first build with ARP kung-fu, though far from finished with that feature

Makefile.in

@@ -1,4 +1,4 @@
-export NMAP_VERSION = 3.82
+export NMAP_VERSION = 3.82CSW
 NMAP_NAME= nmap
 NMAP_URL= http://www.insecure.org/nmap/
 NMAP_PLATFORM=@host@

Target.cc

@@ -99,6 +99,7 @@
  ***************************************************************************/
 
 /* $Id$ */
+#include <dnet.h>
 
 #include "Target.h"
 #include "osscan.h"
@@ -125,7 +126,8 @@ void Target::Initialize() {
   targetipstring[0] = '\0';
   nameIPBuf = NULL;
   memset(&MACaddress, 0, sizeof(MACaddress));
-  MACaddress_set = false;
+  memset(&SrcMACaddress, 0, sizeof(SrcMACaddress));
+  MACaddress_set = SrcMACaddress_set = false;
   htn.msecs_used = 0;
   htn.toclock_running = false;
 }
@@ -351,7 +353,18 @@ int Target::setMACAddress(const u8 *addy) {
   return 0;
 }
 
+int Target::setSrcMACAddress(const u8 *addy) {
+  if (!addy) return 1;
+  memcpy(SrcMACaddress, addy, 6);
+  SrcMACaddress_set = 1;
+  return 0;
+}
+
 /* Returns the 6-byte long MAC address, or NULL if none has been set */
 const u8 *Target::MACAddress() {
   return (MACaddress_set)? MACaddress : NULL;
 }
+
+const u8 *Target::SrcMACAddress() {
+  return (SrcMACaddress_set)? SrcMACaddress : NULL;
+}

Target.h

@@ -176,8 +176,10 @@ class Target {
 
   /* Takes a 6-byte MAC address */
   int setMACAddress(const u8 *addy);
+  int setSrcMACAddress(const u8 *addy);
   /* Returns a pointer to 6-byte MAC address, or NULL if none is set */
   const u8 *MACAddress();
+  const u8 *SrcMACAddress();
 
   struct seq_info seq;
   FingerPrintResults *FPR;
@@ -189,7 +191,7 @@ class Target {
   int wierd_responses; /* echo responses from other addresses, Ie a network broadcast address */
   unsigned int flags; /* HOST_UP, HOST_DOWN, HOST_FIREWALLED, HOST_BROADCAST (instead of HOST_BROADCAST use wierd_responses */
   struct timeout_info to;
-  char device[64]; /* The device we transmit on -- make sure to adjust some str* calls if I ever change this*/
+  char device[64]; /* The device we transmit on -- make sure to adjust some str* calls if I ever change this size*/
 
  private:
   char *hostname; // Null if unable to resolve or unset
@@ -206,6 +208,8 @@ class Target {
   char *nameIPBuf; /* for the NameIP(void) function to return */
   u8 MACaddress[6];
   bool MACaddress_set;
+  u8 SrcMACaddress[6];
+  bool SrcMACaddress_set;
   struct host_timeout_nfo htn;
 };
 

global_structures.h

@@ -228,6 +228,6 @@ struct scan_lists {
 	int prot_count;
 };
 
-typedef enum { ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, RPC_SCAN, MAIMON_SCAN, IPPROT_SCAN } stype;
+typedef enum { ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, RPC_SCAN, MAIMON_SCAN, IPPROT_SCAN, PING_SCAN, PING_SCAN_ARP} stype;
 
 #endif /*GLOBAL_STRUCTURES_H */

nmap-os-fingerprints

@@ -908,8 +908,9 @@ T7(Resp=Y%DF=N%W=0%ACK=O%Flags=R%Ops=)
 PU(Resp=N)
 
