OpenVAS Scanner  22.7.9
nasl_builtin_synscan.c File Reference

Port scanner Synscan. More...

#include "../misc/bpf_share.h"
#include "../misc/network.h"
#include "../misc/pcap_openvas.h"
#include "../misc/plugutils.h"
#include "nasl_builtin_plugins.h"
#include "nasl_lex_ctxt.h"
#include <arpa/inet.h>
#include <gvm/base/logging.h>
#include <gvm/base/prefs.h>
#include <netinet/ip.h>
#include <netinet/tcp.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
Include dependency graph for nasl_builtin_synscan.c:

Go to the source code of this file.

Data Structures

struct  pseudohdr
 
struct  list
 

Macros

#define _BSD_SOURCE   1
 
#define _DEFAULT_SOURCE   1
 
#define NUM_RETRIES   2
 
#define G_LOG_DOMAIN   "lib nasl"
 GLib logging domain. More...
 

Functions

static int in_cksum (u_short *p, int n)
 
static unsigned long maketime ()
 
static struct timeval timeval (unsigned long val)
 
static unsigned long compute_rtt (unsigned long then)
 
static int packetdead (unsigned long then)
 
static int rawsocket (int family)
 Opens and returns a raw socket. More...
 
static int openbpf (struct in_addr dst, struct in_addr *src, int magic)
 Opens a packet filter, grabs packets from dst to port magic. More...
 
static int v6_openbpf (struct in6_addr *dst, struct in6_addr *src, int magic)
 
static struct listget_packet (struct list *l, unsigned short dport)
 
static struct listadd_packet (struct list *l, unsigned short dport, unsigned long ack)
 If no packet with dport is in list, prepends a "packet" to the. More...
 
static struct listrm_packet (struct list *l, unsigned short dport)
 
static struct listrm_dead_packets (struct list *l, int *retry)
 
static struct tcphdr * extracttcp (char *pkt, unsigned int len)
 
static struct tcphdr * v6_extracttcp (char *pkt)
 
static unsigned long extractack (char *pkt, int len, int family)
 
static unsigned short extractsport (char *pkt, int len, int family)
 
static int issynack (char *pkt, int len, int family)
 
static char * mktcp (struct in_addr src, int sport, struct in_addr dst, int dport, unsigned long th_ack, unsigned char flag)
 
static char * mktcpv6 (int sport, int dport, unsigned long th_ack, unsigned char flag)
 
static struct listsendpacket (int soc, int bpf, int skip, struct in_addr dst, struct in_addr src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct script_infos *env)
 
static struct listv6_sendpacket (int soc, int bpf, int skip, struct in6_addr *dst, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct script_infos *env)
 
static int scan (struct script_infos *env, char *portrange, struct in6_addr *dst6, unsigned long rtt)
 
tree_cellplugin_run_synscan (lex_ctxt *lexic)
 

Detailed Description

Port scanner Synscan.

Definition in file nasl_builtin_synscan.c.

Macro Definition Documentation

◆ _BSD_SOURCE

#define _BSD_SOURCE   1

Definition at line 13 of file nasl_builtin_synscan.c.

◆ _DEFAULT_SOURCE

#define _DEFAULT_SOURCE   1

Definition at line 15 of file nasl_builtin_synscan.c.

◆ G_LOG_DOMAIN

#define G_LOG_DOMAIN   "lib nasl"

GLib logging domain.

Definition at line 43 of file nasl_builtin_synscan.c.

◆ NUM_RETRIES

#define NUM_RETRIES   2

Definition at line 37 of file nasl_builtin_synscan.c.

Function Documentation

◆ add_packet()

static struct list* add_packet ( struct list l,
unsigned short  dport,
unsigned long  ack 
)
static

If no packet with dport is in list, prepends a "packet" to the.

list l.

Definition at line 279 of file nasl_builtin_synscan.c.

280 {
281  struct list *ret;
282 
283  ret = get_packet (l, dport);
284  if (ret != NULL)
285  {
286 #ifdef SHOW_RETRIES
287  printf ("RETRIES FOR %d = %d\n", dport, ret->retries);
288 #endif
289  ret->retries++;
290  ret->when = ack;
291  return l;
292  }
293  ret = g_malloc0 (sizeof (struct list));
294 
295  ret->next = l;
296  ret->prev = NULL;
297  if (ret->next != NULL)
298  ret->next->prev = ret;
299 
300  ret->dport = dport;
301  ret->when = ack;
302  ret->retries = 0;
303  return ret;
304 }

References list::dport, get_packet(), list::next, list::prev, list::retries, and list::when.

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ compute_rtt()

static unsigned long compute_rtt ( unsigned long  then)
static

Definition at line 121 of file nasl_builtin_synscan.c.

