mirror of https://github.com/nmap/nmap.git synced 2025-12-06 12:41:29 +00:00
This commit is contained in:
fyodor
2005-06-24 23:50:23 +00:00
parent 1b19b91884
commit 2c2cc2f9a9
13 changed files with 3358 additions and 1343 deletions

View File

@@ -13,6 +13,10 @@ o Added ARP ping (-PR). Nmap can now send raw ethernet ARP requests to
detects that the conditions are met. Example usage: nmap -sP -PR detects that the conditions are met. Example usage: nmap -sP -PR
192.168.0.0/16 . This is not yet supported on Windows. 192.168.0.0/16 . This is not yet supported on Windows.
o The OS fingerprint is now provided in XML output if debugging is
enabled (-d) or verbosity is at least 2 (-v -v). This patch was
sent by Okan Demirmen (okan(a)demirmen.com)
o Added a stripped-down version of Dug Song's excellent libdnet o Added a stripped-down version of Dug Song's excellent libdnet
networking library (v. 1.10). This allows Nmap to send raw ethernet networking library (v. 1.10). This allows Nmap to send raw ethernet
frames for the new ARP ping feature. frames for the new ARP ping feature.
@@ -46,6 +50,22 @@ o Nmap distribution signing has changed. Release files are now signed
o Update random host scan (-iR) to support the latest IANA-allocated o Update random host scan (-iR) to support the latest IANA-allocated
ranges, thanks to patch by Chad Loder (cloder(a)loder.us). ranges, thanks to patch by Chad Loder (cloder(a)loder.us).
o Updated GNU shtool (a helper program used during 'make install' to
version 2.0.2, which fixes a predictable temporary filename
weakness discovered by Eric Raymond.
o Removed addport element from XML DTD, since it is no longer used
(sugested by Lionel Cons (lionel.cons(a)cern.ch)
o Added new --privileged command-line option and NMAP_PRIVILEGED
environmental variable. Either of these tell Nmap to assume that
the user has full privileges to execute raw packet scans, OS
detection and the like. This can be useful when Linux kernel
capabilities or other systems are used that allow non-root users to
perform raw packet or ethernet frame manipulation. Without this
flag or variable set, Nmap bails on UNIX if geteuid() is
nonzero.
o Added some new RPC services to nmap-rpc thanks to a patch from o Added some new RPC services to nmap-rpc thanks to a patch from
vlad902 (vlad902(a)gmail.com). vlad902 (vlad902(a)gmail.com).
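Review bot: two copy fixes in the added entries: "sugested" should be "suggested", and the Lionel Cons credit is missing its closing parenthesis ("(lionel.cons(a)cern.ch)" needs a second ")" to close the "(sugested by ..." clause); "environmental variable" is normally "environment variable". More substantively, the --privileged entry should say that the flag grants nothing: it only skips the geteuid() check, so a user who lacks the underlying capability (CAP_NET_RAW on Linux, for the example the entry gives) still fails, just later, at socket creation, with a less helpful error. Also worth verifying the credit on the shtool 2.0.2 entry against upstream's release notes before this ships; I believe the temporary-file issue in shtool was reported by Eric Romang rather than Eric Raymond.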
@@ -69,6 +89,10 @@ o Updated the Nmap version number, description, and similar fields
that MS Visual Studio places in the binary. This was done by editing that MS Visual Studio places in the binary. This was done by editing
mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com) mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com)
o Fixed Nmap compilation on DragonFly BSD (and perhaps some other
systems) by applying a short patch by Joerg Sonnenberger which omits
the declaration of errno if it is a #define.
o Increased the buffer size allocated for fingerprints to prevent Nmap o Increased the buffer size allocated for fingerprints to prevent Nmap
from running out and quitting (error message: "Assertion from running out and quitting (error message: "Assertion
`servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz `servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz
@@ -87,10 +111,10 @@ o Changed from CVS to Subversion source control system (which
change users will see is that "Id" tags in file headers use the SVN change users will see is that "Id" tags in file headers use the SVN
format for version numbering and such. format for version numbering and such.
o Added 'leet ASCII art to the confugrator! ARTIST NOTE: If you o Added 'leet ASCII art to the confugrator! ARTIST NOTE: If you think
think the ASCII art sucks, feel free to send me alternatives. Note the ASCII art sucks, feel free to send me alternatives. Note that
that only people compiling the UNIX source code get the ASCII only people compiling the UNIX source code get this. (ASCII artist
art. (ASCII artist unknown). unknown).
Nmap 3.81 Nmap 3.81
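Review bot: "confugrator" survives the reflow on the right-hand side; since this hunk only rewraps the entry, fix the spelling to "configurator" in the same pass.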

View File

@@ -178,7 +178,10 @@ void NmapOps::Initialize() {
# ifdef __amigaos__ # ifdef __amigaos__
isr00t = 1; isr00t = 1;
# else # else
isr00t = !(geteuid()); if (getenv("NMAP_PRIVILEGED"))
isr00t = 1;
else
isr00t = !(geteuid());
# endif // __amigaos__ # endif // __amigaos__
#else #else
isr00t = 1; isr00t = 1;
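Review bot: getenv() returns a non-NULL pointer for an empty value, so NMAP_PRIVILEGED= (set but empty) also forces isr00t to 1; if that is not intended, test for a non-empty value, e.g. `const char *p = getenv("NMAP_PRIVILEGED"); isr00t = (p && *p) ? 1 : !geteuid();`. Either way the variable's exact semantics (presence vs. value) belong in the man page next to the --privileged text, and a debug-level message when the override is taken would make the later raw-socket failure much easier to diagnose.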

View File

@@ -784,6 +784,28 @@ to randomize the order in which ports are scanned.
.B \-\-ttl <value> .B \-\-ttl <value>
Sets the IPv4 time to live field in sent packets to the given value. Sets the IPv4 time to live field in sent packets to the given value.
.TP .TP
.B \-\-privileged
Tells Nmap to simply assume that it is privileged enough to perform
raw socket sends, packet sniffing, and similar operations that usually
require root privileges on UNIX systems. By default Nmap bails if
such operations are requested but geteuid() is not zero. --privileged
is useful with Linux kernel capabilities and similar systems that may
be configured to allow unprivileged users to perform raw-packet
scans. Be sure to provide this option flag before any flags for
options that require privileges (SYN scan, OS detection, etc.). The
NMAP_PRIVILEGED variable may be set as an equivalent alternative
--privileged.
.TP
.B \-\-interactive
Starts Nmap in interactive mode, which offers an interactive Nmap
prompt allowing easy launching of multiple scans (either synchronously
or in the background). This is useful for people who scan from
multi-user systems -- they often want to test their security without
letting everyone else on the system know exactly which systems they
are scanning. Use --interactive to activate this mode and then type
'h' for help. This option is rarely used because proper shells are
usually more familiar and feature-complete.
.TP
.B \-\-randomize_hosts .B \-\-randomize_hosts
Tells Nmap to shuffle each group of up to 2048 hosts before Tells Nmap to shuffle each group of up to 2048 hosts before
it scans them. This can make the scans less obvious to it scans them. This can make the scans less obvious to
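Review bot: grammar in the --privileged paragraph: "may be set as an equivalent alternative --privileged" is missing "to". The ordering caveat ("provide this option flag before any flags for options that require privileges") documents a parser quirk rather than a feature; if the privilege check is deferred until after option parsing, that sentence can go. The paragraph should also state what happens when the assumption is wrong: Nmap will not refuse the scan up front, it will fail when it tries to open the raw socket or capture device, so the flag is a statement about the environment (e.g. kernel capabilities already granted to the user), not a way to obtain privileges.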

View File

@@ -110,7 +110,7 @@
output.c:printosscanoutput() output.c:printosscanoutput()
--> -->
<!ELEMENT host ( status, address , (address | hostnames | <!ELEMENT host ( status, address , (address | hostnames |
smurf | ports | addport | os | uptime | smurf | ports | os | uptime |
tcpsequence | ipidsequence | tcptssequence )* ) > tcpsequence | ipidsequence | tcptssequence )* ) >
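Review bot: this commit starts emitting a new osfingerprint element inside os (output.c hunk below), but the DTD changes only remove addport; without a corresponding `<!ELEMENT osfingerprint EMPTY >` and `<!ATTLIST osfingerprint fingerprint CDATA #REQUIRED >` plus an update to the os content model, XML produced with -d or -v -v will no longer validate against nmap.dtd. Dropping addport from the host content model itself is fine, since it was never written (the portlist.cc hunk shows the log_write was already commented out).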
@@ -137,16 +137,6 @@
<!ELEMENT smurf EMPTY > <!ELEMENT smurf EMPTY >
<!ATTLIST smurf responses %attr_numeric; #REQUIRED > <!ATTLIST smurf responses %attr_numeric; #REQUIRED >
<!-- this element is written by portlist.cc:addport() -->
<!ELEMENT addport EMPTY >
<!ATTLIST addport
state %port_states; #REQUIRED
owner CDATA #IMPLIED
portid %attr_numeric; #REQUIRED
protocol %port_protocols; #REQUIRED
>
<!-- these elements are written by output.c:printportoutput() --> <!-- these elements are written by output.c:printportoutput() -->
<!ELEMENT ports (extraports? , port*) > <!ELEMENT ports (extraports? , port*) >
@@ -154,7 +144,7 @@
<!ELEMENT extraports EMPTY > <!ELEMENT extraports EMPTY >
<!ATTLIST extraports <!ATTLIST extraports
state %port_states; #REQUIRED state %port_states; #REQUIRED
count %attr_numeric; "closed" count %attr_numeric; #REQUIRED
> >
<!ELEMENT port (state , owner? , service? ) > <!ELEMENT port (state , owner? , service? ) >
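Review bot: good catch on count: a default of "closed" for an attribute declared %attr_numeric; was never valid, and #REQUIRED matches what printportoutput() actually writes. This fix is not mentioned in the CHANGELOG; a one-line entry next to the addport removal would help anyone validating older output files against the new DTD.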

View File

@@ -1,4 +1,4 @@
Nmap 3.82CSW Usage: nmap [Scan Type(s)] [Options] <host or net list> Nmap 3.82.1CSW Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges) Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root)) * -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users) -sT TCP connect() port scan (default for unprivileged users)

View File

@@ -536,6 +536,13 @@ function timestamp2date(stamp)
</xsl:template> </xsl:template>
<!-- ............................................................ --> <!-- ............................................................ -->
<!-- os fingerprint -->
<!-- ............................................................ -->
<xsl:template match="osfingerprint">
<li>os fingerprint: <em><xsl:value-of select="@fingerprint" /></em></li>
</xsl:template>
<!-- ............................................................ -->
<!-- uptime --> <!-- uptime -->
<!-- ............................................................ --> <!-- ............................................................ -->
<xsl:template match="uptime"> <xsl:template match="uptime">
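Review bot: the fingerprint attribute is written with embedded newlines (output.c's format string even starts the value with "\n"), and rendering it inside <em> in HTML collapses that whitespace onto one line, which makes the multi-line TSeq/T1..T7/PU fingerprint unreadable and useless for copy-and-paste submission. Render it in a <pre> block (or with white-space: pre) instead.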

View File

@@ -14216,7 +14216,7 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=) T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E|F%ULEN=134%DAT=E) PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E|F%ULEN=134%DAT=E)
Fingerprint OpenBSD 3.4 - 3.6 Fingerprint OpenBSD 3.4 - 3.7
Class OpenBSD | OpenBSD | 3.X | general purpose Class OpenBSD | OpenBSD | 3.X | general purpose
TSeq(Class=TR%gcd=<6%IPID=RD|RPI%TS=2HZ) TSeq(Class=TR%gcd=<6%IPID=RD|RPI%TS=2HZ)
T1(DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT) T1(DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)

View File

@@ -625,6 +625,8 @@ match smtp m|^220-TrendMicro IMSS SMTP proxy\r\n| v/TrendMicro SMTP Proxy///
match smtp m|^220 \S+ ESMTP server \(InterMail v(\S+)| v/InterMail smtpd/$1// match smtp m|^220 \S+ ESMTP server \(InterMail v(\S+)| v/InterMail smtpd/$1//
match smtp m|^220 \S+ -- Server ESMTP \(Sun Java System Messaging Server (\d[^\(\)]+)| v/SUN JSMS smtpd/$1// match smtp m|^220 \S+ -- Server ESMTP \(Sun Java System Messaging Server (\d[^\(\)]+)| v/SUN JSMS smtpd/$1//
match smtp m|^220 jMailer SMTP Server\r\n$| v/jMailer smtpd/// match smtp m|^220 jMailer SMTP Server\r\n$| v/jMailer smtpd///
match smtp m/^220[- ][^ ]+ Smail-([^ ]+) .*ESMTP/s v/Smail-ESMTP/$1//
match smtp m/^220[- ][^ ]+ Smail-([^ ]+) / v/Smail/$1//
softmatch smtp m|^220[\s-].*?E?SMTP[^\r]*\r\n| softmatch smtp m|^220[\s-].*?E?SMTP[^\r]*\r\n|
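Review bot: the two new Smail lines use m/.../ delimiters while every neighbouring match in the file uses m|...|; keep the file consistent. Ordering is right (the stricter ESMTP pattern comes first, so the plain Smail line acts as the fallback), but `[^ ]+` for the hostname reads differently from the `\S+` used by the InterMail and JSMS patterns just above; using `\S+` here too keeps the banner patterns uniform.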

View File

@@ -280,6 +280,7 @@ int nmap_main(int argc, char *argv[]) {
{"rH", no_argument, 0, 0}, {"rH", no_argument, 0, 0},
{"vv", no_argument, 0, 0}, {"vv", no_argument, 0, 0},
{"ff", no_argument, 0, 0}, {"ff", no_argument, 0, 0},
{"privileged", no_argument, 0, 0},
{"mtu", required_argument, 0, 0}, {"mtu", required_argument, 0, 0},
{"append_output", no_argument, 0, 0}, {"append_output", no_argument, 0, 0},
{"noninteractive", no_argument, 0, 0}, {"noninteractive", no_argument, 0, 0},
@@ -490,6 +491,8 @@ int nmap_main(int argc, char *argv[]) {
o.verbose += 2; o.verbose += 2;
} else if (strcmp(long_options[option_index].name, "ff") == 0) { } else if (strcmp(long_options[option_index].name, "ff") == 0) {
o.fragscan += 16; o.fragscan += 16;
} else if (strcmp(long_options[option_index].name, "privileged") == 0) {
o.isr00t = 1;
} else if (strcmp(long_options[option_index].name, "mtu") == 0) { } else if (strcmp(long_options[option_index].name, "mtu") == 0) {
o.fragscan = atoi(optarg); o.fragscan = atoi(optarg);
if (o.fragscan <= 0 || o.fragscan % 8 != 0) if (o.fragscan <= 0 || o.fragscan % 8 != 0)
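Review bot: setting o.isr00t = 1 inside the getopt loop makes the effect order-dependent: any earlier option that checks o.isr00t while it is being parsed has already seen the unprivileged value, which is exactly why the man page hunk in this commit tells users to put --privileged first. Better to record the request in a flag here and apply it, together with the NMAP_PRIVILEGED check, before the scan-type options are validated, so `nmap -sS --privileged` and `nmap --privileged -sS` behave the same. A short comment noting that this only disables the euid check, and grants nothing, would help the next reader.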

View File

@@ -1089,7 +1089,17 @@ void printosscanoutput(Target *currenths) {
log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT,"TCP/IP fingerprint:\n%s", mergeFPs(currenths->FPR->FPs, currenths->FPR->numFPs, currenths->FPR->osscan_opentcpport, currenths->FPR->osscan_closedtcpport, currenths->MACAddress())); log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT,"TCP/IP fingerprint:\n%s", mergeFPs(currenths->FPR->FPs, currenths->FPR->numFPs, currenths->FPR->osscan_opentcpport, currenths->FPR->osscan_closedtcpport, currenths->MACAddress()));
} }
} else { assert(0); } } else { assert(0); }
if (o.debugging || o.verbose > 1) {
log_write(LOG_XML,"<osfingerprint fingerprint=\"\n%s\" />\n",
mergeFPs(currenths->FPR->FPs, currenths->FPR->numFPs,
currenths->FPR->osscan_opentcpport,
currenths->FPR->osscan_closedtcpport,
currenths->MACAddress()));
}
log_write(LOG_XML, "</os>\n"); log_write(LOG_XML, "</os>\n");
if (currenths->seq.lastboot) { if (currenths->seq.lastboot) {
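Review bot: the fingerprint is interpolated into an XML attribute value unescaped. Fingerprints routinely contain '<' (see `gcd=<6` in the nmap-os-fingerprints hunk above) and may contain '&' or '"', and '<' is not permitted inside an attribute value, so this produces malformed XML under -d/-vv for a large share of hosts. Run the mergeFPs() result through an XML-escaping routine before writing it (output.c already has one for service-detection strings, if I recall), and drop the leading "\n" inside the quotes, which only pads the attribute with whitespace. Minor: mergeFPs() is now called a second time for the same target when the normal-output branch above already formatted it; cache the result in a local instead.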

View File

@@ -405,14 +405,6 @@ int PortList::addPort(u16 portno, u8 protocol, char *owner, int state) {
statenum2str(state), portno, statenum2str(state), portno,
proto2ascii(protocol), msg, idstr? idstr : ""); proto2ascii(protocol), msg, idstr? idstr : "");
log_flush(LOG_STDOUT); log_flush(LOG_STDOUT);
/* Write out add port messages for XML format so wrapper libraries
can use it and not have to parse LOG_STDOUT ;), which is a
pain! REMOVED now that Nmap scans multiple hosts in parallel.
This addport does not even tell which host the new port was
on. */
// log_write(LOG_XML, "<addport state=\"%s\" portid=\"%hu\" protocol=\"%s\" owner=\"%s\"/>\n", statenum2str(state), portno, proto2ascii(protocol), ((owner && *owner) ? owner : ""));
log_flush(LOG_XML);
} }

View File

@@ -3,7 +3,7 @@ CC=gcc
CPP=g++ CPP=g++
INCLUDE_FLAGS= -I.. -I../nbase -I../libpcap-possiblymodified INCLUDE_FLAGS= -I.. -I../nbase -I../libpcap-possiblymodified
LINK_FLAGS=-L.. -L../nbase -L../libpcap-possiblymodified LINK_FLAGS=-L.. -L../nbase -L../libpcap-possiblymodified
NMAP_OBJS=../osscan.o ../nmap_error.o ../utils.o ../tcpip.o ../output.o ../nmap.o ../scan_engine.o ../portlist.o ../timing.o ../nmap_rpc.o ../charpool.o ../services.o ../targets.o ../idle_scan.o ../protocols.o ../FingerPrintResults.o ../NmapOps.o ../TargetGroup.o ../Target.o ../NmapOutputTable.o ../service_scan.o ../nsock/src/libnsock.a NMAP_OBJS=../osscan.o ../nmap_error.o ../utils.o ../tcpip.o ../output.o ../nmap.o ../scan_engine.o ../portlist.o ../timing.o ../nmap_rpc.o ../charpool.o ../services.o ../targets.o ../idle_scan.o ../MACLookup.o ../protocols.o ../FingerPrintResults.o ../NmapOps.o ../TargetGroup.o ../Target.o ../NmapOutputTable.o ../service_scan.o ../nsock/src/libnsock.a
DEFINES=-DHAVE_CONFIG_H=1 DEFINES=-DHAVE_CONFIG_H=1
DATAFILES = nmap-os-fingerprints nmap-service-probes nmap-services nmap-rpc nmap-protocols nmap-mac-prefixes DATAFILES = nmap-os-fingerprints nmap-service-probes nmap-services nmap-rpc nmap-protocols nmap-mac-prefixes
SHTOOL = ../shtool SHTOOL = ../shtool
@@ -15,13 +15,13 @@ all: fingermatch fingerdiff servicematch
dummy: dummy:
fingermatch: dummy fingermatch: dummy
$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt $(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt -ldnet
fingerdiff: dummy fingerdiff: dummy
$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt $(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt -ldnet
servicematch: dummy servicematch: dummy
$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt $(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt -ldnet
web: web:
test x$(wroot) != x test x$(wroot) != x
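Review bot: -ldnet is appended but LINK_FLAGS (unchanged, a few lines up) still only searches .., ../nbase and ../libpcap-possiblymodified, so the link will pick up whatever system libdnet happens to be installed rather than the stripped-down copy this release bundles, or fail outright where none exists. Add the bundled libdnet's directory to LINK_FLAGS (and its headers to INCLUDE_FLAGS if any of the listed objects pull in dnet.h). Style: the three link lines are identical apart from the target; a single LIBS variable would keep the next library addition to one line.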

4584 shtool
File diff suppressed because it is too large