OpenVAS Scanner  7.0.1~git
nasl_builtin_synscan.c File Reference

Port scanner Synscan. More...

#include "../misc/bpf_share.h"
#include "../misc/network.h"
#include "../misc/pcap_openvas.h"
#include "../misc/plugutils.h"
#include "nasl_lex_ctxt.h"
#include <arpa/inet.h>
#include <gvm/base/logging.h>
#include <gvm/base/prefs.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
Include dependency graph for nasl_builtin_synscan.c:

Go to the source code of this file.

Data Structures

struct  pseudohdr
 
struct  list
 

Macros

#define _BSD_SOURCE   1
 
#define _DEFAULT_SOURCE   1
 
#define NUM_RETRIES   2
 
#define G_LOG_DOMAIN   "lib nasl"
 GLib logging domain. More...
 

Functions

static int in_cksum (u_short *p, int n)
 
unsigned long maketime ()
 
struct timeval timeval (unsigned long val)
 
unsigned long compute_rtt (unsigned long then)
 
int packetdead (unsigned long then)
 
int rawsocket (int family)
 Opens and returns a raw socket. More...
 
int openbpf (struct in_addr dst, struct in_addr *src, int magic)
 Opens a packet filter, grabs packets from dst to port magic. More...
 
int v6_openbpf (struct in6_addr *dst, struct in6_addr *src, int magic)
 
struct listget_packet (struct list *l, unsigned short dport)
 
struct listadd_packet (struct list *l, unsigned short dport, unsigned long ack)
 If no packet with dport is in list, prepends a "packet" to the. More...
 
struct listrm_packet (struct list *l, unsigned short dport)
 
struct listrm_dead_packets (struct list *l, int *retry)
 
struct tcphdr * extracttcp (char *pkt, unsigned int len)
 
struct tcphdr * v6_extracttcp (char *pkt)
 
unsigned long extractack (char *pkt, int len, int family)
 
unsigned short extractsport (char *pkt, int len, int family)
 
int issynack (char *pkt, int len, int family)
 
char * mktcp (struct in_addr src, int sport, struct in_addr dst, int dport, unsigned long th_ack, unsigned char flag)
 
char * mktcpv6 (int sport, int dport, unsigned long th_ack, unsigned char flag)
 
struct listsendpacket (int soc, int bpf, int skip, struct in_addr dst, struct in_addr src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct script_infos *env)
 
struct listv6_sendpacket (int soc, int bpf, int skip, struct in6_addr *dst, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct script_infos *env)
 
int scan (struct script_infos *env, char *portrange, struct in6_addr *dst6, unsigned long rtt)
 
tree_cellplugin_run_synscan (lex_ctxt *lexic)
 

Detailed Description

Port scanner Synscan.

Definition in file nasl_builtin_synscan.c.

Macro Definition Documentation

◆ _BSD_SOURCE

#define _BSD_SOURCE   1

Definition at line 25 of file nasl_builtin_synscan.c.

◆ _DEFAULT_SOURCE

#define _DEFAULT_SOURCE   1

Definition at line 27 of file nasl_builtin_synscan.c.

◆ G_LOG_DOMAIN

#define G_LOG_DOMAIN   "lib nasl"

GLib logging domain.

Definition at line 54 of file nasl_builtin_synscan.c.

◆ NUM_RETRIES

#define NUM_RETRIES   2

Definition at line 48 of file nasl_builtin_synscan.c.

Function Documentation

◆ add_packet()

struct list* add_packet ( struct list l,
unsigned short  dport,
unsigned long  ack 
)

If no packet with dport is in list, prepends a "packet" to the.

list l.

Definition at line 290 of file nasl_builtin_synscan.c.

291 {
292  struct list *ret;
293 
294  ret = get_packet (l, dport);
295  if (ret != NULL)
296  {
297 #ifdef SHOW_RETRIES
298  printf ("RETRIES FOR %d = %d\n", dport, ret->retries);
299 #endif
300  ret->retries++;
301  ret->when = ack;
302  return l;
303  }
304  ret = g_malloc0 (sizeof (struct list));
305 
306  ret->next = l;
307  ret->prev = NULL;
308  if (ret->next != NULL)
309  ret->next->prev = ret;
310 
311  ret->dport = dport;
312  ret->when = ack;
313  ret->retries = 0;
314  return ret;
315 }

References list::dport, get_packet(), list::next, list::prev, list::retries, and list::when.

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ compute_rtt()

unsigned long compute_rtt ( unsigned long  then)

Definition at line 132 of file nasl_builtin_synscan.c.

