misc

CHANGELOG

@@ -13,6 +13,10 @@ o Added ARP ping (-PR). Nmap can now send raw ethernet ARP requests to
   detects that the conditions are met.  Example usage: nmap -sP -PR
   192.168.0.0/16 .  This is not yet supported on Windows.
 
+o The OS fingerprint is now provided in XML output if debugging is
+  enabled (-d) or verbosity is at least 2 (-v -v).  This patch was
+  sent by Okan Demirmen (okan(a)demirmen.com)
+
 o Added a stripped-down version of Dug Song's excellent libdnet
   networking library (v. 1.10).  This allows Nmap to send raw ethernet
   frames for the new ARP ping feature.
@@ -46,6 +50,22 @@ o Nmap distribution signing has changed. Release files are now signed
 o Update random host scan (-iR) to support the latest IANA-allocated
   ranges, thanks to patch by Chad Loder (cloder(a)loder.us).
 
+o Updated GNU shtool (a helper program used during 'make install' to
+  version 2.0.2, which fixes a predictable temporary filename
+  weakness discovered by Eric Raymond.
+
+o Removed addport element from XML DTD, since it is no longer used
+  (sugested by Lionel Cons (lionel.cons(a)cern.ch)
+
+o Added new --privileged command-line option and NMAP_PRIVILEGED
+  environmental variable.  Either of these tell Nmap to assume that
+  the user has full privileges to execute raw packet scans, OS
+  detection and the like.  This can be useful when Linux kernel
+  capabilities or other systems are used that allow non-root users to
+  perform raw packet or ethernet frame manipulation.  Without this
+  flag or variable set, Nmap bails on UNIX if geteuid() is
+  nonzero.
+
 o Added some new RPC services to nmap-rpc thanks to a patch from
   vlad902 (vlad902(a)gmail.com).
 
@@ -69,6 +89,10 @@ o Updated the Nmap version number, description, and similar fields
   that MS Visual Studio places in the binary.  This was done by editing
   mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com)
 
+o Fixed Nmap compilation on DragonFly BSD (and perhaps some other
+  systems) by applying a short patch by Joerg Sonnenberger which omits
+  the declaration of errno if it is a #define.
+
 o Increased the buffer size allocated for fingerprints to prevent Nmap
   from running out and quitting (error message: "Assertion
   `servicefpalloc - servicefplen > 8' failed".  Thanks to Mike Hatz
@@ -87,10 +111,10 @@ o Changed from CVS to Subversion source control system (which
   change users will see is that "Id" tags in file headers use the SVN
   format for version numbering and such.
 
-o Added 'leet ASCII art to the confugrator!  ARTIST NOTE: If you
-  think the ASCII art sucks, feel free to send me alternatives.  Note
-  that only people compiling the UNIX source code get the ASCII
-  art. (ASCII artist unknown).
+o Added 'leet ASCII art to the confugrator!  ARTIST NOTE: If you think
+  the ASCII art sucks, feel free to send me alternatives.  Note that
+  only people compiling the UNIX source code get this. (ASCII artist
+  unknown).
 
 Nmap 3.81
 

NmapOps.cc

@@ -178,7 +178,10 @@ void NmapOps::Initialize() {
 # ifdef __amigaos__
     isr00t = 1;
 # else
-    isr00t = !(geteuid());
+    if (getenv("NMAP_PRIVILEGED"))
+      isr00t = 1;
+    else
+      isr00t = !(geteuid());
 # endif // __amigaos__
 #else
   isr00t = 1;

docs/nmap.1

@@ -784,6 +784,28 @@ to randomize the order in which ports are scanned.
 .B \-\-ttl <value>
 Sets the IPv4 time to live field in sent packets to the given value.
 .TP
+.B \-\-privileged
+Tells Nmap to simply assume that it is privileged enough to perform
+raw socket sends, packet sniffing, and similar operations that usually
+require root privileges on UNIX systems.  By default Nmap bails if
+such operations are requested but geteuid() is not zero.  --privileged
+is useful with Linux kernel capabilities and similar systems that may
+be configured to allow unprivileged users to perform raw-packet
+scans.  Be sure to provide this option flag before any flags for
+options that require privileges (SYN scan, OS detection, etc.).  The
+NMAP_PRIVILEGED variable may be set as an equivalent alternative
+--privileged.
+.TP
+.B \-\-interactive
+Starts Nmap in interactive mode, which offers an interactive Nmap
+prompt allowing easy launching of multiple scans (either synchronously
+or in the background). This is useful for people who scan from
+multi-user systems -- they often want to test their security without
+letting everyone else on the system know exactly which systems they
+are scanning. Use --interactive to activate this mode and then type
+'h' for help.  This option is rarely used because proper shells are 
+usually more familiar and feature-complete.
+.TP
 .B \-\-randomize_hosts
 Tells Nmap to shuffle each group of up to 2048 hosts before
 it scans them.  This can make the scans less obvious to

