Use scan randomness for TCP too

Author: sfan5

src/scan-responder.c

@@ -13,21 +13,27 @@
 #include "banner.h"
 #include "util.h"
 
+enum {
+	IP_SZ = FRAME_ETH_SIZE + FRAME_IP_SIZE,
+	TCP_SZ = IP_SZ + TCP_HEADER_SIZE,
+};
+
 static struct {
 	/* TODO: better sharing of these vars with scan.c */
 	FILE *outfile;
 	const struct outputdef *outdef;
 	uint16_t source_port;
+	uint32_t scan_randomness;
 
-	uint8_t _Alignas(uint32_t) buffer[FRAME_ETH_SIZE + FRAME_IP_SIZE + TCP_HEADER_SIZE + BANNER_QUERY_MAX_LENGTH];
+	uint8_t _Alignas(uint32_t) buffer[TCP_SZ + BANNER_QUERY_MAX_LENGTH];
 
 	pthread_t tcp_thread;
 	atomic_bool tcp_thread_exit;
 } responder;
 
 static void *tcp_thread(void *unused);
 
-int scan_responder_init(FILE *outfile, const struct outputdef *outdef, uint16_t source_port)
+int scan_responder_init(FILE *outfile, const struct outputdef *outdef, uint16_t source_port, uint32_t scan_randomness)
 {
 	uint8_t *spacket = responder.buffer;
 
@@ -38,6 +44,7 @@ int scan_responder_init(FILE *outfile, const struct outputdef *outdef, uint16_t
 	responder.outfile = outfile;
 	responder.outdef = outdef;
 	responder.source_port = source_port;
+	responder.scan_randomness = scan_randomness;
 
 	if(tcp_state_init() < 0)
 		return -1;
@@ -70,9 +77,9 @@ void scan_responder_process(uint64_t ts, int len, const uint8_t *rpacket)
 	tcp_decode_header(TCP_HEADER(rpacket), &data_offset);
 	// ordinary packet with data
 	if(!TCP_HEADER(rpacket)->f_rst && !TCP_HEADER(rpacket)->f_syn &&
-		len > FRAME_ETH_SIZE + FRAME_IP_SIZE + data_offset) {
+		len > IP_SZ + data_offset) {
 		tcp_decode2(TCP_HEADER(rpacket), &rseqnum, NULL);
-		unsigned int plen = len - (FRAME_ETH_SIZE + FRAME_IP_SIZE + data_offset);
+		unsigned int plen = len - (IP_SZ + data_offset);
 
 		tcp_debug("< seqnum = %08x got data", rseqnum);
 		if(!tcp_state_find(rsrcaddr, rport, &p))
@@ -97,7 +104,7 @@ void scan_responder_process(uint64_t ts, int len, const uint8_t *rpacket)
 		tcp_debug("> ack%s seq=%08x ack=%08x",
 			TCP_HEADER(spacket)->f_fin?"+fin":"", lseqnum, rseqnum + plen + x);
 		tcp_checksum(IP_FRAME(spacket), TCP_HEADER(spacket), 0);
-		rawsock_send(spacket, FRAME_ETH_SIZE + FRAME_IP_SIZE + TCP_HEADER_SIZE);
+		rawsock_send(spacket, TCP_SZ);
 	// FIN packet (no data)
 	} else if(TCP_HEADER(rpacket)->f_fin) {
 		tcp_decode2(TCP_HEADER(rpacket), &rseqnum, NULL);
@@ -121,19 +128,21 @@ void scan_responder_process(uint64_t ts, int len, const uint8_t *rpacket)
 		tcp_debug("> ack+fin seq=%08x ack=%08x",
 			lseqnum, rseqnum + x);
 		tcp_checksum(IP_FRAME(spacket), TCP_HEADER(spacket), 0);
-		rawsock_send(spacket, FRAME_ETH_SIZE + FRAME_IP_SIZE + TCP_HEADER_SIZE);
+		rawsock_send(spacket, TCP_SZ);
 	// ACK packet (no data)
 	} else if(TCP_HEADER(rpacket)->f_ack) {
 		tcp_decode2(TCP_HEADER(rpacket), &rseqnum, &acknum);
 
-		tcp_debug("< seqnum = %08x acked: %08x", rseqnum, acknum);
+		tcp_debug("< seqnum = %08x %sacked: %08x", rseqnum,
+			TCP_HEADER(rpacket)->f_syn?"syn-":"", acknum);
 		if(!TCP_HEADER(rpacket)->f_syn)
 			return;
 
-		uint32_t lseqnum = FIRST_SEQNUM + 1; // expected acknum for the initial answer
+		// expected acknum for the syn-ack
+		uint32_t lseqnum = tcp_first_seqnum(responder.scan_randomness) + 1;
 		if(acknum != lseqnum)
 			return;
-		rseqnum += 1; // syn-ack increases seqnum by one
+		rseqnum += 1; // syn-ack counts as one
 
 		unsigned int plen;
 		const char *payload = banner_get_query(IP_TYPE_TCP, rport, &plen);
@@ -145,7 +154,7 @@ void scan_responder_process(uint64_t ts, int len, const uint8_t *rpacket)
 			tcp_modify(TCP_HEADER(spacket), responder.source_port, rport);
 
 			tcp_checksum(IP_FRAME(spacket), TCP_HEADER(spacket), 0);
-			rawsock_send(spacket, FRAME_ETH_SIZE + FRAME_IP_SIZE + TCP_HEADER_SIZE);
+			rawsock_send(spacket, TCP_SZ);
 			tcp_debug("> ack+rst seq=%08x ack=%08x", lseqnum, rseqnum);
 			return;
 		}
@@ -158,7 +167,7 @@ void scan_responder_process(uint64_t ts, int len, const uint8_t *rpacket)
 		memcpy(TCP_DATA(spacket, TCP_HEADER_SIZE), payload, plen);
 
 		tcp_checksum(IP_FRAME(spacket), TCP_HEADER(spacket), plen);
-		rawsock_send(spacket, FRAME_ETH_SIZE + FRAME_IP_SIZE + TCP_HEADER_SIZE + plen);
+		rawsock_send(spacket, TCP_SZ + plen);
 		tcp_debug("> ack%s seq=%08x ack=%08x",
 			TCP_HEADER(spacket)->f_psh?"+psh":"", lseqnum, rseqnum);
 
