OpenVAS Scanner 23.32.3
nasl_builtin_openvas_tcp_scanner.c
Go to the documentation of this file.
1/* SPDX-FileCopyrightText: 2023 Greenbone AG
2 * SPDX-FileCopyrightText: 2004 Michel Arboi <mikhail@nessus.org>
3 *
4 * SPDX-License-Identifier: GPL-2.0-only
5 */
6
7#include "../misc/network.h"
8#include "../misc/plugutils.h"
9#include "nasl_builtin_plugins.h"
10#include "nasl_lex_ctxt.h"
11
12#include <errno.h> /* for errno() */
13#include <fcntl.h> /* for fcntl() */
14#include <glib.h>
15#include <gvm/base/logging.h>
16#include <gvm/base/prefs.h> /* for prefs_get */
17#include <netdb.h> /* for getprotobyname() */
18#include <stdio.h> /* for fprintf() */
19#include <stdlib.h> /* for atoi() */
20#include <string.h> /* for strcmp() */
21#include <sys/resource.h> /* for getrlimit() */
22#include <sys/socket.h> /* for socket() */
23#include <sys/time.h> /* for gettimeofday() */
24#include <sys/types.h> /* for socket() */
25#include <unistd.h> /* for close() */
26
27#ifdef LINUX
28#include <netinet/ip.h>
29#include <netinet/tcp.h>
30#endif
31#include <limits.h>
32#include <math.h> /* for sqrt(), floor() */
33
34#if !defined FD_SETSIZE || FD_SETSIZE > 1024
35#define GRAB_MAX_SOCK 1024
36#else
37#define GRAB_MAX_SOCK FD_SETSIZE
38#endif
39
40#if !defined FD_SETSIZE || FD_SETSIZE > 32
41#define GRAB_MIN_SOCK 32
42#else
43#define GRAB_MIN_SOCK FD_SETSIZE
44#warn "FD_SETSIZE is lower than 32"
45#endif
46
47#if !defined FD_SETSIZE || FD_SETSIZE > 128
48#define GRAB_MAX_SOCK_SAFE 128
49#else
50#define GRAB_MAX_SOCK_SAFE FD_SETSIZE
51#warn "FD_SETSIZE is lower than 128"
52#endif
53
54#define MAX_PASS_NB 16
55
56#ifndef MAXINT
57#define MAXINT 0x7fffffffL
58#endif
59
60#undef G_LOG_DOMAIN
64#define G_LOG_DOMAIN "lib nasl"
65
66typedef struct
67{
68 int fd;
69 struct timeval tictac; /* open time */
70 unsigned short port;
71 unsigned char state;
72} grab_socket_t;
73
74#define DIFFTV(t1, t2) \
75 (t1.tv_sec - t2.tv_sec + (t1.tv_usec - t2.tv_usec) / 1000000)
76#define DIFFTVu(t1, t2) \
77 ((t1.tv_sec - t2.tv_sec) * 1000000.0 + (t1.tv_usec - t2.tv_usec))
78
79#define GRAB_SOCKET_UNUSED 0
80#define GRAB_SOCKET_OPENING 1
81#define GRAB_SOCKET_OPEN 2
82
83#define GRAB_PORT_UNKNOWN 0
84#define GRAB_PORT_CLOSED 1
85#define GRAB_PORT_OPEN 2
86#define GRAB_PORT_SILENT 3
87#define GRAB_PORT_REJECTED 4
88#define GRAB_PORT_NOT_TESTED 254
89#define GRAB_PORT_TESTING 255
90
91#define COMPUTE_RTT
92/*
93 * RTT is always estimated (at least, the maximum is remembered)
94 * If you want to enable the "statistics", define COMPUTE_RTT and link
95 * the plugin with libm (we need sqrt)
96 */
97/* Linux re-sends a SYN packet after 3 s
98 * anyway, I don't think that we can have a RTT bigger than 2 s
99 */
100#define MAX_SANE_RTT 2000000 /* micro-seconds */
101
102static int
103my_socket_close (int s)
104{
105#ifndef SO_LINGER
106 shutdown (s, 2);
107#endif
108 return close (s);
109}
110
111static int
112std_port (int port)
113{
114 (void) port;
115 return 0;
120}
121
122static int
123double_check_std_ports (unsigned char *ports_states)
124{
125 int port, tbd_nb = 0;
126
127 for (port = 1; port <= 65535; port++)
128 if (std_port (port) && ports_states[port] == GRAB_PORT_SILENT)
129 {
130 ports_states[port] = GRAB_PORT_UNKNOWN;
131 tbd_nb++;
132 }
133 else if (ports_states[port] == GRAB_PORT_UNKNOWN)
134 {
135 g_message ("openvas_tcp_scanner: bug in double_check_std_ports!"