docs/nmap.dtd

@@ -110,7 +110,7 @@
      output.c:printosscanoutput()
 -->
 <!ELEMENT host		( status, address , (address | hostnames |
-                          smurf | ports | addport | os | uptime | 
+                          smurf | ports | os | uptime | 
                           tcpsequence | ipidsequence | tcptssequence )* ) >
 
 
@@ -137,16 +137,6 @@
 <!ELEMENT smurf		EMPTY >
 <!ATTLIST smurf		responses	%attr_numeric;	#REQUIRED >
 
-<!-- this element is written by portlist.cc:addport() -->
-<!ELEMENT addport         EMPTY >
-<!ATTLIST addport         
-                        state           %port_states;    #REQUIRED
-                        owner           CDATA            #IMPLIED
-                        portid          %attr_numeric;   #REQUIRED
-                        protocol        %port_protocols; #REQUIRED
->
-
-
 <!-- these elements are written by output.c:printportoutput() -->
 
 <!ELEMENT ports		(extraports? , port*) >
@@ -154,7 +144,7 @@
 <!ELEMENT extraports	EMPTY >
 <!ATTLIST extraports
 			state		%port_states;	#REQUIRED
-			count		%attr_numeric;	"closed"
+			count		%attr_numeric;  #REQUIRED	
 >
 
 <!ELEMENT port		(state , owner? , service? ) >

docs/nmap.usage.txt

@@ -1,4 +1,4 @@
-Nmap 3.82CSW Usage: nmap [Scan Type(s)] [Options] <host or net list>
+Nmap 3.82.1CSW Usage: nmap [Scan Type(s)] [Options] <host or net list>
 Some Common Scan Types ('*' options require root privileges)
 * -sS TCP SYN stealth port scan (default if privileged (root))
   -sT TCP connect() port scan (default for unprivileged users)

docs/nmap.xsl

@@ -536,6 +536,13 @@ function timestamp2date(stamp)
 </xsl:template>
 <!-- ............................................................ -->
 
+<!-- os fingerprint -->
+<!-- ............................................................ -->
+<xsl:template match="osfingerprint">
+<li>os fingerprint: <em><xsl:value-of select="@fingerprint" /></em></li>
+</xsl:template>
+<!-- ............................................................ -->
+
 <!-- uptime -->
 <!-- ............................................................ -->
 <xsl:template match="uptime">

nmap-os-fingerprints

@@ -14216,7 +14216,7 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
 T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
 PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E|F%ULEN=134%DAT=E)
 
-Fingerprint OpenBSD 3.4 - 3.6
+Fingerprint OpenBSD 3.4 - 3.7
 Class OpenBSD | OpenBSD | 3.X | general purpose
 TSeq(Class=TR%gcd=<6%IPID=RD|RPI%TS=2HZ)
 T1(DF=Y%W=4000%ACK=S++%Flags=AS%Ops=MNWNNT)

nmap-service-probes

@@ -625,6 +625,8 @@ match smtp m|^220-TrendMicro IMSS SMTP proxy\r\n| v/TrendMicro SMTP Proxy///
 match smtp m|^220 \S+ ESMTP server \(InterMail v(\S+)| v/InterMail smtpd/$1//
 match smtp m|^220 \S+ -- Server ESMTP \(Sun Java System Messaging Server (\d[^\(\)]+)| v/SUN JSMS smtpd/$1//
 match smtp m|^220 jMailer SMTP Server\r\n$| v/jMailer smtpd///
+match smtp m/^220[- ][^ ]+ Smail-([^ ]+) .*ESMTP/s v/Smail-ESMTP/$1//
+match smtp m/^220[- ][^ ]+ Smail-([^ ]+) / v/Smail/$1//
 
