Module: Masscan::Parsers::Binary

Defined in:

lib/masscan/parsers/binary.rb

Overview

Note:

Ported from https://github.com/robertdavidgraham/masscan/blob/1.3.2/src/in-binary.c

Parses the masscan -oB output format.

Defined Under Namespace

Classes: CorruptedFile

Constant Summary

BUF_MAX =

Maximum buffer length for a single record.

1024 * 1024

PSEUDO_RECORD_SIZE =

The "pseudo record" length

99

MASSCAN_VERSION_FAMILY =

Masscan binary format version compatibility.

"1.1"

MASSCAN_MAGIC =

The masscan binary format magic string.

"masscan/#{MASSCAN_VERSION_FAMILY}"

IP_PROTOCOLS =

Mapping of IP protocol numbers to keywords.

{
  Socket::IPPROTO_ICMP   => :icmp,
  Socket::IPPROTO_ICMPV6 => :icmp,

  Socket::IPPROTO_TCP => :tcp,
  Socket::IPPROTO_UDP => :udp,

  132 => :sctp # Socket::IPPROTO_SCTP might not always be defined
}

APP_PROTOCOLS =

List of application protocol keywords.

[
  nil,
  :heur,
  :ssh1,
  :ssh2,
  :http,
  :ftp,
  :dns_versionbind,
  :snmp,             # simple network management protocol, udp/161
  :nbtstat,          # netbios, udp/137
  :ssl3,
  :smb,              # SMB tcp/139 and tcp/445
  :smtp,
  :pop3,
  :imap4,
  :udp_zeroaccess,
  :x509_cert,
  :html_title,
  :html_full,
  :ntp,              # network time protocol, udp/123
  :vuln,
  :heartbleed,
  :ticketbleed,
  :vnc_rfb,
  :safe,
  :memcached,
  :scripting,
  :versioning,
  :coap,         # constrained app proto, udp/5683, RFC7252
  :telnet,
  :rdp,          # Microsoft Remote Desktop Protocol tcp/3389
  :http_server,  # HTTP "Server:" field
]

Class Method Summary

• .decode_ipv4(ip) ⇒ IPAddr

  Decodes an IPv4 address from an integer.

• .decode_ipv6(ipv6_hi, ipv6_lo) ⇒ IPAddr

  Decodes an IPv6 address from two 64bit integers.

• .decode_reason(reason) ⇒ Array<:fin, :syn, :rst, :psh, :ack, :urg, :ece, :cwr>

  Decodes a reason bitflag.

• .decode_timestamp(timestamp) ⇒ Time

  Decodes a timestamp from an integer.

• .lookup_app_protocol(proto) ⇒ Symbol^?

  Looks up an application protocol number.

• .lookup_ip_protocol(proto) ⇒ :icmp, ...

  Looks up an IP protocol number.

• .open(path) {|file| ... } ⇒ File

  Opens a binary file for parsing.

• .parse(io) {|record| ... } ⇒ Enumerator

  Parses masscan binary data.

• .parse_banner3(buffer) ⇒ Buffer

  Parses a banner record.

• .parse_banner4(buffer) ⇒ Buffer

  Parses a banner record.

• .parse_banner6(buffer) ⇒ Buffer

  Parses a banner record.

• .parse_banner9(buffer) ⇒ Buffer

  Parses a banner record.

• .parse_status(buffer, status) ⇒ Status

  Parses a status record.

• .parse_status2(buffer, status) ⇒ Status

  Parses a status record.

• .parse_status6(buffer, status) ⇒ Status

  Parses a status record.

• .read_multibyte_uint(io) ⇒ Integer^?

  Reads a multi-byte unsigned integer.

• .read_pseudo_record(io) ⇒ String

  Reads the "pseudo record" at the beginning of the file.

Class Method Details

.decode_ipv4(ip) ⇒ IPAddr

Decodes an IPv4 address from an integer.

Parameters:

• ip (Integer) —

  The IP in raw integer form.

Returns:

• (IPAddr) —

  The decoded IPv4 address.

# File 'lib/masscan/parsers/binary.rb', line 218

def self.decode_ipv4(ip)
  IPAddr.new(ip,Socket::AF_INET)
end

.decode_ipv6(ipv6_hi, ipv6_lo) ⇒ IPAddr

Decodes an IPv6 address from two 64bit integers.

Parameters:

• ipv6_hi (Integer) —

  The top-half of the 128bit IPv6 address.

• ipv6_lo (Integer) —

  The top-half of the 128bit IPv6 address.

Returns:

• (IPAddr) —

  The decoded IPv6 address.

