Nmap Development mailing list archives

[PATCH] Reorder Traceroute UDP port selection


From: Kris Katterjohn <katterjohn () gmail com>
Date: Fri, 15 Feb 2008 08:22:03 -0600

Hey everyone!

I've attached a patch to reorder --traceroute's UDP port selection.

Before, an open port was checked for, then a closed one, then filtered (if not TCP). The problem is the vast majority of the time a UDP port is considered open only because of version detection, so when Traceroute sends a probe to an open port, it won't get a response back.

This patch makes it so that for UDP, it checks for closed, then open, then filtered. For everything else it's the way it was.

Consider this host:

PORT    STATE  SERVICE VERSION
111/udp open   rpcbind  2 (rpc #100000)
112/udp closed mcidas
113/udp closed auth


Port 111 is only open because I ran -sV against it (was open|filtered). So --traceroute, using the open port, doesn't get a response and results in this:

TRACEROUTE (using port 111/udp)
HOP RTT ADDRESS
! maximum TTL reached (50)


But with the patch, it uses the closed port first:

TRACEROUTE (using port 112/udp)
HOP RTT   ADDRESS
1   1.58  gateway (192.168.10.1)
<snip>
14  44.80 xhost (w.x.y.z)


Any comments or suggestions are appreciated.

Thanks,
Kris Katterjohn

Index: traceroute.cc
===================================================================
--- traceroute.cc       (revision 6837)
+++ traceroute.cc       (working copy)
@@ -325,8 +325,8 @@
     u16 open_port = 1;
     u16 closed_port = 1;
     u16 filtered_port = 1;
-    u16 state = 0;
     u16 port = 0;
+    int state = -1;
     struct Port *np;
 
     /* Use the first specified port for ping traceroutes */
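Review bot: the new `int state = -1;` turns `state` into a sentinel that the following hunk tests twice (`state == -1`), but nothing at the declaration says that -1 means "no usable state found yet"; a one-line comment there would save the next reader from working it out from the later checks. The declaration was also moved below `u16 port = 0;` with no functional reason, so keeping it in its original position would make the diff smaller and the intent (type change only) clearer.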
@@ -347,21 +347,31 @@
         open_port = (!scaninfo.open_response) ? 0 : 1;
     }
 
-    /* First we try to find an open port, if not we try to find a closed
-     * port and lastly we try to find a filtered port */
-    if (open_port && t->ports.getStateCounts (proto, scaninfo.open_state))
-        state = scaninfo.open_state;
-    else if (closed_port && t->ports.getStateCounts (proto, scaninfo.closed_state))
-        state = scaninfo.closed_state;
-    else if (filtered_port && t->ports.getStateCounts (proto, PORT_FILTERED)) {
+    /* For UDP we try for a closed port, then an open one.  For everything else
+     * we try the opposite.  When all else fails, we try for filtered */
+    if (proto == IPPROTO_UDP) {
+        if (closed_port && t->ports.getStateCounts (proto, scaninfo.closed_state))
+            state = scaninfo.closed_state;
+        else if (open_port && t->ports.getStateCounts (proto, scaninfo.open_state))
+            state = scaninfo.open_state;
+    } else {
+        if (open_port && t->ports.getStateCounts (proto, scaninfo.open_state))
+            state = scaninfo.open_state;
+        else if (closed_port && t->ports.getStateCounts (proto, scaninfo.closed_state))
+            state = scaninfo.closed_state;
+    }
+
+    if (state == -1 && filtered_port &&
+        t->ports.getStateCounts (proto, PORT_FILTERED)) {
         state = PORT_FILTERED;
         if (o.verbose)
             log_write (LOG_PLAIN, "%s: only filtered %s available, results may be incorrect\n",
                        t->targetipstr (), o.ipprotscan ? "protocols" : "ports");
-    } else {
-        return -1;
     }
 
+    if (state == -1)
+        return -1;
+
     np = t->ports.nextPort (NULL, proto, state);
     if (!np)
       return -1;
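Review bot: the comment "For UDP we try for a closed port, then an open one" states the new order but not why, and the reason given in the mail (a UDP port is usually only "open" because version detection elicited a reply, so a traceroute probe to it gets no answer) is exactly what a later maintainer will need before touching this ordering again; please put that rationale in the comment above `if (proto == IPPROTO_UDP) {`. The two branches are otherwise mirror images of each other (closed/open versus open/closed, each gated on `closed_port` / `open_port` and `getStateCounts`), so computing a first and second preferred state once and running a single lookup loop would remove the duplication; the filtered fallback and the moved `if (state == -1) return -1;` are behaviourally equivalent to the old else/return, which is fine.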

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
