readscan filters

changyaoh · May 11, 2014 · 7f94576 · 7f94576
1 parent c82dd51
commit 7f94576
Show file tree

Hide file tree

Showing 13 changed files with 272 additions and 49 deletions.
diff --git a/src/in-binary.c b/src/in-binary.c
@@ -81,7 +81,9 @@ parse_status(struct Output *out,
 static void
 parse_status2(struct Output *out,
         enum PortStatus status, /* open/closed */
-        const unsigned char *buf, size_t buf_length)
+        const unsigned char *buf, size_t buf_length,
+        const struct RangeList *ips,
+        const struct RangeList *ports)
 {
     struct MasscanRecord record;
 
@@ -99,6 +101,18 @@ parse_status2(struct Output *out,
     if (out->when_scan_started == 0)
         out->when_scan_started = record.timestamp;
 
+    /*
+     * Filter
+     */
+    if (ips && ips->count) {
+        if (!rangelist_is_contains(ips, record.ip))
+            return;
+    }
+    if (ports && ports->count) {
+        if (!rangelist_is_contains(ports, record.port))
+            return;
+    }
+
     /*
      * Now report the result
      */
@@ -193,7 +207,10 @@ parse_banner4(struct Output *out, unsigned char *buf, size_t buf_length)
 /***************************************************************************
  ***************************************************************************/
 static void
-parse_banner9(struct Output *out, unsigned char *buf, size_t buf_length)
+parse_banner9(struct Output *out, unsigned char *buf, size_t buf_length,
+              const struct RangeList *ips,
+              const struct RangeList *ports,
+              const struct RangeList *btypes)
 {
     struct MasscanRecord record;
 
@@ -213,6 +230,22 @@ parse_banner9(struct Output *out, unsigned char *buf, size_t buf_length)
     if (out->when_scan_started == 0)
         out->when_scan_started = record.timestamp;
 
+    /*
+     * Filter
+     */
+    if (ips && ips->count) {
+        if (!rangelist_is_contains(ips, record.ip))
+            return;
+    }
+    if (ports && ports->count) {
+        if (!rangelist_is_contains(ports, record.port))
+            return;
+    }
+    if (btypes && btypes->count) {
+        if (!rangelist_is_contains(btypes, record.app_proto))
+            return;
+    }
+
     /*
      * Now print the output
      */
@@ -232,7 +265,10 @@ parse_banner9(struct Output *out, unsigned char *buf, size_t buf_length)
  * Read in the file, one record at a time.
  ***************************************************************************/
 static uint64_t
-parse_file(struct Output *out, const char *filename)
+parse_file(struct Output *out, const char *filename,
+           const struct RangeList *ips,
+           const struct RangeList *ports,
+           const struct RangeList *btypes)
 {
     FILE *fp = 0;
     unsigned char *buf = 0;
@@ -339,10 +375,12 @@ parse_file(struct Output *out, const char *filename)
         /* Depending on record type, do something different */
         switch (type) {
             case 1: /* STATUS: open */
-                parse_status(out, PortStatus_Open, buf, bytes_read);
+                if (!btypes->count)
+                    parse_status(out, PortStatus_Open, buf, bytes_read);
                 break;
             case 2: /* STATUS: closed */
-                parse_status(out, PortStatus_Closed, buf, bytes_read);
+                if (!btypes->count)
+                    parse_status(out, PortStatus_Closed, buf, bytes_read);
                 break;
             case 3: /* BANNER */
                 parse_banner3(out, buf, bytes_read);
@@ -359,13 +397,15 @@ parse_file(struct Output *out, const char *filename)
                 parse_banner4(out, buf, bytes_read);
                 break;
             case 6: /* STATUS: open */
-                parse_status2(out, PortStatus_Open, buf, bytes_read);
+                if (!btypes->count)
+                    parse_status2(out, PortStatus_Open, buf, bytes_read, ips, ports);
                 break;
             case 7: /* STATUS: closed */
-                parse_status2(out, PortStatus_Closed, buf, bytes_read);
+                if (!btypes->count)
+                    parse_status2(out, PortStatus_Closed, buf, bytes_read, ips, ports);
                 break;
             case 9:
-                parse_banner9(out, buf, bytes_read);
+                parse_banner9(out, buf, bytes_read, ips, ports, btypes);
                 break;
             case 'm': /* FILEHEADER */
                 //goto end;
@@ -395,7 +435,7 @@ parse_file(struct Output *out, const char *filename)
  * other formats. This preserves the original timestamps.
  *****************************************************************************/
 void
-convert_binary_files(struct Masscan *masscan,
+read_binary_scanfile(struct Masscan *masscan,
                      int arg_first, int arg_max, char *argv[])
 {
     struct Output *out;
@@ -420,7 +460,8 @@ convert_binary_files(struct Masscan *masscan,
      * Then arg_first=3 and arg_max=5.
      */
     for (i=arg_first; i<arg_max; i++) {
-        parse_file(out, argv[i]);
+        parse_file(out, argv[i], &masscan->targets, &masscan->ports,
+                   &masscan->banner_types);
     }
 
