Nmap Development mailing list archives
[Exp PATCH] Start OSScan more quickly
From: Kris Katterjohn <katterjohn () gmail com>
Date: Tue, 12 Jun 2007 14:07:22 -0500
Hey everyone! I have attached an experimental (read: it works for me, but there's probably a better way) patch (off soc07) for people when they really just want to use Nmap's OS Detection.
So, basically, --osscan-quick is an option added to end the port scanning of a host when an open and closed TCP port and/or a closed UDP port is determined, as this is what the OS Detection uses. The idea being that if we don't know what ports are open/closed on the host, we can't limit the ports scanned using -p. But if we just want to determine the OS, we don't really want to scan all the ports of the host because that can take a while for information we don't want.
The clearHost() stuff in scan_engine.cc is the thing that can probably be done better. Is there a better way to end prematurely? Does doing this cause any problems? I didn't encounter any, but very thorough tests were not done.
Please let me know what you think. Thanks, Kris Katterjohn
Index: nmap.cc
===================================================================
--- nmap.cc (revision 4893)
+++ nmap.cc (working copy)
@@ -570,6 +570,8 @@
{"source-port", required_argument, 0, 'g'},
{"randomize_hosts", no_argument, 0, 0},
{"randomize-hosts", no_argument, 0, 0},
+ {"osscan-quick", no_argument, 0, 0},
+ {"osscan_quick", no_argument, 0, 0},
{"osscan_limit", no_argument, 0, 0}, /* skip OSScan if no open ports */
{"osscan-limit", no_argument, 0, 0}, /* skip OSScan if no open ports */
{"osscan_guess", no_argument, 0, 0}, /* More guessing flexability */
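Review bot: the option table gains both spellings of --osscan-quick, but nothing in the patch adds a usage or documentation line for it, so the option is invisible from the help output; add an entry next to the one that documents --osscan-limit, which this option complements.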
@@ -773,6 +775,8 @@
|| strcmp(long_options[option_index].name, "rH") == 0) {
o.randomize_hosts = 1;
o.ping_group_sz = PING_GROUP_SZ * 4;
+ } else if (optcmp(long_options[option_index].name, "osscan-quick") == 0) {
+ o.osscan_quick = true;
} else if (optcmp(long_options[option_index].name, "osscan-limit") == 0) {
o.osscan_limit = 1;
} else if (optcmp(long_options[option_index].name, "osscan-guess") == 0
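Review bot: o.osscan_quick is set unconditionally, with no check that OS detection was actually requested, so --osscan-quick without -O yields a port scan that silently stops early for no benefit. Either have the option imply OS detection or emit a warning when OS detection is not enabled, in the same spirit as the adjacent osscan-limit handling, which likewise only makes sense together with -O.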
Index: NmapOps.cc
===================================================================
--- NmapOps.cc (revision 4893)
+++ NmapOps.cc (working copy)
@@ -223,6 +223,7 @@
scanflags = -1;
defeat_rst_ratelimit = 0;
resume_ip.s_addr = 0;
+ osscan_quick = false;
osscan_limit = 0;
osscan_guess = 0;
numdecoys = 0;
Index: scan_engine.cc
===================================================================
--- scan_engine.cc (revision 4893)
+++ scan_engine.cc (working copy)
@@ -403,6 +403,13 @@
bool nextTimeout(struct timeval *when);
UltraScanInfo *USI; /* The USI which contains this HSS */
+ /* 1) Remove all probes from probes_outstanding
+ * 2) Dismiss bench
+ * 3) Clear retry_stack and retry_stack_tries
+ * 4) Modify next_portidx so freshPortsLeft() returns 0
+ */
+ void clearHost();
+
/* Removes a probe from probes_outstanding, adjusts HSS and USS
active probe stats accordingly, then deletes the probe. */
void destroyOutstandingProbe(list<UltraProbe *>::iterator probeI);
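Review bot: the comment lists the four steps but not the intent; say that clearHost() deliberately abandons further scanning of this host (used by --osscan-quick once OS detection has the open/closed ports it needs) so readers do not mistake it for ordinary cleanup when a host completes.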
@@ -1466,6 +1473,26 @@
return 0;
}
+void HostScanStats::clearHost()
+{
+ list<UltraProbe *>::iterator probe;
+
+ for (probe = probes_outstanding.begin();
+ probe != probes_outstanding.end();
+ probe++) {
+ destroyOutstandingProbe(probe);
+ }
+
+ dismissBench();
+ retry_stack.clear();
+ retry_stack_tries.clear();
+
+ if (USI->tcp_scan)
+ next_portidx = USI->ports->tcp_count;
+ else if (USI->udp_scan)
+ next_portidx = USI->ports->udp_count;
+}
+
/* Removes a probe from probes_outstanding, adjusts HSS and USS
active probe stats accordingly, then deletes the probe. */
void HostScanStats::destroyOutstandingProbe(list<UltraProbe *>::iterator probeI) {
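Review bot: the for loop in clearHost() is undefined behaviour: destroyOutstandingProbe() removes the probe from probes_outstanding (see its comment immediately below), which invalidates the iterator, and the loop then evaluates probe++ on that dead iterator. Drain the list from the front instead: `while (!probes_outstanding.empty()) destroyOutstandingProbe(probes_outstanding.begin());`. Separately, the tcp_scan/udp_scan branch leaves next_portidx unchanged when neither flag is set; if one of them is always set here, an assert would document that.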
@@ -3352,6 +3379,17 @@
expire_us = host->probeExpire(); // give up completely after this long
maxtries = host->allowedTryno(&tryno_capped, &tryno_mayincrease);
+ if (o.osscan_quick) {
+ if (USI->tcp_scan &&
+ host->target->ports.nextPort(NULL, IPPROTO_TCP, PORT_OPEN) &&
+ host->target->ports.nextPort(NULL, IPPROTO_TCP, PORT_CLOSED)) {
+ host->clearHost();
+ } else if (USI->udp_scan &&
+ host->target->ports.nextPort(NULL, IPPROTO_UDP, PORT_CLOSED)) {
+ host->clearHost();
+ }
+ }
+
/* Should we dump everyone off the bench? */
if (host->probe_bench.size() > 0) {
if (maxtries == host->bench_tryno && !tryno_mayincrease) {
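Review bot: this block is evaluated on every pass for every host, so once the conditions hold the two nextPort() walks and clearHost() are repeated on each iteration until the host is retired; record a per-host "already cleared" flag (or test freshPortsLeft() == 0 first) so it fires once. The check is also independent of whether OS detection is enabled, so it should be gated the same way the option itself is, otherwise a plain port scan with this flag is cut short.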
Index: NmapOps.h
===================================================================
--- NmapOps.h (revision 4893)
+++ NmapOps.h (working copy)
@@ -273,6 +273,7 @@
int version_intensity;
struct in_addr decoys[MAX_DECOYS];
+ bool osscan_quick; /* Start OS Scan after we get an open and closed port */
int osscan_limit; /* Skip OS Scan if no open or no closed TCP ports */
int osscan_guess; /* Be more aggressive in guessing OS type */
int numdecoys;
_______________________________________________ Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev Archived at http://SecLists.Org
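As an added illustration that is not part of the patch or of Nmap's code, the following C++ models the HostScanStats members clearHost() touches and shows the safe way to drain probes_outstanding given that destroyOutstandingProbe() erases the element it is handed; Probe, HostStats, port_count, active_probes and leftover_after_clear are constructed stand-ins for the real types.

```cpp
#include <cstddef>
#include <list>
// Constructed stand-in for Nmap's UltraProbe; the real one carries far more state.
struct Probe { int port; };

// Stand-in for HostScanStats with only the members clearHost() touches.
struct HostStats {
  std::list<Probe *> probes_outstanding, probe_bench;
  std::list<int> retry_stack, retry_stack_tries;
  std::size_t next_portidx = 0, port_count = 0;  // port_count plays USI->ports->tcp_count
  int active_probes = 0;  // stands in for the HSS/USS active-probe counters
  // Same contract as the real function: unlink, fix stats, delete the probe.
  // The iterator passed in is invalid once this returns.
  void destroyOutstandingProbe(std::list<Probe *>::iterator probeI) {
    delete *probeI;
    --active_probes;
    probes_outstanding.erase(probeI);
  }
  void dismissBench() {
    for (Probe *p : probe_bench) delete p;
    probe_bench.clear();
  }
  // Drain from the front instead of advancing an iterator that was just erased.
  void clearHost() {
    while (!probes_outstanding.empty())
      destroyOutstandingProbe(probes_outstanding.begin());
    dismissBench();
    retry_stack.clear();
    retry_stack_tries.clear();
    next_portidx = port_count;  // freshPortsLeft() now reports 0
  }
  std::size_t freshPortsLeft() const { return port_count - next_portidx; }
};

// Build a host with n outstanding and n/2 benched probes, clear it `times`
// times, and return the leftover work (probes, bench, retries, fresh ports,
// active count). Expected 0: clearing is complete and repeating it is harmless.
std::size_t leftover_after_clear(int n, int times) {
  HostStats h;
  h.port_count = 1000;
  for (int i = 0; i < n; ++i) {
    h.probes_outstanding.push_back(new Probe{i});
    ++h.active_probes;
  }
  for (int i = 0; i < n / 2; ++i) h.probe_bench.push_back(new Probe{100 + i});
  h.retry_stack.push_back(7); h.retry_stack_tries.push_back(1);
  for (int t = 0; t < times; ++t) h.clearHost();
  return h.probes_outstanding.size() + h.probe_bench.size() + h.retry_stack.size() +
         h.retry_stack_tries.size() + h.freshPortsLeft() +
         static_cast<std::size_t>(h.active_probes);
}
```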
Current thread:
- [Exp PATCH] Start OSScan more quickly Kris Katterjohn (Jun 12)
- Re: [Exp PATCH] Start OSScan more quickly Eddie Bell (Jun 14)
- Re: [Exp PATCH] Start OSScan more quickly Kris Katterjohn (Jun 14)
- Re: [Exp PATCH] Start OSScan more quickly Eddie Bell (Jun 14)
