"Fossies" - the Fresh Open Source Software Archive 
Member "scanssh-2.1/scanssh.c" (21 Nov 2004, 31480 Bytes) of package /linux/privat/old/scanssh-2.1.tar.gz:
As a special service "Fossies" has tried to format the requested source page into HTML format using (guessed) C and C++ source code syntax highlighting (style:
standard) with prefixed line numbers and
code folding option.
Alternatively you can here
view or
download the uninterpreted source code file.
1 /*
2 * ScanSSH - simple SSH version scanner
3 *
4 * Copyright 2000-2004 (c) Niels Provos <provos@citi.umich.edu>
5 * All rights reserved.
6 *
7 * Redistribution and use in source and binary forms, with or without
8 * modification, are permitted provided that the following conditions
9 * are met:
10 * 1. Redistributions of source code must retain the above copyright
11 * notice, this list of conditions and the following disclaimer.
12 * 2. Redistributions in binary form must reproduce the above copyright
13 * notice, this list of conditions and the following disclaimer in the
14 * documentation and/or other materials provided with the distribution.
15 * 3. The name of the author may not be used to endorse or promote products
16 * derived from this software without specific prior written permission.
17 *
18 * THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
19 * IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
20 * OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
21 * IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
22 * INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
23 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
24 * DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
25 * THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
26 * (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
27 * THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
28 */
29
30 #include <sys/types.h>
31
32 #ifdef HAVE_CONFIG_H
33 #include "config.h"
34 #endif
35
36 #include <sys/socket.h>
37 #include <sys/wait.h>
38 #include <sys/time.h>
39 #include <sys/resource.h>
40 #include <sys/queue.h>
41 #include <sys/tree.h>
42
43 #include <netinet/in.h>
44 #include <arpa/inet.h>
45
46 #include <stdio.h>
47 #include <stdlib.h>
48 #include <string.h>
49 #include <signal.h>
50 #include <errno.h>
51 #include <err.h>
52 #include <fcntl.h>
53 #include <netdb.h>
54 #include <pcap.h>
55 #include <unistd.h>
56 #include <md5.h>
57 #include <stdarg.h>
58 #include <assert.h>
59
60 #include <event.h>
61 #include <dnet.h>
62
63 #include "scanssh.h"
64 #include "exclude.h"
65 #include "xmalloc.h"
66 #include "interface.h"
67
68 #ifndef howmany
69 #define howmany(x,y) (((x) + ((y) - 1)) / (y))
70 #endif
71
72 #ifdef DEBUG
73 int debug = 0;
74 #define DFPRINTF(x) if (debug) fprintf x
75 #define DNFPRINTF(y, x) if (debug >= y) fprintf x
76 #else
77 #define DFPRINTF(x)
78 #define DNFPRINTF(y, x)
79 #endif
80
81 struct address_node {
82 TAILQ_ENTRY (address_node) an_next;
83
84 struct addr an_start;
85 struct addr an_end;
86 int an_bits;
87 };
88
89 struct generate {
90 TAILQ_ENTRY (generate) gen_next;
91
92 TAILQ_HEAD (an_list, address_node) gen_anqueue;
93
94 int gen_flags;
95
96 uint32_t gen_seed; /* Seed for PRNG */
97
98 uint32_t gen_bits;
99 uint32_t gen_start;
100 uint32_t gen_iterate;
101 uint32_t gen_end;
102 uint32_t gen_current;
103 uint32_t gen_n; /* successful generations */
104 uint32_t gen_max;
105
106
107 struct port *gen_ports;
108 int gen_nports;
109 };
110
111 int populate(struct argument **, int *);
112 int next_address(struct generate *, struct addr *);
113
114 /* Globals */
115 struct interface *ss_inter;
116 rand_t *ss_rand;
117 ip_t *ss_ip;
118
119 /* SOCKS servers via which we can scan */
120 struct socksq socks_host;
121
122 struct scanner **ss_scanners = NULL;
123 int ss_nscanners = 0;
124
125 struct argument *args; /* global list of addresses */
126 int entries; /* number of remaining addresses */
127
128 int ssh_sendident; /* should we send ident to ssh server? */
129
130 struct port *ss_ports = NULL; /* global list of ports to be scanned */
131 int ss_nports = 0;
132
133 int ss_nhosts = 0; /* Number of addresses generated */
134
135 pcap_t *pd;
136 int rndexclude = 1;
137 struct timeval syn_start;
138 int syn_rate = 100;
139 int syn_nsent = 0;
140
141 int max_scanqueue_size = MAXSCANQUEUESZ;
142
143 struct address_slot slots[MAXSLOTS];
144
145 #define MAX_PROCESSES 30
146
147 int commands[MAX_PROCESSES];
148 int results[MAX_PROCESSES];
149
150 TAILQ_HEAD (gen_list, generate) genqueue;
151 struct queue_list readyqueue;
152
153 /* Structure for probes */