133 {
134  unsigned long now = maketime ();
135  unsigned long res;
136  unsigned long a, b;
137 
138  a = (unsigned long) ntohl (now);
139  b = (unsigned long) ntohl (then);
140 
141  if (b > a)
142  {
143  return 0;
144  }
145  res = a - b;
146  if (res >= (1 << 28))
147  res = 1 << 28;
148 
149  return htonl (res);
150 }

References maketime().

Referenced by sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extractack()

unsigned long extractack ( char *  pkt,
int  len,
int  family 
)

Definition at line 401 of file nasl_builtin_synscan.c.

402 {
403  unsigned long ret;
404  struct tcphdr *tcp;
405  if (family == AF_INET)
406  tcp = extracttcp (pkt, len);
407  else
408  tcp = v6_extracttcp (pkt);
409 
410  if (tcp == NULL)
411  return -1;
412 
413  ret = htonl (ntohl (tcp->th_ack) - 1);
414  return ret;
415 }

References extracttcp(), and v6_extracttcp().

Referenced by sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extractsport()

unsigned short extractsport ( char *  pkt,
int  len,
int  family 
)

Definition at line 418 of file nasl_builtin_synscan.c.

419 {
420  struct tcphdr *tcp;
421 
422  if (family == AF_INET)
423  tcp = extracttcp (pkt, len);
424  else
425  tcp = v6_extracttcp (pkt);
426 
427  if (tcp == NULL)
428  return 0;
429 
430  return ntohs (tcp->th_sport);
431 }

References extracttcp(), and v6_extracttcp().

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extracttcp()

struct tcphdr* extracttcp ( char *  pkt,
unsigned int  len 
)

Definition at line 379 of file nasl_builtin_synscan.c.

380 {
381  struct ip *ip;
382  struct tcphdr *tcp;
383 
384  ip = (struct ip *) pkt;
385  if (ip->ip_hl * 4 + sizeof (struct tcphdr) > len)
386  return NULL;
387 
388  tcp = (struct tcphdr *) (pkt + ip->ip_hl * 4);
389  return tcp;
390 }

Referenced by extractack(), extractsport(), and issynack().

Here is the caller graph for this function:

◆ get_packet()

struct list* get_packet ( struct list l,
unsigned short  dport 
)
Returns
First pointer to list in l with the given dport , NULL if no such list item could be found.

Definition at line 273 of file nasl_builtin_synscan.c.

274 {
275  while (l != NULL)
276  {
277  if (l->dport == dport)
278  return l;
279  else
280  l = l->next;
281  }
282  return NULL;
283 }

References list::dport, and list::next.

Referenced by add_packet(), and rm_packet().

Here is the caller graph for this function:

◆ in_cksum()

static int in_cksum ( u_short *  p,
int  n 
)
static

Definition at line 67 of file nasl_builtin_synscan.c.

68 {
69  register u_short answer;
70  register unsigned long sum = 0;
71  u_short odd_byte = 0;
72 
73  while (n > 1)
74  {
75  sum += *p++;
76  n -= 2;
77  }
78 
79  /* mop up an odd byte, if necessary */
80  if (n == 1)
81  {
82  *(u_char *) (&odd_byte) = *(u_char *) p;
83  sum += odd_byte;
84  }
85  sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
86  sum += (sum >> 16); /* add carry */
87  answer = (int) ~sum; /* ones-complement, truncate */
88  return answer;
89 }

Referenced by mktcp().

Here is the caller graph for this function:

◆ issynack()

int issynack ( char *  pkt,
int  len,
int  family 
)

Definition at line 434 of file nasl_builtin_synscan.c.

435 {
436  struct tcphdr *tcp;
437 
438  if (family == AF_INET)
439  tcp = extracttcp (pkt, len);
440  else
441  tcp = v6_extracttcp (pkt);
442 
443  if (tcp == NULL)
444  return 0;
445 
446  return tcp->th_flags == (TH_SYN | TH_ACK);
447 }

References extracttcp(), and v6_extracttcp().

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ maketime()

unsigned long maketime ( )

Definition at line 92 of file nasl_builtin_synscan.c.

93 {
94  struct timeval tv;
95  unsigned long ret;
96 
97  gettimeofday (&tv, NULL);
98 
99  ret = ((tv.tv_sec & 0x0000000F) << 28) | (((tv.tv_usec) & 0xFFFFFFF0) >> 4);
100 
101  return htonl (ret);
102 }

References timeval().

