1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
|
/*****************************************************************************
* *
* o *
* o *
* o *
* o o *
* o o *
* o o *
* o o o *
* o o o *
* 888b 888 o o o *
* 8888b 888 o o o *
* 888Y88 888 o o o *
* 888Y88b 888 o *
* 888 Y88b888 o *
* 888 Y88888 *
* 888 Y8888 *
* 888 Y888 *
* *
* --[NPING TO-DO LIST]-- *
* *
*****************************************************************************/
This file contains Nping's to-do list. Items are listed in order of priority
(high priority items are listed first). Feel free to work on any of the items
on the list. However, if you'd like to work on something that is not trivial
to implement you may want to send a message to the nmap-dev list before you
start so other developers can see what you are planning to do. Make sure you
explain exactly what you are trying to fix/implement and how you are planning
to do it. It's always better to discuss bugfixes and new feature additions in
advance because they may actually have bigger implications than you think and
you may not get your patch accepted.
Please keep in mind that contributed code must:
* Be written in C++.
* Include comments so anyone can understand immediately what it does.
* Work on Linux, Mac OS and MS Windows. It's OK if you have not tested
the code in all those platforms, but at least keep portability in mind when
you write it and include a list of systems you've tested it on along with
your patch.
Questions, comments and patches should be sent to the Nmap development
mailing list (nmap-dev). To suscribe:
<https://nmap.org/mailman/listinfo/dev>
/*****************************************************************************
* Things that have NOT been done yet *
*****************************************************************************/
* Improve IPv6 support. Currently it doesn't work well. The situation should be
analyzed in detail because right now Nping has code to send packets at raw
transport level (letting the OS craft the IPv6 header), and at raw ethernet
level. None of them seems to work well, though.
* Investigate an IPv6-related core dump reported by Vasiliy Kulikov.
More info: http://seclists.org/nmap-dev/2011/q3/567
* Consider using Nmap's proto-dependant payloads for UDP packets. According
to David's tests, better results are obtained when sending UDP probes with a
payload specific to the protocol.
* Consider adding the possibility to see the RTT in the RECV line. Something
similar to the way the traditional ping tool prints the RTT (time=XXX ms)
$ ping nmap.org
PING nmap.org (173.255.243.189) 56(84) bytes of data.
64 bytes from nmap.org (173.255.243.189): icmp_req=1 ttl=48 time=169 ms
64 bytes from nmap.org (173.255.243.189): icmp_req=2 ttl=48 time=177 ms
64 bytes from nmap.org (173.255.243.189): icmp_req=3 ttl=48 time=179 ms
^C
--- nmap.org ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2000ms
rtt min/avg/max/mdev = 169.097/175.137/179.152/4.347 ms
This was requested by Jacek Wielemborek. More info:
http://seclists.org/nmap-dev/2013/q3/533
* Currently, Nping determines the maximum number of open descriptors
(in TCP connect and UDP unprivileged modes), from the value returned
by libnetutil::get_max_open_descriptors(). However, it is often the
case that such function returns a value higher than FD_SETSIZE, which
is the maximum number of descriptors that select(2) can handle.
Currently Nsock uses select(2) so we have to limit the number of
descriptor to FD_SETSIZE, and not to the value returned bu
get_max_open_descriptors(). However, Henri Doreau is working on a new
nsock-engines branch which will provide Nsock engines based on
better I/O syscalls like poll() and epoll(). I've asked Henri if he
could implement a function in Nsock that provides the maximum number
of descriptors that can be handled at the same time, based on the
nsock engine being used. So, if that function gets implemented and
his nsock-engines branch merged into trunk, we should consider
updating Nping's code to use it.
More info here:
http://seclists.org/nmap-dev/2011/q4/550
* A few ideas for the Echo protocol:
- Add an authenticated NEP_BYE message, so session termination is explicit
and both ends can determine if the session was ended because the other end
requested it or if it was due to some error at the network or transport
layer. Suggested by David.
- Add examples for encryption and hmac to the RFC. This would help in
debugging implementations. Suggested by Toni Ruottu.
- RFC. Improve description of how the IVs work. Suggested by Toni Ruottu.