     output_destroy(out);

diff --git a/src/in-binary.h b/src/in-binary.h
@@ -1,8 +1,16 @@
 #ifndef IN_BINARY_H
 #define IN_BINARY_H
 struct Masscan;
+
+/**
+ * Read that output of previous scans that were saved in the binary format
+ * (i.e. using the -oB parameter or the '--output-format binary' parameter).
+ * The intent is that the user can then re-output in another format like
+ * JSON or XML.
+ */
 void
-convert_binary_files(struct Masscan *masscan, int arg_first, int arg_max, char *argv[]);
+read_binary_scanfile(struct Masscan *masscan, 
+                     int arg_first, int arg_max, char *argv[]);
 
 #endif
 
diff --git a/src/main-conf.c b/src/main-conf.c
@@ -21,6 +21,7 @@
 #include "templ-port.h"
 #include "crypto-base64.h"
 #include "script.h"
+#include "masscan-app.h"
 
 #include <ctype.h>
 #include <limits.h>
@@ -317,6 +318,7 @@ masscan_echo(struct Masscan *masscan, FILE *fp)
     case Output_Binary:     fprintf(fp, "output-format = binary\n"); break;
     case Output_Grepable:   fprintf(fp, "output-format = grepable\n"); break;
     case Output_JSON:       fprintf(fp, "output-format = json\n"); break;
+    case Output_Certs:      fprintf(fp, "output-format = certs\n"); break;
     case Output_None:       fprintf(fp, "output-format = none\n"); break;
     case Output_Redis:
         fprintf(fp, "output-format = redis\n");
@@ -989,6 +991,21 @@ masscan_set_parameter(struct Masscan *masscan,
         if (masscan->op == 0)
             masscan->op = Operation_Scan;
     }
+    else if (EQUALS("banner-types", name) || EQUALS("banner-type", name)
+             || EQUALS("banner-apps", name) || EQUALS("banner-app", name)
+           ) {
+        enum ApplicationProtocol app;
+
+        app = masscan_string_to_app(value);
+
+        if (app)
+            rangelist_add_range(&masscan->banner_types, app, app);
+        else {
+            LOG(0, "FAIL: bad banner app: %s\n", value);
+            fprintf(stderr, "err\n");
+            exit(1);
+        }
+    }
     else if (EQUALS("exclude-ports", name) || EQUALS("exclude-port", name)) {
         unsigned is_error = 0;
         rangelist_parse_ports(&masscan->exclude_port, value, &is_error);
@@ -1360,6 +1377,7 @@ masscan_set_parameter(struct Masscan *masscan,
         else if (EQUALS("greppable", value))    x = Output_Grepable;
         else if (EQUALS("grepable", value))     x = Output_Grepable;
         else if (EQUALS("json", value))         x = Output_JSON;
+        else if (EQUALS("certs", value))        x = Output_Certs;
         else if (EQUALS("none", value))         x = Output_None;
         else if (EQUALS("redis", value))        x = Output_Redis;
         else {

diff --git a/src/main.c b/src/main.c
@@ -1523,7 +1523,11 @@ int main(int argc, char *argv[])
             for (stop=start+1; stop<(unsigned)argc && argv[stop][0] != '-'; stop++)
                 ;
 
-            convert_binary_files(masscan, start, stop, argv);
+            /*
+             * read the binary files, and output them again depending upon
+             * the output parameters
+             */
+            read_binary_scanfile(masscan, start, stop, argv);
 
         }
         break;

diff --git a/src/masscan-app.c b/src/masscan-app.c
@@ -1,8 +1,10 @@
 #include "masscan-app.h"
 #include "string_s.h"
 
