OpenVAS Libraries  9.0.3
nasl_builtin_synscan.c File Reference
#include <unistd.h>
#include <stdlib.h>
#include <arpa/inet.h>
#include <string.h>
#include <netinet/tcp.h>
#include <netinet/ip.h>
#include "../misc/arglists.h"
#include "../misc/bpf_share.h"
#include "../misc/pcap_openvas.h"
#include "../misc/plugutils.h"
#include "../misc/openvas_logging.h"
#include "../misc/prefs.h"
#include "../misc/network.h"
#include "nasl_lex_ctxt.h"
Include dependency graph for nasl_builtin_synscan.c:

Go to the source code of this file.

Data Structures

struct  pseudohdr
 
struct  list
 

Macros

#define _BSD_SOURCE   1
 
#define _DEFAULT_SOURCE   1
 
#define NUM_RETRIES   2
 

Functions

unsigned long maketime ()
 
struct timeval timeval (unsigned long val)
 
unsigned long compute_rtt (unsigned long then)
 
int packetdead (unsigned long then, unsigned long rtt)
 
int rawsocket (int family)
 Opens and returns a raw socket. More...
 
int openbpf (struct in_addr dst, struct in_addr *src, int magic)
 Opens a packet filter, grabs packets from dst to port magic. More...
 
int v6_openbpf (struct in6_addr *dst, struct in6_addr *src, int magic)
 
struct listget_packet (struct list *l, unsigned short dport)
 
struct listadd_packet (struct list *l, unsigned short dport, unsigned long ack)
 If no packet with dport is in list, prepends a "packet" to the. More...
 
struct listrm_packet (struct list *l, unsigned short dport)
 
struct listrm_dead_packets (struct list *l, unsigned long rtt, int *retry)
 
struct tcphdr * extracttcp (char *pkt, int len)
 
struct tcphdr * v6_extracttcp (char *pkt, int len)
 
unsigned long extractack (char *pkt, int len, int family)
 
unsigned short extractsport (char *pkt, int len, int family)
 
int issynack (char *pkt, int len, int family)
 
char * mktcp (struct in_addr src, int sport, struct in_addr dst, int dport, unsigned long th_ack, unsigned char flag)
 
char * mktcpv6 (struct in6_addr *src, int sport, struct in6_addr *dst, int dport, unsigned long th_ack, unsigned char flag)
 
struct listsendpacket (int soc, int bpf, int skip, struct in_addr dst, struct in_addr src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct arglist *env)
 
struct listv6_sendpacket (int soc, int bpf, int skip, struct in6_addr *dst, struct in6_addr *src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct arglist *env)
 
int scan (struct arglist *env, char *hostname, char *portrange, struct in6_addr *dst6, unsigned long rtt)
 
tree_cellplugin_run_synscan (lex_ctxt *lexic)
 

Macro Definition Documentation

◆ _BSD_SOURCE

#define _BSD_SOURCE   1

Definition at line 28 of file nasl_builtin_synscan.c.

◆ _DEFAULT_SOURCE

#define _DEFAULT_SOURCE   1

Definition at line 30 of file nasl_builtin_synscan.c.

◆ NUM_RETRIES

#define NUM_RETRIES   2

Definition at line 52 of file nasl_builtin_synscan.c.

Function Documentation

◆ add_packet()

struct list* add_packet ( struct list l,
unsigned short  dport,
unsigned long  ack 
)

If no packet with dport is in list, prepends a "packet" to the.

list l.

Definition at line 298 of file nasl_builtin_synscan.c.

299 {
300  struct list *ret;
301 
302  ret = get_packet (l, dport);
303  if (ret != NULL)
304  {
305 #ifdef SHOW_RETRIES
306  printf ("RETRIES FOR %d = %d\n", dport, ret->retries);
307 #endif
308  ret->retries++;
309  ret->when = ack;
310  return l;
311  }
312  ret = g_malloc0 (sizeof (struct list));
313 
314  ret->next = l;
315  ret->prev = NULL;
316  if (ret->next != NULL)
317  ret->next->prev = ret;
318 
319  ret->dport = dport;
320  ret->when = ack;
321  ret->retries = 0;
322  return ret;
323 }
struct list * get_packet(struct list *l, unsigned short dport)
unsigned short dport
unsigned long when
struct list * prev
struct list * next

References list::dport, get_packet(), list::next, list::prev, list::retries, and list::when.

