├── .gitignore ├── .gitmodules ├── Makefile ├── README.md ├── go.mod └── main.go /.gitignore: -------------------------------------------------------------------------------- 1 | # Binaries for programs and plugins 2 | *.exe 3 | *.exe~ 4 | *.dll 5 | *.so 6 | *.dylib 7 | 8 | # Test binary, built with `go test -c` 9 | *.test 10 | 11 | # Output of the go coverage tool, specifically when used with LiteIDE 12 | *.out 13 | 14 | # Dependency directories (remove the comment below to include it) 15 | # vendor/ 16 | -------------------------------------------------------------------------------- /.gitmodules: -------------------------------------------------------------------------------- 1 | [submodule "masscan"] 2 | path = masscan 3 | url = https://github.com/robertdavidgraham/masscan 4 | -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | build: masscan 2 | go build -trimpath -o main main.go 3 | 4 | .PHONY: masscan 5 | masscan: 6 | make -C masscan 7 | 8 | clean: 9 | make -C masscan clean 10 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | https://mp.weixin.qq.com/s/A_MUSnU2gUK1-U5thr9p8w 2 | -------------------------------------------------------------------------------- /go.mod: -------------------------------------------------------------------------------- 1 | module masscan 2 | 3 | go 1.16 4 | -------------------------------------------------------------------------------- /main.go: -------------------------------------------------------------------------------- 1 | package main 2 | 3 | //#cgo CFLAGS: -I masscan/src 4 | //#cgo LDFLAGS: ${SRCDIR}/masscan/tmp/crypto-base64.o ${SRCDIR}/masscan/tmp/crypto-blackrock2.o ${SRCDIR}/masscan/tmp/event-timeout.o ${SRCDIR}/masscan/tmp/in-binary.o ${SRCDIR}/masscan/tmp/in-filter.o ${SRCDIR}/masscan/tmp/in-report.o ${SRCDIR}/masscan/tmp/logger.o ${SRCDIR}/masscan/tmp/main-conf.o ${SRCDIR}/masscan/tmp/main-dedup.o ${SRCDIR}/masscan/tmp/main-initadapter.o ${SRCDIR}/masscan/tmp/main-listscan.o ${SRCDIR}/masscan/tmp/main-ptrace.o ${SRCDIR}/masscan/tmp/main-readrange.o ${SRCDIR}/masscan/tmp/main-status.o ${SRCDIR}/masscan/tmp/main-throttle.o ${SRCDIR}/masscan/tmp/masscan-app.o ${SRCDIR}/masscan/tmp/massip-addr.o ${SRCDIR}/masscan/tmp/massip-parse.o ${SRCDIR}/masscan/tmp/massip-rangesv4.o ${SRCDIR}/masscan/tmp/massip-rangesv6.o ${SRCDIR}/masscan/tmp/massip.o ${SRCDIR}/masscan/tmp/misc-rstfilter.o ${SRCDIR}/masscan/tmp/out-binary.o ${SRCDIR}/masscan/tmp/out-certs.o ${SRCDIR}/masscan/tmp/out-grepable.o ${SRCDIR}/masscan/tmp/out-hostonly.o ${SRCDIR}/masscan/tmp/out-json.o ${SRCDIR}/masscan/tmp/out-ndjson.o ${SRCDIR}/masscan/tmp/out-null.o ${SRCDIR}/masscan/tmp/out-redis.o ${SRCDIR}/masscan/tmp/out-tcp-services.o ${SRCDIR}/masscan/tmp/out-text.o ${SRCDIR}/masscan/tmp/out-unicornscan.o ${SRCDIR}/masscan/tmp/out-xml.o ${SRCDIR}/masscan/tmp/output.o ${SRCDIR}/masscan/tmp/pixie-backtrace.o ${SRCDIR}/masscan/tmp/pixie-file.o ${SRCDIR}/masscan/tmp/pixie-threads.o ${SRCDIR}/masscan/tmp/pixie-timer.o ${SRCDIR}/masscan/tmp/proto-arp.o ${SRCDIR}/masscan/tmp/proto-banner1.o ${SRCDIR}/masscan/tmp/proto-banout.o ${SRCDIR}/masscan/tmp/proto-coap.o ${SRCDIR}/masscan/tmp/proto-dns.o ${SRCDIR}/masscan/tmp/proto-ftp.o ${SRCDIR}/masscan/tmp/proto-http.o ${SRCDIR}/masscan/tmp/proto-icmp.o ${SRCDIR}/masscan/tmp/proto-imap4.o ${SRCDIR}/masscan/tmp/proto-interactive.o ${SRCDIR}/masscan/tmp/proto-memcached.o ${SRCDIR}/masscan/tmp/proto-netbios.o ${SRCDIR}/masscan/tmp/proto-ntlmssp.o ${SRCDIR}/masscan/tmp/proto-ntp.o ${SRCDIR}/masscan/tmp/proto-oproto.o ${SRCDIR}/masscan/tmp/proto-pop3.o ${SRCDIR}/masscan/tmp/proto-preprocess.o ${SRCDIR}/masscan/tmp/proto-sctp.o ${SRCDIR}/masscan/tmp/proto-smb.o ${SRCDIR}/masscan/tmp/proto-smtp.o ${SRCDIR}/masscan/tmp/proto-snmp.o ${SRCDIR}/masscan/tmp/proto-ssh.o ${SRCDIR}/masscan/tmp/proto-ssl-test.o ${SRCDIR}/masscan/tmp/proto-ssl.o ${SRCDIR}/masscan/tmp/proto-tcp-rdp.o ${SRCDIR}/masscan/tmp/proto-tcp-telnet.o ${SRCDIR}/masscan/tmp/proto-tcp.o ${SRCDIR}/masscan/tmp/proto-udp.o ${SRCDIR}/masscan/tmp/proto-vnc.o ${SRCDIR}/masscan/tmp/proto-x509.o ${SRCDIR}/masscan/tmp/proto-zeroaccess.o ${SRCDIR}/masscan/tmp/rand-blackrock.o ${SRCDIR}/masscan/tmp/rand-lcg.o ${SRCDIR}/masscan/tmp/rand-primegen.o ${SRCDIR}/masscan/tmp/rawsock-getif.o ${SRCDIR}/masscan/tmp/rawsock-getip.o ${SRCDIR}/masscan/tmp/rawsock-getip6.o ${SRCDIR}/masscan/tmp/rawsock-getmac.o ${SRCDIR}/masscan/tmp/rawsock-getroute.o ${SRCDIR}/masscan/tmp/rawsock-pcapfile.o ${SRCDIR}/masscan/tmp/rawsock.o ${SRCDIR}/masscan/tmp/read-service-probes.o ${SRCDIR}/masscan/tmp/rte-ring.o ${SRCDIR}/masscan/tmp/scripting-banner.o ${SRCDIR}/masscan/tmp/scripting-masscan.o ${SRCDIR}/masscan/tmp/scripting.o ${SRCDIR}/masscan/tmp/siphash24.o ${SRCDIR}/masscan/tmp/smack1.o ${SRCDIR}/masscan/tmp/smackqueue.o ${SRCDIR}/masscan/tmp/stack-arpv4.o ${SRCDIR}/masscan/tmp/stack-if.o ${SRCDIR}/masscan/tmp/stack-ndpv6.o ${SRCDIR}/masscan/tmp/stack-queue.o ${SRCDIR}/masscan/tmp/stack-src.o ${SRCDIR}/masscan/tmp/string_s.o ${SRCDIR}/masscan/tmp/stub-lua.o ${SRCDIR}/masscan/tmp/stub-pcap.o ${SRCDIR}/masscan/tmp/stub-pfring.o ${SRCDIR}/masscan/tmp/syn-cookie.o ${SRCDIR}/masscan/tmp/templ-payloads.o ${SRCDIR}/masscan/tmp/templ-pkt.o ${SRCDIR}/masscan/tmp/util-checksum.o ${SRCDIR}/masscan/tmp/util-malloc.o ${SRCDIR}/masscan/tmp/versioning.o ${SRCDIR}/masscan/tmp/vulncheck-heartbleed.o ${SRCDIR}/masscan/tmp/vulncheck-ntp-monlist.o ${SRCDIR}/masscan/tmp/vulncheck-sslv3.o ${SRCDIR}/masscan/tmp/vulncheck.o ${SRCDIR}/masscan/tmp/xring.o 5 | ///* 6 | // 7 | // main 8 | // 9 | // This includes: 10 | // 11 | // * main() 12 | // * transmit_thread() - transmits probe packets 13 | // * receive_thread() - receives response packets 14 | // 15 | // You'll be wanting to study the transmit/receive threads, because that's 16 | // where all the action is. 17 | // 18 | // This is the lynch-pin of the entire program, so it includes a heckuva lot 19 | // of headers, and the functions have a lot of local variables. I'm trying 20 | // to make this file relative "flat" this way so that everything is visible. 21 | //*/ 22 | //#include "masscan.h" 23 | //#include "masscan-version.h" 24 | //#include "masscan-status.h" /* open or closed */ 25 | //#include "rand-blackrock.h" /* the BlackRock shuffling func */ 26 | //#include "rand-lcg.h" /* the LCG randomization func */ 27 | //#include "templ-pkt.h" /* packet template, that we use to send */ 28 | //#include "rawsock.h" /* api on top of Linux, Windows, Mac OS X*/ 29 | //#include "logger.h" /* adjust with -v command-line opt */ 30 | //#include "main-status.h" /* printf() regular status updates */ 31 | //#include "main-throttle.h" /* rate limit */ 32 | //#include "main-dedup.h" /* ignore duplicate responses */ 33 | //#include "main-ptrace.h" /* for nmap --packet-trace feature */ 34 | //#include "proto-arp.h" /* for responding to ARP requests */ 35 | //#include "stack-ndpv6.h" /* IPv6 Neighbor Discovery Protocol */ 36 | //#include "stack-arpv4.h" /* Handle ARP resolution and requests */ 37 | //#include "rawsock-adapter.h" 38 | //#include "proto-banner1.h" /* for snatching banners from systems */ 39 | //#include "proto-tcp.h" /* for TCP/IP connection table */ 40 | //#include "proto-preprocess.h" /* quick parse of packets */ 41 | //#include "proto-icmp.h" /* handle ICMP responses */ 42 | //#include "proto-udp.h" /* handle UDP responses */ 43 | //#include "syn-cookie.h" /* for SYN-cookies on send */ 44 | //#include "output.h" /* for outputing results */ 45 | //#include "rte-ring.h" /* producer/consumer ring buffer */ 46 | //#include "rawsock-pcapfile.h" /* for saving pcap files w/ raw packets */ 47 | //#include "stub-pcap.h" /* dynamically load libpcap library */ 48 | //#include "smack.h" /* Aho-corasick state-machine pattern-matcher */ 49 | //#include "pixie-timer.h" /* portable time functions */ 50 | //#include "pixie-threads.h" /* portable threads */ 51 | //#include "templ-payloads.h" /* UDP packet payloads */ 52 | //#include "proto-snmp.h" /* parse SNMP responses */ 53 | //#include "proto-ntp.h" /* parse NTP responses */ 54 | //#include "proto-coap.h" /* CoAP selftest */ 55 | //#include "in-binary.h" /* convert binary output to XML/JSON */ 56 | //#include "main-globals.h" /* all the global variables in the program */ 57 | //#include "proto-zeroaccess.h" 58 | //#include "siphash24.h" 59 | //#include "proto-x509.h" 60 | //#include "crypto-base64.h" /* base64 encode/decode */ 61 | //#include "pixie-backtrace.h" 62 | //#include "proto-sctp.h" 63 | //#include "proto-oproto.h" /* Other protocols on top of IP */ 64 | //#include "vulncheck.h" /* checking vulns like monlist, poodle, heartblee */ 65 | //#include "main-readrange.h" 66 | //#include "scripting.h" 67 | //#include "read-service-probes.h" 68 | //#include "misc-rstfilter.h" 69 | //#include "util-malloc.h" 70 | //#include "util-checksum.h" 71 | //#include "massip-parse.h" 72 | //#include "massip-port.h" 73 | // 74 | //#include 75 | //#include 76 | //#include 77 | //#include 78 | //#include 79 | //#include 80 | //#include 81 | // 82 | //#if defined(WIN32) 83 | //#include 84 | //#if defined(_MSC_VER) 85 | //#pragma comment(lib, "Ws2_32.lib") 86 | //#endif 87 | //#else 88 | //#include 89 | //#include 90 | //#include 91 | //#endif 92 | // 93 | ///* 94 | // * yea I know globals suck 95 | // */ 96 | //unsigned volatile is_tx_done = 0; 97 | //unsigned volatile is_rx_done = 0; 98 | //time_t global_now; 99 | // 100 | //uint64_t usec_start; 101 | // 102 | // 103 | ///*************************************************************************** 104 | // * We create a pair of transmit/receive threads for each network adapter. 