 # Apple AirPort Express (Apple Base Station V6.0)
-Fingerprint Apple AirPort Express WAP
+Fingerprint Apple AirPort Express WAP or Dell Fiber Channel Bridge Module
 Class Apple | embedded || WAP
+Class Dell | embedded || storage-misc
 TSeq(Class=RI%gcd=<6%SI=<A9830&>1000%TS=2HZ)
 T1(DF=Y%W=2000%ACK=S++%Flags=AS%Ops=MNWNNT)
 T2(Resp=N)

nmap-service-probes

@@ -1976,7 +1976,7 @@ match afs m|^[\d\D]{28}\s*(OpenAFS)\s+stable\s+([\d\.]+)\s+([^\0]+)\0| v/$1/$2/$
 match afs m|^[\d\D]{28}\s*(OpenAFS)([\d\.]{3}[^\s\0]*)\s+([^\0]+)\0| v/$1/$2/$3/
 match afs m|^[\d\D]{28}\s*(OpenAFS)([\d\.]{3}[^\s\0]*)\0| v/$1/$2//
 # Transarc AFS
-match afs m|^[\d\D]{28}\s*Base\sconfiguration\safs([\d\.]+)\s+([^\s\0\;]+)[\0\;]| v/Transarc AFS/$1/$2/
+match afs m|^[\d\D]{28}\s*Base\sconfiguration\safs([\d\.]+)\s+[^\s\0\;]+[\0\;]| v/Transarc AFS/$1/$2/
 # Arla
 match afs m|^[\d\D]{28}\s*arla-([\d\.]+)\0| v/Arla/$1//
 

nmap.cc

@@ -601,6 +601,8 @@ int nmap_main(int argc, char *argv[]) {
 	o.pingtype |= PINGTYPE_ICMP_TS;
       else if (*optarg == '0' || *optarg == 'N' || *optarg == 'D')      
 	o.pingtype = PINGTYPE_NONE;
+      else if (*optarg == 'R')
+	o.pingtype |= PINGTYPE_ARP;
       else if (*optarg == 'S') {
 	o.pingtype |= (PINGTYPE_TCP|PINGTYPE_TCP_USE_SYN);
 	if (isdigit((int) *(optarg+1)))
@@ -1792,6 +1794,8 @@ char *scantype2str(stype scantype) {
   case RPC_SCAN: return "RPCGrind Scan"; break;
   case MAIMON_SCAN: return "Maimon Scan"; break;
   case IPPROT_SCAN: return "IPProto Scan"; break;
+  case PING_SCAN: return "Ping Scan"; break;
+  case PING_SCAN_ARP: return "ARP Ping Scan"; break;
   default: assert(0); break;
   }
 

nmap.h

@@ -357,6 +357,7 @@ void *realloc();
 #define PINGTYPE_RAWTCP 128
 #define PINGTYPE_CONNECTTCP 256
 #define PINGTYPE_UDP  512
+#define PINGTYPE_ARP 1024
 
 /* TCP/IP ISN sequence prediction classes */
 #define SEQ_UNKNOWN 0

osscan.cc

@@ -144,7 +144,7 @@ int testno;
 int  timeout;
 int avnum;
 unsigned int sequence_base;
-unsigned int openport;
+unsigned long openport;
 unsigned int bytes;
 unsigned int closedport = 31337;
 Port *tport = NULL;
@@ -227,7 +227,7 @@ snprintf(filter, sizeof(filter), "dst host %s and (icmp or (tcp and src host %s)
  }
 
 if (o.verbose && openport != (unsigned long) -1)
-  log_write(LOG_STDOUT, "For OSScan assuming port %d is open, %d is closed, and neither are firewalled\n", openport, closedport);
+  log_write(LOG_STDOUT, "For OSScan assuming port %lu is open, %d is closed, and neither are firewalled\n", openport, closedport);
 
  current_port = o.magic_port + NUM_SEQ_SAMPLES +1;
 
@@ -422,7 +422,7 @@ if (o.verbose && openport != (unsigned long) -1)
 	 if ((tcp->th_flags & TH_RST)) {
 	   /*	 readtcppacket((char *) ip, ntohs(ip->ip_len));*/	 
 	   if (si->responses == 0) {	 
-	     fprintf(stderr, "WARNING:  RST from port %hu -- is this port really open?\n", openport);
+	     fprintf(stderr, "WARNING:  RST from port %lu -- is this port really open?\n", openport);
 	     /* We used to quit in this case, but left-overs from a SYN
 		scan or lame-ass TCP wrappers can cause this! */
 	   }