Nmap Development mailing list archives

Re: OS Scan & Print Port Output after host timeout


From: Colin Phipps <cph () netcraft com>
Date: Mon, 12 Aug 2002 10:16:55 +0100

On Sat, Aug 10, 2002 at 04:31:31PM -0500, Johnson, Greg wrote:
> (1) After a host_timeout, could nmap be made to print port output it
> may have accumulated?  Nmap worked so hard to get that info, it's a
> pity to flush it away.

Agreed. It's not good to hammer a system with a port scan and then lose
the results.

Removing the "else" at nmap.c 1017 around the output functions works
for me.  Less code, more results.  I don't see any need to make an
option for this behavior, so long as the output indicates that a
timeout occurred.

This looks like a good time to resubmit my host-timeout patch. I have
been using this for over a year and it seems solid. It fixes both
pos_scan and super_scan to report after a timeout. It does print a
warning when a timeout occurs.

It was not included last time I submitted it in part because there were
doubts about the safety of giving incomplete results. However,
--host_timeout is not a default option, and there is a warning in the
output - this is no less safe than the current output IMO, which gives a
warning and tells you no ports at all. A timeout option that gives no
output is simply not useful, so I hope this patch, or equivalent, will
be included soon.

-- 
Colin Phipps         PGP 0x689E463E     http://www.netcraft.com/
diff -pbur nmap-2.54BETA29/nmap.c nmap-2.54BETA29-NC/nmap.c
--- nmap-2.54BETA29/nmap.c      Fri Aug 10 06:53:07 2001
+++ nmap-2.54BETA29-NC/nmap.c   Fri Aug 10 11:15:48 2001
@@ -1199,11 +1199,12 @@ int nmap_main(int argc, char *argv[]) {
        }
        
        if (currenths->timedout) {
-         log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT,"Skipping host  %s (%s) due to host timeout\n", currenths->name,
+         log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT,"Results for host %s (%s) incomplete due to host timeout\n", 
currenths->name,
                    inet_ntoa(currenths->host));
          log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Timeout", 
                    inet_ntoa(currenths->host), currenths->name);
-       } else {
+       }
+       {
          assignignoredportstate(&currenths->ports);
          printportoutput(currenths, &currenths->ports);
          printosscanoutput(currenths);
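Review bot: turning `} else {` into `}` followed by a bare `{` leaves an unconditional orphan block around assignignoredportstate/printportoutput/printosscanoutput; drop the braces and dedent the three calls rather than keep a scope that no longer means anything. Separately, check the grepable output on the timeout path: the LOG_MACHINE write `Host: %s (%s)\tStatus: Timeout` has no trailing newline and is now immediately followed by whatever printportoutput emits to LOG_MACHINE for the same host, so the machine-readable log can end up with the Timeout fragment glued onto the ports record or two `Host:` entries for one host. Either terminate the timeout record or fold the timeout status into the record printportoutput writes.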
diff -pbur nmap-2.54BETA29/scan_engine.c nmap-2.54BETA29-NC/scan_engine.c
--- nmap-2.54BETA29/scan_engine.c       Fri Aug 10 06:53:08 2001
+++ nmap-2.54BETA29-NC/scan_engine.c    Fri Aug 10 11:21:04 2001
@@ -1059,11 +1059,11 @@ void pos_scan(struct hoststruct *target,
     error("WARNING: GAVE UP ON SCAN AFTER 20 RETRIES");
   }
   
+ posscan_timedout:
+  
   if (o.verbose)
     log_write(LOG_STDOUT, "The %s took %ld %s to scan %d ports.\n", scantype2str(scantype),  (long) time(NULL) - 
starttime, (((long) time(NULL) - starttime) == 1)? "second" : "seconds", numports);
   
- posscan_timedout:
-  
   free(scan);
   if (rawsd >= 0) 
     close(rawsd);
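Review bot: moving `posscan_timedout:` above the verbose timing line means the timeout path now prints `The %s took %ld %s to scan %d ports.` with the full numports, although on that path not all of those ports were scanned; the line reads as a completed scan. Either mention the timeout in that message or print the number of ports actually finished, so `-v` output is not misleading about what the result covers.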
@@ -1653,12 +1653,17 @@ void super_scan(struct hoststruct *targe
     }
   } while(changed && ++tries < 100);   
 
-  openlist = testinglist;
+superscan_timedout: /* cph - give a hint about open ports anyway */
 
   if (o.debugging || o.verbose)
     log_write(LOG_STDOUT, "The %s took %ld %s to scan %d ports.\n", scantype2str(scantype), (long) time(NULL) - 
starttime, (((long) time(NULL) - starttime) == 1)? "second" : "seconds",  numports);
   
-  for (current = openlist; current;  current = (current->next >= 0)? &scan[current->next] : NULL) {
+  /* cph 2001/08/07 - all ports on both openlist and testinglist are
+   * potentially open, must mark them all as open for the results. 
+   * Watch out for the messy logic here. */
+  current = openlist;
+  do {
+   for (; current;  current = (current->next >= 0)? &scan[current->next] : NULL) {
     if (scantype == IPPROT_SCAN)
       addport(&target->ports, current->portno, IPPROTO_IP, NULL, PORT_OPEN);
     else if (scantype != UDP_SCAN)
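Review bot: deleting `openlist = testinglist;` changes the normal (non-timeout) result, not only the timeout one. Before, whatever openlist held when the retry loop ended was discarded and only testinglist was walked; now openlist is walked first and testinglist second, so any stale entries on openlist are added as PORT_OPEN, and a port present on both lists goes through addport twice. Confirm from the list maintenance above this hunk that openlist is empty or holds only confirmed-open ports at this point, and that addport tolerates a duplicate. The do/while with the reassignment at the bottom, which the comment itself calls messy, would be clearer as a two-element array of list heads and one for loop over it. Also, since `superscan_timedout:` is now the goto target, `current` and `openlist` must already be initialized on every path that jumps here; a jump from before their assignment walks garbage.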
@@ -1666,8 +1671,10 @@ void super_scan(struct hoststruct *targe
     else
       addport(&target->ports, current->portno, IPPROTO_UDP, NULL, PORT_OPEN);
   }
-
- superscan_timedout:
+   /* If we still have testinglist to do, get it now */
+   current = testinglist;
+   testinglist = NULL;
+  } while (current);
 
   free(scan);
   close(rawsd);
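Review bot: on the timeout path every port still on testinglist is reported as PORT_OPEN, so a probe that never completed is shown with the same state as a port that actually answered, and the only indication is the per-host warning printed in nmap.c. Since this is exactly the "incomplete results" objection the cover note expects, consider giving these ports a distinct state, or at least counting them and stating in the warning how many ports were untested, rather than folding them into open. Note that the `testinglist = NULL;` inside the loop is what terminates the do/while; keep that if the loop is reworked.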

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).