154 static SPLAY_HEAD(syntree, argument) synqueue;
155
156 int
157 argumentcompare(struct argument *a, struct argument *b)
158 {
159 return (addr_cmp(&a->addr, &b->addr));
160 }
161
162 SPLAY_PROTOTYPE(syntree, argument, a_node, argumentcompare);
163 SPLAY_GENERATE(syntree, argument, a_node, argumentcompare);
164
165 #define synlist_empty() (synqueuesz == 0)
166
167 int synqueuesz;
168
169 struct address_slot *
170 slot_get(void)
171 {
172 int i;
173 struct address_slot *slot;
174
175 for (i = 0; i < MAXSLOTS; i++)
176 if (slots[i].slot_base == NULL)
177 break;
178
179 if (i >= MAXSLOTS)
180 return (NULL);
181
182 slot = &slots[i];
183
184 if (slot->slot_base == NULL) {
185 slot->slot_size = EXPANDEDARGS;
186 slot->slot_base = xmalloc(EXPANDEDARGS * sizeof(struct argument));
187 memset(slot->slot_base, 0,
188 slot->slot_size * sizeof(struct argument));
189 }
190
191 return (slot);
192 }
193
194 /* We need to call this to free up our memory */
195
196 void
197 slot_free(struct address_slot *slot)
198 {
199 slot->slot_ref--;
200 if (slot->slot_ref)
201 return;
202
203 slot->slot_size = 0;
204 free(slot->slot_base);
205 slot->slot_base = NULL;
206 }
207
208 void
209 argument_free(struct argument *arg)
210 {
211 if (arg->a_ports != NULL && arg->a_hasports) {
212 int i;
213
214 for (i = 0; i < arg->a_nports; i++) {
215 struct port_scan *ps = arg->a_ports[i].scan;
216 if (ps != NULL) {
217 event_del(&ps->ev);
218 free(ps);
219 }
220 }
221 free(arg->a_ports);
222 arg->a_ports = NULL;
223 }
224
225 if (arg->a_res != NULL) {
226 free(arg->a_res);
227 arg->a_res = NULL;
228 }
229
230 slot_free(arg->a_slot);
231 }
232
233 void
234 synlist_init(void)
235 {
236 SPLAY_INIT(&synqueue);
237 synqueuesz = 0;
238 }
239
240 /* Inserts an address into the syn tree and schedules a retransmit */
241
242 int
243 synlist_insert(struct argument *arg)
244 {
245 struct timeval tv;
246
247 timerclear(&tv);
248 tv.tv_sec = (arg->a_retry/2 + 1) * SYNWAIT;
249 tv.tv_usec = rand_uint32(ss_rand) % 1000000L;
250
251 evtimer_add(&arg->ev, &tv);
252
253 /* Insert the node into our tree */
254 assert(SPLAY_FIND(syntree, &synqueue, arg) == NULL);
255 SPLAY_INSERT(syntree, &synqueue, arg);
256
257 synqueuesz++;
258
259 return (0);
260 }
261
262 void
263 synlist_remove(struct argument *arg)
264 {
265 SPLAY_REMOVE(syntree, &synqueue, arg);
266 evtimer_del(&arg->ev);
267 synqueuesz--;
268 }
269
270 int
271 synlist_probe(struct argument *arg, uint16_t port)
272 {
273 return (synprobe_send(&ss_inter->if_ent.intf_addr,
274 &arg->addr, port, &arg->a_seqnr));
275 }
276
277 int
278 synprobe_send(struct addr *src, struct addr *dst,
279 uint16_t port, uint32_t *seqnr)
280 {
281 static uint8_t pkt[1500];
282 struct tcp_hdr *tcp;
283 uint iplen;
284 int res;
285
286 DFPRINTF((stderr, "Sending probe to %s:%d\n", addr_ntoa(dst), port));
287
288 tcp = (struct tcp_hdr *)(pkt + IP_HDR_LEN);
289 tcp_pack_hdr(tcp, rand_uint16(ss_rand), port,
290 *seqnr, 0,
291 TH_SYN, 0x8000, 0);
292
293 iplen = IP_HDR_LEN + (tcp->th_off << 2);
294
295 /* Src and Dst are reversed both for ip and tcp */
296 ip_pack_hdr(pkt, 0, iplen,
297 rand_uint16(ss_rand),
298 IP_DF, 64,
299 IP_PROTO_TCP, src->addr_ip, dst->addr_ip);
300
301 ip_checksum(pkt, iplen);
302
303 if ((res = ip_send(ss_ip, pkt, iplen)) != iplen) {
304 warn("%s: ip_send(%d): %s", __func__, res, addr_ntoa(dst));
305 return (-1);
306 }
307
308 return (0);
309 }
310
311 void
312 sigchld_handler(int sig)
313 {
314 int save_errno = errno;
315 int status;
316 wait(&status);
317 signal(SIGCHLD, sigchld_handler);
318 errno = save_errno;
319 }
320
321 void
322 printres(struct argument *exp, uint16_t port, char *result)
323 {
324 fprintf(stdout, "%s:%d %s\n",
325 addr_ntoa(&exp->addr), port, result);
326 fflush(stdout);
327 }
328
329 void
330 postres(struct argument *arg, const char *fmt, ...)
331 {
332 static char buffer[1024];
333 va_list ap;
334
335 va_start(ap, fmt);
336 vsnprintf(buffer, sizeof(buffer), fmt, ap);
337 va_end(ap);
338
339 if (arg->a_res != NULL)
340 free(arg->a_res);
341 if ((arg->a_res = strdup(buffer)) == NULL)
342 err(1, "%s: strdup", __func__);
343 }
344
345 /*
346 * Called when a syn probe times out and we might have to repeat it
347 */
348
349 void
350 ss_timeout(int fd, short what, void *parameter)
351 {
352 struct argument *arg = parameter;
353 struct timeval tv;
354
355 if (arg->a_retry < SYNRETRIES) {
356 arg->a_retry++;
357 /*
358 * If this probe fails we are not reducing the retry counter,
359 * as some of the failures might repeat always, like a host
360 * on the local network not being reachable or some unrouteable
361 * address space.
