30 #define _DEFAULT_SOURCE 1 34 #include <arpa/inet.h> 36 #include <netinet/tcp.h> 37 #include <netinet/ip.h> 39 #include "../misc/arglists.h" 40 #include "../misc/bpf_share.h" 41 #include "../misc/pcap_openvas.h" 42 #include "../misc/plugutils.h" 43 #include "../misc/openvas_logging.h" 44 #include "../misc/prefs.h" 45 #include "../misc/network.h" 50 #undef SHOW_RTT_REMOVAL 71 in_cksum (u_short *p,
int n)
73 register u_short answer;
74 register unsigned long sum = 0;
84 *(u_char *) (&odd_byte) = *(u_char *) p;
87 sum = (sum >> 16) + (sum & 0xffff);
100 gettimeofday(&tv, NULL);
102 ret = ((tv.tv_sec & 0x0000000F) << 28) | (((tv.tv_usec) & 0xFFFFFFF0) >> 4);
116 h = (
val & 0xF0000000 ) >> 28;
117 l = (
val & 0x0FFFFFFF) << 4;
121 while ( ret.tv_usec >= 1000000 )
123 ret.tv_usec -= 1000000;
127 if ( ret.tv_sec > 2 ) {
142 a = (
unsigned long) ntohl(now);
143 b = (
unsigned long) ntohl(then);
150 if ( res >= (1 << 28) )
165 if ((now - then) >= 2 << 28 ) {
183 if (family == AF_INET)
185 soc = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
189 printf (
"error opeinig socket\n");
192 if (setsockopt (soc, IPPROTO_IP, IP_HDRINCL, &opt,
sizeof (opt)) < 0)
194 perror (
"setsockopt ");
195 printf (
"error setting socket opt\n");
202 soc = socket (AF_INET6, SOCK_RAW, IPPROTO_TCP);
206 printf (
"error opeinig socket\n");
209 setsockopt (soc, IPPROTO_IPV6, IPV6_CHECKSUM, &offset,
sizeof (offset));
227 openbpf (
struct in_addr dst,
struct in_addr * src,
int magic)
235 printf (
"Source address found via routethrough: %s\n", inet_ntoa (*src));
237 snprintf (filter,
sizeof (filter),
"tcp and src host %s and dst port %d", inet_ntoa (dst), magic);
239 printf (
"Open bpf on interface %s with filter: %s\n", iface, filter);
247 v6_openbpf (
struct in6_addr *dst,
struct in6_addr * src,
int magic)
251 char hostname[INET6_ADDRSTRLEN];
256 snprintf (filter,
sizeof(filter),
"tcp and src host %s and dst port %d",
257 inet_ntop (AF_INET6, dst, hostname,
sizeof (hostname)), magic);
260 printf(
"bpf_open_live returned error\n");
312 ret = g_malloc0 (
sizeof (
struct list));
316 if (ret->
next != NULL)
329 struct list *ret = l;
354 struct list *ret = l;
364 printf(
"Will retry port %d\n", p->
dport);
368 #ifdef SHOW_RTT_REMOVAL 369 printf(
"Removing port %d (RTT elapsed)\n", p->
dport);
397 ip = (
struct ip*)pkt;
398 if(ip->ip_hl * 4 + sizeof (
struct tcphdr) > len)
401 tcp = (
struct tcphdr*)(pkt + ip->ip_hl * 4);
409 tcp = (
struct tcphdr*)(pkt + 40);
419 if(family == AF_INET)
427 ret = htonl(ntohl(tcp->th_ack) - 1);
437 if(family == AF_INET)
442 if(tcp == NULL)
return 0;
444 return ntohs(tcp->th_sport);
452 if (family == AF_INET)
460 return tcp->th_flags == (TH_SYN | TH_ACK);
464 mktcp (
struct in_addr src,
int sport,
struct in_addr dst,
int dport,
465 unsigned long th_ack,
unsigned char flag)
467 static char pkt[
sizeof (
struct ip) + sizeof (struct tcphdr)];
473 ip = (
struct ip *) (&pkt);
477 ip->ip_len =
sizeof (
struct ip) + sizeof (struct tcphdr);
481 ip->ip_p = IPPROTO_TCP;
483 ip->ip_src.s_addr = src.s_addr;