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ compute_rtt()

unsigned long compute_rtt ( unsigned long  then)

Definition at line 136 of file nasl_builtin_synscan.c.

137 {
138  unsigned long now = maketime();
139  unsigned long res;
140  unsigned long a, b;
141 
142  a = (unsigned long) ntohl(now);
143  b = (unsigned long) ntohl(then);
144 
145 
146  if (b > a) {
147  return 0;
148  }
149  res = a - b;
150  if ( res >= (1 << 28) )
151  res = 1 << 28;
152 
153  return htonl(res);
154 }
unsigned long maketime()

References maketime().

Referenced by sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extractack()

unsigned long extractack ( char *  pkt,
int  len,
int  family 
)

Definition at line 415 of file nasl_builtin_synscan.c.

416 {
417  unsigned long ret;
418  struct tcphdr *tcp;
419  if(family == AF_INET)
420  tcp = extracttcp(pkt, len);
421  else
422  tcp = v6_extracttcp(pkt, len);
423 
424  if( tcp == NULL )
425  return -1;
426 
427  ret = htonl(ntohl(tcp->th_ack) - 1);
428  return ret;
429 }
struct tcphdr * extracttcp(char *pkt, int len)
struct tcphdr * v6_extracttcp(char *pkt, int len)

References extracttcp(), and v6_extracttcp().

Referenced by sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extractsport()

unsigned short extractsport ( char *  pkt,
int  len,
int  family 
)

Definition at line 433 of file nasl_builtin_synscan.c.

434 {
435  struct tcphdr *tcp;
436 
437  if(family == AF_INET)
438  tcp = extracttcp(pkt, len);
439  else
440  tcp = v6_extracttcp(pkt, len);
441 
442  if(tcp == NULL)return 0;
443 
444  return ntohs(tcp->th_sport);
445 }
struct tcphdr * extracttcp(char *pkt, int len)
struct tcphdr * v6_extracttcp(char *pkt, int len)

References extracttcp(), and v6_extracttcp().

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extracttcp()

struct tcphdr* extracttcp ( char *  pkt,
int  len 
)

Definition at line 392 of file nasl_builtin_synscan.c.

393 {
394  struct ip * ip;
395  struct tcphdr *tcp;
396 
397  ip = (struct ip*)pkt;
398  if(ip->ip_hl * 4 + sizeof (struct tcphdr) > len)
399  return NULL;
400 
401  tcp = (struct tcphdr*)(pkt + ip->ip_hl * 4);
402  return tcp;
403 }

Referenced by extractack(), extractsport(), and issynack().

Here is the caller graph for this function:

◆ get_packet()

struct list* get_packet ( struct list l,
unsigned short  dport 
)
Returns
First pointer to list in l with the given dport , NULL if no such list item could be found.

Definition at line 280 of file nasl_builtin_synscan.c.

281 {
282  while (l != NULL)
283  {
284  if (l->dport == dport)
285  return l;
286  else
287  l = l->next;
288  }
289  return NULL;
290 }
unsigned short dport
struct list * next

References list::dport, and list::next.

Referenced by add_packet(), and rm_packet().

Here is the caller graph for this function:

◆ issynack()

int issynack ( char *  pkt,
int  len,
int  family 
)

Definition at line 448 of file nasl_builtin_synscan.c.

449 {
450  struct tcphdr *tcp;
451 
452  if (family == AF_INET)
453  tcp = extracttcp(pkt, len);
454  else
455  tcp = v6_extracttcp(pkt, len);
456 
457  if (tcp == NULL)
458  return 0;
459 
460  return tcp->th_flags == (TH_SYN | TH_ACK);
461 }
struct tcphdr * extracttcp(char *pkt, int len)
struct tcphdr * v6_extracttcp(char *pkt, int len)

References extracttcp(), and v6_extracttcp().

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ maketime()

unsigned long maketime ( )

Definition at line 95 of file nasl_builtin_synscan.c.

96 {
97  struct timeval tv;
98  unsigned long ret;
99 
100  gettimeofday(&tv, NULL);
101 
102  ret = ((tv.tv_sec & 0x0000000F) << 28) | (((tv.tv_usec) & 0xFFFFFFF0) >> 4);
103 
104  return htonl (ret);
105 }
struct timeval timeval(unsigned long val)

References timeval().

Referenced by compute_rtt(), packetdead(), sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ mktcp()

char* mktcp ( struct in_addr  src,
int  sport,
struct in_addr  dst,
int  dport,
unsigned long  th_ack,
unsigned char  flag 
)

Definition at line 464 of file nasl_builtin_synscan.c.