Referenced by compute_rtt(), packetdead(), sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ mktcp()

char* mktcp ( struct in_addr  src,
int  sport,
struct in_addr  dst,
int  dport,
unsigned long  th_ack,
unsigned char  flag 
)

Definition at line 450 of file nasl_builtin_synscan.c.

452 {
453  static char pkt[sizeof (struct ip) + sizeof (struct tcphdr)];
454  struct ip *ip;
455  struct tcphdr *tcp;
456  struct pseudohdr pseudohdr;
457  char tcpsumdata[sizeof (pseudohdr)];
458 
459  ip = (struct ip *) (&pkt);
460  ip->ip_hl = 5;
461  ip->ip_v = 4;
462  ip->ip_tos = 0;
463  ip->ip_len = sizeof (struct ip) + sizeof (struct tcphdr);
464  ip->ip_id = rand ();
465  ip->ip_off = 0;
466  ip->ip_ttl = 64;
467  ip->ip_p = IPPROTO_TCP;
468  ip->ip_sum = 0;
469  ip->ip_src.s_addr = src.s_addr;
470  ip->ip_dst.s_addr = dst.s_addr;
471  ip->ip_sum = in_cksum ((u_short *) pkt, sizeof (struct ip));
472 
473  tcp = (struct tcphdr *) (&(pkt[sizeof (struct ip)]));
474  tcp->th_sport = htons (sport);
475  tcp->th_dport = htons (dport);
476  tcp->th_seq = th_ack;
477  tcp->th_ack = 0;
478  tcp->th_x2 = 0;
479  tcp->th_off = 5;
480  tcp->th_flags = flag;
481  tcp->th_win = 4096;
482  tcp->th_sum = 0;
483  tcp->th_urp = 0;
484 
485  bzero (&pseudohdr, sizeof (pseudohdr));
486  pseudohdr.saddr.s_addr = src.s_addr;
487  pseudohdr.daddr.s_addr = dst.s_addr;
488  pseudohdr.protocol = IPPROTO_TCP;
489  pseudohdr.length = htons (sizeof (struct tcphdr));
490  bcopy ((char *) tcp, (char *) &pseudohdr.tcpheader, sizeof (struct tcphdr));
491  bcopy (&pseudohdr, tcpsumdata, sizeof (struct pseudohdr));
492  tcp->th_sum =
493  in_cksum ((unsigned short *) tcpsumdata, 12 + sizeof (struct tcphdr));
494 
495  return pkt;
496 }

References pseudohdr::daddr, in_cksum(), pseudohdr::length, pseudohdr::protocol, pseudohdr::saddr, and pseudohdr::tcpheader.

Referenced by sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ mktcpv6()

char* mktcpv6 ( int  sport,
int  dport,
unsigned long  th_ack,
unsigned char  flag 
)

Definition at line 499 of file nasl_builtin_synscan.c.

500 {
501  static char pkt[sizeof (struct tcphdr)];
502  struct tcphdr *tcp;
503 
504  tcp = (struct tcphdr *) (&(pkt[0]));
505  tcp->th_sport = htons (sport);
506  tcp->th_dport = htons (dport);
507  tcp->th_ack = htonl (rand ());
508  tcp->th_seq = th_ack;
509  tcp->th_off = 5;
510  tcp->th_flags = flag;
511  tcp->th_win = htons (5760);
512  tcp->th_urp = 0;
513  tcp->th_sum = 2;
514 
515  return pkt;
516 }

Referenced by v6_sendpacket().

Here is the caller graph for this function:

◆ openbpf()

int openbpf ( struct in_addr  dst,
struct in_addr *  src,
int  magic 
)

Opens a packet filter, grabs packets from dst to port magic.

Parameters
[out]srcin_addr of source.
[in]dstDestination.
[in]magicDestination port on src to listen to.
Returns
A bpf that listens to tcp packets coming from dst to port magic.

Definition at line 227 of file nasl_builtin_synscan.c.

228 {
229  char *iface;
230  char filter[255];
231  int bpf;
232 
233  iface = routethrough (&dst, src);
234  snprintf (filter, sizeof (filter), "tcp and src host %s and dst port %d",
235  inet_ntoa (dst), magic);
236  bpf = bpf_open_live (iface, filter);
237  return bpf;
238 }

References bpf_open_live(), and routethrough().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ packetdead()

int packetdead ( unsigned long  then)

Definition at line 153 of file nasl_builtin_synscan.c.

154 {
155  unsigned long now = maketime ();
156 
157  then = ntohl (then);
158  now = ntohl (now);
159 
160  if ((now - then) >= 2 << 28)
161  {
162  return 1;
163  }
164 
165  return 0;
166 }

References maketime().

