Re: [Exp PATCH] Start OSScan more quickly
From: Kris Katterjohn <katterjohn () gmail com>
Date: Thu, 14 Jun 2007 17:53:13 -0500
Eddie Bell wrote:
Hey Kris, Cool idea. I haven't look at the code very deeply but I think clearHost() causes problems for the code that runs after it $ sudo gdb ./nmap (gdb) r -sS -p1-30 -O --osscan-quick -iR 200 -v <snip> Program received signal SIGSEGV, Segmentation fault. HostScanStats::destroyOutstandingProbe at scan_engine.cc:1501 1501 if (!probe->timedout) { (gdb) info stack #0 HostScanStats::destroyOutstandingProbe (this=0xf859a0, probeI=<value optimized out>) at scan_engine.cc:1501 #1 0x000000000043474f in HostScanStats::clearHost (this=0xf859a0) at scan_engine.cc:1483 #2 0x000000000043966d in processData (USI=0xf857a0) at scan_engine.cc:3389 Also the check in scan_engine.cc only checks for osscan_quick. This might cause a problem if the user has only specified that and not an osscan (-O) cheers - eddie
Hey Eddie, thanks for testing! I have attached a patch with some simple changes to fix the problems you mentioned (they worked for me).
Please let me know if you have any more problems! :) Thanks, Kris Katterjohn
Index: nmap.cc
===================================================================
--- nmap.cc (revision 4916)
+++ nmap.cc (working copy)
@@ -570,6 +570,8 @@
 {"source-port", required_argument, 0, 'g'},
 {"randomize_hosts", no_argument, 0, 0},
 {"randomize-hosts", no_argument, 0, 0},
+ {"osscan-quick", no_argument, 0, 0},
+ {"osscan_quick", no_argument, 0, 0},
 {"osscan_limit", no_argument, 0, 0}, /* skip OSScan if no open ports */
 {"osscan-limit", no_argument, 0, 0}, /* skip OSScan if no open ports */
 {"osscan_guess", no_argument, 0, 0}, /* More guessing flexability */
@@ -773,6 +775,8 @@
 || strcmp(long_options[option_index].name, "rH") == 0) {
 o.randomize_hosts = 1;
 o.ping_group_sz = PING_GROUP_SZ * 4;
+ } else if (optcmp(long_options[option_index].name, "osscan-quick") == 0) {
+ o.osscan_quick = true;
 } else if (optcmp(long_options[option_index].name, "osscan-limit") == 0) {
 o.osscan_limit = 1;
 } else if (optcmp(long_options[option_index].name, "osscan-guess") == 0
Index: NmapOps.cc
===================================================================
--- NmapOps.cc (revision 4916)
+++ NmapOps.cc (working copy)
@@ -223,6 +223,7 @@
 scanflags = -1;
 defeat_rst_ratelimit = 0;
 resume_ip.s_addr = 0;
+ osscan_quick = false;
 osscan_limit = 0;
 osscan_guess = 0;
 numdecoys = 0;
Index: scan_engine.cc
===================================================================
--- scan_engine.cc (revision 4916)
+++ scan_engine.cc (working copy)
@@ -403,6 +403,13 @@
 bool nextTimeout(struct timeval *when);
 UltraScanInfo *USI; /* The USI which contains this HSS */
+ /* 1) Remove all probes from probes_outstanding
+ * 2) Dismiss bench
+ * 3) Clear retry_stack and retry_stack_tries
+ * 4) Modify next_portidx so freshPortsLeft() returns 0
+ */
+ void clearHost();
+
 /* Removes a probe from probes_outstanding, adjusts HSS and USS active probe stats accordingly, then deletes the probe. */
 void destroyOutstandingProbe(list<UltraProbe *>::iterator probeI);
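Review bot: The two new long_options entries for `osscan-quick`/`osscan_quick` make the option parseable, but nothing in this patch adds it to the usage/help output or the man page, so the flag can only be discovered by reading the source. A one-line entry in the usage text such as `--osscan-quick: Start OS detection as soon as an open and a closed port are known (requires -O)` would close that gap. Mentioning the -O dependency matters because, per the scan_engine.cc change, the flag is a no-op without o.osscan set.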
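Review bot: The new comment above `void clearHost();` lists what the method does but not why a caller would invoke it or what state the host is left in, which is what a reader of the class declaration needs first. Suggest opening with the purpose, e.g. `/* Abandon the rest of this host's port scan (used by --osscan-quick once an open and a closed port are known). Afterwards no probes are outstanding or benched and freshPortsLeft() reports nothing left: ... */` followed by the existing numbered steps. Step 4 only holds for TCP and UDP scans as implemented in the definition hunk, so the comment should say so or the definition should cover the remaining case.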
@@ -1466,6 +1473,23 @@
 return 0;
 }
+void HostScanStats::clearHost()
+{
+ list<UltraProbe *>::iterator probe;
+
+ while (!probes_outstanding.empty())
+ destroyOutstandingProbe(probes_outstanding.begin());
+
+ dismissBench();
+ retry_stack.clear();
+ retry_stack_tries.clear();
+
+ if (USI->tcp_scan)
+ next_portidx = USI->ports->tcp_count;
+ else if (USI->udp_scan)
+ next_portidx = USI->ports->udp_count;
+}
+
 /* Removes a probe from probes_outstanding, adjusts HSS and USS active probe stats accordingly, then deletes the probe. */
 void HostScanStats::destroyOutstandingProbe(list<UltraProbe *>::iterator probeI) {
@@ -3353,6 +3377,19 @@
 expire_us = host->probeExpire(); // give up completely after this long
 maxtries = host->allowedTryno(&tryno_capped, &tryno_mayincrease);
+ if (o.osscan_quick && o.osscan) {
+ if (USI->tcp_scan &&
+ host->target->ports.nextPort(NULL, IPPROTO_TCP, PORT_OPEN) &&
+ host->target->ports.nextPort(NULL, IPPROTO_TCP, PORT_CLOSED)) {
+ host->clearHost();
+ continue;
+ } else if (USI->udp_scan &&
+ host->target->ports.nextPort(NULL, IPPROTO_UDP, PORT_CLOSED)) {
+ host->clearHost();
+ continue;
+ }
+ }
+
 /* Should we dump everyone off the bench? */
 if (host->probe_bench.size() > 0) {
 if (maxtries == host->bench_tryno && !tryno_mayincrease) {
Index: NmapOps.h
===================================================================
--- NmapOps.h (revision 4916)
+++ NmapOps.h (working copy)
@@ -273,6 +273,7 @@
 int version_intensity;
 struct in_addr decoys[MAX_DECOYS];
+ bool osscan_quick; /* Start OS Scan after we get an open and closed port */
 int osscan_limit; /* Skip OS Scan if no open or no closed TCP ports */
 int osscan_guess; /* Be more aggressive in guessing OS type */
 int numdecoys;
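Review bot: `list<UltraProbe *>::iterator probe;` at the top of clearHost() is declared and never used; drop it so the build stays clean under -Wunused-variable. The next_portidx update at the end only runs when USI->tcp_scan or USI->udp_scan is set, so for any other scan type clearHost() returns with fresh ports still pending, contradicting step 4 of the declaration comment — either add an `else` that handles that case or an assert documenting that it cannot occur here. A short why-comment on the loop, `/* always erase at begin(): destroyOutstandingProbe() removes the element it is handed, so the iterator cannot be advanced afterwards */`, would explain why it is not written as a for loop.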
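Review bot: The --osscan-quick check at the top of the loop body has no memory of having fired: once clearHost() has emptied a host, every later pass through this loop (processData() per the backtrace upthread; the function starts and ends outside the hunk) repeats both nextPort() walks and calls clearHost() again on an already-empty host. A flag on HostScanStats set inside clearHost() and tested here before the port lookups would make the cut-off a one-time event; if this loop runs once per packet or timeout pass, the wasted work grows with the size of the host group. The TCP branch requires both an open and a closed port while the UDP branch requires only a closed one; a comment stating the reason (presumably that open UDP ports are rarely confirmed directly) would stop the next reader from treating the asymmetry as an oversight.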