2 /***************************************************************************
3 * service_scan.h -- Routines used for service fingerprinting to determine *
4 * what application-level protocol is listening on a given port *
5 * (e.g. snmp, http, ftp, smtp, etc.) *
7 ***********************IMPORTANT NMAP LICENSE TERMS************************
9 * The Nmap Security Scanner is (C) 1996-2006 Insecure.Com LLC. Nmap is *
10 * also a registered trademark of Insecure.Com LLC. This program is free *
11 * software; you may redistribute and/or modify it under the terms of the *
12 * GNU General Public License as published by the Free Software *
13 * Foundation; Version 2 with the clarifications and exceptions described *
14 * below. This guarantees your right to use, modify, and redistribute *
15 * this software under certain conditions. If you wish to embed Nmap *
16 * technology into proprietary software, we sell alternative licenses *
17 * (contact sales@insecure.com). Dozens of software vendors already *
18 * license Nmap technology such as host discovery, port scanning, OS *
19 * detection, and version detection. *
21 * Note that the GPL places important restrictions on "derived works", yet *
22 * it does not provide a detailed definition of that term. To avoid *
23 * misunderstandings, we consider an application to constitute a *
24 * "derivative work" for the purpose of this license if it does any of the *
26 * o Integrates source code from Nmap *
27 * o Reads or includes Nmap copyrighted data files, such as *
28 * nmap-os-fingerprints or nmap-service-probes. *
29 * o Executes Nmap and parses the results (as opposed to typical shell or *
30 * execution-menu apps, which simply display raw Nmap output and so are *
31 * not derivative works.) *
32 * o Integrates/includes/aggregates Nmap into a proprietary executable *
33 * installer, such as those produced by InstallShield. *
34 * o Links to a library or executes a program that does any of the above *
36 * The term "Nmap" should be taken to also include any portions or derived *
37 * works of Nmap. This list is not exclusive, but is just meant to *
38 * clarify our interpretation of derived works with some common examples. *
39 * These restrictions only apply when you actually redistribute Nmap. For *
40 * example, nothing stops you from writing and selling a proprietary *
41 * front-end to Nmap. Just distribute it by itself, and point people to *
42 * http://insecure.org/nmap/ to download Nmap. *
44 * We don't consider these to be added restrictions on top of the GPL, but *
45 * just a clarification of how we interpret "derived works" as it applies *
46 * to our GPL-licensed Nmap product. This is similar to the way Linus *
47 * Torvalds has announced his interpretation of how "derived works" *
48 * applies to Linux kernel modules. Our interpretation refers only to *
49 * Nmap - we don't speak for any other GPL products. *
51 * If you have any questions about the GPL licensing restrictions on using *
52 * Nmap in non-GPL works, we would be happy to help. As mentioned above, *
53 * we also offer alternative license to integrate Nmap into proprietary *
54 * applications and appliances. These contracts have been sold to dozens *
55 * of software vendors, and generally include a perpetual license as well *
56 * as providing for priority support and updates as well as helping to *
57 * fund the continued development of Nmap technology. Please email *
58 * sales@insecure.com for further information. *
60 * As a special exception to the GPL terms, Insecure.Com LLC grants *
61 * permission to link the code of this program with any version of the *
62 * OpenSSL library which is distributed under a license identical to that *
63 * listed in the included Copying.OpenSSL file, and distribute linked *
64 * combinations including the two. You must obey the GNU GPL in all *
65 * respects for all of the code used other than OpenSSL. If you modify *
66 * this file, you may extend this exception to your version of the file, *
67 * but you are not obligated to do so. *
69 * If you received these files with a written license agreement or *
70 * contract stating terms other than the terms above, then that *
71 * alternative license agreement takes precedence over these comments. *
73 * Source is provided to this software because we believe users have a *
74 * right to know exactly what a program is going to do before they run it. *
75 * This also allows you to audit the software for security holes (none *
76 * have been found so far). *
78 * Source code also allows you to port Nmap to new platforms, fix bugs, *
79 * and add new features. You are highly encouraged to send your changes *
80 * to fyodor@insecure.org for possible incorporation into the main *
81 * distribution. By sending these changes to Fyodor or one the *
82 * Insecure.Org development mailing lists, it is assumed that you are *
83 * offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
84 * to reuse, modify, and relicense the code. Nmap will always be *
85 * available Open Source, but this is important because the inability to *
86 * relicense code has caused devastating problems for other Free Software *
87 * projects (such as KDE and NASM). We also occasionally relicense the *
88 * code to third parties as discussed above. If you wish to specify *
89 * special license conditions of your contributions, just say so when you *
92 * This program is distributed in the hope that it will be useful, but *
93 * WITHOUT ANY WARRANTY; without even the implied warranty of *
94 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
95 * General Public License for more details at *
96 * http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
99 ***************************************************************************/
101 /* $Id: service_scan.h 3977 2006-09-12 03:35:29Z fyodor $ */
103 #ifndef SERVICE_SCAN_H
104 #define SERVICE_SCAN_H
107 #include "global_structures.h"
110 #ifdef HAVE_PCRE_PCRE_H
111 # include <pcre/pcre.h>
116 /********************** DEFINES/ENUMS ***********************************/
117 #define DEFAULT_SERVICEWAITMS 5000
118 #define DEFAULT_CONNECT_TIMEOUT 5000
119 #define DEFAULT_CONNECT_SSL_TIMEOUT 8000 // includes connect() + ssl negotiation
120 #define SERVICEMATCH_REGEX 1
121 // #define SERVICEMATCH_STATIC 2 -- no longer supported
123 /********************** STRUCTURES ***********************************/
125 // This is returned when we find a match
126 struct MatchDetails {
127 // Rather the match is a "soft" service only match, where we should
128 // continue to look for a better match.