136 " Unknown port %d status",
137 port);
138 tbd_nb++;
139 }
140 return tbd_nb;
141}
142
143static int
144banner_grab (const struct in6_addr *pia, const char *portrange,
145 const int read_timeout, int min_cnx, int max_cnx,
146 struct script_infos *desc)
147{
148 char buf[2048], kb[64];
149 int s, tcpproto, pass;
150 struct protoent *proto;
151 fd_set rfs, wfs, efs;
152 struct timeval timeout, ti;
153 struct sockaddr_in sa;
154 struct sockaddr_in6 sa6;
155 int len;
156 int retval;
157 int port = 23;
158 int imax, i, j, scanned_ports, x, opt;
159 unsigned int optsz;
160 int minport;
161 unsigned char ports_states[65536];
162 grab_socket_t sockets[GRAB_MAX_SOCK];
163 int open_sock_nb, open_sock_max, open_sock_max2;
164 int unfiltered_ports_nb, filtered_ports_nb;
165 int dropped_nb, timeout_nb, dropped_flag = 0;
166 int old_filtered = -1, old_opened = -1;
167 int open_ports_nb, closed_ports_nb;
168 int untested_ports_nb, total_ports_nb;
169 int cnx_max[3], rtt_max[3], rtt_min[3], ping_rtt = 0;
170#if defined COMPUTE_RTT
171 double rtt_sum[3], rtt_sum2[3];
172 int rtt_nb[3];
173 static const char *rtt_type[] = {"unfiltered", "open", "closed"};
174#endif
175 time_t start_time = time (NULL), start_time_1pass, end_time;
176 long diff_time, diff_time1;
177 int rst_rate_limit_flag = 0, doublecheck_flag = 0;
178#if defined COMPUTE_RTT
179 double mean, sd = -1.0, emax = -1.0;
180#endif
181
182 proto = getprotobyname ("tcp");
183 if (proto == NULL)
184 {
185 perror ("tcp");
186 return -1;
187 }
188 tcpproto = proto->p_proto;
189
190 for (i = 0; i < (int) (sizeof (ports_states) / sizeof (*ports_states)); i++)
191 ports_states[i] = GRAB_PORT_NOT_TESTED;
192 scanned_ports = 0;
193 for (i = 0; i < 3; i++)
194 {
195#if defined COMPUTE_RTT
196 rtt_sum[i] = rtt_sum2[i] = 0.0;
197 rtt_nb[i] = 0;
198#endif
199 rtt_max[i] = cnx_max[i] = 0;
200 rtt_min[i] = MAXINT;
201 }
202
203 {
204 char *k;
205 int type = 0;
206 k = plug_get_key (desc, "/tmp/ping/RTT", &type, NULL, 0);
207 if (type == ARG_STRING && k != NULL)
208 ping_rtt = atoi (k);
209 else if (type == ARG_INT)
210 ping_rtt = GPOINTER_TO_SIZE (k);
211 else if (type >= 0)
212 g_message ("openvas_tcp_scanner: unknown key type %d", type);
213 g_free (k);
214 if (ping_rtt < 0 || ping_rtt > MAX_SANE_RTT)
215 ping_rtt = 0;
216 }
217
218 {
219 char *p, *q;
220 int po1, po2 = 0;
221 p = (char *) portrange;
222 untested_ports_nb = 0;
223
224 if (p)
225 while (*p != '\0')
226 {
227 while (*p == ',')
228 p++;
229
230 /* Scanner accepts only T:1-3,6,U:103-333,770 due to getpts. */
231
232 if (*p == 'T' && p[1] && p[1] == ':')
233 /* Skip over the leading "T:". */
234 p += 2;
235 else if (*p == 'U' && p[1] && p[1] == ':')
236 /* "U:" for UDP. Skip the rest. */
237 break;
238
239 if (*p == '-')
240 {
241 po1 = 1;
242 q = p + 1;
243 po2 = strtol (q, &p, 10);
244 if (q == p)
245 {
246 g_message ("openvas_tcp_scanner: Cannot parse '%s'", p);
247 return -1;
248 }
249 }
250 else
251 {
252 po1 = strtol (p, &q, 10);
253 if (q == p)
254 {
255 g_message ("openvas_tcp_scanner: Cannot parse '%s'", p);
256 return -1;
257 }
258 if (*q == ',')
259 {
260 p = q + 1;
261 po2 = po1;
262 }
263 else if (*q == '\0')
264 {
265 p = q;
266 po2 = po1;
267 }
268 else if (*q == '-')
269 {
270 if (q[1] == '\0')
271 {
272 po2 = 65535;
273 p = q + 1;
274 }
275 else
276 {
277 po2 = strtol (q + 1, &p, 10);
278 if (q + 1 == p)
279 {
280 g_message ("openvas_tcp_scanner: Cannot parse '%s'",
281 p);
282 return -1;
283 }
284 }
285 }
286 }
287 for (i = po1; i <= po2; i++)
288 {
289 ports_states[i] = GRAB_PORT_UNKNOWN;
290 untested_ports_nb++;
291 }
292 }
293 else
294 {
295 g_message ("openvas_tcp_scanner: port list empty");
296 return -1;
297 }
298 }
299
300 for (i = 0; i < max_cnx; i++)
301 {
302 sockets[i].state = GRAB_SOCKET_UNUSED;
303 sockets[i].fd = -1;
304 }
305
306 open_sock_nb = 0;
307 open_sock_max = min_cnx;
308 open_sock_max2 = max_cnx;
309
310 open_ports_nb = closed_ports_nb = filtered_ports_nb = unfiltered_ports_nb = 0;
311
312 for (pass = 1; pass <= MAX_PASS_NB; pass++)
313 {
314 int open_ports_nb1 = 0, closed_ports_nb1 = 0;
315 int wait_sock_nb = 0;
316
317 minport = 1;
318 start_time_1pass = time (NULL);
319 FD_ZERO (&rfs);
320 FD_ZERO (&wfs);
321 imax = -1;
322
323 while (scanned_ports < 65535)
324 {
325 total_ports_nb =
326 unfiltered_ports_nb + filtered_ports_nb + untested_ports_nb;
327 while (open_sock_nb < open_sock_max)
328 {
329 for (port = minport;
330 port <= 65535 && ports_states[port] != GRAB_PORT_UNKNOWN;
331 port++)
332 ;
333 if (port > 65535)
334 break;
335 minport = port;
336
337 ports_states[port] = GRAB_PORT_TESTING;
338 if (IN6_IS_ADDR_V4MAPPED (pia))
339 {
340 s = socket (PF_INET, SOCK_STREAM, tcpproto);
341 }
342 else
343 {
344 s = socket (PF_INET6, SOCK_STREAM, tcpproto);
345 }
346 if (s < 0)
347 {
348 if (errno == ENFILE) /* File table overflow */
349 {
350 open_sock_max = open_sock_max2 = open_sock_nb / 2 - 1;
351 /* NB: if open_sock_max2 < 0, the scanner aborts */
352 /* DEBUG: otherwise, we print a less frigthtening message
