Wrong scanned IPs when running the library

jotamartos commented 7 years ago

Hi,

First of all, thank you for your work. I started using this module some time ago and I've just found a bug when using it.

My code

var nmap = require('libnmap')
var opts = {
    verbose: true,
    range: ['192.168.56.0/29']
}

nmap.scan(opts, function(err,report){
        console.log(JSON.stringify(report));
});

Expected

I wanted to scan that range and obtain the results

Result

This is the debug output

$ node example.js
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.1-0.5
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.2-1.5
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.3-2.5
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.4-3.5
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.5-4.5
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.6-5.5
...

As you can see, those IPs are not valid ones. I didn't copy here the result (let me know if you need it).

When

That happens when setting ranges with /29, /30, /31 and /32

System information

Node version: v6.11.0

libnmap version

├─┬ libnmap@0.3.9
│ ├─┬ caller-id@0.1.0
│ │ └── stack-trace@0.0.10
│ ├── deepmerge@1.3.2
│ ├─┬ hasbin@1.2.3
│ │ └── async@1.5.2
│ ├─┬ ip-address@5.8.8
│ │ ├── jsbn@0.1.0
│ │ ├── lodash.find@4.6.0
│ │ ├── lodash.max@4.0.1
│ │ ├── lodash.merge@4.6.0
│ │ ├── lodash.padstart@4.6.1
│ │ ├── lodash.repeat@4.1.0
│ │ ├── sprintf-js@1.0.3
│ │ └── util-deprecate@1.0.2
│ └── netmask@1.0.6

OS: macOS Sierra 10.12.6

Thank you, Jota

jas- commented 7 years ago

@jotamartos this should be resolved in v0.4.1, could you confirm?

jotamartos commented 7 years ago

Hi @jas-,

I've just tested the latest version v0.4.2 and the application is totally useless. When you try to scan one range, it uses the CIDR + 1, I mean, you scan a /30 when setting a /29, you can't either use IP/32 because it scans nothing. Could you please take a look at it?

Can I also suggest you something? I looked for some NPM packages to split ranges some days ago and I found the one that you started using in these versions of the library, "cidr-js". It worked fine for me but it returned a /25, and some /26, /27,... when it should return a /24, not a big issue but I also found "ip-subnet-calculator" and it returned better results, just in case you want to test it.

Thank you.

jas- commented 7 years ago

Good monring @jotamartos,

You are right, I pushed v0.4.2 in haste. Please use v0.4.3. I have addressed the calculations for smaller subnets (when coupled with the default blocksize option is when the issue would occur).

I have also added a remedial test harness to iterate and scan all of the Class A, B & C (non-routeable) address spaces.

Hope it helps, let me know if you come across anything else. I am still looking at the CIDR + 1, and am not certain I am seeing the same thing. Could you use the debug option and provide the results & test case? Thanks.

jotamartos commented 7 years ago

Hi @jas-,

I've just tested the latest version (0.4.3) and it worked as expected but I noticed that it's passing an entire list of IPs when scanning "big" ranges, for example, it launches several of these lines when scanning a /24

Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.0 192.168.56.1 192.168.56.2 192.168.56.3 192.168.56.4 192.168.56.5 192.168.56.6 192.168.56.7 192.168.56.8 192.168.56.9 192.168.56.10 192.168.56.11 192.168.56.12 192.168.56.13 192.168.56.14 192.168.56.15
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.16 192.168.56.17 192.168.56.18 192.168.56.19 192.168.56.20 192.168.56.21 192.168.56.22 192.168.56.23 192.168.56.24 192.168.56.25 192.168.56.26 192.168.56.27 192.168.56.28 192.168.56.29 192.168.56.30 192.168.56.31
...

The version 0.3.9 showed something like this:

Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.1-16
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.17-32
...

(PS: I've just noticed that the .0 IP was not scanned, this problem is also fixed in the 0.4.3)

As I mentioned before, the "ip-subnet-calculator" NPM module helps you create /XX ranges when having an entire list of IPs, do you think this would be useful when running scans in parallel? I don't have time to do a pull requests during these days but I'll try to do it during by the end of next week.

Regarding the CIDR + 1 issue:

If you set IP/32 range, it scanned nothing
If you set IP/31 range, it only scanned the IP ...
If you set IP/24, it scanned from .0 to .127

So the result was like scanning the CIDR you set + 1, this issue is also fixed in the latest version.

Thank you so much for your work, it's helping me a lot. I think we can mark this issue as solved 👍

jas- commented 7 years ago

Good to hear.

I thought about your idea as I was implanting the fix but decided against it becuase that division only happens when a CIDR range is specified as one of the array of hosts elements.

jotamartos commented 7 years ago

Hi again @jas- ,

I'm sorry but I have bad news and it's related with the CIDR + 1 issue but I'll explain it a bit more:

Code

var nmap = require('libnmap')
var opts = {
    verbose: true,
    range: ['192.168.56.0/25']
}

nmap.scan(opts, function(err,report){
        console.log('Finished');
});

Cases

1 case: Scan 192.168.56.0/23

This works properly. I can see the NMAP jobs from 56.0 to 57.255. I assume it also works with bigger ranges.

2 case: Scan 192.168.56.0/24

This works properly. I can see the NMAP jobs from 56.0 to 56.255

3 case: Scan 192.168.56.0/25 -- The issue starts here.