105 | // * This structure contains the parameters we send to each pair. 106 | // ***************************************************************************/ 107 | //struct ThreadPair { 108 | // /** This points to the central configuration. Note that it's 'const', 109 | // * meaning that the thread cannot change the contents. That'd be 110 | // * unsafe */ 111 | // const struct Masscan *masscan; 112 | // 113 | // /** The adapter used by the thread-pair. Normally, thread-pairs have 114 | // * their own network adapter, especially when doing PF_RING 115 | // * clustering. */ 116 | // struct Adapter *adapter; 117 | // 118 | // struct stack_t *stack; 119 | // 120 | // /** 121 | // * The index of the network adapter that we are using for this 122 | // * thread-pair. This is an index into the "masscan->nic[]" 123 | // * array. 124 | // * 125 | // * NOTE: this is also the "thread-id", because we create one 126 | // * transmit/receive thread pair per NIC. 127 | // */ 128 | // unsigned nic_index; 129 | // 130 | // /** 131 | // * A copy of the master 'index' variable. This is just advisory for 132 | // * other threads, to tell them how far we've gotten. 133 | // */ 134 | // volatile uint64_t my_index; 135 | // 136 | // 137 | // /* This is used both by the transmit and receive thread for 138 | // * formatting packets */ 139 | // struct TemplateSet tmplset[1]; 140 | // 141 | // /** 142 | // * The current IP address we are using for transmit/receive. 143 | // */ 144 | // struct stack_src_t _src_; 145 | // 146 | // macaddress_t source_mac; 147 | // macaddress_t router_mac_ipv4; 148 | // macaddress_t router_mac_ipv6; 149 | // 150 | // unsigned done_transmitting; 151 | // unsigned done_receiving; 152 | // 153 | // double pt_start; 154 | // 155 | // struct Throttler throttler[1]; 156 | // 157 | // uint64_t *total_synacks; 158 | // uint64_t *total_tcbs; 159 | // uint64_t *total_syns; 160 | // 161 | // size_t thread_handle_xmit; 162 | // size_t thread_handle_recv; 163 | //}; 164 | // 165 | // 166 | // 167 | ///*************************************************************************** 168 | // * We support a range of source IP/port. This function converts that 169 | // * range into useful variables we can use to pick things form that range. 170 | // ***************************************************************************/ 171 | //static void 172 | //adapter_get_source_addresses(const struct Masscan *masscan, 173 | // unsigned nic_index, 174 | // unsigned *src_ipv4, 175 | // unsigned *src_ipv4_mask, 176 | // unsigned *src_port, 177 | // unsigned *src_port_mask, 178 | // ipv6address *src_ipv6, 179 | // ipv6address *src_ipv6_mask) 180 | //{ 181 | // const struct stack_src_t *src = &masscan->nic[nic_index].src; 182 | // static ipv6address mask = {~0ULL, ~0ULL}; 183 | // 184 | // *src_ipv4 = src->ipv4.first; 185 | // *src_ipv4_mask = src->ipv4.last - src->ipv4.first; 186 | // 187 | // *src_port = src->port.first; 188 | // *src_port_mask = src->port.last - src->port.first; 189 | // 190 | // *src_ipv6 = src->ipv6.first; 191 | // 192 | // /* TODO: currently supports only a single address. This needs to 193 | // * be fixed to support a list of addresses */ 194 | // *src_ipv6_mask = mask; 195 | //} 196 | // 197 | ///*************************************************************************** 198 | // * This thread spews packets as fast as it can 199 | // * 200 | // * THIS IS WHERE ALL THE EXCITEMENT HAPPENS!!!! 201 | // * 90% of CPU cycles are in the function. 202 | // * 203 | // ***************************************************************************/ 204 | //static void 205 | //transmit_thread(void *v) /*aka. scanning_thread() */ 206 | //{ 207 | // struct ThreadPair *parms = (struct ThreadPair *)v; 208 | // uint64_t i; 209 | // uint64_t start; 210 | // uint64_t end; 211 | // const struct Masscan *masscan = parms->masscan; 212 | // uint64_t retries = masscan->retries; 213 | // uint64_t rate = (uint64_t)masscan->max_rate; 214 | // unsigned r = (unsigned)retries + 1; 215 | // uint64_t range; 216 | // uint64_t range_ipv6; 217 | // struct BlackRock blackrock; 218 | // uint64_t count_ipv4 = rangelist_count(&masscan->targets.ipv4); 219 | // uint64_t count_ipv6 = range6list_count(&masscan->targets.ipv6).lo; 220 | // struct Throttler *throttler = parms->throttler; 221 | // struct TemplateSet pkt_template = templ_copy(parms->tmplset); 222 | // struct Adapter *adapter = parms->adapter; 223 | // uint64_t packets_sent = 0; 224 | // unsigned increment = (masscan->shard.of-1) + masscan->nic_count; 225 | // unsigned src_ipv4; 226 | // unsigned src_ipv4_mask; 227 | // unsigned src_port; 228 | // unsigned src_port_mask; 229 | // ipv6address src_ipv6; 230 | // ipv6address src_ipv6_mask; 231 | // uint64_t seed = masscan->seed; 232 | // uint64_t repeats = 0; /* --infinite repeats */ 233 | // uint64_t *status_syn_count; 234 | // uint64_t entropy = masscan->seed; 235 | // 236 | // LOG(1, "[+] starting transmit thread #%u\n", parms->nic_index); 237 | // 238 | // /* export a pointer to this variable outside this threads so 239 | // * that the 'status' system can print the rate of syns we are 240 | // * sending */ 241 | // status_syn_count = MALLOC(sizeof(uint64_t)); 242 | // *status_syn_count = 0; 243 | // parms->total_syns = status_syn_count; 244 | // 245 | // 246 | // /* Normally, we have just one source address. In special cases, though 247 | // * we can have multiple. */ 248 | // adapter_get_source_addresses(masscan, parms->nic_index, 249 | // &src_ipv4, &src_ipv4_mask, 250 | // &src_port, &src_port_mask, 251 | // &src_ipv6, &src_ipv6_mask); 252 | // 253 | // 254 | // /* "THROTTLER" rate-limits how fast we transmit, set with the 255 | // * --max-rate parameter */ 256 | // throttler_start(throttler, masscan->max_rate/masscan->nic_count); 257 | // 258 | //infinite: 259 | // 260 | // /* Create the shuffler/randomizer. This creates the 'range' variable, 261 | // * which is simply the number of IP addresses times the number of 262 | // * ports. 263 | // * IPv6: low index will pick addresses from the IPv6 ranges, and high 264 | // * indexes will pick addresses from the IPv4 ranges. */ 265 | // range = count_ipv4 * rangelist_count(&masscan->targets.ports) 266 | // + count_ipv6 * rangelist_count(&masscan->targets.ports); 267 | // range_ipv6 = count_ipv6 * rangelist_count(&masscan->targets.ports); 268 | // blackrock_init(&blackrock, range, seed, masscan->blackrock_rounds); 269 | // 270 | // /* Calculate the 'start' and 'end' of a scan. One reason to do this is 271 | // * to support --shard, so that multiple machines can co-operate on 272 | // * the same scan. Another reason to do this is so that we can bleed 273 | // * a little bit past the end when we have --retries. Yet another 274 | // * thing to do here is deal with multiple network adapters, which 275 | // * is essentially the same logic as shards. */ 276 | // start = masscan->resume.index + (masscan->shard.one-1) + parms->nic_index; 277 | // end = range; 278 | // if (masscan->resume.count && end > start + masscan->resume.count) 279 | // end = start + masscan->resume.count; 280 | // end += retries * range; 281 | // 282 | // 283 | // /* ----------------- 284 | // * the main loop 285 | // * -----------------*/ 286 | // LOG(3, "THREAD: xmit: starting main loop: [%llu..%llu]\n", start, end); 287 | // for (i=start; istack, adapter, 306 | // &packets_sent, &batch_size); 307 | // 308 | // 309 | // /* 310 | // * Transmit a bunch of packets. At any rate slower than 100,000 311 | // * packets/second, the 'batch_size' is likely to be 1. At higher 312 | // * rates, we can't afford to throttle on a per-packet basis and 313 | // * instead throttle on a per-batch basis. In other words, throttle 314 | // * based on 2-at-a-time, 3-at-time, and so on, with the batch 315 | // * size increasing as the packet rate increases. This gives us 316 | // * very precise packet-timing for low rates below 100,000 pps, 317 | // * while not incurring the overhead for high packet rates. 