# File 'lib/masscan/parsers/binary.rb', line 234

def self.decode_ipv6(ipv6_hi,ipv6_lo)
  IPAddr.new((ipv6_hi << 64) | ipv6_lo,Socket::AF_INET6)
end

.decode_reason(reason) ⇒ Array<:fin, :syn, :rst, :psh, :ack, :urg, :ece, :cwr>

Decodes a reason bitflag.

Parameters:

• reason (Integer) —

  The reason bitflag.

Returns:

• (Array<:fin, :syn, :rst, :psh, :ack, :urg, :ece, :cwr>) —

  The reason flags.

# File 'lib/masscan/parsers/binary.rb', line 273

def self.decode_reason(reason)
  flags = []
  flags << :fin if (reason & 0x01) != 0
  flags << :syn if (reason & 0x02) != 0
  flags << :rst if (reason & 0x04) != 0
  flags << :psh if (reason & 0x08) != 0
  flags << :ack if (reason & 0x10) != 0
  flags << :urg if (reason & 0x20) != 0
  flags << :ece if (reason & 0x40) != 0
  flags << :cwr if (reason & 0x80) != 0
  flags
end

.decode_timestamp(timestamp) ⇒ Time

Decodes a timestamp from an integer.

Parameters:

• timestamp (Integer) —

  The raw UNIX timestamp integer.

Returns:

• (Time) —

  The decoded time value.

# File 'lib/masscan/parsers/binary.rb', line 205

def self.decode_timestamp(timestamp)
  Time.at(timestamp)
end

.lookup_app_protocol(proto) ⇒ Symbol^?

Looks up an application protocol number.

Parameters:

• proto (Integer) —

  The application protocol number.

Returns:

• (Symbol, nil) —

  The application protocol keyword.

See Also:

• APP_PROTOCOLS

# File 'lib/masscan/parsers/binary.rb', line 332

def self.lookup_app_protocol(proto)
  APP_PROTOCOLS[proto]
end

.lookup_ip_protocol(proto) ⇒ :icmp, ...

Looks up an IP protocol number.

Parameters:

• proto (Integer) —

  The IP protocol number.

Returns:

• (:icmp, :tcp, :udp, :sctp, nil) —

  The IP protocol keyword.

See Also:

• IP_PROTOCOLS

# File 'lib/masscan/parsers/binary.rb', line 260

def self.lookup_ip_protocol(proto)
  IP_PROTOCOLS[proto]
end

.open(path) {|file| ... } ⇒ File

Opens a binary file for parsing.

Parameters:

• path (String) —

  The path to the file.

Yields:

• (file) —

  If a block is given, it will be passed the opened file. Once the block returns, the file will be closed.

Yield Parameters:

• The (File) —

  opened file.

Returns:

• (File) —

  If no block was given, the opened file will be returned.

# File 'lib/masscan/parsers/binary.rb', line 34

def self.open(path,&block)
  File.open(path,'rb',&block)
end

.parse(io) {|record| ... } ⇒ Enumerator

Parses masscan binary data.

Parameters:

• io (IO) —

  The IO object to read from.

Yields:

• (record) —

  If a block is given, it will be passed each parsed record.

Yield Parameters:

• record (Status, Banner) —

  A parsed record, either a Status or a Banner object.

Returns:

• (Enumerator) —

  If no block is given, it will return an Enumerator.

# File 'lib/masscan/parsers/binary.rb', line 59

def self.parse(io)
  return enum_for(__method__,io) unless block_given?

  pseudo = read_pseudo_record(io)

  # look for the start time
  if (match = pseudo.match(/s:(\d+)/))
    start_time = decode_timestamp(match[1].to_i)
  end

  total_records = 0

  # read all records
  loop do
    # read the TYPE field
    unless (type = read_multibyte_uint(io))
      return
    end

    # read the LENGTH field
    unless (length = read_multibyte_uint(io))
      return
    end

    if length > BUF_MAX
      raise(CorruptedFile,"file corrupted")
    end

    # read the remainder of the record
    buffer = io.read(length)

    if buffer.length < length
      return
    end

    # parse the specific record type
    record = case type
             when 1 # STATUS: open
               parse_status(buffer,:open)
             when 2 # STATUS: closed
               parse_status(buffer,:closed)
             when 3 # BANNER
               parse_banner3(buffer)
             when 4
               io.getbyte
               parse_banner4(buffer)
             when 5
               parse_banner4(buffer)
             when 6 # STATUS: open
               parse_status2(buffer,:open)
             when 7 # STATUS: closed
               parse_status2(buffer,:closed)
             when 9
               parse_banner9(buffer)
             when 10 # Open6
               parse_status6(buffer,:open)
             when 11 # Closed6
               parse_status6(buffer,:closed)
             when 13 # Banner6
               parse_banner6(buffer)
             when 109 # 'm'.ord # FILEHEADER
               next
             else
               raise(CorruptedFile,"unknown type: #{type.inspect}")
             end

    if record
      start_time ||= record.timestamp

      yield record

      total_records += 1
    end
  end

  return total_records
end

.parse_banner3(buffer) ⇒ Buffer

Parses a banner record.

