/*****************************************************************************
 *                                                                           *
 *                          --[NPING TO-DO LIST]--                           *
 *                                                                           *
 *****************************************************************************/

This file contains Nping's to-do list. Items are listed in order of priority
(high priority items are listed first). Feel free to work on any of the items
on the list. However, if you'd like to work on something that is not trivial
to implement you may want to send a message to the nmap-dev list before you
start so other developers can see what you are planning to do. Make sure you
explain exactly what you are trying to fix/implement and how you are planning
to do it. It's always better to discuss bugfixes and new feature additions in
advance because they may actually have bigger implications than you think and
you may not get your patch accepted.

Please keep in mind that contributed code must:

 * Be written in C++.
 * Include comments so anyone can understand immediately what it does.
 * Work on Linux, Mac OS and MS Windows. It's OK if you have not tested the
   code on all those platforms, but at least keep portability in mind when you
   write it and include a list of systems you've tested it on along with your
   patch.

Questions, comments and patches should be sent to the Nmap development mailing
list (nmap-dev). To subscribe:

/*****************************************************************************
 * Things that have NOT been done yet                                        *
 *****************************************************************************/

 * In echo server mode, when users don't pass any network interface, one is
   selected automatically. Consider opening a pcap descriptor for every
   interface on the system so we listen on all of them (all that have at least
   one IP address, of course).
 * Fix test ICMP_90, which fails. "5" gets parsed as an IP address when it
   should fatal().

 * Investigate an assertion failure in FreeBSD. This doesn't happen when the
   --no-capture parameter is passed, so it has to do with PCAP_READ events in
   nsock.

     # ./nping google.com
     Starting Nping 8.5.82 ( http://nmap.org/nping ) at 2812-18-89 83:48 UTC
     SENT (0.0000s) IPv4[192.168.1.47 > 74.125.238.231 ttl=64 id=27242 iplen=28] ICMPv4[Echo request id=68871 seq=0]
     SENT (1.0100s) IPv4[192.168.1.47 > 74.125.238.231 ttl=64 id=27243 iplen=28] ICMPv4[Echo request id=68871 seq=1]
     SENT (2.0000s) IPv4[192.168.1.47 > 74.125.238.231 ttl=64 id=27244 iplen=28] ICMPv4[Echo request id=68871 seq=2]
     SENT (3.0000s) IPv4[192.168.1.47 > 74.125.238.231 ttl=64 id=27245 iplen=28] ICMPv4[Echo request id=68871 seq=3]
     SENT (4.0000s) IPv4[192.168.1.47 > 74.125.238.231 ttl=64 id=27246 iplen=28] ICMPv4[Echo request id=68871 seq=4]
     assertion failed: (nse->iod->events_pending >= 0), function nsp_delete, file nsock_pool.c, line 244.
     Abort (core dumped)

 * Implement version 2 of ICMPv6 MLD. Check RFC 3810.

 * Provide a way to pass Node Information data. Currently users can use
   --data-string, --data-len or --data, but there is no way to, for example,
   pass an IPv6 address.

 * Do endianness conversion in ICMPv6 Node Information nonces. For some reason,
   be64toh() and htobe64() do not seem to work well on my machine.

 * Implement ICMPv6 Options.

 * Implement the "Prf" 2-bit flag for ICMPv6 Router Advertisement.

 * Make nping able to determine RTTs in TCP-Connect and UDP-Unprivileged modes.

 * Packets captured seem to include things like the 2-byte Ethernet trailing
   checksum. Check nse_readpcap() is working correctly. UPDATE: It seems to be
   the Linux cooked capture. We need to investigate this in more detail to see
   if we can introduce some code to handle it.

     sudo ./nping google.com --tcp
     Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-08-05 19:44 CEST
     SENT (0.0000s) IPv4[192.168.1.171 > 74.125.230.196 ttl=64 id=56884 iplen=40] TCP[12784 > 80 S seq=1741618064 win=1480]
     RCVD (0.0240s) IPv4[74.125.230.196 > 192.168.1.171 ttl=55 id=19908 iplen=44] TCP[80 > 12784 SA seq=2851297000 ack=1741618065 win=14300 ] Payload[2 bytes]

 * Decide on packet output. Ideally, each PacketElement class should print
   itself. That's what we do now, but the problem is that we don't get
   "IP:Port > IP:Port" output like 192.168.1.3:4456 > 72.1.1.1:80, because the
   IPv4Header class doesn't know about the TCPHeader class that follows. Is it
   acceptable to print IPv4[...] TCP[...] or do we want to have the original
   nping output back?

 * Now that nping has multi-packet support, consider extending the echo
   protocol so multiple types of packets can be matched by the echo server.
   This could be done by allowing one NEP_PACKET_SPEC per transport protocol
   (IP, TCP, UDP).

 * Sometimes, the last response is not printed (or captured). This happens, at
   least, when -c1 is passed. Apparently with -c2 it does not happen, but this
   needs to be verified.
     sudo ./nping localhost nmap.org -c1
     Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-08-05 20:24 CEST
     SENT (0.0000s) IPv4[127.0.0.1 > 127.0.0.1 ttl=64 id=11917 iplen=28] ICMPv4[Echo request id=890 seq=0]
     RCVD (0.0000s) IPv4[127.0.0.1 > 127.0.0.1 ttl=64 id=32688 iplen=28] ICMPv4[Echo reply id=890 seq=0]
     SENT (0.9930s) IPv4[192.168.1.171 > 74.207.254.18 ttl=64 id=11917 iplen=28] ICMPv4[Echo request id=890 seq=0]

     Statistics for host 127.0.0.1:
      |_ Raw packets sent: 1 (28B) | Rcvd: 1 (28B) | Lost: 0 (0.00%)
      |_ Max rtt: 0.190ms | Min rtt: 0.190ms | Avg rtt: 0.190ms
     Statistics for host 74.207.254.18:
      |_ Raw packets sent: 1 (28B) | Rcvd: 0 (0B) | Lost: 1 (100.00%)
      |_ Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
     Raw packets sent: 2 (56B) | Rcvd: 1 (28B) | Lost: 1 (50.00%)
     Tx time: 0.99239s | Tx bytes/s: 56.43 | Tx pkts/s: 2.02
     Rx time: 0.99240s | Rx bytes/s: 28.21 | Rx pkts/s: 1.01
     Nping done: 2 IP addresses pinged in 1.08 seconds

     sudo ./nping localhost nmap.org -c2
     Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-08-05 20:24 CEST
     SENT (0.0000s) IPv4[127.0.0.1 > 127.0.0.1 ttl=64 id=58343 iplen=28] ICMPv4[Echo request id=803 seq=0]
     RCVD (0.0000s) IPv4[127.0.0.1 > 127.0.0.1 ttl=64 id=32689 iplen=28] ICMPv4[Echo reply id=803 seq=0]
     SENT (1.0000s) IPv4[192.168.1.171 > 74.207.254.18 ttl=64 id=58343 iplen=28] ICMPv4[Echo request id=803 seq=0]
     RCVD (1.1770s) IPv4[74.207.254.18 > 192.168.1.171 ttl=52 id=29325 iplen=28] ICMPv4[Echo reply id=803 seq=0] Payload[18 bytes]
     SENT (2.0010s) IPv4[127.0.0.1 > 127.0.0.1 ttl=64 id=58344 iplen=28] ICMPv4[Echo request id=803 seq=1]
     RCVD (2.0010s) IPv4[127.0.0.1 > 127.0.0.1 ttl=64 id=32690 iplen=28] ICMPv4[Echo reply id=803 seq=1]
     SENT (3.0000s) IPv4[192.168.1.171 > 74.207.254.18 ttl=64 id=58344 iplen=28] ICMPv4[Echo request id=803 seq=1]
     RCVD (3.1820s) IPv4[74.207.254.18 > 192.168.1.171 ttl=52 id=29326 iplen=28] ICMPv4[Echo reply id=803 seq=1] Payload[18 bytes]

     Statistics for host 127.0.0.1:
      |_ Raw packets sent: 2 (56B) | Rcvd: 2 (56B) | Lost: 0 (0.00%)
      |_ Max rtt: 0.182ms | Min rtt: 0.116ms | Avg rtt: 0.149ms
     Statistics for host 74.207.254.18:
      |_ Raw packets sent: 2 (56B) | Rcvd: 2 (92B) | Lost: 0 (0.00%)
      |_ Max rtt: 182.110ms | Min rtt: 177.804ms | Avg rtt: 179.957ms
     Raw packets sent: 4 (112B) | Rcvd: 4 (148B) | Lost: 0 (0.00%)
     Tx time: 3.00044s | Tx bytes/s: 37.33 | Tx pkts/s: 1.33
     Rx time: 3.71207s | Rx bytes/s: 39.87 | Rx pkts/s: 1.08
     Nping done: 2 IP addresses pinged in 3.80 seconds

 * In the packet capture handler, when we iterate over the list of target
   hosts, it would be great if we could skip those hosts that are not reachable
   through the network interface where the captured packet came from.

 + Document the ability of Nping to send payloads in TCP Connect mode. Use the
   example of this payload: --data "474554202f20485454502f312e300d0a0d0a",
   which decodes to the HTTP request "GET / HTTP/1.0\r\n\r\n".

     sudo ./nping --tcp-connect google.com -p80 --data "474554202f20485454502f312e300d0a0d0a" -vvvv

 * Remove test MISC_21 (1st of them) and MISC_22. It doesn't make sense
   anymore. If we want to re-enable nping acting as a kind of tcpdump, we'd
   have to redesign the thing.

 * Now UDP unpriv sends 0 bytes, not 4. Change that in Nping's test script and
   also check references to that in the man page.

 * Consider using Nmap's proto-dependent payloads for UDP packets. According
   to David's tests, better results are obtained when sending UDP probes with a
   payload specific to the protocol.

 * Currently, Nping determines the maximum number of open descriptors (in TCP
   connect and UDP unprivileged modes) from the value returned by
   libnetutil::get_max_open_descriptors(). However, it is often the case that
   such a function returns a value higher than FD_SETSIZE, which is the
   maximum number of descriptors that select(2) can handle. Currently Nsock
   uses select(2), so we have to limit the number of descriptors to
   FD_SETSIZE, and not to the value returned by get_max_open_descriptors().
   However, Henri Doreau is working on a new nsock-engines branch which will
   provide Nsock engines based on better I/O syscalls like poll() and epoll().
   I've asked Henri if he could implement a function in Nsock that provides
   the maximum number of descriptors that can be handled at the same time,
   based on the nsock engine being used. So, if that function gets implemented
   and his nsock-engines branch merged into trunk, we should consider updating
   Nping's code to use it. More info here:
   http://seclists.org/nmap-dev/2011/q4/550

 * A few ideas for the Echo protocol:

   - Add an authenticated NEP_BYE message, so session termination is explicit
     and both ends can determine whether the session was ended because the
     other end requested it or because of some error at the network or
     transport layer. Suggested by David.
   - Add examples for encryption and HMAC to the RFC. This would help in
     debugging implementations. Suggested by Toni Ruottu.
   - RFC. Improve description of how the IVs work. Suggested by Toni Ruottu.
   - RFC. Improve description of encryptionless sessions. Suggested by Toni
     Ruottu.
   - Currently, the echo server zeroes any application layer data before
     transmission in a NEP_ECHO message. This minimizes the impact of errors
     in the server's packet matching engine or of malicious attempts to trick
     the server into echoing packets that do not belong to a particular user.
     This works well, but in the future, if one day we create a NEPv2
     specification, we may want to consider extending NEP_ECHO packets to
     allow stripped-packet transport. That is, to allow echo servers to remove
     application layer data before transmission and include additional
     information in the NEP_ECHO message so clients can determine that the
     payload part was stripped and how long it was.
   - Consider making the echo server bind to all IPv4 AND IPv6 interfaces.
   - Add a description of the security implications of running a public echo
     server (failures in the packet matching algorithm, etc.) to either the
     RFC or the man page. Suggested by Toni Ruottu.
   - Test the new --safe-payloads option with a packet fuzzer to make sure the
     packet parser behaves correctly.

 * When running the Nping echo client with the --no-capture parameter, the
   last packet's CAPT line is not displayed.

     nping --ec public echo.nmap.org -p90 --tcp --count 1 --no-capture

     luis@Aberdeen:~$ sudo nping --ec public echo.nmap.org -p90-92 --tcp --count 1 --no-capture
     Starting Nping 0.5.52.IPv6.Beta2 ( http://nmap.org/nping ) at 2011-07-05 12:53 CEST
     SENT (7.3302s) TCP 163.117.203.253:18554 > 74.207.244.221:90 S ttl=64
     CAPT (7.4625s) TCP 163.117.203.253:18554 > 74.207.244.221:90 S ttl=54
     SENT (8.3309s) TCP 163.117.203.253:18554 > 74.207.244.221:91 S ttl=64
     CAPT (8.4429s) TCP 163.117.203.253:18554 > 74.207.244.221:91 S ttl=54
     SENT (9.3310s) TCP 163.117.203.253:18554 > 74.207.244.221:92 S ttl=64

     Max rtt: N/A | Min rtt: N/A | Avg rtt: N/A
     Raw packets sent: 3 (120B) | Rcvd: 0 (0B) | Lost: 3 (100.00%)| Echoed: 2 (80B)
     Tx time: 2.00181s | Tx bytes/s: 59.95 | Tx pkts/s: 1.50
     Rx time: 2.00193s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00
     Nping done: 1 IP address pinged in 9.33 seconds

 * Investigate warnings on old versions of gcc like g++ 4.1.2 20080704 (Red Hat
   4.1.2-48). No warnings are shown on newer versions, but it would be nice to
   get rid of them if possible. These are some of them:

     ARPHeader.h:169: warning: ‘class ARPHeader’ has virtual functions but non-virtual destructor
     RawData.h:99: warning: ‘class RawData’ has virtual functions but non-virtual destructor

 * Decide more on rDNS
   - Do we want to rDNS resolve all target IPs? If so, where should we show
     the name? At the final report (even when just one host is scanned, which
     omits that line now)? In the individual packet trace lines?
     When a CNAME (or a name which forward resolves but whose IP doesn't
     reverse resolve) is specified on the command line, should we use that
     version, or the official rDNS, if any?
   - Some more discussion on this topic on nmap-dev may be warranted.

 * Improve output for negative verbosity levels. Currently, one can't even tell
   how many hosts replied, just how many responses were received, which could
   all be from the same host. If there is only one target, then the current
   behavior is fine. However, when pinging more targets, we should be able to
   provide better output; at least how many hosts were alive. This was
   suggested by Dan Farmer.

 * Consider adding more examples of setting fields/payloads to the man page.
   This was suggested by Dan Farmer.

 * Consider adding support for XML output.

 * From: David Lam, "Some general questions about Nping/Ncat"
   In TCP traceroute mode, would it be possible to ask Nping to stop once it
   gets a SYN-ACK response back from the destination host rather than
   continuously hitting the host until the max TTL?

 * Make broadcast ping work. Currently the following command does not show any
   captured packets:

     nping 192.168.0.255 --dest-mac ff:ff:ff:ff:ff:ff -c 1

   The cause is probably the BPF filter, which only allows replies from
   192.168.0.255. Also, look into official multicast addresses like 224.0.0.1.
   Can we receive replies to that probe?

 * Do some performance testing. Fyodor: <>

 * Do more testing on Mac.

 * Support predefined probe rates: --fast, --faster, --flood, --slow,
   --slower, --paranoid...

 * Think about an --establish feature, which uses raw packets to establish a
   connection and can then send data on the connected stream (Luis already has
   a proof-of-concept implementation).

 * Make privileged and unprivileged TCP/UDP mode specification consistent.

   > - User is unprivileged and did not supply mode: --> Use TCP-Connect
   > - User is unprivileged and supplied --tcp --> Use TCP-Connect
   > - User is unprivileged and supplied --udp --> Use UDP unprivileged
   > - User is root and did not supply mode --> Use ICMP Echo
   > - User is root and supplied --tcp --> Use raw sockets TCP
   > - User is root and supplied --udp --> Use raw sockets UDP
   > - User is root and wants to use TCP-Connect --> User needs to either
   >   pass --tcp-connect or --unprivileged
   > - User is root and wants unprivileged UDP --> User needs to pass
   >   --unprivileged or --udp-XXXXX (any suggestions? --udp-sendto() may not
   >   be the best idea because when we use raw sockets we also use sendto() to
   >   transmit the data).

 * Support reverse DNS resolution in --traceroute.

 * Implement TCP options.

 * Implement hping-like ability to change the port/ttl using the keyboard
   during a scan.

 * Disable ARP resolution when --source-mac is specified.

 * Implement --data-file option. What should we do if the file is big? Read
   the first X bytes? Send consecutive chunks?

 * Implement entire ICMP Traceroute message opts.

 * Research on default IP Identification value. The kernel does not seem to
   like value 0 because when set to zero, the kernel changes it to some other
   value. When we set it to something != 0, the kernel leaves our value
   untouched.

 * At some point in the future, implement weird ICMP Types. I think this would
   let us make a difference to the rest of pings and packet creation tools
   because anyone wanting to send weird packets would have to download our
   Nping ;-) ( http://www.iana.org/assignments/icmp-parameters )

      6  Alternate Host Address         [JBP]
     31  Datagram Conversion Error      [RFC1475]
     32  Mobile Host Redirect           [David Johnson]
     33  IPv6 Where-Are-You             [Bill Simpson]
     34  IPv6 I-Am-Here                 [Bill Simpson]
     35  Mobile Registration Request    [Bill Simpson]
     36  Mobile Registration Reply      [Bill Simpson]
     39  SKIP                           [Markson]
     40  Photuris                       [RFC2521]

 * Implement "-iL inputfilename (Input from list)" and the case where "-" is
   supplied and target specs need to be read from stdin.

 * Consider adding an option to allow sending NO packets but act as a simple
   sniffer. Users could use --bpf-filter to specify a tcpdump-like filter and
   get every received packet printed to stdout. Maybe with "-c 0"? "-c none"?
   We need to have some flag in NpingOps so we don't terminate Nping but wait
   indefinitely.

 * At some point we should support nmap-like MAC specification.

 * When using payloads, take into account that the IP and TCP headers may
   contain options and therefore the maximum payload length should be
   65535 - 20 (IP header) - 40 (IP options) - 20 (TCP header) - 20 (TCP options).

 * Fyodor: <>

 * [EM] For CAPT packets, decide if we want to print the full info or just the
   fields that have changed in transit (or both). Note that printing
   differences would be complicated by the fact that nping doesn't currently
   associate captured packets with the original send.

 * Decide if we want to allow things like "1074628148" or "0x400d8634" to be
   treated as valid IP addresses.

 * Check whether --ip-options "RTUS 1.1.1.1 2.2.2.2" makes sense. It now
   fails.

 * It may be nice to let users set the IP header length field. Maybe they want
   to stress TCP/IP stacks with this.

 * Investigate ICMP preference levels. It's not clear whether there is a
   standard encoding or not. The logic that parses this in Nping needs to be
   reviewed.
 * Investigate nping's version of devname2ipaddr. Think about side effects of
   using that in Nmap.

 * Consider adding RFC-style output for send/recv packets.

 * [EM] Handle DLT types. Currently the server always sets the null DLT value
   that indicates that no data link header is included.

/*****************************************************************************
 * Things that have been solved already                                      *
 *****************************************************************************/

[DONE] Add default target port for TCP-Connect and TCP modes :: Port 80
[DONE] Add default target port for UDP mode :: Port 40125
[DONE] Add default UDP Source port: 53
       JUSTIFICATION: From David's EffectivenessOfPingProbes
       http://www.bamsoftware.com/wiki/Nmap/EffectivenessOfPingProbes
       "The best individual UDP probes are still those to a random high port,
       with a source port of 53 and a non-empty payload. Even without the
       source port and payload, the ports 40125 and 40126 that I picked out of
       the air are better choices than the current default of 31338, finding
       around 400 additional hosts."
[DONE] Change resolution for the inter-ping delay. (Fyodor: btw, usleep() will
       probably do the trick for you as it lets you sleep with microsecond
       precision)
[DONE] Use int send_ip_packet(int sd, struct eth_nfo *eth, u8 *packet,
       unsigned int packetlen) instead of ip_open();
[DONE] Add protocol to BPF filter string because it is possible that when in
       TCP mode a UDP packet destined to the TCP source port arrives at the
       net iface and gets printed.
[DONE] Implement multiple port specification.
[DONE] Implement ICMP router advertisement entries.
[DONE] Default probe mode: ICMP echo.
[DONE] Test ICMPv4Header::addRouterAdEntry() and check entries are being added
       correctly.
[DONE] Determine source IP address automatically.
[DONE] Determine network interface to be used for packet capture automatically.
[DONE] Add support for cached DNS requests.
[DONE] Start user documentation (mainly man page).
[DONE] Change output to include timing information.
[DONE] Implement controls in payload options parsing to prevent specifying
       lengths that cannot be carried by a single TCP/UDP packet.
[DONE] Start implementing unprivileged UDP pings.
[DONE] When sending ICMP packets, the checksum is not being computed correctly
       if --data-length, and options like that, are specified.
[DONE] Find a bug that under some circumstances produces a segfault. It is
       probably related to the way option -e is being handled.
[DONE] Fix a bug in option "-e iface" that results in IP 2.0.0.0 being used as
       a source address.
[DONE] Update --help display to include new ICMP flags. Check also command-line
       syntax docs.
[DONE] Use nsock approach instead of threads.
[DONE] Finish ARP/RARP support.
[DONE] Change doc for option --count. We don't stop after N probes, we stop
       after N rounds.
[DONE] Ask Fyodor what tool is used to convert from nmap-man.xml to nmap.1
[DONE] Check all outPrint()s and outError()s to ensure they specify the correct
       verbosity/debug level.
[DONE] Document format specified in ArgParser::atoICMPType().
[DONE] Document format specified in ArgParser::atoICMPCode().
[DONE] Finish implementing unprivileged UDP pings.
[DONE] Finish Ethernet frame creation.
[DONE] Find a way to convert the nping.xml into a man page.
[DONE] Check what happens if a payload is specified and we are not sending
       TCP/UDP but ICMP or other proto packets. [Sometimes it may not make
       sense to include payloads (e.g. ARP) but we still allow it just in case
       users want to play around].
[DONE] Ask Fyodor whether we want to display elapsed time (like nmap) or we
       prefer to display rtt time as other ping utilities do. [This is probably
       fine for now]
[DONE] Fix the warnings produced by Fyodor's gcc.

       +---------------+
       NpingTargets.cc: In member function ‘int NpingTargets::processSpecs()’:
       NpingTargets.cc:315: warning: comparison between signed and unsigned integer expressions
       NpingTargets.cc: In member function ‘NpingTarget* NpingTargets::getNextTarget()’:
       NpingTargets.cc:333: warning: comparison between signed and unsigned integer expressions
       +---------------+
       In file included from /usr/include/string.h:640,
                        from nbase/nbase.h:158,
                        from nping.h:107,
                        from utils.cc:95:
       In function ‘void* memset(void*, int, size_t)’,
           inlined from ‘int getNetworkInterfaceName(sockaddr_storage*, char*)’ at utils.cc:689:
       /usr/include/bits/string3.h:85: warning: call to void* __builtin___memset_chk(void*, int, long unsigned int, long unsigned int) will always overflow destination buffer
       +---------------+

[DONE] Redesign verbosity levels:
       * Put verbosity level 2 into level 1
       * Use level 2 for errors.
       * Use level 3 to print everything but not sent/rcvd packets.
       * Level 4 the usual
[DONE] Add stats at the end of nping execution.
[DONE] Add options to disable viewing of sent packets.
[DONE] Add option to disable packet capture.
[DONE] Add a section to the man page explaining how we iterate over targets,
       ports, etc.
[DONE] Beta-testing email to the list.
[DONE] Change default round count to 5.
[DONE] Fix a segfault detected by Fyodor in trg=o.targets.findTarget(...).
[DONE] Send an email to the list telling about the nping.exe file.
[DONE] Support CTRL-C statistics.
[DONE] Change "solution" file in mswin32/nmap.sln to nping.sln
[DONE] In man page and -h: move Ethernet section so it appears after network
       layer info.
[DONE] Make rx time more accurate, taking into account that we wait for a bit
       after the last probe is sent.
[DONE] Fix bug: add ICMP dest unreachable, etc. to the BPF filter so we can get
       ICMP error messages when TTLs expire, etc.
[DONE] Disable all Ethernet related code when sendEth is false.
[DONE] Finish porting Nping to Windows.
[DONE] Find an OS X box to test Nping.
[DONE] Reorganize verbosity levels (again ;-) [-3, +3].
[DONE] Finish documentation for options --source-mac and --dest-mac.
[DONE] Make sure --ether-type supports specifying types in hex.
[DONE] Implement verbosity level 3: in this level, sent and recv packets are
       hexdumped to stdout.
[DONE] Write and check in nping/index.html web site
       - Include SVN checkout/install instructions
       - Include tarballs when available
[DONE] Create Windows installer (maybe can copy a lot of stuff from what
       Ithilgore has done with Ncrack).
[DONE] Create Nping release tarball for UNIX systems.
[DONE] Release Nping 0.1BETA2.
[DONE] Man page should say Nping is currently in Alpha stage.
[DONE] Support -vvv, -qqq and -ddd syntax. [Requested by Dirk Loss]
[DONE] Create Mac OS X installer (also can probably copy a lot of stuff from
       what Ithilgore has done with Ncrack. David can usually help with
       installer building).
[DONE] Move nping to /nping in SVN rather than being in nmap-exp.
[DONE] Set up automatic conversion from nping XML man page to HTML for
       http://nmap.org/nping/man.html [Fyodor working on this]
[DONE] Include signature files in new releases. [Requested by Henri Salo]
[DONE] It would be nice to have Bzip2 packages. [Requested by Henri Salo]
       (These last two don't make sense anymore as Nping is now distributed
       with Nmap).
[DONE] Do small fix in nmap's send_ip_packet_sd()
       -  res = Sendto("send_ip_packet", sd, packet, packetlen, 0,
       +  res = Sendto("send_ip_packet_sd", sd, packet, packetlen, 0,
[DONE] Correct BPF filter specs, to make the condition about the source address
       apply everywhere.
[DONE] Fix possible bug in BPF filter specification. More details in
       http://seclists.org/nmap-dev/2010/q2/252
[DONE] Work on nping&nmap code merge.
[DONE] For options that take numbers we need to allow users to specify them
       also in hex with the format 0xNNNN...
[DONE] Replace this pattern:
         if ( isNumber_u32(optarg) ){
           u32 aux32 = strtoul( optarg, NULL, 10);
           ...
         }
       with a function that checks for syntax and returns the value (i.e., a
       wrapper around strtoul). There is nowhere that isNumber_u* is called
       without it being immediately followed by a strtoul, outside of utils.cc.
[DONE] Bug in --icmp-advert-entry. Specified IPs are being set in host byte
       order instead of in network byte order.
[DONE] Investigate why ARP replies are not being received. Wireshark shows
       replies but they don't get captured by Nping. The bpf filter looks ok:
       "arp and arp[6]==0x00 and arp[7]==0x02"
[DONE] Investigate into this:
         sudo nping --icmp scanme.nmap.org -vvv -d1 --icmp-type ra --icmp-advert-entry 256.257.258.259,222
         Invalid Router Advertising Entry specification: Unable to resolve 6628128
       Apparently the call to outFatal() is specifying %d instead of %s, but
       that's not being detected properly by the compiler, because we don't get
       a warning. We have to do something like this:
         void fatal(const char *fmt, ...)
              __attribute__ ((noreturn))
              __attribute__ ((format (printf, 1, 2)));
       TODO: Look at the documentation to see what the numbers mean. Probably
       one of them is the index of the format argument, and the other is where
       the varargs start.
[DONE] Fix division by zero exception:
         sudo nping --icmp scanme.nmap.org -vvv -d1 --icmp-type echo --rate 0
         ./test_nping.sh: line 83: 11690 Floating point exception "$@"
[DONE] Fix little problem in TIMING_5. We need to detect the bogus time before
       we actually pass the value to NpingOps. Nping is giving an error but the
       bogus input is getting too far.
[DONE] Document that badsum-ip may not always work because the kernel may
       correct the sum.
[DONE] Change overloaded functions in libnetutil that were refactored to make
       them compile in C. Go back to the overloaded version if possible.
[DONE] Move grab_next_host_spec() and pals to netutil.
[DONE] Control the case when the user passes "--mtu 0". An assertion fails but
       Nping should print a nicer message.
[DONE] Improve error message for --mtu. We should probably allow MTUs bigger
       than 2^16 but take that as a "don't fragment" request. Also, make "rand"
       produce only valid MTUs (multiple of 8, etc.).
[DONE] When passing "--tcp-flags 0x100" the error is not very accurate. This is
       because parser_u8() fails and then Nping tries to resolve the value
       letter by letter. Maybe we can parse_u32() it, and then check if n<255
       and print a better error message.
[DONE] Document what happens with the IP header length when the user wants to
       add an uneven number of bytes of IP options. We are truncating the
       result, because the header length is expressed in 32-bit words.
[DONE] Check if there is any problem with -e "". Maybe we shouldn't let users
       supply a NULL name, but make them use the "any" specifier. Add doc about
       this and update the test description (MISC_12).
[DONE] Update documentation for option --delay, including that now, time
       specification as float numbers is supported (eg: --delay 0.1 meaning
       100ms).
[DONE] Change info about TODO file in http://nmap.org/nping web page.
       - If you wish to contribute code to Nping there is a TO-DO list you can have
       - a look at (file "TODO" in the source package).
       + If you wish to contribute code to Nping there is a TO-DO list you can have
       + a look at (file "todo/nping.txt" in nmap's source package).
[DONE] Make sure randomly generated checksums are in fact invalid and don't
       match the correct checksum. There is a 1/65535 chance of this happening.
[DONE] After merging nmap-dedup, change send_frag_ip_packet() to take "u32 mtu"
       and fix the printf below to use "%u" instead of "%i".
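As an added illustration (not Nping's own code) of two items above, the strtoul wrapper that replaces the isNumber_u32()/strtoul() pattern and the printf format attribute from the outFatal() item: parse_u32() validates a decimal or 0xNNNN string in one call, parse_u8() builds on it to give the precise range error the "--tcp-flags 0x100" item asks for, and set_error() carries the attribute, whose two numbers are the 1-based position of the format argument and of the first variadic argument. set_error, parse_u32, parse_u8 and NPING_FORMAT_PRINTF are hypothetical names; the sample inputs are constructed.

```c
#include <ctype.h>
#include <errno.h>
#include <stdarg.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

typedef uint32_t u32;
typedef uint8_t u8;
/* Hypothetical portability macro. With GCC/Clang the format attribute makes the
 * compiler check printf-style arguments against the format string: fmt_idx is
 * the 1-based position of the format argument, args_idx that of the first
 * variadic argument. Compilers without the attribute get an empty macro. */
#if defined(__GNUC__)
#define NPING_FORMAT_PRINTF(fmt_idx, args_idx) \
    __attribute__((format(printf, fmt_idx, args_idx)))
#else
#define NPING_FORMAT_PRINTF(fmt_idx, args_idx)
#endif

/* Formats an error message into errbuf (NULL allowed). Thanks to the attribute,
 * a "%d" paired with a char* argument (the outFatal() bug above) becomes a
 * compile-time warning instead of a garbage message at run time. */
static void set_error(char *errbuf, size_t errlen, const char *fmt, ...)
    NPING_FORMAT_PRINTF(3, 4);
static void set_error(char *errbuf, size_t errlen, const char *fmt, ...) {
    va_list ap;
    if (errbuf == NULL || errlen == 0)
        return;
    va_start(ap, fmt);
    vsnprintf(errbuf, errlen, fmt, ap);
    va_end(ap);
}

/* Parses an unsigned 32-bit integer written in decimal or as 0xNNNN hex. One
 * call replaces the isNumber_u32() + strtoul() pair and validates the whole
 * string: no whitespace, no sign, no trailing garbage, no overflow.
 * Returns 1 and stores the value in *out on success, 0 on error. */
static int parse_u32(const char *s, u32 *out, char *errbuf, size_t errlen) {
    char *end = NULL;
    unsigned long val;
    int base = 10;
    if (s == NULL || *s == '\0') {
        set_error(errbuf, errlen, "Empty number specification");
        return 0;
    }
    if (s[0] == '0' && (s[1] == 'x' || s[1] == 'X'))
        base = 16;  /* strtoul() itself accepts the 0x prefix in base 16 */
    /* strtoul() skips leading whitespace and accepts a sign, so "-1" would
     * silently wrap around to a huge value; reject both up front. */
    if (isspace((unsigned char)*s) || *s == '-' || *s == '+') {
        set_error(errbuf, errlen, "Invalid number specification: \"%s\"", s);
        return 0;
    }
    errno = 0;
    val = strtoul(s, &end, base);
    if (errno == ERANGE || val > 0xFFFFFFFFUL) {
        set_error(errbuf, errlen, "Value \"%s\" does not fit in 32 bits", s);
        return 0;
    }
    if (end == s || *end != '\0') {
        set_error(errbuf, errlen, "Unexpected character '%c' in \"%s\"", *end, s);
        return 0;
    }
    *out = (u32)val;
    return 1;
}

/* Parses a value that must fit in 8 bits, as --tcp-flags needs. Parsing as u32
 * first and range-checking afterwards gives the precise message the
 * "--tcp-flags 0x100" item asks for instead of a generic syntax error. */
static int parse_u8(const char *s, u8 *out, char *errbuf, size_t errlen) {
    u32 val;
    if (!parse_u32(s, &val, errbuf, errlen))
        return 0;
    if (val > 255) {
        set_error(errbuf, errlen, "Value %lu is out of range (0-255)",
                  (unsigned long)val);
        return 0;
    }
    *out = (u8)val;
    return 1;
}

int main(void) {
    /* Constructed sample inputs: valid decimal and hex, too large, garbage. */
    const char *inputs[] = { "80", "0x50", "0x100", "12abc", "-1", "" };
    char err[128];
    size_t i;
    for (i = 0; i < sizeof(inputs) / sizeof(inputs[0]); i++) {
        u8 flags;
        if (parse_u8(inputs[i], &flags, err, sizeof(err)))
            printf("%-6s -> 0x%02x\n", inputs[i], flags);
        else
            printf("%-6s -> error: %s\n", inputs[i], err);
    }
    return 0;
}
```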
[DONE] [EM] Update EchoProtoRFC.txt and any of the other design files as
       appropriate and send to nmap-dev for comments.
[DONE] [EM] Pick a default port number.
[DONE] [EM] Make a mockup of the desired standard output in a regular echo mode
       execution, like
         nping -c 2 --tcp --flags SYN -p 80 scanme.nmap.org
       (let's assume there are some differences found, like a NAT is in place)
       o A key aspect of this task is determining what diffs are going to look
         like.
[DONE] [EM] Things to decide on:
       o Decide on packet specifiers that can be passed to the server so it can
         recognize packets sent by the client even if a number of headers have
         changed and pass them back. (see Fyodor/Luis IM discussion logs from
         6/28/10).
[DONE] [EM] Improve client error handling. Currently it doesn't behave well
       when the server crashes.
[DONE] [EM] Make the client time out if the server does not send data during
       the handshake. Currently the client waits forever.
[DONE] [EM] Make the server detect when a client disconnects and delete its
       context data.
[DONE] [EM] Get rid of some messages that are currently displayed in the
       client. Print them only if the debugging level is high enough.
[DONE] [EM] Make sure the -h help screen includes info about the echo mode.
[DONE] [EM] Add echo mode to the man page.
[DONE] [EM] Add received echoed packets to the final statistics.
[DONE] [EM] Multi-client support.
[DONE] [EM] Delay RECV message printing so the CAPT messages are shown in
       order.
[DONE] [EM] Use NEP_QUIT only if necessary, just close the connection if
       possible.
[DONE] [EM] Implement crypto.
[DONE] [EM] Consider whether the CAPT line should (or should have an option to)
       display the time based on capture time from the server. Obviously this
       can be problematic because not all machines run ntpd. One option is to
       just make it an option so that people should only use it if both the
       client and server are running ntpd. Luis is adding a precision
       timestamp to NEP_ECHO packets so we could easily add it in the future.
       Another approach would be to do NTP-style handshaking to compute time
       offsets between the two machines during the echo side-channel
       handshaking. Then the client could remember how far off it is. A third
       approach is to estimate the CAPT time as 1/2 the time between the packet
       send and when we received the NEP_ECHO back notifying us of receipt.
       NOTE: We finally decided to take the third approach. CAPT_time=RTT/2.
[DONE] [EM] Consider whether we should delay RCVD packet printing slightly so
       that CAPT packets received just slightly afterward could be printed
       before the RCVD. This might make the most sense if we do the previous
       feature where we show the time that a packet was actually captured by
       the echo server. If we did it in normal cases, it might make it easier
       to compare SENT and CAPT packets, but would also be a bit strange to see
       the timeline out-of-order.
[DONE] Fix Windows rtt values. Right now Nsock does not seem to be giving the
       callback at the proper time, or something.
[DONE] Add --no-crypto to -h output.
[DONE] Make sure nping does not allow generating packets with tcp src port or
       tcp dst port 9929 (or --echo-port N, if that is set), because 1) the
       echo server does not capture those packets and 2) to avoid messing up
       the established side-channel tcp connection.
[DONE] Add support for custom IP binding: if the user supplies -S then the echo
       side-channel connection and connections in TCP-Connect mode should be
       established from that IP. This includes the echo server binding to that
       IP.
[DONE] Make nping issue a warning when the user supplies a payload in
       TCP-Connect mode.
[DONE] [EM] Echo server should print which interface it is using to capture
       packets.
[DONE] In some cases, when using nping through a VPN connection,
       nsi_pcap_linktype() returns something different from DLT_EN10MB, and
       Nping fatals. Investigate why this happens to nping and is not a problem
       for Nmap. Also, determine why this doesn't happen all the time. What
       changes between these two?:
         sudo nping --udp 1.1.1.1 -g 999 -p998
         sudo nping --udp 1.1.1.1 -g 999 -p999
       The first one works, and the other one fatals with "Currently only
       Ethernet is supported." (error message @ nping.cc:1717).
       - Note this also happens when Fyodor uses Nping tethering through his
         cell phone (ppp0).
[DONE] [EM] Make the server stop capturing packets when all connected clients
       finish their session.
[DONE] [EM] Some things to keep in mind for the implementation and to update
       our design docs accordingly:
       o Implement different "modes" for the server: complete access,
         one-time-access, and restricted.
[DONE] Do more testing on MS Windows.
[DONE] [EM] Investigate why the echo server does not send NEP_ECHO messages
       when the client sends probes at a very high rate, like in:
         ./nping -c 1000 --rate 1000 --echo-client "pass" --icmp -v echo.nmap.org
[DONE] [EM] Add echo mode to the man page.
[DONE] [EM] Do some extensive testing of the Echo mode once it is working to
       try and flesh out any bugs before merging.
[DONE] Make Nping call nsi_delete() on pcap IODs, IODs in TCP-Connect mode and
       maybe on IODs of other modes. See http://seclists.org/nmap-dev/2010/q3/587
[DONE] Fix bug that causes Nping to fail when sending UDP packets to a
       broadcast address. More info:
[DONE] When doing ICMP echo traceroute (with --traceroute), unless the user
       supplies a custom round count (-c/--count), Nping only sends 5 packets
       (default round count). This is usually not enough to reach hosts on the
       internet. What should be the default behaviour? Stick with the default
       round count of 5 or increment it when --traceroute is set?
       - We should probably set -c 32 when --traceroute is specified, unless
         the user specifies their own -c explicitly.
[DONE] Try to reduce the size of the internal buffer in the EchoHeader class.
       Currently it allocates a big buffer that is able to hold the theoretical
       maximum size of a NEP message (normal use does not require so much
       space). When this is done, check if we still need to increase the stack
       size in the project properties in Visual Studio.
[DONE] [Fixed by Vasiliy Kulikov] When running Nping in ARP mode, the hexdump
       of ARP replies is not shown with -vvv, only for requests. Here's the
       output:
         sudo nping --arp 192.168.240.139 -vvv -d1
         Starting Nping 0.5.59BETA1 ( http://nmap.org/nping ) at 2011-07-11 12:32 CEST
         BPF-filter: arp and arp[6]==0x00 and arp[7]==0x02
         SENT (0.0562s) ARP who has 192.168.240.139? Tell 192.168.240.1
         0000   ff ff ff ff ff ff 00 50  56 c0 00 01 08 06 00 01  .......PV.......
         0010   08 00 06 04 00 01 00 50  56 c0 00 01 c0 a8 f0 01  .......PV.......
         0020   00 00 00 00 00 00 c0 a8  f0 8b                    ..........
         RCVD (0.0568s) ARP reply 192.168.240.139 is at 00:0C:29:E4:90:CD
         SENT (1.0580s) ARP who has 192.168.240.139? Tell 192.168.240.1
         0000   ff ff ff ff ff ff 00 50  56 c0 00 01 08 06 00 01  .......PV.......
         0010   08 00 06 04 00 01 00 50  56 c0 00 01 c0 a8 f0 01  .......PV.......
         0020   00 00 00 00 00 00 c0 a8  f0 8b                    ..........
[DONE] Fix echo mode. Now some fields get incremented in each iteration and
       that messes up the matching. As a result, only the first CAPT is
       received. The rest of the packets don't get matched at the server side.
Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-08-05 19:43 CEST SENT (0.0000s) IPv4[192.168.1.171 > 74.207.244.221 ttl=64 id=57016 iplen=40] TCP[30527 > 80 S seq=3695554152 win=1480] RCVD (0.1690s) IPv4[74.207.244.221 > 192.168.1.171 ttl=52 id=0 iplen=44] TCP[80 > 30527 SA seq=2377841490 ack=3695554153 win=14600 ] Payload[2 bytes] CAPT (0.0000s) TCP 83.50.255.169:30527 > 74.207.244.221:80 S ttl=54 id=57016 iplen=40 seq=3695554152 win=1480 SENT (1.0000s) IPv4[192.168.1.171 > 74.207.244.221 ttl=64 id=57017 iplen=40] TCP[30528 > 80 S seq=3695554153 win=1480] RCVD (1.1680s) IPv4[74.207.244.221 > 192.168.1.171 ttl=52 id=0 iplen=44] TCP[80 > 30528 SA seq=2395577066 ack=3695554154 win=14600 ] Payload[2 bytes] SENT (2.0000s) IPv4[192.168.1.171 > 74.207.244.221 ttl=64 id=57018 iplen=40] TCP[30529 > 80 S seq=3695554154 win=1480] RCVD (2.1700s) IPv4[74.207.244.221 > 192.168.1.171 ttl=52 id=0 iplen=44] TCP[80 > 30529 SA seq=2419052034 ack=3695554155 win=14600 ] Payload[2 bytes] SENT (3.0010s) IPv4[192.168.1.171 > 74.207.244.221 ttl=64 id=57019 iplen=40] TCP[30530 > 80 S seq=3695554155 win=1480] RCVD (3.1700s) IPv4[74.207.244.221 > 192.168.1.171 ttl=52 id=0 iplen=44] TCP[80 > 30530 SA seq=2435093077 ack=3695554156 win=14600 ] Payload[2 bytes] SENT (4.0010s) IPv4[192.168.1.171 > 74.207.244.221 ttl=64 id=57020 iplen=40] TCP[30531 > 80 S seq=3695554156 win=1480] RCVD (4.1790s) IPv4[74.207.244.221 > 192.168.1.171 ttl=52 id=0 iplen=44] TCP[80 > 30531 SA seq=2443052137 ack=3695554157 win=14600 ] Payload[2 bytes] Max rtt: 178.034ms | Min rtt: 168.797ms | Avg rtt: 171.155ms Raw packets sent: 5 (200B) | Rcvd: 5 (230B) | Lost: 0 (0.00%)| Echoed: 1 (40B) Raw packets sent: 5 (200B) | Rcvd: 5 (230B) | Lost: 0 (0.00%) Tx time: 4.00116s | Tx bytes/s: 49.99 | Tx pkts/s: 1.25 Rx time: 4.68375s | Rx bytes/s: 49.11 | Rx pkts/s: 1.07 Nping done: 1 IP address pinged in 6.08 seconds [DONE] Fix delayed output of RCVD lines in echo mode. 
There is this function: NpingOps::setDelayedRcvd(const char *str, nsock_event_id id) in NpingOps, but currently it is not being called by the ProbeEngine. Note that since we now print packets using the PacketElement::print() and don't have access to a proper string, it is possible that we need to save a copy of the packet instead of storing it's ascii representation, so we can call print() on it, and get the info printed out. [DONE] Check int ProbeEngine::packet_capture_handler(). It's probably leaking a lot of memory. When run with "sudo ./nping localhost -c0 --delay 0ms" allocated memory keeps growing and growing. There are two things to check, captured packets, and sent packets. Verify that any captured packet that is not a response is freed. Also, sent and received packets, need to be freed after certain time. [DONE] In Echo mode, sudo ./nping --ec "public" echo.nmap.org --tcp -vvv, one of the stats lines is printed twice (kindof). Max rtt: 178.163ms | Min rtt: 168.957ms | Avg rtt: 173.560ms Raw packets sent: 2 (80B) | Rcvd: 2 (92B) | Lost: 0 (0.00%)| Echoed: 1 (40B) Raw packets sent: 2 (80B) | Rcvd: 2 (92B) | Lost: 0 (0.00%) Tx time: 1.45961s | Tx bytes/s: 54.81 | Tx pkts/s: 1.37 Rx time: 1.45961s | Rx bytes/s: 63.03 | Rx pkts/s: 1.37 Nping done: 1 IP address pinged in 3.32 seconds [DONE] Fix stats for the echo server. Currently it prints "Raw packets sent". That line needs to dissapear from the output. Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-08-05 20:09 CEST Packet capture will be performed using network interface wlan0. Waiting for connections... ^C Raw packets captured: 0 (0B) | Echoed: 0 (0B) | Not Matched: 0 (0B) (0.00%) Raw packets sent: 0 (0B) | Rcvd: 0 (0B) | Lost: 0 (0.00%) Tx time: 0.95463s | Tx bytes/s: 0.00 | Tx pkts/s: 0.00 Rx time: 0.95463s | Rx bytes/s: 0.00 | Rx pkts/s: 0.00 Nping done: 0 clients served in 0.95 seconds [DONE] Improve stats. 
When sending multiple packets at the same time, provide sent/rcvd stats for each type. sudo ./nping google.com --tcp --icmp Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-08-05 20:14 CEST SENT (0.0000s) IPv4[192.168.1.171 > 74.125.230.197 ttl=64 id=28991 iplen=40] TCP[32925 > 80 S seq=926182838 win=1480] SENT (0.0000s) IPv4[192.168.1.171 > 74.125.230.197 ttl=64 id=28992 iplen=28] ICMPv4[Echo request id=50987 seq=0] RCVD (0.0250s) IPv4[74.125.230.197 > 192.168.1.171 ttl=55 id=45449 iplen=44] TCP[80 > 32925 SA seq=789301890 ack=926182839 win=14300 ] Payload[2 bytes] RCVD (0.0250s) IPv4[74.125.230.197 > 192.168.1.171 ttl=55 id=45450 iplen=28] ICMPv4[Echo reply id=50987 seq=0] Payload[18 bytes] ^C Max rtt: 25.957ms | Min rtt: 25.141ms | Avg rtt: 25.549ms Raw packets sent: 2 (68B) | Rcvd: 2 (92B) | Lost: 0 (0.00%) Tx time: 0.62958s | Tx bytes/s: 108.01 | Tx pkts/s: 3.18 Rx time: 0.62958s | Rx bytes/s: 146.13 | Rx pkts/s: 3.18 Nping done: 1 IP address pinged in 0.70 seconds [DONE] When pinging multiple hosts using more than one protocol, consider printing per-protocol/per-host stats, not only global per-protocol stats. 
Now it looks like this: Statistics for host 192.168.1.1: |_ Raw packets sent: 20 (900B) | Rcvd: 15 (620B) | Lost: 5 (25.00%) |_ Max rtt: 3.326ms | Min rtt: 1.347ms | Avg rtt: 2.398ms Statistics for host 74.207.254.18: |_ Raw packets sent: 20 (900B) | Rcvd: 4 (224B) | Lost: 16 (80.00%) |_ Max rtt: 28.020ms | Min rtt: 21.469ms | Avg rtt: 24.482ms Statistics for host ::1: |_ Raw packets sent: 15 (780B) | Rcvd: 15 (1.020KB) | Lost: 0 (0.00%) |_ Max rtt: 0.469ms | Min rtt: 0.279ms | Avg rtt: 0.361ms Raw packets sent: 55 (2.580KB) | Rcvd: 34 (1.864KB) | Lost: 21 (38.18%) TCP packets sent: 15 | Rcvd: 10 | Lost: 5 (33.33%) UDP packets sent: 15 | Rcvd: 0 | Lost: 15 (100.00%) ARP packets sent: 10 | Rcvd: 5 | Lost: 5 (50.00%) ICMPv4 packets sent: 10 | Rcvd: 9 | Lost: 1 (10.00%) ICMPv6 packets sent: 5 | Rcvd: 10 | Lost: 0 (0.00%) Tx time: 0.13990s | Tx bytes/s: 18441.74 | Tx pkts/s: 393.14 Rx time: 0.25161s | Rx bytes/s: 7408.38 | Rx pkts/s: 135.13 Nping done: 3 IP addresses pinged in 0.32 seconds but per-host stats could be something like: Statistics for host 192.168.1.1: |_ Raw packets sent: 20 (900B) | Rcvd: 15 (620B) | Lost: 5 (25.00%) |_ TCP packets sent: 5 | Rcvd: 1 | Lost: 4 (80.00%) |_ UDP packets sent: 5 | Rcvd: 0 | Lost: 5 (100.00%) |_ ARP packets sent: 5 | Rcvd: 0 | Lost: 5 (100.00%) |_ ICMPv4 packets sent: 5 | Rcvd: 4 | Lost: 1 (20.00%) |_ Max rtt: 3.326ms | Min rtt: 1.347ms | Avg rtt: 2.398ms [DONE] Fix global RTT statistics. [DONE] For Echo clients, fix CAPT time calculation and delayed output. 
Currently it doesn't work: ./nping --ec public --tcp echo.nmap.com Starting Nping 0.5.61TEST4 ( http://nmap.org/nping ) at 2012-08-05 20:15 CEST SENT (0.0000s) IPv4[192.168.1.171 > 74.207.244.221 ttl=64 id=63688 iplen=40] TCP[26528 > 80 S seq=2773943728 win=1480] RCVD (0.1740s) IPv4[74.207.244.221 > 192.168.1.171 ttl=52 id=0 iplen=44] TCP[80 > 26528 SA seq=2565506202 ack=2773943729 win=14600 ] Payload[2 bytes] CAPT (0.0000s) TCP 83.50.255.169:26528 > 74.207.244.221:80 S ttl=54 id=63688 iplen=40 seq=2773943728 win=1480 [DONE] Fix this: nping --tcp --tcp-connect localhost Mode Unknown Mode requires root privileges. [DONE] Finish improving void NpingOps::displayStatistics(). We need to move all nping_print() calls to PacketStats::, refactoring whenever possible. [DONE] Fix stats for UDP unprivileged. "Failed" does not show the correct figures. UDP write operations: 10 | Successful reads: 5 | Failed: 0 (0.00%) [DONE] Finish --traceroute. currently it does not start from TTL=1, but from TTL=64. If I pass --ttl 30, then it starts from 30. Investigate this. [DONE] Consider adding multi-packet support. Example: tell nping to send 4 tcp packets, 5 icmp packets and 3 udp packets [DONE] Consider adding more detailed stats for the Echo Mode. [DONE] Split up libnetutil.cc into different source files. [DONE] ARP mode does not support payload specification. However, users may want to do things like appending null bytes at the end of an ARP packet to test some device behaviour, etc. Adding support for payload to this mode is really trivial, would make the payload spec more consistent with the rest of the modes, and may be a nice to have feature. [DONE] Make sure randomnly generated checksums in IPv6-TCP/UDP are in fact invalid and don't match the correct checksum. [DONE] When implementing IPv6, check MAX_TCP_PAYLOAD_LEN constant and method TCPHeader::setSum(). Because with IPv6 the max payload length should be 20 bytes less than with the IPv4 header. 
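Two of the echo-mode items above (choosing packet specifiers the server can still recognize after headers have changed in transit, and the matching breakage once the client increments fields on every round) come down to which header fields a sent probe and its capture still share. The block below is an added C++ illustration, not Nping's or the NEP protocol's own code: the Probe layout and the field set used as a specifier are assumptions, and the sample probes are constructed from the SENT and CAPT lines quoted in the "Fix echo mode" item (private source address and ttl=64 on the way out, public NAT address and ttl=54 as seen by the server).

```cpp
// Added illustration (not Nping's or NEP's own code): matching echo-server
// captures back to the probes the client sent, using only header fields that
// a NAT or a router on the path leaves untouched.
#include <cstdint>
#include <map>
#include <string>
#include <tuple>
#include <vector>

struct Probe {
    std::string src_ip;   // rewritten by NAT on the way out
    std::string dst_ip;
    unsigned ttl;         // decremented at every hop
    uint16_t ip_id;
    uint16_t sport;
    uint16_t dport;
    uint32_t seq;
};

// The "packet specifier" (assumed field set): destination address, ports, TCP
// seq and IP id. Source address and TTL are left out because they change in transit.
using Specifier = std::tuple<std::string, uint16_t, uint16_t, uint32_t, uint16_t>;

static Specifier specifier_of(const Probe &p) {
    return Specifier(p.dst_ip, p.sport, p.dport, p.seq, p.ip_id);
}

// Naive comparison on every field: the approach that fails behind a NAT.
static bool identical(const Probe &a, const Probe &b) {
    return a.src_ip == b.src_ip && a.dst_ip == b.dst_ip && a.ttl == b.ttl &&
           a.ip_id == b.ip_id && a.sport == b.sport && a.dport == b.dport && a.seq == b.seq;
}

class EchoMatcher {
    std::map<Specifier, size_t> index_;  // specifier -> probe number
public:
    void register_sent(const Probe &p, size_t n) { index_[specifier_of(p)] = n; }
    // Returns the probe number a capture belongs to, or -1 when nothing matches.
    long match(const Probe &captured) const {
        auto it = index_.find(specifier_of(captured));
        return it == index_.end() ? -1 : static_cast<long>(it->second);
    }
};

// Constructed sample modelled on the SENT lines: the client increments the
// source port, IP id and seq on every round.
static std::vector<Probe> sample_sent() {
    return {{"192.168.1.171", "74.207.244.221", 64, 57016, 30527, 80, 3695554152u},
            {"192.168.1.171", "74.207.244.221", 64, 57017, 30528, 80, 3695554153u},
            {"192.168.1.171", "74.207.244.221", 64, 57018, 30529, 80, 3695554154u}};
}

// Constructed sample modelled on the CAPT line: the server sees the public NAT
// address and a TTL ten hops lower; everything else is intact.
static std::vector<Probe> sample_captured() {
    return {{"83.50.255.169", "74.207.244.221", 54, 57016, 30527, 80, 3695554152u},
            {"83.50.255.169", "74.207.244.221", 54, 57017, 30528, 80, 3695554153u},
            {"83.50.255.169", "74.207.244.221", 54, 57018, 30529, 80, 3695554154u}};
}

// Fixed behaviour: a specifier is registered for every probe, so every capture matches.
std::vector<long> match_per_packet() {
    EchoMatcher m;
    std::vector<Probe> sent = sample_sent();
    for (size_t i = 0; i < sent.size(); ++i) m.register_sent(sent[i], i);
    std::vector<long> out;
    for (const Probe &c : sample_captured()) out.push_back(m.match(c));
    return out;  // {0, 1, 2}
}

// The symptom described above: the specifier is taken once, from the first
// probe, so later probes with incremented fields never match at the server.
std::vector<long> match_first_only() {
    EchoMatcher m;
    m.register_sent(sample_sent()[0], 0);
    std::vector<long> out;
    for (const Probe &c : sample_captured()) out.push_back(m.match(c));
    return out;  // {0, -1, -1}
}

// Full-field comparison: zero matches, because src IP and TTL changed in transit.
size_t match_all_fields() {
    size_t n = 0;
    std::vector<Probe> sent = sample_sent();
    for (const Probe &c : sample_captured())
        for (const Probe &s : sent)
            if (identical(s, c)) ++n;
    return n;  // 0
}
```

match_per_packet() returns the probe number for every capture; match_first_only() reproduces the "only the first CAPT is received" symptom; match_all_fields() shows why the source address and TTL have to stay out of whatever the server compares.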
[DONE] Implement checks in the function that handles received packets: Fyodor: <>

[DONE] Implement ICMP address mask

[DONE] Stats for ARP packets.

[DONE] Sometimes Nping displays a couple of error messages (related to cleanup of Nsock events), even though everything went fine.
           luis@Aberdeen:~$ sudo nping --ec public echo.nmap.org -p90 --tcp --count 1
           Starting Nping 0.5.52.IPv6.Beta2 ( http://nmap.org/nping ) at 2011-07-05 12:51 CEST
           SENT (1.8965s) TCP 163.117.203.253:64288 > 74.207.244.221:90 S ttl=64
           CAPT (2.0293s) TCP 163.117.203.253:64288 > 74.207.244.221:90 S ttl=54
           RCVD (2.1233s) TCP 74.207.244.221:90 > 163.117.203.253:64288 RA ttl=51
           nping_event_handler(): READ-PCAP killed: Resource temporarily unavailable
           nping_event_handler(): TIMER killed: Resource temporarily unavailable
           Max rtt: 226.762ms | Min rtt: 226.762ms | Avg rtt: 226.762ms
           Raw packets sent: 1 (40B) | Rcvd: 1 (40B) | Lost: 0 (0.00%)| Echoed: 1 (40B)
           Tx time: 0.00136s | Tx bytes/s: 29411.76 | Tx pkts/s: 735.29
           Rx time: 1.00082s | Rx bytes/s: 39.97 | Rx pkts/s: 1.00
           Nping done: 1 IP address pinged in 2.93 seconds

[DONE] In NpingOps::setupTargetHosts() consider skipping things like route_dst() if we are doing TCP-Connect or UDP-Unprivileged.

[DONE] Mixing --tcp-connect and raw packet modes does not work.
           sudo ./nping google.com nmap.org -c2 1.2.3.4 --tcp-connect --udp

[DONE] Investigate an IPv6-related core dump reported by Vasiliy Kulikov. More info: http://seclists.org/nmap-dev/2011/q3/567

[DONE] Provide a way to set no flags at all in an ICMPv6 router renumbering header. Currently, the HeaderTemplate sets the T and R flags, and there is no way to say "no flags at all" from the command line.

[DONE] When targeting IPv4 and IPv6 hosts at the same time (and probably when targeting hosts reachable through different network interfaces with different configured IPs), the BPF filter is not correct. For example, when running "nping ::1 localhost" we only get IPv6 responses. If we invert the order, "nping localhost ::1", we get IPv4 responses (because localhost is resolved for IPv4 by default). The cause is a single source IP address being specified in the BPF filter. These are the filters that are being generated for those two examples:
           "dst host ::1 and (src host ::1 or src host 127.0.0.1)"
       and
           "dst host 127.0.0.1 and (src host 127.0.0.1 or src host ::1)"
       We should either get rid of the "dst host" part, or include every source IP that we are using.

[DONE] The fact that TargetHosts make a copy of the header templates that are passed is weird. Maybe instead of taking pointers, the setTCP, setEth... functions should take the templates by value. That way the code would be less confusing.
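For the BPF filter item above, one way to build the reply filter from every local source address rather than only the first, with a small in-memory evaluator so the effect on a given reply can be checked without a live capture. This is an added illustration, not Nping's own filter code: the ReplyFilter and Route types are assumptions, the rendered expression parenthesizes the "dst host" clause (the filters quoted above do not), and the sample routes mirror the "nping ::1 localhost" example from the item.

```cpp
// Added illustration (not Nping's own code): a reply filter that lists every
// local address we send from, so replies to IPv4 and IPv6 probes (or probes
// leaving through different interfaces) are all captured.
#include <algorithm>
#include <iostream>
#include <string>
#include <vector>

struct ReplyFilter {
    std::vector<std::string> locals;   // addresses we send probes from ("dst host" clause)
    std::vector<std::string> targets;  // addresses we probe ("src host" clause)

    // Renders the pcap expression; "host" accepts both IPv4 and IPv6 literals.
    std::string to_bpf() const {
        return clause("dst host", locals) + " and " + clause("src host", targets);
    }
    // Evaluates the same expression on a captured (src, dst) pair.
    bool accepts(const std::string &src, const std::string &dst) const {
        return contains(locals, dst) && contains(targets, src);
    }

private:
    static bool contains(const std::vector<std::string> &v, const std::string &a) {
        return std::find(v.begin(), v.end(), a) != v.end();
    }
    static std::string clause(const std::string &kw, const std::vector<std::string> &addrs) {
        std::string out = "(";
        for (size_t i = 0; i < addrs.size(); ++i) out += (i ? " or " : "") + kw + " " + addrs[i];
        return out + ")";
    }
};

// One (local, target) pair per probe, as known once each target has been routed.
struct Route {
    std::string local;
    std::string target;
};

static void add_unique(std::vector<std::string> &v, const std::string &a) {
    if (std::find(v.begin(), v.end(), a) == v.end()) v.push_back(a);
}

// The behaviour described above: only the first probe's local address is used.
ReplyFilter single_source_filter(const std::vector<Route> &routes) {
    ReplyFilter f;
    f.locals.push_back(routes.front().local);
    for (const Route &r : routes) add_unique(f.targets, r.target);
    return f;
}

// Corrected: every distinct local address goes into the "dst host" clause.
ReplyFilter all_sources_filter(const std::vector<Route> &routes) {
    ReplyFilter f;
    for (const Route &r : routes) {
        add_unique(f.locals, r.local);
        add_unique(f.targets, r.target);
    }
    return f;
}

// Constructed sample for "nping ::1 localhost": the IPv6 loopback is routed
// first, the IPv4 loopback second.
std::vector<Route> sample_routes() {
    return {{"::1", "::1"}, {"127.0.0.1", "127.0.0.1"}};
}

int main() {
    ReplyFilter old_f = single_source_filter(sample_routes());
    ReplyFilter new_f = all_sources_filter(sample_routes());
    std::cout << "old: " << old_f.to_bpf() << "\n"
              << "     IPv4 reply accepted: " << old_f.accepts("127.0.0.1", "127.0.0.1") << "\n"
              << "new: " << new_f.to_bpf() << "\n"
              << "     IPv4 reply accepted: " << new_f.accepts("127.0.0.1", "127.0.0.1") << "\n";
    return 0;
}
```

With the single-source filter the IPv4 reply from 127.0.0.1 is dropped because "dst host ::1" never matches it; the corrected filter accepts replies to both loopback addresses. Dropping the "dst host" clause entirely, the item's other option, would also work but lets the capture pick up traffic to other local addresses that Nping did not send.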