484 ip->ip_dst.s_addr = dst.s_addr;
485 ip->ip_sum = in_cksum ((u_short *) pkt,
sizeof (
struct ip));
487 tcp = (
struct tcphdr *) (&(pkt[
sizeof (
struct ip)]));
488 tcp->th_sport = htons(sport);
489 tcp->th_dport = htons(dport);
490 tcp->th_seq = th_ack;
494 tcp->th_flags = flag;
506 tcp->th_sum = in_cksum((
unsigned short *) tcpsumdata, 12 +
sizeof (
struct tcphdr));
512 mktcpv6 (
struct in6_addr *src,
int sport,
struct in6_addr *dst,
int dport,
513 unsigned long th_ack,
unsigned char flag)
515 static char pkt[
sizeof (
struct tcphdr)];
518 tcp = (
struct tcphdr *) (&(pkt[0]));
519 tcp->th_sport = htons(sport);
520 tcp->th_dport = htons(dport);
521 tcp->th_ack = htonl (rand ());
522 tcp->th_seq = th_ack;
524 tcp->th_flags = flag;
525 tcp->th_win = htons (5760);
538 sendpacket (
int soc,
int bpf,
int skip,
struct in_addr dst,
struct in_addr src,
539 int dport,
int magic,
struct list * packets,
unsigned long * rtt,
540 int sniff,
struct arglist * env)
543 char *pkt =
mktcp (src, magic, dst,
dport, ack, TH_SYN);
546 struct sockaddr_in soca;
548 int family = AF_INET;
550 bzero (&soca,
sizeof (soca));
551 soca.sin_family = AF_INET;
554 rtt_tv.tv_sec *= 1000;
557 rtt_tv.tv_usec += (rtt_tv.tv_sec % 1000) * 1000;
558 rtt_tv.tv_sec /= 1000;
559 if (rtt_tv.tv_sec >= 1)
568 e = sendto(soc, pkt,
sizeof(
struct ip) +
sizeof(
struct tcphdr), 0, (
struct sockaddr *) & soca,
sizeof(soca));
580 unsigned short sport =
extractsport(res + skip, len, family);
581 int synack =
issynack(res + skip, len, family);
582 unsigned int rack =
extractack(res + skip, len, family);
586 printf(
"=> Port %d is open\n", sport);
590 rst =
mktcp(src, magic, dst, sport, ack + 1, TH_RST);
591 sendto(soc, rst,
sizeof(
struct ip) +
sizeof(
struct tcphdr), 0, (
struct sockaddr *) & soca,
sizeof(soca));
595 if (ntohl (*rtt) >= (1 << 28))
609 struct in6_addr *src,
int dport,
int magic,
610 struct list * packets,
unsigned long * rtt,
int sniff,
614 char *pkt =
mktcpv6(src, magic, dst,
dport, ack, TH_SYN);
617 struct sockaddr_in6 soca;
620 bzero(&soca,
sizeof(soca));
621 soca.sin6_family = AF_INET6;
622 memcpy(&soca.sin6_addr,dst,
sizeof(
struct in6_addr));
623 rtt_tv.tv_sec *= 1000;
626 rtt_tv.tv_usec += (rtt_tv.tv_sec % 1000) * 1000;
627 rtt_tv.tv_sec /= 1000;
628 if ( rtt_tv.tv_sec >= 1 )
637 e = sendto(soc, pkt,
sizeof(
struct tcphdr), 0, (
struct sockaddr *) & soca,
sizeof(soca));
649 unsigned short sport =
extractsport(res + skip, len, AF_INET6);
650 int synack =
issynack(res + skip, len, AF_INET6);
654 printf(
"=> Port %d is open\n", sport);
658 rst =
mktcpv6(src, magic, dst, sport, ack + 1, TH_RST);
659 sendto(soc, rst,
sizeof(
struct tcphdr), 0, (
struct sockaddr *) & soca,
sizeof(soca));
673 struct in6_addr *dst6,
unsigned long rtt)
680 struct in6_addr src6;
681 int magic = 4441 + (rand() % 1200);
684 struct list *packets = NULL;
686 unsigned short *ports;
691 if (IN6_IS_ADDR_V4MAPPED (dst6))
694 dst.s_addr = dst6->s6_addr32[3];
703 printf (
"===> Port range = %s\n", portrange);
704 printf (
"===> Target IP Family = %s\n", (family == AF_INET6) ?
