minor fix + {ports} syntax
From: "Anonymous Remailer (austria)" <mixmaster () remailer privacy at>
Date: Wed, 3 Mar 2010 05:48:41 +0100 (CET)
Attachment:
patches_gg.tar.bz2
Description:
saludos, greengreat.
==PATCH 1== In scan_engine.cc, In one comment, correct the order of probe tries, to reflect the code:
--- scan_engine.cc
+++ scan_engine.cc
@@ -2009,7 +2009,7 @@
 return 0;
 } else if (USI->ping_scan) {
 /* This is ordered to try probes of higher effectiveness first:
- -PE -PS -PA -PP -PU
+ -PE -PS -PA -PY -PM -PP -PU -PO -PT
 -PA is slightly better than -PS when combined with -PE, but give -PS an edge because it is less likely to be dropped by firewalls. */
 if (USI->ptech.rawicmpscan) {
==PATCH 2== WORDING In nmap.cc, -p when associated with -PO is referred to protocol numbers:
--- nmap.cc
+++ nmap.cc
@@ -1201,7 +1201,7 @@
 }
 } else if (*optarg == 'O') {
 if (ports.proto_ping_count > 0)
- fatal("Only one -PO option is allowed. Combine port ranges with commas.");
+ fatal("Only one -PO option is allowed. Combine protocol ranges with commas.");
 o.pingtype |= PINGTYPE_PROTO;
 if (*(optarg + 1) != '\0') {
 getpts_simple(optarg + 1, SCAN_PROTOCOLS, &ports.proto_ping_ports, &ports.proto_ping_count);
==PATCH 3== COMMANDLINE PARSE FIX In nmap.cc, initialize scanflags value to -1 so that would return error on all malformed input eg "--scanflags A9":
--- nmap.cc
+++ nmap.cc
@@ -127,7 +127,7 @@
 /* parse the --scanflags argument. It can be a number >=0 or a string consisting of TCP flag names like "URGPSHFIN". Returns -1 if the argument is invalid. */
 static int parse_scanflags(char *arg) {
- int flagval = 0;
+ int flagval = -1;
 char *end = NULL;
 if (isdigit((int) (unsigned char) arg[0])) {
==PATCH 4== DOC In nmap.cc, add -PY to available probes in the error message:
--- nmap.cc
+++ nmap.cc 
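Review bot: Starting `flagval` at -1 in parse_scanflags is a fragile way to reject bad input, because the function body continues outside the hunk and, if the name-parsing branch ORs flag bits into `flagval` as such parsers usually do, every valid name string now yields -1 | bits == -1 and is rejected as invalid; the digit branch is presumably also untouched for an input like "--scanflags A9", which starts with a letter. Keep `int flagval = 0;` and instead make each branch return -1 at the first character it does not recognise (for the numeric branch, when `*end != '\0'` after strtol). The comment above the function should then state the exact grammar that is accepted.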
@@ -1212,7 +1210,7 @@
 assert(ports.proto_ping_count > 0);
 }
 } else {
- fatal("Illegal Argument to -P, use -PN, -PO, -PI, -PB, -PE, -PM, -PP, -PA, -PU, -PT, or -PT80 (or whatever number you want for the TCP probe destination port)");
+ fatal("Illegal Argument to -P, use -PN, -PO, -PI, -PB, -PE, -PM, -PP, -PA, -PU, -PT, -PY or -PT80 (or whatever port number you want to be probed)");
 }
 break;
==PATCH 5== FEATURE? In docs/nmap.1, docs/nmap.usage.txt, nmap.h, nmap.cc, advertise (where lacks thereof) the explicit indication of SCTP scan (-sY||-sZ) probe ports ie: "-pS:ports" and add a port range syntax complement to the square brackets [] one; it is a quick hack based on Doug Hoyte's code. Curly brackets {}, make scan in the range of ports specified only the ones not present in nmap-services, in other words the obscure, less used ones:
--- docs/nmap.1
+++ docs/nmap.1
@@ -142,7 +142,7 @@
 \-b <FTP relay host>: FTP bounce scan
 PORT SPECIFICATION AND SCAN ORDER:
 \-p <port ranges>: Only scan specified ports
- Ex: \-p22; \-p1\-65535; \-p U:53,111,137,T:21\-25,80,139,8080
+ Ex: \-p22; \-p1\-65535; \-p[\-1024],{1025\-}; \-p U:53,111,137,T:21\-25,80,139,8080,S:20\-22
 \-F: Fast mode \- Scan fewer ports than the default scan
 \-r: Scan ports consecutively \- don\'t randomize
 \-\-top\-ports <number>: Scan <number> most common ports 
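Review bot: The list of accepted probe types in the new fatal() message still omits -PS, which the 'S' case of this same option parser (outside the hunk) presumably accepts; if so, it belongs in the list next to -PA. Inserting -PY before "or -PT80" also drops the comma before the final alternative; `-PU, -PT, -PY, or -PT80 (...)` is consistent with the rest of the list. The enclosing option-parsing code starts and ends outside the hunk.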
@@ -920,14 +920,19 @@
 to scan ports from 1 through 65535\&. Scanning port zero.\" port zero is allowed if you specify it explicitly\&. For IP protocol scanning (\fB\-sO\fR), this option specifies the protocol numbers you wish to scan for (0\(en255)\&.
 .sp
-When scanning both TCP and UDP ports, you can specify a particular protocol by preceding the port numbers by
+When scanning both TCP and UDP and/or SCTP ports, you can specify a particular protocol by preceding the port numbers
+by
 T:
 or
-U:\&. The qualifier lasts until you specify another qualifier\&. For example, the argument
-\fB\-p U:53,111,137,T:21\-25,80,139,8080\fR
-would scan UDP ports 53, 111,and 137, as well as the listed TCP ports\&. Note that to scan both UDP and TCP, you have to specify
-\fB\-sU\fR
-and at least one TCP scan type (such as
+S: or U:\&. The qualifier lasts until you specify another qualifier\&. For example, the argument
+\fB\-p U:53,111,137,T:21\-25,80,139,8080,S:20\-22\fR
+would scan UDP ports 53, 111 and 137, as well as the listed TCP and SCTP ports\&. Note that to scan both SCTP and/or
+UDP and/or TCP, you have to specify
+\fB\-sU\fR,
+and/or one STCP scan type (such as
+\fB\-sY\fR,
+\fB\-sZ\fR),
+and/or one TCP scan type (such as
 \fB\-sS\fR,
 \fB\-sF\fR, or
 \fB\-sT\fR)\&. If no protocol qualifier is given, the port numbers are added to all protocol lists\&. 
@@ -941,10 +946,11 @@
 if unsure\&.
 .sp
 Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in
-nmap\-services\&. For example, the following will scan all ports in
+nmap\-services, or in curly brackets to mean ports not present in nmap\-services.\& For example, the following will
+scan all ports in
 nmap\-services
-equal to or below 1024:
-\fB\-p [\-1024]\fR\&. Be careful with shell expansions and quote the argument to
+equal to or below 1024 and all ports not in nmap\-services above 1024:
+\fB\-p [\-1024],{1025\-}\fR\&. Be careful with shell expansions and quote the argument to
 \fB\-p\fR
 if unsure\&.
 .RE
--- docs/nmap.usage.txt
+++ docs/nmap.usage.txt
@@ -29,7 +29,7 @@
 -b <FTP relay host>: FTP bounce scan
 PORT SPECIFICATION AND SCAN ORDER:
 -p <port ranges>: Only scan specified ports
- Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
+ Ex: -p22; -p1-65535; -p[-1024],{1025-}; -p U:53,111,137,T:21-25,80,139,8080,S:7,9,20,21
 -F: Fast mode - Scan fewer ports than the default scan
 -r: Scan ports consecutively - don't randomize
 --top-ports <number>: Scan <number> most common ports
--- nmap.h
+++ nmap.h
@@ -407,6 +407,10 @@
 # define recvfrom6_t int
 #endif
+/* port ranges syntax parsing */
+#define NESTED_NOT 0
+#define NESTED_SQUARE 1 /* [ports] nest */
+#define NESTED_CURLY 2 /* {ports} nest */
 /********************** LOCAL INCLUDES *****************************/
 #include "global_structures.h"
--- nmap.cc
+++ nmap.cc
@@ -234,7 +234,7 @@
 " -b <FTP relay host>: FTP bounce scan\n"
 "PORT SPECIFICATION AND SCAN ORDER:\n"
 " -p <port ranges>: Only scan specified ports\n"
- " Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080\n"
+ " Ex: -p22; -p1-65535; -p[-1024],{1025-}; -p U:53,111,137,T:21-25,80,139,8080,S:7,9,20,21\n"
 " -F: Fast mode - Scan fewer ports than the default scan\n"
 " -r: Scan ports consecutively - don't randomize\n"
 " --top-ports <number>: Scan <number> most common ports\n" 
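Review bot: The three NESTED_* values added to nmap.h travel through getpts_aux as a bare `int nested` compared with `!=`, so a wrong literal at a call site compiles silently; since this is C++ code an enumeration is the better fit, `enum nested_kind { NESTED_NOT = 0, NESTED_SQUARE = 1, NESTED_CURLY = 2 };`, and the trailing comments should state what the parser does with them rather than just "nest": `/* inside [], keep only ports listed in nmap-services/nmap-protocols */` and `/* inside {}, keep only ports that are not listed */`. The header comment `/* port ranges syntax parsing */` would also help by naming the consumer, getpts_aux in nmap.cc.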
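Review bot: The SCTP example `S:7,9,20,21` in the nmap.cc usage string disagrees with the `S:20\-22` that the docs/nmap.1 hunk earlier in this patch shows for the same option, so the two user-visible descriptions of -p now differ; pick one (the man page's `S:20-22` is shorter) and apply it here and in docs/nmap.usage.txt, which mirrors this string. The nmap.1 hunk on the preceding line also spells SCTP as "STCP" in the added phrase "one STCP scan type".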
@@ -2160,8 +2160,9 @@
 * Fyodor - Wrote original
 * William McVey - Added T:, U:, P: directives
 * Doug Hoyte - Added [], name lookups, and wildcard expansion
- *
- * getpts() handles []
+ * Added {}, logical complement of []: useful to map out common ports when
+ * only looking for obscured services.
+ * getpts() handles [] and {}
 * Any port ranges included inside square brackets will have all
 * their ports looked up in nmap-services or nmap-protocols
 * and will only be included if they are found.
@@ -2178,7 +2179,7 @@
 * Will scan http (80), http-mgmt (280), http-proxy (8080), https (443), etc.
 *
 * Matching is case INsensitive but the first character in a match MUST
- * be lowercase so it doesn't conflict with the T:, U:, and P: directives.
+ * be lowercase so it doesn't conflict with the T:, U:, S:, and P: directives.
 *
 * getpts() is unable to match service names that start with a digit
 * like 3com-tsmux (106/udp). Use a pattern like "?com-*" instead.
@@ -2200,14 +2201,15 @@
 *
 * ./nmap -p 'nm*' host
 *
- * getpts() is smart enough to keep the T: U: and P: directives nested
+ * getpts() is smart enough to keep the T: U: S: and P: directives nested
 * and working in a logical manner. For instance,
 *
- * nmap -sTU -p [U:1025-],1-1024 host
+ * nmap -sTUY -p [U:1025-],{1-1024} host
 *
- * Will scan UDP ports 1025 and up that are found in the service file
- * and all TCP/UDP ports below <= 1024. Notice that the U doesn't affect
- * the outer part of the port expression. It's "closed".
+ * Will scan UDP ports 1025 and up that are found in the service file and all
+ * TCP/UDP/SCTP ports below <= 1024 which are not found in the service file.
+ * Notice that the U doesn't affect the outer part of the port expression.
+ * It's "closed".
 */
 static void getpts_aux(const char *origexpr, int nested, u8 *porttbl, int range_type, 
@@ -2231,7 +2233,7 @@
 porttbl = (u8 *) safe_zalloc(65536);
 getpts_aux(origexpr, // Pass on the expression
- 0, // Don't start off nested
+ NESTED_NOT, // Don't start off nested
 porttbl, // Our allocated port table
 range_type, // Defaults to TCP/UDP/SCTP/Protos
 &portwarning); // No, we haven't warned them about dup ports yet
@@ -2252,7 +2254,7 @@
 }
 if (range_type != 0 && 0 == (ports->tcp_count + ports->udp_count + ports->sctp_count + ports->prot_count))
- fatal("No ports specified -- If you really don't want to scan any ports use ping scan...");
+ fatal("No ports to scan as per -p -- If you really don't want to scan any ports use ping scan...");
 if (ports->tcp_count) {
 ports->tcp_ports = (unsigned short *)safe_zalloc(ports->tcp_count * sizeof(unsigned short));
@@ -2297,8 +2299,8 @@
 porttbl = (u8 *) safe_zalloc(65536);
- /* Get the ports but do not allow changing the type with T:, U:, or P:. */
- getpts_aux(origexpr, 0, porttbl, range_type, &portwarning, false);
+ /* Get the ports but do not allow changing the type with T:, U:, S: or P:. */
+ getpts_aux(origexpr, NESTED_NOT, porttbl, range_type, &portwarning, false);
 /* Count how many are set. */
 *count = 0;
@@ -2335,9 +2337,9 @@
 /* An example of proper syntax to use in error messages. */
 const char *syntax_example;
 if (change_range_type)
- syntax_example = "-100,200-1024,T:3000-4000,U:60000-";
+ syntax_example = "-100,200-1024,[1050-2000],T:3000-4000,U:{60000-},S:20-22";
 else
- syntax_example = "-100,200-1024,[1050-2000],3000-4000,{60000-}";
 current_range = origexpr;
 do { 
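Review bot: The reworded message `No ports to scan as per -p -- ...` in the second hunk reads awkwardly, and with `{}` this branch is now reachable for a syntactically valid specification that simply filtered out every port, which is worth saying: `fatal("No ports to scan -- the -p specification matched no ports (if you really don't want to scan any ports use ping scan...)");`. The enclosing function starts before the hunk and continues after it.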
@@ -2368,10 +2370,10 @@
 }
 if (*current_range == '[') {
- if (nested)
+ if (nested != NESTED_NOT)
 fatal("Can't nest [] brackets in port/protocol specification");
- getpts_aux(++current_range, 1, porttbl, range_type, portwarning);
+ getpts_aux(++current_range, NESTED_SQUARE, porttbl, range_type, portwarning);
 // Skip past the ']'. This is OK because we can't nest []s
 while(*current_range != ']') current_range++;
@@ -2382,10 +2384,29 @@
 continue;
 } else if (*current_range == ']') {
- if (!nested)
+ if (nested != NESTED_SQUARE)
 fatal("Unexpected ] character in port/protocol specification");
 return;
+ } else if (*current_range == '{') {
+ if (nested != NESTED_NOT)
+ fatal("Can't nest {} brackets in port/protocol specification");
+
+ getpts_aux(++current_range, NESTED_CURLY, porttbl, range_type, portwarning);
+
+ // Skip past the '}'. This is OK because we can't nest {}s
+ while(*current_range != '}') current_range++;
+ current_range++;
+
+ // Skip over a following ',' so we're ready to keep parsing
+ if (*current_range == ',') current_range++;
+
+ continue;
+ } else if (*current_range == '}') {
+ if (nested != NESTED_CURLY)
+ fatal("Unexpected } character in port/protocol specification");
+
+ return;
 } else if (*current_range == '-') {
 if (range_type & SCAN_PROTOCOLS) rangestart = 0; 
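Review bot: The new recursive call `getpts_aux(++current_range, NESTED_CURLY, porttbl, range_type, portwarning);` in the second hunk drops the sixth argument (`change_range_type`, judging by the `if (change_range_type)` test later in this function), so inside `{}` the callee runs with that parameter's default rather than the `false` that getpts_simple passes in; the existing `[]` call has the same gap, but the new branch is the place to close it, e.g. `getpts_aux(++current_range, NESTED_CURLY, porttbl, range_type, portwarning, change_range_type);` (and likewise for the `[]` call). The skip loop `while(*current_range != '}') current_range++;` also assumes the callee guaranteed a closing '}'; if the unterminated-bracket check at the end of getpts_aux (outside the hunk) only tests for NESTED_SQUARE, an input such as `{1-` makes this loop read past the terminating NUL. getpts_aux starts before the hunk and ends after it.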
@@ -2406,13 +2427,14 @@
 } else if (islower((int) (unsigned char) *current_range) || *current_range == '*' || *current_range == '?') {
 i = 0;
- while (*current_range && !isspace((int) (unsigned char) *current_range) && *current_range != ',' && *current_range != ']') {
+ while (*current_range && !isspace((int) (unsigned char) *current_range) && *current_range != ',' &&
+*current_range != ']' && *current_range != '}') {
 servmask[i++] = *(current_range++);
 if (i >= ((int)sizeof(servmask)-1)) fatal("A service mask in the port/protocol specification is either malformed or too long");
 }
- if (*current_range && *current_range != ']') current_range++; // We want the '] character to be picked up on the next pass
+ if (*current_range && *current_range != ']' || *current_range != '}') current_range++; // We want the ']' or '}' characters to be picked up on the next pass
 servmask[i] = '\0'; // Finish the string
 i = addportsfromservmask(servmask, porttbl, range_type);
@@ -2427,12 +2449,12 @@
 fatal("Error #485: Your port specifications are illegal. Example of proper form: \"%s\"", syntax_example);
 }
 /* Now I have a rangestart, time to go after rangeend */
- if (!*current_range || *current_range == ',' || *current_range == ']') {
+ if (!*current_range || *current_range == ',' || *current_range == ']' || *current_range == '}') {
 /* Single port specification */
 rangeend = rangestart;
 } else if (*current_range == '-') {
 current_range++;
- if (!*current_range || *current_range == ',' || *current_range == ']') {
+ if (!*current_range || *current_range == ',' || *current_range == ']' || *current_range == '}') {
 /* Ended with a -, meaning up until the last possible port */
 if (range_type & SCAN_PROTOCOLS) rangeend = 255;
@@ -2468,7 +2490,7 @@
 (*portwarning)++;
 }
 } else {
- if (nested) {
+ if (nested == NESTED_SQUARE) {
 if ((range_type & SCAN_TCP_PORT) && nmap_getservbyport(htons(rangestart), "tcp")) {
 porttbl[rangestart] |= SCAN_TCP_PORT; 
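Review bot: The rewritten guard `if (*current_range && *current_range != ']' || *current_range != '}') current_range++;` in the first hunk mixes && and || without parentheses, so it parses as `(*current_range && *current_range != ']') || *current_range != '}'`: on a ']' the right operand is true and the bracket is consumed instead of being left for the next pass, on a '}' the left operand is true and the brace is consumed the same way, and on the terminating NUL the right operand is true and `current_range` is advanced past the end of the string, after which the rest of the loop reads out of bounds. The intended condition is `if (*current_range && *current_range != ']' && *current_range != '}') current_range++;`. The added continuation line `+*current_range != ']' && *current_range != '}') {` in the same hunk is flush left; indent it under the first operand of the while condition. getpts_aux starts before the hunk and ends after it.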
@@ -2485,6 +2507,24 @@
 nmap_getprotbynum(htons(rangestart))) {
 porttbl[rangestart] |= SCAN_PROTOCOLS;
 }
+ /* Add the ports in {} if they are not found in nmap_services */
+ } else if (nested == NESTED_CURLY) {
+ if ((range_type & SCAN_TCP_PORT) &&
+ !nmap_getservbyport(htons(rangestart), "tcp")) {
+ porttbl[rangestart] |= SCAN_TCP_PORT;
+ }
+ if ((range_type & SCAN_UDP_PORT) &&
+ !nmap_getservbyport(htons(rangestart), "udp")) {
+ porttbl[rangestart] |= SCAN_UDP_PORT;
+ }
+ if ((range_type & SCAN_SCTP_PORT) &&
+ !nmap_getservbyport(htons(rangestart), "sctp")) {
+ porttbl[rangestart] |= SCAN_SCTP_PORT;
+ }
+ if ((range_type & SCAN_PROTOCOLS) &&
+ !nmap_getprotbynum(htons(rangestart))) {
+ porttbl[rangestart] |= SCAN_PROTOCOLS;
+ }
 } else {
 porttbl[rangestart] |= range_type;
 }
@@ -2496,7 +2536,12 @@
 while(isspace((int) (unsigned char) *current_range)) current_range++;
 if (*current_range == ']') {
- if (!nested) fatal("Unexpected ] character in port/protocol specification");
+ if (nested != NESTED_SQUARE) fatal("Unexpected ] character in port/protocol specification");
+ return;
+ }
+
+ if (*current_range == '}') {
+ if (nested != NESTED_CURLY) fatal("Unexpected } character in port/protocol specification");
 return;
 }
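Review bot: The new NESTED_CURLY branch in the first hunk repeats the four lookups of the NESTED_SQUARE branch that opens in the preceding hunk with only the negation differing, and its explanatory comment `/* Add the ports in {} ... */` sits inside the closing of the `[]` branch rather than on the branch it describes. Folding both into one branch keyed on whether a service-file match is wanted keeps the lookups in one place, as sketched below (the `if (nested == NESTED_SQUARE) {` line it replaces is in the previous hunk, and the helpers are assumed to return a pointer, as their use as a condition suggests). The two bracket checks in the second hunk could likewise become one test that compares the character with the `nested` kind. getpts_aux starts before the hunk and ends after it.
```cpp
      } else if (nested == NESTED_SQUARE || nested == NESTED_CURLY) {
        /* [] keeps only ports/protocols listed in nmap-services or
           nmap-protocols; {} keeps only those that are not listed. */
        bool want_listed = (nested == NESTED_SQUARE);
        if ((range_type & SCAN_TCP_PORT) &&
            (nmap_getservbyport(htons(rangestart), "tcp") != NULL) == want_listed) {
          porttbl[rangestart] |= SCAN_TCP_PORT;
        }
        if ((range_type & SCAN_UDP_PORT) &&
            (nmap_getservbyport(htons(rangestart), "udp") != NULL) == want_listed) {
          porttbl[rangestart] |= SCAN_UDP_PORT;
        }
        if ((range_type & SCAN_SCTP_PORT) &&
            (nmap_getservbyport(htons(rangestart), "sctp") != NULL) == want_listed) {
          porttbl[rangestart] |= SCAN_SCTP_PORT;
        }
        if ((range_type & SCAN_PROTOCOLS) &&
            (nmap_getprotbynum(htons(rangestart)) != NULL) == want_listed) {
          porttbl[rangestart] |= SCAN_PROTOCOLS;
        }
      } else {
        // … unchanged: porttbl[rangestart] |= range_type; …
```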