Referenced by rm_dead_packets().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ plugin_run_synscan()

tree_cell* plugin_run_synscan ( lex_ctxt lexic)

Definition at line 782 of file nasl_builtin_synscan.c.

783 {
784  struct script_infos *env = lexic->script_infos;
785  unsigned long rtt;
786  struct in6_addr *dst6 = plug_get_host_ip (env);
787  struct in_addr *dst;
788  struct in_addr inaddr;
789 
790  inaddr.s_addr = dst6->s6_addr32[3];
791  dst = &inaddr;
792 
793  if (islocalhost (dst))
794  return NULL;
795 
796  rtt = htonl (1 << 28);
797 
798  const char *range = prefs_get ("port_range");
799  scan (env, (char *) range, dst6, rtt);
800  plug_set_key (env, "Host/scanned", ARG_INT, (void *) 1);
801  plug_set_key (env, "Host/scanners/synscan", ARG_INT, (void *) 1);
802  return NULL;
803 }

References ARG_INT, islocalhost(), plug_get_host_ip(), plug_set_key(), scan(), and struct_lex_ctxt::script_infos.

Here is the call graph for this function:

◆ rawsocket()

int rawsocket ( int  family)

Opens and returns a raw socket.

Definition at line 172 of file nasl_builtin_synscan.c.

173 {
174  int soc;
175  int opt = 1;
176  int offset = 8;
177 
178  if (family == AF_INET)
179  {
180  soc = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
181  if (soc < 0)
182  {
183  perror ("socket ");
184  printf ("error opeinig socket\n");
185  return -1;
186  }
187  if (setsockopt (soc, IPPROTO_IP, IP_HDRINCL, /*(char *) */ &opt,
188  sizeof (opt))
189  < 0)
190  {
191  perror ("setsockopt ");
192  printf ("error setting socket opt\n");
193  close (soc);
194  return -1;
195  }
196  }
197  else
198  {
199  soc = socket (AF_INET6, SOCK_RAW, IPPROTO_TCP);
200  if (soc < 0
201  || setsockopt (soc, IPPROTO_IPV6, IPV6_CHECKSUM, &offset,
202  sizeof (offset))
203  < 0)
204  {
205  perror ("socket ");
206  printf ("error opening socket\n");
207  if (soc >= 0)
208  close (soc);
209  return -1;
210  }
211  }
212 
213  return soc;
214 }

Referenced by scan().

Here is the caller graph for this function:

◆ rm_dead_packets()

struct list* rm_dead_packets ( struct list l,
int *  retry 
)

Definition at line 338 of file nasl_builtin_synscan.c.

339 {
340  struct list *ret = l;
341  struct list *p = l;
342 
343  *retry = 0;
344  while (p != NULL)
345  {
346  struct list *next = p->next;
347  if (packetdead (p->when))
348  {
349  if (p->retries < NUM_RETRIES)
350  {
351 #ifdef SHOW_RETRIES
352  printf ("Will retry port %d\n", p->dport);
353 #endif
354  *retry = p->dport;
355  }
356  else
357  {
358 #ifdef SHOW_RTT_REMOVAL
359  printf ("Removing port %d (RTT elapsed)\n", p->dport);
360 #endif
361  if (p->next != NULL)
362  p->next->prev = p->prev;
363 
364  if (p->prev != NULL)
365  p->prev->next = p->next;
366  else
367  ret = p->next;
368  g_free (p);
369  }
370  }
371  p = next;
372  }
373  return ret;
374 }

References list::dport, list::next, NUM_RETRIES, packetdead(), list::prev, list::retries, and list::when.

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ rm_packet()

struct list* rm_packet ( struct list l,
unsigned short  dport 
)

Definition at line 318 of file nasl_builtin_synscan.c.

319 {
320  struct list *ret = l;
321  struct list *p = get_packet (l, dport);
322 
323  if (p == NULL)
324  return l;
325  if (p->next != NULL)
326  p->next->prev = p->prev;
327 
328  if (p->prev != NULL)
329  p->prev->next = p->next;
330  else
331  ret = p->next;
332 
333  g_free (p);
334  return ret;
335 }

References list::dport, get_packet(), list::next, and list::prev.

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ scan()

int scan ( struct script_infos env,
char *  portrange,
struct in6_addr *  dst6,
unsigned long  rtt 
)
Returns
-1 if the socket could not be opened (error), 0 otherwise.

This will send packets to ports not in ports list, will it?