318 | // */ 319 | // while (batch_size && i < end) { 320 | // uint64_t xXx; 321 | // uint64_t cookie; 322 | // 323 | // 324 | // 325 | // /* 326 | // * RANDOMIZE THE TARGET: 327 | // * This is kinda a tricky bit that picks a random IP and port 328 | // * number in order to scan. We monotonically increment the 329 | // * index 'i' from [0..range]. We then shuffle (randomly transmog) 330 | // * that index into some other, but unique/1-to-1, number in the 331 | // * same range. That way we visit all targets, but in a random 332 | // * order. Then, once we've shuffled the index, we "pick" the 333 | // * IP address and port that the index refers to. 334 | // */ 335 | // xXx = (i + (r--) * rate); 336 | // if (rate > range) 337 | // xXx %= range; 338 | // else 339 | // while (xXx >= range) 340 | // xXx -= range; 341 | // xXx = blackrock_shuffle(&blackrock, xXx); 342 | // 343 | // if (xXx < range_ipv6) { 344 | // ipv6address ip_them; 345 | // unsigned port_them; 346 | // ipv6address ip_me; 347 | // unsigned port_me; 348 | // 349 | // ip_them = range6list_pick(&masscan->targets.ipv6, xXx % count_ipv6); 350 | // port_them = rangelist_pick(&masscan->targets.ports, xXx / count_ipv6); 351 | // 352 | // ip_me = src_ipv6; 353 | // port_me = src_port; 354 | // 355 | // cookie = syn_cookie_ipv6(ip_them, port_them, ip_me, port_me, entropy); 356 | // 357 | // rawsock_send_probe_ipv6( 358 | // adapter, 359 | // ip_them, port_them, 360 | // ip_me, port_me, 361 | // (unsigned)cookie, 362 | // !batch_size, /* flush queue on last packet in batch */ 363 | // &pkt_template 364 | // ); 365 | // 366 | // /* Our index selects an IPv6 target */ 367 | // } else { 368 | // /* Our index selects an IPv4 target. In other words, low numbers 369 | // * index into the IPv6 ranges, and high numbers index into the 370 | // * IPv4 ranges. */ 371 | // ipv4address ip_them; 372 | // ipv4address port_them; 373 | // unsigned ip_me; 374 | // unsigned port_me; 375 | // 376 | // xXx -= range_ipv6; 377 | // 378 | // ip_them = rangelist_pick(&masscan->targets.ipv4, xXx % count_ipv4); 379 | // port_them = rangelist_pick(&masscan->targets.ports, xXx / count_ipv4); 380 | // 381 | // /* 382 | // * SYN-COOKIE LOGIC 383 | // * Figure out the source IP/port, and the SYN cookie 384 | // */ 385 | // if (src_ipv4_mask > 1 || src_port_mask > 1) { 386 | // uint64_t ck = syn_cookie_ipv4((unsigned)(i+repeats), 387 | // (unsigned)((i+repeats)>>32), 388 | // (unsigned)xXx, (unsigned)(xXx>>32), 389 | // entropy); 390 | // port_me = src_port + (ck & src_port_mask); 391 | // ip_me = src_ipv4 + ((ck>>16) & src_ipv4_mask); 392 | // } else { 393 | // ip_me = src_ipv4; 394 | // port_me = src_port; 395 | // } 396 | // cookie = syn_cookie_ipv4(ip_them, port_them, ip_me, port_me, entropy); 397 | // 398 | // /* 399 | // * SEND THE PROBE 400 | // * This is sorta the entire point of the program, but little 401 | // * exciting happens here. The thing to note that this may 402 | // * be a "raw" transmit that bypasses the kernel, meaning 403 | // * we can call this function millions of times a second. 404 | // */ 405 | // rawsock_send_probe_ipv4( 406 | // adapter, 407 | // ip_them, port_them, 408 | // ip_me, port_me, 409 | // (unsigned)cookie, 410 | // !batch_size, /* flush queue on last packet in batch */ 411 | // &pkt_template 412 | // ); 413 | // } 414 | // 415 | // batch_size--; 416 | // packets_sent++; 417 | // (*status_syn_count)++; 418 | // 419 | // /* 420 | // * SEQUENTIALLY INCREMENT THROUGH THE RANGE 421 | // * Yea, I know this is a puny 'i++' here, but it's a core feature 422 | // * of the system that is linearly increments through the range, 423 | // * but produces from that a shuffled sequence of targets (as 424 | // * described above). Because we are linearly incrementing this 425 | // * number, we can do lots of creative stuff, like doing clever 426 | // * retransmits and sharding. 427 | // */ 428 | // if (r == 0) { 429 | // i += increment; /* <------ increment by 1 normally, more with shards/nics */ 430 | // r = (unsigned)retries + 1; 431 | // } 432 | // 433 | // } /* end of batch */ 434 | // 435 | // 436 | // /* save our current location for resuming, if the user pressed 437 | // * to exit early */ 438 | // parms->my_index = i; 439 | // 440 | // /* If the user pressed , then we need to exit. but, in case 441 | // * the user wants to --resume the scan later, we save the current 442 | // * state in a file */ 443 | // if (is_tx_done) { 444 | // break; 445 | // } 446 | // } 447 | // 448 | // /* 449 | // * --infinite 450 | // * For load testing, go around and do this again 451 | // */ 452 | // if (masscan->is_infinite && !is_tx_done) { 453 | // seed++; 454 | // repeats++; 455 | // goto infinite; 456 | // } 457 | // 458 | // /* 459 | // * Flush any untransmitted packets. High-speed mechanisms like Windows 460 | // * "sendq" and Linux's "PF_RING" queue packets and transmit many together, 461 | // * so there may be some packets that we've queueud but not yet transmitted. 462 | // * This call makes sure they are transmitted. 463 | // */ 464 | // rawsock_flush(adapter); 465 | // 466 | // /* 467 | // * Wait until the receive thread realizes the scan is over 468 | // */ 469 | // LOG(1, "[+] transmit thread #%u complete\n", parms->nic_index); 470 | // 471 | // /* 472 | // * We are done transmitting. However, response packets will take several 473 | // * seconds to arrive. Therefore, sit in short loop waiting for those 474 | // * packets to arrive. Pressing a second time will exit this 475 | // * prematurely. 476 | // */ 477 | // while (!is_rx_done) { 478 | // unsigned k; 479 | // uint64_t batch_size; 480 | // 481 | // for (k=0; k<1000; k++) { 482 | // 483 | // /* 484 | // * Only send a few packets at a time, throttled according to the max 485 | // * --max-rate set by the user 486 | // */ 487 | // batch_size = throttler_next_batch(throttler, packets_sent); 488 | // 489 | // 490 | // /* Transmit packets from the receive thread */ 491 | // stack_flush_packets( parms->stack, adapter, 492 | // &packets_sent, 493 | // &batch_size); 494 | // 495 | // /* Make sure they've actually been transmitted, not just queued up for 496 | // * transmit */ 497 | // rawsock_flush(adapter); 498 | // 499 | // pixie_usleep(100); 500 | // } 501 | // } 502 | // 503 | // /* Thread is about to exit */ 504 | // parms->done_transmitting = 1; 505 | // LOG(1, "[+] exiting transmit thread #%u \n", parms->nic_index); 506 | //} 507 | // 508 | // 509 | ///*************************************************************************** 510 | // ***************************************************************************/ 511 | //static unsigned 512 | //is_nic_port(const struct Masscan *masscan, unsigned ip) 513 | //{ 514 | // unsigned i; 515 | // for (i=0; inic_count; i++) 516 | // if (is_my_port(&masscan->nic[i].src, ip)) 517 | // return 1; 518 | // return 0; 519 | //} 520 | // 521 | //static unsigned 522 | //is_ipv6_multicast(ipaddress ip_me) 523 | //{ 524 | // /* If this is an IPv6 multicast packe, one sent to the IPv6 525 | // * address with a prefix of FF02::/16 */ 526 | // return ip_me.version == 6 && (ip_me.ipv6.hi>>48ULL) == 0xFF02; 527 | //} 528 | // 529 | // 530 | ///*************************************************************************** 531 | // * 532 | // * Asynchronous receive thread 533 | // * 534 | // * The transmit and receive threads run independently of each other. There 535 | // * is no record what was transmitted. Instead, the transmit thread sets a 536 | // * "SYN-cookie" in transmitted packets, which the receive thread will then 537 | // * use to match up requests with responses. 538 | // ***************************************************************************/ 539 | //static void 540 | //receive_thread(void *v) 541 | //{ 542 | // struct ThreadPair *parms = (struct ThreadPair *)v; 543 | // const struct Masscan *masscan = parms->masscan; 544 | // struct Adapter *adapter = parms->adapter; 545 | // int data_link = stack_if_datalink(adapter); 546 | // struct Output *out; 547 | // struct DedupTable *dedup; 548 | // struct PcapFile *pcapfile = NULL; 549 | // struct TCP_ConnectionTable *tcpcon = 0; 550 | // uint64_t *status_synack_count; 551 | // uint64_t *status_tcb_count; 552 | // uint64_t entropy = masscan->seed; 553 | // struct ResetFilter *rf; 554 | // struct stack_t *stack = parms->stack; 555 | // 556 | // 557 | // 558 | // /* For reducing RST responses, see rstfilter_is_filter() below */ 559 | // rf = rstfilter_create(entropy, 16384); 560 | // 561 | // /* some status variables */ 562 | // status_synack_count = MALLOC(sizeof(uint64_t)); 563 | // *status_synack_count = 0; 564 | // parms->total_synacks = status_synack_count; 565 | // 566 | // status_tcb_count = MALLOC(sizeof(uint64_t)); 567 | // *status_tcb_count = 0; 568 | // parms->total_tcbs = status_tcb_count; 569 | // 570 | // LOG(1, "[+] starting receive thread #%u\n", parms->nic_index); 571 | // 572 | // /* Lock this thread to a CPU. Transmit threads are on even CPUs, 573 | // * receive threads on odd CPUs */ 574 | // if (pixie_cpu_get_count() > 1) { 575 | // unsigned cpu_count = pixie_cpu_get_count(); 576 | // unsigned cpu = parms->nic_index * 2 + 1; 577 | // while (cpu >= cpu_count) { 578 | // cpu -= cpu_count; 579 | // cpu++; 580 | // } 581 | // //TODO: 582 | // //pixie_cpu_set_affinity(cpu); 583 | // } 584 | // 585 | // /* 586 | // * If configured, open a --pcap file for saving raw packets. This is 587 | // * so that we can debug scans, but also so that we can look at the 588 | // * strange things people send us. Note that we don't record transmitted 589 | // * packets, just the packets we've received. 