About to do Nmap 4.03

CHANGELOG

@@ -1,5 +1,7 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+Nmap 4.03
+
 o Updated the LibPCRE build system to add the -fno-thread-jumps option
   to gcc when compiling on the new Intel-based Apple Mac OS X systems.
   Hopefully this resolves the version detection crashes that several
@@ -11,6 +13,28 @@ o Increased a write buffer length to avoid Nmap from quitting with the
   increase".  Thanks to Dave (dmarcher(a)pobox.com) for reporting the
   issue.
 
+o Made some portability fixes to keep Nmap compiling with the newest
+  Visual Studio 2005.  Thanks to KX (kxmail(a)gmail.com) for
+  suggesting them.
+
+o Service fingerprints are now provided in the XML output whenever
+  they would appear in the interactive output (i.e. when a service
+  respons with data but is unrecognized).  They are shown in a new
+  'servicefp' attribute to the 'service' tag.  Thanks to Brandon Enright
+  (bmenrigh(a)ucsd.edu) for sending the patch.
+
+o WinPcap 3.1 binaries are now shipped in the Nmap tarball, along with
+  a customized (for Nmap) installer written by Doug Hoyte.  That new
+  WinPcap installer is now used in the Nmap self-installer.
+
+o Fixed (I hope) a problem where aggresive --min-parallelization
+  option values could cause Nmap to quit with the message "box(300, 100,
+  15) called (min,max,num)".  Thanks to  Richard van den Berg
+  (richard.vandenberg(a)ins.com) for reporting the problem.
+
+o Fixed a rare crash bug thanks to a report and patch from Ganga
+  Bhavani (GBhavani(a)everdreamcorp.com)
+
 Nmap 4.02ALPHA2
 
 o Updated to a newer XSL stylesheet (for XML to HTML output

Makefile.in

@@ -1,4 +1,4 @@
-export NMAP_VERSION = 4.02CSW
+export NMAP_VERSION = 4.03
 NMAP_NAME= Nmap
 NMAP_URL= http://www.insecure.org/nmap/
 NMAP_PLATFORM=@host@

NmapOps.cc

@@ -433,6 +433,10 @@ void NmapOps::ValidateOptions() {
 
   if (af() != AF_INET) mass_dns = false;
 
+  /* Prevent performance values from getting out of whack */
+  if (min_parallelism > max_parallelism)
+    max_parallelism = min_parallelism;
+
 }
   
 void NmapOps::setMaxRttTimeout(int rtt) 

NmapOutputTable.cc

@@ -99,6 +99,10 @@
 
 /* $Id$ */
 
+#ifdef WIN32
+#include "nmap_winconfig.h"
+#endif
+
 #include "NmapOutputTable.h"
 #include "utils.h"
 

Target.cc

@@ -99,6 +99,11 @@
  ***************************************************************************/
 
 /* $Id$ */
+
+#ifdef WIN32
+#include "nmap_winconfig.h"
+#endif
+
 #include <dnet.h>
 
 #include "Target.h"

docs/nmap.1

@@ -2,7 +2,7 @@
 .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
 .\" Instead of manually editing it, you probably should edit the DocBook XML
 .\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NMAP" "1" "04/01/2006" "" "Nmap Reference Guide"
+.TH "NMAP" "1" "04/22/2006" "" "Nmap Reference Guide"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -840,7 +840,7 @@ of
 will keep Nmap at that slow rate. Nmap tries to detect rate limiting and adjust the scan delay accordingly, but it doesn't hurt to specify it explicitly if you already know what rate works best.
 .sp
 When Nmap adjusts the scan delay upward to cope with rate limiting, the scan slows down dramatically. The
-\fB\-\-max_scan\-delay\fR
+\fB\-\-max\-scan\-delay\fR
 option specifies the largest delay that Nmap will allow. Setting this value too low can lead to wasteful packet retransmissions and possible missed ports when the target implements strict rate limiting.
 .sp
 Another use of

docs/nmap.dtd

@@ -66,7 +66,7 @@
 <!-- I don't know exactly what these are, but the values were enumerated via:
      grep "conf=" *
 --> 
-<!ENTITY % service_confs  "( 3 | 5 | 10)" >
+<!ENTITY % service_confs  "( 0 | 3 | 5 | 10)" >
 
