Let's be scanned.

Masscanned

Masscanned (name inspired, of course, by masscan) is a network responder. Its purpose is to provide generic answers to as many protocols as possible, with as few assumptions as possible about the client's intentions.

Let them talk first.

Just like masscan, masscanned implements its own userland network stack, similarly to honeyd. It is designed to interact with scanners and opportunistic bots as far as possible, and to support as many protocols as possible.

For example, when it receives network packets:

  • masscanned answers to ARP who-has with ARP is-at (for its IP addresses),
  • masscanned answers to ICMP Echo Request with ICMP Echo Reply,
  • masscanned answers to TCP SYN (any port) with TCP SYN/ACK on any port,
  • masscanned answers to HTTP requests (any verb) over TCP/UDP (any port) with an HTTP 401 web page.


Masscanned currently supports most common protocols at layers 2-3-4, and a few application protocols:

  • Eth::ARP::REQ,
  • Eth::IPv{4,6}::ICMP::ECHO-REQ,
  • Eth::IPv{4,6}::TCP::SYN (all ports),
  • Eth::IPv{4,6}::TCP::PSHACK (all ports),
  • Eth::IPv6::ICMP::ND_NS,
  • Eth::IPv{4,6}::{TCP,UDP}::HTTP (all HTTP verbs),
  • Eth::IPv{4,6}::{TCP,UDP}::STUN,
  • Eth::IPv{4,6}::{TCP,UDP}::SSH (Server Protocol only).

Try it locally

  1. Build masscanned:
     $ cargo build
  2. Create a new net namespace:
     # ip netns add masscanned
  3. Create a veth pair between the two namespaces:
     # ip link add vethmasscanned type veth peer veth netns masscanned
     # ip link set vethmasscanned up
     # ip -n masscanned link set veth up
  4. Set an IP on the local veth to have a route for outgoing packets:
     # ip addr add dev vethmasscanned 192.168.0.0/31
  5. Run masscanned in the namespace:
     # ip netns exec masscanned ./target/debug/masscanned --iface veth -v[vv]
  6. From another terminal, send packets to masscanned:
     # arping 192.168.0.1
     # ping 192.168.0.1
     # nc -n -v 192.168.0.1 80
     # nc -n -v -u 192.168.0.1 80
     ...

Use it

A good use of masscanned is to deploy it on a VPS with one or more public IP addresses.

To use the results, the best way is to capture all network traffic on the interface masscanned is listening to and responding on. The pcaps can then be analyzed using zeek, and the output files can typically be pushed into an instance of IVRE.

Documentation on how to deploy an instance of masscanned on a VPS is coming (see Issue #2).

Protocols

Layer 2

ARP

masscanned answers ARP requests that target an IPv4 address handled by masscanned (i.e., an address listed in the IP address file given with option -f).

The answer contains the first of the following possible MAC addresses:

  • the MAC address specified with -a in command line if any,
  • the MAC address of the interface specified with -i in command line if any,
  • or the masscanned default MAC address, i.e., c0:ff:ee:c0:ff:ee.

Ethernet

masscanned answers to Ethernet frames if and only if the following requirements are met:

  • the destination address of the frame is handled by masscanned, which means one of:

    • masscanned's own MAC address,
    • the broadcast MAC address ff:ff:ff:ff:ff:ff,
    • a multicast MAC address corresponding to one of the IPv4 addresses handled by masscanned (RFC 1112),
    • a multicast MAC address corresponding to one of the IPv6 addresses handled by masscanned;
  • the EtherType field is one of ARP, IPv4 or IPv6.

Note: even for a non-multicast IP address, masscanned will respond to L2 frames addressed to the corresponding multicast MAC address. For instance, if masscanned handles 10.11.12.13, it will answer to frames addressed to 01:00:5e:0b:0c:0d.
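The Layer 2 acceptance rule above, written out as an added Rust example (this is not masscanned's code; it uses only the standard library). The IPv4 mapping is the RFC 1112 one the page cites, 01:00:5e plus the low 23 bits of the address, which is why 10.11.12.13 lands on 01:00:5e:0b:0c:0d; the IPv6 mapping is assumed to be the RFC 2464 one, 33:33 plus the low 32 bits, applied to masscanned's own addresses; the EtherType constants are the IANA values. L2Config, accepts_frame and the other names are the example's own.

```rust
// Added example, not masscanned's own code: the Layer 2 acceptance rule.
// Assumptions: IPv4 -> MAC follows RFC 1112 (01:00:5e + low 23 bits);
// IPv6 -> MAC is assumed to follow RFC 2464 (33:33 + low 32 bits);
// EtherType values are the IANA-assigned ones.
use std::net::{Ipv4Addr, Ipv6Addr};

pub const BROADCAST_MAC: [u8; 6] = [0xff; 6];
/// masscanned's default MAC address, from the ARP section above.
pub const DEFAULT_MAC: [u8; 6] = [0xc0, 0xff, 0xee, 0xc0, 0xff, 0xee];

pub const ETHERTYPE_IPV4: u16 = 0x0800;
pub const ETHERTYPE_ARP: u16 = 0x0806;
pub const ETHERTYPE_IPV6: u16 = 0x86dd;

/// RFC 1112, section 6.4: the low-order 23 bits of the IPv4 address go into
/// the low-order 23 bits of 01:00:5e:00:00:00 (the top bit of the second
/// octet is discarded, so several IPv4 addresses share one MAC).
pub fn ipv4_multicast_mac(ip: Ipv4Addr) -> [u8; 6] {
    let o = ip.octets();
    [0x01, 0x00, 0x5e, o[1] & 0x7f, o[2], o[3]]
}

/// RFC 2464, section 7: 33:33 followed by the low-order 32 bits of the
/// address (assumption: applied to masscanned's unicast IPv6 addresses).
pub fn ipv6_multicast_mac(ip: Ipv6Addr) -> [u8; 6] {
    let o = ip.octets();
    [0x33, 0x33, o[12], o[13], o[14], o[15]]
}

/// What the responder knows about itself at Layer 2 (example's own struct).
pub struct L2Config {
    pub mac: [u8; 6],
    pub ipv4: Vec<Ipv4Addr>,
    pub ipv6: Vec<Ipv6Addr>,
}

/// True when the frame would be processed: the destination MAC is "handled"
/// (own, broadcast, or the multicast MAC of a handled IP) and the EtherType
/// is ARP, IPv4 or IPv6. Anything else is dropped at Layer 2.
pub fn accepts_frame(cfg: &L2Config, dst: [u8; 6], ethertype: u16) -> bool {
    let dst_handled = dst == cfg.mac
        || dst == BROADCAST_MAC
        || cfg.ipv4.iter().any(|ip| ipv4_multicast_mac(*ip) == dst)
        || cfg.ipv6.iter().any(|ip| ipv6_multicast_mac(*ip) == dst);
    let ethertype_ok = matches!(ethertype, ETHERTYPE_ARP | ETHERTYPE_IPV4 | ETHERTYPE_IPV6);
    dst_handled && ethertype_ok
}

/// Colon-separated lowercase hex, the notation used in the text above.
pub fn fmt_mac(mac: [u8; 6]) -> String {
    mac.iter().map(|b| format!("{:02x}", b)).collect::<Vec<_>>().join(":")
}

fn main() {
    let cfg = L2Config {
        mac: DEFAULT_MAC,
        ipv4: vec![Ipv4Addr::new(10, 11, 12, 13)],
        ipv6: vec!["2001:db8::1".parse().unwrap()],
    };
    let mc = ipv4_multicast_mac(Ipv4Addr::new(10, 11, 12, 13));
    println!("10.11.12.13 -> {}", fmt_mac(mc)); // 01:00:5e:0b:0c:0d
    println!("multicast MAC, IPv4 frame: {}", accepts_frame(&cfg, mc, ETHERTYPE_IPV4));
    println!("broadcast, VLAN-tagged:    {}", accepts_frame(&cfg, BROADCAST_MAC, 0x8100));
    println!("foreign unicast MAC:       {}", accepts_frame(&cfg, [0xde, 0xad, 0xbe, 0xef, 0x00, 0x01], ETHERTYPE_ARP));
}
```

The 23-bit truncation is worth keeping in mind when reviewing captures: 10.11.12.13 and 10.139.12.13 map to the same multicast MAC, so a frame accepted on that MAC says nothing about which of the two addresses the sender had in mind; the Layer 3 destination check decides that.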

Layer 3

IPv4/IPv6

masscanned answers to IPv4 and IPv6 packets, only if:

  • no IP address is specified in a file (i.e., no -f option is specified or the file is empty),

or

  • the destination IP address of the incoming packet is one of the IP addresses handled by masscanned.

An additional requirement is that the next-layer protocol is supported (see below).

IPv4

The following L4 protocols are supported for an IPv4 packet:

  • ICMPv4
  • UDP
  • TCP

If the next layer protocol is not one of them, the packet is dropped.

IPv6

The following L4 protocols are supported for an IPv6 packet:

  • ICMPv6
  • UDP
  • TCP

If the next layer protocol is not one of them, the packet is dropped.

Layer 3+/4

ICMPv4

masscanned answers to ICMPv4 packets if and only if:

  • the ICMP type of the incoming packet is EchoRequest (8),
  • the ICMP code of the incoming packet is 0.

If these conditions are met, masscanned answers with an ICMP packet of type EchoReply (0), code 0 and the same payload as the incoming packet, as specified by RFC 792.
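An added Rust example, not masscanned's code, of the Echo Request handling described above: parse an ICMPv4 message, answer type 8 / code 0 with type 0 / code 0 and the same payload, and drop anything else. Verifying the RFC 1071 checksum before answering is a defensive addition here (the To Do section notes that masscanned does not yet drop packets with a bad checksum). The Echo Request bytes built by sample_echo_request are constructed for the example; icmpv4_reply and internet_checksum are the example's own names.

```rust
// Added example, not masscanned's own code: ICMPv4 Echo Request -> Echo Reply
// per RFC 792, with an RFC 1071 checksum check that masscanned itself does not
// perform yet (see the To Do list). Sample packet bytes are constructed.

pub const ICMP_ECHO_REQUEST: u8 = 8;
pub const ICMP_ECHO_REPLY: u8 = 0;

/// RFC 1071 Internet checksum over the ICMP header and payload. Over a
/// message whose checksum field is already correct, the result folds to 0.
pub fn internet_checksum(data: &[u8]) -> u16 {
    let mut sum: u32 = 0;
    for chunk in data.chunks(2) {
        let word = if chunk.len() == 2 {
            u16::from_be_bytes([chunk[0], chunk[1]])
        } else {
            u16::from_be_bytes([chunk[0], 0]) // odd trailing byte, zero-padded
        };
        sum += u32::from(word);
    }
    while sum >> 16 != 0 {
        sum = (sum & 0xffff) + (sum >> 16);
    }
    !(sum as u16)
}

/// Some(reply bytes) for a well-formed Echo Request (type 8, code 0) whose
/// checksum verifies; None means the packet is dropped.
pub fn icmpv4_reply(packet: &[u8]) -> Option<Vec<u8>> {
    if packet.len() < 8 {
        return None; // shorter than the ICMP echo header
    }
    if packet[0] != ICMP_ECHO_REQUEST || packet[1] != 0 {
        return None; // only EchoRequest (8) with code 0 is answered
    }
    if internet_checksum(packet) != 0 {
        return None; // corrupted or forged: drop rather than answer
    }
    // Same identifier, sequence number and payload; only type and checksum change.
    let mut reply = packet.to_vec();
    reply[0] = ICMP_ECHO_REPLY;
    reply[2] = 0;
    reply[3] = 0;
    let csum = internet_checksum(&reply).to_be_bytes();
    reply[2] = csum[0];
    reply[3] = csum[1];
    Some(reply)
}

/// Constructed sample: Echo Request, identifier 0x1234, sequence 1, payload "abcd".
pub fn sample_echo_request() -> Vec<u8> {
    let mut p = vec![ICMP_ECHO_REQUEST, 0, 0, 0, 0x12, 0x34, 0x00, 0x01];
    p.extend_from_slice(b"abcd");
    let c = internet_checksum(&p).to_be_bytes();
    p[2] = c[0];
    p[3] = c[1];
    p
}

fn main() {
    let req = sample_echo_request();
    match icmpv4_reply(&req) {
        Some(reply) => println!("reply: {:02x?}", reply),
        None => println!("dropped"),
    }
}
```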

ICMPv6

masscanned answers to ICMPv6 packets if and only if:

  • the ICMP type is NeighborSol (135) and:
    • no IP (v4 or v6) was specified for masscanned,
    • or the target address of the Neighbor Solicitation is one of masscanned's.

In that case, the answer is a Neighbor Advertisement (136) packet with masscanned's MAC address.

or

  • the ICMP type is EchoRequest (128).

In that case, the answer is an EchoReply (129) packet.

TCP

masscanned answers to the following TCP packets:

  • if the received packet has flags PSH and ACK, masscanned checks the SYNACK-cookie and, if it is valid, answers with at least an ACK, or with a PSH-ACK if a supported protocol (Layer 5/6/7) has been detected,
  • if the received packet has flag ACK, it is ignored,
  • if the received packet has flag RST or FIN-ACK, it is ignored,
  • if the received packet has flag SYN, then masscanned answers with a SYN-ACK packet, setting a SYNACK-cookie in the sequence number.
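A stateless handshake driven by a SYN-ACK cookie, as the TCP rules above describe, written as an added Rust example (not masscanned's code). masscanned's own cookie construction is not given on this page; the keyed hash used here (a secret key and the 4-tuple fed to the standard library's DefaultHasher) is an assumption chosen for illustration, and the application-layer detection that decides between an ACK and a PSH-ACK is left out, so a valid PSH-ACK is always answered with a plain ACK. FourTuple, Segment, Reply and handle_tcp are the example's own names.

```rust
// Added example, not masscanned's own code: SYN -> SYN-ACK carrying a cookie in
// the sequence number; PSH-ACK -> ACK only when the cookie checks out; bare ACK,
// RST and FIN-ACK ignored. Cookie = keyed hash of the 4-tuple (an assumption,
// not masscanned's construction). No per-connection state is kept anywhere.
use std::collections::hash_map::DefaultHasher;
use std::hash::{Hash, Hasher};
use std::net::IpAddr;

pub const FIN: u8 = 0x01;
pub const SYN: u8 = 0x02;
pub const RST: u8 = 0x04;
pub const PSH: u8 = 0x08;
pub const ACK: u8 = 0x10;

/// Addresses and ports as seen from the client (src = scanner, dst = responder).
#[derive(Clone, Copy, Hash)]
pub struct FourTuple {
    pub src: IpAddr,
    pub sport: u16,
    pub dst: IpAddr,
    pub dport: u16,
}

/// The fields of an incoming segment the rules above look at.
pub struct Segment {
    pub flags: u8,
    pub seq: u32,
    pub ack: u32,
}

#[derive(Debug, PartialEq)]
pub enum Reply {
    SynAck { seq: u32, ack: u32 },
    Ack { seq: u32, ack: u32 },
    Ignore,
}

/// Cookie bound to the secret key and the 4-tuple: recomputable later without
/// storing anything, and not predictable by a peer who lacks the key.
pub fn synack_cookie(key: &[u8; 16], t: &FourTuple) -> u32 {
    let mut h = DefaultHasher::new();
    key.hash(&mut h);
    t.hash(&mut h);
    h.finish() as u32
}

pub fn handle_tcp(key: &[u8; 16], t: &FourTuple, seg: &Segment, payload_len: u32) -> Reply {
    if seg.flags & (RST | FIN) != 0 {
        return Reply::Ignore; // RST and FIN-ACK are ignored
    }
    if seg.flags & (PSH | ACK) == (PSH | ACK) {
        let cookie = synack_cookie(key, t);
        // The client's acknowledgment number must be our SYN-ACK seq + 1,
        // i.e. the cookie + 1; otherwise the handshake was never ours.
        if seg.ack.wrapping_sub(1) != cookie {
            return Reply::Ignore;
        }
        return Reply::Ack {
            seq: cookie.wrapping_add(1),
            ack: seg.seq.wrapping_add(payload_len),
        };
    }
    if seg.flags & ACK != 0 {
        return Reply::Ignore; // a bare ACK (third handshake packet) is ignored
    }
    if seg.flags & SYN != 0 {
        return Reply::SynAck { seq: synack_cookie(key, t), ack: seg.seq.wrapping_add(1) };
    }
    Reply::Ignore
}

fn main() {
    let key = [0x42u8; 16]; // constructed secret for the demo
    let t = FourTuple { src: "192.168.0.0".parse().unwrap(), sport: 40000,
                        dst: "192.168.0.1".parse().unwrap(), dport: 80 };
    let syn = Segment { flags: SYN, seq: 1000, ack: 0 };
    let synack = handle_tcp(&key, &t, &syn, 0);
    println!("SYN      -> {:?}", synack);
    if let Reply::SynAck { seq, .. } = synack {
        let push = Segment { flags: PSH | ACK, seq: 1001, ack: seq.wrapping_add(1) };
        println!("PSH-ACK  -> {:?}", handle_tcp(&key, &t, &push, 5));
        let forged = Segment { flags: PSH | ACK, seq: 1001, ack: seq.wrapping_add(2) };
        println!("bad ack  -> {:?}", handle_tcp(&key, &t, &forged, 5));
    }
}
```

The point of the cookie, from the defender's side, is that every port looks open without a connection table that a SYN flood could fill, while a PSH-ACK whose acknowledgment number does not match the cookie for its 4-tuple is dropped, so data cannot be injected into a handshake the responder never completed.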

UDP

masscanned answers to a UDP packet if and only if the upper-layer protocol is handled and provides an answer.

Protocols

HTTP

STUN

SSH

masscanned answers to SSH Client: Protocol messages with the following Server: Protocol message:

SSH-2.0-1\r\n

Internals

Tests

Unit tests

$ cargo test
   Compiling masscanned v0.2.0 (/zdata/workdir/masscanned)
    Finished test [unoptimized + debuginfo] target(s) in 2.34s
     Running target/debug/deps/masscanned-b86211a090e50323

running 36 tests
test client::client_info::tests::test_client_info_eq ... ok
test layer_2::arp::tests::test_arp_reply ... ok
test layer_3::ipv4::tests::test_ipv4_reply ... ok
test layer_3::ipv6::tests::test_ipv6_reply ... ok
test layer_4::icmpv6::tests::test_icmpv6_reply ... ok
test layer_2::tests::test_eth_reply ... ok
test layer_4::icmpv6::tests::test_nd_na_reply ... ok
test layer_4::tcp::tests::test_synack_cookie_ipv4 ... ok
test layer_4::icmpv4::tests::test_icmpv4_reply ... ok
test layer_4::tcp::tests::test_synack_cookie_ipv6 ... ok
test proto::http::test_http_request_field ... ok
test proto::http::test_http_request_no_field ... ok
test proto::http::test_http_request_line ... ok
test proto::http::test_http_verb ... ok
test proto::stun::tests::test_change_request_port ... ok
test proto::stun::tests::test_proto_stun_ipv6 ... ok
test proto::stun::tests::test_proto_stun_ipv4 ... ok
test proto::stun::tests::test_change_request_port_overflow ... ok
test smack::smack::tests::test_anchor_end ... ok
test smack::smack::tests::test_anchor_begin ... ok
test smack::smack::tests::test_multiple_matches ... ok
test smack::smack::tests::test_http_banner ... ok
test smack::smack::tests::test_multiple_matches_wildcard ... ok
test smack::smack::tests::test_proto ... ok
test smack::smack::tests::test_wildcard ... ok
test proto::tests::test_proto_dispatch_ssh ... ok
test proto::tests::test_proto_dispatch_stun ... ok
test synackcookie::tests::test_clientinfo ... ok
test synackcookie::tests::test_ip4_dst ... ok
test synackcookie::tests::test_ip4_src ... ok
test synackcookie::tests::test_ip4 ... ok
test synackcookie::tests::test_ip6 ... ok
test synackcookie::tests::test_key ... ok
test synackcookie::tests::test_tcp_dst ... ok
test synackcookie::tests::test_tcp_src ... ok
test smack::smack::tests::test_pattern ... ok

test result: ok. 36 passed; 0 failed; 0 ignored; 0 measured; 0 filtered out

Functional tests

# ./test/test_masscanned.py
tcpdump: listening on tap0, link-type EN10MB (Ethernet), snapshot length 262144 bytes
INFO    test_arp_req......................................OK
INFO    test_arp_req_other_ip.............................OK
INFO    test_ipv4_req.....................................OK
INFO    test_eth_req_other_mac............................OK
INFO    test_ipv4_req_other_ip............................OK
INFO    test_icmpv4_echo_req..............................OK
INFO    test_icmpv6_neighbor_solicitation.................OK
INFO    test_icmpv6_neighbor_solicitation_other_ip........OK
INFO    test_icmpv6_echo_req..............................OK
INFO    test_tcp_syn......................................OK
INFO    test_ipv4_tcp_psh_ack.............................OK
INFO    test_ipv6_tcp_psh_ack.............................OK
INFO    test_ipv4_tcp_http................................OK
INFO    test_ipv6_tcp_http................................OK
INFO    test_ipv4_udp_http................................OK
INFO    test_ipv6_udp_http................................OK
INFO    test_ipv4_tcp_http_ko.............................OK
INFO    test_ipv4_udp_http_ko.............................OK
INFO    test_ipv6_tcp_http_ko.............................OK
INFO    test_ipv6_udp_http_ko.............................OK
INFO    test_ipv4_udp_stun................................OK
INFO    test_ipv6_udp_stun................................OK
INFO    test_ipv4_udp_stun_change_port....................OK
INFO    test_ipv6_udp_stun_change_port....................OK
INFO    test_ipv4_tcp_ssh.................................OK
INFO    test_ipv4_udp_ssh.................................OK
INFO    test_ipv6_tcp_ssh.................................OK
INFO    test_ipv6_udp_ssh.................................OK
tcpdump: pcap_loop: The interface disappeared
604 packets captured
604 packets received by filter
0 packets dropped by kernel

Logging Policy

  • ERR: any error - will always be displayed.
  • WARN, -v: responses sent by masscanned.
  • INFO, -vv: packets not handled, packets ignored.
  • DEBUG, -vvv: all packets received and sent by masscanned.

To Do

  • Drop incoming packets if checksum is incorrect
  • Fix source address when answering to multicast packets.
Comments
  • Option to avoid responding to chosen IP addresses

    Option to avoid responding to chosen IP addresses

    This PR adds 2 options akin to ip-addr and ip-addr-file that allow telling Masscanned not to respond to packets that are from a given IP address.

    The packets are dropped at the IP layer, following what was already done for restricting the IP addresses that Masscanned should impersonate.

    I haven't added that dropping logic in ARP (which would be based on the Sender Protocol Address), and didn't defer the decision to ICMPv6 when relevant, as I am unsure if it should. What do you think should be done here? Should such an option drop ARP requests when Sender Protocol Address is ignored? What if SPA is manipulated? Either way the two options fit my personal case and motivation for them.

    The comment that was modified in ipv6.rs is so it matches the same one in ipv4.rs, which doesn't have a typo.

    opened by Unactived 7
  • Add SMB1/SMB2

    Add SMB1/SMB2

    • answers to SMB2 protocol requests
    • answers SMB1 protocol requests
    • adds "generic" packet classes: "Packet" and "PacketDissector". This could probably be abstracted a bit more, and generalized to other masscanned protos

    SMB1

    smbclient -U "" -N -L 10.1.1.1 -d10 --option='client min protocol=NT1'
    


    SMB2

    smbclient -U "" -N -L 10.1.1.1 -d10
    


    opened by gpotter2 4
  • Update pnet requirement from 0.29.0 to 0.31.0

    Update pnet requirement from 0.29.0 to 0.31.0

    Updates the requirements on pnet to permit the latest version.

    Release notes

    Sourced from pnet's releases.

    Release v0.31.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/libpnet/libpnet/compare/v0.30.0...v0.31.0

    Commits
    • 05db0f1 Release v0.31.0
    • c9bb42f Fix build warnings on Windows
    • 49768c4 Merge pull request #570 from mrmonday/dep-upgrade
    • 5e620ce Upgrade dependencies
    • a802148 Fix doc test when publishing crates
    • c24329e Merge pull request #567 from matteyeux/master
    • 98e3fe1 Merge pull request #566 from Felix-El/no_std
    • 1423378 Merge pull request #568 from cc-morning/master
    • 7091932 Update libc dependency to 0.2.117
    • 79e7969 bump version for ipnetwork in pnet_datalink
    • Additional commits viewable in compare view

    Dependabot will resolve any conflicts with this PR as long as you don't alter it yourself. You can also trigger a rebase manually by commenting @dependabot rebase.


    Dependabot commands and options

    You can trigger Dependabot actions by commenting on this PR:

    • @dependabot rebase will rebase this PR
    • @dependabot recreate will recreate this PR, overwriting any edits that have been made to it
    • @dependabot merge will merge this PR after your CI passes on it
    • @dependabot squash and merge will squash and merge this PR after your CI passes on it
    • @dependabot cancel merge will cancel a previously requested merge and block automerging
    • @dependabot reopen will reopen this PR if it is closed
    • @dependabot close will close this PR and stop Dependabot recreating it. You can achieve the same result by closing it manually
    • @dependabot ignore this major version will close this PR and stop Dependabot creating any more for this major version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this minor version will close this PR and stop Dependabot creating any more for this minor version (unless you reopen the PR or upgrade to it yourself)
    • @dependabot ignore this dependency will close this PR and stop Dependabot creating any more for this dependency (unless you reopen the PR or upgrade to it yourself)
    opened by dependabot[bot] 3
  • SMB: add SessionSetup responses

    SMB: add SessionSetup responses

    • adds answers to SessionSetup requests -> NTLM challenge

    This needs https://github.com/ivre/masscanned/pull/45 to be able to work in prod / add a functional test :P

    opened by gpotter2 3
  • Refactor test suite

    Refactor test suite

    • ~~on top https://github.com/ivre/masscanned/pull/41~~
    • adds a functional test for SMB
    • full refactor of the test suite & cleanups
    • ability to select what tests to run: TESTS=smb ./test
    opened by gpotter2 3
  • (Applicative) protocols should be able to say whether they support TCP, UDP or both

    (Applicative) protocols should be able to say whether they support TCP, UDP or both

    Also, one (applicative) protocol should be able to transport another protocol, applicative or not.

    This will be particularly helpful for protocols supporting both TCP and UDP with minor changes (e.g., the size is added at the beginning of the packet in TCP and not in UDP; both RPC and DNS, at least, do that).

    The second part will also help for encapsulation, e.g., VXLAN.

    opened by p-l- 2
  • Bump clap from 4.0.29 to 4.0.30

    Bump clap from 4.0.29 to 4.0.30

    Bumps clap from 4.0.29 to 4.0.30.

    Release notes

    Sourced from clap's releases.

    v4.0.30

    [4.0.30] - 2022-12-21

    Fixes

    • (error) Improve error for args_conflicts_with_subcommand
    Changelog

    Sourced from clap's changelog.

    [4.0.30] - 2022-12-21

    Fixes

    • (error) Improve error for args_conflicts_with_subcommand
    Commits
    • d2d0222 chore: Release
    • 56a0bb6 docs: Update changelog
    • b941a3e Merge pull request #4567 from epage/error
    • 453ac0b fix(parser): Be less confusing with args/subcommand conflicts
    • 2a374db test(parser): Show bad behavior
    • f632424 test(parser): Consolidate args_conflicts_with tests
    • a72f962 docs(builder): Escape non-tags
    • ac48e2d docs: Make less brittle for rust versions
    • a3381a2 docs(readme): Fix build status badge (#4559)
    • aa54204 Merge pull request #4555 from epage/reset
    • Additional commits viewable in compare view

    opened by dependabot[bot] 1
  • Bump clap from 4.0.22 to 4.0.23

    Bump clap from 4.0.22 to 4.0.23

    Bumps clap from 4.0.22 to 4.0.23.

    Release notes

    Sourced from clap's releases.

    v4.0.23

    [4.0.23] - 2022-11-11

    Fixes

    • Don't panic on reporting invalid-long errors when followed by invalid UTF8
    • (help) Clarified argument to help subcommand
    Changelog

    Sourced from clap's changelog.

    [4.0.23] - 2022-11-11

    Fixes

    • Don't panic on reporting invalid-long errors when followed by invalid UTF8
    • (help) Clarified argument to help subcommand
    Commits
    • 95144b7 chore: Release
    • 20ecae1 docs: Update changelog
    • e6a3529 Merge pull request #4474 from epage/utf8
    • e9cbed3 fix(parser): Don't panic on invalid UTF-8 values
    • 45d26e0 test(parser): Show UTF8 bug
    • 4d69e56 Merge pull request #4471 from epage/assert
    • ec03972 test(assert): Verify empty positional assert exists
    • 0d27188 Merge pull request #4465 from epage/help
    • 9376a57 fix(help): Clarify that 'help' command accepts multiple
    • See full diff in compare view

    opened by dependabot[bot] 1
  • Proposal to add logfmt logging format

    Proposal to add logfmt logging format

    Hello,

    as mentioned in another issue I'd personally enjoy the logs supporting a different, key-based format, mainly logfmt.

    I'm proposing to do it myself and PR, but would just like to be sure it's fine by maintainers / makes sense first. e.g. are you already in the process of adding json?

    I think I'd just pretty much copy ConsoleLogger's implementation, along adding a --format CLI option with default as current.

    opened by Unactived 1
  • Update clap requirement from 3.1.12 to 4.0.2

    Update clap requirement from 3.1.12 to 4.0.2

    Updates the requirements on clap to permit the latest version.

    Release notes

    Sourced from clap's releases.

    v4.0.2

    [4.0.2] - 2022-09-28

    Fixes

    • (parser) SetFalse should conflict with itself like SetTrue and Set
    • (parser) Allow one-off overrides
    Changelog

    Sourced from clap's changelog.

    [4.0.2] - 2022-09-28

    Fixes

    • (parser) SetFalse should conflict with itself like SetTrue and Set
    • (parser) Allow one-off overrides

    [4.0.1] - 2022-09-28

    Fixes

    • (derive) Ensure #[clap(...)] attribute still works

    [4.0.0] - 2022-09-28

    Highlights

    Arg::num_args(range)

    Clap has had several ways for controlling how many values will be captured without always being clear on how they interacted, including

    • Arg::multiple_values(true)
    • Arg::number_of_values(4)
    • Arg::min_values(2)
    • Arg::max_values(20)
    • Arg::takes_value(true)

    These have now all been collapsed into Arg::num_args which accepts both single values and ranges of values. num_args controls how many raw arguments on the command line will be captured as values per occurrence and independent of value delimiters.

    See Issue 2688 for more background.

    Polishing Help

    Clap strives to give a polished CLI experience out of the box with little ceremony. With some feedback that has accumulated over time, we took this release as an opportunity to re-evaluate our --help output to make sure it is meeting that goal.

    In doing this evaluation, we wanted to keep in mind:

    • Whether other CLIs had ideas that make sense to apply
    • Providing an experience that fits within the rest of applications and works across all shells

    Before:

    git
    A fictional versioning CLI
    

    USAGE:

    ... (truncated)

    Commits
    • 4524127 chore: Release
    • d279f7f docs: Update changelog
    • 929c87c Merge pull request #4281 from epage/override
    • 3683e2c fix(parser): Allow one-off self-overrides
    • 2d78749 fix(parser): SetFalse should also not allow self-override
    • bf42ff0 chore: Release
    • 824f658 docs: Update changelog
    • 7b886d2 Merge pull request #4278 from intgr/zsh-completion-fix-multiple-args-handling
    • 89cae3a fix(complete): Fix handling of multiple arguments
    • f6602c5 chore: Release
    • Additional commits viewable in compare view

    opened by dependabot[bot] 1
  • Update pnet requirement from 0.29.0 to 0.30.0

    Update pnet requirement from 0.29.0 to 0.30.0

    Updates the requirements on pnet to permit the latest version.

    Release notes

    Sourced from pnet's releases.

    Release v0.30.0

    What's Changed

    New Contributors

    Full Changelog: https://github.com/libpnet/libpnet/compare/v0.29.0...v0.30.0

    Commits
    • 0d7f305 Release v0.30.0
    • 9e06711 Merge pull request #562 from Felix-El/no_std
    • a1ba846 std feature to enable #[no_std] use
    • 44f17c8 Merge pull request #549 from greenbaum/illumos
    • a8cb175 Merge pull request #555 from infosechoudini/benches
    • ce67226 Merge pull request #561 from pkubaj/patch-1
    • ce180d3 Fix build on architectures with unsigned char
    • 7b2ddc9 changed benches to criterion so to stay on stable toolchain
    • 9ab461b moved benches from inside pnet_packet/src/ethernet.rs to pnet_packet/benches/...
    • da0124d Merge pull request #552 from libpnet/dependabot/cargo/ipnetwork-0.19.0
    • Additional commits viewable in compare view

    opened by dependabot[bot] 1
  • Logging MAC broadcasts

    Logging MAC broadcasts

    Hello,

    I would like to log ARP activity concerning a machine running masscanned, using masscanned. By that I include ARP Requests who-has (assuming the machine sees it).

    However, in my current setup, masscanned seems to detect those when the destination MAC is the unicast MAC of the machine, but not when it's a broadcast (I haven't tested multicast as of writing this).

    About ARP handling, the README states that

    masscanned anwsers to ARP requests, for requests that target an IPv4 address that is handled by masscanned (i.e., an address that is in the IP address file given with option -f

    So it doesn't talk about the frame. (oh uh I guess typo at anwsers btw)

    About Ethernet handling, the README states that

    masscanned answers to Ethernet frames, if and only if the following requirements are met:

    • the destination address of the frame should be handled by masscanned, which means:

      • masscanned own MAC address,
      • the broadcast MAC address ff:ff:ff:ff:ff:ff,
      • a multicast MAC address corresponding to one of the IPv4 addresses handled by masscanned (RFC 1112),
      • a multicast MAC address corresponding to one of the IPv6 addresses handled by masscanned ;
    • EtherType field is one of ARP, IPv4 or IPv6.

    My environment is a Debian 11 machine. I'm using the arping binary from the APT iputils-arping package (NOT from the arping package, which gives a close but different utility).

    That binary's convention is to send its first packet as a MAC broadcast. It is stated in their manpage:

    -b
               Send only MAC level broadcasts. Normally arping starts from sending broadcast, and switch to unicast after reply received.
    

    And I can confirm it by running a tcpdump -qen -i INTERFACE arp along, with which I get:

    ATTACKER_MAC   > ff:ff:ff:ff:ff:ff, ARP, length 42: Request who-has MASSCANNED_IP (ff:ff:ff:ff:ff:ff) tell ATTACKER_IP, length 28
    MASSCANNED_MAC > ATTACKER_MAC,      ARP, length 42: Reply           MASSCANNED_IP is-at MASSCANNED_MAC,                 length 28
    

    So the machine running masscanned is answering to the ARP requests, itself. It does so as long as it's up.

    However masscanned doesn't seem to pick up on it (when it's a broadcast) though the asked IP is the IP it's assigned to respond for (and though it does when the MAC is unicast).

    It doesn't appear in eth either. There's just nothing.

    That means another machine can just run arping -f, arping -c 1 or arping -b against the machine IP and I won't know about it, which is rather frustrating.

    I'm unsure if this is

    1. some sort of race condition: the system handling and clearing the request too fast for masscanned to see?
    2. similarly, these things maybe staying in kernel space, never for a user space application like masscanned to see
    3. a bug/untreated case on masscanned's part / in its dependencies
    4. something peculiar about my setup I haven't considered, and didn't see doc about how it could be a problem

    For 1., I tried doing arptables -P INPUT DROP, i.e. setting the default policy to drop ARP requests (after accepting only some source IPs, and not the one I run arping from). But it didn't change anything for that issue. The machine's still answering and it's still not masscanned.

    My motivation for that was that I'm doing the equivalent with iptables (DROP all INPUT in a specific interface) to "leave IP traffic to masscanned", and in that case it's working like a charm (instead of veth shenanigans I don't understand and that'd make me lose the info of the original IP sender).

    For 2., I'm unsure of how I'd go about it. Ideally I'd send packets to user space in some way, and have masscanned pick them up normally in some way. ebtables (ebtables-nft) has a built-in ulog "thing" to pass the packets to a userspace daemon through "netlink multicast sockets", which I assume is generally ulogd. And I have little idea what this all means. I guess if all else fails I could do something with ebtables' log "thing" that syslogs it instead, and forget about masscanned for that ARP edge case.

    Also I could probably be using nft itself directly but it seems daunting 😨 and also doesn't seem to accommodate ARP more than ebtables-nft.

    For 3. , I haven't really looked into it, at first glance I don't really get how ARP is handled and thus it doesn't seem like a simple thing to look through.

    4 is pretty clear in and of itself

    I'm opening this issue to ask if you've encountered / thought about this, and maybe would have ideas how to go around it, similarly as to how there's a tutorial of one way to setup masscanned in a peculiar environment, making use of veths.

    Sorry for the wall of text and keep in mind I know little about networking or Rust, and nothing about kernel thingies.

    opened by Unactived 3
  • IP addresses selection enhancements

    IP addresses selection enhancements

    Hello,

    At the moment, using the tool, one can specify an exact list of IP addresses to impersonate in a file, or it defaults to all of them.

    It could be nice to:

    • be able to specify them from the command line, maybe in a comma-separated list
    • be able to use CIDR notation or another way to specify a range of IP addresses
    • be able to ignore specific addresses, when impersonating all of them / a range (e.g. with CIDR)

    These last two can probably be achieved by careful routing of what masscanned gets to listen to, e.g. as done in https://masscanned.readthedocs.io/en/latest/usage.html where it's used to ignore TCP on a port, but it still looks to me like an interesting feature to have directly in the tool.

    In its current state the related part of the codebase already seems to, at least initially, want to support "blacklisting" IPs, but not fully.

    E.g., the function to extract IP addresses from the given file, defined at https://github.com/ivre/masscanned/blob/851a418add74d13189bb0f46786d2b4f91f69cb2/src/utils/parsers.rs#L97-L135, takes a blacklist Option argument, likely to ignore IP addresses, but doesn't act on it. And when it's called at https://github.com/ivre/masscanned/blob/851a418add74d13189bb0f46786d2b4f91f69cb2/src/masscanned.rs#L179 the argument is hardcoded to None.

    Maybe this is written down in some todo/roadmap but since I don't have access to it I'm asking anyway.

    opened by Unactived 2
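    One way to implement the selection asked for above, as an added example that is not part of the issue or of masscanned's code base. The syntax is an assumption made for this illustration: comma-separated entries, each a single address or a CIDR prefix, with a leading "!" marking an exclusion; an empty include list means "all addresses", so that exclusions alone can carve holes out of the default. Cidr and IpSelector are hypothetical helper types, not the tool's own, and the addresses used are constructed documentation ranges.

```rust
use std::net::Ipv4Addr;

/// An IPv4 prefix in CIDR form; a bare address is a /32.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
struct Cidr {
    network: u32,
    prefix: u8,
}

impl Cidr {
    fn parse(s: &str) -> Result<Cidr, String> {
        let (addr, prefix) = match s.split_once('/') {
            Some((a, p)) => {
                let p: u8 = p.parse().map_err(|e| format!("{}: bad prefix length ({})", s, e))?;
                (a, p)
            }
            None => (s, 32),
        };
        if prefix > 32 {
            return Err(format!("{}: prefix length must be at most 32", s));
        }
        let ip: Ipv4Addr = addr.parse().map_err(|e| format!("{}: bad address ({})", s, e))?;
        Ok(Cidr { network: u32::from(ip) & Cidr::mask(prefix), prefix })
    }

    /// Netmask for a prefix length; a /0 must not shift a u32 by 32 (that overflows).
    fn mask(prefix: u8) -> u32 {
        if prefix == 0 { 0 } else { u32::MAX << (32 - prefix) }
    }

    fn contains(&self, ip: Ipv4Addr) -> bool {
        (u32::from(ip) & Cidr::mask(self.prefix)) == self.network
    }
}

/// Which addresses to answer for (hypothetical helper, assumed syntax):
/// comma-separated entries, each an address or a CIDR prefix, with a
/// leading `!` marking an exclusion. No include entries means "all".
#[derive(Debug, Default)]
struct IpSelector {
    include: Vec<Cidr>,
    exclude: Vec<Cidr>,
}

impl IpSelector {
    fn parse(spec: &str) -> Result<IpSelector, String> {
        let mut sel = IpSelector::default();
        for entry in spec.split(',').map(str::trim).filter(|e| !e.is_empty()) {
            match entry.strip_prefix('!') {
                Some(excluded) => sel.exclude.push(Cidr::parse(excluded.trim())?),
                None => sel.include.push(Cidr::parse(entry)?),
            }
        }
        Ok(sel)
    }

    /// Exclusions win over inclusions, so `!` can carve holes out of a range or out of "all".
    fn contains(&self, ip: Ipv4Addr) -> bool {
        if self.exclude.iter().any(|c| c.contains(ip)) {
            return false;
        }
        self.include.is_empty() || self.include.iter().any(|c| c.contains(ip))
    }
}

fn main() {
    // Constructed spec: a /24, one extra host, and one host carved out of the /24.
    let sel = IpSelector::parse("192.0.2.0/24, 198.51.100.7, !192.0.2.1").expect("valid spec");
    for s in ["192.0.2.5", "192.0.2.1", "198.51.100.7", "198.51.100.8"].iter() {
        let ip: Ipv4Addr = s.parse().unwrap();
        println!("{} -> {}", ip, if sel.contains(ip) { "answer" } else { "ignore" });
    }
}
```

    Exclusions are checked first so that "!" entries behave the same whether the include list is a range or empty; a malformed entry (prefix longer than 32, unparsable address) rejects the whole spec rather than silently impersonating the wrong addresses.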
  • Bug in Smack with wildcards

    Bug in Smack with wildcards

    When two patterns with wildcards are added to the smack, such that the wildcards of one pattern overlap the other one, the smack fails to match in some situations.

    The minimalistic example that has been added as a test case (failing for now) is the following:

        #[test]
        fn test_wildcard_collision() {
            let mut smack = Smack::new("test".to_string(), SMACK_CASE_INSENSITIVE);
            // Two anchored wildcard patterns whose wildcard prefixes overlap.
            smack.add_pattern(
                b"****abcd",
                0,
                SmackFlags::ANCHOR_BEGIN | SmackFlags::WILDCARDS,
            );
            smack.add_pattern(
                b"******abcd",
                1,
                SmackFlags::ANCHOR_BEGIN | SmackFlags::WILDCARDS,
            );
            smack.compile();
            // Each search starts from a fresh state and offset.
            let mut state = BASE_STATE;
            let mut offset = 0;
            let id = smack.search_next(&mut state, &b"xxxxabcd".to_vec(), &mut offset);
            assert!(id == 0);
            let mut state = BASE_STATE;
            let mut offset = 0;
            let id = smack.search_next(&mut state, &b"xxxxxxabcd".to_vec(), &mut offset);
            assert!(id == 1);
            let mut state = BASE_STATE;
            let mut offset = 0;
            // Fails before the fix: this search currently returns no match.
            let id = smack.search_next(&mut state, &b"xxxxaxabcd".to_vec(), &mut offset);
            assert!(id == 1);
        }


    In this example, the last search (xxxxaxabcd) fails, while it shouldn't:

    • after reading the first four characters, the smack cannot decide between the two patterns,
    • after reading the first a, it still could be either of the two patterns,
    • but when the fifth x is read, then it should be decided that it cannot be the second pattern,
    • eventually, after reading the whole string, it should be decided that the first pattern matches (while it currently does not).

    Note that this doesn't happen if the first a in the string to parse is replaced by a b, for instance.

    opened by Frky 1
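    The semantics that the test case's assertions encode, written out as a small reference matcher. This is an added example, not the project's Smack implementation, and it rests on assumptions: "*" matches exactly one byte, case-insensitive matching folds ASCII case, and the pattern that completes at the earliest input offset wins (ties go to the pattern added first). RefMatcher, candidates_after and issue_patterns are names chosen here. candidates_after gives the "cannot decide yet" view from the walkthrough above: which patterns are still possible after n bytes.

```rust
/// One pattern element: `*` (any single byte) or a literal byte.
#[derive(Clone, Copy, Debug, PartialEq, Eq)]
enum Atom {
    Any,
    Byte(u8),
}

#[derive(Debug)]
struct Pattern {
    id: usize,
    atoms: Vec<Atom>,
}

/// Reference matcher for patterns anchored at the start of the input.
/// Assumed semantics (not the project's Smack): `*` matches exactly one
/// byte, literals are compared ASCII-case-insensitively when requested,
/// and the pattern that completes at the earliest offset wins (ties go to
/// the pattern added first).
#[derive(Debug)]
struct RefMatcher {
    patterns: Vec<Pattern>,
    case_insensitive: bool,
}

impl RefMatcher {
    fn new(case_insensitive: bool) -> Self {
        RefMatcher { patterns: Vec::new(), case_insensitive }
    }

    fn fold(&self, b: u8) -> u8 {
        if self.case_insensitive { b.to_ascii_lowercase() } else { b }
    }

    fn add_pattern(&mut self, pat: &[u8], id: usize) {
        let atoms: Vec<Atom> = pat
            .iter()
            .map(|&b| if b == b'*' { Atom::Any } else { Atom::Byte(self.fold(b)) })
            .collect();
        self.patterns.push(Pattern { id, atoms });
    }

    /// Drive every still-alive pattern over `input`, one byte at a time.
    /// A pattern dies on the first literal mismatch (or when the input
    /// outruns it); the first pattern to consume its last atom wins.
    fn run(&self, input: &[u8], alive: &mut [bool]) -> Option<(usize, usize)> {
        for (pos, &raw) in input.iter().enumerate() {
            let b = self.fold(raw);
            for (i, p) in self.patterns.iter().enumerate() {
                if !alive[i] {
                    continue;
                }
                let ok = match p.atoms.get(pos) {
                    Some(Atom::Any) => true,
                    Some(Atom::Byte(c)) => *c == b,
                    None => false,
                };
                if !ok {
                    alive[i] = false;
                } else if pos + 1 == p.atoms.len() {
                    return Some((p.id, pos + 1));
                }
            }
        }
        None
    }

    /// (pattern id, end offset) of the first match, if any.
    fn search(&self, input: &[u8]) -> Option<(usize, usize)> {
        let mut alive = vec![true; self.patterns.len()];
        self.run(input, &mut alive)
    }

    /// Pattern ids still possible after reading the first `n` bytes.
    fn candidates_after(&self, input: &[u8], n: usize) -> Vec<usize> {
        let mut alive = vec![true; self.patterns.len()];
        let n = n.min(input.len());
        let _ = self.run(&input[..n], &mut alive);
        self.patterns
            .iter()
            .zip(alive.iter())
            .filter(|(_, a)| **a)
            .map(|(p, _)| p.id)
            .collect()
    }
}

/// The two patterns from the issue's test case, case-insensitive.
fn issue_patterns() -> RefMatcher {
    let mut m = RefMatcher::new(true);
    m.add_pattern(b"****abcd", 0);
    m.add_pattern(b"******abcd", 1);
    m
}

fn main() {
    let m = issue_patterns();
    let inputs: [&[u8]; 4] = [b"xxxxabcd", b"xxxxxxabcd", b"xxxxaxabcd", b"XXXXABCD"];
    for input in inputs.iter() {
        println!("{:?} -> {:?}", String::from_utf8_lossy(input), m.search(input));
    }
    for n in 4..=6 {
        println!("xxxxaxabcd after {} bytes: {:?}", n, m.candidates_after(b"xxxxaxabcd", n));
    }
}
```

    Under these assumptions the third input of the test case is matched by the six-wildcard pattern (id 1), which is what the test asserts: the four-wildcard pattern is eliminated at the sixth byte, where it needs a literal b and sees an x.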
  • Bug in TCP protocol parsers

    Bug in TCP protocol parsers

    State of the FSM is not currently stored in the TCB structure, which means it is lost between packets.

    Hence, for instance, parsing an HTTP request received in two different TCP packets (same TCP connection) fails.

    opened by Frky 0
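    What keeping the parser state in the TCB looks like, as an added example rather than masscanned's own code: a minimal request-line FSM is stored per connection in a hypothetical TcbTable keyed by peer address and ports, and is fed the constructed request "GET /index.html HTTP/1.1" split across two segments; parse_once shows what a parser that restarts on every segment sees when given the second segment alone.

```rust
use std::collections::HashMap;
use std::net::Ipv4Addr;

/// Request-line parser states. The state lives in the TCB (below), so it
/// carries over from one TCP segment to the next.
#[derive(Debug, Clone, Copy, PartialEq, Eq)]
enum HttpState { Method, Path, Version, Done, Invalid }

impl Default for HttpState {
    fn default() -> Self { HttpState::Method }
}

/// Incremental parser for `METHOD SP PATH SP HTTP/x.y CRLF`.
#[derive(Debug, Default)]
struct HttpParser {
    state: HttpState,
    method: Vec<u8>,
    path: Vec<u8>,
    version: Vec<u8>,
}

impl HttpParser {
    /// Consume one payload chunk; returns the state reached so far.
    fn feed(&mut self, data: &[u8]) -> HttpState {
        for &b in data {
            let state = self.state;
            self.state = match state {
                HttpState::Method => match b {
                    b' ' if !self.method.is_empty() => HttpState::Path,
                    b'A'..=b'Z' => { self.method.push(b); HttpState::Method }
                    _ => HttpState::Invalid,
                },
                HttpState::Path => match b {
                    b' ' if !self.path.is_empty() => HttpState::Version,
                    b' ' | b'\r' | b'\n' => HttpState::Invalid,
                    _ => { self.path.push(b); HttpState::Path }
                },
                HttpState::Version => match b {
                    b'\r' => HttpState::Version,
                    b'\n' if self.version.starts_with(b"HTTP/") => HttpState::Done,
                    b'\n' => HttpState::Invalid,
                    _ => { self.version.push(b); HttpState::Version }
                },
                // Terminal states: any further bytes are ignored.
                HttpState::Done | HttpState::Invalid => break,
            };
        }
        self.state
    }

    /// What a parser without stored state sees: each segment parsed from scratch.
    fn parse_once(data: &[u8]) -> HttpState {
        HttpParser::default().feed(data)
    }
}

/// Connection identity as seen by the responder: peer address and both ports.
#[derive(Debug, Clone, Copy, PartialEq, Eq, Hash)]
struct FlowKey { src: Ipv4Addr, sport: u16, dport: u16 }

/// Hypothetical TCB: what the responder keeps per connection, parser state included.
#[derive(Debug, Default)]
struct Tcb {
    bytes_seen: usize,
    parser: HttpParser,
}

#[derive(Debug, Default)]
struct TcbTable {
    conns: HashMap<FlowKey, Tcb>,
}

impl TcbTable {
    /// Route a segment's payload to its connection's parser, creating the TCB on first sight.
    fn on_segment(&mut self, key: FlowKey, payload: &[u8]) -> HttpState {
        let tcb = self.conns.entry(key).or_default();
        tcb.bytes_seen += payload.len();
        tcb.parser.feed(payload)
    }

    fn get(&self, key: &FlowKey) -> Option<&Tcb> {
        self.conns.get(key)
    }
}

fn main() {
    let mut table = TcbTable::default();
    let key = FlowKey { src: Ipv4Addr::new(192, 168, 0, 1), sport: 40000, dport: 80 };
    // Constructed input: one request line delivered in two segments.
    let seg1: &[u8] = b"GET /index";
    let seg2: &[u8] = b".html HTTP/1.1\r\n";
    println!("after segment 1: {:?}", table.on_segment(key, seg1));
    println!("after segment 2: {:?}", table.on_segment(key, seg2));
    println!("segment 2 alone, no stored state: {:?}", HttpParser::parse_once(seg2));
}
```

    The table is keyed on the peer's address and port pair, so two connections to the same port do not share parser state; in a real responder the TCB would also be dropped on RST/FIN or after a timeout, since an unbounded table is an easy way for a scanner to exhaust memory.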
  • Logs enhancements

    Logs enhancements

    Hi everyone,

    That project seems interesting. However, can logs be enhanced to get a proper format to ingest it into whatever {ELK, Splunk, whatever} platform?

    At least, mandatory things would be:

    • scanning time (timestamp)
    • source ip address
    • interface which got the packets
    • probe

    Just a quick search and I found this which might be interesting: https://rust-lang-nursery.github.io/rust-cookbook/development_tools/debugging/config_log.html

    Thanks for that project, looking forward to it.

    opened by PaulSec 7
Releases(v0.2.0)
Owner
IVRE
Network recon framework, published by @cea-sec & @ANSSI-FR