466 {
467  static char pkt[sizeof (struct ip) + sizeof (struct tcphdr)];
468  struct ip *ip;
469  struct tcphdr *tcp;
470  struct pseudohdr pseudohdr;
471  char tcpsumdata[sizeof(pseudohdr)];
472 
473  ip = (struct ip *) (&pkt);
474  ip->ip_hl = 5;
475  ip->ip_v = 4;
476  ip->ip_tos = 0;
477  ip->ip_len = sizeof (struct ip) + sizeof (struct tcphdr);
478  ip->ip_id = rand();
479  ip->ip_off = 0;
480  ip->ip_ttl = 64;
481  ip->ip_p = IPPROTO_TCP;
482  ip->ip_sum = 0;
483  ip->ip_src.s_addr = src.s_addr;
484  ip->ip_dst.s_addr = dst.s_addr;
485  ip->ip_sum = in_cksum ((u_short *) pkt, sizeof (struct ip));
486 
487  tcp = (struct tcphdr *) (&(pkt[sizeof (struct ip)]));
488  tcp->th_sport = htons(sport);
489  tcp->th_dport = htons(dport);
490  tcp->th_seq = th_ack;
491  tcp->th_ack = 0;
492  tcp->th_x2 = 0;
493  tcp->th_off = 5;
494  tcp->th_flags = flag;
495  tcp->th_win = 4096;
496  tcp->th_sum = 0;
497  tcp->th_urp = 0;
498 
499  bzero(&pseudohdr, 12);
500  pseudohdr.saddr.s_addr = src.s_addr;
501  pseudohdr.daddr.s_addr = dst.s_addr;
502  pseudohdr.protocol = IPPROTO_TCP;
503  pseudohdr.length = htons(sizeof (struct tcphdr));
504  bcopy((char *) tcp, (char *) &pseudohdr.tcpheader, sizeof (struct tcphdr));
505  bcopy(&pseudohdr, tcpsumdata, sizeof (struct pseudohdr));
506  tcp->th_sum = in_cksum((unsigned short *) tcpsumdata, 12 + sizeof (struct tcphdr));
507 
508  return pkt;
509 }
struct in_addr saddr
Definition: ids_send.c:132
struct tcp_packet tcpheader
Definition: ids_send.c:137
struct in_addr daddr
Definition: ids_send.c:133
u_short length
Definition: ids_send.c:136
u_char protocol
Definition: ids_send.c:135

Referenced by sendpacket().

Here is the caller graph for this function:

◆ mktcpv6()

char* mktcpv6 ( struct in6_addr *  src,
int  sport,
struct in6_addr *  dst,
int  dport,
unsigned long  th_ack,
unsigned char  flag 
)

Definition at line 512 of file nasl_builtin_synscan.c.

514 {
515  static char pkt[sizeof (struct tcphdr)];
516  struct tcphdr *tcp;
517 
518  tcp = (struct tcphdr *) (&(pkt[0]));
519  tcp->th_sport = htons(sport);
520  tcp->th_dport = htons(dport);
521  tcp->th_ack = htonl (rand ());
522  tcp->th_seq = th_ack;
523  tcp->th_off = 5;
524  tcp->th_flags = flag;
525  tcp->th_win = htons (5760);
526  tcp->th_urp = 0;
527  tcp->th_sum = 2;
528 
529  return pkt;
530 }

Referenced by v6_sendpacket().

Here is the caller graph for this function:

◆ openbpf()

int openbpf ( struct in_addr  dst,
struct in_addr *  src,
int  magic 
)

Opens a packet filter, grabs packets from dst to port magic.

Parameters
[out]srcin_addr of source.
[in]dstDestination.
[in]magicDestination port on src to listen to.
Returns
A bpf that listens to tcp packets coming from dst to port magic.

Definition at line 227 of file nasl_builtin_synscan.c.

228 {
229  char *iface;
230  char filter[255];
231  int bpf;
232 
233  iface = routethrough (&dst, src);
234 #ifdef DEBUG
235  printf ("Source address found via routethrough: %s\n", inet_ntoa (*src));
236 #endif
237  snprintf (filter, sizeof (filter), "tcp and src host %s and dst port %d", inet_ntoa (dst), magic);
238 #ifdef DEBUG
239  printf ("Open bpf on interface %s with filter: %s\n", iface, filter);
240 #endif
241  bpf = bpf_open_live (iface, filter);
242  return bpf;
243 }
int bpf_open_live(char *iface, char *filter)
Definition: bpf_share.c:40
char * routethrough(struct in_addr *dest, struct in_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:1244

References bpf_open_live(), and routethrough().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ packetdead()

int packetdead ( unsigned long  then,
unsigned long  rtt 
)

Definition at line 158 of file nasl_builtin_synscan.c.