 <!-- This element was started in nmap.c:nmap_main().
      It represents to the topmost element of the output document.
@@ -169,9 +169,10 @@
                         hostname        CDATA           #IMPLIED
                         ostype          CDATA           #IMPLIED
                         devicetype      CDATA           #IMPLIED
+                        servicefp       CDATA           #IMPLIED
 >
 
-<!ELEMENT os		( portused* , osclass*, osmatch* ) >
+<!ELEMENT os		( portused* , osclass*, osmatch*, osfingerprint* ) >
 
 <!ELEMENT portused	EMPTY >
 <!ATTLIST portused
@@ -196,6 +197,11 @@
 			line    	%attr_numeric;	#REQUIRED
 >
 
+<!ELEMENT osfingerprint	EMPTY >
+<!ATTLIST osfingerprint
+			fingerprint	CDATA		#REQUIRED
+>
+
 <!ELEMENT uptime	EMPTY >
 <!ATTLIST uptime
 			seconds		%attr_numeric;	#REQUIRED

libdnet-stripped/include/dnet_winconfig.h

@@ -276,3 +276,7 @@ int	strlcpy(char *, const char *, int);
 #ifndef HAVE_STRSEP
 char	*strsep(char **, const char *);
 #endif
+
+/* Without this, Windows will give us all sorts of crap about using functions
+   like strcpy() even if they are done safely */
+#define _CRT_SECURE_NO_DEPRECATE 1

libpcre/pcre_winconfig.h

@@ -35,4 +35,8 @@ default default. */
 
 // This is set by configure on other platforms -Fyodor
 #define POSIX_MALLOC_THRESHOLD 10
+
+/* Without this, Windows will give us all sorts of crap about using functions
+   like strcpy() even if they are done safely */
+#define _CRT_SECURE_NO_DEPRECATE 1
 /* End */

mswin32/nsis/Nmap.nsi

@@ -79,9 +79,9 @@ SectionEnd
 
 
 Section "WinPcap 3.1" SecWinPcap
-  File winpcap_3_1.exe
-  Exec '"$INSTDIR\WinPcap_3_1.exe"'
-  Delete "$INSTDIR\Winpcap_3_1.exe"
+  File winpcap-nmap-3.1.A.exe
+  Exec '"$INSTDIR\winpcap-nmap-3.1.A.exe"'
+  Delete "$INSTDIR\winpcap-nmap-3.1.A.exe"
 SectionEnd
 
 

mswin32/winclude.h

@@ -65,6 +65,8 @@
 #ifndef WINCLUDE_H
 #define WINCLUDE_H
 
+#include "nmap_winconfig.h"
+
 #include <stdio.h>
 #include <stdlib.h>
 

mswin32/winpcap/LICENSE

@@ -0,0 +1,13 @@
+Copyright (c) 1999 - 2005 NetGroup, Politecnico di Torino (Italy).
+Copyright (c) 2005 CACE Technologies, Davis (California).
+All rights reserved.
+
+Redistribution and use in source and binary forms, with or without modification, are permitted provided that the following conditions are met:
+
+1. Redistributions of source code must retain the above copyright notice, this list of conditions and the following disclaimer. 
+2. Redistributions in binary form must reproduce the above copyright notice, this list of conditions and the following disclaimer in the documentation and/or other materials provided with the distribution. 
+3. Neither the name of the Politecnico di Torino, CACE Technologies nor the names of its contributors may be used to endorse or promote products derived from this software without specific prior written permission. 
+
+THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS  "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
+
+This product includes software developed by the University of California, Lawrence Berkeley Laboratory and its contributors. 

