Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Use correct lengths for FQDN, not MAXHOSTNAMELEN #140

Closed
dmiller-nmap opened this issue May 28, 2015 · 3 comments
Closed

Use correct lengths for FQDN, not MAXHOSTNAMELEN #140

dmiller-nmap opened this issue May 28, 2015 · 3 comments
Labels
bug Nmap Nping

Comments

@dmiller-nmap
Copy link

As defined in nbase.h (or in some system header file on Linux), MAXHOSTNAMELEN is 64. This is the maximum length of a hostname, but not of a DNS name, which may be longer. RFC 1035 spells out that DNS names are formed of labels, each of which must be 63 octets or less, and that labels are combined to form a DNS name (a.k.a. FQDN) which may not exceed 255 octets. Each label is length-prefixed, so the ASCII readable name may only be 253 characters.

Nmap currently uses MAXHOSTNAMELEN in some places where the 253-character length should be used instead. As a simple example (because nmap.org has wildcard DNS), you can scan the 71-character DNS name "abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.nmap.org" with a short timeout to see that the message about "Skipping host due to host timeout" truncates the name at 64 characters:

$ nmap -p 80 abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.nmap.org --host-timeout 1ms -Pn

Starting Nmap 6.40 ( http://nmap.org ) at 2015-05-28 18:32 UTC
Nmap scan report for abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.nmap.org (173.255.243.189)
Host is up (0.039s latency).
rDNS record for 173.255.243.189: nmap.org
Skipping host abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.n due to host timeout
Nmap done: 1 IP address (1 host up) scanned in 0.08 seconds

Nmap also uses this length for the proxy host for Idle scan (-sI) and for the FTP server name for Bounce scan (-b). Nping uses MAXHOSTNAMELEN, but defines it to be 128. A more complete audit should probably be made.
@dmiller-nmap
Copy link
Author

Confirmed still a problem:

  1. const char *Target::NameIP() const in Target.cc. Example command: nmap -n -sL abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.abcdefghijklmnopqrstuvwxyz.nmap.org
  2. nmap_ftp.cc. Example command: ./nmap -b abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.nmap.org scanme.nmap.org
  3. nmap.cc, in validation for -sI option, rejects longer DNS names. Example command: ./nmap -sI abcdefghijklmnopqrstuvwxyzabcdefghijklmnopqrstuvwxyz0123456789.nmap.org scanme.nmap.org
  4. idle_scan.cc, once you bypass the length validation above. Example command is same as the previous point.

Essentially, any time MAXHOSTNAMELEN is used to refer to or contain a DNS name, it is used incorrectly.

CC @W0naN0w

@ghost ghost mentioned this issue Jul 20, 2016
Closed
@ghost
Copy link

ghost commented Jul 20, 2016

Hello @dmiller-nmap, thank you for your observations, I opened a new PR (#462) which aims to fix this.
Waiting for your feedback,
Vincent

@ghost
Copy link

ghost commented Jul 26, 2016

Hello @dmiller-nmap, I just pushed the commit for this issue. Let me know if something goes wrong. Thank you for your time,
Vincent

sergeykhegay pushed a commit to sergeykhegay/nmap that referenced this issue Jul 27, 2016
@sergeykhegay
Use FQDN_LEN instead of MAXHOSTNAMELEN for DNS name buffers
08dc8dc 
This closes nmap#140 (issue nmap#140), namely "Use correct lengths 
for FQDN, not MAXHOSTNAMELEN"
@ezeaguerre ezeaguerre mentioned this issue Jan 13, 2022
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Nmap Nping
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
1 participant
@dmiller-nmap