- RFC. Improve description of encryptionless sessions. Suggested by Toni
Ruottu.
- Currently, the echo server zeroes any application layer data before
transmission in a NEP_ECHO message. This minimizes the impact of
errors in the server's packet matching engine or malicious attacks that
attempt to trick the server into echoing packets that do not belong to
a particular user. This works well but in the future, if one day we
create a NEPv2 specification, we may want to consider extending NEP_ECHO
packets to allow stripped-packet transport. This is, to allow echo servers
to remove application layer data before transmission, and include
additional information in the NEP_ECHO message so clients can determine
that the payload part was stripped and how long was it.
- Consider making the echo server bind to all IPv4 AND IPv6 interfaces.
- Add a description of the security implications of running a public echo
server (failures in the packet matching algorithm, etc), to either the
RFC or the man page. Suggested by Toni Ruottu.
- Test the new --safe-payloads option with a packet fuzzer to make sure
the packet parser behaves correctly.
* When running Nping echo client with the --no-capture parameter, the last
packet's CAPT line is not displayed.
nping --ec public echo.nmap.org -p90 --tcp --count 1 --no-capture
luis@Aberdeen:~$ sudo nping --ec public echo.nmap.org -p90-92 --tcp --count 1 --no-capture
Starting Nping 0.5.52.IPv6.Beta2 ( https://nmap.org/nping ) at 2011-07-05 12:53 CEST
SENT (7.3302s) TCP 163.117.203.253:18554 > 74.207.244.221:90 S ttl=64
CAPT (7.4625s) TCP 163.117.203.253:18554 > 74.207.244.221:90 S ttl=54
SENT (8.3309s) TCP 163.117.203.253:18554 > 74.207.244.221:91 S ttl=64
CAPT (8.4429s) TCP 163.117.203.253:18554 > 74.207.244.221:91 S ttl=54
SENT (9.3310s) TCP 163.117.203.253:18554 > 74.207.244.221:92 S ttl=64
Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
Raw packets sent: 3 (120B) | Rcvd: 0 (0B) | Lost: 3 (100.00%)| Echoed: 2 (80B)
Tx time: 2.00181s | Tx bytes/s: 59.95 | Tx pkts/s: 1.50
Rx time: 2.00193s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
Nping done: 1 IP address pinged in 9.33 seconds
* Sometimes Nping displays a couple of error messages (related to cleanup of
Nsock events), even though everything went fine.
luis@Aberdeen:~$ sudo nping --ec public echo.nmap.org -p90 --tcp --count 1
Starting Nping 0.5.52.IPv6.Beta2 ( https://nmap.org/nping ) at 2011-07-05 12:51 CEST
SENT (1.8965s) TCP 163.117.203.253:64288 > 74.207.244.221:90 S ttl=64
CAPT (2.0293s) TCP 163.117.203.253:64288 > 74.207.244.221:90 S ttl=54
RCVD (2.1233s) TCP 74.207.244.221:90 > 163.117.203.253:64288 RA ttl=51
nping_event_handler(): READ-PCAP killed: Resource temporarily unavailable
nping_event_handler(): TIMER killed: Resource temporarily unavailable
Max rtt: 226.762ms | Min rtt: 226.762ms | Avg rtt: 226.762ms
Raw packets sent: 1 (40B) | Rcvd: 1 (40B) | Lost: 0 (0.00%)| Echoed: 1 (40B)
Tx time: 0.00136s | Tx bytes/s: 29411.76 | Tx pkts/s: 735.29
Rx time: 1.00082s | Rx bytes/s: 39.97 | Rx pkts/s: 1.00
Nping done: 1 IP address pinged in 2.93 seconds
* Investigate about warning on old version of gcc like g++ 4.1.2 20080704
(Red Hat 4.1.2-48). No warnings are shown on newer version but it would be
nice to get rid of them if possible. There are some of them:
ARPHeader.h:169: warning: ‘class ARPHeader’ has virtual functions but
non-virtual destructor
RawData.h:99: warning: ‘class RawData’ has virtual functions but
non-virtual destructor
* Decide more on rDNS
- Do we want to rDNS resolve all target IPs? If so, where should we
show the name? At the final report (even when just one host
scanned, which omits that line now)? In the individual packet
trace lines? When a CNAME (or a name which forward resolves but
does the IP doesn't reverse resolve) is specified on the command
line, should we use that version, or the official rDNS, if any?
