diff --git a/docs/nmap.1 b/docs/nmap.1
index d7998da19..d0b2c679b 100644
--- a/docs/nmap.1
+++ b/docs/nmap.1
@@ -1,11 +1,11 @@
.\" Title: nmap
.\" Author: Gordon \(lqFyodor\(rq Lyon
.\" Generator: DocBook XSL Stylesheets v1.73.2 : Give up on target after this long
\-\-scan\-delay/\-\-max\-scan\-delay : Adjust delay between probes
\-\-min\-rate : Send packets no slower than per second
+ \-\-max\-rate : Send packets no faster than per second
FIREWALL/IDS EVASION AND SPOOFING:
\-f; \-\-mtu : fragment packets (optionally w/given MTU)
\-D : Cloak a scan with decoys
@@ -267,7 +267,7 @@ to locate random web servers for browsing\.
.PP
\fB\-\-exclude \fR\fB\fIhost1\fR\fR\fB[,\fIhost2\fR[,\.\.\.]]\fR (Exclude hosts/networks)
.RS 4
-Specifies a comma\-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify\. The list you pass in uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc\. This can be useful when the network you wish to scan includes untouchable mission\-critical servers, systems that are known to react adversely to port scans, or subnetworks administered by other people\.
+Specifies a comma\-separated list of targets to be excluded from the scan even if they are part of the overall network range you specify\. The list you pass in uses normal Nmap syntax, so it can include hostnames, CIDR netblocks, octet ranges, etc\. This can be useful when the network you wish to scan includes untouchable mission\-critical servers, systems that are known to react adversely to port scans, or subnets administered by other people\.
.RE
.PP
\fB\-\-excludefile \fR\fB\fIexclude_file\fR\fR (Exclude list from file)
@@ -428,7 +428,7 @@ in
\fInmap\.h\fR\.
A highly uncommon port is used by default because sending to open ports is often undesirable for this particular scan type\.
.sp
-Upon hitting a closed port on the target machine, the UDP probe should elicit an ICMP port unreachable packet in return\. This signifies to Nmap that the machine is up and available\. Many other types of ICMP errors, such as host/network unreachables or TTL exceeded are indicative of a down or unreachable host\. A lack of response is also interpreted this way\. If an open port is reached, most services simply ignore the empty packet and fail to return any response\. This is why the default probe port is 31338, which is highly unlikely to be in use\. A few services, such as chargen, will respond to an empty UDP packet, and thus disclose to Nmap that the machine is available\.
+Upon hitting a closed port on the target machine, the UDP probe should elicit an ICMP port unreachable packet in return\. This signifies to Nmap that the machine is up and available\. Many other types of ICMP errors, such as host/network unreachables or TTL exceeded are indicative of a down or unreachable host\. A lack of response is also interpreted this way\. If an open port is reached, most services simply ignore the empty packet and fail to return any response\. This is why the default probe port is 31338, which is highly unlikely to be in use\. A few services, such as the Character Generator (chargen) protocol, will respond to an empty UDP packet, and thus disclose to Nmap that the machine is available\.
.sp
The primary advantage of this scan type is that it bypasses firewalls and filters that only screen TCP\. For example, I once owned a Linksys BEFW11S4 wireless broadband router\. The external interface of this device filtered all TCP ports by default, but UDP probes would still elicit port unreachable messages and thus give away the device\.
.RE
@@ -480,7 +480,7 @@ or
.RS 4
Traceroutes are performed post\-scan using information from the scan results to determine the port and protocol most likely to reach the target\. It works with all scan types except connect scans (\fB\-sT\fR) and idle scans (\fB\-sI\fR)\. All traces use Nmap\'s dynamic timing model and are performed in parallel\.
.sp
-Traceroute works by sending packets with a low TTL (time\-to\-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host\. Standard traceroute implementations start with a TTL of 1 and increment the TTL until the destination host is reached\. Nmap\'s traceroute starts with a high TTL and then decrements the TTL until it reaches 0\. Doing it backwards lets nmap employ clever caching algorithms to speed up traces over multiple hosts\. On average nmap sends 5\-10 fewer packets per host, depending on network conditions\. If a single subnet is being scanned (i\.e\. 192\.168\.0\.0/24) nmap may only have to send a single packet to most hosts\.
+Traceroute works by sending packets with a low TTL (time\-to\-live) in an attempt to elicit ICMP Time Exceeded messages from intermediate hops between the scanner and the target host\. Standard traceroute implementations start with a TTL of 1 and increment the TTL until the destination host is reached\. Nmap\'s traceroute starts with a high TTL and then decrements the TTL until it reaches 0\. Doing it backwards lets Nmap employ clever caching algorithms to speed up traces over multiple hosts\. On average Nmap sends 5\-10 fewer packets per host, depending on network conditions\. If a single subnet is being scanned (i\.e\. 192\.168\.0\.0/24) Nmap may only have to send a single packet to most hosts\.