"v6" 706 printf (
"===> Target = %s\n", inet_ntoa (dst));
709 ports = (
unsigned short *)
getpts (portrange, &num);
713 printf (
"error opening raw socket\n");
717 if (family == AF_INET)
718 bpf =
openbpf (dst, &src, magic);
724 for (i = 0; i < num ; i += 2)
727 printf (
"====> Sending packet to (at least) %u\n", ports[i]);
729 if (family == AF_INET)
730 packets =
sendpacket (soc, bpf, skip, dst, src, ports[i], magic,
731 packets, &rtt, 0, env);
733 packets =
v6_sendpacket (soc, bpf, skip, dst6, &src6, ports[i], magic,
734 packets, &rtt, 0, env);
738 printf (
"=====>> Sniffing %u\n", ports[i+1]);
740 if (family == AF_INET)
741 packets =
sendpacket (soc, bpf, skip, dst, src, ports[i + 1],
742 magic, packets, &rtt, 1, env);
744 packets =
v6_sendpacket (soc, bpf, skip, dst6, &src6, ports[i + 1],
745 magic, packets, &rtt, 1, env);
750 printf (
"Done with the sending\n");
754 if (family == AF_INET)
756 while (packets != NULL)
759 printf (
"===> Retry...\n");
764 while (retry != 0 && i < 2)
766 packets =
sendpacket (soc, bpf, skip, dst, src, retry, magic,
767 packets, &rtt, 0, env);
771 packets =
sendpacket (soc, bpf, skip, dst, src, retry, magic, packets,
794 struct in_addr inaddr;
799 inaddr.s_addr = dst6->s6_addr32[3];
805 rtt = htonl (1 << 28);
808 printf (
"RTT = 0x%.8x\n", ntohl (rtt));
810 printf (
"That's %ld seconds and %ld usecs\n", tv.tv_sec, tv.tv_usec);
814 char *hostname = hostinfo->
name;
816 scan (env, hostname, (
char *)
range, dst6, rtt);
int rawsocket(int family)
Opens and returns a raw socket.
char * v6_routethrough(struct in6_addr *dest, struct in6_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
unsigned long extractack(char *pkt, int len, int family)
struct list * add_packet(struct list *l, unsigned short dport, unsigned long ack)
If no packet with dport is in the list, prepends a "packet" to the list.
char * mktcp(struct in_addr src, int sport, struct in_addr dst, int dport, unsigned long th_ack, unsigned char flag)
void plug_set_key(struct arglist *args, char *name, int type, const void *value)
tree_cell * plugin_run_synscan(lex_ctxt *lexic)
struct list * rm_packet(struct list *l, unsigned short dport)
struct tcp_packet tcpheader
int islocalhost(struct in_addr *addr)
Tests whether a packet sent to IP is LIKELY to route through the kernel localhost interface.
void log_legacy_write(const char *format,...)
Legacy function to write a log message.
unsigned long compute_rtt(unsigned long then)
const gchar * prefs_get(const gchar *key)
Get a string preference value via a key.
char * mktcpv6(struct in6_addr *src, int sport, struct in6_addr *dst, int dport, unsigned long th_ack, unsigned char flag)
int get_datalink_size(int datalink)
int bpf_datalink(int bpf)
struct list * get_packet(struct list *l, unsigned short dport)
unsigned short * getpts(char *origexpr, int *len)
Converts a string like "-100,200-1024,3000-4000,60000-" into an array.
unsigned short extractsport(char *pkt, int len, int family)
int bpf_open_live(char *iface, char *filter)
int v6_openbpf(struct in6_addr *dst, struct in6_addr *src, int magic)
struct in6_addr * plug_get_host_ip(struct arglist *desc)
struct list * sendpacket(int soc, int bpf, int skip, struct in_addr dst, struct in_addr src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct arglist *env)
int issynack(char *pkt, int len, int family)
void scanner_add_port(struct arglist *args, int port, char *proto)
struct tcphdr * extracttcp(char *pkt, int len)
struct list * v6_sendpacket(int soc, int bpf, int skip, struct in6_addr *dst, struct in6_addr *src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct arglist *env)
int packetdead(unsigned long then, unsigned long rtt)
int scan(struct arglist *env, char *hostname, char *portrange, struct in6_addr *dst6, unsigned long rtt)
struct timeval timeval(unsigned long val)
char * routethrough(struct in_addr *dest, struct in_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
u_char * bpf_next(int bpf, int *caplen)
struct list * rm_dead_packets(struct list *l, unsigned long rtt, int *retry)
struct arglist * script_infos
u_char * bpf_next_tv(int bpf, int *caplen, struct timeval *tv)
struct tcphdr * v6_extracttcp(char *pkt, int len)
void * arg_get_value(struct arglist *args, const char *name)
int openbpf(struct in_addr dst, struct in_addr *src, int magic)
Opens a packet filter, grabs packets from dst to port magic.