362 */
363 if (synlist_probe(arg, arg->a_ports[0].port) == 0)
364 syn_nsent++;
365 } else {
366 printres(arg, arg->a_ports[0].port, "<timeout>");
367 synlist_remove(arg);
368 argument_free(arg);
369 return;
370 }
371
372 timerclear(&tv);
373 tv.tv_sec = (arg->a_retry/2 + 1) * SYNWAIT;
374 tv.tv_usec = rand_uint32(ss_rand) % 1000000L;
375
376 evtimer_add(&arg->ev, &tv);
377 }
378
379 void
380 ss_recv_cb(uint8_t *ag, const struct pcap_pkthdr *pkthdr, const uint8_t *pkt)
381 {
382 struct interface *inter = (struct interface *)ag;
383 struct ip_hdr *ip;
384 struct tcp_hdr *tcp = NULL;
385 struct addr addr;
386 struct argument *arg, tmp;
387 ushort iplen, iphlen;
388
389 /* Everything below assumes that the packet is IPv4 */
390 if (pkthdr->caplen < inter->if_dloff + IP_HDR_LEN)
391 return;
392
393 pkt += inter->if_dloff;
394 ip = (struct ip_hdr *)pkt;
395
396 iplen = ntohs(ip->ip_len);
397 if (pkthdr->caplen - inter->if_dloff < iplen)
398 return;
399
400 iphlen = ip->ip_hl << 2;
401 if (iphlen > iplen)
402 return;
403 if (iphlen < sizeof(struct ip_hdr))
404 return;
405
406 addr_pack(&addr, ADDR_TYPE_IP, IP_ADDR_BITS, &ip->ip_src, IP_ADDR_LEN);
407
408 if (iplen < iphlen + TCP_HDR_LEN)
409 return;
410
411 tcp = (struct tcp_hdr *)(pkt + iphlen);
412
413 /* See if we get results from our syn probe */
414 tmp.addr = addr;
415 if ((arg = SPLAY_FIND(syntree, &synqueue, &tmp)) != NULL) {
416 struct port *port;
417 /* Check if the result is coming from the right port */
418 port = ports_find(arg, ntohs(tcp->th_sport));
419 if (port == NULL)
420 return;
421
422 if (!arg->a_hasports)
423 ports_setup(arg, arg->a_ports, arg->a_nports);
424
425 if (tcp->th_flags & TH_RST) {
426 printres(arg, port->port, "<refused>");
427 ports_remove(arg, port->port);
428 if (arg->a_nports == 0) {
429 synlist_remove(arg);
430 argument_free(arg);
431 return;
432 }
433 } else {
434 ports_markchecked(arg, port);
435 }
436
437 if (ports_isalive(arg) == 1) {
438 synlist_remove(arg);
439 scanhost_ready(arg);
440 }
441 }
442 }
443
444 void
445 scanssh_init(void)
446 {
447 TAILQ_INIT(&readyqueue);
448 synlist_init();
449 }
450
451 void
452 usage(char *name)
453 {
454 fprintf(stderr,
455 "%s: [-VIERhp] [-s scanners] [-n ports] [-e excludefile] [-i if] [-b alias] <IP address|network>...\n\n"
456 "\t-V print version number of scanssh,\n"
457 "\t-I do not send identification string,\n"
458 "\t-E exit if exclude file is missing,\n"
459 "\t-R do not honor exclude file for random addresses,\n"
460 "\t-p proxy detection mode; set scanners and ports,\n"
461 "\t-n <port> the port number to scan.\n"
462 "\t-e <file> exclude the IP addresses and networks in <file>,\n"
463 "\t-b <alias> specifies the IP alias to connect from,\n"
464 "\t-i <if> specifies the local interface,\n"
465 "\t-h this message.\n"
466 "\t-s <modes> uses the following modules for scanning:\n",
467 name);
468 scanner_print("\t\t");
469 }
470
471 void
472 generate_free(struct generate *gen)
473 {
474 struct address_node *node;
475
476 /* Remove generator and attached addr nodes */
477 for (node = TAILQ_FIRST(&gen->gen_anqueue);
478 node;
479 node = TAILQ_FIRST(&gen->gen_anqueue)) {
480 TAILQ_REMOVE(&gen->gen_anqueue, node, an_next);
481 xfree(node);
482 }
483
484 TAILQ_REMOVE(&genqueue, gen, gen_next);
485 xfree(gen);
486 }
487
488 /*
489 * Given an IP prefix and mask create all addresses contained
490 * excluding any addresses specified in the exclude queues.
491 */
492
493 int
494 populate(struct argument **pargs, int *nargs)
495 {
496 struct generate *gen;
497 struct addr addr;
498 struct address_slot *slot = NULL;
499 struct argument *args;
500 int count;
501
502 uint32_t i = 0;
503
504 if (!TAILQ_FIRST(&genqueue))
505 return (-1);
506
507 if ((slot = slot_get()) == NULL)
508 return (-1);
509
510 args = slot->slot_base;
511 count = slot->slot_size;
512
513 while (TAILQ_FIRST(&genqueue) && count) {
514 struct port *ports;
515 int nports;
516
517 gen = TAILQ_FIRST(&genqueue);
518 ports = gen->gen_ports;
519 nports = gen->gen_nports;
520
521
522 /* Initalize generator */
523 if (!gen->gen_current) {
524 if (gen->gen_flags & FLAGS_USERANDOM)
525 rndsboxinit(gen->gen_seed);
526
527 gen->gen_current = gen->gen_start;
528 }
529
530 while (count) {
531 if (next_address(gen, &addr) == -1) {
532 generate_free(gen);
533 break;
534 }
535
536 DFPRINTF((stderr, "New address: %s\n",
537 addr_ntoa(&addr)));
538
539 /* Set up a new address for scanning */
540 memset(&args[i], 0, sizeof(struct argument));
541 args[i].addr = addr;
542 args[i].a_slot = slot;
543 args[i].a_scanner = ss_scanners[0];
544 args[i].a_scanneroff = 0;
545 args[i].a_seqnr = rand_uint32(ss_rand);
546
547 /*
548 * If we have a local port range from the generator
549 * use that. Otherwise, use the ports that have
550 * been supplied globally.