 softmatch smtp m|^220[\s-].*?E?SMTP[^\r]*\r\n|
 

nmap.cc

@@ -280,6 +280,7 @@ int nmap_main(int argc, char *argv[]) {
       {"rH", no_argument, 0, 0},
       {"vv", no_argument, 0, 0},
       {"ff", no_argument, 0, 0},
+      {"privileged", no_argument, 0, 0},
       {"mtu", required_argument, 0, 0},
       {"append_output", no_argument, 0, 0},
       {"noninteractive", no_argument, 0, 0},
@@ -490,6 +491,8 @@ int nmap_main(int argc, char *argv[]) {
 	o.verbose += 2;
       } else if (strcmp(long_options[option_index].name, "ff") == 0) {
 	o.fragscan += 16; 
+      } else if (strcmp(long_options[option_index].name, "privileged") == 0) {
+	o.isr00t = 1;
       } else if (strcmp(long_options[option_index].name, "mtu") == 0) {
         o.fragscan = atoi(optarg);
         if (o.fragscan <= 0 || o.fragscan % 8 != 0)

output.cc

@@ -1090,6 +1090,16 @@ void printosscanoutput(Target *currenths) {
 	}
       } else { assert(0); }
    
+    if (o.debugging || o.verbose > 1) {
+
+      log_write(LOG_XML,"<osfingerprint fingerprint=\"\n%s\" />\n", 
+		mergeFPs(currenths->FPR->FPs, currenths->FPR->numFPs, 
+			 currenths->FPR->osscan_opentcpport, 
+			 currenths->FPR->osscan_closedtcpport, 
+			 currenths->MACAddress()));
+    }
+
+ 
     log_write(LOG_XML, "</os>\n");
 
      if (currenths->seq.lastboot) {

portlist.cc

@@ -405,14 +405,6 @@ int PortList::addPort(u16 portno, u8 protocol, char *owner, int state) {
 	      statenum2str(state), portno, 
 	      proto2ascii(protocol), msg, idstr? idstr : "");
     log_flush(LOG_STDOUT);
-    
-    /* Write out add port messages for XML format so wrapper libraries
-       can use it and not have to parse LOG_STDOUT ;), which is a
-       pain! REMOVED now that Nmap scans multiple hosts in parallel.
-       This addport does not even tell which host the new port was
-       on. */    
-    //    log_write(LOG_XML, "<addport state=\"%s\" portid=\"%hu\" protocol=\"%s\" owner=\"%s\"/>\n", statenum2str(state), portno, proto2ascii(protocol), ((owner && *owner) ? owner : ""));
-    log_flush(LOG_XML); 
   }
 
 

scripts/Makefile

@@ -3,7 +3,7 @@ CC=gcc
 CPP=g++
 INCLUDE_FLAGS= -I.. -I../nbase -I../libpcap-possiblymodified
 LINK_FLAGS=-L.. -L../nbase -L../libpcap-possiblymodified
-NMAP_OBJS=../osscan.o ../nmap_error.o ../utils.o ../tcpip.o ../output.o ../nmap.o ../scan_engine.o ../portlist.o ../timing.o ../nmap_rpc.o ../charpool.o ../services.o ../targets.o ../idle_scan.o ../protocols.o ../FingerPrintResults.o ../NmapOps.o ../TargetGroup.o ../Target.o ../NmapOutputTable.o ../service_scan.o ../nsock/src/libnsock.a
+NMAP_OBJS=../osscan.o ../nmap_error.o ../utils.o ../tcpip.o ../output.o ../nmap.o ../scan_engine.o ../portlist.o ../timing.o ../nmap_rpc.o ../charpool.o ../services.o ../targets.o ../idle_scan.o ../MACLookup.o ../protocols.o ../FingerPrintResults.o ../NmapOps.o ../TargetGroup.o ../Target.o ../NmapOutputTable.o ../service_scan.o ../nsock/src/libnsock.a
 DEFINES=-DHAVE_CONFIG_H=1
 DATAFILES = nmap-os-fingerprints nmap-service-probes nmap-services nmap-rpc nmap-protocols nmap-mac-prefixes
 SHTOOL = ../shtool
@@ -15,13 +15,13 @@ all: fingermatch fingerdiff servicematch
 dummy:
 
 fingermatch: dummy
-	$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt
+	$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt -ldnet
 
 fingerdiff: dummy
-	$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt
+	$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt -ldnet
 
 servicematch: dummy
-	$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt
+	$(CPP) -g -Wall $(INCLUDE_FLAGS) $(LINK_FLAGS) $(DEFINES) -o $@ $@.cc $(NMAP_OBJS) -lm -lnbase -lpcap -lpcre -lssl -lcrypt -ldnet
 
 web:
 	test x$(wroot) != x