590 | // */ 591 | // if (masscan->pcap_filename[0]) { 592 | // pcapfile = pcapfile_openwrite(masscan->pcap_filename, 1); 593 | // } 594 | // 595 | // /* 596 | // * Open output. This is where results are reported when saving 597 | // * the --output-format to the --output-filename 598 | // */ 599 | // out = output_create(masscan, parms->nic_index); 600 | // 601 | // /* 602 | // * Create deduplication table. This is so when somebody sends us 603 | // * multiple responses, we only record the first one. 604 | // */ 605 | // dedup = dedup_create(); 606 | // 607 | // /* 608 | // * Create a TCP connection table (per thread pair) for interacting with live 609 | // * connections when doing --banners 610 | // */ 611 | // if (masscan->is_banners) { 612 | // struct TcpCfgPayloads *pay; 613 | // size_t i; 614 | // 615 | // /* 616 | // * Create TCP connection table 617 | // */ 618 | // tcpcon = tcpcon_create_table( 619 | // (size_t)((masscan->max_rate/5) / masscan->nic_count), 620 | // parms->stack, 621 | // &parms->tmplset->pkts[Proto_TCP], 622 | // output_report_banner, 623 | // out, 624 | // masscan->tcb.timeout, 625 | // masscan->seed 626 | // ); 627 | // 628 | // /* 629 | // * Initialize TCP scripting 630 | // */ 631 | // scripting_init_tcp(tcpcon, masscan->scripting.L); 632 | // 633 | // 634 | // /* 635 | // * Set some flags [kludge] 636 | // */ 637 | // tcpcon_set_banner_flags(tcpcon, 638 | // masscan->is_capture_cert, 639 | // masscan->is_capture_servername, 640 | // masscan->is_capture_html, 641 | // masscan->is_capture_heartbleed, 642 | // masscan->is_capture_ticketbleed); 643 | // if (masscan->is_hello_smbv1) 644 | // tcpcon_set_parameter(tcpcon, "hello", 1, "smbv1"); 645 | // if (masscan->is_hello_http) 646 | // tcpcon_set_parameter(tcpcon, "hello", 1, "http"); 647 | // if (masscan->is_hello_ssl) 648 | // tcpcon_set_parameter(tcpcon, "hello", 1, "ssl"); 649 | // if (masscan->is_heartbleed) 650 | // tcpcon_set_parameter(tcpcon, "heartbleed", 1, "1"); 651 | // if (masscan->is_ticketbleed) 652 | // tcpcon_set_parameter(tcpcon, "ticketbleed", 1, "1"); 653 | // if (masscan->is_poodle_sslv3) 654 | // tcpcon_set_parameter(tcpcon, "sslv3", 1, "1"); 655 | // 656 | // if (masscan->http.payload) 657 | // tcpcon_set_parameter( tcpcon, 658 | // "http-payload", 659 | // masscan->http.payload_length, 660 | // masscan->http.payload); 661 | // if (masscan->http.user_agent) 662 | // tcpcon_set_parameter( tcpcon, 663 | // "http-user-agent", 664 | // masscan->http.user_agent_length, 665 | // masscan->http.user_agent); 666 | // if (masscan->http.host) 667 | // tcpcon_set_parameter( tcpcon, 668 | // "http-host", 669 | // masscan->http.host_length, 670 | // masscan->http.host); 671 | // if (masscan->http.method) 672 | // tcpcon_set_parameter( tcpcon, 673 | // "http-method", 674 | // masscan->http.method_length, 675 | // masscan->http.method); 676 | // if (masscan->http.url) 677 | // tcpcon_set_parameter( tcpcon, 678 | // "http-url", 679 | // masscan->http.url_length, 680 | // masscan->http.url); 681 | // if (masscan->http.version) 682 | // tcpcon_set_parameter( tcpcon, 683 | // "http-version", 684 | // masscan->http.version_length, 685 | // masscan->http.version); 686 | // 687 | // 688 | // if (masscan->tcp_connection_timeout) { 689 | // char foo[64]; 690 | // sprintf_s(foo, sizeof(foo), "%u", masscan->tcp_connection_timeout); 691 | // tcpcon_set_parameter( tcpcon, 692 | // "timeout", 693 | // strlen(foo), 694 | // foo); 695 | // } 696 | // if (masscan->tcp_hello_timeout) { 697 | // char foo[64]; 698 | // sprintf_s(foo, sizeof(foo), "%u", masscan->tcp_connection_timeout); 699 | // tcpcon_set_parameter( tcpcon, 700 | // "hello-timeout", 701 | // strlen(foo), 702 | // foo); 703 | // } 704 | // 705 | // for (i=0; ihttp.headers_count; i++) { 706 | // tcpcon_set_http_header(tcpcon, 707 | // masscan->http.headers[i].name, 708 | // masscan->http.headers[i].value_length, 709 | // masscan->http.headers[i].value, 710 | // http_field_replace); 711 | // } 712 | // for (i=0; ihttp.cookies_count; i++) { 713 | // tcpcon_set_http_header(tcpcon, 714 | // "Cookie", 715 | // masscan->http.cookies[i].value_length, 716 | // masscan->http.cookies[i].value, 717 | // http_field_add); 718 | // } 719 | // for (i=0; ihttp.remove_count; i++) { 720 | // tcpcon_set_http_header(tcpcon, 721 | // masscan->http.headers[i].name, 722 | // 0, 723 | // 0, 724 | // http_field_remove); 725 | // } 726 | // 727 | // for (pay = masscan->payloads.tcp; pay; pay = pay->next) { 728 | // char name[64]; 729 | // sprintf_s(name, sizeof(name), "hello-string[%u]", pay->port); 730 | // tcpcon_set_parameter( tcpcon, 731 | // name, 732 | // strlen(pay->payload_base64), 733 | // pay->payload_base64); 734 | // } 735 | // 736 | // } 737 | // 738 | // /* 739 | // * In "offline" mode, we don't have any receive threads, so simply 740 | // * wait until transmitter thread is done then go to the end 741 | // */ 742 | // if (masscan->is_offline) { 743 | // while (!is_rx_done) 744 | // pixie_usleep(10000); 745 | // parms->done_receiving = 1; 746 | // goto end; 747 | // } 748 | // 749 | // /* 750 | // * Receive packets. This is where we catch any responses and print 751 | // * them to the terminal. 752 | // */ 753 | // LOG(2, "[+] THREAD: recv: starting main loop\n"); 754 | // while (!is_rx_done) { 755 | // int status; 756 | // unsigned length; 757 | // unsigned secs; 758 | // unsigned usecs; 759 | // const unsigned char *px; 760 | // int err; 761 | // unsigned x; 762 | // struct PreprocessedInfo parsed; 763 | // ipaddress ip_me; 764 | // unsigned port_me; 765 | // ipaddress ip_them; 766 | // unsigned port_them; 767 | // unsigned seqno_me; 768 | // unsigned seqno_them; 769 | // unsigned cookie; 770 | // unsigned Q = 0; 771 | // 772 | // /* 773 | // * RECEIVE 774 | // * 775 | // * This is the boring part of actually receiving a packet 776 | // */ 777 | // err = rawsock_recv_packet( 778 | // adapter, 779 | // &length, 780 | // &secs, 781 | // &usecs, 782 | // &px); 783 | // if (err != 0) { 784 | // if (tcpcon) 785 | // tcpcon_timeouts(tcpcon, (unsigned)time(0), 0); 786 | // continue; 787 | // } 788 | // 789 | // 790 | // /* 791 | // * Do any TCP event timeouts based on the current timestamp from 792 | // * the packet. For example, if the connection has been open for 793 | // * around 10 seconds, we'll close the connection. (--banners) 794 | // */ 795 | // if (tcpcon) { 796 | // tcpcon_timeouts(tcpcon, secs, usecs); 797 | // } 798 | // 799 | // if (length > 1514) 800 | // continue; 801 | // 802 | // /* 803 | // * "Preprocess" the response packet. This means to go through and 804 | // * figure out where the TCP/IP headers are and the locations of 805 | // * some fields, like IP address and port numbers. 806 | // */ 807 | // x = preprocess_frame(px, length, data_link, &parsed); 808 | // if (!x) 809 | // continue; /* corrupt packet */ 810 | // ip_me = parsed.dst_ip; 811 | // ip_them = parsed.src_ip; 812 | // port_me = parsed.port_dst; 813 | // port_them = parsed.port_src; 814 | // seqno_them = TCP_SEQNO(px, parsed.transport_offset); 815 | // seqno_me = TCP_ACKNO(px, parsed.transport_offset); 816 | // 817 | // assert(ip_me.version != 0); 818 | // assert(ip_them.version != 0); 819 | // 820 | // switch (parsed.ip_protocol) { 821 | // case 132: /* SCTP */ 822 | // cookie = syn_cookie(ip_them, port_them | (Proto_SCTP<<16), ip_me, port_me, entropy) & 0xFFFFFFFF; 823 | // break; 824 | // default: 825 | // cookie = syn_cookie(ip_them, port_them, ip_me, port_me, entropy) & 0xFFFFFFFF; 826 | // } 827 | // 828 | // /* verify: my IP address */ 829 | // if (!is_my_ip(stack->src, ip_me)) { 830 | // /* NDP Neighbor Solicitations don't come to our IP address, but to 831 | // * a multicast address */ 832 | // if (is_ipv6_multicast(ip_me)) { 833 | // if (parsed.found == FOUND_NDPv6 && parsed.opcode == 135) { 834 | // stack_ndpv6_incoming_request(stack, &parsed, px, length); 835 | // } 836 | // } 837 | // continue; 838 | // } 839 | // 840 | // /* 841 | // * Handle non-TCP protocols 842 | // */ 843 | // switch (parsed.found) { 844 | // case FOUND_NDPv6: 845 | // switch (parsed.opcode) { 846 | // case 133: /* Router Solicitation */ 847 | // /* Ignore router solicitations, since we aren't a router */ 848 | // continue; 849 | // case 134: /* Router advertisement */ 850 | // /* TODO: We need to process router advertisements while scanning 851 | // * so that we can print warning messages if router information 852 | // * changes while scanning. */ 853 | // continue; 854 | // case 135: /* Neighbor Solicitation */ 855 | // /* When responses come back from our scans, the router will send us 856 | // * these packets. We need to respond to them, so that the router 857 | // * can then forward the packets to us. If we don't respond, we'll 858 | // * get no responses. */ 859 | // stack_ndpv6_incoming_request(stack, &parsed, px, length); 860 | // continue; 861 | // case 136: /* Neighbor Advertisment */ 862 | // /* TODO: If doing an --ndpscan, the scanner subsystem needs to deal 863 | // * with these */ 864 | // continue; 865 | // case 137: /* Redirect */ 866 | // /* We ignore these, since we really don't have the capability to send 867 | // * packets to one router for some destinations and to another router 868 | // * for other destinations */ 869 | // continue; 870 | // default: 871 | // break; 872 | // } 873 | // continue; 874 | // case FOUND_ARP: 875 | // LOGip(2, ip_them, 0, "-> ARP [%u] \n", px[parsed.found_offset]); 876 | // 877 | // switch (parsed.opcode) { 878 | // case 1: /* request */ 879 | // /* This function will transmit a "reply" to somebody's ARP request 880 | // * for our IP address (as part of our user-mode TCP/IP). 