353 */
354 continue;
355 }
356 else if (errno == EMFILE) /* Too many open files */
357 {
358 x = open_sock_nb / 16; /* 6.25% */
359 open_sock_max = open_sock_max2 =
360 open_sock_nb - (x > 0 ? x : 1);
361 /* NB: if open_sock_max2 < 0, the scanner aborts */
362 /* DEBUG: otherwise, we print a less frigthtening message
363 */
364 continue;
365 }
366 else
367 {
368 perror ("socket");
369 return -1;
370 }
371 }
372#if defined FD_SETSIZE
373 if (s >= FD_SETSIZE)
374 {
375 open_sock_max--;
376 open_sock_max2--;
377 if (close (s) < 0)
378 perror ("close");
379 continue;
380 }
381#endif
382
383 if ((x = fcntl (s, F_GETFL)) < 0)
384 {
385 perror ("fcntl(F_GETFL)");
386 close (s);
387 return -1;
388 }
389 if (fcntl (s, F_SETFL, x | O_NONBLOCK) < 0)
390 {
391 perror ("fcntl(F_SETFL)");
392 close (s);
393 return -1;
394 }
395
396#ifdef SO_LINGER
397 {
398 struct linger l;
399
400 l.l_onoff = 0;
401 l.l_linger = 0;
402 if (setsockopt (s, SOL_SOCKET, SO_LINGER, &l, sizeof (l)) < 0)
403 perror ("setsockopt(SO_LINGER)");
404 }
405#endif
406#if defined LINUX && defined IPTOS_RELIABILITY
407 /*
408 * IP TOS (RFC791) is obsoleted by RFC2474
409 * RFC3168 deprecates IPTOS_MINCOST, as it conflicts with
410 * the "ECN capable" flags
411 */
412 x = IPTOS_RELIABILITY;
413 if (setsockopt (s, SOL_IP, IP_TOS, &x, sizeof (x)) < 0)
414 perror ("setsockopt(IP_TOS");
415#endif
416 bzero (&sa, sizeof (sa));
417 bzero (&sa6, sizeof (sa6));
418 if (IN6_IS_ADDR_V4MAPPED (pia))
419 {
420 sa.sin_addr.s_addr = pia->s6_addr32[3];
421 sa.sin_family = AF_INET;
422 sa.sin_port = htons (port);
423 len = sizeof (struct sockaddr_in);
424 retval = connect (s, (struct sockaddr *) &sa, len);
425 }
426 else
427 {
428 memcpy (&sa6.sin6_addr, pia, sizeof (struct in6_addr));
429 sa6.sin6_family = AF_INET6;
430 sa6.sin6_port = htons (port);
431 len = sizeof (struct sockaddr_in6);
432 retval = connect (s, (struct sockaddr *) &sa6, len);
433 }
434 if (retval < 0)
435 {
436 switch (errno)
437 {
438 case EINPROGRESS:
439 case EALREADY:
440 sockets[open_sock_nb].fd = s;
441 sockets[open_sock_nb].port = port;
442 sockets[open_sock_nb].state = GRAB_SOCKET_OPENING;
443 (void) gettimeofday (&sockets[open_sock_nb].tictac, NULL);
444 open_sock_nb++;
445 FD_SET (s, &wfs);
446 if (s > imax)
447 imax = s;
448 break;
449
450 case EAGAIN:
451 x = open_sock_nb / 16; /* 6.25% */
452 open_sock_max = open_sock_max2 =
453 open_sock_nb - (x > 0 ? x : 1);
454 /* If open_sock_max2 < 0, the scanner aborts */
455 continue;
456
457 case ECONNREFUSED:
458 ports_states[port] = GRAB_PORT_CLOSED;
459 my_socket_close (s);
460 unfiltered_ports_nb++;
461 closed_ports_nb++;
462 closed_ports_nb1++;
463 untested_ports_nb--;
464 continue;
465
466 case ENETUNREACH:
467 case EHOSTUNREACH:
468 ports_states[port] = GRAB_PORT_REJECTED;
469 my_socket_close (s);
470 filtered_ports_nb++;
471 untested_ports_nb--;
472 continue;
473
474 default:
475 perror ("connect");
476 return -1;
477 }
478 }
479 else /* This should not happen! */
480 {
481 sockets[open_sock_nb].fd = s;
482 sockets[open_sock_nb].port = port;
483 sockets[open_sock_nb].state = GRAB_SOCKET_OPEN;
484 (void) gettimeofday (&sockets[open_sock_nb].tictac, NULL);
485 open_sock_nb++;
486 ports_states[port] = GRAB_PORT_OPEN;
487 unfiltered_ports_nb++;
488 open_ports_nb++;
489 open_ports_nb1++;
490 wait_sock_nb++;
491 untested_ports_nb--;
492 scanner_add_port (desc, port, "tcp");
493 }
494 if (imax >= 0)
495 {
496 timeout.tv_sec = timeout.tv_usec = 0;
497 if (select (imax + 1, NULL, &wfs, NULL, &timeout) > 0)
498 break;
499 }
500 }
501
502 if (open_sock_max2 <= 0) /* file table is full */
503 return -1;
504
505 if (open_sock_nb == 0)
506 goto end;
507
508 FD_ZERO (&rfs);
509 FD_ZERO (&wfs);
510 FD_ZERO (&efs);
511 imax = -1;
512
513 for (i = 0; i < open_sock_nb; i++)
514 {
515 if (sockets[i].fd >= 0)
516 {
517 switch (sockets[i].state)
518 {
519 case GRAB_SOCKET_OPEN:
520 FD_SET (sockets[i].fd, &rfs);
521 break;
522 case GRAB_SOCKET_OPENING:
523 FD_SET (sockets[i].fd, &wfs);
524 break;
525 default:
526 break;
527 }
528 if (sockets[i].fd > imax)
529 imax = sockets[i].fd;
530 }
531 }
532
533 if (imax < 0)
534 {
535 if (untested_ports_nb > 0)
536 return -1;
537 else
538 goto end;
539 }
540
541 timeout_nb = 0;
542 dropped_nb = 0;
543 dropped_flag = 0;
544#if defined COMPUTE_RTT
545 if (rtt_nb[0] > 1)
546 {
547 /* All values are in micro-seconds */
548 int em, moy;
549
550 mean = rtt_sum[0] / (double) rtt_nb[0];
551 if ((double) rtt_max[0] > mean)
552 {
553 sd = sqrt ((rtt_sum2[0] / rtt_nb[0] - mean * mean)
554 * (double) rtt_nb[0] / (rtt_nb[0] - 1));
555 emax = mean + 3 * sd;
556 em = floor (emax + 0.5);
557 moy = floor (rtt_sum[0] / rtt_nb[0] + 0.5);
558 if (em <= moy)
559 em = moy;
560 if (rtt_max[0] > em)
561 rtt_max[0] = em;
562 }
563 if (rtt_max[0] < rtt_min[0])
564 rtt_max[0] = rtt_min[0];
565 }
566#endif
567 /*
568 * Some randomness is added to the timeout so that not all
569 * scanners fire at the same time when several firewalled
570 * machines are scanned in parallel.