122 {
123  unsigned long now = maketime ();
124  unsigned long res;
125  unsigned long a, b;
126 
127  a = (unsigned long) ntohl (now);
128  b = (unsigned long) ntohl (then);
129 
130  if (b > a)
131  {
132  return 0;
133  }
134  res = a - b;
135  if (res >= (1 << 28))
136  res = 1 << 28;
137 
138  return htonl (res);
139 }

References maketime().

Referenced by sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extractack()

static unsigned long extractack ( char *  pkt,
int  len,
int  family 
)
static

Definition at line 397 of file nasl_builtin_synscan.c.

398 {
399  unsigned long ret;
400  struct tcphdr *tcp;
401  if (family == AF_INET)
402  tcp = extracttcp (pkt, len);
403  else
404  tcp = v6_extracttcp (pkt);
405 
406  if (tcp == NULL)
407  return -1;
408 
409  ret = htonl (ntohl (tcp->th_ack) - 1);
410  return ret;
411 }

References extracttcp(), len, and v6_extracttcp().

Referenced by sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extractsport()

static unsigned short extractsport ( char *  pkt,
int  len,
int  family 
)
static

Definition at line 414 of file nasl_builtin_synscan.c.

415 {
416  struct tcphdr *tcp;
417 
418  if (family == AF_INET)
419  tcp = extracttcp (pkt, len);
420  else
421  tcp = v6_extracttcp (pkt);
422 
423  if (tcp == NULL)
424  return 0;
425 
426  return ntohs (tcp->th_sport);
427 }

References extracttcp(), len, and v6_extracttcp().

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ extracttcp()

static struct tcphdr* extracttcp ( char *  pkt,
unsigned int  len 
)
static

Definition at line 375 of file nasl_builtin_synscan.c.

376 {
377  struct ip *ip;
378  struct tcphdr *tcp;
379 
380  ip = (struct ip *) pkt;
381  if (ip->ip_hl * 4 + sizeof (struct tcphdr) > len)
382  return NULL;
383 
384  tcp = (struct tcphdr *) (pkt + ip->ip_hl * 4);
385  return tcp;
386 }

References len.

Referenced by extractack(), extractsport(), and issynack().

Here is the caller graph for this function:

◆ get_packet()

static struct list* get_packet ( struct list l,
unsigned short  dport 
)
static
Returns
First pointer to list in l with the given dport , NULL if no such list item could be found.

Definition at line 262 of file nasl_builtin_synscan.c.

263 {
264  while (l != NULL)
265  {
266  if (l->dport == dport)
267  return l;
268  else
269  l = l->next;
270  }
271  return NULL;
272 }

References list::dport, and list::next.

Referenced by add_packet(), and rm_packet().

Here is the caller graph for this function:

◆ in_cksum()

static int in_cksum ( u_short *  p,
int  n 
)
static

Definition at line 56 of file nasl_builtin_synscan.c.

57 {
58  register u_short answer;
59  register unsigned long sum = 0;
60  u_short odd_byte = 0;
61 
62  while (n > 1)
63  {
64  sum += *p++;
65  n -= 2;
66  }
67 
68  /* mop up an odd byte, if necessary */
69  if (n == 1)
70  {
71  *(u_char *) (&odd_byte) = *(u_char *) p;
72  sum += odd_byte;
73  }
74  sum = (sum >> 16) + (sum & 0xffff); /* add hi 16 to low 16 */
75  sum += (sum >> 16); /* add carry */
76  answer = (int) ~sum; /* ones-complement, truncate */
77  return (answer);
78 }

Referenced by mktcp().

Here is the caller graph for this function:

◆ issynack()

static int issynack ( char *  pkt,
int  len,
int  family 
)
static

Definition at line 430 of file nasl_builtin_synscan.c.

431 {
432  struct tcphdr *tcp;
433 
434  if (family == AF_INET)
435  tcp = extracttcp (pkt, len);
436  else
437  tcp = v6_extracttcp (pkt);
438 
439  if (tcp == NULL)
440  return 0;
441 
442  return tcp->th_flags == (TH_SYN | TH_ACK);
443 }

References extracttcp(), len, and v6_extracttcp().

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ maketime()

static unsigned long maketime ( )
static

Definition at line 81 of file nasl_builtin_synscan.c.

82 {
83  struct timeval tv;
84  unsigned long ret;
85 
86  gettimeofday (&tv, NULL);
87 
88  ret = ((tv.tv_sec & 0x0000000F) << 28) | (((tv.tv_usec) & 0xFFFFFFF0) >> 4);
89 
90  return htonl (ret);
91 }

Referenced by compute_rtt(), packetdead(), sendpacket(), and v6_sendpacket().

