Re: [Exp PATCH] Start OSScan more quickly
From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 14 Jun 2007 17:53:13 -0500
Eddie Bell wrote:
Hey Kris,
Cool idea. I haven't looked at the code very deeply but I think
clearHost() causes problems for the code that runs after it
$ sudo gdb ./nmap
(gdb) r -sS -p1-30 -O --osscan-quick -iR 200 -v
<snip>
Program received signal SIGSEGV, Segmentation fault.
HostScanStats::destroyOutstandingProbe at scan_engine.cc:1501
1501 if (!probe->timedout) {
(gdb) info stack
#0 HostScanStats::destroyOutstandingProbe (this=0xf859a0,
probeI=<value optimized out>) at scan_engine.cc:1501
#1 0x000000000043474f in HostScanStats::clearHost (this=0xf859a0) at
scan_engine.cc:1483
#2 0x000000000043966d in processData (USI=0xf857a0) at scan_engine.cc:3389
Also the check in scan_engine.cc only checks for osscan_quick. This
might cause a problem if the user has only specified that and not an
osscan (-O)
cheers
- eddie
Hey Eddie, thanks for testing! I have attached a patch with some simple changes to fix the problems you mentioned (they worked for me).
Please let me know if you have any more problems! :) Thanks, Kris Katterjohn
Index: nmap.cc
===================================================================
--- nmap.cc (revision 4916)
+++ nmap.cc (working copy)
@@ -570,6 +570,8 @@
{"source-port", required_argument, 0, 'g'},
{"randomize_hosts", no_argument, 0, 0},
{"randomize-hosts", no_argument, 0, 0},
+ {"osscan-quick", no_argument, 0, 0},
+ {"osscan_quick", no_argument, 0, 0},
{"osscan_limit", no_argument, 0, 0}, /* skip OSScan if no open ports */
{"osscan-limit", no_argument, 0, 0}, /* skip OSScan if no open ports */
{"osscan_guess", no_argument, 0, 0}, /* More guessing flexability */
@@ -773,6 +775,8 @@
|| strcmp(long_options[option_index].name, "rH") == 0) {
o.randomize_hosts = 1;
o.ping_group_sz = PING_GROUP_SZ * 4;
+ } else if (optcmp(long_options[option_index].name, "osscan-quick") == 0) {
+ o.osscan_quick = true;
} else if (optcmp(long_options[option_index].name, "osscan-limit") == 0) {
o.osscan_limit = 1;
} else if (optcmp(long_options[option_index].name, "osscan-guess") == 0
Index: NmapOps.cc
===================================================================
--- NmapOps.cc (revision 4916)
+++ NmapOps.cc (working copy)
@@ -223,6 +223,7 @@
scanflags = -1;
defeat_rst_ratelimit = 0;
resume_ip.s_addr = 0;
+ osscan_quick = false;
osscan_limit = 0;
osscan_guess = 0;
numdecoys = 0;
Index: scan_engine.cc
===================================================================
--- scan_engine.cc (revision 4916)
+++ scan_engine.cc (working copy)
@@ -403,6 +403,13 @@
bool nextTimeout(struct timeval *when);
UltraScanInfo *USI; /* The USI which contains this HSS */
+ /* 1) Remove all probes from probes_outstanding
+ * 2) Dismiss bench
+ * 3) Clear retry_stack and retry_stack_tries
+ * 4) Modify next_portidx so freshPortsLeft() returns 0
+ */
+ void clearHost();
+
/* Removes a probe from probes_outstanding, adjusts HSS and USS
active probe stats accordingly, then deletes the probe. */
void destroyOutstandingProbe(list<UltraProbe *>::iterator probeI);
@@ -1466,6 +1473,23 @@
return 0;
}
+void HostScanStats::clearHost()
+{
+ list<UltraProbe *>::iterator probe;
+
+ while (!probes_outstanding.empty())
+ destroyOutstandingProbe(probes_outstanding.begin());
+
+ dismissBench();
+ retry_stack.clear();
+ retry_stack_tries.clear();
+
+ if (USI->tcp_scan)
+ next_portidx = USI->ports->tcp_count;
+ else if (USI->udp_scan)
+ next_portidx = USI->ports->udp_count;
+}
+
/* Removes a probe from probes_outstanding, adjusts HSS and USS
active probe stats accordingly, then deletes the probe. */
void HostScanStats::destroyOutstandingProbe(list<UltraProbe *>::iterator probeI) {
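Review bot: The local `list<UltraProbe *>::iterator probe;` declared at the top of HostScanStats::clearHost() is never used, since the loop now passes `probes_outstanding.begin()` directly to destroyOutstandingProbe(); dropping that line removes an unused-variable warning and makes the intent clearer. The header comment says step 4 makes freshPortsLeft() return 0, but next_portidx is only adjusted in the `USI->tcp_scan` / `USI->udp_scan` branches, so a host in any other scan type would keep its fresh ports if clearHost() is ever called from somewhere other than the guarded check in processData; I would either add a final `else` that is explicitly a no-op with a comment, or narrow the declaration comment to `/* 4) For TCP/UDP scans, modify next_portidx so freshPortsLeft() returns 0 */`. The body of destroyOutstandingProbe() on the last line of this hunk continues outside it.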
@@ -3353,6 +3377,19 @@
expire_us = host->probeExpire(); // give up completely after this long
maxtries = host->allowedTryno(&tryno_capped, &tryno_mayincrease);
+ if (o.osscan_quick && o.osscan) {
+ if (USI->tcp_scan &&
+ host->target->ports.nextPort(NULL, IPPROTO_TCP, PORT_OPEN) &&
+ host->target->ports.nextPort(NULL, IPPROTO_TCP, PORT_CLOSED)) {
+ host->clearHost();
+ continue;
+ } else if (USI->udp_scan &&
+ host->target->ports.nextPort(NULL, IPPROTO_UDP, PORT_CLOSED)) {
+ host->clearHost();
+ continue;
+ }
+ }
+
/* Should we dump everyone off the bench? */
if (host->probe_bench.size() > 0) {
if (maxtries == host->bench_tryno && !tryno_mayincrease) {
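Review bot: The new osscan_quick block re-evaluates the two nextPort() lookups on every pass through this per-host loop, and once clearHost() has run the open/closed condition is presumably still true, so the host is cleared again (harmlessly, but redundantly) on each subsequent iteration; gating the block on the host still having work, e.g. `if (o.osscan_quick && o.osscan && host->freshPortsLeft()) {` (assuming freshPortsLeft() is the count the declaration comment describes), would make it run once per host. The TCP branch requires both an open and a closed port while the UDP branch only requires a closed UDP port; if that asymmetry is intended for UDP-only scans, a one-line comment such as `/* UDP-only scan: a closed UDP port is all OS detection can get from this scan */` above the `else if` would save the next reader from wondering whether the open-port check was forgotten. The enclosing processData() loop starts and ends outside this hunk.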
Index: NmapOps.h
===================================================================
--- NmapOps.h (revision 4916)
+++ NmapOps.h (working copy)
@@ -273,6 +273,7 @@
int version_intensity;
struct in_addr decoys[MAX_DECOYS];
+ bool osscan_quick; /* Start OS Scan after we get an open and closed port */
int osscan_limit; /* Skip OS Scan if no open or no closed TCP ports */
int osscan_guess; /* Be more aggressive in guessing OS type */
int numdecoys;