@@ -180,7 +189,7 @@ void scan_responder_process(uint64_t ts, int len, const uint8_t *rpacket)
 		tcp_modify(TCP_HEADER(spacket), responder.source_port, rport);
 
 		tcp_checksum(IP_FRAME(spacket), TCP_HEADER(spacket), 0);
-		rawsock_send(spacket, FRAME_ETH_SIZE + FRAME_IP_SIZE + TCP_HEADER_SIZE);
+		rawsock_send(spacket, TCP_SZ);
 		tcp_debug("> ack+rst seq=%08x ack=%08x", lseqnum, rseqnum);
 	} else {
 		tcp_debug("want to send rst but can't..."); // because we don't know our local seqnum
@@ -193,12 +202,9 @@ static void *tcp_thread(void *unused)
 	pthread_setcancelstate(PTHREAD_CANCEL_DISABLE, NULL);
 	set_thread_name("tcp");
 
-	enum {
-		packet_sz = FRAME_ETH_SIZE + FRAME_IP_SIZE + TCP_HEADER_SIZE
-	};
-	uint8_t _Alignas(uint32_t) packet[packet_sz];
+	uint8_t _Alignas(uint32_t) packet[TCP_SZ];
 	// Copy the prepared structure from the "global" packet buffer
-	memcpy(packet, responder.buffer, packet_sz);
+	memcpy(packet, responder.buffer, TCP_SZ);
 
 	do {
 		usleep(BANNER_TIMEOUT * 1000 / 2);
@@ -230,7 +236,7 @@ static void *tcp_thread(void *unused)
 				tcp_modify(TCP_HEADER(packet), responder.source_port, srcport);
 
 				tcp_checksum(IP_FRAME(packet), TCP_HEADER(packet), 0);
-				rawsock_send(packet, packet_sz);
+				rawsock_send(packet, TCP_SZ);
 				tcp_debug("> rst seq=%08x", lseqnum);
 			}
 

src/scan.c

@@ -86,7 +86,7 @@ int scan_main(const char *interface, int quiet)
 	atomic_store(&pkts_recv, 0);
 	atomic_store(&status_bits, 0);
 	if(banners && ip_type == IP_TYPE_TCP) {
-		if(scan_responder_init(outfile, &outdef, source_port) < 0)
+		if(scan_responder_init(outfile, &outdef, source_port, scan_randomness) < 0)
 			goto err;
 	}
 	if(!banners && ip_type == IP_TYPE_UDP)
@@ -188,7 +188,7 @@ static void *send_thread_tcp(void *unused)
 		goto err;
 	rawsock_ip_modify(IP_FRAME(packet), TCP_HEADER_SIZE, dstaddr);
 	tcp_prepare(TCP_HEADER(packet));
-	tcp_make_syn(TCP_HEADER(packet), FIRST_SEQNUM);
+	tcp_make_syn(TCP_HEADER(packet), tcp_first_seqnum(scan_randomness));
 	ports_iter_begin(&ports, &it);
 
 	while(1) {

src/scan.h

@@ -11,8 +11,6 @@ struct ports;
 #define FINISH_WAIT_TIME 5    // s
 #define BANNER_TIMEOUT   2500 // ms
 
-#define FIRST_SEQNUM 0xf0000000
-
 void scan_set_general(const struct ports *ports, int max_rate, int show_closed, int banners);
 void scan_set_network(const uint8_t *source_addr, int source_port, uint8_t ip_type);
 void scan_set_output(FILE *outfile, const struct outputdef *outdef);
@@ -32,7 +30,7 @@ int scan_reader_main(FILE *infile);
 #define TCP_DATA(buf, data_offset) ( (uint8_t*) &(buf)[FRAME_ETH_SIZE + FRAME_IP_SIZE + data_offset] )
 #define UDP_DATA(buf) TCP_DATA(buf, UDP_HEADER_SIZE)
 
-int scan_responder_init(FILE *outfile, const struct outputdef *outdef, uint16_t source_port);
+int scan_responder_init(FILE *outfile, const struct outputdef *outdef, uint16_t source_port, uint32_t scan_randomness);
 void scan_responder_process(uint64_t ts, int len, const uint8_t *rpacket);
 void scan_responder_finish();
 

src/tcp.h

@@ -42,6 +42,11 @@ void tcp_decode_header(const struct tcp_header *pkt, unsigned int *data_offset);
 void tcp_decode(const struct tcp_header *pkt, int *srcport, int *dstport);
 void tcp_decode2(const struct tcp_header *pkt, uint32_t *seqnum, uint32_t *acknum);
 
+static inline uint32_t tcp_first_seqnum(uint32_t rnd) {
+	rnd &= ~(1 << 15); // make room to avoid overflow
+	return rnd;
+}
+
 
 int tcp_state_init(void);
 void tcp_state_create(const uint8_t *srcaddr, uint16_t srcport,