881 | // * Since we completely bypass the TCP/IP stack, we have to handle ARPs 882 | // * ourself, or the router will lose track of us.*/ 883 | // stack_arp_incoming_request(stack, 884 | // ip_me.ipv4, 885 | // parms->source_mac, 886 | // px, length); 887 | // break; 888 | // case 2: /* response */ 889 | // /* This is for "arp scan" mode, where we are ARPing targets rather 890 | // * than port scanning them */ 891 | // 892 | // /* If we aren't doing an ARP scan, then ignore ARP responses */ 893 | // if (!masscan->scan_type.arp) 894 | // break; 895 | // 896 | // /* If this response isn't in our range, then ignore it */ 897 | // if (!rangelist_is_contains(&masscan->targets.ipv4, ip_them.ipv4)) 898 | // break; 899 | // 900 | // /* Ignore duplicates */ 901 | // if (dedup_is_duplicate(dedup, ip_them, 0, ip_me, 0)) 902 | // continue; 903 | // 904 | // /* ...everything good, so now report this response */ 905 | // arp_recv_response(out, secs, px, length, &parsed); 906 | // break; 907 | // } 908 | // continue; 909 | // case FOUND_UDP: 910 | // case FOUND_DNS: 911 | // if (!is_nic_port(masscan, port_me)) 912 | // continue; 913 | // if (parms->masscan->nmap.packet_trace) 914 | // packet_trace(stdout, parms->pt_start, px, length, 0); 915 | // handle_udp(out, secs, px, length, &parsed, entropy); 916 | // continue; 917 | // case FOUND_ICMP: 918 | // handle_icmp(out, secs, px, length, &parsed, entropy); 919 | // continue; 920 | // case FOUND_SCTP: 921 | // handle_sctp(out, secs, px, length, cookie, &parsed, entropy); 922 | // break; 923 | // case FOUND_OPROTO: /* other IP proto */ 924 | // handle_oproto(out, secs, px, length, &parsed, entropy); 925 | // break; 926 | // case FOUND_TCP: 927 | // /* fall down to below */ 928 | // break; 929 | // default: 930 | // continue; 931 | // } 932 | // 933 | // 934 | // /* verify: my port number */ 935 | // if (!is_my_port(stack->src, port_me)) 936 | // continue; 937 | // if (parms->masscan->nmap.packet_trace) 938 | // packet_trace(stdout, parms->pt_start, px, length, 0); 939 | // 940 | // Q = 0; 941 | // 942 | // /* Save raw packet in --pcap file */ 943 | // if (pcapfile) { 944 | // pcapfile_writeframe( 945 | // pcapfile, 946 | // px, 947 | // length, 948 | // length, 949 | // secs, 950 | // usecs); 951 | // } 952 | // 953 | // { 954 | // char buf[64]; 955 | // LOGip(5, ip_them, port_them, "-> TCP ackno=0x%08x flags=0x%02x(%s)\n", 956 | // seqno_me, 957 | // TCP_FLAGS(px, parsed.transport_offset), 958 | // reason_string(TCP_FLAGS(px, parsed.transport_offset), buf, sizeof(buf))); 959 | // } 960 | // 961 | // /* If recording --banners, create a new "TCP Control Block (TCB)" */ 962 | // if (tcpcon) { 963 | // struct TCP_Control_Block *tcb; 964 | // 965 | // /* does a TCB already exist for this connection? */ 966 | // tcb = tcb_lookup(tcpcon, 967 | // ip_me, ip_them, 968 | // port_me, port_them); 969 | // 970 | // if (TCP_IS_SYNACK(px, parsed.transport_offset)) { 971 | // if (cookie != seqno_me - 1) { 972 | // ipaddress_formatted_t fmt = ipaddress_fmt(ip_them); 973 | // LOG(2, "%s - bad cookie: ackno=0x%08x expected=0x%08x\n", 974 | // fmt.string, seqno_me-1, cookie); 975 | // continue; 976 | // } 977 | // 978 | // if (tcb == NULL) { 979 | // tcb = tcpcon_create_tcb(tcpcon, 980 | // ip_me, ip_them, 981 | // port_me, port_them, 982 | // seqno_me, seqno_them+1, 983 | // parsed.ip_ttl); 984 | // (*status_tcb_count)++; 985 | // 986 | // } 987 | // 988 | // Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_SYNACK, 989 | // 0, 0, secs, usecs, seqno_them+1); 990 | // 991 | // } else if (tcb) { 992 | // /* If this is an ACK, then handle that first */ 993 | // if (TCP_IS_ACK(px, parsed.transport_offset)) { 994 | // Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_ACK, 995 | // 0, seqno_me, secs, usecs, seqno_them); 996 | // } 997 | // 998 | // /* If this contains payload, handle that second */ 999 | // if (parsed.app_length) { 1000 | // Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_DATA, 1001 | // px + parsed.app_offset, parsed.app_length, 1002 | // secs, usecs, seqno_them); 1003 | // } 1004 | // 1005 | // /* If this is a FIN, handle that. Note that ACK + 1006 | // * payload + FIN can come together */ 1007 | // if (TCP_IS_FIN(px, parsed.transport_offset) 1008 | // && !TCP_IS_RST(px, parsed.transport_offset)) { 1009 | // Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_FIN, 1010 | // 0, parsed.app_length, secs, usecs, seqno_them); 1011 | // } 1012 | // 1013 | // /* If this is a RST, then we'll be closing the connection */ 1014 | // if (TCP_IS_RST(px, parsed.transport_offset)) { 1015 | // Q += stack_incoming_tcp(tcpcon, tcb, TCP_WHAT_RST, 1016 | // 0, 0, secs, usecs, seqno_them); 1017 | // } 1018 | // } else if (TCP_IS_FIN(px, parsed.transport_offset)) { 1019 | // ipaddress_formatted_t fmt; 1020 | // /* 1021 | // * NO TCB! 1022 | // * This happens when we've sent a FIN, deleted our connection, 1023 | // * but the other side didn't get the packet. 1024 | // */ 1025 | // fmt = ipaddress_fmt(ip_them); 1026 | // LOG(4, "%s: received FIN but no TCB\n", fmt.string); 1027 | // if (TCP_IS_RST(px, parsed.transport_offset)) 1028 | // ; /* ignore if it's own TCP flag is set */ 1029 | // else { 1030 | // int is_suppress; 1031 | // 1032 | // is_suppress = rstfilter_is_filter(rf, ip_me, port_me, ip_them, port_them); 1033 | // if (!is_suppress) 1034 | // tcpcon_send_RST( 1035 | // tcpcon, 1036 | // ip_me, ip_them, 1037 | // port_me, port_them, 1038 | // seqno_them, seqno_me); 1039 | // } 1040 | // } 1041 | // 1042 | // } 1043 | // 1044 | // if (Q == 0) 1045 | // ; //printf("\nerr\n"); 1046 | // 1047 | // if (TCP_IS_SYNACK(px, parsed.transport_offset) 1048 | // || TCP_IS_RST(px, parsed.transport_offset)) { 1049 | // 1050 | // /* figure out the status */ 1051 | // status = PortStatus_Unknown; 1052 | // if (TCP_IS_SYNACK(px, parsed.transport_offset)) 1053 | // status = PortStatus_Open; 1054 | // if (TCP_IS_RST(px, parsed.transport_offset)) { 1055 | // status = PortStatus_Closed; 1056 | // } 1057 | // 1058 | // /* verify: syn-cookies */ 1059 | // if (cookie != seqno_me - 1) { 1060 | // ipaddress_formatted_t fmt = ipaddress_fmt(ip_them); 1061 | // LOG(5, "%s - bad cookie: ackno=0x%08x expected=0x%08x\n", 1062 | // fmt.string, seqno_me-1, cookie); 1063 | // continue; 1064 | // } 1065 | // 1066 | // /* verify: ignore duplicates */ 1067 | // if (dedup_is_duplicate(dedup, ip_them, port_them, ip_me, port_me)) 1068 | // continue; 1069 | // 1070 | // /* keep statistics on number received */ 1071 | // if (TCP_IS_SYNACK(px, parsed.transport_offset)) 1072 | // (*status_synack_count)++; 1073 | // 1074 | // /* 1075 | // * This is where we do the output 1076 | // */ 1077 | // output_report_status( 1078 | // out, 1079 | // global_now, 1080 | // status, 1081 | // ip_them, 1082 | // 6, /* ip proto = tcp */ 1083 | // port_them, 1084 | // px[parsed.transport_offset + 13], /* tcp flags */ 1085 | // parsed.ip_ttl, 1086 | // parsed.mac_src 1087 | // ); 1088 | // 1089 | // 1090 | // /* 1091 | // * Send RST so other side isn't left hanging (only doing this in 1092 | // * complete stateless mode where we aren't tracking banners) 1093 | // */ 1094 | // if (tcpcon == NULL && !masscan->is_noreset) 1095 | // tcp_send_RST( 1096 | // &parms->tmplset->pkts[Proto_TCP], 1097 | // parms->stack, 1098 | // ip_them, ip_me, 1099 | // port_them, port_me, 1100 | // 0, seqno_me); 1101 | // 1102 | // } 1103 | // } 1104 | // 1105 | // 1106 | // LOG(1, "[+] exiting receive thread #%u \n", parms->nic_index); 1107 | // 1108 | // /* 1109 | // * cleanup 1110 | // */ 1111 | //end: 1112 | // if (tcpcon) 1113 | // tcpcon_destroy_table(tcpcon); 1114 | // dedup_destroy(dedup); 1115 | // output_destroy(out); 1116 | // if (pcapfile) 1117 | // pcapfile_close(pcapfile); 1118 | // 1119 | // /*TODO: free stack packet buffers */ 1120 | // 1121 | // /* Thread is about to exit */ 1122 | // parms->done_receiving = 1; 1123 | //} 1124 | // 1125 | // 1126 | ///*************************************************************************** 1127 | // * We trap the so that instead of exiting immediately, we sit in 1128 | // * a loop for a few seconds waiting for any late response. But, the user 1129 | // * can press a second time to exit that waiting. 