Patch to nmap 2.12 to do another type of stealth scan similar to the xmas scan, which is not currently logged by iplog and some IDS software.
048c281f0945aad5f26df3cff014a677b6d32e1a25328c51839bee4cfda19c27
===========================================================================
vecna - november`99 - patch for nmap-2.12
stealth scan implementation - added options : -CP -CU -C2 -C3 -C4
Apply the patch after running the "./configure" command, because the patch also
modifies Makefile.in (which is created by configure).
$patch -i nmap-2.12-vek.patch
===========================================================================
--- nmap.c.real Sun Apr 4 09:33:00 1999
+++ nmap.c Wed Nov 24 14:49:37 1999
@@ -83,7 +83,7 @@
if (argc < 2 ) printusage(argv[0]);
/* OK, lets parse these args! */
-while((arg = getopt(argc,fakeargv,"Ab:D:de:Ffg:hIi:M:m:NnOo:P:p:qRrS:s:T:Vv")) != EOF) {
+while((arg = getopt(argc,fakeargv,"Ab:D:de:Ffg:hIi:M:m:NnOo:P:p:qRrS:s:C:T:Vv")) != EOF) {
switch(arg) {
case 'A': o.allowall++; break;
case 'b':
@@ -237,6 +237,9 @@
if (!resolve(optarg, o.source))
fatal("Failed to resolve source address, try dotted decimal IP address\n");
break;
+
+/* Special scan - Null SYN FIN Xmas Ping and other by Fyodor */
+
case 's':
if (!*optarg) {
fprintf(stderr, "An option is required for -s, most common are -sT (tcp scan), -sS (SYN scan), -sF (FIN scan), -sU (UDP scan) and -sP (Ping scan)");
@@ -263,16 +266,49 @@
p++;
}
break;
+
+/* End of original stealth scan normal routine */
+
+/* the new options:
+
+ 1 = new URGENT -CU
+ 2 = new PUSH -CP
+ 3 = URGENT+PUSH -C2
+ 4 = FIN+URGENT -Cf
+ 5 = FIN+PUSH -CF
+
+*/
+ case 'C':
+ if (!*optarg) {
+ fprintf(stderr, "An option is required for -C, the new scan can be:\n -CU(Urgent) -CP(Push) -C2(Urgent+Push) -Cf(Fin+Urgent) -CF(Fin+Push)\n");
+ printusage(argv[0]);
+ }
+ p = optarg;
+ while(*p) {
+ switch(*p) {
+ case 'U': o.URGprobe = 1; break;
+ case 'P': o.PSHprobe = 1; break;
+ case '2': o.URGPSHprobe = 1; break;
+ case '3': o.FINURGprobe = 1; break;
+ case '4': o.FINPSHprobe = 1; break;
+ default: error("Scantype %c not supported\n",*p); printusage(argv[0]); break;
+ }
+ p++;
+ }
+ break;
+
+ /* End of routine options added */
+
case 'T': o.ptime = atoi(optarg); break;
case 'V':
- printf("\nnmap V. %s by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)\n", VERSION);
+ printf("\nnmap V. %s by Fyodor (www.insecure.com) patch by vecna - vecna@itapac.net", VERSION);
exit(0);
break;
case 'v': o.verbose++; break;
}
}
- fprintf(o.nmap_stdout, "\nStarting nmap V. %s by Fyodor (fyodor@dhp.com, www.insecure.org/nmap/)\n", VERSION);
+ fprintf(o.nmap_stdout, "\nStart nmap %s by Fyodor (fyodor@dhp.com) + patch by vecna (vecna@itapac.net)\n", VERSION);
if (o.pingtype == PINGTYPE_UNKNOWN) {
if (o.isr00t) o.pingtype = PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK|PINGTYPE_ICMP;
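Review bot: The `-C` option is documented three different ways inside this hunk: the block comment names the FIN variants `-Cf` and `-CF`, the `fprintf` at the top of `case 'C'` advertises `-Cf(Fin+Urgent) -CF(Fin+Push)`, but the `switch` only accepts `'3'` and `'4'` (and the usage text later in the patch says -C3/-C4), so a user following the error message gets "Scantype f not supported". Make the message match the code: `fprintf(stderr, "An option is required for -C, the new scan can be:\n -CU(Urgent) -CP(Push) -C2(Urgent+Push) -C3(Fin+Urgent) -C4(Fin+Push)\n");` and update the comment's `-Cf`/`-CF` lines to `-C3`/`-C4`. The rewritten `-V` line also drops the trailing `\n` before `exit(0)`, so the version banner no longer ends the output line. The enclosing getopt loop starts before this hunk.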
@@ -282,7 +318,8 @@
/* Now we check the option sanity */
/* Insure that at least one scantype is selected */
-if (!o.connectscan && !o.udpscan && !o.synscan && !o.finscan && !o.maimonscan && !o.nullscan && !o.xmasscan && !o.bouncescan && !o.pingscan) {
+
+if (!o.connectscan && !o.udpscan && !o.URGprobe && !o.PSHprobe && !o.URGPSHprobe && !o.FINURGprobe && !o.FINPSHprobe && !o.synscan && !o.finscan && !o.maimonscan && !o.nullscan && !o.xmasscan && !o.bouncescan && !o.pingscan) {
o.connectscan++;
if (o.verbose) error("No scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).");
}
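Review bot: The five-term test `o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe` is pasted by hand into this condition and again in the hunks ending at lines 104, 128, 136, 143, 152, 166, 172, 273 and in targets.c (line 281); any future probe type must be added in every copy, and it is easy to miss one (several of the copies already differ in ordering and spacing). Define it once next to the option fields, e.g. `#define CPROBE_SELECTED() (o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe)`, and use that in each condition.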
@@ -298,8 +335,15 @@
if (fastscan && ports) {
fatal("You can specify fast scan (-F) or explicitly select individual ports (-p), but not both");
} else if (fastscan) {
- ports = getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan,o.udpscan);
+ if (o.URGprobe||o.PSHprobe||o.URGPSHprobe||o.FINURGprobe||o.FINPSHprobe) {
+ o.xmasscan=1;
+ ports = getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan,o.udpscan);
+ o.xmasscan=0;
+ }
+ else ports = getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan,o.udpscan);
}
+/* emulazione di xmasscan x evitare il cambio delle varibili in
+ getsfastports() e getdefaultports() */
if (o.pingscan && ports) {
fatal("You cannot use -F (fast scan) or -p (explicit port selection) with PING scan");
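Review bot: Setting the global `o.xmasscan=1` and resetting it after `getfastports()` is unnecessary and fragile: `o.xmasscan` only contributes to the OR'd first argument, so the new flags can be passed directly, e.g. `ports = getfastports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan|o.URGprobe|o.PSHprobe|o.URGPSHprobe|o.FINURGprobe|o.FINPSHprobe, o.udpscan);`, which removes the duplicated call and the window in which a global carries a false value. The same toggle-and-restore pattern appears in the `getdefaultports()` hunk ending at line 128 and should be replaced the same way. The Italian comment explaining the emulation should be in English like the rest of the file, e.g. `/* the new probes use the same port set as the Xmas scan */`.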
@@ -309,17 +353,23 @@
fatal("The fast scan (-F) is incompatible with ping scan");
}
-if (!ports) {
- ports = getdefaultports(o.synscan|o.connectscan|o.fragscan|o.finscan|
- o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan,
- o.udpscan);
+if (o.URGprobe||o.PSHprobe||o.URGPSHprobe||o.FINURGprobe||o.FINPSHprobe) {
+ o.xmasscan=1;
+ if (!ports) ports = getdefaultports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan, o.udpscan);
+ o.xmasscan=0;
}
+/* nel caso ci sia uno dei nuovi scan, si emula l'xmas x non dover far
+ casini con altre varibili ecc... */
+
+else if (!ports) ports = getdefaultports(o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan, o.udpscan);
+
+
/* Default dest port for tcp probe */
if (!o.tcp_probe_port) o.tcp_probe_port = 80;
-if (o.pingscan && (o.connectscan || o.udpscan || o.synscan || o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.bouncescan)) {
+if (o.pingscan && (o.connectscan || o.udpscan || o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.synscan || o.finscan || o.maimonscan || o.nullscan || o.xmasscan || o.bouncescan)) {
fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
}
@@ -331,8 +381,7 @@
o.pingtype = PINGTYPE_TCP;
}
- if (o.finscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan
- || o.udpscan ) {
+ if (o.finscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan || o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.udpscan ) {
fatal("You requested a scan type which requires r00t privileges, and you do not have them.\n");
}
@@ -352,7 +401,7 @@
if (o.bouncescan && o.pingtype != PINGTYPE_NONE)
fprintf(o.nmap_stdout, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan\n");
-if (o.connectscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.nullscan > 1) {
+if (o.connectscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.nullscan + o.URGprobe + o.PSHprobe + o.URGPSHprobe + o.FINURGprobe + o.FINPSHprobe > 1) {
fatal("You specified more than one type of TCP scan. Please choose only one of -sT, -sS, -sF, -sM, -sX, and -sN");
}
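Review bot: The new flags are now counted in the "more than one type of TCP scan" sum, but the `fatal` text still only lists -sT, -sS, -sF, -sM, -sX and -sN, so someone who passes e.g. `-CU -CP` is told to pick among options they did not use. Extend the message: `fatal("You specified more than one type of TCP scan. Please choose only one of -sT, -sS, -sF, -sM, -sX, -sN, or a single -C probe type");`.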
@@ -360,10 +409,8 @@
fatal("Decoys are irrelevant to the bounce or connect scans");
}
-if (o.fragscan && (o.connectscan ||
- (o.udpscan && (o.synscan + o.finscan + o.maimonscan +
- o.xmasscan + o.nullscan == 0))))
- fatal("Fragmentation scan can only be used with SYN, FIN, Maimon, XMAS, or NULL scan types");
+if (o.fragscan && (o.connectscan || (o.udpscan && (o.synscan + o.finscan + o.maimonscan + o.URGprobe + o.PSHprobe + o.URGPSHprobe + o.FINURGprobe + o.FINPSHprobe + o.xmasscan + o.nullscan == 0))))
+ fatal("Fragmentation scan can only be used with:\nSYN, FIN, Maimon, XMAS (and derived) or NULL scan types");
if (o.identscan && !o.connectscan) {
error("Identscan only works with connect scan (-sT) ... ignoring option");
@@ -531,8 +578,9 @@
telnetthere. wierd :0 */
if (currenths->flags & HOST_UP /* && !currenths->wierd_responses*/ &&
!o.pingscan) {
-
- if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && ( o.synscan || o.finscan || o.maimonscan || o.udpscan || o.nullscan || o.xmasscan)) {
+
+
+ if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && (o.finscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan || o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.udpscan )) {
if (gethostname(myname, MAXHOSTNAMELEN) ||
!(target = gethostbyname(myname)))
fatal("Cannot get hostname! Try using -S <my_IP_address> or -e <interface to scan through>\n");
@@ -544,7 +592,7 @@
}
/* Figure out what link-layer device (interface) to use (ie eth0, ppp0, etc) */
- if (!*currenths->device && currenths->flags & HOST_UP && (o.nullscan || o.xmasscan || o.udpscan || o.finscan || o.maimonscan || o.synscan || o.osscan) && (ipaddr2devname( currenths->device, ¤ths->source_ip) != 0))
+ if (!*currenths->device && currenths->flags & HOST_UP && ( o.finscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan || o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.udpscan || o.osscan) && (ipaddr2devname( currenths->device, ¤ths->source_ip) != 0))
fatal("Could not figure out what device to send the packet out on! You might possibly want to try -S (but this is probably a bigger problem). If you are trying to sp00f the source of a SYN/FIN scan with -S <fakeip>, then you must use -e eth0 (or other devicename) to tell us what interface to use.\n");
/* Set up the decoy */
o.decoys[o.decoyturn] = currenths->source_ip;
@@ -554,13 +602,20 @@
if (o.synscan) pos_scan(currenths, ports, SYN_SCAN);
if (o.connectscan) pos_scan(currenths, ports, CONNECT_SCAN);
-
+
+ /* adding now possible options */
+
if (o.finscan) super_scan(currenths, ports, FIN_SCAN);
if (o.xmasscan) super_scan(currenths, ports, XMAS_SCAN);
if (o.nullscan) super_scan(currenths, ports, NULL_SCAN);
if (o.maimonscan) super_scan(currenths, ports, MAIMON_SCAN);
if (o.udpscan) super_scan(currenths, ports, UDP_SCAN);
-
+ if (o.URGprobe) super_scan(currenths, ports, URG_SCAN);
+ if (o.PSHprobe) super_scan(currenths, ports, PSH_SCAN);
+ if (o.URGPSHprobe) super_scan(currenths, ports, URGPSH_SCAN);
+ if (o.FINURGprobe) super_scan(currenths, ports, URGFIN_SCAN);
+ if (o.FINPSHprobe) super_scan(currenths, ports, FINPSH_SCAN);
+
if (o.bouncescan) {
if (ftp.sd <= 0) ftp_anon_connect(&ftp);
if (ftp.sd > 0) bounce_scan(currenths, ports, &ftp);
@@ -787,11 +842,15 @@
}
void printusage(char *name) {
-printf("nmap V. %s usage: nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>\n\
+printf("nmap \033[1;1m2.12+V\033[0m patched version by vecna - vecna@itapac.net usage:\n\
+ nmap [Scan Type(s)] [Options] <host or net #1 ... [#N]>\n\
Scan types\n\
-sT tcp connect() port scan\n\
-sS tcp SYN stealth port scan (must be root)\n\
- -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (only works against UNIX).\n\
+ -sF,-sX,-sN Stealth FIN, Xmas, or Null scan\n\
+ -CU,-CP,-C2 New Urgent probe, Push probe, Urgent+Push probe\n\
+ -C3,-C4 New \"3\" Fin+Urgent \"4\" Fin+Push\n\
+ note: -sF,-sX,-sN,-C* only works against UNIX\n\
-sP ping \"scan\". Find which hosts on specified network(s) are up but don't \n\
port scan them\n\
-sU UDP port scan, must be r00t\n\
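Review bot: The usage banner hard-codes `2.12+V` and drops the `%s`/`VERSION` argument (the matching `, VERSION);` removal is in the hunk ending at line 236), even though the patch defines `VERSION = 2.12+V` in Makefile.in; keep the format string parameterised so the two cannot drift, e.g. `printf("nmap V. %s (patched by vecna - vecna@itapac.net) usage:\n\`. The `\033[1;1m` ... `\033[0m` escape is emitted unconditionally, so the help text contains raw control characters when stdout is a pipe or a log file; plain text is safer here. The rest of printusage's format string continues outside this hunk.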
@@ -802,11 +861,12 @@
-PT Use \"TCP Ping\" to see what hosts are up (for normal and ping scans).\n\
-PT21 Use \"TCP Ping\" scan with probe destination port of 21 (or whatever).\n\
-PI Use ICMP ping packet to determines hosts that are up\n\
- -PB Do BOTH TCP & ICMP scans in parallel (TCP dest port can be specified after the 'B')\n\
+ -PB Do BOTH TCP & ICMP scans in parallel (TCP dest port after the 'B')\n\
-PS Use TCP SYN sweep rather than the default ACK sweep used in \"TCP ping\"\n\
-O Use TCP/IP fingerprinting to guess what OS the remote host is running\n\
-p <range> ports: ex: \'-p 23\' will only try port 23 of the host(s)\n\
- \'-p 20-30,63000-\' scans 20-30 and 63000-65535. default: 1-1024 + /etc/services\n\
+ \'-p 20-30,63000-\' scans 20-30 and 63000-65535.\n\
+ default: 1-1024 + /etc/services\n\
-Ddecoy_host1,decoy2,ME,decoy3[,...] Launch scans from decoy host(s) along\n\
with the real one. If you care about the order your real IP appears,\n\
stick \"ME\" somewhere in the list. Even if the target detects the\n\
@@ -819,8 +879,8 @@
-o <logfile> Output scan logs to <logfile> in human readable.\n\
-m <logfile> Output scan logs to <logfile> in machine parseable format.\n\
-i <inputfile> Grab IP numbers or hostnames from file. Use '-' for stdin\n\
- -g <portnumber> Sets the source port used for scans. 20 and 53 are good choices.\n\
- -S <your_IP> If you want to specify the source address of SYN or FYN scan.\n", VERSION);
+ -g <portnumber> Sets the source port used for scans.\n\
+ -S <your_IP> If you want to specify the source address of SYN or FYN scan.\n");
if (!o.allowall) printf(" -A Allow scanning .0 and .255 addresses" );
printf(" -v Verbose. Its use is recommended. Use twice for greater effect.\n\
-h help, print this junk. Also see http://www.insecure.org/nmap/\n\
@@ -1559,7 +1619,18 @@
if (pcap_setfilter(pd, &fcode) < 0 )
fatal("Failed to set the pcap filter: %s\n", pcap_geterr(pd));
+/* tcp flag setting - switch() very nice than if-list :\ */
+
+
if (scantype == XMAS_SCAN) scanflags = TH_FIN|TH_URG|TH_PUSH;
+else if (scantype == URG_SCAN) scanflags = TH_URG;
+else if (scantype == PSH_SCAN) scanflags = TH_PUSH;
+else if (scantype == URGPSH_SCAN) scanflags = TH_URG|TH_PUSH;
+else if (scantype == FINPSH_SCAN) scanflags = TH_FIN|TH_PUSH;
+else if (scantype == URGFIN_SCAN) scanflags = TH_URG|TH_FIN;
+
+/* end of tcp flag adding */
+
else if (scantype == NULL_SCAN) scanflags = 0;
else if (scantype == FIN_SCAN) scanflags = TH_FIN;
else if (scantype == MAIMON_SCAN) scanflags = TH_FIN|TH_ACK;
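Review bot: The new comment says `switch()` is nicer than an if-list, but the hunk then extends the if/else chain by five more `else if` lines, so the comment describes code that was not written. A `switch` on `scantype` makes the flag table readable and lets the compiler warn about unhandled enum values; an explicit `default: break;` keeps today's behaviour of leaving `scanflags` untouched for types that set no flags. The chain and the body of super_scan continue past the hunk, so any remaining scan types belong in the switch too.
```c
switch (scantype) {
case XMAS_SCAN:   scanflags = TH_FIN|TH_URG|TH_PUSH; break;
case URG_SCAN:    scanflags = TH_URG;                break;
case PSH_SCAN:    scanflags = TH_PUSH;               break;
case URGPSH_SCAN: scanflags = TH_URG|TH_PUSH;        break;
case FINPSH_SCAN: scanflags = TH_FIN|TH_PUSH;        break;
case URGFIN_SCAN: scanflags = TH_URG|TH_FIN;         break;
case NULL_SCAN:   scanflags = 0;                     break;
case FIN_SCAN:    scanflags = TH_FIN;                break;
case MAIMON_SCAN: scanflags = TH_FIN|TH_ACK;         break;
/* … unchanged: any remaining scan types from the original else-if chain … */
default:          break; /* scanflags keeps its prior value, as before */
}
```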
@@ -1568,7 +1639,7 @@
starttime = time(NULL);
if (o.debugging || o.verbose)
- fprintf(o.nmap_stdout, "Initiating FIN,NULL, UDP, or Xmas stealth scan against %s (%s)\n", target->name, inet_ntoa(target->host));
+ fprintf(o.nmap_stdout, "Initiating stealth scan against %s (%s)\n", target->name, inet_ntoa(target->host));
do {
@@ -2785,8 +2856,7 @@
fatal("Deletion of port %d failed\n", ports[i]);
}
}
- if (o.connectscan || o.nullscan || o.xmasscan || o.synscan ||
- o.maimonscan || o.finscan || o.bouncescan) {
+ if ( o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.nullscan || o.xmasscan || o.udpscan || o.finscan || o.maimonscan || o.synscan || o.bouncescan ) {
current = lookupport(*pl, ports[i], IPPROTO_TCP);
if (!current)
addport(pl, ports[i], IPPROTO_TCP, NULL, PORT_UNFIREWALLED);
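Review bot: The rewritten condition adds `o.udpscan` to a list the original line did not contain, and the branch it guards looks up and adds ports with `IPPROTO_TCP`; if that is unintentional, a UDP-only scan will now also create TCP port entries. Unless the UDP case is meant to share this path, drop it: `if ( o.URGprobe || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.nullscan || o.xmasscan || o.finscan || o.maimonscan || o.synscan || o.bouncescan ) {`. The enclosing loop and function continue outside this hunk.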
--- targets.c.real Thu Nov 18 23:37:30 1999
+++ targets.c Thu Nov 18 23:38:42 1999
@@ -103,7 +103,7 @@
2) We are doing tcp pingscan OR
3) We are doing NO scan AND we are doing a raw-mode portscan or osscan*/
else {
- if (o.isr00t && ((o.pingtype & PINGTYPE_TCP) || (o.pingtype == PINGTYPE_NONE && (o.synscan || o.finscan || o.xmasscan || o.nullscan || o.maimonscan || o.udpscan || o.osscan )))) {
+ if (o.isr00t && ((o.pingtype & PINGTYPE_TCP) || (o.pingtype == PINGTYPE_NONE && (o.synscan || o.finscan || o.xmasscan || o.nullscan || o.maimonscan || o.udpscan || o.osscan || o.PSHprobe || o.URGPSHprobe || o.FINURGprobe || o.FINPSHprobe || o.URGprobe)))) {
device = routethrough(&(hostbatch[i].host), &(hostbatch[i].source_ip));
if (!device) {
if (o.pingtype == PINGTYPE_NONE) {
--- global_structures.h.real Thu Nov 18 23:37:47 1999
+++ global_structures.h Thu Nov 18 23:38:05 1999
@@ -161,6 +161,15 @@
int finscan;
int udpscan;
int noresolve;
+
+ /* New stealth scan : */
+ int URGprobe;
+ int PSHprobe;
+ int URGPSHprobe;
+ int FINURGprobe;
+ int FINPSHprobe;
+ /* End new stealth scan */
+
int force; /* force nmap to continue on even when the outcome seems somewhat certain */
FILE *logfd; /* Output log file descriptor */
FILE *machinelogfd; /* Machine parseable log file descriptor */
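Review bot: The new fields `URGprobe`, `PSHprobe`, `URGPSHprobe`, `FINURGprobe` and `FINPSHprobe` break the naming convention of their neighbours (`finscan`, `udpscan`, `xmasscan`), and the comment block says only "New stealth scan" without stating what each field means. Lower-case names such as `urgscan`, `pshscan`, `urgpshscan`, `finurgscan`, `finpshscan` would read consistently, and each field deserves a trailing comment like the ones on `force`, e.g. `int urgscan; /* -CU: TCP probe with only URG set */`.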
@@ -168,7 +177,19 @@
};
typedef port *portlist;
-typedef enum { SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, MAIMON_SCAN } stype;
+typedef enum { SYN_SCAN,
+ FIN_SCAN,
+ XMAS_SCAN,
+ UDP_SCAN,
+ CONNECT_SCAN,
+ NULL_SCAN,
+ URG_SCAN, /* start new vekkena skans */
+ PSH_SCAN,
+ URGPSH_SCAN,
+ URGFIN_SCAN,
+ FINPSH_SCAN,
+ MAIMON_SCAN /* end new vekkena skans */
+} stype;
#endif /*GLOBAL_STRUCTURES_H */
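Review bot: The five new `stype` values are inserted before `MAIMON_SCAN`, which silently changes its numeric value; nothing visible here depends on the number, but appending the new members after `MAIMON_SCAN` keeps every existing value stable and makes the enum's history easier to read. The comments `start new vekkena skans` / `end new vekkena skans` should describe the members instead, e.g. `/* TCP flag-combination probes added by the -C option */`.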
--- Makefile.in.real Thu Nov 18 23:37:55 1999
+++ Makefile.in Thu Nov 18 23:38:26 1999
@@ -20,7 +20,7 @@
INSTALL = @INSTALL@
MAKEDEPEND = @MAKEDEPEND@
RPMTDIR=$(HOME)/rpmdir
-VERSION = 2.12
+VERSION = 2.12+V
TARGET = nmap