571 */
572 if (wait_sock_nb == 0)
573 if (rtt_max[0] > 0 || ping_rtt > 0)
574 {
575 if (rtt_max[0] > 0)
576 x = rtt_max[0];
577 else
578 x = ping_rtt;
579
580 if (doublecheck_flag)
581 {
582 x = 3 * x + 20000;
583 if (x > MAX_SANE_RTT)
584 x = MAX_SANE_RTT;
585 }
586 if (x > 1000000) /* more that 1 s */
587 x += (unsigned) (lrand48 () & 0x7FFFFFFF) % 100000;
588 else if (x > 20000) /* between 20 ms and 1 s */
589 x += (unsigned) (lrand48 () & 0x7FFFFFFF) % 50000;
590 else /* less than 20 ms */
591 x = 20000 + (unsigned) (lrand48 () & 0x7FFFFFFF) % 20000;
592 timeout.tv_sec = x / 1000000;
593 timeout.tv_usec = x % 1000000;
594 }
595 else
596 {
597 /* Max RTT = 2 s ? */
598 timeout.tv_sec = 2;
599 timeout.tv_usec = (unsigned) (lrand48 () & 0x7FFFFFFF) % 250000;
600 }
601 else
602 {
603 timeout.tv_sec = read_timeout; /* * 2 ? */
604 timeout.tv_usec = (unsigned) (lrand48 () & 0x7FFFFFFF) % 500000;
605 }
606 i = 0;
607 do
608 x = select (imax + 1, &rfs, &wfs, NULL, &timeout);
609 while (i++ < 10 && x < 0 && errno == EINTR);
610
611 if (x < 0)
612 {
613 perror ("select");
614 return -1;
615 }
616 else if (x == 0) /* timeout */
617 {
618 for (i = 0; i < open_sock_nb; i++)
619 {
620 if (sockets[i].fd > 0)
621 {
622 my_socket_close (sockets[i].fd);
623 sockets[i].fd = -1;
624 switch (sockets[i].state)
625 {
626 case GRAB_SOCKET_OPENING:
627 ports_states[sockets[i].port] = GRAB_PORT_SILENT;
628 filtered_ports_nb++;
629 dropped_nb++;
630 untested_ports_nb--;
631 break;
632 case GRAB_SOCKET_OPEN:
633 wait_sock_nb--;
634 break;
635 }
636 }
637 sockets[i].state = GRAB_SOCKET_UNUSED;
638 }
639 }
640 else /* something to do */
641 {
642 (void) gettimeofday (&ti, NULL);
643 for (i = 0; i < open_sock_nb; i++)
644 {
645 if (sockets[i].fd > 0)
646 {
647 if (FD_ISSET (sockets[i].fd, &wfs))
648 {
649 opt = 0;
650 optsz = sizeof (opt);
651 if (getsockopt (sockets[i].fd, SOL_SOCKET, SO_ERROR,
652 &opt, &optsz)
653 < 0)
654 {
655 perror ("getsockopt");
656 return -1;
657 }
658
659 x = DIFFTVu (ti, sockets[i].tictac);
660 if (opt != 0)
661 {
662 errno = opt;
663 if (x > cnx_max[2])
664 cnx_max[2] = x;
665 if (x < rtt_min[2])
666 rtt_min[2] = x;
667 if (x < MAX_SANE_RTT)
668 {
669 if (x > rtt_max[2])
670 rtt_max[2] = x;
671#if defined COMPUTE_RTT
672 rtt_nb[2]++;
673 rtt_sum[2] += (double) x;
674 rtt_sum2[2] += (double) x * (double) x;
675#endif
676 }
677
678 my_socket_close (sockets[i].fd);
679 sockets[i].fd = -1;
680 sockets[i].state = GRAB_SOCKET_UNUSED;
681
682 untested_ports_nb--;
683 switch (opt)
684 {
685 case ENETUNREACH:
686 case EHOSTUNREACH:
687 ports_states[sockets[i].port] =
688 GRAB_PORT_REJECTED;
689 filtered_ports_nb++;
690 break;
691
692 case ECONNREFUSED:
693 default:
694 ports_states[sockets[i].port] =
695 GRAB_PORT_CLOSED;
696 unfiltered_ports_nb++;
697 closed_ports_nb++;
698 closed_ports_nb1++;
699 break;
700 }
701 }
702 else
703 {
704 sockets[i].state = GRAB_SOCKET_OPEN;
705 if (x > cnx_max[1])
706 cnx_max[1] = x;
707 if (x < rtt_min[1])
708 rtt_min[1] = x;
709 if (x < MAX_SANE_RTT)
710 {
711 if (x > rtt_max[1])
712 rtt_max[1] = x;
713#if defined COMPUTE_RTT
714 rtt_nb[1]++;
715 rtt_sum[1] += (double) x;
716 rtt_sum2[1] += (double) x * (double) x;
717#endif
718 }
719
720 unfiltered_ports_nb++;
721 open_ports_nb++;
722 open_ports_nb1++;
723 untested_ports_nb--;
724 ports_states[sockets[i].port] = GRAB_PORT_OPEN;
725 scanner_add_port (desc, sockets[i].port, "tcp");
726 wait_sock_nb++;
727 snprintf (kb, sizeof (kb),
728 "TCPScanner/CnxTime1000/%u",
729 sockets[i].port);
730 plug_set_key (desc, kb, ARG_INT,
731 GSIZE_TO_POINTER (x / 1000));
732 snprintf (kb, sizeof (kb),
733 "TCPScanner/CnxTime/%u",
734 sockets[i].port);
735 plug_set_key (
736 desc, kb, ARG_INT,
737 GSIZE_TO_POINTER ((x + 500000) / 1000000));
738 sockets[i].tictac = ti;
739 }
740 if (x > cnx_max[0])
741 cnx_max[0] = x;
742 if (x < rtt_min[0])
743 rtt_min[0] = x;
744 if (x < MAX_SANE_RTT)
745 {
746 if (x > rtt_max[0])
747 rtt_max[0] = x;
748#if defined COMPUTE_RTT
749 rtt_nb[0]++;
750 rtt_sum[0] += (double) x;
751 rtt_sum2[0] += (double) x * (double) x;
752#endif
753 }
754 }