.RE
.PP
\fB\-\-reason\fR (Host and port state reasons)
@@ -520,7 +520,7 @@ call)\. This is slower and rarely useful unless you find a bug in the Nmap paral
.PP
\fB\-\-dns\-servers \fR\fB\fIserver1\fR\fR\fB[,\fIserver2\fR[,\.\.\.]]\fR\fB \fR (Servers to use for reverse DNS queries)
.RS 4
-By default Nmap will try to determine your DNS servers (for rDNS resolution) from your resolv\.conf file (Unix) or the Registry (Win32)\. Alternatively, you may use this option to specify alternate servers\. This option is not honored if you are using
+By default, Nmap determines your DNS servers (for rDNS resolution) from your resolv\.conf file (Unix) or the Registry (Win32)\. Alternatively, you may use this option to specify alternate servers\. This option is not honored if you are using
\fB\-\-system\-dns\fR
or an IPv6 scan\. Using multiple DNS servers is often faster, especially if you choose authoritative servers for your target IP space\. This option can also improve stealth, as your requests can be bounced off just about any recursive DNS server on the internet\.
.sp
@@ -541,7 +541,9 @@ unfiltered,
open|filtered, or
closed|filtered\.
.PP
-These states are not intrinsic properties of the port itself, but describe how Nmap sees them\. For example, an Nmap scan from the same network as the target may show port 135/tcp as open, while a scan at the same time with the same options from across the Internet might show that port as
+These states are not intrinsic properties of the port itself, but describe how Nmap sees them\. For example, an Nmap scan from the same network as the target may show port
+135/tcp
+as open, while a scan at the same time with the same options from across the Internet might show that port as
filtered\.
.PP
\fBThe six port states recognized by Nmap\fR
@@ -776,6 +778,16 @@ So you can try scanning a target using various zombies that you think might be t
(via router/packet filter rules)\.
.sp
You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IP ID changes\. Otherwise Nmap will use the port it uses by default for TCP pings (80)\.
+.sp
+Ports can also be specified by name according to what the port is referred to in the
+\fInmap\-services\fR\. You can even use the wildcards * and ? with the names\. For example, to scan ftp and all ports whose names begin with http, use
+\fB\-p ftp,http*\fR\. Be careful about shell expansions and quote the argument to \-p if unsure\.
+.sp
+Ranges of ports can be surrounded by square brackets to indicate ports inside that range that appear in
+\fInmap\-services\fR\. For example, the following will scan all ports in
+\fInmap\-services\fR
+equal to or below 1024:
+\fB\-p [\-1024]\fR\. Be careful with shell expansions and quote the argument to \-p if unsure\.
.RE
.PP
\fB\-sO\fR (IP protocol scan)
@@ -838,7 +850,7 @@ T:
or
U:\. The qualifier lasts until you specify another qualifier\. For example, the argument
\fB\-p U:53,111,137,T:21\-25,80,139,8080\fR
-would scan UDP ports 53,111,and 137, as well as the listed TCP ports\. Note that to scan both UDP & TCP, you have to specify
+would scan UDP ports 53,111,and 137, as well as the listed TCP ports\. Note that to scan both UDP and TCP, you have to specify
\fB\-sU\fR
and at least one TCP scan type (such as
\fB\-sS\fR,
@@ -847,7 +859,8 @@ and at least one TCP scan type (such as
.sp
Ports can also be specified by name according to what the port is referred to in the
-\fInmap\-services\fR\. You can even use the wildcards * and ? with the names\. For example, to scan FTP and all ports whose names begin with http, use
+\fInmap\-services\fR\. You can even use the wildcards * and ? with the names\. For example, to scan FTP and all ports whose names begin with
+\(lqhttp\(rq, use
\fB\-p ftp,http*\fR\. Be careful about shell expansions and quote the argument to
\fB\-p\fR
if unsure\.
@@ -865,7 +878,7 @@ if unsure\.
.RS 4
Specifies that you only wish to scan for ports listed in the
\fInmap\-services\fR
-file which comes with nmap (or the protocols file for
+file which comes with Nmap (or the protocols file for
\fB\-sO\fR)\. This is much faster than scanning all 65535 ports on a host\. Because this list contains so many TCP ports (more than 1200), the speed difference from a default TCP scan (about 1650 ports) isn\'t dramatic\. The difference can be enormous if you specify your own tiny
\fInmap\-services\fR
file using the
@@ -881,9 +894,31 @@ By default, Nmap randomizes the scanned port order (except that certain commonly
\fB\-r\fR
for sequential port scanning instead\.