551 */
552 if (ports != NULL) {
553 args[i].a_ports = ports;
554 args[i].a_nports = nports;
555 } else {
556 args[i].a_ports = ss_ports;
557 args[i].a_nports = ss_nports;
558 }
559
560 evtimer_set(&args[i].ev, ss_timeout, &args[i]);
561
562 slot->slot_ref++;
563 ss_nhosts++;
564
565 count--;
566 i++;
567 }
568 }
569
570 *pargs = args;
571 *nargs = i;
572
573 return (0);
574 }
575
576 int
577 address_from_offset(struct address_node *an, uint32_t offset,
578 struct addr *addr)
579 {
580 ip_addr_t start, end;
581 for (; an; an = TAILQ_NEXT(an, an_next)) {
582 *addr = an->an_start;
583 start = ntohl(an->an_start.addr_ip);
584 end = ntohl(an->an_end.addr_ip);
585 if (start + offset <= end)
586 break;
587 offset -= end - start + 1;
588 }
589
590 if (an == NULL)
591 return (-1);
592
593 addr->addr_ip = htonl(start + offset);
594
595 return (0);
596 }
597
598 /*
599 * get the next address, keep state.
600 */
601
602 int
603 next_address(struct generate *gen, struct addr *addr)
604 {
605 struct addr ipv4addr, tmp;
606 uint32_t offset;
607 int done = 0, random;
608
609 /* Check if generator has been exhausted */
610 if (gen->gen_n >= gen->gen_max)
611 return (-1);
612
613 random = gen->gen_flags & FLAGS_USERANDOM;
614
615 do {
616 /* Get offset into address range */
617 if (random)
618 offset = rndgetaddr(gen->gen_bits,
619 gen->gen_current);
620 else
621 offset = gen->gen_current;
622
623 gen->gen_current += gen->gen_iterate;
624
625 if (address_from_offset(TAILQ_FIRST(&gen->gen_anqueue),
626 offset, &ipv4addr) == -1)
627 continue;
628
629 if (!random || rndexclude) {
630 tmp = exclude(ipv4addr, &excludequeue);
631 if (addr_cmp(&ipv4addr, &tmp)) {
632 if (random) {
633 if (gen->gen_flags & FLAGS_SUBTRACTEXCLUDE)
634 gen->gen_max--;
635
636 continue;
637 }
638
639 /* In linear mode, we can skip these */
640 offset = gen->gen_current;
641 offset += ntohl(tmp.addr_ip) - ntohl(ipv4addr.addr_ip);
642 if (offset < gen->gen_current) {
643 gen->gen_current = gen->gen_end;
644 break;
645 }
646 gen->gen_current = offset;
647
648 if (gen->gen_iterate == 1)
649 continue;
650
651 /* Adjust for splits */
652 offset /= gen->gen_iterate;
653 offset *= gen->gen_iterate;
654
655 offset += gen->gen_start;
656
657 if (offset < gen->gen_current)
658 offset += gen->gen_iterate;
659 if (offset < gen->gen_current) {
660 gen->gen_current = gen->gen_end;
661 break;
662 }
663
664 gen->gen_current = offset;
665 continue;
666 }
667 }
668
669 if (random) {
670 tmp = exclude(ipv4addr, &rndexclqueue);
671 if (addr_cmp(&ipv4addr, &tmp)) {
672 if (gen->gen_flags & FLAGS_SUBTRACTEXCLUDE)
673 gen->gen_max--;
674 continue;
675 }
676 }
677
678 /* We have an address */
679 done = 1;
680 } while ((gen->gen_current < gen->gen_end) &&
681 (gen->gen_n < gen->gen_max) && !done);
682
683 if (!done)
684 return (-1);
685
686 gen->gen_n += gen->gen_iterate;
687
688 *addr = ipv4addr;
689
690 return (0);
691 }
692
693 struct address_node *
694 address_node_get(char *line)
695 {
696 struct address_node *an;
697
698 /* Allocate an address node */
699 an = xmalloc(sizeof(struct address_node));
700 memset(an, 0, sizeof(struct address_node));
701 if (addr_pton(line, &an->an_start) == -1) {
702 fprintf(stderr, "Can not parse %s\n", line);
703 goto error;
704 }
705 /* Working around libdnet bug */
706 if (strcmp(line, "0.0.0.0/0") == 0)
707 an->an_start.addr_bits = 0;
708
709 an->an_bits = an->an_start.addr_bits;
710
711 addr_bcast(&an->an_start, &an->an_end);
712 an->an_start.addr_bits = IP_ADDR_BITS;
713 an->an_end.addr_bits = IP_ADDR_BITS;
714
715 return (an);
716
717 error:
718 free(an);
719 return (NULL);
720 }
721
722 /*
723 * Creates a generator from a command line
724 * [split(x/n)/][random(x,s)/][(]<address/mask> .... [)]
725 */
726
727 int
728 generate_split(struct generate *gen, char **pline)
729 {
730 char *line, *end;
731
732 line = *pline;
733
734 if ((end = strstr(line, ")/")) == NULL ||
735 strchr(line, '/') < end) {
736 fprintf(stderr, "Split not terminated correctly: %s\n", line);
737 return (-1);
738 }
739
740 line = strsep(pline, "/");
741
742 /* Generate a random scan entry */
743 if (sscanf(line, "split(%d,%d)/",
744 &gen->gen_start, &gen->gen_iterate) != 2)
745 return (-1);
746
747 if (!gen->gen_start || gen->gen_start > gen->gen_iterate) {
748 fprintf(stderr, "Invalid start/iterate pair: %d/%d\n",
749 gen->gen_start, gen->gen_iterate);
750 return (-1);
751 }
752
753 /* Internally, we start counting at 0 */
754 gen->gen_start--;
755
756 return (0);
757 }
758
759 /*
760 * Creates a generator from a command line
761 * [split(x/n)/][random(x,s)/][(]<address/mask> .... [)]
762 */
763
764 int
765 generate_random(struct generate *gen, char **pline)
766 {
767 int i;
768 char seed[31], *line, *end;
769
770 line = *pline;
771
772 if ((end = strstr(line, ")/")) == NULL ||
773 strchr(line, '/') < end) {