1130 | // ***************************************************************************/ 1131 | //static void control_c_handler(int x) 1132 | //{ 1133 | // static unsigned control_c_pressed = 0; 1134 | // static unsigned control_c_pressed_again = 0; 1135 | // if (control_c_pressed == 0) { 1136 | // fprintf(stderr, 1137 | // "waiting several seconds to exit..." 1138 | // " \n" 1139 | // ); 1140 | // fflush(stderr); 1141 | // control_c_pressed = 1+x; 1142 | // is_tx_done = control_c_pressed; 1143 | // } else { 1144 | // if (is_rx_done) { 1145 | // fprintf(stderr, "\nERROR: threads not exiting %d\n", is_rx_done); 1146 | // if (is_rx_done++ > 1) 1147 | // exit(1); 1148 | // } else { 1149 | // control_c_pressed_again = 1; 1150 | // is_rx_done = control_c_pressed_again; 1151 | // } 1152 | // } 1153 | // 1154 | //} 1155 | // 1156 | // 1157 | // 1158 | // 1159 | ///*************************************************************************** 1160 | // * Called from main() to initiate the scan. 1161 | // * Launches the 'transmit_thread()' and 'receive_thread()' and waits for 1162 | // * them to exit. 1163 | // ***************************************************************************/ 1164 | //static int 1165 | //main_scan(struct Masscan *masscan) 1166 | //{ 1167 | // struct ThreadPair parms_array[8]; 1168 | // uint64_t count_ips; 1169 | // uint64_t count_ports; 1170 | // uint64_t range; 1171 | // unsigned index; 1172 | // time_t now = time(0); 1173 | // struct Status status; 1174 | // uint64_t min_index = UINT64_MAX; 1175 | // struct MassVulnCheck *vulncheck = NULL; 1176 | // struct stack_t *stack; 1177 | // 1178 | // memset(parms_array, 0, sizeof(parms_array)); 1179 | // 1180 | // /* 1181 | // * Vuln check initialization 1182 | // */ 1183 | // if (masscan->vuln_name) { 1184 | // unsigned i; 1185 | // unsigned is_error; 1186 | // vulncheck = vulncheck_lookup(masscan->vuln_name); 1187 | // 1188 | // /* If no ports specified on command-line, grab default ports */ 1189 | // is_error = 0; 1190 | // if (rangelist_count(&masscan->targets.ports) == 0) 1191 | // rangelist_parse_ports(&masscan->targets.ports, vulncheck->ports, &is_error, 0); 1192 | // 1193 | // /* Kludge: change normal port range to vulncheck range */ 1194 | // for (i=0; itargets.ports.count; i++) { 1195 | // struct Range *r = &masscan->targets.ports.list[i]; 1196 | // r->begin = (r->begin&0xFFFF) | Templ_VulnCheck; 1197 | // r->end = (r->end & 0xFFFF) | Templ_VulnCheck; 1198 | // } 1199 | // } 1200 | // 1201 | // /* 1202 | // * Initialize the task size 1203 | // */ 1204 | // count_ips = rangelist_count(&masscan->targets.ipv4) + range6list_count(&masscan->targets.ipv6).lo; 1205 | // if (count_ips == 0) { 1206 | // LOG(0, "FAIL: target IP address list empty\n"); 1207 | // LOG(0, " [hint] try something like \"--range 10.0.0.0/8\"\n"); 1208 | // LOG(0, " [hint] try something like \"--range 192.168.0.100-192.168.0.200\"\n"); 1209 | // return 1; 1210 | // } 1211 | // count_ports = rangelist_count(&masscan->targets.ports); 1212 | // if (count_ports == 0) { 1213 | // LOG(0, "FAIL: no ports were specified\n"); 1214 | // LOG(0, " [hint] try something like \"-p80,8000-9000\"\n"); 1215 | // LOG(0, " [hint] try something like \"--ports 0-65535\"\n"); 1216 | // return 1; 1217 | // } 1218 | // range = count_ips * count_ports + (uint64_t)(masscan->retries * masscan->max_rate); 1219 | // 1220 | // /* 1221 | // * If doing an ARP scan, then don't allow port scanning 1222 | // */ 1223 | // if (rangelist_is_contains(&masscan->targets.ports, Templ_ARP)) { 1224 | // if (masscan->targets.ports.count != 1) { 1225 | // LOG(0, "FAIL: cannot arpscan and portscan at the same time\n"); 1226 | // return 1; 1227 | // } 1228 | // } 1229 | // 1230 | // /* 1231 | // * If the IP address range is very big, then require that that the 1232 | // * user apply an exclude range 1233 | // */ 1234 | // if (count_ips > 1000000000ULL && rangelist_count(&masscan->exclude.ipv4) == 0) { 1235 | // LOG(0, "FAIL: range too big, need confirmation\n"); 1236 | // LOG(0, " [hint] to prevent acccidents, at least one --exclude must be specified\n"); 1237 | // LOG(0, " [hint] use \"--exclude 255.255.255.255\" as a simple confirmation\n"); 1238 | // exit(1); 1239 | // } 1240 | // 1241 | // /* 1242 | // * trim the nmap UDP payloads down to only those ports we are using. This 1243 | // * makes lookups faster at high packet rates. 1244 | // */ 1245 | // payloads_udp_trim(masscan->payloads.udp, &masscan->targets); 1246 | // payloads_oproto_trim(masscan->payloads.oproto, &masscan->targets); 1247 | // 1248 | // 1249 | //#ifdef __AFL_HAVE_MANUAL_CONTROL 1250 | // __AFL_INIT(); 1251 | //#endif 1252 | // 1253 | // /* 1254 | // * Start scanning threats for each adapter 1255 | // */ 1256 | // for (index=0; indexnic_count; index++) { 1257 | // struct ThreadPair *parms = &parms_array[index]; 1258 | // int err; 1259 | // 1260 | // parms->masscan = masscan; 1261 | // parms->nic_index = index; 1262 | // parms->my_index = masscan->resume.index; 1263 | // parms->done_transmitting = 0; 1264 | // parms->done_receiving = 0; 1265 | // 1266 | // /* needed for --packet-trace option so that we know when we started 1267 | // * the scan */ 1268 | // parms->pt_start = 1.0 * pixie_gettime() / 1000000.0; 1269 | // 1270 | // 1271 | // /* 1272 | // * Turn the adapter on, and get the running configuration 1273 | // */ 1274 | // err = masscan_initialize_adapter( 1275 | // masscan, 1276 | // index, 1277 | // &parms->source_mac, 1278 | // &parms->router_mac_ipv4, 1279 | // &parms->router_mac_ipv6 1280 | // ); 1281 | // if (err != 0) 1282 | // exit(1); 1283 | // parms->adapter = masscan->nic[index].adapter; 1284 | // if (!masscan->nic[index].is_usable) { 1285 | // LOG(0, "FAIL: failed to detect IP of interface\n"); 1286 | // LOG(0, " [hint] did you spell the name correctly?\n"); 1287 | // LOG(0, " [hint] if it has no IP address, " 1288 | // "manually set with \"--adapter-ip 192.168.100.5\"\n"); 1289 | // exit(1); 1290 | // } 1291 | // 1292 | // 1293 | // /* 1294 | // * Initialize the TCP packet template. The way this works is that 1295 | // * we parse an existing TCP packet, and use that as the template for 1296 | // * scanning. Then, we adjust the template with additional features, 1297 | // * such as the IP address and so on. 1298 | // */ 1299 | // parms->tmplset->vulncheck = vulncheck; 1300 | // template_packet_init( 1301 | // parms->tmplset, 1302 | // parms->source_mac, 1303 | // parms->router_mac_ipv4, 1304 | // parms->router_mac_ipv6, 1305 | // masscan->payloads.udp, 1306 | // masscan->payloads.oproto, 1307 | // stack_if_datalink(masscan->nic[index].adapter), 1308 | // masscan->seed); 1309 | // 1310 | // /* 1311 | // * Set the "source port" of everything we transmit. 1312 | // */ 1313 | // if (masscan->nic[index].src.port.range == 0) { 1314 | // unsigned port = 40000 + now % 20000; 1315 | // masscan->nic[index].src.port.first = port; 1316 | // masscan->nic[index].src.port.last = port; 1317 | // masscan->nic[index].src.port.range = 1; 1318 | // } 1319 | // 1320 | // stack = stack_create(parms->source_mac, &masscan->nic[index].src); 1321 | // parms->stack = stack; 1322 | // 1323 | // /* 1324 | // * Set the "TTL" (IP time-to-live) of everything we send. 1325 | // */ 1326 | // if (masscan->nmap.ttl) 1327 | // template_set_ttl(parms->tmplset, masscan->nmap.ttl); 1328 | // 1329 | // if (masscan->nic[0].is_vlan) 1330 | // template_set_vlan(parms->tmplset, masscan->nic[0].vlan_id); 1331 | // 1332 | // 1333 | // /* 1334 | // * trap to pause 1335 | // */ 1336 | // signal(SIGINT, control_c_handler); 1337 | // 1338 | // } 1339 | // 1340 | // /* 1341 | // * Print helpful text 1342 | // */ 1343 | // { 1344 | // char buffer[80]; 1345 | // struct tm x; 1346 | // 1347 | // now = time(0); 1348 | // gmtime_s(&x, &now); 1349 | // strftime(buffer, sizeof(buffer), "%Y-%m-%d %H:%M:%S GMT", &x); 1350 | // LOG(0, "Starting masscan " MASSCAN_VERSION " (http://bit.ly/14GZzcT) at %s\n", 1351 | // buffer); 1352 | // 1353 | // if (count_ports == 1 && \ 1354 | // masscan->targets.ports.list->begin == Templ_ICMP_echo && \ 1355 | // masscan->targets.ports.list->end == Templ_ICMP_echo) 1356 | // { /* ICMP only */ 1357 | // //LOG(0, " -- forced options: -sn -n --randomize-hosts -v --send-eth\n"); 1358 | // LOG(0, "Initiating ICMP Echo Scan\n"); 1359 | // LOG(0, "Scanning %u hosts\n",(unsigned)count_ips); 1360 | // } 1361 | // else /* This could actually also be a UDP only or mixed UDP/TCP/ICMP scan */ 1362 | // { 1363 | // //LOG(0, " -- forced options: -sS -Pn -n --randomize-hosts -v --send-eth\n"); 1364 | // LOG(0, "Initiating SYN Stealth Scan\n"); 1365 | // LOG(0, "Scanning %u hosts [%u port%s/host]\n", 1366 | // (unsigned)count_ips, (unsigned)count_ports, (count_ports==1)?"":"s"); 1367 | // } 1368 | // } 1369 | // 1370 | // /* 1371 | // * Start all the threads 1372 | // */ 1373 | // for (index=0; indexnic_count; index++) { 1374 | // struct ThreadPair *parms = &parms_array[index]; 1375 | // 1376 | // /* 1377 | // * Start the scanning thread. 