131 // The service that was matched (Or NULL) zero-terminated.
132 const char *serviceName;
134 // The product/verson/info for the service that was matched (Or NULL)
140 // More information from a match. Zero-terminated strings or NULL.
141 const char *hostname;
143 const char *devicetype;
146 /********************** CLASSES ***********************************/
148 class ServiceProbeMatch {
151 ~ServiceProbeMatch();
153 // match text from the nmap-service-probes file. This must be called
154 // before you try and do anything with this match. This function
155 // should be passed the whole line starting with "match" or
156 // "softmatch" in nmap-service-probes. The line number that the text
157 // is provided so that it can be reported in error messages. This
158 // function will abort the program if there is a syntax problem.
159 void InitMatch(const char *matchtext, int lineno);
161 // If the buf (of length buflen) match the regex in this
162 // ServiceProbeMatch, returns the details of the match (service
163 // name, version number if applicable, and whether this is a "soft"
164 // match. If the buf doesn't match, the serviceName field in the
165 // structure will be NULL. The MatchDetails returned is only valid
166 // until the next time this function is called. The only exception
167 // is that the serviceName field can be saved throughought program
168 // execution. If no version matched, that field will be NULL.
169 const struct MatchDetails *testMatch(const u8 *buf, int buflen);
170 // Returns the service name this matches
171 const char *getName() { return servicename; }
172 // The Line number where this match string was defined. Returns
174 int getLineNo() { return deflineno; }
176 int deflineno; // The line number where this match is defined.
177 bool isInitialized; // Has InitMatch yet been called?
179 int matchtype; // SERVICEMATCH_REGEX or SERVICESCAN_STATIC
180 char *matchstr; // Regular expression text, or static string
181 int matchstrlen; // Because static strings may have embedded NULs
182 pcre *regex_compiled;
183 pcre_extra *regex_extra;
184 bool matchops_ignorecase;
185 bool matchops_dotall;
186 bool isSoft; // is this a soft match? ("softmatch" keyword in nmap-service-probes)
187 // If any of these 3 are non-NULL, a product, version, or template
188 // string was given to deduce the application/version info via
189 // substring matches.
190 char *product_template;
191 char *version_template;
194 char *hostname_template;
195 char *ostype_template;
196 char *devicetype_template;
197 // The anchor is for SERVICESCAN_STATIC matches. If the anchor is not -1, the match must
198 // start at that zero-indexed position in the response str.
200 // Details to fill out and return for testMatch() calls
201 struct MatchDetails MD_return;
203 // Use the six version templates and the match data included here
204 // to put the version info into the given strings, (as long as the sizes
205 // are sufficient). Returns zero for success. If no template is available
206 // for a string, that string will have zero length after the function
207 // call (assuming the corresponding length passed in is at least 1)
208 int getVersionStr(const u8 *subject, int subjectlen, int *ovector,
209 int nummatches, char *product, int productlen,
210 char *version, int versionlen, char *info, int infolen,
211 char *hostname, int hostnamelen, char *ostype, int ostypelen,
212 char *devicetype, int devicetypelen);
220 const char *getName() { return probename; }
221 // Returns true if this is the "null" probe, meaning it sends no probe and
222 // only listens for a banner. Only TCP services have this.
223 bool isNullProbe() { return (probestringlen == 0); }
224 bool isProbablePort(u16 portno); // Returns true if the portnumber given was listed
225 // as a port that is commonly identified by this
226 // probe (e.g. an SMTP probe would commonly identify port 25)
227 // Amount of time to wait after a connection succeeds (or packet sent) for a responses.
230 // Parses the "probe " line in the nmap-service-probes file. Pass the rest of the line
231 // after "probe ". The format better be:
232 // [TCP|UDP] [probename] "probetext"
233 // the lineno is requested because this function will bail with an error
234 // (giving the line number) if it fails to parse the string.