mswin32/winpcap/winpcap-nmap.nsi

@@ -0,0 +1,146 @@
+;; Custom winpcap for nmap
+;; Started by Doug Hoyte, April 2006
+
+;--------------------------------
+
+; The name of the installer
+Name "winpcap-nmap-3.1"
+
+; The file to write
+OutFile "winpcap-nmap-3.1.A.exe"
+
+; The default installation directory
+InstallDir $PROGRAMFILES\WinPcap
+
+LicenseText "Winpcap License"
+LicenseData "LICENSE"
+
+;--------------------------------
+
+Page license
+Page directory
+Page instfiles
+
+UninstPage uninstConfirm
+UninstPage instfiles
+
+;--------------------------------
+
+; This function is called on startup. IfSilent checks
+; if the flag /S was specified. If so, it sets the installer
+; to run in "silent mode" which displays no windows and accepts
+; all defaults.
+
+; We also check if there is a previously installed winpcap
+; on this system. If it's the same as the version we're installing,
+; abort the install. If not, prompt the user about whether to
+; replace it or not.
+
+Function .onInit
+  var /GLOBAL inst_ver
+  var /GLOBAL my_ver
+
+  IfSilent do_silent no_silent
+
+  do_silent:
+    SetSilent silent
+    return
+
+  no_silent:
+
+    IfFileExists "$SYSDIR\wpcap.dll" do_version_check
+    return
+
+  do_version_check:
+
+    GetDllVersion "$SYSDIR\wpcap.dll" $R0 $R1
+    IntOp $R2 $R0 / 0x00010000
+    IntOp $R3 $R0 & 0x0000FFFF
+    IntOp $R4 $R1 / 0x00010000
+    IntOp $R5 $R1 & 0x0000FFFF
+    StrCpy $inst_ver "$R2.$R3.$R4.$R5"
+
+    GetDllVersion "wpcap.dll" $R0 $R1
+    IntOp $R2 $R0 / 0x00010000
+    IntOp $R3 $R0 & 0x0000FFFF
+    IntOp $R4 $R1 / 0x00010000
+    IntOp $R5 $R1 & 0x0000FFFF
+    StrCpy $my_ver "$R2.$R3.$R4.$R5"
+
+    StrCmp $inst_ver $my_ver same_ver
+
+    MessageBox MB_YESNO|MB_ICONQUESTION "WinPcap version $inst_ver exists on this system. Replace with version $my_ver" IDYES finish
+    quit
+
+  same_ver:
+    MessageBox MB_OK "Skipping WinPcap installation since version $inst_ver already exists on this system.  Uninstall that version first if you wish to force install."
+    quit
+
+  finish:
+
+FunctionEnd
+
+;--------------------------------
+
+; The stuff to install
+Section "" ;No components page, name is not important
+
+  ; Set output path to the installation directory.
+  SetOutPath $INSTDIR
+  
+  ; Put file there
+  File daemon_mgm.exe
+  File NetMonInstaller.exe
+  File npf_mgm.exe
+  File rpcapd.exe
+  File LICENSE
+
+  WriteUninstaller "uninstall.exe"
+
+  SetOutPath $SYSDIR
+
+  File Packet.dll
+  File pthreadVC.dll
+  File WanPacket.dll
+  File wpcap.dll
+
+  SetOutPath $SYSDIR\drivers
+
+  File npf.sys
+
+  ; Install some basic registry keys
+  WriteRegStr HKLM "Software\WinPcap" "" '"$INSTDIR"'
+
+  ; Write the uninstall keys for Windows
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\winpcap-nmap" "DisplayName" "winpcap-nmap 3.1"
+  WriteRegStr HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\winpcap-nmap" "UninstallString" '"$INSTDIR\uninstall.exe"'
+  WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\winpcap-nmap" "NoModify" 1
+  WriteRegDWORD HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\winpcap-nmap" "NoRepair" 1
+
+SectionEnd ; end the section
+
+
+;--------------------------------
+
+Section "Uninstall"
+
+  DeleteRegKey HKLM "Software\Microsoft\Windows\CurrentVersion\Uninstall\winpcap-nmap"
+  DeleteRegKey HKLM "Software\WinPcap"
+
+  Delete $INSTDIR\daemon_mgm.exe
+  Delete $INSTDIR\NetMonInstaller.exe
+  Delete $INSTDIR\npf_mgm.exe
+  Delete $INSTDIR\rpcapd.exe
+  Delete $INSTDIR\LICENSE
+  Delete $INSTDIR\uninstall.exe
+
+  Delete $SYSDIR\Packet.dll
+  Delete $SYSDIR\pthreadVC.dll
+  Delete $SYSDIR\WanPacket.dll
+  Delete $SYSDIR\wpcap.dll
+
+  Delete $SYSDIR\drivers\npf.sys
+
+  RMDir "$INSTDIR"
+
+SectionEnd