774 fprintf(stderr, "Random not terminated correctly: %s\n", line);
775 return (-1);
776 }
777
778 line = strsep(pline, "/");
779
780 /* Generate a random scan entry */
781 seed[0] = '\0';
782 if (sscanf(line, "random(%d,%30s)/", &gen->gen_max, seed) < 1)
783 return (-1);
784
785 /* Generate seed from string */
786 if (strlen(seed)) {
787 MD5_CTX ctx;
788 uint8_t digest[16];
789 uint32_t *tmp = (uint32_t *)digest;
790
791 MD5Init(&ctx);
792 MD5Update(&ctx, seed, strlen(seed));
793 MD5Final(digest, &ctx);
794
795 gen->gen_seed = 0;
796 for (i = 0; i < 4; i ++)
797 gen->gen_seed ^= *tmp++;
798
799 } else
800 gen->gen_seed = rand_uint32(ss_rand);
801
802 gen->gen_flags |= FLAGS_USERANDOM;
803
804 /* If the random numbers exhaust all possible addresses,
805 * we need to subtract those addresses from the count
806 * that can not be generated because they were excluded
807 */
808 if (!gen->gen_max)
809 gen->gen_flags |= FLAGS_SUBTRACTEXCLUDE;
810
811 return (0);
812 }
813
814 int
815 generate(char *line)
816 {
817 struct generate *gen;
818 struct address_node *an;
819 uint32_t count, tmp;
820 char *p;
821 int bits, i, done;
822
823 gen = xmalloc(sizeof(struct generate));
824 memset(gen, 0, sizeof(struct generate));
825 TAILQ_INIT(&gen->gen_anqueue);
826
827 /* Insert in generator queue, on failure generate_free removes it */
828 TAILQ_INSERT_TAIL(&genqueue, gen, gen_next);
829
830 /* Check for port ranges */
831 p = strsep(&line, ":");
832 if (line != NULL) {
833 if (ports_parse(line,
834 &gen->gen_ports, &gen->gen_nports) == -1) {
835 fprintf(stderr, "Bad port range: %s\n", line);
836 goto fail;
837 }
838 }
839 line = p;
840
841 done = 0;
842 while (!done) {
843 done = 1;
844 if (strncmp(line, "random(", 7) == 0) {
845 if (gen->gen_flags & FLAGS_USERANDOM) {
846 fprintf(stderr,
847 "Random already specified: %s\n",
848 line);
849 goto fail;
850 }
851 if (generate_random(gen, &line) == -1)
852 goto fail;
853
854 done = 0;
855 } else if (strncmp(line, "split(", 6) == 0) {
856 if (gen->gen_iterate) {
857 fprintf(stderr,
858 "Split already specified: %s\n",
859 line);
860 goto fail;
861 }
862 if (generate_split(gen, &line) == -1)
863 goto fail;
864
865 done = 0;
866 }
867 }
868
869 /* If no special split is specified, always iterated by 1 */
870 if (!gen->gen_iterate)
871 gen->gen_iterate = 1;
872
873 if (line[0] == '(') {
874 char *end;
875
876 line++;
877 if ((end = strchr(line, ')')) == NULL) {
878 fprintf(stderr, "Missing ')' in line: %s\n", line);
879 goto fail;
880 }
881 *end = '\0';
882
883 }
884
885 while (line && (p = strsep(&line, " "))) {
886 if ((an = address_node_get(p)) == NULL)
887 goto fail;
888
889 TAILQ_INSERT_TAIL(&gen->gen_anqueue, an, an_next);
890 }
891
892 /* Try to find out the effective bit range */
893 count = 0;
894 for (an = TAILQ_FIRST(&gen->gen_anqueue); an;
895 an = TAILQ_NEXT(an, an_next)) {
896 bits = an->an_bits;
897 if (bits == 0) {
898 count = -1;
899 break;
900 }
901
902 if (count + (1 << (32 - bits)) < count) {
903 count = -1;
904 break;
905 }
906
907 count += 1 << (32 - bits);
908 }
909
910 /* Try to convert count into a network mask */
911 bits = 0;
912 tmp = count;
913 for (i = -1; tmp; tmp >>= 1, i++) {
914 if (tmp & 1)
915 bits++;
916 }
917
918 /* a count of 01100, results in bits = 29, but it should be 28 */
919 gen->gen_bits = 32 - i;
920 if (bits > 1)
921 gen->gen_bits--;
922 bits = gen->gen_bits;
923
924 if (gen->gen_flags & FLAGS_USERANDOM) {
925 if (bits == 0)
926 gen->gen_end = -1;
927 else
928 gen->gen_end = 1 << (32 - bits);
929 } else
930 gen->gen_end = count;
931
932 if (gen->gen_max == 0)
933 gen->gen_max = count;
934
935 return (0);
936 fail:
937 if (gen)
938 generate_free(gen);
939
940 return (-1);
941 }
942
943 int
944 probe_haswork(void)
945 {
946 return (TAILQ_FIRST(&genqueue) || entries || !synlist_empty());
947 }
948
949 void
950 probe_send(int fd, short what, void *parameter)
951 {
952 struct event *ev = parameter;
953 struct timeval tv;
954 int ntotal, nprobes, nsent;
955 extern int scan_nhosts;
956
957 /* Schedule the next probe */
958 if (probe_haswork()) {
959 timerclear(&tv);
960 tv.tv_usec = 1000000L / syn_rate;
961 evtimer_add(ev, &tv);
962 } else if (TAILQ_FIRST(&readyqueue) == NULL && !scan_nhosts) {
963 struct timeval tv;
964
965 /* Terminate the event loop */
966 timerclear(&tv);
967 tv.tv_sec = 2;
968 event_loopexit(&tv);
969 }
970
971 gettimeofday(&tv, NULL);
972 timersub(&tv, &syn_start, &tv);
973
974 ntotal = tv.tv_sec * syn_rate + (tv.tv_usec * syn_rate) / 1000000L;
975 nprobes = ntotal - syn_nsent;
976
977 nsent = 0;
978 while ((TAILQ_FIRST(&genqueue) || entries) && nsent < nprobes) {
979 /* Create new entries, if we need them */
980 if (!entries && TAILQ_FIRST(&genqueue)) {
981 if (populate(&args, &entries) == -1) {
982 /*
983 * We fail if we have used up our memory.
