minor fix + {ports} syntax
From: "Anonymous Remailer (austria)" <mixmaster () remailer privacy at>
Date: Wed, 3 Mar 2010 05:48:41 +0100 (CET)
Attachment:
patches_gg.tar.bz2
Description:
saludos,
greengreat.
==PATCH 1==
In scan_engine.cc,
In one comment, correct the order in which the probes are tried so that it reflects the code:
--- scan_engine.cc
+++ scan_engine.cc
@@ -2009,7 +2009,7 @@
return 0;
} else if (USI->ping_scan) {
/* This is ordered to try probes of higher effectiveness first:
- -PE -PS -PA -PP -PU
+ -PE -PS -PA -PY -PM -PP -PU -PO -PT
-PA is slightly better than -PS when combined with -PE, but give -PS an
edge because it is less likely to be dropped by firewalls. */
if (USI->ptech.rawicmpscan) {
==PATCH 2==
WORDING
In nmap.cc,
The list given to -PO refers to protocol numbers, not ports, so the error message should say so:
--- nmap.cc
+++ nmap.cc
@@ -1201,7 +1201,7 @@
}
} else if (*optarg == 'O') {
if (ports.proto_ping_count > 0)
- fatal("Only one -PO option is allowed. Combine port ranges with commas.");
+ fatal("Only one -PO option is allowed. Combine protocol ranges with commas.");
o.pingtype |= PINGTYPE_PROTO;
if (*(optarg + 1) != '\0') {
getpts_simple(optarg + 1, SCAN_PROTOCOLS, &ports.proto_ping_ports, &ports.proto_ping_count);
==PATCH 3==
COMMANDLINE PARSE FIX
In nmap.cc,
initialize the scanflags value to -1 so that an error is returned on all malformed input, e.g. "--scanflags A9":
--- nmap.cc
+++ nmap.cc
@@ -127,7 +127,7 @@
/* parse the --scanflags argument. It can be a number >=0 or a string consisting of TCP flag names like "URGPSHFIN".
Returns -1 if the argument is invalid. */
static int parse_scanflags(char *arg) {
- int flagval = 0;
+ int flagval = -1;
char *end = NULL;
if (isdigit((int) (unsigned char) arg[0])) {
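Review bot: Starting flagval at -1 looks like it would break the flag-name branch rather than tighten it, because -1 has every bit set and the comment above the function says it accepts strings such as "URGPSHFIN", which the name branch presumably builds up with `flagval |= TH_xxx`; `-1 | anything` is still -1, so every name-based argument, valid ones included, would come back as "invalid". That branch lies outside this hunk, so please confirm how it accumulates flagval before relying on this change. A fix that does what the description wants is to keep `int flagval = 0;`, set a `bool matched = true;` next to each recognised name in that branch, and end it with `return matched ? flagval : -1;`; an argument like "A9" then fails because nothing matched, while real flag names still work. Note this still would not reject "FIN9", since substring matching cannot see trailing junk; only a token-by-token parse that requires the whole argument to be consumed can do that.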
==PATCH 4==
DOC
In nmap.cc,
add -PY to available probes in the error message:
--- nmap.cc
+++ nmap.cc
@@ -1212,7 +1210,7 @@
assert(ports.proto_ping_count > 0);
}
} else {
- fatal("Illegal Argument to -P, use -PN, -PO, -PI, -PB, -PE, -PM, -PP, -PA, -PU, -PT, or -PT80 (or whatever
number you want for the TCP probe destination port)");
+ fatal("Illegal Argument to -P, use -PN, -PO, -PI, -PB, -PE, -PM, -PP, -PA, -PU, -PT, -PY or -PT80 (or whatever
port number you want to be probed)");
}
break;
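Review bot: The list in the error message still omits -PS even after this patch, although the probe-order comment changed in patch 1 treats -PS as a supported ping type alongside -PA and -PY. If the message is being touched anyway, add it, e.g. `... -PE, -PM, -PP, -PS, -PA, -PU, -PT, -PY or -PT80 ...`, so the user is not steered away from a working option. The switch this error lives in starts and ends outside the hunk.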
==PATCH 5==
FEATURE?
In docs/nmap.1, docs/nmap.usage.txt, nmap.h, nmap.cc,
document, where it is not yet mentioned, the explicit specification of SCTP scan (-sY or -sZ) probe ports, i.e. "-p S:ports",
and add a port range syntax complementary to the square-bracket [] one; it is a quick hack based on Doug Hoyte's code.
Curly brackets {} restrict the specified range to only those ports that are NOT present in nmap-services, in other words
the obscure, less used ones:
--- docs/nmap.1
+++ docs/nmap.1
@@ -142,7 +142,7 @@
\-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
\-p <port ranges>: Only scan specified ports
- Ex: \-p22; \-p1\-65535; \-p U:53,111,137,T:21\-25,80,139,8080
+ Ex: \-p22; \-p1\-65535; \-p[\-1024],{1025\-}; \-p U:53,111,137,T:21\-25,80,139,8080,S:20\-22
\-F: Fast mode \- Scan fewer ports than the default scan
\-r: Scan ports consecutively \- don\'t randomize
\-\-top\-ports <number>: Scan <number> most common ports
@@ -920,14 +920,19 @@
to scan ports from 1 through 65535\&. Scanning port zero.\" port zero
is allowed if you specify it explicitly\&. For IP protocol scanning (\fB\-sO\fR), this option specifies the protocol
numbers you wish to scan for (0\(en255)\&.
.sp
-When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port numbers by
+When scanning both TCP and UDP and/or SCTP ports, you can specify a particular protocol by preceding the port numbers
+by
T:
or
-U:\&. The qualifier lasts until you specify another qualifier\&. For example, the argument
-\fB\-p U:53,111,137,T:21\-25,80,139,8080\fR
-would scan UDP ports 53, 111,and 137, as well as the listed TCP ports\&. Note that to scan both UDP and TCP, you have
to specify
-\fB\-sU\fR
-and at least one TCP scan type (such as
+S: or U:\&. The qualifier lasts until you specify another qualifier\&. For example, the argument
+\fB\-p U:53,111,137,T:21\-25,80,139,8080,S:20\-22\fR
+would scan UDP ports 53, 111 and 137, as well as the listed TCP and SCTP ports\&. Note that to scan both SCTP and/or
+UDP and/or TCP, you have to specify
+\fB\-sU\fR,
+and/or one STCP scan type (such as
+\fB\-sY\fR,
+\fB\-sZ\fR),
+and/or one TCP scan type (such as
\fB\-sS\fR,
\fB\-sF\fR, or
\fB\-sT\fR)\&. If no protocol qualifier is given, the port numbers are added to all protocol lists\&.
@@ -941,10 +946,11 @@
if unsure\&.
.sp
Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in
-nmap\-services\&. For example, the following will scan all ports in
+nmap\-services, or in curly brackets to mean ports not present in nmap\-services.\& For example, the following will
+scan all ports in
nmap\-services
-equal to or below 1024:
-\fB\-p [\-1024]\fR\&. Be careful with shell expansions and quote the argument to
+equal to or below 1024 and all ports not in nmap\-services above 1024:
+\fB\-p [\-1024],{1025\-}\fR\&. Be careful with shell expansions and quote the argument to
\fB\-p\fR
if unsure\&.
.RE
--- docs/nmap.usage.txt
+++ docs/nmap.usage.txt
@@ -29,7 +29,7 @@
-b <FTP relay host>: FTP bounce scan
PORT SPECIFICATION AND SCAN ORDER:
-p <port ranges>: Only scan specified ports
- Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
+ Ex: -p22; -p1-65535; -p[-1024],{1025-}; -p U:53,111,137,T:21-25,80,139,8080,S:7,9,20,21
-F: Fast mode - Scan fewer ports than the default scan
-r: Scan ports consecutively - don't randomize
--top-ports <number>: Scan <number> most common ports
--- nmap.h
+++ nmap.h
@@ -407,6 +407,10 @@
# define recvfrom6_t int
#endif
+/* port ranges syntax parsing */
+#define NESTED_NOT 0
+#define NESTED_SQUARE 1 /* [ports] nest */
+#define NESTED_CURLY 2 /* {ports} nest */
/********************** LOCAL INCLUDES *****************************/
#include "global_structures.h"
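Review bot: NESTED_NOT, NESTED_SQUARE and NESTED_CURLY are three related integer constants that would read better as an enum, which the debugger can display and the compiler can warn about in a switch: `enum nest_kind { NESTED_NOT, NESTED_SQUARE, NESTED_CURLY };`. The `nested` parameter of getpts_aux, declared elsewhere in nmap.cc, could then be typed `enum nest_kind` instead of `int`, and the `/* [ports] nest */` and `/* {ports} nest */` comments move onto the enumerators.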
--- nmap.cc
+++ nmap.cc
@@ -234,7 +234,7 @@
" -b <FTP relay host>: FTP bounce scan\n"
"PORT SPECIFICATION AND SCAN ORDER:\n"
" -p <port ranges>: Only scan specified ports\n"
- " Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080\n"
+ " Ex: -p22; -p1-65535; -p[-1024],{1025-}; -p U:53,111,137,T:21-25,80,139,8080,S:7,9,20,21\n"
" -F: Fast mode - Scan fewer ports than the default scan\n"
" -r: Scan ports consecutively - don't randomize\n"
" --top-ports <number>: Scan <number> most common ports\n"
@@ -2160,8 +2160,9 @@
* Fyodor - Wrote original
* William McVey - Added T:, U:, P: directives
* Doug Hoyte - Added [], name lookups, and wildcard expansion
- *
- * getpts() handles []
+ * Added {}, logical complement of []: useful to map out common ports when
+ * only looking for obscured services.
+ * getpts() handles [] and {}
* Any port ranges included inside square brackets will have all
* their ports looked up in nmap-services or nmap-protocols
* and will only be included if they are found.
@@ -2178,7 +2179,7 @@
* Will scan http (80), http-mgmt (280), http-proxy (8080), https (443), etc.
*
* Matching is case INsensitive but the first character in a match MUST
- * be lowercase so it doesn't conflict with the T:, U:, and P: directives.
+ * be lowercase so it doesn't conflict with the T:, U:, S:, and P: directives.
*
* getpts() is unable to match service names that start with a digit
* like 3com-tsmux (106/udp). Use a pattern like "?com-*" instead.
@@ -2200,14 +2201,15 @@
*
* ./nmap -p 'nm*' host
*
- * getpts() is smart enough to keep the T: U: and P: directives nested
+ * getpts() is smart enough to keep the T: U: S: and P: directives nested
* and working in a logical manner. For instance,
*
- * nmap -sTU -p [U:1025-],1-1024 host
+ * nmap -sTUY -p [U:1025-],{1-1024} host
*
- * Will scan UDP ports 1025 and up that are found in the service file
- * and all TCP/UDP ports below <= 1024. Notice that the U doesn't affect
- * the outer part of the port expression. It's "closed".
+ * Will scan UDP ports 1025 and up that are found in the service file and all
+ * TCP/UDP/SCTP ports below <= 1024 which are not found in the service file.
+ * Notice that the U doesn't affect the outer part of the port expression.
+ * It's "closed".
*/
static void getpts_aux(const char *origexpr, int nested, u8 *porttbl, int range_type,
@@ -2231,7 +2233,7 @@
porttbl = (u8 *) safe_zalloc(65536);
getpts_aux(origexpr, // Pass on the expression
- 0, // Don't start off nested
+ NESTED_NOT, // Don't start off nested
porttbl, // Our allocated port table
range_type, // Defaults to TCP/UDP/SCTP/Protos
&portwarning); // No, we haven't warned them about dup ports yet
@@ -2252,7 +2254,7 @@
}
if (range_type != 0 && 0 == (ports->tcp_count + ports->udp_count + ports->sctp_count + ports->prot_count))
- fatal("No ports specified -- If you really don't want to scan any ports use ping scan...");
+ fatal("No ports to scan as per -p -- If you really don't want to scan any ports use ping scan...");
if (ports->tcp_count) {
ports->tcp_ports = (unsigned short *)safe_zalloc(ports->tcp_count * sizeof(unsigned short));
@@ -2297,8 +2299,8 @@
porttbl = (u8 *) safe_zalloc(65536);
- /* Get the ports but do not allow changing the type with T:, U:, or P:. */
- getpts_aux(origexpr, 0, porttbl, range_type, &portwarning, false);
+ /* Get the ports but do not allow changing the type with T:, U:, S: or P:. */
+ getpts_aux(origexpr, NESTED_NOT, porttbl, range_type, &portwarning, false);
/* Count how many are set. */
*count = 0;
@@ -2335,9 +2337,9 @@
/* An example of proper syntax to use in error messages. */
const char *syntax_example;
if (change_range_type)
- syntax_example = "-100,200-1024,T:3000-4000,U:60000-";
+ syntax_example = "-100,200-1024,[1050-2000],T:3000-4000,U:{60000-},S:20-22";
else
- syntax_example = "-100,200-1024,3000-4000,60000-";
+ syntax_example = "-100,200-1024,[1050-2000],3000-4000,{60000-}";
current_range = origexpr;
do {
@@ -2368,10 +2370,10 @@
}
if (*current_range == '[') {
- if (nested)
+ if (nested != NESTED_NOT)
fatal("Can't nest [] brackets in port/protocol specification");
- getpts_aux(++current_range, 1, porttbl, range_type, portwarning);
+ getpts_aux(++current_range, NESTED_SQUARE, porttbl, range_type, portwarning);
// Skip past the ']'. This is OK because we can't nest []s
while(*current_range != ']') current_range++;
@@ -2382,10 +2384,29 @@
continue;
} else if (*current_range == ']') {
- if (!nested)
+ if (nested != NESTED_SQUARE)
fatal("Unexpected ] character in port/protocol specification");
return;
+ } else if (*current_range == '{') {
+ if (nested != NESTED_NOT)
+ fatal("Can't nest {} brackets in port/protocol specification");
+
+ getpts_aux(++current_range, NESTED_CURLY, porttbl, range_type, portwarning);
+
+ // Skip past the '}'. This is OK because we can't nest {}s
+ while(*current_range != '}') current_range++;
+ current_range++;
+
+ // Skip over a following ',' so we're ready to keep parsing
+ if (*current_range == ',') current_range++;
+
+ continue;
+ } else if (*current_range == '}') {
+ if (nested != NESTED_CURLY)
+ fatal("Unexpected } character in port/protocol specification");
+
+ return;
} else if (*current_range == '-') {
if (range_type & SCAN_PROTOCOLS)
rangestart = 0;
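Review bot: The scan `while(*current_range != '}') current_range++;` in the new `{` branch has no NUL check, so an unclosed specification such as `-p '{1-10'` walks past the end of the string; the inner getpts_aux call returns on `}` (visible here) or when the string ends (the loop condition is outside this hunk), and nothing visible rejects an unterminated expression. Unless that rejection exists elsewhere in the function, guard the scan and fail explicitly: `while (*current_range && *current_range != '}') current_range++;` followed by `if (!*current_range) fatal("Unclosed { in port/protocol specification");`. The same weakness exists in the `[` branch this code was copied from, so the fix should be applied to both. The enclosing do/while starts and ends outside the hunk.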
@@ -2406,13 +2427,14 @@
} else if (islower((int) (unsigned char) *current_range) || *current_range == '*' || *current_range == '?') {
i = 0;
- while (*current_range && !isspace((int) (unsigned char) *current_range) && *current_range != ',' &&
*current_range != ']') {
+ while (*current_range && !isspace((int) (unsigned char) *current_range) && *current_range != ',' &&
+*current_range != ']' && *current_range != '}') {
servmask[i++] = *(current_range++);
if (i >= ((int)sizeof(servmask)-1))
fatal("A service mask in the port/protocol specification is either malformed or too long");
}
- if (*current_range && *current_range != ']') current_range++; // We want the '] character to be picked up on the
next pass
+ if (*current_range && *current_range != ']' || *current_range != '}') current_range++; // We want the ']' or '}'
characters to be picked up on the next pass
servmask[i] = '\0'; // Finish the string
i = addportsfromservmask(servmask, porttbl, range_type);
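Review bot: The rewritten skip test `if (*current_range && *current_range != ']' || *current_range != '}') current_range++;` has a precedence bug: `&&` binds tighter than `||`, so it reads as `(*current_range && *current_range != ']') || (*current_range != '}')`. At the NUL terminator the right-hand side is true and the pointer is advanced past the end of the string, and at `]` it is also true, so the bracket the comment says should be "picked up on the next pass" is consumed instead. The intended condition is `if (*current_range && *current_range != ']' && *current_range != '}') current_range++;`. The enclosing getpts_aux continues outside the hunk on both sides.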
@@ -2427,12 +2449,12 @@
fatal("Error #485: Your port specifications are illegal. Example of proper form: \"%s\"", syntax_example);
}
/* Now I have a rangestart, time to go after rangeend */
- if (!*current_range || *current_range == ',' || *current_range == ']') {
+ if (!*current_range || *current_range == ',' || *current_range == ']' || *current_range == '}') {
/* Single port specification */
rangeend = rangestart;
} else if (*current_range == '-') {
current_range++;
- if (!*current_range || *current_range == ',' || *current_range == ']') {
+ if (!*current_range || *current_range == ',' || *current_range == ']' || *current_range == '}') {
/* Ended with a -, meaning up until the last possible port */
if (range_type & SCAN_PROTOCOLS)
rangeend = 255;
@@ -2468,7 +2490,7 @@
(*portwarning)++;
}
} else {
- if (nested) {
+ if (nested == NESTED_SQUARE) {
if ((range_type & SCAN_TCP_PORT) &&
nmap_getservbyport(htons(rangestart), "tcp")) {
porttbl[rangestart] |= SCAN_TCP_PORT;
@@ -2485,6 +2507,24 @@
nmap_getprotbynum(htons(rangestart))) {
porttbl[rangestart] |= SCAN_PROTOCOLS;
}
+ /* Add the ports in {} if they are not found in nmap_services */
+ } else if (nested == NESTED_CURLY) {
+ if ((range_type & SCAN_TCP_PORT) &&
+ !nmap_getservbyport(htons(rangestart), "tcp")) {
+ porttbl[rangestart] |= SCAN_TCP_PORT;
+ }
+ if ((range_type & SCAN_UDP_PORT) &&
+ !nmap_getservbyport(htons(rangestart), "udp")) {
+ porttbl[rangestart] |= SCAN_UDP_PORT;
+ }
+ if ((range_type & SCAN_SCTP_PORT) &&
+ !nmap_getservbyport(htons(rangestart), "sctp")) {
+ porttbl[rangestart] |= SCAN_SCTP_PORT;
+ }
+ if ((range_type & SCAN_PROTOCOLS) &&
+ !nmap_getprotbynum(htons(rangestart))) {
+ porttbl[rangestart] |= SCAN_PROTOCOLS;
+ }
} else {
porttbl[rangestart] |= range_type;
}
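Review bot: The new NESTED_CURLY branch is a line-for-line copy of the NESTED_SQUARE branch with each lookup negated, which doubles the code that has to be kept in sync when a protocol is added; a single branch keyed on whether the port should be listed or unlisted removes the duplication. The comment `/* Add the ports in {} if they are not found in nmap_services */` is also placed inside the closing of the `[]` branch rather than at the top of the `{}` branch it describes, and "nmap_services" should be "nmap-services" (or "nmap-protocols" for -sO) to match the file names used elsewhere in this comment block. A factored version follows; the surrounding if/else chain starts and ends outside the hunk.
```cpp
      } else if (nested == NESTED_SQUARE || nested == NESTED_CURLY) {
        /* [] keeps only ports listed in nmap-services (or nmap-protocols for -sO);
           {} keeps only the ports that are not listed there. */
        bool want_listed = (nested == NESTED_SQUARE);
        if ((range_type & SCAN_TCP_PORT) &&
            (nmap_getservbyport(htons(rangestart), "tcp") != NULL) == want_listed)
          porttbl[rangestart] |= SCAN_TCP_PORT;
        if ((range_type & SCAN_UDP_PORT) &&
            (nmap_getservbyport(htons(rangestart), "udp") != NULL) == want_listed)
          porttbl[rangestart] |= SCAN_UDP_PORT;
        if ((range_type & SCAN_SCTP_PORT) &&
            (nmap_getservbyport(htons(rangestart), "sctp") != NULL) == want_listed)
          porttbl[rangestart] |= SCAN_SCTP_PORT;
        if ((range_type & SCAN_PROTOCOLS) &&
            (nmap_getprotbynum(htons(rangestart)) != NULL) == want_listed)
          porttbl[rangestart] |= SCAN_PROTOCOLS;
      } else {
        // … unchanged: unbracketed ports take range_type directly …
```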
@@ -2496,7 +2536,12 @@
while(isspace((int) (unsigned char) *current_range)) current_range++;
if (*current_range == ']') {
- if (!nested) fatal("Unexpected ] character in port/protocol specification");
+ if (nested != NESTED_SQUARE) fatal("Unexpected ] character in port/protocol specification");
+ return;
+ }
+
+ if (*current_range == '}') {
+ if (nested != NESTED_CURLY) fatal("Unexpected } character in port/protocol specification");
return;
}