- Some more discussion on this topic on nmap-dev may be warranted.
* Improve output for negative verbosity levels. Currently, one can't
even tell how many hosts replied, just how many responses were
received, which could be all from the same host. If there is only
one target, then the current behavior is fine. However, when pinging
more targets, we should be able to provide a better output; at least
how many hosts were alive. This was suggested by Dan Farmer.
* Consider adding more examples of setting fields/payloads to the man
page. This was suggested by Dan Farmer.
* Consider adding support for XML output.
* From: David Lam <david@thedavid.net>, "Some general questions about
Nping/Ncat"
In TCP traceroute mode, would it be possible to ask Nping to
stop once it gets an SYN-ACK response back from the destination host rather
than continuously hitting the host until the max TTL?
* Make broadcast ping work. Currently the following command does not
show any captured packets:
nping 192.168.0.255 --dest-mac ff:ff:ff:ff:ff:ff -c 1
The cause is probably the BPF filter, which only allows replies from
192.168.0.255.
Also, look into official multicast addresses like 224.0.0.1. Can we
received replies to that probe?
* Do some performance testing.
Fyodor:
<<Nping should be able to send packets quickly, at least comparable to
"ping -f" and hping. If it can't send as many packets per second as those,
then it warrants looking into whym figuring out what the bottlenecks are.
It would be good to compare nping with other tools such as hping in
terms of how high the values of packets per second can get and still
work reliably.>>
* Stats for ARP packets.
* Do more testing on Mac
* Support pre defined probe rates: --fast, --faster, --flood, --slow,
--slower, --paranoid...
* Think about --establish feature, which uses raw packets to establish
a connection and can then send data on the connected stream (Luis
already has a proof-of-concept implementation).
* Make privileged and unprivileged TCP/UDP mode specification consistent.
> - User is unprivileged and did not supply mode: --> Use TCP-Connect
> - User is unprivileged and supplied --tcp --> Use TCP-Connect
> - User is unprivileged and supplied --upd --> User UDP unprivileged
> - User is root and did not supply mode --> Use ICMP Echo
> - User is root and supplied --tcp --> Use raw sockets TCP
> - User is root and supplied --udp --> User raw sockets UDP
> - User is root and wants to use TCP-Connect --> User needs to either
> pass --tcp-connect or --unprivileged
> - User is root and want unprivileged UDP --> User needs to pass
> --unprivileged or --udp-XXXXX (any suggestions?. --udp-sendto() may not
> be the best idea because when we use raw sockets we also use sendto() to
> transmit the data).
* Support reverse DNS resolution in --traceroute
* Implement TCP options
* Implement hping-like ability to change the port/ttl using the keyboard
during a scan.
* Disable ARP resolution when --source-mac is specified.
* Implement --data-file option. What should we do if file is big? Read the
first X bytes? Send consecutive chunks?
* Implement ICMP address mask
* Implement entire ICMP Traceroute message opts.
* Research on default IP Identification value. Kernel does not seem to like
value 0 because when set to zero, kernel changes it to some other value. When
we set it to something !=0, the kernel leaves our value untouched.
* At some point in the future, implement weird ICMP Types. I think this would
let us make a difference to the rest of pings and packet creation tools
because anyone wanting to send weirds packes would have to download our
Nping ;-)
( http://www.iana.org/assignments/icmp-parameters )
6 Alternate Host Address [JBP]
31 Datagram Conversion Error [RFC1475]
32 Mobile Host Redirect [David Johnson]
33 IPv6 Where-Are-You [Bill Simpson]
34 IPv6 I-Am-Here [Bill Simpson]
35 Mobile Registration Request [Bill Simpson]
36 Mobile Registration Reply [Bill Simpson]
39 SKIP [Markson]
40 Photuris [RFC2521]
* Implement checks in function that handles received packets:
Fyodor:
<<You can't assume that the filter always works right, so you do need to
validate the information anyway. For example, on windows in some cases
we have to change the filter to "" because it doesn't work otherwise
so, in actuality, I often end up with rather broad pcap filters and then
do the checking by hand, but tightening the pcap filter can improve
performance a bit.>>
* Implement "-iL inputfilename (Input from list) " and the case where "-" is
supplied and target specs need to be read from stdin.
