap in commercial products, but we sell a special Nmap
+ * OEM Edition with a more permissive license and special features for
+ * this purpose. See https://nmap.org/oem/
+ *
+ * If you have received a written Nmap license agreement or contract
+ * stating terms other than these (such as an Nmap OEM license), you may
+ * choose to use and redistribute Nmap under those terms instead.
+ *
+ * The official Nmap Windows builds include the Npcap software
+ * (https://npcap.com) for packet capture and transmission. It is under
+ * separate license terms which forbid redistribution without special
+ * permission. So the official Nmap Windows builds may not be redistributed
+ * without special permission (such as an Nmap OEM license).
+ *
+ * Source is provided to this software because we believe users have a
+ * right to know exactly what a program is going to do before they run it.
+ * This also allows you to audit the software for security holes.
+ *
+ * Source code also allows you to port Nmap to new platforms, fix bugs, and add
+ * new features. You are highly encouraged to submit your changes as a Github PR
+ * or by email to the dev@nmap.org mailing list for possible incorporation into
+ * the main distribution. Unless you specify otherwise, it is understood that
+ * you are offering us very broad rights to use your submissions as described in
+ * the Nmap Public Source License Contributor Agreement. This is important
+ * because we fund the project by selling licenses with various terms, and also
+ * because the inability to relicense code has caused devastating problems for
+ * other Free Software projects (such as KDE and NASM).
+ *
+ * The free version of Nmap is distributed in the hope that it will be
+ * useful, but WITHOUT ANY WARRANTY; without even the implied warranty of
+ * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. Warranties,
+ * indemnification and commercial support are all available through the
+ * Npcap OEM program--see https://nmap.org/oem/
+ *
+ ***************************************************************************/
+
+#ifndef OSSCAN2_H
+#define OSSCAN2_H
+
+#include "nbase.h"
+#include <dnet.h>
+#include <pcap.h>
+
+#include <vector>
+#include <list>
+#include "timing.h"
+#include "osscan.h"
+class FingerPrintResultsIPv4;
+class Target;
+
+
+/******************************************************************************
+ * CONSTANT DEFINITIONS *
+ ******************************************************************************/
+
+/* The number of tries we normally do. This may be increased if
+ the target looks like a good candidate for fingerprint submission, or fewer
+ if the user gave the --max-os-tries option */
+#define STANDARD_OS2_TRIES 2
+
+// The minimum (and target) amount of time to wait between probes
+// sent to a single host, in milliseconds.
+#define OS_PROBE_DELAY 25
+
+// The target amount of time to wait between sequencing probes sent to
+// a single host, in milliseconds. The ideal is 500ms because of the
+// common 2Hz timestamp frequencies. Less than 500ms and we might not
+// see any change in the TS counter (and it gets less accurate even if
+// we do). More than 500MS and we risk having two changes (and it
+// gets less accurate even if we have just one). So we delay 100MS
+// between probes, leaving 500MS between 1st and 6th.
+#define OS_SEQ_PROBE_DELAY 100
+
+/* How many syn packets do we send to TCP sequence a host? */
+#define NUM_SEQ_SAMPLES 6
+
+/* TCP Timestamp Sequence */
+#define TS_SEQ_UNKNOWN 0
+#define TS_SEQ_ZERO 1 /* At least one of the timestamps we received back was 0 */
+#define TS_SEQ_2HZ 2
+#define TS_SEQ_100HZ 3
+#define TS_SEQ_1000HZ 4
+#define TS_SEQ_OTHER_NUM 5
+#define TS_SEQ_UNSUPPORTED 6 /* System didn't send back a timestamp */
+
+#define IPID_SEQ_UNKNOWN 0
+#define IPID_SEQ_INCR 1 /* simple increment by one each time */
+#define IPID_SEQ_BROKEN_INCR 2 /* Stupid MS -- forgot htons() so it
+ counts by 256 on little-endian platforms */
+#define IPID_SEQ_RPI 3 /* Goes up each time but by a "random" positive
+ increment */
+#define IPID_SEQ_RD 4 /* Appears to select IPID using a "random" distributions (meaning it can go up or down) */
+#define IPID_SEQ_CONSTANT 5 /* Contains 1 or more sequential duplicates */