984 * We also need to consume our number of
985 * sent packets.
986 */
987 syn_nsent = ntotal;
988 entries = 0;
989 break;
990 }
991 continue;
992 }
993
994 entries--;
995 args[entries].a_retry = 0;
996
997 if (TAILQ_FIRST(&socks_host) == NULL) {
998 synlist_insert(&args[entries]);
999
1000 /*
1001 * On failure, synlist_insert already scheduled
1002 * a retransmit.
1003 */
1004 synlist_probe(&args[entries],
1005 args[entries].a_ports[0].port);
1006 } else {
1007 struct argument *arg = &args[entries];
1008 if (!arg->a_hasports)
1009 ports_setup(arg, arg->a_ports, arg->a_nports);
1010 scanhost_ready(arg);
1011 }
1012
1013 nsent++;
1014 syn_nsent++;
1015 }
1016 }
1017
1018 int
1019 parse_socks_host(char *optarg)
1020 {
1021 char *host;
1022 while ((host = strsep(&optarg, ",")) != NULL) {
1023 /*
1024 * Parse the address of a SOCKS proxy that we are
1025 * using for all connections.
1026 */
1027 struct socks_host *single_host;
1028
1029 char *address = strsep(&host, ":");
1030 if (host == NULL || *host == '\0')
1031 return (-1);
1032
1033 single_host = calloc(1, sizeof(struct socks_host));
1034 if (single_host == NULL)
1035 err(1, "calloc");
1036 if (addr_pton(address, &single_host->host) == -1)
1037 return (-1);
1038
1039 if ((single_host->port = atoi(host)) == 0)
1040 return (-1);
1041
1042 TAILQ_INSERT_TAIL(&socks_host, single_host, next);
1043 }
1044
1045 return (0);
1046 }
1047
1048 int
1049 main(int argc, char **argv)
1050 {
1051 struct event ev_send;
1052 char *name, *dev = NULL, *scanner = "ssh";
1053 char *default_ports = "22";
1054 int ch;
1055 struct timeval tv, tv_start, tv_end;
1056 struct rlimit rl;
1057 int failonexclude = 0;
1058 int milliseconds;
1059
1060 ssh_sendident = 1;
1061
1062 TAILQ_INIT(&socks_host);
1063
1064 name = argv[0];
1065 while ((ch = getopt(argc, argv, "VIhdpm:u:s:i:e:n:r:ER")) != -1)
1066 switch(ch) {
1067 case 'V':
1068 fprintf(stderr, "ScanSSH %s\n", VERSION);
1069 exit(0);
1070 #ifdef DEBUG
1071 case 'd':
1072 debug++;
1073 break;
1074 #endif
1075 case 'I':
1076 ssh_sendident = 0;
1077 break;
1078 case 'p':
1079 scanner = "http-proxy,http-connect,socks5,socks4,telnet-proxy,ssh";
1080 default_ports = "23,22,80,81,808,1080,1298,3128,6588,4480,8080,8081,8000,8100,9050";
1081 break;
1082 case 'm':
1083 max_scanqueue_size = atoi(optarg);
1084 if (max_scanqueue_size == 0) {
1085 usage(name);
1086 exit(1);
1087 }
1088 break;
1089 case 'u':
1090 if (parse_socks_host(optarg) == -1) {
1091 usage(name);
1092 exit(1);
1093 }
1094 break;
1095 case 's':
1096 scanner = optarg;
1097 break;
1098 case 'i':
1099 dev = optarg;
1100 break;
1101 case 'n':
1102 if (ports_parse(optarg, &ss_ports, &ss_nports) == -1) {
1103 usage(name);
1104 exit(1);
1105 }
1106 break;
1107 case 'e':
1108 excludefile = optarg;
1109 /* FALLTHROUGH */
1110 case 'E':
1111 failonexclude = 1;
1112 break;
1113 case 'R':
1114 rndexclude=0;
1115 break;
1116 case 'r':
1117 syn_rate = atoi(optarg);
1118 if (syn_rate == 0) {
1119 fprintf(stderr, "Bad syn probe rate: %s\n",
1120 optarg);
1121 usage(name);
1122 exit(1);
1123 }
1124 break;
1125 case 'h':
1126 default:
1127 usage(name);
1128 exit(1);
1129 }
1130
1131 argc -= optind;
1132 argv += optind;
1133
1134 if (scanner_parse(scanner) == -1)
1135 errx(1, "bad scanner: %s", scanner);
1136
1137 if ((ss_rand = rand_open()) == NULL)
1138 err(1, "rand_open");
1139
1140 if ((ss_ip = ip_open()) == NULL)
1141 err(1, "ip_open");
1142
1143 scanssh_init();
1144
1145 event_init();
1146
1147 interface_initialize();
1148
1149 /* Initialize the specified interfaces */
1150 interface_init(dev, 0, NULL,
1151 "(tcp[13] & 18 = 18 or tcp[13] & 4 = 4)");
1152
1153 /* Raising file descriptor limits */
1154 rl.rlim_max = RLIM_INFINITY;
1155 rl.rlim_cur = RLIM_INFINITY;
1156 if (setrlimit(RLIMIT_NOFILE, &rl) == -1) {
1157 /* Linux does not seem to like this */
1158 if (getrlimit(RLIMIT_NOFILE, &rl) == -1)
1159 err(1, "getrlimit: NOFILE");
1160 rl.rlim_cur = rl.rlim_max;