* Consider adding option to allow sending NO packets but act as a
simple sniffer. Users could use --bpf-filter to specify a
tcpdump-like filter and get every receive packet printed to
stdout. Maybe with "-c 0"? "-c none"? We need to have some flag in
NpingOps so we don't terminate Nping but wait undefinitely.
* At some point we should support nmap-like MAC specification.
* When implementing IPv6, check MAX_TCP_PAYLOAD_LEN constant and method
TCPHeader::setSum(). Because with IPv6 the max payload length should be 20
bytes less than with the IPv4 header.
* When using payloads, take into account that the IP and TCP headers may
contain options and therefore, the maximum payload len should be
65535 - 20(ip header) - 40 (ip options) -20(tcp header) -20(tcp options);
* Make sure randomnly generated checksums in IPv6-TCP/UDP are in fact invalid
and don't match the correct checksum.
* Fyodor:
<<in some cases it might be nice to have an option which sends all
probes (all ports to all hosts) at the same time.>>
* ARP mode does not support payload specification. However, users may
want to do things like appending null bytes at the end of an ARP
packet to test some device behaviour, etc. Adding support for
payload to this mode is really trivial, would make the payload spec
more consistent with the rest of the modes, and may be a nice to have
feature.
* [EM] For CAPT packets, decide if we want to print the full info or
just the fields that have changed in transit (or both). Note that
printing differences would be complicated by the fact that nping
doesn't currently associate captured packets with the original send.
* Decide if we want to allow things like "1074628148" or "0x400d8634" to
be treated as valid IP addresses.
* Check out if --ip-options "RTUS 1.1.1.1 2.2.2.2" makes sense. It now
fails.
* It may be nice to let users set the IP header lenght field. Maybe they
want to stress tcp/stacks with this.
* Investigate on ICMP preference levels. It's not clear whether there is
a standard encoding or not. The logic that parses this in Nping needs
to be reviewed.
* Split up libnetutil.cc into different source files.
* Investigate on nping's version of devname2ipaddr. Think about side
effects on using that in Nmap.
* Consider adding multi-packet support.
o Example: tell nping to send 4 tcp packets, 5 icmp packets and 3 udp packets
* Consider adding RFC-style output for send/recv packets.
* Consider adding more detailed stats for the Echo Mode.
* [EM] Handle DLT types. Currently the server always sets the null DLT value
that indicates that no data link header is included.
/*****************************************************************************
* Things that have been solved already *
*****************************************************************************/
[DONE] Add default target port for TCP-Connect and TCP modes :: Port 80
[DONE] Add default target port for UDP mode :: Port 40125
[DONE] Add default UDP Source port: 53
JUSTIFICATION: From David's EffectivenessOfPingProbes
http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes
"The best individual UDP probes are still those to a random high port,
with a source port of 53 and a non-empty payload. Even without the source
port and payload, the ports 40125 and 40126 that I picked out of the air
are better choices than the current default of 31338, finding around 400
additional hosts."
[DONE] Change resolution for the inter-ping delay. (Fyodor: btw, usleep() will
probably do the trick for you as it let's you sleep with microsecond
precision)
[DONE] Use int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet, unsigned int
packetlen) instead of ip_open();
[DONE] Add protocol to BPF filterstring because It is possible that when in TCP mode
a UDP packet destined to the TCP source, arrives to the net iface and gets
printed.
[DONE] Implement multiple port specification.
[DONE] Implement ICMP router advertisement entries
[DONE] Default probe mode: ICMP echo
[DONE] Test ICMPv4Header::addRouterAdEntry() and check entries are being added
correctly.