+#define IPID_SEQ_ZERO 6 /* Every packet that comes back has an IP.ID of 0 (eg Linux 2.4 does this) */
+#define IPID_SEQ_INCR_BY_2 7 /* simple increment by two each time */
+
+
+/******************************************************************************
+ * TYPE AND STRUCTURE DEFINITIONS *
+ ******************************************************************************/
+
+struct seq_info {
+ int responses;
+ int ts_seqclass; /* TS_SEQ_* defines in nmap.h */
+ int ipid_seqclass; /* IPID_SEQ_* defines in nmap.h */
+ u32 seqs[NUM_SEQ_SAMPLES];
+ u32 timestamps[NUM_SEQ_SAMPLES];
+ int index;
+ u16 ipids[NUM_SEQ_SAMPLES];
+ time_t lastboot; /* 0 means unknown */
+};
+
+/* Different kinds of Ipids. */
+struct ipid_info {
+ u32 tcp_ipids[NUM_SEQ_SAMPLES];
+ u32 tcp_closed_ipids[NUM_SEQ_SAMPLES];
+ u32 icmp_ipids[NUM_SEQ_SAMPLES];
+};
+
+struct udpprobeinfo {
+ u16 iptl;
+ u16 ipid;
+ u16 ipck;
+ u16 sport;
+ u16 dport;
+ u16 udpck;
+ u16 udplen;
+ u8 patternbyte;
+ struct in_addr target;
+};
+
+typedef enum OFProbeType {
+ OFP_UNSET,
+ OFP_TSEQ,
+ OFP_TOPS,
+ OFP_TECN,
+ OFP_T1_7,
+ OFP_TICMP,
+ OFP_TUDP
+} OFProbeType;
+
+/******************************************************************************
+ * FUNCTION PROTOTYPES *
+ ******************************************************************************/
+
+int get_initial_ttl_guess(u8 ttl);
+
+int identify_sequence(int numSamples, u32 *ipid_diffs, int islocalhost, int allipideqz);
+int get_diffs(u32 *ipid_diffs, int numSamples, const u32 *ipids, int islocalhost);
+int get_ipid_sequence_16(int numSamples, const u32 *ipids, int islocalhost);
+int get_ipid_sequence_32(int numSamples, const u32 *ipids, int islocalhost);
+
+const char *ipidclass2ascii(int seqclass);
+const char *tsseqclass2ascii(int seqclass);
+
+/* Convert a TCP sequence prediction difficulty index like 1264386
+ into a difficulty string like "Worthy Challenge */
+const char *seqidx2difficultystr(unsigned long idx);
+/******************************************************************************
+ * CLASS DEFINITIONS *
+ ******************************************************************************/
+class OFProbe;
+class HostOsScanStats;
+class HostOsScan;
+class HostOsScanInfo;
+class OsScanInfo;
+
+/** Represents an OS detection probe. It does not contain the actual packet
+ * that is sent to the target but contains enough information to generate
+ * it (such as the probe type and its subid). It also stores timing
+ * information. */
+class OFProbe {
+
+ public:
+ OFProbe();
+
+ /* The literal string for the current probe type. */
+ const char *typestr() const;
+
+ /* Type of the probe: for what os fingerprinting test? */
+ OFProbeType type;
+
+ /* Subid of this probe to separate different tcp/udp/icmp. */
+ int subid;
+
+ /* Try (retransmission) number of this probe */
+ int tryno;
+
+ /* A packet may be timedout for a while before being retransmitted
+ due to packet sending rate limitations */
+ bool retransmitted;
+
+ struct timeval sent;
+
+ /* Time the previous probe was sent, if this is a retransmit (tryno > 0) */
+ struct timeval prevSent;
+};
+
+
+/* Stores the status for a host being scanned in a scan round. */
+class HostOsScanStats {
+
+ friend class HostOsScan;
+
+ public:
+ HostOsScanStats(Target *t);
+ ~HostOsScanStats();
+ void initScanStats();
+ struct eth_nfo *fill_eth_nfo(struct eth_nfo *eth, eth_t *ethsd) const;
+ void addNewProbe(OFProbeType type, int subid);
+ void removeActiveProbe(std::list<OFProbe *>::iterator probeI);
+ /* Get an active probe from active probe list identified by probe type
+ * and subid. returns probesActive.end() if there isn't one. */
+ std::list<OFProbe *>::iterator getActiveProbe(OFProbeType type, int subid);
+ void moveProbeToActiveList(std::list<OFProbe *>::iterator probeI);
+ void moveProbeToUnSendList(std::list<OFProbe *>::iterator probeI);
+ unsigned int numProbesToSend() const {return probesToSend.size();}
+ unsigned int numProbesActive() const {return probesActive.size();}
+ FingerPrint *getFP() const {return FP;}
+
+ Target *target; /* the Target */
+ struct seq_info si;
+ struct ipid_info ipid;
+
+ /* distance, distance_guess: hop count between us and the target.