Here is the caller graph for this function:

◆ mktcp()

static char* mktcp ( struct in_addr  src,
int  sport,
struct in_addr  dst,
int  dport,
unsigned long  th_ack,
unsigned char  flag 
)
static

Definition at line 446 of file nasl_builtin_synscan.c.

448 {
449  static char pkt[sizeof (struct ip) + sizeof (struct tcphdr)];
450  struct ip *ip;
451  struct tcphdr *tcp;
452  struct pseudohdr pseudohdr;
453  char tcpsumdata[sizeof (pseudohdr)];
454 
455  ip = (struct ip *) (&pkt);
456  ip->ip_hl = 5;
457  ip->ip_v = 4;
458  ip->ip_tos = 0;
459  ip->ip_len = sizeof (struct ip) + sizeof (struct tcphdr);
460  ip->ip_id = rand ();
461  ip->ip_off = 0;
462  ip->ip_ttl = 64;
463  ip->ip_p = IPPROTO_TCP;
464  ip->ip_sum = 0;
465  ip->ip_src.s_addr = src.s_addr;
466  ip->ip_dst.s_addr = dst.s_addr;
467  ip->ip_sum = in_cksum ((u_short *) pkt, sizeof (struct ip));
468 
469  tcp = (struct tcphdr *) (&(pkt[sizeof (struct ip)]));
470  tcp->th_sport = htons (sport);
471  tcp->th_dport = htons (dport);
472  tcp->th_seq = th_ack;
473  tcp->th_ack = 0;
474  tcp->th_x2 = 0;
475  tcp->th_off = 5;
476  tcp->th_flags = flag;
477  tcp->th_win = 4096;
478  tcp->th_sum = 0;
479  tcp->th_urp = 0;
480 
481  bzero (&pseudohdr, sizeof (pseudohdr));
482  pseudohdr.saddr.s_addr = src.s_addr;
483  pseudohdr.daddr.s_addr = dst.s_addr;
484  pseudohdr.protocol = IPPROTO_TCP;
485  pseudohdr.length = htons (sizeof (struct tcphdr));
486  bcopy ((char *) tcp, (char *) &pseudohdr.tcpheader, sizeof (struct tcphdr));
487  bcopy (&pseudohdr, tcpsumdata, sizeof (struct pseudohdr));
488  tcp->th_sum =
489  in_cksum ((unsigned short *) tcpsumdata, 12 + sizeof (struct tcphdr));
490 
491  return pkt;
492 }

References pseudohdr::daddr, in_cksum(), pseudohdr::length, pseudohdr::protocol, pseudohdr::saddr, and pseudohdr::tcpheader.

Referenced by sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ mktcpv6()

static char* mktcpv6 ( int  sport,
int  dport,
unsigned long  th_ack,
unsigned char  flag 
)
static

Definition at line 495 of file nasl_builtin_synscan.c.

496 {
497  static char pkt[sizeof (struct tcphdr)];
498  struct tcphdr *tcp;
499 
500  tcp = (struct tcphdr *) (&(pkt[0]));
501  tcp->th_sport = htons (sport);
502  tcp->th_dport = htons (dport);
503  tcp->th_ack = htonl (rand ());
504  tcp->th_seq = th_ack;
505  tcp->th_off = 5;
506  tcp->th_flags = flag;
507  tcp->th_win = htons (5760);
508  tcp->th_urp = 0;
509  tcp->th_sum = 2;
510 
511  return pkt;
512 }

Referenced by v6_sendpacket().

Here is the caller graph for this function:

◆ openbpf()

static int openbpf ( struct in_addr  dst,
struct in_addr *  src,
int  magic 
)
static

Opens a packet filter, grabs packets from dst to port magic.

Parameters
[out]srcin_addr of source.
[in]dstDestination.
[in]magicDestination port on src to listen to.
Returns
A bpf that listens to tcp packets coming from dst to port magic.

Definition at line 216 of file nasl_builtin_synscan.c.

217 {
218  char *iface;
219  char filter[255];
220  int bpf;
221 
222  iface = routethrough (&dst, src);
223  snprintf (filter, sizeof (filter), "tcp and src host %s and dst port %d",
224  inet_ntoa (dst), magic);
225  bpf = bpf_open_live (iface, filter);
226  return bpf;
227 }

References bpf_open_live(), and routethrough().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ packetdead()

static int packetdead ( unsigned long  then)
static

Definition at line 142 of file nasl_builtin_synscan.c.

143 {
144  unsigned long now = maketime ();
145 
146  then = ntohl (then);
147  now = ntohl (now);
148 
149  if ((now - then) >= 2 << 28)
150  {
151  return 1;
152  }
153 
154  return 0;
155 }

References maketime().