[DONE] Determine source IP address automatically
[DONE] Determine network interface to be used for packet capture automatically
[DONE] Add support for cached DNS requests
[DONE] Start user documentation (mainly man page)
[DONE] Change output to include timing information
[DONE] Implement controls in payload options parsing to prevent specifying lengths
that cannot be carried by a single TCP/UDP packet.
[DONE] Start implementing unprivileged UDP pings.
[DONE] When sending ICMP packets, checksum is not being computed correcly if
--data-length, and options like that, are specified.
[DONE] Find a bug that under some circumstances produces a segfault. It is probably
related to the way option -e is being handled.
[DONE] Fix a bug in option "-e iface" that results on IP 2.0.0.0 being used as a
source address.
[DONE] Update --help display to include new ICMP flags. Check also commandline syntax
docs.
[DONE] Use nsock approach instead of threads.
[DONE] Finish ARP/RARP support.
[DONE] Change doc for option --count. We don't stop after N probes, we stop after
N rounds.
[DONE] Ask Fyodor what tool is used to convert from nmap-man.xml to nmap.1
[DONE] Check all outPrint()s and outError()s to ensure they specify the correct
verbosity/debug level.
[DONE] Document format specified in ArgParser::atoICMPType().
[DONE] Document format specified in ArgParser::atoICMPCode().
[DONE] Finish implementing unprivileged UDP pings.
[DONE] Finish Ethernet frame creation.
[DONE] Find a way to convert the nping.xml into man page.
[DONE] Check what happens if payload is specified and we are not sending TCP/UDP
but ICMP or other proto packets. [Sometimes it may not make sense to include
payloads (e.g. ARP) but we still allow it just in case users want to play
around].
[DONE] Ask Fyodor whether we want to display elapsed time (like nmap) or we prefer to
display rtt time as other ping utilities do. [This is probably fine for now]
[DONE] Fix the warnings produced by Fyodor's gcc.
+---------------+
NpingTargets.cc: In member function ‘int NpingTargets::processSpecs()’:
NpingTargets.cc:315: warning: comparison between signed and unsigned integer expressions
NpingTargets.cc: In member function ‘NpingTarget* NpingTargets::getNextTarget()’:
NpingTargets.cc:333: warning: comparison between signed and unsigned integer expressions
+---------------+
In file included from /usr/include/string.h:640,
from nbase/nbase.h:158,
from nping.h:107,
from utils.cc:95:
In function ‘void* memset(void*, int, size_t)’,
inlined from ‘int getNetworkInterfaceName(sockaddr_storage*, char*)’ at utils.cc:689:
/usr/include/bits/string3.h:85: warning: call to void* __builtin___memset_chk(void*, int, long unsigned int, long unsigned int) will always overflow destination buffer
+---------------+
[DONE] Redesign verbosity levels:
* Put verbosity levels 2 into level 1
* Use level 2 for error.
* Use level 3 to print everything but not sent/rcv packets.
* Level 4 the usual
[DONE] Add stats at the end of nping execution.
[DONE] Add options to disable viewing of sent packets.
[DONE] Add option to to disable packet capture.
[DONE] Add a section to the man page explaining how we iterate over targets,
ports, etc.
[DONE] Beta-testing email to the list.
[DONE] Change default round count to 5.
[DONE] Fix a segfault detected by Fyodor in trg=o.targets.findTarget(...).
[DONE] Send an email to the list telling about the nping.exe file.
[DONE] Support CTRL-C statistics.
[DONE] Change "solution" file in mswin32/nmap.sln to nping.sln
[DONE] In man page and -h: move Ethernet section so it appears after network
layer info.
[DONE] Make rx time more accurate taking into account that we wait for a bit after
the last probe is sent.
[DONE] Fix bug: add ICMP dest unreachable, etc to the BPF filter so we can get
icmp error messages when TTLs expire, etc.
[DONE] Disable all ethernet related code when sendEth is false.
[DONE] Finish porting Nping to Windows.
[DONE] Find an OS X box to test Nping.
[DONE] Reorganize verbosity levels (again ;-) [-3, +3].
[DONE] Finish documentation for options --source-mac and --dest-mac
[DONE] Make sure --ether-type supports specifying types in hex.