nmap-services

@@ -2243,6 +2243,8 @@ ciscopop          45000/udp  # Cisco Postoffice Protocol for Cisco Secure IDS
 dbbrowse          47557/tcp  # Databeam Corporation
 dbbrowse          47557/udp  # Databeam Corporation
 compaqdiag        49400/tcp  # Compaq Web-based management
+iiimsf            50000/tcp  # Internet/Intranet Input Method Server Framework
+iiimsf            50002/tcp  # Internet/Intranet Input Method Server Framework
 bo2k              54320/tcp  # Back Orifice 2K Default Port
 bo2k              54321/udp  # Back Orifice 2K Default Port
 netprowler-manager 61439/tcp

nmap.spec.in

@@ -18,7 +18,7 @@ Name: %{name}
 Version: %{version}
 Release: %{release}
 Epoch: 2
-Copyright: GPL
+License: http://www.insecure.org/nmap/man/man-legal.html
 Group: Applications/System
 Source0: http://www.insecure.org/nmap/dist/%{name}-%{version}.tgz
 URL: http://www.insecure.org/nmap/

nmap_dns.cc

@@ -150,6 +150,9 @@
 // * Figure out best way to estimate completion time
 //   and display it in a ScanProgressMeter 
 
+#ifdef WIN32
+#include "nmap_winconfig.h"
+#endif
 
 #include <stdlib.h>
 #include <limits.h>

nmap_winconfig.h

@@ -103,10 +103,13 @@
 
 #ifndef NMAP_WINCONFIG_H
 #define NMAP_WINCONFIG_H
-
-#define NMAP_VERSION "4.02CSW"
+/* Without this, Windows will give us all sorts of crap about using functions
+   like strcpy() even if they are done safely */
+#define _CRT_SECURE_NO_DEPRECATE 1
+#define NMAP_VERSION "4.03"
 #define NMAP_NAME "Nmap"
 #define NMAP_URL "http://www.insecure.org/nmap"
 #define NMAP_PLATFORM "i686-pc-windows-windows"
 #define NMAPDATADIR "c:\\nmap" /* FIXME: I really need to make this dynamic */
+
 #endif /* NMAP_WINCONFIG_H */

output.cc

@@ -166,10 +166,11 @@ static int getServiceXMLBuf(struct serviceDeductions *sd, char *xmlbuf,
   char rpcbuf[128];
   char *xml_product = NULL, *xml_version = NULL, *xml_extrainfo = NULL;
   char *xml_hostname = NULL, *xml_ostype = NULL, *xml_devicetype = NULL;
+  char *xml_servicefp = NULL, *xml_servicefp_temp = NULL;
 
   if (xmlbuflen < 1) return -1;
   xmlbuf[0] = '\0';  
-  if (!sd->name) return 0;
+  if (!sd->name && !sd->service_fp) return 0;
 
   if (sd->product) {
     xml_product = xml_convert(sd->product);
@@ -219,6 +220,16 @@ static int getServiceXMLBuf(struct serviceDeductions *sd, char *xmlbuf,
     versionxmlstring += '\"';
   }
 