159 {
160  unsigned long now = maketime();
161 
162  then = ntohl(then);
163  now = ntohl(now);
164 
165  if ((now - then) >= 2 << 28 ) {
166  return 1;
167  }
168 
169  return 0;
170 }
unsigned long maketime()

References maketime().

Referenced by rm_dead_packets().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ plugin_run_synscan()

tree_cell* plugin_run_synscan ( lex_ctxt lexic)

Definition at line 788 of file nasl_builtin_synscan.c.

789 {
790  struct arglist *env = lexic->script_infos;
791  unsigned long rtt;
792  struct in6_addr *dst6 = plug_get_host_ip (env);
793  struct in_addr *dst;
794  struct in_addr inaddr;
795 #ifdef DEBUG
796  struct timeval tv;
797 #endif
798 
799  inaddr.s_addr = dst6->s6_addr32[3];
800  dst = &inaddr;
801 
802  if (islocalhost (dst))
803  return NULL;
804 
805  rtt = htonl (1 << 28);
806 
807 #ifdef DEBUG
808  printf ("RTT = 0x%.8x\n", ntohl (rtt));
809  tv = timeval (rtt);
810  printf ("That's %ld seconds and %ld usecs\n", tv.tv_sec, tv.tv_usec);
811 #endif
812 
813  struct host_info *hostinfo = arg_get_value (env, "HOSTNAME");
814  char *hostname = hostinfo->name;
815  const char *range = prefs_get ("port_range");
816  scan (env, hostname, (char *)range, dst6, rtt);
817  plug_set_key (env, "Host/scanned", ARG_INT, (void *) 1);
818  plug_set_key (env, "Host/scanners/synscan", ARG_INT, (void*)1);
819  return NULL;
820 }
#define ARG_INT
Definition: arglists.h:40
void plug_set_key(struct arglist *args, char *name, int type, const void *value)
Definition: plugutils.c:658
int islocalhost(struct in_addr *addr)
Tests whether a packet sent to IP is LIKELY to route through the kernel localhost interface.
Definition: pcap.c:415
const gchar * prefs_get(const gchar *key)
Get a string preference value via a key.
Definition: prefs.c:86
char * name
Definition: network.h:58
A port range.
struct in6_addr * plug_get_host_ip(struct arglist *desc)
Definition: plugutils.c:216
int scan(struct arglist *env, char *hostname, char *portrange, struct in6_addr *dst6, unsigned long rtt)
struct timeval timeval(unsigned long val)
struct arglist * script_infos
Definition: nasl_lex_ctxt.h:39
void * arg_get_value(struct arglist *args, const char *name)
Definition: arglists.c:252

References arg_get_value(), ARG_INT, islocalhost(), host_info::name, plug_get_host_ip(), plug_set_key(), prefs_get(), scan(), struct_lex_ctxt::script_infos, and timeval().

Here is the call graph for this function:

◆ rawsocket()

int rawsocket ( int  family)

Opens and returns a raw socket.

Definition at line 177 of file nasl_builtin_synscan.c.

178 {
179  int soc;
180  int opt = 1;
181  int offset = 8;
182 
183  if (family == AF_INET)
184  {
185  soc = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
186  if (soc < 0)
187  {
188  perror ("socket ");
189  printf ("error opeinig socket\n");
190  return -1;
191  }
192  if (setsockopt (soc, IPPROTO_IP, IP_HDRINCL, /*(char *) */&opt, sizeof (opt)) < 0)
193  {
194  perror ("setsockopt ");
195  printf ("error setting socket opt\n");
196  close (soc);
197  return -1;
198  }
199  }
200  else
201  {
202  soc = socket (AF_INET6, SOCK_RAW, IPPROTO_TCP);
203  if (soc < 0)
204  {
205  perror ("socket ");
206  printf ("error opeinig socket\n");
207  return -1;
208  }
209  setsockopt (soc, IPPROTO_IPV6, IPV6_CHECKSUM, &offset, sizeof (offset));
210  }
211 
212  return soc;
213 }

Referenced by scan().

