/*************************************************************************** * osscan2.cc -- Routines used for 2nd Generation OS detection via         * * TCP/IP fingerprinting.  * For more information on how this works in     * * Nmap, see http://insecure.org/nmap/osdetect/                            * *                                                                         * ***********************IMPORTANT NMAP LICENSE TERMS************************ *                                                                         * * The Nmap Security Scanner is (C) 1996-2008 Insecure.Com LLC. Nmap is    * * also a registered trademark of Insecure.Com LLC.  This program is free  * * software; you may redistribute and/or modify it under the terms of the  * * GNU General Public License as published by the Free Software            * * Foundation; Version 2 with the clarifications and exceptions described  * * below.  This guarantees your right to use, modify, and redistribute     * * this software under certain conditions.  If you wish to embed Nmap      * * technology into proprietary software, we sell alternative licenses      * * (contact sales@insecure.com).  Dozens of software vendors already       * * license Nmap technology such as host discovery, port scanning, OS       * * detection, and version detection.                                       * *                                                                         * * Note that the GPL places important restrictions on "derived works", yet * * it does not provide a detailed definition of that term.  To avoid       * * misunderstandings, we consider an application to constitute a           * * "derivative work" for the purpose of this license if it does any of the * * following:                                                              * * o Integrates source code from Nmap                                      * * o Reads or includes Nmap copyrighted data files, such as                * *   nmap-os-fingerprints or nmap-service-probes.                          * * o Executes Nmap and parses the results (as opposed to typical shell or  * *   execution-menu apps, which simply display raw Nmap output and so are  * *   not derivative works.)                                                *  * o Integrates/includes/aggregates Nmap into a proprietary executable     * *   installer, such as those produced by InstallShield.                   * * o Links to a library or executes a program that does any of the above   * *                                                                         * * The term "Nmap" should be taken to also include any portions or derived * * works of Nmap.  This list is not exclusive, but is just meant to        * * clarify our interpretation of derived works with some common examples.  * * These restrictions only apply when you actually redistribute Nmap.  For * * example, nothing stops you from writing and selling a proprietary       * * front-end to Nmap.  Just distribute it by itself, and point people to   * * http://insecure.org/nmap/ to download Nmap.                             * *                                                                         * * We don't consider these to be added restrictions on top of the GPL, but * * just a clarification of how we interpret "derived works" as it applies  * * to our GPL-licensed Nmap product.  This is similar to the way Linus     * * Torvalds has announced his interpretation of how "derived works"        * * applies to Linux kernel modules.  Our interpretation refers only to     * * Nmap - we don't speak for any other GPL products.                       * *                                                                         * * If you have any questions about the GPL licensing restrictions on using * * Nmap in non-GPL works, we would be happy to help.  As mentioned above,  * * we also offer alternative license to integrate Nmap into proprietary    * * applications and appliances.  These contracts have been sold to dozens  * * of software vendors, and generally include a perpetual license as well  * * as providing for priority support and updates as well as helping to     * * fund the continued development of Nmap technology.  Please email        * * sales@insecure.com for further information.                             * *                                                                         * * As a special exception to the GPL terms, Insecure.Com LLC grants        * * permission to link the code of this program with any version of the     * * OpenSSL library which is distributed under a license identical to that  * * listed in the included Copying.OpenSSL file, and distribute linked      * * combinations including the two. You must obey the GNU GPL in all        * * respects for all of the code used other than OpenSSL.  If you modify    * * this file, you may extend this exception to your version of the file,   * * but you are not obligated to do so.                                     * *                                                                         * * If you received these files with a written license agreement or         * * contract stating terms other than the terms above, then that            * * alternative license agreement takes precedence over these comments.     * *                                                                         * * Source is provided to this software because we believe users have a     * * right to know exactly what a program is going to do before they run it. * * This also allows you to audit the software for security holes (none     * * have been found so far).                                                * *                                                                         * * Source code also allows you to port Nmap to new platforms, fix bugs,    * * and add new features.  You are highly encouraged to send your changes   * * to fyodor@insecure.org for possible incorporation into the main         * * distribution.  By sending these changes to Fyodor or one the            * * Insecure.Org development mailing lists, it is assumed that you are      * * offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right * * to reuse, modify, and relicense the code.  Nmap will always be          * * available Open Source, but this is important because the inability to   * * relicense code has caused devastating problems for other Free Software  * * projects (such as KDE and NASM).  We also occasionally relicense the    * * code to third parties as discussed above.  If you wish to specify       * * special license conditions of your contributions, just say so when you  * * send them.                                                              * *                                                                         * * This program is distributed in the hope that it will be useful, but     * * WITHOUT ANY WARRANTY; without even the implied warranty of              * * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the GNU       * * General Public License for more details at                              * * http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included  * * with Nmap.                                                              * *                                                                         * ***************************************************************************//* $Id: osscan.cc 3636 2006-07-04 23:04:56Z fyodor $ */#include "osscan.h"#include "osscan2.h"#include "timing.h"#include "NmapOps.h"#include "Target.h"#include "utils.h"#include <dnet.h>#include <list>#define NUM_FPTESTS    13/* The number of tries we normally do.  This may be increased if   the target looks like a good candidate for fingerprint submission, or fewer   if the user gave the --max-os-tries option */#define STANDARD_OS2_TRIES 2// The minimum (and target) amount of time to wait between probes// sent to a single host, in milliseconds.#define OS_PROBE_DELAY 25// The target amount of time to wait between sequencing probes sent to// a single host, in milliseconds.  The ideal is 500ms because of the// common 2Hz timestamp frequencies.  Less than 500ms and we might not// see any change in the TS counter (and it gets less accurate even if// we do).  More than 500MS and we risk having two changes (and it// gets less accurate even if we have just one).  So we delay 100MS// between probes, leaving 500MS between 1st and 6th.#define OS_SEQ_PROBE_DELAY 100using namespace std;extern NmapOps o;/* 8 options: *  0~5: six options for SEQ/OPS/WIN/T1 probes. *  6:   ECN probe. *  7-12:   T2~T7 probes. * * option 0: WScale (10), Nop, MSS (1460), Timestamp, SackP * option 1: MSS (1400), WScale (0), Nop, SackP, T * option 2: T, Nop, Nop, WScale (5), Nop, MSS (640) * option 3: SackP, T, WScale (10), Nop * option 4: MSS (536), SackP, T, WScale (10), Nop * option 5: MSS (265), SackP, Nop, Nop, T, Nop, End * option 6: WScale (10), Nop, MSS (1460), SackP, Nop, Nop * option 7-11: WScale (10), Nop, MSS (265), T, SackP * option 12: WScale (15), Nop, MSS (265), T, SackP */static struct {  u8* val;  int len;} prbOpts[] = {  {(u8*) "\003\003\012\001\002\004\005\264\010\012\377\377\377\377\000\000\000\000\004\002", 20},  {(u8*) "\002\004\005\170\003\003\000\004\002\010\012\377\377\377\377\000\000\000\000\0", 20},  {(u8*) "\010\012\377\377\377\377\000\000\000\000\001\001\003\003\005\001\002\004\002\200", 20},  {(u8*) "\004\002\010\012\377\377\377\377\000\000\000\000\003\003\012\0", 16},  {(u8*) "\002\004\002\030\004\002\010\012\377\377\377\377\000\000\000\000\003\003\012\0", 20},  {(u8*) "\002\004\001\011\004\002\010\012\377\377\377\377\000\000\000\000", 16},  {(u8*) "\003\003\012\001\002\004\005\264\004\002\001\001", 12},  {(u8*) "\003\003\012\001\002\004\001\011\010\012\377\377\377\377\000\000\000\000\004\002", 20},  {(u8*) "\003\003\012\001\002\004\001\011\010\012\377\377\377\377\000\000\000\000\004\002", 20},  {(u8*) "\003\003\012\001\002\004\001\011\010\012\377\377\377\377\000\000\000\000\004\002", 20},  {(u8*) "\003\003\012\001\002\004\001\011\010\012\377\377\377\377\000\000\000\000\004\002", 20},  {(u8*) "\003\003\012\001\002\004\001\011\010\012\377\377\377\377\000\000\000\000\004\002", 20},  {(u8*) "\003\003\017\001\002\004\001\011\010\012\377\377\377\377\000\000\000\000\004\002", 20}};/* Numbering is the same as for prbOpts[] */u16 prbWindowSz[] = { 1, 63, 4, 4, 16, 512, 3, 128, 256, 1024, 31337, 32768, 65535 };/* A global now. Updated after potentially meaningful delays. This can * be used to save a call to gettimeofday() */static struct timeval now;class OFProbe;class HostOsScanStats;class HostOsScan;class HostOsScanInfo;class OsScanInfo;/* Performance tuning variable. */struct os_scan_performance_vars {  int low_cwnd;  /* The lowest cwnd (congestion window) allowed */  int host_initial_cwnd; /* Initial congestion window for ind. hosts */  int group_initial_cwnd; /* Initial congestion window for all hosts as a group */  int max_cwnd; /* I should never have more than this many probes                   outstanding */  int quick_incr; /* How many probes are incremented for each response                     in quick start mode */  int cc_incr; /* How many probes are incremented per (roughly) rtt in                   congestion control mode */  int initial_ccthresh;  /* When a successful ping response comes back, it counts as this many     "normal" responses, because the fact that pings are neccessary means     