755 else if (FD_ISSET (sockets[i].fd, &rfs))
756 {
757 x = read (sockets[i].fd, buf, sizeof (buf) - 1);
758 if (x > 0)
759 {
760 char buf2[sizeof (buf) * 2 + 1];
761 int y, flag = 0;
762
763 for (y = 0; y < x; y++)
764 {
765 sprintf (buf2 + 2 * y, "%02x",
766 (unsigned char) buf[y]);
767 if (buf[y] == '\0')
768 flag = 1;
769 }
770 buf2[2 * x - 1] = '\0';
771 if (flag)
772 {
773 snprintf (kb, sizeof (kb), "BannerHex/%u",
774 sockets[i].port);
775 plug_set_key (desc, kb, ARG_STRING, buf2);
776 }
777
778 buf[x] = '\0';
779 snprintf (kb, sizeof (kb), "Banner/%u",
780 sockets[i].port);
781 plug_set_key (desc, kb, ARG_STRING, buf);
782 x = DIFFTVu (ti, sockets[i].tictac) / 1000;
783 snprintf (kb, sizeof (kb),
784 "TCPScanner/RwTime1000/%u",
785 sockets[i].port);
786 plug_set_key (desc, kb, ARG_INT,
787 GSIZE_TO_POINTER (x));
788 snprintf (kb, sizeof (kb), "TCPScanner/RwTime/%u",
789 sockets[i].port);
790 plug_set_key (
791 desc, kb, ARG_INT,
792 GSIZE_TO_POINTER ((x + 500) / 1000));
793 }
794 wait_sock_nb--;
795 my_socket_close (sockets[i].fd);
796 sockets[i].fd = -1;
797 sockets[i].state = GRAB_SOCKET_UNUSED;
798 }
799 }
800 }
801 }
802
803 (void) gettimeofday (&ti, NULL);
804 for (i = 0; i < open_sock_nb; i++)
805 if (sockets[i].fd >= 0
806 && DIFFTV (ti, sockets[i].tictac) >= read_timeout)
807 {
808 switch (sockets[i].state)
809 {
810 case GRAB_SOCKET_OPEN:
811 timeout_nb++;
812 wait_sock_nb--;
813 snprintf (kb, sizeof (kb), "/tmp/NoBanner/%u",
814 sockets[i].port);
815 plug_set_key (desc, kb, ARG_INT, (void *) 1);
816 break;
817 case GRAB_SOCKET_OPENING:
818 ports_states[sockets[i].port] = GRAB_PORT_SILENT;
819 filtered_ports_nb++;
820 dropped_nb++;
821 untested_ports_nb--;
822 break;
823 default:
824 g_message (
825 "openvas_tcp_scanner: Unhandled case %d at %s:%d",
826 sockets[i].state, __FILE__, __LINE__);
827 break;
828 }
829 my_socket_close (sockets[i].fd);
830 sockets[i].fd = -1;
831 sockets[i].state = GRAB_SOCKET_UNUSED;
832 }
833
834 if (dropped_nb > 0 && dropped_nb >= (open_sock_nb * 3) / 4
835 && (dropped_nb < filtered_ports_nb
836 || dropped_nb > unfiltered_ports_nb))
837 {
838 /* firewalled machine? */
839 open_sock_max += dropped_nb;
840 if (open_sock_max2 < max_cnx)
841 open_sock_max2++;
842 }
843 else if (dropped_nb > 0)
844 {
845 dropped_flag = 1;
846 open_sock_max -= (dropped_nb + 2) / 3;
847 if (open_sock_max < min_cnx)
848 open_sock_max = min_cnx;
849 open_sock_max2 = (open_sock_max + 3 * open_sock_max2) / 4;
850 }
851 else if (dropped_nb == 0 && dropped_flag)
852 {
853 /* re-increase number of open sockets */
854 open_sock_max++;
855 }
856 open_sock_max += timeout_nb;
857 if (open_sock_max > open_sock_max2)
858 {
859 open_sock_max = open_sock_max2;
860 }
861 if (open_sock_max < min_cnx)
862 open_sock_max = min_cnx;
863 for (i = 0; i < open_sock_nb;)
864 if (sockets[i].state == GRAB_SOCKET_UNUSED || sockets[i].fd < 0)
865 {
866 for (j = i + 1; j < open_sock_nb
867 && (sockets[j].state == GRAB_SOCKET_UNUSED
868 || sockets[j].fd < 0);
869 j++)
870 ;
871 if (j < open_sock_nb)
872 memmove (sockets + i, sockets + j,
873 sizeof (*sockets) * (max_cnx - j));
874 open_sock_nb -= j - i;
875 }
876 else
877 i++;
878 }
879
880 end:
881 end_time = time (NULL);
882 diff_time1 = end_time - start_time_1pass;
883 diff_time = end_time - start_time;
884 if (dropped_flag
885 || (pass == 1 && filtered_ports_nb > 10 && closed_ports_nb > 10)
886 || (pass > 1 && filtered_ports_nb > 0))
887 {
888 if (doublecheck_flag && rst_rate_limit_flag
889 && open_ports_nb == old_opened)
890 break;
891 old_opened = open_ports_nb;
892
893 doublecheck_flag = 0;
894 if (filtered_ports_nb == old_filtered)
895 break;
896
897 if (pass > 1 && open_ports_nb1 == 0 && closed_ports_nb1 >= min_cnx &&
898 /*
899 * Default value is 100 RST per second on OpenBSD,
900 * 200 on FreeBSD and 40 on Solaris
901 */
902 /* 1st check on this pass only */
903 closed_ports_nb1 >= (diff_time1 + 1) * 10
904 && closed_ports_nb1 < (diff_time1 + 1) * 201 &&
905 /* 2nd check on all passes */
906 closed_ports_nb >= (diff_time + 1) * 10
907 && closed_ports_nb < (diff_time + 1) * 201)
908 {