Here is the caller graph for this function:

◆ rm_dead_packets()

struct list* rm_dead_packets ( struct list l,
unsigned long  rtt,
int *  retry 
)

Definition at line 352 of file nasl_builtin_synscan.c.

353 {
354  struct list *ret = l;
355  struct list *p = l;
356 
357 
358  *retry = 0;
359  while (p != NULL) {
360  struct list *next = p->next;
361  if (packetdead(p->when, rtt)) {
362  if (p->retries < NUM_RETRIES) {
363 #ifdef SHOW_RETRIES
364  printf("Will retry port %d\n", p->dport);
365 #endif
366  *retry = p->dport;
367  } else {
368 #ifdef SHOW_RTT_REMOVAL
369  printf("Removing port %d (RTT elapsed)\n", p->dport);
370 #endif
371  if (p->next != NULL)
372  p->next->prev = p->prev;
373 
374  if (p->prev != NULL)
375  p->prev->next = p->next;
376  else
377  ret = p->next;
378  g_free(p);
379  }
380  }
381  p = next;
382  }
383  return ret;
384 }
#define NUM_RETRIES
unsigned short dport
int packetdead(unsigned long then, unsigned long rtt)
unsigned long when
struct list * prev
struct list * next

References list::dport, list::next, NUM_RETRIES, packetdead(), list::prev, list::retries, and list::when.

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ rm_packet()

struct list* rm_packet ( struct list l,
unsigned short  dport 
)

Definition at line 327 of file nasl_builtin_synscan.c.

328 {
329  struct list *ret = l;
330  struct list *p = get_packet (l, dport);
331 
332  if (p == NULL)
333  {
334 #if DEBUG > 1
335  log_legacy_write ("Odd - no entry for %d - RTT too low ?!", dport);
336 #endif
337  return l;
338  }
339  if (p->next != NULL)
340  p->next->prev = p->prev;
341 
342  if (p->prev != NULL)
343  p->prev->next = p->next;
344  else
345  ret = p->next;
346 
347  g_free(p);
348  return ret;
349 }
void log_legacy_write(const char *format,...)
Legacy function to write a log message.
struct list * get_packet(struct list *l, unsigned short dport)
unsigned short dport
struct list * prev
struct list * next

References list::dport, get_packet(), log_legacy_write(), list::next, and list::prev.

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ scan()

int scan ( struct arglist env,
char *  hostname,
char *  portrange,
struct in6_addr *  dst6,
unsigned long  rtt 
)
Returns
-1 if the socket could not be opened (error), 0 otherwise.

This will send packets to ports not in ports list, will it?

Todo:
How to do this for ipv6? This causes much scan delay for IPv6.

Definition at line 672 of file nasl_builtin_synscan.c.