Referenced by rm_dead_packets().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ plugin_run_synscan()

tree_cell* plugin_run_synscan ( lex_ctxt lexic)

Definition at line 778 of file nasl_builtin_synscan.c.

779 {
780  struct script_infos *env = lexic->script_infos;
781  unsigned long rtt;
782  struct in6_addr *dst6 = plug_get_host_ip (env);
783  struct in_addr *dst;
784  struct in_addr inaddr;
785 
786  inaddr.s_addr = dst6->s6_addr32[3];
787  dst = &inaddr;
788 
789  if (islocalhost (dst))
790  return NULL;
791 
792  rtt = htonl (1 << 28);
793 
794  const char *range = prefs_get ("port_range");
795  scan (env, (char *) range, dst6, rtt);
796  plug_set_key (env, "Host/scanned", ARG_INT, (void *) 1);
797  plug_set_key (env, "Host/scanners/synscan", ARG_INT, (void *) 1);
798  return NULL;
799 }

References ARG_INT, islocalhost(), plug_get_host_ip(), plug_set_key(), scan(), and struct_lex_ctxt::script_infos.

Here is the call graph for this function:

◆ rawsocket()

static int rawsocket ( int  family)
static

Opens and returns a raw socket.

Definition at line 161 of file nasl_builtin_synscan.c.

162 {
163  int soc;
164  int opt = 1;
165  int offset = 8;
166 
167  if (family == AF_INET)
168  {
169  soc = socket (AF_INET, SOCK_RAW, IPPROTO_RAW);
170  if (soc < 0)
171  {
172  perror ("socket ");
173  printf ("error opeinig socket\n");
174  return -1;
175  }
176  if (setsockopt (soc, IPPROTO_IP, IP_HDRINCL, /*(char *) */ &opt,
177  sizeof (opt))
178  < 0)
179  {
180  perror ("setsockopt ");
181  printf ("error setting socket opt\n");
182  close (soc);
183  return -1;
184  }
185  }
186  else
187  {
188  soc = socket (AF_INET6, SOCK_RAW, IPPROTO_TCP);
189  if (soc < 0
190  || setsockopt (soc, IPPROTO_IPV6, IPV6_CHECKSUM, &offset,
191  sizeof (offset))
192  < 0)
193  {
194  perror ("socket ");
195  printf ("error opening socket\n");
196  if (soc >= 0)
197  close (soc);
198  return -1;
199  }
200  }
201 
202  return soc;
203 }

Referenced by scan().

Here is the caller graph for this function:

◆ rm_dead_packets()

static struct list* rm_dead_packets ( struct list l,
int *  retry 
)
static

Definition at line 327 of file nasl_builtin_synscan.c.

328 {
329  struct list *ret = l;
330  struct list *p = l;
331 
332  *retry = 0;
333  while (p != NULL)
334  {
335  struct list *next = p->next;
336  if (packetdead (p->when))
337  {
338  if (p->retries < NUM_RETRIES)
339  {
340 #ifdef SHOW_RETRIES
341  printf ("Will retry port %d\n", p->dport);
342 #endif
343  *retry = p->dport;
344  }
345  else
346  {
347 #ifdef SHOW_RTT_REMOVAL
348  printf ("Removing port %d (RTT elapsed)\n", p->dport);
349 #endif
350  if (p->next != NULL)
351  p->next->prev = p->prev;
352 
353  if (p->prev != NULL)
354  p->prev->next = p->next;
355  else
356  {
357  if (p->next == NULL)
358  {
359  g_free (p);
360  return NULL;
361  }
362  ret = p->next;
363  g_free (p);
364  }
365  }
366  }
367  p = next;
368  }
369  return ret;
370 }

References list::dport, list::next, NUM_RETRIES, packetdead(), list::prev, list::retries, and list::when.

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ rm_packet()

static struct list* rm_packet ( struct list l,
unsigned short  dport 
)
static

Definition at line 307 of file nasl_builtin_synscan.c.

308 {
309  struct list *ret = l;
310  struct list *p = get_packet (l, dport);
311 
312  if (p == NULL)
313  return l;
314  if (p->next != NULL)
315  p->next->prev = p->prev;
316 
317  if (p->prev != NULL)
318  p->prev->next = p->next;
319  else
320  ret = p->next;
321 
322  g_free (p);
323  return ret;
324 }

References list::dport, get_packet(), list::next, and list::prev.

Referenced by sendpacket(), and v6_sendpacket().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ scan()

static int scan ( struct script_infos env,
char *  portrange,
struct in6_addr *  dst6,
unsigned long  rtt 
)
static
Returns
-1 if the socket could not be opened (error), 0 otherwise.