Todo:
How to do this for ipv6? This causes much scan delay for IPv6.

Definition at line 680 of file nasl_builtin_synscan.c.

682 {
683  int num;
684  int soc;
685  int bpf;
686  struct in_addr src;
687  struct in_addr dst;
688  struct in6_addr src6;
689  int magic = 4441 + (rand () % 1200);
690  int skip;
691  int i;
692  struct list *packets = NULL;
693  int retry;
694  unsigned short *ports;
695  int family;
696 
697  dst.s_addr = 0;
698 
699  if (IN6_IS_ADDR_V4MAPPED (dst6))
700  {
701  family = AF_INET;
702  dst.s_addr = dst6->s6_addr32[3];
703  soc = rawsocket (AF_INET);
704  }
705  else
706  {
707  family = AF_INET6;
708  soc = rawsocket (AF_INET6);
709  }
710 
711  ports = (unsigned short *) getpts (portrange, &num);
712 
713  if (soc < 0)
714  {
715  printf ("error opening raw socket\n");
716  return -1;
717  }
718 
719  if (family == AF_INET)
720  bpf = openbpf (dst, &src, magic);
721  else
722  bpf = v6_openbpf (dst6, &src6, magic);
723  if (bpf < 0)
724  {
725  close (soc);
726  return -1;
727  }
728  skip = get_datalink_size (bpf_datalink (bpf));
729 
731  for (i = 0; i < num; i += 2)
732  {
733  if (family == AF_INET)
734  packets = sendpacket (soc, bpf, skip, dst, src, ports[i], magic,
735  packets, &rtt, 0, env);
736  else
737  packets = v6_sendpacket (soc, bpf, skip, dst6, ports[i], magic, packets,
738  &rtt, 0, env);
739  if (i + 1 < num)
740  {
741  g_debug ("=====>> Sniffing %u\n", ports[i + 1]);
742  if (family == AF_INET)
743  packets = sendpacket (soc, bpf, skip, dst, src, ports[i + 1], magic,
744  packets, &rtt, 1, env);
745  else
746  packets = v6_sendpacket (soc, bpf, skip, dst6, ports[i + 1], magic,
747  packets, &rtt, 1, env);
748  }
749  }
750 
752  if (family == AF_INET)
753  {
754  while (packets != NULL)
755  {
756  i = 0;
757  retry = 0;
758  packets = rm_dead_packets (packets, &retry);
759  while (retry != 0 && i < 2)
760  {
761  packets = sendpacket (soc, bpf, skip, dst, src, retry, magic,
762  packets, &rtt, 0, env);
763  packets = rm_dead_packets (packets, &retry);
764  i++;
765  }
766  packets = sendpacket (soc, bpf, skip, dst, src, retry, magic, packets,
767  &rtt, 1, env);
768  }
769  }
770 
771  close (soc);
772  bpf_close (bpf);
773  if (ports != NULL)
774  g_free (ports);
775  if (num >= 65535)
776  plug_set_key (env, "Host/full_scan", ARG_INT, (void *) 1);
777 
778  return 0;
779 }

References ARG_INT, bpf_close(), bpf_datalink(), get_datalink_size(), getpts(), openbpf(), plug_set_key(), rawsocket(), rm_dead_packets(), sendpacket(), v6_openbpf(), and v6_sendpacket().

Referenced by plugin_run_synscan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ sendpacket()

struct list* sendpacket ( int  soc,
int  bpf,
int  skip,
struct in_addr  dst,
struct in_addr  src,
int  dport,
int  magic,
struct list packets,
unsigned long *  rtt,
int  sniff,
struct script_infos env 
)
Parameters
sniffIf != 0, "sniff" (listen to incoming packages), else just add packet.

Definition at line 524 of file nasl_builtin_synscan.c.