674 {
675  int num;
676  int soc;
677  int bpf;
678  struct in_addr src;
679  struct in_addr dst;
680  struct in6_addr src6;
681  int magic = 4441 + (rand() % 1200);
682  int skip;
683  int i;
684  struct list *packets = NULL;
685  int retry;
686  unsigned short *ports;
687  int family;
688 
689  dst.s_addr = 0;
690 
691  if (IN6_IS_ADDR_V4MAPPED (dst6))
692  {
693  family = AF_INET;
694  dst.s_addr = dst6->s6_addr32[3];
695  soc = rawsocket (AF_INET);
696  }
697  else
698  {
699  family = AF_INET6;
700  soc = rawsocket (AF_INET6);
701  }
702 #ifdef DEBUG
703  printf ("===> Port range = %s\n", portrange);
704  printf ("===> Target IP Family = %s\n", (family == AF_INET6) ? "v6"
705  : "v4");
706  printf ("===> Target = %s\n", inet_ntoa (dst));
707 #endif
708 
709  ports = (unsigned short *) getpts (portrange, &num);
710 
711  if (soc < 0)
712  {
713  printf ("error opening raw socket\n");
714  return -1;
715  }
716 
717  if (family == AF_INET)
718  bpf = openbpf (dst, &src, magic);
719  else
720  bpf = v6_openbpf (dst6, &src6, magic);
721  skip = get_datalink_size (bpf_datalink (bpf));
722 
724  for (i = 0; i < num ; i += 2)
725  {
726 #ifdef DEBUG
727  printf ("====> Sending packet to (at least) %u\n", ports[i]);
728 #endif
729  if (family == AF_INET)
730  packets = sendpacket (soc, bpf, skip, dst, src, ports[i], magic,
731  packets, &rtt, 0, env);
732  else
733  packets = v6_sendpacket (soc, bpf, skip, dst6, &src6, ports[i], magic,
734  packets, &rtt, 0, env);
735  if (i + 1 < num)
736  {
737 #ifdef DEBUG
738  printf ("=====>> Sniffing %u\n", ports[i+1]);
739 #endif
740  if (family == AF_INET)
741  packets = sendpacket (soc, bpf, skip, dst, src, ports[i + 1],
742  magic, packets, &rtt, 1, env);
743  else
744  packets = v6_sendpacket (soc, bpf, skip, dst6, &src6, ports[i + 1],
745  magic, packets, &rtt, 1, env);
746  }
747  }
748 
749 #ifdef DEBUG
750  printf ("Done with the sending\n");
751 #endif
752 
754  if (family == AF_INET)
755  {
756  while (packets != NULL)
757  {
758 #ifdef DEBUG
759  printf ("===> Retry...\n");
760 #endif
761  i = 0;
762  retry = 0;
763  packets = rm_dead_packets (packets, rtt, &retry);
764  while (retry != 0 && i < 2)
765  {
766  packets = sendpacket (soc, bpf, skip, dst, src, retry, magic,
767  packets, &rtt, 0, env);
768  packets = rm_dead_packets (packets, rtt, &retry);
769  i++;
770  }
771  packets = sendpacket (soc, bpf, skip, dst, src, retry, magic, packets,
772  &rtt, 1, env);
773  }
774  }
775 
776  close (soc);
777  bpf_close (bpf);
778  if (ports != NULL)
779  g_free (ports);
780  if (num >= 65535)
781  plug_set_key (env, "Host/full_scan", ARG_INT, (void*) 1);
782 
783  return 0;
784 }
#define ARG_INT
Definition: arglists.h:40
int rawsocket(int family)
Opens and returns a raw socket.
void plug_set_key(struct arglist *args, char *name, int type, const void *value)
Definition: plugutils.c:658
void bpf_close(int bpf)
Definition: bpf_share.c:153
int get_datalink_size(int datalink)
Definition: pcap.c:442
int bpf_datalink(int bpf)
Definition: bpf_share.c:146
unsigned short * getpts(char *origexpr, int *len)
Converts a string like "-100,200-1024,3000-4000,60000-" into an array.
Definition: network.c:2416
int v6_openbpf(struct in6_addr *dst, struct in6_addr *src, int magic)
struct list * sendpacket(int soc, int bpf, int skip, struct in_addr dst, struct in_addr src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct arglist *env)
struct list * v6_sendpacket(int soc, int bpf, int skip, struct in6_addr *dst, struct in6_addr *src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct arglist *env)
struct list * rm_dead_packets(struct list *l, unsigned long rtt, int *retry)
int openbpf(struct in_addr dst, struct in_addr *src, int magic)
Opens a packet filter, grabs packets from dst to port magic.

References ARG_INT, bpf_close(), bpf_datalink(), get_datalink_size(), getpts(), openbpf(), plug_set_key(), rawsocket(), rm_dead_packets(), sendpacket(), v6_openbpf(), and v6_sendpacket().

Referenced by plugin_run_synscan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ sendpacket()

struct list* sendpacket ( int  soc,
int  bpf,
int  skip,
struct in_addr  dst,
struct in_addr  src,
int  dport,
int  magic,
struct list packets,
unsigned long *  rtt,
int  sniff,
struct arglist env 
)
Parameters
sniffIf != 0, "sniff" (listen to incoming packages), else just add packet.

Definition at line 538 of file nasl_builtin_synscan.c.

