
latest changes, including a couple doug fixes

This commit is contained in:
fyodor
2006-05-16 21:46:41 +00:00
parent 90d9ceaefa
commit 48a6d1ce41
10 changed files with 91 additions and 43 deletions


@@ -39,15 +39,27 @@ o Nmap now ignores certain ICMP error message rate limiting (rather
Macok (martin.macok(a)underground.cz) for writing the patch that
these changes were based on.
o Fixed a couple possible memory leaks reported by Ted Kremenek
(kremenek(a)cs.stanford.edu) from the Stanford University sofware
static analysis lab ("Checker" project).
o Changed the PortList class to use much more efficient data
structures and algorithms which take advantage of Nmap-specific
behavior patterns. Thanks to Marek Majkowski
(majek(a)forest.one.pl) for the patch.
o Fixed a bug which prevented certain TCP+UDP scan commands, such as
"nmap -sSU -p1-65535 localhost" from scanning both TCP and UDP.
Instead they gave the error message "WARNING: UDP scan was requested,
but no udp ports were specified. Skipping this scan type". Thanks to
Doug Hoyte for the patch.
o Nmap has traditionally required you to specify -T* timing options
before any more granular options like --max-rtt-timeout, otherwise the
general timing option would overwrite the value from your more
specific request. This has now been fixed so that the more specific
options always have precendence. Thanks to Doug Hoyte for this patch.
o Fixed a couple possible memory leaks reported by Ted Kremenek
(kremenek(a)cs.stanford.edu) from the Stanford University sofware
static analysis lab ("Checker" project).
o Nmap now prints a warning when you specify a target name which
resolves to multiple IP addresses. Nmap proceeds to scan only the
first of those addresses (as it always has done). Thanks to Doug
@@ -57,6 +69,10 @@ o Nmap now prints a warning when you specify a target name which
o Disallow --host-timeout values of less than 1500ms, print a warning
for values less than 15s.
o Changed all instances of inet_aton() into calls to inet_pton()
instead. This allowed us to remove inet_aton.c from nbase. Thanks to
KX (kxmail(a)gmail.com) for the patch.
Nmap 4.03
o Updated the LibPCRE build system to add the -fno-thread-jumps option


@@ -198,7 +198,7 @@ int TargetGroup::parse_expr(const char * const target_expr, int af) {
}
if (netmask != 32 || namedhost) {
targets_type = IPV4_NETMASK;
if (!inet_aton(target_net, &(startaddr))) {
if (!inet_pton(AF_INET, target_net, &(startaddr))) {
if ((target = gethostbyname(target_net))) {
int count=0;
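Review bot: `if (!inet_pton(AF_INET, target_net, &(startaddr)))` treats the -1 error return of inet_pton the same as its 1 success return, whereas inet_aton only ever returned 0 or 1; with a constant AF_INET that error path is practically unreachable, but the idiomatic test is `if (inet_pton(AF_INET, target_net, &startaddr) != 1)`, and the same `!`/truthy pattern appears at every converted call site in this commit. Note also that inet_pton accepts only a full dotted-decimal quad, so abbreviated forms such as `10.1` or hex/octal octets that inet_aton parsed now fall through to gethostbyname, which may or may not interpret them the same way; if that acceptance change is intended it deserves a line in CHANGES. parse_expr continues outside the hunk.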

3
configure vendored

@@ -7203,9 +7203,8 @@ fi
for ac_func in bzero memcpy nanosleep strerror \
strcasestr inet_aton getopt_long_only
strcasestr getopt_long_only
do
as_ac_var=`echo "ac_cv_func_$ac_func" | $as_tr_sh`
echo "$as_me:$LINENO: checking for $ac_func" >&5


@@ -656,7 +656,7 @@ fi
dnl Checks for library functions.
dnl AC_TYPE_SIGNAL
AC_CHECK_FUNCS(bzero memcpy nanosleep strerror \
strcasestr inet_aton getopt_long_only)
strcasestr getopt_long_only)
AC_LANG_PUSH(C++)
AC_MSG_CHECKING([for usleep])
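Review bot: The AC_CHECK_FUNCS list drops inet_aton but adds no inet_pton probe, so this configure.ac never defines HAVE_INET_PTON for the call sites the commit converts. If the intent is that nbase supplies inet_pton on platforms that lack it (the CHANGES entry says inet_aton.c was removed from nbase, implying the replacement lives there), that check presumably sits in nbase's own configure; worth confirming before the next Windows or Solaris build rather than discovering it at link time.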


@@ -2,7 +2,7 @@
.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
.\" Instead of manually editing it, you probably should edit the DocBook XML
.\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
.TH "NMAP" "1" "05/10/2006" "" "Nmap Reference Guide"
.TH "NMAP" "1" "05/15/2006" "" "Nmap Reference Guide"
.\" disable hyphenation
.nh
.\" disable justification (adjust text to left margin only)
@@ -847,6 +847,23 @@ Another use of
\fB\-\-scan\-delay\fR
is to evade threshold based intrusion detection and prevention systems (IDS/IPS).
.TP
\fB\-\-defeat\-rst\-ratelimit\fR
Many hosts have long used rate limiting to reduce the number of ICMP error messages (such as port\-unreachable errors) they send. Some systems now apply similar rate limits to the RST (reset) packets they generate. This can slow Nmap down dramatically as it adjusts its timing to reflect those rate limits. You can tell Nmap to ignore those rate limits (for port scans such as SYN scan which
\fIdon't\fR
treat nonresponsive ports as
open) by specifying
\fB\-\-defeat\-rst\-ratelimit\fR.
.sp
Using this option can reduce accuracy, as some ports will appear nonresponse because Nmap didn't wait long enough for a rate\-limited RST response. With a SYN scan, the non\-response results in the port being labeled
filtered
rather than the
closed
state we see when RST packets are received. This optional is useful when you only care about open ports, and distinguishing between
closed
and
filtered
ports isn't worth the extra time.
.TP
\fB\-T <Paranoid|Sneaky|Polite|Normal|Aggressive|Insane>\fR (Set a timing template)
While the fine grained timing controls discussed in the previous section are powerful and effective, some people find them confusing. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize. So Nmap offers a simpler approach, with six timing templates. You can specify them with the
\fB\-T\fR

71
nmap.cc

@@ -470,6 +470,16 @@ int nmap_main(int argc, char *argv[]) {
size_t sslen;
int option_index;
bool iflist = false;
// Pre-specified timing parameters.
// These are stored here during the parsing of the arguments so that we can
// set the defaults specified by any timing template options (-T2, etc) BEFORE
// any of these. In other words, these always take precedence over the templates.
int pre_max_parallelism=-1, pre_scan_delay=-1, pre_max_scan_delay=-1;
int pre_init_rtt_timeout=-1, pre_min_rtt_timeout=-1, pre_max_rtt_timeout=-1;
int pre_max_retries=-1;
long pre_host_timeout=-1;
struct option long_options[] =
{
{"version", no_argument, 0, 'V'},
@@ -593,18 +603,18 @@ int nmap_main(int argc, char *argv[]) {
if (l < 20) {
error("WARNING: You specified a round-trip time timeout (%ld ms) that is EXTRAORDINARILY SMALL. Accuracy may suffer.", l);
}
o.setMaxRttTimeout(l);
pre_max_rtt_timeout = l;
} else if (optcmp(long_options[option_index].name, "min-rtt-timeout") == 0) {
l = tval2msecs(optarg);
if (l < 0) fatal("Bogus --min-rtt-timeout argument specified");
if (l > 50000) {
error("Warning: min-rtt-timeout is given in milliseconds, your value seems pretty large.");
}
o.setMinRttTimeout(l);
pre_min_rtt_timeout = l;
} else if (optcmp(long_options[option_index].name, "initial-rtt-timeout") == 0) {
l = tval2msecs(optarg);
if (l <= 0) fatal("Bogus --initial-rtt-timeout argument specified. Must be positive");
o.setInitialRttTimeout(l);
pre_init_rtt_timeout = l;
} else if (strcmp(long_options[option_index].name, "excludefile") == 0) {
excludefd = fopen(optarg, "r");
if (!excludefd) {
@@ -634,9 +644,9 @@ int nmap_main(int argc, char *argv[]) {
error("Warning: Your --min-parallelism option is pretty high! This can hurt reliability.");
}
} else if (optcmp(long_options[option_index].name, "host-timeout") == 0) { l = tval2msecs(optarg);
if (l <= 1500) fatal("--host-timeout must be greater than 1500 milliseconds");
o.host_timeout = l;
if (o.host_timeout < 15000) {
if (l <= 1500) fatal("--host-timeout is specified in milliseconds unless you qualify it by appending 's', 'm', 'h', or 'd'. The value must be greater than 1500 milliseconds");
pre_host_timeout = l;
if (l < 15000) {
error("host-timeout is given in milliseconds, so you specified less than 15 seconds (%lims). This is allowed but not recommended.", o.host_timeout);
}
} else if (strcmp(long_options[option_index].name, "ttl") == 0) {
@@ -667,22 +677,17 @@ int nmap_main(int argc, char *argv[]) {
} else if (optcmp(long_options[option_index].name, "scan-delay") == 0) {
l = tval2msecs(optarg);
if (l < 0) fatal("Bogus --scan-delay argument specified.");
o.scan_delay = l;
if (o.scan_delay > o.maxTCPScanDelay()) o.setMaxTCPScanDelay(o.scan_delay);
if (o.scan_delay > o.maxUDPScanDelay()) o.setMaxUDPScanDelay(o.scan_delay);
o.max_parallelism = 1;
pre_scan_delay = l;
} else if (optcmp(long_options[option_index].name, "defeat-rst-ratelimit") == 0) {
o.defeat_rst_ratelimit = 1;
} else if (optcmp(long_options[option_index].name, "max-scan-delay") == 0) {
l = tval2msecs(optarg);
if (l < 0) fatal("--max-scan-delay cannot be negative.");
o.setMaxTCPScanDelay(l);
o.setMaxUDPScanDelay(l);
pre_max_scan_delay = l;
} else if (optcmp(long_options[option_index].name, "max-retries") == 0) {
int num_retrans = atoi(optarg);
if (num_retrans < 0)
int pre_max_retries = atoi(optarg);
if (pre_max_retries < 0)
fatal("max-retransmissions must be positive");
o.setMaxRetransmissions(num_retrans);
} else if (optcmp(long_options[option_index].name, "randomize-hosts") == 0
|| strcmp(long_options[option_index].name, "rH") == 0) {
o.randomize_hosts = 1;
@@ -860,9 +865,9 @@ int nmap_main(int argc, char *argv[]) {
}
break;
case 'M':
o.max_parallelism = atoi(optarg);
if (o.max_parallelism < 1) fatal("Argument to -M must be at least 1!");
if (o.max_parallelism > 900) {
pre_max_parallelism = atoi(optarg);
if (pre_max_parallelism < 1) fatal("Argument to -M must be at least 1!");
if (pre_max_parallelism > 900) {
error("Warning: Your max-parallelism (-M) option is extraordinarily high, which can hurt reliability");
}
break;
@@ -1051,6 +1056,26 @@ int nmap_main(int argc, char *argv[]) {
signal(SIGSEGV, sigdie);
#endif
// After the arguments are fully processed we now make any of the timing
// tweaks the user might've specified:
if (pre_max_parallelism != -1) o.max_parallelism = pre_max_parallelism;
if (pre_scan_delay != -1) {
o.scan_delay = pre_scan_delay;
if (o.scan_delay > o.maxTCPScanDelay()) o.setMaxTCPScanDelay(o.scan_delay);
if (o.scan_delay > o.maxUDPScanDelay()) o.setMaxUDPScanDelay(o.scan_delay);
o.max_parallelism = 1;
}
if (pre_max_scan_delay != -1) {
o.setMaxTCPScanDelay(pre_max_scan_delay);
o.setMaxUDPScanDelay(pre_max_scan_delay);
}
if (pre_init_rtt_timeout != -1) o.setInitialRttTimeout(pre_init_rtt_timeout);
if (pre_min_rtt_timeout != -1) o.setMinRttTimeout(pre_min_rtt_timeout);
if (pre_max_rtt_timeout != -1) o.setMaxRttTimeout(pre_max_rtt_timeout);
if (pre_max_retries != -1) o.setMaxRetransmissions(pre_max_retries);
if (pre_host_timeout != -1) o.host_timeout = pre_host_timeout;
if (o.osscan)
o.reference_FPs = parse_fingerprint_reference_file();
@@ -1216,7 +1241,7 @@ int nmap_main(int argc, char *argv[]) {
/* If he wants to bounce off of an ftp site, that site better damn well be reachable! */
if (o.bouncescan) {
if (!inet_aton(ftp.server_name, &ftp.server)) {
if (!inet_pton(AF_INET, ftp.server_name, &ftp.server)) {
if ((target = gethostbyname(ftp.server_name)))
memcpy(&ftp.server, target->h_addr_list[0], 4);
else {
@@ -1658,7 +1683,7 @@ int gather_logfile_resumption_state(char *fname, int *myargc, char ***myargv) {
q = strchr(found, ' ');
if (!q) fatal("Unable to parse supposed log file %s. Sorry", fname);
*q = '\0';
if (inet_aton(found, &lastip) == 0)
if (inet_pton(AF_INET, found, &lastip) == 0)
fatal("Unable to parse supposed log file %s. Sorry", fname);
*q = ' ';
} else {
@@ -1686,7 +1711,7 @@ int gather_logfile_resumption_state(char *fname, int *myargc, char ***myargv) {
q = strchr(found, ')');
if (!q) fatal("Unable to parse supposed log file %s. Sorry", fname);
*q = '\0';
if (inet_aton(found, &lastip) == 0)
if (inet_pton(AF_INET, found, &lastip) == 0)
fatal("Unable to parse ip (%s) supposed log file %s. Sorry", found, fname);
*q = ')';
} else {
@@ -1748,9 +1773,9 @@ struct scan_lists *getpts(char *origexpr) {
if (o.TCPScan())
range_type |= SCAN_TCP_PORT;
else if (o.UDPScan())
if (o.UDPScan())
range_type |= SCAN_UDP_PORT;
else if (o.ipprotscan)
if (o.ipprotscan)
range_type |= SCAN_PROTOCOLS;
porttbl = (u8 *) safe_zalloc(65536);
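Review bot: In the `--max-retries` branch, `int pre_max_retries = atoi(optarg);` declares a new block-scoped variable that shadows the function-scope `pre_max_retries` initialised to -1 in the earlier hunk, so the outer variable never changes and the deferred `if (pre_max_retries != -1) o.setMaxRetransmissions(pre_max_retries);` is never taken; `--max-retries` is now silently ignored. Drop the declaration so the assignment reaches the outer variable: `pre_max_retries = atoi(optarg);` (building with `-Wshadow` would flag this). Relatedly, the `--host-timeout` warning still prints `o.host_timeout`, which at parse time holds the default rather than the value just deferred into `pre_host_timeout`; print `l` instead so the message shows what the user actually typed. Both branches sit inside nmap_main, whose body runs outside these hunks.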

5
nmap.h

@@ -464,9 +464,4 @@ const char *seqidx2difficultystr(unsigned long idx);
int nmap_fetchfile(char *filename_returned, int bufferlen, char *file);
int gather_logfile_resumption_state(char *fname, int *myargc, char ***myargv);
/* From glibc 2.0.6 because Solaris doesn't seem to have this function */
#ifndef HAVE_INET_ATON
int inet_aton(register const char *, struct in_addr *);
#endif
#endif /* NMAP_H */


@@ -953,7 +953,7 @@ static void parse_etchosts(char *fname) {
while (*tp == ' ' || *tp == '\t') tp++;
if (sscanf(tp, "%15s %255s", ipaddrstr, hname) == 2) {
if (inet_aton(ipaddrstr, &ia)) {
if (inet_pton(AF_INET, ipaddrstr, &ia)) {
he = new host_elem;
he->name = strdup(hname);
he->addr = (u32) ia.s_addr;
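Review bot: `if (inet_pton(AF_INET, ipaddrstr, &ia))` also accepts a -1 return as success; the precise check is `if (inet_pton(AF_INET, ipaddrstr, &ia) == 1)`. A line whose address inet_pton rejects is dropped with no diagnostic, which now also covers non-canonical IPv4 spellings that inet_aton used to accept, and any IPv6 entry truncated by the `%15s` conversion; since the table stores `(u32) ia.s_addr` that IPv4-only behaviour looks intended, but a debug-level message on the skipped line would make the change visible to users. parse_etchosts continues outside the hunk.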


@@ -780,7 +780,7 @@ int resolve(char *hostname, struct in_addr *ip) {
if (!hostname || !*hostname)
fatal("NULL or zero-length hostname passed to resolve()");
if (inet_aton(hostname, ip))
if (inet_pton(AF_INET, hostname, ip))
return 1; /* damn, that was easy ;) */
if ((h = gethostbyname(hostname))) {
memcpy(ip, h->h_addr_list[0], sizeof(struct in_addr));


@@ -750,10 +750,6 @@ char *readip_pcap(pcap_t *pd, unsigned int *len, long to_usec,
int read_arp_reply_pcap(pcap_t *pd, u8 *sendermac, struct in_addr *senderIP,
long to_usec, struct timeval *rcvdtime);
#ifndef HAVE_INET_ATON
int inet_aton(register const char *, struct in_addr *);
#endif
/* Examines the given tcp packet and obtains the TCP timestamp option
information if available. Note that the CALLER must ensure that
"tcp" contains a valid header (in particular the th_off must be the