527 {
528  unsigned long ack = maketime ();
529  char *pkt = mktcp (src, magic, dst, dport, ack, TH_SYN);
530  int len;
531  char *res;
532  struct sockaddr_in soca;
533  struct timeval rtt_tv = timeval (*rtt);
534  int family = AF_INET;
535 
536  bzero (&soca, sizeof (soca));
537  soca.sin_family = AF_INET;
538  soca.sin_addr = dst;
539 
540  rtt_tv.tv_sec *= 1000;
541  rtt_tv.tv_sec /= 8;
542 
543  rtt_tv.tv_usec += (rtt_tv.tv_sec % 1000) * 1000;
544  rtt_tv.tv_sec /= 1000;
545  if (rtt_tv.tv_sec >= 1)
546  {
547  rtt_tv.tv_sec = 1;
548  rtt_tv.tv_usec = 0;
549  }
550 
551  if (dport != 0)
552  {
553  int e;
554  packets = add_packet (packets, dport, ack);
555  e = sendto (soc, pkt, sizeof (struct ip) + sizeof (struct tcphdr), 0,
556  (struct sockaddr *) &soca, sizeof (soca));
557  if (e < 0)
558  {
559  perror ("sendto ");
560  close (soc);
561  bpf_close (bpf);
562  return NULL;
563  }
564  }
565  if (sniff != 0)
566  {
567  again:
568  res = (char *) bpf_next_tv (bpf, &len, &rtt_tv);
569  if (res != NULL)
570  {
571  unsigned short sport = extractsport (res + skip, len, family);
572  int synack = issynack (res + skip, len, family);
573  unsigned int rack = extractack (res + skip, len, family);
574  if (synack)
575  {
576  char *rst;
577  scanner_add_port (env, sport, "tcp");
578  /* Send a RST to make sure the connection is closed on the remote
579  * side */
580  rst = mktcp (src, magic, dst, sport, ack + 1, TH_RST);
581  if (sendto (soc, rst, sizeof (struct ip) + sizeof (struct tcphdr),
582  0, (struct sockaddr *) &soca, sizeof (soca))
583  < 0)
584  {
585  perror ("sendto ");
586  close (soc);
587  bpf_close (bpf);
588  return NULL;
589  }
590 
591  /* Adjust the rtt */
592  *rtt = compute_rtt (rack);
593  if (ntohl (*rtt) >= (1 << 28))
594  *rtt = 1 << 28;
595  }
596  packets = rm_packet (packets, sport);
597  rtt_tv.tv_sec = 0;
598  rtt_tv.tv_usec = 0;
599  goto again;
600  }
601  }
602  return packets;
603 }

References add_packet(), bpf_close(), bpf_next_tv(), compute_rtt(), list::dport, extractack(), extractsport(), issynack(), maketime(), mktcp(), rm_packet(), scanner_add_port(), and timeval().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ timeval()

struct timeval timeval ( unsigned long  val)

Definition at line 105 of file nasl_builtin_synscan.c.

106 {
107  struct timeval ret;
108  unsigned int h, l;
109 
110  val = ntohl (val);
111 
112  h = (val & 0xF0000000) >> 28;
113  l = (val & 0x0FFFFFFF) << 4;
114 
115  ret.tv_sec = h;
116  ret.tv_usec = l;
117  while (ret.tv_usec >= 1000000)
118  {
119  ret.tv_usec -= 1000000;
120  ret.tv_sec++;
121  }
122 
123  if (ret.tv_sec > 2)
124  {
125  ret.tv_sec = 2;
126  ret.tv_usec = 0;
127  }
128  return ret;
129 }

References val.

Referenced by attack_network(), attack_start(), banner_grab(), bpf_next(), bpf_next_tv(), calculate_eta(), capture_next_packet(), capture_next_v6_packet(), do_reseed_ntlmssp(), maketime(), nasl_gettimeofday(), nasl_open_privileged_socket(), nasl_pcap_next(), nasl_recv(), nasl_send_capture(), nasl_tcp_ping(), nasl_tcp_v6_ping(), nsend(), open_socket(), open_SSL_connection(), plugin_do_run(), plugins_reload_from_dir(), read_stream_connection_unbuffered(), sendpacket(), update_running_processes(), v6_sendpacket(), wait_before_next_probe(), and write_stream_connection4().

Here is the caller graph for this function:

◆ v6_extracttcp()

struct tcphdr* v6_extracttcp ( char *  pkt)

Definition at line 393 of file nasl_builtin_synscan.c.

394 {
395  struct tcphdr *tcp;
396  tcp = (struct tcphdr *) (pkt + 40);
397  return tcp;
398 }

Referenced by extractack(), extractsport(), and issynack().

Here is the caller graph for this function:

◆ v6_openbpf()

int v6_openbpf ( struct in6_addr *  dst,
struct in6_addr *  src,
int  magic 
)

Definition at line 241 of file nasl_builtin_synscan.c.