[DONE] Implement verbosity level 3: in this level, sent and recv packets are
hexdumped to stdout.
[DONE] Write and check in nping/index.html web site
- Include SVN checkout/install instructions
- include tarballs when available
[DONE] Create Windows installer (maybe can copy a lot of stuff from what
Ithilgore has done with Ncrack)
[DONE] Create Nping release tarball for UNIX systems
[DONE] Release Nping 0.1BETA2
[DONE] Man page should say Nping is currently in Alpha stage.
[DONE] Support -vvv, -qqq and -ddd syntax. [Requested by Dirk Loss]
[DONE] Create Mac OS X installer (also can probably copy a lot of stuff
from what Ithilgore has done with Ncrack. David can usually help
with installer building).
[DONE] Move nping to /nping in SVN rather than being in nmap-exp
[DONE] Set up automatic conversion from nping XML man page to HTML for
https://nmap.org/nping/man.html [Fyodor working on this]
[DONE] Include signature files in new releases. [Requested by Henri Salo]
[DONE] It would be nice to have Bzip2 packages. [Requested by Henri Salo]
(These last two don't make sense anymore as Nping is now distributed
with Nmap).
[DONE] Do small fix in nmap's send_ip_packet_sd()
- res = Sendto("send_ip_packet", sd, packet, packetlen, 0,
+ res = Sendto("send_ip_packet_sd", sd, packet, packetlen, 0,
[DONE] Correct BPF filter specs, to make the condition about the source
address apply everywhere.
[DONE] Fix possible bug in BPF filter specification. More details in
http://seclists.org/nmap-dev/2010/q2/252
[DONE] Work on nping&nmap code merge.
[DONE] For options that take numbers we need to allow users to specify them
also in hex with the format 0xNNNN...
[DONE] Replace this pattern:
if ( isNumber_u32(optarg) ){
u32 aux32 = strtoul( optarg, NULL, 10);
...
}
with a function that checks for syntax and returns the value (i.e., a wrapper
around strtoul). There is nowhere that isNumber_u* is called without it being
immediately followed by a strtoul, outside of utils.cc.
[DONE] Bug in --icmp-advert-entry. Specified IPs are being set in host byte
order instead if in network byte order.
[DONE] Investigate why ARP replies are not being received. Wireshark shows
replies but they don't get captured by Nping. The bpf filter looks
ok: "arp and arp[6]==0x00 and arp[7]==0x02"
[DONE] Investigate into this:
sudo nping --icmp scanme.nmap.org -vvv -d1 --icmp-type ra --icmp-advert-entry 256.257.258.259,222
Invalid Router Advertising Entry specification: Unable to resolve 6628128
Apparently the call to outFatal() is specifying %d instead of %s, but
that's not being detected properly by the compiler, because we don't
get a warning. We have to do something like this:
void fatal(const char *fmt, ...)
__attribute__ ((noreturn))
__attribute__ ((format (printf, 1, 2)));
TODO: Look at the documentation to see what the numbers mean.
Probably one of the is the index of the format argument, and the
other is where the varargs start.
[DONE] Fix division by zero exception:
sudo nping --icmp scanme.nmap.org -vvv -d1 --icmp-type echo --rate 0
./test_nping.sh: line 83: 11690 Floating point exception"$@"
[DONE] Fix little problem in TIMING_5. We need to detect the bogus time
before we actually pass the value to NpingOps. Nping is giving an
error but the bogus input is getting to far.
[DONE] Document that badsum-ip may not always work because the kernel may
correct the sum.
[DONE] Change overloaded functions in libnetutil that were refactored to
make them compile in C. Go back to the overloaded version if possible.
[DONE] Move grab_next_host_spec() and pals to netutil.
[DONE] Control the case when user passes "--mtu 0". An assertion fails but
Nping should print a nicer message.
[DONE] Improve error message for --mtu. We should probably allow mtu's bigger
than 2^16 but take that as a "dont fragment" request. Also, make
"rand" produce only valid MTUs (multiple of 8, etc).
[DONE] When passing "--tcp-flags 0x100" the error is not very accurate.