1161 if (setrlimit(RLIMIT_NOFILE, &rl) == -1)
1162 err(1, "setrlimit: NOFILE");
1163 }
1164
1165 /* Raising the memory limits */
1166 rl.rlim_max = RLIM_INFINITY;
1167 rl.rlim_cur = MAXSLOTS * EXPANDEDARGS * sizeof(struct argument) * 2;
1168 if (setrlimit(RLIMIT_DATA, &rl) == -1) {
1169 /* Linux does not seem to like this */
1170 if (getrlimit(RLIMIT_DATA, &rl) == -1)
1171 err(1, "getrlimit: DATA");
1172 rl.rlim_cur = rl.rlim_max;
1173 if (setrlimit(RLIMIT_DATA, &rl) == -1)
1174 err(1, "setrlimit: DATA");
1175 }
1176
1177
1178 /* revoke privs */
1179 #ifdef HAVE_SETEUID
1180 seteuid(getuid());
1181 #endif /* HAVE_SETEUID */
1182 setuid(getuid());
1183
1184 /* Set up our port ranges */
1185 if (ss_nports == 0) {
1186 if (ports_parse(default_ports, &ss_ports, &ss_nports) == -1)
1187 errx(1, "Error setting up port list");
1188 }
1189
1190 if (setupexcludes() == -1 && failonexclude) {
1191 warn("fopen: %s", excludefile);
1192 exit(1);
1193 }
1194
1195 memset(slots, 0, sizeof(slots));
1196
1197 TAILQ_INIT(&genqueue);
1198
1199 while (argc) {
1200 if (generate(argv[0]) == -1)
1201 warnx("generate failed on %s", argv[0]);
1202
1203 argv++;
1204 argc--;
1205 }
1206
1207 if (!TAILQ_FIRST(&genqueue))
1208 errx(1, "nothing to scan");
1209
1210 gettimeofday(&syn_start, NULL);
1211
1212 evtimer_set(&ev_send, probe_send, &ev_send);
1213 timerclear(&tv);
1214 tv.tv_usec = 1000000L / syn_rate;
1215 evtimer_add(&ev_send, &tv);
1216
1217 gettimeofday(&tv_start, NULL);
1218
1219 event_dispatch();
1220
1221 /* Measure our effective host scan rate */
1222
1223 gettimeofday(&tv_end, NULL);
1224
1225 timersub(&tv_end, &tv_start, &tv_end);
1226
1227 milliseconds = tv_end.tv_sec * 1000 + tv_end.tv_usec % 1000;
1228
1229 fprintf(stderr, "Effective host scan rate: %.2f hosts/s\n",
1230 (float)ss_nhosts / (float) milliseconds * 1000.0);
1231
1232 return (1);
1233 }
1234
1235 void
1236 ports_timeout(int fd, short what, void *parameter)
1237 {
1238 struct port_scan *ps = parameter;
1239 struct argument *arg = ps->arg;
1240 struct timeval tv;
1241
1242 if (ps->count < SYNRETRIES) {
1243 ps->count++;
1244 /*
1245 * If this probe fails we are not reducing the retry counter,
1246 * as some of the failures might repeat always, like a host
1247 * on the local network not being reachable or some unrouteable
1248 * address space,
1249 */
1250 if (synlist_probe(arg, ps->port) == -1)
1251 goto reschedule;
1252
1253 syn_nsent++;
1254 } else {
1255 printres(arg, ps->port, "<timeout>");
1256 ports_remove(arg, ps->port);
1257 if (arg->a_nports == 0) {
1258 synlist_remove(arg);
1259 argument_free(arg);
1260 return;
1261 }
1262 return;
1263 }
1264
1265 reschedule:
1266 timerclear(&tv);
1267 tv.tv_sec += (arg->a_retry/2 + 1) * SYNWAIT;
1268 tv.tv_usec = rand_uint32(ss_rand) % 1000000L;
1269
1270 evtimer_add(&arg->ev, &tv);
1271 }
1272
1273 /* Mark a port as checked - meaning that we can connect to it */
1274
1275 void
1276 ports_markchecked(struct argument *arg, struct port *port)
1277 {
1278 struct port_scan *ps = port->scan;
1279
1280 DNFPRINTF(2, (stderr, "%s: %s:%d marked alive\n",
1281 __func__, addr_ntoa(&arg->addr), port->port));
1282
1283 if (ps == NULL) {
1284 /* Populates scan structures */
1285 ports_isalive(arg);
1286
1287 /* This argument has a new memory area now */
1288 port = ports_find(arg, port->port);
1289 ps = port->scan;
1290 }
1291
1292 event_del(&ps->ev);
1293 ps->flags |= PORT_CHECKED;
1294 }
1295
1296 /* Checks if all ports for this host have been checked to be alive */
1297
1298 int
1299 ports_isalive(struct argument *arg)
1300 {
1301 struct port_scan *ps;
1302 int i;
1303
1304 /* We already populated the structures */
1305 if (arg->a_ports[0].scan != NULL) {
1306 for (i = 0; i < arg->a_nports; i++)
1307 if (!(arg->a_ports[i].scan->flags & PORT_CHECKED))
1308 return (0);
1309 for (i = 0; i < arg->a_nports; i++) {
1310 ps = arg->a_ports[i].scan;
1311 event_del(&ps->ev);
1312 free(ps);
1313 arg->a_ports[i].scan = NULL;
1314 }
1315 return (1);