235 void setProbeDetails(char *pd, int lineno);
237 // obtains the probe string (in raw binary form) and the length. The string will be
238 // NUL-terminated, but there may be other \0 in the string, so the termination is only
239 // done for ease of printing ASCII probes in debugging cases.
240 const u8 *getProbeString(int *stringlen) { *stringlen = probestringlen; return probestring; }
241 void setProbeString(const u8 *ps, int stringlen);
243 /* Protocols are IPPROTO_TCP and IPPROTO_UDP */
244 u8 getProbeProtocol() {
245 assert(probeprotocol == IPPROTO_TCP || probeprotocol == IPPROTO_UDP);
246 return probeprotocol;
248 void setProbeProtocol(u8 protocol) { probeprotocol = protocol; }
250 // Takes a string as given in the 'ports '/'sslports ' line of
251 // nmap-service-probes. Pass in the list from the appropriate
252 // line. For 'sslports', tunnel should be specified as
253 // SERVICE_TUNNEL_SSL. Otherwise use SERVICE_TUNNEL_NONE. The line
254 // number is requested because this function will bail with an error
255 // (giving the line number) if it fails to parse the string. Ports
256 // are a comma separated list of ports and ranges
257 // (e.g. 53,80,6000-6010).
258 void setProbablePorts(enum service_tunnel_type tunnel,
259 const char *portstr, int lineno);
261 /* Returns true if the passed in port is on the list of probable
262 ports for this probe and tunnel type. Use a tunnel of
263 SERVICE_TUNNEL_SSL or SERVICE_TUNNEL_NONE as appropriate */
264 bool portIsProbable(enum service_tunnel_type tunnel, u16 portno);
265 // Returns true if the passed in service name is among those that can
266 // be detected by the matches in this probe;
267 bool serviceIsPossible(const char *sname);
269 // Takes a string following a Rarity directive in the probes file.
270 // The string should contain a single integer between 1 and 9. The
271 // default rarity is 5. This function will bail if the string is invalid.
272 void setRarity(const char *portstr, int lineno);
274 // Simply returns the rarity of this probe
275 const int getRarity() { return rarity; }
277 // Takes a match line in a probe description and adds it to the
278 // list of matches for this probe. This function should be passed
279 // the whole line starting with "match" or "softmatch" in
280 // nmap-service-probes. The line number is requested because this
281 // function will bail with an error (giving the line number) if it
282 // fails to parse the string.
283 void addMatch(const char *match, int lineno);
285 // If the buf (of length buflen) matches one of the regexes in this
286 // ServiceProbe, returns the details of the match (service name,
287 // version number if applicable, and whether this is a "soft" match.
288 // If the buf doesn't match, the serviceName field in the structure
289 // will be NULL. The MatchDetails returned is only valid until the
290 // next time this function is called. The only exception is that the
291 // serviceName field can be saved throughought program execution. If
292 // no version matched, that field will be NULL. This function may
293 // return NULL if there are no match lines at all in this probe.
294 const struct MatchDetails *testMatch(const u8 *buf, int buflen);
297 ServiceProbe *fallbacks[MAXFALLBACKS+1];
300 void setPortVector(std::vector<u16> *portv, const char *portstr,
306 std::vector<u16> probableports;
307 std::vector<u16> probablesslports;
309 std::vector<const char *> detectedServices;
311 std::vector<ServiceProbeMatch *> matches; // first-ever use of STL in Nmap!
318 // Tries to find the probe in this AllProbes class which have the
319 // given name and protocol. It can return the NULL probe.
320 ServiceProbe *getProbeByName(const char *name, int proto);
321 std::vector<ServiceProbe *> probes; // All the probes except nullProbe
322 ServiceProbe *nullProbe; // No probe text - just waiting for banner
324 // Before this function is called, the fallbacks exist as unparsed
325 // comma-separated strings in the fallbackStr field of each probe.
326 // This function fills out the fallbacks array in each probe with
327 // an ordered list of pointers to which probes to try. This is both for
328 // efficiency and to deal with odd cases like the NULL probe and falling
329 // back to probes later in the file. This function also free()s all the
331 void compileFallbacks();
333 int isExcluded(unsigned short port, int proto);
334 struct scan_lists *excludedports;
336 static AllProbes *service_scan_init(void);
337 static void service_scan_free(void);
339 static AllProbes *global_AP;
342 /********************** PROTOTYPES ***********************************/
344 /* Parses the given nmap-service-probes file into the AP class Must
345 NOT be made static because I have external maintenance tools
346 (servicematch) which use this */
347 void parse_nmap_service_probe_file(AllProbes *AP, char *filename);
349 /* Execute a service fingerprinting scan against all open ports of the
350 Targets specified. */
351 int service_scan(std::vector<Target *> &Targets);
353 #endif /* SERVICE_SCAN_H */