909 /* BSD-like system */
910 int break_flag =
911 (open_sock_max2 <= GRAB_MAX_SOCK_SAFE) || rst_rate_limit_flag;
912 int tbd = break_flag && !doublecheck_flag
913 ? double_check_std_ports (ports_states)
914 : 0;
915 if (tbd > 0)
916 {
917 doublecheck_flag = 1;
918 break_flag = 0;
919 }
920 rst_rate_limit_flag++;
921 if (break_flag)
922 break;
923 }
924 /*
925 * With doublecheck_flag, the range of tested port is different, so
926 * we'd better count the number of filtered ports
927 */
928 old_filtered = 0;
929 for (port = 1; port <= 65535; port++)
930 if (ports_states[port] == GRAB_PORT_SILENT)
931 {
932 ports_states[port] = GRAB_PORT_UNKNOWN;
933 old_filtered++;
934 }
935 untested_ports_nb = old_filtered;
936 filtered_ports_nb = 0;
937 open_sock_max = min_cnx / (pass + 1);
938 if (open_sock_max < 1)
939 open_sock_max = 1;
940 if (!dropped_flag)
941 {
942 open_sock_max2 *= 2;
943 open_sock_max2 /= 3;
944 }
945 else if (rst_rate_limit_flag)
946 {
947 if (open_sock_max2 > GRAB_MAX_SOCK_SAFE)
948 open_sock_max2 = GRAB_MAX_SOCK_SAFE;
949 if (open_sock_max > GRAB_MAX_SOCK_SAFE)
950 open_sock_max = GRAB_MAX_SOCK_SAFE;
951 }
952 else if (open_sock_max2 <= open_sock_max)
953 open_sock_max2 = open_sock_max * 2;
954 }
955 else if (filtered_ports_nb > 0)
956 {
957 int tbd_nb = 0;
958 doublecheck_flag = 1;
959 /* Double check standard ports, just to avoid being ridiculous */
960
961 if ((tbd_nb = double_check_std_ports (ports_states)) == 0)
962 break;
963 old_filtered = untested_ports_nb = tbd_nb;
964 filtered_ports_nb = 0;
965 open_sock_max = min_cnx / pass;
966 if (open_sock_max2 <= open_sock_max)
967 open_sock_max2 = open_sock_max * 2;
968 if (open_sock_max2 > GRAB_MAX_SOCK_SAFE)
969 open_sock_max2 = GRAB_MAX_SOCK_SAFE;
970 if (open_sock_max > GRAB_MAX_SOCK_SAFE)
971 open_sock_max = GRAB_MAX_SOCK_SAFE;
972 }
973 else
974 break;
975 } /* for pass = ... */
976
977 if (pass > MAX_PASS_NB)
978 {
979 pass--;
980 filtered_ports_nb = old_filtered;
981 }
982
983 plug_set_key (desc, "TCPScanner/NbPasses", ARG_INT, GSIZE_TO_POINTER (pass));
984
985#if defined COMPUTE_RTT
986 for (i = 0; i < 3; i++)
987 if (rtt_nb[i] > 0)
988 {
989 char rep[64];
990 double crtt_mean, crtt_sd = -1.0, crtt_emax = -1.0;
991
992 /* Convert from micro-seconds to seconds */
993 rtt_sum[i] /= 1e6;
994 rtt_sum2[i] /= 1e12;
995
996 crtt_mean = rtt_sum[i] / rtt_nb[i];
997 snprintf (rep, sizeof (rep), "%6g", crtt_mean);
998 snprintf (kb, sizeof (kb), "TCPScanner/%s/MeanRTT", rtt_type[i]);
999 plug_set_key (desc, kb, ARG_STRING, rep);
1000 x = floor (crtt_mean * 1000 + 0.5);
1001 snprintf (kb, sizeof (kb), "TCPScanner/%s/MeanRTT1000", rtt_type[i]);
1002 plug_set_key (desc, kb, ARG_INT, GSIZE_TO_POINTER (x));
1003 /* rtt_max is integer (uS) */
1004 snprintf (kb, sizeof (kb), "TCPScanner/%s/MaxRTT1000", rtt_type[i]);
1005 plug_set_key (desc, kb, ARG_INT,
1006 GSIZE_TO_POINTER ((rtt_max[i] + 500) / 1000));
1007 snprintf (rep, sizeof (rep), "%6g",
1008 (rtt_max[i] + 500000.0) / 1000000.0);
1009 snprintf (kb, sizeof (kb), "TCPScanner/%s/MaxRTT", rtt_type[i]);
1010 plug_set_key (desc, kb, ARG_STRING, rep);
1011 if (rtt_nb[i] > 1)
1012 {
1013 crtt_sd = sqrt ((rtt_sum2[i] / rtt_nb[i] - crtt_mean * crtt_mean)
1014 * rtt_nb[i] / (rtt_nb[i] - 1));
1015 crtt_emax = crtt_mean + 3 * crtt_sd;
1016 snprintf (rep, sizeof (rep), "%6g", crtt_sd);
1017 snprintf (kb, sizeof (kb), "TCPScanner/%s/SDRTT", rtt_type[i]);
1018 plug_set_key (desc, kb, ARG_STRING, rep);
1019 x = floor (crtt_sd * 1000 + 0.5);
1020 snprintf (kb, sizeof (kb), "TCPScanner/%s/SDRTT1000", rtt_type[i]);
1021 plug_set_key (desc, kb, ARG_INT, GSIZE_TO_POINTER (x));
1022 snprintf (rep, sizeof (rep), "%6g", crtt_emax);
1023 snprintf (kb, sizeof (kb), "TCPScanner/%s/EstimatedMaxRTT",
1024 rtt_type[i]);
1025 plug_set_key (desc, kb, ARG_STRING, rep);
1026 x = floor (crtt_emax * 1000 + 0.5);
1027 snprintf (kb, sizeof (kb), "TCPScanner/%s/EstimatedMaxRTT1000",
1028 rtt_type[i]);
1029 plug_set_key (desc, kb, ARG_INT, GSIZE_TO_POINTER (x));
1030 }
1031 }
1032#endif
1033 plug_set_key (desc, "TCPScanner/OpenPortsNb", ARG_INT,
1034 GSIZE_TO_POINTER (open_ports_nb));