+  if (sd->service_fp) {
+    xml_servicefp_temp = xml_convert(sd->service_fp);
+    xml_servicefp = xml_sf_convert(xml_servicefp_temp);
+    versionxmlstring += " servicefp=\"";
+    versionxmlstring += xml_servicefp;
+    free(xml_servicefp_temp); xml_servicefp_temp = NULL;
+    free(xml_servicefp); xml_servicefp = NULL;
+    versionxmlstring += '\"';
+  }
+
   if (o.rpcscan && sd->rpc_status == RPC_STATUS_GOOD_PROG) {
     snprintf(rpcbuf, sizeof(rpcbuf), 
 	     " rpcnum=\"%li\" lowver=\"%i\" highver=\"%i\" proto=\"rpc\"", 
@@ -227,7 +238,7 @@ static int getServiceXMLBuf(struct serviceDeductions *sd, char *xmlbuf,
 
   snprintf(xmlbuf, xmlbuflen, 
 	   "<service name=\"%s\"%s %smethod=\"%s\" conf=\"%d\"%s />", 
-	   sd->name,
+	   sd->name? sd->name : "unknown",
 	   versionxmlstring.c_str(),
 	   (sd->service_tunnel == SERVICE_TUNNEL_SSL)? "tunnel=\"ssl\" " : "",
 	   (sd->dtype == SERVICE_DETECTION_TABLE)? "table" : "probed", 
@@ -357,7 +368,7 @@ void printportoutput(Target *currenths, PortList *plist) {
   char rpcinfo[64];
   char rpcmachineinfo[64];
   char portinfo[64];
-  char xmlbuf[512];
+  char xmlbuf[2560];
   char grepvers[256];
   char grepown[64];
   char *p;
@@ -725,6 +736,37 @@ void log_vwrite(int logt, const char *fmt, va_list ap) {
   return;
 }
 
+/* Remove all "\nSF:" from fingerprints */
+char* xml_sf_convert (const char* str) {
+  char *temp = (char *) safe_malloc(strlen(str) + 1);
+  char *dst = temp, *src = (char *)str;
+  char *ampptr = 0;
+  int charcount = 0;
+
+  while(*src && charcount < 2035) { /* 2048 - 14 */
+    if (strncmp(src, "\nSF:", 4) == 0) {
+      src += 4;
+      continue;
+    }
+    /* Needed so "&something;" is not truncated midway */
+    if (*src == '&') {
+      ampptr = dst;
+    }
+    else if (*src == ';') {
+      ampptr = 0;
+    }
+    *dst++ = *src++;
+    charcount++;
+  }
+  if (ampptr != 0) {
+    *ampptr = '\0';
+  }
+  else {
+    *dst = '\0';
+  }
+  return temp;
+}
+
 /* Write some information (printf style args) to the given log stream(s).
  Remember to watch out for format string bugs.  */
 void log_write(int logt, const char *fmt, ...)

output.h

@@ -203,4 +203,5 @@ void printStatusMessage();
 void printfinaloutput();
 
 char* xml_convert (const char* str);
+char* xml_sf_convert (const char* str);
 #endif /* OUTPUT_H */

scan_engine.cc

@@ -100,6 +100,10 @@
 
 /* $Id$ */
 
+#ifdef WIN32
+#include "nmap_winconfig.h"
+#endif
+
 #include <dnet.h>
 
 #include "scan_engine.h"
@@ -1232,7 +1236,8 @@ void UltraScanInfo::Init(vector<Target *> &Targets, struct scan_lists *pts, styp
      again if they are).  when will be now, if the function returns
      true */
 bool UltraScanInfo::sendOK(struct timeval *when) {
-  struct timeval lowhtime, tmptv;
+  struct timeval lowhtime = {0};
+  struct timeval tmptv;
   list<HostScanStats *>::iterator host;
   bool ggood = false;
   bool hgood = false;
@@ -3227,7 +3232,7 @@ static void processData(UltraScanInfo *USI) {
   int expire_us = 0;
 