This is because parser_u8() fails and then Nping tries to resolve the
value letter by letter. Maybe we can parse_u32() it, and then check
if n<255 and print a better error message.
[DONE] Document what happens with the IP header length when user wants to
add uneven bytes of IP options. We are truncating the result, because
the header length is expressed in 32 bit words.
[DONE] Check if there is any problem with -e "". Maybe we shouldn't let users
supply a NULL name, but make them use the "any" specifier. Add doc
about this and update the test description (MISC_12).
[DONE] Update documentation for option --delay, including that now, time
specification as float numbers is supported (eg: --delay 0.1 meaning 100ms)
[DONE] Change info about TODO file in https://nmap.org/nping web page.
- If you wish to contribute code to Nping there is a TO-DO list you can have
- a look at (file "TODO" in the source package).
+ If you wish to contribute code to Nping there is a TO-DO list you can have
+ a look at (file "todo/nping.txt" in nmap's source package).
[DONE] Make sure randomnly generated checksums are in fact invalid and don't match
the correct checksum. There is a 1/65535 chance of this happening.
[DONE] After merging nmap-dedup, change send_frag_ip_packet() to take "u32 mtu"
and fix the printf below to use "%u" instead of "%i".
[DONE] [EM] Update EchoProtoRFC.txt and any of the other design files as
appropriate and send to nmap-dev for comments
[DONE] [EM] Pick a default port number
[DONE] [EM] Make a mockup of the desired standard output in a regular echo mode
execution, like nping -c 2 --tcp --flags SYN -p 80 scanme.nmap.org (let's
assume there are some differences found, like a NAT is in place)
o A key aspect of this task is determining what diffs are going
to look like.
[DONE] [EM] Things to decide on:
o Decide on packet specifiers that can be passed to the server so it
can recognize packets sent by the client even if a number of headers
have changed and pass them back. (see Fyodor/Luis IM discussion logs
from 6/28/10).
[DONE] [EM] Improve client error handling. Currently it doesn't behave well when
the server crashes.
[DONE] [EM] Make the client timeout if the server does not send data during
handshake. Currently the client waits forever.
[DONE] [EM] Make the server detect when a client disconnects and delete its context
data.
[DONE] [EM] Get rid of some messages that are currently displayed in the client.
Print them only if debugging level is high enough.
[DONE] [EM] Make sure -h help screen includes info about the echo mode.
[DONE] [EM] Add echo mode to the man page.
[DONE] [EM] Add received echoed packet to the final statistics.
[DONE] [EM] Multi-client support
[DONE] [EM] Delay RECV message printing so the CAPT messages are shown in order.
[DONE] [EM] Use NEP_QUIT only if necessary, just close connection if possible.
[DONE] [EM] Implement crypto
[DONE] [EM] Consider whether the CAPT line should (or should have an
option to) display the time based on capture time from the server.
Obviously this can be problematic because not all machines run
ntpd. One option is to just make it an option so that people should
only use it if both the client and server are running ntpd. Luis is
adding a precision timestamp to NEP_ECHO packets so we could easily
add it in the future. Another approach would be to do NTP-style
handshaking to compute time offsets between the two machines during
the echo side-channel handshaking. Then the client could remember
how far off it is. A third approach is to guess about the CAPT time
that it was 1/2 the time between packet send and when we received
the NEP_ECHO back notifying us of receipt.
NOTE: We finally decided to take the third approach. CAPT_time=RTT/2.
[DONE] [EM] Consider whether we should delay RCVD packet printing
slightly so that CAPT packets received just slightly afterward could
be printed before the RCVD. This might make the most sense if we do
the previous feature where we show the time that a packet was
actually captured by echo server. If we did it in normal cases, it
might make it easier to compare SENT and CAPT packets, but would
also be a bit strange to see the timeline out-of-order.
[DONE] Fix Windows rtt values. Right now Nsock does not seem to be giving
the callback at the proper time, or something.
[DONE] Add --no-crypto to -h output.