541 {
542  unsigned long ack = maketime();
543  char *pkt = mktcp (src, magic, dst, dport, ack, TH_SYN);
544  int len;
545  char *res;
546  struct sockaddr_in soca;
547  struct timeval rtt_tv = timeval(*rtt);
548  int family = AF_INET;
549 
550  bzero (&soca, sizeof (soca));
551  soca.sin_family = AF_INET;
552  soca.sin_addr = dst;
553 
554  rtt_tv.tv_sec *= 1000;
555  rtt_tv.tv_sec /= 8;
556 
557  rtt_tv.tv_usec += (rtt_tv.tv_sec % 1000) * 1000;
558  rtt_tv.tv_sec /= 1000;
559  if (rtt_tv.tv_sec >= 1)
560  {
561  rtt_tv.tv_sec = 1;
562  rtt_tv.tv_usec = 0;
563  }
564 
565  if (dport != 0) {
566  int e;
567  packets = add_packet(packets, dport, ack);
568  e = sendto(soc, pkt, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *) & soca, sizeof(soca));
569  if (e < 0) {
570  perror("sendto ");
571  close(soc);
572  bpf_close(bpf);
573  return NULL;
574  }
575  }
576  if (sniff != 0) {
577 again:
578  res = (char *) bpf_next_tv (bpf, &len, &rtt_tv);
579  if (res != NULL) {
580  unsigned short sport = extractsport(res + skip, len, family);
581  int synack = issynack(res + skip, len, family);
582  unsigned int rack = extractack(res + skip, len, family);
583  if (synack) {
584  char * rst;
585 #ifdef DEBUG
586  printf("=> Port %d is open\n", sport);
587 #endif
588  scanner_add_port (env, sport, "tcp");
589  /* Send a RST to make sure the connection is closed on the remote side */
590  rst = mktcp(src, magic, dst, sport, ack + 1, TH_RST);
591  sendto(soc, rst, sizeof(struct ip) + sizeof(struct tcphdr), 0, (struct sockaddr *) & soca, sizeof(soca));
592 
593  /* Adjust the rtt */
594  *rtt = compute_rtt(rack);
595  if (ntohl (*rtt) >= (1 << 28))
596  *rtt = 1 << 28;
597  }
598  packets = rm_packet(packets, sport);
599  rtt_tv.tv_sec = 0;
600  rtt_tv.tv_usec = 0;
601  goto again;
602  }
603  }
604  return packets;
605 }
unsigned long extractack(char *pkt, int len, int family)
struct list * add_packet(struct list *l, unsigned short dport, unsigned long ack)
If no packet with dport is in list, prepends a "packet" to the.
char * mktcp(struct in_addr src, int sport, struct in_addr dst, int dport, unsigned long th_ack, unsigned char flag)
struct list * rm_packet(struct list *l, unsigned short dport)
void bpf_close(int bpf)
Definition: bpf_share.c:153
unsigned long compute_rtt(unsigned long then)
unsigned short extractsport(char *pkt, int len, int family)
unsigned short dport
int issynack(char *pkt, int len, int family)
void scanner_add_port(struct arglist *args, int port, char *proto)
Definition: plugutils.c:703
struct timeval timeval(unsigned long val)
unsigned long maketime()
u_char * bpf_next_tv(int bpf, int *caplen, struct timeval *tv)
Definition: bpf_share.c:104

References add_packet(), bpf_close(), bpf_next_tv(), compute_rtt(), list::dport, extractack(), extractsport(), issynack(), maketime(), mktcp(), rm_packet(), scanner_add_port(), and timeval().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ timeval()

struct timeval timeval ( unsigned long  val)

Definition at line 109 of file nasl_builtin_synscan.c.

110 {
111  struct timeval ret;
112  unsigned int h, l;
113 
114  val = ntohl (val);
115 
116  h = ( val & 0xF0000000 ) >> 28;
117  l = ( val & 0x0FFFFFFF) << 4;
118 
119  ret.tv_sec = h;
120  ret.tv_usec = l;
121  while ( ret.tv_usec >= 1000000 )
122  {
123  ret.tv_usec -= 1000000;
124  ret.tv_sec ++;
125  }
126 
127  if ( ret.tv_sec > 2 ) {
128  ret.tv_sec = 2;
129  ret.tv_usec = 0;
130  }
131  return ret;
132 }
const char * val
Definition: nasl_init.c:525
struct timeval timeval(unsigned long val)

References val.

Referenced by bpf_next(), bpf_next_tv(), capture_next_packet(), capture_next_v6_packet(), get_random_bytes(), maketime(), nasl_gettimeofday(), nasl_pcap_next(), nasl_recv(), nasl_send_capture(), nasl_tcp_ping(), nasl_tcp_v6_ping(), plugin_run_synscan(), sendpacket(), and v6_sendpacket().

Here is the caller graph for this function:

◆ v6_extracttcp()

struct tcphdr* v6_extracttcp ( char *  pkt,
int  len 
)

Definition at line 406 of file nasl_builtin_synscan.c.

407 {
408  struct tcphdr *tcp;
409  tcp = (struct tcphdr*)(pkt + 40);
410  return tcp;
411 }

Referenced by extractack(), extractsport(), and issynack().

Here is the caller graph for this function:

◆ v6_openbpf()

int v6_openbpf ( struct in6_addr *  dst,
struct in6_addr *  src,
int  magic 
)

Definition at line 247 of file nasl_builtin_synscan.c.