.RE
+.PP
+\fB\-\-port\-ratio \fR
+.RS 4
+Scans all ports in
+\fInmap\-services\fR
+file with a ratio greater than the number specified as the argument\. (new format
+\fInmap\-services\fR
+only\.)
+.RE
+.PP
+\fB\-\-top\-ports \fR
+.RS 4
+Scans the N highest\-ratio ports found in
+\fInmap\-services\fR
+file\. (new format
+\fInmap\-services\fR
+only\.)
+.RE
.SH "SERVICE AND VERSION DETECTION"
.PP
-Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open\. Using its
+Point Nmap at a remote machine and it might tell you that ports
+25/tcp,
+80/tcp, and
+53/udp
+are open\. Using its
\fInmap\-services\fR
database of about 2,200 well\-known services,
Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively\. This lookup is usually accurate\(emthe vast majority of daemons listening on TCP port 25 are, in fact, mail servers\. However, you should not bet your security on this! People can and do run services on strange ports\.
@@ -892,7 +927,7 @@ Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP,
.PP
After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running\. The
\fInmap\-service\-probes\fR
-database contains probes for querying various services and match expressions to recognize and parse responses\. Nmap tries to determine the service protocol (e\.g\. FTP, SSH, telnet, HTTP), the application name (e\.g\. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e\.g\. printer, router), the OS family (e\.g\. Windows, Linux) and sometimes miscellaneous details like whether an X server is open to connections, the SSH protocol version, or the KaZaA user name)\. Of course, most services don\'t provide all of this information\. If Nmap was compiled with OpenSSL support, it will connect to SSL servers to deduce the service listening behind that encryption layer\.
+database contains probes for querying various services and match expressions to recognize and parse responses\. Nmap tries to determine the service protocol (e\.g\. FTP, SSH, Telnet, HTTP), the application name (e\.g\. ISC BIND, Apache httpd, Solaris telnetd), the version number, hostname, device type (e\.g\. printer, router), the OS family (e\.g\. Windows, Linux) and sometimes miscellaneous details like whether an X server is open to connections, the SSH protocol version, or the KaZaA user name)\. Of course, most services don\'t provide all of this information\. If Nmap was compiled with OpenSSL support, it will connect to SSL servers to deduce the service listening behind that encryption layer\.
When RPC services are discovered, the Nmap RPC grinder
(\fB\-sR\fR)
is automatically used to determine the RPC program and version numbers\. Some UDP ports are left in the
@@ -928,7 +963,7 @@ directive\.
.PP
\fB\-\-version\-intensity \fR\fB\fIintensity\fR\fR (Set version scan intensity)
.RS 4
-When performing a version scan (\fB\-sV\fR), nmap sends a series of probes, each of which is assigned a rarity value between 1 and 9\. The lower\-numbered probes are effective against a wide variety of common services, while the higher numbered ones are rarely useful\. The intensity level specifies which probes should be applied\. The higher the number, the more likely it is the service will be correctly identified\. However, high intensity scans take longer\. The intensity must be between 0 and 9\.
+When performing a version scan (\fB\-sV\fR), Nmap sends a series of probes, each of which is assigned a rarity value between 1 and 9\. The lower\-numbered probes are effective against a wide variety of common services, while the higher numbered ones are rarely useful\. The intensity level specifies which probes should be applied\. The higher the number, the more likely it is the service will be correctly identified\. However, high intensity scans take longer\. The intensity must be between 0 and 9\.
The default is 7\.
@@ -973,7 +1008,7 @@ database of more than a thousand known OS fingerprints and prints out the OS det
.PP
If Nmap is unable to guess the OS of a machine, and conditions are good (e\.g\. at least one open port and one closed port were found), Nmap will provide a URL you can use to submit the fingerprint if you know (for sure) the OS running on the machine\. By doing this you contribute to the pool of operating systems known to Nmap and thus it will be more accurate for everyone\.
.PP
-OS detection enables several other tests which make use of information that is gathered during the process anyway\. One of these is uptime measurement, which uses the TCP timestamp option (\fIRFC 1323\fR\&[7]) to guess when a machine was last rebooted\. This is only reported for machines which provide this information\. Another is TCP Sequence Predictability Classification\. This measures approximately how hard it is to establish a forged TCP connection against the remote host\. It is useful for exploiting source\-IP based trust relationships (rlogin, firewall filters, etc) or for hiding the source of an attack\. This sort of spoofing is rarely performed any more, but many machines are still vulnerable to it\. The actual difficulty number is based on statistical sampling and may fluctuate\. It is generally better to use the English classification such as
+OS detection enables some other tests which make use of information that is gathered during the process anyway\. One of these is TCP Sequence Predictability Classification\. This measures approximately how hard it is to establish a forged TCP connection against the remote host\. It is useful for exploiting source\-IP based trust relationships (rlogin, firewall filters, etc) or for hiding the source of an attack\. This sort of spoofing is rarely performed any more, but many machines are still vulnerable to it\. The actual difficulty number is based on statistical sampling and may fluctuate\. It is generally better to use the English classification such as
\(lqworthy challenge\(rq
or
\(lqtrivial joke\(rq\. This is only reported in normal output in verbose (\fB\-v\fR) mode\. When verbose mode is enabled along with
@@ -981,6 +1016,8 @@ or
\(lqincremental\(rq
class, which means that they increment the ID field in the IP header for each packet they send\. This makes them vulnerable to several advanced information gathering and spoofing attacks\.
.PP
+Another bit of extra information enabled by OS detection is a guess at a target\'s uptime\. This uses the TCP timestamp option (\fIRFC 1323\fR\&[7]) to guess when a machine was last rebooted\. The guess can be inaccurate due to the timestamp counter not being initialized to zero or the counter overflowing and wrapping around, so it is printed only in verbose mode\.
+.PP
A paper documenting the workings, usage, and customization of OS detection is available at \fI\%http://nmap.org/book/osdetect.html\fR\.
.PP
@@ -1250,14 +1287,9 @@ is
for a slow scan of one packet every ten seconds\.
.sp
\fB\-\-max\-rate\fR, like
-\fB\-\-min\-rate\fR, is a global option affecting an entire scan\. It affects only port and host discovery scans\. Unlike
-\fB\-\-min\-rate\fR, which is a
-\(lqbest\-effort\(rq
-option,
-\fB\-\-max\-rate\fR
-is a hard upper bound on the scanning rate\.
+\fB\-\-min\-rate\fR, is a global option affecting an entire scan\. It affects only port and host discovery scans\.
.sp
-Nmap may go slower than the maximum rate if conditions require it\. To keep the sending rate within a specified range, use
+The sending rate may temporarily exceed the maximum to make up for unpredictable delays, but on average the rate will stay at or below the maximum\. Nmap may go slower than the maximum rate if conditions require it\. To keep the sending rate within a specified range, use
\fB\-\-min\-rate\fR
and
\fB\-\-max\-rate\fR
@@ -1678,9 +1710,9 @@ from \fI\%http://nmap.org/book/output-formats-grepable-output.html\fR\.
As a convenience, you may specify
\fB\-oA \fR\fB\fIbasename\fR\fR
to store scan results in normal, XML, and grepable formats at once\. They are stored in
-\fIbasename\fR\.nmap,
-\fIbasename\fR\.xml, and
-\fIbasename\fR\.gnmap, respectively\. As with most programs, you can prefix the filenames with a directory path, such as
+\fI\fIbasename\fR\fR\fI\.nmap\fR,
+\fI\fIbasename\fR\fR\fI\.xml\fR, and
+\fI\fIbasename\fR\fR\fI\.gnmap\fR, respectively\. As with most programs, you can prefix the filenames with a directory path, such as
\fI~/nmaplogs/foocorp/\fR
on Unix or
\fIc:\ehacking\esco\fR
@@ -1945,7 +1977,7 @@ Prints a short help screen with the most common command flags\. Running Nmap wit
.RE
.SH "RUNTIME INTERACTION"
.PP
-During the execution of nmap, all key presses are captured\. This allows you to interact with the program without aborting and restarting it\. Certain special keys will change options, while any other keys will print out a status message telling you about the scan\. The convention is that
+During the execution of Nmap, all key presses are captured\. This allows you to interact with the program without aborting and restarting it\. Certain special keys will change options, while any other keys will print out a status message telling you about the scan\. The convention is that
\fIlowercase letters increase\fR
the amount of printing, and
\fIuppercase letters decrease\fR
diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt
index 2f55327cf..85be1de87 100644
--- a/docs/nmap.usage.txt
+++ b/docs/nmap.usage.txt
@@ -1,4 +1,4 @@
-Nmap 4.68 ( http://nmap.org )
+Nmap 4.69BETA1 ( http://nmap.org )
Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc.
@@ -63,6 +63,7 @@ TIMING AND PERFORMANCE:
--host-timeout : Give up on target after this long
--scan-delay/--max-scan-delay : Adjust delay between probes
--min-rate : Send packets no slower than per second
+ --max-rate : Send packets no faster than per second
FIREWALL/IDS EVASION AND SPOOFING:
-f; --mtu : fragment packets (optionally w/given MTU)
-D : Cloak a scan with decoys
diff --git a/docs/zenmap.1 b/docs/zenmap.1
index 530b4f469..ec4bdecb5 100644
--- a/docs/zenmap.1
+++ b/docs/zenmap.1
@@ -1,11 +1,11 @@
.\" Title: zenmap
.\" Author:
.\" Generator: DocBook XSL Stylesheets v1.73.2