This will send packets to ports not in ports list, will it?

Todo:
How to do this for ipv6? This causes much scan delay for IPv6.

Definition at line 676 of file nasl_builtin_synscan.c.

678 {
679  int num;
680  int soc;
681  int bpf;
682  struct in_addr src;
683  struct in_addr dst;
684  struct in6_addr src6;
685  int magic = 4441 + (rand () % 1200);
686  int skip;
687  int i;
688  struct list *packets = NULL;
689  int retry;
690  unsigned short *ports;
691  int family;
692 
693  dst.s_addr = 0;
694 
695  if (IN6_IS_ADDR_V4MAPPED (dst6))
696  {
697  family = AF_INET;
698  dst.s_addr = dst6->s6_addr32[3];
699  soc = rawsocket (AF_INET);
700  }
701  else
702  {
703  family = AF_INET6;
704  soc = rawsocket (AF_INET6);
705  }
706 
707  ports = (unsigned short *) getpts (portrange, &num);
708 
709  if (soc < 0)
710  {
711  printf ("error opening raw socket\n");
712  return -1;
713  }
714 
715  if (family == AF_INET)
716  bpf = openbpf (dst, &src, magic);
717  else
718  bpf = v6_openbpf (dst6, &src6, magic);
719  if (bpf < 0)
720  {
721  close (soc);
722  return -1;
723  }
724  skip = get_datalink_size (bpf_datalink (bpf));
725 
727  for (i = 0; i < num; i += 2)
728  {
729  if (family == AF_INET)
730  packets = sendpacket (soc, bpf, skip, dst, src, ports[i], magic,
731  packets, &rtt, 0, env);
732  else
733  packets = v6_sendpacket (soc, bpf, skip, dst6, ports[i], magic, packets,
734  &rtt, 0, env);
735  if (i + 1 < num)
736  {
737  g_debug ("=====>> Sniffing %u\n", ports[i + 1]);
738  if (family == AF_INET)
739  packets = sendpacket (soc, bpf, skip, dst, src, ports[i + 1], magic,
740  packets, &rtt, 1, env);
741  else
742  packets = v6_sendpacket (soc, bpf, skip, dst6, ports[i + 1], magic,
743  packets, &rtt, 1, env);
744  }
745  }
746 
748  if (family == AF_INET)
749  {
750  while (packets != NULL)
751  {
752  i = 0;
753  retry = 0;
754  packets = rm_dead_packets (packets, &retry);
755  while (retry != 0 && i < 2)
756  {
757  packets = sendpacket (soc, bpf, skip, dst, src, retry, magic,
758  packets, &rtt, 0, env);
759  packets = rm_dead_packets (packets, &retry);
760  i++;
761  }
762  packets = sendpacket (soc, bpf, skip, dst, src, retry, magic, packets,
763  &rtt, 1, env);
764  }
765  }
766 
767  close (soc);
768  bpf_close (bpf);
769  if (ports != NULL)
770  g_free (ports);
771  if (num >= 65535)
772  plug_set_key (env, "Host/full_scan", ARG_INT, (void *) 1);
773 
774  return 0;
775 }

References ARG_INT, bpf_close(), bpf_datalink(), get_datalink_size(), getpts(), openbpf(), plug_set_key(), rawsocket(), rm_dead_packets(), sendpacket(), v6_openbpf(), and v6_sendpacket().

Referenced by plugin_run_synscan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ sendpacket()

static struct list* sendpacket ( int  soc,
int  bpf,
int  skip,
struct in_addr  dst,
struct in_addr  src,
int  dport,
int  magic,
struct list packets,
unsigned long *  rtt,
int  sniff,
struct script_infos env 
)
static
Parameters
sniffIf != 0, "sniff" (listen to incoming packages), else just add packet.

Definition at line 520 of file nasl_builtin_synscan.c.