242 {
243  char *iface;
244  char filter[255];
245  char hostname[INET6_ADDRSTRLEN];
246  int bpf;
247 
248  iface = v6_routethrough (dst, src);
249 
250  snprintf (filter, sizeof (filter), "tcp and src host %s and dst port %d",
251  inet_ntop (AF_INET6, dst, hostname, sizeof (hostname)), magic);
252  bpf = bpf_open_live (iface, filter);
253  if (bpf < 0)
254  printf ("bpf_open_live returned error\n");
255  return bpf;
256 }

References bpf_open_live(), hostname, and v6_routethrough().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ v6_sendpacket()

struct list* v6_sendpacket ( int  soc,
int  bpf,
int  skip,
struct in6_addr *  dst,
int  dport,
int  magic,
struct list packets,
unsigned long *  rtt,
int  sniff,
struct script_infos env 
)

Definition at line 606 of file nasl_builtin_synscan.c.

609 {
610  unsigned long ack = maketime ();
611  char *pkt = mktcpv6 (magic, dport, ack, TH_SYN);
612  int len;
613  char *res;
614  struct sockaddr_in6 soca;
615  struct timeval rtt_tv = timeval (*rtt);
616 
617  bzero (&soca, sizeof (soca));
618  soca.sin6_family = AF_INET6;
619  memcpy (&soca.sin6_addr, dst, sizeof (struct in6_addr));
620  rtt_tv.tv_sec *= 1000;
621  rtt_tv.tv_sec /= 8;
622 
623  rtt_tv.tv_usec += (rtt_tv.tv_sec % 1000) * 1000;
624  rtt_tv.tv_sec /= 1000;
625  if (rtt_tv.tv_sec >= 1)
626  {
627  rtt_tv.tv_sec = 1;
628  rtt_tv.tv_usec = 0;
629  }
630 
631  if (dport != 0)
632  {
633  int e;
634  packets = add_packet (packets, dport, ack);
635  e = sendto (soc, pkt, sizeof (struct tcphdr), 0,
636  (struct sockaddr *) &soca, sizeof (soca));
637  if (e < 0)
638  {
639  g_message ("sendto error in v6_sendpacket");
640  perror ("sendto ");
641  close (soc);
642  bpf_close (bpf);
643  return NULL;
644  }
645  }
646  if (sniff != 0)
647  {
648  res = (char *) bpf_next (bpf, &len);
649  if (res != NULL)
650  {
651  unsigned short sport = extractsport (res + skip, len, AF_INET6);
652  int synack = issynack (res + skip, len, AF_INET6);
653  if (synack)
654  {
655  char *rst;
656  scanner_add_port (env, sport, "tcp");
657  /* Send a RST to make sure the connection is closed on the remote
658  * side */
659  rst = mktcpv6 (magic, sport, ack + 1, TH_RST);
660  if (sendto (soc, rst, sizeof (struct tcphdr), 0,
661  (struct sockaddr *) &soca, sizeof (soca))
662  < 0)
663  {
664  perror ("sendto ");
665  close (soc);
666  bpf_close (bpf);
667  return NULL;
668  }
669  }
670  packets = rm_packet (packets, sport);
671  }
672  }
673  return packets;
674 }

