mirror of https://github.com/nmap/nmap.git synced 2026-01-25 07:39:02 +00:00

capitalization changes

This commit is contained in:
fyodor
2007-09-03 02:55:01 +00:00
parent a5d2e11cd4
commit 4dc8618965
8 changed files with 141 additions and 139 deletions

View File

@@ -77,7 +77,7 @@ PORT STATE SERVICE VERSION
1002/tcp open windows\-icfw?
1025/tcp open msrpc Microsoft Windows RPC
1720/tcp open H\.323/Q\.931 CompTek AquaGateKeeper
5800/tcp open vnc\-http RealVNC 4\.0 (Resolution 400x250; VNC TCP port: 5900)
5800/tcp open vnc\-http RealVNC 4\.0 (Resolution 400x250; VNC port: 5900)
5900/tcp open vnc VNC (protocol 3\.8)
MAC Address: 00:A0:CC:63:85:4B (Lite\-on Communications)
Device type: general purpose
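Review bot: the RealVNC line drops "TCP" from the sample output ("VNC TCP port: 5900" becomes "VNC port: 5900"), which is a content edit to example scan output rather than a capitalization change; sample output should match what version detection actually prints for that match line, so confirm the current output string before including it under this commit message.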
@@ -603,7 +603,7 @@ open|filtered\. The port is marked
filtered
if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received\.
.sp
The key advantage to these scan types is that they can sneak through certain non\-stateful firewalls and packet filtering routers\. Another advantage is that these scan types are a little more stealthy than even a SYN scan\. Don\'t count on this though \-\- most modern IDS products can be configured to detect them\. The big downside is that not all systems follow RFC 793 to the letter\. A number of systems send RST responses to the probes regardless of whether the port is open or not\. This causes all of the ports to be labeled
The key advantage to these scan types is that they can sneak through certain non\-stateful firewalls and packet filtering routers\. Another advantage is that these scan types are a little more stealthy than even a SYN scan\. Don\'t count on this though\(emmost modern IDS products can be configured to detect them\. The big downside is that not all systems follow RFC 793 to the letter\. A number of systems send RST responses to the probes regardless of whether the port is open or not\. This causes all of the ports to be labeled
closed\. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400\. This scan does work against most UNIX\-based systems though\. Another downside of these scans is that they can\'t distinguish
open
ports from certain
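Review bot: the context line "This scan does work against most UNIX\-based systems though" is left as UNIX here, while the XML hunk at -1123 in this same commit changes the same sentence to "Unix-based". If this groff page is generated from the XML it should be regenerated rather than hand-edited so the two do not drift; if it is hand-maintained, the UNIX to Unix change needs applying here as well. The \-\- to \(em swaps themselves are fine.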
@@ -756,6 +756,7 @@ and at least one TCP scan type (such as
\fB\-sS\fR,
\fB\-sF\fR, or
\fB\-sT\fR)\. If no protocol qualifier is given, the port numbers are added to all protocol lists\.
.sp
Ports can also be specified by name according to what the port is referred to in the
\fInmap\-services\fR\. You can even use the wildcards * and ? with the names\. For example, to scan ftp and all ports whose names begin with http, use
\fB\-p ftp,http*\fR\. Be careful about shell expansions and quote the argument to \-p if unsure\.
@@ -791,9 +792,9 @@ for sequential port scanning instead\.
.PP
Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open\. Using its
\fInmap\-services\fR
database of about 2,200 well\-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively\. This lookup is usually accurate \-\- the vast majority of daemons listening on TCP port 25 are, in fact, mail servers\. However, you should not bet your security on this! People can and do run services on strange ports\.
database of about 2,200 well\-known services, Nmap would report that those ports probably correspond to a mail server (smtp), web server (http), and name server (DNS) respectively\. This lookup is usually accurate\(emthe vast majority of daemons listening on TCP port 25 are, in fact, mail servers\. However, you should not bet your security on this! People can and do run services on strange ports\.
.PP
Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information\. When doing vulnerability assessments (or even simple network inventories) of your companies or clients, you really want to know which mail and DNS servers and versions are running\. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to\. Version detection helps you obtain this information\.
Even if Nmap is right, and the hypothetical server above is running smtp, http, and dns servers, that is not a lot of information\. When doing vulnerability assessments (or even simple network inventories) of your companies or clients, you really want to know which mail and DNS servers and versions are running\. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to\. Version detection helps you obtain this information\.
.PP
After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running\. The
\fInmap\-service\-probes\fR
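Review bot: lowercasing "(SMTP)" and "(HTTP)" to "(smtp)" and "(http)" while leaving "(DNS)" on the same line, and then writing "smtp, http, and dns servers" but "mail and DNS servers" in the next paragraph, is inconsistent. If the lowercase forms are meant to be nmap\-services names they should be marked up as such (the page uses \fI...\fR for nmap\-services itself); as plain prose the protocol acronyms should stay SMTP, HTTP and DNS in both paragraphs.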
@@ -818,7 +819,7 @@ Enables version detection, as discussed above\. Alternatively, you can use
.PP
\fB\-\-allports\fR (Don\'t exclude any ports from version detection)
.RS 4
By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP get requests, binary SSL session requests, etc\. This behavior can be changed by modifying or removing the
By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of http get requests, binary SSL session requests, etc\. This behavior can be changed by modifying or removing the
Exclude
directive in
\fInmap\-service\-probes\fR, or you can specify
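Review bot: "HTTP get requests" to "http get requests" goes the wrong way: HTTP is a protocol acronym and GET is the method name, so "HTTP GET requests" is the form to use here (the same sentence keeps "SSL" uppercase).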
@@ -895,7 +896,7 @@ to enable OS detection along with other things\. 2nd generation OS detection is
Enables 2nd generation OS detection, but never falls back to the old (1st generation) system, even if it fails to find any match\. This saves time and can reduce the number of packets sent to each target\.
.RE
.PP
\fB\-O1\fR (1nd Generation OS Detection Only)
\fB\-O1\fR (1st Generation OS Detection Only)
.RS 4
Tells Nmap to only use the old OS detection system\. If
\fB\-O2\fR
@@ -904,10 +905,10 @@ just gives you a fingerprint to submit, but you don\'t know what OS the target i
\fBdon\'t submit the fingerprint\fR
as you don\'t know for sure whether
\fB\-O1\fR
guess correctly\. If it was perfect, we wouldn\'t have bothered to create
guessed correctly\. If it was perfect, we wouldn\'t have bothered to create
\fB\-O2\fR\.
.sp
This option, and all other vestiges of the old OS detection system, will likely be removed in late 2006 or in 2007\.
This option, and all other vestiges of the old OS detection system, will likely be removed in 2007\.
.RE
.PP
\fB\-\-osscan\-limit\fR (Limit OS detection to promising targets)
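Review bot: "will likely be removed in 2007" is already close to stale given this commit's date (2007-09-03); naming the release in which the old OS detection system goes away, rather than a calendar year, would avoid editing this sentence yet again. The "guess" to "guessed" fix is correct.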
@@ -931,23 +932,23 @@ When Nmap performs OS detection against a target and fails to find a perfect mat
\fB\-\-max\-os\-tries\fR
value (such as 1) speeds Nmap up, though you miss out on retries which could potentially identify the OS\. Alternatively, a high value may be set to allow even more retries when conditions are favorable\. This is rarely done, except to generate better fingerprints for submission and integration into the Nmap OS database\. This option only affects second generation OS detection (\fB\-O2\fR, the default) and not the old system (\fB\-O1\fR)\.
.RE
.SH "NSE - SCRIPTING EXTENSION TO THE NMAP NETWORK SCANNER"
.SH "NSE\(emSCRIPTING EXTENSION TO THE NMAP NETWORK SCANNER"
.PP
The Nmap Scripting Engine (NSE) combines the efficiency of Nmap\'s network handling with the versatility of the lightweight scripting language
\fIlua\fR\&[6], thus providing innumerable opportunities\. A more extensive documentation of the NSE (including its API) can be found at:
\fILua\fR\&[6], thus providing innumerable opportunities\. A more extensive documentation of the NSE (including its API) can be found at:
\fI\%http://www.insecure.org/nmap/nse\fR\. The target of the NSE is to provide Nmap with a flexible infrastructure for extending its capabilities and offering its users a simple way of creating customized tests\. Uses for the NSE include (but definitely are not limited to):
.PP
\fIEnhanced Version\-detection\fR
(category
version) \- While Nmap already offers its Service and Version detection system, which is unmatched in terms of efficiency and scope, this power has its downside when it comes to services requiring more complex probes\. The Skype\-Protocol version 2 for instance can be identified by sending 2 independent probes to it, which the builtin system is not laid out for: a simple NSE\-script can do the job and update the port\'s service information\.
version)\(emWhile Nmap already offers its Service and Version detection system, which is unmatched in terms of efficiency and scope, this power has its downside when it comes to services requiring more complex probes\. The Skype\-Protocol version 2 for instance can be identified by sending 2 independent probes to it, which the builtin system is not laid out for: a simple NSE\-script can do the job and update the port\'s service information\.
.PP
\fIMalware\-detection\fR
(categories
malware
and
backdoor)\- Both attackers and worms often leave backdoors \- be it in form of SMTP\-servers listening on uncommon ports mostly used by spammers for mail relay, or in form of an FTP\-server giving crackers access to critical data\. A few lines of lua code can help to identify those loopholes easily\.
backdoor)\- Both attackers and worms often leave backdoors\(embe it in form of SMTP\-servers listening on uncommon ports mostly used by spammers for mail relay, or in form of an FTP\-server giving crackers access to critical data\. A few lines of Lua code can help to identify those loopholes easily\.
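Review bot: "backdoor)\- Both attackers" keeps a bare hyphen with no leading space, while the same position in the version entry ("version)\(emWhile") and in the -961 hunk ("discovery)\(emBy") is changed to \(em; change it to "backdoor)\(emBoth" for consistency. The lua to Lua change is correct (Lua is a name, not an acronym), and "Version\-detection" and "Malware\-detection" would read better unhyphenated as "Version detection" and "Malware detection".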
.PP
\fIVulnerability Detection\fR
@@ -960,7 +961,7 @@ vulnerability)\- NSE\'s capacity in detecting risks ranges from checking for def
safe,
intrusive
and
discovery) \- By providing you with a scripting language and a really efficient asynchronous network API on the one hand and the information gathered during earlier stages of a scan on the other hand the NSE is suited to write "client" programs for the services listening on a target machine\. These "clients" may collect information like: listings of available NFS/SMB/RPC shares, the number of channels of an irc\-network or currently logged on users\.
discovery)\(emBy providing you with a scripting language and a really efficient asynchronous network API on the one hand and the information gathered during earlier stages of a scan on the other hand the NSE is suited to write client programs for the services listening on a target machine\. These clients may collect information like: listings of available NFS/SMB/RPC shares, the number of channels of an irc\-network or currently logged on users\.
.PP
To reflect those different uses and to simplify the choice of which scripts to run, each script contains a field associating it with one or more of the above mentioned categories\. To maintain the matching from scripts to categories a file called
\fIscript\.db\fR
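Review bot: "irc\-network" on the changed line should be "IRC network" to match the uppercase NFS/SMB/RPC in the same sentence; if the removed quotes around "client" were intended as scare quotes, \(lqclient\(rq is the groff form used elsewhere on this page.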
@@ -969,11 +970,11 @@ is installed along with the distributed scripts\. Therefore, if you, for example
and check the output afterwards\. The
version\-scripts are always run implicitely when a script\-scan is requested\. The
\fIscript\.db\fR
is a lua\-script itself and can be updated through the
is a Lua\-script itself and can be updated through the
\fB\-\-script\-updatedb\fR
option\.
.PP
A NSE\-script basically is a chunk of lua\-code which has (among some informational fields, like name, id and categories) 2 functions: a test whether the particular script should be run against a certain host or port (called a
A NSE\-script basically is a chunk of Lua\-code which has (among some informational fields, like name, id and categories) 2 functions: a test whether the particular script should be run against a certain host or port (called a
hostrule
or
portrule
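Review bot: "implicitely" on the context line "version\-scripts are always run implicitely" is misspelled (implicitly); since this paragraph is being touched it is worth fixing here. Also "Lua\-script", "Lua\-code" and "NSE\-script" are hyphenated compounds that read awkwardly in English; the -1009 hunk in this commit writes "Lua table", so "Lua script", "Lua code" and "NSE script" would be the consistent forms.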
@@ -1008,11 +1009,13 @@ subdirectory)\.
.PP
\fB\-\-script\-args=<name1=value1,name2={name3=value3},name4=value4>\fR
.RS 4
lets you provide arguments to NSE\-scripts\. Arguments are passed as name=value pairs\. The provided argument is processed and stored inside a lua\-table, to which all scripts have access\. The names are taken as strings (which have to be alphanumeric values) and used as keys inside the argument\-table\. Values are either strings or tables themselves (starting with a \'{\' and ending with a \'}\')\. Subtables make it possible to override arguments for specific scripts (e\.g\. when you want to provide different login/password pairs for different scripts)\. An argument of
user=bar,password=foo,anonFTP={password=nobody@foobar\.com}
for example results in the following table provided to NSE\-scripts:
t={user="bar",password="foo",anonFTP={password="nobody@foobar\.com"}\. Note, that if you want to override an option to a script, you should index the subtable with the script\'s
id, since this is the only way the script can "know" about it\'s special argument\.
lets you provide arguments to NSE\-scripts\. Arguments are passed as
name=value
pairs\. The provided argument is processed and stored inside a Lua table, to which all scripts have access\. The names are taken as strings (which must be alphanumeric values) and used as keys inside the
argument\-table\. Values are either strings or tables themselves (surrounded by \(oq{\(cq and \(oq}\(cq\. Subtables make it possible to override arguments for specific scripts (e\.g\. when you want to provide different login/password pairs for different scripts)\. For example, you could pass the comma\-separated arguments:
user=bar,password=foo, and
anonFTP={password=nobody@foobar\.com}\. If you want to override an option to a script, you should index the subtable with the script\'s
id, since this is the only way the script knows about its special argument\.
.RE
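Review bot: the rewritten line "Values are either strings or tables themselves (surrounded by \(oq{\(cq and \(oq}\(cq\." is missing its closing parenthesis. The rewrite also drops the resulting Lua table shown in the old text (which itself had an unbalanced brace), so the reader no longer sees that anonFTP={password=...} becomes a nested table keyed by the script id; consider restoring a corrected example such as t={user="bar",password="foo",anonFTP={password="nobody@foobar.com"}}.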
.PP
\fB\-\-script\-trace\fR
@@ -1024,7 +1027,7 @@ does, just one ISO layer higher\. If this option is specified all incoming and o
.PP
\fB\-\-script\-updatedb\fR
.RS 4
updates the script database which stores a mapping from category tags to filenames\. The database is a lua script which is interpreted once to choose a set of scripts from the categories provided to the
updates the script database which stores a mapping from category tags to filenames\. The database is a Lua script which is interpreted once to choose a set of scripts from the categories provided to the
\fB\-\-script\fR
argument\. It should be run if you have changed the
categories
@@ -1164,7 +1167,7 @@ ports isn\'t worth the extra time\.
.RS 4
While the fine grained timing controls discussed in the previous section are powerful and effective, some people find them confusing\. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize\. So Nmap offers a simpler approach, with six timing templates\. You can specify them with the
\fB\-T\fR
option and their number (0 \- 5) or their name\. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)\. The first two are for IDS evasion\. Polite mode slows down the scan to use less bandwidth and target machine resources\. Normal mode is the default and so
option and their number (0\(en5) or their name\. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)\. The first two are for IDS evasion\. Polite mode slows down the scan to use less bandwidth and target machine resources\. Normal mode is the default and so
\fB\-T3\fR
does nothing\. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network\. Finally Insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed\.
.sp
@@ -1252,7 +1255,7 @@ ME
as one of the decoys to represent the position for your real IP address\. If you put
ME
in the 6th position or later, some common port scan detectors (such as Solar Designer\'s excellent scanlogd) are unlikely to show your IP address at all\. If you don\'t use
ME, nmap will put you in a random position\.
ME, nmap will put you in a random position\. You can also use RND to generate a random, non\-reserved IP address, or RND:<number> to generate <number> addresses\.
.sp
Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets\. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network\. You might want to use IP addresses instead of names (so the decoy networks don\'t see you in their nameserver logs)\.
.sp
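Review bot: the added sentence about RND and RND:<number> is new feature documentation rather than a capitalization change and belongs in its own commit. Within it, "nmap will put you in a random position" uses lowercase nmap while the rest of this commit normalizes to Nmap (see the -688 XML hunk), and RND:<number> should be marked up like the other option arguments on this page (compare "\fB\-oA \fR\fB\fIbasename\fR\fR" in the -1486 hunk).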
@@ -1486,8 +1489,6 @@ As with XML output, this man page does not allow for documenting the entire form
.PP
\fB\-oA <basename>\fR (Output to all formats)
.RS 4
As a convenience, you may specify
\fB\-oA \fR\fB\fIbasename\fR\fR
to store scan results in normal, XML, and grepable formats at once\. They are stored in
@@ -1553,7 +1554,7 @@ may be condensed into counts if there are an overwhelming number of them\.
.PP
\fB\-\-iflist\fR (List interfaces and routes)
.RS 4
Prints the interface list and system routes as detected by Nmap\. This is useful for debugging routing problems or device mischaracterization (such as Nmap treating a PPP connection as Ethernet)\.
Prints the interface list and system routes as detected by Nmap\. This is useful for debugging routing problems or device mischaracterization (such as Nmap treating a PPP connection as ethernet)\.
.RE
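Review bot: "Ethernet" to "ethernet" lowercases a proper name; Ethernet is the name of the IEEE 802.3 standard and is conventionally capitalized, so this change reverses the correct form (the XML context at -306, "local ethernet network", has the same issue).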
.PP
\fB\-\-log\-errors\fR (Log errors/warnings to normal mode output file)
@@ -1575,7 +1576,7 @@ option\. All output filenames specified in that Nmap execution will then be appe
.PP
\fB\-\-resume <filename>\fR (Resume aborted scan)
.RS 4
Some extensive Nmap runs take a very long time \-\- on the order of days\. Such scans don\'t always run to completion\. Restrictions may prevent Nmap from being run during working hours, the network could go down, the machine Nmap is running on might suffer a planned or unplanned reboot, or Nmap itself could crash\. The admin running Nmap could cancel it for any other reason as well, by pressing
Some extensive Nmap runs take a very long time\(emon the order of days\. Such scans don\'t always run to completion\. Restrictions may prevent Nmap from being run during working hours, the network could go down, the machine Nmap is running on might suffer a planned or unplanned reboot, or Nmap itself could crash\. The admin running Nmap could cancel it for any other reason as well, by pressing
ctrl\-C\. Restarting the whole scan from the beginning may be undesirable\. Fortunately, if normal (\fB\-oN\fR) or grepable (\fB\-oG\fR) logs were kept, the user can ask Nmap to resume scanning with the target it was working on when execution ceased\. Simply specify the
\fB\-\-resume\fR
option and pass the normal/grepable output file as its argument\. No other arguments are permitted, as Nmap parses the output file to use the same ones specified previously\. Simply call Nmap as
@@ -1828,7 +1829,7 @@ file which is distributed with Nmap and also available from
.SH "LEGAL NOTICES"
.SS "Nmap Copyright and Licensing"
.PP
The Nmap Security Scanner is (C) 1996\-2005 Insecure\.Com LLC\. Nmap is also a registered trademark of Insecure\.Com LLC\. This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2\. This guarantees your right to use, modify, and redistribute this software under certain conditions\. If you wish to embed Nmap technology into proprietary software, we may be willing to sell alternative licenses (contact
The Nmap Security Scanner is (C) 1996\-2007 Insecure\.Com LLC\. Nmap is also a registered trademark of Insecure\.Com LLC\. This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2\. This guarantees your right to use, modify, and redistribute this software under certain conditions\. If you wish to embed Nmap technology into proprietary software, we may be willing to sell alternative licenses (contact
<sales@insecure\.com>)\. Many security scanner vendors already license Nmap technology such as host discovery, port scanning, OS detection, and service/version detection\.
.PP
Note that the GPL places important restrictions on
@@ -1869,12 +1870,13 @@ We don\'t consider these to be added restrictions on top of the GPL, but just a
\(lqderived works\(rq
as it applies to our GPL\-licensed Nmap product\. This is similar to the way Linus Torvalds has announced his interpretation of how
\(lqderived works\(rq
applies to Linux kernel modules\. Our interpretation refers only to Nmap \- we don\'t speak for any other GPL products\.
applies to Linux kernel modules\. Our interpretation refers only to Nmap\(emwe don\'t speak for any other GPL products\.
.PP
If you have any questions about the GPL licensing restrictions on using Nmap in non\-GPL works, we would be happy to help\. As mentioned above, we also offer alternative license to integrate Nmap into proprietary applications and appliances\. These contracts have been sold to many security vendors, and generally include a perpetual license as well as providing for priority support and updates as well as helping to fund the continued development of Nmap technology\. Please email
<sales@insecure\.com>
for further information\.
.PP
As a special exception to the GPL terms, Insecure\.Com LLC grants permission to link the code of this program with any version of the OpenSSL library which is distributed under a license identical to that listed in the included Copying\.OpenSSL file, and distribute linked combinations including the two\. You must obey the GNU GPL in all respects for all of the code used other than OpenSSL\. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so\.
.PP
If you received these files with a written license agreement or contract stating terms other than the terms above, then that alternative license agreement takes precedence over these comments\.
@@ -1958,7 +1960,7 @@ RFC 959
\%http://www.rfc-editor.org/rfc/rfc959.txt
.RE
.IP " 6." 4
lua
Lua
.RS 4
\%http://lua.org
.RE

View File

@@ -21,7 +21,7 @@
specify "one each of this list of elements, in any order". If there
is a construct similar to SGML's '&' operator, please let me know.
Portions Copyright (c) 2001-2005 Insecure.Com LLC
Portions Copyright (c) 2001-2007 Insecure.Com LLC
Portions Copyright (c) 2001 by Cisco systems, Inc.
Permission to use, copy, modify, and distribute modified and

View File

@@ -41,7 +41,7 @@ SERVICE/VERSION DETECTION:
--version-trace: Show detailed version scan activity (for debugging)
SCRIPT SCAN:
-sC: equivalent to --script=safe,intrusive
--script=<lua scripts>: <lua scripts> is a comma separated list of
--script=<Lua scripts>: <Lua scripts> is a comma separated list of
directories, script-files or script-categories
--script-args=<n1=v1,[n2=v2,...]>: provide arguments to scripts
--script-trace: Show all data sent and received

View File

@@ -306,10 +306,10 @@ you would expect.</para>
<para>If no host discovery options are given, Nmap
sends a TCP ACK
packet destined for port 80 and an ICMP Echo Request query
packet destined for port 80 and an ICMP echo request query
to each target machine. An exception to this is that an ARP scan is
used for any targets which are on a local ethernet network.
For unprivileged UNIX shell users, a SYN packet is sent
For unprivileged Unix shell users, a SYN packet is sent
instead of the ack using the <function>connect()</function>
system call. These defaults are equivalent to the
<option>-PA -PE</option> options. This host discovery is
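Review bot: the context line "instead of the ack using the <function>connect()</function>" refers to the packet named two lines above as "TCP ACK", so while "echo request" is being lowercased here, "ack" should become "ACK"; likewise "local ethernet network" should be "local Ethernet network", since Ethernet is a proper name.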
@@ -374,7 +374,7 @@ you would expect.</para>
<listitem>
<para>This option tells Nmap to <emphasis>only</emphasis>
<indexterm><primary>-sP</primary></indexterm>
<indexterm><primary>Ping scan</primary></indexterm>
<indexterm><primary>ping scan</primary></indexterm>
perform a ping scan (host discovery), then print out the available hosts
that responded to the scan. No further testing (such as
port scanning or OS detection) is performed. This is one
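Review bot: changing an indexterm primary from "Ping scan" to "ping scan" changes how the generated index sorts and groups that entry; every indexterm for the same topic must use the same case (this commit does so for "Idle scan" and "NULL scan" in later hunks), otherwise the index ends up with duplicate entries that differ only in case.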
@@ -473,7 +473,7 @@ you would expect.</para>
Either the RST or SYN/ACK response discussed previously tell
Nmap that the host is available and responsive.</para>
<para>On UNIX boxes, only the privileged user
<para>On Unix boxes, only the privileged user
<literal>root</literal> is generally able to send and
receive raw TCP packets. For unprivileged users, a
workaround is automatically employed whereby the connect()
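Review bot: the context line "workaround is automatically employed whereby the connect()" has a bare connect() where the -306 hunk uses <function>connect()</function>; wrap it the same way so it renders consistently.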
@@ -607,7 +607,7 @@ you would expect.</para>
packets sent by the ubiquitous
<application>ping</application> program. Nmap sends an ICMP
type 8 (echo request) packet to the target IP addresses,
expecting a type 0 (Echo Reply) in return from available
expecting a type 0 (echo reply) in return from available
hosts. Unfortunately for network explorers, many hosts and
firewalls now block these packets, rather than responding as
required by <ulink
@@ -688,7 +688,7 @@ you would expect.</para>
<listitem>
<para>
Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans (-sT) and idle scans (-sI). All traces use nmap's dynamic timing model and are performed in parallel.
Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans (-sT) and idle scans (-sI). All traces use Nmap's dynamic timing model and are performed in parallel.
</para>
<para>
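Review bot: on the changed line, "(-sT)" and "(-sI)" are bare text while this document otherwise marks options up as <option>-sT</option>; since the sentence is being edited anyway, use <option> here too. The nmap's to Nmap's change is correct.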
@@ -766,8 +766,8 @@ Shows the reason each port is set to a specific state and the reason each host i
<listitem>
<para>By default Nmap will try to determine your DNS servers
(for rDNS resolution) from your resolv.conf file (UNIX) or
the registry (Win32). Alternatively, you may use this
(for rDNS resolution) from your resolv.conf file (Unix) or
the Registry (Win32). Alternatively, you may use this
option to specify alternate servers. This option is not
honored if you are using <option>--system-dns</option> or an
IPv6 scan. Using multiple DNS servers is often faster,
@@ -868,14 +868,14 @@ options from across the Internet might show that port as <literal>filtered</lite
types in which open ports give no response. The lack of
response could also mean that a packet filter dropped the probe or
any response it elicited. So Nmap does not know for sure whether
the port is open or being filtered. The UDP, IP Protocol,
FIN, Null, and Xmas scans classify ports this
the port is open or being filtered. The UDP, IP protocol,
FIN, null, and Xmas scans classify ports this
way.</para></listitem></varlistentry>
<varlistentry><term>closed|filtered</term>
<listitem><para>This state is used when Nmap is unable to determine
whether a port is closed or filtered. It is only used for the IPID
Idle scan.</para></listitem></varlistentry>
idle scan.</para></listitem></varlistentry>
</variablelist>
</refsect1>
@@ -898,14 +898,14 @@ have to pay thousands of dollars for it.</para>
<para>Most of the scan types are only available to privileged users.
This is because they send and receive raw packets, which requires root
access on UNIX systems. Using an administrator account on Windows is
access on Unix systems. Using an administrator account on Windows is
recommended, though Nmap sometimes works for unprivileged users on that
platform when WinPcap has already been loaded into the OS. Requiring
root privileges was a serious limitation when Nmap was released in
1997, as many users only had access to shared shell accounts. Now,
the world is different. Computers are cheaper, far more people have
always-on direct Internet access, and desktop UNIX systems (including
Linux and MAC OS X) are prevalent. A Windows version of Nmap is now
always-on direct Internet access, and desktop Unix systems (including
Linux and Mac OS X) are prevalent. A Windows version of Nmap is now
available, allowing it to run on even more desktops. For all these
reasons, users have less need to run Nmap from limited shared shell accounts.
This is fortunate, as the privileged options make Nmap far more
@@ -916,7 +916,7 @@ that all of its insights are based on packets returned by the target
machines (or firewalls in front of them). Such hosts may be
untrustworthy and send responses intended to confuse or mislead Nmap.
Much more common are non-RFC-compliant hosts that do not respond as
they should to Nmap probes. FIN, Null, and Xmas scans are
they should to Nmap probes. FIN, null, and Xmas scans are
particularly susceptible to this problem. Such issues are specific to
certain scan types and so are
discussed in the individual scan type entries.</para>
@@ -931,8 +931,8 @@ name, usually the first. The one exception to this is the deprecated
FTP bounce scan (<option>-b</option>). By default, Nmap performs a
SYN Scan, though it substitutes a connect scan if the user does not
have proper privileges to send raw packets (requires root access on
UNIX) or if IPv6 targets were specified. Of the scans listed in this
section, unprivileged users can only execute connect and ftp bounce
Unix) or if IPv6 targets were specified. Of the scans listed in this
section, unprivileged users can only execute connect and FTP bounce
scans.</para>
<variablelist>
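Review bot: the context line "SYN Scan, though it substitutes a connect scan" has "SYN Scan" with a capital S while the -950 hunk header and the rest of this commit write "SYN scan"; lowercase it here alongside the UNIX and FTP bounce changes.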
@@ -950,7 +950,7 @@ second on a fast network not hampered by intrusive firewalls. SYN scan
is relatively unobtrusive and stealthy, since it never completes TCP
connections. It also works against any compliant TCP stack rather
than depending on idiosyncrasies of specific platforms as Nmap's
Fin/Null/Xmas, Maimon and Idle scans do. It also allows clear,
FIN/null/Xmas, Maimon and idle scans do. It also allows clear,
reliable differentiation between the <literal>open</literal>,
<literal>closed</literal>, and <literal>filtered</literal>
states.</para>
@@ -995,7 +995,7 @@ half-open reset that SYN scan does. Not only does this take longer
and require more packets to obtain the same information, but target
machines are more likely to log the connection. A decent IDS will
catch either, but most machines have no such alarm system. Many
services on your average UNIX system will add a note to syslog, and
services on your average Unix system will add a note to syslog, and
sometimes a cryptic error message, when Nmap connects and then closes
the connection without sending data. Truly pathetic services crash
when this happens, though that is uncommon. An administrator who sees
@@ -1069,7 +1069,7 @@ hosts.</para>
<indexterm><primary>-sN</primary></indexterm>
<indexterm><primary>-sF</primary></indexterm>
<indexterm><primary>-sX</primary></indexterm>
<indexterm><primary>NULL scan</primary></indexterm>
<indexterm><primary>null scan</primary></indexterm>
<indexterm><primary>FIN scan</primary></indexterm>
<indexterm><primary>Xmas scan</primary></indexterm>
</term>
@@ -1096,7 +1096,7 @@ scan types:</para>
<variablelist>
<varlistentry><term>Null scan (<option>-sN</option>)</term>
<listitem><para>Does not set any bits (tcp flag header is 0)</para></listitem></varlistentry>
<listitem><para>Does not set any bits (TCP flag header is 0)</para></listitem></varlistentry>
<varlistentry><term>FIN scan (<option>-sF</option>)</term>
<listitem><para>Sets just the TCP FIN bit.</para></listitem></varlistentry>
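Review bot: the term "Null scan (<option>-sN</option>)" keeps the capitalized form while the -868, -916, -1069 and -1203 hunks in this commit change the same name to "null scan"; either the term list is a deliberate exception (as a heading) or it should be lowercased too, and the choice should be stated. "tcp flag header" to "TCP flag header" is correct.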
@@ -1123,7 +1123,7 @@ number of systems send RST responses to the probes regardless of
whether the port is open or not. This causes all of the ports to be
labeled <literal>closed</literal>. Major operating systems that do
this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400.
This scan does work against most UNIX-based systems though. Another
This scan does work against most Unix-based systems though. Another
downside of these scans is that they can't distinguish <literal>open</literal> ports from
certain <literal>filtered</literal> ones, leaving you with the response
<literal>open|filtered</literal>.</para>
@@ -1203,7 +1203,7 @@ ports, then those three may very well be the truly open ones.</para>
<para>The Maimon scan is named after its discoverer, Uriel Maimon. He
described the technique in Phrack Magazine issue #49 (November 1996).
Nmap, which included this technique, was released two issues later.
This technique is exactly the same as Null, FIN, and Xmas scans, except
This technique is exactly the same as null, FIN, and Xmas scans, except
that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet
should be generated in response to such a probe whether the port is
open or closed. However, Uriel noticed that many BSD-derived systems
@@ -1250,9 +1250,9 @@ used.</para>
<varlistentry>
<term>
<option>-sI &lt;zombie
host[:probeport]&gt;</option> (Idlescan)
host[:probeport]&gt;</option> (idle scan)
<indexterm><primary>-sI</primary></indexterm>
<indexterm><primary>Idle scan</primary></indexterm>
<indexterm><primary>idle scan</primary></indexterm>
</term>
<listitem>
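Review bot: the parenthetical description is lowercased to "(idle scan)" here, and "(normal output)" and "(grepable output)" are lowercased later in this commit, but "(Set a timing template)" and "(Spoof MAC address)" on other varlistentry terms in the same diff keep a capital first word; decide whether these option descriptions are sentence case or lowercase fragments and apply one rule across the reference so the rendered option list does not mix both.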
@@ -1281,7 +1281,7 @@ used.</para>
<para>You can add a colon followed by a port number to the
zombie host if you wish to probe a particular port on the
zombie for IPID changes. Otherwise Nmap will use the port it
uses by default for tcp pings (80).</para>
uses by default for TCP pings (80).</para>
</listitem>
</varlistentry>
@@ -1294,7 +1294,7 @@ used.</para>
</term>
<listitem>
<para>IP Protocol scan allows you to determine which IP protocols
<para>IP protocol scan allows you to determine which IP protocols
(TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't
technically a port scan, since it cycles through IP protocol numbers
rather than TCP or UDP port numbers. Yet it still uses the
@@ -1340,7 +1340,7 @@ after retransmissions, the protocol is marked
<varlistentry>
<term>
<option>-b &lt;ftp relay host&gt;</option> (FTP bounce scan)
<option>-b &lt;FTP relay host&gt;</option> (FTP bounce scan)
<indexterm><primary>-b</primary></indexterm>
<indexterm><primary>FTP bounce scan</primary></indexterm>
</term>
@@ -1348,7 +1348,7 @@ after retransmissions, the protocol is marked
<para>An interesting feature of the FTP protocol (<ulink
url="http://www.rfc-editor.org/rfc/rfc959.txt">RFC 959</ulink>) is
support for so-called proxy ftp connections. This allows a user to
support for so-called proxy FTP connections. This allows a user to
connect to one FTP server, then ask that files be sent to a
third-party server. Such a feature is ripe for abuse on many levels,
so most servers have ceased supporting it. One of the abuses this
@@ -1357,7 +1357,7 @@ Simply ask the FTP server to send a file to each interesting port of a
target host in turn. The error message will describe whether the port
is open or not. This is a good way to bypass firewalls because
organizational FTP servers are often placed where they have
more access to other internal hosts than any old Internet host would. Nmap supports ftp
more access to other internal hosts than any old Internet host would. Nmap supports FTP
bounce scan with the <option>-b</option> option. It takes an argument
of the form
<replaceable>username</replaceable>:<replaceable>password</replaceable>@<replaceable>server</replaceable>:<replaceable>port</replaceable>.
@@ -1374,7 +1374,7 @@ well, in which case the default FTP port (21) on
released, but has largely been fixed. Vulnerable servers are still
around, so it is worth trying when all else fails. If bypassing a
firewall is your goal, scan the target network for open port 21 (or
even for any ftp services if you scan all ports with version
even for any FTP services if you scan all ports with version
detection), then try a bounce scan using each. Nmap will tell you
whether the host is vulnerable or not. If you are just trying to
cover your tracks, you don't need to (and, in fact, shouldn't) limit
@@ -1431,7 +1431,7 @@ way.</para>
<para><indexterm><primary>wildcard</primary></indexterm>Ports can also be specified by name according to what the
port is referred to in the <filename>nmap-services</filename>. You
can even use the wildcards * and ? with the names. For example, to scan
ftp and all ports whose names begin with http, use <option>-p ftp,http*</option>.
FTP and all ports whose names begin with http, use <option>-p ftp,http*</option>.
Be careful about shell expansions and quote the argument to -p if unsure.</para>
<para>Ranges of ports can be surrounded by square brackets to indicate
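Review bot: capitalizing "ftp" to "FTP" here is the wrong direction, because in this sentence it is the literal service name that -p matches against nmap-services (the example is "-p ftp,http*"), and "http" in the same sentence rightly stays lowercase. Keep both as the literal strings the user types, e.g. "<literal>ftp</literal> and all ports whose names begin with <literal>http</literal>", so the prose matches the option argument.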
@@ -1489,14 +1489,14 @@ way.</para>
that ports 25/tcp, 80/tcp, and 53/udp are open. Using its
<filename>nmap-services</filename> database of about 2,200 well-known services,
Nmap would report that those ports probably correspond to a
mail server (smtp), web server (http), and name server (DNS)
mail server (SMTP), web server (HTTP), and name server (DNS)
respectively. This lookup is usually accurate&mdash;the vast
majority of daemons listening on TCP port 25 are, in fact, mail
servers. However, you should not bet your security on this!
People can and do run services on strange ports.</para>
<para>Even if Nmap is right, and the hypothetical server above is
running smtp, http, and dns servers, that is not a lot of
running SMTP, HTTP, and DNS servers, that is not a lot of
information. When doing vulnerability assessments (or even simple
network inventories) of your companies or clients, you really want
to know which mail and DNS servers and versions are
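Review bot: "of your companies or clients" on the context line after the second change should read "of your company or clients" (or "company's"); the paragraph is already being edited, so this is a cheap fix to fold in.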
@@ -1511,7 +1511,7 @@ way.</para>
<filename>nmap-service-probes</filename> database contains probes
for querying various services and match expressions to recognize
and parse responses. Nmap tries to determine the service protocol
(e.g. ftp, ssh, telnet, http), the application name (e.g. ISC
(e.g. FTP, SSH, telnet, http), the application name (e.g. ISC
Bind, Apache httpd, Solaris telnetd), the version number,
hostname, device type (e.g. printer, router), the OS family
(e.g. Windows, Linux) and sometimes miscellaneous details like
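Review bot: the changed line capitalizes FTP and SSH but leaves "telnet" and "http" lowercase in the same list; either treat all four as protocol names (FTP, SSH, Telnet, HTTP) or keep all four as the lowercase service names that nmap-service-probes reports. The application names on the following line ("Apache httpd", "Solaris telnetd") are program names and can keep their own casing.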
@@ -1540,7 +1540,7 @@ way.</para>
on the port. Please take a couple minutes to make the submission
so that your find can benefit everyone. Thanks to these
submissions, Nmap has about 3,000 pattern matches for more than
350 protocols such as smtp, ftp, http, etc.</para>
350 protocols such as SMTP, FTP, HTTP, etc.</para>
<para>Version detection is enabled and controlled with the
following options:</para>
@@ -1715,8 +1715,8 @@ way.</para>
fluctuate. It is generally better to use the English
classification such as <quote>worthy challenge</quote> or <quote>trivial joke</quote>. This
is only reported in normal output in verbose (<option>-v</option>)
mode. When verbose mode is enabled along with <option>-O</option>, IPID Sequence
Generation is also reported. Most machines are in the
mode. When verbose mode is enabled along with <option>-O</option>, IPID sequence
generation is also reported. Most machines are in the
<quote>incremental</quote> class, which means that they increment the ID
field in the IP header for each packet they send. This makes them
vulnerable to several advanced information gathering and
@@ -1865,7 +1865,7 @@ way.</para>
to): </para>
<para>
<emphasis>Enhanced Version-detection</emphasis> (category
<emphasis>Enhanced version detection</emphasis> (category
<literal>version</literal>)&mdash;While Nmap already offers its Service and
Version detection system, which is unmatched in terms of efficiency and
scope, this power has its downside when it comes to services requiring more
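Review bot: "Enhanced version detection" is lowercased on the changed line, but the continuation on the very next line still says "its Service and Version detection system" with capitals; lowercase "service and version detection" there as well, or the sentence contradicts its own heading.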
@@ -1923,9 +1923,9 @@ way.</para>
(called a <literal>hostrule</literal> or <literal>portrule</literal>
respectively) and an <literal>action</literal> to be carried out if the test
returns true. Scripts have access to most information gathered by Nmap
during earlier stages. For each host this includes the ip, hostname and (if
during earlier stages. For each host this includes the IP address, hostname and (if
available) operating system. If a script is targeted at a port it has access
to the portnumber, the protocol (tcp, udp or ssl), the service running
to the portnumber, the protocol (<literal>tcp</literal>, <literal>udp</literal> or <literal>ssl</literal>), the service running
behind that port, and optionally information from a version-scan.
NSE-scripts have by convention a <literal>.nse</literal>-extension. Although
you are not required to follow this for the moment, this may change in the
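Review bot: the changed line keeps "portnumber", which should be "port number"; the following context lines carry the same kind of stray hyphenation ("version-scan", "NSE-scripts", ".nse-extension") that should be "version scan", "NSE scripts" and ".nse extension". Since this hunk is already reworking the sentence, fix them in the same pass.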
@@ -2180,7 +2180,7 @@ more likely to get through a firewall. Look at the maximum round trip
time out of ten packets or so. You might want to double that for the
<option>--initial-rtt-timeout</option> and triple or quadruple it for
the <option>--max-rtt-timeout</option>. I generally do not set the
maximum rtt below 100ms, no matter what the ping times are. Nor do I
maximum RTT below 100ms, no matter what the ping times are. Nor do I
exceed 1000ms.</para>
<para><option>--min-rtt-timeout</option> is a rarely used option that
@@ -2321,7 +2321,7 @@ worth the extra time.</para>
<varlistentry>
<term>
<option>-T
&lt;Paranoid|Sneaky|Polite|Normal|Aggressive|Insane&gt;</option>
&lt;paranoid|sneaky|polite|normal|aggressive|insane&gt;</option>
(Set a timing template)
<indexterm><primary>--T</primary></indexterm>
</term>
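Review bot: the indexterm on the last context line reads "--T" with two dashes, but the option itself, two lines above, is "-T"; fix the index entry so the rendered index points at the real option. Lowercasing the template names in the synopsis is fine, but the prose that follows still refers to the modes with capitals, so the two need to be brought in line together.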
@@ -2340,7 +2340,7 @@ evasion. Polite mode slows down the scan to use less bandwidth and
target machine resources. Normal mode is the default and so
<option>-T3</option> does nothing. Aggressive mode speeds scans up by
making the assumption that you are on a reasonably fast and reliable
network. Finally Insane mode assumes that you are on an
network. Finally insane mode assumes that you are on an
extraordinarily fast network or are willing to sacrifice some accuracy
for speed.</para>
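Review bot: only "Insane" is lowercased in this paragraph; "Polite mode", "Normal mode" and "Aggressive mode" on the preceding context lines keep their capital, so after this change the paragraph mixes both styles within a few sentences. Lowercase all the mode names, matching the lowercased "-T <paranoid|sneaky|...>" synopsis in the previous hunk.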
@@ -2364,7 +2364,7 @@ recommend always using <option>-T4</option>. Some people love
sometimes specify <option>-T2</option> because they think it is less
likely to crash hosts or because they consider themselves to be polite
in general. They often don't realize just how slow <option>-T
Polite</option> really is. Their scan may take ten times longer than a
polite</option> really is. Their scan may take ten times longer than a
default scan.
Machine crashes and bandwidth problems are rare with the
default timing options (<option>-T3</option>) and so I normally
@@ -2424,7 +2424,7 @@ It even supports mechanisms for bypassing poorly implemented
defenses. One of the best methods of understanding your
network security posture is to try to defeat it. Place yourself in
the mindset of an attacker, and deploy techniques from this section
against your networks. Launch an FTP bounce scan, Idle scan,
against your networks. Launch an FTP bounce scan, idle scan,
fragmentation attack, or try to tunnel through one of your own
proxies.</para>
@@ -2495,7 +2495,7 @@ lists the relevant options and describes what they do.</para>
networks. Some source
systems defragment outgoing packets in the kernel. Linux
with the iptables connection tracking module is one such
example. Do a scan while a sniffer such as Ethereal
example. Do a scan while a sniffer such as <application>Wireshark</application>
is running to ensure that sent packets are
fragmented. If your host OS is causing problems, try the <option>--send-eth</option> option to bypass the IP layer and send raw ethernet frames.</para>
</listitem>
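Review bot: swapping Ethereal for <application>Wireshark</application> is a content update reflecting the project's rename, not a capitalization change, and should be called out in the commit message. On the last line of the hunk, "raw ethernet frames" should become "Ethernet" if the goal of this commit is consistent capitalization; the same lowercase "ethernet" appears in the --send-eth description later in the diff.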
@@ -2523,7 +2523,7 @@ lists the relevant options and describes what they do.</para>
represent the position for your real IP address. If you put
<literal>ME</literal> in the 6th position or later, some
common port scan detectors (such as Solar Designer's
excellent scanlogd) are unlikely to show your IP address at
excellent Scanlogd) are unlikely to show your IP address at
all. If you don't use <literal>ME</literal>, nmap will put
you in a random position. You can also use RND to generate
a random, non-reserved IP address, or RND:&lt;number&gt; to
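Review bot: "scanlogd" is a program name and the guide otherwise keeps program names in their own casing ("Apache httpd", "Solaris telnetd" above), so changing it to "Scanlogd" is questionable; suggest reverting that. The context line just below, "nmap will put you in a random position", uses lowercase "nmap" where the rest of the guide writes "Nmap" (compare "Otherwise Nmap will use the port" in the idle scan hunk); that is the capitalization fix this paragraph actually needs.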
@@ -2612,7 +2612,7 @@ to transfer the requested file.</para>
<para>Secure solutions to these problems exist, often in the form of
application-level proxies or protocol-parsing firewall modules.
Unfortunately there are also easier, insecure solutions. Noting that
DNS replies come from port 53 and active ftp from port 20, many admins
DNS replies come from port 53 and active FTP from port 20, many admins
have fallen into the trap of simply allowing incoming traffic from
those ports. They often assume that no attacker would notice and
exploit such firewall holes. In other cases, admins consider this a
@@ -2741,7 +2741,7 @@ support the option completely, as does UDP scan.</para>
<varlistentry>
<term>
<option>--spoof-mac &lt;mac address, prefix, or vendor
<option>--spoof-mac &lt;MAC address, prefix, or vendor
name&gt;</option> (Spoof MAC address)
<indexterm><primary>--spoof-mac</primary></indexterm>
</term>
@@ -2862,7 +2862,7 @@ described below.</para>
<variablelist><title>Nmap Output Formats</title>
<varlistentry>
<term>
<option>-oN &lt;filespec&gt;</option> (Normal output)
<option>-oN &lt;filespec&gt;</option> (normal output)
<indexterm><primary>-oN</primary></indexterm></term>
<listitem>
@@ -2932,7 +2932,7 @@ described below.</para>
<varlistentry>
<term>
<option>-oG &lt;filespec&gt;</option> (Grepable output)
<option>-oG &lt;filespec&gt;</option> (grepable output)
<indexterm><primary>-oG</primary></indexterm></term>
<listitem>
@@ -2947,9 +2947,9 @@ output for lack of a place to put them.</para>
<para>Nevertheless, grepable output is still quite popular. It is a
simple format that lists each host on one line and can be trivially
searched and parsed with standard UNIX tools such as grep, awk, cut,
searched and parsed with standard Unix tools such as grep, awk, cut,
sed, diff, and Perl. Even I usually use it for one-off tests done at the
command line. Finding all the hosts with the ssh port open or that
command line. Finding all the hosts with the SSH port open or that
are running Solaris takes only a simple grep to identify the hosts,
piped to an awk or cut command to print the desired fields.</para>
@@ -2991,7 +2991,7 @@ url="http://www.unspecific.com/nmap-oG-output" />.</para>
<replaceable>basename</replaceable>.gnmap, respectively.
As with most programs, you can prefix the filenames with a
directory path, such as
<filename>~/nmaplogs/foocorp/</filename> on UNIX or
<filename>~/nmaplogs/foocorp/</filename> on Unix or
<filename>c:\hacking\sco</filename> on Windows.</para>
</listitem>
</varlistentry>
@@ -3131,7 +3131,7 @@ overwhelming requests. Specify <option>--open</option> to only see
messages use a different system that does not yet support
this option. An alternative to using this option is
redirecting interactive output (including the standard error
stream) to a file. While most UNIX shells make that
stream) to a file. While most Unix shells make that
approach easy, it can be difficult on Windows.</para>
</listitem>
</varlistentry>
@@ -3305,7 +3305,7 @@ overwhelming requests. Specify <option>--open</option> to only see
<para>This option enables additional advanced and
aggressive options. I haven't decided exactly which it
stands for yet. Presently this enables OS Detection
stands for yet. Presently this enables OS detection
(<option>-O</option>), version scanning (<option>-sV</option>),
script scanning (<option>-sC</option>) and
traceroute (<option>--traceroute</option>). More features may be
@@ -3389,10 +3389,10 @@ overwhelming requests. Specify <option>--open</option> to only see
link) layer rather than the higher IP (network) layer. By
default, Nmap chooses the one which is generally best for
the platform it is running on. Raw sockets (IP layer) are
generally most efficient for UNIX machines, while ethernet
generally most efficient for Unix machines, while ethernet
frames are required for Windows operation since Microsoft
disabled raw socket support. Nmap still uses raw IP packets
on UNIX despite this option when there is no other choice
on Unix despite this option when there is no other choice
(such as non-ethernet connections).</para>
</listitem>
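Review bot: both changed lines switch UNIX to Unix but leave "ethernet" and "non-ethernet" lowercase on the surrounding lines; Ethernet is a proper noun and should be capitalized in the same pass, especially in the paragraph documenting --send-eth.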
@@ -3422,7 +3422,7 @@ overwhelming requests. Specify <option>--open</option> to only see
<para>Tells Nmap to simply assume that it is privileged
enough to perform raw socket sends, packet sniffing, and
similar operations that usually require root privileges on
UNIX systems. By default Nmap quits if such operations are
Unix systems. By default Nmap quits if such operations are
requested but geteuid() is not
zero. <option>--privileged</option> is useful with Linux
kernel capabilities and similar systems that may be
@@ -3542,7 +3542,7 @@ overwhelming requests. Specify <option>--open</option> to only see
<option>v</option> / <option>V</option>
</term>
<listitem>
<para>Increase / Decrease the Verbosity</para>
<para>Increase / decrease the verbosity level</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -3550,7 +3550,7 @@ overwhelming requests. Specify <option>--open</option> to only see
<option>d</option> / <option>D</option>
</term>
<listitem>
<para>Increase / Decrease the Debugging Level</para>
<para>Increase / decrease the debugging Level</para>
</listitem>
</varlistentry>
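Review bot: "debugging Level" on the changed line still has a capital L; the matching verbosity entry in the previous hunk was changed to "the verbosity level", so this should read "Increase / decrease the debugging level".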
<varlistentry>
@@ -3558,7 +3558,7 @@ overwhelming requests. Specify <option>--open</option> to only see
<option>p</option> / <option>P</option>
</term>
<listitem>
<para>Turn on / off Packet Tracing</para>
<para>Turn on / off packet tracing</para>
</listitem>
</varlistentry>
<varlistentry>
@@ -3630,10 +3630,10 @@ overwhelming requests. Specify <option>--open</option> to only see
<para>Launches host enumeration and a TCP scan at the first half
of each of the 255 possible 8 bit subnets in the 198.116 class B
address space. This tests whether the systems run sshd, DNS,
pop3d, imapd, or port 4564. For any of these ports found open,
version detection is used to determine what application is
running.</para>
address space. This tests whether the systems run SSH, DNS, POP3,
or IMAP on their standard ports, or anything on port 4564. For any
of these ports found open, version detection is used to determine
what application is running.</para>
<para>
<userinput>nmap -v -iR 100000 -P0 -p 80</userinput>
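Review bot: this hunk rewrites the example's description (sshd/pop3d/imapd become SSH/POP3/IMAP "on their standard ports"), which is a wording change rather than a capitalization fix and deserves a line in the commit message. On the unchanged context lines, "8 bit subnets" should be "8-bit subnets", and a /16 contains 256 /24 subnets, so "255 possible" undercounts by one unless the command deliberately skips one.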
@@ -3664,7 +3664,7 @@ overwhelming requests. Specify <option>--open</option> to only see
url="http://insecure.org/nmap/"/>. If the problem persists,
do some research to determine whether it has already been
discovered and addressed. Try Googling the error message or
browsing the Nmap-dev archives at <ulink
browsing the nmap-dev archives at <ulink
url="http://seclists.org/" />. Read this full munual page as
well. If nothing comes of this, mail a bug report to
<email>nmap-dev@insecure.org</email>. Please include everything
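Review bot: "munual page" on the context line after the change is a typo for "manual page"; worth fixing while this paragraph is being touched, since it is the sentence that tells users where to look before filing a bug.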


@@ -337,7 +337,7 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
proxy->host.setHostName(name);
if (resolve(name, &ss, &sslen, o.pf()) == 0) {
fatal("Could not resolve idlescan zombie host: %s", name);
fatal("Could not resolve idle scan zombie host: %s", name);
}
proxy->host.setTargetSockAddr(&ss, sslen);
@@ -489,7 +489,7 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
}
if (probes_returned == 0)
fatal("Idlescan zombie %s (%s) port %hu cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.",
fatal("Idle scan zombie %s (%s) port %hu cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.",
proxy->host.HostName(), proxy->host.targetipstr(),
proxy->probe_port);
@@ -497,10 +497,10 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
switch(proxy->seqclass) {
case IPID_SEQ_INCR:
case IPID_SEQ_BROKEN_INCR:
log_write(LOG_PLAIN, "Idlescan using zombie %s (%s:%hu); Class: %s\n", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port, ipidclass2ascii(proxy->seqclass));
log_write(LOG_PLAIN, "Idle scan using zombie %s (%s:%hu); Class: %s\n", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port, ipidclass2ascii(proxy->seqclass));
break;
default:
fatal("Idlescan zombie %s (%s) port %hu cannot be used because IPID sequencability class is: %s. Try another proxy.", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port, ipidclass2ascii(proxy->seqclass));
fatal("Idle scan zombie %s (%s) port %hu cannot be used because IPID sequencability class is: %s. Try another proxy.", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port, ipidclass2ascii(proxy->seqclass));
}
proxy->latestid = ipids[probes_returned - 1];
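Review bot: "sequencability" on the changed fatal() line is misspelled; "IPID sequence class" (matching the ipidclass2ascii() call on the same line) or "sequenceability" reads better. In the LOG_PLAIN line, "Class:" keeps a capital after the semicolon while the rest of this commit lowercases such mid-sentence words; lowercase it for consistency with the message style being introduced.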
@@ -509,7 +509,7 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName,
if (probes_returned < NUM_IPID_PROBES) {
/* Yikes! We're already losing packets ... clamp down a bit ... */
if (o.debugging)
error("idlescan initial zombie qualification test: %d probes sent, only %d returned", NUM_IPID_PROBES, probes_returned);
error("Idle scan initial zombie qualification test: %d probes sent, only %d returned", NUM_IPID_PROBES, probes_returned);
proxy->current_groupsz = MIN(12, proxy->max_groupsz);
proxy->current_groupsz = MAX(proxy->current_groupsz, proxy->min_groupsz);
proxy->senddelay += 5000;
@@ -605,7 +605,7 @@ static void adjust_idle_timing(struct idle_proxy_info *proxy,
if (!notidlewarning && o.verbose) {
notidlewarning = 1;
error("WARNING: Idlescan has erroneously detected phantom ports -- is the proxy %s (%s) really idle?", proxy->host.HostName(), proxy->host.targetipstr());
error("WARNING: idle scan has erroneously detected phantom ports -- is the proxy %s (%s) really idle?", proxy->host.HostName(), proxy->host.targetipstr());
}
} else {
/* W00p We got a perfect match. That means we get a slight increase
@@ -622,10 +622,10 @@ static void adjust_idle_timing(struct idle_proxy_info *proxy,
}
/* OK, now this is the hardcore idlescan function which actually does
/* OK, now this is the hardcore idle scan function which actually does
the testing (most of the other cruft in this file is just
coordination, preparation, etc). This function simply uses the
Idlescan technique to try and count the number of open ports in the
idle scan technique to try and count the number of open ports in the
given port array. The sent_time and rcv_time are filled in with
the times that the probe packet & response were sent/received.
They can be NULL if you don't want to use them. The purpose is for
@@ -722,7 +722,7 @@ static int idlescan_countopen2(struct idle_proxy_info *proxy,
if (tries == 0 && sleeptime < 500)
sleeptime = 500;
if (o.debugging > 1) error("In preparation for idlescan probe try #%d, sleeping for %d usecs", tries, sleeptime);
if (o.debugging > 1) error("In preparation for idle scan probe try #%d, sleeping for %d usecs", tries, sleeptime);
if (sleeptime > 0)
usleep(sleeptime);
@@ -786,7 +786,7 @@ static int idlescan_countopen2(struct idle_proxy_info *proxy,
/* The job of this function is to use the Idlescan technique to count
/* The job of this function is to use the idle scan technique to count
the number of open ports in the given list. Under the covers, this
function just farms out the hard work to another function */
static int idlescan_countopen(struct idle_proxy_info *proxy,
@@ -818,7 +818,7 @@ static int idlescan_countopen(struct idle_proxy_info *proxy,
if (openports < 0 || openports > numports ) {
/* Oh f*ck!!!! */
fatal("Idlescan is unable to obtain meaningful results from proxy %s (%s). I'm sorry it didn't work out.", proxy->host.HostName(),
fatal("Idle scan is unable to obtain meaningful results from proxy %s (%s). I'm sorry it didn't work out.", proxy->host.HostName(),
proxy->host.targetipstr());
}
@@ -827,7 +827,7 @@ static int idlescan_countopen(struct idle_proxy_info *proxy,
return openports;
}
/* Recursively Idlescans scans a group of ports using a depth-first
/* Recursively idle scans scans a group of ports using a depth-first
divide-and-conquer strategy to find the open one(s) */
static int idle_treescan(struct idle_proxy_info *proxy, Target *target,
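Review bot: the changed comment keeps the doubled word "scans scans"; suggest "Recursively idle-scans a group of ports using a depth-first divide-and-conquer strategy to find the open one(s)".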
@@ -844,7 +844,7 @@ static int idle_treescan(struct idle_proxy_info *proxy, Target *target,
if (o.debugging > 1) {
error("%s: Called against %s with %d ports, starting with %hu. expectedopen: %d", __func__, target->targetipstr(), numports, ports[0], expectedopen);
error("IDLESCAN TIMING: grpsz: %.3f delay: %d srtt: %d rttvar: %d\n",
error("IDLE SCAN TIMING: grpsz: %.3f delay: %d srtt: %d rttvar: %d\n",
proxy->current_groupsz, proxy->senddelay, target->to.srtt,
target->to.rttvar);
}
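Review bot: the changed error() format string ends with "\n" while the error() call on the line directly above it does not; if error() appends its own newline, as the first call assumes, the IDLE SCAN TIMING line will be followed by a blank line in debug output. Drop the trailing "\n" here or make both calls consistent.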
@@ -978,11 +978,11 @@ void idle_scan(Target *target, u16 *portarray, int numports,
int portsleft;
time_t starttime;
char scanname[32];
Snprintf(scanname, sizeof(scanname), "Idlescan against %s", target->NameIP());
Snprintf(scanname, sizeof(scanname), "idle scan against %s", target->NameIP());
ScanProgressMeter SPM(scanname);
if (numports == 0) return; /* nothing to scan for */
if (!proxyName) fatal("Idlescan requires a proxy host");
if (!proxyName) fatal("idle scan requires a proxy host");
if (*lastproxy && strcmp(proxyName, lastproxy))
fatal("%s: You are not allowed to change proxies midstream. Sorry", __func__);
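Review bot: the two messages changed here start in lowercase ("idle scan against %s", "idle scan requires a proxy host") while the other fatal()/error() strings changed in this file begin with "Idle scan ..."; both of these are sentence-initial, and the first is the label shown by the ScanProgressMeter, so capitalize them to match the rest of the file's messages.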

nmap.cc

@@ -235,9 +235,9 @@ printf("%s %s ( %s )\n"
" -sU: UDP Scan\n"
" -sN/sF/sX: TCP Null, FIN, and Xmas scans\n"
" --scanflags <flags>: Customize TCP scan flags\n"
" -sI <zombie host[:probeport]>: Idlescan\n"
" -sI <zombie host[:probeport]>: Idle scan\n"
" -sO: IP protocol scan\n"
" -b <ftp relay host>: FTP bounce scan\n"
" -b <FTP relay host>: FTP bounce scan\n"
" --traceroute: Trace hop path to each host\n"
" --reason: Display the reason a port is in a particular state\n"
"PORT SPECIFICATION AND SCAN ORDER:\n"
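Review bot: the help text is what users see first, and after this hunk it mixes "-sU: UDP Scan" and "-sI ...: Idle scan" (capital Scan/Idle) with "-sO: IP protocol scan" and "-b ...: FTP bounce scan" (lowercase scan) on adjacent lines; also "TCP Null, FIN, and Xmas scans" keeps a capital "Null" although the reference guide in this same commit lowercases it to "null, FIN, and Xmas scans". Pick one convention for the usage block and apply it to every line.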
@@ -469,7 +469,7 @@ int nmap_main(int argc, char *argv[]) {
short randomize=1;
short quashargv = 0;
char **host_exp_group;
char *idleProxy = NULL; /* The idle host used to "Proxy" an Idlescan */
char *idleProxy = NULL; /* The idle host used to "Proxy" an idle scan */
int num_host_exp_groups;
char *machinefilename = NULL, *kiddiefilename = NULL,
*normalfilename = NULL, *xmlfilename = NULL;
@@ -1390,17 +1390,17 @@ int nmap_main(int argc, char *argv[]) {
}
/* If he wants to bounce off of an ftp site, that site better damn well be reachable! */
/* If he wants to bounce off of an FTP site, that site better damn well be reachable! */
if (o.bouncescan) {
if (!inet_pton(AF_INET, ftp.server_name, &ftp.server)) {
if ((target = gethostbyname(ftp.server_name)))
memcpy(&ftp.server, target->h_addr_list[0], 4);
else {
fatal("Failed to resolve ftp bounce proxy hostname/IP: %s",
fatal("Failed to resolve FTP bounce proxy hostname/IP: %s",
ftp.server_name);
}
} else if (o.verbose)
log_write(LOG_STDOUT, "Resolved ftp bounce attack proxy to %s (%s).\n",
log_write(LOG_STDOUT, "Resolved FTP bounce attack proxy to %s (%s).\n",
ftp.server_name, inet_ntoa(ftp.server));
}
fflush(stdout);
@@ -2400,7 +2400,7 @@ char *scantype2str(stype scantype) {
case FIN_SCAN: return "FIN Scan"; break;
case XMAS_SCAN: return "XMAS Scan"; break;
case UDP_SCAN: return "UDP Scan"; break;
case CONNECT_SCAN: return "Connect() Scan"; break;
case CONNECT_SCAN: return "Connect Scan"; break;
case NULL_SCAN: return "NULL Scan"; break;
case WINDOW_SCAN: return "Window Scan"; break;
case RPC_SCAN: return "RPCGrind Scan"; break;
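Review bot: scantype2str() returns string literals through a plain "char *" return type (see the @@ header line); declare it "const char *" so callers cannot write into the literals, since C++ deprecates the implicit conversion. The "break;" after each "return" is unreachable and can go. If the point of this commit is consistent naming, "XMAS Scan" and "NULL Scan" in the neighbouring cases also differ from the "Xmas" and "null" spellings used in the documentation hunks.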
@@ -2426,7 +2426,7 @@ char *statenum2str(int state) {
switch(state) {
case PORT_OPEN: return "open"; break;
case PORT_FILTERED: return "filtered"; break;
case PORT_UNFILTERED: return "UNfiltered"; break;
case PORT_UNFILTERED: return "unfiltered"; break;
case PORT_CLOSED: return "closed"; break;
case PORT_OPENFILTERED: return "open|filtered"; break;
case PORT_CLOSEDFILTERED: return "closed|filtered"; break;
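Review bot: lowering "UNfiltered" to "unfiltered" is the right fix, since every other state string in this switch is lowercase and the reference guide documents the states as <literal>open</literal>, <literal>closed</literal>, <literal>filtered</literal>; but it changes a user-visible port state string, so note it in the changelog, because scripts that parse normal or grepable output may match on the old spelling. statenum2str() should also return "const char *", as with scantype2str().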
@@ -2456,7 +2456,7 @@ int ftp_anon_connect(struct ftpinfo *ftp) {
sock.sin_port = htons(ftp->port);
res = connect(sd, (struct sockaddr *) &sock, sizeof(struct sockaddr_in));
if (res < 0 ) {
fatal("Your ftp bounce proxy server won't talk to us!");
fatal("Your FTP bounce proxy server won't talk to us!");
}
if (o.verbose || o.debugging) log_write(LOG_STDOUT, "Connected:");
while ((res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1,7, NULL)) > 0)
@@ -2465,7 +2465,7 @@ int ftp_anon_connect(struct ftpinfo *ftp) {
log_write(LOG_STDOUT, "%s", recvbuf);
}
if (res < 0) {
pfatal("recv problem from ftp bounce server");
pfatal("recv problem from FTP bounce server");
}
Snprintf(command, 511, "USER %s\r\n", ftp->user);
@@ -2473,12 +2473,12 @@ int ftp_anon_connect(struct ftpinfo *ftp) {
send(sd, command, strlen(command), 0);
res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1,12, NULL);
if (res <= 0) {
pfatal("recv problem from ftp bounce server");
pfatal("recv problem from FTP bounce server");
}
recvbuf[res] = '\0';
if (o.debugging) log_write(LOG_STDOUT, "sent username, received: %s", recvbuf);
if (recvbuf[0] == '5') {
fatal("Your ftp bounce server doesn't like the username \"%s\"", ftp->user);
fatal("Your FTP bounce server doesn't like the username \"%s\"", ftp->user);
}
Snprintf(command, 511, "PASS %s\r\n", ftp->pass);
@@ -2486,14 +2486,14 @@ int ftp_anon_connect(struct ftpinfo *ftp) {
send(sd, command, strlen(command), 0);
res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1,12, NULL);
if (res < 0) {
pfatal("recv problem from ftp bounce server");
pfatal("recv problem from FTP bounce server");
}
if (!res) error("Timeout from bounce server ...");
else {
recvbuf[res] = '\0';
if (o.debugging) log_write(LOG_STDOUT, "sent password, received: %s", recvbuf);
if (recvbuf[0] == '5') {
fatal("Your ftp bounce server refused login combo (%s/%s)",
fatal("Your FTP bounce server refused login combo (%s/%s)",
ftp->user, ftp->pass);
}
}
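Review bot: the changed fatal() call prints the FTP password (ftp->pass) in clear text on the terminal and wherever fatal() messages are logged; print only the username ("refused login for user %s") and let the user re-check the password themselves, so that scan logs shared for troubleshooting do not carry credentials.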
@@ -2503,9 +2503,9 @@ int ftp_anon_connect(struct ftpinfo *ftp) {
log_write(LOG_STDOUT, "%s", recvbuf);
}
if (res < 0) {
pfatal("recv problem from ftp bounce server");
pfatal("recv problem from FTP bounce server");
}
if (o.verbose) log_write(LOG_STDOUT, "Login credentials accepted by ftp server!\n");
if (o.verbose) log_write(LOG_STDOUT, "Login credentials accepted by FTP server!\n");
ftp->sd = sd;
return sd;


@@ -4618,7 +4618,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
if (o.verbose || o.debugging) {
struct tm *tm = localtime(&starttime);
assert(tm);
log_write(LOG_STDOUT, "Initiating TCP ftp bounce scan against %s at %02d:%02d\n", target->NameIP(hostname, sizeof(hostname)), tm->tm_hour, tm->tm_min );
log_write(LOG_STDOUT, "Initiating TCP FTP bounce scan against %s at %02d:%02d\n", target->NameIP(hostname, sizeof(hostname)), tm->tm_hour, tm->tm_min );
}
for(i=0; i < numports; i++) {
@@ -4635,7 +4635,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
gh_perror("send in %s", __func__);
if (retriesleft) {
if (o.verbose || o.debugging)
log_write(LOG_STDOUT, "Our ftp proxy server hung up on us! retrying\n");
log_write(LOG_STDOUT, "Our FTP proxy server hung up on us! retrying\n");
retriesleft--;
close(sd);
ftp->sd = ftp_anon_connect(ftp);
@@ -4652,7 +4652,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
} else { /* Our send is good */
res = recvtime(sd, recvbuf, 2048, 15, NULL);
if (res <= 0)
perror("recv problem from ftp bounce server");
perror("recv problem from FTP bounce server");
else { /* our recv is good */
recvbuf[res] = '\0';
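Review bot: perror() is called whenever res <= 0, but the res == 0 case is a timeout or orderly close from recvtime() (the later hunk in this function distinguishes it with the timedout flag) and sets no errno, so the message will carry a stale or meaningless reason. Report the timeout separately from the error case, or use error() with an explicit explanation when res == 0.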
@@ -4660,10 +4660,10 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
portarray[i], recvbuf);
if (recvbuf[0] == '5') {
if (portarray[i] > 1023) {
fatal("Your ftp bounce server sucks, it won't let us feed bogus ports!");
fatal("Your FTP bounce server sucks, it won't let us feed bogus ports!");
}
else {
error("Your ftp bounce server doesn't allow privileged ports, skipping them.");
error("Your FTP bounce server doesn't allow privileged ports, skipping them.");
while(i < numports && portarray[i] < 1024) i++;
if (!portarray[i]) {
fatal("And you didn't want to scan any unpriviliged ports. Giving up.");
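Review bot: "unpriviliged" on the last line of the hunk is a typo for "unprivileged". Also, "Your FTP bounce server sucks" is coarse for a user-facing error; since the condition tested is portarray[i] > 1023, something like "refuses to send to ports above 1023" describes what actually went wrong.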
@@ -4674,7 +4674,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports,
if (send(sd, "LIST\r\n", 6, 0) > 0 ) {
res = recvtime(sd, recvbuf, 2048,12, &timedout);
if (res < 0) {
perror("recv problem from ftp bounce server");
perror("recv problem from FTP bounce server");
} else if (res == 0) {
if (timedout)
target->ports.addPort(portarray[i], IPPROTO_TCP, NULL,


@@ -550,7 +550,7 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
ping = (struct ppkt *) ((ip->ip_hl * 4) + (char *) ip);
switch(ping->type) {
case 0:
strcpy(icmptype, "Echo reply"); break;
strcpy(icmptype, "echo reply"); break;
case 3:
ip2 = (struct ip *) ((char *) ip + (ip->ip_hl * 4) + 8);
tcp = (struct tcp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
@@ -625,7 +625,7 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
else strcpy(icmptype, "unknown redirect");
break;
case 8:
strcpy(icmptype, "Echo request"); break;
strcpy(icmptype, "echo request"); break;
case 11:
if (ping->code == 0)
strcpy(icmptype, "TTL=0 during transit");