Parameters:

• buffer (String) —

  The buffer to parse.

Returns:

• (Buffer) —

  The parsed buffer record.

# File 'lib/masscan/parsers/binary.rb', line 391

def self.parse_banner3(buffer)
  timestamp, ip, port, app_proto, payload = buffer.unpack('L>L>S>S>A*')

  timestamp = decode_timestamp(timestamp)
  ip        = decode_ipv4(ip)
  app_proto = lookup_app_protocol(app_proto)

  # defaults
  ip_proto = :tcp
  ttl = 0

  return Banner.new(
    protocol:     ip_proto,
    port:         port,
    ttl:          ttl,
    ip:           ip,
    timestamp:    timestamp,
    app_protocol: app_proto,
    payload:      payload
  )
end

.parse_banner4(buffer) ⇒ Buffer

Parses a banner record.

Parameters:

• buffer (String) —

  The buffer to parse.

Returns:

• (Buffer) —

  The parsed buffer record.

# File 'lib/masscan/parsers/binary.rb', line 422

def self.parse_banner4(buffer)
  if buffer.length < 13
    return
  end

  timestamp, ip, ip_proto, port, app_proto, payload = buffer.unpack('L>L>CS>S>A*')

  timestamp = decode_timestamp(timestamp)
  ip        = decode_ipv4(ip)
  ip_proto  = lookup_ip_protocol(ip_proto)
  app_proto = lookup_app_protocol(app_proto)

  # defaults
  ttl = 0

  return Banner.new(
    protocol:     ip_proto,
    port:         port,
    ttl:          ttl,
    ip:           ip,
    timestamp:    timestamp,
    app_protocol: app_proto,
    payload:      payload
  )
end

.parse_banner6(buffer) ⇒ Buffer

Parses a banner record.

Parameters:

• buffer (String) —

  The buffer to parse.

Returns:

• (Buffer) —

  The parsed buffer record.

# File 'lib/masscan/parsers/binary.rb', line 570

def self.parse_banner6(buffer)
  timestamp, ip_proto, port, app_proto, ttl, ip_version, ipv6_hi, ipv6_lo, payload = buffer.unpack('L>CS>S>CCQ>Q>A*')
  timestamp  ||= 0xffffffff
  protocol   ||= 0xff
  port       ||= 0xffff
  app_proto  ||= 0xffff
  ttl        ||= 0xff
  ip_version ||= 0xff
  ipv6_hi    ||= 0xffffffff_ffffffff
  ipv6_lo    ||= 0xffffffff_ffffffff

  timestamp = decode_timestamp(timestamp)
  ip_proto  = lookup_ip_protocol(ip_proto)
  app_proto = lookup_app_protocol(app_proto)
  ipv6      = decode_ipv6(ipv6_hi,ipv6_lo)

  return Banner.new(
    protocol:     ip_proto,
    port:         port,
    ttl:          ttl,
    ip:           ipv6,
    timestamp:    timestamp,
    app_protocol: app_proto,
    payload:      payload
  )
end

.parse_banner9(buffer) ⇒ Buffer

Parses a banner record.

Parameters:

• buffer (String) —

  The buffer to parse.

Returns:

• (Buffer) —

  The parsed buffer record.

# File 'lib/masscan/parsers/binary.rb', line 496

def self.parse_banner9(buffer)
  if buffer.length < 14
    return
  end

  timestamp, ip, ip_proto, port, app_proto, ttl, payload = buffer.unpack('L>L>CS>S>CA*')
  timestamp = decode_timestamp(timestamp)
  ip        = decode_ipv4(ip)
  ip_proto  = lookup_ip_protocol(ip_proto)
  app_proto = lookup_app_protocol(app_proto)

  return Banner.new(
    protocol:     ip_proto,
    port:         port,
    ttl:          ttl,
    ip:           ip,
    timestamp:    timestamp,
    app_protocol: app_proto,
    payload:      payload
  )
end

.parse_status(buffer, status) ⇒ Status

Parses a status record.

Parameters:

• buffer (String) —

  The buffer to parse.

• status (:open, :closed) —

  Indicates whether the port status is open or closed.

Returns:

• (Status) —

  The parsed status record.