+ *
+ * Possible values of distance:
+ * 0: when scan self;
+ * 1: when scan a target on the same network segment;
+ * >=1: not self, not same network and nmap has got the icmp reply to the U1 probe.
+ * -1: none of the above situations.
+ *
+ * Possible values of distance_guess:
+ * -1: nmap fails to get a valid ttl by all kinds of probes.
+ * >=1: a guessing value based on ttl. */
+ int distance;
+ int distance_guess;
+
+ /* Returns the amount of time taken between sending 1st tseq probe
+ * and the last one. Zero is
+ * returned if we didn't send the tseq probes because there was no
+ * open tcp port */
+ double timingRatio() const;
+
+ private:
+ /* Ports of the targets used in os fingerprinting. */
+ int openTCPPort, closedTCPPort, closedUDPPort;
+
+ /* Probe list used in tests. At first, probes are linked in
+ * probesToSend; when a probe is sent, it will be removed from
+ * probesToSend and appended to probesActive. If any probes in
+ * probesActive are timedout, they will be moved to probesToSend and
+ * sent again till expired. */
+ std::list<OFProbe *> probesToSend;
+ std::list<OFProbe *> probesActive;
+
+ /* A record of total number of probes that have been sent to this
+ * host, including retransmitted ones. */
+ unsigned int num_probes_sent;
+ /* Delay between two probes. */
+ unsigned int sendDelayMs;
+ /* When the last probe is sent. */
+ struct timeval lastProbeSent;
+
+ struct ultra_timing_vals timing;
+
+ /* Fingerprint of this target. When a scan is completed, it'll
+ * finally be passed to hs->target->FPR->FPs[x]. */
+ FingerPrint *FP;
+ FingerTest *FPtests[NUM_FPTESTS];
+ #define FP_TSeq FPtests[ID2INT(FingerPrintDef::SEQ)]
+ #define FP_TOps FPtests[ID2INT(FingerPrintDef::OPS)]
+ #define FP_TWin FPtests[ID2INT(FingerPrintDef::WIN)]
+ #define FP_TEcn FPtests[ID2INT(FingerPrintDef::ECN)]
+ #define FP_T1_7_OFF ID2INT(FingerPrintDef::T1)
+ #define FP_T1 FPtests[ID2INT(FingerPrintDef::T1)]
+ #define FP_T2 FPtests[ID2INT(FingerPrintDef::T2)]
+ #define FP_T3 FPtests[ID2INT(FingerPrintDef::T3)]
+ #define FP_T4 FPtests[ID2INT(FingerPrintDef::T4)]
+ #define FP_T5 FPtests[ID2INT(FingerPrintDef::T5)]
+ #define FP_T6 FPtests[ID2INT(FingerPrintDef::T6)]
+ #define FP_T7 FPtests[ID2INT(FingerPrintDef::T7)]
+ #define FP_TUdp FPtests[ID2INT(FingerPrintDef::U1)]
+ #define FP_TIcmp FPtests[ID2INT(FingerPrintDef::IE)]
+ const char *TOps_AVs[6]; /* 6 AVs of TOps */
+ const char *TWin_AVs[6]; /* 6 AVs of TWin */
+
+ /* The following are variables to store temporary results
+ * during the os fingerprinting process of this host. */
+ u16 lastipid;
+ struct timeval seq_send_times[NUM_SEQ_SAMPLES];
+
+ int TWinReplyNum; /* how many TWin replies are received. */
+ int TOpsReplyNum; /* how many TOps replies are received. Actually it is the same with TOpsReplyNum. */
+
+ struct ip *icmpEchoReply; /* To store one of the two icmp replies */
+ int storedIcmpReply; /* Which one of the two icmp replies is stored? */
+
+ struct udpprobeinfo upi; /* info of the udp probe we sent */
+};
+
+/* These are statistics for the whole group of Targets */
+class ScanStats {
+
+ public:
+ ScanStats();
+ bool sendOK() const; /* Returns true if the system says that sending is OK. */
+
+ struct ultra_timing_vals timing;
+ struct timeout_info to; /* rtt/timeout info */
+ int num_probes_active; /* Total number of active probes */
+ int num_probes_sent; /* Number of probes sent in total. */
+ int num_probes_sent_at_last_wait;