we aren't getting much input. */  int ping_magnifier;  /* Try to send a scanping if no response has been received from a target host     in this many usecs */  int pingtime;  double group_drop_cwnd_divisor; /* all-host group cwnd divided by this                                     value if any packet drop occurs */  double group_drop_ccthresh_divisor; /* used to drop the group ccthresh when                                         any drop occurs */  double host_drop_ccthresh_divisor; /* used to drop the host ccthresh when                                        any drop occurs */  int tryno_cap; /* The maximum trynumber (starts at zero) allowed */} perf;/* Some of the algorithms used here are TCP congestion control   techniques from RFC2581. */struct osscan_timing_vals {  double cwnd; /* Congestion window - in probes */    /* The threshold after which mode is changed from QUICK_START to     CONGESTION_CONTROL */  int ccthresh;    /* Number of updates to this utv (generally packet receipts ) */  int num_updates;    /* Last time values were adjusted for a drop (you usually only want     to adjust again based on probes sent after that adjustment so a     sudden batch of drops doesn't destroy timing.  Init to now */  struct timeval last_drop;};typedef enum OFProbeType {  OFP_UNSET,  OFP_TSEQ,  OFP_TOPS,  OFP_TECN,  OFP_T1_7,  OFP_TICMP,  OFP_TUDP} OFProbeType;class OFProbe{public:  OFProbe();    /* The literal string for the current probe type. */  const char *typestr();  /* Type of the probe: for what os fingerprinting test? */  OFProbeType type;  /* Subid of this probe to separate different tcp/udp/icmp. */  int subid;  int tryno; /* Try (retransmission) number of this probe */    /* A packet may be timedout for a while before being retransmitted     due to packet sending rate limitations */  bool retransmitted;    struct timeval sent;    /* Time the previous probe was sent, if this is a retransmit (tryno > 0) */  struct timeval prevSent;};/* * HostOsScanStats stores the status for a host being scanned  * in a scan round. */class HostOsScanStats{  friend class HostOsScan;public:  HostOsScanStats(Target *t);  ~HostOsScanStats();  void initScanStats();    void addNewProbe(OFProbeType type, int subid);  void removeActiveProbe(list<OFProbe *>::iterator probeI);/* Get an active probe from active probe list identified by probe type   and subid.  returns probesActive.end() if there isn't one. */  list<OFProbe *>::iterator getActiveProbe(OFProbeType type, int subid);  void moveProbeToActiveList(list<OFProbe *>::iterator probeI);  void moveProbeToUnSendList(list<OFProbe *>::iterator probeI);  unsigned int numProbesToSend() {return probesToSend.size();}  unsigned int numProbesActive() {return probesActive.size();}  FingerPrint *getFP() {fpPassed = true; return FP;}    Target *target; /* the Target */  struct seq_info si;  struct ipid_info ipid;  /*   * distance, distance_guess: hop count between us and the target.   *   * Possible values of distance:   *   0: when scan self;   *   1: when scan a target on the same network segment;   * >=1: not self, not same network and nmap has got the icmp reply to the U1 probe.   *  -1: none of the above situations.   *   * Possible values of distance_guess:   *  -1: nmap fails to get a valid ttl by all kinds of probes.   * >=1: a guessing value based on ttl.   */  int distance;  int distance_guess;    /* Returns the amount of time taken between sending 1st tseq probe     and the last one.  Zero is     returned if we didn't send the tseq probes because there was no     open tcp port */  double timingRatio();private:  /* Ports of the targets used in os fingerprinting. */    int openTCPPort, closedTCPPort, closedUDPPort;  /* Probe list used in tests. At first, probes are linked in   * probesToSend; when a probe is sent, it will be removed from   * probesToSend and appended to probesActive. If any probes in   * probesActive are timedout, they will be moved to probesToSend and   * sent again till expired.   */    list<OFProbe *> probesToSend;  list<OFProbe *> probesActive;  /* A record of total number of probes that have been sent to this   * host, including restranmited ones. */  unsigned int num_probes_sent;  /* Delay between two probes. */  unsigned int sendDelayMs;  /* When the last probe is sent. */  struct timeval lastProbeSent;  struct osscan_timing_vals timing;  /*   * Fingerprint of this target. When a scan is completed, it'll   * finally be passed to hs->target->FPR->FPs[x].   */  FingerPrint *FP;  FingerPrint *FPtests[NUM_FPTESTS];#define FP_TSeq  FPtests[0]#define FP_TOps  FPtests[1]#define FP_TWin  FPtests[2]#define FP_TEcn  FPtests[3]#define FP_T1_7_OFF 4#define FP_T1    FPtests[4]#define FP_T2    FPtests[5]#define FP_T3    FPtests[6]#define FP_T4    FPtests[7]#define FP_T5    FPtests[8]#define FP_T6    FPtests[9]#define FP_T7    FPtests[10]#define FP_TUdp  FPtests[11]#define FP_TIcmp FPtests[12]  struct AVal *TOps_AVs[6]; /* 6 AVs of TOps */  struct AVal *TWin_AVs[6]; /* 6 AVs of TWin */  /* Whether the above FPs is passed. If not and the hss stats is to be	 deleted, delete the FPs. This happens when the host is timedout	 during the scan. */  bool fpPassed;  /* The following are variables to store temporary results   * during the os fingerprinting process of this host.   */  u16 lastipid;  struct timeval seq_send_times[NUM_SEQ_SAMPLES];  int TWinReplyNum; /* how many TWin replies are received. */  int TOpsReplyNum; /* how many TOps replies are received. Actually it is the same with TOpsReplyNum. */  struct ip *icmpEchoReply; /* To store one of the two icmp replies */  int storedIcmpReply; /* Which one of the two icmp replies is stored? */    struct udpprobeinfo upi; /* info of the udp probe we sent */};