Diffstat (limited to 'todo/nping.txt')
-rw-r--r-- | todo/nping.txt | 799 |
1 files changed, 799 insertions, 0 deletions
diff --git a/todo/nping.txt b/todo/nping.txt new file mode 100644 index 0000000..c1130cf --- /dev/null +++ b/todo/nping.txt 
@@ -0,0 +1,799 @@ +/***************************************************************************** + * * + * o * + * o * + * o * + * o o * + * o o * + * o o * + * o o o * + * o o o * + * 888b 888 o o o * + * 8888b 888 o o o * + * 888Y88 888 o o o * + * 888Y88b 888 o * + * 888 Y88b888 o * + * 888 Y88888 * + * 888 Y8888 * + * 888 Y888 * + * * + * --[NPING TO-DO LIST]-- * + * * + *****************************************************************************/ + + This file contains Nping's to-do list. Items are listed in order of priority + (high priority items are listed first). Feel free to work on any of the items + on the list. However, if you'd like to work on something that is not trivial + to implement you may want to send a message to the nmap-dev list before you + start so other developers can see what you are planning to do. Make sure you + explain exactly what you are trying to fix/implement and how you are planning + to do it. It's always better to discuss bugfixes and new feature additions in + advance because they may actually have bigger implications than you think and + you may not get your patch accepted. + + Please keep in mind that contributed code must: + * Be written in C++. + * Include comments so anyone can understand immediately what it does. + * Work on Linux, Mac OS and MS Windows. It's OK if you have not tested + the code in all those platforms, but at least keep portability in mind when + you write it and include a list of systems you've tested it on along with + your patch. + + Questions, comments and patches should be sent to the Nmap development + mailing list (nmap-dev). To suscribe: + <https://nmap.org/mailman/listinfo/dev> + + +/***************************************************************************** + * Things that have NOT been done yet * + *****************************************************************************/ + +* Improve IPv6 support. Currently it doesn't work well. 
The situation should be + analyzed in detail because right now Nping has code to send packets at raw + transport level (letting the OS craft the IPv6 header), and at raw ethernet + level. None of them seems to work well, though. + +* Investigate an IPv6-related core dump reported by Vasiliy Kulikov. + More info: http://seclists.org/nmap-dev/2011/q3/567 + +* Consider using Nmap's proto-dependant payloads for UDP packets. According + to David's tests, better results are obtained when sending UDP probes with a + payload specific to the protocol. + +* Consider adding the possibility to see the RTT in the RECV line. Something + similar to the way the traditional ping tool prints the RTT (time=XXX ms) + + $ ping nmap.org + PING nmap.org (173.255.243.189) 56(84) bytes of data. + 64 bytes from nmap.org (173.255.243.189): icmp_req=1 ttl=48 time=169 ms + 64 bytes from nmap.org (173.255.243.189): icmp_req=2 ttl=48 time=177 ms + 64 bytes from nmap.org (173.255.243.189): icmp_req=3 ttl=48 time=179 ms + ^C + --- nmap.org ping statistics --- + 3 packets transmitted, 3 received, 0% packet loss, time 2000ms + rtt min/avg/max/mdev = 169.097/175.137/179.152/4.347 ms + + + This was requested by Jacek Wielemborek. More info: + http://seclists.org/nmap-dev/2013/q3/533 + +* Currently, Nping determines the maximum number of open descriptors + (in TCP connect and UDP unprivileged modes), from the value returned + by libnetutil::get_max_open_descriptors(). However, it is often the + case that such function returns a value higher than FD_SETSIZE, which + is the maximum number of descriptors that select(2) can handle. + Currently Nsock uses select(2) so we have to limit the number of + descriptor to FD_SETSIZE, and not to the value returned bu + get_max_open_descriptors(). However, Henri Doreau is working on a new + nsock-engines branch which will provide Nsock engines based on + better I/O syscalls like poll() and epoll(). 
I've asked Henri if he + could implement a function in Nsock that provides the maximum number + of descriptors that can be handled at the same time, based on the + nsock engine being used. So, if that function gets implemented and + his nsock-engines branch merged into trunk, we should consider + updating Nping's code to use it. + More info here: + http://seclists.org/nmap-dev/2011/q4/550 + +* A few ideas for the Echo protocol: + - Add an authenticated NEP_BYE message, so session termination is explicit + and both ends can determine if the session was ended because the other end + requested it or if it was due to some error at the network or transport + layer. Suggested by David. + + - Add examples for encryption and hmac to the RFC. This would help in + debugging implementations. Suggested by Toni Ruottu. + + - RFC. Improve description of how the IVs work. Suggested by Toni Ruottu. + + - RFC. Improve description of encryptionless sessions. Suggested by Toni + Ruottu. + + - Currently, the echo server zeroes any application layer data before + transmission in a NEP_ECHO message. This minimizes the impact of + errors in the server's packet matching engine or malicious attacks that + attempt to trick the server into echoing packets that do not belong to + a particular user. This works well but in the future, if one day we + create a NEPv2 specification, we may want to consider extending NEP_ECHO + packets to allow stripped-packet transport. This is, to allow echo servers + to remove application layer data before transmission, and include + additional information in the NEP_ECHO message so clients can determine + that the payload part was stripped and how long was it. + + - Consider making the echo server bind to all IPv4 AND IPv6 interfaces. + + - Add a description of the security implications of running a public echo + server (failures in the packet matching algorithm, etc), to either the + RFC or the man page. Suggested by Toni Ruottu. 
+ + - Test the new --safe-payloads option with a packet fuzzer to make sure + the packet parser behaves correctly. + +* When running Nping echo client with the --no-capture parameter, the last + packet's CAPT line is not displayed. + + nping --ec public echo.nmap.org -p90 --tcp --count 1 --no-capture + + luis@Aberdeen:~$ sudo nping --ec public echo.nmap.org -p90-92 --tcp --count 1 --no-capture + + Starting Nping 0.5.52.IPv6.Beta2 ( https://nmap.org/nping ) at 2011-07-05 12:53 CEST + SENT (7.3302s) TCP 163.117.203.253:18554 > 74.207.244.221:90 S ttl=64 + CAPT (7.4625s) TCP 163.117.203.253:18554 > 74.207.244.221:90 S ttl=54 + SENT (8.3309s) TCP 163.117.203.253:18554 > 74.207.244.221:91 S ttl=64 + CAPT (8.4429s) TCP 163.117.203.253:18554 > 74.207.244.221:91 S ttl=54 + SENT (9.3310s) TCP 163.117.203.253:18554 > 74.207.244.221:92 S ttl=64 + + Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A + Raw packets sent: 3 (120B) | Rcvd: 0 (0B) | Lost: 3 (100.00%)| Echoed: 2 (80B) + Tx time: 2.00181s | Tx bytes/s: 59.95 | Tx pkts/s: 1.50 + Rx time: 2.00193s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00 + Nping done: 1 IP address pinged in 9.33 seconds + +* Sometimes Nping displays a couple of error messages (related to cleanup of + Nsock events), even though everything went fine. 
+ + luis@Aberdeen:~$ sudo nping --ec public echo.nmap.org -p90 --tcp --count 1 + + Starting Nping 0.5.52.IPv6.Beta2 ( https://nmap.org/nping ) at 2011-07-05 12:51 CEST + SENT (1.8965s) TCP 163.117.203.253:64288 > 74.207.244.221:90 S ttl=64 + CAPT (2.0293s) TCP 163.117.203.253:64288 > 74.207.244.221:90 S ttl=54 + RCVD (2.1233s) TCP 74.207.244.221:90 > 163.117.203.253:64288 RA ttl=51 + nping_event_handler(): READ-PCAP killed: Resource temporarily unavailable + nping_event_handler(): TIMER killed: Resource temporarily unavailable + + Max rtt: 226.762ms | Min rtt: 226.762ms | Avg rtt: 226.762ms + Raw packets sent: 1 (40B) | Rcvd: 1 (40B) | Lost: 0 (0.00%)| Echoed: 1 (40B) + Tx time: 0.00136s | Tx bytes/s: 29411.76 | Tx pkts/s: 735.29 + Rx time: 1.00082s | Rx bytes/s: 39.97 | Rx pkts/s: 1.00 + Nping done: 1 IP address pinged in 2.93 seconds + +* Investigate about warning on old version of gcc like g++ 4.1.2 20080704 + (Red Hat 4.1.2-48). No warnings are shown on newer version but it would be + nice to get rid of them if possible. There are some of them: + + ARPHeader.h:169: warning: ‘class ARPHeader’ has virtual functions but + non-virtual destructor + RawData.h:99: warning: ‘class RawData’ has virtual functions but + non-virtual destructor + +* Decide more on rDNS + - Do we want to rDNS resolve all target IPs? If so, where should we + show the name? At the final report (even when just one host + scanned, which omits that line now)? In the individual packet + trace lines? When a CNAME (or a name which forward resolves but + does the IP doesn't reverse resolve) is specified on the command + line, should we use that version, or the official rDNS, if any? + - Some more discussion on this topic on nmap-dev may be warranted. + +* Improve output for negative verbosity levels. Currently, one can't + even tell how many hosts replied, just how many responses were + received, which could be all from the same host. If there is only + one target, then the current behavior is fine. 
However, when pinging + more targets, we should be able to provide a better output; at least + how many hosts were alive. This was suggested by Dan Farmer. + +* Consider adding more examples of setting fields/payloads to the man + page. This was suggested by Dan Farmer. + +* Consider adding support for XML output. + +* 
From: David Lam <david@thedavid.net>, "Some general questions about + Nping/Ncat" + + In TCP traceroute mode, would it be possible to ask Nping to + stop once it gets an SYN-ACK response back from the destination host rather + than continuously hitting the host until the max TTL? + +* Make broadcast ping work. Currently the following command does not + show any captured packets: + nping 192.168.0.255 --dest-mac ff:ff:ff:ff:ff:ff -c 1 + The cause is probably the BPF filter, which only allows replies from + 192.168.0.255. + Also, look into official multicast addresses like 224.0.0.1. Can we + received replies to that probe? + + +* Do some performance testing. + Fyodor: + <<Nping should be able to send packets quickly, at least comparable to + "ping -f" and hping. If it can't send as many packets per second as those, + then it warrants looking into whym figuring out what the bottlenecks are. + It would be good to compare nping with other tools such as hping in + terms of how high the values of packets per second can get and still + work reliably.>> + +* Stats for ARP packets. + +* Do more testing on Mac + +* Support pre defined probe rates: --fast, --faster, --flood, --slow, + --slower, --paranoid... + +* Think about --establish feature, which uses raw packets to establish + a connection and can then send data on the connected stream (Luis + already has a proof-of-concept implementation). + +* Make privileged and unprivileged TCP/UDP mode specification consistent. 
+ +> - User is unprivileged and did not supply mode: --> Use TCP-Connect +> - User is unprivileged and supplied --tcp --> Use TCP-Connect +> - User is unprivileged and supplied --upd --> User UDP unprivileged +> - User is root and did not supply mode --> Use ICMP Echo +> - User is root and supplied --tcp --> Use raw sockets TCP +> - User is root and supplied --udp --> User raw sockets UDP +> - User is root and wants to use TCP-Connect --> User needs to either +> pass --tcp-connect or --unprivileged +> - User is root and want unprivileged UDP --> User needs to pass +> --unprivileged or --udp-XXXXX (any suggestions?. --udp-sendto() may not +> be the best idea because when we use raw sockets we also use sendto() to +> transmit the data). + +* Support reverse DNS resolution in --traceroute + +* Implement TCP options + +* Implement hping-like ability to change the port/ttl using the keyboard + during a scan. + +* Disable ARP resolution when --source-mac is specified. + +* Implement --data-file option. What should we do if file is big? Read the + first X bytes? Send consecutive chunks? + +* Implement ICMP address mask + +* Implement entire ICMP Traceroute message opts. + +* Research on default IP Identification value. Kernel does not seem to like + value 0 because when set to zero, kernel changes it to some other value. When + we set it to something !=0, the kernel leaves our value untouched. + +* At some point in the future, implement weird ICMP Types. 
I think this would + let us make a difference to the rest of pings and packet creation tools + because anyone wanting to send weirds packes would have to download our + Nping ;-) + ( http://www.iana.org/assignments/icmp-parameters ) + 6 Alternate Host Address [JBP] + 31 Datagram Conversion Error [RFC1475] + 32 Mobile Host Redirect [David Johnson] + 33 IPv6 Where-Are-You [Bill Simpson] + 34 IPv6 I-Am-Here [Bill Simpson] + 35 Mobile Registration Request [Bill Simpson] + 36 Mobile Registration Reply [Bill Simpson] + 39 SKIP [Markson] + 40 Photuris [RFC2521] + +* Implement checks in function that handles received packets: + Fyodor: + <<You can't assume that the filter always works right, so you do need to + validate the information anyway. For example, on windows in some cases + we have to change the filter to "" because it doesn't work otherwise + so, in actuality, I often end up with rather broad pcap filters and then + do the checking by hand, but tightening the pcap filter can improve + performance a bit.>> + +* Implement "-iL inputfilename (Input from list) " and the case where "-" is + supplied and target specs need to be read from stdin. + +* Consider adding option to allow sending NO packets but act as a + simple sniffer. Users could use --bpf-filter to specify a + tcpdump-like filter and get every receive packet printed to + stdout. Maybe with "-c 0"? "-c none"? We need to have some flag in + NpingOps so we don't terminate Nping but wait undefinitely. + +* At some point we should support nmap-like MAC specification. + +* When implementing IPv6, check MAX_TCP_PAYLOAD_LEN constant and method + TCPHeader::setSum(). Because with IPv6 the max payload length should be 20 + bytes less than with the IPv4 header. 
+ +* When using payloads, take into account that the IP and TCP headers may + contain options and therefore, the maximum payload len should be + 65535 - 20(ip header) - 40 (ip options) -20(tcp header) -20(tcp options); + +* Make sure randomnly generated checksums in IPv6-TCP/UDP are in fact invalid + and don't match the correct checksum. + +* Fyodor: + <<in some cases it might be nice to have an option which sends all + probes (all ports to all hosts) at the same time.>> + +* ARP mode does not support payload specification. However, users may + want to do things like appending null bytes at the end of an ARP + packet to test some device behaviour, etc. Adding support for + payload to this mode is really trivial, would make the payload spec + more consistent with the rest of the modes, and may be a nice to have + feature. + +* [EM] For CAPT packets, decide if we want to print the full info or + just the fields that have changed in transit (or both). Note that + printing differences would be complicated by the fact that nping + doesn't currently associate captured packets with the original send. + +* Decide if we want to allow things like "1074628148" or "0x400d8634" to + be treated as valid IP addresses. + +* Check out if --ip-options "RTUS 1.1.1.1 2.2.2.2" makes sense. It now + fails. + +* It may be nice to let users set the IP header lenght field. Maybe they + want to stress tcp/stacks with this. + +* Investigate on ICMP preference levels. It's not clear whether there is + a standard encoding or not. The logic that parses this in Nping needs + to be reviewed. + +* Split up libnetutil.cc into different source files. + +* Investigate on nping's version of devname2ipaddr. Think about side + effects on using that in Nmap. + +* Consider adding multi-packet support. + o Example: tell nping to send 4 tcp packets, 5 icmp packets and 3 udp packets + +* Consider adding RFC-style output for send/recv packets. + +* Consider adding more detailed stats for the Echo Mode. 
+ +* [EM] Handle DLT types. Currently the server always sets the null DLT value + that indicates that no data link header is included. + +/***************************************************************************** + * Things that have been solved already * + *****************************************************************************/ + +[DONE] Add default target port for TCP-Connect and TCP modes :: Port 80 + +[DONE] Add default target port for UDP mode :: Port 40125 + +[DONE] Add default UDP Source port: 53 + JUSTIFICATION: From David's EffectivenessOfPingProbes + http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes + "The best individual UDP probes are still those to a random high port, + with a source port of 53 and a non-empty payload. Even without the source + port and payload, the ports 40125 and 40126 that I picked out of the air + are better choices than the current default of 31338, finding around 400 + additional hosts." + +[DONE] Change resolution for the inter-ping delay. (Fyodor: btw, usleep() will + probably do the trick for you as it let's you sleep with microsecond + precision) + +[DONE] Use int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int + packetlen) instead of ip_open(); + +[DONE] Add protocol to BPF filterstring because It is possible that when in TCP mode + a UDP packet destined to the TCP source, arrives to the net iface and gets + printed. + +[DONE] Implement multiple port specification. + +[DONE] Implement ICMP router advertisement entries + +[DONE] Default probe mode: ICMP echo + +[DONE] Test ICMPv4Header::addRouterAdEntry() and check entries are being added + correctly. 
+ +[DONE] Determine source IP address automatically + +[DONE] Determine network interface to be used for packet capture automatically + +[DONE] Add support for cached DNS requests + +[DONE] Start user documentation (mainly man page) + +[DONE] Change output to include timing information + +[DONE] Implement controls in payload options parsing to prevent specifying lengths + that cannot be carried by a single TCP/UDP packet. + +[DONE] Start implementing unprivileged UDP pings. + +[DONE] When sending ICMP packets, checksum is not being computed correcly if + --data-length, and options like that, are specified. + +[DONE] Find a bug that under some circumstances produces a segfault. It is probably + related to the way option -e is being handled. + +[DONE] Fix a bug in option "-e iface" that results on IP 2.0.0.0 being used as a + source address. + +[DONE] Update --help display to include new ICMP flags. Check also commandline syntax + docs. + +[DONE] Use nsock approach instead of threads. + +[DONE] Finish ARP/RARP support. + +[DONE] Change doc for option --count. We don't stop after N probes, we stop after + N rounds. + +[DONE] Ask Fyodor what tool is used to convert from nmap-man.xml to nmap.1 + +[DONE] Check all outPrint()s and outError()s to ensure they specify the correct + verbosity/debug level. + +[DONE] Document format specified in ArgParser::atoICMPType(). + +[DONE] Document format specified in ArgParser::atoICMPCode(). + +[DONE] Finish implementing unprivileged UDP pings. + +[DONE] Finish Ethernet frame creation. + +[DONE] Find a way to convert the nping.xml into man page. + +[DONE] Check what happens if payload is specified and we are not sending TCP/UDP + but ICMP or other proto packets. [Sometimes it may not make sense to include + payloads (e.g. ARP) but we still allow it just in case users want to play + around]. + +[DONE] Ask Fyodor whether we want to display elapsed time (like nmap) or we prefer to + display rtt time as other ping utilities do. 
[This is probably fine for now] + +[DONE] Fix the warnings produced by Fyodor's gcc. + +---------------+ + NpingTargets.cc: In member function ‘int NpingTargets::processSpecs()’: + NpingTargets.cc:315: warning: comparison between signed and unsigned integer expressions + NpingTargets.cc: In member function ‘NpingTarget* NpingTargets::getNextTarget()’: + NpingTargets.cc:333: warning: comparison between signed and unsigned integer expressions + +---------------+ + In file included from /usr/include/string.h:640, + from nbase/nbase.h:158, + from nping.h:107, + from utils.cc:95: + In function ‘void* memset(void*, int, size_t)’, + inlined from ‘int getNetworkInterfaceName(sockaddr_storage*, char*)’ at utils.cc:689: + /usr/include/bits/string3.h:85: warning: call to void* __builtin___memset_chk(void*, int, long unsigned int, long unsigned int) will always overflow destination buffer + +---------------+ + + +[DONE] Redesign verbosity levels: + * Put verbosity levels 2 into level 1 + * Use level 2 for error. + * Use level 3 to print everything but not sent/rcv packets. + * Level 4 the usual + +[DONE] Add stats at the end of nping execution. + +[DONE] Add options to disable viewing of sent packets. + +[DONE] Add option to to disable packet capture. + +[DONE] Add a section to the man page explaining how we iterate over targets, + ports, etc. + +[DONE] Beta-testing email to the list. + +[DONE] Change default round count to 5. + +[DONE] Fix a segfault detected by Fyodor in trg=o.targets.findTarget(...). + +[DONE] Send an email to the list telling about the nping.exe file. + +[DONE] Support CTRL-C statistics. + +[DONE] Change "solution" file in mswin32/nmap.sln to nping.sln + +[DONE] In man page and -h: move Ethernet section so it appears after network + layer info. + +[DONE] Make rx time more accurate taking into account that we wait for a bit after + the last probe is sent. 
+ +[DONE] Fix bug: add ICMP dest unreachable, etc to the BPF filter so we can get + icmp error messages when TTLs expire, etc. + +[DONE] Disable all ethernet related code when sendEth is false. + +[DONE] Finish porting Nping to Windows. + +[DONE] Find an OS X box to test Nping. + +[DONE] Reorganize verbosity levels (again ;-) [-3, +3]. + +[DONE] Finish documentation for options --source-mac and --dest-mac + +[DONE] Make sure --ether-type supports specifying types in hex. + +[DONE] Implement verbosity level 3: in this level, sent and recv packets are + hexdumped to stdout. + +[DONE] Write and check in nping/index.html web site + - Include SVN checkout/install instructions + - include tarballs when available + +[DONE] Create Windows installer (maybe can copy a lot of stuff from what + Ithilgore has done with Ncrack) + +[DONE] Create Nping release tarball for UNIX systems + +[DONE] Release Nping 0.1BETA2 + +[DONE] Man page should say Nping is currently in Alpha stage. + +[DONE] Support -vvv, -qqq and -ddd syntax. [Requested by Dirk Loss] + +[DONE] Create Mac OS X installer (also can probably copy a lot of stuff + from what Ithilgore has done with Ncrack. David can usually help + with installer building). + +[DONE] Move nping to /nping in SVN rather than being in nmap-exp + +[DONE] Set up automatic conversion from nping XML man page to HTML for + https://nmap.org/nping/man.html [Fyodor working on this] + +[DONE] Include signature files in new releases. [Requested by Henri Salo] +[DONE] It would be nice to have Bzip2 packages. [Requested by Henri Salo] + (These last two don't make sense anymore as Nping is now distributed + with Nmap). + +[DONE] Do small fix in nmap's send_ip_packet_sd() + - res = Sendto("send_ip_packet", sd, packet, packetlen, 0, + + res = Sendto("send_ip_packet_sd", sd, packet, packetlen, 0, + +[DONE] Correct BPF filter specs, to make the condition about the source + address apply everywhere. + +[DONE] Fix possible bug in BPF filter specification. 
More details in + http://seclists.org/nmap-dev/2010/q2/252 + +[DONE] Work on nping&nmap code merge. + +[DONE] For options that take numbers we need to allow users to specify them + also in hex with the format 0xNNNN... + +[DONE] Replace this pattern: + if ( isNumber_u32(optarg) ){ + u32 aux32 = strtoul( optarg, NULL, 10); + ... + } + with a function that checks for syntax and returns the value (i.e., a wrapper + around strtoul). There is nowhere that isNumber_u* is called without it being + immediately followed by a strtoul, outside of utils.cc. + +[DONE] Bug in --icmp-advert-entry. Specified IPs are being set in host byte + order instead if in network byte order. + +[DONE] Investigate why ARP replies are not being received. Wireshark shows + replies but they don't get captured by Nping. The bpf filter looks + ok: "arp and arp[6]==0x00 and arp[7]==0x02" + +[DONE] Investigate into this: + sudo nping --icmp scanme.nmap.org -vvv -d1 --icmp-type ra --icmp-advert-entry 256.257.258.259,222 + Invalid Router Advertising Entry specification: Unable to resolve 6628128 + Apparently the call to outFatal() is specifying %d instead of %s, but + that's not being detected properly by the compiler, because we don't + get a warning. We have to do something like this: + void fatal(const char *fmt, ...) + __attribute__ ((noreturn)) + __attribute__ ((format (printf, 1, 2))); + TODO: Look at the documentation to see what the numbers mean. + Probably one of the is the index of the format argument, and the + other is where the varargs start. + +[DONE] Fix division by zero exception: + sudo nping --icmp scanme.nmap.org -vvv -d1 --icmp-type echo --rate 0 + ./test_nping.sh: line 83: 11690 Floating point exception"$@" + +[DONE] Fix little problem in TIMING_5. We need to detect the bogus time + before we actually pass the value to NpingOps. Nping is giving an + error but the bogus input is getting to far. 
+ +[DONE] Document that badsum-ip may not always work because the kernel may + correct the sum. + +[DONE] Change overloaded functions in libnetutil that were refactored to + make them compile in C. Go back to the overloaded version if possible. + +[DONE] Move grab_next_host_spec() and pals to netutil. + +[DONE] Control the case when user passes "--mtu 0". An assertion fails but + Nping should print a nicer message. + +[DONE] Improve error message for --mtu. We should probably allow mtu's bigger + than 2^16 but take that as a "dont fragment" request. Also, make + "rand" produce only valid MTUs (multiple of 8, etc). + +[DONE] When passing "--tcp-flags 0x100" the error is not very accurate. + This is because parser_u8() fails and then Nping tries to resolve the + value letter by letter. Maybe we can parse_u32() it, and then check + if n<255 and print a better error message. + +[DONE] Document what happens with the IP header length when user wants to + add uneven bytes of IP options. We are truncating the result, because + the header length is expressed in 32 bit words. + +[DONE] Check if there is any problem with -e "". Maybe we shouldn't let users + supply a NULL name, but make them use the "any" specifier. Add doc + about this and update the test description (MISC_12). + +[DONE] Update documentation for option --delay, including that now, time + specification as float numbers is supported (eg: --delay 0.1 meaning 100ms) + +[DONE] Change info about TODO file in https://nmap.org/nping web page. + - If you wish to contribute code to Nping there is a TO-DO list you can have + - a look at (file "TODO" in the source package). + + If you wish to contribute code to Nping there is a TO-DO list you can have + + a look at (file "todo/nping.txt" in nmap's source package). + +[DONE] Make sure randomnly generated checksums are in fact invalid and don't match + the correct checksum. There is a 1/65535 chance of this happening. 
+ +[DONE] After merging nmap-dedup, change send_frag_ip_packet() to take "u32 mtu" + and fix the printf below to use "%u" instead of "%i". + +[DONE] [EM] Update EchoProtoRFC.txt and any of the other design files as + appropriate and send to nmap-dev for comments + +[DONE] [EM] Pick a default port number + +[DONE] [EM] Make a mockup of the desired standard output in a regular echo mode + execution, like nping -c 2 --tcp --flags SYN -p 80 scanme.nmap.org (let's + assume there are some differences found, like a NAT is in place) + o A key aspect of this task is determining what diffs are going + to look like. + +[DONE] [EM] Things to decide on: + o Decide on packet specifiers that can be passed to the server so it + can recognize packets sent by the client even if a number of headers + have changed and pass them back. (see Fyodor/Luis IM discussion logs + from 6/28/10). + +[DONE] [EM] Improve client error handling. Currently it doesn't behave well when + the server crashes. + +[DONE] [EM] Make the client timeout if the server does not send data during + handshake. Currently the client waits forever. + +[DONE] [EM] Make the server detect when a client disconnects and delete its context + data. + +[DONE] [EM] Get rid of some messages that are currently displayed in the client. + Print them only if debugging level is high enough. + +[DONE] [EM] Make sure -h help screen includes info about the echo mode. + +[DONE] [EM] Add echo mode to the man page. + +[DONE] [EM] Add received echoed packet to the final statistics. + +[DONE] [EM] Multi-client support + +[DONE] [EM] Delay RECV message printing so the CAPT messages are shown in order. + +[DONE] [EM] Use NEP_QUIT only if necessary, just close connection if possible. + +[DONE] [EM] Implement crypto + +[DONE] [EM] Consider whether the CAPT line should (or should have an + option to) display the time based on capture time from the server. + Obviously this can be problematic because not all machines run + ntpd. 
One option is to just make it an option so that people should + only use it if both the client and server are running ntpd. Luis is + adding a precision timestamp to NEP_ECHO packets so we could easily + add it in the future. Another approach would be to do NTP-style + handshaking to compute time offsets between the two machines during + the echo side-channel handshaking. Then the client could remember + how far off it is. A third approach is to guess about the CAPT time + that it was 1/2 the time between packet send and when we received + the NEP_ECHO back notifying us of receipt. + NOTE: We finally decided to take the third approach. CAPT_time=RTT/2. + +[DONE] [EM] Consider whether we should delay RCVD packet printing + slightly so that CAPT packets received just slightly afterward could + be printed before the RCVD. This might make the most sense if we do + the previous feature where we show the time that a packet was + actually captured by echo server. If we did it in normal cases, it + might make it easier to compare SENT and CAPT packets, but would + also be a bit strange to see the timeline out-of-order. + +[DONE] Fix Windows rtt values. Right now Nsock does not seem to be giving + the callback at the proper time, or something. + +[DONE] Add --no-crypto to -h output. + +[DONE] Make sure nping does not allow generating packets with tcp src port or + tcp dst port 9929 (or --echo-port N, if that is set), because 1) the + echo server does not capture those packets and 2) to avoid messing up the + established side-channel tcp connection. + +[DONE] Add support for custom IP binding: if user supplies -S then + the echo side-channel connection and connections in TCP-Connect mode should be + established from that IP. This includes the echo server binding to that IP. + +[DONE] Make nping issue a warning when user supplies a payload in TCP-Connect + mode. + +[DONE] [EM] Echo server should print which interface is using to capture packets. 
+ +[DONE] In some cases, when using nping through a VPN connection, nsi_pcap_linktype() + returns something different to DLT_EN10MB, and Nping fatals. Investigate + why this happens to nping and is not a problem for Nmap. Also, determine + why this doesn't happen all the time. What does it change between these + two?: sudo nping --udp 1.1.1.1 -g 999 -p998 + sudo nping --udp 1.1.1.1 -g 999 -p999 + The first one works, and the other one fatals with the "Currently only + Ethernet is supported." (error message @ nping.cc:1717). + - Note this also happens when Fyodor uses Nping tethering through + his cell phone (ppp0) + +[DONE] [EM] Make the server stop capturing packets when all connected clients + finish their session. + +[DONE] [EM] Some things to keep in mind for the implementation and to update + our design docs accordingly: + o Implement different "modes" for the server: complete access, + one-time-access, and restricted. + +[DONE] Do more testing on MS Windows. + +[DONE] [EM] Investigate why the echo server does not send NEP_ECHO messages when the + client sends probes at a very high rate, like in : + ./nping -c 1000 --rate 1000 --echo-client "pass" --icmp -v echo.nmap.org + +[DONE] [EM] Add echo mode to the man page + + +[DONE] [EM] Do some extensive testing of the Echo mode once it is working + to try and flesh out any bugs before merging. + +[DONE] Make Nping call nsi_delete() on pcap IODs, IODs in TCP-Connect mode and maybe + in IODs of other modes. See http://seclists.org/nmap-dev/2010/q3/587 + +[DONE] Fix bug that causes Nping to fail when sending UDP packets to a broadcast + address. More info: <http://seclists.org/nmap-dev/2010/q3/752> + +[DONE] When doing ICMP echo traceroute (with --traceroute), unless the user + supplies a custom round count (-c/--count), Nping only sends 5 packets + (default round count). This is usually not enough to reach hosts + on the internet. What should be the default behaviour? 
Stick with the + default round count of 5 or increment it when --traceroute is set? + - We should probably set -c 32 when --traceroute is specified, + unless user specifies their own -c explicitly. + +[DONE] Try to reduce the size of the internal buffer in the EchoHeader class. + Currenltly it allocates a big buffer that is able to hold the theoretical + maximum size of a NEP message (normal use does not require so much space). + When this is done, check if we still need to increase the stack size + in the project properties in Visual Studio. + +[DONE] [Fixed by Vasiliy Kulikov] When running Nping in ARP mode, hexdump of + ARP replies is not shown with -vvv, only for requests. Here's the output: + +sudo nping --arp 192.168.240.139 -vvv -d1 + +Starting Nping 0.5.59BETA1 ( https://nmap.org/nping ) at 2011-07-11 12:32 CEST +BPF-filter: arp and arp[6]==0x00 and arp[7]==0x02 +SENT (0.0562s) ARP who has 192.168.240.139? Tell 192.168.240.1 +0000 ff ff ff ff ff ff 00 50 56 c0 00 01 08 06 00 01 .......PV....... +0010 08 00 06 04 00 01 00 50 56 c0 00 01 c0 a8 f0 01 .......PV....... +0020 00 00 00 00 00 00 c0 a8 f0 8b .......... +RCVD (0.0568s) ARP reply 192.168.240.139 is at 00:0C:29:E4:90:CD +SENT (1.0580s) ARP who has 192.168.240.139? Tell 192.168.240.1 +0000 ff ff ff ff ff ff 00 50 56 c0 00 01 08 06 00 01 .......PV....... +0010 08 00 06 04 00 01 00 50 56 c0 00 01 c0 a8 f0 01 .......PV....... +0020 00 00 00 00 00 00 c0 a8 f0 8b .......... + + |
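Review bot: the quoted specification under "Make privileged and unprivileged TCP/UDP mode specification consistent" has a flag typo that matters because this block defines which socket type Nping picks depending on privileges: "User is unprivileged and supplied --upd --> User UDP unprivileged" should read "--udp --> Use UDP unprivileged", and the two "User raw sockets UDP" / "User UDP unprivileged" lines should read "Use ...". Since this is a new file, the other typos are worth fixing in the same commit before they get copied into docs: "To suscribe" (subscribe), "proto-dependant" (dependent), "returned bu get_max_open_descriptors()" (by), "wait undefinitely" (indefinitely), "weirds packes" (weird packets), "IP header lenght" (length), "randomnly generated" (randomly) and "Currenltly it allocates" (currently). One content point: the open item "Make sure randomnly generated checksums in IPv6-TCP/UDP are in fact invalid" overlaps the closed item near the end ("Make sure randomnly generated checksums are in fact invalid ... There is a 1/65535 chance of this happening"); the open item should say explicitly that the IPv4 path is already handled and only the IPv6 path remains, and carry over the 1/65535 collision note so whoever picks it up knows to check the generated value against the correct sum rather than just randomising it.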