   bool tryno_capped = false, tryno_mayincrease = false;
-  struct timeval tv_start;
+  struct timeval tv_start = {0};
   if (o.debugging) {
     gettimeofday(&USI->now, NULL);
     tv_start = USI->now;

scripts/Makefile

@@ -85,9 +85,12 @@ distro:
            pcap-include/pcap-bpf.h pcap-include/sched.h \
            pcap-include/Ntddpack.h pcap-include/tme.h \
            pcap-include/tcp_session.h pcap-include/pcap-int.h \
-           nsis/AddToPath.nsh nsis/Nmap.nsi \
-           resource.h RPC/Rpc_cut.h winclude.h winfix.cc winfix.h \
-           /usr/tmp/nmap-$(NMAP_VERSION)/mswin32
+           winpcap/daemon_mgm.exe winpcap/LICENSE winpcap/NetMonInstaller.exe \
+           winpcap/npf_mgm.exe winpcap/npf.sys winpcap/Packet.dll \
+           winpcap/pthreadVC.dll winpcap/rpcapd.exe winpcap/WanPacket.dll \
+           winpcap/winpcap-nmap.nsi winpcap/wpcap.dll nsis/AddToPath.nsh \
+           nsis/Nmap.nsi resource.h RPC/Rpc_cut.h winclude.h winfix.cc \
+           winfix.h Makefile /usr/tmp/nmap-$(NMAP_VERSION)/mswin32
 	$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/$(LIBPCAPDIR)
 	cd ../$(LIBPCAPDIR); cp -a --parents acconfig.h aclocal.m4 arcnet.h \
             atmuni31.h bpf/net/bpf.h bpf/net/bpf_filter.c \

targets.cc

@@ -1797,7 +1797,7 @@ if (hs->randomize) {
 	 !hs->hostbatch[i]->timedOut(&now))
        if (!setTargetNextHopMAC(hs->hostbatch[i]))
 	 fatal("%s: Failed to determine dst MAC address for target %s", 
-	       __FUNCTION__, hs->hostbatch[hidx]->NameIP());
+	       __FUNCTION__, hs->hostbatch[i]->NameIP());
  }
 
  /* TODO: Maybe I should allow real ping scan of directly connected

tcpip.cc

@@ -99,7 +99,9 @@
  ***************************************************************************/
 
 /* $Id$ */
-
+#ifdef WIN32
+#include "nmap_winconfig.h"
+#endif
 #include <dnet.h>
 #include "tcpip.h"
 #include "NmapOps.h"
@@ -718,9 +720,9 @@ fatal("Call to pcap_open_live(%s, %d, %d, %d) failed three times. Reported error
           "*BSD:  If you are getting device not configured, you need to recompile your kernel with Berkeley Packet Filter support.  If you are getting No such file or directory, try creating the device (eg cd /dev; MAKEDEV <device>; or use mknod).\n"
           "SOLARIS:  If you are trying to scan localhost and getting '/dev/lo0: No such file or directory', complain to Sun.  I don't think Solaris can support advanced localhost scans.  You can probably use \"-P0 -sT localhost\" though.\n\n", pcapdev, snaplen, promisc, to_ms, err0r);
       } else {
-	error("pcap_open_live(%s, %d, %d, %d) FAILED. Reported error: %s.  Will wait %d seconds then retry.", pcapdev, snaplen, promisc, to_ms, err0r, (int) pow(5, failed));	
+	error("pcap_open_live(%s, %d, %d, %d) FAILED. Reported error: %s.  Will wait %d seconds then retry.", pcapdev, snaplen, promisc, to_ms, err0r, (int) pow(5.0, failed));	
       }
-      sleep((int) pow(5, failed));
+      sleep((int) pow(5.0, failed));
     }
   } while (!pt);