1035 plug_set_key (desc, "TCPScanner/ClosedPortsNb", ARG_INT,
1036 GSIZE_TO_POINTER (closed_ports_nb));
1037 plug_set_key (desc, "TCPScanner/FilteredPortsNb", ARG_INT,
1038 GSIZE_TO_POINTER (filtered_ports_nb));
1039 plug_set_key (desc, "TCPScanner/RSTRateLimit", ARG_INT,
1040 GSIZE_TO_POINTER (rst_rate_limit_flag));
1041 if (untested_ports_nb <= 0)
1042 plug_set_key (desc, "Host/full_scan", ARG_INT, GSIZE_TO_POINTER (1));
1043 plug_set_key (desc, "Host/num_ports_scanned", ARG_INT,
1044 GSIZE_TO_POINTER ((total_ports_nb - untested_ports_nb)));
1045 return 0;
1046}
1047
1048tree_cell *
1049plugin_run_openvas_tcp_scanner (lex_ctxt *lexic)
1050{
1051 struct script_infos *desc = lexic->script_infos;
1052 const char *port_range = prefs_get ("port_range");
1053 const char *p;
1054 struct in6_addr *p_addr;
1055 unsigned int timeout = 0, max_cnx, min_cnx, x;
1056 int safe_checks = prefs_get_bool ("safe_checks");
1057
1058 p = prefs_get ("checks_read_timeout");
1059 if (p != NULL)
1060 timeout = atoi (p);
1061 if (timeout <= 0)
1062 timeout = 5;
1063 {
1064 int max_host = 0, max_checks = 0, cur_sys_fd = 0, max_sys_fd = 0;
1065 struct rlimit rlim;
1066 FILE *fp;
1067 int i;
1068 double loadavg[3], maxloadavg = -1.0;
1069 int stderr_fd = dup (2);
1070 int devnull_fd = open ("/dev/null", O_WRONLY);
1071 /* Avoid error messages from sysctl */
1072 if (devnull_fd <= 0)
1073 {
1074 if (stderr_fd != -1)
1075 close (stderr_fd);
1076 return NULL;
1077 }
1078 dup2 (devnull_fd, 2);
1079
1080 p = prefs_get ("max_hosts");
1081 if (p != NULL)
1082 max_host = atoi (p);
1083 if (max_host <= 0)
1084 max_host = 15;
1085
1086 p = prefs_get ("max_checks");
1087 if (p != NULL)
1088 max_checks = atoi (p);
1089 if (max_checks <= 0 || max_checks > 5)
1090 {
1091 max_checks = 5; /* bigger values do not make sense */
1092 g_debug ("openvas_tcp_scanner: max_checks forced to %d", max_checks);
1093 }
1094
1095 min_cnx = 8 * max_checks;
1096 if (safe_checks)
1097 max_cnx = 24 * max_checks;
1098 else
1099 max_cnx = 80 * max_checks;
1100
1101 getloadavg (loadavg, 3);
1102 for (i = 0; i < 3; i++)
1103 if (loadavg[i] > maxloadavg)
1104 maxloadavg = loadavg[i];
1105
1106 if (max_sys_fd <= 0)
1107 {
1108 fp = popen ("sysctl fs.file-nr", "r");
1109 if (fp != NULL)
1110 {
1111 if (fscanf (fp, "%*s = %*d %d %d", &cur_sys_fd, &max_sys_fd) == 1)
1112 max_sys_fd -= cur_sys_fd;
1113 else
1114 max_sys_fd = 0;
1115 pclose (fp);
1116 }
1117 }
1118 if (max_sys_fd <= 0)
1119 {
1120 fp = popen ("sysctl fs.file-max", "r");
1121 if (fp != NULL)
1122 {
1123 if (fscanf (fp, "%*s = %d", &max_sys_fd) < 1)
1124 max_sys_fd = 0;
1125 pclose (fp);
1126 }
1127 }
1128
1129 if (max_sys_fd <= 0)
1130 {
1131 fp = popen ("sysctl kern.maxfiles", "r");
1132 if (fp != NULL)
1133 {
1134 if (fscanf (fp, "%*s = %d", &max_sys_fd) < 1)
1135 max_sys_fd = 0;
1136 pclose (fp);
1137 }
1138 }
1139
1140 /* Restore stderr */
1141 close (devnull_fd);
1142 dup2 (stderr_fd, 2);
1143 close (stderr_fd);
1144
1145 if (maxloadavg >= 0.0)
1146 max_cnx /= (1.0 + maxloadavg);
1147
1148 if (max_sys_fd <= 0)
1149 max_sys_fd = 16384; /* reasonable default */
1150 /* Let's leave at least 1024 FD for other processes */
1151 if (max_sys_fd < 1024)
1152 x = GRAB_MIN_SOCK;
1153 else
1154 {
1155 max_sys_fd -= 1024;
1156 x = max_sys_fd / max_host;
1157 }
1158 if (max_cnx > x)
1159 max_cnx = x;
1160 if (max_cnx > GRAB_MAX_SOCK)
1161 max_cnx = GRAB_MAX_SOCK;
1162 if (max_cnx < GRAB_MIN_SOCK)
1163 max_cnx = GRAB_MIN_SOCK;
1164
1165 if (safe_checks && max_cnx > GRAB_MAX_SOCK_SAFE)
1166 max_cnx = GRAB_MAX_SOCK_SAFE;
1167
1168 if (getrlimit (RLIMIT_NOFILE, &rlim) < 0)
1169 perror ("getrlimit(RLIMIT_NOFILE)");
1170 else
1171 {
1172 /* value = one greater than the maximum file descriptor number */
1173 if (rlim.rlim_cur != RLIM_INFINITY && max_cnx >= rlim.rlim_cur)
1174 max_cnx = rlim.rlim_cur - 1;
1175 }
1176 x = max_cnx / 2;
1177 if (min_cnx > x)
1178 min_cnx = x > 0 ? x : 1;
1179 }
1180
1181 p_addr = desc->ip;
1182 if (p_addr == NULL)
1183 return NULL; // TODO: before it returned "1";
1184 if (banner_grab (p_addr, port_range, timeout, min_cnx, max_cnx, desc) < 0)