The library is supposed to scan from 56.0 to 56.127 but the debug output is the following one:

Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.0 192.168.56.1 192.168.56.2 192.168.56.3 192.168.56.4 192.168.56.5 192.168.56.6 192.168.56.7
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.8 192.168.56.9 192.168.56.10 192.168.56.11 192.168.56.12 192.168.56.13 192.168.56.14 192.168.56.15
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.16 192.168.56.17 192.168.56.18 192.168.56.19 192.168.56.20 192.168.56.21 192.168.56.22 192.168.56.23
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.24 192.168.56.25 192.168.56.26 192.168.56.27 192.168.56.28 192.168.56.29 192.168.56.30 192.168.56.31
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.32 192.168.56.33 192.168.56.34 192.168.56.35 192.168.56.36 192.168.56.37 192.168.56.38 192.168.56.39
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.40 192.168.56.41 192.168.56.42 192.168.56.43 192.168.56.44 192.168.56.45 192.168.56.46 192.168.56.47
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.48 192.168.56.49 192.168.56.50 192.168.56.51 192.168.56.52 192.168.56.53 192.168.56.54 192.168.56.55
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.56 192.168.56.57 192.168.56.58 192.168.56.59 192.168.56.60 192.168.56.61 192.168.56.62 192.168.56.63
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.64 192.168.56.65 192.168.56.66 192.168.56.67 192.168.56.68 192.168.56.69 192.168.56.70 192.168.56.71
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.72 192.168.56.73 192.168.56.74 192.168.56.75 192.168.56.76 192.168.56.77 192.168.56.78 192.168.56.79
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.80 192.168.56.81 192.168.56.82 192.168.56.83 192.168.56.84 192.168.56.85 192.168.56.86 192.168.56.87
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.88 192.168.56.89 192.168.56.90 192.168.56.91 192.168.56.92 192.168.56.93 192.168.56.94 192.168.56.95
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.96 192.168.56.97 192.168.56.98 192.168.56.99 192.168.56.100 192.168.56.101 192.168.56.102 192.168.56.103
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.104 192.168.56.105 192.168.56.106 192.168.56.107 192.168.56.108 192.168.56.109 192.168.56.110 192.168.56.111
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.112 192.168.56.113 192.168.56.114 192.168.56.115 192.168.56.116 192.168.56.117 192.168.56.118 192.168.56.119

The last IP is 119 so there are some IPs that are not properly scanned

The same thing happens with /26 and /27.

Let me know if you need more information to debug this issue.

Thank you Jota

jas- commented 7 years ago

@jotamartos Can you try version v0.4.4, it is not yet available through NPM so you will have to change your package.json to reflect the github branch that reflects the fix.

jotamartos commented 7 years ago

Awesome! I've just tested it and it worked properly, this is the debug information when scanning a /25 range.

Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.0 192.168.56.1 192.168.56.2 192.168.56.3 192.168.56.4 192.168.56.5 192.168.56.6 192.168.56.7
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.8 192.168.56.9 192.168.56.10 192.168.56.11 192.168.56.12 192.168.56.13 192.168.56.14 192.168.56.15
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.16 192.168.56.17 192.168.56.18 192.168.56.19 192.168.56.20 192.168.56.21 192.168.56.22 192.168.56.23
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.24 192.168.56.25 192.168.56.26 192.168.56.27 192.168.56.28 192.168.56.29 192.168.56.30 192.168.56.31
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.32 192.168.56.33 192.168.56.34 192.168.56.35 192.168.56.36 192.168.56.37 192.168.56.38 192.168.56.39
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.40 192.168.56.41 192.168.56.42 192.168.56.43 192.168.56.44 192.168.56.45 192.168.56.46 192.168.56.47
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.48 192.168.56.49 192.168.56.50 192.168.56.51 192.168.56.52 192.168.56.53 192.168.56.54 192.168.56.55
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.56 192.168.56.57 192.168.56.58 192.168.56.59 192.168.56.60 192.168.56.61 192.168.56.62 192.168.56.63
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.64 192.168.56.65 192.168.56.66 192.168.56.67 192.168.56.68 192.168.56.69 192.168.56.70 192.168.56.71
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.72 192.168.56.73 192.168.56.74 192.168.56.75 192.168.56.76 192.168.56.77 192.168.56.78 192.168.56.79
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.80 192.168.56.81 192.168.56.82 192.168.56.83 192.168.56.84 192.168.56.85 192.168.56.86 192.168.56.87
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.88 192.168.56.89 192.168.56.90 192.168.56.91 192.168.56.92 192.168.56.93 192.168.56.94 192.168.56.95
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.96 192.168.56.97 192.168.56.98 192.168.56.99 192.168.56.100 192.168.56.101 192.168.56.102 192.168.56.103
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.104 192.168.56.105 192.168.56.106 192.168.56.107 192.168.56.108 192.168.56.109 192.168.56.110 192.168.56.111
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.112 192.168.56.113 192.168.56.114 192.168.56.115 192.168.56.116 192.168.56.117 192.168.56.118 192.168.56.119
Running: nmap  --host-timeout=120s -T4 -oX - -p1-1024 192.168.56.120 192.168.56.121 192.168.56.122 192.168.56.123 192.168.56.124 192.168.56.125 192.168.56.126 192.168.56.127

I think we can close this again, feel free to do it when updating master 👍

jas- / node-libnmap

Wrong scanned IPs when running the library #47