[DONE] Make sure nping does not allow generating packets with tcp src port or
tcp dst port 9929 (or --echo-port N, if that is set), because 1) the
echo server does not capture those packets and 2) to avoid messing up the
established side-channel tcp connection.
[DONE] Add support for custom IP binding: if user supplies -S then
the echo side-channel connection and connections in TCP-Connect mode should be
established from that IP. This includes the echo server binding to that IP.
[DONE] Make nping issue a warning when user supplies a payload in TCP-Connect
mode.
[DONE] [EM] Echo server should print which interface is using to capture packets.
[DONE] In some cases, when using nping through a VPN connection, nsi_pcap_linktype()
returns something different to DLT_EN10MB, and Nping fatals. Investigate
why this happens to nping and is not a problem for Nmap. Also, determine
why this doesn't happen all the time. What does it change between these
two?: sudo nping --udp 1.1.1.1 -g 999 -p998
sudo nping --udp 1.1.1.1 -g 999 -p999
The first one works, and the other one fatals with the "Currently only
Ethernet is supported." (error message @ nping.cc:1717).
- Note this also happens when Fyodor uses Nping tethering through
his cell phone (ppp0)
[DONE] [EM] Make the server stop capturing packets when all connected clients
finish their session.
[DONE] [EM] Some things to keep in mind for the implementation and to update
our design docs accordingly:
o Implement different "modes" for the server: complete access,
one-time-access, and restricted.
[DONE] Do more testing on MS Windows.
[DONE] [EM] Investigate why the echo server does not send NEP_ECHO messages when the
client sends probes at a very high rate, like in :
./nping -c 1000 --rate 1000 --echo-client "pass" --icmp -v echo.nmap.org
[DONE] [EM] Add echo mode to the man page
[DONE] [EM] Do some extensive testing of the Echo mode once it is working
to try and flesh out any bugs before merging.
[DONE] Make Nping call nsi_delete() on pcap IODs, IODs in TCP-Connect mode and maybe
in IODs of other modes. See http://seclists.org/nmap-dev/2010/q3/587
[DONE] Fix bug that causes Nping to fail when sending UDP packets to a broadcast
address. More info: <http://seclists.org/nmap-dev/2010/q3/752>
[DONE] When doing ICMP echo traceroute (with --traceroute), unless the user
supplies a custom round count (-c/--count), Nping only sends 5 packets
(default round count). This is usually not enough to reach hosts
on the internet. What should be the default behaviour? Stick with the
default round count of 5 or increment it when --traceroute is set?
- We should probably set -c 32 when --traceroute is specified,
unless user specifies their own -c explicitly.
[DONE] Try to reduce the size of the internal buffer in the EchoHeader class.
Currenltly it allocates a big buffer that is able to hold the theoretical
maximum size of a NEP message (normal use does not require so much space).
When this is done, check if we still need to increase the stack size
in the project properties in Visual Studio.
[DONE] [Fixed by Vasiliy Kulikov] When running Nping in ARP mode, hexdump of
ARP replies is not shown with -vvv, only for requests. Here's the output:
sudo nping --arp 192.168.240.139 -vvv -d1
Starting Nping 0.5.59BETA1 ( https://nmap.org/nping ) at 2011-07-11 12:32 CEST
BPF-filter: arp and arp[6]==0x00 and arp[7]==0x02
SENT (0.0562s) ARP who has 192.168.240.139? Tell 192.168.240.1
0000 ff ff ff ff ff ff 00 50 56 c0 00 01 08 06 00 01 .......PV.......
0010 08 00 06 04 00 01 00 50 56 c0 00 01 c0 a8 f0 01 .......PV.......
0020 00 00 00 00 00 00 c0 a8 f0 8b ..........
RCVD (0.0568s) ARP reply 192.168.240.139 is at 00:0C:29:E4:90:CD
SENT (1.0580s) ARP who has 192.168.240.139? Tell 192.168.240.1
0000 ff ff ff ff ff ff 00 50 56 c0 00 01 08 06 00 01 .......PV.......
0010 08 00 06 04 00 01 00 50 56 c0 00 01 c0 a8 f0 01 .......PV.......
0020 00 00 00 00 00 00 c0 a8 f0 8b ..........
|