diff -cr nmap-2.30BETA20.orig/global_structures.h nmap-2.30BETA20/global_structures.h *** nmap-2.30BETA20.orig/global_structures.h Sat Apr 8 15:59:42 2000 --- nmap-2.30BETA20/global_structures.h Tue Apr 11 18:33:47 2000 *************** *** 199,204 **** --- 199,205 ---- int xmasscan; int fragscan; int synscan; + int ciscoscan; int windowscan; int maimonscan; int finscan; *************** *** 210,216 **** FILE *nmap_stdout; /* Nmap standard output */ }; ! typedef enum { ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, RPC_SCAN, MAIMON_SCAN } stype; #endif /*GLOBAL_STRUCTURES_H */ --- 211,217 ---- FILE *nmap_stdout; /* Nmap standard output */ }; ! typedef enum { ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, RPC_SCAN, MAIMON_SCAN, CISCO_SCAN } stype; #endif /*GLOBAL_STRUCTURES_H */ diff -cr nmap-2.30BETA20.orig/nmap.c nmap-2.30BETA20/nmap.c *** nmap-2.30BETA20.orig/nmap.c Mon Apr 10 04:19:42 2000 --- nmap-2.30BETA20/nmap.c Thu Apr 20 17:29:48 2000 *************** *** 549,554 **** --- 549,555 ---- case 'A': o.ackscan = 1; break; case 'B': fatal("No scan type 'B', did you mean bounce scan (-b)?"); break; + case 'C': o.ciscoscan = 1; break; case 'F': o.finscan = 1; break; case 'M': o.maimonscan = 1; break; case 'N': o.nullscan = 1; break; *************** *** 621,627 **** /* Now we check the option sanity */ /* Insure that at least one scantype is selected */ ! if (!o.connectscan && !o.udpscan && !o.synscan && !o.windowscan && !o.finscan && !o.maimonscan && !o.nullscan && !o.xmasscan && !o.ackscan && !o.bouncescan && !o.pingscan) { o.connectscan++; if (o.verbose) error("No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up)."); } --- 622,628 ---- /* Now we check the option sanity */ /* Insure that at least one scantype is selected */ ! 
if (!o.connectscan && !o.udpscan && !o.synscan && !o.windowscan && !o.finscan && !o.maimonscan && !o.nullscan && !o.xmasscan && !o.ackscan && !o.bouncescan && !o.pingscan && !o.ciscoscan) { o.connectscan++; if (o.verbose) error("No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up)."); } *************** *** 634,647 **** error("WARNING: -S will not affect the source address used in a connect() scan. Use -sS or another raw scan if you want to use the specified source address for the port scanning stage of nmap"); } if (fastscan && ports) { fatal("You can specify fast scan (-F) or explicitly select individual ports (-p), but not both"); } else if (fastscan) { ! ports = getfastports(o.windowscan|o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan|o.ackscan,o.udpscan); } if (o.pingscan && ports) { ! fatal("You cannot use -F (fast scan) or -p (explicit port selection) with PING scan"); } if (o.pingscan && fastscan) { --- 635,656 ---- error("WARNING: -S will not affect the source address used in a connect() scan. Use -sS or another raw scan if you want to use the specified source address for the port scanning stage of nmap"); } + if (o.ciscoscan) + if (ports) + fatal("You cannot specify ports to use with a cisco scan"); + else if (fastscan) + fatal("You cannot use fastscan with cisco scan"); + else + ports=getpts("1999"); + if (fastscan && ports) { fatal("You can specify fast scan (-F) or explicitly select individual ports (-p), but not both"); } else if (fastscan) { ! ports = getfastports(o.windowscan|o.ciscoscan|o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan|o.ackscan,o.udpscan); } if (o.pingscan && ports) { ! 
fatal("You cannot use -F (fast scan), -sC (cisco scan) or -p (explicit port selection) with PING scan"); } if (o.pingscan && fastscan) { *************** *** 658,664 **** if (!o.tcp_probe_port) o.tcp_probe_port = 80; ! if (o.pingscan && (o.connectscan || o.udpscan || o.windowscan || o.synscan || o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.ackscan || o.bouncescan)) { fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan"); } --- 667,673 ---- if (!o.tcp_probe_port) o.tcp_probe_port = 80; ! if (o.pingscan && (o.connectscan || o.udpscan || o.windowscan || o.synscan || o.ciscoscan || o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.ackscan || o.bouncescan)) { fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan"); } *************** *** 670,676 **** o.pingtype = PINGTYPE_TCP; } ! if (o.finscan || o.windowscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan || o.ackscan || o.udpscan ) { fatal("You requested a scan type which requires r00t privileges, and you do not have them.\n"); } --- 679,685 ---- o.pingtype = PINGTYPE_TCP; } ! if (o.finscan || o.windowscan || o.synscan || o.ciscoscan || o.maimonscan || o.nullscan || o.xmasscan || o.ackscan || o.udpscan ) { fatal("You requested a scan type which requires r00t privileges, and you do not have them.\n"); } *************** *** 695,702 **** if (o.bouncescan && o.pingtype != PINGTYPE_NONE) log_write(LOG_STDOUT, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan\n"); ! if (o.connectscan + o.windowscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.nullscan + o.ackscan > 1) { ! fatal("You specified more than one type of TCP scan. 
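Review bot: The new `if (o.ciscoscan) if (ports) ... else if (fastscan) ... else ports=getpts("1999");` in the 634,647 hunk is an unbraced nested if/else chain, which only works because the dangling `else` happens to bind to the inner `if`; the rest of this file braces every `fatal()` guard, so this should read `if (o.ciscoscan) { if (ports) { fatal(...); } else if (fastscan) { fatal(...); } else { ports = getpts(CISCO_IDENT_PORT); } }`. The port is also a bare magic string — a `#define CISCO_SCAN_PORT "1999"` next to the other scan constants in nmap.h would let the getpts call and the new user-facing messages stay in sync. The option-sanity code this hunk patches starts before the hunk and continues past it.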
Please choose only one of -sT, -sS, -sF, -sM, -sX, -sA, -sW, and -sN"); } if (o.numdecoys > 0 && (o.bouncescan || o.connectscan)) { --- 704,711 ---- if (o.bouncescan && o.pingtype != PINGTYPE_NONE) log_write(LOG_STDOUT, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan\n"); ! if (o.connectscan + o.windowscan + o.synscan + o.ciscoscan + o.finscan + o.maimonscan + o.xmasscan + o.nullscan + o.ackscan > 1) { ! fatal("You specified more than one type of TCP scan. Please choose only one of -sT, -sS, -sF, -sM, -sX, -sA, -sW, -sC, and -sN"); } if (o.numdecoys > 0 && (o.bouncescan || o.connectscan)) { *************** *** 704,710 **** } if (o.fragscan && (o.connectscan || ! (o.udpscan && (o.windowscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.ackscan + o.nullscan == 0)))) fatal("Fragmentation scan can only be used with SYN, FIN, Maimon, XMAS, ACK, or NULL scan types"); --- 713,719 ---- } if (o.fragscan && (o.connectscan || ! (o.udpscan && (o.windowscan + o.synscan + o.ciscoscan + o.finscan + o.maimonscan + o.xmasscan + o.ackscan + o.nullscan == 0)))) fatal("Fragmentation scan can only be used with SYN, FIN, Maimon, XMAS, ACK, or NULL scan types"); *************** *** 869,874 **** --- 878,884 ---- } else { + printf("currenths->flags %x\n",currenths->flags); if (currenths->flags & HOST_UP) { log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT,"Host %s (%s) appears to be up.\n", currenths->name, inet_ntoa(currenths->host)); log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Up\n", inet_ntoa(currenths->host), currenths->name); *************** *** 898,904 **** if (currenths->flags & HOST_UP /*&& !currenths->wierd_responses*/ && !o.pingscan) { ! 
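Review bot: The added `printf("currenths->flags %x\n",currenths->flags);` in the 869,874 hunk looks like leftover debugging: it writes straight to stdout for every host, bypassing the `log_write()`/`nmap_stdout` machinery the surrounding lines use, so it will corrupt machine-parseable (`-oM`) output that is being sent to stdout. It should be dropped, or at minimum become `if (o.debugging) log_write(LOG_STDOUT, "currenths->flags %x\n", currenths->flags);` so it only appears with `-d`. The host-loop body this hunk sits in starts and ends outside the hunk.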
if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && ( o.windowscan || o.synscan || o.finscan || o.maimonscan || o.udpscan || o.nullscan || o.xmasscan || o.ackscan )) { if (gethostname(myname, MAXHOSTNAMELEN) || !(target = gethostbyname(myname))) fatal("Cannot get hostname! Try using -S or -e \n"); --- 908,914 ---- if (currenths->flags & HOST_UP /*&& !currenths->wierd_responses*/ && !o.pingscan) { ! if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && ( o.windowscan || o.synscan || o.ciscoscan || o.finscan || o.maimonscan || o.udpscan || o.nullscan || o.xmasscan || o.ackscan )) { if (gethostname(myname, MAXHOSTNAMELEN) || !(target = gethostbyname(myname))) fatal("Cannot get hostname! Try using -S or -e \n"); *************** *** 910,922 **** } /* Figure out what link-layer device (interface) to use (ie eth0, ppp0, etc) */ ! if (!*currenths->device && currenths->flags & HOST_UP && (o.nullscan || o.xmasscan || o.ackscan || o.udpscan || o.finscan || o.maimonscan || o.synscan || o.osscan || o.windowscan) && (ipaddr2devname( currenths->device, ¤ths->source_ip) != 0)) fatal("Could not figure out what device to send the packet out on! You might possibly want to try -S (but this is probably a bigger problem). If you are trying to sp00f the source of a SYN/FIN scan with -S , then you must use -e eth0 (or other devicename) to tell us what interface to use.\n"); /* Set up the decoy */ o.decoys[o.decoyturn] = currenths->source_ip; /* Time for some actual scanning! */ if (o.synscan) pos_scan(currenths, ports, SYN_SCAN); if (o.windowscan) pos_scan(currenths, ports, WINDOW_SCAN); if (o.connectscan) pos_scan(currenths, ports, CONNECT_SCAN); if (o.ackscan) pos_scan(currenths, ports, ACK_SCAN); --- 920,933 ---- } /* Figure out what link-layer device (interface) to use (ie eth0, ppp0, etc) */ ! 
if (!*currenths->device && currenths->flags & HOST_UP && (o.nullscan || o.xmasscan || o.ackscan || o.udpscan || o.finscan || o.maimonscan || o.synscan || o.ciscoscan || o.osscan || o.windowscan) && (ipaddr2devname( currenths->device, ¤ths->source_ip) != 0)) fatal("Could not figure out what device to send the packet out on! You might possibly want to try -S (but this is probably a bigger problem). If you are trying to sp00f the source of a SYN/FIN scan with -S , then you must use -e eth0 (or other devicename) to tell us what interface to use.\n"); /* Set up the decoy */ o.decoys[o.decoyturn] = currenths->source_ip; /* Time for some actual scanning! */ if (o.synscan) pos_scan(currenths, ports, SYN_SCAN); + if (o.ciscoscan) pos_scan(currenths, ports, CISCO_SCAN); if (o.windowscan) pos_scan(currenths, ports, WINDOW_SCAN); if (o.connectscan) pos_scan(currenths, ports, CONNECT_SCAN); if (o.ackscan) pos_scan(currenths, ports, ACK_SCAN); *************** *** 946,952 **** log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Timeout", inet_ntoa(currenths->host), currenths->name); } ! else if (!o.pingscan) { assignignoredportstate(¤ths->ports); printportoutput(currenths, ¤ths->ports); resetportlist(¤ths->ports); --- 957,963 ---- log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Timeout", inet_ntoa(currenths->host), currenths->name); } ! else if (!o.pingscan && !o.ciscoscan) { assignignoredportstate(¤ths->ports); printportoutput(currenths, ¤ths->ports); resetportlist(¤ths->ports); *************** *** 2361,2367 **** /* Init our raw socket */ if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || ! (scantype == ACK_SCAN)) { if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 ) pfatal("socket troubles in pos_scan"); /* We do not wan't to unblock the socket since we want to wait --- 2372,2378 ---- /* Init our raw socket */ if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || ! 
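Review bot: Changing the guard to `else if (!o.pingscan && !o.ciscoscan)` in the 946,952 hunk skips not only `printportoutput()` but also `assignignoredportstate()` and `resetportlist(&currenths->ports)`, so for a cisco scan the per-host port list is never cleared after scanning; if `resetportlist()` is the only place that state is released (it is not visible here), the result is per-host leaked or stale port state across the batch. Suppressing only the print is safer: keep the original condition and wrap just the output, e.g. `assignignoredportstate(&currenths->ports); if (!o.ciscoscan) printportoutput(currenths, &currenths->ports); resetportlist(&currenths->ports);`. The enclosing host loop starts and ends outside this hunk.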
(scantype == ACK_SCAN) || (scantype == CISCO_SCAN)) { if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 ) pfatal("socket troubles in pos_scan"); /* We do not wan't to unblock the socket since we want to wait *************** *** 2409,2415 **** fatal("Error compiling our pcap filter: %s\n", pcap_geterr(pd)); if (pcap_setfilter(pd, &fcode) < 0 ) fatal("Failed to set the pcap filter: %s\n", pcap_geterr(pd)); ! if (scantype == SYN_SCAN) scanflags = TH_SYN; else scanflags = TH_ACK; --- 2420,2426 ---- fatal("Error compiling our pcap filter: %s\n", pcap_geterr(pd)); if (pcap_setfilter(pd, &fcode) < 0 ) fatal("Failed to set the pcap filter: %s\n", pcap_geterr(pd)); ! if (scantype == SYN_SCAN || scantype == CISCO_SCAN) scanflags = TH_SYN; else scanflags = TH_ACK; *************** *** 2442,2447 **** --- 2453,2460 ---- if (o.debugging || o.verbose) { if (scantype == SYN_SCAN) log_write(LOG_STDOUT, "Initiating SYN half-open stealth scan against %s (%s)\n", target->name, inet_ntoa(target->host)); + else if (scantype == CISCO_SCAN) + log_write(LOG_STDOUT, "Initiating cisco stealth scan against %s (%s)\n",target->name, inet_ntoa(target->host)); else if (scantype == CONNECT_SCAN) log_write(LOG_STDOUT, "Initiating TCP connect() scan against %s (%s)\n",target->name, inet_ntoa(target->host)); else if (scantype == WINDOW_SCAN) { *************** *** 2565,2571 **** current->trynum++; gettimeofday(¤t->sent[current->trynum], NULL); now = current->sent[current->trynum]; ! if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN)) { if (o.fragscan) send_small_fragz_decoys(rawsd, &target->host, sequences[current->trynum], o.magic_port + tries * 3 + current->trynum, current->portno, scanflags); else --- 2578,2584 ---- current->trynum++; gettimeofday(¤t->sent[current->trynum], NULL); now = current->sent[current->trynum]; ! 
if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN) || (scantype == CISCO_SCAN)) { if (o.fragscan) send_small_fragz_decoys(rawsd, &target->host, sequences[current->trynum], o.magic_port + tries * 3 + current->trynum, current->portno, scanflags); else *************** *** 2660,2666 **** ss.numqueries_outstanding++; gettimeofday(¤t->sent[0], NULL); if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || ! (scantype == ACK_SCAN)) { if (o.fragscan) send_small_fragz_decoys(rawsd, &target->host, sequences[current->trynum], o.magic_port + tries * 3, current->portno, scanflags); else --- 2673,2679 ---- ss.numqueries_outstanding++; gettimeofday(¤t->sent[0], NULL); if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || ! (scantype == ACK_SCAN) || (scantype == CISCO_SCAN)) { if (o.fragscan) send_small_fragz_decoys(rawsd, &target->host, sequences[current->trynum], o.magic_port + tries * 3, current->portno, scanflags); else *************** *** 2718,2724 **** /* Now that we have sent the packets we wait for responses */ ss.alreadydecreasedqueries = 0; ! if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN)) get_syn_results(target, scan, &ss, &pil, portlookup, pd, sequences, scantype); else if (scantype == RPC_SCAN) { /* We only bother worrying about responses if we haven't reached --- 2731,2737 ---- /* Now that we have sent the packets we wait for responses */ ss.alreadydecreasedqueries = 0; ! if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN) || (scantype == CISCO_SCAN)) get_syn_results(target, scan, &ss, &pil, portlookup, pd, sequences, scantype); else if (scantype == RPC_SCAN) { /* We only bother worrying about responses if we haven't reached *************** *** 2808,2814 **** } if (o.verbose) ! log_write(LOG_STDOUT, "The %s scan took %ld %s to scan %d ports.\n", (scantype == WINDOW_SCAN) ? "Window" : (scantype == SYN_SCAN)? "SYN" : (scantype == CONNECT_SCAN)? 
"TCP connect" : (scantype == RPC_SCAN)? "RPC" : "ACK", (long) time(NULL) - starttime, (((long) time(NULL) - starttime) == 1)? "second" : "seconds", o.numports); posscan_timedout: --- 2821,2827 ---- } if (o.verbose) ! log_write(LOG_STDOUT, "The %s scan took %ld %s to scan %d ports.\n", (scantype == WINDOW_SCAN) ? "Window" : (scantype == SYN_SCAN)? "SYN" : (scantype == CONNECT_SCAN)? "TCP connect" : (scantype == RPC_SCAN)? "RPC" : (scantype == CISCO_SCAN)? "CISCO" : "ACK", (long) time(NULL) - starttime, (((long) time(NULL) - starttime) == 1)? "second" : "seconds", o.numports); posscan_timedout: *************** *** 2908,2914 **** worse shape */ if (newstate != PORT_FIREWALLED) ss->changed++; ! if (scantype == SYN_SCAN) ss->numqueries_outstanding--; else { for(i=0; i <= current->trynum; i++) --- 2921,2927 ---- worse shape */ if (newstate != PORT_FIREWALLED) ss->changed++; ! if (scantype == SYN_SCAN || scantype == CISCO_SCAN) ss->numqueries_outstanding--; else { for(i=0; i <= current->trynum; i++) *************** *** 3277,3282 **** --- 3290,3306 ---- else if (tcp->th_flags & TH_RST) { newstate = PORT_CLOSED; } + } + else if (scantype == CISCO_SCAN) { + char *tcpdata = (char *) (((char *) tcp) + 4 * tcp->th_off); + if (tcp->th_flags & TH_RST && + memcmp(tcpdata, "cisco\0", 6) == 0) { + log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT,"Host %s (%s) appears to be a cisco.\n", target->name, inet_ntoa(target->host)); + log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Up Cisco\n", inet_ntoa(target->host), target->name); + target->flags |= HOST_CISCO; + } + newstate = PORT_CLOSED; + target->flags |= HOST_UP; } else if (scantype == WINDOW_SCAN) { if (tcp->th_win) { diff -cr nmap-2.30BETA20.orig/nmap.h nmap-2.30BETA20/nmap.h *** nmap-2.30BETA20.orig/nmap.h Mon Apr 10 03:55:22 2000 --- nmap-2.30BETA20/nmap.h Thu Apr 20 14:09:33 2000 *************** *** 209,214 **** --- 209,215 ---- #define HOST_DOWN 2 #define HOST_FIREWALLED 4 #define HOST_BROADCAST 8 /* use the wierd_responses member of 
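Review bot: The new `CISCO_SCAN` branch in the 3277,3282 hunk of get_syn_results() reads six bytes at `tcp + 4 * tcp->th_off` with no check that the captured packet actually contains them: `th_off` comes from the attacker's reply (any value 0..15), and `memcmp(tcpdata, "cisco\0", 6)` will read past the end of the pcap buffer on a short or truncated packet, i.e. an out-of-bounds read driven by untrusted input. Before the memcmp, reject `tcp->th_off < 5` and require that the data offset plus 6 fits in the captured length, using whatever length variable this function already has for the packet (not visible in the hunk), e.g. `if (tcp->th_off >= 5 && (size_t)(tcpdata - (char *) ip) + 6 <= (size_t) bytes && (tcp->th_flags & TH_RST) && memcmp(tcpdata, "cisco", 6) == 0) {`. Separately, `newstate = PORT_CLOSED;` is assigned for every reply in this branch, including a SYN/ACK from an open port 1999, and `target->flags |= HOST_UP` is set even for a reply that matched nothing, so a comment such as `/* cisco scan: only the RST payload matters; port state is not reported */` would make that intentional rather than a latent bug; note also that the "appears to be a cisco" verdict rests on a banner any host can forge, so it is a hint, not an identification. The body of get_syn_results() continues well before and after this hunk.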
hoststruct instead */ + #define HOST_CISCO 16 /* host is a cisco */ #define PINGTYPE_UNKNOWN 0 #define PINGTYPE_NONE 1 diff -cr nmap-2.30BETA20.orig/services.c nmap-2.30BETA20/services.c *** nmap-2.30BETA20.orig/services.c Thu Apr 6 03:58:00 2000 --- nmap-2.30BETA20/services.c Thu Apr 20 18:43:04 2000 *************** *** 56,61 **** --- 56,67 ---- numtcpports++; } else if (strncasecmp(proto, "udp", 3) == 0) { numudpports++; + } else if (strncasecmp(proto, "ddp", 3) == 0) { + /* ddp is some apple thing...we don't "do" that */ + } else if (strncasecmp(proto, "divert", 6) == 0) { + /* divert sockets are for freebsd's natd */ + } else if (strncasecmp(proto, "#", 1) == 0) { + /* possibly misplaced comment, but who cares? */ } else { if (o.debugging) error("Unknown protocol (%s) on line %d of services file %s.", proto, lineno, filename); diff -cr nmap-2.30BETA20.orig/targets.c nmap-2.30BETA20/targets.c *** nmap-2.30BETA20.orig/targets.c Thu Apr 6 03:58:00 2000 --- nmap-2.30BETA20/targets.c Thu Apr 20 14:22:04 2000 *************** *** 147,153 **** if (o.isr00t && ((o.pingtype & PINGTYPE_TCP) || (o.pingtype == PINGTYPE_NONE && ! (o.synscan || o.finscan || o.xmasscan || o.nullscan || o.maimonscan || o.ackscan || o.udpscan || o.osscan || o.windowscan)))) { device = routethrough(&(hs->hostbatch[hidx].host), &(hs->hostbatch[hidx].source_ip)); if (!device) { --- 147,153 ---- if (o.isr00t && ((o.pingtype & PINGTYPE_TCP) || (o.pingtype == PINGTYPE_NONE && ! (o.synscan || o.finscan || o.xmasscan || o.nullscan || o.ciscoscan || o.maimonscan || o.ackscan || o.udpscan || o.osscan || o.windowscan)))) { device = routethrough(&(hs->hostbatch[hidx].host), &(hs->hostbatch[hidx].source_ip)); if (!device) { *************** *** 1169,1174 **** --- 1169,1176 ---- return "HOST_DOWN"; case HOST_FIREWALLED: return "HOST_FIREWALLED"; + case HOST_UP|HOST_CISCO: + return "HOST_UP(CISCO)"; default: return "UNKNOWN/COMBO"; }