1378 | // * THIS IS WHERE THE PROGRAM STARTS SPEWING OUT PACKETS AT A HIGH 1379 | // * RATE OF SPEED. 1380 | // */ 1381 | // parms->thread_handle_xmit = pixie_begin_thread(transmit_thread, 0, parms); 1382 | // 1383 | // /* 1384 | // * Start the MATCHING receive thread. Transmit and receive threads 1385 | // * come in matching pairs. 1386 | // */ 1387 | // parms->thread_handle_recv = pixie_begin_thread(receive_thread, 0, parms); 1388 | // } 1389 | // 1390 | // /* 1391 | // * Now wait for to be pressed OR for threads to exit 1392 | // */ 1393 | // pixie_usleep(1000 * 100); 1394 | // LOG(1, "[+] waiting for threads to finish\n"); 1395 | // status_start(&status); 1396 | // status.is_infinite = masscan->is_infinite; 1397 | // while (!is_tx_done && masscan->output.is_status_updates) { 1398 | // unsigned i; 1399 | // double rate = 0; 1400 | // uint64_t total_tcbs = 0; 1401 | // uint64_t total_synacks = 0; 1402 | // uint64_t total_syns = 0; 1403 | // 1404 | // 1405 | // /* Find the minimum index of all the threads */ 1406 | // min_index = UINT64_MAX; 1407 | // for (i=0; inic_count; i++) { 1408 | // struct ThreadPair *parms = &parms_array[i]; 1409 | // 1410 | // if (min_index > parms->my_index) 1411 | // min_index = parms->my_index; 1412 | // 1413 | // rate += parms->throttler->current_rate; 1414 | // 1415 | // if (parms->total_tcbs) 1416 | // total_tcbs += *parms->total_tcbs; 1417 | // if (parms->total_synacks) 1418 | // total_synacks += *parms->total_synacks; 1419 | // if (parms->total_syns) 1420 | // total_syns += *parms->total_syns; 1421 | // } 1422 | // 1423 | // if (min_index >= range && !masscan->is_infinite) { 1424 | // /* Note: This is how we can tell the scan has ended */ 1425 | // is_tx_done = 1; 1426 | // } 1427 | // 1428 | // /* 1429 | // * update screen about once per second with statistics, 1430 | // * namely packets/second. 1431 | // */ 1432 | // if (masscan->output.is_status_updates) 1433 | // status_print(&status, min_index, range, rate, 1434 | // total_tcbs, total_synacks, total_syns, 1435 | // 0, masscan->output.is_status_ndjson); 1436 | // 1437 | // /* Sleep for almost a second */ 1438 | // pixie_mssleep(750); 1439 | // } 1440 | // 1441 | // /* 1442 | // * If we haven't completed the scan, then save the resume 1443 | // * information. 1444 | // */ 1445 | // if (min_index < count_ips * count_ports) { 1446 | // masscan->resume.index = min_index; 1447 | // 1448 | // /* Write current settings to "paused.conf" so that the scan can be restarted */ 1449 | // masscan_save_state(masscan); 1450 | // } 1451 | // 1452 | // 1453 | // 1454 | // /* 1455 | // * Now wait for all threads to exit 1456 | // */ 1457 | // now = time(0); 1458 | // for (;;) { 1459 | // unsigned transmit_count = 0; 1460 | // unsigned receive_count = 0; 1461 | // unsigned i; 1462 | // double rate = 0; 1463 | // uint64_t total_tcbs = 0; 1464 | // uint64_t total_synacks = 0; 1465 | // uint64_t total_syns = 0; 1466 | // 1467 | // 1468 | // /* Find the minimum index of all the threads */ 1469 | // min_index = UINT64_MAX; 1470 | // for (i=0; inic_count; i++) { 1471 | // struct ThreadPair *parms = &parms_array[i]; 1472 | // 1473 | // if (min_index > parms->my_index) 1474 | // min_index = parms->my_index; 1475 | // 1476 | // rate += parms->throttler->current_rate; 1477 | // 1478 | // if (parms->total_tcbs) 1479 | // total_tcbs += *parms->total_tcbs; 1480 | // if (parms->total_synacks) 1481 | // total_synacks += *parms->total_synacks; 1482 | // if (parms->total_syns) 1483 | // total_syns += *parms->total_syns; 1484 | // } 1485 | // 1486 | // 1487 | // 1488 | // if (time(0) - now >= masscan->wait) { 1489 | // is_rx_done = 1; 1490 | // } 1491 | // 1492 | // if (time(0) - now - 10 > masscan->wait) { 1493 | // LOG(0, "[-] Passed the wait window but still running, forcing exit...\n"); 1494 | // exit(0); 1495 | // } 1496 | // 1497 | // if (masscan->output.is_status_updates) { 1498 | // status_print(&status, min_index, range, rate, 1499 | // total_tcbs, total_synacks, total_syns, 1500 | // masscan->wait - (time(0) - now), 1501 | // masscan->output.is_status_ndjson); 1502 | // 1503 | // for (i=0; inic_count; i++) { 1504 | // struct ThreadPair *parms = &parms_array[i]; 1505 | // 1506 | // transmit_count += parms->done_transmitting; 1507 | // receive_count += parms->done_receiving; 1508 | // 1509 | // } 1510 | // 1511 | // pixie_mssleep(250); 1512 | // 1513 | // if (transmit_count < masscan->nic_count) 1514 | // continue; 1515 | // is_tx_done = 1; 1516 | // is_rx_done = 1; 1517 | // if (receive_count < masscan->nic_count) 1518 | // continue; 1519 | // 1520 | // } else { 1521 | // /* [AFL-fuzz] 1522 | // * Join the threads, which doesn't allow us to print out 1523 | // * status messages, but allows us to exit cleaningly without 1524 | // * any waiting */ 1525 | // for (i=0; inic_count; i++) { 1526 | // struct ThreadPair *parms = &parms_array[i]; 1527 | // 1528 | // pixie_thread_join(parms->thread_handle_xmit); 1529 | // parms->thread_handle_xmit = 0; 1530 | // pixie_thread_join(parms->thread_handle_recv); 1531 | // parms->thread_handle_recv = 0; 1532 | // } 1533 | // is_tx_done = 1; 1534 | // is_rx_done = 1; 1535 | // } 1536 | // 1537 | // break; 1538 | // } 1539 | // 1540 | // 1541 | // /* 1542 | // * Now cleanup everything 1543 | // */ 1544 | // status_finish(&status); 1545 | // 1546 | // if (!masscan->output.is_status_updates) { 1547 | // uint64_t usec_now = pixie_gettime(); 1548 | // 1549 | // printf("%u milliseconds ellapsed\n", (unsigned)((usec_now - usec_start)/1000)); 1550 | // } 1551 | // 1552 | // LOG(1, "[+] all threads have exited \n"); 1553 | // 1554 | // return 0; 1555 | //} 1556 | // 1557 | // 1558 | // 1559 | // 1560 | ///*************************************************************************** 1561 | // ***************************************************************************/ 1562 | //int scan(int argc, char *argv[]) 1563 | //{ 1564 | // struct Masscan masscan[1]; 1565 | // unsigned i; 1566 | // int has_target_addresses = 0; 1567 | // int has_target_ports = 0; 1568 | // 1569 | // usec_start = pixie_gettime(); 1570 | //#if defined(WIN32) 1571 | // {WSADATA x; WSAStartup(0x101, &x);} 1572 | //#endif 1573 | // 1574 | // global_now = time(0); 1575 | // 1576 | // /* Set system to report debug information on crash */ 1577 | // { 1578 | // int is_backtrace = 1; 1579 | // for (i=1; i<(unsigned)argc; i++) { 1580 | // if (strcmp(argv[i], "--nobacktrace") == 0) 1581 | // is_backtrace = 0; 1582 | // } 1583 | // if (is_backtrace) 1584 | // pixie_backtrace_init(argv[0]); 1585 | // } 1586 | // 1587 | // /* 1588 | // * Initialize those defaults that aren't zero 1589 | // */ 1590 | // memset(masscan, 0, sizeof(*masscan)); 1591 | // /* 14 rounds seem to give way better statistical distribution than 4 with a 1592 | // very low impact on scan rate */ 1593 | // masscan->blackrock_rounds = 14; 1594 | // masscan->output.is_show_open = 1; /* default: show syn-ack, not rst */ 1595 | // masscan->output.is_status_updates = 1; /* default: show status updates */ 1596 | // masscan->wait = 10; /* how long to wait for responses when done */ 1597 | // masscan->max_rate = 100.0; /* max rate = hundred packets-per-second */ 1598 | // masscan->nic_count = 1; 1599 | // masscan->shard.one = 1; 1600 | // masscan->shard.of = 1; 1601 | // masscan->min_packet_size = 60; 1602 | // masscan->payloads.udp = payloads_udp_create(); 1603 | // masscan->payloads.oproto = payloads_oproto_create(); 1604 | // strcpy_s( masscan->output.rotate.directory, 1605 | // sizeof(masscan->output.rotate.directory), 1606 | // "."); 1607 | // masscan->is_capture_cert = 1; 1608 | // 1609 | // /* 1610 | // * Pre-parse the command-line 1611 | // */ 1612 | // if (masscan_conf_contains("--readscan", argc, argv)) { 1613 | // masscan->is_readscan = 1; 1614 | // } 1615 | // 1616 | // /* 1617 | // * On non-Windows systems, read the defaults from the file in 1618 | // * the /etc directory. These defaults will contain things 1619 | // * like the output directory, max packet rates, and so on. Most 1620 | // * importantly, the master "--excludefile" might be placed here, 1621 | // * so that blacklisted ranges won't be scanned, even if the user 1622 | // * makes a mistake 1623 | // */ 1624 | //#if !defined(WIN32) 1625 | // if (!masscan->is_readscan) { 1626 | // if (access("/etc/masscan/masscan.conf", 0) == 0) { 1627 | // masscan_read_config_file(masscan, "/etc/masscan/masscan.conf"); 1628 | // } 1629 | // } 1630 | //#endif 1631 | // 1632 | // /* 1633 | // * Read in the configuration from the command-line. We are looking for 1634 | // * either options or a list of IPv4 address ranges. 