248 {
249  char *iface;
250  char filter[255];
251  char hostname[INET6_ADDRSTRLEN];
252  int bpf;
253 
254  iface = v6_routethrough(dst, src);
255 
256  snprintf (filter, sizeof(filter), "tcp and src host %s and dst port %d",
257  inet_ntop (AF_INET6, dst, hostname, sizeof (hostname)), magic);
258  bpf = bpf_open_live (iface, filter);
259  if (bpf < 0)
260  printf("bpf_open_live returned error\n");
261  return bpf;
262 }
char * v6_routethrough(struct in6_addr *dest, struct in6_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:1061
int bpf_open_live(char *iface, char *filter)
Definition: bpf_share.c:40

References bpf_open_live(), and v6_routethrough().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ v6_sendpacket()

struct list* v6_sendpacket ( int  soc,
int  bpf,
int  skip,
struct in6_addr *  dst,
struct in6_addr *  src,
int  dport,
int  magic,
struct list packets,
unsigned long *  rtt,
int  sniff,
struct arglist env 
)

Definition at line 608 of file nasl_builtin_synscan.c.

612 {
613  unsigned long ack = maketime();
614  char *pkt = mktcpv6(src, magic, dst, dport, ack, TH_SYN);
615  int len;
616  char *res;
617  struct sockaddr_in6 soca;
618  struct timeval rtt_tv = timeval(*rtt);
619 
620  bzero(&soca, sizeof(soca));
621  soca.sin6_family = AF_INET6;
622  memcpy(&soca.sin6_addr,dst, sizeof(struct in6_addr));
623  rtt_tv.tv_sec *= 1000;
624  rtt_tv.tv_sec /= 8;
625 
626  rtt_tv.tv_usec += (rtt_tv.tv_sec % 1000) * 1000;
627  rtt_tv.tv_sec /= 1000;
628  if ( rtt_tv.tv_sec >= 1 )
629  {
630  rtt_tv.tv_sec = 1;
631  rtt_tv.tv_usec = 0;
632  }
633 
634  if (dport != 0) {
635  int e;
636  packets = add_packet(packets, dport, ack);
637  e = sendto(soc, pkt,sizeof(struct tcphdr), 0, (struct sockaddr *) & soca, sizeof(soca));
638  if (e < 0) {
639  log_legacy_write ("sendto error in v6_sendpacket");
640  perror("sendto ");
641  close(soc);
642  bpf_close(bpf);
643  return NULL;
644  }
645  }
646  if (sniff != 0) {
647  res = (char *) bpf_next(bpf, &len);
648  if (res != NULL) {
649  unsigned short sport = extractsport(res + skip, len, AF_INET6);
650  int synack = issynack(res + skip, len, AF_INET6);
651  if (synack) {
652  char * rst;
653 #ifdef DEBUG
654  printf("=> Port %d is open\n", sport);
655 #endif
656  scanner_add_port(env, sport, "tcp");
657  /* Send a RST to make sure the connection is closed on the remote side */
658  rst = mktcpv6(src, magic, dst, sport, ack + 1, TH_RST);
659  sendto(soc, rst, sizeof(struct tcphdr), 0, (struct sockaddr *) & soca, sizeof(soca));
660  }
661  packets = rm_packet(packets, sport);
662  }
663  }
664  return packets;
665 }
struct list * add_packet(struct list *l, unsigned short dport, unsigned long ack)
If no packet with dport is in list, prepends a "packet" to the.
struct list * rm_packet(struct list *l, unsigned short dport)
void log_legacy_write(const char *format,...)
Legacy function to write a log message.
void bpf_close(int bpf)
Definition: bpf_share.c:153
char * mktcpv6(struct in6_addr *src, int sport, struct in6_addr *dst, int dport, unsigned long th_ack, unsigned char flag)
unsigned short extractsport(char *pkt, int len, int family)
int issynack(char *pkt, int len, int family)
void scanner_add_port(struct arglist *args, int port, char *proto)
Definition: plugutils.c:703
struct timeval timeval(unsigned long val)
u_char * bpf_next(int bpf, int *caplen)
Definition: bpf_share.c:137
unsigned long maketime()

References add_packet(), bpf_close(), bpf_next(), list::dport, extractsport(), issynack(), log_legacy_write(), maketime(), mktcpv6(), rm_packet(), scanner_add_port(), and timeval().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function: