mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00

get rid of silly top-level trunk dir

fyodor
2005-04-11 22:34:19 +00:00
commit 26ce3d66f4
346 changed files with 245872 additions and 0 deletions

3211
CHANGELOG Normal file

File diff suppressed because it is too large

445
COPYING Normal file

@@ -0,0 +1,445 @@
/***************************************************************************
* COPYING -- Describes the terms under which Nmap is distributed. A copy *
* of the GNU GPL is appended to this file. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
GNU General Public License
----------------------------------------------------------------------------
Table of Contents
* GNU GENERAL PUBLIC LICENSE
o Preamble
o TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
o How to Apply These Terms to Your New Programs
----------------------------------------------------------------------------
GNU GENERAL PUBLIC LICENSE
Version 2, June 1991
Copyright (C) 1989, 1991 Free Software Foundation, Inc.
59 Temple Place - Suite 330, Boston, MA 02111-1307, USA
Everyone is permitted to copy and distribute verbatim copies
of this license document, but changing it is not allowed.
Preamble
The licenses for most software are designed to take away your freedom to
share and change it. By contrast, the GNU General Public License is intended
to guarantee your freedom to share and change free software--to make sure
the software is free for all its users. This General Public License applies
to most of the Free Software Foundation's software and to any other program
whose authors commit to using it. (Some other Free Software Foundation
software is covered by the GNU Library General Public License instead.) You
can apply it to your programs, too.
When we speak of free software, we are referring to freedom, not price. Our
General Public Licenses are designed to make sure that you have the freedom
to distribute copies of free software (and charge for this service if you
wish), that you receive source code or can get it if you want it, that you
can change the software or use pieces of it in new free programs; and that
you know you can do these things.
To protect your rights, we need to make restrictions that forbid anyone to
deny you these rights or to ask you to surrender the rights. These
restrictions translate to certain responsibilities for you if you distribute
copies of the software, or if you modify it.
For example, if you distribute copies of such a program, whether gratis or
for a fee, you must give the recipients all the rights that you have. You
must make sure that they, too, receive or can get the source code. And you
must show them these terms so they know their rights.
We protect your rights with two steps: (1) copyright the software, and (2)
offer you this license which gives you legal permission to copy, distribute
and/or modify the software.
Also, for each author's protection and ours, we want to make certain that
everyone understands that there is no warranty for this free software. If
the software is modified by someone else and passed on, we want its
recipients to know that what they have is not the original, so that any
problems introduced by others will not reflect on the original authors'
reputations.
Finally, any free program is threatened constantly by software patents. We
wish to avoid the danger that redistributors of a free program will
individually obtain patent licenses, in effect making the program
proprietary. To prevent this, we have made it clear that any patent must be
licensed for everyone's free use or not licensed at all.
The precise terms and conditions for copying, distribution and modification
follow.
TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND MODIFICATION
0. This License applies to any program or other work which contains a notice
placed by the copyright holder saying it may be distributed under the terms
of this General Public License. The "Program", below, refers to any such
program or work, and a "work based on the Program" means either the Program
or any derivative work under copyright law: that is to say, a work
containing the Program or a portion of it, either verbatim or with
modifications and/or translated into another language. (Hereinafter,
translation is included without limitation in the term "modification".) Each
licensee is addressed as "you".
Activities other than copying, distribution and modification are not covered
by this License; they are outside its scope. The act of running the Program
is not restricted, and the output from the Program is covered only if its
contents constitute a work based on the Program (independent of having been
made by running the Program). Whether that is true depends on what the
Program does.
1. You may copy and distribute verbatim copies of the Program's source code
as you receive it, in any medium, provided that you conspicuously and
appropriately publish on each copy an appropriate copyright notice and
disclaimer of warranty; keep intact all the notices that refer to this
License and to the absence of any warranty; and give any other recipients of
the Program a copy of this License along with the Program.
You may charge a fee for the physical act of transferring a copy, and you
may at your option offer warranty protection in exchange for a fee.
2. You may modify your copy or copies of the Program or any portion of it,
thus forming a work based on the Program, and copy and distribute such
modifications or work under the terms of Section 1 above, provided that you
also meet all of these conditions:
* a) You must cause the modified files to carry prominent notices stating
that you changed the files and the date of any change.
* b) You must cause any work that you distribute or publish, that in
whole or in part contains or is derived from the Program or any part
thereof, to be licensed as a whole at no charge to all third parties
under the terms of this License.
* c) If the modified program normally reads commands interactively when
run, you must cause it, when started running for such interactive use
in the most ordinary way, to print or display an announcement including
an appropriate copyright notice and a notice that there is no warranty
(or else, saying that you provide a warranty) and that users may
redistribute the program under these conditions, and telling the user
how to view a copy of this License. (Exception: if the Program itself
is interactive but does not normally print such an announcement, your
work based on the Program is not required to print an announcement.)
These requirements apply to the modified work as a whole. If identifiable
sections of that work are not derived from the Program, and can be
reasonably considered independent and separate works in themselves, then
this License, and its terms, do not apply to those sections when you
distribute them as separate works. But when you distribute the same sections
as part of a whole which is a work based on the Program, the distribution of
the whole must be on the terms of this License, whose permissions for other
licensees extend to the entire whole, and thus to each and every part
regardless of who wrote it.
Thus, it is not the intent of this section to claim rights or contest your
rights to work written entirely by you; rather, the intent is to exercise
the right to control the distribution of derivative or collective works
based on the Program.
In addition, mere aggregation of another work not based on the Program with
the Program (or with a work based on the Program) on a volume of a storage
or distribution medium does not bring the other work under the scope of this
License.
3. You may copy and distribute the Program (or a work based on it, under
Section 2) in object code or executable form under the terms of Sections 1
and 2 above provided that you also do one of the following:
* a) Accompany it with the complete corresponding machine-readable source
code, which must be distributed under the terms of Sections 1 and 2
above on a medium customarily used for software interchange; or,
* b) Accompany it with a written offer, valid for at least three years,
to give any third party, for a charge no more than your cost of
physically performing source distribution, a complete machine-readable
copy of the corresponding source code, to be distributed under the
terms of Sections 1 and 2 above on a medium customarily used for
software interchange; or,
* c) Accompany it with the information you received as to the offer to
distribute corresponding source code. (This alternative is allowed only
for noncommercial distribution and only if you received the program in
object code or executable form with such an offer, in accord with
Subsection b above.)
The source code for a work means the preferred form of the work for making
modifications to it. For an executable work, complete source code means all
the source code for all modules it contains, plus any associated interface
definition files, plus the scripts used to control compilation and
installation of the executable. However, as a special exception, the source
code distributed need not include anything that is normally distributed (in
either source or binary form) with the major components (compiler, kernel,
and so on) of the operating system on which the executable runs, unless that
component itself accompanies the executable.
If distribution of executable or object code is made by offering access to
copy from a designated place, then offering equivalent access to copy the
source code from the same place counts as distribution of the source code,
even though third parties are not compelled to copy the source along with
the object code.
4. You may not copy, modify, sublicense, or distribute the Program except as
expressly provided under this License. Any attempt otherwise to copy,
modify, sublicense or distribute the Program is void, and will automatically
terminate your rights under this License. However, parties who have received
copies, or rights, from you under this License will not have their licenses
terminated so long as such parties remain in full compliance.
5. You are not required to accept this License, since you have not signed
it. However, nothing else grants you permission to modify or distribute the
Program or its derivative works. These actions are prohibited by law if you
do not accept this License. Therefore, by modifying or distributing the
Program (or any work based on the Program), you indicate your acceptance of
this License to do so, and all its terms and conditions for copying,
distributing or modifying the Program or works based on it.
6. Each time you redistribute the Program (or any work based on the
Program), the recipient automatically receives a license from the original
licensor to copy, distribute or modify the Program subject to these terms
and conditions. You may not impose any further restrictions on the
recipients' exercise of the rights granted herein. You are not responsible
for enforcing compliance by third parties to this License.
7. If, as a consequence of a court judgment or allegation of patent
infringement or for any other reason (not limited to patent issues),
conditions are imposed on you (whether by court order, agreement or
otherwise) that contradict the conditions of this License, they do not
excuse you from the conditions of this License. If you cannot distribute so
as to satisfy simultaneously your obligations under this License and any
other pertinent obligations, then as a consequence you may not distribute
the Program at all. For example, if a patent license would not permit
royalty-free redistribution of the Program by all those who receive copies
directly or indirectly through you, then the only way you could satisfy both
it and this License would be to refrain entirely from distribution of the
Program.
If any portion of this section is held invalid or unenforceable under any
particular circumstance, the balance of the section is intended to apply and
the section as a whole is intended to apply in other circumstances.
It is not the purpose of this section to induce you to infringe any patents
or other property right claims or to contest validity of any such claims;
this section has the sole purpose of protecting the integrity of the free
software distribution system, which is implemented by public license
practices. Many people have made generous contributions to the wide range of
software distributed through that system in reliance on consistent
application of that system; it is up to the author/donor to decide if he or
she is willing to distribute software through any other system and a
licensee cannot impose that choice.
This section is intended to make thoroughly clear what is believed to be a
consequence of the rest of this License.
8. If the distribution and/or use of the Program is restricted in certain
countries either by patents or by copyrighted interfaces, the original
copyright holder who places the Program under this License may add an
explicit geographical distribution limitation excluding those countries, so
that distribution is permitted only in or among countries not thus excluded.
In such case, this License incorporates the limitation as if written in the
body of this License.
9. The Free Software Foundation may publish revised and/or new versions of
the General Public License from time to time. Such new versions will be
similar in spirit to the present version, but may differ in detail to
address new problems or concerns.
Each version is given a distinguishing version number. If the Program
specifies a version number of this License which applies to it and "any
later version", you have the option of following the terms and conditions
either of that version or of any later version published by the Free
Software Foundation. If the Program does not specify a version number of
this License, you may choose any version ever published by the Free Software
Foundation.
10. If you wish to incorporate parts of the Program into other free programs
whose distribution conditions are different, write to the author to ask for
permission. For software which is copyrighted by the Free Software
Foundation, write to the Free Software Foundation; we sometimes make
exceptions for this. Our decision will be guided by the two goals of
preserving the free status of all derivatives of our free software and of
promoting the sharing and reuse of software generally.
NO WARRANTY
11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE, THERE IS NO WARRANTY FOR
THE PROGRAM, TO THE EXTENT PERMITTED BY APPLICABLE LAW. EXCEPT WHEN
OTHERWISE STATED IN WRITING THE COPYRIGHT HOLDERS AND/OR OTHER PARTIES
PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF ANY KIND, EITHER EXPRESSED
OR IMPLIED, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF
MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO
THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU. SHOULD THE PROGRAM
PROVE DEFECTIVE, YOU ASSUME THE COST OF ALL NECESSARY SERVICING, REPAIR OR
CORRECTION.
12. IN NO EVENT UNLESS REQUIRED BY APPLICABLE LAW OR AGREED TO IN WRITING
WILL ANY COPYRIGHT HOLDER, OR ANY OTHER PARTY WHO MAY MODIFY AND/OR
REDISTRIBUTE THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR DAMAGES,
INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL OR CONSEQUENTIAL DAMAGES ARISING
OUT OF THE USE OR INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED TO
LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR LOSSES SUSTAINED BY YOU OR
THIRD PARTIES OR A FAILURE OF THE PROGRAM TO OPERATE WITH ANY OTHER
PROGRAMS), EVEN IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE
POSSIBILITY OF SUCH DAMAGES.
END OF TERMS AND CONDITIONS
How to Apply These Terms to Your New Programs
If you develop a new program, and you want it to be of the greatest possible
use to the public, the best way to achieve this is to make it free software
which everyone can redistribute and change under these terms.
To do so, attach the following notices to the program. It is safest to
attach them to the start of each source file to most effectively convey the
exclusion of warranty; and each file should have at least the "copyright"
line and a pointer to where the full notice is found.
one line to give the program's name and an idea of what it does.
Copyright (C) 19yy name of author
This program is free software; you can redistribute it and/or
modify it under the terms of the GNU General Public License
as published by the Free Software Foundation; either version 2
of the License, or (at your option) any later version.
This program is distributed in the hope that it will be useful,
but WITHOUT ANY WARRANTY; without even the implied warranty of
MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
GNU General Public License for more details.
You should have received a copy of the GNU General Public License
along with this program; if not, write to the Free Software
Foundation, Inc., 59 Temple Place - Suite 330, Boston, MA 02111-1307, USA.
Also add information on how to contact you by electronic and paper mail.
If the program is interactive, make it output a short notice like this when
it starts in an interactive mode:
Gnomovision version 69, Copyright (C) 19yy name of author
Gnomovision comes with ABSOLUTELY NO WARRANTY; for details
type `show w'. This is free software, and you are welcome
to redistribute it under certain conditions; type `show c'
for details.
The hypothetical commands `show w' and `show c' should show the appropriate
parts of the General Public License. Of course, the commands you use may be
called something other than `show w' and `show c'; they could even be
mouse-clicks or menu items--whatever suits your program.
You should also get your employer (if you work as a programmer) or your
school, if any, to sign a "copyright disclaimer" for the program, if
necessary. Here is a sample; alter the names:
Yoyodyne, Inc., hereby disclaims all copyright
interest in the program `Gnomovision'
(which makes passes at compilers) written
by James Hacker.
signature of Ty Coon, 1 April 1989
Ty Coon, President of Vice
This General Public License does not permit incorporating your program into
proprietary programs. If your program is a subroutine library, you may
consider it more useful to permit linking proprietary applications with the
library. If this is what you want to do, use the GNU Library General Public
License instead of this License.

127
COPYING.OpenSSL Normal file

@@ -0,0 +1,127 @@
LICENSE ISSUES
==============
The OpenSSL toolkit stays under a dual license, i.e. both the conditions of
the OpenSSL License and the original SSLeay license apply to the toolkit.
See below for the actual license texts. Actually both licenses are BSD-style
Open Source licenses. In case of any license issues related to OpenSSL
please contact openssl-core@openssl.org.
OpenSSL License
---------------
/* ====================================================================
* Copyright (c) 1998-2004 The OpenSSL Project. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in
* the documentation and/or other materials provided with the
* distribution.
*
* 3. All advertising materials mentioning features or use of this
* software must display the following acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
*
* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
* endorse or promote products derived from this software without
* prior written permission. For written permission, please contact
* openssl-core@openssl.org.
*
* 5. Products derived from this software may not be called "OpenSSL"
* nor may "OpenSSL" appear in their names without prior written
* permission of the OpenSSL Project.
*
* 6. Redistributions of any form whatsoever must retain the following
* acknowledgment:
* "This product includes software developed by the OpenSSL Project
* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
*
* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
* OF THE POSSIBILITY OF SUCH DAMAGE.
* ====================================================================
*
* This product includes cryptographic software written by Eric Young
* (eay@cryptsoft.com). This product includes software written by Tim
* Hudson (tjh@cryptsoft.com).
*
*/
Original SSLeay License
-----------------------
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
* This package is an SSL implementation written
* by Eric Young (eay@cryptsoft.com).
* The implementation was written so as to conform with Netscapes SSL.
*
* This library is free for commercial and non-commercial use as long as
* the following conditions are aheared to. The following conditions
* apply to all code found in this distribution, be it the RC4, RSA,
* lhash, DES, etc., code; not just the SSL code. The SSL documentation
* included with this distribution is covered by the same copyright terms
* except that the holder is Tim Hudson (tjh@cryptsoft.com).
*
* Copyright remains Eric Young's, and as such any Copyright notices in
* the code are not to be removed.
* If this package is used in a product, Eric Young should be given attribution
* as the author of the parts of the library used.
* This can be in the form of a textual message at program startup or
* in documentation (online or textual) provided with the package.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* "This product includes cryptographic software written by
* Eric Young (eay@cryptsoft.com)"
* The word 'cryptographic' can be left out if the rouines from the library
* being used are not cryptographic related :-).
* 4. If you include any Windows specific code (or a derivative thereof) from
* the apps directory (application code) you must include an acknowledgement:
* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
*
* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* The licence and distribution terms for any publically available version or
* derivative of this code cannot be changed. i.e. this code cannot simply be
* copied and put under another distribution licence
* [including the GNU Public Licence.]
*/

214
FingerPrintResults.cc Normal file

@@ -0,0 +1,214 @@
/***************************************************************************
* FingerPrintResults -- The FingerPrintResults class the results of OS *
* fingerprint matching against a certain host. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#include "FingerPrintResults.h"
#include "osscan.h"
#include "NmapOps.h"
extern NmapOps o;
FingerPrintResults::FingerPrintResults() {
num_perfect_matches = num_matches = 0;
overall_results = OSSCAN_NOMATCHES;
memset(accuracy, 0, sizeof(accuracy));
isClassified = false;
osscan_opentcpport = osscan_closedtcpport = -1;
memset(FPs, 0, sizeof(FPs));
numFPs = goodFP = 0;
}
FingerPrintResults::~FingerPrintResults() {
int i;
/* Free OS fingerprints of OS scanning was done */
for(i=0; i < numFPs; i++) {
freeFingerPrint(FPs[i]);
FPs[i] = NULL;
}
numFPs = 0;
}
const struct OS_Classification_Results *FingerPrintResults::getOSClassification() {
if (!isClassified) { populateClassification(); isClassified = true; }
return &OSR;
}
/* Are the attributes of this fingerprint good enough to warrant submission to the official DB? */
bool FingerPrintResults::fingerprintSuitableForSubmission() {
// TODO: There are many more tests I could (and should) add. Maybe related to
// UDP test, TTL, etc.
if (o.scan_delay > 500) // This can screw up the sequence timing
return false;
if (osscan_opentcpport < 0 || osscan_closedtcpport < 0 ) // then results won't be complete
return false;
return true;
}
/* Goes through fingerprinting results to populate OSR */
void FingerPrintResults::populateClassification() {
int printno, classno;
OSR.OSC_num_perfect_matches = OSR.OSC_num_matches = 0;
OSR.overall_results = OSSCAN_SUCCESS;
if (overall_results == OSSCAN_TOOMANYMATCHES) {
// The normal classification overflowed so we don't even have all the perfect matches,
// I don't see any good reason to do classification.
OSR.overall_results = OSSCAN_TOOMANYMATCHES;
return;
}
for(printno = 0; printno < num_matches; printno++) {
// a single print may have multiple classifications
for(classno = 0; classno < prints[printno]->num_OS_Classifications; classno++) {
if (!classAlreadyExistsInResults(&(prints[printno]->OS_class[classno]))) {
// Then we have to add it ... first ensure we have room
if (OSR.OSC_num_matches == MAX_FP_RESULTS) {
// Out of space ... if the accuracy of this one is 100%, we have a problem
if (accuracy[printno] == 1.0) OSR.overall_results = OSSCAN_TOOMANYMATCHES;
return;
}
// We have space, but do we even want this one? No point
// including lesser matches if we have 1 or more perfect
// matches.
if (OSR.OSC_num_perfect_matches > 0 && accuracy[printno] < 1.0) {
return;
}
// OK, we will add the new class
OSR.OSC[OSR.OSC_num_matches] = &(prints[printno]->OS_class[classno]);
OSR.OSC_Accuracy[OSR.OSC_num_matches] = accuracy[printno];
if (accuracy[printno] == 1.0) OSR.OSC_num_perfect_matches++;
OSR.OSC_num_matches++;
}
}
}
if (OSR.OSC_num_matches == 0)
OSR.overall_results = OSSCAN_NOMATCHES;
return;
}
// Go through any previously enterted classes to see if this is a dupe;
bool FingerPrintResults::classAlreadyExistsInResults(struct OS_Classification *OSC) {
int i;
for (i=0; i < OSR.OSC_num_matches; i++) {
if (!strcmp(OSC->OS_Vendor, OSR.OSC[i]->OS_Vendor) &&
!strcmp(OSC->OS_Family, OSR.OSC[i]->OS_Family) &&
!strcmp(OSC->Device_Type, OSR.OSC[i]->Device_Type) &&
!strcmp(OSC->OS_Generation? OSC->OS_Generation : "",
OSR.OSC[i]->OS_Generation? OSR.OSC[i]->OS_Generation : "")) {
// Found a duplicate!
return true;
}
}
// Went through all the results -- no duplicates found
return false;
}
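Review bot: In classAlreadyExistsInResults() the strcmp() calls on OS_Vendor, OS_Family and Device_Type dereference both sides unconditionally, while OS_Generation in the same condition is guarded against NULL with `? ... : ""`. The code that fills struct OS_Classification is not part of this file, so whether those three fields can be left unset is inferred; if they can, a malformed class line in nmap-os-fingerprints becomes a NULL dereference during classification. Either apply the same guard to all four fields or state the invariant above the loop, e.g. `/* OS_Vendor, OS_Family and Device_Type are never NULL; only OS_Generation is optional */`. populateClassification() also relies on `accuracy[printno] == 1.0` being an exact comparison, which deserves a one-line comment saying the matcher stores a literal 1.0 for perfect matches.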

161
FingerPrintResults.h Normal file

@@ -0,0 +1,161 @@
/***************************************************************************
* FingerPrintResults -- The FingerPrintResults class the results of OS *
* fingerprint matching against a certain host. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#ifndef FINGERPRINTRESULTS_H
#define FINGERPRINTRESULTS_H
class FingerPrintResults;
#include "nmap.h"
/* Maximum number of results allowed in one of these things ... */
#define MAX_FP_RESULTS 36
struct OS_Classification_Results {
struct OS_Classification *OSC[MAX_FP_RESULTS];
double OSC_Accuracy[MAX_FP_RESULTS];
int OSC_num_perfect_matches; // Number of perfect matches in OSC[\]
int OSC_num_matches; // Number of matches total in OSC[] (and, of course, _accuracy[])
int overall_results; /* OSSCAN_TOOMANYMATCHES, OSSCAN_NOMATCHES, OSSCAN_SUCCESS, etc */
};
class FingerPrintResults {
public: /* For now ... a lot of the data members should be made private */
FingerPrintResults();
~FingerPrintResults();
double accuracy[MAX_FP_RESULTS]; /* Percentage of match (1.0 == perfect
match) in same order as pritns[] below */
FingerPrint *prints[MAX_FP_RESULTS]; /* ptrs to matching references --
highest accuracy matches first */
int num_perfect_matches; /* Number of 1.0 accuracy matches in prints[] */
int num_matches; /* Total number of matches in prints[] */
int overall_results; /* OSSCAN_TOOMANYMATCHES, OSSCAN_NOMATCHES,
OSSCAN_SUCCESS, etc */
/* Ensures that the results are available and then returns them. You should only call
this AFTER all matching has been completed (because results are cached and won't change
if new prints[] are added.) All OS Classes in the results will be unique, and if there are
any perfect (accuracy 1.0) matches, only those will be returned */
const struct OS_Classification_Results *getOSClassification();
int osscan_opentcpport; /* Open port used for scannig (if one found --
otherwise -1) */
int osscan_closedtcpport; /* Closed port used for scannig (if one found --
otherwise -1) */
FingerPrint *FPs[10]; /* Fingerprint data obtained from host */
int numFPs;
int goodFP;
/* Are the attributes of this fingerprint good enough to warrant submission to the official DB? */
bool fingerprintSuitableForSubmission();
private:
bool isClassified; // Whether populateClassification() has been called
/* Goes through fingerprinting results to populate OSR */
void populateClassification();
bool classAlreadyExistsInResults(struct OS_Classification *OSC);
struct OS_Classification_Results OSR;
};
#endif /* FINGERPRINTRESULTS_H */
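Review bot: FingerPrintResults owns the pointers in FPs[] (the destructor in FingerPrintResults.cc calls freeFingerPrint() on each of them), but the class declares no copy constructor or assignment operator, so a by-value copy would leave two objects freeing the same fingerprints. Declaring `FingerPrintResults(const FingerPrintResults &);` and `FingerPrintResults &operator=(const FingerPrintResults &);` in the private section, without definitions, turns an accidental copy into a compile or link error. The bare `FPs[10]` would also be better as a named constant next to MAX_FP_RESULTS, because numFPs is a public member and the destructor trusts it as the loop bound into that array.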

119
HACKING Normal file

@@ -0,0 +1,119 @@
Nmap HACKING
------------
Information for potential Nmap hackers!
Source is provided to Nmap because we believe users have a
right to know exactly what a program is going to do before they run
it. This also allows you to audit the software for security holes
(none have been found so far).
Source code also allows you to port Nmap to new platforms, fix bugs,
and add new features. You are highly encouraged to send your changes
to fyodor@insecure.org or nmap-dev@insecure.org for possible
incorporation into the main distribution. By sending these changes to
Fyodor or one the insecure.org development mailing lists, it is
assumed that you are offering Fyodor the unlimited, non-exclusive
right to reuse, modify, and relicense the code. This is important
because the inability to relicense code has caused devastating
problems for other Free Software projects (such as KDE and NASM).
Nmap will always be available Open Source. If you wish to specify
special license conditions of your contributions, just say so when you
send them.
Nmap is a community project and has already benefitted greatly from
outside contributors ( for examples, see the CHANGELOG or
http://www.insecure.org/nmap/#thanks ). Bugfixes, and portability
changes will almost always be accepted. Even if you do not have time
to track down and patch a problem, bug reports are always welcome.
Hackers interested in something more major, such as a new feature, are
encouraged to send a mail describing their plans to
nmap-dev@insecure.org . This is a good way to solicit feedback on
your proposals. List members or often very willing to help. You
might want to subscribe to that mailing list as well -- send a blank
email to nmap-dev-subscribe@insecure.org . While you are at it, you
might also want to subscribe to nmap-hackers via the same mechanism.
Web archives of those lists are at http://lists.insecure.org .
If you are not ready to send details of your feature to the whole
list, you can always start by mailing fyodor@insecure.org .
Some ideas of useful contributions/projects
-------------------------------------------
Of course, you are welcome to work on whatever suits your fancy. But
here are some ideas of contributions that might be particularly
useful:
Table Rendering Code -- The system nmap uses for outputing the port
status table is not very extensible. For example, witness the chaos
in Nmap.c required to support adding an Ident column to the table when
-I is specified. A simple table rendering library would be userul.
Presumably it would take some sort of specification giving the number
of columns & justification and an array of rows. Then it would decide
the appropriate column widths and print out the nicely formatted table.
NmapFE improvements -- I am currently maintaining NmapFE (also known
as xnmap) -- the GTK GUI front end to Nmap. I am very open to changes
and improvements in that program. If you have enhancement ideas, give
it a shot!
Debian/SPARC binaries -- I would like to offer Debian and SPARC native
binary packages via the web site. Right now the nmap 'distro' rule
creates the .tgz and *.rpm versions. If anyone wants to enhance that
to spit out debian packages as well, that would be great! A
'sunpackage' rule that I could run on a sparc would also be useful.
Debian & Solaris packages are already available at debian.org and
sunfreeware.com, but they are not always up-to-date.
XML Output -- We have pretty much decided on a format ( see
http://lists.insecure.org/nmap-dev/2000/Jul-Sep/0038.html ) , but the
code hasn't been written yet. An XSchema or DTD for the format would
also be useful.
How to make code contributions
------------------------------
The preferred mechanism for submitted changes is unified diffs against
the latest development release version of Nmap. Please send them to
fyodor@insecure.org or nmap-dev@insecure.org .
To make a unified diff, please follow these instructions:
1. Remove temporary files:
make clean
2. Rename your source tree:
cd ..
mv nmap-2.54BETA4 nmap-2.54BETA4-snazzy-feature
3. Unpack the original Nmap source alongside it:
tar xzf nmap-2.54BETA4.tgz
4. Generate the diffs:
diff -urNb nmap-2.54BETA4 nmap-2.54BETA4-snazzy-feature > nmap.patch
5. Check the patch and remove any unnecessary patches from the file.
6. If you've added several features, it's best to send them as
several independent patches if you can.
If you have just patched one or two files, then making patches is even
easier. For each file, just do:
cp file.c file.c.orig
[Make changes to file.c ...]
diff -u file.c.orig file.c > file.c.patch
and just send us the patch: file.c.patch.
Credits
-------
I got the idea for this HACKING file from GNet (
http://www.eecs.umich.edu/~dhelder/misc/gnet/ ) and followed the
general structure of their HACKING file.

12
INSTALL Normal file

@@ -0,0 +1,12 @@
Ideally, you should be able to just type:
./configure
make
make install
If you have questions, comments or problems feel free to email
me (with detailed information on the platform you are running on
and all the output from ./configure and make as well as config.log if
one was generated) --fyodor@insecure.org

223
MACLookup.cc Normal file

@@ -0,0 +1,223 @@
/***************************************************************************
* MACLookup.cc -- This relatively simple system handles looking up the *
* vendor registered to a MAC address using the nmap-mac-prefixes *
* database. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
/* Character pool memory allocation */
#include "MACLookup.h"
#include "nmap.h"
#include "nmap_error.h"
struct MAC_entry {
int prefix; /* -1 means none set */
char *vendor;
};
struct MAC_hash_table {
int table_capacity; /* How many members the table can hold */
int table_members; /* How many members it has now */
struct MAC_entry **table;
} MacTable;
static int initialized = 0;
static inline int MacCharPrefix2Key(const u8 *prefix) {
return (prefix[0] << 16) + (prefix[1] << 8) + prefix[2];
}
/* Hashes the prefix into a position from 0 to table_capacity - 1. Does not
check if the position is free or anything */
static inline int MACTableHash(int prefix, int table_capacity) {
// Maybe I should think about changing this sometime.
return prefix % table_capacity;
}
void InitializeTable() {
if (initialized) return;
initialized = 1;
char filename[256];
FILE *fp;
char line[128];
int pfx, pos;
char *endptr, *p;
int lineno = 0;
struct MAC_entry *ME;
MacTable.table_capacity = 9521;
MacTable.table_members = 0;
MacTable.table = (struct MAC_entry **) safe_zalloc(MacTable.table_capacity * sizeof(struct MAC_entry *));
/* Now it is time to read in all of the entries ... */
if (nmap_fetchfile(filename, sizeof(filename), "nmap-mac-prefixes") == -1){
error("Cannot find nmap-mac-prefixes: Ethernet vendor corolation will not be performed");
return;
}
fp = fopen(filename, "r");
if (!fp) {
error("Unable to open %s. Ethernet vendor correlation will not be performed ", filename);
}
while(fgets(line, sizeof(line), fp)) {
lineno++;
if (*line == '#') continue;
if (!isxdigit(*line)) {
error("Parse error one line #%d of %s. Giving up parsing.", lineno, filename);
break;
}
/* First grab the prefix */
pfx = strtol(line, &endptr, 16);
if (!endptr || !isspace(*endptr)) {
error("Parse error one line #%d of %s. Giving up parsing.", lineno, filename);
break;
}
/* Now grab the vendor */
while(*endptr && isspace(*endptr)) endptr++;
assert(*endptr);
p = endptr;
while(*endptr && *endptr != '\n' && *endptr != '\r') endptr++;
*endptr = '\0';
// Create the new MAC_entry
ME = (struct MAC_entry *) cp_alloc(sizeof(struct MAC_entry));
ME->prefix = pfx;
ME->vendor = cp_strdup(p);
// Now insert it into the table
if (MacTable.table_members >= MacTable.table_capacity)
fatal("No space for further MAC prefixes from nmap-mac-prefixes. Increase MacTable.table_capacity");
pos = MACTableHash(pfx, MacTable.table_capacity);
while (MacTable.table[pos]) pos = (pos + 1) % MacTable.table_capacity;
MacTable.table[pos] = ME;
MacTable.table_members++;
}
fclose(fp);
return;
}
struct MAC_entry *findMACEntry(int prefix) {
int pos = MACTableHash(prefix, MacTable.table_capacity);
while (MacTable.table[pos]) {
if (MacTable.table[pos]->prefix == prefix)
return MacTable.table[pos];
pos = (pos + 1) % MacTable.table_capacity;
}
return NULL;
}
/* Takes a three byte MAC address prefix (passing the whole MAC is OK
too) and returns the company which has registered the prefix.
NULL is returned if no vendor is found for the given prefix or if there
is some other error. */
const char *MACPrefix2Corp(const u8 *prefix) {
struct MAC_entry *ent;
if (!prefix) fatal("MACPrefix2Corp called with a NULL prefix");
if (!initialized) InitializeTable();
ent = findMACEntry(MacCharPrefix2Key(prefix));
return (ent)? ent->vendor : NULL;
}
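Review bot: InitializeTable() reports a failed fopen() but does not return, so the `fgets(line, sizeof(line), fp)` loop and the final `fclose(fp)` run with a NULL stream; add `return;` after the error() call inside the `if (!fp)` block. The parsed prefix is also used unchecked: strtol() yields a long that is narrowed into `int pfx`, and a line carrying more hex digits than a 24-bit prefix can end up negative, which makes `prefix % table_capacity` negative and indexes MacTable.table[] out of bounds on insertion. Treating `if (pfx < 0 || pfx > 0xFFFFFF)` as a parse error, like the two checks before it, keeps a damaged nmap-mac-prefixes file from corrupting memory. The `assert(*endptr)` for a line that has a prefix but no vendor aborts the whole run, whereas the other parse errors only stop parsing; it would be more consistent to handle it the same way.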

114
MACLookup.h Normal file

@@ -0,0 +1,114 @@
/***************************************************************************
* MACLookup.cc -- This relatively simple system handles looking up the *
* vendor registered to a MAC address using the nmap-mac-prefixes *
* database. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#ifndef MACLOOKUP_H
#define MACLOOKUP_H
#include "nbase/nbase.h"
/* Takes a three byte MAC address prefix (passing the whole MAC is OK
too) and returns the company which has registered the prefix.
NULL is returned if no vendor is found for the given prefix or if there
is some other error. */
const char *MACPrefix2Corp(const u8 *prefix);
#endif /* MACLOOKUP_H */
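Review bot: The comment on `MACPrefix2Corp` promises NULL for "some other error", but the definition in MACLookup.cc calls `fatal()` when `prefix` is NULL, so a caller cannot rely on a NULL return for bad input. The comment also does not say who owns the result; the vendor string is stored with `cp_strdup()` in the .cc file, which suggests it belongs to the table and must not be freed by the caller. I would add to the comment: `prefix must be non-NULL and point to at least three readable bytes; the returned string is owned by the lookup table and must not be freed or modified`. The file banner still reads `MACLookup.cc --` and should say `MACLookup.h --`.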

322
Makefile.in Normal file

@@ -0,0 +1,322 @@
NMAP_VERSION = 3.81
NMAP_NAME= nmap
NMAP_URL= http://www.insecure.org/nmap/
NMAP_PLATFORM=@host@
prefix = @prefix@
exec_prefix = @exec_prefix@
bindir = @bindir@
sbindir = @sbindir@
mandir = @mandir@
srcdir = @srcdir@
nmapdatadir = @datadir@/nmap
deskdir = $(prefix)/share/applications
NBASEDIR=@NBASEDIR@
NSOCKDIR=@NSOCKDIR@
CC = @CC@
CXX = @CXX@
CCOPT =
LIBPCAPDIR = @libpcapdir@
LIBPCREDIR = @LIBPCREDIR@
INCLS = -I$(LIBPCAPDIR)
DEFS = @DEFS@ -DNMAP_VERSION=\"$(NMAP_VERSION)\" -DNMAP_NAME=\"$(NMAP_NAME)\" -DNMAP_URL=\"$(NMAP_URL)\" -DNMAP_PLATFORM=\"$(NMAP_PLATFORM)\" -DNMAPDATADIR=\"$(nmapdatadir)\"
# For mtrace debugging -- see MTRACE define in main.cc for instructions
# Should only be enabled during debugging and not in any real release.
# DEFS += -DMTRACE=1
CXXFLAGS = @CXXFLAGS@ $(CCOPT) $(DEFS) $(INCLS)
CPPFLAGS = @CPPFLAGS@
# CFLAGS = $(CXXFLAGS)
# CFLAGS = $(DEFS) $(INCLS)
STATIC =
LDFLAGS = @LDFLAGS@ $(STATIC)
LIBS = @LIBNBASE_LIBS@ @LIBNSOCK_LIBS@ @LIBPCRE_LIBS@ @LIBPCAP_LIBS@ @OPENSSL_LIBS@ @LIBS@
# LIBS = -lefence @LIBS@
# LIBS = -lrmalloc @LIBS@
SHTOOL = ./shtool
INSTALL = $(SHTOOL) install
MAKEDEPEND = @MAKEDEPEND@
RPMTDIR=$(HOME)/rpmdir
# DESTDIR is used by some package maintainers to install Nmap under
# its usual directory structure into a different tree. See the
# CHANGELOG for more info.
DESTDIR =
TARGET = nmap
TARGETNMAPFE=@TARGETNMAPFE@
INSTALLNMAPFE=@INSTALLNMAPFE@
SRCS = main.cc nmap.cc targets.cc tcpip.cc nmap_error.cc utils.cc idle_scan.cc osscan.cc output.cc scan_engine.cc timing.cc charpool.cc services.cc protocols.cc nmap_rpc.cc portlist.cc NmapOps.cc TargetGroup.cc Target.cc FingerPrintResults.cc service_scan.cc NmapOutputTable.cc MACLookup.cc @COMPAT_SRCS@
OBJS = main.o nmap.o targets.o tcpip.o nmap_error.o utils.o idle_scan.o osscan.o output.o scan_engine.o timing.o charpool.o services.o protocols.o nmap_rpc.o portlist.o NmapOps.o TargetGroup.o Target.o FingerPrintResults.o service_scan.o NmapOutputTable.o MACLookup.o @COMPAT_OBJS@
DEPS = nmap.h nmap_amigaos.h nmap_error.h targets.h idle_scan.h osscan.h output.h scan_engine.h timing.h tcpip.h utils.h global_structures.h charpool.h services.h protocols.h nmap_rpc.h portlist.h NmapOps.h TargetGroup.h Target.h FingerPrintResults.h service_scan.h NmapOutputTable.h MACLookup.h
DATAFILES = nmap-os-fingerprints nmap-service-probes nmap-services nmap-rpc nmap-protocols nmap-mac-prefixes
# %.o : %.cc -- nope this is a GNU extension
.cc.o:
$(CXX) -c $(CPPFLAGS) $(CXXFLAGS) $< -o $@
all: $(TARGET) $(TARGETNMAPFE)
$(TARGET): $(DEPS) @PCAP_DEPENDS@ @PCRE_DEPENDS@ $(NBASEDIR)/libnbase.a $(NSOCKDIR)/src/libnsock.a $(OBJS)
@echo Compiling nmap
rm -f $@
$(CXX) $(LDFLAGS) -o $@ $(OBJS) $(LIBS)
# This empty rule is used to force execution of certain rules where I can't conveniently specify
# all of the prerequisites (e.g. recursive makes and such)
FORCE:
$(LIBPCREDIR)/libpcre.a: $(LIBPCREDIR)/Makefile FORCE
@echo Compiling libpcre; cd $(LIBPCREDIR) && $(MAKE)
$(LIBPCAPDIR)/libpcap.a: $(LIBPCAPDIR)/Makefile FORCE
@echo Compiling libpcap; cd $(LIBPCAPDIR) && $(MAKE)
$(NBASEDIR)/libnbase.a: $(NBASEDIR)/Makefile FORCE
@echo Compiling libnbase;
cd $(NBASEDIR) && $(MAKE)
$(NSOCKDIR)/src/libnsock.a: $(NSOCKDIR)/src/Makefile FORCE
@echo Compiling libnsock;
cd $(NSOCKDIR)/src && $(MAKE)
#$(LIBPCAPDIR)/Makefile:
# @echo Configuring libpcap; cd $(LIBPCAPDIR); ./configure
nmapfe/nmapfe:
# @echo "FAILURES HERE ARE OK -- THEY JUST MEAN YOU CANNOT USE nmapfe"
# -rm -f nmapfe/Makefile
# -cd nmapfe; ./configure;
@if test -f nmapfe/Makefile; then echo "Building NmapFE graphical frontend"; cd nmapfe && $(MAKE) VERSION=$(NMAP_VERSION) STATIC=$(STATIC); else echo "NmapFE will not be made -- your system lacks the capabilities (perhaps GTK) for this graphical frontend. You can still run command-line nmap!"; fi
# -cd nmapfe; test -f Makefile && $(MAKE) VERSION=$(NMAP_VERSION) STATIC=$(STATIC);
# @echo "END OF SECTION WHERE FAILURES ARE OK"
# This is unsafe on shared systems, should use mktemp
distro:
autoconf
rm -f config.cache
./configure
cd $(LIBPCAPDIR) && ./configure
$(MAKE) clean
$(MAKE)
./nmap -h > /dev/null #Make sure nmap exists
rm -f docs/nmap.usage.txt
./nmap -h > docs/nmap.usage.txt
rm -f docs/nmap_manpage.html
# nodepage option is included in man2html because of bug in that program which causes it to
# drop lines if you let it try to delete page breaks
nroff -man docs/nmap.1 | man2html -nodepage -title 'Nmap network security scanner man page' > docs/nmap_manpage.html
nroff -man docs/nmap_french.1 | man2html -nodepage -title 'Nmap network security scanner man page (French translation)' > docs/nmap_manpage-fr.html
nroff -man docs/nmap_german.1 | man2html -nodepage -title 'Nmap network security scanner man page (German translation)' > docs/nmap_manpage-de.html
nroff -man docs/nmap_italian.1 | man2html -nodepage -title 'Nmap network security scanner man page (Italian translation)' > docs/nmap_manpage-it.html
nroff -man docs/nmap_latvian.1 | man2html -nodepage -title 'Nmap network security scanner man page (Latvian translation)' > docs/nmap_manpage-lv.html
nroff -Tlatin1 -man docs/nmap_lithuanian.1 | man2html -nodepage -title 'Nmap network security scanner man page (Lithuanian translation)' > docs/nmap_manpage-lt.html
nroff -man docs/nmap_russian.1 | man2html -nodepage -title 'Nmap network security scanner man page (Russian translation)' > docs/nmap_manpage-ru.html
# We need a content-type for the Lithuanian version
sr '<HEAD>' '<HEAD><META http-equiv="Content-Type" content="text/html; charset=windows-1257">' docs/nmap_manpage-lt.html
nroff -man docs/nmap_portuguese.1 | man2html -nodepage -title 'Nmap network security scanner man page (Portuguese translation)' > docs/nmap_manpage-pt.html
nroff -man docs/nmap_spanish.1 | man2html -nodepage -title 'Nmap network security scanner man page (Spanish translation)' > docs/nmap_manpage-es.html
rm -rf /usr/tmp/nmap-$(NMAP_VERSION)
mkdir /usr/tmp/nmap-$(NMAP_VERSION)
# Make the RPM .spec file
sed -e s/\@VERSION\@/$(NMAP_VERSION)/g nmap.spec.in > nmap-$(NMAP_VERSION)-1.spec
# Canonicalize and sort Nmap OS fingerprint DB
scripts/sort-prints.pl nmap-os-fingerprints > nos && mv nos nmap-os-fingerprints
$(MAKE) clean
rm -f $(LIBPCAPDIR)/config.cache $(LIBPCAPDIR)/Makefile
unix2dos README-WIN32
cp -ra $(SRCS) $(DEPS) $(DATAFILES) nmapfe.desktop configure.ac \
config.h.in aclocal.m4 nmap_winconfig.h Makefile.in \
configure $(SHTOOL) install-sh config.guess \
nmap-$(NMAP_VERSION)-1.spec config.sub INSTALL README-WIN32 COPYING \
COPYING.OpenSSL CHANGELOG HACKING /usr/tmp/nmap-$(NMAP_VERSION)
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/mswin32
cd mswin32; cp -ra *.[hHcC] *.cc ARPA NET NETINET RPC icon1.ico \
ifaddrlist.h lib libpcap-note.txt nmap.rc \
nmap_performance.reg nmap.sln nmap.vcproj winip pcap-include \
/usr/tmp/nmap-$(NMAP_VERSION)/mswin32
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/$(LIBPCAPDIR)
cd $(LIBPCAPDIR); cp -ra --parents SUNOS4/nit_if.o.sparc \
SUNOS4/nit_if.o.sun3 SUNOS4/nit_if.o.sun4c.4.0.3c CHANGES \
CREDITS FILES INSTALL.txt LICENSE Makefile.in \
NMAP_MODIFICATIONS README README.aix README.linux \
README.tru64 TODO VERSION acconfig.h aclocal.m4 \
arcnet.h bpf_dump.c bpf_image.c config.guess config.h.in \
config.sub configure configure.ac etherent.c ethertype.h gencode.c \
gencode.h grammar.y inet.c install-sh llc.h mkdep nametoaddr.c \
nlpid.h optimize.c pcap-bpf.c pcap-dlpi.c pcap-enet.c pcap-int.h \
pcap-linux.c pcap-namedb.h pcap-nit.c pcap-nit.h pcap-null.c \
pcap-pf.c pcap-pf.h pcap-snit.c pcap-snoop.c pcap.3 pcap.c pcap.h \
ppp.h savefile.c scanner.c scanner.l sll.h tokdefs.h \
bpf/net/bpf_filter.c bpf/net/bpf.h lbl/os-aix4.h lbl/os-osf4.h \
lbl/os-solaris2.h lbl/os-sunos4.h lbl/os-ultrix4.h lbl/os-hpux11.h \
lbl/os-osf5.h atmuni31.h config.h fad-getad.c fad-gifc.c \
fad-glifc.c fad-null.c fad-win32.c pcap-bpf.h pcap-dag.c \
pcap-dag.h version.h grammar.c pcap-stdinc.h pcap-win32.c pf.h \
rawss7.h README.dag README.hpux README.Win32 snprintf.c \
sunatmpos.h Win32/Include/addrinfo.h Win32/Include/Gnuc.h \
Win32/Include/arpa/nameser.h Win32/Include/net/if.h \
Win32/Include/net/netdb.h Win32/Include/net/paths.h \
Win32/Include/bittypes.h Win32/Include/cdecl_ext.h \
Win32/Include/inetprivate.h Win32/Include/ip6_misc.h \
Win32/Include/sockstorage.h Win32/Prj/libpcap.dsp \
Win32/Prj/libpcap.dsw Win32/Src/getnetbynm.c Win32/Src/ffs.c \
Win32/Src/getaddrinfo.c Win32/Src/getnetent.c Win32/Src/getopt.c \
Win32/Src/getservent.c Win32/Src/inet_aton.c Win32/Src/inet_net.c \
Win32/Src/inet_pton.c /usr/tmp/nmap-$(NMAP_VERSION)/$(LIBPCAPDIR)
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/docs
cd docs; cp -ra README \
nmap-fingerprinting-article.txt \
nmap.deprecated.txt nmap.usage.txt nmap_doc.html \
nmap_manpage-de.html nmap_manpage-es.html \
nmap_manpage-fr.html nmap_manpage-it.html \
nmap_manpage-lt.html nmap_manpage-pt.html \
nmap_manpage-ru.html nmap_manpage.html \
nmap.1 nmapfe.1 nmap_french.1 nmap_german.1 \
nmap_italian.1 nmap_lithuanian.1 nmap_portuguese.1 \
nmap_spanish.1 nmap_russian.1 xnmap.1 nmap.dtd nmap.xsl \
/usr/tmp/nmap-$(NMAP_VERSION)/docs
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/nmapfe
cd nmapfe; cp -ra Makefile.in aclocal.m4 configure configure.ac \
nmapfe.c nmapfe.h nmapfe_sig.c nmapfe_sig.h \
nmapfe_error.c nmapfe_error.h NmapFE.dsp nmapfe.dsw \
/usr/tmp/nmap-$(NMAP_VERSION)/nmapfe
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/nbase
cd $(NBASEDIR); cp -ra Makefile.in aclocal.m4 configlocal.m4 \
nbase.vcproj configure configure.ac nbase_config.h.in \
*.c *.h CHANGELOG /usr/tmp/nmap-$(NMAP_VERSION)/nbase
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/libpcre
cd libpcre; cp -ra AUTHORS chartables.c config.guess config.in \
config.sub configure configure.ac COPYING dftables.c \
get.c INSTALL install-sh internal.h libpcre.vcproj \
LICENCE ltmain.sh Makefile.in maketables.c makevp.bat \
mkinstalldirs NEWS NMAP_MODIFICATIONS NON-UNIX-USE \
pcre.c pcre-config.in pcre.def pcre.h pcre.in \
pcre_win.h pcre_winconfig.h pcreposix.c pcreposix.h \
perltest printint.c README study.c \
/usr/tmp/nmap-$(NMAP_VERSION)/libpcre
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/nsock
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/nsock/include
$(SHTOOL) mkdir /usr/tmp/nmap-$(NMAP_VERSION)/nsock/src
cp nsock/nsock.vcproj /usr/tmp/nmap-$(NMAP_VERSION)/nsock/
cd nsock/include; cp -ra nsock.h /usr/tmp/nmap-$(NMAP_VERSION)/nsock/include/
cd nsock/src; cp -ra aclocal.m4 config.guess config.sub \
configure configure.ac error.c error.h \
filespace.c filespace.h gh_list.c gh_list.h \
install-sh Makefile.in netutils.c netutils.h \
nsock_config.h.in nsock_connect.c nsock_core.c \
nsock_event.c nsock_internal.h nsock_iod.c \
nsock_pool.c nsock_read.c nsock_ssl.h \
nsock_ssl.c nsock_timers.c \
nsock_write.c nsock_utils.c nsock_utils.h \
/usr/tmp/nmap-$(NMAP_VERSION)/nsock/src/
rm -f /usr/tmp/nmap-$(NMAP_VERSION)/nbase/nbase_config.h
# Kill the CVS crap
find /usr/tmp/nmap-$(NMAP_VERSION) -type d -name CVS | xargs rm -rf
find /usr/tmp/nmap-$(NMAP_VERSION) -exec chmod go=u-w '{}' \;
cd /usr/tmp; tar cjf nmap-$(NMAP_VERSION).tar.bz2 nmap-$(NMAP_VERSION)
cd /usr/tmp; tar czf nmap-$(NMAP_VERSION).tgz nmap-$(NMAP_VERSION)
# Make the actual RPM
# Note -- on newer systems rpmbuild -ta is needed instead.
# rpm -ta /usr/tmp/nmap-$(NMAP_VERSION).tgz
# cp -f $(RPMTDIR)/RPMS/i386/nmap-$(NMAP_VERSION)-1.i386.rpm /usr/tmp
# cp -f $(RPMTDIR)/RPMS/i386/nmap-frontend-$(NMAP_VERSION)-1.i386.rpm /usr/tmp
# cp -f $(RPMTDIR)/SRPMS/nmap-$(NMAP_VERSION)-1.src.rpm /usr/tmp
rm -rf /usr/tmp/nmap-$(NMAP_VERSION)
# Update the web site
web:
cd scripts && $(MAKE) web
clean: @PCAP_CLEAN@ @PCRE_CLEAN@ nmapfe_clean nsock_clean nbase_clean my_clean
my_clean:
rm -f $(OBJS) $(TARGET) config.cache
pcap_clean:
-cd $(LIBPCAPDIR) && $(MAKE) clean
pcre_clean:
-cd $(LIBPCREDIR) && $(MAKE) clean
nmapfe_clean:
-cd nmapfe && $(MAKE) clean
nbase_clean:
-cd $(NBASEDIR) && $(MAKE) clean
nsock_clean:
-cd $(NSOCKDIR)/src && $(MAKE) clean
pcap_dist_clean:
-cd $(LIBPCAPDIR) && $(MAKE) distclean
pcre_dist_clean:
-cd $(LIBPCREDIR) && $(MAKE) distclean
distclean: my_clean my_distclean @PCAP_DIST_CLEAN@ @PCRE_DIST_CLEAN@
my_distclean:
rm -f Makefile Makefile.bak config.h stamp-h stamp-h.in \
config.cache config.log config.status
depend:
$(MAKEDEPEND) $(INCLS) -s "# DO NOT DELETE" -- $(DEFS) -- $(SRCS)
install-nmap: $(TARGET)
$(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(nmapdatadir)
$(INSTALL) -c -m 755 nmap -s $(DESTDIR)$(bindir)/nmap
$(INSTALL) -c -m 644 docs/$(TARGET).1 $(DESTDIR)$(mandir)/man1/$(TARGET).1
$(INSTALL) -c -m 644 docs/nmap.xsl $(DESTDIR)$(nmapdatadir)/
$(INSTALL) -c -m 644 docs/nmap.dtd $(DESTDIR)$(nmapdatadir)/
$(INSTALL) -c -m 644 nmap-services $(DESTDIR)$(nmapdatadir)/
$(INSTALL) -c -m 644 nmap-rpc $(DESTDIR)$(nmapdatadir)/
$(INSTALL) -c -m 644 nmap-os-fingerprints $(DESTDIR)$(nmapdatadir)/
$(INSTALL) -c -m 644 nmap-service-probes $(DESTDIR)$(nmapdatadir)/
$(INSTALL) -c -m 644 nmap-protocols $(DESTDIR)$(nmapdatadir)/
$(INSTALL) -c -m 644 nmap-mac-prefixes $(DESTDIR)$(nmapdatadir)/
install-nmapfe: $(TARGETNMAPFE)
$(SHTOOL) mkdir -f -p -m 755 $(DESTDIR)$(bindir) $(DESTDIR)$(mandir)/man1 $(DESTDIR)$(nmapdatadir) $(DESTDIR)$(deskdir)
@echo "If the next command fails -- you cannot use the X front end"
-test -f nmapfe/nmapfe && $(INSTALL) -c -m 755 -s nmapfe/nmapfe $(DESTDIR)$(bindir)/nmapfe && rm -f $(DESTDIR)$(bindir)/xnmap && $(SHTOOL) mkln -f -s $(DESTDIR)$(bindir)/nmapfe $(DESTDIR)$(bindir)/xnmap && $(INSTALL) -c -m 644 nmapfe.desktop $(DESTDIR)$(deskdir)/nmapfe.desktop && $(INSTALL) -c -m 644 docs/nmapfe.1 $(DESTDIR)$(mandir)/man1/nmapfe.1 && $(INSTALL) -c -m 644 docs/xnmap.1 $(DESTDIR)$(mandir)/man1/xnmap.1
install: install-nmap $(INSTALLNMAPFE)
uninstall:
rm -f $(bindir)/$(TARGET) $(bindir)/nmapfe $(bindir)/xnmap
rm -f $(deskdir)/nmapfe.desktop $(mandir)/man1/nmapfe.1
rm -f $(mandir)/man1/xnmap.1 $(mandir)/man1/nmap.1
rm -rf $(nmapdatadir)
${srcdir}/configure: configure.ac
cd ${srcdir} && autoconf
# autoheader might not change config.h.in, so touch a stamp file.
${srcdir}/config.h.in: stamp-h.in
${srcdir}/stamp-h.in: configure.ac acconfig.h \
config.h.top config.h.bot
cd ${srcdir} && autoheader
echo timestamp > ${srcdir}/stamp-h.in
config.h: stamp-h
stamp-h: config.h.in config.status
./config.status
Makefile: Makefile.in config.status
./config.status
config.status: configure
./config.status --recheck
# DO NOT DELETE -- Needed by makedepend
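Review bot: The `distro` target stages the release under the fixed path `/usr/tmp/nmap-$(NMAP_VERSION)` and writes both tarballs to predictable names in the same world-writable directory, which the comment above the target already flags as unsafe on shared systems. Because the release archives are assembled there, another local account on the build host could interfere with the staging tree or the output files before they are published. Staging inside the build tree avoids this without GNU make extensions: define `DISTSTAGE = $(srcdir)/dist-stage` and use `$(DISTSTAGE)/nmap-$(NMAP_VERSION)` wherever the recipe names `/usr/tmp/nmap-$(NMAP_VERSION)`. Separately, `uninstall` ignores `$(DESTDIR)` although `install-nmap` honours it, so `rm -rf $(nmapdatadir)` acts on the live prefix even during a staged package build; writing `rm -rf $(DESTDIR)$(nmapdatadir)` (and the same prefix on the other `rm -f` paths) would make the two targets agree.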

470
NmapOps.cc Normal file

@@ -0,0 +1,470 @@
/***************************************************************************
* NmapOps.cc -- The NmapOps class contains global options, mostly based *
* on user-provided command-line settings. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#include "nmap.h"
#include "nbase.h"
#include "NmapOps.h"
NmapOps o;
NmapOps::NmapOps() {
datadir = NULL;
xsl_stylesheet = NULL;
Initialize();
}
NmapOps::~NmapOps() {
if (datadir) free(datadir);
if (xsl_stylesheet) free(xsl_stylesheet);
}
void NmapOps::ReInit() {
Initialize();
}
// no setpf() because it is based on setaf() values
int NmapOps::pf() {
return (af() == AF_INET)? PF_INET : PF_INET6;
}
int NmapOps::SourceSockAddr(struct sockaddr_storage *ss, size_t *ss_len) {
if (sourcesocklen <= 0)
return 1;
assert(sourcesocklen <= sizeof(*ss));
if (ss)
memcpy(ss, &sourcesock, sourcesocklen);
if (ss_len)
*ss_len = sourcesocklen;
return 0;
}
/* Note that it is OK to pass in a sockaddr_in or sockaddr_in6 casted
to sockaddr_storage */
void NmapOps::setSourceSockAddr(struct sockaddr_storage *ss, size_t ss_len) {
assert(ss_len > 0 && ss_len <= sizeof(*ss));
memcpy(&sourcesock, ss, ss_len);
sourcesocklen = ss_len;
}
struct in_addr NmapOps::v4source() {
const struct in_addr *addy = v4sourceip();
struct in_addr in;
if (addy) return *addy;
in.s_addr = 0;
return in;
}
const struct in_addr *NmapOps::v4sourceip() {
struct sockaddr_in *sin = (struct sockaddr_in *) &sourcesock;
if (sin->sin_family == AF_INET) {
return &(sin->sin_addr);
}
return NULL;
}
// Number of milliseconds since getStartTime(). The current time is an
// optional argument to avoid an extre gettimeofday() call.
int NmapOps::TimeSinceStartMS(struct timeval *now) {
struct timeval tv;
if (!now)
gettimeofday(&tv, NULL);
else tv = *now;
return TIMEVAL_MSEC_SUBTRACT(tv, start_time);
}
void NmapOps::Initialize() {
char tmpxsl[MAXPATHLEN];
setaf(AF_INET);
#ifndef WIN32
# ifdef __amigaos__
isr00t = 1;
# else
isr00t = !(geteuid());
# endif // __amigaos__
#else
isr00t = 1;
winip_init(); /* wrapper for all win32 initialization */
#endif
debugging = DEBUGGING;
verbose = DEBUGGING;
randomize_hosts = 0;
spoofsource = 0;
device[0] = '\0';
interactivemode = 0;
ping_group_sz = PING_GROUP_SZ;
generate_random_ips = 0;
reference_FPs = NULL;
magic_port = 33000 + (get_random_uint() % 31000);
magic_port_set = 0;
num_ping_synprobes = num_ping_ackprobes = num_ping_udpprobes = 0;
timing_level = 3;
max_parallelism = 0;
min_parallelism = 0;
max_rtt_timeout = MAX_RTT_TIMEOUT;
min_rtt_timeout = MIN_RTT_TIMEOUT;
initial_rtt_timeout = INITIAL_RTT_TIMEOUT;
min_host_group_sz = 1;
max_host_group_sz = 100000; // don't want to be restrictive unles user sets
max_tcp_scan_delay = MAX_TCP_SCAN_DELAY;
max_udp_scan_delay = MAX_UDP_SCAN_DELAY;
max_ips_to_scan = 0;
extra_payload_length = 0;
extra_payload = NULL;
scan_delay = 0;
scanflags = -1;
resume_ip.s_addr = 0;
osscan_limit = 0;
osscan_guess = 0;
numdecoys = 0;
decoyturn = -1;
osscan = 0;
servicescan = 0;
pingtype = PINGTYPE_UNKNOWN;
listscan = pingscan = allowall = ackscan = bouncescan = connectscan = 0;
rpcscan = nullscan = xmasscan = fragscan = synscan = windowscan = 0;
maimonscan = idlescan = finscan = udpscan = ipprotscan = noresolve = 0;
force = append_output = 0;
memset(logfd, 0, sizeof(FILE *) * LOG_TYPES);
ttl = -1;
nmap_stdout = stdout;
gettimeofday(&start_time, NULL);
pTrace = vTrace = false;
if (datadir) free(datadir);
datadir = NULL;
#if WIN32
Strncpy(tmpxsl, "nmap.xsl", sizeof(tmpxsl));
#else
snprintf(tmpxsl, sizeof(tmpxsl), "%s/nmap.xsl", NMAPDATADIR);
#endif
if (xsl_stylesheet) free(xsl_stylesheet);
xsl_stylesheet = strdup(tmpxsl);
}
bool NmapOps::TCPScan() {
return ackscan|bouncescan|connectscan|finscan|idlescan|maimonscan|nullscan|synscan|windowscan|xmasscan;
}
bool NmapOps::UDPScan() {
return udpscan;
}
/* this function does not currently cover cases such as TCP SYN ping
scan which can go either way based on whether the user is root or
IPv6 is being used. It will return false in those cases where a
RawScan is not neccessarily used. */
bool NmapOps::RawScan() {
if (ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|osscan|synscan|udpscan|windowscan|xmasscan)
return true;
if (o.pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS|PINGTYPE_TCP_USE_ACK|PINGTYPE_RAWTCP|PINGTYPE_UDP))
return true;
return false;
}
void NmapOps::ValidateOptions() {
if (pingtype == PINGTYPE_UNKNOWN) {
if (isr00t && af() == AF_INET) pingtype = PINGTYPE_TCP|PINGTYPE_TCP_USE_ACK|PINGTYPE_ICMP_PING;
else pingtype = PINGTYPE_TCP; // if nonr00t or IPv6
num_ping_ackprobes = 1;
ping_ackprobes[0] = DEFAULT_TCP_PROBE_PORT;
}
/* Insure that at least one scantype is selected */
if (TCPScan() + UDPScan() + ipprotscan + listscan + pingscan == 0) {
if (isr00t && af() == AF_INET)
synscan++;
else connectscan++;
// if (verbose) error("No tcp, udp, or ICMP scantype specified, assuming %s scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).", synscan? "SYN Stealth" : "vanilla tcp connect()");
}
if (pingtype != PINGTYPE_NONE && spoofsource) {
error("WARNING: If -S is being used to fake your source address, you may also have to use -e <iface> and -P0 . If you are using it to specify your real source address, you can ignore this warning.");
}
if (pingtype != PINGTYPE_NONE && idlescan) {
error("WARNING: Many people use -P0 w/Idlescan to prevent pings from their true IP. On the other hand, timing info Nmap gains from pings can allow for faster, more reliable scans.");
sleep(2); /* Give ppl a chance for ^C :) */
}
if (numdecoys > 1 && idlescan) {
error("WARNING: Your decoys won't be used in the Idlescan portion of your scanning (although all packets sent to the target are spoofed anyway");
}
if (connectscan && spoofsource) {
error("WARNING: -S will only affect the source address used in a connect() scan if you specify one of your own addresses. Use -sS or another raw scan if you want to completely spoof your source address, but then you need to know what you're doing to obtain meaningful results.");
}
if ((pingtype & PINGTYPE_UDP) && (!o.isr00t || o.af() != AF_INET)) {
fatal("Sorry, UDP Ping (-PU) only works if you are root (because we need to read raw responses off the wire) and only for IPv4 (cause fyodor is too lazy right now to add IPv6 support and nobody has sent a patch)");
}
if ((pingtype & PINGTYPE_TCP) && (!o.isr00t || o.af() != AF_INET)) {
/* We will have to do a connect() style ping */
if (num_ping_synprobes && num_ping_ackprobes) {
fatal("Cannot use both SYN and ACK ping probes if you are nonroot or using IPv6");
}
if (num_ping_ackprobes > 0) {
memcpy(ping_synprobes, ping_ackprobes, num_ping_ackprobes * sizeof(*ping_synprobes));
num_ping_synprobes = num_ping_ackprobes;
num_ping_ackprobes = 0;
}
}
if (ipprotscan + (TCPScan() || UDPScan()) + listscan + pingscan > 1) {
fatal("Sorry, the IPProtoscan, Listscan, and Pingscan (-sO, -sL, -sP) must currently be used alone rather than combined with other scan types.");
}
if ((pingscan && pingtype == PINGTYPE_NONE)) {
fatal("-P0 (skip ping) is incompatable with -sP (ping scan). If you only want to enumerate hosts, try list scan (-sL)");
}
if (pingscan && (TCPScan() || UDPScan() || ipprotscan || listscan)) {
fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
}
/* We start with stuff users should not do if they are not root */
if (!isr00t) {
#ifndef WIN32 /* Win32 has perfectly fine ICMP socket support */
if (pingtype & (PINGTYPE_ICMP_PING|PINGTYPE_ICMP_MASK|PINGTYPE_ICMP_TS)) {
error("Warning: You are not root -- using TCP pingscan rather than ICMP");
pingtype = PINGTYPE_TCP;
if (num_ping_synprobes == 0)
{
num_ping_synprobes = 1;
ping_synprobes[0] = DEFAULT_TCP_PROBE_PORT;
}
}
#endif
if (ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|synscan|udpscan|windowscan|xmasscan) {
#ifndef WIN32
fatal("You requested a scan type which requires r00t privileges, and you do not have them.\n");
#else
winip_barf(0);
#endif
}
if (numdecoys > 0) {
#ifndef WIN32
fatal("Sorry, but you've got to be r00t to use decoys, boy!");
#else
winip_barf(0);
#endif
}
if (fragscan) {
#ifndef WIN32
fatal("Sorry, but fragscan requires r00t privileges\n");
#else
winip_barf(0);
#endif
}
if (osscan) {
#ifndef WIN32
fatal("TCP/IP fingerprinting (for OS scan) requires root privileges which you do not appear to possess. Sorry, dude.\n");
#else
winip_barf(0);
#endif
}
}
if (numdecoys > 0 && rpcscan) {
error("WARNING: RPC scan currently does not make use of decoys so don't count on that protection");
}
if (bouncescan && pingtype != PINGTYPE_NONE)
log_write(LOG_STDOUT, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan\n");
if (ackscan+bouncescan+connectscan+finscan+idlescan+maimonscan+nullscan+synscan+windowscan+xmasscan > 1)
fatal("You specified more than one type of TCP scan. Please choose only one of -sA, -b, -sT, -sF, -sI, -sM, -sN, -sS, -sW, and -sX");
if (numdecoys > 0 && (bouncescan || connectscan)) {
error("WARNING: Decoys are irrelevant to the bounce or connect scans");
}
if (fragscan && !(ackscan|finscan|maimonscan|nullscan|synscan|windowscan|xmasscan) && \
!(pingtype&(PINGTYPE_ICMP_TS|PINGTYPE_TCP)) && !(fragscan == 8 && pingtype&PINGTYPE_ICMP_MASK) && \
!(extra_payload_length + 8 > fragscan)) {
fatal("Fragscan only works with TCP, ICMP Timestamp or ICMP Mask (mtu=8) ping types or ACK, FIN, Maimon, NULL, SYN, Window, and XMAS scan types");
}
if (osscan && bouncescan)
error("Combining bounce scan with OS scan seems silly, but I will let you do whatever you want!");
#if !defined(LINUX) && !defined(OPENBSD) && !defined(FREEBSD) && !defined(NETBSD)
if (fragscan) {
fprintf(stderr, "Warning: Packet fragmentation selected on a host other than Linux, OpenBSD, FreeBSD, or NetBSD. This may or may not work.\n");
}
#endif
if (osscan && pingscan) {
fatal("WARNING: OS Scan is unreliable with a ping scan. You need to use a scan type along with it, such as -sS, -sT, -sF, etc instead of -sP");
}
if (resume_ip.s_addr && generate_random_ips)
resume_ip.s_addr = 0;
if (magic_port_set && connectscan) {
error("WARNING: -g is incompatible with the default connect() scan (-sT). Use a raw scan such as -sS if you want to set the source port.");
}
if (max_parallelism && min_parallelism && (min_parallelism > max_parallelism)) {
fatal("--min_parallelism must be less than or equal to --max_parallelism");
}
if (af() == AF_INET6 && (numdecoys|osscan|bouncescan|fragscan|ackscan|finscan|idlescan|ipprotscan|maimonscan|nullscan|rpcscan|synscan|udpscan|windowscan|xmasscan)) {
fatal("Sorry -- IPv6 support is currently only available for connect() scan (-sT), ping scan (-sP), and list scan (-sL). Further support is under consideration.");
}
}
void NmapOps::setMaxRttTimeout(int rtt)
{
if (rtt <= 0) fatal("NmapOps::setMaxRttTimeout(): maximum round trip time must be greater than 0");
max_rtt_timeout = rtt;
if (rtt < min_rtt_timeout) min_rtt_timeout = rtt;
if (rtt < initial_rtt_timeout) initial_rtt_timeout = rtt;
}
void NmapOps::setMinRttTimeout(int rtt)
{
if (rtt < 0) fatal("NmapOps::setMaxRttTimeout(): minimum round trip time must be at least 0");
min_rtt_timeout = rtt;
if (rtt > max_rtt_timeout) max_rtt_timeout = rtt;
if (rtt > initial_rtt_timeout) initial_rtt_timeout = rtt;
}
void NmapOps::setInitialRttTimeout(int rtt)
{
if (rtt <= 0) fatal("NmapOps::setMaxRttTimeout(): initial round trip time must be greater than 0");
initial_rtt_timeout = rtt;
if (rtt > max_rtt_timeout) max_rtt_timeout = rtt;
if (rtt < min_rtt_timeout) min_rtt_timeout = rtt;
}
void NmapOps::setMinHostGroupSz(unsigned int sz) {
if (sz > max_host_group_sz)
fatal("Minimum host group size may not be set to greater than maximum size (currently %d)\n", max_host_group_sz);
min_host_group_sz = sz;
}
void NmapOps::setMaxHostGroupSz(unsigned int sz) {
if (sz < min_host_group_sz)
fatal("Maximum host group size may not be set to less than the maximum size (currently %d)\n", min_host_group_sz);
if (sz <= 0)
fatal("Max host size must be at least 1");
max_host_group_sz = sz;
}
/* Sets the Name of the XML stylesheet to be printed in XML output.
If this is never called, a default stylesheet distributed with
Nmap is used. If you call it with NULL as the xslname, no
stylesheet line is printed. */
void NmapOps::setXSLStyleSheet(char *xslname) {
if (xsl_stylesheet) free(xsl_stylesheet);
xsl_stylesheet = xslname? strdup(xslname) : NULL;
}

268
NmapOps.h Normal file

@@ -0,0 +1,268 @@
/***************************************************************************
* NmapOps.h -- The NmapOps class contains global options, mostly based on *
* user-provided command-line settings. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
class NmapOps {
public:
NmapOps();
~NmapOps();
void ReInit(); // Reinitialize the class to default state
void setaf(int af) { addressfamily = af; }
int af() { return addressfamily; }
// no setpf() because it is based on setaf() values
int pf();
/* Returns 0 for success, nonzero if no source has been set or any other
failure */
int SourceSockAddr(struct sockaddr_storage *ss, size_t *ss_len);
/* Note that it is OK to pass in a sockaddr_in or sockaddr_in6 casted
to sockaddr_storage */
void setSourceSockAddr(struct sockaddr_storage *ss, size_t ss_len);
// The time this obj. was instantiated or last ReInit()ed.
const struct timeval *getStartTime() { return &start_time; }
// Number of milliseconds since getStartTime(). The current time is an
// optional argument to avoid an extre gettimeofday() call.
int TimeSinceStartMS(struct timeval *now=NULL);
struct in_addr v4source();
const struct in_addr *v4sourceip();
bool TCPScan(); /* Returns true if at least one chosen scan type is TCP */
bool UDPScan(); /* Returns true if at least one chosen scan type is UDP */
/* Returns true if at least one chosen scan type uses raw packets.
It does not currently cover cases such as TCP SYN ping scan which
can go either way based on whether the user is root or IPv6 is
being used. It will return false in those cases where a RawScan
is not neccessarily used. */
bool RawScan();
void ValidateOptions(); /* Checks that the options given are
reasonable and consistant. If they aren't, the
function may bail out of Nmap or make small
adjustments (quietly or with a warning to the
user). */
int isr00t;
int debugging;
bool packetTrace() { return (debugging >= 3)? true : pTrace; }
bool versionTrace() { return packetTrace()? true : vTrace; }
// Note that packetTrace may turn on at high debug levels even if
// setPacketTrace(false) has been called
void setPacketTrace(bool pt) { pTrace = pt; }
void setVersionTrace(bool vt) { vTrace = vt; }
int verbose;
int randomize_hosts;
int spoofsource; /* -S used */
char device[64];
int interactivemode;
int ping_group_sz;
int generate_random_ips; /* -iR option */
FingerPrint **reference_FPs;
u16 magic_port;
unsigned short magic_port_set; /* Was this set by user? */
int num_ping_synprobes;
/* The "synprobes" are also used when doing a connect() ping */
u16 ping_synprobes[MAX_PROBE_PORTS];
int num_ping_ackprobes;
u16 ping_ackprobes[MAX_PROBE_PORTS];
int num_ping_udpprobes;
u16 ping_udpprobes[MAX_PROBE_PORTS];
/* Scan timing/politeness issues */
int timing_level; // 0-5, corresponding to Paranoid, Sneaky, Polite, Normal, Aggressive, Insane
int max_parallelism; // 0 means it has not been set
int min_parallelism; // 0 means it has not been set
/* These functions retrieve and set the Round Trip Time timeouts, in
milliseconds. The set versions do extra processing to insure sane
values and to adjust each other to insure consistance (e.g. that
max is always at least as high as min) */
int maxRttTimeout() { return max_rtt_timeout; }
int minRttTimeout() { return min_rtt_timeout; }
int initialRttTimeout() { return initial_rtt_timeout; }
void setMaxRttTimeout(int rtt);
void setMinRttTimeout(int rtt);
void setInitialRttTimeout(int rtt);
/* Similar functions for Host group size */
int minHostGroupSz() { return min_host_group_sz; }
int maxHostGroupSz() { return max_host_group_sz; }
void setMinHostGroupSz(unsigned int sz);
void setMaxHostGroupSz(unsigned int sz);
unsigned int maxTCPScanDelay() { return max_tcp_scan_delay; }
unsigned int maxUDPScanDelay() { return max_udp_scan_delay; }
void setMaxTCPScanDelay(unsigned int delayMS) { max_tcp_scan_delay = delayMS; }
void setMaxUDPScanDelay(unsigned int delayMS) { max_udp_scan_delay = delayMS; }
/* Sets the Name of the XML stylesheet to be printed in XML output.
If this is never called, a default stylesheet distributed with
Nmap is used. If you call it with NULL as the xslname, no
stylesheet line is printed. */
void setXSLStyleSheet(char *xslname);
/* Returns the full path or URL that should be printed in the XML
output xml-stylesheet element. Returns NULL if the whole element
should be skipped */
char *XSLStyleSheet() { return xsl_stylesheet; }
int max_ips_to_scan; // Used for Random input (-iR) to specify how
// many IPs to try before stopping. 0 means unlimited.
int extra_payload_length; /* These two are for --data_length op */
char *extra_payload;
unsigned long host_timeout;
/* Delay between probes, in milliseconds */
unsigned int scan_delay;
int scanflags; /* if not -1, this value should dictate the TCP flags
for the core portscaning routine (eg to change a
FIN scan into a PSH scan. Sort of a hack, but can
be very useful sometimes. */
struct in_addr resume_ip; /* The last IP in the log file if user
requested --restore . Otherwise
restore_ip.s_addr == 0. Also
target_struct_get will eventually set it
to 0. */
struct in_addr decoys[MAX_DECOYS];
int osscan_limit; /* Skip OS Scan if no open or no closed TCP ports */
int osscan_guess; /* Be more aggressive in guessing OS type */
int numdecoys;
int decoyturn;
int osscan;
int servicescan;
int pingtype;
int listscan;
int pingscan;
int allowall;
int fragscan; /* 0 or MTU (without IPv4 header size) */
int ackscan;
int bouncescan;
int connectscan;
int finscan;
int idlescan;
int ipprotscan;
int maimonscan;
int nullscan;
int rpcscan;
int synscan;
int udpscan;
int windowscan;
int xmasscan;
int noresolve;
int force; /* force nmap to continue on even when the outcome seems somewhat certain */
int append_output; /* Append to any output files rather than overwrite */
FILE *logfd[LOG_TYPES];
FILE *nmap_stdout; /* Nmap standard output */
int ttl; // Time to live
char *datadir;
private:
int max_rtt_timeout;
int min_rtt_timeout;
int initial_rtt_timeout;
unsigned int max_tcp_scan_delay;
unsigned int max_udp_scan_delay;
unsigned int min_host_group_sz;
unsigned int max_host_group_sz;
void Initialize();
int addressfamily; /* Address family: AF_INET or AF_INET6 */
struct sockaddr_storage sourcesock;
size_t sourcesocklen;
struct timeval start_time;
bool pTrace; // Whether packet tracing has been enabled
bool vTrace; // Whether version tracing has been enabled
char *xsl_stylesheet;
};
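Review bot: XSLStyleSheet() returns the internal xsl_stylesheet pointer, and setXSLStyleSheet() in NmapOps.cc frees that buffer before storing a fresh strdup() copy, so a caller that keeps the returned pointer across a later set call is left holding freed memory. The comment on the accessor should state the lifetime, for example `/* The returned string is owned by NmapOps and is invalidated by the next setXSLStyleSheet() call; copy it if you need to keep it. */`. Since the setter only copies its argument, declaring it as `void setXSLStyleSheet(const char *xslname);` would also let callers pass string literals without a cast. The header also has no include guard, unlike NmapOutputTable.h in the same commit.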

253
NmapOutputTable.cc Normal file

@@ -0,0 +1,253 @@
/***************************************************************************
* NmapOutputTable.cc -- A relatively simple class for organizing Nmap *
* output into an orderly table for display to the user. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#include "NmapOutputTable.h"
#include "utils.h"
#include <stdlib.h>
NmapOutputTable::NmapOutputTable(int nrows, int ncols) {
numRows = nrows;
numColumns = ncols;
assert(numRows > 0);
assert(numColumns > 0);
table = (struct NmapOutputTableCell *) safe_zalloc(sizeof(struct NmapOutputTableCell) * nrows * ncols);
maxColLen = (int *) safe_zalloc(sizeof(*maxColLen) * ncols);
itemsInRow = (int *) safe_zalloc(sizeof(*itemsInRow) * nrows);
tableout = NULL;
tableoutsz = 0;
}
NmapOutputTable::~NmapOutputTable() {
unsigned int col, row;
struct NmapOutputTableCell *cell;
for(row = 0; row < numRows; row++) {
for(col = 0; col < numColumns; col++) {
cell = getCellAddy(row, col);
if (cell->weAllocated) {
assert(cell->str);
free(cell->str);
}
}
}
free(table);
free(maxColLen);
free(itemsInRow);
if (tableout) free(tableout);
}
void NmapOutputTable::addItem(unsigned int row, unsigned int column, bool copy, char *item,
int itemlen) {
struct NmapOutputTableCell *cell;
assert(row < numRows);
assert(column < numColumns);
if (itemlen < 0)
itemlen = strlen(item);
if (itemlen == 0)
return;
cell = getCellAddy(row, column);
assert(cell->str == NULL); // I'll worry about replacing members if I ever need it
itemsInRow[row]++;
cell->strlength = itemlen;
if (copy) {
cell->str = (char *) safe_malloc(itemlen + 1);
memcpy(cell->str, item, itemlen);
cell->str[itemlen] = '\0';
} else {
cell->str = item;
}
cell->weAllocated = copy;
if (maxColLen[column] < itemlen)
maxColLen[column] = itemlen;
return;
}
// Like addItem except this version takes a prinf-style format string
// followed by varargs
void NmapOutputTable::addItemFormatted(unsigned int row,
unsigned int column,
const char *fmt, ...) {
unsigned int res;
va_list ap;
va_start(ap,fmt);
char buf[4096];
res = vsnprintf(buf, sizeof(buf), fmt, ap);
va_end(ap);
if (res < 0 || res > sizeof(buf))
fatal("NmapOutputTable only supports adding up to 4096 to a cell via addItemFormatString.");
addItem(row, column, true, buf, res);
return;
}
// Returns the maximum size neccessary to create a printableTable() (the
// actual size could be less);
int NmapOutputTable::printableSize() {
int rowlen = 0;
unsigned int i;
for(i = 0; i < numColumns; i++) {
rowlen += maxColLen[i];
}
/* Add the delimeter between each column, and the final newline */
rowlen += numColumns;
return rowlen * numRows;
}
// This function sticks the entire table into a character buffer.
// Note that the buffer is likely to be reused if you call the
// function again, and it will also be invalidated if you free the
// Table. if size is not NULL, it will be filled with the size of
// the ASCII table in bytes (not including the terminating NUL
char *NmapOutputTable::printableTable(int *size) {
unsigned int col, row;
int maxsz = printableSize();
char *p;
int clen = 0;
int i;
struct NmapOutputTableCell *cell;
int validthisrow;
if (maxsz >= tableoutsz) {
tableoutsz = maxsz + 1;
tableout = (char *) safe_realloc(tableout, tableoutsz);
}
p = tableout;
for(row = 0; row < numRows; row++) {
validthisrow = 0;
for(col = 0; col < numColumns; col++) {
cell = getCellAddy(row, col);
clen = maxColLen[col];
if (cell->strlength > 0) {
memcpy(p, cell->str, cell->strlength);
p += cell->strlength;
validthisrow++;
}
// No point leaving trailing spaces ...
if (validthisrow < itemsInRow[row]) {
for(i=cell->strlength; i <= clen; i++) // one extra because of space between columns
*(p++) = ' ';
}
}
*(p++) = '\n';
}
*p = '\0';
if (size) *size = p - tableout;
return tableout;
}
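Review bot: In addItemFormatted() the truncation check `res > sizeof(buf)` accepts the case where vsnprintf() returns exactly sizeof(buf), meaning the output was cut short by one character. addItem() then copies 4096 bytes, including the terminating NUL, into the cell and records that as the cell length, so printableTable() later emits an embedded NUL. Because `res` is declared `unsigned int`, the `res < 0` half of the test can never be true, and a negative return is caught only because it wraps to a large value. Declaring `int res;` and testing `if (res < 0 || (size_t) res >= sizeof(buf))` makes both failure cases explicit.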

174
NmapOutputTable.h Normal file

@@ -0,0 +1,174 @@
/***************************************************************************
* NmapOutputTable.h -- A relatively simple class for organizing Nmap *
* output into an orderly table for display to the user. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#ifndef NMAPOUTPUTTABLE_H
#define NMAPOUTPUTTABLE_H
#include <assert.h>
#ifndef __attribute__
#define __attribute__(args)
#endif
/********************** DEFINES/ENUMS ***********************************/
/********************** STRUCTURES ***********************************/
/********************** CLASSES ***********************************/
struct NmapOutputTableCell {
char *str;
int strlength;
bool weAllocated; // If we allocated str, we must free it.
};
class NmapOutputTable {
public:
// Create a table of the given dimensions
NmapOutputTable(int nrows, int ncols);
~NmapOutputTable();
// Copy specifies whether we must make a copy of item. Otherwise we'll just save the
// ptr (and you better not free it until this table is destroyed ). Skip the itemlen parameter if you
// don't know (and the function will use strlen).
void addItem(unsigned int row, unsigned int column, bool copy, char *item, int itemlen = -1);
// Like addItem except this version takes a prinf-style format string followed by varargs
void addItemFormatted(unsigned int row, unsigned int column, const char *fmt, ...)
__attribute__ ((format (printf, 4, 5)));
// Returns the maximum size neccessary to create a printableTable() (the
// actual size could be less);
int printableSize();
// This function sticks the entire table into a character buffer.
// Note that the buffer is likely to be reused if you call the
// function again, and it will also be invalidated if you free the
// Table. if size is not NULL, it will be filled with the size of
// the ASCII table in bytes (not including the terminating NUL
char *printableTable(int *size);
private:
// The table, squished into 1D. Access a member via getCellAddy
struct NmapOutputTableCell *table;
struct NmapOutputTableCell *getCellAddy(unsigned int row, unsigned int col) {
assert(row < numRows); assert(col < numColumns);
return table + row * numColumns + col;
}
int *maxColLen; // An array that gives the maximum length of any member of each column
// (excluding terminator)
// Array that tells the number of valid (> 0 length) items in each row
int *itemsInRow;
unsigned int numRows;
unsigned int numColumns;
char *tableout; // If printableTable() is called, we returnthis
int tableoutsz; // Amount of space ALLOCATED for tableoutsz. Includes space allocated for NUL.
};
/********************** PROTOTYPES ***********************************/
#endif /* NMAPOUTPUTTABLE_H */

112
README-WIN32 Normal file

@@ -0,0 +1,112 @@
This file details the installation, compilation, and limitations of
the Nmap Security Scanner for the Windows platform. If you find bugs,
you are strongly encouraged to report them to fyodor@insecure.org or
nmap-dev@insecure.org . Patches are very welcome too :).
I would like to thank the following people for doing much of the Win32
porting work:
Andy Lutomirski ( Luto@mailandnews.com )
Ryan Permeh ( ryan@eEye.com ) from eEye Digital Security ( www.eeye.com )
Nmap only exists for Win32 because of their hard work.
*** Known Issues/Bugs ***
o You cannot scan yourself (localhost). This is a Windows/WinPcap
limitation which we haven't yet found a way to workaround.
o RAS connections (eg PPP, SLIP, etc) are not supported except under
Windows 2000/XP. This is a WinPcap limitation on NT and it isn't
supported (yet) on Win98. Ethernet should work fine on all
platforms.
o All interfaces (except localhost) should work under Windows 2000 as
administrator. If you have trouble under Win2K, try the
--win_norawsock switch.
o TCP connect() scan can be agonizingly slow. You may be able to
improve this by applying the registry changes in the included
nmap_performance.reg (in nmap-VERSION/ in the Win binary
distribution, and nmap-VERSION/mswin32 in the source distro).
Apply it by double-clicking on the file, or run the command
"regedt32 nmap_performance.reg". Or you can make the changes by
hand - add the following three registry DWORD values:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"MaxUserPort", with a large value like 65534 (0x0000fffe). See MS KB Q196271.
"TcpTimedWaitDelay" with the minimum value (0x0000001e). [See MS KB 149532]
"StrictTimeWaitSeqCheck" with a value of 1 (so TcpTimedWaitDelay is checked)
o The NmapFE Nmap GUI frontend port is not yet stable enough to
include with the binary distribution.
*** Using the Binary Distribution ***
There are a couple binary distributions of Windows Nmap. One is
Winmap, which is packaged in an install-shield installation wizard and
includes a graphical GUI as well as command-line Nmap. The other
distribution is the command-line zipfile, called
nmap-VERSION-win32.zip . The .zip version is usually much more
up-to-date. Here are the instructions for installing the zip
archive:
1) Make sure you have installed Winpcap Version 3.1-beta4 or later.
That version is critical as Nmap will crash if you have anything
older. This is available at
http://netgroup-serv.polito.it/winpcap/ . Winpcap is optional, but
recommended, under Windows 2000.
2) Unzip the archive using Winzip or your favorite decompression
utility -- a directory call nmap-VERSION will be extracted .
3) Consider applying the Nmap performance regisry changes discussed
above (double click on nmap_performance.reg).
4) Open a command prompt (DOS) window and cd into the new nmap-VERSION
directory. Type "nmap -h" for usage information.
*** Compiling the Nmap Source Distribution for Windows ***
Note that the only compiler I have tested (since converting from
MSVC++ 6) is Microsoft Visual Studio .Net 2003. It may or may not
work with previous (or later) compilers. I'll accept nonintrusive
patches that make it work with your compiler (without breaking
mine).
1) Decompress the archive ( nmap-VERSION.tgz ). This is the same
tarball that is used for UNIX installations.
2) Open Visual Studio and the Nmap Solution
(nmap-VERSION/mswin32/nmap.sln )
3) Build Menu -> Configuration Manager -> set all to Release
4) Build Menu -> Build Solution
5) The executable can be found in
nmap-VERSION/mswin32/Release/nmap.exe . Remember that you must
have Winpcap Version2.1-beta or later installed to run it (see
the Binary Distribution instructions above).
*** Compiling NmapFE Front-end for Windows **
[ Note -- this hasn't been tested lately and may not work. Most
people have been using NmapWin instead ]
1) Install the Windows versions of Glib, GDK, and GTK from
http://www.gimp.org/win32/ . Copy the DLLs somewhere that they can
be found ( if you don't have a better place, try c:\winnt\system32
). Also copy the include and .lib files to places where your
compiler can find them ( add the dir to VC++ via Tools -> Options
-> Directories ).
2) Use steps similar to the "compiling Nmap" list above to compile
NmapFE. The Workspace is in nmap-VERSION/nmapfe/nmapfe.dsw .
*** Final Worlds ***
As mentioned earlier, patches, suggestions, and improvements are more
than welcome! Send them to nmap-dev@insecure.org or to me personally
( fyodor@insecure.org ).
$Id$

357
Target.cc Normal file

@@ -0,0 +1,357 @@
/***************************************************************************
* Target.cc -- The Target class encapsulates much of the information Nmap *
* has about a host. Results (such as ping, OS scan, etc) are stored in *
* this class as they are determined. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#include "Target.h"
#include "osscan.h"
#include "nbase.h"
#include "NmapOps.h"
extern NmapOps o;
Target::Target() {
Initialize();
}
void Target::Initialize() {
hostname = NULL;
memset(&seq, 0, sizeof(seq));
FPR = NULL;
osscan_performed = 0;
wierd_responses = flags = 0;
memset(&to, 0, sizeof(to));
device[0] = '\0';
memset(&targetsock, 0, sizeof(targetsock));
memset(&sourcesock, 0, sizeof(sourcesock));
targetsocklen = sourcesocklen = 0;
targetipstring[0] = '\0';
nameIPBuf = NULL;
memset(&MACaddress, 0, sizeof(MACaddress));
MACaddress_set = false;
htn.msecs_used = 0;
htn.toclock_running = false;
}
void Target::Recycle() {
FreeInternal();
Initialize();
}
Target::~Target() {
FreeInternal();
}
void Target::FreeInternal() {
/* Free the DNS name if we resolved one */
if (hostname)
free(hostname);
if (nameIPBuf) {
free(nameIPBuf);
nameIPBuf = NULL;
}
if (FPR) delete FPR;
}
/* Creates a "presentation" formatted string out of the IPv4/IPv6 address.
Called when the IP changes */
void Target::GenerateIPString() {
struct sockaddr_in *sin = (struct sockaddr_in *) &targetsock;
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) &targetsock;
if (inet_ntop(sin->sin_family, (sin->sin_family == AF_INET)?
(char *) &sin->sin_addr :
#if HAVE_IPV6
(char *) &sin6->sin6_addr,
#else
(char *) NULL,
#endif
targetipstring, sizeof(targetipstring)) == NULL) {
fatal("Failed to convert target address to presentation format!?! Error: %s", strerror(socket_errno()));
}
}
/* Fills a sockaddr_storage with the AF_INET or AF_INET6 address
information of the target. This is a preferred way to get the
address since it is portable for IPv6 hosts. Returns 0 for
success. */
int Target::TargetSockAddr(struct sockaddr_storage *ss, size_t *ss_len) {
assert(ss);
assert(ss_len);
if (targetsocklen <= 0)
return 1;
assert(targetsocklen <= sizeof(*ss));
memcpy(ss, &targetsock, targetsocklen);
*ss_len = targetsocklen;
return 0;
}
/* Note that it is OK to pass in a sockaddr_in or sockaddr_in6 casted
to sockaddr_storage */
void Target::setTargetSockAddr(struct sockaddr_storage *ss, size_t ss_len) {
assert(ss_len > 0 && ss_len <= sizeof(*ss));
if (targetsocklen > 0) {
/* We had an old target sock, so we better blow away the hostname as
this one may be new. */
setHostName(NULL);
}
memcpy(&targetsock, ss, ss_len);
targetsocklen = ss_len;
GenerateIPString();
/* The ports array needs to know a name too */
ports.setIdStr(targetipstr());
}
// Returns IPv4 host address or {0} if unavailable.
struct in_addr Target::v4host() {
const struct in_addr *addy = v4hostip();
struct in_addr in;
if (addy) return *addy;
in.s_addr = 0;
return in;
}
// Returns IPv4 host address or NULL if unavailable.
const struct in_addr *Target::v4hostip() {
struct sockaddr_in *sin = (struct sockaddr_in *) &targetsock;
if (sin->sin_family == AF_INET) {
return &(sin->sin_addr);
}
return NULL;
}
/* The source address used to reach the target */
int Target::SourceSockAddr(struct sockaddr_storage *ss, size_t *ss_len) {
if (sourcesocklen <= 0)
return 1;
assert(sourcesocklen <= sizeof(*ss));
if (ss)
memcpy(ss, &sourcesock, sourcesocklen);
if (ss_len)
*ss_len = sourcesocklen;
return 0;
}
/* Note that it is OK to pass in a sockaddr_in or sockaddr_in6 casted
to sockaddr_storage */
void Target::setSourceSockAddr(struct sockaddr_storage *ss, size_t ss_len) {
assert(ss_len > 0 && ss_len <= sizeof(*ss));
memcpy(&sourcesock, ss, ss_len);
sourcesocklen = ss_len;
}
// Returns IPv4 host address or {0} if unavailable.
struct in_addr Target::v4source() {
const struct in_addr *addy = v4sourceip();
struct in_addr in;
if (addy) return *addy;
in.s_addr = 0;
return in;
}
// Returns IPv4 host address or NULL if unavailable.
const struct in_addr *Target::v4sourceip() {
struct sockaddr_in *sin = (struct sockaddr_in *) &sourcesock;
if (sin->sin_family == AF_INET) {
return &(sin->sin_addr);
}
return NULL;
}
/* You can set to NULL to erase a name or if it failed to resolve -- or
just don't call this if it fails to resolve */
void Target::setHostName(char *name) {
char *p;
if (hostname) {
free(hostname);
hostname = NULL;
}
if (name) {
if (strchr(name, '%')) {
}
p = hostname = strdup(name);
while (*p) {
// I think only a-z A-Z 0-9 . and - are allowed, but I'l be a little more
// generous.
if (!isalnum(*p) && !strchr(".-+=:_~*", *p)) {
log_write(LOG_STDOUT, "Illegal character(s) in hostname -- replacing with '*'\n");
*p = '*';
}
p++;
}
}
}
/* Generates the a printable string consisting of the host's IP
address and hostname (if available). Eg "www.insecure.org
(64.71.184.53)" or "fe80::202:e3ff:fe14:1102". The name is
written into the buffer provided, which is also returned. Results
that do not fit in bufflen will be truncated. */
const char *Target::NameIP(char *buf, size_t buflen) {
assert(buf);
assert(buflen > 8);
if (hostname) {
snprintf(buf, buflen, "%s (%s)", hostname, targetipstring);
} else Strncpy(buf, targetipstring, buflen);
return buf;
}
/* This next version returns a static buffer -- so no concurrency */
const char *Target::NameIP() {
if (!nameIPBuf) nameIPBuf = (char *) safe_malloc(MAXHOSTNAMELEN + INET6_ADDRSTRLEN);
return NameIP(nameIPBuf, MAXHOSTNAMELEN + INET6_ADDRSTRLEN);
}
/* Starts the timeout clock for the host running (e.g. you are
beginning a scan). If you do not have the current time handy,
you can pass in NULL. When done, call stopTimeOutClock (it will
also automatically be stopped of timedOut() returns true) */
void Target::startTimeOutClock(const struct timeval *now) {
assert(htn.toclock_running == false);
htn.toclock_running = true;
if (now) htn.toclock_start = *now;
else gettimeofday(&htn.toclock_start, NULL);
}
/* The complement to startTimeOutClock. */
void Target::stopTimeOutClock(const struct timeval *now) {
struct timeval tv;
assert(htn.toclock_running == true);
htn.toclock_running = false;
if (now) tv = *now;
else gettimeofday(&tv, NULL);
htn.msecs_used += TIMEVAL_MSEC_SUBTRACT(tv, htn.toclock_start);
}
/* Returns whether the host is timedout. If the timeoutclock is
running, counts elapsed time for that. Pass NULL if you don't have the
current time handy. You might as well also pass NULL if the
clock is not running, as the func won't need the time. */
bool Target::timedOut(const struct timeval *now) {
unsigned long used = htn.msecs_used;
struct timeval tv;
if (!o.host_timeout) return false;
if (htn.toclock_running) {
if (now) tv = *now;
else gettimeofday(&tv, NULL);
used += TIMEVAL_MSEC_SUBTRACT(tv, htn.toclock_start);
}
return (used > o.host_timeout)? true : false;
}
/* Returns zero if MAC address set successfully */
int Target::setMACAddress(const u8 *addy) {
if (!addy) return 1;
memcpy(MACaddress, addy, 6);
MACaddress_set = 1;
return 0;
}
/* Returns the 6-byte long MAC address, or NULL if none has been set */
const u8 *Target::MACAddress() {
return (MACaddress_set)? MACaddress : NULL;
}
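Review bot: In `Target::setHostName`, `isalnum(*p)` is called on a plain `char`, which is undefined behaviour for bytes above 0x7F where `char` is signed. The name being filtered is presumably a reverse-DNS answer that the scanned side can influence (Target.h describes it as the PTR name), so that input is reachable. Cast before classifying, `if (!isalnum((unsigned char) *p) && !strchr(".-+=:_~*", *p)) {`, and check the `strdup()` result before the `while (*p)` loop, because a failed allocation is dereferenced there. The `if (strchr(name, '%')) { }` block just above is empty and can be dropped, and the warning is written once per replaced character rather than once per name.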

212
Target.h Normal file

@@ -0,0 +1,212 @@
/***************************************************************************
* Target.h -- The Target class encapsulates much of the information Nmap *
* has about a host. Results (such as ping, OS scan, etc) are stored in *
* this class as they are determined. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#ifndef TARGET_H
#define TARGET_H
#include "nmap.h"
#include "FingerPrintResults.h"
struct host_timeout_nfo {
unsigned long msecs_used; /* How many msecs has this Target used? */
bool toclock_running; /* Is the clock running right now? */
struct timeval toclock_start; /* When did the clock start? */
};
class Target {
public: /* For now ... a lot of the data members should be made private */
Target();
~Target();
/* Recycles the object by freeing internal objects and reinitializing
to default state */
void Recycle();
/* Fills a sockaddr_storage with the AF_INET or AF_INET6 address
information of the target. This is a preferred way to get the
address since it is portable for IPv6 hosts. Returns 0 for
success. */
int TargetSockAddr(struct sockaddr_storage *ss, size_t *ss_len);
/* Note that it is OK to pass in a sockaddr_in or sockaddr_in6 casted
to sockaddr_storage */
void setTargetSockAddr(struct sockaddr_storage *ss, size_t ss_len);
// Returns IPv4 target host address or {0} if unavailable.
struct in_addr v4host();
const struct in_addr *v4hostip();
/* The source address used to reach the target */
int SourceSockAddr(struct sockaddr_storage *ss, size_t *ss_len);
/* Note that it is OK to pass in a sockaddr_in or sockaddr_in6 casted
to sockaddr_storage */
void setSourceSockAddr(struct sockaddr_storage *ss, size_t ss_len);
struct in_addr v4source();
const struct in_addr *v4sourceip();
/* The IPv4 or IPv6 literal string for the target host */
const char *targetipstr() { return targetipstring; }
/* Give the name from the last setHostName() call, which should be
the name obtained from reverse-resolution (PTR query) of the IP (v4
or v6). If the name has not been set, or was set to NULL, an empty
string ("") is returned to make printing easier. */
const char *HostName() { return hostname? hostname : ""; }
/* You can set to NULL to erase a name or if it failed to resolve -- or
just don't call this if it fails to resolve. The hostname is blown
away when you setTargetSockAddr(), so make sure you do these in proper
order
*/
void setHostName(char *name);
/* Generates the a printable string consisting of the host's IP
address and hostname (if available). Eg "www.insecure.org
(64.71.184.53)" or "fe80::202:e3ff:fe14:1102". The name is
written into the buffer provided, which is also returned. Results
that do not fit in buflen will be truncated. */
const char *NameIP(char *buf, size_t buflen);
/* This next version returns a STATIC buffer -- so no concurrency */
const char *NameIP();
/* Starts the timeout clock for the host running (e.g. you are
beginning a scan). If you do not have the current time handy,
you can pass in NULL. When done, call stopTimeOutClock (it will
also automatically be stopped of timedOut() returns true) */
void startTimeOutClock(const struct timeval *now);
/* The complement to startTimeOutClock. */
void stopTimeOutClock(const struct timeval *now);
/* Is the timeout clock currently running? */
bool timeOutClockRunning() { return htn.toclock_running; }
/* Returns whether the host is timedout. If the timeoutclock is
running, counts elapsed time for that. Pass NULL if you don't have the
current time handy. You might as well also pass NULL if the
clock is not running, as the func won't need the time. */
bool timedOut(const struct timeval *now);
/* Takes a 6-byte MAC address */
int setMACAddress(const u8 *addy);
/* Returns a pointer to 6-byte MAC address, or NULL if none is set */
const u8 *MACAddress();
struct seq_info seq;
FingerPrintResults *FPR;
int osscan_performed; /* nonzero if an osscan was performed */
PortList ports;
/*
unsigned int up;
unsigned int down; */
int wierd_responses; /* echo responses from other addresses, Ie a network broadcast address */
unsigned int flags; /* HOST_UP, HOST_DOWN, HOST_FIREWALLED, HOST_BROADCAST (instead of HOST_BROADCAST use wierd_responses */
struct timeout_info to;
char device[64]; /* The device we transmit on -- make sure to adjust some str* calls if I ever change this*/
private:
char *hostname; // Null if unable to resolve or unset
void Initialize();
void FreeInternal(); // Free memory allocated inside this object
// Creates a "presentation" formatted string out of the IPv4/IPv6 address
void GenerateIPString();
struct sockaddr_storage targetsock, sourcesock;
size_t targetsocklen, sourcesocklen;
#ifndef INET6_ADDRSTRLEN
#define INET6_ADDRSTRLEN 46
#endif
char targetipstring[INET6_ADDRSTRLEN];
char *nameIPBuf; /* for the NameIP(void) function to return */
u8 MACaddress[6];
bool MACaddress_set;
struct host_timeout_nfo htn;
};
#endif /* TARGET_H */
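Review bot: The comment on the no-argument `NameIP()` says it returns a STATIC buffer, but Target.cc in this commit allocates `nameIPBuf` per object with `safe_malloc` and frees it in `FreeInternal()`. The returned pointer is therefore invalidated by `Recycle()` and by destruction, not only overwritten by the next call. I would reword it to `/* Returns a buffer owned by this Target: overwritten by the next NameIP() call, freed by Recycle() and the destructor */`. Separately, `setHostName(char *name)` only reads and copies its argument in the visible implementation, so declaring it `const char *name` would document that for callers.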

508
TargetGroup.cc Normal file

@@ -0,0 +1,508 @@
/***************************************************************************
* TargetGroup.cc -- The "TargetGroup" class holds a group of IP *
* addresses, such as those from a '/16' or '10.*.*.*' specification. It *
* also has a trivial HostGroupState class which handles a bunch of *
* expressions that go into TargetGroup classes. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#include "TargetGroup.h"
#include "NmapOps.h"
extern NmapOps o;
TargetGroup::TargetGroup() {
Initialize();
}
// Bring back (or start with) original state
void TargetGroup::Initialize() {
targets_type = TYPE_NONE;
memset(addresses, 0, sizeof(addresses));
memset(current, 0, sizeof(current));
memset(last, 0, sizeof(last));
ipsleft = 0;
}
/* take the object back to the begining without (mdmcl)
* reinitalizing the data structures */
int TargetGroup::rewind() {
/* For netmasks we must set the current address to the
* starting address and calculate the ips by distance */
if (targets_type == IPV4_NETMASK) {
currentaddr = startaddr;
if (startaddr.s_addr <= endaddr.s_addr) {
ipsleft = endaddr.s_addr - startaddr.s_addr + 1;
return 0;
}
else
assert(FALSE);
}
/* For ranges, we easily set current to zero and calculate
* the ips by the number of values in the columns */
else if (targets_type == IPV4_RANGES) {
memset((char *)current, 0, sizeof(current));
ipsleft = (last[0] + 1) * (last[1] + 1) *
(last[2] + 1) * (last[3] + 1);
return 0;
}
#if HAVE_IPV6
/* For IPV6 there is only one address, this function doesn't
* make much sence for IPv6 does it? */
else if (targets_type == IPV6_ADDRESS) {
ipsleft = 1;
return 0;
}
#endif
/* If we got this far there must be an error, wrong type */
return -1;
}
/* Initializes (or reinitializes) the object with a new expression, such
as 192.168.0.0/16 , 10.1.0-5.1-254 , or fe80::202:e3ff:fe14:1102 .
Returns 0 for success */
int TargetGroup::parse_expr(const char * const target_expr, int af) {
int i=0,j=0,k=0;
int start, end;
char *r,*s, *target_net;
char *addy[5];
char *hostexp = strdup(target_expr);
struct hostent *target;
unsigned long longtmp;
int namedhost = 0;
if (targets_type != TYPE_NONE)
Initialize();
ipsleft = 0;
if (af == AF_INET) {
if (strchr(hostexp, ':'))
fatal("Invalid host expression: %s -- colons only allowed in IPv6 addresses, and then you need the -6 switch", hostexp);
/*strauct in_addr current_in;*/
addy[0] = addy[1] = addy[2] = addy[3] = addy[4] = NULL;
addy[0] = r = hostexp;
/* First we break the expression up into the four parts of the IP address
+ the optional '/mask' */
target_net = strtok(hostexp, "/");
s = strtok(NULL, ""); /* find the end of the token from hostexp */
netmask = ( s ) ? atoi(s) : 32;
if ((int) netmask < 0 || netmask > 32) {
fprintf(stderr, "Illegal netmask value (%d), must be /0 - /32 . Assuming /32 (one host)\n", netmask);
netmask = 32;
}
for(i=0; *(hostexp + i); i++)
if (isupper((int) *(hostexp +i)) || islower((int) *(hostexp +i))) {
namedhost = 1;
break;
}
if (netmask != 32 || namedhost) {
targets_type = IPV4_NETMASK;
if (!inet_aton(target_net, &(startaddr))) {
if ((target = gethostbyname(target_net)))
memcpy(&(startaddr), target->h_addr_list[0], sizeof(struct in_addr));
else {
fprintf(stderr, "Failed to resolve given hostname/IP: %s. Note that you can't use '/mask' AND '[1-4,7,100-]' style IP ranges\n", target_net);
free(hostexp);
return 1;
}
}
longtmp = ntohl(startaddr.s_addr);
startaddr.s_addr = longtmp & (unsigned long) (0 - (1<<(32 - netmask)));
endaddr.s_addr = longtmp | (unsigned long) ((1<<(32 - netmask)) - 1);
currentaddr = startaddr;
if (startaddr.s_addr <= endaddr.s_addr) {
ipsleft = endaddr.s_addr - startaddr.s_addr + 1;
free(hostexp);
return 0;
}
fprintf(stderr, "Host specification invalid");
free(hostexp);
return 1;
}
else {
targets_type = IPV4_RANGES;
i=0;
while(*++r) {
if (*r == '.' && ++i < 4) {
*r = '\0';
addy[i] = r + 1;
}
else if (*r != '*' && *r != ',' && *r != '-' && !isdigit((int)*r))
fatal("Invalid character in host specification. Note in particular that square brackets [] are no longer allowed. They were redundant and can simply be removed.");
}
if (i != 3) fatal("Target host specification is illegal -- not enough dots in IP");
for(i=0; i < 4; i++) {
j=0;
do {
s = strchr(addy[i],',');
if (s) *s = '\0';
if (*addy[i] == '*') { start = 0; end = 255; }
else if (*addy[i] == '-') {
start = 0;
if (!addy[i] + 1) end = 255;
else end = atoi(addy[i]+ 1);
}
else {
start = end = atoi(addy[i]);
if ((r = strchr(addy[i],'-')) && *(r+1) ) end = atoi(r + 1);
else if (r && !*(r+1)) end = 255;
}
/* if (o.debugging > 2)
log_write(LOG_STDOUT, "The first host is %d, and the last one is %d\n", start, end); */
if (start < 0 || start > end || start > 255 || end > 255)
fatal("Your host specifications are illegal!");
if (j + (end - start) > 255)
fatal("Your host specifications are illegal!");
for(k=start; k <= end; k++)
addresses[i][j++] = k;
last[i] = j-1;
if (s) addy[i] = s + 1;
} while (s);
}
}
memset((char *)current, 0, sizeof(current));
ipsleft = (last[0] + 1) * (last[1] + 1) *
(last[2] + 1) * (last[3] + 1);
}
else {
#if HAVE_IPV6
int rc = 0;
assert(af == AF_INET6);
if (strchr(hostexp, '/')) {
fatal("Invalid host expression: %s -- slash not allowed. IPv6 addresses can currently only be specified individually", hostexp);
}
targets_type = IPV6_ADDRESS;
struct addrinfo hints;
struct addrinfo *result = NULL;
memset(&hints, 0, sizeof(hints));
hints.ai_family = PF_INET6;
rc = getaddrinfo(hostexp, NULL, &hints, &result);
if (rc != 0) {
fprintf(stderr, "Failed to resolve given IPv6 hostname/IP: %s. Note that you can't use '/mask' or '[1-4,7,100-]' style ranges for IPv6. Error cod %d: %s\n", hostexp, rc, gai_strerror(rc));
free(hostexp);
if (result) freeaddrinfo(result);
return 1;
}
assert(result->ai_addrlen == sizeof(struct sockaddr_in6));
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) result->ai_addr;
memcpy(ip6.s6_addr, sin6->sin6_addr.s6_addr, 16);
ipsleft = 1;
freeaddrinfo(result);
#else // HAVE_IPV6
fatal("IPv6 not supported on your platform");
#endif // HAVE_IPV6
}
free(hostexp);
return 0;
}
/* For ranges, skip all hosts in an octet, (mdmcl)
* get_next_host should be used for skipping the last octet :-)
* returns: number of hosts skipped */
int TargetGroup::skip_range(_octet_nums octet) {
int hosts_skipped = 0, /* number of hosts skipped */
oct = 0, /* octect number */
i; /* simple lcv */
/* This function is only supported for RANGES! */
if (targets_type != IPV4_RANGES)
return -1;
switch (octet) {
case FIRST_OCTET:
oct = 0;
hosts_skipped = (last[1] + 1) * (last[2] + 1) * (last[3] + 1);
break;
case SECOND_OCTET:
oct = 1;
hosts_skipped = (last[2] + 1) * (last[3] + 1);
break;
case THIRD_OCTET:
oct = 2;
hosts_skipped = (last[3] + 1);
break;
default: /* Hmm, how'd you do that */
return -1;
}
/* catch if we try to take more than are left */
assert(ipsleft >= hosts_skipped - 1);
/* increment the next octect that we can above us */
for (i = oct; i >= 0; i--) {
if (current[i] < last[i]) {
current[i]++;
break;
}
else
current[i] = 0;
}
/* reset all the ones below us to zero */
for (i = oct+1; i <= 3; i++) {
current[i] = 0;
}
/* we actauly don't skip the current, it was accounted for
* by get_next_host */
ipsleft -= hosts_skipped - 1;
return hosts_skipped;
}
/* Grab the next host from this expression (if any) and uptdates its internal
state to reflect the the IP was given out. Returns 0 and
fills in ss if successful. ss must point to a pre-allocated
sockaddr_storage structure */
int TargetGroup::get_next_host(struct sockaddr_storage *ss, size_t *sslen) {
int octet;
struct sockaddr_in *sin = (struct sockaddr_in *) ss;
struct sockaddr_in6 *sin6 = (struct sockaddr_in6 *) ss;
startover: /* to handle nmap --resume where I have already
scanned many of the IPs */
assert(ss);
assert(sslen);
if (ipsleft <= 0)
return -1;
if (targets_type == IPV4_NETMASK) {
memset(sin, 0, sizeof(struct sockaddr_in));
sin->sin_family = AF_INET;
*sslen = sizeof(struct sockaddr_in);
#if HAVE_SOCKADDR_SA_LEN
sin->sin_len = *sslen;
#endif
if (currentaddr.s_addr <= endaddr.s_addr) {
sin->sin_addr.s_addr = htonl(currentaddr.s_addr++);
} else {
error("Bogus target structure passed to TargetGroup::get_next_host");
ipsleft = 0;
return -1;
}
}
else if (targets_type == IPV4_RANGES) {
memset(sin, 0, sizeof(struct sockaddr_in));
sin->sin_family = AF_INET;
*sslen = sizeof(struct sockaddr_in);
#if HAVE_SOCKADDR_SA_LEN
sin->sin_len = *sslen;
#endif
if (o.debugging > 2) {
log_write(LOG_STDOUT, "doing %d.%d.%d.%d = %d.%d.%d.%d\n", current[0], current[1], current[2], current[3], addresses[0][current[0]],addresses[1][current[1]],addresses[2][current[2]],addresses[3][current[3]]);
}
/* Set the IP to the current value of everything */
sin->sin_addr.s_addr = htonl(addresses[0][current[0]] << 24 |
addresses[1][current[1]] << 16 |
addresses[2][current[2]] << 8 |
addresses[3][current[3]]);
/* Now we nudge up to the next IP */
for(octet = 3; octet >= 0; octet--) {
if (current[octet] < last[octet]) {
/* OK, this is the column I have room to nudge upwards */
current[octet]++;
break;
} else {
/* This octet is finished so I reset it to the beginning */
current[octet] = 0;
}
}
if (octet == -1) {
/* It didn't find anything to bump up, I muast have taken the last IP */
assert(ipsleft == 1);
/* So I set current to last with the very final octet up one ... */
/* Note that this may make current[3] == 256 */
current[0] = last[0]; current[1] = last[1];
current[2] = last[2]; current[3] = last[3] + 1;
} else {
assert(ipsleft > 1); /* There must be at least one more IP left */
}
} else {
assert(targets_type == IPV6_ADDRESS);
assert(ipsleft == 1);
#if HAVE_IPV6
*sslen = sizeof(struct sockaddr_in6);
memset(sin6, 0, *sslen);
sin6->sin6_family = AF_INET6;
#ifdef SIN_LEN
sin6->sin6_len = *sslen;
#endif /* SIN_LEN */
memcpy(sin6->sin6_addr.s6_addr, ip6.s6_addr, 16);
#else
fatal("IPV6 not supported on this platform");
#endif // HAVE_IPV6
}
ipsleft--;
assert(ipsleft >= 0);
/* If we are resuming from a previous scan, we have already finished
scans up to o.resume_ip. */
if (sin->sin_family == AF_INET && o.resume_ip.s_addr) {
if (o.resume_ip.s_addr == sin->sin_addr.s_addr)
o.resume_ip.s_addr = 0; /* So that we will KEEP the next one */
goto startover; /* Try again */
}
return 0;
}
/* Returns the last given host, so that it will be given again next
time get_next_host is called. Obviously, you should only call
this if you have fetched at least 1 host since parse_expr() was
called */
int TargetGroup::return_last_host() {
int octet;
ipsleft++;
if (targets_type == IPV4_NETMASK) {
assert(currentaddr.s_addr > startaddr.s_addr);
currentaddr.s_addr--;
} else if (targets_type == IPV4_RANGES) {
for(octet = 3; octet >= 0; octet--) {
if (current[octet] > 0) {
/* OK, this is the column I have room to nudge downwards */
current[octet]--;
break;
} else {
/* This octet is already at the beginning, so I set it to the end */
current[octet] = last[octet];
}
}
assert(octet != -1);
} else {
assert(targets_type == IPV6_ADDRESS);
assert(ipsleft == 1);
}
return 0;
}
/* Lookahead is the number of hosts that can be
checked (such as ping scanned) in advance. Randomize causes each
group of up to lookahead hosts to be internally shuffled around.
The target_expressions array MUST REMAIN VALID IN MEMMORY as long as
this class instance is used -- the array is NOT copied.
*/
HostGroupState::HostGroupState(int lookahead, int rnd,
char *expr[], int numexpr) {
assert(lookahead > 0);
hostbatch = (Target **) safe_zalloc(sizeof(Target *) * lookahead);
max_batch_sz = lookahead;
current_batch_sz = 0;
next_batch_no = 0;
randomize = rnd;
target_expressions = expr;
num_expressions = numexpr;
next_expression = 0;
}
HostGroupState::~HostGroupState() {
free(hostbatch);
}
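Review bot: In `TargetGroup::parse_expr`, the open-start range branch tests `if (!addy[i] + 1)`, which parses as `(!addy[i]) + 1` and is therefore always true, so an octet written as `-5` expands to 0-255 instead of 0-5 and the resulting target set is wider than the expression the operator typed. The test should look at the character after the dash: `if (!*(addy[i] + 1)) end = 255;`. The netmask branch has a related width problem: `/0` passes the 0-32 check, but `1<<(32 - netmask)` then shifts an `int` by its full width, which is undefined, so the mask for `/0` (and the sign bit for `/1`) should be built from an unsigned value with an explicit zero case. The `strdup()` result in `hostexp` is also used without a NULL check.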

187
TargetGroup.h Normal file

@@ -0,0 +1,187 @@
/***************************************************************************
* TargetGroup.h -- The "TargetGroup" class holds a group of IP addresses, *
* such as those from a '/16' or '10.*.*.*' specification. It also has a *
* trivial HostGroupState class which handles a bunch of expressions that *
* go into TargetGroup classes. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#ifndef TARGETGROUP_H
#define TARGETGROUP_H
#include "nmap.h"
class TargetGroup {
public:
/* used by get_target_types */
enum _targets_types { TYPE_NONE, IPV4_NETMASK, IPV4_RANGES, IPV6_ADDRESS };
/* used as input to skip range */
enum _octet_nums { FIRST_OCTET, SECOND_OCTET, THIRD_OCTET };
TargetGroup();
/* Initializes (or reinitializes) the object with a new expression,
such as 192.168.0.0/16 , 10.1.0-5.1-254 , or
fe80::202:e3ff:fe14:1102 . The af parameter is AF_INET or
AF_INET6 Returns 0 for success */
int parse_expr(const char * const target_expr, int af);
/* Reset the object without reinitializing it */
int rewind();
/* Grab the next host from this expression (if any). Returns 0 and
fills in ss if successful. ss must point to a pre-allocated
sockaddr_storage structure */
int get_next_host(struct sockaddr_storage *ss, size_t *sslen);
/* Returns the last given host, so that it will be given again next
time get_next_host is called. Obviously, you should only call
this if you have fetched at least 1 host since parse_expr() was
called */
int return_last_host();
/* return the target type */
char get_targets_type() {return targets_type;};
/* get the netmask */
int get_mask() {return netmask;};
/* Skip an octet in the range array */
int skip_range(_octet_nums octet);
private:
enum _targets_types targets_type;
void Initialize();
#if HAVE_IPV6
struct in6_addr ip6;
#endif
/* These 4 are used for the '/mask' style of specifying target
net (IPV4_NETMASK) */
u32 netmask;
struct in_addr startaddr;
struct in_addr currentaddr;
struct in_addr endaddr;
// These three are for the '138.[1-7,16,91-95,200-].12.1 style (IPV4_RANGES)
u8 addresses[4][256];
unsigned int current[4];
u8 last[4];
int ipsleft; /* Number of IPs left in this structure -- set to 0 if
the fields are not valid */
};
class HostGroupState {
public:
HostGroupState(int lookahead, int randomize, char *target_expressions[],
int num_expressions);
~HostGroupState();
Target **hostbatch;
int max_batch_sz; /* The size of the hostbatch[] array */
int current_batch_sz; /* The number of VALID members of hostbatch[] */
int next_batch_no; /* The index of the next hostbatch[] member to be given
back to the user */
int randomize; /* Whether each bach should be "shuffled" prior to the ping
scan (they will also be out of order when given back one
at a time to the client program */
char **target_expressions; /* An array of target expression strings, passed
to us by the client (client is also in charge
of deleting it AFTER it is done with the
hostgroup_state */
int num_expressions; /* The number of valid expressions in
target_expressions member above */
int next_expression; /* The index of the next expression we have
to handle */
TargetGroup current_expression; /* For batch chunking -- targets in queue */
};
#endif /* TARGETGROUP_H */
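Review bot: `int ipsleft` in `TargetGroup` is too narrow for the counts the class computes, assuming a 32-bit `int`: TargetGroup.cc sets it to `(last[0] + 1) * (last[1] + 1) * (last[2] + 1) * (last[3] + 1)` for ranges and to `endaddr.s_addr - startaddr.s_addr + 1` for netmasks, and both reach 2^32 for `*.*.*.*` or `/0` (2^31 for `/1`). Since `get_next_host` returns -1 when `ipsleft <= 0` and asserts on its value, a wrapped count would end or abort iteration early; a 64-bit signed member such as `long long ipsleft;` would keep those comparisons valid. `get_targets_type()` also returns `char` for an `enum _targets_types` value, which would read better as `enum _targets_types get_targets_type() { return targets_type; }`.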

28
aclocal.m4 vendored Normal file

@@ -0,0 +1,28 @@
dnl Type of 6th argument to recvfrom(). Usually int or socklen_t.
AC_DEFUN([RECVFROM_ARG6_TYPE],
[
AC_LANG_PUSH(C++)
AC_MSG_CHECKING([for type of 6th argument to recvfrom()])
recvfrom6_t=
for t in socklen_t int; do
AC_TRY_COMPILE([
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <sys/socket.h>],[
$t arg;
recvfrom (0, NULL, 0, 0, NULL, &arg);],[
recvfrom6_t="$t"
break])
done
if test "x$recvfrom6_t" = x; then
AC_MSG_WARN([Cannot find type for 6th argument to recvfrom(). Using socklen_t ptr])
recvfrom6_t="socklen_t"
fi
AC_MSG_RESULT($recvfrom6_t)
AC_DEFINE_UNQUOTED(recvfrom6_t, $recvfrom6_t,
[Type of 6th argument to recvfrom()])
AC_LANG_POP(C++)
])

184
charpool.cc Normal file

@@ -0,0 +1,184 @@
/***************************************************************************
* charpool.cc -- Handles Nmap's "character pool" memory allocation *
* system. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
/* Character pool memory allocation */
#include "charpool.h"
static char *charpool[16];
static int currentcharpool;
static int currentcharpoolsz;
static char *nextchar;
static int charpool_initialized = 0;
#define ALIGN_ON sizeof(char *)
static int cp_init(void) {
/* Create our char pool */
currentcharpool = 0;
currentcharpoolsz = 16384;
nextchar = charpool[0] = (char *) safe_malloc(currentcharpoolsz);
charpool_initialized = 1;
return 0;
}
static inline void cp_grow(void) {
/* Doh! We've got to make room */
if (++currentcharpool > 15) {
fatal("Character Pool is out of buckets!");
}
currentcharpoolsz <<= 1;
nextchar = charpool[currentcharpool] = (char *)
safe_malloc(currentcharpoolsz);
}
void *cp_alloc(int sz) {
char *p;
int modulus;
if (!charpool_initialized) cp_init();
if ((modulus = sz % ALIGN_ON))
sz += ALIGN_ON - modulus;
if ((nextchar - charpool[currentcharpool]) + sz <= currentcharpoolsz) {
p = nextchar;
nextchar += sz;
return p;
}
/* Doh! We've got to make room */
cp_grow();
return cp_alloc(sz);
}
char *cp_strdup(const char *src) {
const char *p;
char *q;
/* end points to the first illegal char */
char *end;
int modulus;
if (!charpool_initialized)
cp_init();
end = charpool[currentcharpool] + currentcharpoolsz;
q = nextchar;
p = src;
while((nextchar < end) && *p) {
*nextchar++ = *p++;
}
if (nextchar < end) {
/* Goody, we have space */
*nextchar++ = '\0';
if ((modulus = (nextchar - q) % ALIGN_ON))
nextchar += ALIGN_ON - modulus;
return q;
}
/* Doh! We ran out -- need to allocate more */
cp_grow();
return cp_strdup(src);
}

110
charpool.h Normal file

@@ -0,0 +1,110 @@
/***************************************************************************
* charpool.h -- Handles Nmap's "character pool" memory allocation *
* system. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#ifndef CHARPOOL_H
#define CHARPOOL_H
#include "utils.h"
#include "nmap_error.h"
void *cp_alloc(int sz);
char *cp_strdup(const char *src);
#endif
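Review bot: Neither prototype at the end of this header documents the pool contract, and `cp_alloc` takes its size as a signed `int`. In the charpool.cc listing of this commit, allocations are carved out of buckets and no release function is visible. A negative `sz` would also pass the fit check and move the pool cursor backwards. Callers therefore need to be told that the returned pointer must never be passed to free() and that `sz` must be positive. I would add a comment above the declarations such as `/* Pool memory: lives until process exit, never free() it; sz must be > 0 */` and consider declaring the parameter as `size_t sz`.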

1410
config.guess vendored Executable file

File diff suppressed because it is too large Load Diff

75
config.h Normal file

@@ -0,0 +1,75 @@
/* config.h. Generated automatically by configure. */
/* #undef PCAP_TIMEOUT_IGNORED */
#define HAVE_STRUCT_IP 1
#define HAVE_USLEEP 1
#define HAVE_NANOSLEEP 1
#define HAVE_STRUCT_ICMP 1
#define HAVE_IP_IP_SUM 1
/* #undef inline */
#define STDC_HEADERS 1
#define HAVE_STRING_H 1
/* #undef HAVE_GETOPT_H */
#define HAVE_STRINGS_H 1
/* #undef HAVE_BSTRING_H */
#define WORDS_BIGENDIAN 1
#define HAVE_MEMORY_H 1
/* both bzero() and memcpy() are used in the source */
#define HAVE_BZERO 1
#define HAVE_MEMCPY 1
#define HAVE_STRERROR 1
#define HAVE_SYS_PARAM_H 1
#define HAVE_SYS_SOCKIO_H 1
#define BSD_NETWORKING 1
#define HAVE_SNPRINTF 1
#define HAVE_VSNPRINTF 1
/* #undef HAVE_STRCASESTR */
/* #undef HAVE_GETOPT_LONG */
#define IN_ADDR_DEEPSTRUCT 1
/* #undef HAVE_NETINET_IN_SYSTEM_H */
/* #undef HAVE_SOCKADDR_SA_LEN */
#define HAVE_NETINET_IF_ETHER_H 1
/* #undef STUPID_SOLARIS_CHECKSUM_BUG */
/* #undef SPRINTF_RETURNS_STRING */
/* #undef LINUX */
/* #undef FREEBSD */
/* #undef OPENBSD */
#define SOLARIS 1
/* #undef SUNOS */
/* #undef BSDI */
/* #undef IRIX */
/* #undef NETBSD */

204
config.h.in Normal file

@@ -0,0 +1,204 @@
/***************************************************************************
* config.h.in -- Autoconf uses this template, combined with the configure *
* script knowledge about system capabilities, to build the config.h *
* include file that lets nmap better understand system particulars. *
* *
***********************IMPORTANT NMAP LICENSE TERMS************************
* *
* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
* is also a registered trademark of Insecure.Com LLC. This program is *
* free software; you may redistribute and/or modify it under the *
* terms of the GNU General Public License as published by the Free *
* Software Foundation; Version 2. This guarantees your right to use, *
* modify, and redistribute this software under certain conditions. If *
* you wish to embed Nmap technology into proprietary software, we may be *
* willing to sell alternative licenses (contact sales@insecure.com). *
* Many security scanner vendors already license Nmap technology such as *
* our remote OS fingerprinting database and code, service/version *
* detection system, and port scanning code. *
* *
* Note that the GPL places important restrictions on "derived works", yet *
* it does not provide a detailed definition of that term. To avoid *
* misunderstandings, we consider an application to constitute a *
* "derivative work" for the purpose of this license if it does any of the *
* following: *
* o Integrates source code from Nmap *
* o Reads or includes Nmap copyrighted data files, such as *
* nmap-os-fingerprints or nmap-service-probes. *
* o Executes Nmap and parses the results (as opposed to typical shell or *
* execution-menu apps, which simply display raw Nmap output and so are *
* not derivative works.) *
* o Integrates/includes/aggregates Nmap into a proprietary executable *
* installer, such as those produced by InstallShield. *
* o Links to a library or executes a program that does any of the above *
* *
* The term "Nmap" should be taken to also include any portions or derived *
* works of Nmap. This list is not exclusive, but is just meant to *
* clarify our interpretation of derived works with some common examples. *
* These restrictions only apply when you actually redistribute Nmap. For *
* example, nothing stops you from writing and selling a proprietary *
* front-end to Nmap. Just distribute it by itself, and point people to *
* http://www.insecure.org/nmap/ to download Nmap. *
* *
* We don't consider these to be added restrictions on top of the GPL, but *
* just a clarification of how we interpret "derived works" as it applies *
* to our GPL-licensed Nmap product. This is similar to the way Linus *
* Torvalds has announced his interpretation of how "derived works" *
* applies to Linux kernel modules. Our interpretation refers only to *
* Nmap - we don't speak for any other GPL products. *
* *
* If you have any questions about the GPL licensing restrictions on using *
* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
* we also offer alternative license to integrate Nmap into proprietary *
* applications and appliances. These contracts have been sold to many *
* security vendors, and generally include a perpetual license as well as *
* providing for priority support and updates as well as helping to fund *
* the continued development of Nmap technology. Please email *
* sales@insecure.com for further information. *
* *
* As a special exception to the GPL terms, Insecure.Com LLC grants *
* permission to link the code of this program with any version of the *
* OpenSSL library which is distributed under a license identical to that *
* listed in the included Copying.OpenSSL file, and distribute linked *
* combinations including the two. You must obey the GNU GPL in all *
* respects for all of the code used other than OpenSSL. If you modify *
* this file, you may extend this exception to your version of the file, *
* but you are not obligated to do so. *
* *
* If you received these files with a written license agreement or *
* contract stating terms other than the terms above, then that *
* alternative license agreement takes precedence over these comments. *
* *
* Source is provided to this software because we believe users have a *
* right to know exactly what a program is going to do before they run it. *
* This also allows you to audit the software for security holes (none *
* have been found so far). *
* *
* Source code also allows you to port Nmap to new platforms, fix bugs, *
* and add new features. You are highly encouraged to send your changes *
* to fyodor@insecure.org for possible incorporation into the main *
* distribution. By sending these changes to Fyodor or one the *
* Insecure.Org development mailing lists, it is assumed that you are *
* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
* to reuse, modify, and relicense the code. Nmap will always be *
* available Open Source, but this is important because the inability to *
* relicense code has caused devastating problems for other Free Software *
* projects (such as KDE and NASM). We also occasionally relicense the *
* code to third parties as discussed above. If you wish to specify *
* special license conditions of your contributions, just say so when you *
* send them. *
* *
* This program is distributed in the hope that it will be useful, but *
* WITHOUT ANY WARRANTY; without even the implied warranty of *
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
* General Public License for more details at *
* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
* with Nmap. *
* *
***************************************************************************/
/* $Id$ */
#ifndef CONFIG_H
#define CONFIG_H
#undef PCAP_TIMEOUT_IGNORED
#undef HAVE_STRUCT_IP
#undef HAVE_USLEEP
#undef HAVE_NANOSLEEP
#undef HAVE_STRUCT_ICMP
#undef HAVE_IP_IP_SUM
#undef inline
#undef STDC_HEADERS
#undef HAVE_UNISTD_H
#undef HAVE_STRING_H
#undef HAVE_GETOPT_H
#undef HAVE_STRINGS_H
#undef HAVE_PWD_H
#undef HAVE_BSTRING_H
#undef WORDS_BIGENDIAN
#undef HAVE_MEMORY_H
/* both bzero() and memcpy() are used in the source */
#undef HAVE_BZERO
#undef HAVE_MEMCPY
#undef HAVE_STRERROR
#undef HAVE_SYS_PARAM_H
#undef HAVE_SYS_SOCKIO_H
#undef HAVE_PCRE_H
#undef HAVE_PCRE_PCRE_H
#undef BSD_NETWORKING
#undef HAVE_INET_ATON
#undef HAVE_STRCASESTR
#undef HAVE_GETOPT_LONG
#undef IN_ADDR_DEEPSTRUCT
#undef HAVE_NETINET_IN_SYSTEM_H
#undef HAVE_SOCKADDR_SA_LEN
#undef HAVE_NETINET_IF_ETHER_H
#undef HAVE_OPENSSL
#undef STUPID_SOLARIS_CHECKSUM_BUG
#undef SPRINTF_RETURNS_STRING
#undef TIME_WITH_SYS_TIME
#undef HAVE_SYS_TIME_H
#undef recvfrom6_t
#undef NEED_USLEEP_PROTO
#undef NEED_GETHOSTNAME_PROTO
#ifdef NEED_USLEEP_PROTO
#ifdef __cplusplus
extern "C" int usleep (unsigned int);
#endif
#endif
#ifdef NEED_GETHOSTNAME_PROTO
#ifdef __cplusplus
extern "C" int gethostname (char *, unsigned int);
#endif
#endif
#undef DEC
#undef LINUX
#undef FREEBSD
#undef OPENBSD
#undef SOLARIS
#undef SUNOS
#undef BSDI
#undef IRIX
#undef HPUX
#undef NETBSD
#undef MACOSX
#endif /* CONFIG_H */
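Review bot: The template has no `#undef` line for two symbols that configure.ac in this commit can define: `AC_DEFINE(HAVE_LIBPCAP)` and the `HAVE_GETOPT_LONG_ONLY` that `AC_CHECK_FUNCS(... getopt_long_only)` would produce. With a hand-maintained config.h.in only the names listed here are substituted, so unless this file is regenerated by autoheader those results presumably never reach config.h. The template does list `HAVE_GETOPT_LONG`, which no visible check in configure.ac sets. I would add `#undef HAVE_LIBPCAP` and `#undef HAVE_GETOPT_LONG_ONLY`, and either check for `getopt_long` or drop the unused entry.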

1510
config.sub vendored Executable file

File diff suppressed because it is too large Load Diff

9001
configure vendored Executable file

File diff suppressed because it is too large Load Diff

716
configure.ac Normal file

@@ -0,0 +1,716 @@
# Require autoconf 2.13 -*- mode: fundamental; -*-
AC_PREREQ(2.13)
dnl Process this file with autoconf to produce a configure script.
AC_INIT(nmap.cc)
AC_ARG_WITH(localdirs,
[ --with-localdirs Explicitly ask compiler to use /usr/local/{include,libs} if they exist ],
[ case "$with_localdirs" in
yes)
user_localdirs=1
;;
no)
user_localdirs=0
;;
esac
],
[ user_localdirs=0 ] )
if test "$user_localdirs" = 1; then
if test -d /usr/local/lib; then
LDFLAGS="$LDFLAGS -L/usr/local/lib"
fi
if test -d /usr/local/include; then
CFLAGS="$CFLAGS -I/usr/local/include"
CXXFLAGS="$CFLAGS -I/usr/local/include"
fi
fi
libpcapdir=libpcap-possiblymodified
AC_SUBST(libpcapdir)
pcredir=libpcre
AC_SUBST(pcredir)
dnl use config.h instead of -D macros
AC_CONFIG_HEADER(config.h)
dnl Checks for programs.
AC_PROG_CC
AC_PROG_CXX
if test -n "$GXX"; then
CXXFLAGS="$CXXFLAGS -Wall "
fi
AC_CHECK_PROG(CXXPROG, "$CXX", "AVAILABLE", "MISSING")
if test $CXXPROG = "MISSING"; then
AC_MSG_ERROR([Could not locate a C++ compiler. If it exists, add it to your PATH or give configure the CXX=path_to_compiler argument. Otherwise, install a C++ compiler such as g++ or install a binary package of Nmap (see http://www.insecure.org/nmap/nmap_download.html ))])
fi
dnl AC_PROG_INSTALL
dnl AC_PATH_PROG(MAKEDEPEND, makedepend)
dnl Checks for typedefs, structures, and compiler characteristics.
dnl check for void should be put in
dnl AC_MSG_CHECKING(for void)
dnl AC_TRY_COMPILE(, [void *foo = 0;],
dnl [AC_MSG_RESULT(yes); AC_DEFINE(HAVE_VOID)], [AC_MSG_RESULT(no)])
dnl so should check for 'const'
dnl AC_MSG_CHECKING(for const)
dnl AC_TRY_COMPILE(, [const int foo = 0;],
dnl [AC_MSG_RESULT(yes); AC_DEFINE(HAVE_CONST)], [AC_MSG_RESULT(no)])
dnl equiv to '#define inline' to 'inline', '__inline__', '__inline' or ''
AC_C_INLINE
if test -n "$sgi_cc"; then
AC_DEFINE(inline, )
fi
AC_SUBST(COMPAT_OBJS)
AC_SUBST(COMPAT_SRCS)
dnl Host specific hacks
AC_CANONICAL_HOST
linux=no
macosx=no
needs_cpp_precomp=no
case "$host" in
*alpha-dec-osf*)
AC_DEFINE(DEC)
;;
*-netbsd* | *-knetbsd*-gnu)
AC_DEFINE(NETBSD)
;;
*-openbsd*)
AC_DEFINE(OPENBSD)
;;
*-sgi-irix5*)
AC_DEFINE(IRIX)
if test -z "$GCC"; then
sgi_cc=yes
fi
;;
*-sgi-irix6*)
AC_DEFINE(IRIX)
if test -z "$GCC"; then
sgi_cc=yes
fi
;;
*-hpux*)
AC_DEFINE(HPUX)
;;
*-solaris2.0*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
;;
*-solaris2.[[1-9]][[0-9]]*)
AC_DEFINE(SOLARIS)
;;
*-solaris2.1*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
;;
*-solaris2.2*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
;;
*-solaris2.3*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
;;
*-solaris2.4*)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
;;
*-solaris2.5.1)
AC_DEFINE(STUPID_SOLARIS_CHECKSUM_BUG)
AC_DEFINE(SOLARIS)
;;
*-solaris*)
AC_DEFINE(SOLARIS)
;;
*-sunos4*)
AC_DEFINE(SUNOS)
AC_DEFINE(SPRINTF_RETURNS_STRING)
;;
*-linux*)
linux=yes
AC_DEFINE(LINUX)
AC_DEFINE(PCAP_TIMEOUT_IGNORED) # libpcap doesn't even LOOK at
# the timeout you give it under Linux
;;
*-freebsd* | *-kfreebsd*-gnu)
AC_DEFINE(FREEBSD)
;;
*-bsdi*)
AC_DEFINE(BSDI)
;;
*-apple-darwin*)
macosx=yes
AC_DEFINE(MACOSX)
needs_cpp_precomp=yes
;;
esac
dnl Checks for header files.
AC_HEADER_STDC
AC_CHECK_HEADERS(string.h getopt.h strings.h memory.h sys/param.h sys/sockio.h bstring.h sys/time.h pwd.h unistd.h )
AC_CHECK_HEADERS(netinet/in.h)
AC_CHECK_HEADERS(sys/socket.h)
AC_CHECK_HEADERS([net/if.h],[],[],
[#if HAVE_SYS_TYPES_H
# include <sys/types.h>
# endif
#if HAVE_NETINET_IN_H
# include <netinet/in.h>
# endif
#if HAVE_SYS_SOCKET_H
# include <sys/socket.h>
# endif
])
AC_CHECK_HEADERS([netinet/if_ether.h],[],[],
[#if HAVE_SYS_TYPES_H
# include <sys/types.h>
# endif
#if HAVE_NETINET_IN_H
# include <netinet/in.h>
# endif
# if HAVE_SYS_SOCKET_H
# include <sys/socket.h>
# endif
# if HAVE_NET_IF_H
# include <net/if.h>
# endif
])
AC_HEADER_TIME
dnl Checks for libraries.
dnl AC_CHECK_LIB(m, pow)
dnl on Mac OSX the math library seems to contain unwanted getopt cruft
if test $macosx = no; then
AC_CHECK_LIB(m, main)
fi
dnl If any socket libraries needed
AC_SEARCH_LIBS(gethostent, nsl)
AC_SEARCH_LIBS(setsockopt, socket)
dnl need posix4/nanosleep for solaris 2.4
AC_SEARCH_LIBS(nanosleep, posix4)
# By default, try to build nmapfe if possible
test "${with_nmapfe+set}" != "set" && with_nmapfe=yes
TARGETNMAPFE=nmapfe/nmapfe
INSTALLNMAPFE=install-nmapfe
AC_ARG_WITH(nmapfe, [ --without-nmapfe skip nmapfe X-window GUI],
[ case "$with_nmapfe" in
no)
TARGETNMAPFE=""; INSTALLNMAPFE=""
;;
esac]
)
AC_SUBST(TARGETNMAPFE)
AC_SUBST(INSTALLNMAPFE)
# First we test whether they specified openssl desires explicitly
use_openssl="yes"
specialssldir=""
AC_ARG_WITH(openssl,
[ --with-openssl=DIR Use optional openssl libs and includes from [DIR]/lib/ and [DIR]/include/openssl/)],
[ case "$with_openssl" in
yes)
;;
no)
use_openssl="no"
;;
*)
specialssldir="$with_openssl"
CXXFLAGS="$CXXFLAGS -I$with_openssl/include"
LDFLAGS="$LDFLAGS -L$with_openssl/lib"
;;
esac]
)
# If they didn't specify it, we try to find it
if test "$use_openssl" = "yes" -a -z "$specialssldir"; then
AC_CHECK_HEADER(openssl/ssl.h,,
[ use_openssl="no"
AC_MSG_WARN([Failed to find openssl/ssl.h so OpenSSL will not be used. If it is installed you can try the --with-openssl=DIR argument]) ])
if test "$use_openssl" = "yes"; then
AC_CHECK_HEADER(openssl/err.h,,
[ use_openssl="no"
AC_MSG_WARN([Failed to find openssl/err.h so OpenSSL will not be used. If it is installed you can try the --with-openssl=DIR argument]) ])
fi
if test "$use_openssl" = "yes"; then
AC_CHECK_HEADER(openssl/rand.h,,
[ use_openssl="no"
AC_MSG_WARN([Failed to find openssl/rand.h so OpenSSL will not be used. If it is installed you can try the --with-openssl=DIR argument]) ])
fi
# use_openssl="yes" given explicitly in next 2 rules to avoid adding lib to $LIBS
if test "$use_openssl" = "yes"; then
AC_CHECK_LIB(crypto, BIO_int_ctrl,
[ use_openssl="yes"],
[ use_openssl="no"
AC_MSG_WARN([Failed to find libcrypto so OpenSSL will not be used. If it is installed you can try the --with-openssl=DIR argument]) ])
fi
if test "$use_openssl" = "yes"; then
AC_CHECK_LIB(ssl, SSL_new,
[ use_openssl="yes" ],
[ use_openssl="no"
AC_MSG_WARN([Failed to find libssl so OpenSSL will not be used. If it is installed you can try the --with-openssl=DIR argument]) ])
fi
fi
OPENSSL_LIBS=
if test "$use_openssl" = "yes"; then
AC_DEFINE(HAVE_OPENSSL)
OPENSSL_LIBS="-lssl -lcrypto"
fi
AC_SUBST(OPENSSL_LIBS)
dnl Check whether libpcap is already available
have_libpcap=no
# By default, search for pcap library
test "${with_libpcap+set}" != "set" && with_libpcap=yes
AC_ARG_WITH(libpcap,
[ --with-libpcap[=DIR] Look for pcap in DIR/include and DIR/libs],
[ case "$with_libpcap" in
yes)
AC_CHECK_HEADER(pcap.h,[
AC_CHECK_LIB(pcap, pcap_datalink,
[have_libpcap=yes ])])
;;
*)
_cppflags=$CXXFLAGS
_ldflags=$LDFLAGS
CXXFLAGS="-I$with_libpcap/include $CXXFLAGS"
LDFLAGS="-L$with_libpcap/lib $LDFLAGS"
AC_CHECK_HEADER(pcap.h,[
AC_CHECK_LIB(pcap, pcap_datalink,
[have_libpcap=yes
LIBPCAP_INC=$with_libpcap/include
LIBPCAP_LIB=$with_libpcap/lib])])
LDFLAGS=$_ldflags
CXXFLAGS=$_cppflags
;;
esac]
)
if test $linux = yes; then
have_libpcap=no
fi
if test $needs_cpp_precomp = yes; then
CXXFLAGS="-no-cpp-precomp $CXXFLAGS"
fi
if test $have_libpcap = yes; then
if test "${LIBPCAP_INC+set}" = "set"; then
_cflags=$CXXFLAGS
_ldflags=$LDFLAGS
CXXFLAGS="-I$LIBPCAP_INC $CXXFLAGS"
LDFLAGS="-L$LIBPCAP_LIB $LDFLAGS"
fi
# link with -lpcap for the purposes of this test
LIBS_OLD="$LIBS"
LIBS="$LIBS -lpcap"
AC_MSG_CHECKING(if libpcap version is recent enough)
AC_TRY_RUN([
#include <stdio.h>
extern char pcap_version[];
int main() {
int major, minor;
sscanf(pcap_version,"%d.%d", &major, &minor);
if (major > 0)
exit(0);
if (minor > 4)
exit(0);
if (minor < 4)
exit(1);
if (pcap_version[3] > 'a')
exit(0);
if (pcap_version[3] == 'a') {
if(!sscanf(&pcap_version[4], "%d", &minor))
exit(1);
if (minor >= 6)
exit(0);
else
exit(1);
}
exit(1);
}],
[AC_MSG_RESULT(yes); have_libpcap=yes],
[AC_MSG_RESULT(no); have_libpcap=no],
[AC_MSG_RESULT(no); have_libpcap=no])
LIBS="$LIBS_OLD"
fi
LIBPCAP_LIBS="-lpcap"
if test $have_libpcap = yes; then
PCAP_DEPENDS=""
PCAP_CLEAN=""
PCAP_DIST_CLEAN=""
AC_DEFINE(HAVE_LIBPCAP)
else
if test "${LIBPCAP_INC+set}" = "set"; then
LDFLAGS="-L$libpcapdir $_ldflags"
CXXFLAGS="$_cflags -I$libpcapdir"
else
LDFLAGS="-L$libpcapdir $LDFLAGS"
CXXFLAGS="$CXXFLAGS -I$libpcapdir"
fi
PCAP_DEPENDS='$(LIBPCAPDIR)/libpcap.a'
PCAP_CLEAN="pcap_clean"
PCAP_DIST_CLEAN="pcap_dist_clean"
fi
AC_SUBST(PCAP_DEPENDS)
AC_SUBST(PCAP_CLEAN)
AC_SUBST(PCAP_DIST_CLEAN)
AC_SUBST(LIBPCAP_LIBS)
have_pcre=no
requested_included_pcre=no
LIBPCREDIR=libpcre
# First we test whether they specified libpcre explicitly
AC_ARG_WITH(libpcre,
[ --with-libpcre=DIR Use an existing (compiled) pcre lib from DIR/include and DIR/lib. Specify --with-libpcre=included to always use the version included with Nmap],
[ case "$with_libpcre" in
yes)
;;
included)
requested_included_pcre=yes
;;
*)
CXXFLAGS="-I$with_libpcre/include $CXXFLAGS"
LDFLAGS="-L$with_libpcre/lib $LDFLAGS"
have_pcre=yes
;;
esac]
)
# If they didn't specify it, we try to find it
if test $have_pcre != yes -a $requested_included_pcre != yes ; then
AC_CHECK_HEADER(pcre.h,
AC_CHECK_LIB(pcre, pcre_version, [have_pcre=yes ]),
[AC_CHECK_HEADERS(pcre/pcre.h,
[AC_CHECK_LIB(pcre, pcre_version, [have_pcre=yes])]
)]
)
fi
# If we still don't have it, we use our own
if test $have_pcre != yes ; then
AC_CONFIG_SUBDIRS( libpcre )
CXXFLAGS="-I$LIBPCREDIR $CXXFLAGS"
LIBPCRE_LIBS="$LIBPCREDIR/libpcre.a"
PCRE_DEPENDS="$LIBPCREDIR/libpcre.a"
PCRE_CLEAN="pcre_clean"
PCRE_DIST_CLEAN="pcre_dist_clean"
else
LIBPCRE_LIBS="-lpcre"
PCRE_DEPENDS=""
PCRE_CLEAN=""
PCRE_DIST_CLEAN=""
fi
AC_SUBST(LIBPCRE_LIBS)
AC_SUBST(LIBPCREDIR)
AC_SUBST(PCRE_DEPENDS)
AC_SUBST(PCRE_CLEAN)
AC_SUBST(PCRE_DIST_CLEAN)
dnl AC_HEADER_TIME
AC_MSG_CHECKING([struct ip])
AC_TRY_COMPILE([#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>],
[struct ip ip;],
[AC_MSG_RESULT(yes); bsd_networking=yes],
[AC_MSG_RESULT(no); bsd_networking=no]);
if test $bsd_networking = yes; then
AC_DEFINE(BSD_NETWORKING)
AC_MSG_CHECKING([ip_v in struct ip])
AC_TRY_COMPILE([#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>],
[struct ip ip; ip.ip_v;],
[AC_MSG_RESULT(yes); has_bitfields=yes],
[AC_MSG_RESULT(no); has_bitfields=no])
if test $has_bitfields = no; then
SAVE_CXXFLAGS="$CXXFLAGS"
CXXFLAGS="-D__STDC__=2"
AC_MSG_CHECKING([if setting __STDC__=2 gives ip_v])
AC_TRY_COMPILE([#include <sys/types.h>
#include <netinet/in.h>
#include <netinet/in_systm.h>
#include <netinet/ip.h>],
[struct ip ip; ip.ip_v;],
[AC_MSG_RESULT(yes); setting_stdc_helps=yes],
[AC_MSG_RESULT(no); setting_stdc_helps=no])
CXXFLAGS="$SAVE_CXXFLAGS"
if test $setting_stdc_helps = yes; then
CXXFLAGS="$CXXFLAGS -D__STDC__=2"
else
AC_MSG_RESULT(Can't figure out how to get bitfields - configure failed)
exit 1
fi
fi
fi
AC_SUBST(CXXFLAGS)
dnl This test is from the configure.in of Unix Network Programming second
dnl edition example code by W. Richard Stevens
dnl ##################################################################
dnl Check if sockaddr{} has sa_len member.
dnl
AC_CACHE_CHECK(if sockaddr{} has sa_len member, ac_cv_sockaddr_has_sa_len,
AC_TRY_COMPILE([
# include <sys/types.h>
# include <sys/socket.h>],
[unsigned int i = sizeof(((struct sockaddr *)0)->sa_len)],
ac_cv_sockaddr_has_sa_len=yes,
ac_cv_sockaddr_has_sa_len=no))
if test $ac_cv_sockaddr_has_sa_len = yes ; then
AC_DEFINE(HAVE_SOCKADDR_SA_LEN)
fi
dnl check endedness
AC_C_BIGENDIAN
AC_MSG_CHECKING([if struct in_addr is a wacky huge structure (some Sun boxes)])
AC_TRY_COMPILE([#include <netinet/in.h>], struct in_addr i; i._S_un._S_addr;, \
AC_DEFINE(IN_ADDR_DEEPSTRUCT) \
AC_MSG_RESULT(yes) , \
AC_TRY_COMPILE([#include <sys/types.h>
#include <netinet/in.h>], struct in_addr i; i.S_un.S_addr;, \
AC_DEFINE(IN_ADDR_DEEPSTRUCT) \
AC_MSG_RESULT(yes) , \
AC_MSG_RESULT(no);))
AC_CACHE_CHECK(if struct icmp exists, ac_cv_struct_icmp_exists,
AC_TRY_COMPILE([
# include <sys/types.h>
# include <sys/param.h>
# include <netinet/in_systm.h>
# include <netinet/in.h>
# define __USE_BSD
# define __FAVOR_BSD
# define __BSD_SOURCE
# include <netinet/ip.h>
# include <netinet/ip_icmp.h>],
[unsigned int i = sizeof(struct icmp)],
ac_cv_struct_icmp_exists=yes,
ac_cv_struct_icmp_exists=no))
if test $ac_cv_struct_icmp_exists = yes ; then
AC_DEFINE(HAVE_STRUCT_ICMP)
fi
AC_CACHE_CHECK(if struct ip exists, ac_cv_struct_ip_exists,
AC_TRY_COMPILE([
# include <sys/types.h>
# include <sys/param.h>
# include <netinet/in_systm.h>
# include <netinet/in.h>
# define __USE_BSD
# define __FAVOR_BSD
# define __BSD_SOURCE
# include <netinet/ip.h>],
[unsigned int i = sizeof(struct ip)],
ac_cv_struct_ip_exists=yes,
ac_cv_struct_ip_exists=no))
if test $ac_cv_struct_ip_exists = yes ; then
AC_DEFINE(HAVE_STRUCT_IP)
fi
AC_CACHE_CHECK(if struct ip has ip_sum member, ac_cv_ip_has_ip_sum,
AC_TRY_COMPILE([
# include <sys/types.h>
# include <sys/param.h>
# include <netinet/in_systm.h>
# include <netinet/in.h>
# define __USE_BSD
# define __FAVOR_BSD
# define __BSD_SOURCE
# include <netinet/ip.h>
# include <netinet/ip_icmp.h>],
[unsigned int i = sizeof(((struct ip *)0)->ip_sum)],
ac_cv_ip_has_ip_sum=yes,
ac_cv_ip_has_ip_sum=no))
if test $ac_cv_ip_has_ip_sum = yes ; then
AC_DEFINE(HAVE_IP_IP_SUM)
fi
dnl Checks for library functions.
dnl AC_TYPE_SIGNAL
AC_CHECK_FUNCS(bzero memcpy nanosleep strerror \
strcasestr inet_aton getopt_long_only)
AC_LANG_PUSH(C++)
AC_MSG_CHECKING([for usleep])
AC_TRY_LINK([#include <unistd.h>],[usleep (200);],[
AC_MSG_RESULT(yes)],[
AC_MSG_RESULT(no)
AC_MSG_CHECKING([if usleep needs custom prototype])
AC_TRY_LINK([
#include <unistd.h>
extern "C" int usleep (unsigned int);],[
usleep (200);],[
AC_MSG_RESULT(yes)
AC_DEFINE(NEED_USLEEP_PROTO)],
AC_MSG_RESULT(not found))])
AC_LANG_POP(C++)
AC_LANG_PUSH(C++)
AC_TRY_LINK([#include <stdlib.h>
#include <unistd.h>],[
char buffer[200];
gethostname (buffer, 200);], ,[
AC_MSG_CHECKING([if gethostname needs custom prototype])
AC_TRY_LINK([
#include <stdlib.h>
#include <unistd.h>
extern "C" int gethostname (char *, unsigned int);],[
char buffer[200];
gethostname (buffer, 200);],[
AC_MSG_RESULT(yes)
AC_DEFINE(NEED_GETHOSTNAME_PROTO)],
AC_MSG_RESULT(not found))])
AC_LANG_POP(C++)
RECVFROM_ARG6_TYPE
dnl AC_CHECK_FUNCS(gethostname gettimeofday select socket strdup strstr )
AC_ARG_WITH(libnbase,
[ --with-libnbase=DIR Look for nbase include/libs in DIR],
[ case "$with_libnbase" in
yes)
;;
*)
NBASEDIR="$with_libnbase"
;;
esac],
NBASEDIR="nbase"
)
LDFLAGS="$LDFLAGS -L$NBASEDIR"
CXXFLAGS="$CXXFLAGS -I$NBASEDIR"
LIBNBASE_LIBS="-lnbase"
AC_SUBST(NBASEDIR)
AC_SUBST(LIBNBASE_LIBS)
NSOCKDIR="nsock"
AC_ARG_WITH(libnsock,
[ --with-libnsock=DIR Compile and link to libnsock in DIR],
[ case "$with_nsock" in
yes)
;;
*)
NSOCKDIR="$with_nsock"
;;
esac]
)
LDFLAGS="$LDFLAGS -L$NSOCKDIR/src/"
CXXFLAGS="$CXXFLAGS -I$NSOCKDIR/include"
LIBNSOCK_LIBS="-lnsock"
AC_SUBST(NSOCKDIR)
AC_SUBST(LIBNSOCK_LIBS)
nmap_cfg_subdirs="$nmap_cfg_subdirs $NSOCKDIR/src"
dnl I need to configure nmapfe and libpcap here since the user might
dnl have specified special options (such as --prefix )
dnl
dnl But I only have to configure libpcap if I am going to use it
if test $have_libpcap = yes ; then
nmap_cfg_subdirs="$NBASEDIR $nmap_cfg_subdirs"
else
nmap_cfg_subdirs="$NBASEDIR $libpcapdir $nmap_cfg_subdirs"
fi
if test "${with_nmapfe}" = "yes"; then
dnl Check for GTK+
AC_PATH_PROG(GTK_CONFIG, gtk-config, no)
AC_MSG_CHECKING(If you have GTK+ installed)
if test "$GTK_CONFIG" = "no" ; then
AC_MSG_RESULT([no])
AC_MSG_WARN([Gtk+ has not been installed -> nmapfe will not be made])
else
GTK_NEEDED_MAJOR=1
GTK_NEEDED_MINOR=2
GTK_NEEDED_MICRO=7
GTK_MINVERSION=$GTK_NEEDED_MAJOR.$GTK_NEEDED_MINOR.$GTK_NEEDED_MICRO
ver=`gtk-config --version`
dnl Extract the information.
major=`echo $ver|sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\1/'`
minor=`echo $ver|sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\2/'`
micro=`echo $ver|sed 's/\([[0-9]]*\).\([[0-9]]*\).\([[0-9]]*\)/\3/'`
AC_MSG_RESULT($ver)
if test $major -lt $GTK_NEEDED_MAJOR -o $major -eq $GTK_NEEDED_MAJOR \
-a $minor -lt $GTK_NEEDED_MINOR -o $minor -eq $GTK_NEEDED_MINOR \
-a $micro -lt $GTK_NEEDED_MICRO; then
AC_MSG_WARN([An old version of GTK+ ($major.$minor.$micro) was found.\n \
You need at least version $GTK_MINVERSION.\n Subdir X-windows \
will not be made])
else
nmap_cfg_subdirs="$nmap_cfg_subdirs nmapfe"
dnl Maybe also define the flags to compile and link GTK+
dnl GTK_CXXFLAGS=`gtk-config --cflags`
dnl GTK_LIBS=`gtk-config --libs`
dnl AC_SUBST(GTK_CXXFLAGS)
dnl AC_SUBST(GTK_LIBS)
fi
fi
fi
dnl all hell broke loose when the variable was named $subdirs
AC_CONFIG_SUBDIRS( $nmap_cfg_subdirs )
dnl Configure libpcap if we need to since a lot of lamers don't
dnl already have it installed ...
dnl if test $have_libpcap = nsadf ; then
dnl echo "Have libpcap is set to $have_libpcap ";
dnl asdfasdf sdsdf sfd sdfsd
dnl AC_CONFIG_SUBDIRS( $libpcapdir )
dnl fi
AC_OUTPUT(Makefile)
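Review bot: The `--with-libnsock` handler switches on `$with_nsock`, but `AC_ARG_WITH(libnsock, …)` sets `$with_libnsock`, so the DIR given by the user is never read. When the option is passed, the `*)` arm assigns the empty `$with_nsock` to NSOCKDIR, and the flags built right after it become `-L/src/` and `-I/include`. Both references should use the real variable: `case "$with_libnsock" in` and `NSOCKDIR="$with_libnsock"`. Separately, in the `--with-localdirs` block, `CXXFLAGS="$CFLAGS -I/usr/local/include"` replaces any CXXFLAGS the user supplied with the C flags. It should read `CXXFLAGS="$CXXFLAGS -I/usr/local/include"`.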

8
docs/README Normal file

@@ -0,0 +1,8 @@
Here are the docs for nmap. You would be better
off checking the website at http://www.insecure.org/nmap
for the latest information. Also if the man page is installed
correctly you should be able to 'man nmap'. The man page is more
up-to-date than the article. See nmap-manpage.html for an html version
of it.
-Fyodor


@@ -0,0 +1,620 @@
[ NOTE -- A more up-to-date version of this paper and translations to
many other languages are available from
http://www.insecure.org/nmap/nmap-fingerprinting-article.html ]
Remote OS detection via TCP/IP Stack FingerPrinting
by Fyodor <fyodor@insecure.org> (www.insecure.org)
October 18, 1998
ABSTRACT
This paper discusses how to glean precious information about a host by
querying its TCP/IP stack. I first present some of the "classical"
methods of determining host OS which do not involve stack
fingerprinting. Then I describe the current "state of the art" in
stack fingerprinting tools. Next comes a description of many
techniques for causing the remote host to leak information about
itself. Finally I detail my (nmap) implementation of this, followed
by a snapshot gained from nmap which discloses what OS is running on
many popular Internet sites.
REASONS
I think the usefulness of determining what OS a system is running is
pretty obvious, so I'll make this section short. One of the strongest
examples of this usefulness is that many security holes are dependent
on OS version. Lets say you are doing a penetration test and you find
port 53 open. If this is a vulnerable version of Bind, you only get
one chance to exploit it since a failed attempt will crash the daemon.
With a good TCP/IP fingerprinter, you will quickly find that this
machine is running 'Solaris 2.51' or 'Linux 2.0.35' and you can adjust
your shellcode accordingly.
A worse possibility is someone scanning 500,000 hosts in advance to
see what OS is running and what ports are open. Then when someone
posts (say) a root hole in Sun's comsat daemon, our little cracker
could grep his list for 'UDP/512' and 'Solaris 2.6' and he immediately
has pages and pages of rootable boxes. It should be noted that this
is SCRIPT KIDDIE behavior. You have demonstrated no skill and nobody
is even remotely impressed that you were able to find some vulnerable
.edu that had not patched the hole in time. Also, people will be even
_less_ impressed if you use your newfound access to deface the
department's web site with a self-aggrandizing rant about how damn
good you are and how stupid the sysadmins must be.
Another possible use is for social engineering. Lets say that you are
scanning your target company and nmap reports a 'Datavoice TxPORT
PRISM 3000 T1 CSU/DSU 6.22/2.06'. The hacker might now call up as
'Datavoice support' and discuss some issues about their PRISM 3000.
"We are going to announce a security hole soon, but first we want all
our current customers to install the patch -- I just mailed it to you
..." Some naive administrators might assume that only an authorized
engineer from Datavoice would know so much about their CSU/DSU.
Another potential use of this capability is evaluation of companies
you may want to do business with. Before you choose a new ISP, scan
them and see what equipment is in use. Those "$99/year" deals don't
sound nearly so good when you find out they have crappy routers and
offer PPP services off a bunch of Windows boxes.
CLASSICAL TECHNIQUES
Stack fingerprinting solves the problem of OS identification in a
unique way. I think this technique holds the most promise, but there
are currently many other solutions. Sadly, this is still one the most
effective of those techniques:
playground~> telnet hpux.u-aizu.ac.jp
Trying 163.143.103.12...
Connected to hpux.u-aizu.ac.jp.
Escape character is '^]'.
HP-UX hpux B.10.01 A 9000/715 (ttyp2)
login:
There is no point going to all this trouble of fingerprinting if the
machine will blatantly announce to the world exactly what it is
running! Sadly, many vendors ship _current_ systems with these kind
of banners and many admins do not turn them off. Just because there
are other ways to figure out what OS is running (such as
fingerprinting), does not mean we should just announce our OS and
architecture to every schmuck who tries to connect.
The problems with relying on this technique are that an increasing
number of people are turning banners off, many systems don't give much
information, and it is trivial for someone to "lie" in their banners.
Nevertheless, banner reading is all you get for OS and OS Version
checking if you spend $thousands on the commercial ISS scanner.
Download nmap or queso instead and save your money :).
Even if you turn off the banners, many applications will happily give
away this kind of information when asked. For example lets look at an
FTP server:
payfonez> telnet ftp.netscape.com 21
Trying 207.200.74.26...
Connected to ftp.netscape.com.
Escape character is '^]'.
220 ftp29 FTP server (UNIX(r) System V Release 4.0) ready.
SYST
215 UNIX Type: L8 Version: SUNOS
First of all, it gives us system details in its default banner. Then
if we give the 'SYST' command it happily feeds back even more information.
If anon FTP is supported, we can often download /bin/ls or other
binaries and determine what architecture it was built for.
Many other applications are too free with information. Take web
servers for example:
playground> echo 'GET / HTTP/1.0\n' | nc hotbot.com 80 | egrep '^Server:'
Server: Microsoft-IIS/4.0
playground>
Hmmm ... I wonder what OS those lamers are running.
Other classic techniques include DNS host info records (rarely
effective) and social engineering. If the machine is listening on
161/udp (snmp), you are almost guaranteed a bunch of detailed info
using 'snmpwalk' from the CMU SNMP tools distribution and the 'public'
community name.
CURRENT FINGERPRINTING PROGRAMS
Nmap is not the first OS recognition program to use TCP/IP
fingerprinting. The common IRC spoofer sirc by Johan has included
very rudimentary fingerprinting techniques since version 3 (or
earlier). It attempts to place a host in the classes "Linux",
"4.4BSD", "Win95", or "Unknown" using a few simple TCP flag tests.
Another such program is checkos, released publicly in January of this
year by Shok in Confidence Remains High Issue #7.
The fingerprinting techniques are exactly the same as SIRC, and even
the _code_ is identical in many places. Checkos was privately
available for a long time prior to the public release, so I have no
idea who swiped code from whom. But neither seems to credit the
other. One thing checkos does add is telnet banner checking, which is
useful but has the problems described earlier. [ Update: Shok wrote in
to say that chekos was never intended to be public and this is why he
didn't bother to credit SIRC for some of the code. ]
Su1d also wrote an OS checking program. His is called SS and as of
Version 3.11 it can identify 12 different OS types. I am somewhat
partial to this one since he credits my nmap program for some of the
networking code :).
Then there is queso. This program is the newest and it is a huge leap
forward from the other programs. Not only do they introduce a couple
new tests, but they were the first (that I have seen) to move the
OS fingerprints _out_ of the code. The other scanners included code like:
/* from ss */
if ((flagsfour & TH_RST) && (flagsfour & TH_ACK) && (winfour == 0) &&
(flagsthree & TH_ACK))
reportos(argv[2],argv[3],"Livingston Portmaster ComOS");
Instead, queso moves this into a configuration file which obviously
scales much better and makes adding an OS as easy as appending a few
lines to a fingerprint file.
Queso was written by Savage, one of the fine folks at Apostols.org .
One problem with all the programs describe above is that they are very
limited in the number of fingerprinting tests which limits the
granularity of answers. I want to know more than just 'this machine
is OpenBSD, FreeBSD, or NetBSD', I wish to know exactly which of those
it is as well as some idea of the release version number. In the same
way, I would rather see 'Solaris 2.6' than simply 'Solaris'. To
achieve this response granularity, I worked on a number of
fingerprinting techniques which are described in the next section.
FINGERPRINTING METHODOLOGY
There are many, many techniques which can be used to fingerprint
networking stacks. Basically, you just look for things that differ
among operating systems and write a probe for the difference. If you
combine enough of these, you can narrow down the OS very tightly. For
example nmap can reliably distinguish Solaris 2.4 vs. Solaris 2.5-2.51
vs Solaris 2.6. It can also tell Linux kernel 2.0.30 from 2.0.31-34
or 2.0.35. Here are some techniques:
The FIN probe -- Here we send a FIN packet (or any packet without an
ACK or SYN flag) to an open port and wait for a response. The
correct RFC793 behavior is to NOT respond, but many broken
implementations such as MS Windows, BSDI, CISCO, HP/UX, MVS, and
IRIX send a RESET back. Most current tools utilize this
technique.
The BOGUS flag probe -- Queso is the first scanner I have seen to use
this clever test. The idea is to set an undefined TCP "flag" ( 64
or 128) in the TCP header of a SYN packet. Linux boxes prior to
2.0.35 keep the flag set in their response. I have not found any
other OS to have this bug. However, some operating systems seem
to reset the connection when they get a SYN+BOGUS packet. This
behavior could be useful in identifying them.
TCP ISN Sampling -- The idea here is to find patterns in the initial
sequence numbers chosen by TCP implementations when responding to
a connection request. These can be categorized in to many groups
such as the traditional 64K (many old UNIX boxes), Random
increments (newer versions of Solaris, IRIX, FreeBSD, Digital
UNIX, Cray, and many others), True "random" (Linux 2.0.*, OpenVMS,
newer AIX, etc). Windows boxes (and a few others) use a "time
dependent" model where the ISN is incremented by a small fixed
amount each time period. Needless to say, this is almost as
easily defeated as the old 64K behavior. Of course my favorite
technique is "constant". The machines ALWAYS use the exact same
ISN :). I've seen this on some 3Com hubs (uses 0x803) and Apple
LaserWriter printers (uses 0xC7001).
You can also subclass groups such as random incremental by
computing variances, greatest common divisors, and other functions
on the set of sequence numbers and the differences between the
numbers.
It should be noted that ISN generation has important security
implications. For more information on this, contact "security
expert" Tsutomu "Shimmy" Shimomura at SDSC and ask him how he was
owned. Nmap is the first program I have seen to use this for OS
identification.
Don't Fragment bit -- Many operating systems are starting to set the
IP "Don't Fragment" bit on some of the packets they send. This
gives various performance benefits (though it can also be annoying
-- this is why nmap fragmentation scans do not work from Solaris
boxes). In any case, not all OS's do this and some do it in
different cases, so by paying attention to this bit we can glean
even more information about the target OS. I haven't seen this
one before either.
TCP Initial Window -- This simply involves checking the window size on
returned packets. Older scanners simply used a non-zero window on
a RST packet to mean "BSD 4.4 derived". Newer scanners such as
queso and nmap keep track of the exact window since it is actually
pretty constant by OS type. This test actually gives us a lot of
information, since some operating systems can be uniquely
identified by the window alone (for example, AIX is the only OS I
have seen which uses 0x3F25). In their "completely rewritten"
TCP stack for NT5, Microsoft uses 0x402E. Interestingly, that is
exactly the number used by OpenBSD and FreeBSD.
ACK Value -- Although you would think this would be completely
standard, implementations differ in what value they use for the
ACK field in some cases. For example, lets say you send a
FIN|PSH|URG to a closed TCP port. Most implementations will set
the ACK to be the same as your initial sequence number, though
Windows and some stupid printers will send your seq + 1. If you
send a SYN|FIN|URG|PSH to an open port, Windows is very
inconsistent. Sometimes it sends back your seq, other times it
sends S++, and still other times is sends back a seemingly random
value. One has to wonder what kind of code MS is writing that
changes its mind like this.
ICMP Error Message Quenching -- Some (smart) operating systems follow
the RFC 1812 suggestion to limit the rate at which various error
messages are sent. For example, the Linux kernel (in
net/ipv4/icmp.h) limits destination unreachable message generation
to 80 per 4 seconds, with a 1/4 second penalty if that is
exceeded. One way to test this is to send a bunch of packets to
some random high UDP port and count the number of unreachables
received. I have not seen this used before, and in fact I have
not added this to nmap (except for use in UDP port scanning).
This test would make the OS detection take a bit longer since you
need to send a bunch of packets and wait for them to return. Also
dealing with the possibility of packets dropped on the network
would be a pain.
ICMP Message Quoting -- The RFCs specify that ICMP error messages
quote some small amount of an ICMP message that causes various
errors. For a port unreachable message, almost all
implementations send only the required IP header + 8 bytes back.
However, Solaris sends back a bit more and Linux sends back even
more than that. The beauty with this is it allows nmap to
recognize Linux and Solaris hosts even if they don't have any
ports listening.
ICMP Error message echoing integrity -- I got this idea from something
Theo De Raadt (lead OpenBSD developer) posted to
comp.security.unix. As mentioned before, machines have to send
back part of your original message along with a port unreachable
error. Yet some machines tend to use your headers as 'scratch
space' during initial processing and so they are a bit warped by
the time you get them back. For example, AIX and BSDI send back an
IP 'total length' field that is 20 bytes too high. Some BSDI,
FreeBSD, OpenBSD, ULTRIX, and VAXen fuck up the IP ID that you sent
them. While the checksum is going to change due to the changed
TTL anyway, there are some machines (AIX, FreeBSD, etc.) which send
back an inconsistent or 0 checksum. Same thing goes with the UDP
checksum. All in all, nmap does nine different tests on the ICMP
errors to sniff out subtle differences like these.
Type of Service -- For the ICMP port unreachable messages I look at
the type of service (TOS) value of the packet sent back. Almost
all implementations use 0 for this ICMP error although Linux uses
0xC0. This does not indicate one of the standard TOS values, but instead is
part of the unused (AFAIK) precedence field. I do not know why
this is set, but if they change to 0 we will be able to keep
identifying the old versions _and_ we will be able to identify
between old and new.
Fragmentation Handling -- This is a favorite technique of Thomas
H. Ptacek of Secure Networks, Inc (now owned by a bunch of Windows
users at NAI). This takes advantage of the fact that different
implementations often handle overlapping IP fragments differently.
Some will overwrite the old portions with the new, and in other
cases the old stuff has precedence. There are many different
probes you can use to determine how the packet was reassembled. I
did not add this capability since I know of no portable way to send
IP fragments (in particular, it is a bitch on Solaris). For more
information on overlapping fragments, you can read their IDS paper
(www.secnet.com).
TCP Options -- These are truly a gold mine in terms of leaking
information. The beauty of these options is that:
1) They are generally optional (duh!) :) so not all hosts implement
them.
2) You know if a host implements them by sending a query with an
option set. The target generally show support of the option by
setting it on the reply.
3) You can stuff a whole bunch of options on one packet to test
everything at once.
Nmap sends these options along with almost every probe packet:
Window Scale=10; NOP; Max Segment Size = 265; Timestamp; End of Ops;
When you get your response, you take a look at which options were
returned and thus are supported. Some operating systems such as
recent FreeBSD boxes support all of the above, while others, such
as Linux 2.0.X support very few. The latest Linux 2.1.x kernels
do support all of the above. On the other hand, they are more
vulnerable to TCP sequence prediction. Go figure.
Even if several operating systems support the same set of options,
you can sometimes distinguish them by the _values_ of the options.
For example, if you send a small MSS value to a Linux box, it will
generally echo that MSS back to you. Other hosts will give you
different values.
And even if you get the same set of supported options AND the same
values, you can still differentiate via the _order_ that the
options are given, and where padding is applied. For example
Solaris returns 'NNTNWME' which means:
<no op><no op><timestamp><no op><window scale><echoed MSS>
While Linux 2.1.122 returns MENNTNW. Same options, same values,
but different order!
I have not seen any other OS detection tools utilizes TCP options,
but it is very useful.
There are a few other useful options I might probe for at some
point, such as those that support T/TCP and selective
acknowledgements.
Exploit Chronology -- Even with all the tests above, nmap is unable to
distinguish between the TCP stacks of Win95, WinNT, or Win98.
This is rather surprising, especially since Win98 came out about 4
years after Win95. You would think they would have bothered to
improve the stack in some way (like supporting more TCP options)
and so we would be able to detect the change and distinguish the
operating systems. Unfortunately, this is not the case. The NT
stack is apparently the same crappy stack they put into '95. And
they didn't bother to upgrade it for '98.
But do not give up hope, for there is a solution. You can simply
start with early Windows DOS attacks (Ping of Death, Winnuke, etc)
and move up a little further to attacks such as Teardrop and Land.
After each attack, ping them to see whether they have crashed.
When you finally crash them, you will likely have narrowed what
they are running down to one service pack or hotfix.
I have not added this functionality to nmap, although I must admit
it is very tempting :).
SYN Flood Resistance -- Some operating systems will stop accepting new
connections if you send too many forged SYN packets at them
(forging the packets avoids trouble with your kernel resetting the
connections). Many operating systems can only handle 8 packets.
Recent Linux kernels (among other operating systems) allow
various methods such as SYN cookies to prevent this from being a
serious problem. Thus you can learn something about your target
OS by sending 8 packets from a forged source to an open port and
then testing whether you can establish a connection to that port
yourself. This was not implemented in nmap since some people get
upset when you SYN flood them. Even explaining that you were
simply trying to determine what OS they are running might not help
calm them.
NMAP IMPLEMENTATION AND RESULTS
I have created a reference implementation of the OS detection
techniques mentioned above (except those I said were excluded). I
have added this to my Nmap scanner which has the advantage that it
already _knows_ what ports are open and closed for fingerprinting so
you do not have to tell it. It is also portable among Linux, *BSD,
and Solaris 2.51 and 2.6, and some other operating systems.
The new version of nmap reads a file filled with Fingerprint templates
that follow a simple grammar. Here is an example:
FingerPrint IRIX 6.2 - 6.4 # Thanks to Lamont Granquist
TSeq(Class=i800)
T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=C000|EF2A%ACK=O%Flags=A%Ops=NNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Lets look at the first line (I'm adding '>' quote markers):
> FingerPrint IRIX 6.2 - 6.3 # Thanks to Lamont Granquist
This simply says that the fingerprint covers IRIX versions 6.2 through
6.3 and the comment states that Lamont Granquist kindly sent me the IP
addresses or fingerprints of the IRIX boxes tested.
> TSeq(Class=i800)
This means that ISN sampling put it in the "i800 class". This means
that each new sequence number is a multiple of 800 greater than the
last one.
> T1(DF=N%W=C000|EF2A%ACK=S++%Flags=AS%Ops=MNWNNT)
The test is named T1 (for test1, clever eh?). In this test we send a
SYN packet with a bunch of TCP options to an open port. DF=N means
that the "Don't fragment" bit of the response must not be set.
W=C000|EF2A means that the window advertisement we received must
be 0xC000 or EF2A. ACK=S++ means the acknowledgement we receive must
be our initial sequence number plus 1. Flags = AS means the ACK and
SYN flags were sent in the response. Ops = MNWNNT means the options
in the response must be (in this order):
<MSS (not echoed)><NOP><Window scale><NOP><NOP><Timestamp>
> T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
Test 2 involves a NULL with the same options to an open port. Resp=Y
means we must get a response. Ops= means that there must not be any
options included in the response packet. If we took out '%Ops='
entirely then any options sent would match.
> T3(Resp=Y%DF=N%W=400%ACK=S++%Flags=AS%Ops=M)
Test 3 is a SYN|FIN|URG|PSH w/options to an open port.
> T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
This is an ACK to an open port. Note that we do not have a Resp=
here. This means that lack of a response (such as the packet being
dropped on the network or an evil firewall) will not disqualify a
match as long as all the other tests match. We do this because
virtually any OS will send a response, so a lack of response is
generally an attribute of the network conditions and not the OS
itself. We put the Resp tag in tests 2 and 3 because some operating
systems _do_ drop those without responding.
> T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
> T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
> T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
These tests are a SYN, ACK, and FIN|PSH|URG, respectively, to a closed
port. The same options as always are set. Of course this is all
probably obvious given the descriptive names 'T5', 'T6', and 'T7' :).
> PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
This big sucker is the 'port unreachable' message test. You should
recognize the DF=N by now. TOS=0 means that IP type of service field
was 0. The next two fields give the (hex) values of the IP total
length field of the message IP header and the total length given in
the IP header they are echoing back to us. RID=E means the RID value
we got back in the copy of our original UDP packet was expected (ie
the same as we sent). RIPCK=E means they didn't fuck up the checksum
(if they did, it would say RIPCK=F). UCK=E means the UDP checksum is
also correct. Next comes the UDP length which was 0x134 and DAT=E
means they echoed our UDP data correctly. Since most implementations
(including this one) do not send any of our UDP data back, they get
DAT=E by default.
The version of nmap with this functionality is currently in the 6th
private beta cycle. It may be out by the time you read this in
Phrack. Then again, it might not. See http://www.insecure.org/nmap/
for the latest version.
POPULAR SITE SNAPSHOTS
Here is the fun result of all our effort. We can now take random
Internet sites and determine what OS they are using. A lot of these
people have eliminated telnet banners, etc. to keep this information
private. But this is of no use with our new fingerprinter! Also
this is a good way to expose the <your favorite crap OS> users as the
lamers that they are :)!
The command used in these examples was: nmap -sS -p 80 -O -v <host>
Also note that most of these scans were done on 10/18/98. Some of
these folks may have upgraded/changed servers since then.
Note that I do not like every site on here.
# "Hacker" sites or (in a couple cases) sites that think they are
www.l0pht.com => OpenBSD 2.2 - 2.4
www.insecure.org => Linux 2.0.31-34
www.rhino9.ml.org => Windows 95/NT # No comment :)
www.technotronic.com => Linux 2.0.31-34
www.nmrc.org => FreeBSD 2.2.6 - 3.0
www.cultdeadcow.com => OpenBSD 2.2 - 2.4
www.kevinmitnick.com => Linux 2.0.31-34 # Free Kevin!
www.2600.com => FreeBSD 2.2.6 - 3.0 Beta
www.antionline.com => FreeBSD 2.2.6 - 3.0 Beta
www.rootshell.com => Linux 2.0.35 # Changed to OpenBSD after
# they got owned.
# Security vendors, consultants, etc.
www.repsec.com => Linux 2.0.35
www.iss.net => Linux 2.0.31-34
www.checkpoint.com => Solaris 2.5 - 2.51
www.infowar.com => Win95/NT
# Vendor loyalty to their OS
www.li.org => Linux 2.0.35 # Linux International
www.redhat.com => Linux 2.0.31-34 # I wonder what distribution :)
www.debian.org => Linux 2.0.35
www.linux.org => Linux 2.1.122 - 2.1.126
www.sgi.com => IRIX 6.2 - 6.4
www.netbsd.org => NetBSD 1.3X
www.openbsd.org => Solaris 2.6 # Ahem :)
www.freebsd.org => FreeBSD 2.2.6-3.0 Beta
# Ivy league
www.harvard.edu => Solaris 2.6
www.yale.edu => Solaris 2.5 - 2.51
www.caltech.edu => SunOS 4.1.2-4.1.4 # Hello! This is the 90's :)
www.stanford.edu => Solaris 2.6
www.mit.edu => Solaris 2.5 - 2.51 # Coincidence that so many good
# schools seem to like Sun?
# Perhaps it is the 40%
# .edu discount :)
www.berkeley.edu => UNIX OSF1 V 4.0,4.0B,4.0D
www.oxford.edu => Linux 2.0.33-34 # Rock on!
# Lamer sites
www.aol.com => IRIX 6.2 - 6.4 # No wonder they are so insecure :)
www.happyhacker.org => OpenBSD 2.2-2.4 # Sick of being owned, Carolyn?
# Even the most secure OS is
# useless in the hands of an
# incompetent admin.
# Misc
www.lwn.net => Linux 2.0.31-34 # This Linux news site rocks!
www.slashdot.org => Linux 2.1.122 - 2.1.126
www.whitehouse.gov => IRIX 5.3
sunsite.unc.edu => Solaris 2.6
Notes: In their security white paper, Microsoft said about their lax
security: "this assumption has changed over the years as Windows NT
gains popularity largely because of its security features.". Hmm,
from where I stand it doesn't look like Windows is very popular among
the security community :). I only see 2 Windows boxes from the whole
group, and Windows is _easy_ for nmap to distinguish since it is so
broken (standards wise).
And of course, there is one more site we must check. This is the web
site of the ultra-secret Transmeta corporation. Interestingly the
company was funded largely by Paul Allen of Microsoft, but it employs
Linus Torvalds. So do they stick with Paul and run NT or do they side
with the rebels and join the Linux revolution? Let us see:
We use the command:
nmap -sS -F -o transmeta.log -v -O www.transmeta.com/24
This says SYN scan for known ports (from /etc/services), log the
results to 'transmeta.log', be verbose about it, do an OS scan, and
scan the class 'C' where www.transmeta.com resides. Here is the gist
of the results:
neon-best.transmeta.com (206.184.214.10) => Linux 2.0.33-34
www.transmeta.com (206.184.214.11) => Linux 2.0.30
neosilicon.transmeta.com (206.184.214.14) => Linux 2.0.33-34
ssl.transmeta.com (206.184.214.15) => Linux unknown version
linux.kernel.org (206.184.214.34) => Linux 2.0.35
www.linuxbase.org (206.184.214.35) => Linux 2.0.35 ( possibly the same
machine as above )
Well, I think this answers our question pretty clearly :).
ACKNOWLEDGEMENTS
The only reason Nmap is currently able to detect so many different
operating systems is that many people on the private beta team went to
a lot of effort to search out new and exciting boxes to fingerprint!
In particular, Jan Koum, van Hauser, Dmess0r, David O'Brien, James
W. Abendschan, Solar Designer, Chris Wilson, Stuart Stock, Mea Culpa,
Lamont Granquist, Dr. Who, Jordan Ritter, Brett Eldridge, and Pluvius
sent in tons of IP addresses of wacky boxes and/or fingerprints of
machines not reachable through the Internet.
Thanks to Richard Stallman for writing GNU Emacs. This article would
not be so well word-wrapped if I was using vi or cat and ^D.
Questions and comments can be sent to fyodor@insecure.org (if that doesn't
work for some reason, use fyodor@insecure.org). Nmap can be obtained
from http://www.insecure.org/nmap .

1173
docs/nmap.1 Normal file

File diff suppressed because it is too large Load Diff

371
docs/nmap.deprecated.txt Normal file

@@ -0,0 +1,371 @@
.oO Phrack 51 Oo.
Volume Seven, Issue Fifty One
xx of xx
The Art of Port Scanning
by Fyodor (fyodor@insecure.org)
[ Abstract ]
This paper details many of the techniques used to determine what ports (or
similar protocol abstraction) of a host are listening for connections. These
ports represent potential communication channels. Mapping their existence
facilitates the exchange of information with the host, and thus it is quite
useful for anyone wishing to explore their networked environment, including
hackers. Despite what you have heard from the media, the Internet is NOT
all about TCP port 80. Anyone who relies exclusively on the WWW for
information gathering is likely to gain the same level of proficiency as your
average AOLer, who does the same. This paper is also meant to serve as an
introduction to and ancillary documentation for a coding project I have been
working on. It is a full featured, robust port scanner which (I hope) solves
some of the problems I have encountered when dealing with other scanners and
when working to scan massive networks. The tool, nmap, supports the following:
- vanilla TCP connect() scanning,
- TCP SYN (half open) scanning,
- TCP FIN (stealth) scanning,
- TCP ftp proxy (bounce attack) scanning
- SYN/FIN scanning using IP fragments (bypasses packet filters),
- UDP recvfrom() scanning,
- UDP raw ICMP port unreachable scanning,
- ICMP scanning (ping-sweep), and
- reverse-ident scanning.
The freely distributable source code is appended to this paper.
[ Introduction ]
Scanning, as a method for discovering exploitable communication channels, has
been around for ages. The idea is to probe as many listeners as possible, and
keep track of the ones which are receptive or useful to your particular need.
Much of the field of advertising is based on this paradigm, and the "to current
resident" brute force style of bulk mail is an almost perfect parallel to what
we will discuss. Just stick a message in every mailbox and wait for the
responses to trickle back.
Scanning entered the h/p world along with the phone systems. Here we have this
tremendous global telecommunications network, all reachable through codes on
our telephone. Millions of numbers are reachable locally, yet we may only
be interested in 0.5% of these numbers, perhaps those that answer with a
carrier.
The logical solution to finding those numbers that interest us is to try them
all. Thus the field of "wardialing" arose. Excellent programs like Toneloc
were developed to facilitate the probing of entire exchanges and more. The
basic idea is simple. If you dial a number and your modem gives you a CONNECT,
you record it. Otherwise the computer hangs up and tirelessly dials the next
one.
While wardialing is still useful, we are now finding that many of the computers
we wish to communicate with are connected through networks such as the Internet
rather than analog phone dialups. Scanning these machines involves the same
brute force technique. We send a blizzard of packets for various protocols,
and we deduce which services are listening from the responses we receive (or
don't receive).
[ Techniques ]
Over time, a number of techniques have been developed for surveying the
protocols and ports on which a target machine is listening. They all offer
different benefits and problems. Here is a line up of the most common:
- TCP connect() scanning : This is the most basic form of tcp scanning. The
connect() system call provided by your operating system is used to open a
connection to every interesting port on the machine. If the port is listening,
connect() will succeed, otherwise the port isn't reachable. One strong
advantage to this technique is that you don't need any special privileges. Any
user on most UNIX boxes is free to use this call. Another advantage is speed.
While making a separate connect() call for every targeted port in a linear
fashion would take ages over a slow connection, you can hasten the scan by
using many sockets in parallel. Using non-blocking I/O allows you to set a low
time-out period and watch all the sockets at once. This is the fastest
scanning method supported by nmap, and is available with the -t (TCP) option.
The big downside is that this sort of scan is easily detectable and filterable.
The target hosts logs will show a bunch of connection and error messages for
the services which take the connection and then have it immediately shutdown.
- TCP SYN scanning : This technique is often referred to as "half-open"
scanning, because you don't open a full TCP connection. You send a SYN packet,
as if you are going to open a real connection and wait for a response. A
SYN|ACK indicates the port is listening. A RST is indicative of a non-
listener. If a SYN|ACK is received, you immediately send a RST to tear down
the connection (actually the kernel does this for us). The primary advantage
to this scanning technique is that fewer sites will log it. Unfortunately you
need root privileges to build these custom SYN packets. SYN scanning is the -s
option of nmap.
- TCP FIN scanning : There are times when even SYN scanning isn't clandestine
enough. Some firewalls and packet filters watch for SYNs to an unallowed port,
and programs like synlogger and courtney are available to detect these scans.
FIN packets, on the other hand, may be able to pass through unmolested. This
scanning technique was featured in detail by Uriel Maimon in Phrack 49, article
15. The idea is that closed ports tend to reply to your FIN packet with the
proper RST. Open ports, on the other hand, tend to ignore the packet in
question. This is a bug in TCP implementations and so it isn't 100% reliable
(some systems, notably Micro$oft boxes, seem to be immune). It works well on
most other systems I've tried. FIN scanning is the -U (Uriel) option of nmap.
- Fragmentation scanning : This is not a new scanning method in and of itself,
but a modification of other techniques. Instead of just sending the probe
packet, you break it into a couple of small IP fragments. You are splitting
up the TCP header over several packets to make it harder for packet filters
and so forth to detect what you are doing. Be careful with this! Some
programs have trouble handling these tiny packets. My favorite sniffer
segmentation faulted immediately upon receiving the first 36-byte fragment.
After that comes a 24 byte one! While this method won't get by packet filters
and firewalls that queue all IP fragments (like the CONFIG_IP_ALWAYS_DEFRAG
option in Linux), a lot of networks can't afford the performance hit this
causes. This feature is rather unique to scanners (at least I haven't seen
any others that do this). Thanks to daemon9 for suggesting it. The -f
instructs the specified SYN or FIN scan to use tiny fragmented packets.
- TCP reverse ident scanning : As noted by Dave Goldsmith in a 1996 Bugtraq
post, the ident protocol (rfc1413) allows for the disclosure of the username of
the owner of any process connected via TCP, even if that process didn't
initiate the connection. So you can, for example, connect to the http port
and then use identd to find out whether the server is running as root. This
can only be done with a full TCP connection to the target port (ie the -t
option). nmap's -i option queries identd for the owner of all listen()ing
ports.
- FTP bounce attack : An interesting "feature" of the ftp protocol (RFC 959) is
support for "proxy" ftp connections. In other words, I should be able to
connect from evil.com to the FTP server-PI (protocol interpreter) of target.com
to establish the control communication connection. Then I should be able to
request that the server-PI initiate an active server-DTP (data transfer
process) to send a file ANYWHERE on the internet! Presumably to a User-DTP,
although the rfc specifically states that asking one server to send a file to
another is OK. Now this may have worked well in 1985, when the rfc was
written. But nowadays, we can't have people hijacking ftp servers and
requesting that data be spit out to arbitrary points on the internet. As
*Hobbit* wrote back in 1995, this protocol flaw "can be used to post virtually
untraceable mail and news, hammer on servers at various sites, fill up disks,
try to hop firewalls, and generally be annoying and hard to track down at the
same time." What we will exploit this for is to (surprise, surprise) scan TCP
ports from a "proxy" ftp server. Thus you could connect to an ftp server
behind a firwall, and then scan ports that are more likely to be blocked (139
is a good one). If the ftp server allows reading from and writing to a
directory (such as /incoming), you can send arbitrary data to ports that you do
find open.
For port scanning, our technique is to use the PORT command to declare that
our passive "User-DTP" is listening on the target box at a certain port number.
Then we try to LIST the current directory, and the result is sent over the
Server-DTP channel. If our target host is listening on the specified port, the
transfer will be successful (generating a 150 and a 226 response). Otherwise
we will get "425 Can't build data connection: Connection refused." Then we
issue another PORT command to try the next port on the target host. The
advantages to this approach are obvious (harder to trace, potential to bypass
firewalls). The main disadvantages are that it is slow, and that some FTP
servers have finally got a clue and disabled the proxy "feature". For what it
is worth, here is a list of benners from sites where it does/doesn't work:
*Bounce attacks worked:*
220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.
220 xxx.xxx.xxx.edu FTP server ready.
220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.
220 lem FTP server (SunOS 4.1) ready.
220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.
220 elios FTP server (SunOS 4.1) ready
*Bounce attack failed:*
220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7
220 ftp Microsoft FTP Service (Version 3.0).
220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.
220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.
The 'x's are partly there to protect those guilty of running a flawed server,
but mostly just to make the lines fit in 80 columns. Same thing with the
ellipse points. The bounce attack is avalable with the -b <proxy_server>
option of nmap. proxy_server can be specified in standard URL format,
username:password@server:port , with everything but server being optional.
- UDP ICMP port unreachable scanning : This scanning method varies from the
above in that we are using the UDP protocol instead of TCP. While this
protocol is simpler, scanning it is actually significantly more difficult.
This is because open ports don't have to send an acknowledgement in response to
our probe, and closed ports aren't even required to send an error packet.
Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you send a
packet to a closed UDP port. Thus you can find out if a port is NOT open, and
by exclusion determine which ports which are. Neither UDP packets, nor the
ICMP errors are guaranteed to arrive, so UDP scanners of this sort must also
implement retransmission of packets that appear to be lost (or you will get a
bunch of false positives). Also, this scanning technique is slow because of
compensation for machines that took RFC 1812 section 4.3.2.8 to heart and limit
ICMP error message rate. For example, the Linux kernel (in net/ipv4/icmp.h)
limits destination unreachable message generation to 80 per 4 seconds, with a
1/4 second penalty if that is exceeded. At some point I will add a better
algorithm to nmap for detecting this. Also, you will need to be root for
access to the raw ICMP socket necessary for reading the port unreachable. The
-u (UDP) option of nmap implements this scanning method for root users.
Some people think UDP scanning is lame and pointless. I usually remind them of
the recent Solaris rcpbind hole. Rcpbind can be found hiding on an
undocumented UDP port somewhere above 32770. So it doesn't matter that 111 is
blocked by the firewall. But can you find which of the more than 30,000 high
ports it is listening on? With a UDP scanner you can!
- UDP recvfrom() and write() scanning : While non-root users can't read
port unreachable errors directly, Linux is cool enough to inform the user
indirectly when they have been received. For example a second write()
call to a closed port will usually fail. A lot of scanners such as netcat
and Pluvius' pscan.c do this. I have also noticed that recvfrom() on
non-blocking UDP sockets usually return EAGAIN ("Try Again", errno 13) if
the ICMP error hasn't been received, and ECONNREFUSED ("Connection refused",
errno 111) if it has. This is the technique used for determining open ports
when non-root users use -u (UDP). Root users can also use the -l (lamer
UDP scan) options to force this, but it is a really dumb idea.
- ICMP echo scanning : This isn't really port scanning, since ICMP doesn't have
a port abstraction. But it is sometimes useful to determine what hosts in a
network are up by pinging them all. the -P option does this. Also you might
want to adjust the PING_TIMEOUT #define if you are scanning a large
network. nmap supports a host/bitmask notation to make this sort of thing
easier. For example 'nmap -P cert.org/24 152.148.0.0/16' would scan CERT's
class C network and whatever class B entity 152.148.* represents. Host/26 is
useful for 6-bit subnets within an organization.
[ Features ]
Prior to writing nmap, I spent a lot of time with other scanners exploring the
Internet and various private networks (note the avoidance of the "intranet"
buzzword). I have used many of the top scanners available today, including
strobe by Julian Assange, netcat by *Hobbit*, stcp by Uriel Maimon, pscan by
Pluvius, ident-scan by Dave Goldsmith, and the SATAN tcp/udp scanners by
Wietse Venema. These are all excellent scanners! In fact, I ended up hacking
most of them to support the best features of the others. Finally I decided
to write a whole new scanner, rather than rely on hacked versions of a dozen
different scanners in my /usr/local/sbin. While I wrote all the code, nmap
uses a lot of good ideas from its predecessors. I also incorporated some new
stuff like fragmentation scanning and options which were on my "wish list" for
other scanners. Here are some of the (IMHO) useful features of nmap:
- dynamic delay time calculations: Some scanners require that you supply a
delay time between sending packets. Well how should I know what to use?
Sure, I can ping them, but that is a pain, and plus the response time of many
hosts changes dramatically when they are being flooded with requests. nmap
tries to determine the best delay time for you. It also tries to keep track
of packet retransmissions, etc. so that it can modify this delay time during
the course of the scan. For root users, the primary technique for finding an
initial delay is to time the internal "ping" function. For non-root users, it
times an attempted connect() to a closed port on the target. It can also pick
a reasonable default value. Again, people who want to specify a delay
themselves can do so with -w (wait), but you shouldn't have to.
- retransmission: Some scanners just send out all the query packets, and
collect the responses. But this can lead to false positives or negatives in
the case where packets are dropped. This is especially important for
"negative" style scans like UDP and FIN, where what you are looking for is a
port that does NOT respond. In most cases, nmap implements a configurable
number of retransmissions for ports that don't respond.
- parallel port scanning: Some scanners simply scan ports linearly, one at a
time, until they do all 65535. This actually works for TCP on a very fast
local network, but the speed of this is not at all acceptable on a wide area
network like the Internet. nmap uses non-blocking i/o and parallel scanning
in all TCP and UDP modes. The number of scans in parallel is configurable
with the -M (Max sockets) option. On a very fast network you will actually
decrease performance if you do more than 18 or so. On slow networks, high
values increase performance dramatically.
- Flexible port specification: I don't always want to just scan all 65535
ports. Also, the scanners which only allow you to scan ports 1 - N sometimes
fall short of my need. The -p option allows you to specify an arbitrary
number of ports and ranges for scanning. For example, '-p 21-25,80,113,
60000-' does what you would expect (a trailing hyphen means up to 65536, a
leading hyphen means 1 through). You can also use the -F (fast) option, which
scans all the ports registered in your /etc/services (a la strobe).
- Flexible target specification: I often want to scan more then one host,
and I certainly don't want to list every single host on a large network to
scan. Everything that isn't an option (or option argument) in nmap is
treated as a target host. As mentioned before, you can optionally append
/mask to a hostname or IP address in order to scan all hosts with the same
initial <mask> bits of the 32 bit IP address.
- detection of down hosts: Some scanners allow you to scan large networks, but
they waste a huge amount of time scanning 65535 ports of a dead host! By
default, nmap pings each host to make sure it is up before wasting time on it.
It is also capable of bailing on hosts which seem down based on strange port
scanning errors. It is also meant to be tolerant of people who accidently scan
network addresses, broadcast addresses, etc.
- detection of your IP address: For some reason, a lot of scanners ask you to
type in your IP address as one of the parameters. Jeez, I don't want to have
to 'ifconfig' and figure out my current address every time I scan. Of course,
this is better then the scanners I've seen which require recompilation every
time you change your address! nmap first tries to detect your address during
the ping stage. It uses the address that the echo response is received on, as
that is the interface it should almost always be routed through. If it can't
do this (like if you don't have host pinging enabled), nmap tries to detect
your primary interface and uses that address. You can also use -S to specify
it directly, but you shouldn't have to (unless you want to make it look like
someone ELSE is SYN or FIN scanning a host.
Some other, more minor options:
-v (verbose): This is highly recommended for interactive use. Among other
useful messages, you will see ports come up as they are found, rather than
having to wait for the sorted summary list.
-r (randomize): This will randomize the order in which the target host's
ports are scanned.
-q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default).
It also eliminates all other arguments, so you won't look too suspicious in
'w' or 'ps' listings.
-h for an options summary.
Also look for http://www.insecure.org/nmap/, which is the web site I plan to
put future versions and more information on. In fact, you would be well
advised to check there right now.
[ Greets ]
Of course this paper would not be complete without a shout out to all the
people who made it possible.
* Congratulations to the people at Phrack for getting this thing going again!
* Greets to the whole dc-stuff crew.
* Greets to the STUPH, Turntec, L0pht, TACD, the Guild, cDc, and all the other
groups who help keep the scene alive.
* Shout out to _eci for disclosing the coolest Windows bug in recent history.
* Thanks to the Data Haven Project (dhp.com) admins for providing such great
service for $10/month.
* And a special shout out goes to all my friends. You know who
you are and some of you (wisely) stay out of the spotlight, so I'll keep you
anonymous ... except of course for Ken and Jay, and Avenger, Grog, Cash
Monies, Ethernet Kid, Zos, JuICe, Mother Prednisone, and Karen.
And finally, we get to ...
[ The code ]
This should compile fine on any Linux box with 'gcc -O6 -o nmap nmap.c -lm'.
It is distrubuted under the terms of the GNU GENERAL PUBLIC LICENSE. If you
have problems or comments, feel free to mail me (fyodor@insecure.org).

253
docs/nmap.dtd Normal file

@@ -0,0 +1,253 @@
<!--
nmap.dtd
This is the DTD for nmap's XML output (-oX) format.
$Id$
Originally written by:
William McVey <wam@cisco.com> <wam+nmap@wamber.net>
Now maintained by Fyodor <fyodor@insecure.org> as part of Nmap.
To validate using this file, simply add a DOCTYPE line similar to:
<!DOCTYPE nmaprun SYSTEM "nmap.dtd">
to the nmap output immediately below the prologue (the first line). This
should allow you to run a validating parser against the output (so long
as the dtd is in your parser's dtd search path).
Bugs:
Most of the elements are "locked" into the specific order that nmap
generates, when there really is no need for a specific ordering.
This is primarily because I don't know the xml DTD construct to
specify "one each of this list of elements, in any order". If there
is a construct similar to SGML's '&' operator, please let me know.
Since the work to write this DTD was done as part of WAM's
job duties for the Cisco Secure Consulting Services group
(http://www.cisco.com/go/securityconsulting), the following copyright
needs to be included in this and any other derived works.
# Copyright (c) 2001 by Cisco systems, Inc.
#
# Permission to use, copy, modify, and distribute modified and
# unmodified copies of this software for any purpose and without fee is
# hereby granted, provided that (a) this copyright and permission notice
# appear on all copies of the software and supporting documentation, (b)
# the name of Cisco Systems, Inc. not be used in advertising or
# publicity pertaining to distribution of the program without specific
# prior permission, and (c) notice be given in supporting documentation
# that use, modification, copying and distribution is by permission of
# Cisco Systems, Inc.
#
# Cisco Systems, Inc. makes no representations about the suitability
# of this software for any purpose. THIS SOFTWARE IS PROVIDED ``AS
# IS'' AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING,
# WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
# FITNESS FOR A PARTICULAR PURPOSE.
#
-->
<!-- parameter entities to specify common "types" used elsewhere in the DTD -->
<!ENTITY % attr_numeric "CDATA" >
<!ENTITY % attr_ipaddr "CDATA" >
<!ENTITY % attr_numeric "CDATA" >
<!ENTITY % attr_type "(ipv4 | ipv6 | mac)" >
<!ENTITY % host_states "(up|down|unknown|skipped)" >
<!-- see: nmap.c:statenum2str for list of port states -->
<!-- Maybe they should be enumerated as in scan_types below , but I -->
<!-- don't know how to escape states like open|filtered -->
<!ENTITY % port_states "CDATA" >
<!ENTITY % hostname_types "(PTR)" >
<!-- see output.c:output_xml_scaninfo_records for scan types -->
<!ENTITY % scan_types "(syn|ack|bounce|connect|null|xmas|window|maimon|fin|udp|ipproto)" >
<!-- <!ENTITY % ip_versions "(ipv4)" > -->
<!ENTITY % port_protocols "(ip|tcp|udp)" >
<!-- I don't know exactly what these are, but the values were enumerated via:
grep "conf=" *
-->
<!ENTITY % service_confs "( 3 | 5 | 10)" >
<!-- This element was started in nmap.c:nmap_main().
It represents to the topmost element of the output document.
-->
<!ELEMENT nmaprun (scaninfo?, verbose, debugging, host*, runstats?) >
<!ATTLIST nmaprun
scanner (nmap) #REQUIRED
args CDATA #IMPLIED
start %attr_numeric; #IMPLIED
startstr CDATA #IMPLIED
version CDATA #REQUIRED
xmloutputversion (1.01) #REQUIRED
>
<!-- this element is written in output.c:doscaninfo() -->
<!ELEMENT scaninfo EMPTY >
<!ATTLIST scaninfo
type %scan_types; #REQUIRED
protocol %port_protocols; #REQUIRED
numservices %attr_numeric; #REQUIRED
services CDATA #REQUIRED
>
<!-- these elements are written in nmap.c:nmap_main() -->
<!ELEMENT verbose EMPTY >
<!ATTLIST verbose level %attr_numeric; #IMPLIED >
<!ELEMENT debugging EMPTY >
<!ATTLIST debugging level %attr_numeric; #IMPLIED >
<!--
this element is started in nmap.c:nmap_main() and filled by
output.c:write_host_status(), output.c:printportoutput(), and
output.c:printosscanoutput()
-->
<!ELEMENT host ( status, address , (address | hostnames |
smurf | ports | addport | os | uptime |
tcpsequence | ipidsequence | tcptssequence )* ) >
<!-- these elements are written by output.c:write_xml_initial_hostinfo() -->
<!ELEMENT status EMPTY >
<!ATTLIST status state %host_states; #REQUIRED >
<!ELEMENT address EMPTY >
<!ATTLIST address
addr %attr_ipaddr; #REQUIRED
addrtype %attr_type; "ipv4"
vendor CDATA #IMPLIED
>
<!ELEMENT hostnames (hostname)* >
<!ELEMENT hostname EMPTY >
<!ATTLIST hostname
name CDATA #IMPLIED
type %hostname_types; #IMPLIED
>
<!-- this element is written by output.c:write_host_status() -->
<!ELEMENT smurf EMPTY >
<!ATTLIST smurf responses %attr_numeric; #REQUIRED >
<!-- this element is written by portlist.cc:addport() -->
<!ELEMENT addport EMPTY >
<!ATTLIST addport
state %port_states; #REQUIRED
owner CDATA #IMPLIED
portid %attr_numeric; #REQUIRED
protocol %port_protocols; #REQUIRED
>
<!-- these elements are written by output.c:printportoutput() -->
<!ELEMENT ports (extraports? , port*) >
<!ELEMENT extraports EMPTY >
<!ATTLIST extraports
state %port_states; #REQUIRED
count %attr_numeric; "closed"
>
<!ELEMENT port (state , owner? , service? ) >
<!ATTLIST port
protocol %port_protocols; #REQUIRED
portid %attr_numeric; #REQUIRED
>
<!ELEMENT state EMPTY >
<!ATTLIST state state %port_states; #REQUIRED >
<!ELEMENT owner EMPTY >
<!ATTLIST owner name CDATA #REQUIRED >
<!ELEMENT service EMPTY >
<!ATTLIST service
name CDATA #REQUIRED
conf %service_confs; #REQUIRED
method (table|detection|probed) #REQUIRED
version CDATA #IMPLIED
product CDATA #IMPLIED
extrainfo CDATA #IMPLIED
proto (rpc) #IMPLIED
rpcnum %attr_numeric; #IMPLIED
lowver %attr_numeric; #IMPLIED
highver %attr_numeric; #IMPLIED
>
<!-- these elements are written by output.c: printosscanoutput() -->
<!ELEMENT os ( portused* , osclass*, osmatch* ) >
<!ELEMENT portused EMPTY >
<!ATTLIST portused
state %port_states; #REQUIRED
proto %port_protocols; #REQUIRED
portid %attr_numeric; #REQUIRED
>
<!ELEMENT osclass EMPTY >
<!ATTLIST osclass
vendor CDATA #REQUIRED
osgen CDATA #IMPLIED
type CDATA #IMPLIED
accuracy CDATA #REQUIRED
osfamily CDATA #REQUIRED
>
<!ELEMENT osmatch EMPTY >
<!ATTLIST osmatch
name CDATA #REQUIRED
accuracy %attr_numeric; #REQUIRED
>
<!ELEMENT uptime EMPTY >
<!ATTLIST uptime
seconds %attr_numeric; #REQUIRED
lastboot CDATA #IMPLIED
>
<!ELEMENT tcpsequence EMPTY >
<!ATTLIST tcpsequence
index %attr_numeric; #REQUIRED
class CDATA #REQUIRED
difficulty CDATA #REQUIRED
values CDATA #REQUIRED
>
<!ELEMENT ipidsequence EMPTY >
<!ATTLIST ipidsequence
class CDATA #REQUIRED
values CDATA #REQUIRED
>
<!ELEMENT tcptssequence EMPTY >
<!ATTLIST tcptssequence
class CDATA #REQUIRED
values CDATA #IMPLIED
>
<!-- these elements are generated in output.c:printfinaloutput() -->
<!ELEMENT runstats (finished, hosts) >
<!ELEMENT finished EMPTY >
<!ATTLIST finished time %attr_numeric; #REQUIRED
timestr CDATA #IMPLIED
>
<!ELEMENT hosts EMPTY >
<!ATTLIST hosts
up %attr_numeric; "0"
down %attr_numeric; "0"
skipped %attr_numeric; "0"
total %attr_numeric; #REQUIRED
>
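Review bot: In the `extraports` ATTLIST, `count` is typed `%attr_numeric;` but has the default value `"closed"`, so a validating parser that applies DTD defaults reports count="closed" whenever the attribute is absent; the default looks as if it was meant for `state`. I would declare it `count %attr_numeric; #REQUIRED`, or `#IMPLIED` if output.c can omit it, which is not visible here. The parameter entity `attr_numeric` is also declared twice in the entity block at the top; XML parsers ignore the second declaration, so it can be dropped. Because `attr_numeric`, `attr_ipaddr` and `port_states` all expand to CDATA, validating against this DTD does not constrain those values, and a short comment beside the entity block saying that consumers of -oX output must still range-check port numbers and counts themselves would help.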

25
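--- /dev/null
+++ b/docs/nmap.usage.txt
@@ -0,0 +1,25 @@
+Nmap 3.81 Usage: nmap [Scan Type(s)] [Options] <host or net list>
+Some Common Scan Types ('*' options require root privileges)
+* -sS TCP SYN stealth port scan (default if privileged (root))
+-sT TCP connect() port scan (default for unprivileged users)
+* -sU UDP port scan
+-sP ping scan (Find any reachable machines)
+* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
+-sV Version scan probes open ports determining service & app names/versions
+-sR RPC scan (use with other scan types)
+Some Common Options (none are required, most can be combined):
+* -O Use TCP/IP fingerprinting to guess remote operating system
+-p <range> ports to scan. Example range: 1-1024,1080,6666,31337
+-F Only scans ports listed in nmap-services
+-v Verbose. Its use is recommended. Use twice for greater effect.
+-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
+* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
+-6 scans via IPv6 rather than IPv4
+-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> General timing policy
+-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
+-oN/-oX/-oG <logfile> Output normal/XML/grepable scan logs to <logfile>
+-iL <inputfile> Get targets from file; Use '-' for stdin
+* -S <your_IP>/-e <devicename> Specify source address or network interface
+--interactive Go into interactive mode (then press h for help)
+Example: nmap -v -sS -O www.my.com 192.168.0.0/16 '192.88-90.*.*'
+SEE THE MAN PAGE FOR MANY MORE OPTIONS, DESCRIPTIONS, AND EXAMPLES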

622
docs/nmap.xsl Normal file

@@ -0,0 +1,622 @@
<?xml version="1.0" encoding="UTF-8"?>
<!-- =========================================================================
nmap.xsl stylesheet version 0.9a
last change: 2005-02-04
Benjamin Erb, http://www.benjamin-erb.de
==============================================================================
Copyright (c) 2004 Benjamin Erb
All rights reserved.
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in the
documentation and/or other materials provided with the distribution.
3. The name of the author may not be used to endorse or promote products
derived from this software without specific prior written permission.
THIS SOFTWARE IS PROVIDED BY THE AUTHOR ``AS IS'' AND ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES
OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED.
IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY DIRECT, INDIRECT,
INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF
THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
========================================================================== -->
<xsl:stylesheet version="1.0" xmlns:xsl="http://www.w3.org/1999/XSL/Transform" xmlns:fo="http://www.w3.org/1999/XSL/Format">
<xsl:output method="html" indent="yes" encoding="UTF-8" />
<!-- global variables -->
<!-- ............................................................ -->
<xsl:variable name="nmap_xsl_version">0.9a</xsl:variable>
<!-- ............................................................ -->
<xsl:variable name="start"><xsl:value-of select="/nmaprun/@start" /></xsl:variable>
<xsl:variable name="end"><xsl:value-of select="/nmaprun/runstats/finished/@time" /> </xsl:variable>
<xsl:variable name="totaltime"><xsl:value-of select="/nmaprun/runstats/finished/@time -/nmaprun/@start" /></xsl:variable>
<!-- ............................................................ -->
<xsl:template match="/">
<xsl:apply-templates/>
</xsl:template>
<!-- root -->
<!-- ............................................................ -->
<xsl:template match="/nmaprun">
<html>
<head>
<xsl:comment>generated with nmap.xsl - version <xsl:value-of select="$nmap_xsl_version" /> by Benjamin Erb - http://www.benjamin-erb.de/nmap_xsl.php </xsl:comment>
<!-- embedded JavaScript for time conversion -->
<script language="JavaScript" type="text/javascript" >
function timestamp2date(stamp)
{
var myDate = new Date(stamp * 1000);
dateStr = myDate.toGMTString();
return dateStr;
}
</script>
<style type="text/css">
/* stylesheet print */
@media print
{
#menu
{
display:none;
}
h1
{
font-size: 13pt;
font-weight:bold;
margin:4pt 0pt 0pt 0pt;
padding:0;
}
h2
{
font-size: 12pt;
font-weight:bold;
margin:3pt 0pt 0pt 0pt;
padding:0;
}
h3
{
font-size: 9pt;
font-weight:bold;
margin:1pt 0pt 0pt 20pt;
padding:0;
}
p,ul
{
font-size: 9pt;
margin:1pt 0pt 8pt 40pt;
padding:0;
text-align:left;
}
li
{
font-size: 9pt;
margin:0;
padding:0;
text-align:left;
}
table
{
margin:1pt 0pt 8pt 40pt;
border:0px;
width:90%
}
td
{
border:0px;
border-top:1px solid black;
font-size: 9pt;
}
.head td
{
border:0px;
font-weight:bold;
font-size: 9pt;
}
}
/* stylesheet screen */
@media screen
{
body
{
margin: 0px;
background-color: #FFFFFF;
color: #000000;
text-align: center;
}
#container
{
text-align:left;
margin: 0px auto;
width: 90%;
}
h1
{
font-family: Verdana, Helvetica, sans-serif;
font-weight:bold;
font-size: 16pt;
color: #000000;
background-color:#87CEFA;
margin:10px 0px 0px 0px;
padding:5px 4px 5px 4px;
width: 100%;
border:1px solid black;
text-align: left;
}
h1 a
{
font-family: Verdana, Helvetica, sans-serif;
font-weight:bold;
font-size: 16pt;
color: #000000;
background-color:#87CEFA;
}
h2
{
font-family: Verdana, Helvetica, sans-serif;
font-weight:bold;
font-size: 12pt;
color: #000000;
margin:10px 0px 0px 0px;
padding:4px;
width: 100%;
border:1px solid black;
background-color:#F0F8FF;
text-align: left;
}
h2.green
{
color: #000000;
background-color:#CCFFCC;
border-color:#006400;
}
h2.red
{
color: #000000;
background-color:#FFCCCC;
border-color:#8B0000;
}
h3
{
font-family: Verdana, Helvetica, sans-serif;
font-weight:bold;
font-size: 10pt;
color:#000000;
background-color: #FFFFFF;
width: 75%;
text-align: left;
}
p
{
font-family: Verdana, Helvetica, sans-serif;
font-size: 10pt;
color:#000000;
background-color: #FFFFFF;
width: 75%;
text-align: left;
}
p i
{
font-family: "Courier New", Courier, mono;
font-size: 8pt;
color:#000000;
background-color: #CCCCCC;
}
ul
{
font-family: Verdana, Helvetica, sans-serif;
font-size: 10pt;
color:#000000;
background-color: #FFFFFF;
width: 75%;
text-align: left;
}
a
{
font-family: Verdana, Helvetica, sans-serif;
text-decoration: none;
font-size: 10pt;
color:#000000;
font-weight:bold;
background-color: #FFFFFF;
color: #000000;
}
a:hover
{
text-decoration: underline;
}
table
{
width: 80%;
border:0px;
color: #000000;
background-color: #000000;
margin:10px;
}
tr
{
vertical-align:top;
font-family: Verdana, Helvetica, sans-serif;
font-size: 10pt;
color:#000000;
background-color: #D1D1D1;
}
tr.head
{
background-color: #E1E1E1;
color: #000000;
font-weight:bold;
}
tr.open
{
background-color: #CCFFCC;
color: #000000;
}
tr.filtered
{
background-color: #FFDDBB;
color: #000000;
}
tr.closed
{
background-color: #FFCCCC;
color: #000000;
}
#menu li
{
display : inline;
margin : 0;
margin-right : 10px;
padding : 0;
list-style-type : none;
}
}
</style>
<title>nmap report</title>
</head>
<body>
<div id="container">
<h1>nmap scan report - scan @
<xsl:call-template name="timestamp">
<xsl:with-param name="stamp"><xsl:value-of select="$start" /></xsl:with-param>
</xsl:call-template>
</h1>
<ul id="menu">
<li><a href="#scansummary">scan summary</a></li>
<li><a href="#scaninfo">scan info</a></li>
<xsl:for-each select="host">
<li>
<xsl:element name="a">
<xsl:attribute name="href">#<xsl:value-of select="translate(address/@addr, '.', '_') " /></xsl:attribute>
<xsl:attribute name="target">_self</xsl:attribute>
<xsl:value-of select="address/@addr"/>
</xsl:element>
</li>
</xsl:for-each>
<li><a href="#runstats">runstats</a></li>
</ul>
<xsl:element name="a">
<xsl:attribute name="name">scansummary</xsl:attribute>
</xsl:element>
<h2>scan summary</h2>
<p>
<xsl:value-of select="@scanner"/> was initiated at
<xsl:call-template name="timestamp">
<xsl:with-param name="stamp"><xsl:value-of select="$start" /></xsl:with-param>
</xsl:call-template> with these arguments:<br/>
<i><xsl:value-of select="@args" /></i><br/>
The process stopped at
<xsl:call-template name="timestamp">
<xsl:with-param name="stamp"><xsl:value-of select="$end" /></xsl:with-param>
</xsl:call-template>.
<xsl:choose>
<xsl:when test="debugging/@level = '0'">Debbuging was disabled, </xsl:when>
<xsl:otherwise>Debugging was enabeld, </xsl:otherwise>
</xsl:choose>
the verbosing level was <xsl:value-of select="verbose/@level" />.
</p>
<xsl:apply-templates/>
</div>
</body>
</html>
</xsl:template>
<!-- ............................................................ -->
<!-- scaninfo -->
<!-- ............................................................ -->
<xsl:template match="scaninfo">
<xsl:element name="a">
<xsl:attribute name="name">scaninfo</xsl:attribute>
</xsl:element>
<h2>scan info</h2>
<ul>
<li><xsl:value-of select="@type" />-scan</li>
<li><xsl:value-of select="@numservices" /><xsl:text> </xsl:text><xsl:value-of select="@protocol" /> services scanned</li>
</ul>
<xsl:apply-templates/>
</xsl:template>
<!-- ............................................................ -->
<!-- runstats -->
<!-- ............................................................ -->
<xsl:template match="runstats">
<xsl:element name="a">
<xsl:attribute name="name">runstats</xsl:attribute>
</xsl:element>
<h2>runstats</h2>
<ul>
<li><xsl:value-of select="$totaltime" /> sec. scanned</li>
<li><xsl:value-of select="hosts/@total" /> host(s) scanned</li>
<li><xsl:value-of select="hosts/@up" /> host(s) online</li>
<li><xsl:value-of select="hosts/@down" /> host(s) offline</li>
</ul>
<xsl:apply-templates/>
</xsl:template>
<!-- ............................................................ -->
<!-- host -->
<!-- ............................................................ -->
<xsl:template match="host">
<xsl:element name="a">
<xsl:attribute name="name"><xsl:value-of select="translate(address/@addr, '.', '_') " /></xsl:attribute>
</xsl:element>
<xsl:choose>
<xsl:when test="status/@state = 'up'"><h2 class="green"><xsl:value-of select="address/@addr"/> (online)</h2></xsl:when>
<xsl:otherwise><h2 class="red"><xsl:value-of select="address/@addr"/> (offline)</h2></xsl:otherwise>
</xsl:choose>
<xsl:apply-templates/>
</xsl:template>
<!-- ............................................................ -->
<!-- hostnames -->
<!-- ............................................................ -->
<xsl:template match="hostnames">
<xsl:if test="hostname/@name != ''"><h3>hostnames</h3><ul> <xsl:apply-templates/></ul></xsl:if>
</xsl:template>
<!-- ............................................................ -->
<!-- hostname -->
<!-- ............................................................ -->
<xsl:template match="hostname">
<li><xsl:value-of select="@name"/> ( <xsl:value-of select="@type"/> )</li>
</xsl:template>
<!-- ............................................................ -->
<!-- ports -->
<!-- ............................................................ -->
<xsl:template match="ports">
<h3>ports</h3>
<xsl:for-each select="extraports">
<xsl:if test="@count > 0">
<p>The <xsl:value-of select="@count" /> ports scanned but not shown below are in state: <b><xsl:value-of select="@state" /></b></p>
</xsl:if>
</xsl:for-each>
<table cellspacing="1">
<tr class="head">
<td colspan="2">Port</td>
<td>State</td>
<td>Service</td>
<td>Product</td>
<td>Version</td>
<td>Extra info</td>
</tr>
<xsl:apply-templates/>
</table>
</xsl:template>
<!-- ............................................................ -->
<!-- port -->
<!-- ............................................................ -->
<xsl:template match="port">
<xsl:choose>
<xsl:when test="state/@state = 'open'">
<tr class="open">
<td><xsl:value-of select="@portid" /></td>
<td><xsl:value-of select="@protocol" /></td>
<td><xsl:value-of select="state/@state" /></td>
<td><xsl:value-of select="service/@name" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@product" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@version" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@extrainfo" /><xsl:text>&#xA0;</xsl:text></td>
</tr>
</xsl:when>
<xsl:when test="state/@state = 'filtered'">
<tr class="filtered">
<td><xsl:value-of select="@portid" /></td>
<td><xsl:value-of select="@protocol" /></td>
<td><xsl:value-of select="state/@state" /></td>
<td><xsl:value-of select="service/@name" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@product" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@version" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@extrainfo" /><xsl:text>&#xA0;</xsl:text></td>
</tr>
</xsl:when>
<xsl:when test="state/@state = 'closed'">
<tr class="closed">
<td><xsl:value-of select="@portid" /></td>
<td><xsl:value-of select="@protocol" /></td>
<td><xsl:value-of select="state/@state" /></td>
<td><xsl:value-of select="service/@name" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@product" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@version" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@extrainfo" /><xsl:text>&#xA0;</xsl:text></td>
</tr>
</xsl:when>
<xsl:otherwise>
<tr>
<td><xsl:value-of select="@portid" /></td>
<td><xsl:value-of select="@protocol" /></td>
<td><xsl:value-of select="state/@state" /></td>
<td><xsl:value-of select="service/@name" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@product" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@version" /><xsl:text>&#xA0;</xsl:text></td>
<td><xsl:value-of select="service/@extrainfo" /><xsl:text>&#xA0;</xsl:text></td>
</tr>
</xsl:otherwise>
</xsl:choose>
</xsl:template>
<!-- ............................................................ -->
<!-- os -->
<!-- ............................................................ -->
<xsl:template match="os">
<xsl:if test="osmatch/@name != ''"><h3>remote operating system guess</h3></xsl:if>
<ul>
<xsl:apply-templates/>
</ul>
</xsl:template>
<!-- ............................................................ -->
<!-- os portused -->
<!-- ............................................................ -->
<xsl:template match="portused">
<li>used port <xsl:value-of select="@portid" />/<xsl:value-of select="@proto" /> (<xsl:value-of select="@state" />) </li>
</xsl:template>
<!-- ............................................................ -->
<!-- os match -->
<!-- ............................................................ -->
<xsl:template match="osmatch">
<li>os match: <b><xsl:value-of select="@name" /> </b></li>
<li>accuracy: <xsl:value-of select="@accuracy" />%</li>
</xsl:template>
<!-- ............................................................ -->
<!-- uptime -->
<!-- ............................................................ -->
<xsl:template match="uptime">
<xsl:if test="@seconds != ''"><h3>system uptime</h3></xsl:if>
<ul>
<li>uptime: <xsl:value-of select="@seconds" /> sec</li>
<li>last reboot: <xsl:value-of select="@lastboot" /></li>
</ul>
</xsl:template>
<!-- ............................................................ -->
<!-- smurf -->
<!-- ............................................................ -->
<xsl:template match="smurf">
<xsl:if test="@responses != ''"><h3>smurf responses</h3></xsl:if>
<ul>
<li><xsl:value-of select="@responses" /> responses counted</li>
</ul>
</xsl:template>
<!-- ............................................................ -->
<!-- tcpsequence -->
<!-- ............................................................ -->
<xsl:template match="tcpsequence">
<xsl:if test="@values != ''">
<h3>tcpsequence</h3>
<ul>
<li>index: <xsl:value-of select="@index" /></li>
<li>class: <xsl:value-of select="@class" /></li>
<li>difficulty: <xsl:value-of select="@difficulty" /></li>
<li>values: <xsl:value-of select="@values" /></li>
</ul>
</xsl:if>
</xsl:template>
<!-- ............................................................ -->
<!-- ipidsequence -->
<!-- ............................................................ -->
<xsl:template match="ipidsequence">
<xsl:if test="@values != ''">
<h3>ipidsequence</h3>
<ul>
<li>class: <xsl:value-of select="@class" /></li>
<li>values: <xsl:value-of select="@values" /></li>
</ul>
</xsl:if>
</xsl:template>
<!-- ............................................................ -->
<!-- tcptssequence -->
<!-- ............................................................ -->
<xsl:template match="tcptssequence">
<xsl:if test="@values != ''">
<h3>tcptssequence</h3>
<ul>
<li>class: <xsl:value-of select="@class" /></li>
<li>values: <xsl:value-of select="@values" /></li>
</ul>
</xsl:if>
</xsl:template>
<!-- ............................................................ -->
<!-- Timestamp Conversion -->
<!-- ............................................................ -->
<xsl:template name="timestamp">
<xsl:param name="stamp" />
<xsl:choose>
<!-- Prevent Firefox / Transformiix from running docuement.write() -->
<xsl:when test="system-property('xsl:vendor')!='Transformiix'">
<script language="JavaScript" type="text/javascript" >
<xsl:comment>
document.write(timestamp2date(<xsl:value-of select="$stamp"/>));
</xsl:comment>
</script>
</xsl:when>
<xsl:otherwise><xsl:value-of select="$stamp"/></xsl:otherwise>
</xsl:choose>
</xsl:template>
<!-- ............................................................ -->
</xsl:stylesheet>

449
docs/nmap_doc.html Normal file

@@ -0,0 +1,449 @@
<HTML>
<HEAD>
<TITLE>Nmap: The Art of Port Scanning</TITLE>
</HEAD>
<BODY BGCOLOR="#2A0D45" TEXT="#ffffff" LINK="#ff0000" ALINK="#00ff00" VLINK="#ff0000">
<H1><CENTER>The Art of Port Scanning</CENTER></H1>
<CENTER><H1>by Fyodor <A HREF="mailto:fyodor@insecure.org">&lt;fyodor@insecure.org&gt;</A></H1></CENTER>
<CENTER>(Last significant update: Sat Sep 6 03:24:53 GMT 1997)</CENTER>
<BR><BR>
<H1>Warning, the interface to nmap has changed a bit and so not all the flags and options mentioned in this paper are still accurate. The authoritative documentation is now the man page (<A HREF="nmap_manpage.html">html version</A>). This article still contains a lot of information on port scanning though and so I recommend that nmap users read it.</H1>
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Abstract</TH></TR></TABLE>
<P>This paper details many of the techniques used to determine what ports (or
similar protocol abstraction) of a host are listening for connections. These
ports represent potential communication channels. Mapping their existence
facilitates the exchange of information with the host, and thus it is quite
useful for anyone wishing to explore their networked environment, including
hackers. Despite what you have heard from the media, the Internet is NOT
all about TCP port 80. Anyone who relies exclusively on the WWW for
information gathering is likely to gain the same level of proficiency as your
average AOLer, who does the same. This paper is also meant to serve as an
introduction to and ancillary documentation for a coding project I have been
working on. It is a full featured, robust port scanner which (I hope) solves
some of the problems I have encountered when dealing with other scanners and
when working to scan massive networks. The tool, nmap, supports the following:
<BR><BR>
<UL>
<LI><A HREF="#connect">Vanilla TCP connect() scanning</A>,
<LI><A HREF="#syn">TCP SYN (half open) scanning</A>,
<LI><A HREF="#fin">TCP FIN (stealth) scanning</A>,
<LI><A HREF="#bounce">TCP ftp proxy (bounce attack) scanning</A>,
<LI><A HREF="#frag">SYN/FIN scanning using IP fragments (bypasses packet filters)</A>,
<LI><A HREF="#recvfrom">UDP recvfrom() scanning</A>,
<LI><A HREF="#port_unreach">UDP raw ICMP port unreachable scanning</A>,
<LI><A HREF="#icmp">ICMP scanning (ping-sweep)</A>, and
<LI><A HREF="#ident">Reverse-ident scanning</A>.
</UL>
<BR><BR>
The freely distributable source code is available at <A HREF="http://www.insecure.org/nmap/">http://www.insecure.org/nmap/</A>
<BR><BR>
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH
ALIGN="CENTER">Introduction</TH></TR></TABLE>
<P>Scanning, as a method for discovering exploitable communication channels, has
been around for ages. The idea is to probe as many listeners as possible, and
keep track of the ones that are receptive or useful to your particular need.
Much of the field of advertising is based on this paradigm, and the "to current
resident" brute force style of bulk mail is an almost perfect parallel to what
we will discuss. Just stick a message in every mailbox and wait for the
responses to trickle back.
<P>Scanning entered the h/p world along with the phone systems. Here
we have this tremendous global telecommunications network, all
reachable through codes on our telephone. Millions of numbers are
reachable locally, yet we may only be interested in 0.5% of these
numbers, perhaps those that answer with a carrier.
<P>The logical solution to finding those numbers that interest us is
to try them all. Thus the field of "wardialing" arose. Excellent
programs like Toneloc were developed to facilitate the probing of
entire exchanges and more. The basic idea is simple. If you dial a
number and your modem gives you a CONNECT, you record it. Otherwise
the computer hangs up and tirelessly dials the next one.
<P>While wardialing is still useful, we are now finding that many of
the computers we wish to communicate with are connected through
networks such as the Internet rather than analog phone dialups.
Scanning these machines involves the same brute force technique. We
send a blizzard of packets for various protocols, and we deduce which
services are listening from the responses we receive (or don't
receive).
<BR><BR>
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Techniques</TH></TR></TABLE>
<P>Over time, a number of techniques have been developed for surveying the
protocols and ports on which a target machine is listening. They all offer
different benefits and problems. Here is a line up of the most common:<BR><BR>
<UL>
<LI><A NAME="connect">TCP connect() scanning : This is the most basic
form of TCP scanning. The connect() system call provided by your
operating system is used to open a connection to every interesting
port on the machine. If the port is listening, connect() will
succeed, otherwise the port isn't reachable. One strong advantage to
this technique is that you don't need any special privileges. Any
user on most UNIX boxes is free to use this call. Another advantage
is speed. While making a separate connect() call for every targeted
port in a linear fashion would take ages over a slow connection, you
can hasten the scan by using many sockets in parallel. Using
non-blocking I/O allows you to set a low time-out period and watch all
the sockets at once. This is the fastest scanning method supported by
nmap, and is available with the -t (TCP) option. The big downside is
that this sort of scan is easily detectable and filterable. The
target hosts logs will show a bunch of connection and error messages
for the services which take the connection and then have it
immediately shutdown.<BR><BR>
<LI><A NAME="syn">TCP SYN scanning : This technique is often referred
to as "half-open" scanning, because you don't open a full TCP
connection. You send a SYN packet, as if you are going to open a real
connection and wait for a response. A SYN|ACK indicates the port is
listening. A RST is indicative of a non- listener. If a SYN|ACK is
received, you immediately send a RST to tear down the connection
(actually the kernel does this for us). The primary advantage to this
scanning technique is that fewer sites will log it. Unfortunately you
need root privileges to build these custom SYN packets. SYN scanning
is the -s option of nmap.<BR><BR>
<LI><A NAME="fin">TCP FIN scanning : There are times when even SYN
scanning isn't clandestine enough. Some firewalls and packet filters
watch for SYNs to restricted ports, and programs like synlogger and
Courtney are available to detect these scans. FIN packets, on the
other hand, may be able to pass through unmolested. This scanning
technique was featured in detail by Uriel Maimon in Phrack 49, article
15. The idea is that closed ports tend to reply to your FIN packet
with the proper RST. Open ports, on the other hand, tend to ignore
the packet in question. As Alan Cox has pointed out, this is required
TCP behavior. However, some systems (notably Micro$oft boxes), are
broken in this regard. They send RST's regardless of the port state,
and thus they aren't vulnerable to this type of scan. It works well
on most other systems I've tried. Actually, it is often useful to
discriminate between a *NIX and NT box, and this can be used to do
that. FIN scanning is the -U (Uriel) option of nmap.<BR><BR>
<LI><A NAME="frag">Fragmentation scanning : This is not a new scanning
method in and of itself, but a modification of other techniques.
Instead of just sending the probe packet, you break it into a couple
of small IP fragments. You are splitting up the TCP header over
several packets to make it harder for packet filters and so forth to
detect what you are doing. Be careful with this! Some programs have
trouble handling these tiny packets. My favorite sniffer segmentation
faulted immediately upon receiving the first 36-byte fragment. After
that comes a 24 byte one! While this method won't get by packet
filters and firewalls that queue all IP fragments (like the
CONFIG_IP_ALWAYS_DEFRAG option in Linux), a lot of networks can't
afford the performance hit this causes. This feature is rather unique
to scanners (at least I haven't seen any others that do this). Thanks
to daemon9 for suggesting it. The -f instructs the specified SYN or
FIN scan to use tiny fragmented packets.<BR><BR>
<LI><A NAME="ident">TCP reverse ident scanning : As noted by Dave
Goldsmith in a 1996 Bugtraq post, the ident protocol (rfc1413) allows
for the disclosure of the username of the owner of any process
connected via TCP, even if that process didn't initiate the
connection. So you can, for example, connect to the http port and
then use identd to find out whether the server is running as root.
This can only be done with a full TCP connection to the target port
(i.e. the -t option). nmap's -i option queries identd for the owner
of all listen()ing ports.<BR><BR>
<LI><A NAME="bounce">FTP bounce attack : An interesting "feature" of
the ftp protocol (RFC 959) is support for "proxy" ftp connections. In
other words, I should be able to connect from evil.com to the FTP
server-PI (protocol interpreter) of target.com to establish the
control communication connection. Then I should be able to request
that the server-PI initiate an active server-DTP (data transfer
process) to send a file ANYWHERE on the internet! Presumably to a
User-DTP, although the RFC specifically states that asking one server
to send a file to another is OK. Now this may have worked well in
1985 when the RFC was just written. But nowadays, we can't have
people hijacking ftp servers and requesting that data be spit out to
arbitrary points on the internet. As *Hobbit* wrote back in 1995,
this protocol flaw "can be used to post virtually untraceable mail and
news, hammer on servers at various sites, fill up disks, try to hop
firewalls, and generally be annoying and hard to track down at the
same time." What we will exploit this for is to (surprise, surprise)
scan TCP ports from a "proxy" ftp server. Thus you could connect to
an ftp server behind a firewall, and then scan ports that are more
likely to be blocked (139 is a good one). If the ftp server allows
reading from and writing to a directory (such as /incoming), you can
send arbitrary data to ports that you do find open.
<P>For port scanning, our technique is to use the PORT command to declare that
our passive "User-DTP" is listening on the target box at a certain port number.
Then we try to LIST the current directory, and the result is sent over the
Server-DTP channel. If our target host is listening on the specified port, the
transfer will be successful (generating a 150 and a 226 response). Otherwise
we will get "425 Can't build data connection: Connection refused." Then we
issue another PORT command to try the next port on the target host. The
advantages to this approach are obvious (harder to trace, potential to bypass
firewalls). The main disadvantages are that it is slow, and that some FTP
servers have finally got a clue and disabled the proxy "feature". For what it
is worth, here is a list of banners from sites where it does/doesn't work:
<P>*Bounce attacks worked:*<BR><BR>
<PRE>
220 xxxxxxx.com FTP server (Version wu-2.4(3) Wed Dec 14 ...) ready.
220 xxx.xxx.xxx.edu FTP server ready.
220 xx.Telcom.xxxx.EDU FTP server (Version wu-2.4(3) Tue Jun 11 ...) ready.
220 lem FTP server (SunOS 4.1) ready.
220 xxx.xxx.es FTP server (Version wu-2.4(11) Sat Apr 27 ...) ready.
220 elios FTP server (SunOS 4.1) ready
</PRE>
<P>*Bounce attack failed:*<BR><BR>
<PRE>
220 wcarchive.cdrom.com FTP server (Version DG-2.0.39 Sun May 4 ...) ready.
220 xxx.xx.xxxxx.EDU Version wu-2.4.2-academ[BETA-12](1) Fri Feb 7
220 ftp Microsoft FTP Service (Version 3.0).
220 xxx FTP server (Version wu-2.4.2-academ[BETA-11](1) Tue Sep 3 ...) ready.
220 xxx.unc.edu FTP server (Version wu-2.4.2-academ[BETA-13](6) ...) ready.
</PRE>
The 'x's are partly there to protect those guilty of running a flawed server,
but mostly just to make the lines fit in 80 columns. Same thing with the
ellipse points. The bounce attack is available with the -b <proxy_server>
option of nmap. proxy_server can be specified in standard URL format,
username:password@server:port , with everything but server being optional.<BR><BR>
<LI><A NAME="port_unreach">UDP ICMP port unreachable scanning : This
scanning method varies from the above in that we are using the UDP
protocol instead of TCP. While this protocol is simpler, scanning it
is actually significantly more difficult. This is because open ports
don't have to send an acknowledgement in response to our probe, and
closed ports aren't even required to send an error packet.
Fortunately, most hosts do send an ICMP_PORT_UNREACH error when you
send a packet to a closed UDP port. Thus you can find out if a port
is NOT open, and by exclusion determine which ports which are.
Neither UDP packets, nor the ICMP errors are guaranteed to arrive, so
UDP scanners of this sort must also implement retransmission of
packets that appear to be lost (or you will get a bunch of false
positives). Also, this scanning technique is slow because of
compensation for machines that took RFC 1812 section 4.3.2.8 to heart
and limit ICMP error message rate. For example, the Linux kernel (in
net/ipv4/icmp.h) limits destination unreachable message generation to
80 per 4 seconds, with a 1/4 second penalty if that is exceeded. At
some point I will add a better algorithm to nmap for detecting this.
Also, you will need to be root for access to the raw ICMP socket
necessary for reading the port unreachable. The -u (UDP) option of
nmap implements this scanning method for root users.
<P>Some people think UDP scanning is lame and pointless. I usually
remind them of the recent Solaris rcpbind hole. Rpcbind can be found
hiding on an undocumented UDP port somewhere above 32770. So it
doesn't matter that 111 is blocked by the firewall. But can you find
which of the more than 30,000 high ports it is listening on? With a
UDP scanner you can!<BR><BR>
<LI><A NAME="recvfrom">UDP recvfrom() and write() scanning : While
non-root users can't read port unreachable errors directly, Linux is
cool enough to inform the user indirectly when they have been
received. For example a second write() call to a closed port will
usually fail. A lot of scanners such as netcat and Pluvius' pscan.c
does this. I have also noticed that recvfrom() on non-blocking UDP
sockets usually return EAGAIN ("Try Again", errno 13) if the ICMP
error hasn't been received, and ECONNREFUSED ("Connection refused",
errno 111) if it has. This is the technique used for determining open
ports when non-root users use -u (UDP). Root users can also use the
-l (lamer UDP scan) options to force this, but it is a really dumb
idea.<BR><BR>
<LI><A NAME="icmp">ICMP echo scanning : This isn't really port
scanning, since ICMP doesn't have a port abstraction. But it is
sometimes useful to determine what hosts in a network are up by
pinging them all. the -P option does this. ICMP scanning is now in
parallel, so it can be quite fast. To speed things up even more, you
can increase the number of pings in parallel with the '-L <num>'
option. It can also be helpful to tweek the ping timeout value with
'-T <num_seconds>'. nmap supports a host/bitmask notation to make
this sort of thing easier. For example 'nmap -P cert.org/24
152.148.0.0/16' would scan CERT's class C network and whatever class B
entity 152.148.* represents. Host/26 is useful for 6-bit subnets
within an organization. Nmap now also offers a more powerful form.
You can now do things like '150.12,17,71-79.7.*' and it will do what
you expect. For each of the four values, you can either put a single
number, a range (with '-'), a comma-separated list of numbers and
ranges, or a '*' which is just a short cut for 0-255. By default,
likely network/broadcast addresses like .0 and .255 are not scanned,
but the '-A' option allows you to do this if you wish.
</UL>
<BR><BR>
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Features</TH></TR></TABLE>
<P>Prior to writing nmap, I spent a lot of time with other scanners
exploring the Internet and various private networks (note the
avoidance of the "intranet" buzzword). I have used many of the top
scanners available today, including strobe by Julian Assange, netcat
by *Hobbit*, stcp by Uriel Maimon, pscan by Pluvius, ident-scan by
Dave Goldsmith, and the SATAN tcp/udp scanners by Wietse Venema.
These are all excellent scanners! In fact, I ended up hacking most of
them to support the best features of the others. Finally I decided to
write a whole new scanner, rather than rely on hacked versions of a
dozen different scanners in my /usr/local/sbin. While I wrote all the
code, nmap uses a lot of good ideas from its predecessors. I also
incorporated some new stuff like fragmentation scanning and options
that were on my "wish list" for other scanners. Here are some of the
(IMHO) useful features of nmap:<BR><BR>
<UL>
<LI>dynamic delay time calculations: Some scanners require that you
supply a delay time between sending packets. Well how should I know
what to use? Sure, I can ping them, but that is a pain, and plus the
response time of many hosts changes dramatically when they are being
flooded with requests. nmap tries to determine the best delay time
for you. It also tries to keep track of packet retransmissions,
etc. so that it can modify this delay time during the course of the
scan. For root users, the primary technique for finding an initial
delay is to time the internal "ping" function. For non-root users, it
times an attempted connect() to a closed port on the target. It can
also pick a reasonable default value. Again, people who want to
specify a delay themselves can do so with -w (wait), but you shouldn't
have to.<BR><BR>
<LI>retransmission: Some scanners just send out all the query packets,
and collect the responses. But this can lead to false positives or
negatives in the case where packets are dropped. This is especially
important for "negative" style scans like UDP and FIN, where what you
are looking for is a port that does NOT respond. In most cases, nmap
implements a configurable number of retransmissions for ports that
don't respond.<BR><BR>
<LI>parallel port scanning: Some scanners simply scan ports linearly,
one at a time, until they do all 65535. This actually works for TCP
on a very fast local network, but the speed of this is not at all
acceptable on a wide area network like the Internet. nmap uses
non-blocking i/o and parallel scanning in all TCP and UDP modes. The
number of scans in parallel is configurable with the -M (Max sockets)
option. On a very fast network you will actually decrease performance
if you do more than 18 or so. On slow networks, high values increase
performance dramatically.<BR><BR>
<LI>Flexible port specification: I don't always want to just scan all
65535 ports. Also, the scanners which only allow you to scan ports 1
- N sometimes fall short of my need. The -p option allows you to
specify an arbitrary number of ports and ranges for scanning. For
example, '-p 21-25,80,113, 60000-' does what you would expect (a
trailing hyphen means up to 65536, a leading hyphen means 1 through).
You can also use the -F (fast) option, which scans all the ports
registered in your /etc/services (a la strobe).<BR><BR>
<LI>Flexible target specification: I often want to scan more then one
host, and I certainly don't want to list every single host on a large
network to scan. Everything that isn't an option (or option argument)
in nmap is treated as a target host. As mentioned before, you can
optionally append /mask to a hostname or IP address in order to scan
all hosts with the same initial <mask> bits of the 32 bit IP
address. You can use the same powerful syntax as the port
specifications to specify targets like '150.12.17.71-79.7.*'. '*' is
just a shortcut for 0-255, remember to escape it from your shell if
used.<BR><BR>
<LI>detection of down hosts: Some scanners allow you to scan large
networks, but they waste a huge amount of time scanning 65535 ports of
a dead host! By default, nmap pings each host to make sure it is up
before wasting time on it. It also does thin in parallel, to speed
things up. You can change the parrallel ping lookahead with '-L' and
the ping timeout with '-T'. You can turn pinging off completely with
the '-D' command line option. This is useful for scanning networks
like microsoft.com where ICMP echo requests can't get through. Nmap
is also capable of bailing on hosts that seem down based on strange
port scanning errors. It is also meant to be tolerant of people who
accidentally scan network addresses, broadcast addresses, etc.<BR><BR>
<LI>detection of your IP address: For some reason, a lot of scanners
ask you to type in your IP address as one of the parameters. Jeez, I
don't want to have to 'ifconfig' and figure out my current address
every time I scan. Of course, this is better then the scanners I've
seen which require recompilation every time you change your address!
nmap first tries to detect your address during the ping stage. It
uses the address that the echo response is received on, as that is the
interface it should almost always be routed through. If it can't do
this (like if you don't have host pinging enabled), nmap tries to
detect your primary interface and uses that address. You can also use
-S to specify it directly, but you shouldn't have to (unless you want
to make it look like someone ELSE is SYN or FIN scanning a
host.<BR><BR>
</UL>
Some other, more minor options:<BR>
<PRE>
-v (verbose): This is highly recommended for interactive use. Among other
useful messages, you will see ports come up as they are found, rather than
having to wait for the sorted summary list.
-r (randomize): This will randomize the order in which the target host's
ports are scanned.
-q (quash argv): This changes argv[0] to FAKE_ARGV ("pine" by default).
It also eliminates all other arguments, so you won't look too suspicious in
'w' or 'ps' listings.
-h for an options summary.
-R show and resolve all hosts, even down ones.
</PRE>
Also look for <A
HREF="http://www.insecure.org/nmap/">http://www.insecure.org/nmap</A>,
which is the web site I plan to put future versions and more
information on. In fact, you would be well advised to check there
right now. (If that isn't where you are reading this).
<TABLE WIDTH="100%"><TR BGCOLOR="#4444aa"><TH ALIGN="CENTER">Example
Usage</TH></TR></TABLE>
<BR><BR>
To launch a stealth scan of the entire class 'B' networks 166.66.0.0 and
166.67.0.0 for the popularly exploitable imapd daemon:<BR>
<pre>
# nmap -Up 143 166.66.0.0/16 166.67.0.0/16
</pre>
To do a standard tcp scan on the reserved ports of host
&lt;target&gt;:<BR>
<pre>
&gt; nmap target
</pre>
To check the class 'C' network on which warez.com sits for popular
services (via fragmented SIN scan):<BR>
<pre>
# nmap -fsp 21,22,23,25,80,110 warez.com/24
</pre>
To scan the same network for all the services in your /etc/services
via (very fast) tcp scan:<BR>
<pre>
&gt; nmap -F warez.com/24
</pre>
To scan secret.pathetic.net using the ftp bounce attack off of
ftp.pathetic.net:<BR>
<pre>
&gt; nmap -Db ftp.pathetic.net secret.pathetic.net
</pre>
To find hosts that are up in the the adjacent class C's 193.14.12,
.13, .14, .15, ... , .30:<BR>
<pre>
&gt; nmap -P '193.14.[12-30].*'
</pre>
If you don't want to have to quote it to avoid shell interpretation,
this does the same thing:<BR>
<pre>
&gt; nmap -P 193.14.12-30.0-255
</pre>
</BODY>
</HTML>

950
docs/nmap_french.1 Normal file

@@ -0,0 +1,950 @@
.\" nmap version 3.00, August 2002
.\" This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NOM
nmap \- Outil d'exploration r<>seau et analyseur de s<>curit<69>
.SH SYNOPSIS
.B nmap
[Type(s) de scan] [Options] <h<>te ou r<>seau #1 ... [#N]>
.SH DESCRIPTION
.I Nmap
a <EFBFBD>t<EFBFBD> con<EFBFBD>u pour que les administrateurs syst<EFBFBD>mes et les curieux
puissent analyser de grands r<EFBFBD>seaux pour d<EFBFBD>terminer les h<EFBFBD>tes actifs et les
services offerts.
.I nmap
supporte un grand nombre de techniques d'analyse\ : UDP, TCP
connect(), TCP SYN (mi ouvert), ftp proxy (attaque par rebond),
Reverse-ident, ICMP (balayage de ping), FIN, balayage de ACK, Xmas Tree, balayage
de SYN, Protocoles IP, et Null scan. Voir la section
.I Types de scans
pour plus de d<>tails. Nmap offre <20>galement des caract<63>ristiques avanc<6E>es
comme la d<>tection du syst<73>me d'exploitation distant via l'empreinte
TCP/IP, l'analyse furtive, le d<>lai dynamique et les calculs de retransmission,
l'analyse parall<6C>le, d<>tection de h<>tes inactifs via
des pings parall<6C>les, l'analyse avec leurres, la d<>tection des ports filtr<74>s,
analyse directe (sans portmapper) des RCP, l'analyse avec fragmentation,
et une notation puissante pour d<>signer les h<>tes et les ports.
.PP
Des efforts significatifs ont <20>t<EFBFBD> consacr<63>s pour que nmap soit utilisable
par des utilisateurs non-root. Malheureusement, la plupart des interfaces
noyaux critiques (comme les raw sockets) requi<75>rent les privil<69>ges root.
Nmap devrait donc <20>tre lanc<6E> en tant que root autant que possible
(mais pas en setuid root, <20>videmment).
.PP
Le r<>sultat de l'ex<65>cution de nmap est habituellement une liste
de ports int<6E>ressants sur les machines analys<79>es. Nmap donne pour
chaque port le nom du service, le num<75>ro, l'<27>tat et le protocole.
L'<27>tat peut <20>tre <20>\ open\ <EFBFBD>, <20>\ filtered\ <EFBFBD> ou <20>\ unfiltered\ <EFBFBD>.
<EFBFBD>\ Open\ <EFBFBD> signifie que la machine cible accepte les connexions sur ce port.
<EFBFBD>\ Filtered\ <EFBFBD> signifie qu'un pare-feu, un filtre ou un autre obstacle r<>seau
prot<EFBFBD>ge le port et emp<6D>che nmap de d<>tecter si le port est ouvert.
<EFBFBD>\ Unfiltered\ <EFBFBD> signifie que le port est ferm<72> et qu'aucun pare-feu n'a
interf<EFBFBD>r<EFBFBD> avec nmap.
Les ports <20>\ Unfiltered\ <EFBFBD> sont les plus courants et ne sont affich<63>s
que lorsque la majorit<69> des ports analys<79>s sont dans l'<27>tat <20>\ filtered\ <EFBFBD>.
.PP
En fonction des options utilis<69>es, nmap peut aussi rapporter les caract<63>ristiques
suivantes du syst<73>me d'exploitation distant\ :
type de syst<73>me d'exploitation, s<>quencement TCP, noms des utilisateurs
qui ont lanc<6E> les programmes qui <20>coutent sur chaque port, le nom DNS,
et d'autres choses encore.
.SH OPTIONS
Les options ayant du sens ensemble peuvent g<>n<EFBFBD>ralement <20>tre combin<69>es.
Certaines options sont sp<73>cifiques <20> certains modes d'analyses.
.I nmap
essaye de d<EFBFBD>tecter et de pr<EFBFBD>venir l'utilisateur
en cas de combinaisons d'options d<>mentes ou non support<72>es.
.Sp
Si vous <20>tes impatient, vous pouvez passer directement
<EFBFBD> la section des
.I exemples
<EFBFBD> la fin, qui illustre l'usage courant. Vous pouvez aussi lancer
.B nmap -h
pour un bref rappel de toutes les options.
.TP
.B TYPES DE SCANS
.TP
.B \-sS
TCP SYN scan\ : Cette technique est souvent appel<65>e scan
<EFBFBD>\ mi ouvert\ <EFBFBD>, parce qu'on ouvre une connexion TCP incompl<70>te.
On envoie un paquet SYN, comme pour une v<>ritable ouverture de connexion
et on attend une r<>ponse. Un SYN ou ACK indique
que le port est sous <20>coute, en revanche un RST signifie que personne n'<27>coute
sur ce port.
Si un SYN ou ACK est re<72>u, un RST est imm<6D>diatement envoy<6F> pour interrompre
la connexion.
Le principal avantage de cette technique est que peu de sites l'archiveront.
dans leurs logs.
Malheureusement vous avez besoin des privil<69>ges root pour construire
ces paquets SYN sur mesure. C'est le scan par d<>faut pour les utilisateurs
qui ont les privil<69>ges root.
.TP
.B \-sT
TCP connect() scan\ : C'est la forme la plus simple de scan TCP.
L'appel syst<73>me connect() fournit par votre syst<73>me d'exploitation
est utilis<69> pour ouvrir une connexion sur tous les ports int<6E>ressants
de la cible. Si le port est sur <20>coute,
connect() r<>ussira, sinon le port est injoignable.
Le principal avantage de cette technique est qu'elle ne n<>cessite pas
de privil<69>ges particuliers. Presque tous les utilisateurs de toutes les machines Unix
sont libres d'utiliser cet appel syst<73>me.
.Sp
Ce type de scan est facilement d<>tectable par l'h<>te cible
puisque les logs de la cible montreront un ensemble de connexions
et de messages d'erreurs pour les services qui ont accept<70> la connexion
qui a <20>t<EFBFBD> imm<6D>diatement coup<75>e.
C'est le scan par d<>faut pour les utilisateurs normaux (non root).
.TP
.B \-sF \-sX \-sN
Stealth FIN, Xmas Tree, ou Null scan modes\ : Parfois m<EFBFBD>me
un SYN scan n'est pas suffisamment discret.
Certains pare-feux et filtreurs de paquets regardent les
SYNs vers les ports interdits, et des programmes comme Synlogger et
Courtney peuvent d<>tecter ces scans. En revanche, ces scans avanc<6E>s
devrait pourvoir passer sans probl<62>mes.
.Sp
L'id<69>e est qu'un port ferm<72> est requis pour
r<EFBFBD>pondre au paquet de test par un RST, alors
que les ports ouverts doivent ignorer les paquets en question
(voir RFC 793 pp 64). Le FIN scan utilise
un paquet FIN nu comme testeur, alors que le scan Xmas tree
active les drapeaux URG et PUSH du paquet FIN. Le scan Null, d<>sactive tous
les drapeaux. Malheureusement Microsoft (comme d'habitude)
a d<>cid<69> d'ignorer compl<70>tement le standard et de faire les choses <20> sa fa<66>on.
C'est pourquoi ce type de scan ne fonctionne pas contre les syst<73>mes sous
Windows95/NT. Le c<>t<EFBFBD> positif est que c'est un bon moyen de distinguer deux
plates-formes.
Si le scan trouve des ports ouverts, vous savez que la machine cible n'est
pas sous Windows. Si un -sF,-sX, ou -sN scan montre tous les ports
ferm<EFBFBD>s, et qu'un scan SYN (-sS) montre tous les ports ouverts, la machine cible
fonctionne probablement sous
Windows. Ceci est moins utile depuis que nmap a son propre d<>tecteur de syst<73>me
d'exploitation int<6E>gr<67>. D'autres syst<73>mes ont le m<>me probl<62>me que Windows\ :
Cisco, BSDI, HP/UX, MVS, et IRIX.
La plupart envoient des resets depuis les ports ouverts au lieu d'ignorer
le paquet.
.TP
.B \-sP
Ping scanning\ : Parfois vous voulez juste savoir quels sont les h<>tes
actifs d'un r<>seau.
Nmap peut le faire pour vous en envoyant des paquets d'<27>cho ICMP <20> chaque adresse IP du r<>seau sp<73>cifi<66>.
Les h<>tes qui r<>pondent sont actifs. Malheureusement, certains sites comme
microsoft.com, bloquent les paquets d'<27>cho.
Toutefois nmap peut aussi envoyer un paquet TCP ack au port 80 (par d<>faut).
Si vous recevez un RST en retour, la machine est active. Une troisi<73>me
technique consiste <20> envoyer un paquet SYN et d'attendre un RST ou un SYN/ACK.
Pour les utilisateurs non-root, la m<>thode connect() est utilis<69>e.
.Sp
Par d<>faut (pour les utilisateurs root), nmap utilise la technique
ICMP et ACK en parall<6C>le. Vous pouvez changer l'option
.B \-P
d<EFBFBD>crite plus tard.
.Sp
Remarquez que le ping est fait par d<>faut de toutes fa<66>ons
et seuls les h<>tes qui r<>pondent sont analys<79>s.
N'utilisez cette option que si vous voulez faire un balayage de
ping
.B sans
faire d'analyse de ports.
.TP
.B \-sU
UDP scans\ : Cette m<>thode est utilis<69>e pour d<>terminer les ports UDP
(User Datagram Protocol, RFC 768) qui sont ouverts sur l'h<>te
Cette technique consiste <20> envoyer un paquet udp de 0 octet <20> chaque
port de la machine cible. Si on re<72>oit un message ICMP <20>\ port unreachable\ <EFBFBD>,
alors le port est ferm<72>. Autrement nous supposons qu'il est ouvert.
.Sp
Certaines personne pensent que l'analyse UDP est inutile.
J'ai pour habitude de leur rappeler le trou r<>cent dans rcpbind sous Solaris.
Rpcbind peut dissimuler un port UDP non document<6E> quelque part au dessus
de 32\ 770. Comme d<>couvrir un tel port sans scanner UDP\ ?
Il y a aussi le programme
cDc Back Orifice backdoor qui cache un port UDP configurable
sur les machines Windows. Sans m<>me mentionner tous les services courants
qui utilisent UDP tels que snmp, tftp, NFS, etc.
.Sp
Malheureusement l'analyse UDP peut <20>tre particuli<6C>rement longue puisque la plupart
des h<>tes impl<70>mente une suggestion de la RFC 1812 (section
4.3.2.8) pour limiter le d<>bit des messages d'erreurs ICMP. Par exemple,
le noyau Linux (dans net/ipv4/icmp.h) limite la g<>n<EFBFBD>ration de
message <20>\ destination unreachable\ <EFBFBD> <20> 80 pour 4 secondes, avec
une p<>nalit<69> de 1/4 secondes si ce nombre est d<>pass<73>.
Solaris a des limites encore plus strictes (<28> peu pr<70>s 2 messages par
seconde) et l'analyse n<>cessite encore plus de temps.
.I Nmap
d<EFBFBD>tecte cette limite de d<>bit et ralentit plut<75>t que d'inonder inutilement
le r<>seau avec des paquets qui seront ignor<6F>s par la machine cible.
.Sp
Comme d'habitude, Microsoft a ignor<6F> la suggestion RFC
et n'a pas impl<70>ment<6E> de limitation de taux dans les machines
Win95 et NT. C'est pourquoi nous pouvons analyser
les 65K ports d'une machine Windows
.B tr<EFBFBD>s
rapidement. Wahoo !
.TP
.B \-sO
IP protocol scans\ : Cette m<>thode est utilis<69>e
pour d<>terminer les protocoles IP support<72>s par l'h<>te.
La technique consiste <20> envoyer des paquets IP bruts sans ent<6E>te de protocole
<EFBFBD> chaque protocole sp<73>cifi<66> sur la machine cible.
Si nous recevons un message ICMP <20>\ protocol unreachable\ <EFBFBD>,
alors le protocole n'est pas utilis<69>. Autrement nous supposons qu'il est
ouvert. Remarquez que certains h<>tes (AIX, HP-UX, Digital UNIX)
et les pare-feux peuvent ne pas renvoyer les
messages <20>\ protocol unreachable\ <EFBFBD>, faisant appara<72>tre ouverts
tous les protocoles.
.Sp
Comme cette technique est tr<74>s similaire <20> l'analyse des ports UDP, la
limitation du d<>bit ICMP peut aussi appara<72>tre.
Mais comme le champ protocole d'IP n'a que 8 bits, il y a au plus 256
protocoles, donc la dur<75>e restera raisonnable.
.TP
.B \-sI <zombie host[:probeport]>
scan paresseux : cette m<>thode de scan avanc<6E>e autorise un scan TCP
v<EFBFBD>ritablement aveugle de la cible (aucun paquet ne sera envoy<6F> <20> la cible
depuis votre v<>ritable adresse IP). <20> la place, une attaque unilat<61>rale
exploite la pr<70>diction de la s<>quence d'identificateur de fragmentation IP
de l'h<>te zombie pour glaner des informations sur les ports ouverts de la cible.
Les syst<73>mes de d<>tections d'intrusion indiqueront que le scan provient de la
machine zombie sp<73>cifi<66>e (qui doit <20>tre active et v<>rifier un certain nombre de
crit<EFBFBD>res). J'envisage de donner plus d'explication <20> http://www.insecure.org/nmap/nmap_documentation.html
dans un futur proche.
.TP
.Sp
En plus d'<27>tre extraordinairement furtive (gr<67>ce <20> sa nature aveugle), ce scan
permet de s'affranchir des relations de confiance entre machines
fond<EFBFBD>es sur l'IP. La liste de ports montre les ports ouverts
.I tels que les voit l'h<>te zombie.
Aussi, vous pouvez essayer de scanner une cible en utilisant diff<66>rents zombies
<EFBFBD> qui elle fait confiance (via les r<>gles de filtrage des routeurs/paquets).
<EFBFBD>videmment cette information est cruciale pour orienter l'attaque. Autrement
votre test de p<>n<EFBFBD>tration va consommer des ressources consid<69>rables
appartenant au syst<73>me interm<72>diaire, pour s'apercevoir en fin de compte
qu'il n'y a pas de relation de confiance entre l'h<>te cible
et l'IP de la machine zombie.
.Sp
Vous pouvez ajouter un deux-point suivi par le num<EFBFBD>ro de port si vous
voulez tester un port particulier sur l'h<>te zombie pour les changement IPID.
Autrement Nmap utilisera le port qu'il utilise par d<>faut pour les pings TCP.
.TP
.B \-sA
ACK scan\ : C'est une technique avanc<6E>e qui est utilis<69> pour d<>couvrir
les r<>gles des pare-feux et pour savoir si on a affaire <20> un pare-feu ou un simple
filtreur de paquets qui bloquent les paquets SYN entrant.
.Sp
Ce type d'analyse envoie un paquet ACK (avec un num<75>ro
d'acquittement/s<>quence al<61>atoire) aux ports sp<73>cifi<66>s.
Si un RST vient en retour, les ports sont class<73>s comme
non filtr<74>s. Si rien ne revient (ou alors un message ICMP
<EFBFBD>\ unreachable\ <EFBFBD>), les ports sont class<73>s comme filtr<74>s . Remarquez
que
.I nmap
n'affiche pas les ports non filtr<74>s.
Aussi, si
.B aucun
port n'est affich<63> dans la sortie, c'est souvent un signe que tous
les tests ont fonctionn<6E> (et retourn<72> RSTs). Ce scan ne montrera <20>videment
jamais de port ouvert.
.TP
.B \-sW
Window scan\ : C'est une analyse avanc<6E>e tr<74>s similaire au
ACK scan, sauf qu'il peut parfois d<>tecter aussi bien des
ports ouverts que filtr<74>s/non filtr<74>s gr<67>ce <20> une anomalie
dans la taille de la fen<65>tre TCP rapport<72>e par certains syst<73>mes.
Parmi les syst<73>mes vuln<6C>rables se trouvent certaines versions de
AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital
UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, et
VxWorks. Voir les archives de la liste de diffusion nmap-hackers pour une liste
exhaustive.
.TP
.B \-sR
RPC scan. Cette m<EFBFBD>thode fonctionne en combinaison
avec diverses m<>thodes d'analyse de port de nmap.
Il prend tous les ports TCP/UDP ouverts et les inonde de
commandes SunRPC NULL pour d<>terminer ceux qui sont
des ports RPC, et si c'est le cas, le programme et son num<75>ro de version
qui les servent.
Vous pouvez obtenir la m<>me information
que 'rpcinfo -p' m<>me si le portmapper cible est derri<72>re un
pare-feu (ou prot<6F>g<EFBFBD> par un wrapper TCP). Les leurres ne fonctionnent pour le
moment pas avec les scans RCP, et je dois ajouter le support pour les leurres
dans les scans UPD RCP.
.TP
.B \-sL
scan-liste. Cette m<>thode g<>n<EFBFBD>re une liste d'IP/nom sans les pinger ou les
scanner. La r<>solution de nom DNS sera r<>alis<69>e sauf si vous utilisez -n.
.TP
.B \-b <ftp relay host>
attaque par rebond FTP\ : Une caract<63>ristique int<6E>ressante du
protocole ftp (RFC 959) est le support des connexions \fBproxy\fR.
En d'autres termes, je dois <20>tre capable de me connecter depuis
mechant.com au serveur FTP de cible.com et demander que le serveur envoie
un fichier N'IMPORTE O<> sur Internet. <20>a fonctionnait bien
en 1985 quand la RFC a <20>t<EFBFBD> <20>crite. Mais dans l'Internet d'aujourd'hui
nous ne pouvons pas nous permettre d'avoir des pirates qui d<>tournent
des serveurs ftp et envoient des donn<6E>es n'importe o<> dans Internet.
J'avais <20>crit en 1995 que ce d<>faut du protocole <20>\ peut <20>tre utilis<69> pour
envoyer des courriers et nouvelles intracables,
matraquer des serveurs de sites, saturer les disques,
essayer de contourner les pare-feux et g<>n<EFBFBD>ralement <20>tre difficile <20> rep<65>rer\ <EFBFBD>.
On peut aussi l'exploiter pour faire un scan
des ports TCP depuis un serveur ftp <20>\ proxy\ <EFBFBD>. Ainsi, vous pouvez vous
connecter <20> un serveur ftp derri<72>re un pare-feu et scanner les ports
sans <20>tre bloqu<71> (139 est un bon nombre). Si le serveur ftp
autorise la lecture et l'<27>criture dans certains r<>pertoires
(tel que /incoming), vous pouvez envoyez des donn<6E>es arbitraires
aux ports que vous avez trouv<75> ouvert (nmap ne le fera toutefois pas pour vous)
.Sp
L'argument pass<73> <20> l'option \fB-b\fR est l'h<>te que vous voulez utiliser comme
proxy, dans la notation URL standard. Le format est\ :
.I username:password@server:port.
Tout sauf
.I server
est optionnel. Pour d<>terminer les serveurs qui sont
vuln<EFBFBD>rables <20> cette attaque, vous pouvez voir mon article dans
.I Phrack
51. Une version mise <20> jour est disponible <20> l'URL
http://www.insecure.org/nmap.
.TP
.B OPTIONS G<EFBFBD>N<EFBFBD>RALES
Aucune n'est n<>cessaire, mais certaines peuvent <20>tre tr<74>s utiles.
.TP
.B \-P0
Ne pas essayer de ping sur les h<>tes avant de les analyser.
Cela permet l'analyse des r<>seaux qui ne permettent pas les requ<71>tes
ou les r<>ponses ICMP <20> travers leurs pare-feux.
Microsoft.com en est un exemple, et vous devez
toujours utiliser
.B \-P0
ou
.B \-PT80
pour faire une analyse de port sur microsoft.com.
.TP
.B \-PT
Utilise TCP "ping" pour d<>terminer les h<>tes actifs. Au lieu
d'envoyer une requ<71>te d'<27>cho ICMP et d'attendre une r<>ponse, nous
envoyons des paquets TCP ACK dans le r<>seau cible
(ou contre une machine) et attendons des r<>ponses pour conclure.
Les h<>tes devraient r<>pondre par un
RST. Cette option pr<70>serve l'efficacit<69> des scan
des h<>tes qui sont actifs mais autorise l'analyse des
h<EFBFBD>tes/r<>seaux qui bloquent les paquets de ping.
Pour les utilisateurs non root,
nous utilisons connect(). Pour sp<73>cifier le port de destination
du test utilisez -PT<port number>. Le port par d<>faut est
80, car ce port n'est pas souvent filtr<74>.
.TP
.B \-PS
Cette option utilise des paquets SYN (demande de connexion) <20> la place
des paquets ACK pour les utilisateurs ROOT. Les h<>tes actifs devrait r<>pondre
par un RST (ou, rarement par un SYN | ACK).
.TP
.B \-PI
Cette option utilise un v<>ritable paquet ping (requ<71>te d'<27>cho ICMP).
Il recherche les h<>tes actifs et aussi regarde les adresses
de diffusion des sous-r<>seaux. Il y a des adresses IP
qui sont joignable de l'ext<78>rieur et qui sont traduites
en une diffusion de paquet entrant dans un r<>seau.
<EFBFBD>a devrait <20>tre supprim<69>, si d<>couvert, car <20>a permet un grand nombre
d'attaques de d<>ni de service.
.TP
.B \-PP
utilise un paquet ICMP de requ<71>te d'estampille temporelle (code 13) pour
d<EFBFBD>terminer les h<>tes qui <20>coutent.
.TP
.B \-PM
Fait la m<>me chose que
.B \-PI
et
.B \-PP
sauf qu'il utilise une requ<71>te de masque de sous-r<>seau (ICMP code 17).
.TP
.B \-PB
C'est le ping par d<>faut. Il utilise les balayages ACK (
.B \-PT
) et ICMP (
.B \-PI
) en parall<6C>le. De cette mani<6E>re, vous pouvez passer les pare-feux qui ne filtrent
que l'un des deux types de paquets.
.TP
.B \-O
Cette option active l'identification de l'h<>te distant via l'empreinte
TCP/IP. Autrement dit, nmap utilise un ensemble de techniques
pour d<>tecter les subtilit<69>s dans la pile r<>seau du syst<73>me d'exploitation
de l'ordinateur que vous <20>tes en train d'analyser. Il utilise ces informations
pour cr<63>er une <20>\ empreinte\ <EFBFBD> qui est compar<61>e avec sa base de donn<6E>es
d'empreintes connues (le fichier nmap-os-fingerprints) pour retrouver le type
de syst<73>me que vous <20>tes en train d'analyser.
.Sp
Si Nmap est incapable de deviner le syst<73>me d'exploitation de la machine,
et que les conditions sont bonnes (par exemple, au moins un port est ouvert)
Nmap fournira une URL que vous pourrez utiliser pour soumettre si vous
connaissez avec certitude le nom du syst<73>me d'exploitation <20> qui appartient
cette nouvelle empreinte.
Vous contribuerez ainsi <20> augmenter le nombre de syst<73>mes d'exploitations
d<EFBFBD>tectable par nmap et la la pr<70>cision de la d<>tection. Si vous laissez
une adresse IP dans le formulaire, la machine pourra <20>tre analys<79>e lorsque
nous ajouterons l'empreinte (pour valider que <20>a marche).
.Sp
L'option \-O active aussi plusieurs autres tests. L'un d'entre eux est la mesure
de <20>\ uptime\ <EFBFBD> (dur<75>e <20>coul<75>e depuis le dernier red<65>marrage du syst<73>me), qui utilise l'estampille TCP (RFC 1323) pour deviner la date du
dernier red<65>marrage de la machine. Ceci n'est rapport<72> que pour les machines
qui fournissent cette information.
.Sp
Un autre test activ<EFBFBD> par \-O est la classification de la pr<EFBFBD>diction
de la s<>quence TCP. C'est une mesure qui d<>crit approximativement la difficult<6C>
d'<27>tablir une connexion TCP forg<72>e contre l'h<>te distant. C'est utile
pour exploiter les relations de confiances fond<6E>es sur l'IP source
(rlogin, firewall filters, etc) ou pour cacher la source d'une attaque.
La valeur r<>elle de la difficult<6C> est calcul<75>e sur un <20>chantillon et peut
fluctuer. Il est g<>n<EFBFBD>ralement plus appropri<72> d'utiliser une classification
par nom tel que <20>\ worthy challenge\ <EFBFBD> ou <20>\ trivial joke\ <EFBFBD>. Ceci n'est
rapport<EFBFBD> dans la sortie normale qu'avec l'option -v.
.Sp
Si le mode verbeux (\-v) est activ<69> en m<>me temps que \-O,
la g<>n<EFBFBD>ration de s<>quence IPID est aussi rapport<72>e.
La plupart des machines appartiennent <20> la classe incr<63>mentale,
ce qui signifie qu'elle incr<63>mente le champ ID dans l'ent<6E>te
IP pour chaque paquet envoy<6F>. Ce qui les rend vuln<6C>rables
<EFBFBD> la collecte d'information avanc<6E>e et aux attaques par
usurpation.
.TP
.B \-I
Active l'analyse TCP reverse ident. Dave Goldsmith
dans un message <20> Bugtraq en 1996, a fait remarquer que le protocole
ident (rfc 1413) autorise la d<>couverte du nom d'utilisateur qui
poss<EFBFBD>de un processus connect<63> via TCP, m<>me si le processus n'est pas <20>
l'instigateur de la connexion. Vous pouvez ainsi vous connecter au port
http et utiliser identd pour d<>couvrir si le serveur tourne sous root.
Ceci ne peut <20>tre fait qu'avec une connexion TCP compl<70>te sur le port cible
(i.e. l'option d'analyse -sT). Quand
.B \-I
est utilis<69>, l'identd de l'h<>te distant est interrog<6F> pour chaque port
ouvert trouv<75>. <20>videmment <20>a ne fonctionne pas si l'h<>te n'utilise pas identd.
.TP
.B \-f
Cette option oblige les analyses FIN, XMAS, ou NULL
<EFBFBD> utiliser de petit paquets IP fragment<6E>s. L'id<69>e est de partager
l'ent<6E>te TCP en plusieurs paquets pour rendre leurs d<>tections plus difficile
par les filtres et les syst<73>mes de d<>tection d'intrusion, et les autres
enquiquineurs qui tentent de d<>tecter ce que vous <20>tes en train de faire.
Faites attention avec ceci, certains programmes ont des difficult<6C>s avec ces
petits paquets. Mon sniffer favori plante imm<6D>diatement lorsqu'il re<72>oit le
premier fragment de 36 octets.
Cette option est inefficace contre les filtreurs de paquets et les pare-feux
qui r<>assemblent les fragments IP
(comme l'option CONFIG_IP_ALWAYS_DEFRAG dans le noyau Linux),
certains r<>seaux ne peuvent pas supporter cette perte de performance
et ne r<>assemblent pas les paquets.
.Sp
Remarquez que je n'ai pas encore fait fonctionner cette option sur tous les
syst<EFBFBD>mes. <20>a marche parfaitement sur les machines Linux, FreeBSD et OpenBSD
et certaines personnes m'ont rapport<72> leurs succ<63>s avec d'autres saveurs
d'Unix.
.TP
.B \-v
Mode verbeux. C'est une option hautement recommand<6E>e qui fournit beaucoup
d'informations sur ce que vous <20>tes en train de faire. Vous pouvez l'utiliser
deux fois pour un effet plus important. Utiliser
.B \-d
une paire de fois si vous voulez vraiment devenir fou avec le d<>filement de
l'<27>cran\ !
.TP
.B \-h
Cette option affiche un bref r<>capitulatif des options de nmap.
Comme vous l'avez sans doute remarqu<71>, cette page de manuel n'est pas vraiment
un <20>\ bref r<>capitulatif\ <EFBFBD>. :)
.TP
.B \-oN <logfilename>
Enregistre les r<>sultats de vos analyses dans un
format
.B lisible par un humain
dans le fichier sp<73>cifi<66> en argument.
.TP
.B \-oX <logfilename>
Enregistre le r<>sultat de vos analyses dans un format
.B XML
dans le fichier sp<73>cifi<66> en argument. Ceci permet <20> des programmes
d'interpr<70>ter facilement les r<>sultats de nmap.
Vous pouvez donner l'argument '\fB-\fR' (sans les guillemets) pour envoyer la sortie sur la sortie standard
(pour les pipelines shells, etc).
Dans ce cas la sortie normale sera supprim<69>e.
Regardez attentivement les messages d'erreurs si vous utilisez ceci (ils sont
encore envoy<6F>s sur la sortie d'erreur standard).
Notez aussi que \fB-v\fR peut afficher des informations suppl<70>mentaires.
La d<>finition de type de document (DTD) d<>finissant la structure de la sortie
XML est disponible <20> http://www.insecure.org/nmap/data/nmap.dtd .
.TP
.B \-oG <logfilename>
Enregistre les r<>sultats de vos analyses dans une forme adapt<70>e pour
.B grep.
Ce format simple fournit toutes les informations sur une ligne. C'est le
m<EFBFBD>canisme pr<70>f<EFBFBD>r<EFBFBD> des programmes qui interagissent avec nmap, mais d<>sormais nous
recommandons plut<75>t la sortie XML (-oX). Ce format simple ne contient pas autant d'informations
que les autres formats. Vous pouvez donner l'argument <20>\fB-\fR<EFBFBD> (sans les guillemets) pour envoyer la sortie sur la sortie standard
(pour les pipelines shells, etc).
Dans ce cas la sortie normale sera supprim<69>e.
Regardez attentivement les messages d'erreurs si vous utilisez ceci (ils sont
encore envoy<6F>s sur la sortie d'erreur standard).
Notez aussi que \fB-v\fR peut afficher des informations suppl<70>mentaires.
.TP
.B \-oA <logfilename>
indique <20> nmap d'enregistrer dans tous les formats majeurs (normal, grep et
XML). Vous fournissez le pr<70>fixe du nom de fichier et les sorties auront
respectivement les suffixes .nmap, .gnmap et .xml .
.TP
.B \-oS <logfilename>
enregistre les r<>sultats de vos analyses en format
.B script kiddie
(NdT\ : C'est un langage dans lequel certaines lettres sont remplac<EFBFBD>es par des chiffres/symboles
typiquement exemple A devient 4, E devient 3, etc. Cette langue est utilis<EFBFBD>e par
les <EFBFBD>\ cowboyz\ <EFBFBD> d'Internet.
Cette population folklorique amuse beaucoup les autres internautes, au point qu'il existe une option pour eux dans nmap)
V0u$ poUV3z dOnn3r l'4rgUm3nt '\fB-\fR' (s4ns l3$ guIll3m3ts) poUr 3nvoy3r l4 sOrti3 sUr l4 $orti3 $t4nd4rd.
.TP
.B \--resume <logfilename>
L'analyse d'un r<>seau qui a <20>t<EFBFBD> annul<75>e par un Ctrl-C, probl<62>me de r<>seau, etc.
peut <20>tre reprise en utilisant cette option.
logfilename doit <20>tre soit un log normal (-oN) soit
un log lisible par une machine (-oM) d'une analyse avort<72>e.
Aucune autre option ne peut <20>tre donn<6E>e (ce sont obligatoirement les m<>mes que
celles du scan avort<72>).
Nmap d<>marrera sur la machine apr<70>s la derni<6E>re machine qui a <20>t<EFBFBD> analys<79>e avec succ<63>s dans le
fichier de log.
.TP
.B \--append_output
indique <20> Nmap d'<27>crire <20> la fin des fichiers de sortie au lieu de les <20>craser.
.TP
.B \-iL <inputfilename>
Lit les sp<73>cifications de la cible depuis le fichier sp<73>cifi<66>
plut<EFBFBD>t que depuis la ligne de commande. Le fichier doit contenir une liste
d'h<>tes, d'expressions de r<>seaux s<>par<61>es par des espaces, tabulations ou retour chariots.
Utilisez le tiret
pour lire depuis stdin (comme la fin d'un pipe).
Voyez la section \fIsp<EFBFBD>cification de cible\fR
pour plus d'information sur les expressions que vous pouvez mettre dans le fichier.
.TP
.B \-iR
Cette option indique <20> Nmap de g<>n<EFBFBD>rer ses propres h<>tes
<EFBFBD> analyser par tirage al<61>atoire :). <20>a ne finit jamais.
<EFBFBD>a peut <20>tre utile pour un <20>chantillon d'Internet pour estimer diverses choses.
Si vous vous ennuyez, essayez
.I nmap \-sS \-iR \-p 80
pour rechercher des serveurs web <20> regarder.
.TP
.B \-p <port ranges>
Cette option sp<73>cifie les ports que vous voulez essayer.
Par exemple '-p 23' n'essayera que le port 23 of de l'h<>te
cible. '\-p 20-30,139,60000-' analysera les ports entre 20 et 30, le port
139, et tous les ports sup<75>rieurs <20> 60000. Le comportement par d<>faut est d'analyser tous
les ports de 1 <20> 1024 ainsi que tous les ports list<73>s dans les fichiers de services fournis avec nmap.
Pour l'analyse par IP (-sO), ceci sp<73>cifie le num<75>ro de protocole que vous voulez analyser
.Sp
Lorsque vous scannez les ports TCP et UPD vous pouvez sp<73>cifier un protocole
particulier en pr<70>fixant les num<75>ros de ports par <20>\ T\ <EFBFBD>: ou <20>\ U:\ <EFBFBD>.
L'effet du sp<73>cificateur dure jusqu'<27> ce que vous en sp<73>cifiez un autre.
Par exemple, l'argument <20>\ -p U:53,111,137,T:21-25,80,139,8080\ <EFBFBD>
scannera les ports UDP 53, 111 et 137 ainsi que les ports TCP mentionn<6E>s.
Remarquez que pour scanner UDP et TCP, vous devez sp<73>cifier -sU et au moins une
analyse TCP (telle que -sS, -sF ou -sT). Si aucune sp<73>cification de
protocole n'est indiqu<71>e, les num<75>ros de ports sont ajout<75>s <20> tous les
protocoles.
.TP
.B \-F Fast scan mode.
Sp<EFBFBD>cifie que vous ne voulez analyser que les ports list<73>s
dans le fichier des services livr<76> avec nmap (ou le fichier des protocoles pour
-sO).
C'est <20>videmment plus rapide que d'analyser les 65535 ports d'un h<>te.
.TP
.B \-D <decoy1 [,decoy2][,ME],...>
r<EFBFBD>alise un scan avec leurres. Du point de vue de l'h<>te distant, les h<>tes
leurres appara<72>tront comme s'ils analysaient aussi le r<>seau cible. Ainsi,
les syst<73>mes de d<>tection d'intrusion ne pourront pas savoir parmi l'ensemble
des IP qui semblent les scanner quelle est l'IP qui effectue r<>ellement
l'analyse et quelles IP ne sont en r<>alit<69> que d'innocent leurres.
Bien que ceci puisse <20>tre contr<74> par
path tracing, response-dropping, et d'autres m<>canismes actifs,
c'est g<>n<EFBFBD>ralement une technique efficace pour dissimuler son adresse IP.
.Sp
S<EFBFBD>parez chaque h<>te-leurre par des virgules, et vous pouvez optionnellement
utiliser '\fBME\fR' (Moi) comme l'un des leurres pour repr<70>senter
la position que vous voulez utiliser pour votre adresse.
Si vous utilisez '\fBME\fR' au del<65> de la 6<>me position, la plupart des d<>tecteurs de scan
(m<>me l'excellent scanlogd de Solar Designer) seront incapables de voir votre adresse IP.
Si vous n'utilisez pas '\fBME\fR', nmap choisira une position al<61>atoire.
.Sp
Remarquez que les h<>tes leurres doivent <20>tre actifs
ou vous risquez accidentellement de faire une inondation SYN sur vos cibles.
Il est aussi presque facile de d<>terminer qui est en train de scanner si seul une
seule machine est active sur le r<>seau. Vous pouvez vouloir utiliser des adresses IP
<EFBFBD> la place des noms (ainsi les r<>seaux leurres ne vous verront pas dans les logs du serveurs de nom).
.Sp
Remarquez <20>galement que quelques d<>tecteurs (stupides) de scan bloqueront
les h<>tes qui tentent des scans de ports. Aussi vous pouvez par inadvertance
bloquer l'acc<63>s des machines leurres <20> la machine cible.
Ceci peut provoquer de grave probl<62>mes aux machines cibles si le leurre s'av<61>re <20>tre
sa passerelle internet ou m<>me <20>\ localhost\ <EFBFBD>. Il faut donc utiliser prudemment cette option.
La vraie morale de cette histoire est que les d<>tecteurs de scan ne doivent pas prendre de
mesures contre les machines qui semblent les analyser, car il se peut que ce soit des leurres\ !
.Sp
Les leurres sont utilis<69>s pour le scan initial (en utilisant ICMP,
SYN, ACK, ou autre chose) et pendant la v<>ritable phase de scan. Les leurres sont aussi
utilis<EFBFBD>s pendant la d<>tection de l'h<>te distant (
.B \-O
).
.Sp
Il ne faut pas oublier que d'utiliser un trop grand nombre de leurres
peut ralentir
le scan et m<>me le rendre impr<70>cis. De plus certains
fournisseurs d'acc<63>s <20> Internet (FAI) filtreront vos paquets usurp<72>s, bien que la plupart
n'applique aucune restriction sur les paquets usurp<72>s.
.TP
.B \-S <adresse_ip>
Dans certaines circonstances,
.I nmap
est incapable de d<>terminer l'adresse source.
.I Nmap
vous avertira si c'est le cas). Dans cette situation, utilisez
\-S avec votre adresse IP (ou l'interface depuis laquelle vous voulez envoyer les paquets).
.Sp
Une autre utilisation possible de ce drapeau est d'usurper le scan pour faire croire
aux cibles que
.B quelqu'un d'autre les scanne.
Imaginez une entreprise qui se croit r<>guli<6C>rement scann<6E>e par un concurrent\ !
Ce n'est pas l'utilisation premi<6D>re ni le but principal de ce drapeau.
Je pense que c'est juste une possibilit<69> int<6E>ressante pour les personnes qui sont au courant
avant qu'elles n'en accusent d'autres de les scanner.
.B \-e
est g<>n<EFBFBD>ralement requis pour ce type d'utilisation.
.TP
.B \-e <interface>
indique l'interface r<>seau <20> utiliser pour envoyer et recevoir les paquets.
\fBNmap\fR devrait <20>tre capable de d<>tecter ceci mais il vous pr<70>viendra s'il n'y parvient pas.
.TP
.B \-g <portnumber>
Sp<EFBFBD>cifie le num<75>ro de port source dans le scan.
Beaucoup de pare-feux et de filtreur de paquets na<6E>fs
feront une exception dans leurs r<>gles pour autoriser le passage des paquets
DNS (53) ou FTP-DATA (20) pour <20>tablir une connexion.
<EFBFBD>videmment <20>a r<>duit compl<70>tement les avantages de s<>curit<69> d'un pare-feu
puisque les intrus n'ont qu'<27> se d<>guiser en FTP ou DNS en modifiant leur
port source. <20>videmment pour un scan UDP vous devriez utiliser
53 en premier et pour les scans TCP vous devriez utiliser
20 avant 53.
Remarquer que ce n'est qu'une requ<71>te -- nmap ne le fera que s'il y parvient.
Par exemple, vous ne pouvez pas faire des analyse en parall<6C>le avec un seul port.
Aussi \fBnmap\fR changera le port source m<>me si vous utilisez \fB-g\fR.
.Sp
Sachez qu'il y a une petite p<>nalit<69> de performance sur certains scans si vous utilisez
cette option, parce que j'enregistre parfois des informations utiles dans le num<75>ro de port
source.
.TP
.B \--data_length <nombre>
Normalement nmap envoie des paquets minimalistes qui ne contiennent que l'en-t<>te.
Ainsi, les paquets TCP font 40 octets et les requ<71>tes d'<27>cho ICMP, 28 octets.
Cette option indique <20> Nmap d'ajouter le nombre sp<73>cifi<66> d'octets initialis<69>s <20> 0
<EFBFBD> la plupart des paquets qu'il envoie. La d<>tection de syst<73>me d'exploitation
(-O) n'est pas affect<63>e, mais la plupart des paquets de ping et de scan de port
le sont. <20>a ralentit les choses, mais <20>a peut <20>tre un peu moins voyant.
.TP
.B \-n
Dit <20> Nmap de ne
.B JAMAIS
faire de r<>solution DNS inverse sur une adresse IP active. Comme DNS est
souvent lent,
<EFBFBD>a peut aider <20> acc<63>l<EFBFBD>rer les choses.
.TP
.B \-R
Dit <20> Nmap de
.B TOUJOURS
faire la r<>solution DNS inverse des adresses IP cibles. Normalement
ceci n'est fait que pour les machines vivantes.
.TP
.B \-r
Dit <20> Nmap
.B DE NE PAS
changer al<61>atoirement l'ordre dans lequel les ports seront analys<79>s.
.TP
.B \-\-randomize_hosts
Dit <20> nmap de m<>langer chaque groupe comprenant jusqu'<27> 2048 h<>tes avant de les analyser.
Ceci rend les scans moins <20>vidents <20> de nombreux syst<73>mes de surveillance r<>seau,
particuli<EFBFBD>rement quand vous le combinez avec des options
pour ralentir le timing (voir ci-dessous).
.TP
.B \-M <max sockets>
Sp<EFBFBD>cifie le nombre maximum de sockets qui seront utilis<69>s en parall<6C>le
pour le scan TCP connect() (celui par d<>faut). C'est utile pour
ralentir l<>g<EFBFBD>rement le scan et <20>viter de crasher les machines cibles. Une autre
approche consiste <20> utiliser \fB-sS\fR, qui est g<>n<EFBFBD>ralement plus facile <20> g<>rer
pour les machines.
.TP
.B OPTIONS TIMING
g<EFBFBD>n<EFBFBD>ralement nmap parvient <20> s'ajuster correctement
aux caract<63>ristiques du r<>seau et <20> analyser aussi vite que possible
tout en minimisant la probabilit<69> d'<27>tre d<>tect<63>.
Cependant, il y a des cas o<> les timings par d<>faut
de Nmap ne correspondent pas <20> vos objectifs. Les options suivantes
permettent un contr<74>le fin des timings\ :
.TP
.B -T <Paranoid | Sneaky | Polite | Normal | Aggressive | Insane>
Ce sont les diff<66>rentes politiques de timing pour communiquer de
mani<EFBFBD>re pratique vos priorit<69>s <20> nmap.
.B Paranoid
analyse
.B tr<EFBFBD>s lentement
dans l'espoir d'<27>viter d'<27>tre rep<65>r<EFBFBD> par les syst<73>me de d<>tection d'intrusion.
Il s<>rialise tous les scans (pas de scan parall<6C>le) et attend au moins
5 minutes entre les envois de paquets.
.B Sneaky
c'est la m<EFBFBD>me chose, sauf qu'il attend 15 secondes entre les envois de paquets.
.B Polite
essaye de minimiser la charge sur le r<>seau et de r<>duire la probabilit<69> de
crasher des machines. Il s<>rialises les test et attend
.B au moins
0,4 secondes entre chaque.
.B Normal
c'est le comportement par d<>faut de Nmap, qui essaye de s'ex<65>cuter aussi
vite que possible sans surcharger le r<>seau ou oublier des
h<EFBFBD>tes/ports.
.B Aggressive
ajoute un d<>compte de 5 minutes par h<>te et n'attends jamais les r<>ponses
individuelles plus de 1.25 secondes.
.B Insane
ne convient qu'aux r<EFBFBD>seaux ultra-rapides o<EFBFBD> vous ne risquez par de perdre
d'informations. Il ajoute un d<>compte de 75
secondes et n'attend les r<>ponses individuelles que pendant
0,3 secondes. Il permet de balayer tr<74>s rapidement les r<>seaux.
Vous pouvez aussi r<>f<EFBFBD>rencer ces modes par num<75>ro (0-5).
Par exemple, '-T 0' donne le mode Paranoid et '-T 5' le mode Insane.
.Sp
Ces modes timings NE devrait PAS <20>tre utiliser en combinaison avec les contr<74>les
de bas niveau donn<6E>s ci-dessous.
.TP
.B --host_timeout <millisecondes>
Sp<EFBFBD>cifie la dur<75>e que \fBnmap\fR est autoris<69>e <20> consacrer
<EFBFBD> l'analyse d'un h<>te unique avant d'abandonner cette IP.
Par d<>faut il n'y a pas de temps limite pour un h<>te.
.TP
.B --max_rtt_timeout <millisecondes>
Sp<EFBFBD>cifie la dur<75>e maximale que \fBnmap\fR peut laisser s'<27>couler en attendant
une r<>ponse <20> ses tests avant de retransmettre ou de laisser tomber.
La valeur par d<>faut est 9\ 000.
.TP
.B --min_rtt_timeout <millisecondes>
Quand les h<>tes cibles commencent <20> <20>tablir un mod<6F>le de r<>ponse tr<74>s
rapidement, \fBnmap\fR diminuera la dur<75>e accord<72>e par test.
Ceci augmente la vitesse du scan, mais peut conduire <20> la perte de paquets
quand une r<>ponse prend plus de temps que d'habitude.
Avec ce param<61>tre vous pouvez garantir que \fBnmap\fR attende au moins
une certaine dur<75>e avant de laisser tomber un test.
.TP
.B --initial_rtt_timeout <millisecondes>
Sp<EFBFBD>cifie le d<>compte du test initial. Ce n'est g<>n<EFBFBD>ralement utile
que lors de l'analyse d'h<>te derri<72>re un pare-feu avec -P0.
Normalement \fBnmap\fR obtient de bonnes estimations <20> partir
du ping et des premiers tests. Le mode par d<>faut est 6\ 000.
.TP
.B --max_parallelism <nombre>
Sp<EFBFBD>cifie le nombre maximum de scans que \fBnmap\fR est autoris<69> <20> mener en parall<6C>le.
Positionner ceci <20> 1 signifie que \fBnmap\fR n'essayera jamais de
scanner plus d'un port <20> la fois. Ce nombre affecte aussi les autres scans
parall<EFBFBD>le comme le balayage de ping, RPC scan, etc.
.TP
.B --scan_delay <millisecondes>
Sp<EFBFBD>cifie la dur<75>e
.B minimum
que \fBnmap\fR doit laisser s'<27>couler entre ses envois. C'est utile pour r<>duire la
charge du r<>seau ou pour ralentir le d<>bit du scan afin de ne pas atteindre
le seuil de d<>clenchement des syst<73>mes de d<>tection d'intrusion.
.SH SP<EFBFBD>CIFICATION DE CIBLE
Tout ce qui n'est pas une option ou un argument d'option
est trait<69> par nmap comme une sp<73>cification d'h<>te.
Le cas le plus simple et une liste de nom d'h<>tes ou d'adresse IP sur la ligne
de commande.
Si vous voulez analyser un sous r<>seau d'adresses IP vous pouvez ajouter
.B '/mask'
au nom d'h<>tes
.B mask
doit <EFBFBD>tre compris entre 0 (scanner tout internet) et 32 (scanner un seul
h<EFBFBD>te). Utiliser /24 pour analyser des adresses de classe 'C'
et /16 pour la classe 'B'.
.Sp
\fBNmap\fR utilise une notation puissante pour sp<73>cifier une adresse IP
en utilisant des listes/intervalles pour chaque <20>l<EFBFBD>ment.
Ainsi vous pouvez analyser tout un r<>seau de classe B
192.168.*.* en sp<73>cifiant '192.168.*.*' ou '192.168.0-255.0-255' ou
m<EFBFBD>me '192.168.1-50,51-255.1,2,3,4,5-255'. Et bien s<>r, vous pouvez utiliser
la notation mask : '192.168.0.0/16'. Elles sont toutes <20>quivalentes
Si vous utilisez des ast<73>risques ('*'), souvenez-vous que la plupart des
shells n<>cessitent que vous les pr<70>c<EFBFBD>diez par des anti-slash ou que vous les
prot<EFBFBD>giez par des guillemets.
.Sp
Une autre chose int<6E>ressante <20> faire et de d<>couper Internet\ :
au lieu de scanner les h<>tes dans une classe 'B',
scanner '*.*.5.6-7' pour analyser toutes les adresses IP se terminant
par .5.6 ou .5.7. Pour plus d'informations sur la sp<73>cification
des h<>tes <20> analyser, voyez la section
.I exemples.
.SH EXEMPLES
Voici quelques exemples d'utilisation de \fBnmap\fR du plus simple au plus compliqu<71>.
Remarquez que les noms et adresses sont utilis<69>es pour rendre les choses
plus concr<63>tes. <20> leur place vous devriez substituer les noms et adresses
de
.B votre propre r<EFBFBD>seau.
Je ne pense pas que l'analyse de ports d'autres r<>seaux soit ill<6C>gale, ni
que l'analyse de ports doit <20>tre consid<69>r<EFBFBD>e par les autres comme une attaque.
J'ai analys<79> des centaines de milliers de machines et je n'ai re<72>u
qu'une seule plainte. Mais je ne suis pas juriste et certaines personnes pourraient
<EFBFBD>tre ennuy<75>es par les tests de
.I nmap.
Aussi demandez pr<EFBFBD>alablement la permission ou utilisez \fBnmap\fR
<EFBFBD> vos risques et p<>rils.
.Sp
.B nmap -v cible.exemple.com
.Sp
Cette option analyse tous les ports TCP r<>serv<72>s sur la machine
cible.exemple.com . Le \-v signifie d'activer le mode verbeux.
.Sp
.B nmap -sS -O cible.exemple.com/24
.Sp
Envoie un scan SYN furtif contre chaque machine active parmi
les 255 machines de classe 'C' qui sont sur cible.exemple.com.
Il essaye aussi de d<>terminer quel syst<73>me d'exploitation fonctionne sur
chaque h<>te. Ceci n<>cessite les privil<69>ges root en raison du scan SYN et
de la d<>tection de syst<73>me d'exploitation.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
Envoie un scan Xmas tree <20> la premi<6D>re moiti<74>
de chacun des 255 sous-r<>seaux de l'espace d'adresse de classe B
198.116. Nous sommes en train de tester si les syst<73>mes font fonctionner sshd,
DNS, pop3d, imapd, ou port 4564. Remarquez que les scan Xmas
ne fonctionnent pas contre les machines Microsoft en raison de leur pile TCP
d<EFBFBD>ficiente. Le m<>me probl<62>me se produit aussi avec les machines
CISCO, IRIX, HP/UX, et BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Plut<EFBFBD>t que de se concentrer sur une plage sp<73>cifique d'IP,
il est parfois int<6E>ressant de d<>couper l'ensemble d'Internet et
d'analyser un petit <20>chantillon de chaque tranche. Cette commande
trouve tous les serveurs web sur des machines dont l'adresse IP
se termine par .2.3, .2.4 ou .2.5 .
Si vous <20>tes root, vous pouvez aussi ajouter \fB-sS\fR.
Vous trouverez plus de machine int<6E>ressantes en commen<65>ant <20> 127, aussi
vous utiliserez '127-222' <20> la place de la premi<6D>re ast<73>risque
car cette section poss<73>de une plus grande densit<69> de machine int<6E>ressantes.
.Sp
.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
Fait un transfert DNS pour d<>couvrir les h<>tes de company.com
et utiliser leurs adresses IP pour alimenter
\fInmap\fR.
Les commandes ci-dessus sont pour mon ordinateur GNU/Linux.
Vous pouvez avoir besoin d'autres commandes/options pour d'autres syst<73>mes d'exploitations.
.SH BOGUES
Bogues\ ? Quels bogues\ ? Envoyez-moi tout ce que vous trouverez.
Les patchs sont les bienvenus. Souvenez-vous
que vous pouvez aussi envoyer les empreintes de nouveaux syst<73>mes
d'exploitation pour enrichir la base de donn<6E>es.
Si une empreinte appropri<72>e est trouv<75>e, Nmap
affichera l'URL <20> laquelle vous pourrez l'envoyer.
.SH AUTEUR
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH DISTRIBUTION
La derni<6E>re version de
.I nmap
peut <20>tre obtenu depuis
.I http://www.insecure.org/nmap/
.Sp
.I nmap
est (C) 1995-2001 par Insecure.Com LLC
.Sp
.I libpcap
est aussi distribu<62>e avec nmap. Il est copyright<68> par
Van Jacobson, Craig Leres et Steven McCanne, tous du
Lawrence Berkeley National Laboratory, University of
California, Berkeley, CA. La version distribu<62>e avec nmap
peut <20>tre modifi<66>e, les sources d'origine sont disponibles
<EFBFBD> ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
.Sp
Ce programme est un logiciel libre, vous pouvez
le redistribuer et/ou le modifier sous les termes de la
GNU General Public License telle que publi<6C>e par
par la Free Software Foundation\ ;
Version 2. Ceci garantit votre droit d'utiliser, modifier
et redistribuer Nmap sous certaines conditions.
Si cette licence est inacceptable pour vous, Insecure.Org
pourrait <20>ventuellement vendre d'autres licences.
(contacter \fBfyodor@dhp.com\fR).
.Sp
Les sources sont fournies avec ce logiciel
car nous croyons que les utilisateurs ont le droit de savoir exactement ce que
fait un programme avant de le lancer. Ceci vous permet aussi d'auditer le
logiciel pour rechercher des trous de s<>curit<69>
(aucun n'a <20>t<EFBFBD> trouv<75> jusqu'<27> pr<70>sent).
.Sp
Le code source vous permet aussi de porter Nmap vers de nouvelles plates-formes,
corriger des bogues et ajouter de nouvelles caract<63>ristiques.
Vous <20>tes vivement encourag<61> <20> envoyer vos modifications
<EFBFBD> \fBfyodor@insecure.org\fR pour une <20>ventuelle incorporation dans
la distribution principale. En envoyant ces modifications <20>
Fyodor ou <20> quelqu'un de la liste de diffusion de d<>veloppement
de insecure.org, il est suppos<6F> que vous offrez <20>
Fyodor le droit illimit<69> et non exclusif de r<>utiliser,
modifier et relicencier le code. C'est important parce que l'impossibilit<69>
de relicencier le code a provoqu<71> des probl<62>mes d<>vastateurs dans d'autres
projets de logiciel libre (comme KDE et NASM).
Nmap sera toujours disponible en Open Source.
Si vous d<>sirez sp<73>cifier des conditions particuli<6C>res de licence pour vos
contributions, dites-le nous simplement quand vous nous les envoyez.
.Sp
Ce programme est distribu<62> dans l'espoir d'<27>tre utile, mais
.B SANS AUCUNE GARANTIE
m<EFBFBD>me la garantie implicite relative <20> la
.B QUALIT<EFBFBD> MARCHANDE
ou
.B D'APTITUDE <EFBFBD> UNE UTILISATION PARTICULI<EFBFBD>RE.
Voir la licence GPL (c'est le fichier COPYING de la
distribution \fInmap\fR.
.Sp
Remarque\ : Nmap a d<>j<EFBFBD> fait planter certaines
applications, des piles TCP/IP et m<>me des syst<73>mes d'exploitations mal <20>crits.
Par cons<6E>quent
.B Nmap ne devrait jamais <EFBFBD>tre utilis<EFBFBD> contre des syst<EFBFBD>mes qui ont une mission
critique <20> moins que vous ne soyez pr<70>t <20> souffrir d'une <20>ventuelle
interruption de service. Nous reconnaissons ici que \fbnmap\fR
peut crasher vos syst<73>mes et r<>seaux mais nous ne sommes pas responsables
des d<>g<EFBFBD>ts que Nmap pourrait provoquer.
.Sp
En raison du l<>ger risque de crashs et parce que quelques personnes
mal intentionn<6E>es utilisent nmap pour les reconnaissances pr<70>liminaires <20> une
attaque, certains administrateurs deviennent furieux et se plaignent quand leurs
syst<EFBFBD>mes sont scann<6E>s. C'est pourquoi il est plus sage de demander la permission
avant de lancer l'analyse d'un r<>seau.
.Sp
Nmap ne devrait jamais <20>tre lanc<6E> avec des privil<69>ges (par exemple suid root)
pour des raisons de s<>curit<69>.
.Sp
Toutes les versions de Nmap post<73>rieures <20> la 2.0 sont compatibles
an 2000. Il n'y a aucune raison de penser que les versions ant<6E>rieures ont des
probl<EFBFBD>mes, mais nous ne les avons pas test<73>es.
.SH TRADUCTION
S<EFBFBD>bastien Blanchet, 2002 <sebastien.blanchet AT free.fr>
.SH RELECTURE
G<EFBFBD>rard Delafond

991
docs/nmap_german.1 Normal file

@@ -0,0 +1,991 @@
.\" This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NAME
nmap - Auswertungstool fuer Netzwerke und Security Scanner
.SH SYNTAX
.B nmap
[Scan-Typ(en)] [Optionen] <Host oder Netz #1 ... [#N]>
.SH BESCHREIBUNG
.I Nmap
wurde entwickelt, um Systemadministratoren und kuriosen Individuen die
Moeglichkeit zu geben, ansprechbare Systeme und die durch sie bereitgestellten
Dienste in grossen Netzwerken zu identifizieren.
.I nmap
unterstuetzt eine Vielzahl verschiedener Scanning-Techniken, wie zum Beispiel
UDP, TCP connect(), TCP SYN (half open), FTP-Proxy (bounce attack),
Reverse-ident, ICMP (Ping-Suchlauf), FIN, ACK-Suchlauf, Xmas-Tree,
SYN-Suchlauf, IP-Protocol und Null-Scan.
Siehe Absatz
.I Scan-Typen
fuer mehr Informationen. Ebenso ermoeglicht nmap eine Vielzahl von
zusaetzlichen Moeglichkeiten, wie das Erkennen von Betriebssystemen mittels
TCP/IP-Fingerprinting, Stealth-Scanning, dynamische Verzoegerungen und
Uebertragungswiederholungs-Berechnungen, paralleles Scanning, Entdecken
abgeschalteter Systeme mittels parallelem Scanning, Decoy-Scanning, entdecken
von Port-Filtering, direktes RPC-Scanning (ohne Portmapper), fragmentiertes
Scanning sowie flexible Ziel und Port Spezifizierung.
.PP
Ein Grossteil der Arbeit wurde in die Moeglichkeiten fuer non-root Benutzer
investiert. Leider benoetigen viele exotische Techniken (z.B. die Kernel-nahen
raw sockets) root-Privilegien. Aus diesem Grund sollte nmap stets als root
genutzt werden, sofern dies moeglich ist (natuerlich kein setuid root).
.PP
Das Resultat eines nmap-Durchlaufs ist normalerweise eine Liste saemtlicher
interessanter Ports der gescannten Geraete (falls vorhanden). Sofern eine
Zuweisung stattfinden kann, benennt nmap die well-known Ports direkt mit ihrem
Service-Namen, Portnummer, Status und Protokoll. Der Status ist
entweder 'open', 'filtered' oder 'unfiltered'. Open (dt. offen) bedeutet, dass
das Zielsystem auf diesem Port Verbindungen anzunehmen in der Lage ist.
Filtered (dt. gefiltert) weist darauf hin, dass ein dediziertes
Firewall-System, TCP/IP-Filter oder Netzwerk-Element die Arbeit von nmap
behindert und somit keine verlaesslichen Rueckschluesse gemacht werden
koennen. Unfiltered (dt. ungefiltert) heisst, dass nmap den Port kennt, jedoch
beim Zugriff keinerlei Filter-Mechanismen ausgemacht werden konnten. Der
ungefilterte Status wird in den meisten aller Faelle vorhanden sein, weshalb
ein solcher nur immer dann ausgwiesen wird, wenn die meisten der gescannten
Ports gefiltert (engl. filtered) sind.
.PP
Jenachdem, welche Optionen angewandt wurden, ist nmap in der Lage Auskunft
ueber die folgenden Charakteristiken des Zielsystems zu geben: Genutztes
Betriebssystem, TCP-Sequenznummern, Benutzername der an die Ports gebundene
Software, DNS-Name, ob es sich um ein Smurf-System handelt und viele mehr.
.SH OPTIONEN
Das Zusammenspiel verschiedener Optionen ist immer dann moeglich, wenn dies
auch Sinn macht. Einige Parameter koennen nur in Verbindung mit spezifischen
Scan-Methoden genutzt werden.
.I nmap
versucht unlogische und nicht unterstuetzte Kombinationen von Parametern
abzufangen und den Benutzer entsprechend zu warnen.
.Sp
Falls Sie ungeduldig sind, koennen Sie den Abschnitt
.I Beispiele
ueberspringen. Darin werden typische Befehlseingaben gezeigt. Ebenso kann
.B nmap -h
ausgefuehrt werden, um eine kurze Optionsreferenz ausgeben zu lassen.
.TP
.B SCAN-TYPEN
.TP
.B -sS
TCP SYN-Scan: Diese Technik wird oft als "halb-offen" (engl. "half-open")
bezeichnet, da keine volle TCP-Verbindung zustande kommt. Der Scanner schickt
ein TCP-Datagramm mit gesetzter SYN-Flagge an das Zielsystem, so wie dies im
Rahmen des Drei-Wege-Handschlags von TCP normalerweise auch der Fall ist. Nun
wird auf eine positive Rueckmeldung des Zielsystems gewartet. Kommt ein Paket
mit gesetzter SYN/ACK-Flagge zurueck, so wird der Zielport als im Status
LISTENING (dt. abhoerend) identifiziert. Im Gegenzug deutet ein RST-Datangramm
auf einen geschlossenen Port (engl. closed) hin. Wird ein SYN/ACK-Datagramm
entgegengenommen, schickt nmap (bzw. der Betriebssystem-Kernel) automatisch
ein RST zurueck, um den Verbindungsaufbau zu abzubrechen. Der primaere Vorteil
dieser Vorgehensweise ist, dass viele Systeme solcherlei Zugriffe nicht
protokollieren (Die meisten Applikationen interessieren sich nur fuer
vollstaendig etablierte Verbindungen). Leider setzt diese Scan-Technik
root-Privilegien voraus, da eine Generierung verhaeltnismaessig exotischer
Paket-Sequenzen von Noeten ist. Dies ist die standardmaessige Scan-Methode
fuer priviligierte Benutzer.
.TP
.B -sT
TCP connect()-Scan: Dies ist die klassische Form des TCP-Portscannings. Der
connect()-System-Call, der das Betriebssystem zur Verfuegung stellt, wird
immer dann genutzt, wenn eine Verbindung zum Port eines Zielsystems
hergestellt werden soll. Befindet sich der Zielport im Status LISTENING, so
wird der connect()-Zugriff erfolgreich ausfallen. Der entscheidende Vorteil
dieser Methode ist, dass keine erweiterten Rechte zur Durchfuehrung
erforderlich sind. Jeder Benutzer der meisten UNIX-Systeme ist in der Lage
solcherlei Zugriffe durchzufuehren.
.Sp
Diese Scan-Technik ist einfach zu entdecken und wird mit groesster
Wahrscheinlichkeit in den Protokoll-Dateien des Zielsystems auftauchen. Dies
ist der standardmaessig aktivierte Scan-Typ fuer unprivilegierte Anwender.
.TP
.B -sF -sX -sN
Stealth FIN-, Xmas-Tree- oder Null-Scan-Modis: Es gibt Momente, wo SYN-Scans
nicht heimlich genug ausfallen. Einige Firewall-Systeme (z.B. Packet-Filter)
sind in der Lage verdaechtige SYN-Aktivitaeten zu erkennen; ebenso koennen
Programme wie Synlogger oder Courtney die SYN-Portscans als solche ausweisen.
Diese erweiterten Scan-Techniken koennen somit in manchen Faellen ungehindert
die gewuenschten Resultate liefern.
.Sp
Die Idee ist, dass geschlossene Ports auf solcherlei Zugriffe mit einem
RST-Datagramm antworten muessten, waehrend ansprechbare Ports die Anfragen
ignorieren sollten (siehe RFC 793, S. 64). Der FIN-Scan nutzt ein
TCP-Datagramm mit gesetzter FIN-Flagge, waehrend der Xmas-Tree-Scan die
TCP-Flaggen FIN, URG und PSH aktiviert. Der Null-Scan schaltet alle optionalen
Flags ab. Leider ignoriert einmal mehr Microsoft die gaengigen Standards und
reagiert auf die exotischen Scan-Techniken ganz unerwartet. Dies bedeutet,
dass diese Scanning-Methoden nicht gegen Windows 9x, ME, NT, 2000 und XP
funktionieren. Auf der anderen Seite ist dies natuerlich hervorragend, wenn es
um das Identifizieren der TCP/IP-Implementierung von Microsoft geht: Findet
einer dieser Scans einen offenen Port, so kann davon ausgegangen werden, dass
es sich beim Zielsystem nicht um ein Windows handelt - Im Gegenzug deuten
unrealistisch viele offene Ports auf eine Windows-Maschine hin. Es gilt sich
jedoch noch die Meinung einer klassischen Scan-Methode (z.B. SYN) einzuholen.
Es gibt noch einige andere Betriebssysteme, die sich aehnlich demjenigen von
Microsoft verhalten. Dies sind zum Beispiel Cisco, BSDI, HP/UX, MVS und IRIX.
All diese retournieren ein Reset, auch wenn es sich um einen ansprechbaren
Port handelt. Mittlerweile ist diese knifflige Unterscheidungs-Arbeit mittels
exotischer Scanning-Techniken eher weniger wichtig, da nmap eine erweiterte
Methode fuer das Erkennen des eingesetzten Betriebssystems mitbringt.
.TP
.B -sP
Ping-Scanning: Manchmal ist es lediglich gefragt, welche Hosts in einem
Netzwerk aktiv sind. nmap kann diese Frage beantworten, indem eine ICMP echo
request-Anfrage an jede IP-Adresse im spezifizierten Netzwerk geschickt wird.
Hosts, die mit einer ICMP echo reply antworten, koennen als aktiv ausgewiesen
werden. Viele gewissenhafte Firewall- und Systemadministratoren filtern bzw.
verwerfen unnoetigen ICMP-Verkehr. nmap greift sodann auf eine andere Technik
zurueck. Es wird ein TCP-Datagramm mit gesetzter ACK-Flagge an einen
potentiell offenen Port des Zielsystems geschickt (standardmaessig TCP-Port
80). Wird ein RST zurueckgeschickt, so ist das Zielsystem vorhanden und
ansprechbar. Eine dritte Technik greift auf ein SYN-Datagramm zurueck, das auf
ein RST oder SYN/ACK wartet. Alle non-root Benutzer fuehren einen
connect()-Zugriff durch.
.Sp
Standardmaessig (bei root-Benutzern) fuehrt nmap beides - ICMP- und
ACK-Technik - parallel durch. Dies kann durch das Heranziehen der spaeter noch
detaillierter beschriebenen Option
.B -P
geaendert werden.
.Sp
Wichtig ist zu wissen, dass der Ping-Zugriff standardmaessig stets erfolgt.
Abhaengig der Erreichbarkeit eines Systems wird ein solches dann gescannt.
Benutzen Sie diese Option lediglich dann, wenn es um das Durchfuehren eines
Ping-Suchlaufs (
.B ohne
Portscan) geht.
.TP
.B -sU
UDP-Scans: Diese Methode wird stets dann herangezogen, wenn es um das
Identifizieren der offenen UDP-Ports (siehe RFC 768) eines Systems geht. Diese
Technik basiert darauf, dass ein UDP-Datagramm mit 0 Byte an Nutzdaten an
jeden Port des Zielsystems geschickt wird. Erhalten wir eine ICMP port
unreachable-Nachricht, so ist der Zielport geschlossen. Andererseits handelt
es sich um einen offenen Port.
.Sp
Einige Leute denken, dass UDP-Scanning sinnlos ist. Ich moechte in diesem
Zusammenhang auf die Luecke in Solaris' rpcbind hinweisen. rpcbind kann an
einem undokumentierten UDP-Port ueber 32770 gefunden werden. Bei diesem
Angriff und der vorangehenden Auswertung ist es sodann zu einem hohen Grad
irrelevant, ob Port 111 durch eine Firewall blockiert wird oder nicht. Ebenso
existiert das populaere, von cDc entwickelte Backdoor namens Back Orifice, das
durch einen frei waehlbaren UDP-Port Windows-Maschinen kontrollieren laesst.
Und nicht zu vergessen die vielen potentiell verwundbaren Dienste, die auf UDP
zurueckgreifen: SNMP, TFTP, NFS, etc.
.Sp
Traurigerweise ist UDP-Scanning in den meisten Faellen schmerzhaft langsam,
seitdem viele Betriebssystem-Entwickler der Empfehlung von RFC 1812 (Absatz
4.3.2.8) nachgekommen sind, die Anzahl ausgehender ICMP-Fehlernachrichten zu
limitieren. Zum Beispiel definiert der Linux-Kernel (in net/ipv4/icmp.h) die
Anzahl ausgehender ICMP destination unreachable-Fehlermeldungen auf 80 fuer 4
Sekunden, mit einer 1/4 Sekunde Zusatz fuer jeden Uebertritt. Solaris weist
einiges striktere Limitierungen auf (2 Nachrichten pro Sekunde), weshalb ein
UDP-Portscan gegen ein Solaris-System sehr lange dauert.
.I nmap
ist in der Lage solcherlei Limitierungen zu erkennen und mit einem dynamischen
Verlangsamen der Geschwindigkeit zu reagieren. Dies verhindert das Verstopfen
des Netzwerks mit unnoetigen Paketen, die sowieso vom Zielsystem ignoriert
werden wuerden.
.Sp
Einmal mehr typisch, ignoriert Microsoft die Empfehlungen des RFCs, weshalb
eine Einschraenkung ausgehender ICMP-Fehlermeldungen gaenzlich bei der
TCP/IP-Implementierung auf Windows 9x und NT fehlt. Das scannen saemtlicher
UDP-Ports auf einer Windows-Maschine ist somit kein groesseres Problem.
.TP
.B -sO
IP protocol-Scans: Diese Methode kommt dann zum Tragen, wenn herausgefunden
werden will, welche IP-Protokolle vom Zielsystem unterstuetzt werden. Diese
Technik basiert darauf, dass fuer jedes IP-Protokoll ein RAW IP-Paket mit
fehlendem Protokoll-Header an das Zielsystem geschickt wird. Erhalten wir eine
ICMP protocol unreachable-Fehlermeldung, so koennen wir davon ausgehen, dass
das besagte Protokoll nicht unterstuetzt wird. Faellt das Resultat anders aus,
kann mit einer Protokoll-Unterstuetzung gerechnet werden. Es ist wichtig zu
bemerken, dass einige Betriebssysteme (z.B. AIX, HP-UX und Digital UNIX) und
Firewall-Loesungen auf das Versenden der ICMP protocol
unreachable-Fehlermeldungen gaenzlich verzichten. Das Resultat eines solchen
Verhaltens ist die durch nmap generierte Ausgabe, dass saemtliche Protokolle
"offen" sind.
.Sp
Aufgrund dessen, dass diese Scan-Methode in ihren Grundzuegen auf den
Prinzipien des UDP-Portscannings aufbaut, spielt die Rate der potentiell
generierten ICMP-Fehlermeldungen eine beachtliche Wichtigkeit. Da das
IP-Protokoll Feld nur 8 Bits hat, muessen lediglich 256 Protokolle gescannt
werden, was sich in einem angemessenen Zeitrahmen erledigen laesst.
.TP
.B -sI <Zombie-Host[:Zielport]>
Idlescan: Diese erweiterte Scan-Technik ermoeglicht ein blindes Scannen der
TCP-Port eines Ziels (dies bedeutet, dass keinerlei Pakete mit der richtigen
IP-Absenderadresse verschickt werden). Stattdessen wird eine einzigartige
Attacke angewandt, die die Berechenbarkeit der IP Fragmentation ID eines
Zombie-Hosts ausnutzt. Intrusion Detection-Systeme werden den Scan-Versuch
dem spezifizierte Zombie-System zuschreiben (welches ansprechbar sein und
bestimmte Kriterien erfuellen muss). Ich habe eine Publikation zu diesem
Thema verfasst, die sich unter http://www.insecure.org/nmap/idlescan.html
findet.
.Sp
Neben der vollkommenen Sicherheit, nicht direkt erkannt werden zu koennen,
ermoeglicht dieser Scan-Typ das Erkennen von IP-basierenden
Vertrauensbeziehungen zwischen Geraeten. Das Port-Listing zeigt die offenen
Ports
.I aus der Sicht des Zombie-Systems.
Es ist sodann Moeglich das effektive Zielsystem durch verschiedene Zombies
scannen zu lassen, die eine bestehende Vertrauensbeziehung haben (via Router-
oder Packetfilter-Regeln). Ganz offensichtlich ist dies eine gewichtige
Information, wenn es um das Priorisieren von Angriffszielen geht. Andererseits
muessten Penetration Tester zuerst muehsam ein System kompromittieren, bis
verlaesslich gesagt werden kann, ob ueberhaupt die erforderliche
Vertrauensbeziehung besteht.
.Sp
Durch einen Doppelpunkt laesst sich die Portnummer des Zombiesystems
definieren. Ohne diese Angabe waehlt nmap den Standardport, der auch bei
TCP-Pings Verwendung findet (TCP-Port 80).
.TP
.B -sA
ACK-Scan: Auf diese erweiterte Scan-Technik wird normalerweise immer dann
zurueckgegriffen, wenn es um das Identifizieren eines Firewall-Regelwerks
geht. Zusaetzlich kann diese Methode eine Determinierung des Vorhandenseins
einer Stateful Inspection, die eingehende SYN-Pakete blockt, ermoeglichen.
.Sp
Dieser Scan-Typ schickt ein ACK-Paket (mit zufaellig gewaehlten
Bestaetigungs-/Sequenznummern) an den spezifizierten Zielport. Kommt ein RST
zurueck, wird der besagte Port als "unfiltered" (dt. ungefiltert) eingestuft.
Erhalten wir keine Rueckantwort (oder kommt ein ICMP unreachable zurueck), so
weist nmap den Port als "filtered" (dt. gefiltert) aus. Wichtig ist, dass
.I nmap
normalerweise keine "unfiltered" ausgibt. So sind
.B keine
Ports in der Ausgabe ein Indiz dafuer, dass alle Zugriffe durchgekommen sind
(und ein RST verursacht haben). Dieser Scan wird die Ports nie in einem
"open" (dt. offenen) Status zeigen.
.TP
.B -sW
Window-Scan: Diese erweiterte Scan-Technik ist dem ACK-Scan sehr aehnlich.
Ausser, dass hiermit manchmal auch offene, ungefilterte und gefilterte Ports
durch eine Anomalie in der durch die Betriebssysteme gewaehlten TCP window
size entdeckt werden koennen. Systeme, die gegen diese Attacke verwundbar sind,
sind einige Versionen von AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX,
OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
OpenStep, QNX, Rhapsody, SunOS 4.x, Ultrix, VAX and VxWorks. Siehe das Archiv
der nmap-Hackers Mailingliste fuer eine vollstaendige Auflistung.
.TP
.B -sR
RPC-Scan: Diese Methode arbeitet in Kombination mit den meisten moeglichen
Scan-Typen von nmap zusammen. Jeder als offen identifizierte TCP- und UDP-Port
wird mit einer Vielzahl von SunRPC-Nullkommandos ueberflutet, um eine
Identifizierung von RPC-Ports vorzunehmen. Falls ein solcher gefunden wurde,
wird der Programmname und die Version ausgelesen, sofern diese Information zur
Verfuegung gestellt wird. Diese Vorgehensweise ist ebenso mit dem Heranziehen
von 'rpcinfo -p' moeglich; besonders dann, wenn des Zielsystems Portmapper
hinter einer restriktiven Firewall steht oder durch einen TCP-Wrapper
geschuetzt wird. Decoy-Scans arbeiten zur Zeit nicht mit RPC-Scans zusammen.
Irgendwann wird vielleicht Decoy-Scanning im Zusammenhang mit UDP-RPC-Scans
moeglich sein.
.TP
.B -sL
List-Scan: Diese simple Methode generiert eine Liste aller IP-Adressen und
Hostnamen, ohne die Zielsysteme direkt anzusprechen (Ping oder Portscan).
Eine Namensaufloesung ueber DNS findet stets statt, sofern dies nicht durch
das Heranziehen von -n unterbunden wird.
.TP
.B -b <FTP-Relay Host>
FTP-Bounce Attacke: Ein interessantes "Feature" des File Transport Protocols
(RFC 959) ist die Unterstuetzung von "Proxy"-FTP-Verbindungen. Mit anderen
Worten ist es moeglich, sich von boese.com auf ziel.com zu verbinden und
eine Datei ueberall hin zu schicken. Nun, dies hat wohl ausgezeichnet
funktioniert, als 1985 das besagte RFC geschrieben wurde. In der heutigen
Zeit ist es nicht mehr ohne weiteres Moeglich, sich auf fremde FTP-Server zu
verbinden und nach Belieben Dateien zu versenden. *Hobbit* schrieb 1995
folgendes zu dieser Schwachstelle: "[This protocol flaw] can be used to post
virtually untraceable mail and news, hammer on servers at various sites, fill
up disks, try to hop firewalls, and generally be annoying and hard to track
down at the same time." Bei dieser Scanning-Methode wird ein als Proxy
fungierender FTP-Server genutzt, um die offenen Ports eines Zielsystems
ausfindig zu machen. Beispielsweise kann dadurch zu einem hinter einer
Firewall positionierten FTP-Server verbunden werden, um danach interne, durch
das Firewall-Element gegen externe Zugriffe geschuetzte Ports (z.B. die
NetBIOS-Ports) anzusprechen. Falls auf dem FTP-Server ein Verzeichnis
existiert, bei dem sowohl Lese- als auch Schreibrechte vorhanden sind (z.B.
/incoming), kann eine semi-manuelle Uebergabe von Daten an die Zielports
durchgefuehrt werden (nmap nimmt einem diese Arbeit nicht ab).
.Sp
Das mit der Option '-b' uebergebene Argument, spezifiziert den als Proxy
gewollten Host, wobei die standard URL-Notation gilt. Das Format lautet
.I Benutzername:Passwort@Server:Port.
Alles, ausser
.I Server
ist optional. Wie eine Determinierung der gegen diese Zugriffsform verwundbare
Server vorgenommen werden kann, kann in meinem Artikel in
.I Phrack
51 nachgelesen werden. Eine aktualisierte Version ist auf der
.I nmap
Webseite (http://www.insecure.org/nmap) verfuegbar.
.TP
.B GENERELLE OPTIONEN
Keine der folgenden Optionen ist erforderlich. Einige von ihnen koennen jedoch
nuetzlich sein.
.TP
.B -P0
Verhindert das Pingen eines Hosts, bevor er gescannt wird. Dies ermoeglicht
das Scannen von Netzwerken, die keine ICMP echo requests (oder responses)
aufgrund einer restriktiv konfigurierten Firewall zulassen. microsoft.com ist
ein Beispiel fuer ein solches Netzwerk, in dem diese Funktion stets genutzt
werden sollte. Gebrauchen Sie
.B -P0
oder
.B -PT80
wenn ein Portscan gegen microsoft.com durchgefuehrt werden soll.
.TP
.B -PT
Benutzt einen TCP-Ping, um die Erreichbarkeit eines Hosts zu verifizieren.
Anstatt ICMP echo request-Abfragen zu verschicken und auf die entsprechenden
ICMP echo reply-Rueckantworten zu warten, wird auf ein TCP-Datagramm mit
gesetzter ACK-Flagge gesetzt. Ansprechbare Systeme sollten mit einem RST
antworten. Diese Funktion ist immer dann anzuwenden, wenn Systeme oder
Netzwerke gescannt werden sollen, die keine Erreichbarkeitsueberpruefung
mittels ICMP zulassen und trotzdem zuerst die Erreichbarkeit identifiziert
werden soll. Bei non-root Benutzern wird connect() angewandt. Um den Zielport
des Zugriffs zu spezifizieren, kann -PT<Portnummer> herangezogen werden. Der
Standardport ist einmal mehr TCP/80 (HTTP), da dieser eher selten durch einen
Filter gedeckt wird.
.TP
.B -PS
Diese Option benutzt fuer root-Benutzer SYN (Verbindungsanforderungen) anstatt
ACK-Pakete. Ansprechbare Hosts sollten mit einem RST (oder in seltenen Faellen
mit einem SYN/ACK) antworten. Das Setzen des Zielports kann auf die selbe Art
wie beim zuvor erlaeuterten -PT umgesetzt werden.
.TP
.B -PI
Diese Option nutzt einen klassischen Ping (ICMP echo request), um die
Erreichbarkeit von Systemen und Broadcast-Adressen von Subnetzen zu
identifizieren. Letztere sind extern erreichbare IP-Adressen, die eine
Umwandlung zu einem internen Broadcast des Subnetzes durchfuehren. Solcherlei
sollten verhindert werden, denn sie sind Voraussetzung fuer eine Reihe von
Denial of Service-Attacken (Smurf ist die bekannteste Variante).
.TP
.B -PP
Benutzt eine ICMP timestamp-Anfrage (Typ 13, Code 0), um ansprechbare Hosts zu
finden.
.TP
.B -PM
Das Gleiche wie
.B -PI
und
.B -PP
, ausser, dass eine ICMP address mask request (Typ 17, Code 0) zum Tragen kommt.
.TP
.B -PB
Dies ist der standardmaessig gewaehlte Ping-Typus. Er benutzt beide Techniken,
ACK (
.B -PT
) und ICMP echo requests (
.B -PI
), die jeweils parallel durchgefuehrt werden. Auf diese Weise koennen
Firewall-Elemente ausgetrickst werden, die eine der beiden Protokolle (nicht
beide) filtern. Der Zielport fuer den TCP-Zugriff kann auf die gleiche Weise
gesetzt werden, wie im zuvor erklaerten -PT.
.TP
.B -O
Diese Option aktiviert das Identifizieren des am Zielsystem eingesetzten
Betriebssystems anhand des TCP/IP-Fingerabdrucks (engl. TCP/IP fingerprint).
Es wird eine Anzahl spezifischer Tests umgesetzt, die das typische Verhalten
der jeweiligen TCP/IP-Implementierungen erkennen koennen sollen. Die
gegebenen Informationen stellen quasi einen 'Fingerabdruck' dar, der mit der
Datenbank der bekannten Betriebssystem-Fingerabdrucke (die
nmap-os-fingerprints Datei) verglichen wird.
.Sp
Falls nmap nicht in der Lage ist, eine mehr oder weniger eindeutige
Identifikation des am Zielsystem eingesetzten Betriebssystems vorzunehmen und
die gegebenen Bedingungen gut sind (mindestens ein ansprechbarer Port), gibt
nmap eine URL aus, bei der neu gefundene Fingerprints eingesendet werden
koennen. Dies setzt natuerlich voraus, dass Sie sich eindeutig im Klaren
darueber sind, um was fuer ein Betriebssystem es sich handelt. Durch diesen
Schritt koennen Sie aktiv an der Erweiterung der Datenbank mithelfen, wodurch
sie attraktiver fuer saemtliche Benutzer wird. Falls Sie beim Einsenden des
neuen Fingerabdrucks die IP-Adresse des Zielsystems mitangeben, muessen Sie
damit rechnen, dass es von uns zu Ueberpruefungszwecken gescannt wird.
.Sp
Die Option -O aktiviert ebenso einige weitere Tests. Einer dieser ist das
Messen der "Uptime". Hierzu wird das Timestamp-Feature von TCP genutzt (RFC
1323), um erkennen zu koennen, wann das Zielsystem das letzte mal neu
gestartet wurde. Diese Funktionalitaet wird natuerlich nur dann genutzt werden
koennen, wenn das Zielsystem diese Information auch entsprechend bereitstellt.
.Sp
Ein anderer Check, der durch die Option -O aktiviert wird, ist die
Klassifizierung der Berechenbarkeit der TCP-Sequenznummer des Zielsystems.
Das Ergebnis dieses Tests sagt aus, wie schwer es ist, eine bestehende
Verbindung des Zielsystems zu uebernehmen. Dies ist dann nuetzlich, wenn
auf IP-Adressen basierende Vertrauensbeziehungen (z.B. rlogin und
Firewall-Filter) missbraucht oder die Quelle eines Angriffs versteckt werden
sollen. Die mitgelieferte Difficulty-Number ist statistisch berechnet und kann
jeweils leicht abweichen. Zusaetzlich wird in knappen Worten (z.B. "worthy
challenge" or "trivial joke") der Zustand beschrieben. All dies wird nur dann
ausgegeben, wenn der Parameter -v mitangegeben wurde.
.Sp
Wenn die Option -O zusammen mit dem Verbose-Modus (-v) genutzt wird, wird
ebenso die Sequenz-Generierung der IPID ausgewiesen. Die meisten Geraete
werden als "incremental" klassifiziert, was bedeutet, dass sie fuer jedes
verschickte Paket eine Inkrementierung des ID-Felds im IP-Header vornehmen.
Ein solches Verhalten macht sie verwundbar gegen eine Reihe verschiedener
Auswertungs- und Spoofing-Attacken.
.TP
.B -6
Diese Option aktiviert die IPv6-Unterstuetzung. Saemtliche Ziele muessen mit
IPv6 zurecht kommen, sofern diese Option genutzt werden soll. Das
Spezifizieren der Ziele kann ganz normal ueber den DNS-Namen (AAAA record)
oder IPv6-Adresse (z.B. 3ffe:501:4819:2000:210:f3ff:fe03:4d0) geschehen.
Momentan sind TCP connect()- und Ping-Scans von nmap unterstuetzt. Falls UDP-
oder andere Scan-Typen genutzt werden sollen, lohnt sich ein Blick auf
http://nmap6.sourceforge.net/ .
.TP
.B -I
Hiermit wird das TCP reverse ident-Scanning aktiviert. Wie Dave Goldsmith in
einem Bugtraq-Posting aus dem Jahre 1996 publiziert hat, ermoeglicht das
ident-Protokoll (RFC 1413) das Identifizieren des Besitzers eines
TCP-Dienstes. So kann zum Beispiel eine Verbindung zum HTTP-Port des
Zielsystems hergestellt werden, um danach mittels ident herauszufinden, ob
der Webserver als root laeuft. Dies kann nur mit der Hilfe eines full-connect
TCP-Portscans (-sT) geschehen. Wenn
.B -I
aktiviert wird, wird der identd des Zielsystems fuer jeden als offen
identifizierten Port abgefragt. Logischerweise funktioniert diese ganze
Prozedur nicht, wenn das Zielsystem keinen identd aktiv hat.
.TP
.B -f
Diese Option erreicht, dass der durchgefuehrte SYN-, FIN-, Xmas- oder
Null-Scan mit fragmentierten IP-Paketen arbeitet. Die Idee ist, dass der
TCP-Header ueber mehrere Pakete verteilt werden soll, wodurch eine
Inspizierung durch Firewall- oder Intrusion Detection-Systeme erschwert wird.
Bei dieser Funktion ist Vorsicht geboten, denn viele der verbreiteten
Netzwerkanwendungen kommen mit derlei Datenverkehr nicht klar. Beispielsweise
erhielt ich bei meinem liebsten Sniffer ein segemtation fault, nachdem das
erste 36-byte Fragment eingelesen wurde. Danach kam gar ein 24-byte Paket!
Waehrend diese Methode keinen Erfolg bei Elementen verspricht, die eine
Warteschlange fuer IP-Fragmente haben (wie dies mittels der Option
CONFIG_IP_ALWAYS_DEFRAG unter Linux normalerweise der Fall ist), koennen
andere Umgebungen den enormen Aufwand fuer eine solche Analyse nicht tragen,
verzichten darauf und koennen deshalb ausgetrickst werden.
.Sp
Es bleibt zu bemerken, dass diese Option nicht auf allen Betriebssystemen
einwandfrei genutzt werden kann. Es arbeitet ohne Zwischenfaelle auf meinem
Linux, FreeBSD und OpenBSD; einige Leute berichten gar, dass es auch auf
anderen *NIX funktioniert.
.TP
.B -v
Verbose-Modus: Diese, eine sehr zu empfehlende Option, ermoeglicht eine
erweiterte Ausgabe von Informationen. Eine doppelte Nutzung ergibt einen
doppelt so grossen Effekt. Ebenso kann
.B -d
einige Male aktiviert werden, falls Sie wirklich vor einem ueberlasteten
Bildschirm verrueckt werden wollen!
.TP
.B -h
Diese handliche Funktion zeigt eine Kurzreferenz der nmap-Parameter. Wie Sie
vielleicht gemerkt haben, handelt es sich bei dieser man-Page nicht unbedingt
um eine 'handliche Kurzreferenz' :)
.TP
.B -oN <Protokoll-Dateiname>
Dies protokolliert die Resultate des Scans in einem normalen, fuer
.B Menschen lesbaren
Format in eine durch ein Argument spezifizierte Datei.
.TP
.B -oX <Protokoll-Dateiname>
Dies protokolliert die Resultate des Scans als
.B XML
in die durch ein Argument spezifizierte Datei. Dadurch koennen andere
Programme unkompliziert die durch nmap generierten Informationen auswerten und
verarbeiten. Durch das Argument '-' (ohne Anfuehrungszeichen) kann die
Ausgabe auf stdout (fuer Pipeline-Verarbeitung, etc.) umgeleitet werden. In
diesem Fall wird die normale Bildschirmausgabe unterdrueckt. Achtung vor
Fehlermeldungen (diese werden nach wie vor nach stderr geschickt). Ebenso ist
wichtig, dass '-v' in den meisten Faellen einige zusaetzliche Informationen
gewaehrleisten koennen wird. Die Dokumententypendefinition (engl. Document
Type Definition, abk. DTD), die fuer die XML-Ausgabe genutzt wird, steht unter
http://www.insecure.org/nmap/data/nmap.dtd bereit.
.TP
.B -oG <Protokoll-Dateiname>
Dies protokolliert die Resultate des Scans in eine
.B grepbare
Form in eine durch ein Argument spezifizierte Datei. Dadurch wird ein simples
Format angestrebt, welches alle Informationen auf einer Zeile ausgibt, weshalb
ganz einfach ein grep fuer Ports, OS-Informationen oder IP-Adressen umgesetzt
werden kann. Dieses einfache Format stellt meistens nicht so viele
Informationen bereit, wie dies bei anderen Ausgabevarianten der Fall ist.
Diese Form war die urspruenglich, fuer die Verarbeitung durch externe Programme
vorgehesene Dokumentierungs-Ausgabe. Mittlerweile ist jedoch XML empfohlen
(-oX). Einmal mehr kann die Angabe von '-' (ohne Anfuehrungszeichen) eine
Ausgabe auf stdout erzwingen (fuer Pipeline-Verarbeitung, etc.). Auch hier
wird die normale Ausgabe unterdrueckt. Ebenso werden Fehlermeldungen wie
ueblich auf stderr ausgegeben. Und '-v' wird in den meisten Faellen einige
zusaetzliche Informationen gewaehrleisten koennen.
.TP
.B -oA <Basisdateiname>
Dies veranlasst nmap in der Form ALLER wichtigen Formate (normal, grepbar und
XML) zu protokollieren. Sie geben den Dateinamen an, wobei nmap die
Erweiterungen in Form von basis.nmap, basis.gnmap und basis.xml automatisch
anfuegen wird.
.TP
.B -oS <Protokoll-Dateiname>
Dies protokolliert die Resultate der Scans in einem fuer
.B s|<ripT kiDd|3
lesbaren Format in eine durch ein Argument spezifizierte Datei. Durch die
Angabe des Arguments '-' (ohne Anfuehrungszeichen) kann die Ausgabe auf
stdout umgeleitet werden.
.TP
.B --resume <Protokoll-Dateiname>
Ein Netzwerk-Scan, der durch das Druecken von Control-C unterbrochen wurde,
kann durch diese Option reaktiviert werden. Der Protokoll-Dateiname muss
entweder eine normale (-oN) oder durch Maschinen verarbeitbare (-oM)
Scan-Protokoll-Datei sein. Die Angabe abweichender oder zusaetzlicher Optionen
ist nicht moeglich - Sie werden vom abgebrochenen Scan uebernommen. nmap wird
mit der zuletzt in der Protokoll-Datei erfolgreich gescannt vermerkten
Maschine starten.
.TP
.B --append_output
Weist nmap an, die Scan-Resultate an die spezifizierten Protokoll-Datei
anzuhaengen, anstatt die besagten Dateien zu ueberschreiben.
.TP
.B -iL <Eingabe-Dateiname>
Liest die Ziel-Spezifizierung ZUERST von der angegebenen Datei ein, und erst
danach von der Kommandozeileneingabe. Die Datei sollte eine Liste von Hosts
oder Netzwerken enthalten, die jeweils durch ein Leer-, Tabulator- oder
Neuezeile-Zeichen getrennt sind. Benutzen Sie einen Bindestrich (-) als
.I Eingabe-Dateiname
, falls Sie wollen, dass nmap die Zielspezifizierungen von stdin liest (wie
im Zusammenhang mit einer Pipe). Siehe den Absatz
.I Ziel-Definition
fuer zusaetzliche Informationen zu der gueltigen Ausdrucksweise.
.TP
.B -iR
Diese Option weist nmap an, zufaellig generierte Hosts zu scannen :). Dies hat
kein Ende. Eine solche Funktion ist zum Beispiel fuer eine statistische
Auswertung innerhalb des Internets nuetzlich. Falls Sie einmal wirklich sehr
gelangweilt sein sollten, so versuchen Sie
.I nmap -sS -iR -p 80
um Webserver-Systeme zu finden.
.TP
.B -p <Port-Bereich>
Diese Option spezifiziert, welche Ports gescannt werden sollen. Zum Beispiel
wird '-p 23' lediglich einen Zugriff auf den Port 23 (Telnet) der Zielsysteme
durchfuehren. '-p 20-30,139,60000-' scannt die Ports zwischen 20 und 30,
Port 139 und alle Ports groesser als 60000. Standardmaessig werden saemtliche
well-known Ports zwischen 1 und 1024 sowie alle in der services-Datei von nmap
gelisteten Dienste gescannt. Fuer einen IP-Protokoll-Scan (-sO) kann mit
dieser Option die zu scannende Protokoll-Nummer (0-255) angegeben werden.
.Sp
Werden gleichzeitig TCP- und UDP-Ports gescannt, so kann das jeweilige
Protokoll durch ein vorangestelltes "T:" oder "U:" angewaehlt werden. Die
mitgegebenen Ports gelten so lange fuer das spezifizierte
Uebertragungsprotokoll, bis ein anderes angegeben wird. Zum Beispiel werden
mit dem Argument "-p U:53,111,137,T:21-25,80,139,8080" die UDP-Ports 53, 111
und 137 sowie die TCP-Ports 21 bis 25, 80, 139 und 8080 gescannt. Wichtig ist,
dass bei einem gleichzeitigen TCP- und UDP-Scan neben der Angabe von -sU
mindestens eine TCP-Scan-Variante mitangegeben werden muss (zum Beispiel -sS,
-sF oder -sT). Wird bei der Wahl der Zielports auf das spezifizieren eines
Protokolls verzichtet, bezieht sich die Option auf saemtliche
Uebertragungsprotokolle.
.TP
.B -F
Schneller Scan-Modus (engl. Fast scan mode): Dies gibt an, dass Sie lediglich
die in der services-Datei von nmap gelisteten Dienste scannen wollen (oder bei
-sO die Protokolle der protocols-Datei). Selbstverstaendlich ist dies viel
schneller, als saemtliche 65535 Ports eines Hosts zu ueberpruefen.
.TP
.B -D <Decoy1 [,Decoy2][,ME],...>
Veranlasst einen sogenannten Decoy-Scan (dt. Lockvolgel). Bei diesem sieht es
so aus, als wuerde eine Reihe zusaetzlicher Hosts die Zielumgebung scannen.
Ein Intrusion Detection-System wird zwischen 5 und 10 Portscans verschiedener
IP-Adressen protokollieren, wobei ohne weiteres nicht genau festgestellt
werden kann, welches System den Scan wirklich durchfuehrt. Waehrend diese
Methode durch Router Path Traceing, Response-Dropping und andere "aktive"
Mechanismen niedergeschlagen werden kann, ist es doch eine extrem effektive
Technik, um die eigene IP-Adresse zu verstecken.
.Sp
Die jeweiligen Lockvoegel koennen durch ein Komma getrennt werden. Optional
kann durch die Angabe von 'ME' (dt. mich) die eigene Position in der
Zugriffsreihenfolge gewaehlt werden. Falls 'ME' in die sechste oder noch eine
spaetere Position gesetzt wird, sind einige Portscan-Detektoren (z.B. Solar
Designers scanlogd) nicht in der Lage, die richtige IP-Adresse anzuzeigen.
Falls Sie 'ME' nicht mitangeben, wird nmap eine zufaellige Position bestimmen.
.Sp
Achtung, die als Decoys angegebenen Hosts sollten vom Zielsystem erreichbar
sein. Andernfalls ist es durchaus moeglich, dass dieses durch einen SYN-Flood
in die Knie gezwungen wird. Zudem ist es relativ einfach zu erkennen, welches
System den Scan durchfuehrt, wenn nur dieses eine System wirklich im Netzwerk
aktiv ist. Es lohnt sich IP-Adressen anstatt Hostnamen bei der Spezifizierung
der Lockvogel-Systeme anzugeben (so ist keine Namensaufloesung noetig und die
Protokoll-Eintraege in den Nameservern bleibt aus).
.Sp
Ebenso weisen einige (dumme) "Portscan-Detektoren" Firewalling-Funktionalitaet
auf, und sie unterbinden die Verbindungsmoeglichkeit jeglichen Systems, das
einen Portscan durchfuehrt. So kann es durchaus sein, dass die
Verbindungsmoeglichkeit des Zielsystems zu den Lockvoegeln verhindert wird.
Dies ist dann problematisch, wenn es sich um ein wichtiges System, wie zum
Beispiel das Standard-Gateway, handelt. Also, es gilt vorsichtig im Umgang
mit dieser Option zu sein. Die Moral dieser Geschichte ist, dass
Portscan-Detektoren mit automatisierter Strike-Back Funktionalitaet keine gute
Idee sind - Hinter jedem Portscan koennte sich ein Lockvogel verbergen!
.Sp
Die Lockvoegel werden im initialen Ping-Scan (ICMP, SYN oder ACK) und waehrend
der eigentlichen Portscan-Phase verwendet. Ebenso finden sie beim Durchfuehren
einer Betriebssystem-Erkennung (
.B -O
) Verwendung.
.Sp
Es bleibt zu sagen, dass zu viele Lockvoegel einen Scan verlangsamen und
ineffizienter machen koennen. Ebenso filtern einige ISPs gespoofte Pakete
heraus, obwohl dies zur Zeit die wenigsten machen.
.TP
.B -S <IP-Adresse>
Unter bestimmten Umstaenden ist
.I nmap
nicht in der Lage, Ihre Quell-IP-Adresse zu identifizieren (
.I nmap
wird Ihnen dies mitteilen). In einer solchen Situation kann mit der Hilfe der
Option -S die IP-Adresse (der gewuenschten Schnittstelle) festgelegt werden.
.Sp
Eine andere Moeglichkeit dieser Option ist die Quelle des Scans zu spoofen, so
dass das Zielsystem glaubt, dass
.B jemand anderes
die Zugriffe durchfuehrt. Stellen Sie sich vor, dass eine Firma ploetzlich von
ihrem Konkurrenten einen Scan verzeichnet! Dies ist nicht der Hauptnutzen
dieser Option. Ich denke lediglich, dass diese Theorie einen guten Grund
bereitstellt, nicht sofort jeden als Scanner zu beschimpfen, nur weil es
scheint, dass von ihm ein Scan gestartet wurde.
.TP
.B -e <Schnittstelle>
Weist nmap an, ueber welche Schnittstelle die Daten verschickt und empfangen
werden sollen. nmap sollte in der Lage sein diesen Umstand von sich aus zu
erkennen. Falls dem nicht so ist, kann diese Option herangezogen werden.
.TP
.B -g <Portnummer>
Definiert den Quellport fuer die Scans. Einige naive
Firewall-Implementierungen machen bei DNS (53) und FTP-DATA (20) eine Ausnahme
und lassen solcherlei Verbindung entgegen der Bestimmungen im Regelwerk zu.
Obschon dieser Umstand ganz einfach durch Angreifer ausgenutzt werden kann, um
sich als FTP- oder DNS-System maskierend einen Vorteil zu verschaffen. Fuer
einen UDP-Scan sollte 53 als erstes ausprobiert werden. Bei einem TCP-Scan
bieten sich 20 und 53 an. Achtung, es handelt sich bei dieser Option lediglich
um eine Anfrage, die nicht zwingend in jeder Situation von nmap umgesetzt
werden will und kann. Zum Beispiel ist eine ISN-Analyse nicht von System:Port
zu System:Port moeglich, so dass nmap eine dynamische Portzuweisung
durchfuehrt, auch wenn anderes durch -g angegeben wurde.
.Sp
Seien Sie gewarnt, dass diese Option bei einigen Scan-Varianten
Performance-Einbussen mit sich bringt.
.TP
.B --data_length <Anzahl>
Normalerweise verschickt nmap moeglichst kleine Pakete, die lediglich aus dem
Header bestehen. So weisen TCP-Datagramme im Normalfall eine Laenge von 40 und
ICMP echo request-Anfragen 28 Bytes auf. Diese Option weist nmap an, die
verschickten Pakete um Null-Bytes zu verlaengern. Pakete zur Erkennung des
Betriebssystens (-O) sind nicht betroffen. Ganz im Gegensatz zu
Ping-Zugriffen und Portscan-Paketen. Dies verlangsamt natuerlich die Zugriffe
unter Umstaenden - Aber ebenso kann es die Unauffaelligkeit des Scans
erhoehen.
.TP
.B -n
Sagt nmap, dass
.B NIE
reverse DNS-Aufloesungen von als aktiv identifizierten IP-Adressen
durchgefuehrt werden sollen. Da DNS oft langsam ist, kann diese Option die
Zugriffe beschleunigen.
.TP
.B -R
Sagt nmap, dass
.B IMMER
reverse DNS-Aufloesungen von als Ziel spezifizierten IP-Adressen durchgefuehrt
werden sollen. Dies wird im Normalfall nur immer dann durchgefuehrt, wenn ein
Zielsystem als aktiv identifiziert werden konnte.
.TP
.B -r
Sagt nmap, dass
.B KEINE
zufaellige Wahl beim Scannen der Ports gewuenscht ist.
.TP
.B --ttl <time to live>
Setzt den "Time to live" Wert im IPv4 Header.
.TP
.B --randomize_hosts (dt. zufaellige Reihenfolge der Hosts)
Sagt nmap, dass bei einer Gruppe von bis zu 2048 Zielen eine zufaellige
Reihenfolge gewaehlt werden soll, bevor sie gescannt werden. Dies kann den
Scanvorgang fuer viele Netzwerk-Monitoring-Systeme schwieriger zu entdecken
machen; ganz besonders dann, wenn langsame Timing-Optionen angewandt werden
(siehe unten).
.TP
.B -M <Maximale Sockets>
Setzt die maximale Anzahl der Sockets bei einem parallel durchgefuehrten TCP
connect()-Scan fest. Dies ist zum Beispiel in Situationen nuetzlich, wenn der
Scanvorgang kuenstlich verlangsamt werden soll, damit das Zielsystem nicht
unter der Last der Zugriffe zusammenbricht. Eine andere Herangehensweise ist
durch -sS gegeben, die durch die Geraete oft einfacher zu handhaben ist.
.TP
.B TIMING-OPTIONEN
Normalerweise macht nmap hervorragende Arbeit, um waehrend eines Scans das
Maximum an Performance herauszuholen, ohne Fehlermeldungen zu Hosts oder Ports
zu provozieren. Trotzdem kann es Situationen geben, in denen das Timing von
nmap nicht dem von Ihnen gewuenschten entspricht. Die folgenden Optionen
ermoeglichen eine feine Skalierbarkeit der Kontrolle bezueglich des
Scan-Timings:
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Diese vordefinierten Timing-Richtlinien erlauben Ihnen nmap Ihre Prioritaeten
mitzuteilen. Der
.B Paranoid
-Modus scannt
.B sehr
langsam, in der Hoffnung, nicht von Intrusion Detection-Systemen entdeckt zu
werden. Die Scans werden in Serie geschaltet (kein paralleles Scanning) und im
Normalfall wird bis zu 5 Minuten zwischen dem Versand der Pakete gewartet.
.B Sneaky
(dt. schleichend) ist aehnlich, ausser, dass lediglich 15 Sekunden zwischen
dem Paket-Versand gewartet wird.
.B Polite
(dt. hoeflich) wird dann relevant, wenn die Netzwerkbelastung niedrig gehalten
werden will. Zum Beispiel, um Abstuerze von Systemen zu vermeiden. Die
Zugriffe werden wiederum in Serie geschaltet und zwischen den Zugriffen wird
.B mindestens
0.4 Sekunden gewartet.
.B Normal
spiegelt das normale Verhalten von nmap wieder, was einen Kompromiss zwischen
maximaler Geschwindigkeit bei absoluter Zuverlaessigkeit darstellt.
.B Aggressive
(dt. aggressiv) fuegt eine Wartezeit von 5 Minuten zwischen den einzelnen
Hosts hinzu. Es wird jedoch nie laenger als 1.25 Sekunden auf Antworten
gewartet.
.B Insane
(dt. geisteskrank) ist lediglich in sehr schnellen Netzwerken moeglich. Oder
ueberall dort, wo auf die Zuverlaessigkeit des Resultat nicht sonderlich viel
gegeben wird. Zwischen den einzelnen Systemen wird 75 und zwischen den
Zugriffen 0.3 Sekunden gewartet. Dies lohnt sich zum Beispiel fuer einen
schnellen Netzwerk-Suchlauf :). Die einzelnen Modi koennen ebenso durch eine
Nummer (0-5) referenziert werden. Zum Beispiel gibt '-T 0' den
Paranoid-Modus an und '-T 5' steht fuer Insane.
.Sp
Diese spezifischen Timing-Modi sollten NICHT zusammen mit den nun folgend
vorgestellten Timing-Optionen verwendet werden.
.TP
.B --host_timeout <Millisekunden>
Spezifiziert den Zeitraum, der nmap gegeben wird, um ein einzelnes System zu
scannen, bevor sich einer neuen IP-Adresse gewidmet wird. Der Standardwert hat
kein Timeout fuer Hosts.
.TP
.B --max_rtt_timeout <Millisekunden>
Spezifiziert den Zeitraum, der nmap gegeben wird, um eine Antwort zu warten,
bevor eine Uebertragunswiederholung eingeleitet wird oder das Timeout in Kraft
tritt. Der Standardwert ist auf 9000 gesetzt.
.TP
.B --min_rtt_timeout <Millisekunden>
Antwortet ein Host sehr schnell auf unsere Anfragen, wird nmap das Zeitlimit
fuer zukuenftige Zugriffe auf das besagte Zielsystem verkleinern. Dies bringt
einen Geschwindigkeitsvorteil mit sich, wobei jedoch auch Pakete verloren
gehen koennen, falls ploetzlich ein Antworten in der vorhergesehenen
Zeitspanne nicht mehr moeglich sein sollte. Mit dieser Option kann nmap
angewiesen werden, dass immer mindestens ein bestimmter Zeitwert gewartet
werden soll, bevor der Vorgang abgebrochen wird.
.TP
.B --initial_rtt_timeout <Millisekunden>
Spezifiziert das Timetout fuer den initialen Zugriff. Dies ist normalerweise
nur dann sinnvoll, wenn durch Firewall-Systeme geschuetzte Hosts mit der
Option -P0 gescannt werden sollen. Normalerweise ist nmap in der Lage den
RTT-Wert anhand des Ping-Zugriffs und der ersten Auswertungen optimal
festzulegen. Der Standardwert lautet 6000.
.TP
.B --max_parallelism <Anzahl>
Spezifiziert die maximale Anzahl parallel von nmap durchfuehrbaren Zugriffe.
Das Setzen dieser Option heisst fuer nmap, dass nie mehr als 1 Port auf einmal
gescannt werden soll. Ebenso sind andere Scan-Typen betroffen, die
normalerweise parallel durchgefuehrt werden koennen (z.B. Ping-Suchlauf,
RPC-Scan, etc.).
.TP
.B --min_parallelism <Anzahl>
Weist nmap an, beim Scan eine gewisse Anzahl von Ports parallel zu scannen.
Dies kann unter Umstaenden den Auswertungs-Vorgang von Firewall-Systemen
beschleunigen. Aber seien Sie vorsichtig: Die Resultate werden umso
unzuverlaessiger, desto hoeher die Anzahl paralleler Zugriffe gesetzt wird.
.TP
.B --scan_delay <Millisekunden>
Spezifiziert das
.B Minimum
der Zeit, die nmap zwischen den jeweiligen Zugriffen warten muss. Dies ist
sehr nuetzlich, um das Datenaufkommen in Netzwerken zu reduzieren oder durch
den langsameren Scanvorgang vor IDS-Tresholds verborgen zu bleiben.
.TP
.B --packet_trace
Sagt nmap, dass saemtliche verschickten und empfangenen Pakete in einem
tcpdump-aehnlichen Format dargestellt werden sollen. Dies ist ganz besonders
fuer Debugging nuetzlich. Ausserdem kann so viel ueber die Funktionsweise
gelernt werden.
.SH ZIEL-SPEZIFIKATION
Alles, das nmap nicht als Option mitgegeben wird (oder ein Argument einer
Option darstellt) wird als Ziel-Spezifikation angesehen. Die einfachste Form
dessen, ist das Auflisten von einzelnen Hostnamen oder IP-Adressen in der
Kommandozeile. Falls Sie ein Subnetz scannen wollen, so koennen Sie
.B '/Maske'
am Hostnamen oder der IP-Adresse anfuegen. Die
.B Maske
muss einen Wert zwischen 0 (das ganze Internet scannen) und 32 (den einzelnen
Host scannen) aufweisen. Benutzen Sie /24 fuer das Scannen eines Klasse
C-Netzwerks und /16 fuer ein Klasse B-Netzwerk.
.Sp
nmap greift zudem auf eine sehr maechtige Notation zurueck, die eine sehr
komfortable Spezifikation von IP-Adressbereichen zulaesst. So kann das Klasse
B-Netzwerk 192.168.*.* mit der Angabe von '192.168.*.*'
oder '192.168.0-255.0-255' oder '192.168.1-50,51-255.1,2,3,4,5-255' gescannt
werden. Und selbstverstaendlich ist auch die verbreitete Netzmasken-Notation
zulaessig: '192.168.0.0/16'. All diese Eingaben fuehren zum gleichen Ziel.
Falls Sie das Asteriks-Zeichen (dt. Stern, '*') benutzen wollen, denken Sie
daran, dass einige Shells das Escapen mittels Backslashes oder das
Auskommentieren mittels Gaensefuesschen verlangen.
.Sp
Eine andere Moeglichkeit ist genau durch das umgekehrte Herangehen gegeben.
Anstatt ein ganzes Klasse B-Netzwerk zu scannen, kann mit der Angabe
von '*.*.5.6-7' jede IP-Adresse gescannt werden, die auf .5.6 oder .5.7 endet.
Fuer zusaetzliche Informationen, konsultieren Sie den Abschnitt
.I Beispiele
.SH BEISPIELE
Hier folgen nun einige Beispiele fuer das Nutzen von nmap. Diese reichen von
einfachen ueber normale bis hin zu komplexen Ansaetzen. Es werden existente
IP-Adressen und Domainnamen verwendet, um die Beispiele konkreter zu
gestalten. Anstatt ihrer Stelle sollten Sie Adressen und Namen
.B Ihres eigenen Netzwerks
benutzen. Ich bin der Meinung, dass Portscanning fremder Netzwerke nicht
illegal ist; ebenso sollten Portscans nicht als Angriffe gewertet werden. Ich
habe tausende Maschinen gescannt und bisher erst eine Rueckmeldung erfahren.
Jedoch bin ich kein Anwalt und einige (langweilige) Leute koennten durch
mittels
.I nmap
generierter Zugriffe nervoes werden. Holen Sie sich zuerst eine Erlaubnis fuer
Ihre Aktivitaeten ein oder tragen Sie die Risiken selbst.
.Sp
.B nmap -v ziel.beispiel.com
.Sp
Diese Option scannt alle reservierten TCP-Ports am Zielsystem mit dem Namen
ziel.beispiel.com. Das -v aktiviert den Verbose-Modus.
.Sp
.B nmap -sS -O ziel.beispiel.com/24
.Sp
Hier wird ein stealth SYN-Scan gegen jede der 255 Maschinen des Klasse
C-Netzwerks von ziel.beispiel.com gestartet. Ebenso wird versucht das
Betriebssystem der aktiven Systeme zu ermitteln. Dieser Vorgang erfordert
root-Privilegien aufgrund des SYN-Scans und der Betriebssystemerkennung.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
Startet einen Xmas-Tree-Scan auf die erste Haelfte der 255 moeglichen 8
Bit Subnetze des Klasse B-Adressraums von 198.116. Wir ueberpruefen, ob am
Zielsystem SSHD, DNS, POP3D, IMAPD oder der Port 4564 aktiv ist. Wichtig ist,
dass Xmas-Scans nicht gegen Microsoft-Geraete funktionieren, da einige
Abweichungen bei der Implementierung des TCP-Stacks gemacht wurden. Das gleiche
gilt fuer Cisco-, IRIX-, HP/UX- und BSDI-Maschinen.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Manchmal ist es nicht erforderlich einen IP-Adressbereich zu scannen. So kann
es durchaus sein, dass in einer Situation das Absuchen spezieller Geraete
noetig wird. Dieses Kommando findet saemtliche Webserver, die eine IP-Adresse
aufweisen, die auf .2.3, .2.4 oder .2.5 endet. Falls Sie root sind, so kommt
eventuell ein Hinzufuegen von -sS in Frage. Ebenso koennten mehr interessante
Systeme gefunden werden, wenn bei 127 gestartet wird (IMHO). In diesem Fall
koennen die durch die Sterne gegebenen Platzhalter durch '127-222' ersetzt
werden.
.Sp
.B host -l firma.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
Fuehrt einen DNS-Zonetransfer durch, um saemtliche Hosts von firma.com zu
finden. Die Ausgabe der IP-Adressen wird sodann fuer die weitere Verarbeitung
zu
.I nmap
umgeleitet. Die dokumentierte Kommandofolge funktioniert nur auf Geraeten mit
GNU/Linux. Vielleicht muessen Sie auf anderen Betriebssystemen andere Kommandos
und Optionen heranziehen.
.SH FEHLER
Fehler? Was fuer Fehler? Senden Sie sie mir, falls sie solche finden.
Entsprechende Patches waeren auch gleich nett :) Denken Sie ausserdem daran,
neue OS-Fingerabdruecke einzusenden, damit die Datenbank wachsen kann. nmap
gibt eine URL zur Uebermittlung des unbekannten Fingerabdrucks aus.
.SH AUTOR
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH UEBERSETZUNG
.Sp
Marc Ruef
.I <marc.ruef@computec.ch>
.Sp
http://www.computec.ch
.Sp
Wettingen, Oktober 2002
.SH DISTRIBUTION
Die neueste Version von
.I nmap
kann jeweils von
.I http://www.insecure.org/nmap/
bezogen werden.
.Sp
.I nmap
is (C) 1995-2002 by Insecure.Com LLC
.Sp
Dieses Programm gilt als freie Software; Sie koennen sie unter den
Lizenzbestimmungen der GNU General Public License, wie sie von der Free
Software Foundation in der Version 2 publiziert wurde, weitergeben und/oder
veraendern. Dies weist Ihnen das Recht zu, die Software unter den gegebenen
Bestimmungen zu nutzen, modifizieren und weiterzugeben. Falls Sie diese
Lizenzbestimmungen nicht akzeptieren wollen, ist Insecure.Org unter Umstaenden
in der Lage, eine alternative Lizenzbestimmung auszuhandeln (kontaktieren Sie
fyodor@insecure.org).
.Sp
Der Quelltext dieser Software wird aus diesem Grund zur Verfuegung gestellt,
weil wir glauben, dass die Benutzer ein Recht darauf haben zu wissen, was die
von ihnen eingesetzten Programme machen. Dies ermoeglicht zudem das
Ueberpruefen der Software auf etwaige Sicherheitsschwachstellen (bisher wurden
keine gefunden).
.Sp
Der Quelltext ermoeglicht zudem das Portieren von nmap auf neue Plattformen,
das Beheben von Fehlern und Hinzufuegen neuer Funktionalitaeten. Ich darf Sie
bitten entsprechende Aenderungen an fyodor@insecure.org zu schicken, um eine
etwaige Zusammenarbeit zu besprechen. Durch das Senden von Neuerungen an
Fyodor oder einem der Mitglieder der Entwickler-Meilingliste erlauben Sie die
unlimitierte, nicht-exklusive Weiterverwendung, Modifizierung und
Relizensierung. Dies ist insofern wichtig, da einige andere Free Software
Projekte (zum Beispiel KDE und NASM) sich mit unnoetigen Lizenzproblemen
konfrontiert sahen. nmap wird stets als open-source zur Verfuegung stehen.
Falls Sie sich an andere Lizenzbestimmungen halten moechten, so vermerken Sie
dies doch bitte beim Einsenden Ihres Materials.
.Sp
Dieses Programm wurde in der Hoffnung entwickelt, dass es nuetzlich ist;
jedoch
.B OHNE JEGLICHE GARANTIE.
Siehe die GNU General Public License fuer zusaetzliche Informationen (sie ist
in der Datei namens COPYING, die mit
.I nmap
mitgeliefert wird, enthalten).
.Sp
Es muss zusaetzlich erwaehnt werden, dass nmap in der Lage ist, schlecht
geschriebene Anwendungen, TCP/IP-Stacks und Betriebssysteme abstuerzen zu
lassen.
.B nmap sollte nie auf mission-critical Systeme angewandt werden
, ausser, wenn ein entsprechender Ausfall (engl. downtime) verkraftet werden
kann. Wir bestaetigen hiermit, dass nmap unter Umstaenden Systeme und Netzwerke
negativ beeinflussen kann. Wir tragen keine Verantwortung fuer Probleme, die
beim Nutzen von nmap entstehen koennen.
.Sp
Aufgrund dessen, dass das Risiko eines Absturzes besteht und einige Black Hats
nmap fuer das Auswerten von Angriffszielen missbrauchen, koennen einige
Administratoren allergisch auf das Scannen ihrer Systeme reagieren. Somit ist
es stets empfehlenswert, die Erlaubnis fuer das Scannen eines Netzwerks
einzuholen.
.Sp
nmap sollte aus Sicherheitsgruenden nie mit erweiterten Privilegien (z.B. suid
root) gestartet werden.
.Sp
Dieses Produkt beinhaltet Software-Teile, die von der Apache Software
Foundation (http://www.apache.org/) entwickelt wurden. Die
.I Libpcap
portable Bibliothek wird als Teil von nmap mitgeliefert. Libpcap wurde
urspruenglich durch Van Jacobson, Craig Leres und Steven McCanne,
alle vom Lawrence Berkeley National Laboratory, Universitaet von Kalifornien,
Berkeley, CA, entwickelt. Zur Zeit wird sie von http://www.tcpdump.org
betreut.

887
docs/nmap_italian.1 Normal file

@@ -0,0 +1,887 @@
.\" This definition swiped from the gcc(1) man page
.\" Traslated in Italian by deneb <deneb@penguin.it>
.\" Wen Aug 30 2000
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NOME
nmap \- Utility di esplorazione per le rete e security scanner
.SH SINTASSI
.B nmap
[Tipi Scan] [Opzioni] <host o rete #1 ... [#N]>
.SH DESCRIZIONI
.I Nmap
<EFBFBD> progettato per permettere agli ammistratori di sistema e
alle persone curiose lo scan di grandi reti al fine di
determinare quali host sono attivi e quali servizi offrono.
.I nmap
supporta un grande numero di tecniche per lo scanning come
ad esempio: UDP, TCP connect(), TCP SYN (semi aperto),
ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep),
FIN, ACK sweep, Xmas Tree, SYN sweep, e scan Null.
Vedete la sezione
.I Tipi di scan
per ulteriori informazioni.
nmap offre anche varie caratteristiche avanzate come per esempio
il rilevamento del S.O. via TCP/IP fingerprinting, lo scan stealth
(invisibile), ritardo dinamico e i calcoli delle ritrasmissioni,
lo scan parallelo, il rilevamento degli host non attivi mediante
i ping paralleli, lo scan mediante decoy, il rilevamento del
filtraggio delle porte, lo scan RPC diretto (non-portmapper),
lo scan di frammentazione, la specifica flessibile della
destinazione e delle porte.
.PP
Sforzi significativi sono stati impiegati nel rendere decenti
le performance per gli utenti non root. Sfortunatamente,
molte interfacce del kernel critiche (come ad esempio i
socket raw) richiedono i privilegi di root.
nmap dovrebbe essere eseguito da root ogni volta che <20>
possibile.
.PP
Il risultato di un'esecuzione di nmap <20> di solito una lista
di porte interessanti sulla/e macchina/e, che sono state
sottoposte allo scan (se ve ne sono). Nmap da sempre
il nome del servizio "ben noto" (se noto), il numero, lo
stato, e il protocollo. Lo stato pu<70> essere 'open' (aperto),
'filtered' (filtrato), o 'unfiltered' (non-filtrato).
Open significa che la macchina destinazione accetter<65> (
mediante accept()) le connessioni su quella porta. Filtered
significa che un firewall, filtro, o un altro ostacolo di
rete sta coprendo la porta e impedendo a nmap di determinare
se la porta <20> aperta. Unfiltered significa che nmap ha
riconosciuto la porta come chiusa e nessun firewall/filtro
sembra aver interferito con il tentativo di nmap di
rilevare se la porta fosse aperta o chiusa.
Le porte unfiltered (non-filtrate) sono il caso pi<70> comune e
sono mostrate solo quando la maggior parte delle porte
esaminate sono nello stato filtered (filtrate).
.PP
A seconda delle opzioni usate, nmap pu<70> riportare le seguenti
caratteristiche dell'host remoto: S.O. in uso, sequenziabilit<69>
TCP, nomi gli utenti che hanno eseguito i programmi che sono
associati ad una data porta, il nome del DNS, se l'host <20> un
indirizzo smurf, e poco altro.
.SH OPZIONI
Le opzioni che assieme hanno senso possono essere generalmente
combinate. Alcune opzioni sono specifiche a date modalit<69> di scan.
.I nmap
prova a rilevare e avvisare l'utente su combinazioni psicotiche o
non supportate.
.Sp
Se siete impazienti, potete passare direttamente alla sezioni di
.I esempi
posta alla fine, che dimostra l'utilizzo comune. Potete anche
eseguire
.B nmap -h
per ottenere una pagina di riferimento rapido, che elenca tutte
le opzioni.
.TP
.B TIPI DI SCAN
.TP
.B \-sT
Scan TCP connect(): Questa <EFBFBD> la forma base dello scan TCP. La
chiamata di sistema connect() fornita dal vostro sistema
operativo <EFBFBD> usata per aprire una connessione ad ogni porta
interessante sulla macchina. Se la porta <EFBFBD> in ascolto, la
connect() avr<76> luogo, altrimenti la porta non <20> raggiungibile.
Ogni utente sulla maggior parte dei sistemi UNIX <20> libero
di usare questa chiamata.
.Sp
Questo genere di scan <20> facilmente rilevabile in quanto
i log dell'host destinazione mostreranno un gruppo di connessioni
e messaggi di errore per i servizi che accettano la connessione
mediante accept() solo per chiuderla immediatamente dopo.
.TP
.B \-sS
Scan TCP SYN: Questa tecnica <20> spesso chiamata scan "semi-aperto",
perch<EFBFBD> non aprite una completa connessione TCP. Mandate un pacchetto
SYN, come se aveste intenzione di aprire una vera connessione,
e aspettate la risposta. Un SYN|ACK come risposta indica che
la porta <20> in ascolto. Un RST <20> indicativa di una porta
non in ascolto. Se viene ricevuto un SYN|ACK come risposta
, viene mandato immediatamente un RST per chiudere la connessione
( allo stato attuale il kernel del vostro S.O. lo fa per noi).
Il vantaggio primario di questa tecnica di scanning <20> che pochi
siti la loggeranno.
Sfortunatamente avete bisogno dei privilegi di root per
poter creare questi appositi pacchetti SYN.
.TP
.B \-sF \-sX \-sN
Le modalit<EFBFBD> di scan Stealth FIN, Xmas Tree, o Null:
Ci sono delle volte che anche lo scan SYN non <EFBFBD>
abbastanza anonimo. Alcuni firewall e packet filter
controllano i SYN per le porte riservate, e programmi come
Synlogger e Courtney sono disponibili per rilevare
questi scan. Questi scan avanzati, d'altra parte, possono
essere in grado di passare attraverso i firewall, packet
filter e/o programmi loggers indisturbati.
.Sp
L'idea <20> che le porte chiuse devono rispondere al vostro
pacchetto di prova con un RST, mentre le porte aperte devono
ignorare il pacchetto in questione (vedere RFC 793 pagina 64).
Lo scan FIN usa (sorpresa) un semplice pacchetto FIN come prova,
mentre lo scan Xmas attiva i flag FIN, URG, e PUSH.
Lo scan Null disattiva tutti i flag. Sfortunatamente Microsoft
(come sua consuetudine) ha deciso di ignorare completamente lo
standard e fare le cose a modo suo. Cos<6F> questo tipo di scan
non funziona contro i sistemi in cui gira Windows95/NT. Se
prendiamo la cosa dal punto di vista positivo, questo fatto
<EFBFBD> un buon modo per distinguere tra le due piattaforme.
Se lo scan trova porte aperte, sapete che la macchina non <20>
un computer con Windows. Se uno scan -sF,-sX, o -sN mostra
tutte le porte chiuse, ma uno scan SYN (-sS) vi fa vedere
porte aperte, probabilmente state guardando una macchina
Windows. Questo ora <20> meno utile in quanto nmap ha un
proprio un rilevamento di S.O. integrato. Ci sono anche
alcuni altri sistemi che violano lo standard nella stessa
maniera di Windows. Questi includono Cisco, BSDI, HP/UX, MVS,
e IRIX.
Tutti i sistemi operativi soprastanti mandano resets da
porte aperte quando invece dovrebbero solo ignorare il
pacchetto.
.TP
.B \-sP
Ping scanning:
Alcune volte volete solo sapere quali host sulla rete sono
attivi. Nmap pu<70> scoprire questo mandando pacchetti
ICMP echo request ad ogni indirizzo IP sulla rete che voi
specificate. Gli host che rispondono sono attivi. Sfortunatamente,
alcuni siti come ad esempio microsoft.com bloccano i pacchetti
echo-request. Cos<6F> nmap pu<70> mandare anche un pacchetto ack TCP (per
default) alla porta 80. Se ottenenete indietro un RST, la macchina
<EFBFBD> attiva. Una terza tecnica comporta il mandare un pacchetto
SYN e aspettare un RST o un SYN/ACK. Per gli uttenti non-root,
viene usato il metodo connect().
.Sp
Di default (per gli utenti root), nmap usa le tecniche sia ICMP
che ACK in parallelo. Potete cambiare questo comportamento con
l'opzione
.B \-P
descritta successivamente.
.Sp
Notate che il pinging comunque viene fatto di default, e solo gli
host che rispondono vengono sottoposti a scan. Usate questa opzione
solo se desiderate fare un ping sweep
.B senza
fare dei reali portscan.
.TP
.B \-sU
Scan UDP: Questo metodo viene usato per determinare quali porte UDP
(User Datagram Protocol, RFC 768) sono aprte su un host. La tecnica
<EFBFBD> mandare paccheti udp di 0 byte ad ogni porta sulla macchina
destinazione. Se riceviamo un messaggio ICMP port unreachable, allora
la porta <20> chiusa. Altrimenti presumiamo che essa sia aperta.
.Sp
Alcune persone pensano che lo scan UDP sia inutile. Di solito ricordo
loro il bug recente di rcpbind in Solaris. Rpcbind pu<70> essere trovato
nascosto su una porta UDP non documentata a patto che essa sia maggiore
di 32770. Cosi' non ha importanza se la 111 <20> bloccata dal firewall.
Ma, potete trovare quali porte alte maggiori della 30.000 siano in ascolto?
Con uno scanner UDP potete!
Esiste anche il programma backdoor Back Orifice del cDc, che
si nasconde su una porta UDP configurabile sulle macchine Windows.
Per non parlare i vari servizi comunemente vulnerabili che utilizzano
UDP come ad esempio snmp, tftp, NFS, ecc.
.Sp
Sfortunatamente lo scan UDP <20> alcune volte spaventosamente lento
in quanto molti host implementano la proposta di limitare il tasso
dei messaggi di errore ICMP fornita dalla RFC 1812 (sezione 4.3.2.8).
Per esempio, il kernel di Linux (in net/ipv4/icmp.h) limita la generazione
dei messaggi di destination unreachable ad 80 per 4 secondi, con una
penalit<EFBFBD> di 1/4 di secondo se questo limite viene sorpassato.
Solaris ha limiti pi<70> stretti (circa 2 messaggi per secondo)
e cosi si impiega pi<70> tempo per lo scan.
.I nmap
rileva questo tasso limitando e rallentando lo scan di conseguenza,
piuttosto che flooddare la rete con pacchetti inutili che saranno
ignorati dalla macchina destinazione.
.Sp
Come <20> tipico, Microsoft ha ignorato la proposta della RFC e
non sembra aver imposto nessun tasso di limitazione sulle macchine
Win95 e NT. Cos<6F> possiamo fare lo scan di tutte le 65K porte di una
macchina Windows
.B molto
velocemente.
.TP
.B \-sA
Scan ACK: Questo metodo avanzato viene usato solitamente per scoprire
gli insiemi delle regole dei firewall. In particolare, pu<70> aiutare
determinare se un firewall sia stateful o solo un
semplice filtro di pacchetti che blocca i pacchetti SYN in entrata.
.Sp
Questo tipo di scan manda un pacchetto ACK
(con acknowledgement/sequence numbers apparentemente casuali)
alle porte specificate.
Se si ha come ritorno un RST, le porta viene classificata come
"unfiltered" (non-filtrata). Se non si ritorno ( o se si ha come
ritorno un pacchetto ICMP
unreachable), la porta viene classificata come
"filtered" (filtrata). Notate che di solito
.I nmap
non stampa le porte "unfiltered",
cos<EFBFBD> se
.B non
otteniamo nessuna porta mostrata nell'output <20> di solito un
segno che tutte le prove sono state portate a termine ( e hanno
restituito dei RST). Questo scan ovviamente non mostrer<65> mai
porte nello stato "open" (aperto).
.TP
.B \-sW
Scan window: Questo scan avanzato <20> molto simile allo scan ACK,
eccetto che alcune volte pu<70> rilevare sia le port aperte che
filtrate/non filtrate a causa di un'anomalia nel TCP window size
reporting di alcuni sistemi operativi. I sistemi vulnerabili a
questo problema includono almeno alcune versioni di AIX, Amiga,
BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital
UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, e
VxWorks. Vedere l'archivio della mailing list
.I nmap-hackers
per un'elenco completo.
.TP
.B \-sR
Scan RPC. Questo metodo funziona in combinazione con i diversi
metodi di port scan di Nmap. Esso prende tutte le porte TCP/UDP
trovate aperte e poi le flodda con comandi NULL del programma
SunRPC nel tentativo di determinare se sono porte RCP, e se
le sono, quale programma e numero di versione esse servono.
In questo modo potete effettivamente ottenere le stesse informazioni
di 'rcpinfo -p' anche se il portmapper di destinazione <20> dietro
un firewall (o protetto da TCP wrappers). I decoy non funzionano
allo stato attuale con lo scan RPC, in un qualche momento posso
aggiungere il supporto per i decoy negli scan RPC UDP.
.TP
.B \-b <ftp relay host>
FTP bounce attack: Una "caratteristica" interessante del protocollo
ftp (RFC 959) <20> il supporto per le connessioni ftp "proxy".
In altre parole, io dovrei essere in grado di connettemi da evil.com
al server FTP di target.com e richiedere che tale server mandi un
file OVUNQUE su internet! Ora questo poteva andare bene nel 1985
quando la RFC fu scritta. Ma nell'Internet di oggi non possiamo avere
persone che fanno l'hijacking dei server ftp e che richiedono che i dati
siano spediti a punti arbitrari su Internet. Come *Hobbit* scrisse
nel 1995, questo punto debole nel protocollo "pu<70> essere usato per
postare mail e news virtualmente irritracciabili, riempire i dischi,
provare a scavalcare i firewall, e generalmente <20> fastidioso e difficile
da rintracciare allo stesso tempo."
Noi sfrutteremo questo problema per (sorpesa,sopresa) fare lo scan delle
porte TCP da un server ftp "proxy". Cosi potrete collegarvi a un
server ftp dietro un firewall, e poi dare lo scan di porte che
sono molto probabilmente bloccate (la 139 <20> una porta buona).
Se il server ftp permette la lettura da e la scrittura a
qualche directory (come ad esempio /incoming), potete mandare
dati arbitrari porte che trovate aperte (anche se
nmap non fa questo per voi).
.Sp
L'argomento passato all'opzione 'b' <20> l'host che volete
usare come proxy, in una notazione standard URL. Il formato <20>:
.I username:password@server:porta.
Tutto tranne il
.I server
<EFBFBD> opzionale. Per determinare quali server siano vulenrabili a
questo attacco, potete vedere il mio articolo in
.I Phrack
51. E una versione aggiornata <20> disponibili all'URL di
.I nmap
(http://www.insecure.org/nmap)
.TP
.B OPZIONI GENERALI
Nessuna di queste opzioni <20> richiesta ma alcune possono essere abbastanza utili
.TP
.B \-P0
Non provare e fare il ping degli host completo prima di fare
lo scan degli stessi. Queso permette lo scan di reti che non
permettono ICMP echo request (o risposte) attraverso il loro
firewall.
microsoft.com <20> un esempio di tale rete, cos<6F> dovreste sempre
usare
.B \-P0
o
.B \-PT80
quando fate il portscan di microsoft.com
.TP
.B \-PT
Usate il "ping" TCP per determinare quali host sono attivi.
Invece di mandare pacchetti ICMP echo request e aspettare una
risposta, mandiamo pacchetti TCP ACK attraverso la rete
destinazione (o a una macchina singola) e poi aspettiamo
le risposte per ottenere informazioni sull'host. Gli host
che sono attivi dovrebbero rispondere con un RST. Questa
opzione preserva l'efficenza dell'esaminare solo host che
sono attivi permettendovi anche di fare lo scan di reti/host
che bloccno i pacchetti ping. Per gli utenti non root, usiamo
la funzione connect(). Per impostare la porta di destinazione
dei pacchetti di prova usiamo -PT<numero porta>. La porta di
default <20> la 80, in quanto questa porta spesso non <20> filtrata.
.TP
.B \-PS
Questa opzione usa dei pacchetti SYN (richiesta di connessione)
invece dei pacchetti ACK per gli utenti root. Gli host che sono
attivi dovrebbero rispondere con un RST (o, raramente con un SYN|ACK).
.TP
.B \-PI
Questa opzione usa un vero pacchetto ping (ICMP echo request).
Esso trova gli host che sono attivi e cerca anche nella vostra
rete indirizzi broadcast orientati alla sottorete. Questi sono
indirizzi IP che sono esternamente raggiungibili e traduce a
un broadcast di pacchetti in entrata a una sottorete di computer.
Questi dovrebbero essere eliminati se scoperti in quanto permettono
numerosi attacchi denial of service (Smurf <20> il pi<70> comune).
.TP
.B \-PB
Questo <20> il tipo di ping di default. Esso usa gli sweep ACK (
.B \-PT
) e ICMP (
.B \-PI
) in parallelo. In questo modo potete rilevare i firewall che filtrano
uno dei due (ma non entrambe).
.TP
.B \-O
Questa opzione attiva l'identificazione dell'host remoto via
TCP/IP fingerprinting. In altre parole, usa un'insieme di
tecniche per rilevare le sottigliezze nello strato sottostante
dello stack di rete del sistema operativo del computer sottoposto
a scan. Usa questa informazione per creare una 'impronta'
.I (fingerprint)
che viene confrontata con il suo database di impronte note relative
ai vari S.O. (il file nmap-os-fingerprints) per decidere a quale
tipo di sistema state facendo lo scan.
.Sp
Se trovate una macchina che <20> mal diagnosticata e ha almeno
una porta aperta, sarebbe utile se voi mi madate via mail i
dettagli (per esempio il S.O pippo versione numero <20> stato rilevato
come S.O. pluto versione numero1). Se trovate una macchina
con almeno una porta aperta con almeno una porta aperta per
quale nmap dice 'unknown operating system' (sistema operativo
sconosciuto), allora sarebbe utile se mi mandaste l'indirizzo IP
assieme con il nome del S.O. e il numero di versione. Se non
potete mandarmi l'indirizzo IP, la cosa migliore da fare <20>
di eseguire nmap con l'opzione
.B \-d
e mandarmi le tre fingerprint che dovreste ottenere assieme
al nome del S.O. e il numero di versione. Facendo questo
voi contribuite all'elenco dei sistemi operativi conosciuti ad
nmap e cos<6F> tale elenco sar<61> pi<70> accurato per tutti.
.TP
.B \-I
Questa opzione abilita lo scanning TCP reverse ident. Come
notato da Dave Goldsmith in un post del 1996 a BugTraq, il
protocollo ident (rfc 1413) permette di scoprire il nome
dell'utente appartenente ad ogni processo connesso via TCP,
anche se il processo non ha iniziato una connessione. Cos<6F>
potete, per esempio collegarvi alla porta http e poi usare
identd per scoprire se il server <20> in esecuzione con i
diritti di root. Questo scan pu<70> essere fatto solo con una
connessione TCP completa alla porta destinazione (per esempio
con l'opzione -sT). Quando viene usata l'opzione
.B \-I
l'identd dell'host remoto viene interrogato per ogni porta
aperta. Ovviamente questo scan non funziona se nell'host
non <20> in esecuzione identd.
.TP
.B \-f
Questa opzione provoca gli scan SYN, FIN, XMAS, o NULL
ad usare minuscoli pacchetti IP frammentati. L'idea <20> di
suddividere l'header TCP in diversi pacchetti per rendere
pi<EFBFBD> difficile ai filtri di pacchetti (packet filters),
ai sistemi di rilevamento delle intrusioni (IDS), e
altre seccature rilevare quello che state facendo.
State attenti con questa opzione! Alcuni programmi hanno
problemi nella gestione di questi pacchetti minuscoli.
Il mio sniffer preferito <20> andato in segmentation fault
immediatamente dopo aver ricevuto il primo frammento
di 36-byte. Dopo quello ne viene mandato un'altro da
24 byte! Sebbene questo metodo non passer<65> i filtri di
pacchetto e firewall che mettono in coda tutti i frammenti
IP (come l'opzione CONFIG_IP_ALWAYS_DEFRAG nel kernel Linux),
alcune reti non possono permettersi l'abbattimento
delle prestazioni che questa opzioni causa e cos<6F> la lasciano
disabilitata.
.Sp
Notate che non ho ancora questa opzione funzionante su tutti
i sistemi. Funziona bene per le mie mcchine Linux, FreeBSD, e
OpenBSD e alcune persone hanno r con altre varianti *NIX.
.TP
.B \-v
Modalit<EFBFBD> verbose. Questa <20> un'opzione altamente raccomandata
e da molte pi<70> informazioni su quello che sta accadendo.
Potete usarla due volte per ottendere maggiori effetti. Usate
.B \-d
un paio di volte se volete realmente impazzire con lo scrolling dello
schermo!
.TP
.B \-h
Questa comoda opzione mostra una schermata di riferimento
rapido sulle opzioni di utilizzo di nmap. Come potete aver notato,
questa man page non <20> esattamente un 'riferimento rapido' :)
.TP
.B \-oN <nomefiledilog>
Questa opzione logga i risultati dei vostri scan nella normale forma
.B chiaramente leggibile
nel file che specificate come argomento.
.TP
.B \-oM <nomefiledilog>
Questa opzione logga i risultati dei vostri scan nella forma
.B analizzabile dalla macchina
nel file che specificate come argomento. Potete dare l'argomento
\'-\' (senza apici) per inviare l'output allo stdout
(per fare shell pipe, ecc.). In questo caso l'output normale
sar<EFBFBD> sopresso. Controllate i messaggi di errore se usate
quest'ultima possibilit<69> (essi andranno ancora allo stderr).
Notate anche che \'-v\' far<61> in modo che informazioni extra
vengano stampate.
.TP
.B \-oS <nomefiledilog>
QuEsT0 l0gGa | rIsUlTaT| d3i v0sTr| Scanz iN
UnA f0rMa
.B s|<ipT kiDd|3
n3L fiL3 sPec\|fiCaT0 C0mE arGuMEnT0!
P0t3t3 Dar3 L'Arg0M3nt0 \'-\' (s3Nza Virg0L3Tt3)
p3R mAnDAr3 L'0uTput n3ll0 stDouT!@!!
.TP
.B \--resume <nomefiledilog>
Uno scan di rete che <20> stato cancellato a causa di un control-C,
problemi di rete, ecc. pu<70> essere riprestinto usando questa opzione.
Il nomefiledilog deve essere o un log normale (-oN) o un log
analizzabile dalla macchina (-oM) dello scan interrotto.
Nessun'altra opzione deve essere data (le opzioni saranno le stesse
dello scan interrotto).
Nmap inizier<65> a fare lo scan sulla macchina posta dopo l'ultima
macchina di cui <20> stato fatto lo scan nel file di log.
.TP
.B \-iL <nomedelfilediinput>
Legge le specifiche della destinazione da un file specificato
PIUTTOSTO che da linea di comando. Il file dovrebbe contenere
una lista di host o espressioni di rete separate da spazi,
caratteri di tabulazione, o newline. Usate una linea trattegiata
(-) come
.I nomedelfilediinput
se volte che nmap legga le espressioni dell'host dallo stdin
(come alla fine di una pipe). Vedere la sezione
.I specifica della destinazione
per ulteriori informazioni sulle espressioni con le quali
potete riempire il file.
.TP
.B \-iR
Questa opzioni dicono ad Nmap di generare i propri host da
esaminare prendendo semplicemente numeri casuali :). Non
terminer<EFBFBD> main. Questa opzione pu<70> essere utile per campionamenti
statistici di Internet per stimare diverse cose. Se siete
veramente annoiati, provate
.I nmap \-sS \-iR \-p 80
per trovare dei web server da guardare.
.TP
.B \-p <intervallo di porte>
Questa opzione specifica quali porte volete specificare. Per
esempio con '-p 23' Nmap prover<65> la porta 23 del/degli host
destinazione.
Con \'\-p 20-30,139,60000-\' Nmap far<61> lo scan delle porte
tra 20 e 30, la porta 139, e tutte le porte maggiori di 60000.
Di default Nmap fa lo scan sia di tutte le porte tra 1 e 1024
che di ogni porta elencata nel file services fornito con nmap.
.TP
.B \-F Modalit<EFBFBD> di scan veloce.
Specifica che desiderate esaminare solo le porte elencate nel
file servizi fornito con nmap. Questo tipo di scan <20> ovviamente
pi<EFBFBD> veloce di fare lo scan di tutte le 65535 porte di un host.
.TP
.B \-D <decoy1 [,decoy2][,ME],...>
Causa lo svolgimento di uno scan decoy, che fa in modo che
all'host remoto posto sotto scan appaiano anche lo/gli host che
specificate come decoy (esche). Cos<6F> i loro IDS potrebbero
riportare 5-10 port scan da un unico indirizzo IP, ma non sanno
quale IP stava effettuando lo scn e quali sono innocenti decoy.
Sebbene questo scan possa essere sconfitto attraverso il
router path tracing, il response-dropping e altri meccanismi "attivi",
<EFBFBD> generalmente una tecnica estremamente efficace per nascondere il
vostro indirizzo IP.
.Sp
Separate ciascun host decoy con virgole, e potete opzionalmente
usare 'ME' come uno dei decoy per rappresentare la posizione
nella quale volete il vostro indirizzo IP venga usato.
Se mettete 'ME' nella sesta posizione o oltre, per alcuni
rilevatori di portscan comuni (come ad esempio l'eccellente
scanlogd di Solar Designer) <20> molto poco probabile che
mostrino il vostro indirizzo IP. Se non usate 'ME', nmap
lo porr<72> in una posizione casuale.
.Sp
Notate che gli host che usate come decoy dovrebbero essere
attivi o potreste accidentalmente fare il SYN flood delle
destinazioni. Dovrebbe essere anche abbastanza semplice
determinare quale host <20> sottoposto a scan se uno solo <20>
allo stato attuale attivo sulla rete. Potreste voler usare
gli indirizzi IP invece dei nomi (in questo modo le rete dei
decoy non vi vedono nei log dei loro nameserver).
.Sp
Notate anche che alcuni "rilevatori di port scan" (stupidi)
firewalleranno/negheranno il routing agli host che provano
a fare il portscan. Cos<6F> potreste inavvertitamente causare
alla macchina sottoposta a scan la perdita di connettivit<69>
con le macchine decoy che state usando,
Questo potrebbe causare alle macchine target maggiori problemi
se il decoy, <20> diciamo, il suo gateway internet o anche "localhost".
Cos<EFBFBD> potreste voler essere prundenti con questa opzione.
La vera morale della storia <20> che i rilevatori dei portscan
spoofabili non dovrebbero agire contro la macchina che a loro
sembra stia eseguendo lo scan. Potrebbe essere solo un decoy!
.Sp
I decoy sono usati sia nello scan ping iniziale (usando ICMP,
SYN, ACK, o altro) e durante la fase attuale fase di port
scanning. I decoy sono anche usate durante il rilevamento
remoto del S.O. (
.B \-O
).
.Sp
Vale la pena notare che usare troppi decoy pu<EFBFBD> rallentare il
vostro scan e renderlo potenzialmente anche meno accurato.
Inoltre, alcuni ISP filtreranno i vostri pacchetti spoofati,
sebbene molti (attualmente la maggior parte) non
restringono i pacchetti IP spoffati completamente.
.TP
.B \-S <Indirizzo_IP>
In alcune circostanze,
.I nmap
pu<EFBFBD> non essere in grado di determinare il vostro indirizzo sorgente (
.I nmap
vi informer<EFBFBD> se questo <EFBFBD> il caso). In questa situazione, usate
\-S con il vostro indirizzo IP (dell'interfaccia mediante la quale
desiderate mandare i pacchetti).
.Sp
Un'altro possibile uso di questo flag <20> di spooffare lo scan
per fare in modo che le destinazioni pensino che
.B qualcun altro
le stia scannando.
Immaginate una societ<65> sulla quale un'altra rivale fa ripetutamente
dei port scan!. Questo non <20> un utilizzo supportato ( o lo scopo
principale) di questo flag. Ho gi<67> pensato che questo flag
avanza una interessante possibilit<69> di cui le persone dovrebbero
essere consapevoli prima che vadano accusando altri di fare
lo portscanning contro di loro.
.B \-e
sarebbe generalmente richiesta per questo tipo di utilizzo.
.TP
.B \-e <interfaccia
Dice ad nmap su quale interfaccia mandare e ricevere i pacchetti.
Nmap dovrebbe essere ingrado di rilevare tale interfaccia, ma
questa opzione permette di dirgliela se non <20> in grado.
.TP
.B \-g <numeroporta>
Imposta il numero di porta sorgente usata negli scan. Molti
firewall nativi e installzioni di filtri di pacchetti fanno
un'eccezione nel loro insieme di regole per permettere ai
pacchetti DNS (53) o FTP-DATA (20) di passare attraverso e
stabilire una connessione. Ovviamente questo sovverte i
vantaggi di sicurezza di un firewall in quanto gli intrusi
possono mascherarsi come FTP o DNS modificando la loro porta
sorgente.
Ovviamente per uno scan UDP dovreste prima provare uno scan UDP
e gli scan TCP dovrebbero trovare 20 prima di 53.
Notate che questa <20> solo una richiesta -- nmap la onorer<65> solo
se <20> in grado di farlo. Per esempio, non potete fare il campionamento
TCP ISN da un host:porta a un'altro host:porta, cos<6F>
nmap cambia la porta sorgente anche se avete usato -g.
.Sp
Rendetevi conto che usando questa opzione v'<27> una lieve
penalit<EFBFBD> nelle prestazione, perch<63> alcune volte io memorizzo
informazioni utili nel numero della porta sorgente.
.TP
.B \-r
Dice ad Nmap
.B DI NON
rendere casuale l'ordine nel quale le porte sono esaminate.
.TP
.B \-\-randomize_hosts
Dice ad Nmap di mescolare ciascun gruppo di host, fino a 2048
host prima di farne lo scanner. Questo pu<70> renedere gli scan
meno ovvi ai diversi sistemi di monitoraggio della rete,
specialmente quando lo combinare con opzioni di timing
lente (vedere sotto).
.TP
.B \-M <max sockets>
Imposta il numero massimo di socket che saranno usati in
parallelo per uno scan TCP connect() (lo scan di default).
Questa opzione <20> utile per rallentare di poco lo scan e evitare
il crash delle macchine remote. Un'altro approccio <20> usare
\-sS, opzione che <20> generalmente pi<70> semplice da gestire le
le macchine.
.TP
.B OPZIONI DI TIMING
Generalmente Nmap fa un ottimo lavoro nell'adattarsi alle
caratteristiche di rete a run-time e fare lo scan tanto veloce
quanto possibile minimizando le possibilit<69> che degli host/ delle
porte rimangano non rilevate. Comunque, possono esservi casi lo
stesso in qui l politica di timing impostata di default possa
non incontrare i vostri obiettivi. Le seguenti opzioni forniscono
un buon livello di controllo sul timing di uno scan:
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Queste sono possibili politiche di timing per esprimere
convenientemente le vostre priorit<69> ad Nmap.
La modalit<69>
.B Paranoid
fa gli scan
.B molto
lentamente nella speranza di evitare il rilevamento dai sistemi IDS.
Essa serializza tutti gli scan (nessuno scanning parallelo) e
generalmente aspetta almeno 5 minuti tra i pacchetti mandati.
.B Sneaky
<EFBFBD> simile, eccetto che aspetta solo 15 secondi tra i pacchetti mandati.
.B Polite
<EFBFBD> stato pensata per facilitare il carico sulla reta e ridurre le
possibilit<EFBFBD> di mandare in crash le macchine. Serializza le prove
e aspetta
.B almeno
0.4 secondi tra esse.
.B Normal
<EFBFBD> il comportamento di default di Nmap, che prova a fare gli scan
tanto velocemente quanto gli <20> possibile senza sovracaricare la
rete o mancare degli host/delle porte.
La modalit<69>
.B Aggressive
aggiunge un timeout di 5 minuti per host e non aspetta mai
pi<EFBFBD> di 1.25 secondi per le risposte di prova.
.B Insane
<EFBFBD> solo adatto per reti molto veloci o dove non vi importa
la perdit<69> di alcune informazioni. Manda in time out gli
host in 75 secondi e aspetta solo 0.3 per le prove individuali.
Pero non permette sweep di rete molto veloci :). Potete anche
fare riferimento a questi numeri. Per esempio, \'-T
0\' vi da la modalit<69> Paranoid e \'-T 5\' <20> la modalit<69> Insane.
.Sp
Queste possibili modalit<69> di timing NON dovrebbe essere usata con
i controlli a basso livello dati sotto.
.TP
.B --host_timeout <millisecondi>
Specifica la quantit<69> di tempo, permessa ad Nmap per
fare lo scan di un singolo host prima di terminare lo
scan su quel dato IP. La modalit<69> di timing impostata
per default non ha host timeout.
.TP
.B --max_rtt_timeout <millisecondi>
Specifica la somma massima di tempo permessa ad Nmap per
aspettare un risultato di una prova prima di ritrasmettere
o mandare in time-out quella prova particolare. La modalit<69>
di default imposta questo limite a circa 9000 ms.
.TP
.B --min_rtt_timeout <millisecondi>
Quando gli host destinazione iniziano a stabilire un pattern
di risposta molto velocemente, Nmap diminuir<69> la somma di tempo
data per prova. Questo velocizza lo scan, ma pu<70> condurre a
pacchetti mancati quando una risposta impiega di pi<70> del solito.
Con questo parametro potete garantire che Nmap aspetter<65>
al meno la data quantit<69> di tempo prima di terminare una prova.
.TP
.B --initial_rtt_timeout <millisecondi>
Specifica il timeout iniziale di prova. Questo <20> generalmente
utile solo quando fate lo scan di host firewallati con -P0.
Normalmente Nmap pu<70> ottenere buone stime RTT dal ping e dalle
prime prove. La modalit<69> di default usa 6000.
.TP
.B --max_parallelism <numero>
Specifica il massimo numero di scan da svolgere
in parallelo, che <20> permesso a Nmap. Se impostate questo a 1
Nmap non prover<65> mai ad esaminare pi<70> di una porta alla volta.
Questa opzione ha effetto anche sugli altri scan paralleli come
i ping sweep, lo scan RPC, ecc.
.TP
.B --scan_delay <millisecondi>
Specifica la quantit<69> di tempo
.B minima
nella quale Nmap deve aspettare tra le prove. Questa opzione
<EFBFBD> utile principalmente per ridurre il carico di rete o per
rallentare il metodo di scan per penetrare furtivamente
sotto le soglie degli IDS.
.SH SPECIFICA DELLA DESTINAZIONE
Tutto ci<63> che non <20> un'opzione (o un argomenti di un'opzione)
viene trattato in nmap come specifica dell'host destinazione.
Il caso pi<70> semplice <20> elencare hostname singoli o indirizzi IP
sulla linea di comando. Se volete fare lo scan di una sottorete
di indirizzi IP, potete aggiungere
.B '/mask'
al nome host
o all'indirizzo IP
.B mask
deve essere compreso tra 0 (fai lo scan dell'intera internet)
e 32 (fai lo scan del singolo host specificato). Usate /24 per
fare lo scan di un indirizzo di classe 'C' e /16 per fare lo scan
di un indirizzo di classe 'B'.
.Sp
Nmap ha anche un notazione pi<70> potente che vi permette di
specificare un indirizzo IP usando liste/intervalli per ogni
elemento. Cosi potete fare lo scan dell'intera rete classe 'B'
128.210.*.* specificando '128.210.*.*' o '128.210.0-255.0-255' o
anche '128.210.1-50,51-255.1,2,3,4,5-255'. E certamente potete
usare la notazione maschera: '128.210.0.0/16'. Queste sono tutte
equivalenti. Se usate asterischi ('*'), ricordatevi che la maggior
parte delle shell vi richiedono che voi ne facciate l'escape con
le backslashes o li proteggiate con gli apici.
.Sp
Un'altra cosa interessante da fare <20> quantizzare Internet
in un'altro modo. Invece di fare lo scan di tutti gli host
in una classe 'B', fate lo scan '*.*.5.6-7' per esaminare
ogni indirizzo IP che finisce in .5.6 o .5.7. Decidete i
voi i vostri numeri. Per ulteriori informazioni sulla
specifica degli host su cui fare lo scan, vedere la sezione
.I esempi
.SH ESEMPI
Ecco qui vi sono alcuni esempi di utilizzo per nmap, da quelli
semplici e normali a quelli pi<70> complessi/esoterici. Notate che
numeri attuali e alcuni nomi di dominio attuali sono stati usati
per rendere le cose pi<70> concrete. Al loro posto dovreste sostituire
gli indirizzi/nome della
.B vostra rete.
Non penso che fare il portscanning di altre reti sia illegale;
i portscan non dovrebbero essere interpretati dagli altri
come un attacco. Ho fatto lo scan di centinaia di migliaia
di macchine e ho ricevuto solo una lamentela. Ma non sono un
avvocato e alcune persone (anali) protrebbero essere infastidite
dalle prove con
.I nmap.
Ottete il permesso prima o usatelo a vostro rischio.
.Sp
.B nmap -v destinazione.esempio.com
.Sp
Questa opzione fa lo scan di tutte le porte riservate TCP sulla
macchina destinazione.esempio.com. Il \-v significa aabilita
la modalit<69> verbose.
.Sp
.B nmap -sS -O destinazione.esempio.com/24
.Sp
Lancia uno scan SYN invisibile (stealth) contro ogni macchina
che <20> attiva compresa nelle 255 macchine della classe 'C' dove
destinazione.esempio.com risiede. Prova anche a determinare
quale sistema opertivo <20> in esecuzione su ciascun host
che <20> attivo.
Questo scan richiede i privilegi di root a causa dello scan
SYN ed del rilevamento del S.O.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "128.210.*.1-127"
.Sp
Manda uno scan Xmas tree alla prima meta di ciascuno delle
possibili sottoreti a 8 bit nello spazio di indirizzo classe
'B' 128.210.
Stiamo testando se i sistemi hanno in esecuzione sshd, DNS,
pop3d, imapd, o la porta 4564 aperta.
Notate che lo scan Xmas non funziona sulle macchine Microsoft
a causa del loro stack TCP deficente.
Lo stesso vale per le macchine CISCO, IRIX, HP/UX, e BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Piuttosto che concentrarsi su un'intervallo IP specifico,
alcune volte <20> interessante suddividere in parti l'intera Internet
e fare lo scan di una piccola parte. Questo comando trova
tutti i server web sulle macchine con gli indirizzi IP che
terminano in .2.3, .2.4, o .2.5. Se siete root potrete allo
stesso modo aggiungere -sS. Potrete anche trovare macchine
pi<EFBFBD> interessanti che iniziano con 127. cosi potreste voler usare
'127-222' invece dei primi asterischi perche quella sezione ha
una maggior densit<69> di macchine interessanti (IMHO).
.Sp
.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
Fa un DNS zone tranfer per trovare gli host in company.com
e poi da in pasto gli indirizzi IP a
.I nmap.
I comandi sopra visti sono per la mia macchina GNU/Linux.
Potreste aver bisogno di diversi comandi/opzioni su altri
sistemi operativi.
.SH BUGS
Bugs? Che bugs? Mandatemeli se li trovate. Anche patch sono
gradite :) Ricordate anche di mandare i fingerprint per i nuovi
S.O. cos<6F> possiamo far crescere il database. Nmap vi dar<61> una
URL di submission quando <20> stata trovata un'appropriata fingerprint.
.SH AUTORE
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH DISTRIBUZIONE
La pi<70> recente distribuzione di nmap
.I nmap
puo' essere ottenuta al
.I http://www.insecure.org/nmap/
.Sp
.I nmap
is (C) 1997,1998,1999,2000 by Fyodor (fyodor@insecure.org)
.Sp
.I libpcap
viene anche distribuita assieme ad nmap. Il suo copyright
<EFBFBD> detenuto da Van Jacobson, Craig Leres and Steven McCanne,
tutti del Lawrence Berkeley National Laboratory, Universit<69>
della California, Berkeley, CA.
La versione distributa con nmap pu<70> essere stata modificata
i sorgenti originali sono disponibili al
ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
.Sp
Questo programma <20> software libero; potete ridistribuirlo e/o
modificarlo rispettando i termini della GNU General Public
License com pubblicata dalla Free Software Foundation;
Versione 2. Questa garantisce i vostri diritti di usare, modificare
e ridistribuire Nmap sotto certe condizioni. Se questa licenza
<EFBFBD> per voi inaccettabile, Insecure.Org pu<70> essere in grado di
vendervi licenze alternative (contattate fyodor@insecure.org).
.Sp
Il sorgente viene fornito con questo software perch<63> crediamo
che gli utenti abbiano il diritto di sapere cosa esattamente
un programma ha intenzione di fare prima di eseguirlo.
Questo potrebbe anche permettevi di correggere di testare il
software per buchi alla sicurezza (non ne sono stati trovati
da molto).
.Sp
Il codice sorgente vi permette anche di fare il port di nmap
a nuove architetture, fissare i bug, e aggiungere nuove
caratteristiche. Siete fortemente incoraggiati di mandare i
vostri cambi a Fyodor per la possibile inclusione nella
distribuzione principale di Nmap. Mandando questi cambi
a Fyodor, o a nmap-hackers, si assume che voi stiate offrendo
a Fyodor il diritto illimitato, non esclusivo di riusare,
di modificare, e porre sotto nuova licenza il codice.
Se desiderate specificare condizioni speciali per la licenza
dei vostri contributi, dichiarateli prima sul contributo stesso.
.Sp
Questo programma <20> distribuito nella speranza che sia utile, ma
.B SENZA ALCUNA GARANZIA;
senza anche l'implicita garanzia di
.B COMMERCIABILITA'
o
.B ADEGUATEZZA AD UNO SCOPO PARTICOLARE.
Vedere la GNU Public License per ulteriori dettagli (essa <20> nel file
COPYING della distribuzione di
.I nmap
).
.Sp
Si dovrebbe notare che Nmap pu<70> mandare in crash determinate
applicazioni mal progettate, stack TCP/IP, e anche
sistemi operativi.
.B Nmap non dovrebbe mai essere eseguito contro sistemi,
che hanno compiti critici (detti anche mission critical systems)
a meno che non siate preparati a tollerare
il tempo in cui essi siano disattivi.
Qui riconosciamo che Nmap pu<70> mandare in crash i vostri sistemi o
reti e non ci assumiamo nessuna responabilit<69> per ogni danno o
problema che Nmap potrebbe causare.
.Sp
Tutte le versioni di Nmap a partire dalla 2.0 inclusa
non presentano problemi in tutti i loro aspetti
con il bug dell'anno 2000 (Y2K bug).
Non esiste nessuna ragione di credere che le versioni
precedenti alla 2.0 siano suscettibili a tale problema,
ma non sono state testate.

389
docs/nmap_latvian.1 Normal file

@@ -0,0 +1,389 @@
.\" This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH V<EFBFBD>RDS
nmap \- Network exploration tool and security scanner
.SH NOSAUKUMS
.B nmap
[skan<61><6E>anas metode(s)] [opcijas] <host vai t<>kls#1...[#N]>
.SH APRAKSTS
.I Ar Nmap var skan<EFBFBD>t neierobe<EFBFBD>otu daudzumu un lielumu t<EFBFBD>klus, noteikt to dro<EFBFBD><EFBFBD>bas pak<EFBFBD>pi, apzin<EFBFBD>t atv<EFBFBD>rtos portus, k<EFBFBD> ar<EFBFBD> atbilsto<EFBFBD>o servisu esam<EFBFBD>bu. <EFBFBD><EFBFBD> uzdevuma <EFBFBD>steno<EFBFBD>anai Nmap izmanto daudz da<EFBFBD><EFBFBD>das skan<EFBFBD><EFBFBD>anas metodes, k<EFBFBD> piem<EFBFBD>ram UDP, TCP connect(), TCP SYN, FTP proxy (skan<61><6E>ana caur ftp), Reverse-ident, ICMP (ping) FIN, ACK, Xmas tree, SYN, NULL metodes. Tuv<EFBFBD>k t<EFBFBD>s apskat<EFBFBD>tas noda<EFBFBD><EFBFBD> "Skan<61><6E>anas opcijas".
.I Nmap satur daudz da<EFBFBD><EFBFBD>das papildus iesp<EFBFBD>jas, konkr<EFBFBD>t<EFBFBD>k: datora oper<EFBFBD>t<EFBFBD>jsist<EFBFBD>mas noteik<EFBFBD>ana (t<>l<EFBFBD>k tekst<EFBFBD> OS) izmantojot TCP/IP steka sniegto inform<EFBFBD>ciju, "neredzamo" skan<EFBFBD><EFBFBD>anu, dinamiski <EFBFBD>ener<EFBFBD>tas aiztures un atk<EFBFBD>rtota pake<EFBFBD>u p<EFBFBD>rraid<EFBFBD><EFBFBD>ana, paral<EFBFBD>l<EFBFBD> skan<EFBFBD><EFBFBD>ana, neakt<EFBFBD>va host`a noteik<EFBFBD>ana izmantojot paral<EFBFBD>lo ping piepras<EFBFBD>jumu, skan<EFBFBD><EFBFBD>ana no neeksist<EFBFBD>jo<EFBFBD>iem hostiem, noteikt pake<EFBFBD>u filtru esam<EFBFBD>bu, tie<EFBFBD><EFBFBD> (neizmantojot portmapper) RPC skan<EFBFBD><EFBFBD>ana, skan<EFBFBD><EFBFBD>ana izmantojot IP-fragment<6E>ciju.
.I Kaut ar<EFBFBD> Nmap ir maksim<EFBFBD>li optimiz<EFBFBD>ts priek<EFBFBD> parastiem lietot<EFBFBD>jiem, daudzas t<EFBFBD> iesp<EFBFBD>jas ir at<EFBFBD>autas tikai root lietot<EFBFBD>jam. Ieteicam Nmap laist ar root ties<EFBFBD>b<EFBFBD>m.
.PP
Nmap rezult<6C>ti tiek izvad<61>ti k<> interes<65>jo<6A>o portu saraksts uz skan<61>t<EFBFBD> kompj<70>tera, protokola tips, servisa nosaukums. Portiem kl<6B>t ir apz<70>m<EFBFBD>jumi "atv<74>rts" (open), "filtr<74>ts" (filtered), "nefiltr<74>ts" (unfiltered). "atv<74>rts" noz<6F>m<EFBFBD>, ka <20>im portam var piesl<73>gties, "filtr<74>ts" - ugunsm<73>ris (firewall) pake<6B>u filtrs , vai k<>ds cits apst<73>klis ne<6E>auj Nmap noteikt, vai ports ir atv<74>rts vai n<>, "nefiltr<74>ts" - ports ir aizv<7A>rts, lai gan nekas netrauc<75>ja Nmap to skan<61>t.
.PP
Atkar<EFBFBD>b<EFBFBD> no dotaj<61>m komand<6E>m, Nmap sp<73>j noteikt <20><>das skan<61>jam<61> host`a <20>pa<70><61>bas: lietot<6F>ja OS, TCP ISN <20>ener<65><72>anas metodi, lietot<6F>ja v<>rdu (username) kam "pieder" noteikts serviss, DNS nosaukumu u.t.t.
.SH OPCIJAS
Vairumu opciju ir iesp<73>jams kombin<69>t sav<61> starp<72>.Vienas opcijas paredz<64>tas priek<65> skan<61><6E>anas meto<74>u izv<7A>l<EFBFBD>s, citas savuk<75>rt atbild par da<64><61>du papildus iesp<73>ju izmanto<74>anu, vai ar<61> atbild par da<64><61>diem skan<61><6E>anas parametriem. Palai<61>ot programmu Nmap ar opciju '-h' vienm<6E>r ir iesp<73>jams ieg<65>t inform<72>ciju par vis<69>m t<>s iesp<73>j<EFBFBD>m.
.TP
.B SKAN<EFBFBD><EFBFBD>ANAS VEIDI
.TP
.B \-sS
(scan SYN) - Izmantot TCP SYN metodi. <20>o metodi sauc par "pusatverto" skan<61><6E>anu, jo piln<6C>gs savienojums ar att<74>lin<69>t<EFBFBD> datora portu nenotiek. Nmap nos<6F>ta SYN paketi, itk<74> pieprasot nodibin<69>t savienojumu un gaida att<74>lin<69>t<EFBFBD>s sist<73>mas atbildi. Atbildot sist<73>ma nos<6F>ta paketi ar SYN|ACK mar<61><72>jumu (flag), ka ir gatava nodibin<69>t savienojumu. Kad Nmap sa<73>em SYN|ACK paketi, atpaka<6B> nekav<61>joties tiek nos<6F>t<EFBFBD>ta RST pakete liekot saprast att<74>lin<69>tajai sist<73>mai, ka nev<65>las nodibin<69>t v<>l neveikto savienojumu. Ne visas sist<73>mas fiks<6B> <20><>da tipa skan<61><6E>anu. Lietot<6F>jam vajadz<64>gas root ties<65>bas, lai var<61>tu izveidot SYN paketes.
.Sp
Lai pa<70>trin<69>tu skan<61><6E>anu, skan<61>jot lielus t<>klus, kop<6F> ar opciju '-sS' var lietot sa<73>sin<69>jumu, kur<75> at<61>auj piepras<61>t nor<6F>d<EFBFBD>to portu vis<69>m akt<6B>vaj<61>m sist<73>m<EFBFBD>m j<>su skan<61>taj<61> diapazon<6F> daudz <20>tr<74>k, nek<65> izmantojot tikai '-p' opciju. To var izdar<61>t ar sa<73>sin<69>juma -PS pal<61>dz<64>bu. Piem<65>ram, ja ir nepiecie<69>am<61>ba noteik, cik sist<73>mas noteikt<6B> diapazon<6F> ir atv<74>ru<72>as 25 portu jums ieteicams lietot <20>o sa<73>sin<69>jumu. (piem):
nmap -n -sS -p25 -PS25 24.0.0.0/8
.TP
.B \-sT
(scan TCP) - izmanto TCP connect() metodi. <EFBFBD><EFBFBD> ir visizplat<EFBFBD>t<EFBFBD>k<EFBFBD> TCP portu skan<EFBFBD><EFBFBD>anas metode. Funkcija connect(), ir iek<EFBFBD>auta jebkur<EFBFBD> OS, t<EFBFBD>dej<EFBFBD>di at<EFBFBD>aujot <EFBFBD>stenot savienojumus ar vienalga k<EFBFBD>du att<EFBFBD>lin<EFBFBD>t<EFBFBD>s sist<EFBFBD>mas portu. Ja skan<EFBFBD>jamais ports uz att<EFBFBD>lin<EFBFBD>t<EFBFBD>s sist<EFBFBD>mas b<EFBFBD>s pieejams, tad funkcija connect() norit<EFBFBD>s veiksm<EFBFBD>gi, pret<EFBFBD>j<EFBFBD> gad<EFBFBD>jum<EFBFBD> ports skait<EFBFBD>s sl<EFBFBD>gts, vai ar<EFBFBD> aizsarg<EFBFBD>ts ar ugunsm<EFBFBD>ri, vai ko taml<EFBFBD>dz<EFBFBD>gu.
.Sp
Lai izmantotu <20>o skan<61><6E>anas metodi, lietot<6F>jam nav vajadz<64>gas t.s. privili<6C><69>t<EFBFBD>s ties<65>bas. <20><>du skan<61><6E>anu <20>oti viegli konstat<61> skan<61>jam<61> dator<6F> <20>p<EFBFBD><70>nieks, jo viss tiek akur<75>ti ierakst<73>ts log fail<69>.
.TP
.B \-sF \-sX \-sN
(scan FIN, scan Xmas, scan NULL) - "neredzam<61>" FIN, Xmas Tree un NULL skan<EFBFBD><EFBFBD>ana. <EFBFBD>o metodi lieto, ja SYN skan<EFBFBD><EFBFBD>ana k<EFBFBD>du iemeslu d<EFBFBD><EFBFBD> nav iesp<EFBFBD>jama. Piem<EFBFBD>ram da<EFBFBD>i ugunsm<EFBFBD>ri filtr<EFBFBD> SYN paketes, kas tiek nos<EFBFBD>t<EFBFBD>tas uz vi<EFBFBD>u aizsarg<EFBFBD>tajiem portiem, un t<EFBFBD>das programmas k<EFBFBD> Synlogger sp<EFBFBD>j<EFBFBD>gas fiks<EFBFBD>t SYN skan<EFBFBD><EFBFBD>anas m<EFBFBD><EFBFBD>in<EFBFBD>jumu.
.Sp
Dot<EFBFBD>s skan<61><6E>anas laik<69> notiek sekojo<6A>ais. FIN skan<61><6E>anu veic ar FIN paket<65>m. Xmas Tree izmanto FIN|URG|PSH paketes, NULL skan<61><6E>anas gad<61>jum<75> tiek nos<6F>t<EFBFBD>tas nemar<61><72>tas paketes. Vadoties p<>c RFC 973 rakst<73>t<EFBFBD>, skan<61>jam<61>s sist<73>mas OS ir j<>atbild uz <20><>da veida paket<65>m, no sl<73>gtiem portiem ar RST paketi, taj<61> pa<70><61> laik<69> atv<74>rtie porti <20>o nemar<61><72>to paketi ignor<6F>.
K<EFBFBD> vienm<6E>r Microsoft Windows izstr<74>d<EFBFBD>t<EFBFBD>ji ner<65><72>in<69>s ar pie<69>emto standartu, t<>d<EFBFBD><64> <20>i skan<61><6E>anas metode b<>s neefekt<6B>va skan<61>jot jebkuru sist<73>mu, kas izmanto Microsoft veidot<6F>s OS. Ja FIN skan<61><6E>anas rezult<6C>t<EFBFBD>, tiek izmests atv<74>rto portu saraksts, tad att<74>lin<69>t<EFBFBD>s sist<73>mas OS nav Windows. Ja visas <20><>s metodes izmet pazi<7A>ojumu, ka visi porti sl<73>gti, turpret<65>m SYN skan<61><6E>ana atkl<6B>j atv<74>rtus portus, tad visticam<61>k att<74>lin<69>t<EFBFBD>s sist<73>mas OS ir Windows. J<>piebilst, ka Windows nav vien<65>g<EFBFBD> OS, kura satur <20>o nepiln<6C>bu. Pie <20><>da tipa OS var pieskait<69>t ar<61> Cisco, BSDI, IRIX, HP/UX un MVS. Visas <20>is OS neatbild nemar<61><72>t<EFBFBD>m paket<65>m.
.TP
.B \-sP
scan Ping) - ping "skan<61><6E>ana". Da<44>reiz ir nepiecie<69>am<61>ba uzzin<69>t tikai akt<6B>vo hostu adreses. Nmap to sp<73>j izdar<61>t, nos<6F>tot ICMP ECHO piepras<61>jumu katrai ip adresei nor<6F>d<EFBFBD>taj<61> diapazon<6F>. Hosts, kas atbild uz <20>o piepras<61>jumu ir akt<6B>vs, t.i. ir piesl<73>gts t<>klam.
.Sp
Da<EFBFBD>i hosti (piem<65>ram microsoft.com) blo<6C><6F> ECHO piepras<61>jumus, t<>d<EFBFBD><64> Nmap papildus nos<6F>ta TCP ACK paketi uz 80 portu (noklus<75>ti). Ja hosts atbild ar RST paketi, tad vi<76><69> ir akt<6B>vs. Tre<72><65> metode izmanto SYN paketi, par atbildi gaidot RST vai SYN|ACK paketi. Lietot<6F>jiem, kuriem nav root privil<69><6C>ijas tiek izmantota connect() metode.
.Sp
Lietot<EFBFBD>jiem ar root privil<69><6C>ij<69>m Nmap noklus<75>ti lieto abas metodes - ICMP un ACK. <20>o iest<73>dijumu var main<69>t izmantojot opciju .B \-P
, kur aprakst<73>ta zem<65>k. Ping skan<61><6E>ana tiek lietota vienm<6E>r un tikai akt<6B>v<EFBFBD>s sist<73>mas tiek skan<61>tas, t<>d<EFBFBD><64> <20>o skan<61><6E>anas metodi izmatojiet tikai ta, ja v<>laties uzzin<69>t akt<6B>vo sist<73>mu daudzumu, ne veikt to portu skan<61><6E>anu.
.TP
.B \-sU
(scan UDP) - <20><> skan<61><6E>anas metode <20>auj noteikt k<>di UDP porti (RFC 768) ir atv<74>rti uz att<74>lin<69>t<EFBFBD>s sist<73>mas. Uz katru skan<61>jam<61>s sist<73>mas portu tiek nos<6F>t<EFBFBD>ta UDP pakete, kas nesatur datus. Ja sist<73>ma atbild ar ICMP pazi<7A>ojumu "port unreachable" tad ports ir aizv<7A>rts, pret<65>j<EFBFBD> gad<61>jum<75> tas tiek uzskat<61>ts par atv<74>rtu. Da<44>i uzskata, ka skan<61>t UDP portus nav nek<65>das j<>gas. <20>in<69> gad<61>jum<75> atg<74>dinu par "slaven<65>bu" ieguvu<76>o g<>uku iek<65> d<>mona rpcbind OS Solaris. <20>is d<>mons grie<69>as uz jebkura no nedokument<6E>tajiem UDP portiem, kas ir liel<65>ki par 32770.
.Sp
Par no<6E><6F>lo<6C>anu j<>atdz<64>st, ka UDP skan<61><6E>ana velkas l<>ni, jo gandr<64>z visas OS seko RFC 1812 (sada<64>a 4.3.2.8) rekomend<6E>cij<69>m iegro<72>ot ICMP "port unreachable" <20>ener<65><72>anas <20>trumu. Piem<65>ram Linux kernelis (katalogs net/ipv4/icmp.h) ierobe<62>o <20><>da tipa pazi<7A>ojumu <20>ener<65><72>anu l<>dz 80, 4 sekund<6E>s ar 1/4 sekundes nov<6F>lo<6C>anu, ja <20><> robe<62>a tiek p<>rsniegta. OS Solaris ir v<>l strikt<6B>ki ierobe<62>ojumi (2 zi<7A>ojumi sekund<6E>), t<>d<EFBFBD><64> sist<73>mu skan<61><6E>ana kuras grie<69>as uz OS Solaris ir v<>l l<>n<EFBFBD>ka.
.Sp
Nmap nosaka <20>o ierobe<62>ojumu parametrus un atbilsto<74>i tiem samazina <20>ener<65>jamos piepras<61>jumus, t<>dej<65>di atturoties no t<>kla piem<65>slo<6C>anas ar nevajadz<64>g<EFBFBD>m paket<65>m, kuras ignor<6F> att<74>lin<69>t<EFBFBD> sist<73>ma. K<> jau ierasts komp<6D>nija Microsoft ignor<6F> visas rekomend<6E>cijas un neizmanto sav<61>s OS nek<65>dus ierobe<62>ojumus. T<>dej<65>di j<>s varat <20>oti <20>tri noskan<61>t visus 65535 UDP portus sist<73>mai, kas grie<69>as zem OS Windows.
.TP
.B \-sO
(scan Open protocol) - Dot<6F> metode tiek izmantota, lai noteiktu IP protokolus, kurus uztur att<74>lin<69>t<EFBFBD> sist<73>ma. Att<74>lin<69>tajai sist<73>mai tiek s<>t<EFBFBD>tas IP paketes, kur<75>m nav nek<65>da mar<61><72>juma. T<>s tiek s<>t<EFBFBD>tas katram protokolam. Ja par atbildi tiek sa<73>emts pazi<7A>ojums "protocol ureachable", tad doto protokolu att<74>lin<69>t<EFBFBD> sist<73>ma neuztur. Pret<65>j<EFBFBD> gad<61>jum<75> Nmap uzskata, ka protokols tiek uztur<75>ts.
.Sp
Da<EFBFBD>as OS (AIX, HP-UX, Digital UNIX) k<> ar<61> ugunsm<73>ris var blo<6C><6F>t zi<7A>ojumus "protocol ureachable", t<> rezult<6C>t<EFBFBD> visi protokoli tiks uzskat<61>ti par uztur<75>tiem.
Par cik aprakst<73>t<EFBFBD> metode ir l<>dz<64>ga UDP skan<61><6E>anas metodei, tad ICMP <20>ener<65><72>anas ierobe<62>ojumu noteik<69>ana paliek sp<73>k<EFBFBD>, ta<74>u t<>d<EFBFBD><64> ka IP paketes "header" sast<73>v tikai no 8 bitiem visus 256 protokolus izdodas noskan<61>t pie<69>emam<61> <20>trum<75>.
.TP
.B \-sA
(scan ACK) - ACK skan<61><6E>anas metode. <20><> papildus metode <20>auj noteikt ugunm<6E>ra konfigur<75>ciju (rulesets). Izmantojot <20>o metodi var noteikt, vai att<74>lin<69>t<EFBFBD> sist<73>ma ir aizsarg<72>ta ar ugunsm<73>ri vai tikai ar pake<6B>u filtru, kur<75> blo<6C><6F> ien<65>ko<6B><6F>s SYN paketes.
.Sp
Skan<EFBFBD>jamajai sist<73>mai tiek nos<6F>t<EFBFBD>ta ACK pakete (ar gad<61>juma skait<69>u acknowledgement number un sequence number). Ja par atbildi tiek sa<73>emta RST pakete, ports tiek uzskat<61>ts par nefiltr<74>tu. Ja atbilde nepien<65>k (vai ar<61> pien<65>k ICMP "port unreachable") tad ports tiek uzskat<61>ts par filtr<74>tu.
.Sp
J<EFBFBD>piebilst, ka Nmap ner<65>da "nefiltr<74>tos" portus, t<>p<EFBFBD>c, ja skan<61>jot att<74>lin<69>tu sist<73>mu jums neatkl<6B>j nevienu atv<74>rtu portu, tas noz<6F>m<EFBFBD> ka porti skait<69>s nefiltr<74>ti. <20><> metode nekad rezult<6C>tos ner<65>d<EFBFBD>s portus kuri skait<69>s atv<74>rti.
.TP
.B \-sW
(scan Window) - Izmanto TCP Window metodi. <20><> metode l<>dzin<69>s ACK skan<61><6E>anai, iz<69>emot to, ka da<64>reiz ar <20><>s metodes pal<61>dz<64>bu var noteikt k<> atv<74>rtos, t<> filtr<74>tos/nefiltr<74>tos portus. To iesp<73>jams izdar<61>t, p<>rbaudot Initial Window datus TCP paket<65>, kurus nos<6F>ta att<74>lin<69>t<EFBFBD> sist<73>ma par atbildi tai nos<6F>titajai paketei, kuru t<> nepareizi apstr<74>d<EFBFBD>.
Sist<EFBFBD>mas kur<75>s ir <20><> k<>uda: vair<69>kas AIX versijas, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX un VxWorks. Tuv<75>ku inform<72>ciju var ieg<65>t apl<70>kojot Nmap-hackers listes arh<72>vus.
.TP
.B \-sR
(scan RPC) - Izmantot RPC skan<EFBFBD><EFBFBD>anas metodi. <EFBFBD>o metodi izmanto kop<EFBFBD> ar cit<EFBFBD>m. T<EFBFBD> pal<EFBFBD>dz noteikt, k<EFBFBD>da programma apkalpo RPC portu un t<EFBFBD>s versiju. Lai to noteiktu, visi TCP/UDP porti tiek fl<EFBFBD>doti ar SunRPC NULL piepras<EFBFBD>jumiem p<EFBFBD>c tam nosakot programmu kas apkalpo RPC portu(s). Izmantojot <EFBFBD>o metodi j<EFBFBD>s viegli ieg<EFBFBD>stat t<EFBFBD>du pa<EFBFBD>u inform<EFBFBD>ciju k<EFBFBD> palai<EFBFBD>ot komandu 'rpcinfo -p', ar<EFBFBD> t<EFBFBD>d<EFBFBD> gad<EFBFBD>jum<EFBFBD>, ja att<EFBFBD>lin<EFBFBD>t<EFBFBD>s sist<EFBFBD>mas portmapper ir aizsarg<EFBFBD>ts ar ugunsm<EFBFBD>ri vai TCP_wrapper.
.TP
.B \-sL
(scan List) - Ieg<65>t skan<61>jamo adre<72>u sarakstu. <20><> opcija <20>auj jums apl<70>kot adre<72>u sarakstu, kuras TIKS skan<61>tas ar Nmap pal<61>dz<64>bu. Noklus<75>ti tiek noteikti to DNS nosaukumi. <20>o iesp<73>ju var aizliegt izmantojot -n opciju.
.TP
.B \-b <ftp relay host>
(bounce scan) - Izmantot "ftp bounce attack" uzbrukumu. <20>i interesant<6E> FTP protokola iesp<73>ja tuv<75>k aprakst<73>ta RFC 959. No hosta source.com var nodibin<69>t savienpjumu ar target.com ftp serveri un nos<6F>t<EFBFBD>t failus, kas tur atrodas uz vienalga k<>du adresi. <20>is uzbrukums tika atkl<6B>ts 1985 gad<61>, kad tika uzrakst<73>ts aug<75>min<69>tais RFC. Nmap izmanto <20>o k<><6B>du lai skan<61>tu portus no "uzticam<61>" ftp servera.
.Sp
Iesp<EFBFBD>jams piesl<73>gties ftp serverim, kuru apsarg<72> ugunsm<73>ris un noskan<61>t p<>r<EFBFBD>jos aizsarg<72>tos portus. Ja ftp serveris at<61>auj las<61>t un rakst<73>t datus k<>d<EFBFBD> katalog<6F> (piem<65>ram /incoming), j<>s varat nos<6F>t<EFBFBD>t jebk<62>dus datus uz <20>o portu. Opcija '-b', nor<6F>da ftp servera adresi, kur<75> tiek izmantots k<> "uzticamais" serveris. URL form<72>ts:
.I login:parole@serveris:ports
Adrese nepiecie<69>ama oblig<69>ti, p<>r<EFBFBD>jo var neievad<61>t.
.TP
.B PAPILDUS IESP<EFBFBD>jAS
<EFBFBD><EFBFBD>s opcijas nav nepiecie<69>ams lietot oblig<69>ti, ta<74>u da<64>reiz t<>s var b<>t diezgan noder<65>gas.
.TP
.B \-P0
(Ping 0) - Nepingot att<74>lin<69>to sist<73>mu pirms skan<61><6E>anas. <20><> opcija at<61>auj skan<61>t t<>klus kuri neat<61>auj ICMP ECHO piepras<61>jumus, vai atbildes uz tiem. piem<65>ram microsoft.com. Var izmantot .B \-P0
vai
.B \-PT80
kad skan<61>jat t<>du tiklu.
.TP
.B \-PT
(Ping TCP) - Izmantot TCP "ping". ICMP ECHO viet<65> Nmap nos<6F>ta TCP ACK paketi skan<61>jamajai sist<73>mai un gaida t<>s atbildi. Ja sist<73>ma ir "akt<6B>va" t<> atbild ar RST paketi. Lietot<6F>ju, kuriem nav root privil<69><6C>ijas tiek izmantota connect() funkcija. <20><> opcija jums <20>auj noteikt att<74>lin<69>t<EFBFBD>s sist<73>mas st<73>vokli pat t<>d<EFBFBD> gad<61>jum<75> , ja ICMP piepras<61>jumu tiek aizliegti ar ugunsm<73>ra pal<61>dz<64>bu. Lai nor<6F>d<EFBFBD>tu kuram att<74>lin<69>t<EFBFBD>s sist<73>mas portam s<>t<EFBFBD>t piepras<61>jumu izmantojiet opciju '-PT <porta_nummurs>'. Noklus<75>ti piepras<61>jums tiek s<>t<EFBFBD>ts uz 80 portu, jo tas praktiski nekad netiek filtr<74>ts.
.TP
.B \-PS
(Ping SYN) - opcija, kas ar<61>dzan tiek izmantota ping piepras<61><73>anai. <20>in<69> gad<61>jum<75> ACK paketes viet<65> tiek s<>t<EFBFBD>ta SYN pakete. Akt<6B>v<EFBFBD>s sist<73>mas atbild ar RST paketi (ret<65>k ar SYN|ACK).
.TP
.B \-PI
(Ping ICMP) - <20><> opcija ping piepras<61><73>anai izmanto norm<72>lu ping paketi (ICMP ECHO). Opcija tiek izmantota, lai mekl<6B>tu akt<6B>vas sist<73>mas, k<> ar<61> nepareizi konfigur<75>tas sist<73>mas, kuras at<61>auj veikt DoS uzbrukumus cit<69>m sist<73>m<EFBFBD>m (piem<65>ram Smurf).
.TP
.B \-PP
Izmanto ICMP timestamp piepras<61>juma paketi, lai atrastu akt<6B>vus hostus.
.TP
.B \-PM
Lidz<EFBFBD>ga k<> -PI un -PP, vien<65>g<EFBFBD> at<61><74>ir<69>ba ir netmask piepras<61>jums.
.TP
.B \-PB
(Ping Both) - Vienlaic<69>gi izmantot ACK un ICMP piepras<61>jumu.
.TP
.B \-O
(Operating system detection) - <20><> opcija <20>auj noteikt att<74>lin<69>t<EFBFBD>s sist<73>mas OS izmantojot t.s. TCP/IP steka "pirkstu nospiedumus". Citiem v<>rdiem skaidrojot, Nmap nos<6F>ta piepras<61>jumus uz att<74>lin<69>to sist<73>mu un sa<73>emot atbildi sal<61>dzina to ar savu datub<75>zi, kura glab<61>jas fail<69> Nmap-os-fingerprinting. Ja Nmap nesp<73>j noteikt att<74>lin<69>t<EFBFBD>s sist<73>mas OS jums tiek pied<65>v<EFBFBD>ts nos<6F>t<EFBFBD>t rezult<6C>tus Nmap autoram, ja j<>s zin<69>t att<74>lin<69>t<EFBFBD>s sist<73>mas OS un esat p<>rliecin<69>ts, ka Nmap nesp<73>ja to atpaz<61>t.
.TP
.B \-I
(Ident scan) - Izmanto reverse-ident skan<61><6E>anu. Ident protokols (RFC 1413) at<61>auj uzzin<69>t t<> lietot<6F>ja v<>rdu (username), kuram pieder process, kur<75> izmanto TCP, pat t<>d<EFBFBD> gad<61>jum<75> ja <20>is process nenodibina savienojumu. Piem<65>ram var piesl<73>gties http portam un izmantojot ident uzzin<69>t vai serveris grie<69>as zem root lietot<6F>ja. Tas ir iesp<73>jams tikai nodibinot "piln<6C>gu" TCP savienojumu ar skan<61>jam<61>s sist<73>mas portu (t.i. nepiecie<69>ams izmantot ar<61> opciju '-sT'). Nmap pieprasa ident`am inform<72>ciju par katru atv<74>rto portu. Protams <20><> metode nestr<74>d<EFBFBD>s ja skan<61>jam<61> sist<73>ma neuztur ident.
.TP
.B \-f
(use fragmentation) - <20><> opcija izmantojama kop<6F> ar SYN, FIN, Xmas vai NULL skan<61><6E>anas metod<6F>m un nor<6F>da uz vajadz<64>bu izmantot IP fragment<6E>ciju ar mazizm<7A>ra fragmentiem. Skan<61><6E>anas laik<69> TCP header tiek sadal<61>ta pa vair<69>k<EFBFBD>m paket<65>m, t<>dej<65>di apgr<67>tinot pake<6B>u filtriem, IDS, un taml<6D>dz<64>g<EFBFBD>m aizsardz<64>bas metod<6F>m noteikt ko tu v<>lies dar<61>t. Lietojiet <20>o opciju piesardz<64>gi. Da<44>as programmas uzkar<61>s cen<65>oties sav<61>kt kop<6F> tik s<>kus fragmentus.
.TP
.B \-v
(verbose output) - <20>o opciju ir ieteicams lietot, jo t<> sniedz vair<69>k inform<72>ciju par to kas pa<70>reiz notiek. Nmap atskait<69>s detaliz<69>t<EFBFBD>k par to ko vi<76><69> pa<70>reiz dara. Priek<65> liel<65>ka efekta ieteicams to lietot divreiz. Kop<6F> ar '-d' opciju var ieg<65>t visdetaliz<69>tako inform<72>ciju.
.TP
.B \-h
(show help) - izmet Nmap help`u.
.TP
.B \-oN <logfilename>
(output Normal) - ieraksta skan<61><6E>anas rezult<6C>tus las<61><73>anai <20>rt<72> form<72> nor<6F>d<EFBFBD>t<EFBFBD>j<EFBFBD> fail<69>.
.TP
.B \-oX <logfilename>
(output XML) - <20><> opcija ieraksta sa<73>emtos datus XML form<72>.
.TP
.B \-oG <logfilename>
(output grepable) - <20><> opcija ieraksta sa<73>emtos datus nor<6F>d<EFBFBD>taj<61> fail<69> vien<65> rindi<64><69>.
.TP
.B \-oA <basefilename>
output All) - liek Nmap logot rezult<6C>tus izmantojot visas logo<67>anas metodes (normal, grepable, un XML).
.TP
.B \-oS <logfilename>
thIs l0gz th3 r3suLtS of YouR ScanZ iN a
.B s|<ipT kiDd|3
f0rM iNto THe fiL3 U sPec\|fy 4s an arGuMEnT! U kAn gIv3
the 4rgument \'-\' (wItHOUt qUOteZ) to sh00t output iNT0
stDouT!@!!
.TP
.B \--resume <logfilename>
ja k<>da iemesla d<><64> esat bijis spiests p<>rtraukt skan<61><6E>anu nospie<69>ot <Ctrl C>, j<>s varat izmantot <20>o opciju, ja skan<61><6E>anas rezult<6C>ti ierakst<73>ti izmantojot opcijas '-oM' vai '-oN'. lai atjaunotu skan<61><6E>anu no t<>s vietas, kur p<>rtrauc<75>t. Vair<69>k nek<65>das papildus opcijas lietot nav nepiecie<69>ams.
.TP
.B \--append_output
liek Nmap rakst<73>t rezult<6C>tus t<>l<EFBFBD>k taj<61> pa<70><61> fail<69>, kur<75> izmantots iepriek<65>.
.TP
.B \-iL <inputfilename>
(input List) - las<61>t adreses no nor<6F>d<EFBFBD>t<EFBFBD> faila. Adres<65>m fail<69> j<>bur atdal<61>t<EFBFBD>m ar tuk<75>umu, ar tab, vai ar <CR><LF> kombin<69>ciju (katrs hosts jaun<75> rind<6E>).
.TP
.B \-iR
(input Random) - lietojot <20>o opciju Nmap skan<61>s gad<61>juma izv<7A>l<EFBFBD>tas adreses. <20>is process vilksies tik ilgi, kam<61>r j<>s to neaptur<75>siet. <20><> opcija ir noder<65>ga, lai veiktu Internet statistiku.
.TP
.B \-p <port ranges>
(ports) - <20><> opcija nor<6F>da Nmap, k<>dus portus nepiecie<69>ams skan<61>t. Piem. opcija '-p23' liek tam skan<61>t skan<61>s tikai 23 portu. Ja nor<6F>d<EFBFBD>s ko l<>dz<64>gu <20>ai opcijai '-p 20-30,139,60000-', Nmap skan<61>s portus no 20 l<>dz 30 ieskaitot, 139 portu un visus portus, kas liel<65>ki par 60000. Noklus<75>ti Nmap skan<61> portus no 1 l<>dz 1024.
.Sp
Skan<EFBFBD>jot TCP un UDP portus tu vari nor<6F>d<EFBFBD>t '-p U:53,11,137,T:21-25,139,8080'. Lai skan<61>tu <20><>di tev nepiecie<69>ams nor<6F>d<EFBFBD>t vismaz vienu TCP skan<61><6E>anas tipu (piem. -sS, -sF, vai -sT). Ja netiek nor<6F>d<EFBFBD>ts protokols, tad dotie porti tiek skan<61>ti visos protokolos.
.TP
.B \-F (Fast scan) -
nor<EFBFBD>da skan<EFBFBD>t tikai tos portus kas nor<EFBFBD>d<EFBFBD>ti servisu fail<EFBFBD> (iek<65>auts kop<EFBFBD> ar Nmap).
.TP
.B \-D <decoy1 [,decoy2][,ME],...>
use Decoy hosts). - <20>aj<61> re<72><65>m<EFBFBD> Nmap liek att<74>lin<69>tajai sist<73>mai dom<6F>t, ka t<> tiek skan<61>ta no vair<69>kiem hostiem.T<>dej<65>di ir gr<67>t<EFBFBD>k noteikt, no kurienes re<72>li tiek skan<61>ts. <20><> ir <20>oti efekt<6B>ga metod<6F>, lai sl<73>ptu savu IP adresi skan<61>jot.
.Sp
J<EFBFBD>s varat nor<6F>d<EFBFBD>t savu IP adresi k<> 'ME' T<> nor<6F>da, kad tiks lietota tava IP adrese. Piem<65>ram, ja tu to ieraksti k<> sesto vai v<>l t<>l<EFBFBD>k, tad daudzi skan<61><6E>anas detektori uz att<74>lin<69>t<EFBFBD>s sist<73>mas var visp<73>r neielogot tavu IP adresi. J<>piebilst, ka nor<6F>d<EFBFBD>tajiem att<74>lin<69>tajiem hostiem ir j<>b<EFBFBD>t piesl<73>gtiem pie t<>kla, pret<65>j<EFBFBD> gad<61>jum<75> j<>s varat p<>rslogot skan<61>jamo sist<73>mu ar SYN paket<65>m. J<>piebilst, ka past<73>v iesp<73>ja t<>dej<65>di noteikt tavu IP adresi, ja tevis nor<6F>d<EFBFBD>tie att<74>lin<69>tie hosti re<72>li neeksist<73>s.
.Sp
Ja tu nor<6F>di daudzus att<74>lin<69>tus hostus, tas var iev<65>rojami pal<61>lin<69>t skan<61><6E>anas <20>trumu. <20>o iesp<73>ju var izmantot jebkur<75> skan<61><6E>anas veid<69>. Da<44>i provaideri var filtr<74>t j<>su paketes, t<>dej<65>di <20>i opcija var nedot jums v<>lamos rezult<6C>tus.
.TP
.B \-S <IP_Address>
(set Source) - Ja Nmap nesp<73>j patst<73>v<EFBFBD>gi noteikt j<>su hosta ip adresi (vi<76><69> par to j<>s br<62>din<69>s), jums ir nepiecie<69>ams to vi<76>am nor<6F>d<EFBFBD>t. V<>l viens pielietojums <20>ai opcijai var b<>t - izlikties, ka skan<61><6E>ana notiek no citas IP adreses. <20>in<69> gad<61>jum<75> j<>s nevarat ieg<65>t rezult<6C>tus, ta<74>u att<74>lin<69>t<EFBFBD> sist<73>ma dom<6F>s, ka skan<61> no tevis nor<6F>d<EFBFBD>t<EFBFBD>s adreses. <20>ai gas<61>jum<75> nepiecie<69>ams lietot opciju '-S' kop<6F> ar '-e'.
.TP
.B \-e <interface>
(interface) - nor<6F>da Nmap, k<>ds interfeiss tiks izmantots lai sa<73>emtu/s<>t<EFBFBD>tu paketes. Nmap parasti pats nosaka, k<>ds interfeiss tiek lietots.
.TP
.B \-g <portnumber>
nor<6F>da porta numuru uz tava datora, kuru Nmap izmatos skan<61><6E>anai. Daudzi pake<6B>u filtri vai ugunsm<73>ri lai<61> cauri DNS paketes (53 ports)un FTP-DATA (20 ports) t<>dej<65>di at<61>aujot nodibin<69>ts savienojumu ar att<74>lin<69>tu aizsarg<72>tu sist<73>mu. Skan<61>jot UDP portus Nmap no s<>kuma izm<7A><6D>ina 53 portu, p<>ctam 20 poru. Skan<61>jot TCP portus - otr<74>d<EFBFBD>k.
.TP
.B \--data_length <number>
Parasti Nmap s<>ta mazi<7A>as paketes, kuras satur tikai header inform<72>ciju. <20><> opcija at<61>auj t<>s palielin<69>t t<>dej<65>di pal<61>linot skan<61><6E>anas <20>trumu, ta<74>u samazinot iesp<73>ju ka j<>su skan<61><6E>anu k<>ds paman<61>s.
.TP
.B \-n
nor<EFBFBD>da, lai Nmap nekad nenoteiktu DNS IP adres<65>m, kuras tas atrod. <20><> opcija var pa<70>trin<69>t skan<61><6E>anu.
.TP
.B \-R
nor<EFBFBD>da, lai Nmap vienm<6E>r noteiktu atrasto IP adre<72>u DNS.
.TP
.B \-r
(randomize off) - Nmap skan<61> visus portus noteikt<6B> sec<65>b<EFBFBD> katrai skan<61>jamai sist<73>mai.
.TP
.B \-\-randomize_hosts
Nor<EFBFBD>da lai Nmap skan<61> att<74>lin<69>to sist<73>mu portus neregul<75>ri. Piem. vienai sist<73>mai tas noskan<61> 23 portu otrai sist<73>mai noskan<61> 665 portu, tad atkal pirmajai sist<73>mai 45 utt. T<>dej<65>di ir iesp<73>jams skan<61>t 2048 sist<73>mas vienlaic<69>gi.
.TP
.B \-M <max sockets>
(Max sockets) - nor<6F>da maksim<69>lo soketu skaitu, kas tiks izmantots paral<61>li skan<61>jot ar TCP connect() metodi. T<>dej<65>di var izvair<69>ties no att<74>lin<69>to sist<73>mu nok<6F>r<EFBFBD>anas. Var izmantot ar<61> '-sS' opciju, jo SYN paketes jebkura OS "pacie<69>" viegl<67>k.
.TP
.B LAIKA IEST<EFBFBD>D<EFBFBD><EFBFBD>ANA
Parasti Nmap autom<6F>tiski nosaka k<>d<EFBFBD> laika interv<72>l<EFBFBD> tiks s<>t<EFBFBD>tas paketes un notiks skan<61><6E>ana. <20><>s opcijas paredz<64>tu, gan lai palielin<69>tu skan<61><6E>anas <20>trumu, gan lai samazin<69>tu k<>udas, gan lai pal<61>lin<69>tu <20>trumu un samazin<69>tu iesp<73>ju att<74>lin<69>t<EFBFBD>s sist<73>mas administr<74>tor<6F>m fiks<6B>t skan<61><6E>anas m<><6D>in<69>jumu.
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane> (Timing options) - <EFBFBD><EFBFBD> opcija tiek izmantota, lai regul<EFBFBD>tu skan<EFBFBD><EFBFBD>anas <EFBFBD>trumu.
.B Paranoid re<EFBFBD><EFBFBD>ms tiek izmantots tad, ja ir liela iesp<EFBFBD>jam<EFBFBD>ba, ka uz att<EFBFBD>lin<EFBFBD>t<EFBFBD>s sist<EFBFBD>mas ir uzst<EFBFBD>d<EFBFBD>ts IDS. <EFBFBD>in<EFBFBD> gad<EFBFBD>jum<EFBFBD> skan<EFBFBD><EFBFBD>ana noris <EFBFBD>oti l<EFBFBD>ni. Paral<EFBFBD>la skan<EFBFBD><EFBFBD>ana netiek izmantota. Pakete tiek izs<EFBFBD>t<EFBFBD>t<EFBFBD> k<EFBFBD> minimums ar 5 min<EFBFBD><EFBFBD>u interv<EFBFBD>lu.
.B Sneaky
re<EFBFBD><EFBFBD>ms ir l<EFBFBD>dz<EFBFBD>gs Paranoid re<EFBFBD><EFBFBD>mam. Tas s<EFBFBD>ta paketes ar 15 sekun<EFBFBD>u interv<EFBFBD>lu.
.B Polite
re<EFBFBD><EFBFBD>ms tiek izmantots gad<61>jumos, kad ir vajadz<64>ba samazin<69>t t<>kla noslogot<6F>bu l<>dz minimumam. <20>in<69> re<72><65>m<EFBFBD> paketes tiek s<>t<EFBFBD>tas ar minim<69>lo interv<72>lu 0,4 sekundes.
.B Normal
re<EFBFBD><EFBFBD>mu Nmap izmanto noklus<75>ti. <20>in<69> re<72><65>m<EFBFBD> tiek nodro<72>in<69>ts maksim<69>lo iesp<73>jamo <20>trumu, taj<61> pa<70><61> laik<69> nenoslogojot t<>klu un cen<65>oties izvair<69>ties no k<><6B>d<EFBFBD>m skan<61><6E>anas gait<69>.
.B Aggressive
re<EFBFBD><EFBFBD>m<EFBFBD> tiek uzst<73>d<EFBFBD>ts 5 min<69><6E>u skan<61><6E>anas limits katram hostam, un Nmap nekad negaida ilg<6C>k par 1,25 sekundi uz atbildi.
.B Insane
re<EFBFBD><EFBFBD>ms ir ieteicams tikai priek<EFBFBD> <EFBFBD>oti <EFBFBD>triem t<EFBFBD>kliem, vai ar<EFBFBD> tad ja tu vari samierin<EFBFBD>ties ar iesp<EFBFBD>jam<EFBFBD>m k<EFBFBD><EFBFBD>d<EFBFBD>m sk<EFBFBD>n<EFBFBD><EFBFBD>anas noris<EFBFBD>. Tiek uzst<EFBFBD>d<EFBFBD>ts 75 sekun<EFBFBD>u limits katram hostam un tiek gaid<EFBFBD>ts tikai 0.3 sekundes uz atbildi.
.Sp
Katram re<72><65>mam ir piesaist<73>ts nummurs. Piem. opcija '-T0' apz<70>m<EFBFBD> paranoid re<72><65>mu, bet '-T5' - Insane
.TP
.B --host_timeout <milliseconds>
Uzst<EFBFBD>da laiku, nor<6F>dit Nmap cik ilgs laiks tiek atv<74>l<EFBFBD>ts priek<65> viena hosta piln<6C>gas noskan<61><6E>anas. Noklus<75>ti <20>is parametrs netiek izmantost. Nmap s<>k skan<61>t n<>ko<6B>o hostu p<>c tam, kad pabeidzis skan<61>t iepriek<65><6B>jo.
.TP
.B --max_rtt_timeout <milliseconds>
(maximal round-trip time timeout) - Maksim<69>lais laiks, cik ilgi Nmap gaid<69>s uz nos<6F>t<EFBFBD>to piepras<61>juma atbildi, p<>c tam nos<6F>tot jaunu, vai p<>rtraucot gaid<69><64>anu. Standart<72> tas ir nost<73>d<EFBFBD>ts uz 9000 milisekund<6E>m.
.TP
.B --min_rtt_timeout <milliseconds>
Minim<EFBFBD>lais laiks, cik ilgi Nmap gad<61>s uz nos<6F>t<EFBFBD>t<EFBFBD> piepras<61>juma atbildi. <20><> opcija var pa<70>trin<69>t skan<61><6E>anas <20>trumu, ta<74>u var tika pazaud<75>tas paketes.
.TP
.B --initial_rtt_timeout <milliseconds>
Nor<EFBFBD>da vid<69>jo laiku, cik ilgi Nmap gaid<69>s nos<6F>t<EFBFBD>t<EFBFBD> piepras<61>juma atbildi. Parasti <20>o opciju izmanto, kad tiek skan<61>tas sist<73>mas kas tiek aizsarg<72>tas ar ugunsm<73>ri. Parasti Nmap <20>o lielumu nosaka autom<6F>tiski p<>c pirmo p<>ris piepras<61>jumu noteik<69>anu. Standart<72> tas ir 6000 milisekundes
.TP
.B --max_parallelism <number>
Uzst<EFBFBD>da skaitu cik daudz paketes tiks s<>t<EFBFBD>tas paral<61>li. Ja <20>is parametrs tiek nor<6F>d<EFBFBD>ts k<> 1 tad tas noz<6F>m<EFBFBD>, ka Nmap nekad neskan<61>s vair<69>k par vienu portu reiz<69>.
.TP
.B --scan_delay <milliseconds>
Nor<6F>da minim<69>lo laiku, cik ilgi Nmap gaid<69>s starp piepras<61>jumu nos<6F>t<EFBFBD><74>anu. <20><> opcija <20>auj minim<69>li noslogot t<>klu un/vai izvair<69>ties no skan<61><6E>anas paman<61><6E>anas uz att<74>lin<69>t<EFBFBD>s sist<73>mas.
.TP
.SH SKAN<EFBFBD>JAM<EFBFBD> M<EFBFBD>R<EFBFBD>A NOR<EFBFBD>D<EFBFBD><EFBFBD>ANAS IESP<EFBFBD>JAS
Visu, kas nav opcijas vai to argumenti, Nmap pie<69>em k<> adresi vai att<74>lin<69>t<EFBFBD>s sist<73>mas DNS. Viselement<6E>r<EFBFBD>kais veids k<> nor<6F>d<EFBFBD>t skan<61>jamo hostu, ir, nor<6F>d<EFBFBD>t to aiz opcij<69>m. Ja j<>s v<>laties noskan<61>t subnet`u, jums nepiecie<69>ams nor<6F>d<EFBFBD>t parametru '/<mask>' p<>c skan<61>jam<61>s sist<73>mas DNS vai ip adreses. Subnet`a masku var nor<6F>d<EFBFBD>t <20><>dos veidos:
.Sp
'/0' - skan<61>t visu Internetu;
.Sp
'/16' - skan<61>t B klases adreses;
.Sp
'/24' - skan<61>t C klases adreses;
.Sp
'/32' - skan<61>t tikai nor<6F>d<EFBFBD>to hostu.
.TP
Nmap t<>d<EFBFBD> pa<70><61> veid<69> at<61>auj nor<6F>d<EFBFBD>t ip adreses izmantojot sarakstu, vai ar<61> diapazonu katram t<>s elementam. Piem. ir vajadz<64>ba noskan<61>t B klases subnetu ar adresi 128.210.*.*. To iesp<73>jams nor<6F>d<EFBFBD>t sekojo<6A>os veidos:
.Sp
128.210.*.*
.Sp
128.210.0-255.0-255
.Sp
128.210.1-50,51-255.1,2,3,4,5-255
.Sp
128.210.0.0/16
.TP
Visas <20><>s komandas ir vien<65>das. Ja j<>s izmantojat *, tad vair<69>kum<75> shell`os nepiecie<69>ams t<>s atdal<61>t ar ' vai apostrofu. V<>l viens piem<65>rs: Ja j<>s nor<6F>dat adresi <20><>d<EFBFBD> form<72>t<EFBFBD> '*.*.5.6-7' , tad Nmap noskan<61>s visas ip adreses, kas beidzas ar .5.6 vai .5.7
.SH PIEM<EFBFBD>RI
.Sp
.B nmap -v target.example.com
.Sp
Nor<EFBFBD>da skan<61>t visus atv<74>rtos portus hostam target.example.com. Opcija '-v' at<61>auj nov<6F>rot skan<61><6E>anas procesu detaliz<69>t<EFBFBD>k.
.Sp
.B nmap -sS -O target.example.com/24
.Sp
Visi 255 kompji ar C klases adres<65>m, no kur<75>m viens ir target.example.com tiks noskan<61>ti izmantojot SYN skan<61><6E>anas metodi. V<>l tiks noteikta OS kas grie<69>as uz <20><>m sist<73>m<EFBFBD>m. Lai izmantotu <20>o metodi jums nepiecie<69>amas root ties<65>bas.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
Nmap skan<61>s pirmo pusi ar adres<65>m (0-127) katr<74> no 255 B klases subnet`iem ar Xmas skan<61><6E>anas metodi ip zon<6F> 128.210.*.*. <20>ajos hostos tiks konstat<61>ta sshd (22 ports), DNS (53), pop3 (110), imapd (143) un 4564 portu pieejam<61>ba. V<>l<EFBFBD>tos piev<65>rst uzman<61>bu faktam, ka Xmas skan<61><6E>anas metodi nevar izmantot sist<73>m<EFBFBD>m, kuras grie<69>as uz WinOS, CISCO, IRIX, HP/UX un BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 \'*.*.2.3-5\'
.Sp
Nmap mekl<6B>s visus kompjus ar IP adres<65>m, kuras beidzas ar .2.3, .2.4 un .2.5. Ja jums ir root ties<65>bas, tad j<>s var<61>t pie reizes ar<61> noskan<61>t portus izmantojot opciju '-sS'. J<>s varat atrast daudz interesantas sist<73>mas skan<61>jot diapazonu 127-222.*.*
.Sp
.B host -l company.com | cut \'-d \' -f 4 | ./nmap -v -iL -
.Sp
Atrast eksist<73>jo<6A>us hostus dom<6F>n<EFBFBD> company.com, nodot Nmap to adreses. <20><> komanda str<74>d<EFBFBD> GNU/Linux OS. Ja izmantojat citu OS jums var b<>t vajadz<64>ba rakst<73>t to sav<61>d<EFBFBD>k.
.SH IESP<EFBFBD>JAM<EFBFBD>S K<EFBFBD><EFBFBD>DAS
Ja j<EFBFBD>s gad<EFBFBD>jum<EFBFBD> konstat<EFBFBD>jat k<EFBFBD>das k<EFBFBD><EFBFBD>das Nmap darb<EFBFBD>b<EFBFBD>, l<EFBFBD>dzu pazi<EFBFBD>ojiet par to autoram
.SH AUTORS
.Sp
Fyodor
.I <fyodor@insecure.org>
.I http://www.insecure.org/nmap/
.Sp
.I nmap
is (C) 1995-2001 by Insecure.Com LLC
.Sp
This program is free software; you can redistribute it
and/or modify it under the terms of the GNU General Public
License as published by the Free Software Foundation;
Version 2. This guarantees your right to use, modify, and
redistribute Nmap under certain conditions. If this license
is unacceptable to you, Insecure.Org may be willing to sell
alternative licenses (contact fyodor@insecure.org).
.Sp
Source is provided to this software because we believe users
have a right to know exactly what a program is going to do
before they run it. This also allows you to audit the
software for security holes (none have been found so far).
.Sp
Source code also allows you to port Nmap to new platforms, fix bugs,
and add new features. You are highly encouraged to send your changes
to fyodor@insecure.org for possible incorporation into the main
distribution. By sending these changes to Fyodor or one the
insecure.org development mailing lists, it is assumed that you are
offering Fyodor the unlimited, non-exclusive right to reuse, modify,
and relicense the code. This is important because the inability to
relicense code has caused devastating problems for other Free Software
projects (such as KDE and NASM). Nmap will always be available Open
Source. If you wish to specify special license conditions of your
contributions, just say so when you send them.
.Sp
This program is distributed in the hope that it will be useful, but
.B WITHOUT ANY WARRANTY;
without even the implied warranty of
.B MERCHANTABILITY
or
.B FITNESS FOR A PARTICULAR PURPOSE.
See the GNU
General Public License for more details (it is in the COPYING file of
the
.I nmap
distribution).
.Sp
It should also be noted that Nmap has been known to crash
certain poorly written applications, TCP/IP stacks, and even
operating systems.
.B Nmap should never be run against mission critical systems
unless you are prepared to suffer downtime. We acknowledge
here that Nmap may crash your systems or networks and we
disclaim all liability for any damage or problems Nmap could
cause.
.Sp
Because of the slight risk of crashes and because a few black hats like
to use Nmap for reconnaissance prior to attacking systems, there are
administrators who become upset and may complain when their system is
scanned. Thus, it is often advisable to request permission before
doing even a light scan of a network.
.Sp
Nmap should never be run with privileges (eg suid root) for security
reasons.
.Sp
This product includes software developed by the Apache Software
Foundation (http://www.apache.org/). The
.I Libpcap
portable packet capture library is distributed along with nmap.
Libpcap was originally copyrighted by Van Jacobson, Craig Leres and
Steven McCanne, all of the Lawrence Berkeley National Laboratory,
University of California, Berkeley, CA. It is now maintained by
http://www.tcpdump.org .
.Sp
Latviski manu<6E>li p<>rtulkojis m|sc (misc@inbox.lv)
(Var gad<61>ties da<64>i g<>uki tekst<73>, ta<74>u ko lai dara, ja latvie<69>u valod<6F> nav norm<72>li datortermini.)

436
docs/nmap_lithuanian.1 Normal file

@@ -0,0 +1,436 @@
.\" <20> Lietuvi<76> kalb<6C> i<>vert<72>
.\" Aurimas Mikalauskas <inner@crazy.lt>
.\" 2001 03 17
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH PAVADINIMAS
nmap \- tinklo tyrin<69>jimo <20>rankis bei saugumo skeneris
.SH SINTAKS<EFBFBD>
.B nmap
[skanavimo tipas(ai)] [opcijos] <hostas/tinklas #1 ... #n>
.SH APIB<EFBFBD>DINIMAS
.I nmap'as
yra sukurtas tam, kad leist<73> sistem<65>
administratoriams bei smalsiems individams skanuoti
didelius tinklus, siekiant nustatyti kokie hostai
yra veikiantys ir kokias paslaugas jie si<73>lo.
.I nmap'as
turi be galo daug skanavimo technologij<69>,
tai: UDP, TCP connect(), TCP SYN (pusiau atviras),
ftp proxy (bounce ataka), Reverse-ident,
ICMP(ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep,
bei Null skan'as.
.I Skanavimo Tipai
sekcijoje rasite apie tai smulkesn<73>s informacijos.
nmap'as taip pat turi nema<6D>ai pa<70>angi<67> savybi<62>, toki<6B>
kaip nutolusio kompiuterio (toliau vadinamo 'remote')
(O)peracin<69>s (S)istemos nustatymas per TCP/IP
fingerprintinima, stealth (vogtinis) skanavimas,
dinamin<EFBFBD>s pauz<75>s ir retransimisijos skai<61>iavimai,
lygiagretusis skanavimas , nepasiekiam<61> host'<27> nustatymas
skanuojant lygiagre<72>iu skanavimo metodu, decoy skanavimas,
filtruojam<EFBFBD> port<72> nustatymas, tiesioginis RPC skanavimas,
fragmentinis skanavimas, bei labai lankstus taikinio
ir port<72> nurodymas.
.PP
nmap'o autorius stengiasi kaip galima daugiau <20>vairi<72>
nmap'o galimybi<62> suteikti ne tik root vartotojui, bet ir
paprastam sistemos vartotojui, deja daug<75>lis kritini<6E>
sistemos branduolio (kernel) interfeis<69> (toki<6B> kaip
"raw socket'ai") reikalauja root'o privilegij<69>, tod<6F>l
nmap'as tur<75>t<EFBFBD> b<>ti naudojamas root'u kai tik <20>manoma.
.PP
nmap'o naudojimo rezultatas da<64>niausiai b<>na
papras<EFBFBD>iausias s<>ra<72>as <20>domi<6D> port<72>, rast<73> skanuojamoje
ma<EFBFBD>inoje(se). Nmap'as visada parodo koki<6B> paslaug<75> (service)
teikia portas, jo numer<65>, b<>sen<65> bei protokol<6F>. B<>san<61>
nusako vienas i<> trij<69> <20>od<6F>i<EFBFBD>: "open", "filtered", "unfiltered".
"open" (atviras) rei<65>kia, kad taikinys leis prisijungti prie
<EFBFBD>ito porto. "filtered" (filtruojamas) rei<65>kia, kad firewall'as
(ugnies siena), filtras ar dar ka<6B>koks <20>domus <20>rankis dengia
port<EFBFBD>, d<>l to nmap'as tiklsiai negali nustatyti ar portas
atviras. "unfiltered" (nefiltruojamas) parodo, kad portas
yra tikrai "closed" (u<>darytas) ir nera dengiamas jokio
firewall'o/filtro. Nefiltruojamas portas yra gan <20>prastas
atv<EFBFBD>jis ir yra rodomas tik tuo atveju, kai dauguma i<> skanuot<6F>
port<EFBFBD> yra filtruojami.
.PP
Priklausomai nuo to, kokios opcijos naudojamos, nmap'as
taip pat gali parodyti ir nutolusio kompiuterio: (O)peracin<69>
(S)istem<65>, TCP susekamum<75>, vartotoju vardus, kuriems priklauso
tam tikri procesai, DNS vardus ir dar vien<65> kit<69>.
.SH OPCIJOS
Prasmingos opcijos visos gali b<>ti ra<72>omos kartu (t.y. vienoje
eilut<EFBFBD>je).
.I nmap'as
stengsis pasakyti, kokias klaidas esate padar<61>
(ai<61>ku jei esate :).
.Sp
Jei esate nekantrus, galite i<>karto <20>oktelti <20> sekcij<69>
.I pavyzd<EFBFBD>iai
gale dokumento, kur gan ai<61>kiai parodo naudojim<69>. Taip pat
galite paleisti
.B nmap -h
ir pamatysite pagrindines opcijas, su trumpais apra<72>ymais.
.TP
.B SKANAVIM<EFBFBD> TIPAI
.TP
.B \-sT
papras<EFBFBD>iausias TCP connect() skanavimas. J<>s bandote prisijungti
prie kiekvieno porto i<> eil<69>s. Jei portas klausosi, nmap'as
prisijungia prie jo, taigi jei host'as logina, jis matys, kad
bandote jungtis. <20>is metodas yra tiksliausias, bet rekomenduo<75>iau
j<EFBFBD> naudoti tik tuo atveju, jei skanuojate savo ar draugo
kompiuter<EFBFBD>, t.y. tok<6F>, d<>l kurio v<>liau tikrai nesusilauksite
nemalonum<EFBFBD>.
.TP
.B \-sS
TCP SYN skanavimas, kitaip dar da<64>nai vadinamas kaip
"pusiau-atviras" skanavimas, nes n<>ra padaromas TCP prisijungimas.
J<EFBFBD>s papras<61>iausiai nusiun<75>iate TCP SYN paketuk<75> kaip kad nor<6F>damas
prisijungti ir laukiate atsakymo. Pakankamai neblogas metodas,
bet jei yra filtruojam<61> port<72> (pvz. pastatytas firewall'as) ir
host kompiuteris juos logina, - b<>site pasteb<65>tas.
.TP
.B \-sF \-sX \-sN
Stealth FIN, Xmas Tree bei Null skanavimo re<72>imai. Tai yra <20>iek
tiek saugesni skanavimo b<>dai nei TCP SYN (pastebimumo
at<EFBFBD>vilgiu), bet deja nei vienas i<> j<> neveikia M$ sistemoms.
I<EFBFBD> kitos pus<75>s, tai nebloga priemon<6F>, kurios pagalba galima
nustatyti ar tai M$ sistema ar ne, t.y. jei -sF -sX arba -sN
parodo, kad visi portai u<>daryti, o -sS rodo kelis atvirus
portus, taikinys grei<65>iausiai windows d<><64>ut<75>.
.TP
.B \-sP
Tai papras<61>iausias ping'as, kuris parodo kurie hostai tinkle
yra gyvi. Atliekama papras<61>iausiai siun<75>iant ICMP echo pra<72>ym<79>
(request). Deja kai kurie saitai (kaip mail.takas.lt) blokuoja
pra<EFBFBD>ymus. Kad i<> tikro <20>sitikinti, ar hostas negyvas, nmap'as
nusiun<EFBFBD>ia ir TCP ack paketuk<75> <20> 80 (standarti<74>kai) port<72>. Jei
gauname atgal RST, rei<65>kia hostas gyvas. Pagal standart<72>
(r00t'ui) nmap'as naudoja abu ICMP bei ACK metodus. Pakankamai
efektyvu, nes vienu metu galite patikrinti #n host<73>.
.TP
.B \-sU
UDP skanavimas. Naudojamas tam, kad nustatyti kokie UDP (User
Datagram Protocol, RFC 768) portai yra atviri.
.Sp
Kai kurie mano, kad UDP skanavimas yra beprasmi<6D>kas, bet j<>
prisiminti verta vien d<>l vienos Solaris rcpbind skyl<79>s. Taip
pat yra cDc Back Orifice trojanas, kuris atsidaro UDP port<72> ant
window's<>. Gaila tik, kad UDP skanavimas kartais gali trukti
labai ilgai.
.TP
.B \-SO
IP protokolo skanavimas. <20>is metodas yra naudojamas tam, kad
nustatyti kokius protokolus naudoja j<>s<EFBFBD> taikinys. Technika
labai paprasta: siun<75>iami IP paketai be jokio protokolo header'io
<EFBFBD> visus nurodytus protokolus. Jeigu pvz gauname "ICMP protocol
unreachible" (ICMP protoklolas nepasiekiamas) atsakym<79>, vadinasi
protokolas nenaudojamas, prie<69>ingu atveju skaitoma, kad jis
atviras.
.TP
.B \-sA
ACK skanavimas: <20>itas metodas paprastai yra naudojamas tam,
kad i<>siai<61>kinti firewall'<27> (ugnies sin<69>) taisykles. Jis gali
pad<EFBFBD>ti nustatyti ar firewall'as tikras, ar papras<61>iausias
paket<EFBFBD> filtras, blokuojantis <20>plaukian<61>ius SYN paketukus.
.TP
.B \-sW
Window skanavimas. <20>is skanavimo b<>das labai pana<6E>us <20> ACK
skan<EFBFBD>, skirtumas tik tas, kad <20>is skanavimo metodas kartais
parodo ir atvirus portus (ACK j<> nerodo).
.TP
.B \-sR
RPC skanavimas. Praskanavus parodoma kokia programa ir jos versija
laiko RPC portus atvirus.
.TP
.B \-b <ftp relay hostas>
Dar vienas pakankamai originalus skanavimo b<>das, t.y.
pasinaudojant ftp proxy serveriu. <ftp relay host'o> formatas
gali b<>ti useris:passwordas@serveris:portas . Viskas i<>skyrus
server<EFBFBD> yra neb<65>tina.
.TP
.B BENDROSIOS OPCIJOS
Nei viena i<> <20>i<EFBFBD> n<>ra b<>tina, bet kai kurios gali b<>ti pakankamai
naudingos
.TP
.B \-P0
Skanuoti i<> kart, nepaband<6E>ius i<> prad<61>i<EFBFBD> ping'int serverio.
Tai naudinga skanuojant tokius kaip mail.takas.lt, kurie
neatsakin<EFBFBD>ja <20> ICMP echo request'us. Tokiu atveju reik<69>t<EFBFBD>
naudoti
.B \-P0
arba
.B \-PT80.
.TP
.B \-PT
Naudoti TCP "ping'<27>" vietoje standartinio ICMP ping'o. Naudinga
tokiais atvejais, kai serveris neatsakin<69>ja i ICMO echo
request'us. Taip pat galima naudoti kartu su postu (-PT<portas>).
.TP
.B \-PS
Naudoja SYN (prisijungimo pra<72>ym<79>) vietoje ACP
.TP
.B \-PI
Paprastas ping'as + suranda subnet'o broadcast'u adresus tinkle.
.TP
.B \-PB
Standartinis ping'inimo metodas: naudoja ACP bei ICMP ping'us
kartu. Geriausia b<>das patikrinti firewall'us, kurie blokuoja
vien<EFBFBD> i<> j<>.
.TP
.B \-O
Viena geriausi<73> nmap'o ypatybi<62> - serverio OS'o atpa<70>inimas
pagal jo fingerprint'us (jei atvirai, pats nelabai <20>inau kas
per biesas tie fingerprintai).
.TP
.B \-I
<EFBFBD>jungiamas TCP reverse ident skanavimas. Kaip 1996 Dave'as
Goldsmith'as pasteb<65>jo, ident protokolas (rfc 1413) leid<69>ia
pamatyti, kokiam useriui priklauso procesas, kuris naudoja
TCP susijungima. Taigi, tu gali pvz prisijungti prie 80 porto
ir tada pasinaudojes inentd'u, gali pamatyti ar http serveris
yra paleistas root'u ar kokiu kitu userium.
.TP
.B \-f
Skanuojant SYN (-sS) , FIN (-sF), XMAS (-sX) arba NULL (-sN)
metodu, naudojami labai ma<6D>y<EFBFBD>iai sufragmentuoti IP paketai.
.TP
.B \-v
Verbose mode. Labai rekomenduojama opcija, ypa<70> jei norit geriau
suprasti kas <20>ia dedasi. naudodamas <20>i<EFBFBD> opcij<69> du kartus, efektas
bus dar geresnis. Gali naudoti ir dvigub<75> -d, efektas - nerealus.
Nepaband<EFBFBD>s, nesuprasi.
.TP
.B \-h
Jei norite kad nedidelis langelis jums trumpai primintu kelias
pagrindines komandas, <20>i opcija - jums.
.TP
.B \-oN <logas>
Viskas, kas vyksta ekrane bus loginama <20> "logas" fail<69>.
.TP
.B \-oX <logas>
Skanavimo rezultatai i<>saugomi XML formatu <20> fail<69>, kur<75> nurodote
kaip argument<6E> <20>iai opcijai.
.TP
.B \-oG <logas>
<EFBFBD>i opcija i<>saugo skanavimo rezultatus taip, kad j<>s juos galetum<75>te
lengvai grepinti. <20>is gan primityvus formatas i<>saugo visk<73> vienoje
eilut<EFBFBD>je.
.TP
.B \-oS <logas>
Loginama <20> fail<69> "logas" "skipt kiddie" formatu.
.TP
.B \--resume <logas>
Skanavimas, kuris buvo nutrauktas su ^C, gali b<>ti prat<61>stas,
su s<>lyga, kad viskas buvo loginama su -oN opcija.
Daugiau jokie parametrai negali b<>ti pateikti (jie bus tokie,
kokie buvo naudojami loginant). nmap'as prad<61>s skanuoti nuo
sekan<EFBFBD>ios ma<6D>inos, po tos, kuri paskutin<69> buvo s<>kmingai
nuskanuota..
.TP
.B \-iL <failas>
Nuskaito hostus (IP adresus) i<> failo "failas". Hostai faile turi
b<EFBFBD>ti atskirti tarpais, TAB'ais arba atskirose linijose. deja
opcij<EFBFBD> nurodyti joki<6B> negalite tame faile, u<>tat yra galimyb<79> jas
nurodyti komandin<69>je eilut<75>je.
.TP
.B \-iR
<EFBFBD>ita opcija priver<65>ia nmap'<27> generuoti atsitiktinius hostus. Jei
kada netur<75>site k<> veikti, pabandykite `nmap -sS -iR -p 80', kad
surastum<EFBFBD>te kelet<65> www serveri<72>.
.TP
.B \-p <portai>
Galite nurodyti kur<75>/kuriuos portus tikrinti. pvz. -p 110
patikrins ar hostas turi pop3 server<65>, taip pat galite mi<6D>riai
nurodin<EFBFBD>ti portus:
-p 21,60-90,1243 -- 21, visi nuo 60 iki 90 bei 1243 portas
-p 1- -- visi portai nuo 1 iki 65535.
.TP
.B \-F
Greitasis metodas. Skanuoja tik tuos portus, kurie nurodyti nmap'o
services faile (pagal default'<27> - /usr/local/lib/nmap/nmap-services)
.TP
.B \-D <decoy1 [,decoy2][,decoyN][,ME]>
Decoy skanavimas priver<65>ia skanuojam<61> host'<27> manyti, kad j<> vienu
metu skanuoja visi nurodyti decoy'iai. Host<73> logai gali parodyti
5-10 skanavim<69> i<> unikali<6C> IP adres<65>, bet kuris i<> j<> skanuoja
i<EFBFBD> tikro jie pasakyti negal<61>s.
.Sp
Atskirk kiekvien<65> decoy'<27> kableliais (be tarpo) ir gali tarp j<>
<EFBFBD>terpti 'ME' kaip vien<65> i<> decoy'i<>. nmap'as ten <20>terps tavo
adres<EFBFBD>. Jei <20>ito nenurodysi, nmap'as atsitiktinai i<>rinks tau
viet<EFBFBD>. Tiesa, jei 'ME' <20>ra<72>ysi 6-oje ar dar v<>lesn<73>je vietoje,
kai kurie skanavim<69> detektoriai (tokie kaip Solar Designer'io
nepakartojamas scanlog daemon'as) gali tavo IP i<>viso neparodyti.
.Sp
Nepamir<EFBFBD>k, kad hostai, kuruos naudosi kaip decoy'ius, turi b<>ti
gyvi, kitaip gali u<>-SYN-flood'inti taikin<69>, o be to labai
nesunku bus surasti skanuotoj<6F>, jei jis bus vienintelis gyvas
visame tinkle.
.Sp
Atkreipk d<>mes<65> ir <20> tai, kad kai kurie (durnesni) port<72>
skanavim<EFBFBD> detektoriai gali aplamai skanuojantiems host'ams
u<EFBFBD>drausti pri<72>jim<69>. <20>sivaizduok, kas gali nutikti, jei vien<65>
i<EFBFBD> decoy'i<> nurodytum "localhost'<27>" :)
.Sp
Decoy skanavimas gali b<>ti naudojamas kartu su ping (naudojant
ICMP, SYN, ACK, ar dar k<> nors) arba tikru port<72> skanavimu bei
bandant surasti remote OS'<27> ( -O ).
.TP
.B \-S <IP_adresas>
Kartais nmap'as gali nerasti j<>s<EFBFBD> adreso. Tokiu atveju galite
naudoti -S opcij<69> su j<>s<EFBFBD> IP adresu bei interfeisu, kuriuo
si<EFBFBD>site paketus.
.TP
.B \-e <interfeisas>
Nurodo nmap'ui kokiu interfeisu si<73>sti paketus.
(lo, ppp0, eth0 ir etc.)
.TP
.B \-g <portas>
Nurodo i<> kokio porto skanuoti. Daugelis firewall'<27> bei filtr<74>
padaro i<>imtis DNS (53) bei FTP-DATA (20) paketams.
.TP
.B \-n
Liepia nmap'ui net nem<65>ginti rezolvinti ip adres<65> i j<> vardus,
nes da<64>nai tai b<>na labai l<>tas procesas ir stabdo nmap'o darb<72>.
.TP
.B \-R
Prie<EFBFBD>ingai nei -n opcija, -R liepia nmap'ui visada pam<61>ginti
i<EFBFBD>rezolvinti ip adres<65>.
.TP
.B \-r
Nurodo nmap'ui portus skanuoti
.B NE
atsitiktine tvarka.
.TP
.B --randomize_hosts
Nmap'as atsitiktine tvarka i<>mai<61>o kiekvien<65> grup<75> i<> daugiau nei
2048 host<73> prie<69> pradedant juos skanuoti. Tai <20>iek tiek suklaidina
<EFBFBD>vairius tinklo stebejimo <20>rankius.
.TP
.B \-M <maximalus susijungimu skaicius>
Nustato naksimal<61> susijungimu skai<61>i<EFBFBD>, kuris bus naudojamas
paralel<EFBFBD>je su TCP(standarti<74>kai) skanavimu.
.TP
.B LAIKO APRIBOJIMAI
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Paranoid - pats l<><6C>iausias skanavimo b<>das, Insane - pats
grei<EFBFBD>iausias, deja ne toks tikslus, ypa<70> jei tinklas l<>tas.
Vietoj <20>od<6F>i<EFBFBD> galite naudoti ir -T (0-5), kur 0 == Paranoid,
1 == Sneaky ir t.t.
.TP
.B --host_timeout <milisekund<6E>s>
Nurodo kiek laiko nmap'as gali skanuoti duot<6F>j<EFBFBD> IP. Laikas turi
b<EFBFBD>ti nema<6D>iau nei 200 milisekund<6E>i<EFBFBD>.
.TP
.B --max_rtt_timeout <milisekund<6E>s>
Kiek daugiausia laiko nmap'as gali laukti atsakymo i<> skanuojamo
IP.
.TP
.B --scan_delay <milisekund<6E>s>
Nustato minimal<61> laiko tarp<72>, kuri nmap'as turi laukti tarp
bandym<EFBFBD>. Tai naudingiausia siekiant suma<6D>inti tinklo apkrovim<69>.
.SH TAIKINIO NURODYMO B<EFBFBD>DAI
Viskas, kas n<>ra opcijos, nmap'e suprantama kaip taikinys.
Papras<EFBFBD>iausias b<>das yra nurodyti konkre<72>ius IP arba hostus.
Jeigu norite nuskanuoti IP adres<65> subnet'<27>, galite prid<69>ti
.B /mask<73>
hostname'ui ar IP adresui.
.B Mask<EFBFBD>
turi b<>ti tarp 0
(norint nuskanuoti vis<69> internet<65>) ir 32 (norint nuskanuoti
konkret<EFBFBD> host'<27>/IP. Naudok /24 'C' klas<61>s adres<65> skanavimui
bei /16 'B' klas<61>s adres<65> skanavimui.
.Sp
nmap'as taip pat turi gan patogi<67> galimyb<79> nustatin<69>ti IP
adresus s<>ra<72>ais/atstumais. pvz. gali nuskanuoti 'B' klas<61>
u<EFBFBD>ra<EFBFBD>ydamas 128.210.*.* arba 128.210.0-255.0-255 arba dar
128.210.0-50,51-255.1,2,3,4,5-255 . Manau kad tai pakankamai
patogu ir nesud<75>tinga.
.SH KELETAS PAVYZD<EFBFBD>I<EFBFBD>
.Sp
.B nmap -sX -e lo -P0 -S 127.0.0.3 localhost
.Sp
Pasinaudodamas Xmas Tree skanavimo metodu, apsimetin<69>damas,
kad esu 127.0.0.3 Loopback protokolu skanuoju savo localhost'<27>
<EFBFBD>tai kaip atrodo ipchains'<27> log'as:
.Sp
Packet log: input DENY lo PROTO=6 127.0.0.3:37009 127.0.0.1:139
L=40 S=0x00 I=53682 F=0x0000 T=41 (#1)
.Sp
kaip matote, kernelis yra <20>sitikin<69>s, kad j<> skanuoja i<> 127.0.0.3
o tai ir yra vienas svarbiausi<73> u<>davini<6E> - likti nematomiems :)
.Sp
.B nmap -sS -O target.example.com/24
.Sp
stealth SYN metodu nuskanuoja visas 255 ma<6D>inas, esan<61>ias
target.example.com 'C' klas<61>je. Taip pat bando nustatyti
kiekvieno i<> j<> operacin<69> sistem<65>.
.Sp
.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
suranda visus *.company.com hostus ir atiduoda juos nmap'ui,
kuris savo ruo<75>tu <20>sijung<6E>s verbose mode visus juos nuskanuoja.
.Sp
.B nmap -sN -D microsoft.com,mail.takas.lt,ME -oN /root/crazy -p 1-1024 -O crazy.com
.Sp
skanauoja Null skanavimo re<72>imu, panaudoja du decoy adresus,
visk<EFBFBD> logina <20> /root/crazy fail<69>, skanuoja nuo 1 iki 1024 crazy.com
portus bei stengiasi atsp<73>ti crazy.com serverio operacin<69> sistem<65>
.SH BUGAI
Vabal<EFBFBD>liai? Kokie dar vabal<61>liai? Na.. jei rasit koki<6B>, b<>tinai
si<EFBFBD>skit autoriui: <fyodor@insecure.org> . Pachai taip pat labai
laukiami. Taip pat nepamir<69>kite si<73>sti OS'<27> fingerprintus, kad
nmap'o autoriai gal<61>t<EFBFBD> pl<70>sti duom. baz<61>. Apie tai smulkiau
galite rasti docs/nmap-fingerprinting-article.txt dokumente
arba nmap'o puslapyje: http://www.insecure.org/nmap
.SH AUTORIUS
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH I<EFBFBD>VERT<EFBFBD>
.Sp
Aurimas Mikalauskas
.I <inner@crazy.lt>
.Sp
.SH PLATINIMAS
.Sp
Naujausi<EFBFBD>
.I nmap'o
versij<EFBFBD> visada galite rasti <20>ia:
.Sp
.I http://www.insecure.org/nmap/
.Sp
.I nmap
is (C) 1997,1998,1999,2000 by Fyodor (fyodor@insecure.org)
.Sp
.I libpcap'as
yra taip pat platinamas kartu su nmap'u. Autorines
teises <20> j<> turi Van Jacobson, Craig Leres ir Steven McCanne,
visi i<> Lawrence Berkeley nacionalin<69>s Laboratorijos Kalifornijos
Universiteto, Berkeley, CA. Versija platinama su nmap'u gali
b<EFBFBD>ti perra<72>in<69>jama. Sourcus galit parsisi<73>sti i<>
.I ftp://ftp.ee.lbl.gov/libpcap.tar.Z
.Sp
.SH PABAIGAI
D<EFBFBD>iaugiuosi, kad pagaliau pasiek<65>te gal<61>. Dabar jau galite skaityti
save kvalifikuotu nmap'o guru.
.Sp
beje, jei norite k<> nors prid<69>ti ar pakeisti <20>iame dokumente,
arba (neduok Dieve) radot koki<6B> tai bug'u, ra<72>ykit man adresu,
pateiktu sekcijoje
.B i<EFBFBD>vert<EFBFBD>.
<EFBFBD>iaip <20>itas manualas abejoju ar bus atnaujinamas,
bet pa<70>i<EFBFBD> naujausi<73> nmap-lt-HOWTO visada galite
rasti mano puslapyje:
.Sp
.I http://crazy.lt/~inner

1050
docs/nmap_manpage-de.html Normal file

File diff suppressed because it is too large Load Diff

549
docs/nmap_manpage-es.html Normal file

@@ -0,0 +1,549 @@
<HTML>
<HEAD>
<TITLE>Nmap network security scanner man page (Spanish translation)</TITLE>
</HEAD>
<BODY>
<H1>Nmap network security scanner man page (Spanish translation)</H1>
<HR>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
<B>NMAP(1)</B> <B>NMAP(1)</B>
</PRE>
<H2>NOMBRE</H2><PRE>
nmap - Herramienta de exploracie red y escr de seguridad.
</PRE>
<H2>SINOPSIS</H2><PRE>
<B>nmap</B> [Tipos(s)de escaneo] [Opciones] &lt;servidor o red #1 ... [#N]&gt;
</PRE>
<H2>DESCRIPCI</H2><PRE>
<I>Nmap</I> ha sido dise para permitir a administradores de sistemas y gente
curiosa en general el escaneo de grandes redes para determinar qu ervi-
dores se encuentran activos y quervicios ofrecen. <I>nmap</I> es compatible
con un gran n de ticas de escaneo como: UDP, TCP connect(), TCP SYN
(half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping
sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null scan. V e la
secciI Tipos de Escaneo para mdetalles. <I>nmap</I> proporciona tambicaracter
icas avanzadas como la detecciemota del sistema operativo por medio de
huellas TCP/IP , escaneo tipo stealth (oculto), retraso dinco y culos
de retransmisiescaneo paralelo, deteccie servidores inactivos por medio
de pings paralelos, escaneo con seos, deteccie filtrado de puertos,
escaneo por fragmentaci especificacilexible de destino y puerto.
Se han hecho grandes esfuerzos encaminados a proporcionar un
rendimiento decente para usuarios normales (no root). Por desgracia,
muchos de los interfaces crcos del kernel ( tales como los raw sockets)
requieren privilegios de root. Deberejecutarse <I>nmap</I> como root siempre
que sea posible.
</PRE>
<H2>OPCIONES</H2><PRE>
En general, pueden combinarse aquellas opciones que tengan sentido en
conjunto. Algunas de ellas son especcas para ciertos modos de escaneo.
<I>nmap</I> trata de detectar y advertir al usuario sobre el uso de combina-
ciones de opciones sicas o no permitidas.
Si usted es una persona impaciente, puede pasar directamente a la secci
.I ejemplos al final de este documento, donde encontrarjemplos de los
usos m corrientes. Tambipuede ejecutar el comando <B>nmap</B> <B>-h</B> para una pna
de referencia rda con un listado de todas las opciones.
<B>Tipos</B> <B>de</B> <B>Escaneo</B>
<B>-sT</B> Escaneo TCP connect(): Es la forma mbca de escaneo TCP. La lla-
mada de sistema connect() proporcionada por nuestro sistema
operativo se usa para establecer una conexion todos los puertos
interesantes de la mina. Si el puerto est la escucha, connect()
tendrxito, de otro modo, el puerto resulta inalcanzable. Una
ventaja importante de esta t ica es que no resulta necesario
tener privilegios especiales. Cualquier usuario en la mayor de
los sistemas UNIX tiene permiso para usar esta llamada.
Este tipo de escaneo resulta flmente detectable dado que los
registros del servidor de destino muestran un monte conexiones y
mensajes de error para aquellos servicios que accept() (aceptan)
la conexiara luego cerrarla inmediatamente.
<B>-sS</B> Escaneo TCP SYN: A menudo se denomina a esta tica escaneo "half
open" (medio abierto), porque no se abre una conexiCP completa.
Se envun paquete SYN, como si se fuese a abrir una conexi eal y
se espera que llegue una respuesta. Un SYN|ACK indica que el
puerto est la escucha. Un RST es indicativo de que el puerto no
est la escucha. Si se recibe un SYN|ACK, se envun RST inmediata-
mente para cortar la conexien realidad es el kernel de nuestro
sistema operativo el que hace esto por nosotros). La ventaja
principal de esta tica de escaneo es que seregistrada por muchos
menos servidores que la anterior. Por desgracia se necesitan
privilegios de root para construir estos paquetes SYN modifica-
dos.
<B>-sF</B> <B>-sX</B> <B>-sN</B>
Modos Stealth FIN, Xmas Tree o Nul scan: A veces ni siquiera el
escaneo SYN resulta lo suficientemente clandestino. Algunas
firewalls y filtros de paquetes vigilan el envde paquetes SYN a
puertos restringidos, y programas disponibles como Synlogger y
Courtney detectan este tipo de escaneo. Estos tipos de escaneo
avanzado, sin embargo, pueden cruzar estas barreras sin ser
detectados.
La idea es que se requiere que los puertos cerrados respondan a
nuestro paquete de prueba con un RST, mientras que los puertos
abiertos deben ignorar los paquetes en cuestive RFC 794 pp 64).
El escaneo FIN utiliza un paquete FIN vac(sorpresa) como prueba,
mientras que el escaneo Xmas tree activa las flags FIN, URG y
PUSH. El escaneo NULL desactiva todas las flags. Por desgracia
Microsoft (como de costumbre) decidinorar el estar completamente
y hacer las cosas a su manera. Debido a esto, este tipo de esca-
neo no funcionaron sistemas basados en Windows95/NT. En el lado
positivo, esta es una buena manera de distinguir entre las dos
plataformas. Si el escaneo encuentra puertos cerrados, probable-
mente se trate de una mina UNIX, mientras que todos los puertos
abiertos es indicativo de Windows. Excepcionalmente, Cisco,
BSDI, HP/UX, MVS, y IRIX tambienv RSTs en vez de desechar el
paquete.
<B>-sP</B> Escaneo ping: A veces mente se necesita saber quervidores en una
red se encuentran activos. Nmap puede hacer esto enviando peti-
ciones de respuesta ICMP a cada direcci P de la red que se
especifica. Aquellos servidores que responden se encuentran
activos. Desafortunadamente, algunos sitios web como
microsoft.com bloquean este tipo de paquetes. Nmap puede enviar
tambi un paquete TCP ack al puerto 80 (por defecto). Si se
obtiene por respuesta un RST, esa mina estctiva. Una tercera t
ica implica el envde un paquete SYN y la espera de de un RST o
un SYN/ACK. Para usuarios no root se usa un mdo connect().
Por defecto (para usuarios no root), nmap usa las ticas ICMP y
ACK en paralelo. Se puede cambiar la opciB -p descrita made-
lante.
Ne que el envio de pings se realiza por defecto de todas maneras
y que s ente se escanean aquellos servidores de los que se
obtiene respuesta. Use esta opciente en el caso de que desee un
ping sweep (barrido ping) <B>sin</B> hacer ningpo de escaneo de puer-
tos.
<B>-sU</B> Escaneo Udp: Este mdo se usa para saber quuertos UDP (Protocolo
de Datagrama de Usuario, RFC 768) estabiertos en un servidor. La
tica consiste en enviar paquetes UCP de 0 bytes a cada puerto de
la m ina objetivo. Si se recibe un mensaje ICMP de puerto no
alcanzable, entonces el puerto esterrado. De lo contrario, asum-
imos que estbierto.
Alguna gente piensa que el escaneo UDP no tiene sentido. Normal-
mente les recuerdo el reciente agujero Solaris rcpbind. Puede
encontrarse a rcpbind escondido en un puerto UDP no documentado
en alggar por encima del 32770. Por lo tanto, no importa que el
111 estloqueado por la firewall. Pero, ¿quipuede decir en cual
de los mde 30000 puertos altos se encuentra a la escucha el pro-
grama? ¡Con un escr UDP se puede! Tenemos tambiel programa de
puerta trasera cDc Back Orifice que se oculta en un puerto UDP
configurable en las minas Windows, por no mencionar los muchos
servicios frecuentemente vulnerables que usan UDP como snmp,
tftp, NFS, etc.
Por desgracia, el escaneo UDP resulta a veces tremendamente
lento debido a que la mayorde los servidores implementan una
sugerencia recogida en el RFC 1812 (secci.3.2.8) acerca de la
limitacie la frecuencia de mensajes de error ICMP. Por ejemplo,
el kernel de Linux (en /ipv4/icmp.h) limita la generacie men-
sajes de destino inalcanzable a 80 cada cuatro segundos, con una
penalizaci e 1/4 de segundo si se rebasa dicha cantidad. Solaris
tiene unos ltes mucho m estrictos (m o menos 2 mensajes por
segundo) y por lo tanto lleva mtiempo hacerle un escaneo. <I>nmap</I>
detecta este lte de frecuencia y se ralentiza en consecuencia,
en vez de desbordar la red con paquetes ins que la mina destino
ignorar.Sp Como de costumbre, Microsoft ignorta sugerencia del
RFC y no parece que haya previsto ningpo de lte de frecuencia
para las minas Windows. Debido a esto resulta posible escanear
los 65K puertos de una mina Windows <B>muy</B> rdamente. ¡Woop!
<B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>host&gt;</B>
Ataque de rebote FTP: Una caracterica "interesante" del proto-
colo FTP (FRC 959) es la posibilidad de realizar conexiones ftp
tipo "proxy". En otras palabras, ¡me resultarposible conectarme
desde malvado.com al servidor ftp de destino.com y pedirle a ese
servidor que enviase un archivo a CUALQUIER PARTE de Internet!
Aun asesto podrhaber funcionado bien en 1985 cuando se escribi
RFC, pero en la Internet actual, no podemos permitir que la
gente vaya por ahsaltando servidores ftp y pidioles que escupan
sus datos a puntos arbitrarios de Internet. Tal y como escribi
obbit* en 1985, este defecto del protocolo "puede usarse para
enviar mensajes de correo y noticias cuyo rastro serirtualmente
imposible de seguir, machacar servidores en varios sitios web,
llenar discos, tratar de saltarse firewalls y , en general,
resultar molesto y difl de detectar al mismo tiempo." Nosotros
explotaremos este defecto para (sorpresa, sorpresa) escanear
puertos TCP desde un servidor ftp "proxy". De este modo nos podr
os conectar a un servidor ftp tras una firewall, y luego
escanear aquellos puertos que con m probabilidad se encuentren
bloqueados (el 139 es uno bueno). Si el servidor ftp permite la
lectura y escritura en algrectorio (como por ejemplo /incoming),
se pueden enviar datos arbitrarios a puertos que se encuentren
abiertos (aunque nmap no realiza esta funcior sismo).
El argumento que se pasa a la opcib es el host que se pretende
usar como proxy, en notaci RL est ar. El formato es: <I>nom-</I>
<I>bre</I><B>_</B><I>de</I><B>_</B><I>usuario:password@servidor:puerto.</I> Todo excepto <I>servidor</I>
es opcional. Para determinar quervidores son vulnerables a este
ataque, ve mi artlo en <I>Phrack</I> 51. Se encuentra disponible una
versi ctualizada en la URL de <I>nmap</I> (http://www.inse-
cure.org/nmap).
<B>Opciones</B> <B>Generales</B>
No se requiere ninguna pero algunas de ellas pueden resultar de
gran utilidad.
<B>-p0</B> No intenta hacer ping a un servidor antes de escanearlo. Esto
permite el escaneo de redes que no permiten que pasen peticiones
(o respuestas)de ecos ICMP a travde su firewall. microsoft.com
es un ejemplo de una red de este tipo, y, por lo tanto, deber
usarse siempre <B>-p0</B> o <B>-PT80</B> al escanear microsoft.com.
<B>-PT</B> Usa el ping TCP para determinar quervidores estactivos. En vez
de enviar paquetes de peticie ecos ICMP y esperar una respuesta,
se lanzan paquetes TCP ACK a travde la red de destino (o a una
sola mina) y luego se espera a que lleguen las respuestas. Los
servidores activos responden con un RST. Esta opciantiene la
eficiencia de escanear mente aquellos servidores que se encuen-
tran activos y la combina con la posibilidad de escanear
redes/servidores que bloquean los paquetes ping. Para los usuar-
ios no root se usa connect(). Para establecer el puerto de des-
tino de los paquetes de prueba use -PT &lt;n de puerto). El puerto
por defecto es el 80, dado que normalmente este puerto no es un
puerto filtrado.
<B>-PS</B> Esta opcisa paquetes SYN (peticie conexien vez de los paquetes
ACK para usuarios root. Los servidores activos deber responder
con un RST (o, en raras ocasiones, un SYN|ACK).
<B>-PI</B> Esta opcisa un paquete ping (petici e eco ICMP) verdadero.
Encuentra servidores que estactivos y tambibusca direcciones de
broadcast dirigidas a subredes en una red. Se trata de direc-
ciones IP alcanzables desde el exterior que env los paquetes IP
entrantes a una subred de servidores. Estas direcciones deber
eliminarse, si se encontrase alguna, dado que suponen un riesgo
elevado ante numerosos ataques de denegacie servicio (el mcorri-
ente es Smurf).
<B>-PB</B> Este es el tipo de ping por defecto. Usa los barridos ACK ( <B>-PT</B>
) e ICMP ( <B>-PI</B> ) en paralelo. De este modo se pueden alcanzar
firewalls que filtren uno de los dos (pero no ambos).
<B>-O</B> Esta opci ctiva la detecciemota del sistema operativo por medio
de la huella TCP/IP. En otras palabras, usa un pu de ticas para
detectar sutilezas en la pila de red subyacente del sistema
operativo de los servidores que se escanean. Usa esta informaci
ara crear una huella que luego compara con una base de datos
de huellas de sistemas operativos conocidas (el archivo nmap-os-
fingerprints) para decidir quipo de sistema se estscaneando.
Si encuentra una mina diagnosticada errmente que tenga por lo
menos un puerto abierto, me serde gran utilidad que me enviase
los detalles en un email (es decir, se encontr versixx de tal
cosa y se detectte u otro sistema operativo..). Si encuentra una
m ina con al menos un puerto abierto de la cual nmap le informe
"sistema operativo desconocido", le estaragradecido si me envi-
ase la direcciP junto con el nombre del sistema operativo y el n
de su versiSi no me puede enviar la direcci P, una alternativa
serejecutar nmap con la opciB -d y enviarme las tres huellas que
obtendrcomo resultado junto con el nombre del sistema operativo
y el n de versiAl hacer esto, estcontribuyendo a aumentar el n
importante de sistemas operativos conocidos por namp y de este
modo el programa resultarexacto para todo el mundo.
<B>-I</B> Esta opci ctiva el escaneo TCP de identificaciontraria. Tal y
como comenta Dave Goldsmith en un correo Bugtrat de 1996, el
protocolo ident (rfc 1413) permite la revelaciel nombre del
usuario propietario de cualquier proceso conectado vTCP, incluso
aunque ese proceso no haya iniciado la conexiDe este modo se
puede, por ejemplo, conectar con el puerto http y luego usar
identd para descubrir si el servidor estjecutose como root.
Esto sse puede hacer con una conexiCP completa con el puerto de
destino (o sea, la opcie escaneo -sT). Cuando se usa <B>-I,</B> se
consulta al identd del servidor remoto sobre cada uno de los
puertos abiertos encontrados en el sistema. Por supuesto, esto
no funcionari el servidor en cuestio estjecutando identd.
<B>-f</B> Esta opciace que el escaneo solicitado de tipo SYN, FIN, XMAS, o
NULL use peque paquetes IP fragmentados. La idea consiste en
dividir la cabecera TCP en varios paquetes para ponelo mdif l a
los filtros de paquetes, sistemas de deteccie intrusi otras
inconveniencias por el estilo que tratan de saber lo uno est
aciendo. ¡Tenga cuidado con esto! Algunos programas tienen prob-
lemas a la hora de manejar estos paquetes tan peque Mi sniffer
favorito produjo un error de segmentacinmediatamente despude
recibir el primer fragmento de 36 bytes. ¡Despude este viene uno
de 24 bytes! Mientras que este mdo no podron filtros de paquetes
y firewalls que ponen en cola todos los fragmentos IP (como en
el caso de la opciONFIG_IP_ALWAYS_DEFRAG en la configuraciel
kernel de Linux), tambies verdad que algunas redes no pueden
permitirse el efecto negativo que esta opci ausa sobre su
rendimiento y por lo tanto la dejan desactivada.
Ne que no he coseguido que esta opciuncione con todos los sis-
temas. Funciona bien con mis sistemas Linux, FreeBSD y OpenBSD
y algunas personas han informado de tos con otras variantes
*NIX.
<B>-v</B> Modo de informaci mpliada. Esta opciesulta muy recomendable y
proporciona gran cantidad de informaciobre lo que est ucediendo.
Puede usarla dos veces para un efecto mayor. ¡Use <B>-d</B> un par
veces si lo que quiere es volverse loco haciendo scroll en su
pantalla!
<B>-h</B> Esta opci an prica muestra una pantalla de referencia rda sobre
las opciones de uso de nmap. Quizhaya notado que esta p na de
manual no es precisamente una "referencia rda" :)
<B>-o</B> <B>&lt;nombre_de_archivo_de_registro&gt;</B>
Esta opci uarda los resultados de sus escaneos en forma <B>humana-</B>
<B>mente</B> <B>inteligible</B> en el archivo especificado como argumento.
<B>-m</B> <B>&lt;nombre_de_archivo_de_registro&gt;</B>
Esta opciuarda los resultados de sus escaneos en un formato <B>com-</B>
<B>prensible</B> <B>para</B> <B>una</B> <B>mina</B> en el archivo especificado como argu-
mento.
<B>-i</B> <B>&lt;nombre_de_archivo_de_entrada&gt;</B>
Lee especificaciones de servidores o redes de destino a partir
del archivo especificado en vez de hacerlo de la la de comandos.
El archivo debe contener una lista de expresiones de servidores
o redes separadas por espacios, tabuladores o nuevas las. Use un
gui-) como <I>nombre</I><B>_</B><I>de</I><B>_</B><I>archivo</I><B>_</B><I>de</I><B>_</B><I>entrada</I> si desea que nmap tome
las expresiones de servidores de stdin. V e la secci I
Especificacie Objetivo para minformaciobre expresiones con las
que poder completar este archivo.
<B>-p</B> <B>&lt;rango</B> <B>de</B> <B>puertos&gt;</B>
Esta opci etermina los puertos que se quieren especificar. Por
ejemplo, -p 23 probarolo el puerto 23 del servidor(es) obje-
tivo. -p 20-30,139,60000- escanea los puertos del 20 al 30, el
puerto 139 y todos los puertos por encima de 60000. Por defecto
se escanean todos los puertos entre el 1 y el 1024 asomo los que
figuran en el archivo /etc/services.
<B>-F</B> <B>Modo</B> <B>de</B> <B>escaneo</B> <B>rdo.</B>
Implica que sse desean escanear aquellos puertos que figuran en
/etc/services. Obviamente esto resulta mucho mrdo que escanear
cada uno de los 65535 puertos de un servidor.
<B>-D</B> <B>&lt;seo1</B> <B>[,seo2][,ME],...&gt;</B>
Especifica que se desea efectuar un escaneo con se os, el cual
hace que el servidor escaneado piense que la red destino del
escaneo estiendo escaneada tambipor el servidor(es) especifica-
dos como seos. Assus IDs pueden informar de entre 5 y 10 esca-
neos procedentes de direcci IP s, pero no sabrque direcci P les
estaba escaneando realmente y c eran seos inocentes.
Separe cada servidor seo con comas, y puede usar opcionalmente
ME como seo que representa la posiciue quiere que ocupe su
direcci P. Si coloca ME en la sexta posici superior, es muy
poco probable que algunos escres de puertos comunes (como el
excelente scanlogd de Solar Designer) lleguen incluso a mostrar
su direcciP. Si no se usa ME, nmap le colocar usted en una
posicileatoria.
N e que aquellos servidores usados como seos deben escontrarse
activos, o, de lo contrario podr provocar un desbordamiento
(flood) SYN en su objetivo. Por otra parte, resultarastante fl
saber quervidor estscaneando si mente hay uno activo en la red.
N e tambi que algunos (ests) "detectores de escres de puertos"
opondruna firewall o bien denegarel rutaje a aquellos servidores
que intenten escanear sus puertos. De este modo se podrprovocar
inadvertidamente que la m ina que se est ntentando escanear
perdiese contacto con los servidores usados como seos. Esto podr
causarles a los servidores escaneados verdaderos problemas si
los servidores seo fuesen, por ejemplo, su gateway a internet o
incluso "localhost". Deberusarse esta opcion extremo cuidado. La
verdadera moraleja de este asunto es que un detector de escaneos
de puertos que aparenten tener intenciones poco amistosas no
deberllevar a cabo accilguna contra la mina que aparentemente le
estscaneando. ¡Podrno ser mque un seo!
Los seos se usan tanto en el escaneo ping inicial (usando ICMP,
SYN, ACK, o lo que sea) como en la fase de escaneo de puertos
propiamente dicha. Tambise usan los seos en la fase de detecci
emota del sistema operativo ( <B>-O</B> ).
Vale la pena destacar que el uso de demasiados seos puede ralen-
tizar el proceso de escaneo y, potencialmente, hacer que sea
menos exacto. Por otra parte, algunos ISPs filtrarlos paquetes
manipulados y los desechar aunque muchos (actualmente la mayor
no ponen restricciones a este tipo de paquetes.
<B>-S</B> <B>&lt;DirecciP&gt;</B>
En determinadas circunstancias, es posible que <I>nmap</I> no sea capaz
de determinar su (de usted) direcciP de origen ( <I>nmap</I> se lo har
aber si este es el caso). En este caso, use -S con su direcciP
(del interfaz a travdel cual desea enviar los paquetes).
Otro posible uso de esta opcis el de manipular el escaneo para
hacer creer a los servidores de destino que <B>alguien</B> <B>mles</B> <B>est</B>
<B>scaneando.</B> <B>¡Imagse</B> <B>a</B> <B>una</B> <B>compaescaneada</B> <B>repetidamente</B> <B>por</B> <B>una</B>
comparival! Esta no es la funciara la que se ha dise esta opcini
su propo principal). Simplemente pienso que revela una posibili-
dad que la gente debertener en cuenta antes de acusar a los dem
de escanear sus puertos. La opciB -e ser ecesaria en general
para este tipo de uso.
<B>-e</B> <B>&lt;interfaz&gt;</B>
Le dice a nmap qunterfaz ha de usar para enviar y recibir paque-
tes. El programa deberdetectar esto por sismo, pero le informari
no es as.TP <B>-g</B> <B>&lt;n_de_puerto&gt;</B> Establece el n de puerto de origen
a usar en los escaneos. Muchas instalaciones de firewalls y fil-
tros de paquetes inocentes hacen una excepcin sus reglas para
permitir que las atraviesen y establezcan una conexiaquetes DNS
(53) o FTP-DATA (20). Evidentemente esto contraviene completa-
mente las ventajas en materia de seguridad que comporta una
firewall dado que los intrusos pueden enmascararse como DNS o
FTP con una simple modificaci e su puerto de origen. Por
supuesto, deberprobarse primero con el puerto 53 para un escaneo
UDP y los escaneos TCP deber probar el 20 antes del 53.
Ne que el uso de esta opcienaliza levemente el rendimiento del
escaneo, porque a veces se almacena informacitil en el n de
puerto de origen.
<B>-M</B> <B>&lt;max</B> <B>sockets&gt;</B>
Establece el n mmo de sockets que se usar en paralelo para un
escaneo TCP connect() (escaneo por defecto). Resulta a la hora
de ralentizar ligeramente el proceso de escaneo con el fin de
evitar que la mina de destino se cuelgue. Otra manera de hacerlo
es usar -sS, que normalmente les resulta mfl de asumir a las m
inas de destino.
<B>Especificacie</B> <B>Objetivo</B>
Cualquier cosa que no es una opcio el argumento de una opcien
namp se trata como una especificacie servidor de destino. El
caso m simple consiste en especificar servidores aislados o
direcciones IP en la la de comandos. Si pretende escanear una
subred de direcciones IP, entonces se puede ar <B>/mask</B> a la
direcciP o al nombre del servidor. <B>mask</B> debe estar entre 0
(escanea toda Internet) y 32 (escanea mente el servidor especi-
ficado). Use /24 para escanear una direccie clase C y /16 para
la clase B.
Nmap dispone tambi de una notaciucho mpotente que permite la
especificacie direcciones IP usando listas/rangos para cada ele-
mento. De este modo, se puede escanear la red de clase B com-
pleta 128.210.*.* especificando 128.210.*.* o
128.210.0-255.0-255 o incluso notacie mara: 128.210.0.0/16.
Todas ellas son equivalentes. Si se usan asteriscos (*), ha de
tenerse en cuenta que la mayorde los shells requieren que se
salga de ellos con caracteres / o que se les proteja con comil-
las.
Otra posibilidad interesante consiste en dividir Internet en el
otro sentido. En vez de escanear todos los servidores en una
clase B, se puede escanear *.*.5.6-7 para escanear todas las
direcciones IP terminadas en .5.6 o .5.7 Escoja sus propios n s.
Para m informaciobre la especificacie servidores a escanear, ve
la secciI ejemplos a continuaci
</PRE>
<H2>EJEMPLOS</H2><PRE>
A continuacie muestran algunos ejemplos del uso de nmap que abarcan
desde los usos mnormales y frecuentes a los mcomplejos o incluso esot
cos. Ne que se han incluido direciones IP y nombres de dominio reales
para hacer las cosas m concretas. Usted debersustituirlos por ns y
direcciones de su <B>propia</B> <B>red.</B> No creo que escanear otras redes sea
ilegal; ni se deber considerar los escaneos de puertos como ataques. He
escaneado cientos de miles de minas y tan she recibido una queja. Pero
no soy abogado y es posible que los intentos de <I>nmap</I> lleguen a molestar
a alguna gente. Obtenga primero el permiso para hacerlo o hlo bajo su
propia responsabilidad.
<B>nmap</B> <B>-v</B> <B>objetivo.ejemplo.com</B>
Esta opci scanea todos los puertos TCP reservados en la mina obje-
tivo.ejemplo.com. La -v implica la activaciel modo de informacimpliada.
<B>nmap</B> <B>-sS</B> <B>-O</B> <B>objetivo.ejemplo.com/24</B>
Lanza un escaneo SYN oculto contra cada una de las minas activas de las
255 minas de la classe C donde se aloja objetivo.ejemplo.com. Tambi
trata de determinar el sistema operativo usado en cada una de las minas
activas. Este escaneo requiere privilegios de roor a causa del escaneo
SYN y la detecciel sistema operativo.
<B>nmap</B> <B>-sX</B> <B>-p</B> <B>22,53,110,143</B> <B>128.210.*.1-127</B>
Envun escaneo Xmas tree a la primera mitad de cada una de las 255 posi-
bles subredes de 8 bits en el espacio de direcciones clase B 128.210
. Se trata de comprobar si los sistemas ejecutan sshd, DNS, pop3d,
imapd o el puerto 4564. Ne que el escaneo Xmas no funciona contra
servidores ejecutando cualquier sistema operativo de Microsoft debido a
una pila TCP deficiente. Lo mismo se aplica a los sistemas CISCO, IRIX,
HP/UX, y BSDI.
<B>nmap</B> <B>-v</B> <B>-p</B> <B>80</B> <B>*.*.2.3-5</B>
En vez de centrarse en un rango especco de direcciones IP, resulta a
veces interesante dividir Internet en porciones y escanear una peque
uestra de cada porciEste comando encuentra todos los servidores web en
minas cuyas direcciones IP terminen en .2.3, .2.4, o .2.5 . Si usted es
root podrar tambi-sS. Tambiencontrarinas mucho minteresantes si empieza
en 127. asue es posible que desee usar 127-222 en vez de el primer
asterisco dado que esa secci iene una densidad mucho mayor de minas
interesantes (IMHO).
<B>host</B> <B>-l</B> <B>compacom</B> <B>|</B> <B>cut</B> <B>-d</B> <B></B> <B>-f</B> <B>4</B> <B>|</B> <B>./nmap</B> <B>-v</B> <B>-i</B> <B>-</B>
Hace una transferencia de DNS de zona para descubrir los servidores en
compa com y luego pasar las direcciones IP a <I>nmap.</I> Los comandos arriba
indicados son para mi sistema Linux. Es posible que se necesiten coman-
dos/opciones diferentes para otros sistemas operativos.
</PRE>
<H2>BUGS</H2><PRE>
¿Bugs? ¿Quugs? Por favor, enve cualquier bug que descubra. Los parches
tampoco estar mal :) Recuerde enviar tambinuevas huellas de sistemas
operativos para que podamos ampliar nuestra base de datos.
</PRE>
<H2>AUTOR</H2><PRE>
Fyodor <I>&lt;fyodor@insecure.org&gt;Tipos</I> <I>de</I> <I>Escaneo</I>
</PRE>
<H2>DISTRIBUCI</H2><PRE>
La a versie <I>nmap</I> se puede obtener en <I>http://www.insecure.org/nmap</I>
<I>nmap</I> es (C) 1997,1998 de Fyodor (fyodor@insecure.org, fyodor@inse-
cure.org)
Este programa es software libre; puede redistribuirse y/o modificarse
bajo los tinos de la Licencia Pa General GNU tal y como la publica la
Fundacie Software Libre; Versi.
Este programa se distribuye con la esperanza de que pueda resultar de
utilidad, pero SIN NING TIPO DE GARANT; sin tan siquiera la garante ser
apto para su COMECIALIZACI o ADECUADO PARA UN PROPITO EN PARTICULAR. Ve
la Licencia Pa General GNU para mdetalles (estn el archivo COPYING de
la distribucie <I>nmap</I> ).
<B>NMAP(1)</B>
</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>

887
docs/nmap_manpage-fr.html Normal file

@@ -0,0 +1,887 @@
<HTML>
<HEAD>
<TITLE>Nmap network security scanner man page (French translation)</TITLE>
</HEAD>
<BODY>
<H1>Nmap network security scanner man page (French translation)</H1>
<HR>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
<B>NMAP(1)</B> <B>NMAP(1)</B>
</PRE>
<H2>NOM</H2><PRE>
nmap - Outil dexploration rau et analyseur de sritSH SYNOPSIS <B>nmap</B>
[Type(s) de scan] [Options] &lt;hou rau #1 ... [#N]&gt;
</PRE>
<H2>DESCRIPTION</H2><PRE>
<I>Nmap</I> a conpour que les administrateurs systs et les curieux puissent
analyser de grands r aux pour drminer les h actifs et les services
offerts. <I>nmap</I> supporte un grand nombre de techniques danalyse : UDP,
TCP connect(), TCP SYN (mi ouvert), ftp proxy (attaque par rebond),
Reverse-ident, ICMP (balayage de ping), FIN, balayage de ACK, Xmas
Tree, balayage de SYN, Protocoles IP, et Null scan. Voir la section
<I>Types</I> <I>de</I> <I>scans</I> pour plus de dils. Nmap offre lement des caract stiques
avanc comme la dction du syst dexploitation distant via lempreinte
TCP/IP, lanalyse furtive, le di dynamique et les calculs de retrans-
mission, lanalyse parall, dction de h inactifs via des pings paralls,
lanalyse avec leurres, la dction des ports filtr analyse directe (sans
portmapper) des RCP, lanalyse avec fragmentation, et une notation
puissante pour dgner les h et les ports.
Des efforts significatifs ont consacrpour que nmap soit utilisable par
des utilisateurs non-root. Malheureusement, la plupart des interfaces
noyaux critiques (comme les raw sockets) requi nt les privil s root.
Nmap devrait donc e lancn tant que root autant que possible (mais pas
en setuid root, demment).
Le rltat de lextion de nmap est habituellement une liste de ports int
ssants sur les machines analys. Nmap donne pour chaque port le nom du
service, le num, lt et le protocole. Lt peut e « open », « fil-
tered » ou « unfiltered ». « Open » signifie que la machine cible
accepte les connexions sur ce port. « Filtered » signifie quun pare-
feu, un filtre ou un autre obstacle rau prot le port et empe nmap de d
cter si le port est ouvert. « Unfiltered » signifie que le port est
fermt quaucun pare-feu na interf avec nmap. Les ports « Unfiltered »
sont les plus courants et ne sont affichque lorsque la majorites ports
analyssont dans lt « filtered ».
En fonction des options utilis, nmap peut aussi rapporter les caract
stiques suivantes du syst dexploitation distant : type de syst
dexploitation, s encement TCP, noms des utilisateurs qui ont lances
programmes qui utent sur chaque port, le nom DNS, et dautres choses
encore.
</PRE>
<H2>OPTIONS</H2><PRE>
Les options ayant du sens ensemble peuvent gralement e combin. Cer-
taines options sont spfiques ertains modes danalyses. <I>nmap</I> essaye de
d cter et de prnir lutilisateur en cas de combinaisons doptions dntes
ou non support.
Si vous s impatient, vous pouvez passer directement a section des <I>exem-</I>
<I>ples</I> a fin, qui illustre lusage courant. Vous pouvez aussi lancer <B>nmap</B>
<B>-h</B> pour un bref rappel de toutes les options.
<B>TYPES</B> <B>DE</B> <B>SCANS</B>
<B>-sS</B> TCP SYN scan : Cette technique est souvent appel scan « mi
ouvert », parce quon ouvre une connexion TCP incompl. On
envoie un paquet SYN, comme pour une vtable ouverture de connex-
ion et on attend une rnse. Un SYN ou ACK indique que le port est
sous ute, en revanche un RST signifie que personne nute sur ce
port. Si un SYN ou ACK est re un RST est immatement envoyour
interrompre la connexion. Le principal avantage de cette tech-
nique est que peu de sites larchiveront. dans leurs logs.
Malheureusement vous avez besoin des privils root pour constru-
ire ces paquets SYN sur mesure. Cest le scan par dut pour les
utilisateurs qui ont les privils root.
<B>-sT</B> TCP connect() scan : Cest la forme la plus simple de scan TCP.
Lappel syst connect() fournit par votre syst dexploitation est
utilisour ouvrir une connexion sur tous les ports int ssants de
la cible. Si le port est sur ute, connect() rsira, sinon le port
est injoignable. Le principal avantage de cette technique est
quelle ne nssite pas de privils particuliers. Presque tous les
utilisateurs de toutes les machines Unix sont libres dutiliser
cet appel syst.
Ce type de scan est facilement dctable par lhcible puisque les
logs de la cible montreront un ensemble de connexions et de mes-
sages derreurs pour les services qui ont accepta connexion qui
a immatement coup Cest le scan par dut pour les utilisateurs
normaux (non root).
<B>-sF</B> <B>-sX</B> <B>-sN</B>
Stealth FIN, Xmas Tree, ou Null scan modes : Parfois m un SYN
scan nest pas suffisamment discret. Certains pare-feux et fil-
treurs de paquets regardent les SYNs vers les ports interdits,
et des programmes comme Synlogger et Courtney peuvent dcter ces
scans. En revanche, ces scans avancdevrait pourvoir passer sans
probls.
Lidest quun port fermst requis pour rndre au paquet de test
par un RST, alors que les ports ouverts doivent ignorer les
paquets en question (voir RFC 793 pp 64). Le FIN scan utilise un
paquet FIN nu comme testeur, alors que le scan Xmas tree active
les drapeaux URG et PUSH du paquet FIN. Le scan Null, d ctive
tous les drapeaux. Malheureusement Microsoft (comme dhabitude)
a ddignorer complment le standard et de faire les choses a fa .
Cest pourquoi ce type de scan ne fonctionne pas contre les syst
s sous Windows95/NT. Le cpositif est que cest un bon moyen de
distinguer deux plates-formes. Si le scan trouve des ports
ouverts, vous savez que la machine cible nest pas sous Windows.
Si un -sF,-sX, ou -sN scan montre tous les ports ferm et quun
scan SYN (-sS) montre tous les ports ouverts, la machine cible
fonctionne probablement sous Windows. Ceci est moins utile
depuis que nmap a son propre dcteur de syst dexploitation int
Dautres systs ont le m probl que Windows : Cisco, BSDI, HP/UX,
MVS, et IRIX. La plupart envoient des resets depuis les ports
ouverts au lieu dignorer le paquet.
<B>-sP</B> Ping scanning : Parfois vous voulez juste savoir quels sont les
h actifs dun rau. Nmap peut le faire pour vous en envoyant des
paquets d o ICMP haque adresse IP du rau spfiLes h qui rndent
sont actifs. Malheureusement, certains sites comme
microsoft.com, bloquent les paquets do. Toutefois nmap peut
aussi envoyer un paquet TCP ack au port 80 (par dut). Si vous
recevez un RST en retour, la machine est active. Une troisi
technique consiste nvoyer un paquet SYN et dattendre un RST ou
un SYN/ACK. Pour les utilisateurs non-root, la mode connect()
est utilis
Par dut (pour les utilisateurs root), nmap utilise la technique
ICMP et ACK en parall. Vous pouvez changer loption <B>-P</B> dite plus
tard.
Remarquez que le ping est fait par dut de toutes fa s et seuls
les h qui rndent sont analys Nutilisez cette option que si vous
voulez faire un balayage de ping <B>sans</B> faire danalyse de ports.
<B>-sU</B> UDP scans : Cette m ode est utilispour drminer les ports UDP
(User Datagram Protocol, RFC 768) qui sont ouverts sur lh Cette
technique consiste nvoyer un paquet udp de 0 octet haque port de
la machine cible. Si on ret un message ICMP « port unreach-
able », alors le port est fermAutrement nous supposons quil est
ouvert.
Certaines personne pensent que lanalyse UDP est inutile. Jai
pour habitude de leur rappeler le trou rnt dans rcpbind sous
Solaris. Rpcbind peut dissimuler un port UDP non documentuelque
part au dessus de 32 770. Comme duvrir un tel port sans scanner
UDP ? Il y a aussi le programme cDc Back Orifice backdoor qui
cache un port UDP configurable sur les machines Windows. Sans m
mentionner tous les services courants qui utilisent UDP tels que
snmp, tftp, NFS, etc.
Malheureusement lanalyse UDP peut e particuli ment longue
puisque la plupart des h implnte une suggestion de la RFC 1812
(section 4.3.2.8) pour limiter le dt des messages derreurs
ICMP. Par exemple, le noyau Linux (dans net/ipv4/icmp.h) limite
la gration de message « destination unreachable » 0 pour 4 sec-
ondes, avec une plite 1/4 secondes si ce nombre est dssSolaris a
des limites encore plus strictes (eu pr2 messages par seconde)
et lanalyse nssite encore plus de temps. <I>Nmap</I> dcte cette lim-
ite de dt et ralentit plutue dinonder inutilement le rau avec
des paquets qui seront ignorpar la machine cible.
Comme dhabitude, Microsoft a ignora suggestion RFC et na pas
impl nte limitation de taux dans les machines Win95 et NT. Cest
pourquoi nous pouvons analyser les 65K ports dune machine Win-
dows <B>trrapidement.</B> <B>Wahoo</B> <B>!</B>
<B>-sO</B> IP protocol scans : Cette mode est utilispour drminer les proto-
coles IP supportpar lh La technique consiste nvoyer des paquets
IP bruts sans ent de protocole haque protocole spfiur la machine
cible. Si nous recevons un message ICMP « protocol unreach-
able », alors le protocole nest pas utilisAutrement nous sup-
posons quil est ouvert. Remarquez que certains h (AIX, HP-UX,
Digital UNIX) et les pare-feux peuvent ne pas renvoyer les mes-
sages « protocol unreachable », faisant apparae ouverts tous les
protocoles.
Comme cette technique est trsimilaire analyse des ports UDP, la
limitation du dt ICMP peut aussi apparae. Mais comme le champ
protocole dIP na que 8 bits, il y a au plus 256 protocoles,
donc la durrestera raisonnable.
<B>-sI</B> <B>&lt;zombie</B> <B>host[:probeport]&gt;</B>
scan paresseux : cette mode de scan avancautorise un scan TCP v
tablement aveugle de la cible (aucun paquet ne sera envoy la
cible depuis votre vtable adresse IP). la place, une attaque
unilat le exploite la prction de la sence didentificateur de
fragmentation IP de lhzombie pour glaner des informations sur
les ports ouverts de la cible. Les systs de dctions dintrusion
indiqueront que le scan provient de la machine zombie sp fi (qui
doit e active et vfier un certain nombre de crits). Jenvisage
de donner plus dexplication ttp://www.inse-
cure.org/nmap/nmap_documentation.html dans un futur proche.
En plus de extraordinairement furtive (gra nature aveugle), ce scan
permet de saffranchir des relations de confiance entre machines
fond sur lIP. La liste de ports montre les ports ouverts <I>tels</I>
<I>que</I> <I>les</I> <I>voit</I> <I>lhzombie.</I> Aussi, vous pouvez essayer de scanner
une cible en utilisant diffnts zombies ui elle fait confiance
(via les res de filtrage des routeurs/paquets). idemment cette
information est cruciale pour orienter lattaque. Autrement
votre test de ptration va consommer des ressources considbles
appartenant au syst intermaire, pour sapercevoir en fin de
compte quil ny a pas de relation de confiance entre lhcible
et lIP de la machine zombie.
Vous pouvez ajouter un deux-point suivi par le num de port si
vous voulez tester un port particulier sur lhzombie pour les
changement IPID. Autrement Nmap utilisera le port quil utilise
par dut pour les pings TCP.
<B>-sA</B> ACK scan : Cest une technique avancqui est utilisour duvrir les
res des pare-feux et pour savoir si on a affaire n pare-feu ou
un simple filtreur de paquets qui bloquent les paquets SYN
entrant.
Ce type danalyse envoie un paquet ACK (avec un num
dacquittement/s ence aloire) aux ports spfi Si un RST vient en
retour, les ports sont classcomme non filtr Si rien ne revient
(ou alors un message ICMP « unreachable »), les ports sont class
comme filtr. Remarquez que <I>nmap</I> naffiche pas les ports non
filtr Aussi, si <B>aucun</B> port nest affichans la sortie, cest sou-
vent un signe que tous les tests ont fonctionnet retournSTs). Ce
scan ne montrera dement jamais de port ouvert.
<B>-sW</B> Window scan : Cest une analyse avanctrsimilaire au ACK scan,
sauf quil peut parfois dcter aussi bien des ports ouverts que
filtr non filtr gr ne anomalie dans la taille de la fene TCP
rapportpar certains systs. Parmi les systs vulnbles se trouvent
certaines versions de AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX,
DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS,
NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix,
VAX, et VxWorks. Voir les archives de la liste de diffusion
nmap-hackers pour une liste exhaustive.
<B>-sR</B> RPC scan. Cette mode fonctionne en combinaison avec diverses m
odes danalyse de port de nmap. Il prend tous les ports TCP/UDP
ouverts et les inonde de commandes SunRPC NULL pour drminer ceux
qui sont des ports RPC, et si cest le cas, le programme et son
num de version qui les servent. Vous pouvez obtenir la m infor-
mation que rpcinfo -p m si le portmapper cible est derri un
pare-feu (ou prot par un wrapper TCP). Les leurres ne fonction-
nent pour le moment pas avec les scans RCP, et je dois ajouter
le support pour les leurres dans les scans UPD RCP.
<B>-sL</B> scan-liste. Cette mode gre une liste dIP/nom sans les pinger ou
les scanner. La rlution de nom DNS sera rissauf si vous utilisez
-n.
<B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>host&gt;</B>
attaque par rebond FTP : Une caractstique intssante du protocole
ftp (RFC 959) est le support des connexions <B>proxy</B>. En dautres
termes, je dois e capable de me connecter depuis mechant.com au
serveur FTP de cible.com et demander que le serveur envoie un
fichier NIMPORTE O sur Internet. fonctionnait bien en 1985
quand la RFC a ite. Mais dans lInternet daujourdhui nous ne
pouvons pas nous permettre davoir des pirates qui durnent des
serveurs ftp et envoient des donn nimporte o s Internet.
Javais it en 1995 que ce dut du protocole « peut e utilisour
envoyer des courriers et nouvelles intracables, matraquer des
serveurs de sites, saturer les disques, essayer de contourner
les pare-feux et gralement e difficile ep r ». On peut aussi
lexploiter pour faire un scan des ports TCP depuis un serveur
ftp « proxy ». Ainsi, vous pouvez vous connecter n serveur ftp
derri un pare-feu et scanner les ports sans e bloqu139 est un
bon nombre). Si le serveur ftp autorise la lecture et l iture
dans certains rrtoires (tel que /incoming), vous pouvez envoyez
des donn arbitraires aux ports que vous avez trouvuvert (nmap ne
le fera toutefois pas pour vous)
Largument pass loption <B>-b</B> est lhque vous voulez utiliser
comme proxy, dans la notation URL standard. Le format est :
<I>username:password@server:port.</I> Tout sauf <I>server</I> est optionnel.
Pour drminer les serveurs qui sont vulnbles ette attaque, vous
pouvez voir mon article dans <I>Phrack</I> 51. Une version mise our est
disponible URL http://www.insecure.org/nmap.
<B>OPTIONS</B> <B>GALES</B>
Aucune nest nssaire, mais certaines peuvent e trutiles.
<B>-P0</B> Ne pas essayer de ping sur les h avant de les analyser. Cela
permet lanalyse des raux qui ne permettent pas les requs ou les
rnses ICMP ravers leurs pare-feux. Microsoft.com en est un
exemple, et vous devez toujours utiliser <B>-P0</B> ou <B>-PT80</B> pour faire
une analyse de port sur microsoft.com.
<B>-PT</B> Utilise TCP "ping" pour drminer les h actifs. Au lieu denvoyer
une requ d o ICMP et dattendre une rnse, nous envoyons des
paquets TCP ACK dans le rau cible (ou contre une machine) et
attendons des rnses pour conclure. Les h devraient rndre par un
RST. Cette option prrve lefficacites scan des h qui sont actifs
mais autorise lanalyse des h/raux qui bloquent les paquets de
ping. Pour les utilisateurs non root, nous utilisons connect().
Pour sp fier le port de destination du test utilisez -PT&lt;port
number&gt;. Le port par dut est 80, car ce port nest pas souvent
filtr .TP <B>-PS</B> Cette option utilise des paquets SYN (demande de
connexion) a place des paquets ACK pour les utilisateurs ROOT.
Les h actifs devrait rndre par un RST (ou, rarement par un SYN |
ACK).
<B>-PI</B> Cette option utilise un vtable paquet ping (requ do ICMP). Il
recherche les h actifs et aussi regarde les adresses de diffu-
sion des sous-raux. Il y a des adresses IP qui sont joignable de
lext eur et qui sont traduites en une diffusion de paquet
entrant dans un rau. devrait e supprimsi duvert, car permet un
grand nombre dattaques de d de service.
<B>-PP</B> utilise un paquet ICMP de requ destampille temporelle (code 13)
pour drminer les h qui utent.
<B>-PM</B> Fait la m chose que <B>-PI</B> et <B>-PP</B> sauf quil utilise une requ de
masque de sous-rau (ICMP code 17).
<B>-PB</B> Cest le ping par dut. Il utilise les balayages ACK ( <B>-PT</B> ) et
ICMP ( <B>-PI</B> ) en parall. De cette mani, vous pouvez passer les
pare-feux qui ne filtrent que lun des deux types de paquets.
<B>-O</B> Cette option active lidentification de lh distant via
lempreinte TCP/IP. Autrement dit, nmap utilise un ensemble de
techniques pour d cter les subtilit dans la pile rau du syst
dexploitation de lordinateur que vous s en train danalyser.
Il utilise ces informations pour cr une « empreinte » qui est
comparavec sa base de donn dempreintes connues (le fichier
nmap-os-fingerprints) pour retrouver le type de syst que vous s
en train danalyser.
Si Nmap est incapable de deviner le syst dexploitation de la
machine, et que les conditions sont bonnes (par exemple, au
moins un port est ouvert) Nmap fournira une URL que vous pourrez
utiliser pour soumettre si vous connaissez avec certitude le nom
du syst dexploitation ui appartient cette nouvelle empreinte.
Vous contribuerez ainsi ugmenter le nombre de systs dexploita-
tions dctable par nmap et la la prsion de la d ction. Si vous
laissez une adresse IP dans le formulaire, la machine pourra e
analyslorsque nous ajouterons lempreinte (pour valider que
marche).
Loption -O active aussi plusieurs autres tests. Lun dentre
eux est la mesure de « uptime » (duruldepuis le dernier redrrage
du syst ), qui utilise lestampille TCP (RFC 1323) pour deviner
la date du dernier redrrage de la machine. Ceci nest rapport ue
pour les machines qui fournissent cette information.
Un autre test activar -O est la classification de la prction de
la sence TCP. Cest une mesure qui d it approximativement la
difficult blir une connexion TCP forgcontre lhdistant. Cest
utile pour exploiter les relations de confiances fond sur lIP
source (rlogin, firewall filters, etc) ou pour cacher la source
dune attaque. La valeur rle de la difficult st calcul sur un
antillon et peut fluctuer. Il est g ralement plus appropri
utiliser une classification par nom tel que « worthy chal-
lenge » ou « trivial joke ». Ceci nest rapportans la sortie
normale quavec loption -v.
Si le mode verbeux (-v) est activn m temps que -O, la gration de
s ence IPID est aussi rapport La plupart des machines appartien-
nent a classe incrntale, ce qui signifie quelle incr nte le
champ ID dans lent IP pour chaque paquet envoyCe qui les rend
vulnbles a collecte dinformation avanc et aux attaques par
usurpation.
<B>-I</B> Active lanalyse TCP reverse ident. Dave Goldsmith dans un mes-
sage ugtraq en 1996, a fait remarquer que le protocole ident
(rfc 1413) autorise la duverte du nom dutilisateur qui poss un
processus connectia TCP, m si le processus nest pas instiga-
teur de la connexion. Vous pouvez ainsi vous connecter au port
http et utiliser identd pour duvrir si le serveur tourne sous
root. Ceci ne peut e fait quavec une connexion TCP compl sur
le port cible (i.e. loption danalyse -sT). Quand <B>-I</B> est utilis
lidentd de lhdistant est interrogour chaque port ouvert trouv
idemment ne fonctionne pas si lhnutilise pas identd.
<B>-f</B> Cette option oblige les analyses FIN, XMAS, ou NULL tiliser de
petit paquets IP fragment Lid est de partager lent TCP en
plusieurs paquets pour rendre leurs dctions plus difficile par
les filtres et les systs de dction dintrusion, et les autres
enquiquineurs qui tentent de dcter ce que vous s en train de
faire. Faites attention avec ceci, certains programmes ont des
difficultavec ces petits paquets. Mon sniffer favori plante imm
atement lorsquil ret le premier fragment de 36 octets. Cette
option est inefficace contre les filtreurs de paquets et les
pare-feux qui r semblent les fragments IP (comme loption CON-
FIG_IP_ALWAYS_DEFRAG dans le noyau Linux), certains raux ne peu-
vent pas supporter cette perte de performance et ne rsemblent
pas les paquets.
Remarquez que je nai pas encore fait fonctionner cette option
sur tous les systs. marche parfaitement sur les machines Linux,
FreeBSD et OpenBSD et certaines personnes mont rapporteurs succ
avec dautres saveurs dUnix.
<B>-v</B> Mode verbeux. Cest une option hautement recommandqui fournit
beaucoup dinformations sur ce que vous s en train de faire.
Vous pouvez lutiliser deux fois pour un effet plus important.
Utiliser <B>-d</B> une paire de fois si vous voulez vraiment devenir
fou avec le dlement de lan !
<B>-h</B> Cette option affiche un bref rpitulatif des options de nmap.
Comme vous lavez sans doute remarqucette page de manuel nest
pas vraiment un « bref rpitulatif ». :)
<B>-oN</B> <B>&lt;logfilename&gt;</B>
Enregistre les rltats de vos analyses dans un format <B>lisible</B> <B>par</B>
<B>un</B> <B>humain</B> dans le fichier spfin argument.
<B>-oX</B> <B>&lt;logfilename&gt;</B>
Enregistre le rltat de vos analyses dans un format <B>XML</B> dans le
fichier sp fi n argument. Ceci permet es programmes dinterprr
facilement les rltats de nmap. Vous pouvez donner largument
<B>-</B> (sans les guillemets) pour envoyer la sortie sur la sortie
standard (pour les pipelines shells, etc). Dans ce cas la sor-
tie normale sera supprim Regardez attentivement les messages
derreurs si vous utilisez ceci (ils sont encore envoy sur la
sortie derreur standard). Notez aussi que <B>-v</B> peut afficher des
informations supplntaires. La dnition de type de document (DTD)
d nissant la structure de la sortie XML est disponible
ttp://www.insecure.org/nmap/data/nmap.dtd .
<B>-oG</B> <B>&lt;logfilename&gt;</B>
Enregistre les rltats de vos analyses dans une forme adapt pour
<B>grep.</B> Ce format simple fournit toutes les informations sur une
ligne. Cest le mnisme prres programmes qui interagissent avec
nmap, mais drmais nous recommandons pluta sortie XML (-oX). Ce
format simple ne contient pas autant dinformations que les
autres formats. Vous pouvez donner largument «<B>-</B>» (sans les
guillemets) pour envoyer la sortie sur la sortie standard (pour
les pipelines shells, etc). Dans ce cas la sortie normale sera
supprim Regardez attentivement les messages derreurs si vous
utilisez ceci (ils sont encore envoysur la sortie derreur stan-
dard). Notez aussi que <B>-v</B> peut afficher des informations suppl
ntaires.
<B>-oA</B> <B>&lt;logfilename&gt;</B>
indique map denregistrer dans tous les formats majeurs (normal,
grep et XML). Vous fournissez le prxe du nom de fichier et les
sorties auront respectivement les suffixes .nmap, .gnmap et .xml
.
<B>-oS</B> <B>&lt;logfilename&gt;</B>
enregistre les rltats de vos analyses en format <B>script</B> <B>kiddie</B>
(NdT : Cest un langage dans lequel certaines lettres sont
remplac par des chiffres/symboles typiquement exemple A devient
4, E devient 3, etc. Cette langue est utilispar les « cowboyz »
dInternet. Cette population folklorique amuse beaucoup les
autres internautes, au point quil existe une option pour eux
dans nmap) V0u$ poUV3z dOnn3r l4rgUm3nt <B>-</B> (s4ns l3$
guIll3m3ts) poUr 3nvoy3r l4 sOrti3 sUr l4 $orti3 $t4nd4rd.
<B>--resume</B> <B>&lt;logfilename&gt;</B>
Lanalyse dun rau qui a annulpar un Ctrl-C, probl de rau, etc.
peut e reprise en utilisant cette option. logfilename doit e
soit un log normal (-oN) soit un log lisible par une machine
(-oM) dune analyse avort Aucune autre option ne peut e donn (ce
sont obligatoirement les ms que celles du scan avort Nmap drrera
sur la machine aprla derni machine qui a analysavec succdans le
fichier de log.
<B>--append_output</B>
indique map dire a fin des fichiers de sortie au lieu de les
aser.
<B>-iL</B> <B>&lt;inputfilename&gt;</B>
Lit les spfications de la cible depuis le fichier sp fi lut ue
depuis la ligne de commande. Le fichier doit contenir une liste
dh, dexpressions de raux sr par des espaces, tabulations ou
retour chariots. Utilisez le tiret pour lire depuis stdin
(comme la fin dun pipe). Voyez la section <I>spfication</I> <I>de</I> <I>cible</I>
pour plus dinformation sur les expressions que vous pouvez met-
tre dans le fichier.
<B>-iR</B> Cette option indique map de grer ses propres hnalyser par tirage
al oire :). ne finit jamais. peut e utile pour un antillon
dInternet pour estimer diverses choses. Si vous vous ennuyez,
essayez <I>nmap</I> <I>-sS</I> <I>-iR</I> <I>-p</I> <I>80</I> pour rechercher des serveurs web
egarder.
<B>-p</B> <B>&lt;port</B> <B>ranges&gt;</B>
Cette option spfie les ports que vous voulez essayer. Par exem-
ple -p 23 nessayera que le port 23 of de lhcible. -p
20-30,139,60000- analysera les ports entre 20 et 30, le port
139, et tous les ports supeurs 0000. Le comportement par dut est
danalyser tous les ports de 1 024 ainsi que tous les ports list
dans les fichiers de services fournis avec nmap. Pour lanalyse
par IP (-sO), ceci spfie le num de protocole que vous voulez
analyser
Lorsque vous scannez les ports TCP et UPD vous pouvez spfier un
protocole particulier en prxant les nums de ports par « T »: ou
« U: ». Leffet du spficateur dure jusque que vous en spfiez
un autre. Par exemple, largument « -p
U:53,111,137,T:21-25,80,139,8080 » scannera les ports UDP 53,
111 et 137 ainsi que les ports TCP mentionn Remarquez que pour
scanner UDP et TCP, vous devez spfier -sU et au moins une anal-
yse TCP (telle que -sS, -sF ou -sT). Si aucune sp fication de
protocole nest indiqu les nums de ports sont ajoutous les pro-
tocoles.
<B>-F</B> <B>Fast</B> <B>scan</B> <B>mode.</B>
Spfie que vous ne voulez analyser que les ports list dans le
fichier des services livrvec nmap (ou le fichier des protocoles
pour -sO). Cest demment plus rapide que danalyser les 65535
ports dun h
<B>-D</B> <B>&lt;decoy1</B> <B>[,decoy2][,ME],...&gt;</B>
r ise un scan avec leurres. Du point de vue de lhdistant, les h
leurres apparaont comme sils analysaient aussi le r au cible.
Ainsi, les syst s de dction dintrusion ne pourront pas savoir
parmi lensemble des IP qui semblent les scanner quelle est lIP
qui effectue r lement lanalyse et quelles IP ne sont en ritue
dinnocent leurres. Bien que ceci puisse e contrar path trac-
ing, response-dropping, et dautres mnismes actifs, cest grale-
ment une technique efficace pour dissimuler son adresse IP.
Srez chaque hleurre par des virgules, et vous pouvez option-
nellement utiliser <B>ME</B> (Moi) comme lun des leurres pour repr
nter la position que vous voulez utiliser pour votre adresse.
Si vous utilisez <B>ME</B> au dele la 6 position, la plupart des d
cteurs de scan (m lexcellent scanlogd de Solar Designer) seront
incapables de voir votre adresse IP. Si vous nutilisez pas
<B>ME</B>, nmap choisira une position aloire.
Remarquez que les h leurres doivent e actifs ou vous risquez
accidentellement de faire une inondation SYN sur vos cibles. Il
est aussi presque facile de drminer qui est en train de scanner
si seul une seule machine est active sur le rau. Vous pouvez
vouloir utiliser des adresses IP a place des noms (ainsi les r
aux leurres ne vous verront pas dans les logs du serveurs de
nom).
Remarquez lement que quelques dcteurs (stupides) de scan blo-
queront les h qui tentent des scans de ports. Aussi vous pouvez
par inadvertance bloquer laccdes machines leurres a machine
cible. Ceci peut provoquer de grave probls aux machines cibles
si le leurre sav e sa passerelle internet ou m « localhost ».
Il faut donc utiliser prudemment cette option. La vraie morale
de cette histoire est que les dcteurs de scan ne doivent pas
prendre de mesures contre les machines qui semblent les anal-
yser, car il se peut que ce soit des leurres !
Les leurres sont utilispour le scan initial (en utilisant ICMP,
SYN, ACK, ou autre chose) et pendant la vtable phase de scan.
Les leurres sont aussi utilispendant la dction de lh distant (
<B>-O</B> ).
Il ne faut pas oublier que dutiliser un trop grand nombre de
leurres peut ralentir le scan et m le rendre imprs. De plus cer-
tains fournisseurs dacc nternet (FAI) filtreront vos paquets
usurp bien que la plupart napplique aucune restriction sur les
paquets usurp
<B>-S</B> <B>&lt;adresse_ip&gt;</B>
Dans certaines circonstances, <I>nmap</I> est incapable de drminer
ladresse source. <I>Nmap</I> vous avertira si cest le cas). Dans
cette situation, utilisez -S avec votre adresse IP (ou linter-
face depuis laquelle vous voulez envoyer les paquets).
Une autre utilisation possible de ce drapeau est dusurper le
scan pour faire croire aux cibles que <B>quelquun</B> <B>dautre</B> <B>les</B>
<B>scanne.</B> Imaginez une entreprise qui se croit rliment scann par
un concurrent ! Ce nest pas lutilisation premi ni le but
principal de ce drapeau. Je pense que cest juste une
possibilit ntssante pour les personnes qui sont au courant avant
quelles nen accusent dautres de les scanner. <B>-e</B> est g rale-
ment requis pour ce type dutilisation.
<B>-e</B> <B>&lt;interface&gt;</B>
indique linterface r au tiliser pour envoyer et recevoir les
paquets. <B>Nmap</B> devrait e capable de dcter ceci mais il vous pr
endra sil ny parvient pas.
<B>-g</B> <B>&lt;portnumber&gt;</B>
Spfie le num de port source dans le scan. Beaucoup de pare-feux
et de filtreur de paquets na feront une exception dans leurs res
pour autoriser le passage des paquets DNS (53) ou FTP-DATA (20)
pour blir une connexion. idemment rit complment les avantages
de s ritun pare-feu puisque les intrus nont que diser en FTP
ou DNS en modifiant leur port source. idemment pour un scan UDP
vous devriez utiliser 53 en premier et pour les scans TCP vous
devriez utiliser 20 avant 53. Remarquer que ce nest quune
requ -- nmap ne le fera que sil y parvient. Par exemple, vous
ne pouvez pas faire des analyse en parall avec un seul port.
Aussi <B>nmap</B> changera le port source m si vous utilisez <B>-g</B>.
Sachez quil y a une petite plite performance sur certains scans
si vous utilisez cette option, parce que jenregistre parfois
des informations utiles dans le num de port source.
<B>--data_length</B> <B>&lt;nombre&gt;</B>
Normalement nmap envoie des paquets minimalistes qui ne contien-
nent que len-t. Ainsi, les paquets TCP font 40 octets et les
requ s do ICMP, 28 octets. Cette option indique map dajouter
le nombre spfioctets initialis a plupart des paquets quil
envoie. La dction de syst dexploitation (-O) nest pas affect
mais la plupart des paquets de ping et de scan de port le sont.
ralentit les choses, mais peut e un peu moins voyant.
<B>-n</B> Dit map de ne <B>JAMAIS</B> faire de rlution DNS inverse sur une
adresse IP active. Comme DNS est souvent lent, peut aider cc rer
les choses.
<B>-R</B> Dit map de <B>TOUJOURS</B> faire la rlution DNS inverse des adresses IP
cibles. Normalement ceci nest fait que pour les machines
vivantes.
<B>-r</B> Dit map <B>DE</B> <B>NE</B> <B>PAS</B> changer aloirement lordre dans lequel les
ports seront analys
<B>--randomize_hosts</B>
Dit map de mnger chaque groupe comprenant jusqu048 h avant de
les analyser. Ceci rend les scans moins dents e nombreux systs
de surveillance rau, particuliment quand vous le combinez avec
des options pour ralentir le timing (voir ci-dessous).
<B>-M</B> <B>&lt;max</B> <B>sockets&gt;</B>
Sp fie le nombre maximum de sockets qui seront utilisen parall
pour le scan TCP connect() (celui par d ut). Cest utile pour
ralentir lrement le scan et ter de crasher les machines cibles.
Une autre approche consiste tiliser <B>-sS</B>, qui est gralement plus
facile r pour les machines.
<B>OPTIONS</B> <B>TIMING</B>
g ralement nmap parvient ajuster correctement aux caractstiques
du rau et nalyser aussi vite que possible tout en minimisant la
probabilit e dctCependant, il y a des cas o timings par dut de
Nmap ne correspondent pas os objectifs. Les options suivantes
permettent un contrfin des timings :
<B>-T</B> <B>&lt;Paranoid</B> <B>|</B> <B>Sneaky</B> <B>|</B> <B>Polite</B> <B>|</B> <B>Normal</B> <B>|</B> <B>Aggressive</B> <B>|</B> <B>Insane&gt;</B>
Ce sont les diffntes politiques de timing pour communiquer de
mani pratique vos prioritmap.
<B>Paranoid</B> analyse <B>trlentement</B> dans lespoir dter de rep par les
syst de d ction dintrusion. Il salise tous les scans (pas de
scan parall) et attend au moins 5 minutes entre les envois de
paquets.
<B>Sneaky</B> cest la m chose, sauf quil attend 15 secondes entre les
envois de paquets.
<B>Polite</B> essaye de minimiser la charge sur le rau et de r ire la
probabilit e crasher des machines. Il salises les test et attend
<B>au</B> <B>moins</B> 0,4 secondes entre chaque.
<B>Normal</B> cest le comportement par dut de Nmap, qui essaye de sex
ter aussi vite que possible sans surcharger le rau ou oublier
des h/ports.
<B>Aggressive</B> ajoute un dmpte de 5 minutes par het nattends jamais
les rnses individuelles plus de 1.25 secondes.
<B>Insane</B> ne convient quaux raux ultra-rapides os ne risquez par
de perdre dinformations. Il ajoute un dmpte de 75 secondes et
nattend les r nses individuelles que pendant 0,3 secondes. Il
permet de balayer trrapidement les raux. Vous pouvez aussi r
rencer ces modes par num (0-5). Par exemple, -T 0 donne le
mode Paranoid et -T 5 le mode Insane.
Ces modes timings NE devrait PAS e utiliser en combinaison avec
les contr de bas niveau donnci-dessous.
<B>--host_timeout</B> <B>&lt;millisecondes&gt;</B>
Sp fie la durque <B>nmap</B> est autorisonsacrer analyse dun hunique
avant dabandonner cette IP. Par dut il ny a pas de temps lim-
ite pour un h
<B>--max_rtt_timeout</B> <B>&lt;millisecondes&gt;</B>
Sp fie la durmaximale que <B>nmap</B> peut laisser suler en attendant
une rnse es tests avant de retransmettre ou de laisser tomber.
La valeur par dut est 9 000.
<B>--min_rtt_timeout</B> <B>&lt;millisecondes&gt;</B>
Quand les h cibles commencent tablir un mod de rnse trrapide-
ment, <B>nmap</B> diminuera la duraccordpar test. Ceci augmente la
vitesse du scan, mais peut conduire a perte de paquets quand une
rnse prend plus de temps que dhabitude. Avec ce param e vous
pouvez garantir que <B>nmap</B> attende au moins une certaine duravant
de laisser tomber un test.
<B>--initial_rtt_timeout</B> <B>&lt;millisecondes&gt;</B>
Spfie le dmpte du test initial. Ce nest g ralement utile que
lors de lanalyse dhderri un pare-feu avec -P0. Normalement
<B>nmap</B> obtient de bonnes estimations artir du ping et des premiers
tests. Le mode par dut est 6 000.
<B>--max_parallelism</B> <B>&lt;nombre&gt;</B>
Sp fie le nombre maximum de scans que <B>nmap</B> est autoris mener en
parall. Positionner ceci signifie que <B>nmap</B> nessayera jamais
de scanner plus dun port a fois. Ce nombre affecte aussi les
autres scans parall comme le balayage de ping, RPC scan, etc.
<B>--scan_delay</B> <B>&lt;millisecondes&gt;</B>
Spfie la dur <B>minimum</B> que <B>nmap</B> doit laisser s uler entre ses
envois. Cest utile pour rire la charge du rau ou pour ralentir
le dt du scan afin de ne pas atteindre le seuil de d enchement
des systs de dction dintrusion.
</PRE>
<H2>SPIFICATION DE CIBLE</H2><PRE>
Tout ce qui nest pas une option ou un argument doption est traitar
nmap comme une spfication dh Le cas le plus simple et une liste de nom
dh ou dadresse IP sur la ligne de commande. Si vous voulez analyser
un sous rau dadresses IP vous pouvez ajouter <B>/mask</B> au nom dh <B>mask</B>
doit e compris entre 0 (scanner tout internet) et 32 (scanner un seul h
. Utiliser /24 pour analyser des adresses de classe C et /16 pour la
classe B.
<B>Nmap</B> utilise une notation puissante pour spfier une adresse IP en util-
isant des listes/intervalles pour chaque ment. Ainsi vous pouvez anal-
yser tout un rau de classe B 192.168.*.* en spfiant 192.168.*.* ou
192.168.0-255.0-255 ou m 192.168.1-50,51-255.1,2,3,4,5-255. Et bien
s ous pouvez utiliser la notation mask : 192.168.0.0/16. Elles sont
toutes ivalentes Si vous utilisez des astsques (*), souvenez-vous que
la plupart des shells nssitent que vous les prdiez par des anti-slash
ou que vous les protez par des guillemets.
Une autre chose intssante aire et de duper Internet : au lieu de scan-
ner les h dans une classe B, scanner *.*.5.6-7 pour analyser toutes
les adresses IP se terminant par .5.6 ou .5.7. Pour plus dinformations
sur la spfication des h nalyser, voyez la section <I>exemples.</I>
</PRE>
<H2>EXEMPLES</H2><PRE>
Voici quelques exemples dutilisation de <B>nmap</B> du plus simple au plus
compliquRemarquez que les noms et adresses sont utilis pour rendre les
choses plus concr s. leur place vous devriez substituer les noms et
adresses de <B>votre</B> <B>propre</B> <B>rau.</B> Je ne pense pas que lanalyse de ports
dautres raux soit illle, ni que lanalyse de ports doit e conside par
les autres comme une attaque. Jai analyses centaines de milliers de
machines et je nai re quune seule plainte. Mais je ne suis pas
juriste et certaines personnes pourraient e ennuy par les tests de
<I>nmap.</I> Aussi demandez pr ablement la permission ou utilisez <B>nmap</B> os
risques et pls.
<B>nmap</B> <B>-v</B> <B>cible.exemple.com</B>
Cette option analyse tous les ports TCP rrvsur la machine cible.exem-
ple.com . Le -v signifie dactiver le mode verbeux.
<B>nmap</B> <B>-sS</B> <B>-O</B> <B>cible.exemple.com/24</B>
Envoie un scan SYN furtif contre chaque machine active parmi les 255
machines de classe C qui sont sur cible.exemple.com. Il essaye aussi
de drminer quel syst dexploitation fonctionne sur chaque h Ceci nssite
les privils root en raison du scan SYN et de la d ction de syst
dexploitation.
<B>nmap</B> <B>-sX</B> <B>-p</B> <B>22,53,110,143,4564</B> <B>198.116.*.1-127</B>
Envoie un scan Xmas tree a premi moitie chacun des 255 sous-raux de
lespace dadresse de classe B 198.116. Nous sommes en train de tester
si les syst s font fonctionner sshd, DNS, pop3d, imapd, ou port 4564.
Remarquez que les scan Xmas ne fonctionnent pas contre les machines
Microsoft en raison de leur pile TCP dciente. Le m probl se produit
aussi avec les machines CISCO, IRIX, HP/UX, et BSDI.
<B>nmap</B> <B>-v</B> <B>--randomize_hosts</B> <B>-p</B> <B>80</B> <B>*.*.2.3-5</B>
Plutue de se concentrer sur une plage spfique dIP, il est parfois int
ssant de duper lensemble dInternet et danalyser un petit antillon de
chaque tranche. Cette commande trouve tous les serveurs web sur des
machines dont ladresse IP se termine par .2.3, .2.4 ou .2.5 . Si vous
s root, vous pouvez aussi ajouter <B>-sS</B>. Vous trouverez plus de machine
intssantes en comment 27, aussi vous utiliserez 127-222 a place de la
premi astsque car cette section poss une plus grande densit e machine
intssantes.
<B>host</B> <B>-l</B> <B>company.com</B> <B>|</B> <B>cut</B> <B>-d</B> <B></B> <B>-f</B> <B>4</B> <B>|</B> <B>./nmap</B> <B>-v</B> <B>-iL</B> <B>-</B>
Fait un transfert DNS pour duvrir les h de company.com et utiliser
leurs adresses IP pour alimenter <I>nmap</I>. Les commandes ci-dessus sont
pour mon ordinateur GNU/Linux. Vous pouvez avoir besoin dautres com-
mandes/options pour dautres systs dexploitations.
</PRE>
<H2>BOGUES</H2><PRE>
Bogues ? Quels bogues ? Envoyez-moi tout ce que vous trouverez. Les
patchs sont les bienvenus. Souvenez-vous que vous pouvez aussi envoyer
les empreintes de nouveaux systs dexploitation pour enrichir la base
de donn. Si une empreinte appropriest trouv Nmap affichera lURL aque-
lle vous pourrez lenvoyer.
</PRE>
<H2>AUTEUR</H2><PRE>
Fyodor <I>&lt;fyodor@insecure.org&gt;</I>
</PRE>
<H2>DISTRIBUTION</H2><PRE>
La derni version de <I>nmap</I> peut e obtenu depuis <I>http://www.inse-</I>
<I>cure.org/nmap/</I>
<I>nmap</I> est (C) 1995-2001 par Insecure.Com LLC
<I>libpcap</I> est aussi distribuavec nmap. Il est copyrightar Van Jacobson,
Craig Leres et Steven McCanne, tous du Lawrence Berkeley National Labo-
ratory, University of California, Berkeley, CA. La version distribuavec
nmap peut e modifi les sources dorigine sont disponibles
tp://ftp.ee.lbl.gov/libpcap.tar.Z .
Ce programme est un logiciel libre, vous pouvez le redistribuer et/ou
le modifier sous les termes de la GNU General Public License telle que
publi par par la Free Software Foundation ; Version 2. Ceci garantit
votre droit dutiliser, modifier et redistribuer Nmap sous certaines
conditions. Si cette licence est inacceptable pour vous, Insecure.Org
pourrait ntuellement vendre dautres licences. (contacter <B>fyo-</B>
<B>dor@dhp.com</B>).
Les sources sont fournies avec ce logiciel car nous croyons que les
utilisateurs ont le droit de savoir exactement ce que fait un programme
avant de le lancer. Ceci vous permet aussi dauditer le logiciel pour
rechercher des trous de sritaucun na trouvusqurnt).
Le code source vous permet aussi de porter Nmap vers de nouvelles
plates-formes, corriger des bogues et ajouter de nouvelles caract
stiques. Vous s vivement encourag envoyer vos modifications fBfyo-
dor@insecure.org pour une ntuelle incorporation dans la distribution
principale. En envoyant ces modifications yodor ou uelquun de la liste
de diffusion de dloppement de insecure.org, il est supposue vous offrez
Fyodor le droit illimitt non exclusif de r iliser, modifier et reli-
cencier le code. Cest important parce que limpossibilite relicencier
le code a provoques probls dstateurs dans dautres projets de logiciel
libre (comme KDE et NASM). Nmap sera toujours disponible en Open
Source. Si vous drez spfier des conditions particulis de licence pour
vos contributions, dites-le nous simplement quand vous nous les
envoyez.
Ce programme est distribuans lespoir d e utile, mais <B>SANS</B> <B>AUCUNE</B>
<B>GARANTIE</B> m la garantie implicite relative a <B>QUALIT</B> <B>MARCHANDE</B> ou
<B>DAPTITUDE</B> <B>UNE</B> <B>UTILISATION</B> <B>PARTICULIE.</B> Voir la licence GPL (cest le
fichier COPYING de la distribution <I>nmap</I>.
Remarque : Nmap a d fait planter certaines applications, des piles
TCP/IP et m des systs dexploitations mal its. Par cons ent <B>Nmap</B> <B>ne</B>
<B>devrait</B> <B>jamais</B> <B>e</B> <B>utilisontre</B> <B>des</B> <B>systs</B> <B>qui</B> <B>ont</B> <B>une</B> <B>mission</B> critique
oins que vous ne soyez prouffrir dune ntuelle interruption de service.
Nous reconnaissons ici que nmap peut crasher vos systs et raux mais
nous ne sommes pas responsables des dts que Nmap pourrait provoquer.
En raison du lr risque de crashs et parce que quelques personnes mal
intentionn utilisent nmap pour les reconnaissances pr minaires ne
attaque, certains administrateurs deviennent furieux et se plaignent
quand leurs systs sont scann Cest pourquoi il est plus sage de deman-
der la permission avant de lancer lanalyse dun rau.
Nmap ne devrait jamais e lancvec des privils (par exemple suid root)
pour des raisons de srit.Sp Toutes les versions de Nmap posteures a 2.0
sont compatibles an 2000. Il ny a aucune raison de penser que les ver-
sions anteures ont des probls, mais nous ne les avons pas test.
</PRE>
<H2>TRADUCTION</H2><PRE>
Sstien Blanchet, 2002 &lt;sebastien.blanchet AT free.fr&gt;
</PRE>
<H2>RELECTURE</H2><PRE>
Grd Delafond
<B>NMAP(1)</B>
</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>

787
docs/nmap_manpage-it.html Normal file

@@ -0,0 +1,787 @@
<HTML>
<HEAD>
<TITLE>Nmap network security scanner man page (Italian translation)</TITLE>
</HEAD>
<BODY>
<H1>Nmap network security scanner man page (Italian translation)</H1>
<HR>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
<B>NMAP(1)</B> <B>NMAP(1)</B>
</PRE>
<H2>NOME</H2><PRE>
nmap - Utility di esplorazione per le rete e security scanner
</PRE>
<H2>SINTASSI</H2><PRE>
<B>nmap</B> [Tipi Scan] [Opzioni] &lt;host o rete #1 ... [#N]&gt;
</PRE>
<H2>DESCRIZIONI</H2><PRE>
<I>Nmap</I> rogettato per permettere agli ammistratori di sistema e alle per-
sone curiose lo scan di grandi reti al fine di determinare quali host
sono attivi e quali servizi offrono. <I>nmap</I> supporta un grande numero di
tecniche per lo scanning come ad esempio: UDP, TCP connect(), TCP SYN
(semi aperto), ftp proxy (bounce attack), Reverse-ident, ICMP (ping
sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, e scan Null. Vedete la
sezione <I>Tipi</I> <I>di</I> <I>scan</I> per ulteriori informazioni. nmap offre anche
varie caratteristiche avanzate come per esempio il rilevamento del S.O.
via TCP/IP fingerprinting, lo scan stealth (invisibile), ritardo dinam-
ico e i calcoli delle ritrasmissioni, lo scan parallelo, il rilevamento
degli host non attivi mediante i ping paralleli, lo scan mediante
decoy, il rilevamento del filtraggio delle porte, lo scan RPC diretto
(non-portmapper), lo scan di frammentazione, la specifica flessibile
della destinazione e delle porte.
Sforzi significativi sono stati impiegati nel rendere decenti le per-
formance per gli utenti non root. Sfortunatamente, molte interfacce del
kernel critiche (come ad esempio i socket raw) richiedono i privilegi
di root. nmap dovrebbe essere eseguito da root ogni volta che ossi-
bile.
Il risultato di unesecuzione di nmap i solito una lista di porte
interessanti sulla/e macchina/e, che sono state sottoposte allo scan
(se ve ne sono). Nmap da sempre il nome del servizio "ben noto" (se
noto), il numero, lo stato, e il protocollo. Lo stato pusere open
(aperto), Open significa che la macchina destinazione accetter mediante
accept()) le connessioni su quella porta. Filtered significa che un
firewall, filtro, o un altro ostacolo di rete sta coprendo la porta e
impedendo a nmap di determinare se la porta perta. Unfiltered significa
che nmap ha riconosciuto la porta come chiusa e nessun firewall/filtro
sembra aver interferito con il tentativo di nmap di rilevare se la
porta fosse aperta o chiusa. Le porte unfiltered (non-filtrate) sono
il caso piune e sono mostrate solo quando la maggior parte delle porte
esaminate sono nello stato filtered (filtrate).
A seconda delle opzioni usate, nmap puportare le seguenti caratteris-
tiche dellhost remoto: S.O. in uso, sequenziabilitCP, nomi gli utenti
che hanno eseguito i programmi che sono associati ad una data porta, il
nome del DNS, se lhost n indirizzo smurf, e poco altro.
</PRE>
<H2>OPZIONI</H2><PRE>
Le opzioni che assieme hanno senso possono essere generalmente combi-
nate. Alcune opzioni sono specifiche a date modaliti scan. <I>nmap</I> prova
a rilevare e avvisare lutente su combinazioni psicotiche o non suppor-
tate.
Se siete impazienti, potete passare direttamente alla sezioni di <I>esempi</I>
posta alla fine, che dimostra lutilizzo comune. Potete anche eseguire
<B>nmap</B> <B>-h</B> per ottenere una pagina di riferimento rapido, che elenca tutte
le opzioni.
<B>TIPI</B> <B>DI</B> <B>SCAN</B>
<B>-sT</B> Scan TCP connect(): Questa a forma base dello scan TCP. La chia-
mata di sistema connect() fornita dal vostro sistema operativo
sata per aprire una connessione ad ogni porta interessante sulla
macchina. Se la porta n ascolto, la connect() avr uogo, altri-
menti la porta non aggiungibile. Ogni utente sulla maggior
parte dei sistemi UNIX ibero di usare questa chiamata.
Questo genere di scan acilmente rilevabile in quanto i log
dellhost destinazione mostreranno un gruppo di connessioni e
messaggi di errore per i servizi che accettano la connessione
mediante accept() solo per chiuderla immediatamente dopo.
<B>-sS</B> Scan TCP SYN: Questa tecnica pesso chiamata scan "semi-aperto",
perchon aprite una completa connessione TCP. Mandate un pac-
chetto SYN, come se aveste intenzione di aprire una vera connes-
sione, e aspettate la risposta. Un SYN|ACK come risposta indica
che la porta n ascolto. Un RST ndicativa di una porta non in
ascolto. Se viene ricevuto un SYN|ACK come risposta , viene
mandato immediatamente un RST per chiudere la connessione ( allo
stato attuale il kernel del vostro S.O. lo fa per noi). Il van-
taggio primario di questa tecnica di scanning he pochi siti la
loggeranno. Sfortunatamente avete bisogno dei privilegi di root
per poter creare questi appositi pacchetti SYN.
<B>-sF</B> <B>-sX</B> <B>-sN</B>
Le modalit i scan Stealth FIN, Xmas Tree, o Null: Ci sono delle
volte che anche lo scan SYN non abbastanza anonimo. Alcuni fire-
wall e packet filter controllano i SYN per le porte riservate, e
programmi come Synlogger e Courtney sono disponibili per rile-
vare questi scan. Questi scan avanzati, daltra parte, possono
essere in grado di passare attraverso i firewall, packet filter
e/o programmi loggers indisturbati.
Lidea he le porte chiuse devono rispondere al vostro pacchetto
di prova con un RST, mentre le porte aperte devono ignorare il
pacchetto in questione (vedere RFC 793 pagina 64). Lo scan FIN
usa (sorpresa) un semplice pacchetto FIN come prova, mentre lo
scan Xmas attiva i flag FIN, URG, e PUSH. Lo scan Null disat-
tiva tutti i flag. Sfortunatamente Microsoft (come sua consuetu-
dine) ha deciso di ignorare completamente lo standard e fare le
cose a modo suo. Cosuesto tipo di scan non funziona contro i
sistemi in cui gira Windows95/NT. Se prendiamo la cosa dal punto
di vista positivo, questo fatto n buon modo per distinguere tra
le due piattaforme. Se lo scan trova porte aperte, sapete che
la macchina non n computer con Windows. Se uno scan -sF,-sX, o
-sN mostra tutte le porte chiuse, ma uno scan SYN (-sS) vi fa
vedere porte aperte, probabilmente state guardando una macchina
Windows. Questo ora eno utile in quanto nmap ha un proprio un
rilevamento di S.O. integrato. Ci sono anche alcuni altri sis-
temi che violano lo standard nella stessa maniera di Windows.
Questi includono Cisco, BSDI, HP/UX, MVS, e IRIX. Tutti i sis-
temi operativi soprastanti mandano resets da porte aperte quando
invece dovrebbero solo ignorare il pacchetto.
<B>-sP</B> Ping scanning: Alcune volte volete solo sapere quali host sulla
rete sono attivi. Nmap puoprire questo mandando pacchetti ICMP
echo request ad ogni indirizzo IP sulla rete che voi specifi-
cate. Gli host che rispondono sono attivi. Sfortunatamente,
alcuni siti come ad esempio microsoft.com bloccano i pacchetti
echo-request. Cos map pu ndare anche un pacchetto ack TCP (per
default) alla porta 80. Se ottenenete indietro un RST, la
macchina ttiva. Una terza tecnica comporta il mandare un pac-
chetto SYN e aspettare un RST o un SYN/ACK. Per gli uttenti non-
root, viene usato il metodo connect().
Di default (per gli utenti root), nmap usa le tecniche sia ICMP
che ACK in parallelo. Potete cambiare questo comportamento con
lopzione <B>-P</B> descritta successivamente.
Notate che il pinging comunque viene fatto di default, e solo
gli host che rispondono vengono sottoposti a scan. Usate questa
opzione solo se desiderate fare un ping sweep <B>senza</B> fare dei
reali portscan.
<B>-sU</B> Scan UDP: Questo metodo viene usato per determinare quali porte
UDP (User Datagram Protocol, RFC 768) sono aprte su un host. La
tecnica andare paccheti udp di 0 byte ad ogni porta sulla
macchina destinazione. Se riceviamo un messaggio ICMP port
unreachable, allora la porta hiusa. Altrimenti presumiamo che
essa sia aperta.
Alcune persone pensano che lo scan UDP sia inutile. Di solito
ricordo loro il bug recente di rcpbind in Solaris. Rpcbind pu
sere trovato nascosto su una porta UDP non documentata a patto
che essa sia maggiore di 32770. Cosi non ha importanza se la
111 loccata dal firewall. Ma, potete trovare quali porte alte
maggiori della 30.000 siano in ascolto? Con uno scanner UDP
potete! Esiste anche il programma backdoor Back Orifice del
cDc, che si nasconde su una porta UDP configurabile sulle mac-
chine Windows. Per non parlare i vari servizi comunemente vul-
nerabili che utilizzano UDP come ad esempio snmp, tftp, NFS,
ecc.
Sfortunatamente lo scan UDP lcune volte spaventosamente lento in
quanto molti host implementano la proposta di limitare il tasso
dei messaggi di errore ICMP fornita dalla RFC 1812 (sezione
4.3.2.8). Per esempio, il kernel di Linux (in net/ipv4/icmp.h)
limita la generazione dei messaggi di destination unreachable ad
80 per 4 secondi, con una penaliti 1/4 di secondo se questo lim-
ite viene sorpassato. Solaris ha limiti pietti (circa 2 mes-
saggi per secondo) e cosi si impiega pipo per lo scan. <I>nmap</I>
rileva questo tasso limitando e rallentando lo scan di con-
seguenza, piuttosto che flooddare la rete con pacchetti inutili
che saranno ignorati dalla macchina destinazione.
Come ipico, Microsoft ha ignorato la proposta della RFC e non
sembra aver imposto nessun tasso di limitazione sulle macchine
Win95 e NT. Cosossiamo fare lo scan di tutte le 65K porte di una
macchina Windows <B>molto</B> velocemente.
<B>-sA</B> Scan ACK: Questo metodo avanzato viene usato solitamente per
scoprire gli insiemi delle regole dei firewall. In particolare,
puutare determinare se un firewall sia stateful o solo un sem-
plice filtro di pacchetti che blocca i pacchetti SYN in entrata.
Questo tipo di scan manda un pacchetto ACK (con acknowledge-
ment/sequence numbers apparentemente casuali) alle porte spec-
ificate. Se si ha come ritorno un RST, le porta viene classifi-
cata come "unfiltered" (non-filtrata). Se non si ritorno ( o se
si ha come ritorno un pacchetto ICMP unreachable), la porta
viene classificata come "filtered" (filtrata). Notate che di
solito <I>nmap</I> non stampa le porte "unfiltered", cose <B>non</B> otteniamo
nessuna porta mostrata nelloutput i solito un segno che tutte
le prove sono state portate a termine ( e hanno restituito dei
RST). Questo scan ovviamente non mostrerai porte nello stato
"open" (aperto).
<B>-sW</B> Scan window: Questo scan avanzato olto simile allo scan ACK,
eccetto che alcune volte pulevare sia le port aperte che fil-
trate/non filtrate a causa di unanomalia nel TCP window size
reporting di alcuni sistemi operativi. I sistemi vulnerabili a
questo problema includono almeno alcune versioni di AIX, Amiga,
BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX,
FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep,
QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, e VxWorks. Vedere
larchivio della mailing list <I>nmap-hackers</I> per unelenco com-
pleto.
<B>-sR</B> Scan RPC. Questo metodo funziona in combinazione con i diversi
metodi di port scan di Nmap. Esso prende tutte le porte TCP/UDP
trovate aperte e poi le flodda con comandi NULL del programma
SunRPC nel tentativo di determinare se sono porte RCP, e se le
sono, quale programma e numero di versione esse servono. In
questo modo potete effettivamente ottenere le stesse infor-
mazioni di rcpinfo -p anche se il portmapper di destinazione
ietro un firewall (o protetto da TCP wrappers). I decoy non fun-
zionano allo stato attuale con lo scan RPC, in un qualche
momento posso aggiungere il supporto per i decoy negli scan RPC
UDP.
<B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>host&gt;</B>
FTP bounce attack: Una "caratteristica" interessante del proto-
collo ftp (RFC 959) l supporto per le connessioni ftp "proxy".
In altre parole, io dovrei essere in grado di connettemi da
evil.com al server FTP di target.com e richiedere che tale
server mandi un file OVUNQUE su internet! Ora questo poteva
andare bene nel 1985 quando la RFC fu scritta. Ma nellInternet
di oggi non possiamo avere persone che fanno lhijacking dei
server ftp e che richiedono che i dati siano spediti a punti
arbitrari su Internet. Come *Hobbit* scrisse nel 1995, questo
punto debole nel protocollo "pusere usato per postare mail e
news virtualmente irritracciabili, riempire i dischi, provare a
scavalcare i firewall, e generalmente astidioso e difficile da
rintracciare allo stesso tempo." Noi sfrutteremo questo prob-
lema per (sorpesa,sopresa) fare lo scan delle porte TCP da un
server ftp "proxy". Cosi potrete collegarvi a un server ftp
dietro un firewall, e poi dare lo scan di porte che sono molto
probabilmente bloccate (la 139 na porta buona). Se il server
ftp permette la lettura da e la scrittura a qualche directory
(come ad esempio /incoming), potete mandare dati arbitrari
porte che trovate aperte (anche se nmap non fa questo per voi).
Largomento passato allopzione b host che volete usare come
proxy, in una notazione standard URL. Il formato .I user-
name:password@server:porta. Tutto tranne il <I>server</I> pzionale.
Per determinare quali server siano vulenrabili a questo attacco,
potete vedere il mio articolo in <I>Phrack</I> 51. E una versione
aggiornata isponibili allURL di <I>nmap</I> (http://www.inse-
cure.org/nmap)
<B>OPZIONI</B> <B>GENERALI</B>
Nessuna di queste opzioni ichiesta ma alcune possono essere
abbastanza utili
<B>-P0</B> Non provare e fare il ping degli host completo prima di fare lo
scan degli stessi. Queso permette lo scan di reti che non perme-
ttono ICMP echo request (o risposte) attraverso il loro fire-
wall. microsoft.com n esempio di tale rete, cosovreste sempre
usare <B>-P0</B> o <B>-PT80</B> quando fate il portscan di microsoft.com
<B>-PT</B> Usate il "ping" TCP per determinare quali host sono attivi.
Invece di mandare pacchetti ICMP echo request e aspettare una
risposta, mandiamo pacchetti TCP ACK attraverso la rete desti-
nazione (o a una macchina singola) e poi aspettiamo le risposte
per ottenere informazioni sullhost. Gli host che sono attivi
dovrebbero rispondere con un RST. Questa opzione preserva leff-
icenza dellesaminare solo host che sono attivi permettendovi
anche di fare lo scan di reti/host che bloccno i pacchetti ping.
Per gli utenti non root, usiamo la funzione connect(). Per
impostare la porta di destinazione dei pacchetti di prova usiamo
-PT&lt;numero porta&gt;. La porta di default a 80, in quanto questa
porta spesso non iltrata.
<B>-PS</B> Questa opzione usa dei pacchetti SYN (richiesta di connessione)
invece dei pacchetti ACK per gli utenti root. Gli host che sono
attivi dovrebbero rispondere con un RST (o, raramente con un
SYN|ACK).
<B>-PI</B> Questa opzione usa un vero pacchetto ping (ICMP echo request).
Esso trova gli host che sono attivi e cerca anche nella vostra
rete indirizzi broadcast orientati alla sottorete. Questi sono
indirizzi IP che sono esternamente raggiungibili e traduce a un
broadcast di pacchetti in entrata a una sottorete di computer.
Questi dovrebbero essere eliminati se scoperti in quanto permet-
tono numerosi attacchi denial of service (Smurf l piune).
<B>-PB</B> Questo l tipo di ping di default. Esso usa gli sweep ACK ( <B>-PT</B> )
e ICMP ( <B>-PI</B> ) in parallelo. In questo modo potete rilevare i
firewall che filtrano uno dei due (ma non entrambe).
<B>-O</B> Questa opzione attiva lidentificazione dellhost remoto via
TCP/IP fingerprinting. In altre parole, usa uninsieme di tec-
niche per rilevare le sottigliezze nello strato sottostante
dello stack di rete del sistema operativo del computer sotto-
posto a scan. Usa questa informazione per creare una impronta
<I>(fingerprint)</I> che viene confrontata con il suo database di
impronte note relative ai vari S.O. (il file nmap-os-finger-
prints) per decidere a quale tipo di sistema state facendo lo
scan.
Se trovate una macchina che al diagnosticata e ha almeno una
porta aperta, sarebbe utile se voi mi madate via mail i dettagli
(per esempio il S.O pippo versione numero tato rilevato come
S.O. pluto versione numero1). Se trovate una macchina con almeno
una porta aperta con almeno una porta aperta per quale nmap dice
unknown operating system (sistema operativo sconosciuto),
allora sarebbe utile se mi mandaste lindirizzo IP assieme con
il nome del S.O. e il numero di versione. Se non potete mandarmi
lindirizzo IP, la cosa migliore da fare di eseguire nmap con
lopzione <B>-d</B> e mandarmi le tre fingerprint che dovreste ottenere
assieme al nome del S.O. e il numero di versione. Facendo questo
voi contribuite allelenco dei sistemi operativi conosciuti ad
nmap e cosale elenco sariurato per tutti.
<B>-I</B> Questa opzione abilita lo scanning TCP reverse ident. Come
notato da Dave Goldsmith in un post del 1996 a BugTraq, il pro-
tocollo ident (rfc 1413) permette di scoprire il nome
dellutente appartenente ad ogni processo connesso via TCP,
anche se il processo non ha iniziato una connessione. Cos otete,
per esempio collegarvi alla porta http e poi usare identd per
scoprire se il server n esecuzione con i diritti di root. Questo
scan pu sere fatto solo con una connessione TCP completa alla
porta destinazione (per esempio con lopzione -sT). Quando viene
usata lopzione <B>-I</B> lidentd dellhost remoto viene interrogato
per ogni porta aperta. Ovviamente questo scan non funziona se
nellhost non n esecuzione identd.
<B>-f</B> Questa opzione provoca gli scan SYN, FIN, XMAS, o NULL ad usare
minuscoli pacchetti IP frammentati. Lidea i suddividere
lheader TCP in diversi pacchetti per rendere pificile ai filtri
di pacchetti (packet filters), ai sistemi di rilevamento delle
intrusioni (IDS), e altre seccature rilevare quello che state
facendo. State attenti con questa opzione! Alcuni programmi
hanno problemi nella gestione di questi pacchetti minuscoli. Il
mio sniffer preferito ndato in segmentation fault immediatamente
dopo aver ricevuto il primo frammento di 36-byte. Dopo quello ne
viene mandato unaltro da 24 byte! Sebbene questo metodo non
passer filtri di pacchetto e firewall che mettono in coda tutti
i frammenti IP (come lopzione CONFIG_IP_ALWAYS_DEFRAG nel ker-
nel Linux), alcune reti non possono permettersi labbattimento
delle prestazioni che questa opzioni causa e cosa lasciano dis-
abilitata.
Notate che non ho ancora questa opzione funzionante su tutti i
sistemi. Funziona bene per le mie mcchine Linux, FreeBSD, e
OpenBSD e alcune persone hanno r con altre varianti *NIX.
<B>-v</B> Modalit erbose. Questa nopzione altamente raccomandata e da
molte piormazioni su quello che sta accadendo. Potete usarla
due volte per ottendere maggiori effetti. Usate <B>-d</B> un paio di
volte se volete realmente impazzire con lo scrolling dello
schermo!
<B>-h</B> Questa comoda opzione mostra una schermata di riferimento rapido
sulle opzioni di utilizzo di nmap. Come potete aver notato,
questa man page non sattamente un riferimento rapido :)
<B>-oN</B> <B>&lt;nomefiledilog&gt;</B>
Questa opzione logga i risultati dei vostri scan nella normale
forma <B>chiaramente</B> <B>leggibile</B> nel file che specificate come argo-
mento.
<B>-oM</B> <B>&lt;nomefiledilog&gt;</B>
Questa opzione logga i risultati dei vostri scan nella forma
<B>analizzabile</B> <B>dalla</B> <B>macchina</B> nel file che specificate come argo-
mento. Potete dare largomento ´-´ (senza apici) per inviare
loutput allo stdout (per fare shell pipe, ecc.). In questo caso
loutput normale saropresso. Controllate i messaggi di errore se
usate questultima possibilitessi andranno ancora allo stderr).
Notate anche che ´-v´ farn modo che informazioni extra vengano
stampate.
<B>-oS</B> <B>&lt;nomefiledilog&gt;</B>
QuEsT0 l0gGa | rIsUlTaT| d3i v0sTr| Scanz iN UnA f0rMa <B>s|&lt;ipT</B>
<B>kiDd|3</B> n3L fiL3 sPecfiCaT0 C0mE arGuMEnT0! P0t3t3 Dar3
LArg0M3nt0 ´-´ (s3Nza Virg0L3Tt3) p3R mAnDAr3 L0uTput n3ll0
stDouT!@!!
<B>--resume</B> <B>&lt;nomefiledilog&gt;</B>
Uno scan di rete che tato cancellato a causa di un control-C,
problemi di rete, ecc. pusere riprestinto usando questa opzione.
Il nomefiledilog deve essere o un log normale (-oN) o un log
analizzabile dalla macchina (-oM) dello scan interrotto. Nes-
sunaltra opzione deve essere data (le opzioni saranno le stesse
dello scan interrotto). Nmap inizier fare lo scan sulla
macchina posta dopo lultima macchina di cui tato fatto lo scan
nel file di log.
<B>-iL</B> <B>&lt;nomedelfilediinput&gt;</B>
Legge le specifiche della destinazione da un file specificato
PIUTTOSTO che da linea di comando. Il file dovrebbe contenere
una lista di host o espressioni di rete separate da spazi,
caratteri di tabulazione, o newline. Usate una linea trattegiata
(-) come <I>nomedelfilediinput</I> se volte che nmap legga le espres-
sioni dellhost dallo stdin (come alla fine di una pipe). Vedere
la sezione <I>specifica</I> <I>della</I> <I>destinazione</I> per ulteriori infor-
mazioni sulle espressioni con le quali potete riempire il file.
<B>-iR</B> Questa opzioni dicono ad Nmap di generare i propri host da esam-
inare prendendo semplicemente numeri casuali :). Non terminer
ain. Questa opzione pusere utile per campionamenti statistici di
Internet per stimare diverse cose. Se siete veramente annoiati,
provate <I>nmap</I> <I>-sS</I> <I>-iR</I> <I>-p</I> <I>80</I> per trovare dei web server da
guardare.
<B>-p</B> <B>&lt;intervallo</B> <B>di</B> <B>porte&gt;</B>
Questa opzione specifica quali porte volete specificare. Per
esempio con -p 23 Nmap provera porta 23 del/degli host desti-
nazione. Con ´-p 20-30,139,60000-´ Nmap faro scan delle porte
tra 20 e 30, la porta 139, e tutte le porte maggiori di 60000.
Di default Nmap fa lo scan sia di tutte le porte tra 1 e 1024
che di ogni porta elencata nel file services fornito con nmap.
<B>-F</B> <B>Modaliti</B> <B>scan</B> <B>veloce.</B>
Specifica che desiderate esaminare solo le porte elencate nel
file servizi fornito con nmap. Questo tipo di scan vviamente pi
oce di fare lo scan di tutte le 65535 porte di un host.
<B>-D</B> <B>&lt;decoy1</B> <B>[,decoy2][,ME],...&gt;</B>
Causa lo svolgimento di uno scan decoy, che fa in modo che
allhost remoto posto sotto scan appaiano anche lo/gli host che
specificate come decoy (esche). Cos loro IDS potrebbero
riportare 5-10 port scan da un unico indirizzo IP, ma non sanno
quale IP stava effettuando lo scn e quali sono innocenti decoy.
Sebbene questo scan possa essere sconfitto attraverso il router
path tracing, il response-dropping e altri meccanismi "attivi",
eneralmente una tecnica estremamente efficace per nascondere il
vostro indirizzo IP.
Separate ciascun host decoy con virgole, e potete opzionalmente
usare ME come uno dei decoy per rappresentare la posizione
nella quale volete il vostro indirizzo IP venga usato. Se met-
tete ME nella sesta posizione o oltre, per alcuni rilevatori
di portscan comuni (come ad esempio leccellente scanlogd di
Solar Designer) olto poco probabile che mostrino il vostro indi-
rizzo IP. Se non usate ME, nmap lo porr n una posizione
casuale.
Notate che gli host che usate come decoy dovrebbero essere
attivi o potreste accidentalmente fare il SYN flood delle desti-
nazioni. Dovrebbe essere anche abbastanza semplice determinare
quale host ottoposto a scan se uno solo llo stato attuale attivo
sulla rete. Potreste voler usare gli indirizzi IP invece dei
nomi (in questo modo le rete dei decoy non vi vedono nei log dei
loro nameserver).
Notate anche che alcuni "rilevatori di port scan" (stupidi)
firewalleranno/negheranno il routing agli host che provano a
fare il portscan. Cos otreste inavvertitamente causare alla
macchina sottoposta a scan la perdita di connettiviton le mac-
chine decoy che state usando, Questo potrebbe causare alle mac-
chine target maggiori problemi se il decoy, iciamo, il suo gate-
way internet o anche "localhost". Cosotreste voler essere prun-
denti con questa opzione. La vera morale della storia he i ril-
evatori dei portscan spoofabili non dovrebbero agire contro la
macchina che a loro sembra stia eseguendo lo scan. Potrebbe
essere solo un decoy!
I decoy sono usati sia nello scan ping iniziale (usando ICMP,
SYN, ACK, o altro) e durante la fase attuale fase di port scan-
ning. I decoy sono anche usate durante il rilevamento remoto del
S.O. ( <B>-O</B> ).
Vale la pena notare che usare troppi decoy pullentare il vostro
scan e renderlo potenzialmente anche meno accurato. Inoltre,
alcuni ISP filtreranno i vostri pacchetti spoofati, sebbene
molti (attualmente la maggior parte) non restringono i pacchetti
IP spoffati completamente.
<B>-S</B> <B>&lt;Indirizzo_IP&gt;</B>
In alcune circostanze, <I>nmap</I> pun essere in grado di determinare
il vostro indirizzo sorgente ( <I>nmap</I> vi informere questo l caso).
In questa situazione, usate -S con il vostro indirizzo IP
(dellinterfaccia mediante la quale desiderate mandare i pac-
chetti).
Unaltro possibile uso di questo flag i spooffare lo scan per
fare in modo che le destinazioni pensino che <B>qualcun</B> <B>altro</B> le
stia scannando. Immaginate una societulla quale unaltra rivale
fa ripetutamente dei port scan!. Questo non n utilizzo support-
ato ( o lo scopo principale) di questo flag. Ho gi ensato che
questo flag avanza una interessante possibiliti cui le persone
dovrebbero essere consapevoli prima che vadano accusando altri
di fare lo portscanning contro di loro. <B>-e</B> sarebbe generalmente
richiesta per questo tipo di utilizzo.
<B>-e</B> <B>&lt;interfaccia</B>
Dice ad nmap su quale interfaccia mandare e ricevere i pac-
chetti. Nmap dovrebbe essere ingrado di rilevare tale interfac-
cia, ma questa opzione permette di dirgliela se non n grado.
<B>-g</B> <B>&lt;numeroporta&gt;</B>
Imposta il numero di porta sorgente usata negli scan. Molti
firewall nativi e installzioni di filtri di pacchetti fanno
uneccezione nel loro insieme di regole per permettere ai pac-
chetti DNS (53) o FTP-DATA (20) di passare attraverso e sta-
bilire una connessione. Ovviamente questo sovverte i vantaggi di
sicurezza di un firewall in quanto gli intrusi possono mascher-
arsi come FTP o DNS modificando la loro porta sorgente. Ovvia-
mente per uno scan UDP dovreste prima provare uno scan UDP e gli
scan TCP dovrebbero trovare 20 prima di 53. Notate che questa
olo una richiesta -- nmap la onorerolo se n grado di farlo. Per
esempio, non potete fare il campionamento TCP ISN da un
host:porta a unaltro host:porta, cosnmap cambia la porta sor-
gente anche se avete usato -g.
Rendetevi conto che usando questa opzione vna lieve penalitelle
prestazione, perch lcune volte io memorizzo informazioni utili
nel numero della porta sorgente.
<B>-r</B> Dice ad Nmap <B>DI</B> <B>NON</B> rendere casuale lordine nel quale le porte
sono esaminate.
<B>--randomize_hosts</B>
Dice ad Nmap di mescolare ciascun gruppo di host, fino a 2048
host prima di farne lo scanner. Questo punedere gli scan meno
ovvi ai diversi sistemi di monitoraggio della rete, specialmente
quando lo combinare con opzioni di timing lente (vedere sotto).
<B>-M</B> <B>&lt;max</B> <B>sockets&gt;</B>
Imposta il numero massimo di socket che saranno usati in paral-
lelo per uno scan TCP connect() (lo scan di default). Questa
opzione tile per rallentare di poco lo scan e evitare il crash
delle macchine remote. Unaltro approccio sare -sS, opzione che
eneralmente piplice da gestire le le macchine.
<B>OPZIONI</B> <B>DI</B> <B>TIMING</B>
Generalmente Nmap fa un ottimo lavoro nelladattarsi alle carat-
teristiche di rete a run-time e fare lo scan tanto veloce quanto
possibile minimizando le possibilithe degli host/ delle porte
rimangano non rilevate. Comunque, possono esservi casi lo stesso
in qui l politica di timing impostata di default possa non
incontrare i vostri obiettivi. Le seguenti opzioni forniscono un
buon livello di controllo sul timing di uno scan:
<B>-T</B> <B>&lt;Paranoid|Sneaky|Polite|Normal|Aggressive|Insane&gt;</B>
Queste sono possibili politiche di timing per esprimere conve-
nientemente le vostre prioritd Nmap.
La modalit.B Paranoid fa gli scan <B>molto</B> lentamente nella sper-
anza di evitare il rilevamento dai sistemi IDS. Essa serializza
tutti gli scan (nessuno scanning parallelo) e generalmente
aspetta almeno 5 minuti tra i pacchetti mandati. <B>Sneaky</B> imile,
eccetto che aspetta solo 15 secondi tra i pacchetti mandati.
<B>Polite</B> tato pensata per facilitare il carico sulla reta e
ridurre le possibiliti mandare in crash le macchine. Serializza
le prove e aspetta <B>almeno</B> 0.4 secondi tra esse. <B>Normal</B> l com-
portamento di default di Nmap, che prova a fare gli scan tanto
velocemente quanto gli ossibile senza sovracaricare la rete o
mancare degli host/delle porte. La modalitB Aggressive aggiunge
un timeout di 5 minuti per host e non aspetta mai pi1.25 secondi
per le risposte di prova. <B>Insane</B> olo adatto per reti molto
veloci o dove non vi importa la perditi alcune informazioni.
Manda in time out gli host in 75 secondi e aspetta solo 0.3 per
le prove individuali. Pero non permette sweep di rete molto
veloci :). Potete anche fare riferimento a questi numeri. Per
esempio, ´-T 0´ vi da la modalitaranoid e ´-T 5´ a modalitnsane.
Queste possibili modaliti timing NON dovrebbe essere usata con i
controlli a basso livello dati sotto.
<B>--host_timeout</B> <B>&lt;millisecondi&gt;</B>
Specifica la quantiti tempo, permessa ad Nmap per fare lo scan
di un singolo host prima di terminare lo scan su quel dato IP.
La modaliti timing impostata per default non ha host timeout.
<B>--max_rtt_timeout</B> <B>&lt;millisecondi&gt;</B>
Specifica la somma massima di tempo permessa ad Nmap per
aspettare un risultato di una prova prima di ritrasmettere o
mandare in time-out quella prova particolare. La modaliti
default imposta questo limite a circa 9000 ms.
<B>--min_rtt_timeout</B> <B>&lt;millisecondi&gt;</B>
Quando gli host destinazione iniziano a stabilire un pattern di
risposta molto velocemente, Nmap diminuira somma di tempo data
per prova. Questo velocizza lo scan, ma pu ndurre a pacchetti
mancati quando una risposta impiega di pi solito. Con questo
parametro potete garantire che Nmap aspetter al meno la data
quantiti tempo prima di terminare una prova.
<B>--initial_rtt_timeout</B> <B>&lt;millisecondi&gt;</B>
Specifica il timeout iniziale di prova. Questo eneralmente utile
solo quando fate lo scan di host firewallati con -P0. Normal-
mente Nmap pu tenere buone stime RTT dal ping e dalle prime
prove. La modaliti default usa 6000.
<B>--max_parallelism</B> <B>&lt;numero&gt;</B>
Specifica il massimo numero di scan da svolgere in parallelo,
che ermesso a Nmap. Se impostate questo a 1 Nmap non proverai ad
esaminare piuna porta alla volta. Questa opzione ha effetto
anche sugli altri scan paralleli come i ping sweep, lo scan RPC,
ecc.
<B>--scan_delay</B> <B>&lt;millisecondi&gt;</B>
Specifica la quantit i tempo <B>minima</B> nella quale Nmap deve
aspettare tra le prove. Questa opzione tile principalmente per
ridurre il carico di rete o per rallentare il metodo di scan per
penetrare furtivamente sotto le soglie degli IDS.
</PRE>
<H2>SPECIFICA DELLA DESTINAZIONE</H2><PRE>
Tutto ci e non nopzione (o un argomenti di unopzione) viene trattato
in nmap come specifica dellhost destinazione. Il caso piplice lencare
hostname singoli o indirizzi IP sulla linea di comando. Se volete fare
lo scan di una sottorete di indirizzi IP, potete aggiungere <B>/mask</B> al
nome host o allindirizzo IP <B>mask</B> deve essere compreso tra 0 (fai lo
scan dellintera internet) e 32 (fai lo scan del singolo host specifi-
cato). Usate /24 per fare lo scan di un indirizzo di classe C e /16
per fare lo scan di un indirizzo di classe B.
Nmap ha anche un notazione piente che vi permette di specificare un
indirizzo IP usando liste/intervalli per ogni elemento. Cosi potete
fare lo scan dellintera rete classe B 128.210.*.* specificando
128.210.*.* o 128.210.0-255.0-255 o anche
128.210.1-50,51-255.1,2,3,4,5-255. E certamente potete usare la
notazione maschera: 128.210.0.0/16. Queste sono tutte equivalenti. Se
usate asterischi (*), ricordatevi che la maggior parte delle shell vi
richiedono che voi ne facciate lescape con le backslashes o li pro-
teggiate con gli apici.
Unaltra cosa interessante da fare uantizzare Internet in unaltro
modo. Invece di fare lo scan di tutti gli host in una classe B, fate
lo scan *.*.5.6-7 per esaminare ogni indirizzo IP che finisce in .5.6
o .5.7. Decidete i voi i vostri numeri. Per ulteriori informazioni
sulla specifica degli host su cui fare lo scan, vedere la sezione
<I>esempi</I>
</PRE>
<H2>ESEMPI</H2><PRE>
Ecco qui vi sono alcuni esempi di utilizzo per nmap, da quelli semplici
e normali a quelli piplessi/esoterici. Notate che numeri attuali e
alcuni nomi di dominio attuali sono stati usati per rendere le cose pi
crete. Al loro posto dovreste sostituire gli indirizzi/nome della <B>vos-</B>
<B>tra</B> <B>rete.</B> Non penso che fare il portscanning di altre reti sia ille-
gale; i portscan non dovrebbero essere interpretati dagli altri come un
attacco. Ho fatto lo scan di centinaia di migliaia di macchine e ho
ricevuto solo una lamentela. Ma non sono un avvocato e alcune persone
(anali) protrebbero essere infastidite dalle prove con <I>nmap.</I> Ottete il
permesso prima o usatelo a vostro rischio.
<B>nmap</B> <B>-v</B> <B>destinazione.esempio.com</B>
Questa opzione fa lo scan di tutte le porte riservate TCP sulla
macchina destinazione.esempio.com. Il -v significa aabilita la modalit
erbose.
<B>nmap</B> <B>-sS</B> <B>-O</B> <B>destinazione.esempio.com/24</B>
Lancia uno scan SYN invisibile (stealth) contro ogni macchina che ttiva
compresa nelle 255 macchine della classe C dove destinazione.esem-
pio.com risiede. Prova anche a determinare quale sistema opertivo n
esecuzione su ciascun host che ttivo. Questo scan richiede i privilegi
di root a causa dello scan SYN ed del rilevamento del S.O.
<B>nmap</B> <B>-sX</B> <B>-p</B> <B>22,53,110,143,4564</B> <B>128.210.*.1-127</B>
Manda uno scan Xmas tree alla prima meta di ciascuno delle possibili
sottoreti a 8 bit nello spazio di indirizzo classe Stiamo testando se i
sistemi hanno in esecuzione sshd, DNS, pop3d, imapd, o la porta 4564
aperta. Notate che lo scan Xmas non funziona sulle macchine Microsoft
a causa del loro stack TCP deficente. Lo stesso vale per le macchine
CISCO, IRIX, HP/UX, e BSDI.
<B>nmap</B> <B>-v</B> <B>--randomize_hosts</B> <B>-p</B> <B>80</B> <B>*.*.2.3-5</B>
Piuttosto che concentrarsi su unintervallo IP specifico, alcune volte
nteressante suddividere in parti lintera Internet e fare lo scan di
una piccola parte. Questo comando trova tutti i server web sulle mac-
chine con gli indirizzi IP che terminano in .2.3, .2.4, o .2.5. Se
siete root potrete allo stesso modo aggiungere -sS. Potrete anche
trovare macchine pieressanti che iniziano con 127. cosi potreste voler
usare una maggior densiti macchine interessanti (IMHO).
<B>host</B> <B>-l</B> <B>company.com</B> <B>|</B> <B>cut</B> <B>-d</B> <B></B> <B>-f</B> <B>4</B> <B>|</B> <B>./nmap</B> <B>-v</B> <B>-iL</B> <B>-</B>
Fa un DNS zone tranfer per trovare gli host in company.com e poi da in
pasto gli indirizzi IP a <I>nmap.</I> I comandi sopra visti sono per la mia
macchina GNU/Linux. Potreste aver bisogno di diversi comandi/opzioni
su altri sistemi operativi.
</PRE>
<H2>BUGS</H2><PRE>
Bugs? Che bugs? Mandatemeli se li trovate. Anche patch sono gradite
:) Ricordate anche di mandare i fingerprint per i nuovi S.O. cosossiamo
far crescere il database. Nmap vi darna URL di submission quando tata
trovata unappropriata fingerprint.
</PRE>
<H2>AUTORE</H2><PRE>
Fyodor <I>&lt;fyodor@insecure.org&gt;</I>
</PRE>
<H2>DISTRIBUZIONE</H2><PRE>
La pi ente distribuzione di nmap <I>nmap</I> puo essere ottenuta al
<I>http://www.insecure.org/nmap/</I>
<I>nmap</I> is (C) 1997,1998,1999,2000 by Fyodor (fyodor@insecure.org)
<I>libpcap</I> viene anche distribuita assieme ad nmap. Il suo copyright
etenuto da Van Jacobson, Craig Leres and Steven McCanne, tutti del
Lawrence Berkeley National Laboratory, Universit della California,
Berkeley, CA. La versione distributa con nmap pusere stata modificata
i sorgenti originali sono disponibili al ftp://ftp.ee.lbl.gov/libp-
cap.tar.Z .
Questo programma oftware libero; potete ridistribuirlo e/o modificarlo
rispettando i termini della GNU General Public License com pubblicata
dalla Free Software Foundation; Versione 2. Questa garantisce i vostri
diritti di usare, modificare e ridistribuire Nmap sotto certe con-
dizioni. Se questa licenza er voi inaccettabile, Insecure.Org pusere in
grado di vendervi licenze alternative (contattate fyodor@insecure.org).
Il sorgente viene fornito con questo software perchrediamo che gli
utenti abbiano il diritto di sapere cosa esattamente un programma ha
intenzione di fare prima di eseguirlo. Questo potrebbe anche permet-
tevi di correggere di testare il software per buchi alla sicurezza (non
ne sono stati trovati da molto).
Il codice sorgente vi permette anche di fare il port di nmap a nuove
architetture, fissare i bug, e aggiungere nuove caratteristiche. Siete
fortemente incoraggiati di mandare i vostri cambi a Fyodor per la pos-
sibile inclusione nella distribuzione principale di Nmap. Mandando
questi cambi a Fyodor, o a nmap-hackers, si assume che voi stiate
offrendo a Fyodor il diritto illimitato, non esclusivo di riusare, di
modificare, e porre sotto nuova licenza il codice. Se desiderate
specificare condizioni speciali per la licenza dei vostri contributi,
dichiarateli prima sul contributo stesso.
Questo programma istribuito nella speranza che sia utile, ma <B>SENZA</B>
<B>ALCUNA</B> <B>GARANZIA;</B> senza anche limplicita garanzia di <B>COMMERCIABILITA</B> o
<B>ADEGUATEZZA</B> <B>AD</B> <B>UNO</B> <B>SCOPO</B> <B>PARTICOLARE.</B> Vedere la GNU Public License per
ulteriori dettagli (essa el file COPYING della distribuzione di <I>nmap</I> ).
Si dovrebbe notare che Nmap pundare in crash determinate applicazioni
mal progettate, stack TCP/IP, e anche sistemi operativi. <B>Nmap</B> <B>non</B>
<B>dovrebbe</B> <B>mai</B> <B>essere</B> <B>eseguito</B> <B>contro</B> <B>sistemi,</B> che hanno compiti critici
(detti anche mission critical systems) a meno che non siate preparati a
tollerare il tempo in cui essi siano disattivi. Qui riconosciamo che
Nmap pundare in crash i vostri sistemi o reti e non ci assumiamo nes-
suna responabiliter ogni danno o problema che Nmap potrebbe causare.
Tutte le versioni di Nmap a partire dalla 2.0 inclusa non presentano
problemi in tutti i loro aspetti con il bug dellanno 2000 (Y2K bug).
Non esiste nessuna ragione di credere che le versioni precedenti alla
2.0 siano suscettibili a tale problema, ma non sono state testate.
<B>NMAP(1)</B>
</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>

374
docs/nmap_manpage-lt.html Normal file

@@ -0,0 +1,374 @@
<HTML>
<HEAD><META http-equiv="Content-Type" content="text/html; charset=windows-1257">
<TITLE>Nmap network security scanner man page (Lithuanian translation)</TITLE>
</HEAD>
<BODY>
<H1>Nmap network security scanner man page (Lithuanian translation)</H1>
<HR>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
<B>NMAP(1)</B> <B>NMAP(1)</B>
</PRE>
<H2>PAVADINIMAS</H2><PRE>
nmap - tinklo tyrinmo nkis bei saugumo skeneris
</PRE>
<H2>SINTAKS.B nmap</H2><PRE>
[skanavimo tipas(ai)] [opcijos] &lt;hostas/tinklas #1 ... #n&gt;
</PRE>
<H2>APIBINIMAS</H2><PRE>
<I>nmap'as</I> yra sukurtas tam, kad leistteministratoriams bei smalsiems
individams skanuoti didelius tinklus, siekiant nustatyti kokie hostai
yra veikiantys ir kokias paslaugas jie si.I nmap'as turi be galo daug
skanavimo technologiji: UDP, TCP connect(), TCP SYN (pusiau atviras),
ftp proxy (bounce ataka), Reverse-ident, ICMP(ping sweep), FIN, ACK
sweep, Xmas Tree, SYN sweep, bei Null skan'as. <I>Skanavimo</I> <I>Tipai</I> sekci-
joje rasite apie tai smulkesninformacijos. nmap'as taip pat turi nema
savybikip nutolusio kompiuterio (toliau vadinamo 'remote') (O)peracin
(S)istemos nustatymas per TCP/IP fingerprintinima, stealth (vogtinis)
skanavimas, dinaminpauz ir retransimisijos skai vimai, lygiagretusis
skanavimas , nepasiekiamt'tatymas skanuojant lygiagre skanavimo metodu,
decoy skanavimas, filtruojamttatymas, tiesioginis RPC skanavimas, frag-
mentinis skanavimas, bei labai lankstus taikinio ir portodymas.
nmap'o autorius stengiasi kaip galima daugiau irip'o galimybieikti ne
tik root vartotojui, bet ir paprastam sistemos vartotojui, deja daug s
kritini temos branduolio (kernel) interfeis ki p "raw socket'ai")
reikalauja root'o privilegijdnmap'as tur b audojamas root'u kai tik
noma.
nmap'o naudojimo rezultatas daiai baprasusias smitstnuojamoje maje(se).
Nmap'as visada parodo kokiaslaugservice) teikia portas, jo numer b bei
protokol B nusako vienas iijopen", "filtered", "unfiltered". "open"
(atviras) rei, kad taikinys leis prisijungti prie porto. "filtered"
(filtruojamas) rei , kad firewall'as (ugnies siena), filtras ar dar ka
mus nkis dengia portdto nmap'as tiklsiai negali nustatyti ar portas
atviras. "unfiltered" (nefiltruojamas) parodo, kad portas yra tikrai
"closed" (uas) ir nera dengiamas jokio firewall'o/filtro. Nefiltruoja-
mas portas yra gan astas atvs ir yra rodomas tik tuo atveju, kai dau-
guma ianuott filtruojami.
Priklausomai nuo to, kokios opcijos naudojamos, nmap'as taip pat gali
parodyti ir nutolusio kompiuterio: (O)peracinS)istemTCP susekamumvarto-
toju vardus, kuriems priklauso tam tikri procesai, DNS vardus ir dar
vienit.SH OPCIJOS Prasmingos opcijos visos gali bas kartu (t.y. vienoje
eilut). <I>nmap'as</I> stengsis pasakyti, kokias klaidas esate padar ai jei
esate :).
Jei esate nekantrus, galite ito elti ekcijI pavyzdale dokumento, kur
gan aii parodo naudojimTaip pat galite paleisti <B>nmap</B> <B>-h</B> ir pamatysite
pagrindines opcijas, su trumpais aprais.
<B>SKANAVIMTIPAI</B>
<B>-sT</B> papras usias TCP connect() skanavimas. Jndote prisijungti prie
kiekvieno porto il Jei portas klausosi, nmap'as prisijungia prie
jo, taigi jei host'as logina, jis matys, kad bandote jungtis. s
metodas yra tiksliausias, bet rekomenduo u j audoti tik tuo
atveju, jei skanuojate savo ar draugo kompiutert.y. tokdkurio v
au tikrai nesusilauksite nemalonum P <B>-sS</B> TCP SYN skanavimas,
kitaip dar da adinamas kaip "pusiau-atviras" skanavimas, nes n
padaromas TCP prisijungimas. J pras usiai nusiun te TCP SYN
paketukaip kad normas prisijungti ir laukiate atsakymo. Pakanka-
mai neblogas metodas, bet jei yra filtruojamtz. pastatytas fire-
wall'as) ir host kompiuteris juos logina, - b pastebs.
<B>-sF</B> <B>-sX</B> <B>-sN</B>
Stealth FIN, Xmas Tree bei Null skanavimo re Tai yra tiek
saugesni skanavimo bnei TCP SYN (pastebimumo atu), bet deja nei
vienas i neveikia M$ sistemoms. Itos pus tai nebloga priemon
kurios pagalba galima nustatyti ar tai M$ sistema ar ne, t.y.
jei -sF -sX arba -sN parodo, kad visi portai ui, o -sS rodo
kelis atvirus portus, taikinys greiusiai windows dt.TP <B>-sP</B> Tai
papras usias ping'as, kuris parodo kurie hostai tinkle yra gyvi.
Atliekama paprasusiai siunnt ICMP echo pra (request). Deja kai
kurie saitai (kaip mail.takas.lt) blokuoja pras. Kad ikro tik-
inti, ar hostas negyvas, nmap'as nusiun ir TCP ack paketuk 80
(standarti ) portJei gauname atgal RST, rei hostas gyvas. Pagal
standartr00t'ui) nmap'as naudoja abu ICMP bei ACK metodus.
Pakankamai efektyvu, nes vienu metu galite patikrinti #n hostP
<B>-sU</B> UDP skanavimas. Naudojamas tam, kad nustatyti kokie UDP
(User Datagram Protocol, RFC 768) portai yra atviri.
Kai kurie mano, kad UDP skanavimas yra beprasmi, bet jrisiminti
verta vien dvienos Solaris rcpbind skyl Taip pat yra cDc Back
Orifice trojanas, kuris atsidaro UDP portnt window'sila tik, kad
UDP skanavimas kartais gali trukti labai ilgai.
<B>-SO</B> IP protokolo skanavimas. s metodas yra naudojamas tam, kad nus-
tatyti kokius protokolus naudoja j aikinys. Technika labai
paprasta: siunmi IP paketai be jokio protokolo header'io isus
nurodytus protokolus. Jeigu pvz gauname "ICMP protocol unreachi-
ble" (ICMP protoklolas nepasiekiamas) atsakymvadinasi protokolas
nenaudojamas, prieu atveju skaitoma, kad jis atviras.
<B>-sA</B> ACK skanavimas: s metodas paprastai yra naudojamas tam, kad iiti
firewall'nies sinisykles. Jis gali pad nustatyti ar firewall'as
tikras, ar paprasusias pakettras, blokuojantis aukians SYN pake-
tukus.
<B>-sW</B> Window skanavimas. s skanavimo blabai panaCK skan skirtumas tik
tas, kad skanavimo metodas kartais parodo ir atvirus portus (ACK
jodo).
<B>-sR</B> RPC skanavimas. Praskanavus parodoma kokia programa ir jos ver-
sija laiko RPC portus atvirus.
<B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>hostas&gt;</B>
Dar vienas pakankamai originalus skanavimo b t.y. pasinaudojant
ftp proxy serveriu. &lt;ftp relay host'o&gt; formatas gali b
seris:passwordas@serveris:portas . Viskas irus serverra neb.
<B>BENDROSIOS</B> <B>OPCIJOS</B>
Nei viena ia b, bet kai kurios gali bakankamai naudingos
<B>-P0</B> Skanuoti i rt, nepabandadng'int serverio. Tai naudinga skanuo-
jant tokius kaip mail.takas.lt, kurie neatsakin CMP echo
request'us. Tokiu atveju reik naudoti <B>-P0</B> arba <B>-PT80.</B>
<B>-PT</B> Naudoti TCP "ping' vietoje standartinio ICMP ping'o. Naudinga
tokiais atvejais, kai serveris neatsakin i ICMO echo request'us.
Taip pat galima naudoti kartu su postu (-PT&lt;portas&gt;).
<B>-PS</B> Naudoja SYN (prisijungimo pra) vietoje ACP
<B>-PI</B> Paprastas ping'as + suranda subnet'o broadcast'u adresus tinkle.
<B>-PB</B> Standartinis ping'inimo metodas: naudoja ACP bei ICMP ping'us
kartu. Geriausia bpatikrinti firewall'us, kurie blokuoja vien.
<B>-O</B> Viena geriausi p'o ypatybi erverio OS'o atpas pagal jo finger-
print'us (jei atvirai, pats nelabai kas per biesas tie
fingerprintai).
<B>-I</B> jungiamas TCP reverse ident skanavimas. Kaip 1996 Dave'as Gold-
smith'as pasteb, ident protokolas (rfc 1413) leidmatyti, kokiam
useriui priklauso procesas, kuris naudoja TCP susijungima.
Taigi, tu gali pvz prisijungti prie 80 porto ir tada pasinaudo-
jes inentd'u, gali pamatyti ar http serveris yra paleistas
root'u ar kokiu kitu userium.
<B>-f</B> Skanuojant SYN (-sS) , FIN (-sF), XMAS (-sX) arba NULL (-sN)
metodu, naudojami labai ma sufragmentuoti IP paketai.
<B>-v</B> Verbose mode. Labai rekomenduojama opcija, ypaei norit geriau
suprasti kas dedasi. naudodamas opciju kartus, efektas bus dar
geresnis. Gali naudoti ir dvigubd, efektas - nerealus. Nepaband
nesuprasi.
<B>-h</B> Jei norite kad nedidelis langelis jums trumpai primintu kelias
pagrindines komandas, pcija - jums.
<B>-oN</B> <B>&lt;logas&gt;</B>
Viskas, kas vyksta ekrane bus loginama logas" fail.TP <B>-oX</B>
<B>&lt;logas&gt;</B> Skanavimo rezultatai igomi XML formatu ail kur urodote
kaip argumentiai opcijai.
<B>-oG</B> <B>&lt;logas&gt;</B>
opcija i go skanavimo rezultatus taip, kad jos galetum lengvai
grepinti. s gan primityvus formatas igo viskienoje eilut.
<B>-oS</B> <B>&lt;logas&gt;</B>
Loginama aillogas" "skipt kiddie" formatu.
<B>--resume</B> <B>&lt;logas&gt;</B>
Skanavimas, kuris buvo nutrauktas su ^C, gali bratas, su s ga,
kad viskas buvo loginama su -oN opcija. Daugiau jokie parame-
trai negali bateikti (jie bus tokie, kokie buvo naudojami logi-
nant). nmap'as prad skanuoti nuo sekan s ma s, po tos, kuri
paskutinuvo singai nuskanuota..
<B>-iL</B> <B>&lt;failas&gt;</B>
Nuskaito hostus (IP adresus) iilo "failas". Hostai faile turi b
tskirti tarpais, TAB'ais arba atskirose linijose. deja opcij
odyti jokialite tame faile, u ra galimyb as nurodyti komandin
eilut.
<B>-iR</B> ta opcija priver nmap'eneruoti atsitiktinius hostus. Jei kada
neturte keikti, pabandykite `nmap -sS -iR -p 80', kad surastum
kelet ww serveri P <B>-p</B> <B>&lt;portai&gt;</B> Galite nurodyti kururiuos portus
tikrinti. pvz. -p 110 patikrins ar hostas turi pop3 server taip
pat galite mii nurodin portus:
-p 21,60-90,1243 -- 21, visi nuo 60 iki 90 bei 1243
portas
-p 1- -- visi portai nuo 1 iki 65535.
<B>-F</B> Greitasis metodas. Skanuoja tik tuos portus, kurie nurodyti
nmap'o services faile (pagal default' /usr/local/lib/nmap/nmap-
services)
<B>-D</B> <B>&lt;decoy1</B> <B>[,decoy2][,decoyN][,ME]&gt;</B>
Decoy skanavimas priver skanuojamost'anyti, kad jienu metu skan-
uoja visi nurodyti decoy'iai. Hostai gali parodyti 5-10 skanavim
unikaliadrest kuris i skanuoja ikro jie pasakyti negal
Atskirk kiekvienecoy'ableliais (be tarpo) ir gali tarp j rpti
'ME' kaip vien coy'i ap'as ten rps tavo adresJei nenurodysi,
nmap'as atsitiktinai iks tau vietTiesa, jei 'ME' 6-oje ar dar v
sn vietoje, kai kurie skanavim ektoriai (tokie kaip Solar
Designer'io nepakartojamas scanlog daemon'as) gali tavo IP i o
neparodyti.
Nepamir kad hostai, kuruos naudosi kaip decoy'ius, turi byvi,
kitaip gali uflood'inti taikino be to labai nesunku bus surasti
skanuotojjei jis bus vienintelis gyvas visame tinkle.
Atkreipk dsr ai, kad kai kurie (durnesni) portnavimektoriai gali
aplamai skanuojantiems host'ams uti pri m sivaizduok, kas gali
nutikti, jei viencoy'iodytum "localhost':)
Decoy skanavimas gali baudojamas kartu su ping (naudojant ICMP,
SYN, ACK, ar dar kors) arba tikru portnavimu bei bandant surasti
remote OS' -O ).
<B>-S</B> <B>&lt;IP_adresas&gt;</B>
Kartais nmap'as gali nerasti jdreso. Tokiu atveju galite naudoti
-S opciju jP adresu bei interfeisu, kuriuo si paketus.
<B>-e</B> <B>&lt;interfeisas&gt;</B>
Nurodo nmap'ui kokiu interfeisu sipaketus. (lo, ppp0, eth0 ir
etc.)
<B>-g</B> <B>&lt;portas&gt;</B>
Nurodo ikio porto skanuoti. Daugelis firewall' filtraro iis DNS
(53) bei FTP-DATA (20) paketams.
<B>-n</B> Liepia nmap'ui net nemnti rezolvinti ip adresdus, nes daai babai
ls procesas ir stabdo nmap'o darb.TP <B>-R</B> Prieai nei -n opcija, -R
liepia nmap'ui visada pamnti iolvinti ip adres .TP <B>-r</B> Nurodo
nmap'ui portus skanuoti <B>NE</B> atsitiktine tvarka.
<B>--randomize_hosts</B>
Nmap'as atsitiktine tvarka i iekvien rupugiau nei 2048 hoste
adedant juos skanuoti. Tai tiek suklaidina irius tinklo stebe-
jimo nkius.
<B>-M</B> <B>&lt;maximalus</B> <B>susijungimu</B> <B>skaicius&gt;</B>
Nustato naksimal ijungimu skai, kuris bus naudojamas paralel su
TCP(standarti) skanavimu.
<B>LAIKO</B> <B>APRIBOJIMAI</B>
<B>-T</B> <B>&lt;Paranoid|Sneaky|Polite|Normal|Aggressive|Insane&gt;</B>
Paranoid - pats lausias skanavimo b Insane - pats grei usias,
deja ne toks tikslus, ypaei tinklas ls. Vietoj galite naudoti
ir -T (0-5), kur 0 == Paranoid, 1 == Sneaky ir t.t.
<B>--host_timeout</B> <B>&lt;milisekund</B>
Nurodo kiek laiko nmap'as gali skanuoti duot IP. Laikas turi b
ema ei 200 milisekundTP <B>--max_rtt_timeout</B> <B>&lt;milisekund</B> Kiek dau-
giausia laiko nmap'as gali laukti atsakymo ianuojamo IP.
<B>--scan_delay</B> <B>&lt;milisekund</B>
Nustato minimalko tarpkuri nmap'as turi laukti tarp bandym i
naudingiausia siekiant sumatinklo apkrovim
</PRE>
<H2>TAIKINIO NURODYMO BAI</H2><PRE>
Viskas, kas n opcijos, nmap'e suprantama kaip taikinys. Paprasusias b
yra nurodyti konkres IP arba hostus. Jeigu norite nuskanuoti IP adres
net' galite prid <B>/mask</B> <B>hostname'ui</B> <B>ar</B> <B>IP</B> <B>adresui.</B> <B>Maskturi</B> <B>barp</B> <B>0</B>
(norint nuskanuoti visnternetir 32 (norint nuskanuoti konkrett'P. Nau-
dok /24 'C' klasadresnavimui bei /16 'B' klasadresnavimui.
nmap'as taip pat turi gan patogialimybustatin IP adresus s/atstumais.
pvz. gali nuskanuoti 'B' klasamas 128.210.*.* arba 128.210.0-255.0-255
arba dar 128.210.0-50,51-255.1,2,3,4,5-255 . Manau kad tai pakankamai
patogu ir nesudnga.
</PRE>
<H2>KELETAS PAVYZD.Sp</H2><PRE>
<B>nmap</B> <B>-sX</B> <B>-e</B> <B>lo</B> <B>-P0</B> <B>-S</B> <B>127.0.0.3</B> <B>localhost</B>
Pasinaudodamas Xmas Tree skanavimo metodu, apsimetin mas, kad esu
127.0.0.3 Loopback protokolu skanuoju savo localhost'tai kaip atrodo
ipchains''as:
Packet log: input DENY lo PROTO=6 127.0.0.3:37009 127.0.0.1:139 L=40
S=0x00 I=53682 F=0x0000 T=41 (#1)
kaip matote, kernelis yra tikin kad jkanuoja i7.0.0.3 o tai ir yra
vienas svarbiausiaviniikti nematomiems :)
<B>nmap</B> <B>-sS</B> <B>-O</B> <B>target.example.com/24</B>
stealth SYN metodu nuskanuoja visas 255 mas, esan s target.example.com
'C' klas. Taip pat bando nustatyti kiekvieno i operacinistem.Sp <B>host</B> <B>-l</B>
<B>company.com</B> <B>|</B> <B>cut</B> <B>'-d</B> <B>'</B> <B>-f</B> <B>4</B> <B>|</B> <B>./nmap</B> <B>-v</B> <B>-iL</B> <B>-</B>
suranda visus *.company.com hostus ir atiduoda juos nmap'ui, kuris savo
ruoijungverbose mode visus juos nuskanuoja.
<B>nmap</B> <B>-sN</B> <B>-D</B> <B>microsoft.com,mail.takas.lt,ME</B> <B>-oN</B> <B>/root/crazy</B> <B>-p</B> <B>1-1024</B> <B>-O</B>
<B>crazy.com</B>
skanauoja Null skanavimo re panaudoja du decoy adresus, visk ogina
root/crazy fail skanuoja nuo 1 iki 1024 crazy.com portus bei stengiasi
atsp crazy.com serverio operacinistemSH BUGAI Vabalai? Kokie dar vabal
ai? Na.. jei rasit koki tinai si autoriui: &lt;fyodor@insecure.org&gt; .
Pachai taip pat labai laukiami. Taip pat nepamire siOS'gerprintus, kad
nmap'o autoriai gal pl i duom. baz Apie tai smulkiau galite rasti
docs/nmap-fingerprinting-article.txt dokumente arba nmap'o puslapyje:
http://www.insecure.org/nmap
</PRE>
<H2>AUTORIUS</H2><PRE>
Fyodor <I>&lt;fyodor@insecure.org&gt;</I>
</PRE>
<H2>IERT.Sp</H2><PRE>
Aurimas Mikalauskas <I>&lt;inner@crazy.lt&gt;</I>
</PRE>
<H2>PLATINIMAS</H2><PRE>
NaujausiI nmap'o versijisada galite rasti :
<I>http://www.insecure.org/nmap/</I>
<I>nmap</I> is (C) 1997,1998,1999,2000 by Fyodor (fyodor@insecure.org)
<I>libpcap'as</I> yra taip pat platinamas kartu su nmap'u. Autorines teises
uri Van Jacobson, Craig Leres ir Steven McCanne, visi iwrence Berkeley
nacionalinLaboratorijos Kalifornijos Universiteto, Berkeley, CA. Ver-
sija platinama su nmap'u gali b erra jama. Sourcus galit parsisi i
ftp://ftp.ee.lbl.gov/libpcap.tar.Z
</PRE>
<H2>PABAIGAI</H2><PRE>
D uosi, kad pagaliau pasiek galDabar jau galite skaityti save kvali-
fikuotu nmap'o guru.
beje, jei norite kors prid ar pakeisti e dokumente, arba (neduok Dieve)
radot koki bug'u, rat man adresu, pateiktu sekcijoje <B>itaip</B> <B>s</B> <B>manualas</B>
<B>abejoju</B> <B>ar</B> <B>bus</B> <B>atnaujinamas,</B> bet pa naujausimap-lt-HOWTO visada galite
rasti mano puslapyje:
<I>http://crazy.lt/~inner</I>
<B>NMAP(1)</B>
</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>

604
docs/nmap_manpage-lv.html Normal file

@@ -0,0 +1,604 @@
<HTML>
<HEAD>
<TITLE>Nmap network security scanner man page (Latvian translation)</TITLE>
</HEAD>
<BODY>
<H1>Nmap network security scanner man page (Latvian translation)</H1>
<HR>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
<B>NMAP(1)</B> <B>NMAP(1)</B>
</PRE>
<H2>VDS</H2><PRE>
nmap - Network exploration tool and security scanner
</PRE>
<H2>NOSAUKUMS</H2><PRE>
<B>nmap</B> [skannas metode(s)] [opcijas] &lt;host vai ts#1...[#N]&gt;
</PRE>
<H2>APRAKSTS</H2><PRE>
<I>Ar</I> <I>Nmap</I> <I>var</I> <I>skanneierobeaudzumu</I> <I>un</I> <I>lielumu</I> <I>tus,</I> <I>noteikt</I> <I>to</I> <I>dros</I> <I>pak,</I>
<I>apzinatvos</I> <I>portus,</I> <I>krtbilstoervisu</I> <I>esam.</I> <I>uzdevuma</I> <I>eno</I> <I>i</I> <I>Nmap</I> <I>izmanto</I>
<I>daudz</I> <I>da</I> <I>skannas</I> <I>metodes,</I> <I>kiemm</I> <I>UDP,</I> <I>TCP</I> <I>connect(),</I> <I>TCP</I> <I>SYN,</I> <I>FTP</I> <I>proxy</I>
<I>(skanna</I> <I>caur</I> <I>ftp),</I> <I>Reverse-ident,</I> <I>ICMP</I> <I>(ping)</I> <I>FIN,</I> <I>ACK,</I> <I>Xmas</I> <I>tree,</I> <I>SYN,</I>
<I>NULL</I> <I>metodes.</I> <I>Tuv</I> <I>tapskats</I> <I>nodaSkannas</I> <I>opcijas</I> <I>.</I> <I>Nmap</I> <I>satur</I> <I>daudz</I> <I>da</I>
<I>papildus</I> <I>iesps,</I> <I>konkrk:</I> <I>datora</I> <I>operjsists</I> <I>noteik</I> <I>(tk</I> <I>tekstS)</I> <I>izmantojot</I>
<I>TCP/IP</I> <I>steka</I> <I>sniegto</I> <I>informju,</I> <I>neredzamo</I> <I>skannu,</I> <I>dinamiski</I> <I>ers</I> <I>aiztures</I>
<I>un</I> <I>atkota</I> <I>pakeaidna,</I> <I>paral</I> <I>skanna,</I> <I>neakt</I> <I>hosta</I> <I>noteik</I> <I>izmantojot</I> <I>paral</I>
<I>ping</I> <I>pieprasmu,</I> <I>skanna</I> <I>no</I> <I>neeksist</I> <I>hostiem,</I> <I>noteikt</I> <I>pakeiltru</I> <I>esam,</I> <I>tie</I>
<I>neizmantojot</I> <I>portmapper)</I> <I>RPC</I> <I>skanna,</I> <I>skanna</I> <I>izmantojot</I> <I>IP-fragmentju.</I>
<I>Kaut</I> <I>armap</I> <I>ir</I> <I>maksim</I> <I>optimiz</I> <I>priekrastiem</I> <I>lietotem,</I> <I>daudzas</I> <I>tesps</I> <I>ir</I> <I>at</I>
<I>tas</I> <I>tikai</I> <I>root</I> <I>lietotm.</I> <I>Ieteicam</I> <I>Nmap</I> <I>laist</I> <I>ar</I> <I>root</I> <I>tiesm.</I>
Nmap rezult tiek izvad knteresortu saraksts uz skan kompj, protokola
tips, servisa nosaukums. Portiem klir apzjumi "atvs" (open), "filtr "
(filtered), "nefiltr" (unfiltered). "atvs" noz, ka portam var pieslies,
"filtr" - ugunsm(firewall) pakeiltrs , vai k cits apst is ne j Nmap
noteikt, vai ports ir atvs vai n"nefiltr" - ports ir aizvs, lai gan
nekas netrauc Nmap to skan
Atkar no dotajkomand Nmap spnoteikt s skanmosta s: lietot OS, TCP ISN
er nas metodi, lietot vu (username) kam "pieder" noteikts serviss, DNS
nosaukumu u.t.t.
</PRE>
<H2>OPCIJAS</H2><PRE>
Vairumu opciju ir iespms kombinsavtarpienas opcijas paredzs priekan nas
meto s, citas savuk atbild par daapildus iesp izmanto, vai artbild par
da skannas parametriem. Palaiogrammu Nmap ar opciju -h vienmir iespms
iegformju par vistiespm.
<B>SKANANAS</B> <B>VEIDI</B>
<B>-sS</B> (scan SYN) - Izmantot TCP SYN metodi. metodi sauc par
"pusatverto" skannu, jo piln savienojums ar att n datora portu
nenotiek. Nmap nosYN paketi, itkieprasot nodibinsavienojumu un
gaida attns sists atbildi. Atbildot sist nosaketi ar SYN|ACK mar
umu (flag), ka ir gatava nodibinsavienojumu. Kad Nmap saSYN|ACK
paketi, atpakaekavties tiek nos RST pakete liekot saprast att n
jai sisti, ka nevs nodibinvneveikto savienojumu. Ne visas sists
fiks tipa skannu. Lietotm vajadzs root tiess, lai var izveidot
SYN paketes.
Lai pain skannu, skant lielus tus, kopr opciju -sS var lietot
sanmu, kurj pieprasnorto portu visaktjsistm j kan j iapazon audz
nek zmantojot tikai -p opciju. To var izdarar sanma -PS pal.
Piemm, ja ir nepiecieba noteik, cik sists noteiktiapazonr atv 25
portu jums ieteicams lietot anmu. (piem):
nmap -n -sS -p25 -PS25 24.0.0.0/8
<B>-sT</B> (scan TCP) - izmanto TCP connect() metodi. ir visizplatkCP
portu skannas metode. Funkcija connect(), ir iekta jebkurS, t j
atjot enot savienojumus ar vienalga k attns sists portu. Ja skan
mais ports uz attns sists beejams, tad funkcija connect() norit
veiksm , pret gad morts skaitsls, vai arizsarg ar ugunsmvai ko
taml.
Lai izmantotu kannas metodi, lietotm nav vajadz s t.s. privili
ties s. du skannu i viegli konstatkanmatorpieks, jo viss tiek
akur ierakst log fail
<B>-sF</B> <B>-sX</B> <B>-sN</B>
(scan FIN, scan Xmas, scan NULL) - "neredzamFIN, Xmas Tree un
NULL skanna. metodi lieto, ja SYN skanna k iemeslu dnav iespma.
Piemm dansmiltrYN paketes, kas tiek noss uz vi izsarg jiem por-
tiem, un ts programmas kynlogger spgas fiksSYN skannas mnmu.
Dot skan nas laikotiek sekojo. FIN skannu veic ar FIN paket Xmas
Tree izmanto FIN|URG|PSH paketes, NULL skannas gad m iek nos s
nemaras paketes. Vadoties pRFC 973 rakst, skanmsists OS ir jbild
uz veida paket no sliem portiem ar RST paketi, taj a aik tv ie
porti emar o paketi ignor KienmMicrosoft Windows izstrt nernar
pieo standartu, ti skannas metode befekt skant jebkuru sist, kas
izmanto Microsoft veidotOS. Ja FIN skannas rezult, tiek izmests
atvo portu saraksts, tad attns sists OS nav Windows. Ja visas
metodes izmet pazimu, ka visi porti sli, turpretSYN skanna atkl
atvus portus, tad visticamattns sists OS ir Windows. Jebilst, ka
Windows nav vien OS, kura satur epiln. Pie tipa OS var pieskait
arisco, BSDI, IRIX, HP/UX un MVS. Visas OS neatbild nemarpaket
<B>-sP</B> scan Ping) - ping "skanna". Dair nepiecieba uzzintikai akt hostu
adreses. Nmap to spizdar nosICMP ECHO pieprasmu katrai ip adre-
sei nortajiapazonHosts, kas atbild uz ieprasmu ir akt, t.i. ir
piesls tam.
Dati (piemm microsoft.com) bloECHO pieprasmus, tmap papildus nos
CP ACK paketi uz 80 portu (noklus ). Ja hosts atbild ar RST
paketi, tad vi r akt. Treetode izmanto SYN paketi, par atbildi
gaidot RST vai SYN|ACK paketi. Lietotem, kuriem nav root privil
jas tiek izmantota connect() metode.
Lietotem ar root priviljNmap noklus lieto abas metodes - ICMP un
ACK. iestjumu var mainizmantojot opciju .B -P , kur aprakst zem
Ping skanna tiek lietota vienmun tikai akts sists tiek skans, to
skannas metodi izmatojiet tikai ta, ja v ties uzzin akt sist
daudzumu, ne veikt to portu skannu.
<B>-sU</B> (scan UDP) - skannas metode j noteikt k UDP porti (RFC 768) ir
atvi uz attns sists. Uz katru skanmsist s portu tiek nos UDP
pakete, kas nesatur datus. Ja sist atbild ar ICMP pazimu "port
unreachable" tad ports ir aizvs, pret gadmas tiek uzskat par atv
u. Dakata, ka skanUDP portus nav neks js. nadmtgnu par "slaven"
ieguvuu iekmona rpcbind OS Solaris. s d ns grie jebkura no
nedokumentjiem UDP portiem, kas ir liel par 32770.
Par nonu jdz, ka UDP skanna velkas l, jo gandrvisas OS seko RFC
1812 (sada4.3.2.8) rekomendjiegroMP "port unreachable" er nas
umu. Piem m Linux kernelis (katalogs net/ipv4/icmp.h) ierobea
tipa pazimu ernu l 80, 4 sekundar 1/4 sekundes nov, ja obe k p
niegta. OS Solaris ir vstrikt ierobe (2 zimi sekund tist skanna
kuras grie OS Solaris ir vlka.
Nmap nosaka erobe parametrus un atbilsto iem samazina er mos
piepras mus, tj atturoties no ta piemos ar nevajadzm paket kuras
ignorttn sist. Kau ierasts kompja Microsoft ignor isas rekomend
jas un neizmanto sav OS neks ierobes. Tj jrat i i noskanvisus
65535 UDP portus sisti, kas griem OS Windows.
<B>-sO</B> (scan Open protocol) - Dotetode tiek izmantota, lai noteiktu IP
protokolus, kurus uztur att n sist. Attnjai sisti tiek ss IP
paketes, kurnav nek maruma. Ttiek ss katram protokolam. Ja par
atbildi tiek sa s pazims "protocol ureachable", tad doto pro-
tokolu attn sist neuztur. Pret gadm map uzskata, ka protokols
tiek uztur.
Da (AIX, HP-UX, Digital UNIX) krgunsmvar blo zimus "protocol
ureachable", tezult visi protokoli tiks uzskat par uzturem. Par
cik aprakst metode ir l UDP skannas metodei, tad ICMP ernas
ierobe noteik paliek sp, tata IP paketes "header" sasttikai no 8
bitiem visus 256 protokolus izdodas noskanpiemtrum
<B>-sA</B> (scan ACK) - ACK skan nas metode. papildus metode j noteikt
ugunmonfigurju (rulesets). Izmantojot etodi var noteikt, vai att
n sist ir aizsarg ar ugunsmai tikai ar pakeiltru, kuroienSYN
paketes.
Skanmajai sisti tiek nos ACK pakete (ar gadma skait acknowledge-
ment number un sequence number). Ja par atbildi tiek saa RST
pakete, ports tiek uzskat par nefiltr. Ja atbilde nepien(vai ar
ienICMP "port unreachable") tad ports tiek uzskat par filtr.
J ebilst, ka Nmap ner "nefiltrs" portus, tc, ja skant attn sist
jums neatklnevienu atvu portu, tas noz ka porti skait nefiltr .
metode nekad rezults ners portus kuri skaitatvi.
<B>-sW</B> (scan Window) - Izmanto TCP Window metodi. metode linACK skan
nai, izt to, ka daar metodes pal var noteikt k tv os, t iltr
s/nefiltr s portus. To iespms izdar paudot Initial Window datus
TCP paketkurus nosttn sist par atbildi tai nosjai paketei, kuru
t epareizi apstr . Sist s kurir a: vairs AIX versijas, Amiga,
BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX,
FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep,
QNX, Rhapsody, SunOS 4.X, Ultrix, VAX un VxWorks. Tuv inform ju
var ieglt Nmap-hackers listes arhs.
<B>-sR</B> (scan RPC) - Izmantot RPC skannas metodi. metodi izmanto kopr
cit Tal noteikt, k programma apkalpo RPC portu un tversiju. Lai
to noteiktu, visi TCP/UDP porti tiek fl ar SunRPC NULL piepras
miem ptam nosakot programmu kas apkalpo RPC portu(s). Izmantojot
etodi j egli ieg t panformju kalaimandu rpcinfo -p, ar gadmja
attns sists portmapper ir aizsarg ar ugunsmai TCP_wrapper.
<B>-sL</B> (scan List) - Ieganmo adrearakstu. opcija j jums apl adre arak-
stu, kuras TIKS skans ar Nmap pal. Noklus tiek noteikti to DNS
nosaukumi. iesp var aizliegt izmantojot -n opciju.
<B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>host&gt;</B>
(bounce scan) - Izmantot "ftp bounce attack" uzbrukumu.
interesant TP protokola iesp tuv aprakst RFC 959. No hosta
source.com var nodibinsavienpjumu ar target.com ftp serveri un
nos failus, kas tur atrodas uz vienalga k adresi. s uzbrukums
tika atkl 1985 gadkad tika uzrakst augis RFC. Nmap izmanto u lai
skan portus no "uzticamftp servera.
Iesp ms piesl ies ftp serverim, kuru apsarggunsmun noskanpjos
aizsargs portus. Ja ftp serveris atj lasun rakstdatus k katalog
piem m /incoming), jrat nosjebks datus uz ortu. Opcija -b, nor
ftp servera adresi, kurek izmantots kuzticamais" serveris. URL
form: <I>login:parole@serveris:ports</I> Adrese nepiecie oblig, pjo var
neievad
<B>PAPILDUS</B> <B>IESPAS</B>
s opcijas nav nepiecie lietot oblig, tadatvar bezgan noders.
<B>-P0</B> (Ping 0) - Nepingot attn sist pirms skannas. opcija atj skantus
kuri neat j ICMP ECHO pieprasmus, vai atbildes uz tiem. piemm
microsoft.com. Var izmantot .B -P0 vai <B>-PT80</B> kad skant t tiklu.
<B>-PT</B> (Ping TCP) - Izmantot TCP "ping". ICMP ECHO vietmap nosCP ACK
paketi skanmajai sisti un gaida tatbildi. Ja sist ir "akt " t
tbild ar RST paketi. Lietot , kuriem nav root priviljas tiek
izmantota connect() funkcija. opcija jums j noteikt attns sists
st kli pat t gadm ja ICMP pieprasmu tiek aizliegti ar ugunsmal.
Lai nortu kuram attns sists portam spieprasmu izmantojiet opciju
-PT &lt;porta_nummurs&gt;. Noklus pieprasms tiek s uz 80 portu, jo
tas praktiski nekad netiek filtr.
<B>-PS</B> (Ping SYN) - opcija, kas aran tiek izmantota ping pieprasnai. n
ad m CK paketes vietiek s SYN pakete. Akts sists atbild ar RST
paketi (retar SYN|ACK).
<B>-PI</B> (Ping ICMP) - opcija ping pieprasnai izmanto norm ping paketi
(ICMP ECHO). Opcija tiek izmantota, lai mekl akts sists, kr
epareizi konfigurs sists, kuras atj veikt DoS uzbrukumus citsist
m (piemm Smurf).
<B>-PP</B> Izmanto ICMP timestamp pieprasma paketi, lai atrastu akts hos-
tus.
<B>-PM</B> Lidz kPI un -PP, vien at ir netmask pieprasms.
<B>-PB</B> (Ping Both) - Vienlaic izmantot ACK un ICMP pieprasmu.
<B>-O</B> (Operating system detection) - opcija j noteikt attns sists OS
izmantojot t.s. TCP/IP steka "pirkstu nospiedumus". Citiem viem
skaidrojot, Nmap nosieprasmus uz attn sist un sat atbildi salina
to ar savu datub, kura glabs failmap-os-fingerprinting. Ja Nmap
nespnoteikt attns sists OS jums tiek pied ts nos rezult s Nmap
autoram, ja j n attns sists OS un esat piecin, ka Nmap nesp to
atpaz
<B>-I</B> (Ident scan) - Izmanto reverse-ident skan nu. Ident protokols
(RFC 1413) atj uzzintietot vu (username), kuram pieder process,
kurmanto TCP, pat t gadma process nenodibina savienojumu. Piem m
var piesl ies http portam un izmantojot ident uzzinvai serveris
griem root lietot. Tas ir iespms tikai nodibinot "piln " TCP
savienojumu ar skanmsists portu (t.i. nepiecie izmantot arpciju
-sT). Nmap pieprasa identam informju par katru atv o portu.
Protams etode nestrs ja skanmist neuztur ident.
<B>-f</B> (use fragmentation) - pcija izmantojama kopr SYN, FIN, Xmas vai
NULL skannas metodun nor uz vajadz izmantot IP fragment ju ar
mazizm fragmentiem. Skan nas laikCP header tiek sadal pa vairm
paket tj apgrt pakeiltriem, IDS, un tamlm aizsardzs metodnoteikt
ko tu v es dar Lietojiet pciju piesardz. Daogrammas uzkarcenes
sav kopik ss fragmentus.
<B>-v</B> (verbose output) - opciju ir ieteicams lietot, jo t niedz vair
inform ju par to kas paz notiek. Nmap atskaitdetalizk par to ko
viaz dara. Priekel efekta ieteicams to lietot divreiz. Kopr -d
opciju var iegsdetalizko informju.
<B>-h</B> (show help) - izmet Nmap helpu.
<B>-oN</B> <B>&lt;logfilename&gt;</B>
(output Normal) - ieraksta skannas rezults lasnai ormort fail.TP
<B>-oX</B> <B>&lt;logfilename&gt;</B> (output XML) - pcija ieraksta saos datus XML
form
<B>-oG</B> <B>&lt;logfilename&gt;</B>
(output grepable) - pcija ieraksta saos datus nortajailienindi
<B>-oA</B> <B>&lt;basefilename&gt;</B>
output All) - liek Nmap logot rezults izmantojot visas logos
metodes (normal, grepable, un XML).
<B>-oS</B> <B>&lt;logfilename&gt;</B>
thIs l0gz th3 r3suLtS of YouR ScanZ iN a <B>s|&lt;ipT</B> <B>kiDd|3</B> f0rM iNto
THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument ´-´
(wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!
<B>--resume</B> <B>&lt;logfilename&gt;</B>
ja k iemesla desat bijis spiests praukt skannu nospietrl C&gt;, j
rat izmantot pciju, ja skannas rezult ierakst izmantojot opcijas
-oM vai -oN. lai atjaunotu skannu no tvietas, kur prauc Vair
neks papildus opcijas lietot nav nepiecie.
<B>--append_output</B>
liek Nmap rakst rezult s t k tajaailkurmantots iepriek.TP <B>-iL</B>
<B>&lt;inputfilename&gt;</B> (input List) - lasadreses no nortaila. Adresfail
r atdal m ar tuk, ar tab, vai ar &lt;CR&gt;&lt;LF&gt; kombinju (katrs hosts
jaunind
<B>-iR</B> (input Random) - lietojot pciju Nmap skangadma izvtas adreses. s
process vilksies tik ilgi, kamj neapturet. opcija ir noder, lai
veiktu Internet statistiku.
<B>-p</B> <B>&lt;port</B> <B>ranges&gt;</B>
(ports) - pcija nor Nmap, ks portus nepiecie skan Piem. opcija
-p23 liek tam skanskantikai 23 portu. Ja nors ko l opcijai -p
20-30,139,60000-, Nmap skanportus no 20 l 30 ieskaitot, 139
portu un visus portus, kas liel par 60000. Noklus Nmap skanortus
no 1 l 1024.
Skan t TCP un UDP portus tu vari nor t -p
U:53,11,137,T:21-25,139,8080. Lai skan tev nepiecie nort vis-
maz vienu TCP skannas tipu (piem. -sS, -sF, vai -sT). Ja netiek
norts protokols, tad dotie porti tiek skan visos protokolos.
<B>-F</B> <B>(Fast</B> <B>scan)</B> <B>-</B>
nor skantikai tos portus kas norti servisu failiekts kopr Nmap).
<B>-D</B> <B>&lt;decoy1</B> <B>[,decoy2][,ME],...&gt;</B>
use Decoy hosts). - jemap liek attnjai sisti dom ka tiek skan no
vair em hostiem.Tj ir grnoteikt, no kurienes re tiek skan. ir i
efekt metodlai slu savu IP adresi skant.
Jrat nort savu IP adresi kME Tor, kad tiks lietota tava IP
adrese. Piemm, ja tu to ieraksti kesto vai vtk, tad daudzi skan
nas detektori uz attns sists var vispneielogot tavu IP adresi. J
ebilst, ka nor tajiem attnjiem hostiem ir jt piesliem pie ta,
pret gadmrat plogot skanmo sist ar SYN paket J ebilst, ka past
iesp t j noteikt tavu IP adresi, ja tevis nortie attne hosti re
neeksist
Ja tu nor daudzus attns hostus, tas var ievjami palnskannas umu.
iesp var izmantot jebkurkannas veidDavaideri var filtrjaketes, t
j pcija var nedot jums vmos rezults.
<B>-S</B> <B>&lt;IP_Address&gt;</B>
(set Source) - Ja Nmap nesppatstgi noteikt josta ip adresi (viar
to j n, jums ir nepiecie to vinort. Vviens pielietojums opcijai
var bizlikties, ka skanna notiek no citas IP adreses. nadm varat
ieg zult s, ta attn sist dom ka skano tevis nortadreses. i gasm
epiecie lietot opciju -S kopr -e.
<B>-e</B> <B>&lt;interface&gt;</B>
(interface) - nor Nmap, k interfeiss tiks izmantots lai sa u/s
paketes. Nmap parasti pats nosaka, k interfeiss tiek lietots.
<B>-g</B> <B>&lt;portnumber&gt;</B>
nor porta numuru uz tava datora, kuru Nmap izmatos skannai.
Daudzi pakeiltri vai ugunsmaii DNS paketes (53 ports)un FTP-DATA
(20 ports) t j atjot nodibin savienojumu ar attn aizsarg sist.
Skant UDP portus Nmap no sma izmna 53 portu, pam 20 poru. Skan t
TCP portus - otrk.
<B>--data_length</B> <B>&lt;number&gt;</B>
Parasti Nmap s azi paketes, kuras satur tikai header informju.
opcija atj tpalielintj palnot skannas umu, tasamazinot iesp ka j
kannu k paman
<B>-n</B> nor , lai Nmap nekad nenoteiktu DNS IP adres kuras tas atrod.
opcija var painskannu.
<B>-R</B> nor, lai Nmap vienmnoteiktu atrasto IP adreNS.
<B>-r</B> (randomize off) - Nmap skanisus portus noteiktec katrai skan mai
sisti.
<B>--randomize_hosts</B>
Nor lai Nmap skanttn sist portus neregul. Piem. vienai sisti tas
noskan3 portu otrai sisti noskan65 portu, tad atkal pirmajai
sisti 45 utt. Tj ir iespms skan2048 sists vienlaic.
<B>-M</B> <B>&lt;max</B> <B>sockets&gt;</B>
(Max sockets) - nor maksim soketu skaitu, kas tiks izmantots
paral skant ar TCP connect() metodi. Tj var izvair es no att n
sist nokanas. Var izmantot ar-sS opciju, jo SYN paketes jebkura
OS "pacieiegl
<B>LAIKA</B> <B>IESTANA</B>
Parasti Nmap automski nosaka k laika interv tiks ss paketes un
notiks skan na. s opcijas paredz, gan lai palielin skannas umu,
gan lai samazin kas, gan lai paln umu un samazin iesp attns sist
s administrrfiksskannas mnmu.
<B>-T</B> <B>&lt;Paranoid|Sneaky|Polite|Normal|Aggressive|Insane&gt;</B> <B>(Timing</B> <B>options)</B> <B>-</B>
<B>opcija</B> <B>tiek</B> <B>izmantota,</B> <B>lai</B> <B>regulskannas</B> <B>umu.</B>
<B>Paranoid</B> <B>re</B> <B>iek</B> <B>izmantots</B> <B>tad,</B> <B>ja</B> <B>ir</B> <B>liela</B> <B>iespm,</B> <B>ka</B> <B>uz</B> <B>attns</B>
<B>sists</B> <B>ir</B> <B>uzstts</B> <B>IDS.</B> <B>nadmkanna</B> <B>noris</B> <B>i</B> <B>l.</B> <B>Paral</B> <B>skan</B> <B>na</B> <B>netiek</B>
<B>izmantota.</B> <B>Pakete</B> <B>tiek</B> <B>izs</B> <B>kinimums</B> <B>ar</B> <B>5</B> <B>minnterv.</B> <B>Sneaky</B>
re r l Paranoid re Tas saketes ar 15 sekunerv. <B>Polite</B> reiek
izmantots gadmos, kad ir vajadz samazinta noslogot l minimumam.
n e aketes tiek ss ar minim interv 0,4 sekundes. <B>Normal</B> remap
izmanto noklus. neiek nodrots maksim iespmo umu, tajaaik enoslo-
gojot t u un cenes izvaires no kskannas gait.B Aggressive reiek
uzstts 5 minkannas limits katram hostam, un Nmap nekad negaida
ilg par 1,25 sekundi uz atbildi. <B>Insane</B> rer ieteicams tikai
priekti iem tiem, vai arad ja tu vari samierines ar iespmk sk s
noris Tiek uzst ts 75 sekunits katram hostam un tiek gaid tikai
0.3 sekundes uz atbildi.
Katram reir piesaist nummurs. Piem. opcija -T0 apz paranoid re
bet -T5 - Insane
<B>--host_timeout</B> <B>&lt;milliseconds&gt;</B>
Uzst laiku, nort Nmap cik ilgs laiks tiek atvts priekena hosta
pilns noskannas. Noklus parametrs netiek izmantost. Nmap sskan n
ostu ptam, kad pabeidzis skaniepriek.
<B>--max_rtt_timeout</B> <B>&lt;milliseconds&gt;</B>
(maximal round-trip time timeout) - Maksimis laiks, cik ilgi
Nmap gaiduz nos pieprasma atbildi, ptam nosjaunu, vai p raucot
gaidnu. Standartas ir nostts uz 9000 milisekund
<B>--min_rtt_timeout</B> <B>&lt;milliseconds&gt;</B>
Minim is laiks, cik ilgi Nmap gad uz nos pieprasma atbildi.
opcija var painskannas umu, tavar tika pazauds paketes.
<B>--initial_rtt_timeout</B> <B>&lt;milliseconds&gt;</B>
Nor vid laiku, cik ilgi Nmap gaidnos pieprasma atbildi. Parasti
pciju izmanto, kad tiek skans sists kas tiek aizsargs ar ugunsm
Parasti Nmap ielumu nosaka automski ppirmo ps pieprasmu noteik .
Standartas ir 6000 milisekundes
<B>--max_parallelism</B> <B>&lt;number&gt;</B>
Uzst skaitu cik daudz paketes tiks ss paral. Ja parametrs tiek
norts k tad tas noz, ka Nmap nekad neskan vair par vienu portu
reiz
<B>--scan_delay</B> <B>&lt;milliseconds&gt;</B>
Nor minim laiku, cik ilgi Nmap gaidstarp pieprasmu nosnu.
opcija j minim noslogot tu un/vai izvaires no skannas paman nas
uz attns sists.
<B>SKANAMMNORANAS</B> <B>IESPAS</B>
Visu, kas nav opcijas vai to argumenti, Nmap piekdresi vai attns
sists DNS. Viselementkais veids kort skanmo hostu, ir, nor t to
aiz opcij Ja j laties noskan subnetu, jums nepiecie nort
parametru /&lt;mask&gt; pskanmsists DNS vai ip adreses. Subneta
masku var nort s veidos:
Nmap t pa eid t j nor t ip adreses izmantojot sarakstu, vai ariapazonu
katram telementam. Piem. ir vajadznoskan B klases subnetu ar adresi
128.210.*.*. To iespms nort sekojoveidos:
128.210.*.*
128.210.0-255.0-255
128.210.1-50,51-255.1,2,3,4,5-255
128.210.0.0/16
Visas komandas ir vien s. Ja jmantojat *, tad vairmhellos nepieciet
atdalar vai apostrofu. Vviens piem: Ja jrt adresi form *.*.5.6-7 ,
tad Nmap noskanvisas ip adreses, kas beidzas ar .5.6 vai .5.7
</PRE>
<H2>PIEMI</H2><PRE>
<B>nmap</B> <B>-v</B> <B>target.example.com</B>
Nor skan visus atvos portus hostam target.example.com. Opcija -v atj
novt skannas procesu detalizk.
<B>nmap</B> <B>-sS</B> <B>-O</B> <B>target.example.com/24</B>
Visi 255 kompji ar C klases adres no kur viens ir target.example.com
tiks noskan izmantojot SYN skannas metodi. Vtiks noteikta OS kas grie
sistm. Lai izmantotu etodi jums nepiecies root tiess.
<B>nmap</B> <B>-sX</B> <B>-p</B> <B>22,53,110,143,4564</B> <B>198.116.*.1-127</B>
Nmap skanpirmo pusi ar adres(0-127) katro 255 B klases subnetiem ar
Xmas skannas metodi ip zon28.210.*.*. jos hostos tiks konstat sshd (22
ports), DNS (53), pop3 (110), imapd (143) un 4564 portu pieejam. V tos
piev t uzman faktam, ka Xmas skannas metodi nevar izmantot sistm, kuras
grie WinOS, CISCO, IRIX, HP/UX un BSDI.
<B>nmap</B> <B>-v</B> <B>--randomize_hosts</B> <B>-p</B> <B>80</B> <B>´*.*.2.3-5´</B>
Nmap meklvisus kompjus ar IP adres kuras beidzas ar .2.3, .2.4 un .2.5.
Ja jums ir root tiess, tad jrpie reizes aroskanportus izmantojot opciju
-sS. Jrat atrast daudz interesantas sists skant diapazonu 127-222.*.*
<B>host</B> <B>-l</B> <B>company.com</B> <B>|</B> <B>cut</B> <B>´-d</B> <B>´</B> <B>-f</B> <B>4</B> <B>|</B> <B>./nmap</B> <B>-v</B> <B>-iL</B> <B>-</B>
Atrast eksist hostus dom company.com, nodot Nmap to adreses. komanda
str GNU/Linux OS. Ja izmantojat citu OS jums var bjadz rakstto savk.
</PRE>
<H2>IESPAM KDAS</H2><PRE>
Ja jdmonstatt ks kas Nmap darb, lpaziet par to autoram
</PRE>
<H2>AUTORS</H2><PRE>
Fyodor <I>&lt;fyodor@insecure.org&gt;</I> <I>http://www.insecure.org/nmap/</I>
<I>nmap</I> is (C) 1995-2001 by Insecure.Com LLC
This program is free software; you can redistribute it and/or modify it
under the terms of the GNU General Public License as published by the
Free Software Foundation; Version 2. This guarantees your right to
use, modify, and redistribute Nmap under certain conditions. If this
license is unacceptable to you, Insecure.Org may be willing to sell
alternative licenses (contact fyodor@insecure.org).
Source is provided to this software because we believe users have a
right to know exactly what a program is going to do before they run it.
This also allows you to audit the software for security holes (none
have been found so far).
Source code also allows you to port Nmap to new platforms, fix bugs,
and add new features. You are highly encouraged to send your changes
to fyodor@insecure.org for possible incorporation into the main distri-
bution. By sending these changes to Fyodor or one the insecure.org
development mailing lists, it is assumed that you are offering Fyodor
the unlimited, non-exclusive right to reuse, modify, and relicense the
code. This is important because the inability to relicense code has
caused devastating problems for other Free Software projects (such as
KDE and NASM). Nmap will always be available Open Source. If you wish
to specify special license conditions of your contributions, just say
so when you send them.
This program is distributed in the hope that it will be useful, but
<B>WITHOUT</B> <B>ANY</B> <B>WARRANTY;</B> without even the implied warranty of <B>MER-</B>
<B>CHANTABILITY</B> or <B>FITNESS</B> <B>FOR</B> <B>A</B> <B>PARTICULAR</B> <B>PURPOSE.</B> See the GNU General
Public License for more details (it is in the COPYING file of the <I>nmap</I>
distribution).
It should also be noted that Nmap has been known to crash certain
poorly written applications, TCP/IP stacks, and even operating systems.
<B>Nmap</B> <B>should</B> <B>never</B> <B>be</B> <B>run</B> <B>against</B> <B>mission</B> <B>critical</B> <B>systems</B> unless you
are prepared to suffer downtime. We acknowledge here that Nmap may
crash your systems or networks and we disclaim all liability for any
damage or problems Nmap could cause.
Because of the slight risk of crashes and because a few black hats like
to use Nmap for reconnaissance prior to attacking systems, there are
administrators who become upset and may complain when their system is
scanned. Thus, it is often advisable to request permission before
doing even a light scan of a network.
Nmap should never be run with privileges (eg suid root) for security
reasons.
This product includes software developed by the Apache Software Founda-
tion (http://www.apache.org/). The <I>Libpcap</I> portable packet capture
library is distributed along with nmap. Libpcap was originally copy-
righted by Van Jacobson, Craig Leres and Steven McCanne, all of the
Lawrence Berkeley National Laboratory, University of California, Berke-
ley, CA. It is now maintained by http://www.tcpdump.org .
Latviski manu pulkojis m|sc (misc@inbox.lv) (Var gades daki teksttako
lai dara, ja latviealodav norm datortermini.)
<B>NMAP(1)</B>
</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>

775
docs/nmap_manpage-pt.html Normal file

@@ -0,0 +1,775 @@
<HTML>
<HEAD>
<TITLE>Nmap network security scanner man page (Portuguese translation)</TITLE>
</HEAD>
<BODY>
<H1>Nmap network security scanner man page (Portuguese translation)</H1>
<HR>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
<B>NMAP(1)</B> <B>NMAP(1)</B>
</PRE>
<H2>NOME</H2><PRE>
nmap - Ferramenta de explora de rede e scanner de seguran
</PRE>
<H2>SYNOPSIS</H2><PRE>
<B>nmap</B> [Tipo(s) de Scan] [Ops] &lt;computador ou rede #1 ... [#N]&gt;
</PRE>
<H2>DESCRICAO</H2><PRE>
<I>Nmap</I> rojetado para permitir aos administradores de sistemas e indivos
curiosos explorar grandes redes para determinar quais computadores est
ativos e quais servi sfornecidos. <I>Nmap</I> suporta um grande n de ticas de
scan, como: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce
attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree,
SYN sweep, IP Protocol, and Null scan. Veja as ses de <I>Tipos</I> <I>de</I> <I>Scan</I>
para maiores detalhes. Nmap, tamb oferece um n de avanas caractericas,
como: detec remota do SO via TCP/IP fingerprinting, stealth scanning,
dynamic delay e retransmission calculations, scanning paralelo, detec
de hosts inativos atravde pings paralelos, decoy scanning, detec de
portas filtradas, scanning direto de RPC (nportmapper), fragmentation
scanning e flexibilidade do alvo e especifica de porta.
Esfor significantes tem sido gastos na performance do nmap para usu os
comuns, usuos nroot. Infelizmente, vas interfaces crcas do kernel (como
os sockets raw) requerem privilos de root. Nmap deve ser executado como
root sempre que possl.
O resultado da execu do nmap sualmente uma lista de portas interes-
santes na(s) mina(s) sendo explorada(s). Nmap sempre fornece o nome do
servi o n , o estado, e o protocolo das portas "bem conhecidas". O
estado pode ser tanto aberto (open), filtrado(filtered) ou n fil-
trado (unfiltered). Aberto significa que a mina alvo aceitaraccept())
conexna porta. Filtrado significa que o firewall, filtro ou outro obst
lo da rede estobrindo a porta e prevenindo o nmap de determinar quando
a porta estberta. Nfiltrado significa que a porta onhecida pelo nmap
para estar fechada e nenhum firewall/filtro parece estar interferindo
com a tentativa de determina-lelo nmap. Portas n filtradas s um caso
comum e smostradas, somente, quando a maioria das portas exploradas est
no estado filtrado.
Dependendo da op usada, o nmap pode, tamb reportar as seguintes
caracter icas do host remoto: SO em uso, sequenciabilidade do TCP, os
nomes dos usuos executando os programas em determinadas portas, o nome
DNS, quando um host tem um endereco de smurf, e vas outras.
</PRE>
<H2>OPES</H2><PRE>
Op s que juntamente fazem sentido podem geralmente ser combinadas. Vas
ops sespeccas para certos modos de scan. <I>Nmap</I> tenta capturar e avisar
o usuo sobre erros ou combinas nsuportadas de ops.
Se vocstmpaciente, vocode ir direto para a se de <I>exemplos</I> no final, os
quais demonstram o uso comum do nmap. Vocode, tamb executar <B>nmap</B> <B>-h</B>
para uma rda pna de referia, a qual lista todas as ops.
<B>TIPOS</B> <B>DE</B> <B>SCAN</B>
<B>-sT</B> TCP connect() scan: Esta mais bca forma de TCP scanning. A
chamada de sistema, connect(), provida pelo seu sistema opera-
cional sada para abrir uma conexpara toda porta interessante na
mina. Se a porta esto estado listening, connect() irer sucesso,
por outro lado a porta nserlcana. Uma grande vantagem desta tica
ue vocprecisa de nenhum privilo especial. Qualquer usuo em UNIX
estivre para usar esta chamada.
Este tipo de scan acilmente detectl pelo log do host alvo, o
qual mostrar grupo de conexe mensagens de erro para os servi os
quais aceitam, accept(), a conexsomente para ta imediatamente
desligada.
<B>-sS</B> TCP SYN scan: Esta tica uito conhecida como "half-open" scan-
ning, porque nabre uma conexTCP completa. enviado um pacote com
o flag SYN setado, como se fosse abrir uma conexreal e sperado
pela resposta. Uma resposta SYN/ACK indica que a porta esto
estado listening. O flag RST ma indica de estado nlistening. Se
o flag SYN/ACK ecebido, o flag RST mediatamente enviado para
encerrar a conex(atualmente o n do SO faz isso por n A principal
vantagem desta t ica de scanning ue poucos sites irregistra-lo
arquivo de log. Desafortunadamente ecesso privilos de super usuo
(root) para construir estes pacotes SYN customizados.
<B>-sF</B> <B>-sX</B> <B>-sN</B>
Modos Stealth FIN, Xmas Tree, ou Null scan: Algumas vezes nem
mesmo a tica SYN scanning landestina suficiente. Vos firewalls e
filtros de pacotes observam por SYNs para portas restritas, e
programas como Synlogger e Courtney estdispon is para detectar
este tipo de scan. Por outro lado, scans avanos (stealth FIN,
Xmas Tree, ou Null scan), podem ser capazes de passar atrav
destes filtros sem serem molestados.
A id ue portas fechadas sexigidas por responder aos pacotes de
teste com um RST, enquanto portas abertas precisam ignorar os
pacotes em quest(veja RFC 793 pp 64). A tica de scan FIN utiliza
o limitado pacote FIN como teste, enquanto a tica de scan Xmas
Tree seta os flags FIN, URG e PUSH. A tica de scan Null nseta
nenhum flag. Desafortunadamente a Microsoft (como usual) decidiu
completamente ignorar o padre faz as coisas do seu pro jeito.
Enteste tipo de scan nfuncionarontra sistemas executando Win-
dows95/NT. Do lado positivo, est uma a maneira de distinguir
entre duas plataformas. Se o scan encontrar portas abertas, ossl
saber que a mina nutiliza o Windows. Se as ticas de scan -sF,
-sX ou -sN mostram todas as portas fechadas, mesmo assim a t ica
de scan SYN (-sS) mostra portas sendo abertas, vocoderstar
olhando para uma mina Windows. Esta maneira menos usada pelo
nmap para testar a detec do SO. Exitem, tamb alguns outros sis-
temas que sdescobertos da mesma maneira que descobrimos o win-
dows. Estes incluem Cisco, BSDI, HP/UX, MVS, and IRIX. Todos
acima enviam resets (RST) de portas abertas quando estes devem,
somente, descartar o pacote.
<B>-sP</B> Ping scanning: Algumas vezes vocomente quer saber quais os hosts
da rede estativos. O Nmap pode fazer isso enviando um pacote de
requisi ICMP (ICMP echo request) para todo endereIP especificado
da rede. Os hosts que respondem estvivos. Desafortunadamente, v
os sites, como a microsoft.com, bloqueiam pacotes de requisi
ICMP (echo request). Ent o nmap pode, tamb enviar um pacote ACK
TCP para (por defini) a porta 80. Se negarmos o flag RST nova-
mente, a mina esta viva. A terceira t ica envolve o envio de
pacotes SYN e a espera pelo pacote com o flag RST ou os flags
SYN/ACK. O mdo connect() sado por usuos comuns (nroot).
Por defini (para super usuos), o nmap usa tanto as ticas do ICMP
e a do flag ACK em paralelo. Vocode mudar as <B>-P</B> ops descritas
mais a frente.
Note que o ping, por defini, eito de qualquer forma, e somente
os hosts que respondem sscanneados. Somente use esta op se voc
esejar vasculhar <B>sem</B> fazer qualquer scan real de portas.
<B>-sU</B> UDP scans: Este mdo sado para determinar quais portas UDP (User
Datagram Protocol, RFC 768) estabertas no host. A tica implica
em enviar 0 bytes de dados de pacotes UDP para cada porta da m
ina alvo. Se necebermos uma mensagem de ICMP port unreachable
(porta ICMP nalcana), enta porta estechada. Por outro lado n
ssumimos que a porta estberta.
V as pessoas pensam que a tica UDP scanning upluo. Eu, usual-
mente, lembro desta como uma recente falha no rpcbind do
Solaris. O Rpcbind pode ser encontrado escondido em uma porta
UDP ndocumentada em algum lugar acima de 32770. Entnimporta que
a porta 111 esteja bloqueada por um firewall. Por vocode encon-
trar quais as portas altas, maiores de 30.000, que estno estado
listening? Com o scanner UDP vocode! Existe, tamb o programa cDc
Back Orifice backdoor o qual se oculta em uma porta UDP configur
l em minas Windows. Alguns servi comumente vulneris que utilizam
o UDP s snmp, tftp, NFS, etc.
Desafortunadamente UDP scanning lgumas vezes, dolorosamente,
vagarosa desde que a maioria dos hosts implementam a sugestda
RFC 1812 (se 4.3.2.8) de limitar a taxa de mensagens de erro
ICMP. Por exemplo, o n do Linux (em net/ipv4/icmp.h) limita a
gera de mensagens de destination unreachable para 80 por 4
segundos, com 1/4 segundos de penalidade se esta for excedida. O
Solaris tem um limite muito mais restrito (mais ou menos 2 men-
sagens por segundo) e assim gasta um tempo maior para realizar o
scan. <I>Nmap</I> detecta esta taxa limitante e reduz conformemente,
por outro lado inunda a rede com pacotes sem uso que irser igno-
rados pela mina alvo.
Como co, a Microsoft ignorou a sugestda RFC e nparece ter feito
nenhuma taxa limitante por completo no Win95 e no NT. Entossl
scannear, <B>rapidamente</B> , todas as portas de 64K das m inas win-
dows. Beleza!
<B>-sO</B> Scan do Protocolo IP: Este mdo sado para determinar quais proto-
colos IPs susados no host. A tica consiste em enviar pacotes IP
raw sem promover nenhum cabeho para cada protocolo especco na m
ina alvo. Se necebermos uma mensagem do protocolo ICMP unreach-
able, ent o protocolo nestendo usado. Por outro lado nssumimos
que estberto. Note que vos hosts (AIX, HP-UX, Digital UNIX) e
firewalls podem n enviar mensagens de protocolo unreachable.
Assim faz parecer que todos os protocolos est"abertos".
Isso porque a tica implementada uito similar ao scanning da
porta UDP, onde a taxa limite de ICMP pode ser aplicada tamb Por
o campo do protocolo IP tem somente 8 bits, entno mmo 256 proto-
colos podem ser testados, os quais devem ser possis de serem
testados em tempo razol.
<B>-sA</B> ACK scan: Este mdo avano sualmente usado para mapear o conjunto
de regras de um firewall. Em particular, esta pode ajudar a
determinar quando um firewall tateful ou somente um filtro de
pacotes simples que bloqueia pacotes SYN de chegada.
Este tipo de scan envia pacotes com o flag ACK setado para uma
porta especca. Se um RST voltar, a porta lassificada como "nfil-
trada". Se nvoltar nada ou um ICMP unreachable voltar, a porta
lassificada como "filtrada". Note que o <I>nmap</I> usualmente nimprime
portas "n filtradas", obtendo, assim, <B>nenhuma</B> porta mostrada na
sa sualmente um sinal que todos os testes foram suscedidos (e
retornado RSTs). Esta tica de scan nunca irobviamente, mostrar
portas no estado "aberto".
<B>-sW</B> Window scan: Este scan avano uito similar ao ACK scan, exceto
que as vezes pode ser possl detectar portas abertas mesmo sendo
filtradas, isso devido a anomalia do tamanho da janela TCP
reportado por vos sistemas operacionais. Sistemas vulneris para
isso incluem no mmo vas versdo AIX, Amiga, BeOS, BSDI, Cray,
Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2,
IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS
4.X, Ultrix, VAX, and VxWorks. Vejam no arquivo, na lista de
discussnmap-hackers, a lista completa.
<B>-sR</B> RPC scan. Este mdo trabalha em combina com vas ticas de scan de
portas do Nmap. Ele pega todas as portas TCP/UDP encontradas
abertas e inunda elas com comandos NULL de programas SunRPC numa
tentativa de determinar quando elas sportas RPC, e se s qual
programa e versdos servi. Com este mdo vocode efetivamente obter
a mesma informa como se usasse rpcinfo -p mesmo se o portmap-
per alvo estiver atrde um firewall (ou protegido pelo TCP wrap-
pers). Decoy n trabalha correntemente com RPC scan, em algum
ponto eu posso adicionar o suporte decoy para UDP RPC scans.
<B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>host&gt;</B>
FTP bounce attack: Uma interessante "caracterica" do protocolo
ftp (RFC 959) ustentada para conex ftp "proxy". Em outras
palavras, eu devo ser capaz de conectar do evil.com para um
servidor FTP, target.com, e requerer que o servidor envie um
arquivo para qualquer lugar na internet! Isto pode ter sido
explorado bem em 1985 quando a RFC foi escrita. Porna internet
hoje, npodemos ter pessoas hijacking servidores ftp e requisi-
tando que os dados sejam jogados para arbitros pontos na inter-
net. Como *Hobbit* escreveu em 1995, este protocolo torna in
"pode ser usado para portar virtualmente ndeterminis emails ou
news, forjando em servidores vos sites, preenchendo discos, ten-
tando saltar firewalls, e geralmente sendo aborrecido, ficando,
assim, difl seguir a pista ao mesmo tempo." O que nremos explo-
rar disto scan de portas TCP do servidor "proxy" de ftp. Entvoc
ode conectar a um servidor ftp atrdo firewall, e ent scannear
portas que est mais prov lmente bloqueadas (139 ma boa). Se o
servidor ftp permitir ler de e escrever para algum diret (como
/incoming), vocode enviar dados arbitros para portas que vocchar
abertas (nmap nfaz isso por voc
Os argumentos passados para a op b host que vocuer usar como
proxy, na nota de padr URL. O formato .I username:pass-
word@server:port. Tudo, menos o <I>server</I> pcional. Para determi-
nar quais servidores svulneris para este ataque, vocode ver meu
artigo em <I>Phrack</I> 51. A versatualizada est ispon l em <I>nmap</I> URL
(http://www.insecure.org/nmap).
<B>OPES</B> <B>GERAIS</B>
Nenhuma destas srequeridas, poralgumas podem ser absolutamente
proveitosas.
<B>-P0</B> Pinga os hosts antes de scanneos. Isto permite scannear as redes
que n permitem ICMP echo requests (ou responses) atravdos seus
firewalls. microsoft.com m exemplo desta rede, e entvoceve sem-
pre usar <B>-P0</B> ou <B>-PT80</B> quando portscanning microsoft.com.
<B>-PT</B> Use TCP "ping" para determinar quais hosts estativos. Ao invez
de enviar pacotes ICMP echo request e esperar pelas respostas, n
nviamos pacotes TCP ACK por toda parte na rede alvo (ou para uma
simples mina) e entesperamos por respostas. Hosts que est ativos
devem responder com um RST. Esta op preserva a eficiia de
somente scannear hosts que est ativos, enquanto ainda permite
scannear redes/hosts que bloquearam pacotes ping. Para usuos n
root, sado o connect(). Para setar a porta destino dos pacotes
de teste usem -PT&lt;n da porta&gt;. A porta default 0, desde que est
orta uitas vezes nfiltrada.
<B>-PS</B> Estp usa pacotes com SYN (connection request) ao invez de
pacotes com ACK para usu os root. Hosts que estativos devem
responder com RST (ou, raramente, um SYN|ACK).
<B>-PI</B> Estp usa um pacote ping verdadeiro (ICMP echo request). Esta
encontra os hosts que estativos e tambprocura por um enderede
broadcast para a subrede da sua rede. Estes sendere IPs que s
externamente alcaneis e traduzidos para broadcast de pacotes IP
de chegada para uma subrede de computadores. Estes devem ser
eliminados se encontrado, como ele permitem por numerosos
ataques de nega de servi(DoS) (Smurf mais comum).
<B>-PB</B> Este tipo de ping default. Ele usa tanto pacotes com ACK ( <B>-PT</B>
) e pacotes ICMP ( <B>-PI</B> ) sweeps em paralelo. Desta maneira voc
ode obter os firewalls que filtram cada uma (pornambas).
<B>-O</B> Esta op ativa a identifica de hosts remotos via TCP/IP finger-
printing. Em outras palavras, ela usa uma grande quantidade de t
icas para detectar sutilezas na pilha de rede do sistema opera-
cional do computador que vocstcanneando. Ele usa estas informas
para criar a fingerprint a qual omparada com sua base de dados
de conhecidos fingerprints de SOs (o arquivo nmap-os-finger-
prints) para decidir qual o tipo de sistema que vocstscanneando.
Se o Nmap estesabilitado para resolver o SO da mina, e as condis
sboas (ex. ao menos uma porta aberta), Nmap irrover a URL que
voc ode usar para submeter a fingerprint se voconhecer (com
certeza) o SO sendo executado na m ina. Por fazer isso voc
ontribui para o conjunto de sistemas operacionais conhecidos
pelo nmap e entserais correto para todos.
A op -O tambpossibilita classificar e fazer o prognostico da
sequ ia TCP. Esta ma medida que descreve aproximadamente qual a
dificuldade em estabelecer uma conexTCP forjada contra um host
remoto. Esta til para explorar o IP de origem baseado na rela
de confian(rlogin, firewall filters, etc) ou por esconder a
origem do ataque. O n difficulty mostrado aseado em uma simples
amostra estatica e pode variar. Este n eralmente melhor apresen-
tado como uma frase em Inglcomo "worthy challenge" ou "trivial
joke".
<B>-I</B> Esta ativa o scanning do ident reverso TCP. Como notado por Dave
Goldsmith em 1996 na mensagem para a Bugtraq, o protocolo ident
(rfc 1413) permite revelar o username dos donos dos processos
conectados via TCP, mesmo se estes processos niniciaram a conex
Entvocode, por exemplo, conectar a porta http e entusar o identd
para encontrar quando o servidor estendo executado como root.
Isto pode somente ser feito com uma conex TCP completa para a
porta alvo (ex.: a op de scanning -sT). Quando <B>-I</B> sada, o identd
do host remoto esquisado para cada porta aberta encontrada.
Obviamente isso nfunciona se o host nestiver rodando o identd.
<B>-f</B> Esta op requere os flags SYN, FIN, XMAS, ou NULL scan para usar
cuidadosos pacotes IP fragmentados. A id ividir o cabe ho TCP
sobre vos pacotes para ficar difl para o filtro de pacotes, sis-
temas de detec de intrus e outros aborrecimentos para detectar o
que voc st azendo. Seja cuidadoso com isso! Vos programas tem
preocupas lidando com estes cuidadosos pacotes. Enquanto este m
do n obtem pacotes filtrados e firewalls que enfileram todos os
fragmentos IP (como a op CONFIG_IP_ALWAYS_DEFRAG no kernel do
linux), v as redes nconseguem assegurar o golpe de performance
que este fato causa, entelhor deixar este desabilitado.
Note que esta op, ainda, nesta funcionando em todos os sistemas.
Esta funciona bem para o Linux, FreeBSD, e OpenBSD e outras pes-
soas tem reportado sucessos com outras varias *NIX.
<B>-v</B> Modo Verbose. Esta ma op altamente recomendada e fornece mais
informa s sobre o que esta acontecendo. Vocode usa duas vezes
para um melhor efeito. Use <B>-d</B> em conjunto se vocealmente quiser
ficar louco com a quantidade de informas na tela!
<B>-h</B> Esta c a op mostra uma rda tela de referia das ops usadas no
nmap. Como voceve ter notado, estan page n xatamente uma r da
referia :o)
<B>-oN</B> <B>&lt;logfilename&gt;</B>
Este log mostra o resultado do seu scan em uma forma <B>humanamente</B>
<B>legl</B> no arquivo que vocspecificou como argumento.
<B>-oX</B> <B>&lt;logfilename&gt;</B>
Este log mostra o resultado do seu scan na forma de <B>XML</B> no
arquivo que vocspecificou como argumento. Isto permite aos pro-
gramas facilmente capturar e interpretar os resultados do Nmap.
Voc ode fornecer o argumento ´-´(sem quotas) para colocar em uma
stdout (para shell pipelines, etc). Neste caso uma sa normal ser
uprimida. Tomar cuidado para as mensagem de erro se vocsta
usando esta (elas, ainda, irpara stderr). Tamb note que ´-v´
pode causar algumas informas extras para ser impressas.
<B>-oG</B> <B>&lt;logfilename&gt;</B>
Este log mostra o resultado do seu scan na forma do <B>grepable</B> no
arquivo que vocspecificou como argumento. Este simples formato
prov odas as informas em uma linha (entvocode facilmente usar o
grep para portas ou obter informas de SOs e ver todos os endere
IPs). Este mecanismo preferido pelos programas para interagir
com o Nmap, poragora ecomendado usar a sa em XML (-oX). Este
simples formato pode nconter tantas informas quanto os outros
formatos. Vocode fornecer o argumento ´-´(sem quotas) para colo-
car em uma stdout (para shell pipelines, etc). Neste caso uma sa
normal seruprimida. Tomar cuidado para as mensagem de erro se
voc sta usando esta (elas, ainda, irpara stderr). Tamb note que
´-v´ irornecer vas informas extras para ser impressas.
<B>-oS</B> <B>&lt;logfilename&gt;</B>
thIs l0gz th3 r3suLtS of YouR ScanZ iN a <B>s|&lt;ipT</B> <B>kiDd|3</B> f0rM iNto
THe fiL3 U sPecfy 4s an arGuMEnT! U kAn gIv3 the 4rgument ´-´
(wItHOUt qUOteZ) to sh00t output iNT0 stDouT!@!!
<B>--resume</B> <B>&lt;logfilename&gt;</B>
O scan de rede que ancelado devido a um control-C, interrup da
rede, etc. pode ser resumido usando esta op. O logfilename pre-
cisa ser normal (-oN) ou parsable na mina (-oM) para registrar o
scan abortado. Nenhuma outra op pode ser usada. Nmap comea mina
depois que a a foi scanneada com sucesso e armazenada no arquivo
de log.
<B>-iL</B> <B>&lt;inputfilename&gt;</B>
feita a leitura de um arquivo alvo especificado na linha de
comando. O arquivo deve conter uma lista de hosts ou express de
rede separados por espa, tabs, ou novas linhas. Use o hn (-)
como <I>inputfilename</I> se vocuisesse que o nmap leia expressdo hosts
de stdin (como no final do pipe). Veja a se <I>especifica</I> <I>do</I> <I>alvo</I>
para maiores informas nas expressque vocreenchero arquivo.
<B>-iR</B> Esta op fala para o Nmap para gerar seus pros hosts para scann-
ear, usando simplesmente ns randomicos :o). Isso nunca irermi-
nar. Isso pode ser muito para tirar amostras estaticas da inter-
net para estimar vas coisas. Se vocunca estiver realmente ente-
diado, tente <I>nmap</I> <I>-sS</I> <I>-iR</I> <I>-p</I> <I>80</I> para encontrar v os servidores
web para observar.
<B>-p</B> <B>&lt;port</B> <B>ranges&gt;</B>
Esta op especifica quais portas vocuer para descrever. Por exem-
plo -p 23 irentar somente a porta 23 do host(s) alvo. ´-p
20-30,139,60000-´ ir cannear portas entre 20 e 30, porta 139, e
todas as portas maiores que 60000. Por defini ara scannear todas
as portas entre 1 e 1024 tbem quanto qualquer porta listada no
arquivo de servi o qual vem com o nmap. Para o scan de protoco-
los IP (-sO), especifica o n do protocolo que voceseja para
(0-255).
<B>-F</B> <B>Modo</B> <B>de</B> <B>scan</B> <B>rdo.</B>
Especifica que vocomente deseja scannear por portas catalogadas
no arquivo services o qual vem com o nmap (ou o arquivo de pro-
tocolos para -sO). Este bviamente muito mais rdo do que scannear
todas 65535 portas no host.
<B>-D</B> <B>&lt;decoy1</B> <B>[,decoy2][,ME],...&gt;</B>
O processo de decoy scan serxecutado fazendo ele mostrar-se para
o host remoto que o(s) host(s) que vocspecificou como decoys est
scanneando a rede alvo tamb Entseus IDS precisarreportar 5-10
scan de portas de um endereIP, poreles nsaberqual o endere IP
que os estava scanneando e quais eram os decoys inocentes.
Enquanto isto pode ser descoberto atravde uma rota, respostas
soltas, e outras mecanismos ativos, este eralmente uma tica
extremamente efetiva para esconder seu endereIP.
Separando cada decoy host com vulas, vocode usar opcionalmente
ME como um dos decoys para representar a posi que vocuer seu
endereIP para ser usado. Se vocolocar ME na sexta posi ou
outra maior, vas detectores comuns de scan de portas nserrazois
para mostrar seu endereIP por completo. Se vocusar ME, o nmap
irolocar vocm uma posi randomica.
Note que os hosts que vocsa como decoys devem estar ativos ou
vocrecisarcidentalmente inundar com pacotes SYN seu alvo. Tamb
ele ser uito f l para determinar quais hosts estscanneando se
somente um esttualmente ativo na rede. Voc ever uerer usar o
endere IP ao invez de nomes (entredes decoy nirver vocm seus
nameserver logs).
Tamb note que vos (ests) "detectores de scan de portas" ir fire-
wall/deny roteamento para hosts que tentam fazer o scan de por-
tas. Entvocrecisa descuidadosamente causar a perda de conexda m
ina que vocstcanneando com a mina decoy que vocsta usando. Isto
pode causar maiores problemas para a mina alvo se o decoy est
endo usado, digo, seu internet gateway ou atlocalhost". Entvoc
ode querer ser cuidadoso com esta op. A real moral da hist ue os
detectores de scan de portas spoofable ndevem gastar as contra a
mina que parece estar scanneando suas portas. Este pode ser
somente um decoy, ou seja, uma isca, uma armadilha!
Decoys s usados tanto em ping scan inicial (usando ICMP, SYN,
ACK, ou o que seja) e durante a fase de atual scanneamento de
porta. Decoy stambusados durante a detec remota de SO ( <B>-O</B> ).
Este m digno registrador que usa vos decoys que podem atrasar
seu scan e potencialmente atazer este menos preciso. Tamb v os
ISPs filtram pacotes spoofed, embora vos (correntemente a maio-
ria) nrestrigem pacotes IP spoofed por inteiro.
<B>-S</B> <B>&lt;IP_Address&gt;</B>
Em vas circunstias, <I>nmap</I> pode n ser capaz de determinar seu
endere de origem ( <I>nmap</I> irviso se este caso). Nesta situa, use
-S com seu endereIP (atrav da interface que voc eseja enviar
pacotes).
Outro possl uso deste flag ara spoofar o scan para fazer o alvo
pensar que <B>algumais</B> estcanneando. Imagine uma companhia sendo
repetidamente port scanned pelo seu competidor! Este nm uso
suportado (ou o principal propo) deste flag. Eu penso somente
que isso levanta uma interessante discuss em que as pessoas
devem estar cientes antes que elas acusem outras pessoas de
estar scanneando suas portas. <B>-e</B> geralmente serequerida para
este tipo de uso.
<B>-e</B> <B>&lt;interface&gt;</B>
Fala para o nmap qual interface enviar e receber pacotes. Nmap
deve ser capaz de detectar isto, poreste contarara voce npuder.
<B>-g</B> <B>&lt;portnumber&gt;</B>
Conjunto de ns de portas de origens usadas no scan. V os ing os
firewalls e filtros de pacotes instalados fazem uma exce em seus
conjuntos de regras para permitir pacotes DNS (53) ou FTP-DATA
(20) para entrar e estabelecer a conex Obviamente isto contesta
completamente as vantagens de seguran do firewall desde que
intrusos podem somente mascarar como FTP ou DNS por modificar
suas portas de origem. Obviamente para UDP scan voceve tentar 53
primeiro e TCP scans devem tentar 20 antes da porta 53. Note que
isso omente uma requisi -- nmap honrarsso somente quando esta
estiver h l para. Por exemplo, vocpode amostrar todo TCP ISN de
um host:porta para um host:porta, entnmap muda a porta de origem
mesmo que seja usado -g.
Seja ciente que existe uma penalidade na performance em vos
scans por usar esta op, porque eu algumas vezes armazeno informa
s no n da porta de origem.
<B>-r</B> Fala para o Nmap para <B></B> randomizar a ordem na qual as portas
serscanneada.
<B>--randomize_hosts</B>
Fala para o Nmap para embaralhar cada grupo acima de 2048 hosts
antes de scanneos. Isto pode fazer o scan menos evidente para v
os sistemas de monitora de rede, especialmente quando voc ombina
estes com as ops de baixo tempo (slow timing) (veja abaixo).
<B>-M</B> <B>&lt;max</B> <B>sockets&gt;</B>
Conjunto m mo de ns de sockets que sersado em paralelo pelo TCP
connect() scan (por defini). Esta til para diminuir um pouco o
scan e anular a possibilidade de travar a mina remota. Outra
aproxima ara usar -sS, a qual eralmente f l para as m inas
descreverem.
<B>OPES</B> <B>DE</B> <B>TEMPO</B>
Geralmente o Nmap faz um bom trabalho em ajustar para as
caractericas da rede um tempo de execu e scanning t r do quanto
possl enquanto minimiza as chances do hosts/portas serem ndetec-
tadas. Entretanto, existem vos casos onde a pol ca de tempo
default do Nmap pode nencontrar seus objetivos. As seguintes ops
prov um fino nl de controle sobre o tempo de scan:
<B>-T</B> <B>&lt;Paranoid|Sneaky|Polite|Normal|Aggressive|Insane&gt;</B>
Estas spolcas de tempo preservados para convenientemente expres-
sar suas prioridades para o Nmap. <B>Paranoid</B> modo de scan <B>muito</B>
lento na esperande prevenir a detec pelo sistema IDS. Este seri-
aliza todos os scans (scanning nparalelo) e geralmente espera no
mmo 5 minutos entre o envio de pacotes. <B>Sneaky</B> imilar, exceto
que somente espera 15 segundos entre o envio de pacotes. <B>Polite</B>
tem o significado para facilitar a carga na rede e reduzir as
chances de travar a mina. Ele serializa os testes e espera <B>no</B> <B>m</B>
<B>mo</B> 0.4 segundos entre eles. <B>Normal</B> comportamento default do
Nmap, o qual tenta executar trdo quanto possl sem sobrecarregar
a rede ou perder hosts/portas. <B>Aggressive</B> esse modo adiciona um
timeout de 5 minutos por host e nunca espera mais que 1.25
segundos para testar as respostas. <B>Insane</B> omente adequando para
redes muito rdas ou onde vocse importa em perder algumas informa
s. Nesta op o timeout dos hosts acontecem em 75 segundos e
espera somente 0.3 segundos por teste individual. Esta
possibilita, de qualquer forma, uma varredura extremamente r da
na rede :o). Vocode tambreferenciar isso por ns (0-5). Por exem-
plo, ´-T 0´ fornece para voc modo Paranoid e ´-T 5´ modo
Insane.
Estes modos, para preservar o tempo, NÏ devem ser usados em
combina com controles de baixo nl, como os fornecidos abaixo.
<B>--host_timeout</B> <B>&lt;milliseconds&gt;</B>
Especifica a soma de tempo que o Nmap permite para gastar scan-
neando um simples host antes de desistir daquele IP. O modo de
tempo default ntem o timeout do host.
<B>--max_rtt_timeout</B> <B>&lt;milliseconds&gt;</B>
Especifica a soma mma de tempo do Nmap tem permitido para
esperar pela resposta de teste antes de retransmitir ou ocorrer
um timeout de um particular teste. O modo default seta este
valor em 9000.
<B>--min_rtt_timeout</B> <B>&lt;milliseconds&gt;</B>
Quando um host alvo comea estabelecer um padrde resposta muito r
do, Nmap irontrair a soma de tempo fornecida por teste. Isto
aumenta a velocidade do scan, porpode levar a perder pacotes
quando a resposta gasta mais tempo que o usual. Com este par tro
voc ode garantir que o Nmap irsperar ao menos a soma de tempo
fornecida antes de abrir mdo teste.
<B>--initial_rtt_timeout</B> <B>&lt;milliseconds&gt;</B>
Especifica o timeout do teste inicial. Isto eralmente quando
scanning firewalled hosts com -P0. Normalmente o Nmap pode obter
boas estimativas RTT do ping e dos primeiros testes. O modo
default usa 6000.
<B>--max_parallelism</B> <B>&lt;number&gt;</B>
Especifica o n mmo de Nmap scans permitidos para serem performa-
dos em paralelo. Ajustando este para 1 significa que o Nmap
nunca ir entar scannear mais que uma porta por vez. Este, tamb
afeta outros scans paralelos como o ping sweep, RPC scan, etc.
<B>--scan_delay</B> <B>&lt;milliseconds&gt;</B>
Especifica a <B>mma</B> soma de tempo que o Nmap precisa esperar entre
testes. Este na maioria das vezes, para reduzir a carga da rede
ou para diminuir a maneira de scan para esquivar-se do IDS.
</PRE>
<H2>ESPECIFICAO DO ALVO</H2><PRE>
Tudo que nma op (ou argumento de op) no nmap ratado como especifica do
host alvo. No caso mais simples sregistrados simples hostnames ou
endere IPs na linha de comando. Se vocuiser scannear uma subrede de
endere IPs, voc ode anexar <B>/mask</B> para o hostname ou endereIP. <B>mask</B>
precisa estar entre 0 (faz o scan de toda internet) e 32 (faz o scan de
um simples host especificado). Use /24 para scannear a classe de endere
C e /16 para a classe de endereB.
Nmap, tamb tem a mais poderosa nota a qual permite voc specificar um
endere IP usando uma lista/fileira para cada elemento. Entvocode scann-
ear todo o endere classe B da rede 192.168.*.* especificando
192.168.*.* ou 192.168.0-255.0-255 ou at
192.168.1-50,51-255.1,2,3,4,5-255. E laro, vocode usar a nota de mara:
192.168.0.0/16. Estes todos sequivalentes.
Outra coisa interessante para fazer ividir em peda a Internet de outra
maneira. Ao invez de scannear todos os hosts da classe B, scan
*.*.5.6-7 com o objetivo de explorar todos os endere IPs que terminam
em .5.6 ou .5.7 escolhendo seus pros ns. Para mais informas dos hosts
especcos para scannear, veja a se de <I>exemplos.</I>
</PRE>
<H2>EXEMPLOS</H2><PRE>
Aqui existem vos exemplos de uso do nmap, do simples e normal para um
pouco mais complexo/esotco. Note que ns atuais e vos nomes de dom os
atuais s usados para tornar as coisas mais concretas. Em seus lugares
voceve substituir por endere/nomes da <B>sua</B> <B>pra</B> <B>rede.</B> Eu n penso que
scannear portas de outras rede legal; nem deve o scanneamento de portas
ser feito por outros como um ataque. Eu tenho scanneado centenas de
milhares de m inas e tenho recebido somente uma reclama. Poreu nsou
advogado e alguma pessoa pode estar irritado pelos testes do <I>nmap</I>
<B>nmap</B> <B>-v</B> <B>target.example.com</B>
Esta op faz o scan de todas as portas TCP reservadas na m ina tar-
get.example.com. A op -v significa ligar o modo verbose.
<B>nmap</B> <B>-sS</B> <B>-O</B> <B>target.example.com/24</B>
Lan um stealth SYN scan contra cada mina que esttiva, abrangendo todas
as 255 minas de classe C onde target.example.com reside. Este exem-
plo, tamb tenta determinar o sistema operacional que esta executando em
cada host que esta ativo. Este requere privilos de root (super usu o)
por causa da tica SYN scan e da detec de SOs.
<B>nmap</B> <B>-sX</B> <B>-p</B> <B>22,53,110,143,4564</B> <B>198.116.*.1-127</B>
Envia um Xmas tree scan para a primeira metade de cada uma das 255 pos-
sibilidades de subredes de 8 bit no espa de endere classe B em
198.116. N stamos testando quando o sistema executa sshd, DNS, pop3d,
imapd, ou a porta 4564. Note que o Xmas scan ntrabalha com a Microsoft
devido a sua deficiente pilha TCP. O mesmo acontece com CISCO, IRIX,
HP/UX, e BSDI.
<B>nmap</B> <B>-v</B> <B>--randomize_hosts</B> <B>-p</B> <B>80</B> <B>*.*.2.3-5</B>
Em lugar de focar somente um especco IP, nteressante, algumas vezes,
abranger um fatia de toda a internet e fazer o scan de um pequena
amostra de cada fatia. Este comando encontra todos os servidores web em
m inas com endere IPs terminando em .2.3, .2.4, ou .2.5. Se voc super
usuo (root) vocode adicionar -sS. Tamb vocrncontrar mais minas interes-
santes come do com 127., entvocode querer usar 127-222 ao invez dos
primeiros astericos porque essa parte tem uma alta densidade de m inas
interessantes (IMHO).
<B>host</B> <B>-l</B> <B>company.com</B> <B>|</B> <B>cut</B> <B>-d</B> <B></B> <B>-f</B> <B>4</B> <B>|</B> <B>./nmap</B> <B>-v</B> <B>-iL</B> <B>-</B>
Fazer uma transferia de zona de DNS para encontrar hosts em company.com
e entalimentar os endere IPs para o <I>nmap.</I> Os comandos acima s para
minha caixa GNU/Linux. Vocode precisar de diferentes comandos/ops em
outros sistemas operacionais.
</PRE>
<H2>BUGS</H2><PRE>
Bugs? O que ugs? Envie-me os bugs que vocncontrar. Patches s uma boa
tamb :o) Lembrem-se de, tamb enviar novos SO fingerprints para que pos-
samos aumentar nossa base de dados. O Nmap irornecer para vocma URL de
submissquando um apropriado fingerprint for encontrado.
</PRE>
<H2>AUTOR</H2><PRE>
Fyodor <I>&lt;fyodor@insecure.org&gt;</I>
</PRE>
<H2>TRADUTOR</H2><PRE>
Ant Pires de Castro Jr <I>&lt;apcastro@ic.unicamp.br&gt;;</I> <I>&lt;apcastro@onde-</I>
<I>for.com.br&gt;</I> Texto traduzido em 17 de Outubro de 2000.
</PRE>
<H2>NOTA DO TRADUTOR</H2><PRE>
Esta tradu foi realizada usando a man page oficial do nmap (NMAP
2.54BETA7), e n possui nenhum compromisso com www.insecure.org. Este
trabalho foi realizado pela livre e expont a vontade do tradutor.
Qualquer corre desta pode ser feita enviando um email para o tradutor.
</PRE>
<H2>DISTRIBUIO</H2><PRE>
A mais nova vers do <I>nmap</I> pode ser obtida em <I>http://www.inse-</I>
<I>cure.org/nmap/</I>
<I>nmap</I>
(C) 1997,1998,1999,2000 por Fyodor (fyodor@insecure.org)
<I>libpcap</I> tamb distribu junto com nmap. Esta ma copyrighted por Van
Jacobson, Craig Leres and Steven McCanne, todos do Laborat Nacional de
Lawrence em Berkeley, University of California, Berkeley, CA. A vers
distribu com o nmap pode ser modificada, a fonte original estisponl em
ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
Este programa m software livre; vocode redistribuo e/ou modifico sobre
os termos da LicenPa Geral GNU como publicado pelo Free Software Foun-
dation; Vers 2. Esta garante seu direito de usar, modificar e redis-
tribuir o Nmap sobre certas condis. Se esta licenfor inaceitl para voco
Insecure.Org pode estar querendo negociar alternativas licen (entre em
contato com fyodor@insecure.org).
O co de origem ornecido para este software porque n creditamos que os
usu os tem o direito de conhecer exatamente qual o programa ele irsar
antes de executo. Isto, tamb permite vocuditar o software para furos de
seguran(nenhum foi encontrado).
O co de origem tambpermite vocortar o Nmap para novas plataformas, con-
sertar bugs, e adicionar novas caractericas. Vocsta altamente encora-
jado para enviar suas mudan para fyodor@insecure.org para possis
encorporas em sua principal distribui. Por enviar estas mudan para Fyo-
dor ou uma das listas de discussdos desenvolvedores insecure.org, ser
ssumido que vocstferecendo nenhum limite a Fyodor, n exclusivo direito
de reusar, modificar, e relicenciar o co. Isto mportante por causa da
incapacidade para relicenciar cos, isso tem causado devastadores prob-
lemas para outros projetos de software livres (como KDE e NASM). O co
fonte do Nmap sempre estarisponl. Se voc esejar especificar especiais
condis de licendas suas contribuis, somente diga quando vocs enviar.
Este programa istribu na esperande ser por.B SEM NENHUMA GARANTIA; sem
mesmo implicar garantia de <B>COMERCIABILIDADE</B> ou <B>ADAPTAO</B> <B>PARA</B> <B>UM</B> <B>PROP</B> <B>ITO</B>
<B>PARTICULAR.</B> Veja a Licen P a Geral GNU por mais detalhes (esta esto
arquivo COPYING da distribui do <I>nmap</I> ).
Tambdeve ser notado que o Nmap tem sido conhecido por travar certas
aplica s pobremente escritas, pilhas TCP/IP, e mesmo certos sistemas
operacionais. <B>O</B> <B>Nmap</B> <B>nunca</B> <B>deve</B> <B>ser</B> <B>executado</B> <B>contra</B> <B>sistemas</B> <B>crcos</B> <B>de</B>
<B>miss</B> <B>ao</B> <B>menos</B> <B>que</B> <B>vocsteja</B> <B>preparado</B> <B>para</B> <B>sofrer</B> <B>com</B> <B>o</B> <B>tempo</B> <B>ocioso.</B> <B>N</B>
<B>econhecemos</B> <B>aqui</B> <B>que</B> <B>o</B> <B>Nmap</B> <B>pode</B> <B>travar</B> <B>seu</B> <B>sistema</B> <B>ou</B> <B>rede</B> <B>e</B> <B>n</B> <B>enunci-</B>
<B>amos</B> <B>todas</B> <B>responsabilidades</B> <B>por</B> <B>qualquer</B> <B>dano</B> <B>ou</B> <B>problemas</B> <B>que</B> <B>o</B> <B>Nmap</B>
<B>possa</B> <B>causar.</B>
Por menosprezar os riscos de travar e por causa de vos usu os mal osos
gostarem de usar o Nmap para fazer o levantamento topolo da rede antes
de atacar o sistema, existem administradores que estpreocupados e podem
reclamar quando seus sistemas sscanneados. Por isso, uitas vezes conve-
niente requerer permissantes de fazer, mesmo que seja, um simples scan
na rede.
O Nmap nunca deve ser executado com privilos (ex.: suid root) por razde
seguran
Todas as versdo Nmap igual u maiores que 2.0 sacreditadas nter proble-
mas, em todos os aspectos, com o bug do ano 2000 (Y2K). Por nexiste raz
para acreditar que versanteriores a 2.0 ssusceptis a problemas, porn as
testamos.
<B>NMAP(1)</B>
</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>

369
docs/nmap_manpage-ru.html Normal file

@@ -0,0 +1,369 @@
<HTML>
<HEAD>
<TITLE>Nmap network security scanner man page (Russian translation)</TITLE>
</HEAD>
<BODY>
<H1>Nmap network security scanner man page (Russian translation)</H1>
<HR>
<PRE>
<!-- Manpage converted by man2html 3.0.1 -->
<B>NMAP(1)</B> <B>NMAP(1)</B>
</PRE>
<H2>nmap - `NN N .</H2><PRE>
</PRE>
<H2>.B nmap</H2><PRE>
[( NN] [] &lt; #1,[#N]&gt;
<I>Nmap</I> ^ NN , N ` ® .I nmap NN, UDP, TCP connect(), TCP SYN (), FTP
proxy ( ftp), Reverse-ident, ICMP (ping), FIN, ACK, Xmas tree, SYN
NULL- NN. N .I NN. Nmap , `: C (- L ` `TCP/IP, " NN, NN, K
ping-, NN ,, (portmapper) RPC-NN, NN IP-GC `ZN IP-D N
Nmap NNL ZN l``N , . "", " ". "" , L . " , ,Nmap "" , NN Nmap
, Nmap NmapE ( N `.
ZNÉ Nmap N z É TCP ISN, (username) D`, W N, l NIP-D
</PRE>
<H2>OPTIONS</H2><PRE>
ÉT . É^NN, Z@ T NN. <I>nmap</I> E ZN É
, Nmap n <B>nmap</B> <B>-h</B> T É.
<B>NN.</B>
<B>-sT</B> TTCP connect(). NN TCP-. connect(), QT L. ZN R` N connect()
( , E ZN , N .
, N NN Å( N , log- TN C. , D, W .
<B>-sS</B> TCP SYN. "" NN TCP-N E Nmap SYN- , E G SYN|ACK ZE , L
. RST . Nmap SYN|ACK, W RST- (LC .NN. T rootN SYN-.
NNÉ -sS K H N É-p. TÉ-PS &lt;&gt;.
<B>-sF</B> <B>-sX</B> <B>-sN</B>
"" FIN, Xmas Tree NULL-NN.E, SYN-NN M ZL "@ SYN- Syn-
logger Courtney SYN-NN.
E N-NN ` FIN- as Tree G FIN|URG|PSH, `NULL-NN G. S C RFC
973 64, N ` , RST, . B Microsoft Windows, , N `Win-
dows RST- K Nmap C , FIN-NN , Windows. `SYN-NN
Windows. L, Windows Q Q TK Cisco, BSDI, IRIX, HP/UX MVS. W
RST-.
<B>-sP</B> Ping-" N N". ` D K N. Nmap TW ICMP-" b IP-DZN. W K. (
microsoft.com) . Nmap TCP ACK- 80-N `( ). RST- K SYN-E RST
SYN|ACK. T root,connect().
root-Nmap` - ICMP ACK. É <B>-P</B> N.
, ping-NNE K NN. É E, ping- NN .
<B>-sU</B> TUDP-UDP-(RFC 768) N N W UDP-. ICMP-" ", , . E , N .
@ N N UDP- . E "" rpcbind Solaris. N UDP- 32770.
111-
L, NN UDP- , KC RFC 1812 ( 4.3.2.8) ICMP-" ". Linux (
net/ipv4/icmp.h) 80 4 0,25 Solaris(2 , NN Solaris . <I>nmap</I>
E , ]Q , Å
, Microsoft `Ll
65535 UDP- l
Windows.
<B>-sO</B> N IP.IP-, N. E IP-- ``N n " ", . E Nmap , .
(AIX, HP-UX, Digital UNIX) T " ". N" ( ). N`` NN UDP-, É
ICMP- K "b IP-` 8 256 NN
<B>-sI</B> <B>&lt;zombie_[:]&gt;</B>
N "". BNN . Å, IP-D. IdleScan, -". B NN `IP.
m".
Å ", Å "", . C Å"Rb. ZT IPID ". E Nmap ` "tcp
ping".
T N, D http://www.cherepovets-city.ru/insecure/runmap/runmap-
idlescan.htm.
<B>-sA</B> TACK-NN. W (ruleset) n N , SYN-.
N `W ACK- ( J ^ acknowledgement number sequence number).
RST- SÉ ". L( ICMP-i, SÉ ". , <I>nmap</I> " ` NN, , . ]E N,
` `"" NN.
<B>-sW</B> TTCP Window. ACK-NN, , ,T ^ Initial Window TCP-, N, C
J AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Dig-
ital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD,
OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX VxWorks. C R
nmap-hackers.
<B>-sR</B> RPC-NN. NNERPC-, . TCP/UDP-`NULL-M SunRPC, RPC- C ,
rpcinfo -p, portmapper N ` TCP-wrapper.
<B>-sL</B> ND É D, NN Nmap, NN. N`, É-n. E, `` D
<B>-b</B> <B>&lt;ftp</B> <B>relay</B> <B>host&gt;</B>
TK" FTP". "" `FTP (RFC 959) `"" (proxy) ftp-. M `source.com
ftp- target.com W, DInternet! , Q 1985 (` RFC). Nmap "" N
N " ftp-n ftp-" N ( 139-. ftp- ( /incoming), W
ZE-b, W URL `ftp, ". URL <I>:@:.</I>
`ZTT ZT
<B>.</B> É T ( LQ Nmap ZN),
<B>-P0</B> ping- NNÉ , ICMP-` . microsoft.com, É’-P0-PT80(. ), `
N .
<B>-PT</B> <B>[_]</B>
TCP "ping". `ICMP-l Nmap W TCP ACK- N E K RST- -root É
connect(). É N l ` ICMP-``. ZN `Nl W ACK- É -PT&lt;1&gt;[,
2][...]. N 80-, K`
<B>-PS</B> <B>[_]</B>
, Q ping-. ACK- TCP "ping" SYN- RST- ( - SYN|ACK).
<B>-PU</B> <B>[_]</B>
TUDP Ping. Nmap W UDP- ZN EICMP "port unreachable" ( UDP) K¬
UDP,
<B>-PE</B> É ping-`L ping-( ICMP-i. K `D ICMP- M. W W "" .
<B>-PP</B> ICMP "timestamp request (code 13)" K .
<B>-PM</B> `É.B -PE <B>-PP</B> , "netmask request" (ICMP code 17).
<B>-PB</B> ping- . ACK ( <B>-PT</B> ) ICMP ( <B>-PE</B> ).
<B>-O</B> É C N ` `TCP/IP. M Nmap K L, É NL` NN LN", N " ` WN N
nmap-os-fingerprinting, E N n
` Å , Nmap - D. , M TD W Nmap É -d
<B>-6</B> E`IPv6. IPv6 É ZN L DNS ( AAAA) IP-D
3ffe:501:4819:2000:210:f3ff:fe03:4d0. , TCP connect()-NN TCP
connect() Ping-NN. UDP NN, http://nmap6.sourceforge.net/
<B>-I</B> Treverse-ident NN. Ident (RFC 1413) (username) , TCP, . ,
http identd root. N " TCP- N ( É’-sT). Nmap identd N `
. , , Å identd.
<B>-f</B> É SYN, FIN, Xmas NULL-NNZE IP-GC G. E TCP- G ( i n "" IP- G
TCP-
^C , Nmap . É! ""TG , " Z 36- Gn 24-G.
<B>-v</B> T" ". É Q Nmap C.`ZT V. ` VÉ <B>-d</B> .
<B>-h</B> Nmap ZNÉT N, Q
<B>-oN</B> <B>&lt;~</B> E NN ZN
<B>-oX</B> <B>&lt;</B> <B>~</B> E NN , ZN Rl T <B>XML</B> M Nmapn R - ( stdout. E . Document
Type Definition (DTD) Nmap TXML
http://www.insecure.org/nmap/data/nmap.dtd .
<B>-oG</B> <B>&lt;~</B> E NN , ZN Rl T grep. T, . É-oM (. ) I MS XML. R`-.
<B>-oA</B> <B>&lt;_~</B>
E TH (L, grep XML). ZT base.nmap, base.gnmap base.xml.
<B>-oS</B> <B>&lt;~</B> J.B s|&lt;ipT kiDd|3: thIs l0gz th3 r3suLtS of YouR ScanZ iN a
s|&lt;ipT kiDd|3 f0rM iNto THe fiL3 U sPecfy 4s an arGuMEnT! U kAn
gIv3 the 4rgument - (wItHOUt qUOteZ) to sh00t output iNT0 stD-
ouT!@!!
<B>--resume</B> <B>&lt;~</B>
NN C &lt;Ctrl C&gt;, É,NN É’-oG -oN. E Nmap ZN ÉlS N.É
ZT NN É ZN N. Nmap NN D, ".
<B>--append_output</B>
ENmap NN ,,
<B>-iL</B> <B>&lt;~</B> EN Å nT IP-D MKMÉC&lt;CR&gt;&lt;LF&gt; ( - ). StdIn `C H, V ` -.
CTH "Å b.
<B>-iR</B> <B>&lt;&gt;</B> VÉ, Nmap NTJ N D JÅ .TN Internet.
<B>-p</B> <B>&lt;PZ(_&gt;</B>
ÉZENmap, . -p 23 NN 23 ` Å. ZN -p 20-30,139,60000- Nmap
NT 20 30 , 139 60000 ( 65535). N Nmap NPZ 1-1024, services.
<B>-F</B> NN. ENmap NN ¬ services. N Nmap NL 65535 .
<B>-D</B> <B>&lt;_1,[_2],[,ME],...&gt;</B>
Nmap "E DZ@ R.N `ENN ( IP-D), LIP-D.
` K ZT IP-D
(R ME) . R ME É,N-(, scanlogd W`Solar Designeri IP-D.
ZL R ME, Nmap JÉ. ZT` IP-D , ZN, L ÉT E "" N SYN-.
l É V
, N- NN. N. CE, ZL `D`localhost. KÉ.
NN, ` C ZL , NN E. J T ( , E E .
<B>-S</B> <B>&lt;IP-D</B>
Nmap W IP-D ` ( , ZTIP-D R` É( D, ). É- N NN Å ` . E
N `ENN ZN D.
<B>-e</B> <B>&lt;</B> ZENmap,/ ZE R`É Nmap M T
<B>-g</B> <B>&lt;~</B> ZE` , Nmap NN. DNS ( 53) FTP-DATA ( 20). ", TK W 53-20-.
<B>--data_length</B> <B>&lt;</B>
Nmap ] TCP-40 , `ICMP "echo requests" - 28. É(ZN. W É
<B>-n</B> ZTD DNS-DE NN.
<B>-R</B> ZTD DNS-D
<B>-r</B> W N J
<B>-ttl</B> <B>&lt;^&gt;</B>
E TTL W IPv4 ^.
<B>--randomize_hosts</B>
ENmap JN 2048 NNÉ NN lÉ @NN.
<B>-M</B> <B>&lt;_</B> EL TCP connect() NN. ` ^NN, ]E" N n Å É’-sS, SYN-NN " CM
<B>--packet_trace</B>
E TTCPDump.
<B>--datadir</B> <B>[</B>
Nmap E nmap-services, nmap-protocols, nmap-rpc, nmap-os-fin-
gerprints. Nmap --nmapdir. Q NMAPDIR, ~/nmap, `
/usr/share/nmap . Nmap . .
Nmap WE N. , -, L NN, -, . I WQ `,, É
<B>-T</B> <B>&lt;Paranoid|Sneaky|Polite|Normal|Aggressive|Insane&gt;</B>
`ÉENN.ZE Rn <B>Paranoid</B> E, ` N-. NN . NN . Nmap NN TL 5 .B
Sneaky Paranoid. `E L W 15 . .B Polite E, ` "" N n TL 0,4
<B>Normal</B> Nmap . NNL,. <B>Aggressive</B> E NN l 5 , N E1,25
<B>Insane</B> NNNN `W 75 , `N - 0,3
ZT N . É’-T0 Paranoid, `-T5 - Insane. C . , É’-T Nmap
, É ( .
<B>--host_timeout</B> <B>&lt;</B>
E Nmap NN l IP-D. N Nmap DNN .
<B>--max_rtt_timeout</B> <B>&lt;</B>
EN Ll Nmap E N, T N ^ 9000
<B>--min_rtt_timeout</B> <B>&lt;</B>
N N, Nmap Z NN, , . ÉEÀ NN , Nmap E TZN ,
<B>--initial_rtt_timeout</B> <B>&lt;</B>
E . É NN ,, É -P0. Nmap W ^ nW 6000
<B>--max_parallelism</B> <B>&lt;&gt;</B>
EL NN, Nmap. `` 1 , Nmap ` NT `
<B>--min_parallelism</B> <B>&lt;&gt;</B>
E NN, Nmap. E
<B>--scan_delay</B> <B>&lt;</B>
E MÉ NN.
<B>ÉR,</B> <B>Nmap</B>
D Å `( l NN). N - ZTD ZN ÉR. IP-D ZT <B>/mask</B> ("b) IP-D N n
T^:
Nmap ZTÅIP-D, PZ . S B D128.210.*.*. : 128.210.*.*
128.210.0-255.0-255 128.210.1-50,51-255.1,2,3,4,5-255
128.210.0.0/16 . , " (*), "" PM . ZL Å IP-D
*.*.5.6-7, Nmap NIP-D, N 5.6 5.7. Nmap .
Nmap`ZN .
<B>nmap</B> <B>-v</B> <B>target.example.com</B>
TNTCP- target.example.com. -vNN.
<B>nmap</B> <B>-sS</B> <B>-O</B> <B>target.example.com/24</B>
SYN-NN 255 D S C, target.example.com. , N. T root.
<B>nmap</B> <B>-sX</B> <B>-p</B> <B>22,53,110,143,4564</B> <B>198.116.*.1-127</B>
Xmas-NN D(0-127) 255 S B DN 128.210.*.*. H sshd (22 ), DNS (53),
pop3d (110), imapd (143) `4564. ]EN, Xmas-NN Windows, CISCO, IRIX,
HP/UX BSDI.
<B>nmap</B> <B>-v</B> <B>--randomize_hosts</B> <B>-p</B> <B>80</B> <B>*.*.2.3-5</B>
Nmap , IP-DN .2.3, , ZW É’-sS. J D 127. ZT127-222. T
<B>host</B> <B>-l</B> <B>company.com</B> <B>|</B> <B>cut</B> <B>-d</B> <B></B> <B>-f</B> <B>4</B> <B>|</B> <B>./nmap</B> <B>-v</B> <B>-iL</B> <B>-</B>
DNS company.com, Nmap D. `GNU/Linux. `^
<B>,</B>
, - WC. W Nmap. `URL, `
Q : Nmap 3.release by Fyodor <I>&lt;fyodor@insecure.org&gt;</I>
: RuNmap 3. <I>&lt;alex@cherepovets-city.ru&gt;</I>
Nmap RuNmap D
<I>http://www.cherepovets-city.ru/insecure</I>
<I>http://www.insecure.org/</I>
<I>nmap</I> (C) 1995-2003 by Insecure.Com LLC
`l N GNU General Public License, Free Software Foundation; 2. WÉÅ,
Å (sales@insecure.com).
ÅN, (GNU GPL), , [, .
GE WT E` , `. , N
NmapT W Dalex@cherepovets-city.ru , Insecure.Org W ÉÅNS GNU GPL.
E .
` W , ` , , ` <B>,</B> <B>.</B> GNU General Public License ( COPYING <I>nmap</I> ).
Nmap, TCP/IP, C. <B>Nmap</B> N, ( @¬ àNmap. GE ì
`Nmap T ( suid root).
` <I>Libpcap</I> Nmap. W Wz Van Jacobson, Craig Leres Steven McCanne,Lawrence
Berkley , , Q Nmap, É. D http://www.tcpdump.org .
W D: <I>alex@cherepovets-city.ru</I>
<B>NMAP(1)</B>
</PRE>
<HR>
<ADDRESS>
Man(1) output converted with
<a href="http://www.oac.uci.edu/indiv/ehood/man2html.html">man2html</a>
</ADDRESS>
</BODY>
</HTML>

1107
docs/nmap_manpage.html Normal file

File diff suppressed because it is too large Load Diff

412
docs/nmap_portuguese.1 Normal file

@@ -0,0 +1,412 @@
.\"Traduzido para a lingua Portuguesa
.\"Ant<6E>nio Pires de Castro Jr. <apcastro@ic.unicamp.br>
.\"<apcastro@cultura.com.br>, <apcastro@ondefor.com.br>
.\"em 17/10/2000
.\"This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NOME
nmap \- Ferramenta de explora<72><61>o de rede e scanner de seguran<61>a.
.SH SYNOPSIS
.B nmap
[Tipo(s) de Scan] [Op<4F><70>es] <computador ou rede #1 ... [#N]>
.SH DESCRICAO
.I Nmap
<EFBFBD> projetado para permitir aos administradores de sistemas e indiv<69>duos curiosos explorar grandes redes para determinar quais computadores est<73>o ativos e quais servi<76>os s<>o fornecidos.
.I Nmap
suporta um grande n<>mero de t<>cnicas de scan, como: UDP, TCP connect(), TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, IP Protocol, and Null scan. Veja as se<73><65>es de
.I Tipos de Scan
para maiores detalhes. Nmap, tamb<6D>m, oferece um n<>mero de avan<61>adas caracter<65>sticas, como: detec<65><63>o remota do SO via TCP/IP fingerprinting, stealth scanning, dynamic delay e retransmission calculations, scanning paralelo, detec<65><63>o de hosts inativos atrav<61>s de pings paralelos, decoy scanning, detec<65><63>o de portas filtradas, scanning direto de RPC (n<>o-portmapper), fragmentation scanning e flexibilidade do alvo e especifica<63><61>o de porta.
.PP
Esfor<EFBFBD>os significantes tem sido gastos na performance do nmap para usu<73>rios comuns, usu<73>rios n<>o-root. Infelizmente, v<>rias interfaces cr<63>ticas do kernel (como os sockets raw) requerem privil<69>gios de root. Nmap deve ser executado como root sempre que poss<73>vel.
.PP
O resultado da execu<63><75>o do nmap <20> usualmente uma lista de portas
interessantes na(s) m<>quina(s) sendo explorada(s). Nmap sempre fornece o nome do servi<76>o, o n<>mero, o estado, e o protocolo das portas "bem conhecidas". O estado pode ser tanto 'aberto' (open), 'filtrado'(filtered) ou n<>o filtrado (unfiltered). Aberto significa que a m<>quina alvo aceitar<61> (accept()) conex<65>es na porta. Filtrado significa que o firewall, filtro ou outro obst<73>culo da rede est<73> cobrindo a porta e prevenindo o nmap de determinar quando a porta est<73> aberta. N<>o filtrado significa que a porta <20> conhecida pelo nmap para estar fechada e nenhum firewall/filtro parece estar interferindo com a tentativa de determina-l<> pelo nmap. Portas n<>o filtradas s<>o um caso comum e s<>o mostradas, somente, quando a maioria das portas exploradas est<73>o no estado filtrado.
.PP
Dependendo da op<6F><70>o usada, o nmap pode, tamb<6D>m, reportar as seguintes caracter<65>sticas do host remoto: SO em uso, sequenciabilidade do TCP, os nomes dos usu<73>rios executando os programas em determinadas portas, o nome DNS, quando um host tem um endereco de smurf, e v<>rias outras.
.SH OP<EFBFBD><EFBFBD>ES
Op<EFBFBD><EFBFBD>es que juntamente fazem sentido podem geralmente ser combinadas. V<>rias op<6F><70>es s<>o espec<65>ficas para certos modos de scan.
.I Nmap
tenta capturar e avisar o usu<EFBFBD>rio sobre erros ou combina<EFBFBD><EFBFBD>es n<EFBFBD>o suportadas de op<EFBFBD><EFBFBD>es.
.Sp
Se voc<6F> est<73> impaciente, voc<6F> pode ir direto para a se<73><65>o de
.I exemplos
no final, os quais demonstram o uso comum do nmap. Voc<6F> pode, tamb<6D>m, executar
.B nmap -h
para uma r<>pida p<>gina de refer<65>ncia, a qual lista todas as op<6F><70>es.
.TP
.B TIPOS DE SCAN
.TP
.B \-sT
TCP connect() scan: Esta <EFBFBD> a mais b<EFBFBD>sica forma de TCP scanning. A chamada de sistema, connect(), provida pelo seu sistema operacional <EFBFBD> usada para abrir uma conex<EFBFBD>o para toda porta interessante na m<EFBFBD>quina. Se a porta est<EFBFBD> no estado listening, connect() ir<EFBFBD> ter sucesso, por outro lado a porta n<EFBFBD>o ser<EFBFBD> alcan<EFBFBD>ada. Uma grande vantagem desta t<EFBFBD>cnica <EFBFBD> que voc<EFBFBD> n<EFBFBD>o precisa de nenhum privil<EFBFBD>gio especial. Qualquer usu<EFBFBD>rio em UNIX est<EFBFBD> livre para usar esta chamada.
.Sp
Este tipo de scan <20> facilmente detect<63>vel pelo log do host alvo, o qual mostrar<61> o grupo de conex<65>es e mensagens de erro para os servi<76>os os quais aceitam, accept(), a conex<65>o somente para t<>-la imediatamente desligada.
.TP
.B \-sS
TCP SYN scan: Esta t<>cnica <20> muito conhecida como "half-open" scanning,
porque n<>o abre uma conex<65>o TCP completa. <20> enviado um pacote com o flag SYN
setado, como se fosse abrir uma conex<65>o real e <20> esperado pela resposta. Uma
resposta SYN/ACK indica que a porta est<73> no estado listening. O flag RST <20>
uma indica<63><61>o de estado n<>o listening. Se o flag SYN/ACK <20> recebido, o flag
RST <20> imediatamente enviado para encerrar a conex<65>o (atualmente o n<>cleo do SO faz isso por n<>s). A principal vantagem desta t<>cnica de scanning <20> que poucos sites ir<69>o registra-l<> no arquivo de log. Desafortunadamente <20> necess<73>rio privil<69>gios de super usu<73>rio (root) para construir estes pacotes SYN customizados.
.TP
.B \-sF \-sX \-sN
Modos Stealth FIN, Xmas Tree, ou Null scan: Algumas vezes nem mesmo a
t<EFBFBD>cnica SYN scanning <20> clandestina suficiente. V<>rios firewalls e filtros de pacotes observam por SYNs para portas restritas, e programas como Synlogger e Courtney est<73>o dispon<6F>veis para detectar este tipo de scan. Por outro lado, scans avan<61>ados (stealth FIN, Xmas Tree, ou Null scan), podem ser capazes de passar atrav<61>s destes filtros sem serem molestados.
.Sp
A id<69>ia <20> que portas fechadas s<>o exigidas por responder aos pacotes de teste com um RST, enquanto portas abertas precisam ignorar os pacotes em quest<73>o (veja RFC 793 pp 64). A t<>cnica de scan FIN utiliza o limitado pacote FIN como teste, enquanto a t<>cnica de scan Xmas Tree seta os flags FIN, URG e PUSH. A t<>cnica de scan Null n<>o seta nenhum flag. Desafortunadamente a Microsoft (como usual) decidiu completamente ignorar o padr<64>o e faz as coisas do seu pr<70>prio jeito. Ent<6E>o este tipo de scan n<>o funcionar<61> contra sistemas executando Windows95/NT. Do lado positivo, est<73> <20> uma <20>tima maneira de distinguir entre duas plataformas. Se o scan encontrar portas abertas, <20> poss<73>vel saber que a m<>quina n<>o utiliza o Windows. Se as t<>cnicas de scan -sF, -sX ou -sN mostram todas as portas fechadas, mesmo assim a t<>cnica de scan SYN (-sS) mostra portas sendo abertas, voc<6F> poder<65> estar olhando para uma m<>quina Windows. Esta <20> a maneira menos usada pelo nmap para testar a detec<65><63>o do SO. Exitem, tamb<6D>m, alguns outros sistemas que s<>o descobertos da mesma maneira que descobrimos o windows. Estes incluem Cisco, BSDI, HP/UX, MVS, and IRIX. Todos acima enviam resets (RST) de portas abertas quando estes devem, somente, descartar o pacote.
.TP
.B \-sP
Ping scanning: Algumas vezes voc<6F> somente quer saber quais os hosts da rede
est<EFBFBD>o ativos. O Nmap pode fazer isso enviando um pacote de requisi<73><69>o ICMP
(ICMP echo request) para todo endere<72>o IP especificado da rede. Os hosts que
respondem est<73>o vivos. Desafortunadamente, v<>rios sites, como a
microsoft.com, bloqueiam pacotes de requisi<73><69>o ICMP (echo request). Ent<6E>o, o
nmap pode, tamb<6D>m, enviar um pacote ACK TCP para (por defini<6E><69>o) a porta 80.
Se n<>s pegarmos o flag RST novamente, a m<>quina esta viva. A terceira t<>cnica envolve o envio de pacotes SYN e a espera pelo pacote com o flag RST ou os flags SYN/ACK. O m<>todo connect() <20> usado por usu<73>rios comuns (n<>o root).
.Sp
Por defini<6E><69>o (para super usu<73>rios), o nmap usa tanto as t<>cnicas do ICMP e a do flag ACK em paralelo. Voc<6F> pode mudar as
.B \-P
op<EFBFBD><EFBFBD>es descritas mais a frente.
.Sp
Note que o ping, por defini<6E><69>o, <20> feito de qualquer forma, e somente os hosts que respondem s<>o scanneados. Somente use esta op<6F><70>o se voc<6F> desejar vasculhar
.B sem
fazer qualquer scan real de portas.
.TP
.B \-sU
UDP scans: Este m<>todo <20> usado para determinar quais portas UDP (User Datagram Protocol, RFC 768) est<73>o abertas no host. A t<>cnica implica em enviar 0 bytes de dados de pacotes UDP para cada porta da m<>quina alvo. Se n<>s recebermos uma mensagem de ICMP port unreachable (porta ICMP n<>o alcan<61>ada), ent<6E>o a porta est<73> fechada. Por outro lado n<>s assumimos que a porta est<73> aberta.
.Sp
V<EFBFBD>rias pessoas pensam que a t<>cnica UDP scanning <20> sup<75>rfluo. Eu, usualmente, lembro desta como uma recente falha no rpcbind do Solaris. O Rpcbind pode ser encontrado escondido em uma porta UDP n<>o documentada em algum lugar acima de 32770. Ent<6E>o n<>o importa que a porta 111 esteja bloqueada por um firewall. Por<6F>m, voc<6F> pode encontrar quais as portas altas, maiores de 30.000, que est<73>o no estado listening? Com o scanner UDP voc<6F> pode! Existe, tamb<6D>m, o programa cDc Back Orifice backdoor o qual se oculta em uma porta UDP configur<75>vel em m<>quinas Windows. Alguns servi<76>os comumente vulner<65>veis que utilizam o UDP s<>o: snmp, tftp, NFS, etc.
.Sp
Desafortunadamente UDP scanning <20> algumas vezes, dolorosamente, vagarosa desde que a maioria dos hosts implementam a sugest<73>o da RFC 1812 (se<73><65>o 4.3.2.8) de limitar a taxa de mensagens de erro ICMP. Por exemplo, o n<>cleo do Linux (em net/ipv4/icmp.h) limita a gera<72><61>o de mensagens de destination unreachable para 80 por 4 segundos, com 1/4 segundos de penalidade se esta for excedida. O Solaris tem um limite muito mais restrito (mais ou menos 2 mensagens por segundo) e assim gasta um tempo maior para realizar o scan.
.I Nmap
detecta esta taxa limitante e reduz conformemente, por outro lado inunda a rede com pacotes sem uso que ir<69>o ser ignorados pela m<>quina alvo.
.Sp
Como <20> t<>pico, a Microsoft ignorou a sugest<73>o da RFC e n<>o parece ter feito nenhuma taxa limitante por completo no Win95 e no NT. Ent<6E>o <20> poss<73>vel scannear,
.B rapidamente
, todas as portas de 64K das m<>quinas windows. Beleza!
.TP
.B \-sO
Scan do Protocolo IP: Este m<>todo <20> usado para determinar quais protocolos IPs s<>o usados no host. A t<>cnica consiste em enviar pacotes IP raw sem promover nenhum cabe<62>alho para cada protocolo espec<65>fico na m<>quina alvo. Se n<>s recebermos uma mensagem do protocolo ICMP unreachable, ent<6E>o o protocolo n<>o est<73> sendo usado. Por outro lado n<>s assumimos que est<73> aberto. Note que v<>rios hosts (AIX, HP-UX, Digital UNIX) e firewalls podem n<>o enviar mensagens de protocolo unreachable. Assim faz parecer que todos os protocolos est<73>o "abertos".
.Sp
Isso porque a t<>cnica implementada <20> muito similar ao scanning da porta UDP, onde a taxa limite de ICMP pode ser aplicada tamb<6D>m. Por<6F>m o campo do protocolo IP tem somente 8 bits, ent<6E>o no m<>ximo 256 protocolos podem ser testados, os quais devem ser poss<73>veis de serem testados em tempo razo<7A>vel.
.TP
.B \-sA
ACK scan: Este m<>todo avan<61>ado <20> usualmente usado para mapear o conjunto de regras de um firewall. Em particular, esta pode ajudar a determinar quando um firewall <20> stateful ou somente um filtro de pacotes simples que bloqueia pacotes SYN de chegada.
.Sp
Este tipo de scan envia pacotes com o flag ACK setado para uma porta espec<65>fica. Se um RST voltar, a porta <20> classificada como "n<>o filtrada". Se n<>o voltar nada ou um ICMP unreachable voltar, a porta <20> classificada como "filtrada". Note que o
.I nmap
usualmente n<>o imprime portas "n<>o filtradas", obtendo, assim,
.B nenhuma
porta mostrada na sa<73>da <20> usualmente um sinal que todos os testes foram suscedidos (e retornado RSTs). Esta t<>cnica de scan nunca ir<69>, obviamente, mostrar portas no estado "aberto".
.TP
.B \-sW
Window scan: Este scan avan<61>ado <20> muito similar ao ACK scan, exceto que as vezes pode ser poss<73>vel detectar portas abertas mesmo sendo filtradas, isso devido a anomalia do tamanho da janela TCP reportado por v<>rios sistemas operacionais. Sistemas vulner<65>veis para isso incluem no m<>nimo v<>rias vers<72>es do AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX, OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD, OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX, and VxWorks. Vejam no arquivo, na lista de discuss<73>o nmap-hackers, a lista completa.
.TP
.B \-sR
RPC scan. Este m<EFBFBD>todo trabalha em combina<EFBFBD><EFBFBD>o com v<EFBFBD>rias t<EFBFBD>cnicas de scan de portas do Nmap. Ele pega todas as portas TCP/UDP encontradas abertas e inunda elas com comandos NULL de programas SunRPC numa tentativa de determinar quando elas s<EFBFBD>o portas RPC, e se s<EFBFBD>o, qual programa e vers<EFBFBD>o dos servi<EFBFBD>os. Com este m<EFBFBD>todo voc<EFBFBD> pode efetivamente obter a mesma informa<EFBFBD><EFBFBD>o como se usasse 'rpcinfo -p' mesmo se o portmapper alvo estiver atr<EFBFBD>s de um firewall (ou protegido pelo TCP wrappers). Decoy n<EFBFBD>o trabalha correntemente com RPC scan, em algum ponto eu posso adicionar o suporte decoy para UDP RPC scans.
.TP
.B \-b <ftp relay host>
FTP bounce attack: Uma interessante "caracter<65>stica" do protocolo ftp (RFC 959) <20> sustentada para conex<65>es ftp "proxy". Em outras palavras, eu devo ser capaz de conectar do evil.com para um servidor FTP, target.com, e requerer que o servidor envie um arquivo para qualquer lugar na internet! Isto pode ter sido explorado bem em 1985 quando a RFC foi escrita. Por<6F>m na internet hoje, n<>s n<>o podemos ter pessoas hijacking servidores ftp e requisitando que os dados sejam jogados para arbitr<74>rios pontos na internet. Como *Hobbit* escreveu em 1995, este protocolo torna in<69>til "pode ser usado para portar virtualmente n<>o determin<69>veis emails ou news, forjando em servidores v<>rios sites, preenchendo discos, tentando saltar firewalls, e geralmente sendo aborrecido, ficando, assim, dif<69>cil seguir a pista ao mesmo tempo." O que n<>s iremos explorar disto <20> o scan de portas TCP do servidor "proxy" de ftp. Ent<6E>o voc<6F> pode conectar a um servidor ftp atr<74>s do firewall, e ent<6E>o scannear portas que est<73>o mais prov<6F>velmente bloqueadas (139 <20> uma boa). Se o servidor ftp permitir ler de e escrever para algum diret<65>rio (como /incoming), voc<6F> pode enviar dados arbitr<74>rios para portas que voc<6F> achar abertas (nmap n<>o faz isso por voc<6F>).
.Sp
Os argumentos passados para a op<6F><70>o 'b' <20> o host que voc<6F> quer usar como proxy, na nota<74><61>o de padr<64>o URL. O formato <20>:
.I username:password@server:port.
Tudo, menos o
.I server
<EFBFBD> opcional. Para determinar quais servidores s<>o vulner<65>veis para este ataque, voc<6F> pode ver meu artigo em
.I Phrack
51. A vers<72>o atualizada est<73> dispon<6F>vel em
.I nmap
URL (http://www.insecure.org/nmap).
.TP
.B OP<EFBFBD><EFBFBD>ES GERAIS
Nenhuma destas s<>o requeridas, por<6F>m algumas podem ser absolutamente proveitosas.
.TP
.B \-P0
Pinga os hosts antes de scanne<6E>-los. Isto permite scannear as redes que n<>o permitem ICMP echo requests (ou responses) atrav<61>s dos seus firewalls. microsoft.com <20> um exemplo desta rede, e ent<6E>o voc<6F> deve sempre usar
.B \-P0
ou
.B \-PT80
quando portscanning microsoft.com.
.TP
.B \-PT
Use TCP "ping" para determinar quais hosts est<73>o ativos. Ao invez de enviar pacotes ICMP echo request e esperar pelas respostas, n<>s enviamos pacotes TCP ACK por toda parte na rede alvo (ou para uma simples m<>quina) e ent<6E>o esperamos por respostas. Hosts que est<73>o ativos devem responder com um RST. Esta op<6F><70>o preserva a efici<63>ncia de somente scannear hosts que est<73>o ativos, enquanto ainda permite scannear redes/hosts que bloquearam pacotes ping. Para usu<73>rios n<>o root, <20> usado o connect(). Para setar a porta destino dos pacotes de teste usem -PT<n<>mero da porta>. A porta default <20> 80, desde que est<73> porta <20> muitas vezes n<>o filtrada.
.TP
.B \-PS
Est<EFBFBD> op<6F><70>o usa pacotes com SYN (connection request) ao invez de pacotes com ACK para usu<73>rios root. Hosts que est<73>o ativos devem responder com RST (ou, raramente, um SYN|ACK).
.TP
.B \-PI
Est<EFBFBD> op<6F><70>o usa um pacote ping verdadeiro (ICMP echo request). Esta encontra os hosts que est<73>o ativos e tamb<6D>m procura por um endere<72>o de broadcast para a subrede da sua rede. Estes s<>o endere<72>os IPs que s<>o externamente alcan<61><6E>veis e traduzidos para broadcast de pacotes IP de chegada para uma subrede de computadores. Estes devem ser eliminados se encontrado, como ele permitem por numerosos ataques de nega<67><61>o de servi<76>o (DoS) (Smurf <20> o mais comum).
.TP
.B \-PB
Este <20> o tipo de ping default. Ele usa tanto pacotes com ACK (
.B \-PT
) e pacotes ICMP (
.B \-PI
) sweeps em paralelo. Desta maneira voc<6F> pode obter os firewalls que
filtram cada uma (por<6F>m n<>o ambas).
.TP
.B \-O
Esta op<6F><70>o ativa a identifica<63><61>o de hosts remotos via TCP/IP fingerprinting. Em outras palavras, ela usa uma grande quantidade de t<>cnicas para detectar sutilezas na pilha de rede do sistema operacional do computador que voc<6F> est<73> scanneando. Ele usa estas informa<6D><61>es para criar a 'fingerprint' a qual <20> comparada com sua base de dados de conhecidos fingerprints de SOs (o arquivo nmap-os-fingerprints) para decidir qual o tipo de sistema que voc<6F> est<73> escanneando.
.Sp
Se o Nmap est<73> desabilitado para resolver o SO da m<>quina, e as condi<64><69>es s<>o boas (ex. ao menos uma porta aberta), Nmap ir<69> prover a URL que voc<6F> pode usar para submeter a fingerprint se voc<6F> conhecer (com certeza) o SO sendo executado na m<>quina. Por fazer isso voc<6F> contribui para o conjunto de sistemas operacionais conhecidos pelo nmap e ent<6E>o ser<65> mais correto para todos.
.Sp
A op<6F><70>o \-O tamb<6D>m possibilita classificar e fazer o prognostico da
sequ<EFBFBD>ncia TCP. Esta <20> uma medida que descreve aproximadamente qual a
dificuldade em estabelecer uma conex<65>o TCP forjada contra um host remoto.
Esta <20> <20>til para explorar o IP de origem baseado na rela<6C><61>o de confian<61>a
(rlogin, firewall filters, etc) ou por esconder a origem do ataque. O n<>mero
difficulty mostrado <20> baseado em uma simples amostra estat<61>stica e pode
variar. Este n<>mero <20> geralmente melhor apresentado como uma frase em Ingl<67>s como "worthy challenge" ou "trivial joke".
.TP
.B \-I
Esta ativa o scanning do ident reverso TCP. Como notado por Dave Goldsmith em 1996 na mensagem para a Bugtraq, o protocolo ident (rfc 1413) permite revelar o username dos donos dos processos conectados via TCP, mesmo se estes processos n<>o iniciaram a conex<65>o. Ent<6E>o voc<6F> pode, por exemplo, conectar a porta http e ent<6E>o usar o identd para encontrar quando o servidor est<73> sendo executado como root. Isto pode somente ser feito com uma conex<65>o TCP completa para a porta alvo (ex.: a op<6F><70>o de scanning -sT). Quando
.B \-I
<EFBFBD> usada, o identd do host remoto <20> pesquisado para cada porta aberta encontrada. Obviamente isso n<>o funciona se o host n<>o estiver rodando o identd.
.TP
.B \-f
Esta op<6F><70>o requere os flags SYN, FIN, XMAS, ou NULL scan para usar cuidadosos pacotes IP fragmentados. A id<69>ia <20> dividir o cabe<62>alho TCP sobre v<>rios pacotes para ficar dif<69>cil para o filtro de pacotes, sistemas de detec<65><63>o de intrus<75>o, e outros aborrecimentos para detectar o que voc<6F> est<73> fazendo. Seja cuidadoso com isso! V<>rios programas tem preocupa<70><61>es lidando com estes cuidadosos pacotes. Enquanto este m<>todo n<>o obtem pacotes filtrados e firewalls que enfileram todos os fragmentos IP (como a op<6F><70>o CONFIG_IP_ALWAYS_DEFRAG no kernel do linux), v<>rias redes n<>o conseguem assegurar o golpe de performance que este fato causa, ent<6E>o <20> melhor deixar este desabilitado.
.Sp
Note que esta op<6F><70>o, ainda, n<>o esta funcionando em todos os sistemas. Esta
funciona bem para o Linux, FreeBSD, e OpenBSD e outras pessoas tem reportado
sucessos com outras varia<69><61>es *NIX.
.TP
.B \-v
Modo Verbose. Esta <20> uma op<6F><70>o altamente recomendada e fornece mais informa<6D><61>es sobre o que esta acontecendo. Voc<6F> pode us<75>-la duas vezes para um melhor efeito. Use
.B \-d
em conjunto se voc<6F> realmente quiser ficar louco com a quantidade de informa<6D><61>es na tela!
.TP
.B \-h
Esta c<>moda op<6F><70>o mostra uma r<>pida tela de refer<65>ncia das op<6F><70>es usadas no nmap. Como voc<6F> deve ter notado, est<73> man page n<>o <20> exatamente uma 'r<>pida refer<65>ncia' :o)
.TP
.B \-oN <logfilename>
Este log mostra o resultado do seu scan em uma forma
.B humanamente leg<EFBFBD>vel
no arquivo que voc<6F> especificou como argumento.
.TP
.B \-oX <logfilename>
Este log mostra o resultado do seu scan na forma de
.B XML
no arquivo que voc<6F> especificou como argumento. Isto permite aos programas facilmente capturar e interpretar os resultados do Nmap. Voc<6F> pode fornecer o argumento \'-\'(sem quotas) para colocar em uma stdout (para shell pipelines, etc). Neste caso uma sa<73>da normal ser<65> suprimida. Tomar cuidado para as mensagem de erro se voc<6F> esta usando esta (elas, ainda, ir<69>o para stderr). Tamb<6D>m, note que \'-v\' pode causar algumas informa<6D><61>es extras para ser impressas.
.TP
.B \-oG <logfilename>
Este log mostra o resultado do seu scan na forma do
.B grepable
no arquivo que voc<6F> especificou como argumento. Este simples formato prov<6F> todas as informa<6D><61>es em uma linha (ent<6E>o voc<6F> pode facilmente usar o grep para portas ou obter informa<6D><61>es de SOs e ver todos os endere<72>os IPs). Este <20> o mecanismo preferido pelos programas para interagir com o Nmap, por<6F>m agora <20> recomendado usar a sa<73>da em XML (-oX). Este simples formato pode n<>o conter tantas informa<6D><61>es quanto os outros formatos. Voc<6F> pode fornecer o argumento \'-\'(sem quotas) para colocar em uma stdout (para shell pipelines, etc). Neste caso uma sa<73>da normal ser<65> suprimida. Tomar cuidado para as mensagem de erro se voc<6F> esta usando esta (elas, ainda, ir<69>o para stderr). Tamb<6D>m, note que \'-v\' ir<69> fornecer v<>rias informa<6D><61>es extras para ser impressas.
.TP
.B \-oS <logfilename>
thIs l0gz th3 r3suLtS of YouR ScanZ iN a
.B s|<ipT kiDd|3
f0rM iNto THe fiL3 U sPec\|fy 4s an arGuMEnT! U kAn gIv3
the 4rgument \'-\' (wItHOUt qUOteZ) to sh00t output iNT0
stDouT!@!!
.TP
.B \--resume <logfilename>
O scan de rede que <20> cancelado devido a um control-C, interrup<75><70>o da rede, etc. pode ser resumido usando esta op<6F><70>o. O logfilename precisa ser normal (-oN) ou parsable na m<>quina (-oM) para registrar o scan abortado. Nenhuma outra op<6F><70>o pode ser usada. Nmap come<6D>ar<61> na m<>quina depois que a <20>ltima foi scanneada com sucesso e armazenada no arquivo de log.
.TP
.B \-iL <inputfilename>
<EFBFBD> feita a leitura de um arquivo alvo especificado na linha de comando. O arquivo deve conter uma lista de hosts ou express<73>es de rede separados por espa<70>os, tabs, ou novas linhas. Use o h<>fen (-) como
.I inputfilename
se voc<EFBFBD> quisesse que o nmap leia express<EFBFBD>es do hosts de stdin (como no final do pipe). Veja a se<EFBFBD><EFBFBD>o
.I especifica<EFBFBD><EFBFBD>o do alvo
para maiores informa<6D><61>es nas express<73>es que voc<6F> preencher<65> no arquivo.
.TP
.B \-iR
Esta op<6F><70>o fala para o Nmap para gerar seus pr<70>prios hosts para scannear, usando simplesmente n<>meros randomicos :o). Isso nunca ir<69> terminar. Isso pode ser muito <20>til para tirar amostras estat<61>sticas da internet para estimar v<>rias coisas. Se voc<6F> nunca estiver realmente entediado, tente
.I nmap \-sS \-iR \-p 80
para encontrar v<>rios servidores web para observar.
.TP
.B \-p <port ranges>
Esta op<6F><70>o especifica quais portas voc<6F> quer para descrever. Por exemplo '-p 23' ir<69> tentar somente a porta 23 do host(s) alvo. \'\-p 20-30,139,60000-\' ir<69> scannear portas entre 20 e 30, porta 139, e todas as portas maiores que 60000. Por defini<6E><69>o <20> para scannear todas as portas entre 1 e 1024 t<>o bem quanto qualquer porta listada no arquivo de servi<76>os o qual vem com o nmap. Para o scan de protocolos IP (-sO), especifica o n<>mero do protocolo que voc<6F> deseja para (0-255).
.TP
.B \-F Modo de scan r<EFBFBD>pido.
Especifica que voc<6F> somente deseja scannear por portas catalogadas no arquivo services o qual vem com o nmap (ou o arquivo de protocolos para -sO). Este <20> obviamente muito mais r<>pido do que scannear todas 65535 portas no host.
.TP
.B \-D <decoy1 [,decoy2][,ME],...>
O processo de decoy scan ser<65> executado fazendo ele mostrar-se para o host
remoto que o(s) host(s) que voc<6F> especificou como decoys est<73>o scanneando a rede alvo tamb<6D>m. Ent<6E>o seus IDS precisar<61>o reportar 5-10 scan de portas de um <20>nico endere<72>o IP, por<6F>m eles n<>o saber<65>o qual o endere<72>o IP que os estava scanneando e quais eram os decoys inocentes. Enquanto isto pode ser descoberto atrav<61>s de uma rota, respostas soltas, e outras mecanismos ativos, este <20> geralmente uma t<>cnica extremamente efetiva para esconder seu endere<72>o IP.
.Sp
Separando cada decoy host com v<>rgulas, voc<6F> pode usar opcionalmente 'ME' como um dos decoys para representar a posi<73><69>o que voc<6F> quer seu endere<72>o IP para ser usado. Se voc<6F> colocar 'ME' na sexta posi<73><69>o ou outra maior, v<>rias detectores comuns de scan de portas n<>o ser<65>o razo<7A>veis para mostrar seu endere<72>o IP por completo. Se voc<6F> n<>o usar 'ME', o nmap ir<69> colocar voc<6F> em uma posi<73><69>o randomica.
.Sp
Note que os hosts que voc<6F> usa como decoys devem estar ativos ou voc<6F> precisar<61> acidentalmente inundar com pacotes SYN seu alvo. Tamb<6D>m, ele ser<65> muito f<>cil para determinar quais hosts est<73>o scanneando se somente um est<73> atualmente ativo na rede. Voc<6F> dever<65> querer usar o endere<72>o IP ao invez de nomes (ent<6E>o redes decoy n<>o ir<69>o ver voc<6F> em seus nameserver logs).
.Sp
Tamb<EFBFBD>m, note que v<>rios (est<73>pidos) "detectores de scan de portas" ir<69>o firewall/deny roteamento para hosts que tentam fazer o scan de portas. Ent<6E>o voc<6F> precisa descuidadosamente causar a perda de conex<65>o da m<>quina que voc<6F> est<73> scanneando com a m<>quina decoy que voc<6F> esta usando. Isto pode causar maiores problemas para a m<>quina alvo se o decoy est<73> sendo usado, digo, seu internet gateway ou at<61> "localhost". Ent<6E>o voc<6F> pode querer ser cuidadoso com esta op<6F><70>o. A real moral da hist<73>ria <20> que os detectores de scan de portas spoofable n<>o devem gastar a<><61>es contra a m<>quina que parece estar scanneando suas portas. Este pode ser somente um decoy, ou seja, uma isca, uma armadilha!
.Sp
Decoys s<>o usados tanto em ping scan inicial (usando ICMP, SYN, ACK, ou o que seja) e durante a fase de atual scanneamento de porta. Decoy s<>o tamb<6D>m usados durante a detec<65><63>o remota de SO (
.B \-O
).
.Sp
Este <20> um digno registrador que usa v<>rios decoys que podem atrasar seu scan e potencialmente at<61> fazer este menos preciso. Tamb<6D>m, v<>rios ISPs filtram pacotes spoofed, embora v<>rios (correntemente a maioria) n<>o restrigem pacotes IP spoofed por inteiro.
.TP
.B \-S <IP_Address>
Em v<>rias circunst<73>ncias,
.I nmap
pode n<>o ser capaz de determinar seu endere<72>o de origem (
.I nmap
ir<EFBFBD> avis<EFBFBD>-lo se este <EFBFBD> o caso). Nesta situa<EFBFBD><EFBFBD>o, use
\-S com seu endere<72>o IP (atrav<61>s da interface que voc<6F> deseja enviar pacotes).
.Sp
Outro poss<73>vel uso deste flag <20> para spoofar o scan para fazer o alvo pensar que
.B algu<EFBFBD>m mais
est<EFBFBD> scanneando. Imagine uma companhia sendo repetidamente port scanned pelo seu competidor! Este n<>o <20> um uso suportado (ou o principal prop<6F>sito) deste flag. Eu penso somente que isso levanta uma interessante discuss<73>o, em que as pessoas devem estar cientes antes que elas acusem outras pessoas de estar scanneando suas portas.
.B \-e
geralmente ser<65> requerida para este tipo de uso.
.TP
.B \-e <interface>
Fala para o nmap qual interface enviar e receber pacotes. Nmap deve ser capaz de detectar isto, por<6F>m este contar<61> para voc<6F> se n<>o puder.
.TP
.B \-g <portnumber>
Conjunto de n<>meros de portas de origens usadas no scan. V<>rios ing<6E>nuos firewalls e filtros de pacotes instalados fazem uma exce<63><65>o em seus conjuntos de regras para permitir pacotes DNS (53) ou FTP-DATA (20) para entrar e estabelecer a conex<65>o. Obviamente isto contesta completamente as vantagens de seguran<61>a do firewall desde que intrusos podem somente mascarar como FTP ou DNS por modificar suas portas de origem. Obviamente para UDP scan voc<6F> deve tentar 53 primeiro e TCP scans devem tentar 20 antes da porta 53. Note que isso <20> somente uma requisi<73><69>o -- nmap honrar<61> isso somente quando esta estiver h<>bil para. Por exemplo, voc<6F> n<>o pode amostrar todo TCP ISN de um host:porta para um host:porta, ent<6E>o nmap muda a porta de origem mesmo que seja usado -g.
.Sp
Seja ciente que existe uma penalidade na performance em v<>rios scans por usar esta op<6F><70>o, porque eu algumas vezes armazeno informa<6D><61>es <20>teis no n<>mero da porta de origem.
.TP
.B \-r
Fala para o Nmap para
.B N<EFBFBD>O
randomizar a ordem na qual as portas ser<65>o scanneada.
.TP
.B \-\-randomize_hosts
Fala para o Nmap para embaralhar cada grupo acima de 2048 hosts antes de scanne<6E>-los. Isto pode fazer o scan menos evidente para v<>rios sistemas de monitora<72><61>o de rede, especialmente quando voc<6F> combina estes com as op<6F><70>es de baixo tempo (slow timing) (veja abaixo).
.TP
.B \-M <max sockets>
Conjunto m<>ximo de n<>meros de sockets que ser<65> usado em paralelo pelo TCP connect() scan (por defini<6E><69>o). Esta <20> <20>til para diminuir um pouco o scan e anular a possibilidade de travar a m<>quina remota. Outra aproxima<6D><61>o <20> para usar \-sS, a qual <20> geralmente f<>cil para as m<>quinas descreverem.
.TP
.B OP<EFBFBD><EFBFBD>ES DE TEMPO
Geralmente o Nmap faz um bom trabalho em ajustar para as caracter<65>sticas da rede um tempo de execu<63><75>o e scanning t<>o r<>pido quanto poss<73>vel enquanto minimiza as chances do hosts/portas serem n<>o detectadas. Entretanto, existem v<>rios casos onde a pol<6F>tica de tempo default do Nmap pode n<>o encontrar seus objetivos. As seguintes op<6F><70>es prov<6F>em um fino n<>vel de controle sobre o tempo de scan:
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
Estas s<>o pol<6F>ticas de tempo preservados para convenientemente expressar suas prioridades para o Nmap.
.B Paranoid
modo de scan
.B muito
lento na esperan<61>a de prevenir a detec<65><63>o pelo sistema IDS. Este serializa todos os scans (scanning n<>o paralelo) e geralmente espera no m<>nimo 5 minutos entre o envio de pacotes.
.B Sneaky
<EFBFBD> similar, exceto que somente espera 15 segundos entre o envio de pacotes.
.B Polite
tem o significado para facilitar a carga na rede e reduzir as chances de travar a m<>quina. Ele serializa os testes e espera
.B no m<EFBFBD>nimo
0.4 segundos entre eles.
.B Normal
<EFBFBD> o comportamento default do Nmap, o qual tenta executar t<>o r<>pido quanto poss<73>vel sem sobrecarregar a rede ou perder hosts/portas.
.B Aggressive
esse modo adiciona um timeout de 5 minutos por host e nunca espera mais que 1.25 segundos para testar as respostas.
.B Insane
<EFBFBD> somente adequando para redes muito r<EFBFBD>pidas ou onde voc<EFBFBD> n<EFBFBD>o se importa em perder algumas informa<EFBFBD><EFBFBD>es. Nesta op<EFBFBD><EFBFBD>o o timeout dos hosts acontecem em 75 segundos e espera somente 0.3 segundos por teste individual. Esta possibilita, de qualquer forma, uma varredura extremamente r<EFBFBD>pida na rede :o). Voc<EFBFBD> pode tamb<EFBFBD>m referenciar isso por n<EFBFBD>meros (0-5). Por exemplo, \'-T 0\' fornece para voc<EFBFBD> o modo Paranoid e \'-T 5\' <EFBFBD> o modo Insane.
.Sp
Estes modos, para preservar o tempo, N<>O devem ser usados em combina<6E><61>o com controles de baixo n<>vel, como os fornecidos abaixo.
.TP
.B --host_timeout <milliseconds>
Especifica a soma de tempo que o Nmap permite para gastar scanneando um simples host antes de desistir daquele IP. O modo de tempo default n<>o tem o timeout do host.
.TP
.B --max_rtt_timeout <milliseconds>
Especifica a soma m<>xima de tempo do Nmap tem permitido para esperar pela resposta de teste antes de retransmitir ou ocorrer um timeout de um particular teste. O modo default seta este valor em 9000.
.TP
.B --min_rtt_timeout <milliseconds>
Quando um host alvo come<6D>a a estabelecer um padr<64>o de resposta muito r<>pido, Nmap ir<69> contrair a soma de tempo fornecida por teste. Isto aumenta a velocidade do scan, por<6F>m pode levar a perder pacotes quando a resposta gasta mais tempo que o usual. Com este par<61>metro voc<6F> pode garantir que o Nmap ir<69> esperar ao menos a soma de tempo fornecida antes de abrir m<>o do teste.
.TP
.B --initial_rtt_timeout <milliseconds>
Especifica o timeout do teste inicial. Isto <20> geralmente <20>til quando scanning firewalled hosts com -P0. Normalmente o Nmap pode obter boas estimativas RTT do ping e dos primeiros testes. O modo default usa 6000.
.TP
.B --max_parallelism <number>
Especifica o n<>mero m<>ximo de Nmap scans permitidos para serem performados em paralelo. Ajustando este para 1 significa que o Nmap nunca ir<69> tentar scannear mais que uma porta por vez. Este, tamb<6D>m, afeta outros scans paralelos como o ping sweep, RPC scan, etc.
.TP
.B --scan_delay <milliseconds>
Especifica a
.B m<EFBFBD>nima
soma de tempo que o Nmap precisa esperar entre testes. Este <20>, na maioria das vezes, <20>til para reduzir a carga da rede ou para diminuir a maneira de scan para esquivar-se do IDS.
.SH ESPECIFICA<EFBFBD><EFBFBD>O DO ALVO
Tudo que n<>o <20> uma op<6F><70>o (ou argumento de op<6F><70>o) no nmap <20> tratado como especifica<63><61>o do host alvo. No caso mais simples s<>o registrados simples hostnames ou endere<72>os IPs na linha de comando. Se voc<6F> quiser scannear uma subrede de endere<72>os IPs, voc<6F> pode anexar
.B '/mask'
para o hostname ou endere<EFBFBD>o IP.
.B mask
precisa estar entre 0 (faz o scan de toda internet) e 32 (faz o scan de um simples host especificado). Use /24 para scannear a classe de endere<EFBFBD>o 'C' e /16 para a classe de endere<EFBFBD>o 'B'.
.Sp
Nmap, tamb<6D>m, tem a mais poderosa nota<74><61>o a qual permite voc<6F> especificar um
endere<EFBFBD>o IP usando uma lista/fileira para cada elemento. Ent<6E>o voc<6F> pode scannear todo o endere<72>o classe 'B' da rede 192.168.*.* especificando '192.168.*.*' ou '192.168.0-255.0-255' ou at<61> '192.168.1-50,51-255.1,2,3,4,5-255'. E <20> claro, voc<6F> pode usar a nota<74><61>o de m<>scara: '192.168.0.0/16'. Estes todos s<>o equivalentes.
.Sp
Outra coisa interessante para fazer <20> dividir em peda<64>os a Internet de outra maneira. Ao invez de scannear todos os hosts da classe 'B', scan '*.*.5.6-7' com o objetivo de explorar todos os endere<72>os IPs que terminam em .5.6 ou .5.7 escolhendo seus pr<70>prios n<>meros. Para mais informa<6D><61>es dos hosts espec<65>ficos para scannear, veja a se<73><65>o de
.I exemplos.
.SH EXEMPLOS
Aqui existem v<>rios exemplos de uso do nmap, do simples e normal para um pouco mais complexo/esot<6F>rico. Note que n<>meros atuais e v<>rios nomes de dom<6F>nios atuais s<>o usados para tornar as coisas mais concretas. Em seus lugares voc<6F> deve substituir por endere<72>os/nomes da
.B sua pr<EFBFBD>pria rede.
Eu n<>o penso que scannear portas de outras rede <20> ilegal; nem deve o scanneamento de portas ser feito por outros como um ataque. Eu tenho scanneado centenas de milhares de m<>quinas e tenho recebido somente uma reclama<6D><61>o. Por<6F>m eu n<>o sou advogado e alguma pessoa pode estar irritado pelos testes do
.I nmap
. Primeiramente, obtenha permiss<EFBFBD>o ou use sobre seu pr<EFBFBD>prio risco.
.Sp
.B nmap -v target.example.com
.Sp
Esta op<6F><70>o faz o scan de todas as portas TCP reservadas na m<>quina target.example.com. A op<6F><70>o \-v significa ligar o modo verbose.
.Sp
.B nmap -sS -O target.example.com/24
.Sp
Lan<EFBFBD>a um stealth SYN scan contra cada m<>quina que est<73> ativa, abrangendo todas as 255 m<>quinas de classe 'C' onde target.example.com reside. Este exemplo, tamb<6D>m, tenta determinar o sistema operacional que esta executando em cada host que esta ativo. Este requere privil<69>gios de root (super usu<73>rio) por causa da t<>cnica SYN scan e da detec<65><63>o de SOs.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
Envia um Xmas tree scan para a primeira metade de cada uma das 255 possibilidades de subredes de 8 bit no espa<70>o de endere<72>os classe 'B' em 198.116. N<>s estamos testando quando o sistema executa sshd, DNS, pop3d, imapd, ou a porta 4564. Note que o Xmas scan n<>o trabalha com a Microsoft devido a sua deficiente pilha TCP. O mesmo acontece com CISCO, IRIX, HP/UX, e BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Em lugar de focar somente um espec<65>fico IP, <20> interessante, algumas vezes, abranger um fatia de toda a internet e fazer o scan de um pequena amostra de cada fatia. Este comando encontra todos os servidores web em m<>quinas com endere<72>os IPs terminando em .2.3, .2.4, ou .2.5. Se voc<6F> <20> super usu<73>rio (root) voc<6F> pode adicionar -sS. Tamb<6D>m, voc<6F> ir<69> encontrar mais m<>quinas interessantes come<6D>ando com 127., ent<6E>o voc<6F> pode querer usar '127-222' ao invez dos primeiros aster<65>sticos porque essa parte tem uma alta densidade de m<>quinas interessantes
(IMHO).
.Sp
.B host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -
.Sp
Fazer uma transfer<65>ncia de zona de DNS para encontrar hosts em company.com e ent<6E>o alimentar os endere<72>os IPs para o
.I nmap.
Os comandos acima s<>o para minha caixa GNU/Linux. Voc<6F> pode precisar de diferentes comandos/op<6F><70>es em outros sistemas operacionais.
.SH BUGS
Bugs? O que <EFBFBD> bugs? Envie-me os bugs que voc<EFBFBD> encontrar. Patches s<EFBFBD>o uma boa tamb<EFBFBD>m :o) Lembrem-se de, tamb<EFBFBD>m, enviar novos SO fingerprints para que possamos aumentar nossa base de dados. O Nmap ir<EFBFBD> fornecer para voc<EFBFBD> uma URL de submiss<EFBFBD>o quando um apropriado fingerprint for encontrado.
.SH AUTOR
.Sp
Fyodor
.I <fyodor@insecure.org>
.SH TRADUTOR
.Sp
Ant<EFBFBD>nio Pires de Castro Jr
.I <apcastro@ic.unicamp.br>; <apcastro@ondefor.com.br>
Texto traduzido em 17 de Outubro de 2000.
.SH NOTA DO TRADUTOR
.Sp
Esta tradu<64><75>o foi realizada usando a man page oficial do nmap (NMAP 2.54BETA7), e n<>o possui nenhum compromisso com www.insecure.org. Este trabalho foi realizado pela livre e expont<6E>nea vontade do tradutor. Qualquer corre<72><65>o desta pode ser feita enviando um email para o tradutor.
.SH DISTRIBUI<EFBFBD><EFBFBD>O
A mais nova vers<72>o do
.I nmap
pode ser obtida em
.I http://www.insecure.org/nmap/
.Sp
.I nmap
(C) 1997,1998,1999,2000 por Fyodor (fyodor@insecure.org)
.Sp
.I libpcap
<EFBFBD>, tamb<6D>m, distribu<62>da junto com nmap. Esta <20> uma copyrighted por Van Jacobson, Craig Leres and Steven McCanne, todos do Laborat<61>rio Nacional de Lawrence em Berkeley, University of California, Berkeley, CA. A vers<72>o distribu<62>da com o nmap pode ser modificada, a fonte original est<73> dispon<6F>vel em ftp://ftp.ee.lbl.gov/libpcap.tar.Z .
.Sp
Este programa <20> um software livre; voc<6F> pode redistribu<62>-lo e/ou modific<69>-lo sobre os termos da Licen<65>a P<>blica Geral GNU como publicado pelo Free Software Foundation; Vers<72>o 2. Esta garante seu direito de usar, modificar e redistribuir o Nmap sobre certas condi<64><69>es. Se esta licen<65>a for inaceit<69>vel para voc<6F>, o Insecure.Org pode estar querendo negociar alternativas licen<65>as (entre em contato com fyodor@insecure.org).
.Sp
O c<>digo de origem <20> fornecido para este software porque n<>s acreditamos que os usu<73>rios tem o direito de conhecer exatamente qual o programa ele ir<69> usar antes de execut<75>-lo. Isto, tamb<6D>m, permite voc<6F> auditar o software para furos de seguran<61>a (nenhum foi encontrado).
.Sp
O c<>digo de origem tamb<6D>m permite voc<6F> portar o Nmap para novas plataformas, consertar bugs, e adicionar novas caracter<65>sticas. Voc<6F> esta altamente encorajado para enviar suas mudan<61>as para fyodor@insecure.org para poss<73>veis encorpora<72><61>es em sua principal distribui<75><69>o. Por enviar estas mudan<61>as para Fyodor ou uma das listas de discuss<73>o dos desenvolvedores insecure.org, ser<65> assumido que voc<6F> est<73> oferecendo nenhum limite a Fyodor, n<>o-exclusivo direito de reusar, modificar, e relicenciar o c<>digo. Isto <20> importante por causa da incapacidade para relicenciar c<>digos, isso tem causado devastadores problemas para outros projetos de software livres (como KDE e NASM). O c<>digo fonte do Nmap sempre estar<61> dispon<6F>vel. Se voc<6F> desejar especificar especiais condi<64><69>es de licen<65>a das suas contribui<75><69>es, somente diga quando voc<6F> as enviar.
.Sp
Este programa <20> distribu<62>do na esperan<61>a de ser <20>til, por<6F>m
.B SEM NENHUMA GARANTIA;
sem mesmo implicar garantia de
.B COMERCIABILIDADE
ou
.B ADAPTA<EFBFBD><EFBFBD>O PARA UM PROP<EFBFBD>SITO PARTICULAR.
Veja a Licen<65>a P<>blica Geral GNU por mais detalhes (esta est<73> no arquivo COPYING da distribui<75><69>o do
.I nmap
).
.Sp
Tamb<EFBFBD>m deve ser notado que o Nmap tem sido conhecido por travar certas aplica<63><61>es pobremente escritas, pilhas TCP/IP, e mesmo certos sistemas operacionais.
.B O Nmap nunca deve ser executado contra sistemas cr<EFBFBD>ticos de miss<EFBFBD>o ao menos que voc<EFBFBD> esteja preparado para sofrer com o tempo ocioso. N<EFBFBD>s reconhecemos aqui que o Nmap pode travar seu sistema ou rede e n<EFBFBD>s renunciamos todas responsabilidades por qualquer dano ou problemas que o Nmap possa causar.
.Sp
Por menosprezar os riscos de travar e por causa de v<>rios usu<73>rios mal<61>ciosos gostarem de usar o Nmap para fazer o levantamento topol<6F>gico da rede antes de atacar o sistema, existem administradores que est<73>o preocupados e podem reclamar quando seus sistemas s<>o scanneados. Por isso, <20> muitas vezes conveniente requerer permiss<73>o antes de fazer, mesmo que seja, um simples scan na rede.
.Sp
O Nmap nunca deve ser executado com privil<69>gios (ex.: suid root) por raz<61>es de seguran<61>a.
.Sp
Todas as vers<72>es do Nmap igual <20> ou maiores que 2.0 s<>o acreditadas n<>o ter problemas, em todos os aspectos, com o bug do ano 2000 (Y2K). Por<6F>m, n<>o existe raz<61>o para acreditar que vers<72>es anteriores a 2.0 s<>o suscept<70>veis a problemas, por<6F>m n<>s n<>o as testamos.

836
docs/nmap_russian.1 Normal file

@@ -0,0 +1,836 @@
.\" This definition swiped from the gcc(1) man page
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
nmap \- <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>.
.SH <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B nmap
[<5B><><EFBFBD><EFBFBD><EFBFBD>(<28>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>] [<5B><><EFBFBD><EFBFBD><EFBFBD>] <<3C><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> #1,[#N]>
.SH <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.I Nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
.I nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD> UDP,
TCP connect(), TCP SYN (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>), FTP proxy (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> ftp),
Reverse-ident, ICMP (ping), FIN, ACK, Xmas tree, SYN <20> NULL-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.I <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
Nmap <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD> - <EFBFBD><EFBFBD>) <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP/IP, "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ping-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> portmapper) RPC-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.PP
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>", "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>".
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> Nmap <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>).
.PP
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, Nmap <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>: <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
TCP ISN, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (username) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20>.<2E>.
.SH OPTIONS
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.I nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.I <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B nmap -h
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-sT
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> TCP connect(). <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
TCP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> connect(), <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> connect() <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>), <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>
log-<2D><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-sS
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP SYN. <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. Nmap <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN|ACK <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD> RST <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN|ACK, <EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
RST-<2D><><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>). <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> root <EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> -sS <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> -p. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> -PS <<3C><><EFBFBD><EFBFBD>>.
.TP
.B \-sF \-sX \-sN
"<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" FIN, Xmas Tree <EFBFBD> NULL-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> Synlogger
<EFBFBD><EFBFBD><EFBFBD> Courtney <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20> FIN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> FIN-<2D><><EFBFBD><EFBFBD><EFBFBD>. <20> Xmas Tree <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
FIN|URG|PSH, <20> NULL-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RFC 973 <20>. 64, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RST, <20>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Microsoft Windows, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Windows <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> RST-<2D><><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20> <20> Nmap <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> FIN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD> <20><> Windows. <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><> Windows.
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, Windows <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> Cisco, BSDI, IRIX, HP/UX <20> MVS.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RST-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-sP
Ping-"<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>". <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>. Nmap <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ICMP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>" <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> microsoft.com) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP ACK-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><> 80-<2D> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> (<28><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>). <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
RST-<2D><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD> <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> RST <20><><EFBFBD><EFBFBD> SYN|ACK.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> root, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> connect().
.Sp
<EFBFBD><EFBFBD><EFBFBD> root-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> - ICMP <20> ACK. <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
.B \-P
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> ping-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ping-<2D><><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-sU
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP-<2D><><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP-<2D><><EFBFBD><EFBFBD><EFBFBD> (RFC 768) <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ICMP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>",
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD>" <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> rpcbind
<EFBFBD><EFBFBD> Solaris. <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
UDP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 32770. <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>, <20><>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> 111-<2D> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>.
.Sp
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RFC 1812
(<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 4.3.2.8) <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
ICMP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>". <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> Linux
(<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> net/ipv4/icmp.h) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> 80 <20><> 4 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0,25 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20> <20><> Solaris <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (2 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>), <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Solaris <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.I nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, Microsoft <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> 65535 UDP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<20><> Windows.
.Sp
.TP
.B \-sO
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>", <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> (AIX, HP-UX, Digital UNIX) <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>".
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"
(<28>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>). <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
ICMP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> "<22><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"
IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> 8 <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 256 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-sI <zombie_<65><5F><EFBFBD><EFBFBD>[:<3A><><EFBFBD><EFBFBD>]>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>". <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> IdleScan, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>-"<22><><EFBFBD><EFBFBD><EFBFBD>".
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>-"<22><><EFBFBD><EFBFBD><EFBFBD>".
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD>",
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>", <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>".
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IPID <20><> <20><><EFBFBD><EFBFBD><EFBFBD>-"<22><><EFBFBD><EFBFBD><EFBFBD>".
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> "tcp ping".
.Sp
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
http://www.cherepovets-city.ru/insecure/runmap/runmap-idlescan.htm.
.TP
.B \-sA
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ACK-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (ruleset) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ACK-<2D><><EFBFBD><EFBFBD><EFBFBD>
(<28><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> acknowledgement number <20> sequence number).
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RST-<2D><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>".
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ICMP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>),
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>". <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD>
.I nmap
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-sW
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> TCP Window. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> ACK-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><>, <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>/<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> Initial Window TCP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> AIX, Amiga, BeOS, BSDI, Cray, Tru64 UNIX, DG/UX,
OpenVMS, Digital UNIX, FreeBSD, HP-UX, OS/2, IRIX, MacOS, NetBSD,
OpenBSD, OpenStep, QNX, Rhapsody, SunOS 4.X, Ultrix, VAX <20> VxWorks.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> nmap-hackers.
.TP
.B \-sR
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RPC-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RPC-<2D><><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP/UDP-<2D><><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> NULL-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
SunRPC, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RPC-<2D><><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 'rpcinfo -p', <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>
portmapper <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>
TCP-wrapper'<27><>.
.TP
.B \-sL
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Nmap, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> -n.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20>.<2E>.
.TP
.B \-b <ftp relay host>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> FTP". <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> FTP (RFC 959) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" (proxy)
ftp-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> source.com
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> ftp-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> target.com <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> Internet! <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> 1985 <20><><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> RFC).
Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> "<22><><EFBFBD><EFBFBD>" <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"
ftp-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> ftp-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD>"
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>
(<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 139-<2D>). <20><><EFBFBD><EFBFBD> ftp-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> /incoming), <20><> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> '-b', <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> URL <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ftp,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>". <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> URL <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
.I <EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:<3A><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>@<40><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:<3A><><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>),
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-P0
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ping-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ICMP-<2D><><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> microsoft.com, <20> <20><>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> '-P0'<27><><EFBFBD> '-PT80'(<28><>. <20><><EFBFBD><EFBFBD>), <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>.
.TP
.B \-PT [<5B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD><EFBFBD>]
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP "ping". <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ICMP-<2D><><EFBFBD>, Nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP ACK-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> RST-<2D><><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><>-root
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> connect(). <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
ICMP-<2D><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ACK-<2D><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
-PT<<3C><><EFBFBD><EFBFBD>1>[,<2C><><EFBFBD><EFBFBD>2][...]. <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 80-<2D> <20><><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-PS [<5B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD><EFBFBD>]
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> ping-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
ACK-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP "ping" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> RST-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD> - SYN|ACK).
.TP
.B \-PU [<5B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD><EFBFBD>]
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP Ping. Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> ICMP "port unreachable" (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP) <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-PE
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ping-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
ping-<2D><><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ICMP-<2D><><EFBFBD>). <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ICMP-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-PP
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> ICMP "timestamp request (code 13)" <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-PM
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B \-PE
<EFBFBD>
.B \-PP
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "netmask request" (ICMP code 17).
.TP
.B \-PB
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> ping-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> ACK (
.B \-PT
) <20> ICMP (
.B \-PE
).
.TP
.B \-O
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> TCP/IP. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><>. <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>", <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD>
nmap-os-fingerprinting, <20> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> Nmap <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> - <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-d' <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-6
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IPv6. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
IPv6 <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> DNS (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> AAAA) <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
3ffe:501:4819:2000:210:f3ff:fe03:4d0. <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP connect()-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> TCP connect() Ping-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> UDP <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> http://nmap6.sourceforge.net/
.TP
.B \-I
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> reverse-ident <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Ident (RFC 1413)
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (username) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
TCP, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> http <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> identd <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> root. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" TCP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
(<28>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> '-sT'). Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> identd
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> identd.
.TP
.B \-f
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> SYN, FIN, Xmas <20><><EFBFBD> NULL-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>) <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> TCP-<2D><><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>! <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
"<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 36-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 24-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-v
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>". <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><> <20> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
.B \-d
<EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-h
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-oN <<3C><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
.B <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-oX <<3C><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B XML
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> Nmap'<27>.
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-' (<28><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> stdout.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. Document Type Definition (DTD)
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> XML <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>:
http://www.insecure.org/nmap/data/nmap.dtd .
.TP
.B \-oG <<3C><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> grep. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> -oM
(<28><>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>) <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> XML. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-'.
.TP
.B \-oA <<3C><><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, grep <20> XML).
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
base.nmap, base.gnmap <20> base.xml.
.TP
.B \-oS <<3C><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
.B s|<ipT kiDd|3:
thIs l0gz th3 r3suLtS of YouR ScanZ iN a s|<ipT kiDd|3
f0rM iNto THe fiL3 U sPec\|fy 4s an arGuMEnT! U kAn gIv3
the 4rgument '-' (wItHOUt qUOteZ) to sh00t output iNT0
stDouT!@!!
.TP
.B \--resume <<3C><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <Ctrl C>,
<EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD>-<2D><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> '-oG' <20><><EFBFBD> '-oN'.
<EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. Nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>".
.TP
.B \--append_output
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>.
.TP
.B \-iL <<3C><><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <CR><LF> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> - <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>).
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> StdIn <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-'. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>".
.TP
.B \-iR <<3C><><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, Nmap <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Internet.
.TP
.B \-p <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>(<28>)_<><5F><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, '-p 23' <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 23 <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> '-p 20-30,139,60000-' Nmap <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> 20 <20><> 30 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, 139 <20> <20><>
60000 <20> <20><><EFBFBD><EFBFBD> (<28><> 65535). <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
1-1024, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> services.
.TP
.B \-F
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> services. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> 65535 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-D <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD>1,[<5B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD>2],[,ME],...>
<EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>), <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD>
(<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 'ME') <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 'ME' <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, scanlogd <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Solar Designer'<27>) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 'ME',
Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> 'localhost'.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>), <20> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-S <IP-<2D><><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
(<28> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>), <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> (<28>.<2E>. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>).
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> - <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>-<2D><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>
'-S' <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> '-e'.
.TP
.B \-e <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>/<2F><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>. Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-g <<3C><><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> DNS
(<28><><EFBFBD><EFBFBD> 53) <20> FTP-DATA (<28><><EFBFBD><EFBFBD> 20) <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD>" <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> 53-<2D> <20><><EFBFBD> 20-<2D> <20><><EFBFBD><EFBFBD>.
.TP
.B \--data_length <<3C><><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
TCP-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> 40 <20><><EFBFBD><EFBFBD>, <20> ICMP "echo requests" - 28. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>)
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-n
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> DNS-<2D><><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-R
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> DNS-<2D><><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-r
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-ttl <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> TTL <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IPv4 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-\-randomize_hosts
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> 2048 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B \-M <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>_<EFBFBD><5F><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP connect() <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> '-sS', <20><><EFBFBD> <20><><EFBFBD>
SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B --packet_trace
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCPDump.
.TP
.B --datadir [<5B><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>]
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> nmap-services, nmap-protocols,
nmap-rpc, <20> nmap-os-fingerprints. <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
--nmapdir. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> NMAPDIR, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> ~/nmap,
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> /usr/share/nmap . <20> <20><><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD> <20><> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B -T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD>
.B Paranoid
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> 5 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B Sneaky
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Paranoid. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 15 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B Polite
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>. <20> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 0,4 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B Normal
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B Aggressive
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 5 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 1,25 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B Insane
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 75 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> - 0,3 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-T0' <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Paranoid, <EFBFBD> '-T5' - Insane. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-T' <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Nmap <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>).
.TP
.B --host_timeout <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD>.<2E>. Nmap <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B --max_rtt_timeout <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
Nmap <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 9000 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B --min_rtt_timeout <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, Nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD>.<2E>. Nmap <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>.
.TP
.B --initial_rtt_timeout <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-P0'. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 6000 <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B --max_parallelism <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 1 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> Nmap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B --min_parallelism <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.B --scan_delay <<3C><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD> <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.TP
.SH <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, Nmap <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28>.<2E>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>).
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> - <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B '/mask'
("<22><><EFBFBD><EFBFBD><EFBFBD>") <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
'/0' - <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
'/16' - <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> B;
'/24' - <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD>;
'/32' - <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> B <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 128.210.*.*.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
128.210.*.*
128.210.0-255.0-255
128.210.1-50,51-255.1,2,3,4,5-255
128.210.0.0/16
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>"
('*'), <20><> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> "<22><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>" <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '*.*.5.6-7',
Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> IP-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> 5.6 <20><><EFBFBD><EFBFBD> 5.7.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>.
.SH <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
.B nmap -v target.example.com
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> target.example.com.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-v' <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
.B nmap -sS -O target.example.com/24
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> SYN-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> 255 <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> C, <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> target.example.com. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> root.
.Sp
.B nmap -sX -p 22,53,110,143,4564 "198.116.*.1-127"
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Xmas-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (0-127) <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><>
255 <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> B <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 128.210.*.*. <20><> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> sshd (22 <20><><EFBFBD><EFBFBD>), DNS (53), pop3d (110), imapd
(143) <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> 4564. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> Xmas-<2D><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><> Windows, CISCO, IRIX, HP/UX <20> BSDI.
.Sp
.B nmap -v --randomize_hosts -p 80 '*.*.2.3-5'
.Sp
Nmap <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, IP-<2D><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> .2.3,
.2.4 <EFBFBD> .2.5. <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> root, <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '-sS'. <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> 127. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> '127-222'.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>!
.Sp
.B "host -l company.com | cut '-d ' -f 4 | ./nmap -v -iL -"
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> DNS <20><><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> company.com,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20> Nmap <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> GNU/Linux.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>.
.SH <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>-<2D><><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> -
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> URL, <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.SH <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: Nmap 3.<2E><>
release by Fyodor
.I <fyodor@insecure.org>
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>: RuNmap 3.<2E><>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.I <alex@cherepovets-city.ru>
.SH <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD> RuNmap <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.Sp
.I http://www.cherepovets-city.ru/insecure
.Sp
.I http://www.insecure.org/
.Sp
.I nmap
(C) 1995-2003 by Insecure.Com LLC
.Sp
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> GNU General
Public License, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Free Software Foundation; <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> 2.
<EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD> <20><> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (sales@insecure.com).
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> (GNU GPL), <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> alex@cherepovets-city.ru <20>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD>,
<EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Insecure.Org <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD> <20><>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> GNU GPL. <20><><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><>, <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD> <20><><EFBFBD>, <20><><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><>
.B <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>;
<EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><>, <20><><EFBFBD> <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.B <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> GNU
General Public License (<28><><EFBFBD><EFBFBD> COPYING <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.I nmap
).
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> TCP/IP, <20> <20><><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.B <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> (<28><><EFBFBD>) <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>.
.Sp
<EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Nmap <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> (<28><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> suid root).
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
.I Libpcap
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> Nmap. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
Van Jacobson, Craig Leres <EFBFBD> Steven McCanne, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> Lawrence Berkley <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>,
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD> Nmap, <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
<EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>. <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <EFBFBD><EFBFBD> <EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD>
http://www.tcpdump.org .
.Sp
<EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD><EFBFBD> <20><> <20><><EFBFBD><EFBFBD><EFBFBD><EFBFBD>:
.I alex@cherepovets-city.ru

549
docs/nmap_spanish.1 Normal file

@@ -0,0 +1,549 @@
.\"Traducido al espa<70>ol por
.\"Antonio Aneiros <aneiros@ctv.es>
.\"el 04-08-1999
.de Sp
.if n .sp
.if t .sp 0.4
..
.TH NMAP 1
.SH NOMBRE
nmap \- Herramienta de exploraci<63>n de red y esc<73>ner de seguridad.
.SH SINOPSIS
.B nmap
[Tipos(s)de escaneo] [Opciones] <servidor o red #1 ... [#N]>
.SH DESCRIPCI<EFBFBD>N
.I Nmap
ha sido dise<73>ado para permitir a administradores de sistemas y gente curiosa
en general el escaneo de grandes redes para determinar qu<71> servidores se
encuentran activos y qu<71> servicios ofrecen.
.I nmap
es compatible con un gran n<>mero de t<>cnicas de escaneo como: UDP, TCP connect(),
TCP SYN (half open), ftp proxy (bounce attack), Reverse-ident, ICMP (ping
sweep), FIN, ACK sweep, Xmas Tree, SYN sweep, and Null scan. V<>ase la secci<63>n
.I Tipos de Escaneo
para m<>s detalles.
.I nmap
proporciona tambi<62>n caracter<65>sticas avanzadas como la detecci<63>n remota del
sistema operativo por medio de huellas TCP/IP , escaneo tipo stealth (oculto),
retraso din<69>mico y c<>lculos de retransmisi<73>n, escaneo paralelo, detecci<63>n de
servidores inactivos por medio de pings paralelos, escaneo con se<73>uelos,
detecci<EFBFBD>n de filtrado de puertos, escaneo por fragmentaci<63>n y especificaci<63>n
flexible de destino y puerto.
.PP
Se han hecho grandes esfuerzos encaminados a proporcionar un rendimiento
decente para usuarios normales (no root). Por desgracia, muchos de los
interfaces cr<63>ticos del kernel ( tales como los raw sockets) requieren
privilegios de root.
Deber<EFBFBD>a ejecutarse
.I nmap
como root siempre que sea posible.
.SH OPCIONES
En general, pueden combinarse aquellas opciones que tengan sentido en conjunto.
Algunas de ellas son espec<65>ficas para ciertos modos de escaneo.
.I nmap
trata de detectar y advertir al usuario sobre el uso de combinaciones de
opciones sic<69>ticas o no permitidas.
.Sp
Si usted es una persona impaciente, puede pasar directamente a la secci<63>n
.I ejemplos
al final de este documento, donde encontrar<61> ejemplos de los usos m<>s
corrientes. Tambi<62>n puede ejecutar el comando
.B nmap -h
para una p<>gina de referencia r<>pida con un listado de todas las opciones.
.TP
.B Tipos de Escaneo
.TP
.B \-sT
Escaneo TCP connect(): Es la forma m<>s b<>sica de escaneo TCP. La llamada de
sistema connect() proporcionada por nuestro sistema operativo se usa para
establecer una conexi<78>n con todos los puertos interesantes de la m<>quina. Si
el puerto est<73> a la escucha, connect() tendr<64> <20>xito, de otro modo, el puerto
resulta inalcanzable. Una ventaja importante de esta t<>cnica es que no resulta
necesario tener privilegios especiales. Cualquier usuario en la mayor<6F>a de los
sistemas UNIX tiene permiso para usar esta llamada.
.Sp
Este tipo de escaneo resulta f<>cilmente detectable dado que los registros del
servidor de destino muestran un mont<6E>n de conexiones y mensajes de error para
aquellos servicios que accept() (aceptan) la conexi<78>n para luego cerrarla
inmediatamente.
.TP
.B \-sS
Escaneo TCP SYN: A menudo se denomina a esta t<>cnica escaneo "half open" (medio
abierto), porque no se abre una conexi<78>n TCP completa. Se env<6E>a un paquete
SYN, como si se fuese a abrir una conexi<78>n real y se espera que llegue una
respuesta. Un SYN|ACK indica que el puerto est<73> a la escucha. Un RST es
indicativo de que el puerto no est<73> a la escucha. Si se recibe un SYN|ACK, se
env<EFBFBD>a un RST inmediatamente para cortar la conexi<78>n (en realidad es el kernel
de nuestro sistema operativo el que hace esto por nosotros). La ventaja
principal de esta t<>cnica de escaneo es que ser<65> registrada por muchos menos
servidores que la anterior. Por desgracia se necesitan privilegios de root
para construir estos paquetes SYN modificados.
.TP
.B \-sF \-sX \-sN
Modos Stealth FIN, Xmas Tree o Nul scan: A veces ni siquiera el escaneo SYN
resulta lo suficientemente clandestino. Algunas firewalls y filtros de
paquetes vigilan el env<6E>o de paquetes SYN a puertos restringidos, y programas
disponibles como Synlogger y Courtney detectan este tipo de escaneo. Estos
tipos de escaneo avanzado, sin embargo, pueden cruzar estas barreras sin ser
detectados.
.Sp
La idea es que se requiere que los puertos cerrados respondan a nuestro
paquete de prueba con un RST, mientras que los puertos abiertos deben ignorar
los paquetes en cuesti<74>n (v<>ase RFC 794 pp 64). El escaneo FIN utiliza un
paquete FIN vac<61>o (sorpresa) como prueba, mientras que el escaneo Xmas tree
activa las flags FIN, URG y PUSH. El escaneo NULL desactiva todas las flags.
Por desgracia Microsoft (como de costumbre) decidi<64> ignorar el est<73>ndar
completamente y hacer las cosas a su manera. Debido a esto, este tipo de
escaneo no funcionar<61> con sistemas basados en Windows95/NT. En el lado
positivo, esta es una buena manera de distinguir entre las dos plataformas. Si
el escaneo encuentra puertos cerrados, probablemente se trate de una m<>quina
UNIX, mientras que todos los puertos abiertos es indicativo de Windows.
Excepcionalmente, Cisco, BSDI, HP/UX, MVS, y IRIX tambi<62>n env<6E>an RSTs en vez
de desechar el paquete.
.TP
.B \-sP
Escaneo ping: A veces <20>nicamente se necesita saber qu<71> servidores en una red
se encuentran activos. Nmap puede hacer esto enviando peticiones de respuesta
ICMP a cada direcci<63>n IP de la red que se especifica. Aquellos servidores que
responden se encuentran activos. Desafortunadamente, algunos sitios web como
microsoft.com bloquean este tipo de paquetes. Nmap puede enviar
tambi<EFBFBD>n un paquete TCP ack al puerto 80 (por defecto). Si se obtiene por
respuesta un RST, esa m<>quina est<73> activa. Una tercera t<>cnica implica el
env<EFBFBD>o de un paquete SYN y la espera de de un RST o un SYN/ACK. Para usuarios
no root se usa un m<>todo connect().
.Sp
Por defecto (para usuarios no root), nmap usa las t<>cnicas ICMP y ACK en
paralelo. Se puede cambiar la opci<63>n
.B \-p
descrita m<>s adelante.
.Sp
N<EFBFBD>tese que el envio de pings se realiza por defecto de todas maneras y que
s<EFBFBD>lamente se escanean aquellos servidores de los que se obtiene respuesta. Use
esta opci<63>n s<>lamente en el caso de que desee un ping sweep (barrido ping)
.B sin
hacer ning<6E>n tipo de escaneo de puertos.
.TP
.B \-sU
Escaneo Udp: Este m<>todo se usa para saber qu<71> puertos UDP (Protocolo de
Datagrama de Usuario, RFC 768) est<73>n abiertos en un servidor. La t<>cnica
consiste en enviar paquetes UCP de 0 bytes a cada puerto de la m<>quina
objetivo. Si se recibe un mensaje ICMP de puerto no alcanzable, entonces el
puerto est<73> cerrado. De lo contrario, asumimos que est<73> abierto.
.Sp
Alguna gente piensa que el escaneo UDP no tiene sentido. Normalmente les
recuerdo el reciente agujero Solaris rcpbind. Puede encontrarse a rcpbind
escondido en un puerto UDP no documentado en alg<6C>n lugar por encima del 32770.
Por lo tanto, no importa que el 111 est<73> bloqueado por la firewall.
Pero, <20>qui<75>n puede decir en cual de los m<>s de 30000 puertos altos se
encuentra a la escucha el programa? <20>Con un esc<73>ner UDP se puede! Tenemos
tambi<EFBFBD>n el programa de puerta trasera cDc Back Orifice que se oculta en un
puerto UDP configurable en las m<>quinas Windows, por no mencionar los muchos
servicios frecuentemente vulnerables que usan UDP como snmp, tftp, NFS, etc.
.Sp
Por desgracia, el escaneo UDP resulta a veces tremendamente lento debido a que
la mayor<6F>a de los servidores implementan una sugerencia recogida en el RFC
1812 (secci<63>n 4.3.2.8) acerca de la limitaci<63>n de la frecuencia de mensajes de
error ICMP. Por ejemplo, el kernel de Linux (en /ipv4/icmp.h) limita la
generaci<EFBFBD>n de mensajes de destino inalcanzable a 80 cada cuatro segundos, con
una penalizaci<63>n de 1/4 de segundo si se rebasa dicha cantidad. Solaris tiene
unos l<>mites mucho m<>s estrictos (m<>s o menos 2 mensajes por segundo) y por lo
tanto lleva m<>s tiempo hacerle un escaneo.
.I nmap
detecta este l<>mite de frecuencia y se ralentiza en consecuencia, en vez de
desbordar la red con paquetes in<69>tiles que la m<>quina destino ignorar<61>.
.Sp
Como de costumbre, Microsoft ignor<6F> esta sugerencia del RFC y no parece que
haya previsto ning<6E>n tipo de l<>mite de frecuencia para las m<>quinas Windows.
Debido a esto resulta posible escanear los 65K puertos de una m<>quina Windows
.B muy
r<EFBFBD>pidamente. <20>Woop!
.TP
.B \-b <ftp relay host>
Ataque de rebote FTP: Una caracter<65>stica "interesante" del protocolo FTP (FRC
959) es la posibilidad de realizar conexiones ftp tipo "proxy". En otras
palabras, <20>me resultar<61>a posible conectarme desde malvado.com al servidor ftp
de destino.com y pedirle a ese servidor que enviase un archivo a CUALQUIER
PARTE de Internet! Aun as<61>, esto podr<64>a haber funcionado bien en 1985 cuando
se escribi<62> el RFC, pero en la Internet actual, no podemos permitir que la
gente vaya por ah<61> asaltando servidores ftp y pidi<64>ndoles que escupan sus
datos a puntos arbitrarios de Internet. Tal y como escribi<62> *Hobbit* en 1985,
este defecto del protocolo "puede usarse para enviar mensajes de correo y
noticias cuyo rastro ser<65> virtualmente imposible de seguir, machacar
servidores en varios sitios web, llenar discos, tratar de saltarse firewalls y
, en general, resultar molesto y dif<69>cil de detectar al mismo tiempo." Nosotros
explotaremos este defecto para (sorpresa, sorpresa) escanear puertos TCP desde
un servidor ftp "proxy". De este modo nos podr<64>amos conectar a un servidor ftp
tras una firewall, y luego escanear aquellos puertos que con m<>s probabilidad
se encuentren bloqueados (el 139 es uno bueno). Si el servidor ftp permite la
lectura y escritura en alg<6C>n directorio (como por ejemplo /incoming), se
pueden enviar datos arbitrarios a puertos que se encuentren abiertos (aunque
nmap no realiza esta funci<63>n por s<> mismo).
.Sp
El argumento que se pasa a la opci<63>n 'b' es el host que se pretende usar como
proxy, en notaci<63>n URL est<73>ndar. El formato es:
.I nombre_de_usuario:password@servidor:puerto.
Todo excepto
.I servidor
es opcional. Para determinar qu<71> servidores son vulnerables a este ataque,
v<EFBFBD>ase mi art<72>culo en
.I Phrack
51. Se encuentra disponible una versi<73>n actualizada en la URL de
.I nmap
(http://www.insecure.org/nmap).
.TP
.B Opciones Generales
No se requiere ninguna pero algunas de ellas pueden resultar de gran utilidad.
.TP
.B \-p0
No intenta hacer ping a un servidor antes de escanearlo. Esto permite el
escaneo de redes que no permiten que pasen peticiones (o respuestas)de ecos
ICMP a trav<61>s de su firewall. microsoft.com es un ejemplo de una red de este
tipo, y, por lo tanto, deber<65>a usarse siempre
.B \-p0
o
.B \-PT80
al escanear microsoft.com.
.TP
.B \-PT
Usa el ping TCP para determinar qu<71> servidores est<73>n activos. En vez de enviar
paquetes de petici<63>n de ecos ICMP y esperar una respuesta, se lanzan paquetes
TCP ACK a trav<61>s de la red de destino (o a una sola m<>quina) y luego se espera
a que lleguen las respuestas. Los servidores activos responden con un RST.
Esta opci<63>n mantiene la eficiencia de escanear <20>nicamente aquellos servidores
que se encuentran activos y la combina con la posibilidad de escanear
redes/servidores que bloquean los paquetes ping. Para los usuarios no root
se usa connect(). Para establecer el puerto de destino de los paquetes de
prueba use -PT <n<>mero de puerto). El puerto por defecto es el 80, dado que
normalmente este puerto no es un puerto filtrado.
.TP
.B \-PS
Esta opci<63>n usa paquetes SYN (petici<63>n de conexi<78>n) en vez de los paquetes ACK
para usuarios root. Los servidores activos deber<65>an responder con un RST (o,
en raras ocasiones, un SYN|ACK).
.TP
.B \-PI
Esta opci<63>n usa un paquete ping (petici<63>n de eco ICMP) verdadero. Encuentra
servidores que est<73>n activos y tambi<62>n busca direcciones de broadcast
dirigidas a subredes en una red. Se trata de direcciones IP
alcanzables desde el exterior que env<6E>an los paquetes IP entrantes a una subred
de servidores. Estas direcciones deber<65>an eliminarse, si se encontrase alguna,
dado que suponen un riesgo elevado ante numerosos ataques de denegaci<63>n de
servicio (el m<>s corriente es Smurf).
.TP
.B \-PB
Este es el tipo de ping por defecto. Usa los barridos ACK (
.B \-PT
) e ICMP (
.B \-PI
) en paralelo. De este modo se pueden alcanzar firewalls que filtren uno de los
dos (pero no ambos).
.TP
.B \-O
Esta opci<63>n activa la detecci<63>n remota del sistema operativo por medio de la
huella TCP/IP. En otras palabras, usa un pu<70>ado de t<>cnicas para detectar
sutilezas en la pila de red subyacente del sistema operativo de los servidores
que se escanean. Usa esta informaci<63>n para crear una 'huella' que luego
compara con una base de datos de huellas de sistemas operativos conocidas (el
archivo nmap-os-fingerprints) para decidir qu<71> tipo de sistema se est<73>
escaneando.
.Sp
Si encuentra una m<>quina diagnosticada err<72>neamente que tenga por lo menos un
puerto abierto, me ser<65>a de gran utilidad que me enviase los detalles en un
email (es decir, se encontr<74> la versi<73>n xxx de tal cosa y se detect<63> este u
otro sistema operativo..). Si encuentra una m<>quina con al menos un puerto
abierto de la cual nmap le informe "sistema operativo desconocido",
le estar<61>a agradecido si me enviase la direcci<63>n IP junto con el nombre del
sistema operativo y el n<>mero de su versi<73>n. Si no me puede enviar la
direcci<EFBFBD>n IP, una alternativa ser<65>a ejecutar nmap con la opci<63>n
.B \-d
y enviarme las tres huellas que obtendr<64>a como resultado junto con el nombre
del sistema operativo y el n<>mero de versi<73>n. Al hacer esto, est<73>
contribuyendo a aumentar el n<>mero importante de sistemas operativos conocidos
por namp y de este modo el programa resultar<61> m<>s exacto para todo el mundo.
.TP
.B \-I
Esta opci<63>n activa el escaneo TCP de identificaci<63>n contraria. Tal y como
comenta Dave Goldsmith en un correo Bugtrat de 1996, el protocolo ident (rfc
1413) permite la revelaci<63>n del nombre del usuario propietario de cualquier
proceso conectado v<>a TCP, incluso aunque ese proceso no haya iniciado la
conexi<EFBFBD>n. De este modo se puede, por ejemplo, conectar con el puerto http y
luego usar identd para descubrir si el servidor est<73> ejecut<75>ndose como root.
Esto s<>lo se puede hacer con una conexi<78>n TCP completa con el puerto de
destino (o sea, la opci<63>n de escaneo -sT).
Cuando se usa
.B \-I,
se consulta al identd del servidor remoto sobre cada uno de los puertos
abiertos encontrados en el sistema. Por supuesto, esto no funcionar<61> si el
servidor en cuesti<74>n no est<73> ejecutando identd.
.TP
.B \-f
Esta opci<63>n hace que el escaneo solicitado de tipo SYN, FIN, XMAS, o NULL use
peque<EFBFBD>os paquetes IP fragmentados. La idea consiste en dividir la cabecera TCP
en varios paquetes para pon<6F>rselo m<>s dif<69>cil a los filtros de paquetes,
sistemas de detecci<63>n de intrusi<73>n y otras inconveniencias por el estilo que
tratan de saber lo uno est<73> haciendo. <20>Tenga cuidado con esto! Algunos
programas tienen problemas a la hora de manejar estos paquetes tan peque<75>os.
Mi sniffer favorito produjo un error de segmentaci<63>n inmediatamente despu<70>s de
recibir el primer fragmento de 36 bytes. <20>Despu<70>s de este viene uno de 24
bytes! Mientras que este m<>todo no podr<64> con filtros de paquetes y firewalls
que ponen en cola todos los fragmentos IP (como en el caso de la opci<63>n
CONFIG_IP_ALWAYS_DEFRAG en la configuraci<63>n del kernel de Linux), tambi<62>n
es verdad que algunas redes no pueden permitirse el efecto negativo que esta
opci<EFBFBD>n causa sobre su rendimiento y por lo tanto la dejan desactivada.
.Sp
N<EFBFBD>tese que no he coseguido que esta opci<63>n funcione con todos los sistemas.
Funciona bien con mis sistemas Linux, FreeBSD y OpenBSD y algunas personas
han informado de <20>xitos con otras variantes *NIX.
.TP
.B \-v
Modo de informaci<63>n ampliada. Esta opci<63>n resulta muy recomendable y
proporciona gran cantidad de informaci<63>n sobre lo que est<73> sucediendo. Puede
usarla dos veces para un efecto mayor. <20>Use
.B \-d
un par veces si lo que quiere es volverse loco haciendo scroll en su pantalla!
.TP
.B \-h
Esta opci<63>n tan pr<70>ctica muestra una pantalla de referencia r<>pida sobre las
opciones de uso de nmap. Quiz<69>s haya notado que esta p<>gina de manual no es
precisamente una "referencia r<>pida" :)
.TP
.B \-o <nombre_de_archivo_de_registro>
Esta opci<63>n guarda los resultados de sus escaneos en forma
.B humanamente inteligible
en el archivo especificado como argumento.
.TP
.B \-m <nombre_de_archivo_de_registro>
Esta opci<63>n guarda los resultados de sus escaneos en un formato
.B comprensible para una m<EFBFBD>quina
en el archivo especificado como argumento.
.TP
.B \-i <nombre_de_archivo_de_entrada>
Lee especificaciones de servidores o redes de destino a partir del archivo
especificado en vez de hacerlo de la l<>nea de comandos. El archivo debe
contener una lista de expresiones de servidores o redes separadas por
espacios, tabuladores o nuevas l<>neas. Use un gui<75>n (-) como
.I nombre_de_archivo_de_entrada
si desea que nmap tome las expresiones de servidores de stdin. V<>ase la secci<63>n
.I Especificaci<EFBFBD>n de Objetivo
para m<>s informaci<63>n sobre expresiones con las que poder completar este
archivo.
.TP
.B \-p <rango de puertos>
Esta opci<63>n determina los puertos que se quieren especificar. Por ejemplo, '-p
23' probar<61> solo el puerto 23 del servidor(es) objetivo. '-p
20-30,139,60000-' escanea los puertos del 20 al 30, el puerto 139 y todos los
puertos por encima de 60000. Por defecto se escanean todos los puertos entre
el 1 y el 1024 as<61> como los que figuran en el archivo /etc/services.
.TP
.B \-F Modo de escaneo r<EFBFBD>pido.
Implica que s<>lo se desean escanear aquellos puertos que figuran en
/etc/services. Obviamente esto resulta mucho m<>s r<>pido que escanear cada uno
de los 65535 puertos de un servidor.
.TP
.B \-D <se<73>uelo1 [,se<73>uelo2][,ME],...>
Especifica que se desea efectuar un escaneo con se<73>uelos, el cual hace que el
servidor escaneado piense que la red destino del escaneo est<73> siendo escaneada
tambi<EFBFBD>n por el servidor(es) especificados como se<73>uelos. As<41>, sus IDs pueden
informar de entre 5 y 10 escaneos procedentes de direcci<63>nes IP <20>nicas, pero
no sabr<62>n que direcci<63>n IP les estaba escaneando realmente y c<>ales eran
se<EFBFBD>uelos inocentes.
.Sp
Separe cada servidor se<EFBFBD>uelo con comas, y puede usar opcionalmente 'ME' como
se<EFBFBD>uelo que representa la posici<63>n que quiere que ocupe su direcci<63>n IP. Si
coloca 'ME' en la sexta posici<63>n o superior, es muy poco probable que algunos
esc<EFBFBD>neres de puertos comunes (como el excelente scanlogd de Solar Designer)
lleguen incluso a mostrar su direcci<63>n IP. Si no se usa 'ME', nmap le colocar<61>
a usted en una posici<63>n aleatoria.
.Sp
N<EFBFBD>tese que aquellos servidores usados como se<73>uelos deben escontrarse activos,
o, de lo contrario podr<64>a provocar un desbordamiento (flood) SYN en su
objetivo. Por otra parte, resultar<61> bastante f<>cil saber qu<71> servidor est<73>
escaneando si <20>nicamente hay uno activo en la red.
.Sp
N<EFBFBD>tese tambi<62>n que algunos (est<73>pidos) "detectores de esc<73>neres de puertos"
opondr<EFBFBD>n una firewall o bien denegar<61>n el rutaje a aquellos servidores que
intenten escanear sus puertos. De este modo se podr<64>a provocar
inadvertidamente que la m<>quina que se est<73> intentando escanear perdiese
contacto con los servidores usados como se<73>uelos. Esto podr<64>a causarles a los
servidores escaneados verdaderos problemas si los servidores se<73>uelo fuesen,
por ejemplo, su gateway a internet o incluso "localhost". Deber<65>a usarse esta
opci<EFBFBD>n con extremo cuidado. La verdadera moraleja de este asunto es que un
detector de escaneos de puertos que aparenten tener intenciones poco
amistosas no deber<65>a llevar a cabo acci<63>n alguna contra la m<>quina que
aparentemente le est<73> escaneando. <20>Podr<64>a no ser m<>s que un se<73>uelo!
.Sp
Los se<73>uelos se usan tanto en el escaneo ping inicial (usando ICMP, SYN, ACK,
o lo que sea) como en la fase de escaneo de puertos propiamente dicha. Tambi<62>n
se usan los se<73>uelos en la fase de detecci<63>n remota del sistema operativo (
.B \-O
).
.Sp
Vale la pena destacar que el uso de demasiados se<73>uelos puede ralentizar el
proceso de escaneo y, potencialmente, hacer que sea menos exacto. Por otra
parte, algunos ISPs filtrar<61>n los paquetes manipulados y los desechar<61>n,
aunque muchos (actualmente la mayor<6F>a) no ponen restricciones a este tipo de
paquetes.
.TP
.B \-S <Direcci<63>n_IP>
En determinadas circunstancias, es posible que
.I nmap
no sea capaz de determinar su (de usted) direcci<63>n IP de origen (
.I nmap
se lo har<61> saber si este es el caso). En este caso, use -S con su direcci<63>n IP
(del interfaz a trav<61>s del cual desea enviar los paquetes).
.Sp
Otro posible uso de esta opci<63>n es el de manipular el escaneo para hacer creer
a los servidores de destino que
.B alguien m<EFBFBD>s
les est<73> escaneando. <20>Imag<61>nese a una compa<70><61>a escaneada repetidamente por una
compa<EFBFBD><EFBFBD>a rival! Esta no es la funci<63>n para la que se ha dise<73>ado esta opci<63>n
(ni su prop<6F>sito principal). Simplemente pienso que revela una posibilidad que
la gente deber<65>a tener en cuenta antes de acusar a los dem<65>s de escanear sus
puertos.
La opci<63>n
.B \-e
ser<EFBFBD> necesaria en general para este tipo de uso.
.TP
.B \-e <interfaz>
Le dice a nmap qu<71> interfaz ha de usar para enviar y recibir paquetes. El
programa deber<65>a detectar esto por s<> mismo, pero le informar<61> si no es as<61>.
.TP
.B \-g <n<>mero_de_puerto>
Establece el n<>mero de puerto de origen a usar en los escaneos. Muchas
instalaciones de firewalls y filtros de paquetes inocentes hacen una excepci<63>n
en sus reglas para permitir que las atraviesen y establezcan una conexi<78>n
paquetes DNS (53) o FTP-DATA (20). Evidentemente esto contraviene
completamente las ventajas en materia de seguridad que comporta una firewall
dado que los intrusos pueden enmascararse como DNS o FTP con una simple
modificaci<EFBFBD>n de su puerto de origen. Por supuesto, deber<65>a probarse primero
con el puerto 53 para un escaneo UDP y los escaneos TCP deber<65>an probar el 20
antes del 53.
.Sp
N<EFBFBD>tese que el uso de esta opci<63>n penaliza levemente el rendimiento del
escaneo, porque a veces se almacena informaci<63>n <20>til en el n<>mero de puerto
de origen.
.TP
.B \-M <max sockets>
Establece el n<>mero m<>ximo de sockets que se usar<61>n en paralelo para un
escaneo TCP connect() (escaneo por defecto). Resulta <20>til a la hora de
ralentizar ligeramente el proceso de escaneo con el fin de evitar que
la m<>quina de destino se cuelgue. Otra manera de hacerlo es usar \-sS, que
normalmente les resulta m<>s f<>cil de asumir a las m<>quinas de destino.
.TP
.B Especificaci<EFBFBD>n de Objetivo
Cualquier cosa que no es una opci<63>n (o el argumento de una opci<63>n) en namp se
trata como una especificaci<63>n de servidor de destino. El caso m<>s simple
consiste en especificar servidores aislados o direcciones IP en la l<>nea de
comandos. Si pretende escanear una subred de direcciones IP, entonces se puede
a<EFBFBD>adir
.B '/mask'
a la direcci<63>n IP o al nombre del servidor.
.B mask
debe estar entre 0 (escanea toda Internet) y 32 (escanea <20>nicamente el
servidor especificado). Use /24 para escanear una direcci<63>n de clase 'C' y /16
para la clase 'B'.
.Sp
Nmap dispone tambi<62>n de una notaci<63>n mucho m<>s potente que permite la
especificaci<EFBFBD>n de direcciones IP usando listas/rangos para cada elemento. De
este modo, se puede escanear la red de clase 'B' completa 128.210.*.*
especificando '128.210.*.*' o '128.210.0-255.0-255' o incluso
'128.210.1-50,51-255.1,2,3,4,5-255'. Y, por supuesto, se puede usar la
notaci<EFBFBD>n de m<>scara: '128.210.0.0/16'. Todas ellas son equivalentes. Si se
usan asteriscos ('*'), ha de tenerse en cuenta que la mayor<6F>a de los shells
requieren que se salga de ellos con caracteres / o que se les proteja con
comillas.
.Sp
Otra posibilidad interesante consiste en dividir Internet en el otro sentido.
En vez de escanear todos los servidores en una clase 'B', se puede
escanear '*.*.5.6-7' para escanear todas las direcciones IP terminadas en .5.6 o .5.7
Escoja sus propios n<>meros. Para m<>s informaci<63>n sobre la especificaci<63>n de
servidores a escanear, v<>ase la secci<63>n
.I ejemplos
a continuaci<63>n.
.SH EJEMPLOS
A continuaci<63>n se muestran algunos ejemplos del uso de nmap que abarcan desde
los usos m<>s normales y frecuentes a los m<>s complejos o incluso esot<6F>ricos.
N<EFBFBD>tese que se han incluido direciones IP y nombres de dominio reales para hacer
las cosas m<>s concretas. Usted deber<65>a sustituirlos por n<>meros y direcciones
de su
.B propia red.
No creo que escanear otras redes sea ilegal; ni se deber<65>an considerar los
escaneos de puertos como ataques. He escaneado cientos de miles de m<>quinas y
tan s<>lo he recibido una queja. Pero no soy abogado y es posible que los
intentos de
.I nmap
lleguen a molestar a alguna gente. Obtenga primero el permiso para hacerlo o
h<EFBFBD>galo bajo su propia responsabilidad.
.Sp
.B nmap -v objetivo.ejemplo.com
.Sp
Esta opci<63>n escanea todos los puertos TCP reservados en la m<>quina
objetivo.ejemplo.com. La \-v implica la activaci<63>n del modo de informaci<63>n
ampliada.
.Sp
.B nmap -sS -O objetivo.ejemplo.com/24
.Sp
Lanza un escaneo SYN oculto contra cada una de las m<>quinas activas de las 255
m<EFBFBD>quinas de la classe 'C' donde se aloja objetivo.ejemplo.com. Tambi<62>n trata
de determinar el sistema operativo usado en cada una de las m<>quinas activas.
Este escaneo requiere privilegios de roor a causa del escaneo SYN y la
detecci<EFBFBD>n del sistema operativo.
.Sp
.B nmap -sX -p 22,53,110,143 "128.210.*.1-127"
.Sp
Env<EFBFBD>a un escaneo Xmas tree a la primera mitad de cada una de las 255 posibles
subredes de 8 bits en el espacio de direcciones clase 'B' 128.210 . Se trata
de comprobar si los sistemas ejecutan sshd, DNS, pop3d, imapd o el puerto
4564. N<>tese que el escaneo Xmas no funciona contra servidores ejecutando
cualquier sistema operativo de Microsoft debido a una pila TCP deficiente. Lo
mismo se aplica a los sistemas CISCO, IRIX, HP/UX, y BSDI.
.Sp
.B nmap -v -p 80 '*.*.2.3-5'
.Sp
En vez de centrarse en un rango espec<65>fico de direcciones IP, resulta a veces
interesante dividir Internet en porciones y escanear una peque<75>a muestra de
cada porci<63>n. Este comando encuentra todos los servidores web en m<>quinas
cuyas direcciones IP terminen en .2.3, .2.4, o .2.5 . Si usted es root podr<64>a
a<EFBFBD>adir tambi<62>n -sS. Tambi<62>n encontrar<61> m<>quinas mucho m<>s interesantes
si empieza en 127. as<61> que es posible que desee usar '127-222' en vez de el
primer asterisco dado que esa secci<63>n tiene una densidad mucho mayor de
m<EFBFBD>quinas interesantes (IMHO).
.Sp
.B host -l compa<EFBFBD><EFBFBD>a.com | cut '-d ' -f 4 | ./nmap -v -i -
.Sp
Hace una transferencia de DNS de zona para descubrir los servidores en
compa<EFBFBD><EFBFBD>a.com y luego pasar las direcciones IP a
.I nmap.
Los comandos arriba indicados son para mi sistema Linux. Es posible que se
necesiten comandos/opciones diferentes para otros sistemas operativos.
.SH BUGS
<EFBFBD>Bugs? <20>Qu<51> bugs? Por favor, env<6E>eme cualquier bug que descubra. Los parches
tampoco estar<61>an mal :) Recuerde enviar tambi<62>n nuevas huellas de sistemas
operativos para que podamos ampliar nuestra base de datos.
.SH AUTOR
.Sp
Fyodor
.I <fyodor@insecure.org>Tipos de Escaneo
.SH DISTRIBUCI<EFBFBD>N
La <20>ltima versi<73>n de
.I nmap
se puede obtener en
.I http://www.insecure.org/nmap
.Sp
.I nmap
es (C) 1997,1998 de Fyodor (fyodor@insecure.org, fyodor@insecure.org)
.Sp
Este programa es software libre; puede redistribuirse y/o modificarse bajo los
t<EFBFBD>rminos de la Licencia P<>blica General GNU tal y como la publica la Fundaci<63>n
de Software Libre; Versi<73>n 2.
.Sp
Este programa se distribuye con la esperanza de que pueda resultar de
utilidad, pero SIN NING<4E>N TIPO DE GARANT<4E>A; sin tan siquiera la garant<6E>a e ser
apto para su COMECIALIZACI<43>N o ADECUADO PARA UN PROP<4F>SITO EN PARTICULAR. V<>ase
la Licencia P<>blica General GNU para m<>s detalles (est<73> en el archivo COPYING
de la distribuci<63>n de
.I nmap
).

81
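--- a/docs/nmapfe.1
+++ b/docs/nmapfe.1
@@ -0,0 +1,81 @@
+.\" This definition swiped from the gcc(1) man page
+.de Sp
+.if n .sp
+.if t .sp 0.4
+..
+.TH NMAPFE 1
+.SH NAME
+nmapfe (xnmap) \- GTK+ graphical frontend to the Nmap Security Scanner
+.SH SYNOPSIS
+.B nmapfe
+[ any Glib options such as --display ]
+.SH DESCRIPTION
+.I Nmapfe
+(also known as xnmap) is a convenient X Window front end for the Nmap
+Security Scanner. Most of the options correspond directly to Nmap
+options, which are described in detail in the Nmap man page. We
+recommend you read that first. There is also limited help available
+via the NmapFE "Help" menu.
+.SH AUTHOR
+.Sp
+NmapFE was originally written by Zach Smith
+.I <key@aye.net>
+.Sp
+It is now maintained by Fyodor
+.I <fyodor@insecure.org>
+.Sp
+Feel free to write me ( fyodor@insecure.org ) with
+questions or bug reports.
+.SH DISTRIBUTION
+The newest version of
+.I nmapfe
+can be obtained from
+.I http://www.insecure.org/nmap/
+.Sp
+.I nmapfe
+is (C) 1999, 2000 by Fyodor (fyodor@insecure.org)
+.Sp
+This program is free software; you can redistribute it
+and/or modify it under the terms of the GNU General Public
+License as published by the Free Software Foundation;
+Version 2. This guarantees your right to use, modify, and
+redistribute Nmap under certain conditions. If this license
+is unacceptable to you, Insecure.Org may be willing to sell
+alternative licenses (contact fyodor@insecure.org ).
+.Sp
+Source is provided to this software because we believe users
+have a right to know exactly what a program is going to do
+before they run it. This also allows you to audit the
+software for security holes (none have been found so far).
+.Sp
+Source code also allows you to port nmapfe to new platforms,
+fix bugs, and add new features. You are highly encouraged
+to send your changes to Fyodor for possible incorporation
+into the main Nmap distribution. By sending these changes
+to Fyodor or nmap-hackers, it is assumed that you are
+offering Fyodor the unlimited, non-exclusive right to reuse,
+modify, and relicense the code. If you wish to specify
+special license conditions of your contributions, please
+state them up front.
+.Sp
+This program is distributed in the hope that it will be useful, but
+.B WITHOUT ANY WARRANTY;
+without even the implied warranty of
+.B MERCHANTABILITY
+or
+.B FITNESS FOR A PARTICULAR PURPOSE.
+See the GNU
+General Public License for more details (it is in the COPYING file of
+the
+.I nmap
+distribution).
+.Sp
+It should also be noted that Nmap has been known to crash
+certain poorly written applications, TCP/IP stacks, and even
+operating systems.
+.B Nmap should never be run against mission critical systems
+unless you are prepared to suffer downtime. We acknowledge
+here that Nmap may crash your systems or networks and we
+disclaim all liability for any damage or problems Nmap could
+cause.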

1
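--- a/docs/xnmap.1
+++ b/docs/xnmap.1
@@ -0,0 +1 @@
+.so man1/nmapfe.1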

233
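--- a/global_structures.h
+++ b/global_structures.h
@@ -0,0 +1,233 @@
+/***************************************************************************
+* global_structures.h -- Common structure definitions used by Nmap *
+* components. *
+* *
+***********************IMPORTANT NMAP LICENSE TERMS************************
+* *
+* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
+* is also a registered trademark of Insecure.Com LLC. This program is *
+* free software; you may redistribute and/or modify it under the *
+* terms of the GNU General Public License as published by the Free *
+* Software Foundation; Version 2. This guarantees your right to use, *
+* modify, and redistribute this software under certain conditions. If *
+* you wish to embed Nmap technology into proprietary software, we may be *
+* willing to sell alternative licenses (contact sales@insecure.com). *
+* Many security scanner vendors already license Nmap technology such as *
+* our remote OS fingerprinting database and code, service/version *
+* detection system, and port scanning code. *
+* *
+* Note that the GPL places important restrictions on "derived works", yet *
+* it does not provide a detailed definition of that term. To avoid *
+* misunderstandings, we consider an application to constitute a *
+* "derivative work" for the purpose of this license if it does any of the *
+* following: *
+* o Integrates source code from Nmap *
+* o Reads or includes Nmap copyrighted data files, such as *
+* nmap-os-fingerprints or nmap-service-probes. *
+* o Executes Nmap and parses the results (as opposed to typical shell or *
+* execution-menu apps, which simply display raw Nmap output and so are *
+* not derivative works.) *
+* o Integrates/includes/aggregates Nmap into a proprietary executable *
+* installer, such as those produced by InstallShield. *
+* o Links to a library or executes a program that does any of the above *
+* *
+* The term "Nmap" should be taken to also include any portions or derived *
+* works of Nmap. This list is not exclusive, but is just meant to *
+* clarify our interpretation of derived works with some common examples. *
+* These restrictions only apply when you actually redistribute Nmap. For *
+* example, nothing stops you from writing and selling a proprietary *
+* front-end to Nmap. Just distribute it by itself, and point people to *
+* http://www.insecure.org/nmap/ to download Nmap. *
+* *
+* We don't consider these to be added restrictions on top of the GPL, but *
+* just a clarification of how we interpret "derived works" as it applies *
+* to our GPL-licensed Nmap product. This is similar to the way Linus *
+* Torvalds has announced his interpretation of how "derived works" *
+* applies to Linux kernel modules. Our interpretation refers only to *
+* Nmap - we don't speak for any other GPL products. *
+* *
+* If you have any questions about the GPL licensing restrictions on using *
+* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
+* we also offer alternative license to integrate Nmap into proprietary *
+* applications and appliances. These contracts have been sold to many *
+* security vendors, and generally include a perpetual license as well as *
+* providing for priority support and updates as well as helping to fund *
+* the continued development of Nmap technology. Please email *
+* sales@insecure.com for further information. *
+* *
+* As a special exception to the GPL terms, Insecure.Com LLC grants *
+* permission to link the code of this program with any version of the *
+* OpenSSL library which is distributed under a license identical to that *
+* listed in the included Copying.OpenSSL file, and distribute linked *
+* combinations including the two. You must obey the GNU GPL in all *
+* respects for all of the code used other than OpenSSL. If you modify *
+* this file, you may extend this exception to your version of the file, *
+* but you are not obligated to do so. *
+* *
+* If you received these files with a written license agreement or *
+* contract stating terms other than the terms above, then that *
+* alternative license agreement takes precedence over these comments. *
+* *
+* Source is provided to this software because we believe users have a *
+* right to know exactly what a program is going to do before they run it. *
+* This also allows you to audit the software for security holes (none *
+* have been found so far). *
+* *
+* Source code also allows you to port Nmap to new platforms, fix bugs, *
+* and add new features. You are highly encouraged to send your changes *
+* to fyodor@insecure.org for possible incorporation into the main *
+* distribution. By sending these changes to Fyodor or one the *
+* Insecure.Org development mailing lists, it is assumed that you are *
+* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
+* to reuse, modify, and relicense the code. Nmap will always be *
+* available Open Source, but this is important because the inability to *
+* relicense code has caused devastating problems for other Free Software *
+* projects (such as KDE and NASM). We also occasionally relicense the *
+* code to third parties as discussed above. If you wish to specify *
+* special license conditions of your contributions, just say so when you *
+* send them. *
+* *
+* This program is distributed in the hope that it will be useful, but *
+* WITHOUT ANY WARRANTY; without even the implied warranty of *
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+* General Public License for more details at *
+* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
+* with Nmap. *
+* *
+***************************************************************************/
+/* $Id$ */
+#ifndef GLOBAL_STRUCTURES_H
+#define GLOBAL_STRUCTURES_H
+class TargetGroup;
+class Target;
+/* Stores "port info" which is TCP/UDP ports or RPC program ids */
+struct portinfo {
+unsigned long portno; /* TCP/UDP port or RPC program id or IP protocool */
+short trynum;
+int sd[3]; /* Socket descriptors for connect_scan */
+struct timeval sent[3];
+int state;
+int next; /* not struct portinfo * for historical reasons */
+int prev;
+};
+struct portinfolist {
+struct portinfo *openlist;
+struct portinfo *firewalled;
+struct portinfo *testinglist;
+};
+struct udpprobeinfo {
+u16 iptl;
+u16 ipid;
+u16 ipck;
+u16 sport;
+u16 dport;
+u16 udpck;
+u16 udplen;
+u8 patternbyte;
+struct in_addr target;
+};
+struct connectsockinfo {
+fd_set fds_read;
+fd_set fds_write;
+fd_set fds_except;
+struct portinfo *socklookup[2048]; /* index socket descriptor -> scan[]
+index. No OS better give us
+an SD > 2047!@#$ */
+int maxsd;
+};
+/* The runtime statistics used to decide how fast to proced and how
+many ports we can try at once */
+struct scanstats {
+int packet_incr;
+int initial_packet_width; /* Number of queries in parallel we should
+start with */
+double fallback_percent;
+int numqueries_outstanding; /* How many unexpired queries are on the 'net
+right now? */
+double numqueries_ideal; /* How many do we WANT to be on the 'net right now? */
+int max_width; /* What is the MOST we will tolerate at once. Can be
+modified via --max_parallelism */
+int min_width; /* We must always allow at least this many at once. Can
+be modified via --min_parallelism*/
+int ports_left;
+int changed; /* Has anything changed since last round? */
+int alreadydecreasedqueries;
+};
+struct ftpinfo {
+char user[64];
+char pass[256]; /* methinks you're paranoid if you need this much space */
+char server_name[MAXHOSTNAMELEN + 1];
+struct in_addr server;
+u16 port;
+int sd; /* socket descriptor */
+};
+struct AVal {
+char *attribute;
+char value[128];
+struct AVal *next;
+};
+struct OS_Classification {
+char *OS_Vendor;
+char *OS_Family;
+char *OS_Generation; /* Can be NULL if unclassified */
+char *Device_Type;
+};
+#define MAX_OS_CLASSIFICATIONS_PER_FP 8
+typedef struct FingerTest {
+char *OS_name;
+struct OS_Classification OS_class[MAX_OS_CLASSIFICATIONS_PER_FP];
+int num_OS_Classifications;
+int line; /* For reference prints, the line # in nmap-os-fingerprints */
+const char *name;
+struct AVal *results;
+struct FingerTest *next;
+} FingerPrint;
+struct timeout_info {
+int srtt; /* Smoothed rtt estimate (microseconds) */
+int rttvar; /* Rout trip time variance */
+int timeout; /* Current timeout threshold (microseconds) */
+};
+struct seq_info {
+int responses;
+int seqclass; /* SEQ_* defines in nmap.h */
+int ts_seqclass; /* TS_SEQ_* defines in nmap.h */
+time_t uptime; /* time of latest system boot (or 0 if unknown ) */
+int ipid_seqclass; /* IPID_SEQ_* defines in nmap.h */
+u32 seqs[NUM_SEQ_SAMPLES];
+u32 timestamps[NUM_SEQ_SAMPLES];
+int index;
+u16 ipids[NUM_SEQ_SAMPLES];
+time_t lastboot; /* 0 means unknown */
+};
+/* The various kinds of port/protocol scans we can have
+* Each element is to point to an array of port/protocol numbers
+*/
+struct scan_lists {
+unsigned short *tcp_ports;
+int tcp_count;
+unsigned short *udp_ports;
+int udp_count;
+unsigned short *prots;
+int prot_count;
+};
+typedef enum { ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, RPC_SCAN, MAIMON_SCAN, IPPROT_SCAN } stype;
+#endif /*GLOBAL_STRUCTURES_H */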
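Review bot: `socklookup[2048]` in `struct connectsockinfo` is indexed by socket descriptor, and its own comment concedes that nothing enforces the bound, so a descriptor above 2047 would go past the end of the array wherever the table is filled in or read (that code is not in this file). The three `fd_set` members carry a similar limit through FD_SETSIZE. I would give the size a name, for example `#define MAX_SOCKLOOKUP_SD 2048` (name is a suggestion) with `struct portinfo *socklookup[MAX_SOCKLOOKUP_SD];`, and replace the joke with a comment saying that callers must reject any descriptor `>= MAX_SOCKLOOKUP_SD` or `>= FD_SETSIZE` before indexing or calling FD_SET. Processes with a raised descriptor limit can be handed such values, so the check belongs in code, not in a hope about the OS.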

1004
idle_scan.cc Normal file

File diff suppressed because it is too large Load Diff

120
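--- a/idle_scan.h
+++ b/idle_scan.h
@@ -0,0 +1,120 @@
+/***************************************************************************
+* idle_scan.h -- Includes the function specific to "Idle Scan" support *
+* (-sI). This is an extraordinarily cool scan type that can allow for *
+* completely blind scanning (eg no packets sent to the target from your *
+* own IP address) and can also be used to penetrate firewalls and scope *
+* out router ACLs. This is one of the "advanced" scans meant for *
+* epxerienced Nmap users. *
+* *
+***********************IMPORTANT NMAP LICENSE TERMS************************
+* *
+* The Nmap Security Scanner is (C) 1996-2004 Insecure.Com LLC. Nmap *
+* is also a registered trademark of Insecure.Com LLC. This program is *
+* free software; you may redistribute and/or modify it under the *
+* terms of the GNU General Public License as published by the Free *
+* Software Foundation; Version 2. This guarantees your right to use, *
+* modify, and redistribute this software under certain conditions. If *
+* you wish to embed Nmap technology into proprietary software, we may be *
+* willing to sell alternative licenses (contact sales@insecure.com). *
+* Many security scanner vendors already license Nmap technology such as *
+* our remote OS fingerprinting database and code, service/version *
+* detection system, and port scanning code. *
+* *
+* Note that the GPL places important restrictions on "derived works", yet *
+* it does not provide a detailed definition of that term. To avoid *
+* misunderstandings, we consider an application to constitute a *
+* "derivative work" for the purpose of this license if it does any of the *
+* following: *
+* o Integrates source code from Nmap *
+* o Reads or includes Nmap copyrighted data files, such as *
+* nmap-os-fingerprints or nmap-service-probes. *
+* o Executes Nmap and parses the results (as opposed to typical shell or *
+* execution-menu apps, which simply display raw Nmap output and so are *
+* not derivative works.) *
+* o Integrates/includes/aggregates Nmap into a proprietary executable *
+* installer, such as those produced by InstallShield. *
+* o Links to a library or executes a program that does any of the above *
+* *
+* The term "Nmap" should be taken to also include any portions or derived *
+* works of Nmap. This list is not exclusive, but is just meant to *
+* clarify our interpretation of derived works with some common examples. *
+* These restrictions only apply when you actually redistribute Nmap. For *
+* example, nothing stops you from writing and selling a proprietary *
+* front-end to Nmap. Just distribute it by itself, and point people to *
+* http://www.insecure.org/nmap/ to download Nmap. *
+* *
+* We don't consider these to be added restrictions on top of the GPL, but *
+* just a clarification of how we interpret "derived works" as it applies *
+* to our GPL-licensed Nmap product. This is similar to the way Linus *
+* Torvalds has announced his interpretation of how "derived works" *
+* applies to Linux kernel modules. Our interpretation refers only to *
+* Nmap - we don't speak for any other GPL products. *
+* *
+* If you have any questions about the GPL licensing restrictions on using *
+* Nmap in non-GPL works, we would be happy to help. As mentioned above, *
+* we also offer alternative license to integrate Nmap into proprietary *
+* applications and appliances. These contracts have been sold to many *
+* security vendors, and generally include a perpetual license as well as *
+* providing for priority support and updates as well as helping to fund *
+* the continued development of Nmap technology. Please email *
+* sales@insecure.com for further information. *
+* *
+* As a special exception to the GPL terms, Insecure.Com LLC grants *
+* permission to link the code of this program with any version of the *
+* OpenSSL library which is distributed under a license identical to that *
+* listed in the included Copying.OpenSSL file, and distribute linked *
+* combinations including the two. You must obey the GNU GPL in all *
+* respects for all of the code used other than OpenSSL. If you modify *
+* this file, you may extend this exception to your version of the file, *
+* but you are not obligated to do so. *
+* *
+* If you received these files with a written license agreement or *
+* contract stating terms other than the terms above, then that *
+* alternative license agreement takes precedence over these comments. *
+* *
+* Source is provided to this software because we believe users have a *
+* right to know exactly what a program is going to do before they run it. *
+* This also allows you to audit the software for security holes (none *
+* have been found so far). *
+* *
+* Source code also allows you to port Nmap to new platforms, fix bugs, *
+* and add new features. You are highly encouraged to send your changes *
+* to fyodor@insecure.org for possible incorporation into the main *
+* distribution. By sending these changes to Fyodor or one the *
+* Insecure.Org development mailing lists, it is assumed that you are *
+* offering Fyodor and Insecure.Com LLC the unlimited, non-exclusive right *
+* to reuse, modify, and relicense the code. Nmap will always be *
+* available Open Source, but this is important because the inability to *
+* relicense code has caused devastating problems for other Free Software *
+* projects (such as KDE and NASM). We also occasionally relicense the *
+* code to third parties as discussed above. If you wish to specify *
+* special license conditions of your contributions, just say so when you *
+* send them. *
+* *
+* This program is distributed in the hope that it will be useful, but *
+* WITHOUT ANY WARRANTY; without even the implied warranty of *
+* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU *
+* General Public License for more details at *
+* http://www.gnu.org/copyleft/gpl.html , or in the COPYING file included *
+* with Nmap. *
+* *
+***************************************************************************/
+/* $Id$ */
+#ifndef IDLE_SCAN_H
+#define IDLE_SCAN_H
+#include "portlist.h"
+#include "tcpip.h"
+#include "global_structures.h"
+#include <nbase.h>
+/* Handles the scan types where no positive-acknowledgement of open
+port is received (those scans are in pos_scan). Super_scan
+includes scans such as FIN/XMAS/NULL/Maimon/UDP and IP Proto scans */
+void idle_scan(Target *target, u16 *portarray, int numports,
+char *proxy);
+#endif /* IDLE_SCAN_H */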
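Review bot: The comment above the `idle_scan()` prototype describes `super_scan` and `pos_scan`, not this function, so it looks copied from another header and will mislead anyone reading the API. I would replace it with something like `/* Runs an Idle Scan (-sI) against target over the numports entries of portarray; proxy names the intermediate host (confirm the accepted format in idle_scan.cc). */`. Since the file header says this scan sends no packets to the target from the user's own address, the comment should also state what input `proxy` accepts and whether the function modifies that string. If it does not, `const char *proxy` would make that explicit. The implementation in idle_scan.cc is suppressed on this page, so these points are unverified.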

250
install-sh Executable file

@@ -0,0 +1,250 @@
#! /bin/sh
#
# install - install a program, script, or datafile
# This comes from X11R5 (mit/util/scripts/install.sh).
#
# Copyright 1991 by the Massachusetts Institute of Technology
#
# Permission to use, copy, modify, distribute, and sell this software and its
# documentation for any purpose is hereby granted without fee, provided that
# the above copyright notice appear in all copies and that both that
# copyright notice and this permission notice appear in supporting
# documentation, and that the name of M.I.T. not be used in advertising or
# publicity pertaining to distribution of the software without specific,
# written prior permission. M.I.T. makes no representations about the
# suitability of this software for any purpose. It is provided "as is"
# without express or implied warranty.
#
# Calling this script install-sh is preferred over install.sh, to prevent
# `make' implicit rules from creating a file called install from it
# when there is no Makefile.
#
# This script is compatible with the BSD install script, but was written
# from scratch. It can only install one file at a time, a restriction
# shared with many OS's install programs.
# set DOITPROG to echo to test this script
# Don't use :- since 4.3BSD and earlier shells don't like it.
doit="${DOITPROG-}"
# put in absolute paths if you don't have them in your path; or use env. vars.
mvprog="${MVPROG-mv}"
cpprog="${CPPROG-cp}"
chmodprog="${CHMODPROG-chmod}"
chownprog="${CHOWNPROG-chown}"
chgrpprog="${CHGRPPROG-chgrp}"
stripprog="${STRIPPROG-strip}"
rmprog="${RMPROG-rm}"
mkdirprog="${MKDIRPROG-mkdir}"
transformbasename=""
transform_arg=""
instcmd="$mvprog"
chmodcmd="$chmodprog 0755"
chowncmd=""
chgrpcmd=""
stripcmd=""
rmcmd="$rmprog -f"
mvcmd="$mvprog"
src=""
dst=""
dir_arg=""
while [ x"$1" != x ]; do
case $1 in
-c) instcmd="$cpprog"
shift
continue;;
-d) dir_arg=true
shift
continue;;
-m) chmodcmd="$chmodprog $2"
shift
shift
continue;;
-o) chowncmd="$chownprog $2"
shift
shift
continue;;
-g) chgrpcmd="$chgrpprog $2"
shift
shift
continue;;
-s) stripcmd="$stripprog"
shift
continue;;
-t=*) transformarg=`echo $1 | sed 's/-t=//'`
shift
continue;;
-b=*) transformbasename=`echo $1 | sed 's/-b=//'`
shift
continue;;
*) if [ x"$src" = x ]
then
src=$1
else
# this colon is to work around a 386BSD /bin/sh bug
:
dst=$1
fi
shift
continue;;
esac
done
if [ x"$src" = x ]
then
echo "install: no input file specified"
exit 1
else
true
fi
if [ x"$dir_arg" != x ]; then
dst=$src
src=""
if [ -d $dst ]; then
instcmd=:
else
instcmd=mkdir
fi
else
# Waiting for this to be detected by the "$instcmd $src $dsttmp" command
# might cause directories to be created, which would be especially bad
# if $src (and thus $dsttmp) contains '*'.
if [ -f $src -o -d $src ]
then
true
else
echo "install: $src does not exist"
exit 1
fi
if [ x"$dst" = x ]
then
echo "install: no destination specified"
exit 1
else
true
fi
# If destination is a directory, append the input filename; if your system
# does not like double slashes in filenames, you may need to add some logic
if [ -d $dst ]
then
dst="$dst"/`basename $src`
else
true
fi
fi
## this sed command emulates the dirname command
dstdir=`echo $dst | sed -e 's,[^/]*$,,;s,/$,,;s,^$,.,'`
# Make sure that the destination directory exists.
# this part is taken from Noah Friedman's mkinstalldirs script
# Skip lots of stat calls in the usual case.
if [ ! -d "$dstdir" ]; then
defaultIFS='
'
IFS="${IFS-${defaultIFS}}"
oIFS="${IFS}"
# Some sh's can't handle IFS=/ for some reason.
IFS='%'
set - `echo ${dstdir} | sed -e 's@/@%@g' -e 's@^%@/@'`
IFS="${oIFS}"
pathcomp=''
while [ $# -ne 0 ] ; do
pathcomp="${pathcomp}${1}"
shift
if [ ! -d "${pathcomp}" ] ;
then
$mkdirprog "${pathcomp}"
else
true
fi
pathcomp="${pathcomp}/"
done
fi
if [ x"$dir_arg" != x ]
then
$doit $instcmd $dst &&
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dst; else true ; fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dst; else true ; fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dst; else true ; fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dst; else true ; fi
else
# If we're going to rename the final executable, determine the name now.
if [ x"$transformarg" = x ]
then
dstfile=`basename $dst`
else
dstfile=`basename $dst $transformbasename |
sed $transformarg`$transformbasename
fi
# don't allow the sed command to completely eliminate the filename
if [ x"$dstfile" = x ]
then
dstfile=`basename $dst`
else
true
fi
# Make a temp file name in the proper directory.
dsttmp=$dstdir/#inst.$$#
# Move or copy the file name to the temp name
$doit $instcmd $src $dsttmp &&
trap "rm -f ${dsttmp}" 0 &&
# and set any options; do chmod last to preserve setuid bits
# If any of these fail, we abort the whole thing. If we want to
# ignore errors from any of these, just make sure not to ignore
# errors from the above "$doit $instcmd $src $dsttmp" command.
if [ x"$chowncmd" != x ]; then $doit $chowncmd $dsttmp; else true;fi &&
if [ x"$chgrpcmd" != x ]; then $doit $chgrpcmd $dsttmp; else true;fi &&
if [ x"$stripcmd" != x ]; then $doit $stripcmd $dsttmp; else true;fi &&
if [ x"$chmodcmd" != x ]; then $doit $chmodcmd $dsttmp; else true;fi &&
# Now rename the file to the real destination.
$doit $rmcmd -f $dstdir/$dstfile &&
$doit $mvcmd $dsttmp $dstdir/$dstfile
fi &&
exit 0
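Review bot: The `-t=*)` case assigns `transformarg`, but the initialisation block clears `transform_arg` (with an underscore), so `transformarg` is never reset before the later `if [ x"$transformarg" = x ]` test and the `sed $transformarg` call. If that name is already set in the environment of whoever runs the install step, often root for `make install`, its value is handed to `sed` and can change the installed file name. Initialising the name that is actually used, `transformarg=""`, closes this. Quoting `$src`, `$dst` and `$dsttmp` in the tests and in the copy and move commands would also stop paths with spaces or glob characters from being split. The header says the file is imported from X11R5, so refreshing the copy from upstream may be the cleaner way to pick up both changes.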


@@ -0,0 +1,10 @@
config.log
config.cache
config.status
config.h
.devel
Makefile
scanner.c
grammar.c
tokdefs.h
version.c


@@ -0,0 +1,386 @@
@(#) $Header$ (LBL)
Tue. March 30, 2004. mcr@sandelman.ottawa.on.ca. Summary for 3.8.3 release
Fixed minor problem in gencode.c that would appear on 64-bit
platforms.
Version number is now sane.
Mon. March 29, 2004. mcr@sandelman.ottawa.on.ca. Summary for 3.8.2 release
updates for autoconf 2.5
fixes for ppp interfaces for freebsd 4.1
pcap gencode can generate code for 802.11, IEEE1394, and pflog.
Wed. November 12, 2003. mcr@sandelman.ottawa.on.ca. Summary for 0.8 release
added pcap_findalldevs()
Win32 patches from NetGroup, Politecnico di Torino (Italy)
OpenBSD pf, DLT_PFLOG added
Many changes to ATM support.
lookup pcap_lookupnet()
Added DLT_ARCNET_LINUX, DLT_ENC, DLT_IEEE802_11_RADIO, DLT_SUNATM,
DLT_IP_OVER_FC, DLT_FRELAY, others.
Sigh. More AIX wonderfulness.
Document updates.
Changes to API: pcap_next_ex(), pcap_breakloop(), pcap_dump_flush(),
pcap_list_datalinks(), pcap_set_datalink(),
pcap_lib_version(), pcap_datalink_val_to_name(),
pcap_datalink_name_to_val(), new error returns.
Tuesday, February 25, 2003. fenner@research.att.com. 0.7.2 release
Support link types that use 802.2 always, never, and sometimes.
Don't decrease the size of the BPF buffer from the default.
Support frame relay.
Handle 32-bit timestamps in DLPI, and pass the right buffer size.
Handle Linux systems with modern kernel but without
SOL_PACKET in the userland headers.
Linux support for ARPHRD_RAWHDLC.
Handle 32-bit timestamps in snoop.
Support eg (Octane/O2xxx/O3xxx Gigabit) devices.
Add new reserved DLT types.
Monday October 23, 2001. mcr@sandelman.ottawa.on.ca. Summary for 0.7 release
Added pcap_findalldevs() call to get list of interfaces in a MI way.
pcap_stats() has been documented as to what its counters mean on
each platform.
Tuesday January 9, 2001. guy@alum.mit.edu. Summary for 0.6 release
New Linux libpcap implementation, which, in 2.2 and later
kernels, uses PF_PACKET sockets and supports kernel packet
filtering (if compiled into the kernel), and supports the "any"
device for capturing on all interfaces. Cleans up promiscuous
mode better on pre-2.2 kernels, and has various other fixes
(handles 2.4 ARPHRD_IEEE802_TR, handles ISDN devices better,
doesn't show duplicate packets on loopback interface, etc.).
Fixed HP-UX libpcap implementation to correctly get the PPA for
an interface, to allow interfaces to be opened by interface name.
libpcap savefiles have system-independent link-layer type values
in the header, rather than sometimes platform-dependent DLT_
values, to make it easier to exchange capture files between
different OSes.
Non-standard capture files produced by some Linux tcpdumps, e.g.
the one from Red Hat Linux 6.2 and later, can now be read.
Updated autoconf stock files.
Filter expressions can filter on VLAN IDs and various OSI
protocols, and work on Token Ring (with non-source-routed
packets).
"pcap_open_dead()" added to allow compiling filter expressions
to pcap code without opening a capture device or capture file.
Header files fixed to allow use in C++ programs.
Removed dependancy on native headers for packet layout.
Removed Linux specific headers that were shipped.
Security fixes: Strcpy replaced with strlcpy, sprintf replaced
with snprintf.
Fixed bug that could cause subsequent "pcap_compile()"s to fail
erroneously after one compile failed.
Assorted other bug fixes.
README.aix and README.linux files added to describe
platform-specific issues.
"getifaddrs()" rather than SIOCGIFCONF used, if available.
v0.5 Sat Jun 10 11:09:15 PDT 2000
itojun@iijlab.net
- Brought in KAME IPv6/IPsec bpf compiler.
- Fixes for NetBSD.
- Support added for OpenBSD DLT_LOOP and BSD/OS DLT_C_HDLC (Cisco HDLC),
and changes to work around different BSDs having different DLT_ types
with the same numeric value.
Assar Westerlund <assar@sics.se>
- Building outside the source code tree fixed.
- Changed to write out time stamps with 32-bit seconds and microseconds
fields, regardless of whether those fields are 32 bits or 64 bits in
the OS's native "struct timeval".
- Changed "pcap_lookupdev()" to dynamically grow the buffer into which
the list of interfaces is read as necessary in order to hold the
entire list.
Greg Troxel <gdt@ir.bbn.com>
- Added a new "pcap_compile_nopcap()", which lets you compile a filter
expression into a BPF program without having an open live capture or
capture file.
v0.4 Sat Jul 25 12:40:09 PDT 1998
- Fix endian problem with DLT_NULL devices. From FreeBSD via Bill
Fenner (fenner@parc.xerox.com)
- Fix alignment problem with FDDI under DLPI. This was causing core
dumps under Solaris.
- Added configure options to disable flex and bison. Resulted from a
bug report by barnett@grymoire.crd.ge.com (Bruce Barnett). Also added
options to disable gcc and to force a particular packet capture type.
- Added support for Fore ATM interfaces (qaa and fa) under IRIX. Thanks
to John Hawkinson (jhawk@mit.edu)
- Change Linux PPP and SLIP to use DLT_RAW since the kernel does not
supply any "link layer" data.
- Change Linux to use SIOCGIFHWADDR ioctl to determine link layer type.
Thanks to Thomas Sailer (sailer@ife.ee.ethz.ch)
- Change IRIX PPP to use DLT_RAW since the kernel does not supply any
"link layer" data.
- Modified to support the new BSD/OS 2.1 PPP and SLIP link layer header
formats.
- Added some new SGI snoop interface types. Thanks to Steve Alexander
(sca@refugee.engr.sgi.com)
- Fixes for HP-UX 10.20 (which is similar to HP-UX 9). Thanks to
Richard Allen (ra@hp.is) and Steinar Haug (sthaug@nethelp.no)
- Fddi supports broadcast as reported by Jeff Macdonald
(jeff@iacnet.com). Also correct ieee802 and arcnet.
- Determine Linux pcap buffer size at run time or else it might not be
big enough for some interface types (e.g. FDDI). Thanks to Jes
Sorensen (Jes.Sorensen@cern.ch)
- Fix some linux alignment problems.
- Document promisc argument to pcap_open_live(). Reported by Ian Marsh
(ianm@sics.se)
- Support Metricom radio packets under Linux. Thanks to Kevin Lai
(laik@gunpowder.stanford.edu)
- Bind to interface name under Linux to avoid packets from multiple
interfaces on multi-homed hosts. Thanks to Kevin Lai
(laik@gunpowder.stanford.edu)
- Change L_SET to SEEK_SET for HP-UX. Thanks to Roland Roberts
(rroberts@muller.com)
- Fixed an uninitialized memory reference found by Kent Vander Velden
(graphix@iastate.edu)
- Fixed lex pattern for IDs to allow leading digits. As reported by
Theo de Raadt (deraadt@cvs.openbsd.org)
- Fixed Linux include file problems when using GNU libc.
- Ifdef ARPHRD_FDDI since not all versions of the Linux kernel have it.
Reported reported by Eric Jacksch (jacksch@tenebris.ca)
- Fixed bug in pcap_dispatch() that kept it from returning on packet
timeouts.
- Changed ISLOOPBACK() macro when IFF_LOOPBACK isn't available to check
for "lo" followed by an eos or digit (newer versions of Linux
apparently call the loopback "lo" instead of "lo0").
- Fixed Linux networking include files to use ints instead of longs to
avoid problems with 64 bit longs on the alpha. Thanks to Cristian
Gafton (gafton@redhat.com)
v0.3 Sat Nov 30 20:56:27 PST 1996
- Added Linux support.
- Fixed savefile bugs.
- Solaris x86 fix from Tim Rylance (t.rylance@elsevier.nl)
- Add support for bpf kernel port filters.
- Remove duplicate atalk protocol table entry. Thanks to Christian
Hopps (chopps@water.emich.edu)
- Fixed pcap_lookupdev() to ignore nonexistent devices. This was
reported to happen under BSD/OS by David Vincenzetti
(vince@cryptonet.it)
- Avoid solaris compiler warnings. Thanks to Bruce Barnett
(barnett@grymoire.crd.ge.com)
v0.2.1 Sun Jul 14 03:02:26 PDT 1996
- Fixes for HP-UX 10. Thanks in part to to Thomas Wolfram
(wolf@prz.tu-berlin.de) and Rick Jones (raj@hpisrdq.cup.hp.com)
- Added support for SINIX. Thanks to Andrej Borsenkow
(borsenkow.msk@sni.de)
- Fixes for AIX (although this system is not yet supported). Thanks to
John Hawkinson (jhawk@mit.edu)
- Use autoconf's idea of the top level directory in install targets.
Thanks to John Hawkinson.
- Add missing autoconf packet capture result message. Thanks to Bill
Fenner (fenner@parc.xerox.com)
- Fixed padding problems in the pf module.
- Fixed some more alignment problems on the alpha.
- Added explicit netmask support. Thanks to Steve Nuchia
(steve@research.oknet.com)
- Fixed to handle raw ip addresses such as 0.0.0.1 without "left
justifing"
- Add "sca" keyword (for DEC cluster services) as suggested by Terry
Kennedy (terry@spcvxa.spc.edu)
- Add "atalk" keyword as suggested by John Hawkinson.
- Add "igrp" keyword.
- Fixed HID definition in grammar.y to be a string, not a value.
- Use $CC when checking gcc version. Thanks to Carl Lindberg
(carl_lindberg@blacksmith.com)
- Removed obsolete reference to pcap_immediate() from the man page.
Michael Stolarchuk (mts@terminator.rs.itd.umich.edu)
- DLT_NULL has a 4 byte family header. Thanks to Jeffrey Honig
(jch@bsdi.com)
v0.2 Sun Jun 23 02:28:42 PDT 1996
- Add support for HP-UX. Resulted from code contributed by Tom Murray
(tmurray@hpindck.cup.hp.com) and Philippe-Andri Prindeville
(philipp@res.enst.fr)
- Update INSTALL with a reminder to install include files. Thanks to
Mark Andrews (mandrews@aw.sgi.com)
- Fix bpf compiler alignment bug on the alpha.
- Use autoconf to detect architectures that can't handle misaligned
accesses.
- Added loopback support for snoop. Resulted from report Steve
Alexander (sca@engr.sgi.com)
v0.1 Fri Apr 28 18:11:03 PDT 1995
- Fixed compiler and optimizer bugs. The BPF filter engine uses unsigned
comparison operators, while the code generator and optimizer assumed
signed semantics in several places. Thanks to Charlie Slater
(cslater@imatek.com) for pointing this out.
- Removed FDDI ifdef's, they aren't really needed. Resulted from report
by Gary Veum (veum@boa.gsfc.nasa.gov).
- Add pcap-null.c which allows offline use of libpcap on systems that
don't support live package capture. This feature resulting from a
request from Jan van Oorschot (j.p.m.voorschot@et.tudelft.nl).
- Make bpf_compile() reentrant. Fix thanks to Pascal Hennequin
(Pascal.Hennequin@hugo.int-evry.fr).
- Port to GNU autoconf.
- Fix pcap-dlpi.c to work with isdn. Resulted from report by Flemming
Johansen (fsj@csd.cri.dk).
- Handle multi-digit interface unit numbers (aka ppa's) under dlpi.
Resulted from report by Daniel Ehrlich (ehrlich@cse.psu.edu).
- Fix pcap-dlpi.c to work in non-promiscuous mode. Resulted from report
by Jeff Murphy (jcmurphy@acsu.buffalo.edu).
- Add support for "long jumps". Thanks to Jeffrey Mogul
(mogul@pa.dec.com).
- Fix minor problems when compiling with BDEBUG as noticed by Scott
Bertilson (scott@unet.umn.edu).
- Declare sys_errlist "const char *const" to avoid problems under
FreeBSD. Resulted from report by jher@eden.com.
v0.0.6 Fri Apr 28 04:07:13 PDT 1995
- Add missing variable declaration missing from 0.0.6
v0.0.5 Fri Apr 28 00:22:21 PDT 1995
- Workaround for problems when pcap_read() returns 0 due to the timeout
expiring.
v0.0.4 Thu Apr 20 20:41:48 PDT 1995
- Change configuration to not use gcc v2 flags with gcc v1.
- Fixed a bug in pcap_next(); if pcap_dispatch() returns 0, pcap_next()
should also return 0. Thanks to Richard Stevens (rstevens@noao.edu).
- Fixed configure to test for snoop before dlpi to avoid problems under
IRIX 5. Thanks to J. Eric Townsend (jet@abulafia.genmagic.com).
- Hack around deficiency in Ultrix's make.
- Fix two bugs related to the Solaris pre-5.3.2 bufmod bug; handle
savefiles that have more than snapshot bytes of data in them (so we
can read old savefiles) and avoid writing such files.
- Added checkioctl which is used with gcc to check that the
"fixincludes" script has been run.
v0.0.3 Tue Oct 18 18:13:46 PDT 1994
- Fixed configure to test for snoop before dlpi to avoid problems under
IRIX 5. Thanks to J. Eric Townsend (jet@abulafia.genmagic.com).
v0.0.2 Wed Oct 12 20:56:37 PDT 1994
- Implement timeout in the dlpi pcap_open_live(). Thanks to Richard
Stevens.
- Determine pcap link type from dlpi media type. Resulted from report
by Mahesh Jethanandani (mahesh@npix.com).
v0.0.1 Fri Jun 24 14:50:57 PDT 1994
- Fixed bug in nit_setflags() in pcap-snit.c. The streams ioctl timeout
wasn't being initialized sometimes resulting in an "NIOCSFLAGS:
Invalid argument" error under OSF/1. Reported by Matt Day
(mday@artisoft.com) and Danny Mitzel (dmitzel@whitney.hitc.com).
- Turn on FDDI support by default.
v0.0 Mon Jun 20 19:20:16 PDT 1994
- Initial release.
- Fixed bug with greater/less keywords, reported by Mark Andrews
(mandrews@alias.com).
- Fix bug where '|' was defined as BPF_AND instead of BPF_OR, reported
by Elan Amir (elan@leeb.cs.berkeley.edu).
- Machines with little-endian byte ordering are supported thanks to
Jeff Mogul.
- Add hack for version 2.3 savefiles which don't have caplen and len
swapped thanks to Vern Paxson.
- Added "&&" and "||" aliases for "and" and "or" thanks to Vern Paxson.
- Added length, inbound and outbound keywords.


@@ -0,0 +1,88 @@
This file lists people who have contributed to libpcap:
The current maintainers:
Bill Fenner <fenner@research.att.com>
Fulvio Risso <risso@polito.it>
Guy Harris <guy@alum.mit.edu>
Hannes Gredler <hannes@juniper.net>
Jun-ichiro itojun Hagino <itojun@iijlab.net>
Michael Richardson <mcr@sandelman.ottawa.on.ca>
Additional people who have contributed patches:
Alan Bawden <Alan@LCS.MIT.EDU>
Alexey Kuznetsov <kuznet@ms2.inr.ac.ru>
Albert Chin <china@thewrittenword.com>
Andrew Brown <atatat@atatdot.net>
Antti Kantee <pooka@netbsd.org>
Arkadiusz Miskiewicz <misiek@pld.org.pl>
Armando L. Caro Jr. <acaro@mail.eecis.udel.edu>
Assar Westerlund <assar@sics.se>
Brian Ginsbach <ginsbach@cray.com>
Charles M. Hannum <mycroft@netbsd.org>
Chris G. Demetriou <cgd@netbsd.org>
Chris Pepper <pepper@mail.reppep.com>
Darren Reed <darrenr@reed.wattle.id.au>
David Kaelbling <drk@sgi.com>
David Young <dyoung@ojctech.com>
Don Ebright <Don.Ebright@compuware.com>
Eric Anderson <anderse@hpl.hp.com>
Franz Schaefer <schaefer@mond.at>
Gianluca Varenni <varenni@netgroup-serv.polito.it>
Gisle Vanem <giva@bgnett.no>
Graeme Hewson <ghewson@cix.compulink.co.uk>
Greg Stark <gsstark@mit.edu>
Greg Troxel <gdt@ir.bbn.com>
Guillaume Pelat <endymion_@users.sourceforge.net>
Hyung Sik Yoon <hsyn@kr.ibm.com>
Igor Khristophorov <igor@atdot.org>
Jan-Philip Velders <jpv@veldersjes.net>
Jason R. Thorpe <thorpej@netbsd.org>
Javier Achirica <achirica@ttd.net>
Jean Tourrilhes <jt@hpl.hp.com>
Jefferson Ogata <jogata@nodc.noaa.gov>
Jesper Peterson <jesper@endace.com>
John Bankier <jbankier@rainfinity.com>
Jon Lindgren <jonl@yubyub.net>
Juergen Schoenwaelder <schoenw@ibr.cs.tu-bs.de>
Kazushi Sugyo <sugyo@pb.jp.nec.com>
Klaus Klein <kleink@netbsd.org>
Koryn Grant <koryn@endace.com>
Krzysztof Halasa <khc@pm.waw.pl>
Lorenzo Cavallaro <sullivan@sikurezza.org>
Loris Degioanni <loris@netgroup-serv.polito.it>
Love H<>rnquist-<2D>strand <lha@stacken.kth.se>
Maciej W. Rozycki <macro@ds2.pg.gda.pl>
Marcus Felipe Pereira <marcus@task.com.br>
Martin Husemann <martin@netbsd.org>
Mike Wiacek <mike@iroot.net>
Monroe Williams <monroe@pobox.com>
Octavian Cerna <tavy@ylabs.com>
Olaf Kirch <okir@caldera.de>
Onno van der Linden <onno@simplex.nl>
Paul Mundt <lethal@linux-sh.org>
Pavel Kankovsky <kan@dcit.cz>
Peter Fales <peter@fales-lorenz.net>
Peter Jeremy <peter.jeremy@alcatel.com.au>
Phil Wood <cpw@lanl.gov>
Rafal Maszkowski <rzm@icm.edu.pl>
Rick Jones <raj@cup.hp.com>
Scott Barron <sb125499@ohiou.edu>
Scott Gifford <sgifford@tir.com>
Sebastian Krahmer <krahmer@cs.uni-potsdam.de>
Shaun Clowes <delius@progsoc.uts.edu.au>
Solomon Peachy <pizza@shaftnet.org>
Stefan Hudson <hudson@mbay.net>
Takashi Yamamoto <yamt@mwd.biglobe.ne.jp>
Tony Li <tli@procket.com>
Torsten Landschoff <torsten@debian.org>
Uns Lider <unslider@miranda.org>
Uwe Girlich <Uwe.Girlich@philosys.de>
Xianjie Zhang <xzhang@cup.hp.com>
Yen Yen Lim
Yoann Vandoorselaere <yoann@prelude-ids.org>
The original LBL crew:
Steve McCanne
Craig Leres
Van Jacobson


@@ -0,0 +1,104 @@
CHANGES
CREDITS
FILES
INSTALL.txt
LICENSE
Makefile.in
README
README.aix
README.dag
README.hpux
README.linux
README.tru64
README.Win32
SUNOS4/nit_if.o.sparc
SUNOS4/nit_if.o.sun3
SUNOS4/nit_if.o.sun4c.4.0.3c
TODO
VERSION
acconfig.h
aclocal.m4
arcnet.h
atmuni31.h
bpf/net/bpf_filter.c
bpf_dump.c
bpf_image.c
config.guess
config.h.in
config.sub
configure
configure.in
etherent.c
ethertype.h
fad-getad.c
fad-gifc.c
fad-glifc.c
fad-null.c
fad-win32.c
gencode.c
gencode.h
grammar.y
inet.c
install-sh
lbl/os-aix4.h
lbl/os-hpux11.h
lbl/os-osf4.h
lbl/os-osf5.h
lbl/os-solaris2.h
lbl/os-sunos4.h
lbl/os-ultrix4.h
llc.h
mkdep
nametoaddr.c
nlpid.h
optimize.c
packaging/pcap.spec
pcap-bpf.c
pcap-bpf.h
pcap-dag.c
pcap-dag.h
pcap-dlpi.c
pcap-enet.c
pcap-int.h
pcap-linux.c
pcap-namedb.h
pcap-nit.c
pcap-nit.h
pcap-null.c
pcap-pf.c
pcap-pf.h
pcap-stdinc.h
pcap-snit.c
pcap-snoop.c
pcap-win32.c
pcap.3
pcap.c
pcap.h
pf.h
ppp.h
rawss7.h
savefile.c
scanner.l
sll.h
snprintf.c
sunatmpos.h
Win32/Include/Gnuc.h
Win32/Include/addrinfo.h
Win32/Include/bittypes.h
Win32/Include/cdecl_ext.h
Win32/Include/inetprivate.h
Win32/Include/ip6_misc.h
Win32/Include/sockstorage.h
Win32/Include/arpa/nameser.h
Win32/Include/net/if.h
Win32/Include/net/netdb.h
Win32/Include/net/paths.h
Win32/Src/ffs.c
Win32/Src/getaddrinfo.c
Win32/Src/getnetbynm.c
Win32/Src/getnetent.c
Win32/Src/getopt.c
Win32/Src/getservent.c
Win32/Src/inet_aton.c
Win32/Src/inet_net.c
Win32/Src/inet_pton.c


@@ -0,0 +1,374 @@
@(#) $Header$ (LBL)
To build libpcap, run "./configure" (a shell script). The configure
script will determine your system attributes and generate an
appropriate Makefile from Makefile.in. Next run "make". If everything
goes well you can su to root and run "make install". However, you need
not install libpcap if you just want to build tcpdump; just make sure
the tcpdump and libpcap directory trees have the same parent
directory.
If configure says:
configure: warning: cannot determine packet capture interface
configure: warning: (see INSTALL for more info)
then your system either does not support packet capture or your system
does support packet capture but libpcap does not support that
particular type. (If you have HP-UX, see below.) If your system uses a
packet capture not supported by libpcap, please send us patches; don't
forget to include an autoconf fragment suitable for use in
configure.in.
It is possible to override the default packet capture type, although
the circumstance where this works are limited. For example if you have
installed bpf under SunOS 4 and wish to build a snit libpcap:
./configure --with-pcap=snit
Another example is to force a supported packet capture type in the case
where the configure scripts fails to detect it.
You will need an ANSI C compiler to build libpcap. The configure script
will abort if your compiler is not ANSI compliant. If this happens, use
the GNU C compiler, available via anonymous ftp:
ftp://ftp.gnu.org/pub/gnu/gcc/
If you use flex, you must use version 2.4.6 or higher. The configure
script automatically detects the version of flex and will not use it
unless it is new enough. You can use "flex -V" to see what version you
have (unless it's really old). The current version of flex is available
via anonymous ftp:
ftp://ftp.ee.lbl.gov/flex-*.tar.Z
As of this writing, the current version is 2.5.4.
If you use bison, you must use flex (and visa versa). The configure
script automatically falls back to lex and yacc if both flex and bison
are not found.
Sometimes the stock C compiler does not interact well with flex and
bison. The list of problems includes undefined references for alloca.
You can get around this by installing gcc or manually disabling flex
and bison with:
./configure --without-flex --without-bison
If your system only has AT&T lex, this is okay unless your libpcap
program uses other lex/yacc generated code. (Although it's possible to
map the yy* identifiers with a script, we use flex and bison so we
don't feel this is necessary.)
Some systems support the Berkeley Packet Filter natively; for example
out of the box OSF and BSD/OS have bpf. If your system does not support
bpf, you will need to pick up:
ftp://ftp.ee.lbl.gov/bpf-*.tar.Z
Note well: you MUST have kernel source for your operating system in
order to install bpf. An exception is SunOS 4; the bpf distribution
includes replacement kernel objects for some of the standard SunOS 4
network device drivers. See the bpf INSTALL document for more
information.
If you use Solaris, there is a bug with bufmod(7) that is fixed in
Solaris 2.3.2 (aka SunOS 5.3.2). Setting a snapshot length with the
broken bufmod(7) results in data be truncated from the FRONT of the
packet instead of the end. The work around is to not set a snapshot
length but this results in performance problems since the entire packet
is copied to user space. If you must run an older version of Solaris,
there is a patch available from Sun; ask for bugid 1149065. After
installing the patch, use "setenv BUFMOD_FIXED" to enable use of
bufmod(7). However, we recommend you run a more current release of
Solaris.
If you use the SPARCompiler, you must be careful to not use the
/usr/ucb/cc interface. If you do, you will get bogus warnings and
perhaps errors. Either make sure your path has /opt/SUNWspro/bin
before /usr/ucb or else:
setenv CC /opt/SUNWspro/bin/cc
before running configure. (You might have to do a "make distclean"
if you already ran configure once).
Also note that "make depend" won't work; while all of the known
universe uses -M, the SPARCompiler uses -xM to generate makefile
dependencies.
If you are trying to do packet capture with a FORE ATM card, you may or
may not be able to. They usually only release their driver in object
code so unless their driver supports packet capture, there's not much
libpcap can do.
If you get an error like:
tcpdump: recv_ack: bind error 0x???
when using DLPI, look for the DL_ERROR_ACK error return values, usually
in /usr/include/sys/dlpi.h, and find the corresponding value.
Under {DEC OSF/1, Digital UNIX, Tru64 UNIX}, packet capture must be
enabled before it can be used. For instructions on how to enable packet
filter support, see:
ftp://ftp.digital.com/pub/Digital/dec-faq/Digital-UNIX
Look for the "How do I configure the Berkeley Packet Filter and capture
tcpdump traces?" item.
Once you enable packet filter support, your OSF system will support bpf
natively.
Under Ultrix, packet capture must be enabled before it can be used. For
instructions on how to enable packet filter support, see:
ftp://ftp.digital.com/pub/Digital/dec-faq/ultrix
If you use HP-UX, you must have at least version 9 and either the
version of cc that supports ANSI C (cc -Aa) or else use the GNU C
compiler. You must also buy the optional streams package. If you don't
have:
/usr/include/sys/dlpi.h
/usr/include/sys/dlpi_ext.h
then you don't have the streams package. In addition, we believe you
need to install the "9.X LAN and DLPI drivers cumulative" patch
(PHNE_6855) to make the version 9 DLPI work with libpcap.
The DLPI streams package is standard starting with HP-UX 10.
The HP implementation of DLPI is a little bit eccentric. Unlike
Solaris, you must attach /dev/dlpi instead of the specific /dev/*
network pseudo device entry in order to capture packets. The PPA is
based on the ifnet "index" number. Under HP-UX 9, it is necessary to
read /dev/kmem and the kernel symbol file (/hp-ux). Under HP-UX 10,
DLPI can provide information for determining the PPA. It does not seem
to be possible to trace the loopback interface. Unlike other DLPI
implementations, PHYS implies MULTI and SAP and you get an error if you
try to enable more than one promiscuous mode at a time.
It is impossible to capture outbound packets on HP-UX 9. To do so on
HP-UX 10, you will, apparently, need a late "LAN products cumulative
patch" (at one point, it was claimed that this would be PHNE_18173 for
s700/10.20; at another point, it was claimed that the required patches
were PHNE_20892, PHNE_20725 and PHCO_10947, or newer patches), and to do
so on HP-UX 11 you will, apparently, need the latest lancommon/DLPI
patches and the latest driver patch for the interface(s) in use on HP-UX
11 (at one point, it was claimed that patches PHNE_19766, PHNE_19826,
PHNE_20008, and PHNE_20735 did the trick).
Furthermore, on HP-UX 10, you will need to turn on a kernel switch by
doing
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem
You would have to arrange that this happen on reboots; the right way to
do that would probably be to put it into an executable script file
"/sbin/init.d/outbound_promisc" and making
"/sbin/rc2.d/S350outbound_promisc" a symbolic link to that script.
Finally, testing shows that there can't be more than one simultaneous
DLPI user per network interface.
If you use Linux, this version of libpcap is known to compile and run
under Red Hat 4.0 with the 2.0.25 kernel. It may work with earlier 2.X
versions but is guaranteed not to work with 1.X kernels. Running more
than one libpcap program at a time, on a system with a 2.0.X kernel, can
cause problems since promiscuous mode is implemented by twiddling the
interface flags from the libpcap application; the packet capture
mechanism in the 2.2 and later kernels doesn't have this problem. Also,
packet timestamps aren't very good. This appears to be due to haphazard
handling of the timestamp in the kernel.
Note well: there is rumoured to be a version of tcpdump floating around
called 3.0.3 that includes libpcap and is supposed to support Linux.
You should be advised that neither the Network Research Group at LBNL
nor the Tcpdump Group ever generated a release with this version number.
The LBNL Network Research Group notes with interest that a standard
cracker trick to get people to install trojans is to distribute bogus
packages that have a version number higher than the current release.
They also noted with annoyance that 90% of the Linux related bug reports
they got are due to changes made to unofficial versions of their page.
If you are having trouble but aren't using a version that came from
tcpdump.org, please try that before submitting a bug report!
On Linux, libpcap will not work if the kernel does not have the packet
socket option enabled; see the README.linux file for information about
this.
If you use AIX, you may not be able to build libpcap from this release.
We do not have an AIX system in house so it's impossible for us to test
AIX patches submitted to us. We are told that you must link against
/lib/pse.exp, that you must use AIX cc or a GNU C compiler newer than
2.7.2, and that you may need to run strload before running a libpcap
application.
Read the README.aix file for information on installing libpcap and
configuring your system to be able to support libpcap.
If you use NeXTSTEP, you will not be able to build libpcap from this
release. We hope to support this operating system in some future
release of libpcap.
If you use SINIX, you should be able to build libpcap from this
release. It is known to compile and run on SINIX-Y/N 5.42 with the C-DS
V1.0 or V1.1 compiler. But note that in some releases of SINIX, yacc
emits incorrect code; if grammar.y fails to compile, change every
occurence of:
#ifdef YYDEBUG
to:
#if YYDEBUG
Another workaround is to use flex and bison.
If you use SCO, you might have trouble building libpcap from this
release. We do not have a machine running SCO and have not had reports
of anyone successfully building on it. Since SCO apparently supports
DLPI, it's possible the current version works. Meanwhile, SCO provides
a tcpdump binary as part of their "Network/Security Tools" package:
http://www.sco.com/technology/internet/goodies/#SECURITY
There is also a README that explains how to enable packet capture.
If you use UnixWare, you will not be able to build libpcap from this
release. We hope to support this operating system in some future
release of libpcap. Meanwhile, there appears to be an UnixWare port of
libpcap 0.0 (and tcpdump 3.0) in:
ftp://ftp1.freebird.org/pub/mirror/freebird/internet/systools/
UnixWare appears to use a hacked version of DLPI.
If linking tcpdump fails with "Undefined: _alloca" when using bison on
a Sun4, your version of bison is broken. In any case version 1.16 or
higher is recommended (1.14 is known to cause problems 1.16 is known to
work). Either pick up a current version from:
ftp://ftp.gnu.org/pub/gnu/bison
or hack around it by inserting the lines:
#ifdef __GNUC__
#define alloca __builtin_alloca
#else
#ifdef sparc
#include <alloca.h>
#else
char *alloca ();
#endif
#endif
right after the (100 line!) GNU license comment in bison.simple, remove
grammar.[co] and fire up make again.
If you use SunOS 4, your kernel must support streams NIT. If you run a
libpcap program and it dies with:
/dev/nit: No such device
You must add streams NIT support to your kernel configuration, run
config and boot the new kernel.
If you are running a version of SunOS earlier than 4.1, you will need
to replace the Sun supplied /sys/sun{3,4,4c}/OBJ/nit_if.o with the
appropriate version from this distribution's SUNOS4 subdirectory and
build a new kernel:
nit_if.o.sun3-sunos4 (any flavor of sun3)
nit_if.o.sun4c-sunos4.0.3c (SS1, SS1+, IPC, SLC, etc.)
nit_if.o.sun4-sunos4 (Sun4's not covered by
nit_if.o.sun4c-sunos4.0.3c)
These nit replacements fix a bug that makes nit essentially unusable in
pre-SunOS 4.1. In addition, our sun4c-sunos4.0.3c nit gives you
timestamps to the resolution of the SS-1 clock (1 us) rather than the
lousy 20ms timestamps Sun gives you (tcpdump will print out the full
timestamp resolution if it finds it's running on a SS-1).
FILES
-----
CHANGES - description of differences between releases
CREDITS - people that have helped libpcap along
FILES - list of files exported as part of the distribution
INSTALL.txt - this file
LICENSE - the license under which tcpdump is distributed
Makefile.in - compilation rules (input to the configure script)
README - description of distribution
README.aix - notes on using libpcap on AIX
README.dag - notes on using libpcap to capture on Endace DAG devices
README.hpux - notes on using libpcap on HP-UX
README.linux - notes on using libpcap on Linux
README.tru64 - notes on using libpcap on Digital/Tru64 UNIX
README.Win32 - notes on using libpcap on Win32 systems (with WinPcap)
SUNOS4 - pre-SunOS 4.1 replacement kernel nit modules
VERSION - version of this release
acconfig.h - support for post-2.13 autoconf
aclocal.m4 - autoconf macros
arcnet.h - ARCNET definitions
atmuni31.h - ATM Q.2931 definitions
bpf/net - copy of bpf_filter.c
bpf_dump.c - BPF program printing routines
bpf_filter.c - symlink to bpf/net/bpf_filter.c
bpf_image.c - BPF disassembly routine
config.guess - autoconf support
config.h.in - autoconf input
config.sub - autoconf support
configure - configure script (run this first)
configure.in - configure script source
etherent.c - /etc/ethers support routines
ethertype.h - Ethernet protocol types and names definitions
fad-getad.c - pcap_findalldevs() for systems with getifaddrs()
fad-gifc.c - pcap_findalldevs() for systems with only SIOCGIFLIST
fad-glifc.c - pcap_findalldevs() for systems with SIOCGLIFCONF
fad-null.c - pcap_findalldevs() for systems without capture support
fad-win32.c - pcap_findalldevs() for WinPcap
gencode.c - BPF code generation routines
gencode.h - BPF code generation definitions
grammar.y - filter string grammar
inet.c - network routines
install-sh - BSD style install script
lbl/os-*.h - OS-dependent defines and prototypes
llc.h - 802.2 LLC SAP definitions
mkdep - construct Makefile dependency list
nametoaddr.c - hostname to address routines
nlpid.h - OSI network layer protocol identifier definitions
net - symlink to bpf/net
optimize.c - BPF optimization routines
packaging - packaging information for building libpcap RPMs
pcap-bpf.c - BSD Packet Filter support
pcap-bpf.h - BPF definitions
pcap-dag.c - Endace DAG device capture support
pcap-dag.h - Endace DAG device capture support
pcap-dlpi.c - Data Link Provider Interface support
pcap-enet.c - enet support
pcap-int.h - internal libpcap definitions
pcap-linux.c - Linux packet socket support
pcap-namedb.h - public libpcap name database definitions
pcap-nit.c - SunOS Network Interface Tap support
pcap-nit.h - SunOS Network Interface Tap definitions
pcap-null.c - dummy monitor support (allows offline use of libpcap)
pcap-pf.c - Ultrix and Digital/Tru64 UNIX Packet Filter support
pcap-pf.h - Ultrix and Digital/Tru64 UNIX Packet Filter definitions
pcap-stdinc.h - includes and #defines for compiling on Win32 systems
pcap-snit.c - SunOS 4.x STREAMS-based Network Interface Tap support
pcap-snoop.c - IRIX Snoop network monitoring support
pcap-win32.c - WinPcap capture support
pcap.3 - manual entry
pcap.c - pcap utility routines
pcap.h - public libpcap definitions
pf.h - OpenBSD DLT_PFLOG definitions
ppp.h - Point to Point Protocol definitions
rawss7.h - information on DLT_ types for SS7
savefile.c - offline support
scanner.l - filter string scanner
sll.h - definitions for Linux cooked mode fake link-layer header
snprintf.c - snprintf and vsnprintf for platforms that lack them
sunatmpos.h - definitions for SunATM capturing
Win32 - headers and routines for building on Win32 systems


@@ -0,0 +1,19 @@
License: BSD
Redistribution and use in source and binary forms, with or without
modification, are permitted provided that the following conditions
are met:
1. Redistributions of source code must retain the above copyright
notice, this list of conditions and the following disclaimer.
2. Redistributions in binary form must reproduce the above copyright
notice, this list of conditions and the following disclaimer in
the documentation and/or other materials provided with the
distribution.
3. The names of the authors may not be used to endorse or promote
products derived from this software without specific prior
written permission.
THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.


@@ -0,0 +1,203 @@
# Copyright (c) 1993, 1994, 1995, 1996
# The Regents of the University of California. All rights reserved.
#
# Redistribution and use in source and binary forms, with or without
# modification, are permitted provided that: (1) source code distributions
# retain the above copyright notice and this paragraph in its entirety, (2)
# distributions including binary code include the above copyright notice and
# this paragraph in its entirety in the documentation or other materials
# provided with the distribution, and (3) all advertising materials mentioning
# features or use of this software display the following acknowledgement:
# ``This product includes software developed by the University of California,
# Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
# the University nor the names of its contributors may be used to endorse
# or promote products derived from this software without specific prior
# written permission.
# THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
# @(#) $Header$ (LBL)
#
# Various configurable paths (remember to edit Makefile.in, not Makefile)
#
# Top level hierarchy
prefix = @prefix@
exec_prefix = @exec_prefix@
# Pathname of directory to install the include files
includedir = @includedir@
# Pathname of directory to install the library
libdir = @libdir@
# Pathname of directory to install the man page
mandir = @mandir@
# VPATH
srcdir = @srcdir@
VPATH = @srcdir@
#
# You shouldn't need to edit anything below.
#
CC = @CC@
CCOPT = @V_CCOPT@
INCLS = -I. @V_INCLS@
DEFS = @DEFS@ @V_DEFS@
LIBS = @V_LIBS@
# Standard CFLAGS
CFLAGS = $(CCOPT) $(INCLS) $(DEFS)
INSTALL = @INSTALL@
INSTALL_PROGRAM = @INSTALL_PROGRAM@
INSTALL_DATA = @INSTALL_DATA@
RANLIB = @RANLIB@
#
# Flex and bison allow you to specify the prefixes of the global symbols
# used by the generated parser. This allows programs to use lex/yacc
# and link against libpcap. If you don't have flex or bison, get them.
#
LEX = flex
YACC = yacc
# Explicitly define compilation rule since SunOS 4's make doesn't like gcc.
# Also, gcc does not remove the .o before forking 'as', which can be a
# problem if you don't own the file but can write to the directory.
.c.o:
@rm -f $@
$(CC) $(CFLAGS) -c $(srcdir)/$*.c
PSRC = pcap-@V_PCAP@.c
FSRC = fad-@V_FINDALLDEVS@.c
SSRC = @SSRC@
CSRC = pcap.c inet.c gencode.c optimize.c nametoaddr.c \
etherent.c savefile.c bpf_filter.c bpf_image.c bpf_dump.c
GENSRC = scanner.c grammar.c version.c
LIBOBJS = @LIBOBJS@
SRC = $(PSRC) $(FSRC) $(CSRC) $(SSRC) $(GENSRC)
# We would like to say "OBJ = $(SRC:.c=.o)" but Ultrix's make cannot
# hack the extra indirection
OBJ = $(PSRC:.c=.o) $(FSRC:.c=.o) $(CSRC:.c=.o) $(SSRC:.c=.o) $(GENSRC:.c=.o) $(LIBOBJS)
HDR = pcap.h pcap-int.h pcap-namedb.h pcap-nit.h pcap-pf.h \
ethertype.h gencode.h gnuc.h
GENHDR = \
tokdefs.h version.h
TAGHDR = \
pcap-bpf.h
TAGFILES = \
$(SRC) $(HDR) $(TAGHDR)
CLEANFILES = $(OBJ) libpcap.a version.c lex.yy.c
all: libpcap.a
libpcap.a: $(OBJ)
@rm -f $@
ar rc $@ $(OBJ) $(LIBS)
$(RANLIB) $@
scanner.c: $(srcdir)/scanner.l
@rm -f $@
$(LEX) -t $< > $$$$.$@; mv $$$$.$@ $@
scanner.o: scanner.c tokdefs.h
$(CC) $(CFLAGS) -c scanner.c
pcap.o: version.h
tokdefs.h: grammar.c
grammar.c: $(srcdir)/grammar.y
@rm -f grammar.c tokdefs.h
$(YACC) -d $<
mv y.tab.c grammar.c
mv y.tab.h tokdefs.h
grammar.o: grammar.c
@rm -f $@
$(CC) $(CFLAGS) -Dyylval=pcap_lval -c grammar.c
version.o: version.c
$(CC) $(CFLAGS) -c version.c
snprintf.o: $(srcdir)/missing/snprintf.c
$(CC) $(CFLAGS) -o $@ -c $(srcdir)/missing/snprintf.c
version.c: $(srcdir)/VERSION
@rm -f $@
sed -e 's/.*/char pcap_version[] = "&";/' $(srcdir)/VERSION > $@
#
# NOTE: this really is supposed to be static; importing a string
# from a shared library does not work very well on many
# versions of UNIX (Solaris, Linux, and the BSDs, for example),
# so we make the version string static and return it from
# a function, which does work.
#
version.h: $(srcdir)/VERSION
@rm -f $@
sed -e 's/.*/static const char pcap_version_string[] = "libpcap version &";/' $(srcdir)/VERSION > $@
bpf_filter.c: $(srcdir)/bpf/net/bpf_filter.c
rm -f bpf_filter.c
ln -s $(srcdir)/bpf/net/bpf_filter.c bpf_filter.c
bpf_filter.o: bpf_filter.c
$(CC) $(CFLAGS) -c bpf_filter.c
install:
[ -d $(DESTDIR)$(libdir) ] || \
(mkdir -p $(DESTDIR)$(libdir); chmod 755 $(DESTDIR)$(libdir))
$(INSTALL_DATA) libpcap.a $(DESTDIR)$(libdir)/libpcap.a
$(RANLIB) $(DESTDIR)$(libdir)/libpcap.a
[ -d $(DESTDIR)$(includedir) ] || \
(mkdir -p $(DESTDIR)$(includedir); chmod 755 $(DESTDIR)$(includedir))
$(INSTALL_DATA) $(srcdir)/pcap.h $(DESTDIR)$(includedir)/pcap.h
$(INSTALL_DATA) $(srcdir)/pcap-bpf.h \
$(DESTDIR)$(includedir)/pcap-bpf.h
$(INSTALL_DATA) $(srcdir)/pcap-namedb.h \
$(DESTDIR)$(includedir)/pcap-namedb.h
[ -d $(DESTDIR)$(mandir)/man3 ] || \
(mkdir -p $(DESTDIR)$(mandir)/man3; chmod 755 $(DESTDIR)$(mandir)/man3)
$(INSTALL_DATA) $(srcdir)/pcap.3 \
$(DESTDIR)$(mandir)/man3/pcap.3
uninstall:
rm -f $(DESTDIR)$(libdir)/libpcap.a
rm -f $(DESTDIR)$(includedir)/pcap.h
rm -f $(DESTDIR)$(includedir)/pcap-bpf.h
rm -f $(DESTDIR)$(includedir)/pcap-namedb.h
rm -f $(DESTDIR)$(mandir)/man3/pcap.3
clean:
rm -f $(CLEANFILES)
distclean:
rm -f $(CLEANFILES) Makefile config.cache config.log config.status \
config.h gnuc.h os-proto.h bpf_filter.c stamp-h stamp-h.in
tags: $(TAGFILES)
ctags -wtd $(TAGFILES)
tar:
@cwd=`pwd` ; dir=`basename $$cwd` ; name=libpcap-`cat VERSION` ; \
list="" ; tar="tar chf" ; \
for i in `cat FILES` ; do list="$$list $$name/$$i" ; done; \
echo \
"rm -f ../$$name; ln -s $$dir ../$$name" ; \
rm -f ../$$name; ln -s $$dir ../$$name ; \
echo \
"(cd .. ; $$tar - [lots of files]) | compress > /tmp/$$name.tar.Z" ; \
(cd .. ; $$tar - $$list) | compress > /tmp/$$name.tar.Z ; \
echo \
"rm -f ../$$name" ; \
rm -f ../$$name
depend: $(GENSRC) $(GENHDR) bpf_filter.c
./mkdep -c $(CC) $(DEFS) $(INCLS) $(SRC)
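Review bot: The `tar` target redirects the archive to `/tmp/$$name.tar.Z`, a fixed and guessable name in a world-writable directory. On a shared build host, a file or symlink already present at that path decides where the output is written, with the privileges of whoever runs `make tar`. Writing next to the source tree avoids the shared directory: `(cd .. ; $$tar - $$list) | compress > ../$$name.tar.Z`, with the echoed command line in the same recipe changed to match. If the archive has to end up in a temporary location, a private directory created by the recipe itself is the safer choice.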


@@ -0,0 +1,242 @@
Nmap currently includes a modified version of the tcpdump.org release
of libpcap version 0.8.3 (released March 30, 2004). My
(fyodor@insecure.org) modifications are as follows:
o Included this file, renamed directory from libpcap-0.8.3 to
libpcap-possiblymodified.
o Renamed configure.in to configure.ac, which is the name now
recommended by the autoconf project.
o Removed the .cvsignore file, all 'CVS' directories, the 'packaging' directory, and the install-sh script.
o Added the gcc debugging flag (-g) to aclocal.m4 if gcc is being used:
--- libpcap-0.8.3/aclocal.m4 2003-11-16 01:45:51.000000000 -0800
+++ libpcap-possiblymodified/aclocal.m4 2004-07-31 22:34:47.000000000 -0700
@@ -1,4 +1,4 @@
-dnl @(#) $Header$ (LBL)
+dnl @(#) $Header$ (LBL)
dnl
dnl Copyright (c) 1995, 1996, 1997, 1998
dnl The Regents of the University of California. All rights reserved.
@@ -76,7 +76,7 @@
if test "$GCC" = yes ; then
if test "$SHLICC2" = yes ; then
ac_cv_lbl_gcc_vers=2
- $1="-O2"
+ $1="-g -O2"
else
AC_MSG_CHECKING(gcc version)
AC_CACHE_VAL(ac_cv_lbl_gcc_vers,
@@ -87,7 +87,7 @@
-e 's/\..*//'`)
AC_MSG_RESULT($ac_cv_lbl_gcc_vers)
if test $ac_cv_lbl_gcc_vers -gt 1 ; then
- $1="-O2"
+ $1="-g -O2"
fi
fi
else
o The config.sub and config.guess have been upgraded (in the distribution
file they are just symlinks to the corresponding files in the nmap dir
o Changed pcap-linux.c by adding a select() call guarding recvfrom()
to insure that it returns after the timeout period specified in
pcap_open_live() rather than blocking forever.
--- libpcap-0.8.3/pcap-linux.c 2003-11-21 02:20:46.000000000 -0800
+++ libpcap-possiblymodified/pcap-linux.c 2004-07-31 22:34:47.000000000 -0700
@@ -27,7 +27,7 @@
#ifndef lint
static const char rcsid[] _U_ =
- "@(#) $Header$ (LBL)";
+ "@(#) $Header$ (LBL)";
#endif
/*
@@ -96,6 +96,7 @@
#include <netinet/in.h>
#include <linux/if_ether.h>
#include <net/if_arp.h>
+#include <assert.h>
/*
* If PF_PACKET is defined, we can use {SOCK_RAW,SOCK_DGRAM}/PF_PACKET
@@ -483,6 +484,32 @@
return -2;
}
fromlen = sizeof(from);
+ /* If the user specified a timeout in pcap_open_live(),
+ we will honor the timeout and return even if no packets
+ have arrived */
+ if (handle->md.timeout > 0) {
+ fd_set readfs;
+ struct timeval tv;
+ int res;
+
+ FD_ZERO(&readfs);
+ FD_SET(handle->fd, &readfs);
+ bzero((void *) &tv, sizeof(tv));
+ tv.tv_sec = handle->md.timeout / 1000;
+ tv.tv_usec = (handle->md.timeout % 1000 ) * 1000;
+ do {
+ /* since this is in pcap-linux.c, we can assume
+ Linux select() behavior WRT decrementing tv */
+ res = select(handle->fd + 1, &readfs, NULL, NULL, &tv);
+ if (res == 1) break;
+ if (res == 0) return 0;
+ assert(res == -1);
+ if (errno == EINTR) continue;
+ snprintf(handle->errbuf, sizeof(handle->errbuf), "select: %s", pcap_strerror(errno));
+ return -1;
+ } while (1);
+ }
+
packet_len = recvfrom(
handle->fd, bp + offset,
handle->bufsize - offset, MSG_TRUNC,
o Eliminated Lex/Yacc requirement (I now ship the generated .c files).
This involved:
o Changes to Makefile.in
--- libpcap-0.8.3/Makefile.in 2003-12-14 17:42:23.000000000 -0800
+++ libpcap-possiblymodified/Makefile.in 2004-07-31 22:34:47.000000000 -0700
@@ -17,7 +17,7 @@
# WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
# MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
#
-# @(#) $Header$ (LBL)
+# @(#) $Header$ (LBL)
#
# Various configurable paths (remember to edit Makefile.in, not Makefile)
@@ -60,8 +60,8 @@
# used by the generated parser. This allows programs to use lex/yacc
# and link against libpcap. If you don't have flex or bison, get them.
#
-LEX = @V_LEX@
-YACC = @V_YACC@
+LEX = flex
+YACC = yacc
# Explicitly define compilation rule since SunOS 4's make doesn't like gcc.
# Also, gcc does not remove the .o before forking 'as', which can be a
@@ -94,7 +94,7 @@
TAGFILES = \
$(SRC) $(HDR) $(TAGHDR)
-CLEANFILES = $(OBJ) libpcap.a $(GENSRC) $(GENHDR) lex.yy.c
+CLEANFILES = $(OBJ) libpcap.a version.c lex.yy.c
all: libpcap.a
o Ripped LEX/YACC detection code from configure.in:
--- libpcap-0.8.3/configure.in 2004-03-28 13:43:34.000000000 -0800
+++ libpcap-possiblymodified/configure.ac 2004-07-31 22:34:47.000000000 -0700
@@ -1,4 +1,4 @@
-dnl @(#) $Header$ (LBL)
+dnl @(#) $Header$ (LBL)
dnl
dnl Copyright (c) 1994, 1995, 1996, 1997
dnl The Regents of the University of California. All rights reserved.
@@ -6,7 +6,7 @@
dnl Process this file with autoconf to produce a configure script.
dnl
-AC_REVISION($Revision$)
+AC_REVISION($Revision$)
AC_PREREQ(2.50)
AC_INIT(pcap.c)
@@ -341,25 +341,6 @@
AC_MSG_ERROR(Specifying the capture type as 'dag' requires the DAG API to be present; use --with-dag=DIR)
fi
-
-AC_LBL_LEX_AND_YACC(V_LEX, V_YACC, pcap_)
-if test "$V_LEX" = lex ; then
-# Some versions of lex can't handle the definitions section of scanner.l .
-# Try lexing it and complain if it can't deal.
- AC_CACHE_CHECK([for capable lex], tcpdump_cv_capable_lex,
- if lex -t scanner.l > /dev/null 2>&1; then
- tcpdump_cv_capable_lex=yes
- else
- tcpdump_cv_capable_lex=insufficient
- fi)
- if test $tcpdump_cv_capable_lex = insufficient ; then
- AC_MSG_ERROR([Your operating system's lex is insufficient to compile
- libpcap. flex is a lex replacement that has many advantages, including
- being able to compile libpcap. For more information, see
- http://www.gnu.org/software/flex/flex.html .])
- fi
-fi
-
case "$host_os" in
aix*)
@@ -420,11 +401,9 @@
AC_SUBST(V_DEFS)
AC_SUBST(V_INCLS)
AC_SUBST(V_LIBS)
-AC_SUBST(V_LEX)
AC_SUBST(V_PCAP)
AC_SUBST(V_FINDALLDEVS)
AC_SUBST(V_RANLIB)
-AC_SUBST(V_YACC)
AC_SUBST(SSRC)
AC_PROG_INSTALL
o An OpenBSD portability fix to make loopback work:
diff -w -u -r1.1 pcap-bpf.h
--- pcap-bpf.h 1 Aug 2004 05:34:47 -0000 1.1
+++ pcap-bpf.h 29 Jan 2005 20:32:24 -0000
@@ -235,12 +235,14 @@
* OpenBSD DLT_LOOP, for loopback devices; it's like DLT_NULL, except
* that the AF_ type in the link-layer header is in network byte order.
*
- * OpenBSD defines it as 12, but that collides with DLT_RAW, so we
- * define it as 108 here. If OpenBSD picks up this file, it should
- * define DLT_LOOP as 12 in its version, as per the comment above -
- * and should not use 108 as a DLT_ value.
+ * OpenBSD defines it as 12, but that collides with DLT_RAW, so 108 is
+ * used for other platforms.
*/
+#ifdef __OpenBSD__
+#define DLT_LOOP 12
+#else
#define DLT_LOOP 108
+#endif
/*
* Encapsulated packets for IPsec; DLT_ENC is 13 in OpenBSD, but that's
The following patch removes some code that apparently causes libpcap on
Solaris to wait for 64K chunks before returning in some cases, regardless of
the timeout values. Problem report and patch came from
Ben Harris (bjh21(a)cam.ac.uk)
--- pcap-dlpi.c 1 Aug 2004 05:34:47 -0000 1.4
+++ pcap-dlpi.c 1 Feb 2005 20:29:29 -0000
@@ -675,16 +675,6 @@
}
}
- /*
- ** Set the chunk length.
- */
- chunksize = CHUNKSIZE;
- if (strioctl(p->fd, SBIOCSCHUNK, sizeof(chunksize), (char *)&chunksize)
- != 0) {
- snprintf(ebuf, PCAP_ERRBUF_SIZE, "SBIOCSCHUNKP: %s",
- pcap_strerror(errno));
- goto bad;
- }
#endif
/*
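Review bot: In the pcap-linux.c patch recorded in this file, `FD_SET(handle->fd, &readfs)` runs without first checking that the descriptor is below `FD_SETSIZE`. In a process that holds many open descriptors, that macro writes outside the `fd_set` on the stack. A guard before `FD_ZERO`, such as `if (handle->fd >= FD_SETSIZE) { snprintf(handle->errbuf, sizeof(handle->errbuf), "select: descriptor exceeds FD_SETSIZE"); return -1; }`, would turn this into a reported error. Two smaller points in the same loop: `assert(res == -1)` is compiled out under `NDEBUG`, and the Linux select(2) page describes the timeout as undefined after an error return, so the `EINTR` retry may not wait for the remaining time as the comment assumes. The enclosing function starts and ends outside the quoted hunk.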


@@ -0,0 +1,94 @@
@(#) $Header$ (LBL)
LIBPCAP 0.8
Now maintained by "The Tcpdump Group"
See www.tcpdump.org
Please send inquiries/comments/reports to tcpdump-workers@tcpdump.org
Anonymous CVS is available via:
cvs -d :pserver:tcpdump@cvs.tcpdump.org:/tcpdump/master login
(password "anoncvs")
cvs -d :pserver:tcpdump@cvs.tcpdump.org:/tcpdump/master checkout libpcap
Version 0.8 of LIBPCAP can be retrieved with the CVS tag "libpcap_0_8rel1":
cvs -d :pserver:tcpdump@cvs.tcpdump.org:/tcpdump/master checkout -r libpcap_0_8rel1 libpcap
Please send patches against the master copy to patches@tcpdump.org.
formerly from Lawrence Berkeley National Laboratory
Network Research Group <libpcap@ee.lbl.gov>
ftp://ftp.ee.lbl.gov/libpcap.tar.Z (0.4)
This directory contains source code for libpcap, a system-independent
interface for user-level packet capture. libpcap provides a portable
framework for low-level network monitoring. Applications include
network statistics collection, security monitoring, network debugging,
etc. Since almost every system vendor provides a different interface
for packet capture, and since we've developed several tools that
require this functionality, we've created this system-independent API
to ease in porting and to alleviate the need for several
system-dependent packet capture modules in each application.
Note well: this interface is new and is likely to change.
For some platforms there are README.{system} files that discuss issues
with the OS's interface for packet capture on those platforms, such as
how to enable support for that interface in the OS, if it's not built in
by default.
The libpcap interface supports a filtering mechanism based on the
architecture in the BSD packet filter. BPF is described in the 1993
Winter Usenix paper ``The BSD Packet Filter: A New Architecture for
User-level Packet Capture''. A compressed PostScript version can be
found at
ftp://ftp.ee.lbl.gov/papers/bpf-usenix93.ps.Z
or
http://www.tcpdump.org/papers/bpf-usenix93.ps.Z
and a gzipped version can be found at
http://www.tcpdump.org/papers/bpf-usenix93.ps.gz
A PDF version can be found at
http://www.tcpdump.org/papers/bpf-usenix93.pdf
Although most packet capture interfaces support in-kernel filtering,
libpcap utilizes in-kernel filtering only for the BPF interface.
On systems that don't have BPF, all packets are read into user-space
and the BPF filters are evaluated in the libpcap library, incurring
added overhead (especially, for selective filters). Ideally, libpcap
would translate BPF filters into a filter program that is compatible
with the underlying kernel subsystem, but this is not yet implemented.
BPF is standard in 4.4BSD, BSD/OS, NetBSD, FreeBSD, and OpenBSD. DEC
OSF/1/Digital UNIX/Tru64 UNIX uses the packetfilter interface but has
been extended to accept BPF filters (which libpcap utilizes). Also, you
can add BPF filter support to Ultrix using the kernel source and/or
object patches available in:
ftp://gatekeeper.dec.com/pub/DEC/net/bpfext42.tar.Z.
Linux, in the 2.2 kernel and later kernels, has a "Socket Filter"
mechanism that accepts BPF filters; see the README.linux file for
information on configuring that option.
Problems, bugs, questions, desirable enhancements, etc. should be sent
to the address "tcpdump-workers@tcpdump.org". Bugs, support requests,
and feature requests may also be submitted on the SourceForge site for
libpcap at
http://sourceforge.net/projects/libpcap/
Source code contributions, etc. should be sent to the email address
"patches@tcpdump.org", or submitted as patches on the SourceForge site
for libpcap.
Current versions can be found at www.tcpdump.org, or the SourceForge
site for libpcap.
- The TCPdump team


@@ -0,0 +1,46 @@
Under Win32, libpcap is integrated in the WinPcap packet capture system.
WinPcap provides a framework that allows libpcap to capture the packets
under Windows 95, Windows 98, Windows ME, Windows NT 4, Windows 2000
and Windows XP.
WinPcap binaries and source code can be found at http://winpcap.polito.it:
they include also a developer's pack with all the necessary to compile
libpcap-based applications under Windows.
How to compile libpcap with Visual Studio
-----------------------------------------
In order to compile libpcap you will need:
- version 6 (or higher) of Microsoft Visual Studio
- The November 2001 (or later) edition of Microsoft Platform
Software Development Kit (SDK), that contains some necessary includes
for IPv6 support. You can download it from http://www.microsoft.com/sdk
- the latest WinPcap sources from http://winpcap.polito.it/install
The WinPcap source code already contains a recent (usually the latest
stable) version of libpcap. If you need to compile a different one,
simply download it from www.tcpdump.org and copy the sources in the
winpcap\wpcap\libpcap folder of the WinPcap distribution. If you want to
compile a libpcap source retrieved from the tcpdump.org CVS, you will
have to create the scanner and the grammar by hand (with lex and yacc)
or with the cygnus makefile, since The Visual Studio project is not able
to build them.
Open the project file winpcap\wpcap\prj\wpcap.dsw with Visual Studio and
build wpcap.dll. wpcap.lib, the library file to link with the applications,
will be generated in winpcap\wpcap\lib\. wpcap.dll will be generated in
winpcap\wpcap\prj\release or winpcap\wpcap\prj\debug depending on the type
of binary that is being created.
How to compile libpcap with Cygnus
----------------------------------
To build wpcap.dll, cd to the directory WPCAP/PRJ of the WinPcap source code
distribution and type "make". libwpcap.a, the library file to link with the
applications, will be generated in winpcap\wpcap\lib\. wpcap.dll will be
generated in winpcap\wpcap\prj.
Remember, you CANNOT use the MSVC-generated .lib files with gcc, use
libwpcap.a instead.
"make install" installs wpcap.dll in the Windows system folder.


@@ -0,0 +1,78 @@
Using BPF:
(1) AIX 4.x's version of BPF is undocumented and somewhat unstandard; the
current BPF support code includes changes that should work around
that; it appears to compile and work on at least one AIX 4.3.3
machine.
Note that the BPF driver and the "/dev/bpf" devices might not exist
on your machine; AIX's tcpdump loads the driver and creates the
devices if they don't already exist. Our libpcap should do the
same, and the configure script should detect that it's on an AIX
system and choose BPF even if the devices aren't there.
(2) If libpcap doesn't compile on your machine when configured to use
BPF, or if the workarounds fail to make it work correctly, you
should send to tcpdump-workers@tcpdump.org a detailed bug report (if
the compile fails, send us the compile error messages; if it
compiles but fails to work correctly, send us as detailed as
possible a description of the symptoms, including indications of the
network link-layer type being wrong or time stamps being wrong).
If you fix the problems yourself, please send to patches@tcpdump.org
a patch, so we can incorporate them into the next release.
If you don't fix the problems yourself, you can, as a workaround,
make libpcap use DLPI instead of BPF.
This can be done by specifying the flag:
--with-pcap=dlpi
to the "configure" script for libpcap.
If you use DLPI:
(1) It is a good idea to have the latest version of the DLPI driver on
your system, since certain versions may be buggy and cause your AIX
system to crash. DLPI is included in the fileset bos.rte.tty. I
found that the DLPI driver that came with AIX 4.3.2 was buggy, and
had to upgrade to bos.rte.tty 4.3.2.4:
lslpp -l bos.rte.tty
bos.rte.tty 4.3.2.4 COMMITTED Base TTY Support and Commands
Updates for AIX filesets can be obtained from:
ftp://service.software.ibm.com/aix/fixes/
These updates can be installed with the smit program.
(2) After compiling libpcap, you need to make sure that the DLPI driver
is loaded. Type:
strload -q -d dlpi
If the result is:
dlpi: yes
then the DLPI driver is loaded correctly.
If it is:
dlpi: no
Then you need to type:
strload -f /etc/dlpi.conf
Check again with strload -q -d dlpi that the dlpi driver is loaded.
Alternatively, you can uncomment the lines for DLPI in
/etc/pse.conf and reboot the machine; this way DLPI will always
be loaded when you boot your system.
(3) There appears to be a problem in the DLPI code in some versions of
AIX, causing a warning about DL_PROMISC_MULTI failing; this might
be responsible for DLPI not being able to capture outgoing packets.


@@ -0,0 +1,48 @@
The following instructions apply if you have a Linux or FreeBSD platform and
want libpcap to support the DAG range of passive network monitoring cards from
Endace (http://www.endace.com, see below for further contact details).
1) Install and build the DAG software distribution by following the
instructions supplied with that package. Current Endace customers can download
the DAG software distibution from https://www.endace.com
2) Configure libcap. To allow the 'configure' script to locate the DAG
software distribution use the '--with-dag' option:
./configure --with-dag=DIR
Where DIR is the root of the DAG software distribution, for example
/var/src/dag. If the DAG software is correctly detected 'configure' will
report:
checking whether we have DAG API... yes
If 'configure' reports that there is no DAG API, the directory may have been
incorrectly specified or the DAG software was not built before configuring
libpcap.
See also the libpcap INSTALL.txt file for further libpcap configuration
options.
Building libpcap at this stage will include support for both the native packet
capture stream (linux or bpf) and for capturing from DAG cards. To build
libpcap with only DAG support specify the capture type as 'dag' when
configuring libpcap:
./configure --with-dag=DIR --with-pcap=dag
Applications built with libpcap configured in this way will only detect DAG
cards and will not capture from the native OS packet stream.
----------------------------------------------------------------------
Please submit bug reports via <support@endace.com>.
Please also visit our Web pages at:
http://www.endace.com/
http://dag.cs.waikato.ac.nz/
For more information about Endace DAG cards contact <sales@endace.com>.


@@ -0,0 +1,246 @@
HP-UX patches to fix packet capture problems
Note that packet-capture programs such as tcpdump may, on HP-UX, not be
able to see packets sent from the machine on which they're running.
Some articles on groups.google.com discussing this are:
http://groups.google.com/groups?selm=82ld3v%2480i%241%40mamenchi.zrz.TU-Berlin.DE
which says:
Newsgroups: comp.sys.hp.hpux
Subject: Re: Did someone made tcpdump working on 10.20 ?
Date: 12/08/1999
From: Lutz Jaenicke <jaenicke@emserv1.ee.TU-Berlin.DE>
In article <82ks5i$5vc$1@news1.dti.ne.jp>, mtsat <mtsat@iris.dti.ne.jp>
wrote:
>Hello,
>
>I downloaded and compiled tcpdump3.4 a couple of week ago. I tried to use
>it, but I can only see incoming data, never outgoing.
>Someone (raj) explained me that a patch was missing, and that this patch
>must me "patched" (poked) in order to see outbound data in promiscuous mode.
>Many things to do .... So the question is : did someone has already this
>"ready to use" PHNE_**** patch ?
Two things:
1. You do need a late "LAN products cumulative patch" (e.g. PHNE_18173
for s700/10.20).
2. You must use
echo 'lanc_outbound_promisc_flag/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem
You can insert this e.g. into /sbin/init.d/lan
Best regards,
Lutz
and
http://groups.google.com/groups?selm=88cf4t%24p03%241%40web1.cup.hp.com
which says:
Newsgroups: comp.sys.hp.hpux
Subject: Re: tcpdump only shows incoming packets
Date: 02/15/2000
From: Rick Jones <foo@bar.baz.invalid>
Harald Skotnes <harald@cc.uit.no> wrote:
> I am running HPUX 11.0 on a C200 hanging on a 100Mb switch. I have
> compiled libpcap-0.4 an tcpdump-3.4 and it seems to work. But at a
> closer look I only get to see the incoming packets not the
> outgoing. I have tried tcpflow-0.12 which also uses libpcap and the
> same thing happens. Could someone please give me a hint on how to
> get this right?
Search/Read the archives ?-)
What you are seeing is expected, un-patched, behaviour for an HP-UX
system. On 11.00, you need to install the latest lancommon/DLPI
patches, and then the latest driver patch for the interface(s) in use.
At that point, a miracle happens and you should start seeing outbound
traffic.
[That article also mentions the patch that appears below.]
and
http://groups.google.com/groups?selm=38AA973E.96BE7DF7%40cc.uit.no
which says:
Newsgroups: comp.sys.hp.hpux
Subject: Re: tcpdump only shows incoming packets
Date: 02/16/2000
From: Harald Skotnes <harald@cc.uit.no>
Rick Jones wrote:
...
> What you are seeing is expected, un-patched, behaviour for an HP-UX
> system. On 11.00, you need to install the latest lancommon/DLPI
> patches, and then the latest driver patch for the interface(s) in
> use. At that point, a miracle happens and you should start seeing
> outbound traffic.
Thanks a lot. I have this problem on several machines running HPUX
10.20 and 11.00. The machines where patched up before y2k so did not
know what to think. Anyway I have now installed PHNE_19766,
PHNE_19826, PHNE_20008, PHNE_20735 on the C200 and now I can see the
outbound traffic too. Thanks again.
(although those patches may not be the ones to install - there may be
later patches).
And another message to tcpdump-workers@tcpdump.org, from Rick Jones:
Date: Mon, 29 Apr 2002 15:59:55 -0700
From: Rick Jones
To: tcpdump-workers@tcpdump.org
Subject: Re: [tcpdump-workers] I Can't Capture the Outbound Traffic
...
http://itrc.hp.com/ would be one place to start in a search for the most
up-to-date patches for DLPI and the lan driver(s) used on your system (I
cannot guess because 9000/800 is too generic - one hs to use the "model"
command these days and/or an ioscan command (see manpage) to guess what
the drivers (btlan[3456], gelan, etc) might be involved in addition to
DLPI.
Another option is to upgrade to 11i as outbound promiscuous mode support
is there in the base OS, no patches required.
Another posting:
http://groups.google.com/groups?selm=7d6gvn%24b3%241%40ocean.cup.hp.com
indicates that you need to install the optional STREAMS product to do
captures on HP-UX 9.x:
Newsgroups: comp.sys.hp.hpux
Subject: Re: tcpdump HP/UX 9.x
Date: 03/22/1999
From: Rick Jones <foo@bar.baz>
Dave Barr (barr@cis.ohio-state.edu) wrote:
: Has anyone ported tcpdump (or something similar) to HP/UX 9.x?
I'm reasonably confident that any port of tcpdump to 9.X would require
the (then optional) STREAMS product. This would bring DLPI, which is
what one uses to access interfaces in promiscuous mode.
I'm not sure that HP even sells the 9.X STREAMS product any longer,
since HP-UX 9.X is off the pricelist (well, maybe 9.10 for the old 68K
devices).
Your best bet is to be up on 10.20 or better if that is at all
possible. If your hardware is supported by it, I'd go with HP-UX 11.
If you want to see the system's own outbound traffic, you'll never get
that functionality on 9.X, but it might happen at some point for 10.20
and 11.X.
rick jones
(as per other messages cited here, the ability to see the system's own
outbound traffic did happen).
Rick Jones reports that HP-UX 11i needs no patches for outbound
promiscuous mode support.
An additional note, from Jost Martin, for HP-UX 10.20:
Q: How do I get ethereral on HPUX to capture the _outgoing_ packets
of an interface
A: You need to get PHNE_20892,PHNE_20725 and PHCO_10947 (or
newer, this is as of 4.4.00) and its dependencies. Then you can
enable the feature as descibed below:
Patch Name: PHNE_20892
Patch Description: s700 10.20 PCI 100Base-T cumulative patch
To trace the outbound packets, please do the following
to turn on a global promiscuous switch before running
the promiscuous applications like snoop or tcpdump:
adb -w /stand/vmunix /dev/mem
lanc_outbound_promisc_flag/W 1
(adb will echo the result showing that the flag has
been changed)
$quit
(Thanks for this part to HP-support, Ratingen)
The attached hack does this and some security-related stuff
(thanks to hildeb@www.stahl.bau.tu-bs.de (Ralf Hildebrandt) who
posted the security-part some time ago)
<<hack_ip_stack>>
(Don't switch IP-forwarding off, if you need it !)
Install the hack as /sbin/init.d/hacl_ip_stack (adjust
permissions !) and make a sequencing-symlink
/sbin/rc2.d/S350hack_ip_stack pointing to this script.
Now all this is done on every reboot.
Here's the "hack_ip_stack" script:
-----------------------------------Cut Here-------------------------------------
#!/sbin/sh
#
# nettune: hack kernel parms for safety
OKAY=0
ERROR=-1
# /usr/contrib/bin fuer nettune auf Pfad
PATH=/sbin:/usr/sbin:/usr/bin:/usr/contrib/bin
export PATH
##########
# main #
##########
case $1 in
start_msg)
print "Tune IP-Stack for security"
exit $OKAY
;;
stop_msg)
print "This action is not applicable"
exit $OKAY
;;
stop)
exit $OKAY
;;
start)
;; # fall through
*)
print "USAGE: $0 {start_msg | stop_msg | start | stop}" >&2
exit $ERROR
;;
esac
###########
# start #
###########
#
# tcp-Sequence-Numbers nicht mehr inkrementieren sondern random
# Syn-Flood-Protection an
# ip_forwarding aus
# Source-Routing aus
# Ausgehende Packets an ethereal/tcpdump etc.
/usr/contrib/bin/nettune -s tcp_random_seq 2 || exit $ERROR
/usr/contrib/bin/nettune -s hp_syn_protect 1 || exit $ERROR
/usr/contrib/bin/nettune -s ip_forwarding 0 || exit $ERROR
echo 'ip_block_source_routed/W1' | /usr/bin/adb -w /stand/vmunix /dev/kmem || exit $ERROR
echo 'lanc_outbound_promisc_flag/W 1' | adb -w /stand/vmunix /dev/mem || exit $ERROR
exit $OKAY
-----------------------------------Cut Here-------------------------------------


@@ -0,0 +1,88 @@
In order for libpcap to be able to capture packets on a Linux system,
the "packet" protocol must be supported by your kernel. If it is not,
you may get error messages such as
modprobe: can't locate module net-pf-17
in "/var/adm/messages", or may get messages such as
socket: Address family not supported by protocol
from applications using libpcap.
You must configure the kernel with the CONFIG_PACKET option for this
protocol; the following note is from the Linux "Configure.help" file for
the 2.0[.x] kernel:
Packet socket
CONFIG_PACKET
The Packet protocol is used by applications which communicate
directly with network devices without an intermediate network
protocol implemented in the kernel, e.g. tcpdump. If you want them
to work, choose Y.
This driver is also available as a module called af_packet.o ( =
code which can be inserted in and removed from the running kernel
whenever you want). If you want to compile it as a module, say M
here and read Documentation/modules.txt; if you use modprobe or
kmod, you may also want to add "alias net-pf-17 af_packet" to
/etc/modules.conf.
and the note for the 2.2[.x] kernel says:
Packet socket
CONFIG_PACKET
The Packet protocol is used by applications which communicate
directly with network devices without an intermediate network
protocol implemented in the kernel, e.g. tcpdump. If you want them
to work, choose Y. This driver is also available as a module called
af_packet.o ( = code which can be inserted in and removed from the
running kernel whenever you want). If you want to compile it as a
module, say M here and read Documentation/modules.txt. You will
need to add 'alias net-pf-17 af_packet' to your /etc/conf.modules
file for the module version to function automatically. If unsure,
say Y.
In addition, there is an option that, in 2.2 and later kernels, will
allow packet capture filters specified to programs such as tcpdump to be
executed in the kernel, so that packets that don't pass the filter won't
be copied from the kernel to the program, rather than having all packets
copied to the program and libpcap doing the filtering in user mode.
Copying packets from the kernel to the program consumes a significant
amount of CPU, so filtering in the kernel can reduce the overhead of
capturing packets if a filter has been specified that discards a
significant number of packets. (If no filter is specified, it makes no
difference whether the filtering isn't performed in the kernel or isn't
performed in user mode. :-))
The option for this is the CONFIG_FILTER option; the "Configure.help"
file says:
Socket filtering
CONFIG_FILTER
The Linux Socket Filter is derived from the Berkeley Packet Filter.
If you say Y here, user-space programs can attach a filter to any
socket and thereby tell the kernel that it should allow or disallow
certain types of data to get through the socket. Linux Socket
Filtering works on all socket types except TCP for now. See the text
file linux/Documentation/networking/filter.txt for more information.
If unsure, say N.
Statistics:
Statistics reported by pcap are platform specific. The statistics
reported by pcap_stats on Linux are as follows:
2.2.x
=====
ps_recv Number of packets that were accepted by the pcap filter
ps_drops Always 0, this statistic is not gatherd on this platform
2.4.x
=====
ps_rec Number of packets that were accepted by the pcap filter
ps_drops Number of packets that had passed filtering but were not
passed on to pcap due to things like buffer shortage, etc.
This is useful because these are packets you are interested in
but won't be reported by, for example, tcpdump output.


@@ -0,0 +1,49 @@
The following instructions are applicable to Tru64 UNIX
(formerly Digital UNIX (formerly DEC OSF/1)) version 4.0, and
probably to later versions as well; at least some options apply to
Digital UNIX 3.2 - perhaps all do.
In order to use kernel packet filtering on this system, you have
to configure it in such a way:
Kernel configuration
--------------------
The packet filtering kernel option must be enabled at kernel
installation. If it was not the case, you can rebuild the kernel with
"doconfig -c" after adding the following line in the kernel
configuration file (/sys/conf/<HOSTNAME>):
option PACKETFILTER
or use "doconfig" without any arguments to add the packet filter driver
option via the kernel option menu (see the system administration
documentation for information on how to do this).
Device configuration
--------------------
Devices used for packet filtering must be created thanks to
the following command (executed in the /dev directory):
./MAKEDEV pfilt
Interface configuration
-----------------------
In order to capture all packets on a network, you may want to allow
applications to put the interface on that network into "local copy"
mode, so that tcpdump can see packets sent by the host on which it's
running as well as packets received by that host, and to put the
interface into "promiscuous" mode, so that tcpdump can see packets on
the network segment not sent to the host on which it's running, by using
the pfconfig(1) command:
pfconfig +c +p <network_device>
or allow application to put any interface into "local copy" or
"promiscuous" mode by using the command:
pfconfig +c +p -a
Note: all instructions given require root privileges.

Binary file not shown.

Binary file not shown.

Binary file not shown.


@@ -0,0 +1,42 @@
TODO list for libpcap
=======================
Important stuff (to be done before the next release)
---------------
General
- configure should not be in the CVS. Most open source projects have an
autogen.sh script to run autoconf etc. after checkout. I think we
should stick to the standard.
- The source files should be better documented. There is no official
design guideline for what is done where. There should be a common coding
style (okay, you can guess that by looking at the code) and a guide for
what needs to be documented.
Linux kernel interface
- Currently there is a race condition in that a socket is activated at the
same time it is opened - before applying a filter. This has to
be corrected so that capture starts when pcap_read is called for the
first time.
Less urgent items
-----------------
- Better documentation and cleanup of the interface. I am seeing a few
problems at the first glance which needs fixing:
+ pcap_lookupnet makes little to no sense with protocols != IPv4
+ not very well suited for interactive programs (think ethereal). There
should be a way for the application to get a file descriptor which it
has to monitor and a callback in pcap which has to be called on
activity (XXX - "pcap_fileno()" handles the first part, although
"select()" and "poll()" don't work on BPF devices on most BSDs, and
you can call "pcap_dispatch()" as the dispatch routine after putting
the descriptor into non-blocking mode)
+ too many functions. There are a lot of functions for everything which
violates the KISS principle. Why do we need pcap_strerror, pcap_perror
and pcap_geterr?
+ the manpage has a brief description of each function but where is the
big picture? Seems like you need to buy UNP for that...


@@ -0,0 +1 @@
0.8.3


@@ -0,0 +1,46 @@
/* @(#) $Header$ (LBL) */
/* Define __P() macro, if necessary */
#ifndef __P
#if __STDC__
#define __P(protos) protos
#else
#define __P(protos) ()
#endif
#endif
/* inline foo */
#ifndef __cplusplus
#ifdef __GNUC__
#define inline __inline
#else
#define inline
#endif
#endif
/*
* Handle new and old "dead" routine prototypes
*
* For example:
*
* __dead void foo(void) __attribute__((volatile));
*
*/
#ifdef __GNUC__
#ifndef __dead
#define __dead volatile
#endif
#if __GNUC__ < 2 || (__GNUC__ == 2 && __GNUC_MINOR__ < 5)
#ifndef __attribute__
#define __attribute__(args)
#endif
#endif
#else
#ifndef __dead
#define __dead
#endif
#ifndef __attribute__
#define __attribute__(args)
#endif
#endif


@@ -0,0 +1,122 @@
/*
* Copyright (C) 1995, 1996, 1997, 1998, and 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef HAVE_ADDRINFO
/*
* Error return codes from getaddrinfo()
*/
#define EAI_ADDRFAMILY 1 /* address family for hostname not supported */
#define EAI_AGAIN 2 /* temporary failure in name resolution */
#define EAI_BADFLAGS 3 /* invalid value for ai_flags */
#define EAI_FAIL 4 /* non-recoverable failure in name resolution */
#define EAI_FAMILY 5 /* ai_family not supported */
#define EAI_MEMORY 6 /* memory allocation failure */
#define EAI_NODATA 7 /* no address associated with hostname */
#define EAI_NONAME 8 /* hostname nor servname provided, or not known */
#define EAI_SERVICE 9 /* servname not supported for ai_socktype */
#define EAI_SOCKTYPE 10 /* ai_socktype not supported */
#define EAI_SYSTEM 11 /* system error returned in errno */
#define EAI_BADHINTS 12
#define EAI_PROTOCOL 13
#define EAI_MAX 14
/* internal error */
#define NETDB_INTERNAL -1 /* see errno */
/*
* Flag values for getaddrinfo()
*/
#define AI_PASSIVE 0x00000001 /* get address to use bind() */
#define AI_CANONNAME 0x00000002 /* fill ai_canonname */
#define AI_NUMERICHOST 0x00000004 /* prevent name resolution */
/* valid flags for addrinfo */
#define AI_MASK (AI_PASSIVE | AI_CANONNAME | AI_NUMERICHOST)
#define AI_ALL 0x00000100 /* IPv6 and IPv4-mapped (with AI_V4MAPPED) */
#define AI_V4MAPPED_CFG 0x00000200 /* accept IPv4-mapped if kernel supports */
#define AI_ADDRCONFIG 0x00000400 /* only if any address is assigned */
#define AI_V4MAPPED 0x00000800 /* accept IPv4-mapped IPv6 address */
/* special recommended flags for getipnodebyname */
#define AI_DEFAULT (AI_V4MAPPED_CFG | AI_ADDRCONFIG)
struct addrinfo {
int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
int ai_family; /* PF_xxx */
int ai_socktype; /* SOCK_xxx */
int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
size_t ai_addrlen; /* length of ai_addr */
char *ai_canonname; /* canonical name for hostname */
struct sockaddr *ai_addr; /* binary address */
struct addrinfo *ai_next; /* next structure in linked list */
};
extern void freeaddrinfo (struct addrinfo *);
extern void freehostent (struct hostent *);
extern char *gai_strerror (int);
extern int getaddrinfo (const char *, const char *,
const struct addrinfo *, struct addrinfo **);
extern int getnameinfo (const struct sockaddr *, size_t, char *,
size_t, char *, size_t, int);
extern struct hostent *getipnodebyaddr (const void *, size_t, int, int *);
extern struct hostent *getipnodebyname (const char *, int, int, int *);
extern int inet_pton (int, const char *, void *);
extern const char *inet_ntop (int, const void *, char *, size_t);
#endif /* HAVE_ADDRINFO */
/*
* Constants for getnameinfo()
*/
#ifndef NI_MAXHOST
#define NI_MAXHOST 1025
#endif
#ifndef NI_MAXSERV
#define NI_MAXSERV 32
#endif
/*
* Flag values for getnameinfo()
*/
#ifndef NI_NOFQDN
#define NI_NOFQDN 0x00000001
#endif
#ifndef NI_NUMERICHOST
#define NI_NUMERICHOST 0x00000002
#endif
#ifndef NI_NAMEREQD
#define NI_NAMEREQD 0x00000004
#endif
#ifndef NI_NUMERICSERV
#define NI_NUMERICSERV 0x00000008
#endif
#ifndef NI_DGRAM
#define NI_DGRAM 0x00000010
#endif
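Review bot: No include guard protects this header, so when HAVE_ADDRINFO is undefined a second inclusion in the same translation unit redefines `struct addrinfo` and the build fails; the two headers that follow it in this commit do guard themselves (`_NAMESER_H_`, `_BITTYPES_H`). Wrapping the whole file in `#ifndef ADDRINFO_COMPAT_H` / `#define ADDRINFO_COMPAT_H` ... `#endif` would fix that (the guard name is illustrative, not taken from the project). Separately, `#define NETDB_INTERNAL -1` is better written `#define NETDB_INTERNAL (-1)`, matching the parenthesised `CONV_OVERFLOW (-1)` style used in the name-server header.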


@@ -0,0 +1,349 @@
/*
* ++Copyright++ 1983, 1989, 1993
* -
* Copyright (c) 1983, 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
* -
* Portions Copyright (c) 1993 by Digital Equipment Corporation.
*
* Permission to use, copy, modify, and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies, and that
* the name of Digital Equipment Corporation not be used in advertising or
* publicity pertaining to distribution of the document or software without
* specific, written prior permission.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
* WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
* CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
* -
* --Copyright--
*/
/*
* @(#)nameser.h 8.1 (Berkeley) 6/2/93
* nameser.h,v 1.2 1995/05/06 14:23:54 hjl Exp
*/
#ifndef _NAMESER_H_
#define _NAMESER_H_
#ifndef WIN32
#include <sys/param.h>
#if (!defined(BSD)) || (BSD < 199306)
# include <sys/bitypes.h>
#else
# include <sys/types.h>
#endif
#include <sys/cdefs.h>
#else
#include <pcap-stdinc.h>
#define __LITTLE_ENDIAN 1
#define __BYTE_ORDER __LITTLE_ENDIAN
#endif
/*
* revision information. this is the release date in YYYYMMDD format.
* it can change every day so the right thing to do with it is use it
* in preprocessor commands such as "#if (__BIND > 19931104)". do not
* compare for equality; rather, use it to determine whether your resolver
* is new enough to contain a certain feature.
*/
#define __BIND 19940417 /* interface version stamp */
/*
* Define constants based on rfc883
*/
#define PACKETSZ 512 /* maximum packet size */
#define MAXDNAME 256 /* maximum domain name */
#define MAXCDNAME 255 /* maximum compressed domain name */
#define MAXLABEL 63 /* maximum length of domain label */
#define HFIXEDSZ 12 /* #/bytes of fixed data in header */
#define QFIXEDSZ 4 /* #/bytes of fixed data in query */
#define RRFIXEDSZ 10 /* #/bytes of fixed data in r record */
#define INT32SZ 4 /* for systems without 32-bit ints */
#define INT16SZ 2 /* for systems without 16-bit ints */
#define INADDRSZ 4 /* for sizeof(struct inaddr) != 4 */
/*
* Internet nameserver port number
*/
#define NAMESERVER_PORT 53
/*
* Currently defined opcodes
*/
#define QUERY 0x0 /* standard query */
#define IQUERY 0x1 /* inverse query */
#define STATUS 0x2 /* nameserver status query */
/*#define xxx 0x3 *//* 0x3 reserved */
#define NS_NOTIFY_OP 0x4 /* notify secondary of SOA change */
#ifdef ALLOW_UPDATES
/* non standard - supports ALLOW_UPDATES stuff from Mike Schwartz */
# define UPDATEA 0x9 /* add resource record */
# define UPDATED 0xa /* delete a specific resource record */
# define UPDATEDA 0xb /* delete all named resource record */
# define UPDATEM 0xc /* modify a specific resource record */
# define UPDATEMA 0xd /* modify all named resource record */
# define ZONEINIT 0xe /* initial zone transfer */
# define ZONEREF 0xf /* incremental zone referesh */
#endif
/*
* Currently defined response codes
*/
#ifdef HAVE_ADDRINFO
#define NOERROR 0 /* no error */
#endif /* HAVE_ADDRINFO */
#define FORMERR 1 /* format error */
#define SERVFAIL 2 /* server failure */
#define NXDOMAIN 3 /* non existent domain */
#define NOTIMP 4 /* not implemented */
#define REFUSED 5 /* query refused */
#ifdef ALLOW_UPDATES
/* non standard */
# define NOCHANGE 0xf /* update failed to change db */
#endif
/*
* Type values for resources and queries
*/
#define T_A 1 /* host address */
#define T_NS 2 /* authoritative server */
#define T_MD 3 /* mail destination */
#define T_MF 4 /* mail forwarder */
#define T_CNAME 5 /* canonical name */
#define T_SOA 6 /* start of authority zone */
#define T_MB 7 /* mailbox domain name */
#define T_MG 8 /* mail group member */
#define T_MR 9 /* mail rename name */
#define T_NULL 10 /* null resource record */
#define T_WKS 11 /* well known service */
#define T_PTR 12 /* domain name pointer */
#define T_HINFO 13 /* host information */
#define T_MINFO 14 /* mailbox information */
#define T_MX 15 /* mail routing information */
#define T_TXT 16 /* text strings */
#define T_RP 17 /* responsible person */
#define T_AFSDB 18 /* AFS cell database */
#define T_X25 19 /* X_25 calling address */
#define T_ISDN 20 /* ISDN calling address */
#define T_RT 21 /* router */
#define T_NSAP 22 /* NSAP address */
#define T_NSAP_PTR 23 /* reverse NSAP lookup (deprecated) */
#define T_SIG 24 /* security signature */
#define T_KEY 25 /* security key */
#define T_PX 26 /* X.400 mail mapping */
#define T_GPOS 27 /* geographical position (withdrawn) */
#define T_AAAA 28 /* IP6 Address */
#define T_LOC 29 /* Location Information */
/* non standard */
#define T_UINFO 100 /* user (finger) information */
#define T_UID 101 /* user ID */
#define T_GID 102 /* group ID */
#define T_UNSPEC 103 /* Unspecified format (binary data) */
/* Query type values which do not appear in resource records */
#define T_AXFR 252 /* transfer zone of authority */
#define T_MAILB 253 /* transfer mailbox records */
#define T_MAILA 254 /* transfer mail agent records */
#define T_ANY 255 /* wildcard match */
/*
* Values for class field
*/
#define C_IN 1 /* the arpa internet */
#define C_CHAOS 3 /* for chaos net (MIT) */
#define C_HS 4 /* for Hesiod name server (MIT) (XXX) */
/* Query class values which do not appear in resource records */
#define C_ANY 255 /* wildcard match */
/*
* Status return codes for T_UNSPEC conversion routines
*/
#define CONV_SUCCESS 0
#define CONV_OVERFLOW (-1)
#define CONV_BADFMT (-2)
#define CONV_BADCKSUM (-3)
#define CONV_BADBUFLEN (-4)
#ifndef __BYTE_ORDER
#if (BSD >= 199103)
# include <machine/endian.h>
#else
#ifdef linux
# include <endian.h>
#else
#define __LITTLE_ENDIAN 1234 /* least-significant byte first (vax, pc) */
#define __BIG_ENDIAN 4321 /* most-significant byte first (IBM, net) */
#define __PDP_ENDIAN 3412 /* LSB first in word, MSW first in long (pdp)*/
#if defined(vax) || defined(ns32000) || defined(sun386) || defined(i386) || \
defined(MIPSEL) || defined(_MIPSEL) || defined(BIT_ZERO_ON_RIGHT) || \
defined(__alpha__) || defined(__alpha)
#define __BYTE_ORDER __LITTLE_ENDIAN
#endif
#if defined(sel) || defined(pyr) || defined(mc68000) || defined(sparc) || \
defined(is68k) || defined(tahoe) || defined(ibm032) || defined(ibm370) || \
defined(MIPSEB) || defined(_MIPSEB) || defined(_IBMR2) || defined(DGUX) ||\
defined(apollo) || defined(__convex__) || defined(_CRAY) || \
defined(__hppa) || defined(__hp9000) || \
defined(__hp9000s300) || defined(__hp9000s700) || \
defined (BIT_ZERO_ON_LEFT) || defined(m68k)
#define __BYTE_ORDER __BIG_ENDIAN
#endif
#endif /* linux */
#endif /* BSD */
#endif /* __BYTE_ORDER */
#if !defined(__BYTE_ORDER) || \
(__BYTE_ORDER != __BIG_ENDIAN && __BYTE_ORDER != __LITTLE_ENDIAN && \
__BYTE_ORDER != __PDP_ENDIAN)
/* you must determine what the correct bit order is for
* your compiler - the next line is an intentional error
* which will force your compiles to bomb until you fix
* the above macros.
*/
error "Undefined or invalid __BYTE_ORDER";
#endif
/*
* Structure for query header. The order of the fields is machine- and
* compiler-dependent, depending on the byte/bit order and the layout
* of bit fields. We use bit fields only in int variables, as this
* is all ANSI requires. This requires a somewhat confusing rearrangement.
*/
typedef struct {
unsigned id :16; /* query identification number */
#if __BYTE_ORDER == __BIG_ENDIAN
/* fields in third byte */
unsigned qr: 1; /* response flag */
unsigned opcode: 4; /* purpose of message */
unsigned aa: 1; /* authoritive answer */
unsigned tc: 1; /* truncated message */
unsigned rd: 1; /* recursion desired */
/* fields in fourth byte */
unsigned ra: 1; /* recursion available */
unsigned pr: 1; /* primary server req'd (!standard) */
unsigned unused :2; /* unused bits (MBZ as of 4.9.3a3) */
unsigned rcode :4; /* response code */
#endif
#if __BYTE_ORDER == __LITTLE_ENDIAN || __BYTE_ORDER == __PDP_ENDIAN
/* fields in third byte */
unsigned rd :1; /* recursion desired */
unsigned tc :1; /* truncated message */
unsigned aa :1; /* authoritive answer */
unsigned opcode :4; /* purpose of message */
unsigned qr :1; /* response flag */
/* fields in fourth byte */
unsigned rcode :4; /* response code */
unsigned unused :2; /* unused bits (MBZ as of 4.9.3a3) */
unsigned pr :1; /* primary server req'd (!standard) */
unsigned ra :1; /* recursion available */
#endif
/* remaining bytes */
unsigned qdcount :16; /* number of question entries */
unsigned ancount :16; /* number of answer entries */
unsigned nscount :16; /* number of authority entries */
unsigned arcount :16; /* number of resource entries */
} HEADER;
/*
* Defines for handling compressed domain names
*/
#define INDIR_MASK 0xc0
/*
* Structure for passing resource records around.
*/
struct rrec {
int16_t r_zone; /* zone number */
int16_t r_class; /* class number */
int16_t r_type; /* type number */
u_int32_t r_ttl; /* time to live */
int r_size; /* size of data area */
char *r_data; /* pointer to data */
};
//extern u_int16_t _getshort __P((const u_char *));
//extern u_int32_t _getlong __P((const u_char *));
/*
* Inline versions of get/put short/long. Pointer is advanced.
*
* These macros demonstrate the property of C whereby it can be
* portable or it can be elegant but rarely both.
*/
#define GETSHORT(s, cp) { \
register u_char *t_cp = (u_char *)(cp); \
(s) = ((u_int16_t)t_cp[0] << 8) \
| ((u_int16_t)t_cp[1]) \
; \
(cp) += INT16SZ; \
}
#define GETLONG(l, cp) { \
register u_char *t_cp = (u_char *)(cp); \
(l) = ((u_int32_t)t_cp[0] << 24) \
| ((u_int32_t)t_cp[1] << 16) \
| ((u_int32_t)t_cp[2] << 8) \
| ((u_int32_t)t_cp[3]) \
; \
(cp) += INT32SZ; \
}
#define PUTSHORT(s, cp) { \
register u_int16_t t_s = (u_int16_t)(s); \
register u_char *t_cp = (u_char *)(cp); \
*t_cp++ = t_s >> 8; \
*t_cp = t_s; \
(cp) += INT16SZ; \
}
#define PUTLONG(l, cp) { \
register u_int32_t t_l = (u_int32_t)(l); \
register u_char *t_cp = (u_char *)(cp); \
*t_cp++ = t_l >> 24; \
*t_cp++ = t_l >> 16; \
*t_cp++ = t_l >> 8; \
*t_cp = t_l; \
(cp) += INT32SZ; \
}
#endif /* !_NAMESER_H_ */


@@ -0,0 +1,86 @@
/*
* Copyright (C) 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef _BITTYPES_H
#define _BITTYPES_H
#ifndef HAVE_U_INT8_T
#if SIZEOF_CHAR == 1
typedef unsigned char u_int8_t;
typedef signed char int8_t;
#elif SIZEOF_INT == 1
typedef unsigned int u_int8_t;
typedef signed int int8_t;
#else /* XXX */
#error "there's no appropriate type for u_int8_t"
#endif
#define HAVE_U_INT8_T 1
#define HAVE_INT8_T 1
#endif /* HAVE_U_INT8_T */
#ifndef HAVE_U_INT16_T
#if SIZEOF_SHORT == 2
typedef unsigned short u_int16_t;
typedef signed short int16_t;
#elif SIZEOF_INT == 2
typedef unsigned int u_int16_t;
typedef signed int int16_t;
#elif SIZEOF_CHAR == 2
typedef unsigned char u_int16_t;
typedef signed char int16_t;
#else /* XXX */
#error "there's no appropriate type for u_int16_t"
#endif
#define HAVE_U_INT16_T 1
#define HAVE_INT16_T 1
#endif /* HAVE_U_INT16_T */
#ifndef HAVE_U_INT32_T
#if SIZEOF_INT == 4
typedef unsigned int u_int32_t;
typedef signed int int32_t;
#elif SIZEOF_LONG == 4
typedef unsigned long u_int32_t;
typedef signed long int32_t;
#elif SIZEOF_SHORT == 4
typedef unsigned short u_int32_t;
typedef signed short int32_t;
#else /* XXX */
#error "there's no appropriate type for u_int32_t"
#endif
#define HAVE_U_INT32_T 1
#define HAVE_INT32_T 1
#endif /* HAVE_U_INT32_T */
#endif /* _BITTYPES_H */
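Review bot: Each block is guarded only by the unsigned macro (`#ifndef HAVE_U_INT8_T`, and likewise for the 16- and 32-bit blocks) but also typedefs the signed type, so a platform whose headers already provide `int8_t` without `u_int8_t` gets a conflicting second typedef. Guarding the signed typedefs on their own macro, e.g. `#ifndef HAVE_INT8_T` around `typedef signed char int8_t;`, avoids that. The `SIZEOF_*` tests also depend on the build configuration defining those macros before this header is included: an undefined macro evaluates to 0 in `#if`, so a missing config header surfaces as the misleading "there's no appropriate type" error. A comment at the top such as `/* requires SIZEOF_CHAR, SIZEOF_SHORT, SIZEOF_INT and SIZEOF_LONG from the configure header */` would make that dependency visible.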


@@ -0,0 +1,37 @@
/*
* Copyright (C) 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#ifndef HAVE_PORTABLE_PROTOTYPE
#if defined(__STDC__) || defined(__cplusplus)
#define __P(protos) protos /* full-blown ANSI C */
#else
#define __P(protos) () /* traditional C preprocessor */
#endif
#endif /* !HAVE_PORTABLE_PROTOTYPE */


@@ -0,0 +1,67 @@
/*
* Copyright (c) 1999 - 2003
* NetGroup, Politecnico di Torino (Italy)
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the Politecnico di Torino nor the names of its
* contributors may be used to endorse or promote products derived from
* this software without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
* "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
* LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR
* A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
* OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT
* LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE,
* DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY
* THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT
* (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE
* OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
*
*/
#include <sys/types.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <net/netdb.h>
#include <stdio.h>
#include <errno.h>
#include <arpa/nameser.h>
extern void _sethtent(int f);
extern void _endhtent(void);
extern struct hostent *_gethtent(void);
extern struct hostent *_gethtbyname(const char *name);
extern struct hostent *_gethtbyaddr(const char *addr, int len,
int type);
extern int _validuser(FILE *hostf, const char *rhost,
const char *luser, const char *ruser, int baselen);
extern int _checkhost(const char *rhost, const char *lhost, int len);
#if 0
extern void putlong(u_long l, u_char *msgp);
extern void putshort(u_short l, u_char *msgp);
extern u_int32_t _getlong(register const u_char *msgp);
extern u_int16_t _getshort(register const u_char *msgp);
extern void p_query(char *msg);
extern void fp_query(char *msg, FILE *file);
extern char *p_cdname(char *cp, char *msg, FILE *file);
extern char *p_rr(char *cp, char *msg, FILE *file);
extern char *p_type(int type);
extern char * p_class(int class);
extern char *p_time(u_long value);
#endif
extern char * hostalias(const char *name);
extern void sethostfile(char *name);
extern void _res_close (void);
extern void ruserpass(const char *host, char **aname, char **apass);


@@ -0,0 +1,159 @@
/*
* Copyright (c) 1993, 1994, 1997
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that: (1) source code distributions
* retain the above copyright notice and this paragraph in its entirety, (2)
* distributions including binary code include the above copyright notice and
* this paragraph in its entirety in the documentation or other materials
* provided with the distribution, and (3) all advertising materials mentioning
* features or use of this software display the following acknowledgement:
* ``This product includes software developed by the University of California,
* Lawrence Berkeley Laboratory and its contributors.'' Neither the name of
* the University nor the names of its contributors may be used to endorse
* or promote products derived from this software without specific prior
* written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR IMPLIED
* WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF
* MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*
* @(#) $Header$ (LBL)
*/
/*
* This file contains a collage of declarations for IPv6 from FreeBSD not present in Windows
*/
#include <winsock2.h>
#ifndef __MINGW32__
#include <ws2tcpip.h>
#endif /* __MINGW32__ */
#define IN_MULTICAST(a) IN_CLASSD(a)
#define IN_EXPERIMENTAL(a) ((((u_int32_t) (a)) & 0xe0000000) == 0xe0000000)
#define IN_LOOPBACKNET 127
#ifdef __MINGW32__
/* IPv6 address */
struct in6_addr
{
union
{
u_int8_t u6_addr8[16];
u_int16_t u6_addr16[8];
u_int32_t u6_addr32[4];
} in6_u;
#define s6_addr in6_u.u6_addr8
#define s6_addr16 in6_u.u6_addr16
#define s6_addr32 in6_u.u6_addr32
#define s6_addr64 in6_u.u6_addr64
};
#define IN6ADDR_ANY_INIT { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,0 }
#define IN6ADDR_LOOPBACK_INIT { 0,0,0,0,0,0,0,0,0,0,0,0,0,0,0,1 }
#endif /* __MINGW32__ */
#ifdef __MINGW32__
typedef unsigned short sa_family_t;
#define __SOCKADDR_COMMON(sa_prefix) \
sa_family_t sa_prefix##family
/* Ditto, for IPv6. */
struct sockaddr_in6
{
__SOCKADDR_COMMON (sin6_);
u_int16_t sin6_port; /* Transport layer port # */
u_int32_t sin6_flowinfo; /* IPv6 flow information */
struct in6_addr sin6_addr; /* IPv6 address */
};
#define IN6_IS_ADDR_V4MAPPED(a) \
((((u_int32_t *) (a))[0] == 0) && (((u_int32_t *) (a))[1] == 0) && \
(((u_int32_t *) (a))[2] == htonl (0xffff)))
#define IN6_IS_ADDR_MULTICAST(a) (((u_int8_t *) (a))[0] == 0xff)
#define IN6_IS_ADDR_LINKLOCAL(a) \
((((u_int32_t *) (a))[0] & htonl (0xffc00000)) == htonl (0xfe800000))
#define IN6_IS_ADDR_LOOPBACK(a) \
(((u_int32_t *) (a))[0] == 0 && ((u_int32_t *) (a))[1] == 0 && \
((u_int32_t *) (a))[2] == 0 && ((u_int32_t *) (a))[3] == htonl (1))
#endif /* __MINGW32__ */
#define ip6_vfc ip6_ctlun.ip6_un2_vfc
#define ip6_flow ip6_ctlun.ip6_un1.ip6_un1_flow
#define ip6_plen ip6_ctlun.ip6_un1.ip6_un1_plen
#define ip6_nxt ip6_ctlun.ip6_un1.ip6_un1_nxt
#define ip6_hlim ip6_ctlun.ip6_un1.ip6_un1_hlim
#define ip6_hops ip6_ctlun.ip6_un1.ip6_un1_hlim
#define nd_rd_type nd_rd_hdr.icmp6_type
#define nd_rd_code nd_rd_hdr.icmp6_code
#define nd_rd_cksum nd_rd_hdr.icmp6_cksum
#define nd_rd_reserved nd_rd_hdr.icmp6_data32[0]
/*
* IPV6 extension headers
*/
#define IPPROTO_HOPOPTS 0 /* IPv6 hop-by-hop options */
#define IPPROTO_IPV6 41 /* IPv6 header. */
#define IPPROTO_ROUTING 43 /* IPv6 routing header */
#define IPPROTO_FRAGMENT 44 /* IPv6 fragmentation header */
#define IPPROTO_ESP 50 /* encapsulating security payload */
#define IPPROTO_AH 51 /* authentication header */
#define IPPROTO_ICMPV6 58 /* ICMPv6 */
#define IPPROTO_NONE 59 /* IPv6 no next header */
#define IPPROTO_DSTOPTS 60 /* IPv6 destination options */
#define IPPROTO_PIM 103 /* Protocol Independent Multicast. */
#define IPV6_RTHDR_TYPE_0 0
/* Option types and related macros */
#define IP6OPT_PAD1 0x00 /* 00 0 00000 */
#define IP6OPT_PADN 0x01 /* 00 0 00001 */
#define IP6OPT_JUMBO 0xC2 /* 11 0 00010 = 194 */
#define IP6OPT_JUMBO_LEN 6
#define IP6OPT_ROUTER_ALERT 0x05 /* 00 0 00101 */
#define IP6OPT_RTALERT_LEN 4
#define IP6OPT_RTALERT_MLD 0 /* Datagram contains an MLD message */
#define IP6OPT_RTALERT_RSVP 1 /* Datagram contains an RSVP message */
#define IP6OPT_RTALERT_ACTNET 2 /* contains an Active Networks msg */
#define IP6OPT_MINLEN 2
#define IP6OPT_BINDING_UPDATE 0xc6 /* 11 0 00110 */
#define IP6OPT_BINDING_ACK 0x07 /* 00 0 00111 */
#define IP6OPT_BINDING_REQ 0x08 /* 00 0 01000 */
#define IP6OPT_HOME_ADDRESS 0xc9 /* 11 0 01001 */
#define IP6OPT_EID 0x8a /* 10 0 01010 */
#define IP6OPT_TYPE(o) ((o) & 0xC0)
#define IP6OPT_TYPE_SKIP 0x00
#define IP6OPT_TYPE_DISCARD 0x40
#define IP6OPT_TYPE_FORCEICMP 0x80
#define IP6OPT_TYPE_ICMP 0xC0
#define IP6OPT_MUTABLE 0x20
#ifdef __MINGW32__
#ifndef EAI_ADDRFAMILY
struct addrinfo {
int ai_flags; /* AI_PASSIVE, AI_CANONNAME */
int ai_family; /* PF_xxx */
int ai_socktype; /* SOCK_xxx */
int ai_protocol; /* 0 or IPPROTO_xxx for IPv4 and IPv6 */
size_t ai_addrlen; /* length of ai_addr */
char *ai_canonname; /* canonical name for hostname */
struct sockaddr *ai_addr; /* binary address */
struct addrinfo *ai_next; /* next structure in linked list */
};
#endif
#endif /* __MINGW32__ */
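Review bot: `#define s6_addr64 in6_u.u6_addr64` in the MinGW `struct in6_addr` names a union member that is never declared (the union holds only `u6_addr8`, `u6_addr16` and `u6_addr32`), so any use of `s6_addr64` fails to compile; either drop that define or add the matching member. The `IN6_IS_ADDR_V4MAPPED`, `IN6_IS_ADDR_LINKLOCAL` and `IN6_IS_ADDR_LOOPBACK` macros cast their argument to `u_int32_t *`, which assumes the address is 4-byte aligned. If they are ever applied to an address that sits at an arbitrary offset in a packet buffer, that is a misaligned read, so a byte-wise test in the style of `IN6_IS_ADDR_MULTICAST` is the safer form. The MinGW `struct sockaddr_in6` also has no `sin6_scope_id`; if that omission is deliberate it deserves a comment, since the structure is then smaller than the RFC 2553 layout.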


@@ -0,0 +1,230 @@
/*
* Copyright (c) 1982, 1986, 1989, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)if.h 8.1 (Berkeley) 6/10/93
* $FreeBSD: src/sys/net/if.h,v 1.49.2.1 1999/08/29 16:28:15 peter Exp $
*/
#ifndef _NET_IF_H_
#define _NET_IF_H_
/*
* <net/if.h> does not depend on <sys/time.h> on most other systems. This
* helps userland compatability. (struct timeval ifi_lastchange)
*/
#ifndef KERNEL
#include <pcap-stdinc.h>
#endif
/*
* Structure describing information about an interface
* which may be of interest to management entities.
*/
struct if_data {
/* generic interface information */
u_char ifi_type; /* ethernet, tokenring, etc */
u_char ifi_physical; /* e.g., AUI, Thinnet, 10base-T, etc */
u_char ifi_addrlen; /* media address length */
u_char ifi_hdrlen; /* media header length */
u_char ifi_recvquota; /* polling quota for receive intrs */
u_char ifi_xmitquota; /* polling quota for xmit intrs */
u_long ifi_mtu; /* maximum transmission unit */
u_long ifi_metric; /* routing metric (external only) */
u_long ifi_baudrate; /* linespeed */
/* volatile statistics */
u_long ifi_ipackets; /* packets received on interface */
u_long ifi_ierrors; /* input errors on interface */
u_long ifi_opackets; /* packets sent on interface */
u_long ifi_oerrors; /* output errors on interface */
u_long ifi_collisions; /* collisions on csma interfaces */
u_long ifi_ibytes; /* total number of octets received */
u_long ifi_obytes; /* total number of octets sent */
u_long ifi_imcasts; /* packets received via multicast */
u_long ifi_omcasts; /* packets sent via multicast */
u_long ifi_iqdrops; /* dropped on input, this interface */
u_long ifi_noproto; /* destined for unsupported protocol */
u_long ifi_recvtiming; /* usec spent receiving when timing */
u_long ifi_xmittiming; /* usec spent xmitting when timing */
struct timeval ifi_lastchange; /* time of last administrative change */
};
/* ws2tcpip.h has interface flags: IFF_* */
#if 0
#define IFF_UP 0x1 /* interface is up */
#define IFF_BROADCAST 0x2 /* broadcast address valid */
#define IFF_DEBUG 0x4 /* turn on debugging */
#define IFF_LOOPBACK 0x8 /* is a loopback net */
#define IFF_POINTOPOINT 0x10 /* interface is point-to-point link */
/*#define IFF_NOTRAILERS 0x20 * obsolete: avoid use of trailers */
#define IFF_RUNNING 0x40 /* resources allocated */
#define IFF_NOARP 0x80 /* no address resolution protocol */
#define IFF_PROMISC 0x100 /* receive all packets */
#define IFF_ALLMULTI 0x200 /* receive all multicast packets */
#define IFF_OACTIVE 0x400 /* transmission in progress */
#define IFF_SIMPLEX 0x800 /* can't hear own transmissions */
#define IFF_LINK0 0x1000 /* per link layer defined bit */
#define IFF_LINK1 0x2000 /* per link layer defined bit */
#define IFF_LINK2 0x4000 /* per link layer defined bit */
#define IFF_ALTPHYS IFF_LINK2 /* use alternate physical connection */
#define IFF_MULTICAST 0x8000 /* supports multicast */
#endif /* 0 */
/* flags set internally only: */
#define IFF_CANTCHANGE \
(IFF_BROADCAST|IFF_POINTOPOINT|IFF_RUNNING|IFF_OACTIVE|\
IFF_SIMPLEX|IFF_MULTICAST|IFF_ALLMULTI)
#define IFQ_MAXLEN 50
#define IFNET_SLOWHZ 1 /* granularity is 1 second */
/*
* Message format for use in obtaining information about interfaces
* from getkerninfo and the routing socket
*/
struct if_msghdr {
u_short ifm_msglen; /* to skip over non-understood messages */
u_char ifm_version; /* future binary compatability */
u_char ifm_type; /* message type */
int ifm_addrs; /* like rtm_addrs */
int ifm_flags; /* value of if_flags */
u_short ifm_index; /* index for associated ifp */
struct if_data ifm_data;/* statistics and other data about if */
};
/*
* Message format for use in obtaining information about interface addresses
* from getkerninfo and the routing socket
*/
struct ifa_msghdr {
u_short ifam_msglen; /* to skip over non-understood messages */
u_char ifam_version; /* future binary compatability */
u_char ifam_type; /* message type */
int ifam_addrs; /* like rtm_addrs */
int ifam_flags; /* value of ifa_flags */
u_short ifam_index; /* index for associated ifp */
int ifam_metric; /* value of ifa_metric */
};
/*
* Message format for use in obtaining information about multicast addresses
* from the routing socket
*/
struct ifma_msghdr {
u_short ifmam_msglen; /* to skip over non-understood messages */
u_char ifmam_version; /* future binary compatability */
u_char ifmam_type; /* message type */
int ifmam_addrs; /* like rtm_addrs */
int ifmam_flags; /* value of ifa_flags */
u_short ifmam_index; /* index for associated ifp */
};
/*
* Interface request structure used for socket
* ioctl's. All interface ioctl's must have parameter
* definitions which begin with ifr_name. The
* remainder may be interface specific.
*/
struct ifreq {
#define IFNAMSIZ 16
char ifr_name[IFNAMSIZ]; /* if name, e.g. "en0" */
union {
struct sockaddr ifru_addr;
struct sockaddr ifru_dstaddr;
struct sockaddr ifru_broadaddr;
short ifru_flags;
int ifru_metric;
int ifru_mtu;
int ifru_phys;
int ifru_media;
caddr_t ifru_data;
} ifr_ifru;
#define ifr_addr ifr_ifru.ifru_addr /* address */
#define ifr_dstaddr ifr_ifru.ifru_dstaddr /* other end of p-to-p link */
#define ifr_broadaddr ifr_ifru.ifru_broadaddr /* broadcast address */
#define ifr_flags ifr_ifru.ifru_flags /* flags */
#define ifr_metric ifr_ifru.ifru_metric /* metric */
#define ifr_mtu ifr_ifru.ifru_mtu /* mtu */
#define ifr_phys ifr_ifru.ifru_phys /* physical wire */
#define ifr_media ifr_ifru.ifru_media /* physical media */
#define ifr_data ifr_ifru.ifru_data /* for use by interface */
};
#define _SIZEOF_ADDR_IFREQ(ifr) \
((ifr).ifr_addr.sa_len > sizeof(struct sockaddr) ? \
(sizeof(struct ifreq) - sizeof(struct sockaddr) + \
(ifr).ifr_addr.sa_len) : sizeof(struct ifreq))
struct ifaliasreq {
char ifra_name[IFNAMSIZ]; /* if name, e.g. "en0" */
struct sockaddr ifra_addr;
struct sockaddr ifra_broadaddr;
struct sockaddr ifra_mask;
};
struct ifmediareq {
char ifm_name[IFNAMSIZ]; /* if name, e.g. "en0" */
int ifm_current; /* current media options */
int ifm_mask; /* don't care mask */
int ifm_status; /* media status */
int ifm_active; /* active options */
int ifm_count; /* # entries in ifm_ulist array */
int *ifm_ulist; /* media words */
};
/*
* Structure used in SIOCGIFCONF request.
* Used to retrieve interface configuration
* for machine (useful for programs which
* must know all networks accessible).
*/
struct ifconf {
int ifc_len; /* size of associated buffer */
union {
caddr_t ifcu_buf;
struct ifreq *ifcu_req;
} ifc_ifcu;
#define ifc_buf ifc_ifcu.ifcu_buf /* buffer address */
#define ifc_req ifc_ifcu.ifcu_req /* array of structures returned */
};
#ifdef KERNEL
#ifdef MALLOC_DECLARE
MALLOC_DECLARE(M_IFADDR);
MALLOC_DECLARE(M_IFMADDR);
#endif
#endif
/* XXX - this should go away soon */
#ifdef KERNEL
#include <net/if_var.h>
#endif
#endif /* !_NET_IF_H_ */


@@ -0,0 +1,164 @@
/*-
* Copyright (c) 1980, 1983, 1988, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)netdb.h 8.1 (Berkeley) 6/2/93
* netdb.h,v 1.4 1995/08/14 04:05:04 hjl Exp
* -
* Portions Copyright (c) 1993 by Digital Equipment Corporation.
*
* Permission to use, copy, modify and distribute this software for any
* purpose with or without fee is hereby granted, provided that the above
* copyright notice and this permission notice appear in all copies, and that
* the name of Digital Equipment Corporation not be used in advertising or
* publicity pertaining to distribution of the document or software without
* specific, written prior permission.
*
* THE SOFTWARE IS PROVIDED "AS IS" AND DIGITAL EQUIPMENT CORP. DISCLAIMS ALL
* WARRANTIES WITH REGARD TO THIS SOFTWARE, INCLUDING ALL IMPLIED WARRANTIES
* OF MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL DIGITAL EQUIPMENT
* CORPORATION BE LIABLE FOR ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL
* DAMAGES OR ANY DAMAGES WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR
* PROFITS, WHETHER IN AN ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS
* ACTION, ARISING OUT OF OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS
* SOFTWARE.
* -
* --Copyright--
*/
#ifndef _NETDB_H_
#define _NETDB_H_
#if defined(_POSIX_THREAD_SAFE_FUNCTIONS) || defined(_REENTRANT)
#include <stdio.h>
#include <netinet/in.h>
#endif
#include <winsock2.h>
#include <net/paths.h>
#define _PATH_HEQUIV __PATH_ETC_INET"/hosts.equiv"
#define _PATH_HOSTS __PATH_ETC_INET"/hosts"
#define _PATH_NETWORKS __PATH_ETC_INET"/networks"
#define _PATH_PROTOCOLS __PATH_ETC_INET"/protocols"
#define _PATH_SERVICES __PATH_ETC_INET"/services"
#define _PATH_RESCONF __PATH_ETC_INET"/resolv.conf"
#define _PATH_RPC __PATH_ETC_INET"/rpc"
struct rpcent {
char *r_name; /* name of server for this rpc program */
char **r_aliases; /* alias list */
int r_number; /* rpc program number */
};
#ifndef WIN32
#if defined(_POSIX_THREAD_SAFE_FUNCTIONS) || defined(_REENTRANT)
#define __NETDB_MAXALIASES 35
#define __NETDB_MAXADDRS 35
/*
* Error return codes from gethostbyname() and gethostbyaddr()
* (left in extern int h_errno).
*/
#define h_errno (*__h_errno_location ())
#else
extern int h_errno;
#endif
#endif
#define NETDB_INTERNAL -1 /* see errno */
#define NETDB_SUCCESS 0 /* no problem */
//#include <features.h>
void endhostent (void);
void endnetent (void);
void endprotoent (void);
void endservent (void);
void endrpcent (void);
struct hostent *gethostent (void);
struct netent *getnetbyaddr (long, int); /* u_long? */
struct netent *getnetbyname (const char *);
struct netent *getnetent (void);
struct protoent *getprotoent (void);
struct servent *getservent (void);
struct rpcent *getrpcent (void);
struct rpcent *getrpcbyname (const char *);
struct rpcent *getrpcbynumber (int);
void herror (const char *);
void sethostent (int);
/* void sethostfile (const char *); */
void setnetent (int);
void setprotoent (int);
void setservent (int);
void setrpcent (int);
#if defined(_POSIX_THREAD_SAFE_FUNCTIONS) || defined(_REENTRANT)
struct hostent *gethostbyaddr_r (const char *__addr,
int __length, int __type,
struct hostent *__result,
char *__buffer, int __buflen, int *__h_errnop);
struct hostent *gethostbyname_r (const char * __name,
struct hostent *__result, char *__buffer,
int __buflen, int *__h_errnop);
struct hostent *gethostent_r (struct hostent *__result,
char *__buffer, int __buflen, int *__h_errnop);
struct netent *getnetbyaddr_r (long __net, int __type,
struct netent *__result, char *__buffer,
int __buflen);
struct netent *getnetbyname_r (const char * __name,
struct netent *__result, char *__buffer,
int __buflen);
struct netent *getnetent_r (struct netent *__result,
char *__buffer, int __buflen);
struct protoent *getprotobyname_r (const char * __name,
struct protoent *__result, char *__buffer,
int __buflen);
struct protoent *getprotobynumber_r (int __proto,
struct protoent *__result, char *__buffer,
int __buflen);
struct protoent *getprotoent_r (struct protoent *__result,
char *__buffer, int __buflen);
struct servent *getservbyname_r (const char * __name,
const char *__proto, struct servent *__result,
char *__buffer, int __buflen);
struct servent *getservbyport_r (int __port,
const char *__proto, struct servent *__result,
char *__buffer, int __buflen);
struct servent *getservent_r (struct servent *__result,
char *__buffer, int __buflen);
int *__h_errno_location (void);
#endif
#endif /* !_NETDB_H_ */


@@ -0,0 +1,105 @@
/*
* Copyright (c) 1989 The Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*
* @(#)paths.h 5.15 (Berkeley) 5/29/91
*/
#ifndef _PATHS_H_
#define _PATHS_H_
#if 0
#define __PATH_ETC_INET "/usr/etc/inet"
#else
#define __PATH_ETC_INET "/etc"
#endif
/* Default search path. */
#define _PATH_DEFPATH "/usr/local/bin:/usr/bin:/bin:."
#define _PATH_DEFPATH_ROOT "/sbin:/bin:/usr/sbin:/usr/bin"
#define _PATH_BSHELL "/bin/sh"
#define _PATH_CONSOLE "/dev/console"
#define _PATH_CSHELL "/bin/csh"
#define _PATH_DEVDB "/var/run/dev.db"
#define _PATH_DEVNULL "/dev/null"
#define _PATH_DRUM "/dev/drum"
#define _PATH_HEQUIV __PATH_ETC_INET"/hosts.equiv"
#define _PATH_KMEM "/dev/kmem"
#define _PATH_MAILDIR "/var/spool/mail"
#define _PATH_MAN "/usr/man"
#define _PATH_MEM "/dev/mem"
#define _PATH_LOGIN "/bin/login"
#define _PATH_NOLOGIN "/etc/nologin"
#define _PATH_SENDMAIL "/usr/sbin/sendmail"
#define _PATH_SHELLS "/etc/shells"
#define _PATH_TTY "/dev/tty"
#define _PATH_UNIX "/vmlinux"
#define _PATH_VI "/usr/bin/vi"
/* Provide trailing slash, since mostly used for building pathnames. */
#define _PATH_DEV "/dev/"
#define _PATH_TMP "/tmp/"
#define _PATH_VARRUN "/var/run/"
#define _PATH_VARTMP "/var/tmp/"
#define _PATH_KLOG "/proc/kmsg"
#define _PATH_LOGCONF __PATH_ETC_INET"/syslog.conf"
#if 0
#define _PATH_LOGPID __PATH_ETC_INET"/syslog.pid"
#else
#define _PATH_LOGPID "/var/run/syslog.pid"
#endif
#define _PATH_LOG "/dev/log"
#define _PATH_CONSOLE "/dev/console"
#if 0
#define _PATH_UTMP "/var/adm/utmp"
#define _PATH_WTMP "/var/adm/wtmp"
#define _PATH_LASTLOG "/var/adm/lastlog"
#else
#define _PATH_UTMP "/var/run/utmp"
#define _PATH_WTMP "/var/log/wtmp"
#define _PATH_LASTLOG "/var/log/lastlog"
#endif
#define _PATH_LOCALE "/usr/lib/locale"
#define _PATH_RWHODIR "/var/spool/rwho"
#if _MIT_POSIX_THREADS
/* For the MIT pthreads */
#define _PATH_PTY "/dev/"
#define _PATH_TZDIR "/usr/lib/zoneinfo"
#define _PATH_TZFILE "/usr/lib/zoneinfo/localtime"
#endif
#endif /* !_PATHS_H_ */
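Review bot: `_PATH_DEFPATH` ends in `.`, so any caller that falls back to it as a command search path will resolve program names against the current working directory, and whatever file happens to be there can shadow the intended binary. Unless something depends on that entry, it should be dropped: `#define _PATH_DEFPATH "/usr/local/bin:/usr/bin:/bin"`. `_PATH_CONSOLE` is also defined twice in this file with the same value, and the second definition can go.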


@@ -0,0 +1,38 @@
/*
* Copyright (C) 1999 WIDE Project.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. Neither the name of the project nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE PROJECT AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE PROJECT OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
struct sockaddr_storage {
#ifdef HAVE_SOCKADDR_SA_LEN
u_int8_t __ss_len;
u_int8_t __ss_family;
u_int8_t fill[126];
#else
u_int8_t __ss_family;
u_int8_t fill[127];
#endif /* HAVE_SOCKADDR_SA_LEN */
};
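Review bot: Every member of this `struct sockaddr_storage` is a `u_int8_t`, so the type has an alignment requirement of one byte, and a buffer declared with it may be misaligned when cast to `struct sockaddr_in` or `struct sockaddr_in6`. The usual definition reserves part of the padding for an aligned member, for example `u_int64_t __ss_align;`, with the `fill` arrays shrunk so the total stays 128 bytes in both `HAVE_SOCKADDR_SA_LEN` branches. Whether a 64-bit type is in scope where this header is included is not visible here and should be confirmed.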


@@ -0,0 +1,168 @@
# Microsoft Developer Studio Project File - Name="libpcap" - Package Owner=<4>
# Microsoft Developer Studio Generated Build File, Format Version 6.00
# ** DO NOT EDIT **
# TARGTYPE "Win32 (x86) Static Library" 0x0104
CFG=libpcap - Win32 Debug
!MESSAGE This is not a valid makefile. To build this project using NMAKE,
!MESSAGE use the Export Makefile command and run
!MESSAGE
!MESSAGE NMAKE /f "libpcap.mak".
!MESSAGE
!MESSAGE You can specify a configuration when running NMAKE
!MESSAGE by defining the macro CFG on the command line. For example:
!MESSAGE
!MESSAGE NMAKE /f "libpcap.mak" CFG="libpcap - Win32 Debug"
!MESSAGE
!MESSAGE Possible choices for configuration are:
!MESSAGE
!MESSAGE "libpcap - Win32 Release" (based on "Win32 (x86) Static Library")
!MESSAGE "libpcap - Win32 Debug" (based on "Win32 (x86) Static Library")
!MESSAGE
# Begin Project
# PROP AllowPerConfigDependencies 0
# PROP Scc_ProjName ""
# PROP Scc_LocalPath ""
CPP=cl.exe
RSC=rc.exe
!IF "$(CFG)" == "libpcap - Win32 Release"
# PROP BASE Use_MFC 0
# PROP BASE Use_Debug_Libraries 0
# PROP BASE Output_Dir "Release"
# PROP BASE Intermediate_Dir "Release"
# PROP BASE Target_Dir ""
# PROP Use_MFC 0
# PROP Use_Debug_Libraries 0
# PROP Output_Dir "Release"
# PROP Intermediate_Dir "Release"
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /GX /O2 /D "WIN32" /D "NDEBUG" /D "_MBCS" /D "_LIB" /YX /FD /c
# ADD CPP /nologo /MT /W3 /GX /O2 /I "../../" /I "../../lbl/" /I "../../bpf/" /I "../include/" /I "../../../../common" /D "NDEBUG" /D "YY_NEVER_INTERACTIVE" /D yylval=pcap_lval /D "_USRDLL" /D "LIBPCAP_EXPORTS" /D "HAVE_STRERROR" /D "__STDC__" /D "INET6" /D "_WINDOWS" /D "_MBCS" /D SIZEOF_CHAR=1 /D SIZEOF_SHORT=2 /D SIZEOF_INT=4 /D "HAVE_ADDRINFO" /D "WIN32" /D _U_= /D "HAVE_SNPRINTF" /D "HAVE_VSNPRINTF" /YX /FD /c
# ADD BASE RSC /l 0x409 /d "NDEBUG"
# ADD RSC /l 0x409 /d "NDEBUG"
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LIB32=link.exe -lib
# ADD BASE LIB32 /nologo
# ADD LIB32 /nologo
!ELSEIF "$(CFG)" == "libpcap - Win32 Debug"
# PROP BASE Use_MFC 0
# PROP BASE Use_Debug_Libraries 1
# PROP BASE Output_Dir "Debug"
# PROP BASE Intermediate_Dir "Debug"
# PROP BASE Target_Dir ""
# PROP Use_MFC 0
# PROP Use_Debug_Libraries 1
# PROP Output_Dir "Debug"
# PROP Intermediate_Dir "Debug"
# PROP Target_Dir ""
# ADD BASE CPP /nologo /W3 /Gm /GX /ZI /Od /D "WIN32" /D "_DEBUG" /D "_MBCS" /D "_LIB" /YX /FD /GZ /c
# ADD CPP /nologo /MTd /W3 /Gm /GX /ZI /Od /I "../../" /I "../../lbl/" /I "../../bpf/" /I "../include/" /I "../../../../common" /D "_DEBUG" /D "YY_NEVER_INTERACTIVE" /D yylval=pcap_lval /D "_USRDLL" /D "LIBPCAP_EXPORTS" /D "HAVE_STRERROR" /D "__STDC__" /D "INET6" /D "_WINDOWS" /D "_MBCS" /D SIZEOF_CHAR=1 /D SIZEOF_SHORT=2 /D SIZEOF_INT=4 /D "HAVE_ADDRINFO" /D "WIN32" /D _U_= /D "HAVE_SNPRINTF" /D "HAVE_VSNPRINTF" /YX /FD /GZ /c
# ADD BASE RSC /l 0x409 /d "_DEBUG"
# ADD RSC /l 0x409 /d "_DEBUG"
BSC32=bscmake.exe
# ADD BASE BSC32 /nologo
# ADD BSC32 /nologo
LIB32=link.exe -lib
# ADD BASE LIB32 /nologo
# ADD LIB32 /nologo
!ENDIF
# Begin Target
# Name "libpcap - Win32 Release"
# Name "libpcap - Win32 Debug"
# Begin Source File
SOURCE=..\..\bpf_dump.c
# End Source File
# Begin Source File
SOURCE=..\..\bpf\net\bpf_filter.c
# End Source File
# Begin Source File
SOURCE=..\..\bpf_image.c
# End Source File
# Begin Source File
SOURCE=..\..\etherent.c
# End Source File
# Begin Source File
SOURCE="..\..\fad-win32.c"
# End Source File
# Begin Source File
SOURCE=..\Src\ffs.c
# End Source File
# Begin Source File
SOURCE=..\..\gencode.c
# End Source File
# Begin Source File
SOURCE=..\Src\getnetbynm.c
# End Source File
# Begin Source File
SOURCE=..\Src\getnetent.c
# End Source File
# Begin Source File
SOURCE=..\Src\getservent.c
# End Source File
# Begin Source File
SOURCE=..\..\grammar.c
# End Source File
# Begin Source File
SOURCE=..\..\inet.c
# End Source File
# Begin Source File
SOURCE=..\Src\inet_aton.c
# End Source File
# Begin Source File
SOURCE=..\Src\inet_net.c
# End Source File
# Begin Source File
SOURCE=..\Src\inet_pton.c
# End Source File
# Begin Source File
SOURCE=..\..\nametoaddr.c
# End Source File
# Begin Source File
SOURCE=..\..\optimize.c
# End Source File
# Begin Source File
SOURCE="..\..\Pcap-win32.c"
# End Source File
# Begin Source File
SOURCE=..\..\pcap.c
# End Source File
# Begin Source File
SOURCE=..\..\savefile.c
# End Source File
# Begin Source File
SOURCE=..\..\scanner.c
# End Source File
# End Target
# End Project


@@ -0,0 +1,29 @@
Microsoft Developer Studio Workspace File, Format Version 6.00
# WARNING: DO NOT EDIT OR DELETE THIS WORKSPACE FILE!
###############################################################################
Project: "libpcap"=".\libpcap.dsp" - Package Owner=<4>
Package=<5>
{{{
}}}
Package=<4>
{{{
}}}
###############################################################################
Global:
Package=<5>
{{{
}}}
Package=<3>
{{{
}}}
###############################################################################


@@ -0,0 +1,54 @@
/*-
* Copyright (c) 1990, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)ffs.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */
#include <string.h>
/*
* ffs -- vax ffs instruction
*/
int
ffs(mask)
register int mask;
{
register int bit;
if (mask == 0)
return(0);
for (bit = 1; !(mask & 1); bit++)
mask >>= 1;
return(bit);
}
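Review bot: In ffs() the loop applies `mask >>= 1` to a signed `int`, and the result of right-shifting a negative value is implementation-defined, so the scan for masks with the top bit set relies on compiler behaviour rather than the language. Running the loop on an unsigned copy, `unsigned int m = (unsigned int)mask;` with `m >>= 1`, gives the same answers without that dependency. The K&R parameter list could become a prototype, `int ffs(int mask)`, so callers get argument checking.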

File diff suppressed because it is too large Load Diff


@@ -0,0 +1,44 @@
/*
* Copyright (c) 1983 Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that the above copyright notice and this paragraph are
* duplicated in all such forms and that any documentation,
* advertising materials, and other materials related to such
* distribution and use acknowledge that the software was developed
* by the University of California, Berkeley. The name of the
* University may not be used to endorse or promote products derived
* from this software without specific prior written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)getnetbyname.c 5.5 (Berkeley) 6/27/88";
#endif /* LIBC_SCCS and not lint */
#include "inetprivate.h"
extern int _net_stayopen;
struct netent *
getnetbyname(const char *name)
{
register struct netent *p;
register char **cp;
setnetent(_net_stayopen);
while (p = getnetent()) {
if (strcmp(p->n_name, name) == 0)
break;
for (cp = p->n_aliases; *cp != 0; cp++)
if (strcmp(*cp, name) == 0)
goto found;
}
found:
if (!_net_stayopen)
endnetent();
return (p);
}
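Review bot: The loop condition in getnetbyname(), `while (p = getnetent())`, uses a bare assignment as the test, which reads like a mistyped comparison and triggers compiler warnings; `while ((p = getnetent()) != NULL)` states the intent. The same pattern appears as `while (c = *cp)` in any() in the getnetent file section of this commit. The function would also benefit from a header comment saying that `name` must be non-NULL (it is passed straight to `strcmp`) and that the returned entry points at static storage that the next getnetent() call overwrites, as the `static struct netent net` in that section shows.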


@@ -0,0 +1,119 @@
/*
* Copyright (c) 1983 Regents of the University of California.
* All rights reserved.
*
* Redistribution and use in source and binary forms are permitted
* provided that the above copyright notice and this paragraph are
* duplicated in all such forms and that any documentation,
* advertising materials, and other materials related to such
* distribution and use acknowledge that the software was developed
* by the University of California, Berkeley. The name of the
* University may not be used to endorse or promote products derived
* from this software without specific prior written permission.
* THIS SOFTWARE IS PROVIDED ``AS IS'' AND WITHOUT ANY EXPRESS OR
* IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED
* WARRANTIES OF MERCHANTIBILITY AND FITNESS FOR A PARTICULAR PURPOSE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)getnetent.c 5.5 (Berkeley) 6/27/88";
#endif /* LIBC_SCCS and not lint */
#include "inetprivate.h"
#define MAXALIASES 35
static char NETDB[] = _PATH_NETWORKS;
static FILE *netf = NULL;
static char line[BUFSIZ+1];
static struct netent net;
static char *net_aliases[MAXALIASES];
static char *any(char *, char *);
int _net_stayopen;
extern u_int32_t inet_network(const char *cp);
void
setnetent(f)
int f;
{
if (netf == NULL)
netf = fopen(NETDB, "r" );
else
rewind(netf);
_net_stayopen |= f;
}
void
endnetent()
{
if (netf) {
fclose(netf);
netf = NULL;
}
_net_stayopen = 0;
}
struct netent *
getnetent()
{
char *p;
register char *cp, **q;
if (netf == NULL && (netf = fopen(NETDB, "r" )) == NULL)
return (NULL);
again:
p = fgets(line, BUFSIZ, netf);
if (p == NULL)
return (NULL);
if (*p == '#')
goto again;
cp = any(p, "#\n");
if (cp == NULL)
goto again;
*cp = '\0';
net.n_name = p;
cp = any(p, " \t");
if (cp == NULL)
goto again;
*cp++ = '\0';
while (*cp == ' ' || *cp == '\t')
cp++;
p = any(cp, " \t");
if (p != NULL)
*p++ = '\0';
net.n_net = inet_network(cp);
net.n_addrtype = AF_INET;
q = net.n_aliases = net_aliases;
if (p != NULL)
cp = p;
while (cp && *cp) {
if (*cp == ' ' || *cp == '\t') {
cp++;
continue;
}
if (q < &net_aliases[MAXALIASES - 1])
*q++ = cp;
cp = any(cp, " \t");
if (cp != NULL)
*cp++ = '\0';
}
*q = NULL;
return (&net);
}
static char *
any(cp, match)
register char *cp;
char *match;
{
register char *mp, c;
while (c = *cp) {
for (mp = match; *mp; mp++)
if (*mp == c)
return (cp);
cp++;
}
return ((char *)0);
}
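Review bot: getnetent() never discards the unread tail of a line longer than BUFSIZ-1 characters, so after `fgets` returns the first chunk, the next pass through `again` parses the remainder of that line as if it were a new record. An overlong entry or comment in the networks file can therefore produce an entry built from the middle of a line. Draining up to the newline whenever the chunk holds no `'\n'` keeps record boundaries aligned with line boundaries. The same read pattern is used in getservent() in the getservent file section. This assumes `strchr` is declared through `inetprivate.h`, which is not visible here.

```c
	p = fgets(line, BUFSIZ, netf);
	if (p == NULL)
		return (NULL);
	if (strchr(p, '\n') == NULL) {
		int ch;

		/* overlong line: drop the unread tail so it is not parsed as a record */
		while ((ch = getc(netf)) != EOF && ch != '\n')
			;
	}
	/* … unchanged: comment skip, name, network number and alias parsing … */
```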


@@ -0,0 +1,121 @@
/*
* Copyright (c) 1987, 1993, 1994
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)getopt.c 8.3 (Berkeley) 4/27/95";
#endif /* LIBC_SCCS and not lint */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int opterr = 1, /* if error message should be printed */
optind = 1, /* index into parent argv vector */
optopt, /* character checked for validity */
optreset; /* reset getopt */
char *optarg; /* argument associated with option */
#define BADCH (int)'?'
#define BADARG (int)':'
#define EMSG ""
/*
* getopt --
* Parse argc/argv argument vector.
*/
int
getopt(nargc, nargv, ostr)
int nargc;
char * const *nargv;
const char *ostr;
{
#ifdef WIN32
char *__progname="windump";
#else
extern char *__progname;
#endif
static char *place = EMSG; /* option letter processing */
char *oli; /* option letter list index */
if (optreset || !*place) { /* update scanning pointer */
optreset = 0;
if (optind >= nargc || *(place = nargv[optind]) != '-') {
place = EMSG;
return (-1);
}
if (place[1] && *++place == '-') { /* found "--" */
++optind;
place = EMSG;
return (-1);
}
} /* option letter okay? */
if ((optopt = (int)*place++) == (int)':' ||
!(oli = strchr(ostr, optopt))) {
/*
* if the user didn't specify '-' as an option,
* assume it means -1.
*/
if (optopt == (int)'-')
return (-1);
if (!*place)
++optind;
if (opterr && *ostr != ':')
(void)fprintf(stderr,
"%s: illegal option -- %c\n", __progname, optopt);
return (BADCH);
}
if (*++oli != ':') { /* don't need argument */
optarg = NULL;
if (!*place)
++optind;
}
else { /* need an argument */
if (*place) /* no white space */
optarg = place;
else if (nargc <= ++optind) { /* no arg */
place = EMSG;
if (*ostr == ':')
return (BADARG);
if (opterr)
(void)fprintf(stderr,
"%s: option requires an argument -- %c\n",
__progname, optopt);
return (BADCH);
}
else /* white space */
optarg = nargv[optind];
place = EMSG;
++optind;
}
return (optopt); /* dump back option letter */
}
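Review bot: Under `WIN32`, getopt() prefixes its diagnostics with the hard-coded name `windump`, so any other program built against this copy reports the wrong program name in the "illegal option" and "option requires an argument" messages. Taking the name from the argument vector, for example `const char *progname = nargc > 0 ? nargv[0] : "";`, and printing that keeps the messages accurate. The local is also named `__progname`, an identifier reserved for the implementation, so a different name is safer for the Windows branch.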


@@ -0,0 +1,125 @@
/*
* Copyright (c) 1983, 1993
* The Regents of the University of California. All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)getservent.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */
#include <sys/types.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>
#include <net/netdb.h>
#include <stdio.h>
#include <errno.h>
#include <arpa/nameser.h>
#define MAXALIASES 35
static char SERVDB[] = _PATH_SERVICES;
static FILE *servf = NULL;
static char line[BUFSIZ+1];
static struct servent serv;
static char *serv_aliases[MAXALIASES];
int _serv_stayopen;
void
setservent(f)
int f;
{
if (servf == NULL)
servf = fopen(SERVDB, "r" );
else
rewind(servf);
_serv_stayopen |= f;
}
void
endservent()
{
if (servf) {
fclose(servf);
servf = NULL;
}
_serv_stayopen = 0;
}
struct servent *
getservent()
{
char *p;
register char *cp, **q;
if (servf == NULL && (servf = fopen(SERVDB, "r" )) == NULL)
return (NULL);
again:
if ((p = fgets(line, BUFSIZ, servf)) == NULL)
return (NULL);
if (*p == '#')
goto again;
cp = strpbrk(p, "#\n");
if (cp == NULL)
goto again;
*cp = '\0';
serv.s_name = p;
p = strpbrk(p, " \t");
if (p == NULL)
goto again;
*p++ = '\0';
while (*p == ' ' || *p == '\t')
p++;
cp = strpbrk(p, ",/");
if (cp == NULL)
goto again;
*cp++ = '\0';
serv.s_port = htons((u_short)atoi(p));
serv.s_proto = cp;
q = serv.s_aliases = serv_aliases;
cp = strpbrk(cp, " \t");
if (cp != NULL)
*cp++ = '\0';
while (cp && *cp) {
if (*cp == ' ' || *cp == '\t') {
cp++;
continue;
}
if (q < &serv_aliases[MAXALIASES - 1])
*q++ = cp;
cp = strpbrk(cp, " \t");
if (cp != NULL)
*cp++ = '\0';
}
*q = NULL;
return (&serv);
}
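Review bot: The port field in getservent() is converted with `atoi(p)` and cast to `u_short`, so a non-numeric field silently becomes port 0 and a value above 65535 is truncated to a different port number. Since the field is already NUL-terminated at the `,` or `/`, it can be validated and the record skipped on error: `v = strtol(p, &end, 10);` followed by `if (end == p || *end != '\0' || v < 0 || v > 65535) goto again;`, with `long v; char *end;` declared at the top. `<stdlib.h>` is already included in this file.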


@@ -0,0 +1,61 @@
/*
* Copyright (c) 1995, 1996, 1997 Kungliga Tekniska H<>gskolan
* (Royal Institute of Technology, Stockholm, Sweden).
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
*
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
*
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
*
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the Kungliga Tekniska
* H<>gskolan and its contributors.
*
* 4. Neither the name of the Institute nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE INSTITUTE AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE INSTITUTE OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
/* $Id$ */
#ifndef lint
static const char rcsid[] _U_ =
"@(#) $Header$";
#endif
#include <sys/types.h>
#include <pcap-stdinc.h>
/* Minimal implementation of inet_aton.
* Cannot distinguish between failure and a local broadcast address. */
#ifndef INADDR_NONE
#define INADDR_NONE 0xffffffff
#endif
int
inet_aton(const char *cp, struct in_addr *addr)
{
addr->s_addr = inet_addr(cp);
return (addr->s_addr == INADDR_NONE) ? 0 : 1;
}
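Review bot: inet_aton() writes the result of `inet_addr(cp)` into `addr->s_addr` before testing it, so on a parse failure the caller's structure is overwritten with INADDR_NONE, and a caller that ignores the return value carries on with 255.255.255.255. Keeping the result in a local and storing it only on success avoids that: `a = inet_addr(cp); if (a == INADDR_NONE) return 0;` then `addr->s_addr = a; return 1;`, with `a` declared in whatever type `inet_addr` returns on the platform. The existing comment already documents that the broadcast address itself cannot be parsed; it could also state that `addr` is left untouched on failure once this is changed.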


@@ -0,0 +1,101 @@
/*
* Copyright (c) 1983, 1993
* The Regents of the University of California. All rights reserved.
* All rights reserved.
*
* Redistribution and use in source and binary forms, with or without
* modification, are permitted provided that the following conditions
* are met:
* 1. Redistributions of source code must retain the above copyright
* notice, this list of conditions and the following disclaimer.
* 2. Redistributions in binary form must reproduce the above copyright
* notice, this list of conditions and the following disclaimer in the
* documentation and/or other materials provided with the distribution.
* 3. All advertising materials mentioning features or use of this software
* must display the following acknowledgement:
* This product includes software developed by the University of
* California, Berkeley and its contributors.
* 4. Neither the name of the University nor the names of its contributors
* may be used to endorse or promote products derived from this software
* without specific prior written permission.
*
* THIS SOFTWARE IS PROVIDED BY THE REGENTS AND CONTRIBUTORS ``AS IS'' AND
* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
* ARE DISCLAIMED. IN NO EVENT SHALL THE REGENTS OR CONTRIBUTORS BE LIABLE
* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
* SUCH DAMAGE.
*/
#if defined(LIBC_SCCS) && !defined(lint)
static char sccsid[] = "@(#)inet_network.c 8.1 (Berkeley) 6/4/93";
#endif /* LIBC_SCCS and not lint */
#include "inetprivate.h"
/*
* Internet network address interpretation routine.
* The library routines call this routine to interpret
* network numbers.
*/
u_int32_t
inet_network(const char *cp)
{
register u_long val, base, n;
register char c;
u_long parts[4], *pp = parts;
register int i;
again:
/*
* Collect number up to ``.''.
* Values are specified as for C:
* 0x=hex, 0=octal, other=decimal.
*/
val = 0; base = 10;
/*
* The 4.4BSD version of this file also accepts 'x__' as a hexa
* number. I don't think this is correct. -- Uli
*/
if (*cp == '0') {
if (*++cp == 'x' || *cp == 'X')
base = 16, cp++;
else
base = 8;
}
while ((c = *cp)) {
if (isdigit(c)) {
val = (val * base) + (c - '0');
cp++;
continue;
}
if (base == 16 && isxdigit(c)) {
val = (val << 4) + (c + 10 - (islower(c) ? 'a' : 'A'));
cp++;
continue;
}
break;
}
if (*cp == '.') {
if (pp >= parts + 4)
return (INADDR_NONE);
*pp++ = val, cp++;
goto again;
}
if (*cp && !isspace(*cp))
return (INADDR_NONE);
*pp++ = val;
n = pp - parts;
if (n > 4)
return (INADDR_NONE);
for (val = 0, i = 0; i < (int)n; i++) {
val <<= 8;
val |= parts[i] & 0xff;
}
return (val);
}
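Review bot: The final `*pp++ = val;` in inet_network() has no bounds check, so an input with four dots (a constructed example is `1.2.3.4.5`) fills `parts[0]` to `parts[3]` through the `.` branch and then stores a fifth element past the end of `parts[4]` before the `n > 4` test rejects it. Repeating the guard from the `.` branch just before that store closes the out-of-bounds write: `if (pp >= parts + 4) return (INADDR_NONE);`. Separately, `isdigit(c)`, `isxdigit(c)`, `islower(c)` and `isspace(*cp)` are passed a plain `char`, which is undefined for negative values, so each argument should be cast to `unsigned char`. The string is not always a program constant: getnetent() in this commit passes a field read from the networks file to this function.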

Some files were not shown because too many files have changed in this diff Show More