523 {
524  unsigned long ack = maketime ();
525  char *pkt = mktcp (src, magic, dst, dport, ack, TH_SYN);
526  int len;
527  char *res;
528  struct sockaddr_in soca;
529  struct timeval rtt_tv = timeval (*rtt);
530  int family = AF_INET;
531 
532  bzero (&soca, sizeof (soca));
533  soca.sin_family = AF_INET;
534  soca.sin_addr = dst;
535 
536  rtt_tv.tv_sec *= 1000;
537  rtt_tv.tv_sec /= 8;
538 
539  rtt_tv.tv_usec += (rtt_tv.tv_sec % 1000) * 1000;
540  rtt_tv.tv_sec /= 1000;
541  if (rtt_tv.tv_sec >= 1)
542  {
543  rtt_tv.tv_sec = 1;
544  rtt_tv.tv_usec = 0;
545  }
546 
547  if (dport != 0)
548  {
549  int e;
550  packets = add_packet (packets, dport, ack);
551  e = sendto (soc, pkt, sizeof (struct ip) + sizeof (struct tcphdr), 0,
552  (struct sockaddr *) &soca, sizeof (soca));
553  if (e < 0)
554  {
555  perror ("sendto ");
556  close (soc);
557  bpf_close (bpf);
558  return NULL;
559  }
560  }
561  if (sniff != 0)
562  {
563  again:
564  res = (char *) bpf_next_tv (bpf, &len, &rtt_tv);
565  if (res != NULL)
566  {
567  unsigned short sport = extractsport (res + skip, len, family);
568  int synack = issynack (res + skip, len, family);
569  unsigned int rack = extractack (res + skip, len, family);
570  if (synack)
571  {
572  char *rst;
573  scanner_add_port (env, sport, "tcp");
574  /* Send a RST to make sure the connection is closed on the remote
575  * side */
576  rst = mktcp (src, magic, dst, sport, ack + 1, TH_RST);
577  if (sendto (soc, rst, sizeof (struct ip) + sizeof (struct tcphdr),
578  0, (struct sockaddr *) &soca, sizeof (soca))
579  < 0)
580  {
581  perror ("sendto ");
582  close (soc);
583  bpf_close (bpf);
584  return NULL;
585  }
586 
587  /* Adjust the rtt */
588  *rtt = compute_rtt (rack);
589  if (ntohl (*rtt) >= (1 << 28))
590  *rtt = 1 << 28;
591  }
592  packets = rm_packet (packets, sport);
593  rtt_tv.tv_sec = 0;
594  rtt_tv.tv_usec = 0;
595  goto again;
596  }
597  }
598  return packets;
599 }

References add_packet(), bpf_close(), bpf_next_tv(), compute_rtt(), list::dport, extractack(), extractsport(), issynack(), len, maketime(), mktcp(), rm_packet(), scanner_add_port(), and timeval().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ timeval()

static struct timeval timeval ( unsigned long  val)
static

Definition at line 81 of file nasl_builtin_synscan.c.

95 {
96  struct timeval ret;
97  unsigned int h, l;
98 
99  val = ntohl (val);
100 
101  h = (val & 0xF0000000) >> 28;
102  l = (val & 0x0FFFFFFF) << 4;
103 
104  ret.tv_sec = h;
105  ret.tv_usec = l;
106  while (ret.tv_usec >= 1000000)
107  {
108  ret.tv_usec -= 1000000;
109  ret.tv_sec++;
110  }
111 
112  if (ret.tv_sec > 2)
113  {
114  ret.tv_sec = 2;
115  ret.tv_usec = 0;
116  }
117  return ret;
118 }

Referenced by attack_network(), attack_start(), banner_grab(), bpf_next(), bpf_next_tv(), calculate_eta(), capture_next_frame(), capture_next_packet(), capture_next_v6_packet(), do_reseed_ntlmssp(), nasl_gettimeofday(), nasl_open_privileged_socket(), nasl_pcap_next(), nasl_recv(), nasl_send_capture(), nasl_tcp_ping(), nasl_tcp_v6_ping(), nsend(), open_socket(), open_SSL_connection(), plugin_do_run(), plugins_reload_from_dir(), read_stream_connection_unbuffered(), sendpacket(), socket_ssl_do_handshake(), update_running_processes(), v6_sendpacket(), wait_before_next_probe(), and write_stream_connection4().

Here is the caller graph for this function:

◆ v6_extracttcp()

static struct tcphdr* v6_extracttcp ( char *  pkt)
static

Definition at line 389 of file nasl_builtin_synscan.c.

390 {
391  struct tcphdr *tcp;
392  tcp = (struct tcphdr *) (pkt + 40);
393  return tcp;
394 }

Referenced by extractack(), extractsport(), and issynack().

Here is the caller graph for this function:

◆ v6_openbpf()

static int v6_openbpf ( struct in6_addr *  dst,
struct in6_addr *  src,
int  magic 
)
static

Definition at line 230 of file nasl_builtin_synscan.c.

231 {
232  char *iface;
233  char filter[255];
234  char hostname[INET6_ADDRSTRLEN];
235  int bpf;
236 
237  iface = v6_routethrough (dst, src);
238 
239  snprintf (filter, sizeof (filter), "tcp and src host %s and dst port %d",
240  inet_ntop (AF_INET6, dst, hostname, sizeof (hostname)), magic);
241  bpf = bpf_open_live (iface, filter);
242  if (bpf < 0)
243  printf ("bpf_open_live returned error\n");
244  return bpf;
245 }

References bpf_open_live(), hostname, and v6_routethrough().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:

◆ v6_sendpacket()

static struct list* v6_sendpacket ( int  soc,
int  bpf,
int  skip,
struct in6_addr *  dst,
int  dport,
int  magic,
struct list packets,
unsigned long *  rtt,
int  sniff,
struct script_infos env 
)
static

Definition at line 602 of file nasl_builtin_synscan.c.