1316 }
1317
1318 /* This host was newly detected as alive */
1319 for (i = 0; i < arg->a_nports; i++) {
1320 struct timeval tv;
1321
1322 if ((ps = calloc(1, sizeof(struct port_scan))) == NULL)
1323 err(1, "%s: calloc");
1324 arg->a_ports[i].scan = ps;
1325
1326 ps->arg = arg;
1327 ps->port = arg->a_ports[i].port;
1328 evtimer_set(&ps->ev, ports_timeout, ps);
1329
1330 timerclear(&tv);
1331 tv.tv_usec = rand_uint32(ss_rand) % 1000000L;
1332
1333 evtimer_add(&ps->ev, &tv);
1334 }
1335
1336 return (0);
1337 }
1338
1339 /* Copy the ports list to the argument and use it for scanning */
1340
1341 int
1342 ports_setup(struct argument *arg, struct port *ports, int nports)
1343 {
1344 arg->a_hasports = 1;
1345 arg->a_nports = nports;
1346 if ((arg->a_ports = calloc(nports, sizeof(struct port))) == NULL)
1347 err(1, "%s: calloc", __func__);
1348
1349 memcpy(arg->a_ports, ports, nports * sizeof(struct port));
1350
1351 return (0);
1352 }
1353
1354 struct port *
1355 ports_find(struct argument *arg, uint16_t port)
1356 {
1357 int i;
1358
1359 for (i = 0; i < arg->a_nports; i++)
1360 if (arg->a_ports[i].port == port)
1361 return (&arg->a_ports[i]);
1362
1363 return (NULL);
1364 }
1365
1366 /* Remove one port from the list and reduce the number of available ports */
1367
1368 int
1369 ports_remove(struct argument *arg, uint16_t port)
1370 {
1371 int i;
1372
1373 for (i = 0; i < arg->a_nports; i++) {
1374 if (arg->a_ports[i].port == port) {
1375 /* Deallocate the scan structure if necessary */
1376 if (arg->a_ports[i].scan != NULL) {
1377 event_del(&arg->a_ports[i].scan->ev);
1378 free(arg->a_ports[i].scan);
1379 }
1380 arg->a_nports--;
1381 if (i < arg->a_nports) {
1382 arg->a_ports[i] = arg->a_ports[arg->a_nports];
1383 } else if (arg->a_nports == 0) {
1384 free (arg->a_ports);
1385 arg->a_ports = NULL;
1386 }
1387 return (0);
1388 }
1389 }
1390
1391 return (-1);
1392 }
1393
1394 /* Parse the list of ports and put them into an array */
1395
1396 int
1397 ports_parse(char *argument, struct port **pports, int *pnports)
1398 {
1399 char buf[1024], *line = buf;
1400 char *p, *e;
1401 int size, count, val;
1402 struct port *ports = *pports;
1403 struct port port;
1404
1405 strlcpy(buf, argument, sizeof(buf));
1406
1407 memset(&port, 0, sizeof(port));
1408
1409 count = 0;
1410 size = 0;
1411 while ((p = strsep(&line, ",")) != NULL) {
1412 val = strtoul(p, &e, 10);
1413 if (p[0] == '\0' || *e != '\0')
1414 return (-1);
1415 if (val <= 0 || val > 65535)
1416 return (-1);
1417
1418 if (count >= size) {
1419 struct port *tmpports;
1420 if (size == 0)
1421 size = 10;
1422 else
1423 size <<= 1;
1424
1425 tmpports = realloc(ports, size*sizeof(struct port));
1426 if (tmpports == NULL)
1427 err(1, "realloc");
1428 ports = tmpports;
1429 memset(&ports[count], 0,
1430 (size - count) * sizeof(struct port));
1431 }
1432
1433 port.port = val;
1434 ports[count++] = port;
1435 }
1436
1437 if (count == 0)
1438 return (-1);
1439
1440 *pports = ports;
1441 *pnports = count;
1442 return (0);
1443 }
1444
1445 /* Parse the list of scanners and put them into an array */
1446
1447 int
1448 scanner_parse(char *argument)
1449 {
1450 char buf[1024], *line = buf;
1451 char *p;
1452 int size, count;
1453 struct scanner *scanner;
1454
1455 strlcpy(buf, argument, sizeof(buf));
1456
1457 count = 0;
1458 size = 0;
1459 while ((p = strsep(&line, ",")) != NULL) {
1460 if ((scanner = scanner_find(p)) == NULL)
1461 return (-1);
1462
1463 if (count >= size) {
1464 struct scanner **tmpscanners;
1465 if (size == 0)
1466 size = 10;
1467 else
1468 size <<= 1;
1469
1470 tmpscanners = realloc(ss_scanners,
1471 size * sizeof(struct scanner *));
1472 if (tmpscanners == NULL)
1473 err(1, "realloc");
1474 ss_scanners = tmpscanners;
1475 memset(&ss_scanners[count], 0,
1476 (size - count) * sizeof(struct scanner *));
1477 }
1478 ss_scanners[count++] = scanner;
1479 }
1480
1481 if (count == 0)
1482 return (-1);
1483
1484 ss_nscanners = count;
1485 return (0);
1486 }