+};
+
+
+/* This class does the scan job, setting and using the status of a host in
+ * the host's HostOsScanStats. */
+class HostOsScan {
+
+ public:
+ HostOsScan(Target *t); /* OsScan need a target to set eth stuffs */
+ ~HostOsScan();
+
+ pcap_t *pd;
+ ScanStats *stats;
+
+ /* (Re)Initialize the parameters that will be used during the scan.*/
+ void reInitScanSystem();
+
+ void buildSeqProbeList(HostOsScanStats *hss);
+ void updateActiveSeqProbes(HostOsScanStats *hss);
+
+ void buildTUIProbeList(HostOsScanStats *hss);
+ void updateActiveTUIProbes(HostOsScanStats *hss);
+
+ /* send the next probe in the probe list of the hss */
+ void sendNextProbe(HostOsScanStats *hss);
+
+ /* Process one response. If the response is useful, return true. */
+ bool processResp(HostOsScanStats *hss, const struct ip *ip, unsigned int len, struct timeval *rcvdtime);
+
+ /* Make up the fingerprint. */
+ void makeFP(HostOsScanStats *hss);
+
+ /* Check whether the host is sendok. If not, fill _when_ with the
+ * time when it will be sendOK and return false; else, fill it with
+ * now and return true. */
+ bool hostSendOK(HostOsScanStats *hss, struct timeval *when) const;
+
+ /* Check whether it is ok to send the next seq probe to the host. If
+ * not, fill _when_ with the time when it will be sendOK and return
+ * false; else, fill it with now and return true. */
+ bool hostSeqSendOK(HostOsScanStats *hss, struct timeval *when) const;
+
+
+ /* How long I am currently willing to wait for a probe response
+ * before considering it timed out. Uses the host values from
+ * target if they are available, otherwise from gstats. Results
+ * returned in MICROseconds. */
+ unsigned long timeProbeTimeout(HostOsScanStats *hss) const;
+
+ /* If there are pending probe timeouts, fills in when with the time
+ * of the earliest one and returns true. Otherwise returns false
+ * and puts now in when. */
+ bool nextTimeout(HostOsScanStats *hss, struct timeval *when) const;
+
+ /* Adjust various timing variables based on pcket receipt. */
+ void adjust_times(HostOsScanStats *hss, const OFProbe *probe, const struct timeval *rcvdtime);
+
+private:
+ /* Probe send functions. */
+ void sendTSeqProbe(HostOsScanStats *hss, int probeNo);
+ void sendTOpsProbe(HostOsScanStats *hss, int probeNo);
+ void sendTEcnProbe(HostOsScanStats *hss);
+ void sendT1_7Probe(HostOsScanStats *hss, int probeNo);
+ void sendTUdpProbe(HostOsScanStats *hss, int probeNo);
+ void sendTIcmpProbe(HostOsScanStats *hss, int probeNo);
+ /* Response process functions. */
+ bool processTSeqResp(HostOsScanStats *hss, const struct ip *ip, int replyNo);
+ bool processTOpsResp(HostOsScanStats *hss, const struct tcp_hdr *tcp, int replyNo);
+ bool processTWinResp(HostOsScanStats *hss, const struct tcp_hdr *tcp, int replyNo);
+ bool processTEcnResp(HostOsScanStats *hss, const struct ip *ip);
+ bool processT1_7Resp(HostOsScanStats *hss, const struct ip *ip, int replyNo);
+ bool processTUdpResp(HostOsScanStats *hss, const struct ip *ip);
+ bool processTIcmpResp(HostOsScanStats *hss, const struct ip *ip, int replyNo);
+
+ /* Generic sending functions used by the above probe functions. */
+ int send_tcp_probe(HostOsScanStats *hss,
+ int ttl, bool df, u8* ipopt, int ipoptlen,
+ u16 sport, u16 dport, u32 seq, u32 ack,
+ u8 reserved, u8 flags, u16 window, u16 urp,
+ u8 *options, int optlen,
+ char *data, u16 datalen);
+ int send_icmp_echo_probe(HostOsScanStats *hss,
+ u8 tos, bool df, u8 pcode,