605 {
606  unsigned long ack = maketime ();
607  char *pkt = mktcpv6 (magic, dport, ack, TH_SYN);
608  int len;
609  char *res;
610  struct sockaddr_in6 soca;
611  struct timeval rtt_tv = timeval (*rtt);
612 
613  bzero (&soca, sizeof (soca));
614  soca.sin6_family = AF_INET6;
615  memcpy (&soca.sin6_addr, dst, sizeof (struct in6_addr));
616  rtt_tv.tv_sec *= 1000;
617  rtt_tv.tv_sec /= 8;
618 
619  rtt_tv.tv_usec += (rtt_tv.tv_sec % 1000) * 1000;
620  rtt_tv.tv_sec /= 1000;
621  if (rtt_tv.tv_sec >= 1)
622  {
623  rtt_tv.tv_sec = 1;
624  rtt_tv.tv_usec = 0;
625  }
626 
627  if (dport != 0)
628  {
629  int e;
630  packets = add_packet (packets, dport, ack);
631  e = sendto (soc, pkt, sizeof (struct tcphdr), 0,
632  (struct sockaddr *) &soca, sizeof (soca));
633  if (e < 0)
634  {
635  g_message ("sendto error in v6_sendpacket");
636  perror ("sendto ");
637  close (soc);
638  bpf_close (bpf);
639  return NULL;
640  }
641  }
642  if (sniff != 0)
643  {
644  res = (char *) bpf_next (bpf, &len);
645  if (res != NULL)
646  {
647  unsigned short sport = extractsport (res + skip, len, AF_INET6);
648  int synack = issynack (res + skip, len, AF_INET6);
649  if (synack)
650  {
651  char *rst;
652  scanner_add_port (env, sport, "tcp");
653  /* Send a RST to make sure the connection is closed on the remote
654  * side */
655  rst = mktcpv6 (magic, sport, ack + 1, TH_RST);
656  if (sendto (soc, rst, sizeof (struct tcphdr), 0,
657  (struct sockaddr *) &soca, sizeof (soca))
658  < 0)
659  {
660  perror ("sendto ");
661  close (soc);
662  bpf_close (bpf);
663  return NULL;
664  }
665  }
666  packets = rm_packet (packets, sport);
667  }
668  }
669  return packets;
670 }

References add_packet(), bpf_close(), bpf_next(), list::dport, extractsport(), issynack(), len, maketime(), mktcpv6(), rm_packet(), scanner_add_port(), and timeval().

Referenced by scan().