-/***************************************************************************
- ***************************************************************************/
+/******************************************************************************
+ * When outputing results, we call this function to print out the type of 
+ * banner that we've collected
+ ******************************************************************************/
 const char *
 masscan_app_to_string(enum ApplicationProtocol proto)
 {
@@ -35,3 +37,43 @@ masscan_app_to_string(enum ApplicationProtocol proto)
         return tmp;
     }
 }
+
+/******************************************************************************
+ ******************************************************************************/
+enum ApplicationProtocol
+masscan_string_to_app(const char *str)
+{
+    const static struct {
+        const char *name;
+        enum ApplicationProtocol value;
+    } list[] = {
+        {"ssh1",    PROTO_SSH1},
+        {"ssh2",    PROTO_SSH2},
+        {"ssh",     PROTO_SSH2},
+        {"http",    PROTO_HTTP},
+        {"ftp",     PROTO_FTP1},
+        {"dns-ver", PROTO_DNS_VERSIONBIND},
+        {"snmp",    PROTO_SNMP},
+        {"ssh2",    PROTO_SSH2},
+        {"nbtstat", PROTO_NBTSTAT},
+        {"ssl",     PROTO_SSL3},
+        {"pop",     PROTO_POP3},
+        {"imap",    PROTO_IMAP4},
+        {"x509",    PROTO_X509_CERT},
+        {"zeroaccess", PROTO_UDP_ZEROACCESS},
+        {"title", PROTO_HTML_TITLE},
+        {"html", PROTO_HTML_FULL},
+        {"ntp", PROTO_NTP},
+        {"vuln", PROTO_VULN},
+        {"heartbleed", PROTO_HEARTBLEED},
+
+        {0,0}
+    };
+    size_t i;
+
+    for (i=0; list[i].name; i++) {
+        if (strcmp(str, list[i].name) == 0)
+            return list[i].value;
+    }
+    return 0;
+}
diff --git a/src/masscan-app.h b/src/masscan-app.h
@@ -32,5 +32,7 @@ enum ApplicationProtocol {
 const char *
 masscan_app_to_string(enum ApplicationProtocol proto);
 
+enum ApplicationProtocol
+masscan_string_to_app(const char *str);
 
 #endif
diff --git a/src/masscan.h b/src/masscan.h
@@ -52,6 +52,7 @@ enum OutputFormat {
     Output_Grepable     = 0x0080,   /* -oG, "grepable" */
     Output_Redis        = 0x0100, 
     Output_None         = 0x0200,
+    Output_Certs        = 0x0400,
     Output_All          = 0xFFBF,   /* not supported */
 };
 
@@ -126,6 +127,11 @@ struct Masscan
      * range 64k-128k, thus, allowing us to scan both at the same time.
      */
     struct RangeList ports;
+
+    /**
+     * Only output these types of banners
+     */
+    struct RangeList banner_types;
 
     /**
      * IPv4 addresses/ranges that are to be exluded from the scan. This takes

diff --git a/src/out-certs.c b/src/out-certs.c
@@ -0,0 +1,69 @@
+#include "output.h"
+#include "masscan-app.h"
+#include "masscan-status.h"
+#include "string_s.h"
+#include <ctype.h>
+
+
+/****************************************************************************
+ ****************************************************************************/
+static void
+cert_out_open(struct Output *out, FILE *fp)
+{
+}
+
+
+/****************************************************************************
+ ****************************************************************************/
+static void
+cert_out_close(struct Output *out, FILE *fp)
+{    
+    fprintf(fp, "{finished: 1}\n");
+}
+
+/******************************************************************************
+ ******************************************************************************/
+static void
+cert_out_status(struct Output *out, FILE *fp, time_t timestamp, int status,
+                unsigned ip, unsigned ip_proto, unsigned port, unsigned reason, unsigned ttl)
+{
+
+}
+
+
+/******************************************************************************
+ ******************************************************************************/
+static void
+cert_out_banner(struct Output *out, FILE *fp, time_t timestamp,
+                unsigned ip, unsigned ip_proto, unsigned port,
+                enum ApplicationProtocol proto, 
+                unsigned ttl,
+                const unsigned char *px, unsigned length)
+{
+    unsigned i;
+    if (length > 5 && memcmp(px, "cert:", 5) == 0) {
+        px += 5;
+        length -= 5;
+    }
+
+    printf("-----BEGIN CERTIFICATE-----\n");
+    for (i=0; i<length; i += 72) {
+        unsigned len = length - i;
+        if (len > 72)
+            len = 72;
+        printf("%.*s\n", len, px+i);
+    }
+    printf("-----END CERTIFICATE-----\n");
+}
+
+/****************************************************************************
+ ****************************************************************************/
+const struct OutputType certs_output = {
+    "cert",
+    0,
+    cert_out_open,
+    cert_out_close,
+    cert_out_status,
+    cert_out_banner
+};
+
diff --git a/src/output.c b/src/output.c
@@ -413,6 +413,9 @@ output_create(const struct Masscan *masscan, unsigned thread_index)
     case Output_JSON:
         out->funcs = &json_output;
         break;
+    case Output_Certs:
+        out->funcs = &certs_output;
+        break;
     case Output_Binary:
         out->funcs = &binary_output;
         break;

diff --git a/src/output.h b/src/output.h
@@ -123,6 +123,7 @@ const char *normalize_string(const unsigned char *px, size_t length,
 extern const struct OutputType text_output;
 extern const struct OutputType xml_output;
 extern const struct OutputType json_output;
+extern const struct OutputType certs_output;
 extern const struct OutputType binary_output;
 extern const struct OutputType null_output;
 extern const struct OutputType redis_output;