+ unsigned short id, u16 seq, u16 datalen);
+ int send_closedudp_probe(HostOsScanStats *hss,
+ int ttl, u16 sport, u16 dport);
+
+ void makeTSeqFP(HostOsScanStats *hss);
+ void makeTOpsFP(HostOsScanStats *hss);
+ void makeTWinFP(HostOsScanStats *hss);
+
+ int get_tcpopt_string(const struct tcp_hdr *tcp, int mss, char *result, int maxlen) const;
+
+ int rawsd; /* Raw socket descriptor */
+ eth_t *ethsd; /* Ethernet handle */
+
+ unsigned int tcpSeqBase; /* Seq value used in TCP probes */
+ unsigned int tcpAck; /* Ack value used in TCP probes */
+ int tcpMss; /* TCP MSS value used in TCP probes */
+ int udpttl; /* TTL value used in the UDP probe */
+ unsigned short icmpEchoId; /* ICMP Echo Identifier value for ICMP probes */
+ unsigned short icmpEchoSeq; /* ICMP Echo Sequence value used in ICMP probes */
+
+ /* Source port number in TCP probes. Different probes will use an arbitrary
+ * offset value of it. */
+ int tcpPortBase;
+ int udpPortBase;
+};
+
+
+
+/* Maintains a link of incomplete HostOsScanInfo. */
+class OsScanInfo {
+
+ public:
+ OsScanInfo(std::vector<Target *> &Targets);
+ ~OsScanInfo();
+ float starttime;
+
+ /* If you remove from this, you had better adjust nextI too (or call
+ * resetHostIterator() afterward). Don't let this list get empty,
+ * then add to it again, or you may mess up nextI (I'm not sure) */
+ std::list<HostOsScanInfo *> incompleteHosts;
+
+ unsigned int numIncompleteHosts() const {return incompleteHosts.size();}
+ HostOsScanInfo *findIncompleteHost(const struct sockaddr_storage *ss);
+
+ /* A circular buffer of the incompleteHosts. nextIncompleteHost() gives
+ the next one. The first time it is called, it will give the
+ first host in the list. If incompleteHosts is empty, returns
+ NULL. */
+ HostOsScanInfo *nextIncompleteHost();
+
+ /* Resets the host iterator used with nextIncompleteHost() to the
+ beginning. If you remove a host from incompleteHosts, call this
+ right afterward */
+ void resetHostIterator() { nextI = incompleteHosts.begin(); }
+
+ int removeCompletedHosts();
+
+ private:
+ unsigned int numInitialTargets;
+ std::list<HostOsScanInfo *>::iterator nextI;
+};
+
+
+/* The overall os scan information of a host:
+ * - Fingerprints gotten from every scan round;
+ * - Maching results of these fingerprints.
+ * - Is it timeout/completed?
+ * - ... */
+class HostOsScanInfo {
+
+ public:
+ HostOsScanInfo(Target *t, OsScanInfo *OSI);
+ ~HostOsScanInfo();
+
+ Target *target; /* The target */
+ FingerPrintResultsIPv4 *FPR;
+ OsScanInfo *OSI; /* The OSI which contains this HostOsScanInfo */
+ FingerPrint **FPs; /* Fingerprints of the host */
+ FingerPrintResultsIPv4 *FP_matches; /* Fingerprint-matching results */
+ bool timedOut; /* Did it time out? */
+ bool isCompleted; /* Has the OS detection been completed? */
+ HostOsScanStats *hss; /* Scan status of the host in one scan round */
+};
+
+
+/** This is the class that performs OS detection (both IPv4 and IPv6).
+ * Using it is simple, just call os_scan() passing a list of targets.
+ * The results of the detection will be stored inside the supplied
+ * target objects. */
+class OSScan {
+
+ private:
+ int chunk_and_do_scan(std::vector<Target *> &Targets, int family);
+ int os_scan_ipv4(std::vector<Target *> &Targets);
+ int os_scan_ipv6(std::vector<Target *> &Targets);
+
+ public:
+ OSScan();
+ ~OSScan();
+ void reset();
+ int os_scan(std::vector<Target *> &Targets);
+};
+
+#endif /*OSSCAN2_H*/
+