Here is the call graph for this function:
Here is the caller graph for this function:
pseudohdr::saddr
struct in_addr saddr
Definition: nasl_builtin_synscan.c:47
compute_rtt
static unsigned long compute_rtt(unsigned long then)
Definition: nasl_builtin_synscan.c:121
script_infos
Definition: scanneraux.h:29
plug_get_host_ip
struct in6_addr * plug_get_host_ip(struct script_infos *args)
Definition: plugutils.c:316
pseudohdr::tcpheader
struct tcphdr tcpheader
Definition: nasl_builtin_synscan.c:52
bpf_open_live
int bpf_open_live(char *iface, char *filter)
Definition: bpf_share.c:39
maketime
static unsigned long maketime()
Definition: nasl_builtin_synscan.c:81
packetdead
static int packetdead(unsigned long then)
Definition: nasl_builtin_synscan.c:142
openbpf
static int openbpf(struct in_addr dst, struct in_addr *src, int magic)
Opens a packet filter, grabs packets from dst to port magic.
Definition: nasl_builtin_synscan.c:216
v6_routethrough
char * v6_routethrough(struct in6_addr *dest, struct in6_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:841
sendpacket
static struct list * sendpacket(int soc, int bpf, int skip, struct in_addr dst, struct in_addr src, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct script_infos *env)
Definition: nasl_builtin_synscan.c:520
mktcpv6
static char * mktcpv6(int sport, int dport, unsigned long th_ack, unsigned char flag)
Definition: nasl_builtin_synscan.c:495
pseudohdr::daddr
struct in_addr daddr
Definition: nasl_builtin_synscan.c:48
bpf_close
void bpf_close(int bpf)
Definition: bpf_share.c:164
rawsocket
static int rawsocket(int family)
Opens and returns a raw socket.
Definition: nasl_builtin_synscan.c:161
NUM_RETRIES
#define NUM_RETRIES
Definition: nasl_builtin_synscan.c:37
pseudohdr::protocol
u_char protocol
Definition: nasl_builtin_synscan.c:50
getpts
unsigned short * getpts(char *origexpr, int *len)
Converts a string like "-100,200-1024,3000-4000,60000-" into an array.
Definition: network.c:2296
list::dport
unsigned short dport
Definition: nasl_builtin_synscan.c:250
rm_packet
static struct list * rm_packet(struct list *l, unsigned short dport)
Definition: nasl_builtin_synscan.c:307
add_packet
static struct list * add_packet(struct list *l, unsigned short dport, unsigned long ack)
If no packet with dport is in list, prepends a "packet" to the.
Definition: nasl_builtin_synscan.c:279
bpf_next_tv
u_char * bpf_next_tv(int bpf, int *caplen, struct timeval *tv)
Definition: bpf_share.c:119
v6_extracttcp
static struct tcphdr * v6_extracttcp(char *pkt)
Definition: nasl_builtin_synscan.c:389
extractsport
static unsigned short extractsport(char *pkt, int len, int family)
Definition: nasl_builtin_synscan.c:414
len
uint8_t len
Definition: nasl_packet_forgery.c:1
extractack
static unsigned long extractack(char *pkt, int len, int family)
Definition: nasl_builtin_synscan.c:397
pseudohdr::length
u_short length
Definition: nasl_builtin_synscan.c:51
islocalhost
int islocalhost(struct in_addr *addr)
Tests whether a packet sent to IP is LIKELY to route through the kernel localhost interface.
Definition: pcap.c:261
scanner_add_port
void scanner_add_port(struct script_infos *args, int port, char *proto)
Definition: plugutils.c:1049
bpf_datalink
int bpf_datalink(int bpf)
Definition: bpf_share.c:158
timeval
static struct timeval timeval(unsigned long val)
Definition: nasl_builtin_synscan.c:94
struct_lex_ctxt::script_infos
struct script_infos * script_infos
Definition: nasl_lex_ctxt.h:30
get_packet
static struct list * get_packet(struct list *l, unsigned short dport)
Definition: nasl_builtin_synscan.c:262
pseudohdr
Definition: nasl_builtin_synscan.c:46
get_datalink_size
int get_datalink_size(int datalink)
Definition: pcap.c:288
extracttcp
static struct tcphdr * extracttcp(char *pkt, unsigned int len)
Definition: nasl_builtin_synscan.c:375
ARG_INT
#define ARG_INT
Definition: plugutils.h:20
list::prev
struct list * prev
Definition: nasl_builtin_synscan.c:253
in_cksum
static int in_cksum(u_short *p, int n)
Definition: nasl_builtin_synscan.c:56
list::retries
int retries
Definition: nasl_builtin_synscan.c:252
hostname
const char * hostname
Definition: pluginlaunch.c:68
val
const char * val
Definition: nasl_init.c:412
list::when
unsigned long when
Definition: nasl_builtin_synscan.c:251
v6_sendpacket
static struct list * v6_sendpacket(int soc, int bpf, int skip, struct in6_addr *dst, int dport, int magic, struct list *packets, unsigned long *rtt, int sniff, struct script_infos *env)
Definition: nasl_builtin_synscan.c:602
bpf_next
u_char * bpf_next(int bpf, int *caplen)
Definition: bpf_share.c:150
scan
static int scan(struct script_infos *env, char *portrange, struct in6_addr *dst6, unsigned long rtt)
Definition: nasl_builtin_synscan.c:676
plug_set_key
void plug_set_key(struct script_infos *args, char *name, int type, const void *value)
Definition: plugutils.c:962
mktcp
static char * mktcp(struct in_addr src, int sport, struct in_addr dst, int dport, unsigned long th_ack, unsigned char flag)
Definition: nasl_builtin_synscan.c:446
rm_dead_packets
static struct list * rm_dead_packets(struct list *l, int *retry)
Definition: nasl_builtin_synscan.c:327
list::next
struct list * next
Definition: nasl_builtin_synscan.c:254
routethrough
char * routethrough(struct in_addr *dest, struct in_addr *source)
An awesome function to determine what interface a packet to a given destination should be routed thro...
Definition: pcap.c:1060
issynack
static int issynack(char *pkt, int len, int family)
Definition: nasl_builtin_synscan.c:430
list
Definition: nasl_builtin_synscan.c:249
v6_openbpf
static int v6_openbpf(struct in6_addr *dst, struct in6_addr *src, int magic)
Definition: nasl_builtin_synscan.c:230