References add_packet(), bpf_close(), bpf_next(), list::dport, extractsport(), issynack(), maketime(), mktcpv6(), rm_packet(), scanner_add_port(), and timeval().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:
rawsocket
int rawsocket(int family)
Opens and returns a raw socket.
Definition: nasl_builtin_synscan.c:172
pseudohdr::saddr
struct in_addr saddr
Definition: nasl_builtin_synscan.c:58
get_packet
struct list * get_packet(struct list *l, unsigned short dport)
Definition: nasl_builtin_synscan.c:273
script_infos
Definition: scanneraux.h:43
plug_get_host_ip
struct in6_addr * plug_get_host_ip(struct script_infos *args)
Definition: plugutils.c:285
pseudohdr::tcpheader
struct tcphdr tcpheader
Definition: nasl_builtin_synscan.c:63
bpf_open_live
int bpf_open_live(char *iface, char *filter)
Definition: bpf_share.c:52
extractsport
unsigned short extractsport(char *pkt, int len, int family)
Definition: nasl_builtin_synscan.c:418
maketime
unsigned long maketime()
Definition: nasl_builtin_synscan.c:92
timeval
struct timeval timeval(unsigned long val)
Definition: nasl_builtin_synscan.c:105
v6_routethrough
char * v6_routethrough(struct in6_addr *dest, struct in6_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:789
rm_packet
struct list * rm_packet(struct list *l, unsigned short dport)
Definition: nasl_builtin_synscan.c:318
openbpf
int openbpf(struct in_addr dst, struct in_addr *src, int magic)
Opens a packet filter, grabs packets from dst to port magic.
Definition: nasl_builtin_synscan.c:227
extracttcp
struct tcphdr * extracttcp(char *pkt, unsigned int len)
Definition: nasl_builtin_synscan.c:379
pseudohdr::daddr
struct in_addr daddr
Definition: nasl_builtin_synscan.c:59
bpf_close
void bpf_close(int bpf)
Definition: bpf_share.c:157
scan
int scan(struct script_infos *env, char *portrange, struct in6_addr *dst6, unsigned long rtt)
Definition: nasl_builtin_synscan.c:680
add_packet
struct list * add_packet(struct list *l, unsigned short dport, unsigned long ack)
If no packet with dport is in list, prepends a "packet" to the.
Definition: nasl_builtin_synscan.c:290
v6_sendpacket
struct list * v6_sendpacket(int soc, int bpf, int skip, struct in6_addr *dst, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct script_infos *env)
Definition: nasl_builtin_synscan.c:606
mktcpv6
char * mktcpv6(int sport, int dport, unsigned long th_ack, unsigned char flag)
Definition: nasl_builtin_synscan.c:499
NUM_RETRIES
#define NUM_RETRIES
Definition: nasl_builtin_synscan.c:48
pseudohdr::protocol
u_char protocol
Definition: nasl_builtin_synscan.c:61
getpts
unsigned short * getpts(char *origexpr, int *len)
Converts a string like "-100,200-1024,3000-4000,60000-" into an array.
Definition: network.c:2103
compute_rtt
unsigned long compute_rtt(unsigned long then)
Definition: nasl_builtin_synscan.c:132
list::dport
unsigned short dport
Definition: nasl_builtin_synscan.c:261
bpf_next_tv
u_char * bpf_next_tv(int bpf, int *caplen, struct timeval *tv)
Definition: bpf_share.c:112
issynack
int issynack(char *pkt, int len, int family)
Definition: nasl_builtin_synscan.c:434
pseudohdr::length
u_short length
Definition: nasl_builtin_synscan.c:62
islocalhost
int islocalhost(struct in_addr *addr)
Tests whether a packet sent to IP is LIKELY to route through the kernel localhost interface.
Definition: pcap.c:268
scanner_add_port
void scanner_add_port(struct script_infos *args, int port, char *proto)
Definition: plugutils.c:652
bpf_datalink
int bpf_datalink(int bpf)
Definition: bpf_share.c:151
mktcp
char * mktcp(struct in_addr src, int sport, struct in_addr dst, int dport, unsigned long th_ack, unsigned char flag)
Definition: nasl_builtin_synscan.c:450
struct_lex_ctxt::script_infos
struct script_infos * script_infos
Definition: nasl_lex_ctxt.h:41
pseudohdr
Definition: nasl_builtin_synscan.c:56
get_datalink_size
int get_datalink_size(int datalink)
Definition: pcap.c:295
v6_openbpf
int v6_openbpf(struct in6_addr *dst, struct in6_addr *src, int magic)
Definition: nasl_builtin_synscan.c:241
ARG_INT
#define ARG_INT
Definition: plugutils.h:34
v6_extracttcp
struct tcphdr * v6_extracttcp(char *pkt)
Definition: nasl_builtin_synscan.c:393
extractack
unsigned long extractack(char *pkt, int len, int family)
Definition: nasl_builtin_synscan.c:401
list::prev
struct list * prev
Definition: nasl_builtin_synscan.c:264
in_cksum
static int in_cksum(u_short *p, int n)
Definition: nasl_builtin_synscan.c:67
list::retries
int retries
Definition: nasl_builtin_synscan.c:263
hostname
const char * hostname
Definition: pluginlaunch.c:76
rm_dead_packets
struct list * rm_dead_packets(struct list *l, int *retry)
Definition: nasl_builtin_synscan.c:338
val
const char * val
Definition: nasl_init.c:378
list::when
unsigned long when
Definition: nasl_builtin_synscan.c:262
packetdead
int packetdead(unsigned long then)
Definition: nasl_builtin_synscan.c:153
bpf_next
u_char * bpf_next(int bpf, int *caplen)
Definition: bpf_share.c:143
plug_set_key
void plug_set_key(struct script_infos *args, char *name, int type, const void *value)
Definition: plugutils.c:616
list::next
struct list * next
Definition: nasl_builtin_synscan.c:265
routethrough
char * routethrough(struct in_addr *dest, struct in_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:975
list
Definition: nasl_builtin_synscan.c:259
sendpacket
struct list * sendpacket(int soc, int bpf, int skip, struct in_addr dst, struct in_addr src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct script_infos *env)
Definition: nasl_builtin_synscan.c:524