=========================================================================== vecna - november`99 - patch for nmap-2.12 stealth scan implementation - added options : -CP -CU -C2 -C3 -C4 use patch after "./configure" command. because the patch work in Makefile.in too (and it is create by configure). $patch -i nmap-2.12-vek.patch ===========================================================================
--- nmap.c.real Sun Apr 4 09:33:00 1999
+++ nmap.c Wed Nov 24 14:49:37 1999
@@ -83,7 +83,7 @@
 if (argc < 2 ) printusage(argv[0]);
 /* OK, lets parse these args! */
-while((arg = getopt(argc,fakeargv,"Ab:D:de:Ffg:hIi:M:m:NnOo:P:p:qRrS:s:T:Vv")) != EOF) {
+while((arg = getopt(argc,fakeargv,"Ab:D:de:Ffg:hIi:M:m:NnOo:P:p:qRrS:s:C:T:Vv" )) != EOF) {
 switch(arg) {
 case 'A': o.allowall++; break;
 case 'b':
@@ -237,6 +237,9 @@
 if (!resolve(optarg, o.source)) fatal("Failed to resolve source address, try dotted decimal IP address\n ");
 break;
+
+/* Special scan - Null SYN FIN Xmas Ping and other by Fyodor */
+
 case 's':
 if (!*optarg) {
 fprintf(stderr, "An option is required for -s, most common are -sT (tcp scan), -sS (SYN scan), -sF (FIN scan), -sU (UDP scan) and -sP (Ping scan)");
@@ -263,16 +266,49 @@
 p++;
 }
 break;
+
+/* End of original stealth scan normal routine */
+
+/* the new options:
+
+ 1 = new URGENT -CU
+ 2 = new PUSH -CP
+ 3 = URGENT+PUSH -C2
+ 4 = FIN+URGENT -Cf
+ 5 = FIN+PUSH -CF
+
+*/
+ case 'C':
+ if (!*optarg) {
+ fprintf(stderr, "An option is required for -C, the new scan can be:\n -C U(Urgent) -CP(Push) -C2(Urgent+Push) -Cf(Fin+Urgent) -CF(Fin+Push)\n");
+ printusage(argv[0]);
+ }
+ p = optarg;
+ while(*p) {
+ switch(*p) {
+ case 'U': o.URGprobe = 1; break;
+ case 'P': o.PSHprobe = 1; break;
+ case '2': o.URGPSHprobe = 1; break;
+ case '3': o.FINURGprobe = 1; break;
+ case '4': o.FINPSHprobe = 1; break;
+ default: error("Scantype %c not supported\n",*p); printusage(argv[0]); break;
+ }
+ p++;
+ }
+ break;
+
+ /* End of routine options added */
+
 case 'T': o.ptime = atoi(optarg); break;
 case 'V':
- printf("\nnmap V. %s by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)\n" , VERSION);
+ printf("\nnmap V. %s by Fyodor (www.insecure.com) patch by vecna - vecna@i tapac.net", VERSION);
 exit(0);
 break;
 case 'v': o.verbose++; break;
 }
 }
- fprintf(o.nmap_stdout, "\nStarting nmap V. %s by Fyodor (fyodor@dhp.com, www. insecure.org/nmap/)\n", VERSION);
+ fprintf(o.nmap_stdout, "\nStart nmap %s by Fyodor (fyodor@dhp.com) + patch by vecna (vecna@itapac.net)\n", VERSION);
 if (o.pingtype == PINGTYPE_UNKNOWN) {
 if (o.isr00t) o.pingtype = PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK|PINGTYPE_ICMP;
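Review bot: The `-C` usage text and the option-table comment added in this hunk disagree with the characters the `switch(*p)` actually accepts: the fprintf lists `-C U(Urgent)` (with a space) and `-Cf(Fin+Urgent) -CF(Fin+Push)`, while the cases are `'U'`, `'P'`, `'2'`, `'3'`, `'4'`, so a user who follows the message gets "Scantype f not supported". Align the string with the cases and with printusage, e.g. `fprintf(stderr, "An option is required for -C, the new scan can be:\n -CU(Urgent) -CP(Push) -C2(Urgent+Push) -C3(Fin+Urgent) -C4(Fin+Push)\n");`, and correct the `4 = FIN+URGENT -Cf` / `5 = FIN+PUSH -CF` comment lines the same way. Separately, the rewritten `-V` printf drops the trailing `\n` that the removed line had, so the version banner is left unterminated before `exit(0)`. The enclosing getopt loop starts before this hunk.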
@@ -282,7 +318,8 @@
 /* Now we check the option sanity */
 /* Insure that at least one scantype is selected */
-if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan && !o.maimonscan && !o.nullscan && !o.xmasscan && !o.bouncescan && !o.pingscan) {
+
+if (!o.connectscan && !o.udpscan && !o.URGprobe && !o.PSHprobe && !o.URGPSHpro be && !o.FINURGprobe && !o.FINPSHprobe && !o.synscan && !o.finscan && !o.maimon scan && !o.nullscan && !o.xmasscan && !o.bouncescan && !o.pingscan) {
 o.connectscan++;
 if (o.verbose) error("No scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what h osts are up).");
 }
@@ -298,8 +335,15 @@
 if (fastscan && ports) {
 fatal("You can specify fast scan (-F) or explicitly select individual ports (-p), but not both");
 } else if (fastscan) {
- ports = getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonsc an|o.bouncescan|o.nullscan|o.xmasscan,o.udpscan);
+ if (o.URGprobe||o.PSHprobe||o.URGPSHprobe||o.FINURGprobe||o.FINPSHprobe) {
+ o.xmasscan=1;
+ ports = getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimon scan|o.bouncescan|o.nullscan|o.xmasscan,o.udpscan);
+ o.xmasscan=0;
+ }
+ else ports = getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.mai monscan|o.bouncescan|o.nullscan|o.xmasscan,o.udpscan);
 }
+/* emulazione di xmasscan x evitare il cambio delle varibili in
+ getsfastports() e getdefaultports() */
 if (o.pingscan && ports) {
 fatal("You cannot use -F (fast scan) or -p (explicit port selection) with PI NG scan");
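Review bot: The scan-type test rewritten in this hunk is a hand-edited 14-term expression that the patch repeats, with the five new flags spliced in at a different position each time, in the hunks at @@ -309, @@ -331, @@ -352, @@ -360, @@ -531, @@ -544 and @@ -2785 of nmap.c and at @@ -103 of targets.c, and the copies are already drifting (targets.c orders the terms differently, and @@ -2785 ends up testing a different set of scans than the line it replaced). Computing the new probes' contribution once would stop that: for example one extra field in the options struct, set right after the getopt loop (constructed name) `o.newprobe = o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe;`, so that every check only adds `|| o.newprobe` (or `!o.newprobe &&` here). That also makes a later sixth flag a one-line change instead of nine edits.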
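Review bot: Temporarily setting `o.xmasscan=1` around the `getfastports()` call so the new probes count as a raw TCP scan hides the intent behind a mutation of global state and forces the call to be written twice; the same trick is repeated for `getdefaultports()` in the @@ -309 hunk. The first argument is already an OR of the scan flags, so — assuming getfastports only tests it for non-zero, as that OR suggests — the new flags can be OR-ed in directly and the branch collapses to the single original line: `ports = getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan|o.URGprobe|o.PSHprobe|o.URGPSHprobe|o.FINURGprobe|o.FINPSHprobe,o.udpscan);`, and likewise `if (!ports) ports = getdefaultports(...same flags..., o.udpscan);` in the next hunk. The two-line Italian comment explaining the emulation then becomes unnecessary; if kept, it should be in English like the rest of the file.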
@@ -309,17 +353,23 @@
 fatal("The fast scan (-F) is incompatible with ping scan");
 }
-if (!ports) {
- ports = getdefaultports(o.synscan|o.connectscan|o.fragscan|o.finscan|
- o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan,
- o.udpscan);
+if (o.URGprobe||o.PSHprobe||o.URGPSHprobe||o.FINURGprobe||o.FINPSHprobe) {
+ o.xmasscan=1;
+ if (!ports) ports = getdefaultports(o.synscan|o.connectscan|o.fragscan|o.fin scan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan, o.udpscan);
+ o.xmasscan=0;
 }
+/* nel caso ci sia uno dei nuovi scan, si emula l'xmas x non dover far
+ casini con altre varibili ecc... */
+
+else if (!ports) ports = getdefaultports(o.synscan|o.connectscan|o.fragscan|o. finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan, o.udpscan);
+
+
 /* Default dest port for tcp probe */
 if (!o.tcp_probe_port) o.tcp_probe_port = 80;
-if (o.pingscan && (o.connectscan || o.udpscan || o.synscan || o.finscan || o.m aimonscan || o.nullscan || o.xmasscan || o.bouncescan)) {
+if (o.pingscan && (o.connectscan || o.udpscan || o.URGprobe || o.PSHprobe || o .URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.synscan || o.finscan || o.m aimonscan || o.nullscan || o.xmasscan || o.bouncescan)) {
 fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
 }
@@ -331,8 +381,7 @@
 o.pingtype = PINGTYPE_TCP;
 }
- if (o.finscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan
- || o.udpscan ) {
+ if (o.finscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan || o. URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o. udpscan ) {
 fatal("You requested a scan type which requires r00t privileges, and you d o not have them.\n");
 }
@@ -352,7 +401,7 @@
 if (o.bouncescan && o.pingtype != PINGTYPE_NONE) fprintf(o.nmap_stdout, "Hint: if your bounce scan target hosts aren't reacha ble from here, remember to use -P0 so we don't try and ping them prior to the s can\n");
-if (o.connectscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.null scan > 1) {
+if (o.connectscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.null scan + o.URGprobe + o.PSHprobe + o.URGPSHprobe + o.FINURGprobe + o.FINPSHprobe > 1) {
 fatal("You specified more than one type of TCP scan. Please choose only one of -sT, -sS, -sF, -sM, -sX, and -sN");
 }
@@ -360,10 +409,8 @@
 fatal("Decoys are irrelevant to the bounce or connect scans");
 }
-if (o.fragscan && (o.connectscan ||
- (o.udpscan && (o.synscan + o.finscan + o.maimonscan +
- o.xmasscan + o.nullscan == 0))))
- fatal("Fragmentation scan can only be used with SYN, FIN, Maimon, XMAS, or N ULL scan types");
+if (o.fragscan && (o.connectscan || (o.udpscan && (o.synscan + o.finscan + o.m aimonscan + o.URGprobe + o.PSHprobe + o.URGPSHprobe + o.FINURGprobe + o.FINPSHp robe + o.xmasscan + o.nullscan == 0))))
+ fatal("Fragmentation scan can only be used with:\nSYN, FIN, Maimon, XMAS (an d derived) or NULL scan types");
 if (o.identscan && !o.connectscan) {
 error("Identscan only works with connect scan (-sT) ... ignoring option");
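Review bot: The mutual-exclusion check now sums the five `-C` flags as well, and since the `-C` parser sets one flag per letter of its argument this is the check that rejects a `-C` argument carrying two letters — yet the fatal message still says "Please choose only one of -sT, -sS, -sF, -sM, -sX, and -sN" and never mentions `-C`. Suggest `fatal("You specified more than one type of TCP scan. Please choose only one of -sT, -sS, -sF, -sM, -sX, -sN, -CU, -CP, -C2, -C3 and -C4");`. The reworded fragmentation message in the @@ -360 hunk below has the same gap: "XMAS (and derived)" does not tell the user which options are meant.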
@@ -531,8 +578,9 @@
 telnetthere. wierd :0 */
 if (currenths->flags & HOST_UP /* && !currenths->wierd_responses*/ && !o.pingscan) {
-
- if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && ( o.synsc an || o.finscan || o.maimonscan || o.udpscan || o.nullscan || o.xmasscan)) {
+
+
+ if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && (o.finsca n || o.synscan || o.maimonscan || o.nullscan || o.xmasscan || o.URGprobe || o.P SHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.udpscan )) {
 if (gethostname(myname, MAXHOSTNAMELEN) || !(target = gethostbyname(myname))) fatal("Cannot get hostname! Try using -S or -e \n");
@@ -544,7 +592,7 @@
 }
 /* Figure out what link-layer device (interface) to use (ie eth0, ppp0, etc ) */
- if (!*currenths->device && currenths->flags & HOST_UP && (o.nullscan || o.x masscan || o.udpscan || o.finscan || o.maimonscan || o.synscan || o.osscan) && (ipaddr2devname( currenths->device, ¤ths->source_ip) != 0))
+ if (!*currenths->device && currenths->flags & HOST_UP && ( o.finscan || o.s ynscan || o.maimonscan || o.nullscan || o.xmasscan || o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.udpscan || o.osscan) && (ipaddr2devname( currenths->device, ¤ths->source_ip) != 0))
 fatal("Could not figure out what device to send the packet out on! You m ight possibly want to try -S (but this is probably a bigger problem). If you a re trying to sp00f the source of a SYN/FIN scan with -S , then you must use -e eth0 (or other devicename) to tell us what interface to use.\n");
 /* Set up the decoy */
 o.decoys[o.decoyturn] = currenths->source_ip;
@@ -554,13 +602,20 @@
 if (o.synscan) pos_scan(currenths, ports, SYN_SCAN);
 if (o.connectscan) pos_scan(currenths, ports, CONNECT_SCAN);
-
+
+ /* adding now possible options */
+
 if (o.finscan) super_scan(currenths, ports, FIN_SCAN);
 if (o.xmasscan) super_scan(currenths, ports, XMAS_SCAN);
 if (o.nullscan) super_scan(currenths, ports, NULL_SCAN);
 if (o.maimonscan) super_scan(currenths, ports, MAIMON_SCAN);
 if (o.udpscan) super_scan(currenths, ports, UDP_SCAN);
-
+ if (o.URGprobe) super_scan(currenths, ports, URG_SCAN);
+ if (o.PSHprobe) super_scan(currenths, ports, PSH_SCAN);
+ if (o.URGPSHprobe) super_scan(currenths, ports, URGPSH_SCAN);
+ if (o.FINURGprobe) super_scan(currenths, ports, URGFIN_SCAN);
+ if (o.FINPSHprobe) super_scan(currenths, ports, FINPSH_SCAN);
+
 if (o.bouncescan) {
 if (ftp.sd <= 0) ftp_anon_connect(&ftp);
 if (ftp.sd > 0) bounce_scan(currenths, ports, &ftp);
@@ -787,11 +842,15 @@
 }
 void printusage(char *name) {
-printf("nmap V. %s usage: nmap [Scan Type(s)] [Options] \n\
+printf("nmap \033[1;1m2.12+V\033[0m patched version by vecna - vecna@itapac.ne t usage:\n\
+ nmap [Scan Type(s)] [Options] \n\
 Scan types\n\
 -sT tcp connect() port scan\n\
 -sS tcp SYN stealth port scan (must be root)\n\
- -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (only works against UNIX).\n\
+ -sF,-sX,-sN Stealth FIN, Xmas, or Null scan\n\
+ -CU,-CP,-C2 New Urgent probe, Push probe, Urgent+Push probe\n\
+ -C3,-C4 New \"3\" Fin+Urgent \"4\" Fin+Push\n\
+ note: -sF,-sX,-sN,-C* only works against UNIX\n\
 -sP ping \"scan\". Find which hosts on specified network(s) are up but don' t \n\
 port scan them\n\
 -sU UDP port scan, must be r00t\n\
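Review bot: printusage now hard-codes the version as the literal `2.12+V` inside the format string, wrapped in the terminal escapes `\033[1;1m` and `\033[0m`, and the companion hunk at @@ -819 removes `VERSION` from the printf argument list — so the usage banner no longer follows the Makefile's `VERSION` (which this same patch bumps to `2.12+V`) and emits raw escape bytes whenever stdout is not a terminal (piped into a pager or captured to a log). Keep the original parameterisation: first line `printf("nmap V. %s usage:\n\` and `VERSION` retained as the trailing argument in @@ -819, leaving highlighting to the terminal. The added line `-C3,-C4 New \"3\" Fin+Urgent \"4\" Fin+Push` is also hard to parse; `-C3,-C4 New Fin+Urgent probe, Fin+Push probe` would match the line above it.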
@@ -802,11 +861,12 @@
 -PT Use \"TCP Ping\" to see what hosts are up (for normal and ping scans).\ n\
 -PT21 Use \"TCP Ping\" scan with probe destination port of 21 (or whatever) .\n\
 -PI Use ICMP ping packet to determines hosts that are up\n\
- -PB Do BOTH TCP & ICMP scans in parallel (TCP dest port can be specified af ter the 'B')\n\
+ -PB Do BOTH TCP & ICMP scans in parallel (TCP dest port after the 'B')\n\
 -PS Use TCP SYN sweep rather than the default ACK sweep used in \"TCP ping\ "\n\
 -O Use TCP/IP fingerprinting to guess what OS the remote host is running\n\
 -p ports: ex: \'-p 23\' will only try port 23 of the host(s)\n\
- \'-p 20-30,63000-\' scans 20-30 and 63000-65535. default: 1- 1024 + /etc/services\n\
+ \'-p 20-30,63000-\' scans 20-30 and 63000-65535.\n\
+ default: 1-1024 + /etc/services\n\
 -Ddecoy_host1,decoy2,ME,decoy3[,...] Launch scans from decoy host(s) along\ n\
 with the real one. If you care about the order your real IP appears,\n\
 stick \"ME\" somewhere in the list. Even if the target detects the\n\
@@ -819,8 +879,8 @@
 -o Output scan logs to in human readable.\n\
 -m Output scan logs to in machine parseable format.\n\
 -i Grab IP numbers or hostnames from file. Use '-' for stdin\n \
- -g Sets the source port used for scans. 20 and 53 are good ch oices.\n\
- -S If you want to specify the source address of SYN or FYN scan.\ n", VERSION);
+ -g Sets the source port used for scans.\n\
+ -S If you want to specify the source address of SYN or FYN scan.\ n");
 if (!o.allowall) printf(" -A Allow scanning .0 and .255 addresses" );
 printf(" -v Verbose. Its use is recommended. Use twice for greater effect.\ n\
 -h help, print this junk. Also see http://www.insecure.org/nmap/\n\
@@ -1559,7 +1619,18 @@
 if (pcap_setfilter(pd, &fcode) < 0 ) fatal("Failed to set the pcap filter: %s\n", pcap_geterr(pd));
+/* tcp flag setting - switch() very nice than if-list :\ */
+
+
 if (scantype == XMAS_SCAN) scanflags = TH_FIN|TH_URG|TH_PUSH;
+else if (scantype == URG_SCAN) scanflags = TH_URG;
+else if (scantype == PSH_SCAN) scanflags = TH_PUSH;
+else if (scantype == URGPSH_SCAN) scanflags = TH_URG|TH_PUSH;
+else if (scantype == FINPSH_SCAN) scanflags = TH_FIN|TH_PUSH;
+else if (scantype == URGFIN_SCAN) scanflags = TH_URG|TH_FIN;
+
+/* end of tcp flag adding */
+
 else if (scantype == NULL_SCAN) scanflags = 0;
 else if (scantype == FIN_SCAN) scanflags = TH_FIN;
 else if (scantype == MAIMON_SCAN) scanflags = TH_FIN|TH_ACK;
@@ -1568,7 +1639,7 @@
 starttime = time(NULL);
 if (o.debugging || o.verbose)
- fprintf(o.nmap_stdout, "Initiating FIN,NULL, UDP, or Xmas stealth scan again st %s (%s)\n", target->name, inet_ntoa(target->host));
+ fprintf(o.nmap_stdout, "Initiating stealth scan against %s (%s)\n", target-> name, inet_ntoa(target->host));
 do {
@@ -2785,8 +2856,7 @@
 fatal("Deletion of port %d failed\n", ports[i]);
 }
 }
- if (o.connectscan || o.nullscan || o.xmasscan || o.synscan ||
- o.maimonscan || o.finscan || o.bouncescan) {
+ if ( o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FI NPSHprobe || o.nullscan || o.xmasscan || o.udpscan || o.finscan || o.maimonscan || o.synscan || o.bouncescan ) {
 current = lookupport(*pl, ports[i], IPPROTO_TCP);
 if (!current) addport(pl, ports[i], IPPROTO_TCP, NULL, PORT_UNFIREWALLED);
--- targets.c.real Thu Nov 18 23:37:30 1999
+++ targets.c Thu Nov 18 23:38:42 1999
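Review bot: The comment added at the top of the @@ -1559 hunk says a switch() is nicer than an if-list, but the code below it is still an if/else-if chain: the five new `else if` arms are spliced between the pre-existing `if (scantype == XMAS_SCAN)` line and its original `else if (scantype == NULL_SCAN)` continuation, with two blank lines and a second comment sitting in the middle of the chain, which makes it easy to misread where the chain ends. Either reword the comment to say what the block does, e.g. `/* Map the scan type to the TCP flags each probe carries */`, and drop the blank lines and the "end of tcp flag adding" marker, or convert the whole mapping — including the arms that continue past this hunk — to a `switch (scantype)` whose `default:` keeps the existing error path. The rest of the chain and the body of the scan routine lie outside the hunk.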
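Review bot: The rewritten condition at @@ -2785 changes which scans get a TCP entry added to the port list: the removed line tested `o.connectscan || o.nullscan || o.xmasscan || o.synscan || o.maimonscan || o.finscan || o.bouncescan`, while the replacement drops `o.connectscan` and adds `o.udpscan`. As written, a plain connect() scan — the default when no scan type is given, per the sanity check at @@ -282 — no longer reaches `addport(pl, ports[i], IPPROTO_TCP, NULL, PORT_UNFIREWALLED)`, and a UDP-only scan now does. The line should keep the original set and only append the new flags: `if (o.connectscan || o.nullscan || o.xmasscan || o.synscan || o.maimonscan || o.finscan || o.bouncescan || o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe) {`. The enclosing loop starts before this hunk, so I cannot see whether a separate UDP branch follows; if one does, the added `o.udpscan` term would presumably duplicate its work as well.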
@@ -103,7 +103,7 @@
 2) We are doing tcp pingscan OR 3) We are doing NO scan AND we are doing a raw-mode portscan or osscan* /
 else {
- if (o.isr00t && ((o.pingtype & PINGTYPE_TCP) || (o.pingtype == PINGTYPE_ NONE && (o.synscan || o.finscan || o.xmasscan || o.nullscan || o.maimonscan || o.udpscan || o.osscan )))) {
+ if (o.isr00t && ((o.pingtype & PINGTYPE_TCP) || (o.pingtype == PINGTYPE_ NONE && (o.synscan || o.finscan || o.xmasscan || o.nullscan || o.maimonscan || o.udpscan || o.osscan || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINP SHprobe || o.URGprobe)))) {
 device = routethrough(&(hostbatch[i].host), &(hostbatch[i].source_ip));
 if (!device) {
 if (o.pingtype == PINGTYPE_NONE) {
--- global_structures.h.real Thu Nov 18 23:37:47 1999
+++ global_structures.h Thu Nov 18 23:38:05 1999
@@ -161,6 +161,15 @@
 int finscan;
 int udpscan;
 int noresolve;
+
+ /* New stealth scan : */
+ int URGprobe;
+ int PSHprobe;
+ int URGPSHprobe;
+ int FINURGprobe;
+ int FINPSHprobe;
+ /* End new stealth scan */
+
 int force; /* force nmap to continue on even when the outcome seems somewhat certain */
 FILE *logfd; /* Output log file descriptor */
 FILE *machinelogfd; /* Machine parseable log file descriptor */
@@ -168,7 +177,19 @@
 };
 typedef port *portlist;
-typedef enum { SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCA N, MAIMON_SCAN } stype;
+typedef enum { SYN_SCAN,
+ FIN_SCAN,
+ XMAS_SCAN,
+ UDP_SCAN,
+ CONNECT_SCAN,
+ NULL_SCAN,
+ URG_SCAN, /* start new vekkena skans */
+ PSH_SCAN,
+ URGPSH_SCAN,
+ URGFIN_SCAN,
+ FINPSH_SCAN,
+ MAIMON_SCAN /* end new vekkena skans */
+} stype;
 #endif /*GLOBAL_STRUCTURES_H */
--- Makefile.in.real Thu Nov 18 23:37:55 1999
+++ Makefile.in Thu Nov 18 23:38:26 1999
@@ -20,7 +20,7 @@
 INSTALL = @INSTALL@
 MAKEDEPEND = @MAKEDEPEND@
 RPMTDIR=$(HOME)/rpmdir
-VERSION = 2.12
+VERSION = 2.12+V
 TARGET = nmap
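Review bot: The global_structures.h enum hunk inserts the five new `stype` values before `MAIMON_SCAN` rather than after it, so `MAIMON_SCAN` silently moves from 6 to 11; that is only harmless if nothing in the code base or in machine-parseable output depends on the numeric value, which the patch does not let me confirm. Appending the new constants after `MAIMON_SCAN` keeps every existing value stable, and the `/* start new vekkena skans */` … `/* end new vekkena skans */` markers would then bracket only the additions instead of ending on a pre-existing member. In the options-struct hunk above, the new fields use mixed case (`URGprobe`, `FINPSHprobe`) beside `finscan`/`udpscan`; lower-case names such as `urgscan`, `pshscan` would match the surrounding fields and the `*_SCAN` enum naming.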