# File 'lib/masscan/parsers/binary.rb', line 348

def self.parse_status(buffer,status)
  if buffer.length < 12
    return
  end

  timestamp, ip, port, reason, ttl = buffer.unpack("L>L>S>CC")

  timestamp = decode_timestamp(timestamp)
  ip        = decode_ipv4(ip)
  reason    = decode_reason(reason)

  # if ARP, there will be a MAC address after the record
  mac = if ip == 0 && buffer.length >= 12+6
          buffer[12+6,6]
        end

  protocol = case port
             when 53, 123, 137, 161 then  :udp
             when 36422, 36412, 2905 then :sctp
             else                         :tcp
             end

  return Status.new(
    status:    status,
    protocol:  protocol,
    port:      port,
    reason:    reason,
    ttl:       ttl,
    ip:        ip,
    timestamp: timestamp,
    mac:       mac
  )
end

.parse_status2(buffer, status) ⇒ Status

Parses a status record.

Parameters:

• buffer (String) —

  The buffer to parse.

• status (:open, :closed) —

  Indicates whether the port status is open or closed.

Returns:

• (Status) —

  The parsed status record.

# File 'lib/masscan/parsers/binary.rb', line 460

def self.parse_status2(buffer,status)
  if buffer.length < 13
    return
  end

  timestamp, ip, ip_proto, port, reason, ttl = buffer.unpack('L>L>CS>CC')
  timestamp = decode_timestamp(timestamp)
  ip        = decode_ipv4(ip)
  ip_proto  = lookup_ip_protocol(ip_proto)
  reason    = decode_reason(reason)

  mac = if ip == 0 && buffer.length >= 13+6
          buffer[13,6]
        end

  return Status.new(
    status:    status,
    protocol:  ip_proto,
    port:      port,
    reason:    reason,
    ttl:       ttl,
    ip:        ip,
    timestamp: timestamp,
    mac:       mac
  )
end

.parse_status6(buffer, status) ⇒ Status

Parses a status record.

Parameters:

• buffer (String) —

  The buffer to parse.

• status (:open, :closed) —

  Indicates whether the port status is open or closed.

Returns:

• (Status) —

  The parsed status record.

# File 'lib/masscan/parsers/binary.rb', line 530

def self.parse_status6(buffer,status)
  timestamp, ip_proto, port, reason, ttl, ip_version, ipv6_hi, ipv6_lo = buffer.unpack('L>CS>CCCQ>Q>')
  timestamp  ||= 0xffffffff
  ip_proto   ||= 0xff
  port       ||= 0xffff
  reason     ||= 0xff
  ttl        ||= 0xff
  ip_version ||= 0xff
  ipv6_hi    ||= 0xffffffff_ffffffff
  ipv6_lo    ||= 0xffffffff_ffffffff

  unless ip_version == 6
    raise(CorruptedFile,"expected ip_version to be 6: #{ip_version.inspect}")
  end

  timestamp = decode_timestamp(timestamp)
  ip_proto  = lookup_ip_protocol(ip_proto)
  reason    = decode_reason(reason)
  ipv6      = decode_ipv6(ipv6_hi,ipv6_lo)

  return Status.new(
    status:    status,
    protocol:  ip_proto,
    port:      port,
    reason:    reason,
    ttl:       ttl,
    ip:        ipv6,
    timestamp: timestamp
  )
end

.read_multibyte_uint(io) ⇒ Integer^?

Reads a multi-byte unsigned integer.

Parameters:

• io (IO) —

  The IO object to read from.

Returns:

• (Integer, nil) —

  The unsigned integer, or nil if End-of-Stream was reached.

# File 'lib/masscan/parsers/binary.rb', line 178

def self.read_multibyte_uint(io)
  unless (b = io.getbyte)
    return
  end

  type = b & 0x7f

  while (b & 0x80) != 0
    unless (b = io.getbyte)
      return
    end

    type = (type << 7) | (b & 0x7f)
  end

  return type
end

.read_pseudo_record(io) ⇒ String

Reads the "pseudo record" at the beginning of the file.

Parameters:

• io (IO) —

  The IO object to read from.

Returns:

• (String) —

  The read buffer.

# File 'lib/masscan/parsers/binary.rb', line 155

def self.read_pseudo_record(io)
  buffer = io.read(PSEUDO_RECORD_SIZE)

  if buffer.length < PSEUDO_RECORD_SIZE
    raise(CorruptedFile,"invalid masscan binary format")
  end

  unless buffer.start_with?(MASSCAN_MAGIC)
    raise(CorruptedFile,"unknown file format (expected #{MASSCAN_MAGIC})")
  end

  return buffer
end