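/*
 * Decode one fixed-size (12-byte) binary scan record from `buf` and
 * report it with the caller-supplied open/closed status.
 *
 * Record layout (all multi-byte fields big-endian), as read below:
 *   bytes 0..3  timestamp
 *   bytes 4..7  IPv4 address
 *   bytes 8..9  port
 *   byte  10    reason
 *   byte  11    TTL
 *
 * A buffer shorter than 12 bytes is dropped without touching it.
 */
static void
parse_status(struct Output *out,
             enum PortStatus status, /* open/closed */
             const unsigned char *buf, size_t buf_length)
{
    struct MasscanRecord record;

    /* Never read past the end of a truncated record. */
    if (buf_length < 12)
        return;

    /*
     * Cast each byte to unsigned before shifting.  An unsigned char is
     * promoted to (signed) int, so `buf[i] << 24` with buf[i] >= 0x80 is
     * signed overflow -- undefined behavior -- which happens for every
     * address in 128.0.0.0/1 and for every timestamp past 2038.
     */
    record.timestamp = (unsigned)buf[0] << 24
                     | (unsigned)buf[1] << 16
                     | (unsigned)buf[2] << 8
                     | (unsigned)buf[3];
    record.ip = (unsigned)buf[4] << 24
              | (unsigned)buf[5] << 16
              | (unsigned)buf[6] << 8
              | (unsigned)buf[7];
    record.port = (unsigned)buf[8] << 8 | (unsigned)buf[9];
    record.reason = buf[10];
    record.ttl = buf[11];

    /* Hand the decoded record to the output layer. */
    output_report_status(out,
                         record.timestamp,
                         status,
                         record.ip,
                         record.port,
                         record.reason,
                         record.ttl);
}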
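/*
 * Dispatch a received UDP packet to the parser for the source port it
 * came from, and report the port as open when that parser returns 0.
 *
 * out       - destination for results
 * timestamp - capture time of the packet, passed through to handlers
 * px/length - the packet; `parsed` holds the offsets into it
 * parsed    - pre-parsed header info (source IP/port, app offset/length,
 *             source MAC)
 * entropy   - seed passed through to the per-protocol handlers
 *
 * The memcached and default parsers are given only the application
 * payload (px + app_offset, app_length); every other handler is given
 * the same px/length this function received.
 */
void
handle_udp(struct Output *out, time_t timestamp,
           const unsigned char *px, unsigned length,
           struct PreprocessedInfo *parsed, uint64_t entropy)
{
    unsigned port_them = parsed->port_src;
    unsigned status = 0;
    unsigned ip_them;

    /*
     * Cast before shifting: an unsigned char promotes to int, and
     * `int << 24` with a first octet >= 0x80 (any address in
     * 128.0.0.0/1) is signed overflow, i.e. undefined behavior.
     */
    ip_them = (unsigned)parsed->ip_src[0] << 24
            | (unsigned)parsed->ip_src[1] << 16
            | (unsigned)parsed->ip_src[2] << 8
            | (unsigned)parsed->ip_src[3];

    switch (port_them) {
    case 53: /* DNS - Domain Name System (amplifier) */
        status = handle_dns(out, timestamp, px, length, parsed, entropy);
        break;
    case 123: /* NTP - Network Time Protocol (amplifier) */
        status = ntp_handle_response(out, timestamp, px, length, parsed, entropy);
        break;
    case 137: /* NetBIOS (amplifier) */
        status = handle_nbtstat(out, timestamp, px, length, parsed, entropy);
        break;
    case 161: /* SNMP - Simple Network Management Protocol (amplifier) */
        status = handle_snmp(out, timestamp, px, length, parsed, entropy);
        break;
    case 11211: /* memcached (amplifier) */
        px += parsed->app_offset;
        length = parsed->app_length;
        status = memcached_udp_parse(out, timestamp, px, length, parsed, entropy);
        break;
    case 16464:
    case 16465:
    case 16470:
    case 16471:
        status = handle_zeroaccess(out, timestamp, px, length, parsed, entropy);
        break;
    default:
        px += parsed->app_offset;
        length = parsed->app_length;
        status = default_udp_parse(out, timestamp, px, length, parsed, entropy);
        break;
    }

    /*
     * A zero status falls back to a generic "open" report; presumably a
     * non-zero status means the handler reported on its own -- confirm
     * against the handlers.
     */
    if (status == 0)
        output_report_status(out, timestamp, PortStatus_Open, ip_them,
                             17, /* ip proto = udp */
                             port_them, 0, 0, parsed->mac_src);
}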
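/*
 * Dispatch a received UDP packet to the parser for its source port and
 * report the port as open when that parser returns 0 (or when no parser
 * exists for the port, since `status` then stays 0).
 *
 * out       - destination for results
 * timestamp - capture time of the packet
 * px/length - the packet; `parsed` holds the offsets into it
 * parsed    - pre-parsed header info (source IP and port)
 */
void
handle_udp(struct Output *out, time_t timestamp,
           const unsigned char *px, unsigned length,
           struct PreprocessedInfo *parsed)
{
    unsigned port_them = parsed->port_src;
    unsigned status = 0;
    unsigned ip_them;

    /*
     * Cast before shifting: an unsigned char promotes to int, and
     * `int << 24` with a first octet >= 0x80 (any address in
     * 128.0.0.0/1) is signed overflow, i.e. undefined behavior.
     */
    ip_them = (unsigned)parsed->ip_src[0] << 24
            | (unsigned)parsed->ip_src[1] << 16
            | (unsigned)parsed->ip_src[2] << 8
            | (unsigned)parsed->ip_src[3];

    switch (port_them) {
    case 53: /* DNS */
        status = handle_dns(out, timestamp, px, length, parsed);
        break;
    case 123: /* NTP */
        status = ntp_handle_response(out, timestamp, px, length, parsed);
        break;
    case 137: /* NetBIOS */
        status = handle_nbtstat(out, timestamp, px, length, parsed);
        break;
    case 161: /* SNMP */
        status = handle_snmp(out, timestamp, px, length, parsed);
        break;
    case 16464:
    case 16465:
    case 16470:
    case 16471:
        status = handle_zeroaccess(out, timestamp, px, length, parsed);
        break;
    default:
        /* No protocol-specific parser: fall through to the generic report. */
        break;
    }

    if (status == 0)
        output_report_status(out, timestamp, PortStatus_Open, ip_them,
                             17, /* ip proto = udp */
                             port_them, 0, 0);
}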
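/*
 * Report the sender of a received ARP packet as an ARP-responding host.
 *
 * Only the pre-parsed source IP is used; `px` and `length` are accepted
 * for interface uniformity with the other handlers and are not read.
 */
void
handle_arp(struct Output *out,
           const unsigned char *px, unsigned length,
           struct PreprocessedInfo *parsed)
{
    unsigned ip_them;

    UNUSEDPARM(length);
    UNUSEDPARM(px);

    /*
     * Cast before shifting: an unsigned char promotes to int, and
     * `int << 24` with a first octet >= 0x80 (any address in
     * 128.0.0.0/1) is signed overflow, i.e. undefined behavior.
     */
    ip_them = (unsigned)parsed->ip_src[0] << 24
            | (unsigned)parsed->ip_src[1] << 16
            | (unsigned)parsed->ip_src[2] << 8
            | (unsigned)parsed->ip_src[3];

    output_report_status(out, Port_ArpOpen, ip_them, 0, 0, 0);
}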
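/*
 * Handle an incoming ICMP packet.
 *
 * Echo replies (type 0) whose sequence number matches our hash for the
 * sender mark that host as responding.  Port-unreachable errors
 * (type 3, code 3) that quote one of our own UDP probes mark the probed
 * UDP port as closed.  Every other ICMP message is ignored.
 *
 * out       - destination for results
 * px/length - the packet; `parsed` holds the offsets into it
 * parsed    - pre-parsed header info; port_src/port_dst apparently carry
 *             the ICMP type/code here, and ip_offset/transport_offset
 *             locate the IP and ICMP headers
 */
void
handle_icmp(struct Output *out,
            const unsigned char *px, unsigned length,
            struct PreprocessedInfo *parsed)
{
    unsigned type = parsed->port_src;
    unsigned code = parsed->port_dst;
    unsigned seqno_me;
    unsigned ip_them;

    /*
     * Bytes 4..7 of the ICMP header are read unconditionally below, so a
     * truncated packet must be rejected first; this also keeps the
     * unsigned `length - transport_offset` arithmetic in the
     * port-unreachable branch from wrapping.
     */
    if (length < 8 || length - 8 < parsed->transport_offset)
        return;

    /*
     * Cast before shifting: an unsigned char promotes to int, and
     * `int << 24` with a byte >= 0x80 is signed overflow (undefined
     * behavior) -- hit by every address in 128.0.0.0/1 and by half of
     * all sequence numbers.
     */
    ip_them = (unsigned)parsed->ip_src[0] << 24
            | (unsigned)parsed->ip_src[1] << 16
            | (unsigned)parsed->ip_src[2] << 8
            | (unsigned)parsed->ip_src[3];

    seqno_me = (unsigned)px[parsed->transport_offset + 4] << 24
             | (unsigned)px[parsed->transport_offset + 5] << 16
             | (unsigned)px[parsed->transport_offset + 6] << 8
             | (unsigned)px[parsed->transport_offset + 7];

    switch (type) {
    case 0: /* ICMP echo reply */
        if (syn_hash(ip_them, Templ_ICMP_echo) != seqno_me)
            return; /* not my response */

        /* Report "open" or "existence" of host. */
        output_report_status(out, Port_IcmpEchoResponse, ip_them, 0, 0, 0);
        break;

    case 3: /* destination unreachable */
        switch (code) {
        case 0: /* net unreachable */
        case 1: /* host unreachable */
        case 2: /* protocol unreachable */
            break;

        case 3: /* port unreachable */
            /* Require at least one byte of quoted datagram after the 8-byte ICMP header. */
            if (length - parsed->transport_offset > 8) {
                unsigned ip_me2, ip_them2, port_me2, port_them2;
                int err;

                /*
                 * The quoted datagram starts 8 bytes into the ICMP header,
                 * so the bytes available to the parser are
                 * (length - transport_offset - 8).  The previous "+ 8"
                 * overstated the buffer by 16 bytes and let
                 * parse_port_unreachable() read past the end of the packet.
                 */
                err = parse_port_unreachable(
                        px + parsed->transport_offset + 8,
                        length - parsed->transport_offset - 8,
                        &ip_me2, &ip_them2, &port_me2, &port_them2);
                if (err)
                    return;
                if (!matches_me(out, ip_me2, port_me2))
                    return;

                /* Last argument is byte 8 of the outer IP header (the TTL, if ip_offset is an IPv4 header). */
                output_report_status(out, Port_UdpClosed, ip_them2, port_them2, 0,
                                     px[parsed->ip_offset + 8]);
            }
            break;

        default:
            break;
        }
        break;

    default:
        break;
    }
}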
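/***************************************************************************
 * This is where we handle all incoming ICMP packets. Some of these packets
 * will be due to scans we are doing, like pings (echoes). Some will
 * be inadvertent, such as "destination unreachable" messages.
 *
 * Echo replies (type 0) are accepted only when the sequence number
 * carries our SYN cookie for (ip_them, ip_me).  Port-unreachable errors
 * (type 3, code 3) that quote one of our own TCP/UDP/SCTP probes mark the
 * probed port as closed.  Everything else is ignored.
 *
 * out       - destination for results
 * timestamp - capture time of the packet
 * px/length - the packet; `parsed` holds the offsets into it
 * parsed    - pre-parsed header info; port_src/port_dst apparently carry
 *             the ICMP type/code here, and ip_offset/transport_offset
 *             locate the IP and ICMP headers
 ***************************************************************************/
void
handle_icmp(struct Output *out, time_t timestamp,
            const unsigned char *px, unsigned length,
            struct PreprocessedInfo *parsed)
{
    unsigned type = parsed->port_src;
    unsigned code = parsed->port_dst;
    unsigned seqno_me;
    unsigned ip_me;
    unsigned ip_them;
    unsigned cookie;

    /*
     * Bytes 4..7 of the ICMP header are read unconditionally below, so a
     * truncated packet must be rejected first; this also keeps the
     * unsigned `length - transport_offset` arithmetic in the
     * port-unreachable branch from wrapping.
     */
    if (length < 8 || length - 8 < parsed->transport_offset)
        return;

    /*
     * Cast before shifting: an unsigned char promotes to int, and
     * `int << 24` with a byte >= 0x80 is signed overflow (undefined
     * behavior) -- hit by every address in 128.0.0.0/1 and by half of
     * all sequence numbers.
     */
    ip_me = (unsigned)parsed->ip_dst[0] << 24
          | (unsigned)parsed->ip_dst[1] << 16
          | (unsigned)parsed->ip_dst[2] << 8
          | (unsigned)parsed->ip_dst[3];
    ip_them = (unsigned)parsed->ip_src[0] << 24
            | (unsigned)parsed->ip_src[1] << 16
            | (unsigned)parsed->ip_src[2] << 8
            | (unsigned)parsed->ip_src[3];

    seqno_me = (unsigned)px[parsed->transport_offset + 4] << 24
             | (unsigned)px[parsed->transport_offset + 5] << 16
             | (unsigned)px[parsed->transport_offset + 6] << 8
             | (unsigned)px[parsed->transport_offset + 7];

    switch (type) {
    case 0: /* ICMP echo reply */
        /* Only the low 32 bits of the cookie are carried in the sequence field. */
        cookie = (unsigned)syn_cookie(ip_them, Templ_ICMP_echo, ip_me, 0);
        if ((cookie & 0xFFFFFFFF) != seqno_me)
            return; /* not my response */

        /* Report "open" or "existence" of host. */
        output_report_status(out, timestamp, PortStatus_Open, ip_them,
                             1, /* ip proto */
                             0, 0, 0);
        break;

    case 3: /* destination unreachable */
        switch (code) {
        case 0: /* net unreachable */
            /* We get these a lot while port scanning, often a flood coming
             * back from broken/misconfigured networks */
            break;
        case 1: /* host unreachable */
            /* This means the router doesn't exist */
            break;
        case 2: /* protocol unreachable */
            /* The host exists, but it doesn't support SCTP */
            break;

        case 3: /* port unreachable */
            /* Require at least one byte of quoted datagram after the 8-byte ICMP header. */
            if (length - parsed->transport_offset > 8) {
                unsigned ip_me2, ip_them2, port_me2, port_them2;
                unsigned ip_proto;
                int err;

                /*
                 * The quoted datagram starts 8 bytes into the ICMP header,
                 * so the bytes available to the parser are
                 * (length - transport_offset - 8).  The previous "+ 8"
                 * overstated the buffer by 16 bytes and let
                 * parse_port_unreachable() read past the end of the packet.
                 */
                err = parse_port_unreachable(
                        px + parsed->transport_offset + 8,
                        length - parsed->transport_offset - 8,
                        &ip_me2, &ip_them2, &port_me2, &port_them2,
                        &ip_proto);
                if (err)
                    return;
                if (!matches_me(out, ip_me2, port_me2))
                    return;

                /*
                 * The three transport protocols we probe share one
                 * identical report; anything else quoted in the error is
                 * not ours to report.  Last argument is byte 8 of the
                 * outer IP header (the TTL, if ip_offset is an IPv4 header).
                 */
                switch (ip_proto) {
                case 6:   /* TCP */
                case 17:  /* UDP */
                case 132: /* SCTP */
                    output_report_status(out, timestamp, PortStatus_Closed,
                                         ip_them2, ip_proto, port_them2, 0,
                                         px[parsed->ip_offset + 8]);
                    break;
                default:
                    break;
                }
            }
            break;

        default:
            break;
        }
        break;

    default:
        break;
    }
}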