1635 | // */ 1636 | // masscan_command_line(masscan, argc, argv); 1637 | // if (masscan->seed == 0) 1638 | // masscan->seed = get_entropy(); /* entropy for randomness */ 1639 | // 1640 | // /* 1641 | // * Load database files like "nmap-payloads" and "nmap-service-probes" 1642 | // */ 1643 | // masscan_load_database_files(masscan); 1644 | // 1645 | // /* 1646 | // * Load the scripting engine if needed and run those that were 1647 | // * specified. 1648 | // */ 1649 | // if (masscan->is_scripting) 1650 | // scripting_init(masscan); 1651 | // 1652 | // /* We need to do a separate "raw socket" initialization step. This is 1653 | // * for Windows and PF_RING. */ 1654 | // if (pcap_init() != 0) 1655 | // LOG(2, "libpcap: failed to load\n"); 1656 | // rawsock_init(); 1657 | // 1658 | // /* Init some protocol parser data structures */ 1659 | // snmp_init(); 1660 | // x509_init(); 1661 | // 1662 | // 1663 | // /* 1664 | // * Apply excludes. People ask us not to scan them, so we maintain a list 1665 | // * of their ranges, and when doing wide scans, add the exclude list to 1666 | // * prevent them from being scanned. 1667 | // */ 1668 | // has_target_addresses = massip_has_ipv4_targets(&masscan->targets) || massip_has_ipv6_targets(&masscan->targets); 1669 | // has_target_ports = massip_has_target_ports(&masscan->targets); 1670 | // massip_apply_excludes(&masscan->targets, &masscan->exclude); 1671 | // if (!has_target_ports && masscan->op == Operation_ListScan) 1672 | // massip_add_port_string(&masscan->targets, "80", 0); 1673 | // 1674 | // 1675 | // 1676 | // 1677 | // /* Optimize target selection so it's a quick binary search instead 1678 | // * of walking large memory tables. When we scan the entire Internet 1679 | // * our --excludefile will chop up our pristine 0.0.0.0/0 range into 1680 | // * hundreds of subranges. This allows us to grab addresses faster. */ 1681 | // massip_optimize(&masscan->targets); 1682 | // 1683 | // /* FIXME: we only support 63-bit scans at the current time. 1684 | // * This is big enough for the IPv4 Internet, where scanning 1685 | // * for all TCP ports on all IPv4 addresses results in a 48-bit 1686 | // * scan, but this isn't big enough even for a single port on 1687 | // * an IPv6 subnet (which are 64-bits in size, usually). However, 1688 | // * even at millions of packets per second scanning rate, you still 1689 | // * can't complete a 64-bit scan in a reasonable amount of time. 1690 | // * Nor would you want to attempt the feat, as it would overload 1691 | // * the target IPv6 subnet. Since implementing this would be 1692 | // * difficult for 32-bit processors, for now, I'm going to stick 1693 | // * to a simple 63-bit scan. 1694 | // */ 1695 | // if (massint128_bitcount(massip_range(&masscan->targets)) > 63) { 1696 | // fprintf(stderr, "[-] FAIL: scan range too large, max is 63-bits, requested is %u bits\n", 1697 | // massint128_bitcount(massip_range(&masscan->targets))); 1698 | // fprintf(stderr, " Hint: scan range is number of IP addresses times number of ports\n"); 1699 | // fprintf(stderr, " Hint: IPv6 subnet must be at least /66 \n"); 1700 | // exit(1); 1701 | // } 1702 | // 1703 | // /* 1704 | // * Once we've read in the configuration, do the operation that was 1705 | // * specified 1706 | // */ 1707 | // switch (masscan->op) { 1708 | // case Operation_Default: 1709 | // /* Print usage info and exit */ 1710 | // masscan_usage(); 1711 | // break; 1712 | // 1713 | // case Operation_Scan: 1714 | // /* 1715 | // * THIS IS THE NORMAL THING 1716 | // */ 1717 | // if (rangelist_count(&masscan->targets.ipv4) == 0 && massint128_is_zero(range6list_count(&masscan->targets.ipv6))) { 1718 | // /* We check for an empty target list here first, before the excludes, 1719 | // * so that we can differentiate error messages after excludes, in case 1720 | // * the user specified addresses, but they were removed by excludes. */ 1721 | // LOG(0, "FAIL: target IP address list empty\n"); 1722 | // if (has_target_addresses) { 1723 | // LOG(0, " [hint] all addresses were removed by exclusion ranges\n"); 1724 | // } else { 1725 | // LOG(0, " [hint] try something like \"--range 10.0.0.0/8\"\n"); 1726 | // LOG(0, " [hint] try something like \"--range 192.168.0.100-192.168.0.200\"\n"); 1727 | // } 1728 | // exit(1); 1729 | // } 1730 | // if (rangelist_count(&masscan->targets.ports) == 0) { 1731 | // if (has_target_ports) { 1732 | // LOG(0, " [hint] all ports were removed by exclusion ranges\n"); 1733 | // } else { 1734 | // LOG(0, "FAIL: no ports were specified\n"); 1735 | // LOG(0, " [hint] try something like \"-p80,8000-9000\"\n"); 1736 | // LOG(0, " [hint] try something like \"--ports 0-65535\"\n"); 1737 | // } 1738 | // return 1; 1739 | // } 1740 | // return main_scan(masscan); 1741 | // 1742 | // case Operation_ListScan: 1743 | // /* Create a randomized list of IP addresses */ 1744 | // main_listscan(masscan); 1745 | // return 0; 1746 | // 1747 | // case Operation_List_Adapters: 1748 | // /* List the network adapters we might want to use for scanning */ 1749 | // rawsock_list_adapters(); 1750 | // break; 1751 | // 1752 | // case Operation_DebugIF: 1753 | // for (i=0; inic_count; i++) 1754 | // rawsock_selftest_if(masscan->nic[i].ifname); 1755 | // return 0; 1756 | // 1757 | // case Operation_ReadRange: 1758 | // main_readrange(masscan); 1759 | // return 0; 1760 | // 1761 | // case Operation_ReadScan: 1762 | // { 1763 | // unsigned start; 1764 | // unsigned stop; 1765 | // 1766 | // /* find first file */ 1767 | // for (start=1; start<(unsigned)argc; start++) { 1768 | // if (memcmp(argv[start], "--readscan", 10) == 0) { 1769 | // start++; 1770 | // break; 1771 | // } 1772 | // } 1773 | // 1774 | // /* find last file */ 1775 | // for (stop=start+1; stop<(unsigned)argc && argv[stop][0] != '-'; stop++) 1776 | // ; 1777 | // 1778 | // /* 1779 | // * read the binary files, and output them again depending upon 1780 | // * the output parameters 1781 | // */ 1782 | // read_binary_scanfile(masscan, start, stop, argv); 1783 | // 1784 | // } 1785 | // break; 1786 | // 1787 | // case Operation_Benchmark: 1788 | // printf("=== benchmarking (%u-bits) ===\n\n", (unsigned)sizeof(void*)*8); 1789 | // blackrock_benchmark(masscan->blackrock_rounds); 1790 | // blackrock2_benchmark(masscan->blackrock_rounds); 1791 | // smack_benchmark(); 1792 | // exit(1); 1793 | // break; 1794 | // 1795 | // case Operation_Echo: 1796 | // masscan_echo(masscan, stdout, 0); 1797 | // exit(0); 1798 | // break; 1799 | // 1800 | // case Operation_EchoAll: 1801 | // masscan_echo(masscan, stdout, 0); 1802 | // exit(0); 1803 | // break; 1804 | // 1805 | // case Operation_Selftest: 1806 | // /* 1807 | // * Do a regression test of all the significant units 1808 | // */ 1809 | // { 1810 | // int x = 0; 1811 | // x += massip_selftest(); 1812 | // x += ranges6_selftest(); 1813 | // x += dedup_selftest(); 1814 | // x += checksum_selftest(); 1815 | // x += ipv6address_selftest(); 1816 | // x += proto_coap_selftest(); 1817 | // x += smack_selftest(); 1818 | // x += sctp_selftest(); 1819 | // x += base64_selftest(); 1820 | // x += banner1_selftest(); 1821 | // x += output_selftest(); 1822 | // x += siphash24_selftest(); 1823 | // x += ntp_selftest(); 1824 | // x += snmp_selftest(); 1825 | // x += payloads_udp_selftest(); 1826 | // x += blackrock_selftest(); 1827 | // x += rawsock_selftest(); 1828 | // x += lcg_selftest(); 1829 | // x += template_selftest(); 1830 | // x += ranges_selftest(); 1831 | // x += massip_parse_selftest(); 1832 | // x += pixie_time_selftest(); 1833 | // x += rte_ring_selftest(); 1834 | // x += mainconf_selftest(); 1835 | // x += zeroaccess_selftest(); 1836 | // x += nmapserviceprobes_selftest(); 1837 | // x += rstfilter_selftest(); 1838 | // 1839 | // 1840 | // if (x != 0) { 1841 | // /* one of the selftests failed, so return error */ 1842 | // fprintf(stderr, "regression test: failed :( \n"); 1843 | // return 1; 1844 | // } else { 1845 | // fprintf(stderr, "regression test: success!\n"); 1846 | // return 0; 1847 | // } 1848 | // } 1849 | // break; 1850 | // } 1851 | // 1852 | // 1853 | // return 0; 1854 | //} 1855 | // 1856 | // 1857 | // 1858 | import "C" 1859 | 1860 | import "unsafe" 1861 | 1862 | func main() { 1863 | arr := [...]*C.char{C.CString("masscan"), C.CString("-p"), C.CString("80"), C.CString("1.1.1.1")} 1864 | C.scan(C.int(len(arr)), (**C.char)(unsafe.Pointer(&arr))) 1865 | } 1866 | 1867 | --------------------------------------------------------------------------------