1185 return NULL; // TODO: before it returned "1";
1186 plug_set_key (desc, "Host/scanned", ARG_INT, (void *) 1);
1187 plug_set_key (desc, "Host/scanners/openvas_tcp_scanner", ARG_INT, (void *) 1);
1188 return NULL;
1189}
GRAB_MIN_SOCK
#define GRAB_MIN_SOCK
Definition nasl_builtin_openvas_tcp_scanner.c:41
MAX_SANE_RTT
#define MAX_SANE_RTT
Definition nasl_builtin_openvas_tcp_scanner.c:100
GRAB_MAX_SOCK
#define GRAB_MAX_SOCK
Definition nasl_builtin_openvas_tcp_scanner.c:35
GRAB_PORT_CLOSED
#define GRAB_PORT_CLOSED
Definition nasl_builtin_openvas_tcp_scanner.c:84
GRAB_PORT_OPEN
#define GRAB_PORT_OPEN
Definition nasl_builtin_openvas_tcp_scanner.c:85
DIFFTV
#define DIFFTV(t1, t2)
Definition nasl_builtin_openvas_tcp_scanner.c:74
GRAB_PORT_SILENT
#define GRAB_PORT_SILENT
Definition nasl_builtin_openvas_tcp_scanner.c:86
GRAB_PORT_TESTING
#define GRAB_PORT_TESTING
Definition nasl_builtin_openvas_tcp_scanner.c:89
DIFFTVu
#define DIFFTVu(t1, t2)
Definition nasl_builtin_openvas_tcp_scanner.c:76
GRAB_PORT_UNKNOWN
#define GRAB_PORT_UNKNOWN
Definition nasl_builtin_openvas_tcp_scanner.c:83
plugin_run_openvas_tcp_scanner
tree_cell * plugin_run_openvas_tcp_scanner(lex_ctxt *lexic)
Definition nasl_builtin_openvas_tcp_scanner.c:1049
GRAB_MAX_SOCK_SAFE
#define GRAB_MAX_SOCK_SAFE
Definition nasl_builtin_openvas_tcp_scanner.c:48
std_port
static int std_port(int port)
Definition nasl_builtin_openvas_tcp_scanner.c:112
GRAB_PORT_REJECTED
#define GRAB_PORT_REJECTED
Definition nasl_builtin_openvas_tcp_scanner.c:87
GRAB_SOCKET_OPENING
#define GRAB_SOCKET_OPENING
Definition nasl_builtin_openvas_tcp_scanner.c:80
my_socket_close
static int my_socket_close(int s)
Definition nasl_builtin_openvas_tcp_scanner.c:103
double_check_std_ports
static int double_check_std_ports(unsigned char *ports_states)
Definition nasl_builtin_openvas_tcp_scanner.c:123
MAXINT
#define MAXINT
Definition nasl_builtin_openvas_tcp_scanner.c:57
GRAB_SOCKET_UNUSED
#define GRAB_SOCKET_UNUSED
Definition nasl_builtin_openvas_tcp_scanner.c:79
MAX_PASS_NB
#define MAX_PASS_NB
Definition nasl_builtin_openvas_tcp_scanner.c:54
GRAB_SOCKET_OPEN
#define GRAB_SOCKET_OPEN
Definition nasl_builtin_openvas_tcp_scanner.c:81
GRAB_PORT_NOT_TESTED
#define GRAB_PORT_NOT_TESTED
Definition nasl_builtin_openvas_tcp_scanner.c:88
banner_grab
static int banner_grab(const struct in6_addr *pia, const char *portrange, const int read_timeout, int min_cnx, int max_cnx, struct script_infos *desc)
Definition nasl_builtin_openvas_tcp_scanner.c:144
nasl_builtin_plugins.h
Header file for built-in plugins.
timeval
static struct timeval timeval(unsigned long val)
Definition nasl_builtin_synscan.c:94
nasl_lex_ctxt.h
lex_ctxt
struct struct_lex_ctxt lex_ctxt
len
uint8_t len
Definition nasl_packet_forgery.c:1
safe_checks
tree_cell * safe_checks(lex_ctxt *lexic)
Definition nasl_scanner_glue.c:616
tree_cell
struct TC tree_cell
network.h
Header file for module network.
scanner_add_port
void scanner_add_port(struct script_infos *args, int port, char *proto)
Definition plugutils.c:1146
plug_set_key
void plug_set_key(struct script_infos *args, char *name, int type, const void *value)
Definition plugutils.c:1055
plug_get_key
void * plug_get_key(struct script_infos *args, char *name, int *type, size_t *len, int single)
Get values from a kb under the given key name.
Definition plugutils.c:1226
plugutils.h
Header file for module plugutils.
ARG_STRING
#define ARG_STRING
Definition plugutils.h:19
ARG_INT
#define ARG_INT
Definition plugutils.h:20
grab_socket_t
Definition nasl_builtin_openvas_tcp_scanner.c:67
grab_socket_t::fd
int fd
Definition nasl_builtin_openvas_tcp_scanner.c:68
grab_socket_t::state
unsigned char state
Definition nasl_builtin_openvas_tcp_scanner.c:71
grab_socket_t::port
unsigned short port
Definition nasl_builtin_openvas_tcp_scanner.c:70
grab_socket_t::tictac
struct timeval tictac
Definition nasl_builtin_openvas_tcp_scanner.c:69
script_infos
Definition scanneraux.h:29
script_infos::ip
struct in6_addr * ip
Definition scanneraux.h:37
struct_lex_ctxt::script_infos
struct script_infos * script_infos
Definition nasl_lex_ctxt.h:33