From 4dc86189650e04f3395441650fcb9c1ea1fdc5df Mon Sep 17 00:00:00 2001
From: fyodor
Date: Mon, 3 Sep 2007 02:55:01 +0000
Subject: [PATCH] capitalization changes
---
 docs/nmap.1 | 62 ++++++++++----------
 docs/nmap.dtd | 2 +-
 docs/nmap.usage.txt | 2 +-
 docs/refguide.xml | 136 ++++++++++++++++++++++----------------------
 idle_scan.cc | 30 +++++-----
 nmap.cc | 32 +++++------
 scan_engine.cc | 12 ++--
 tcpip.cc | 4 +-
 8 files changed, 141 insertions(+), 139 deletions(-)
diff --git a/docs/nmap.1 b/docs/nmap.1
index 45a3c1788..7972f7a49 100644
--- a/docs/nmap.1
+++ b/docs/nmap.1
@@ -77,7 +77,7 @@ PORT STATE SERVICE VERSION
 1002/tcp open windows\-icfw?
 1025/tcp open msrpc Microsoft Windows RPC
 1720/tcp open H\.323/Q\.931 CompTek AquaGateKeeper
-5800/tcp open vnc\-http RealVNC 4\.0 (Resolution 400x250; VNC TCP port: 5900)
+5800/tcp open vnc\-http RealVNC 4\.0 (Resolution 400x250; VNC port: 5900)
 5900/tcp open vnc VNC (protocol 3\.8)
 MAC Address: 00:A0:CC:63:85:4B (Lite\-on Communications)
 Device type: general purpose
@@ -603,7 +603,7 @@ open|filtered\. The port is marked filtered if an ICMP unreachable error (type 3, code 1, 2, 3, 9, 10, or 13) is received\. .sp -The key advantage to these scan types is that they can sneak through certain non\-stateful firewalls and packet filtering routers\. Another advantage is that these scan types are a little more stealthy than even a SYN scan\. Don\'t count on this though \-\- most modern IDS products can be configured to detect them\. The big downside is that not all systems follow RFC 793 to the letter\. A number of systems send RST responses to the probes regardless of whether the port is open or not\. This causes all of the ports to be labeled +The key advantage to these scan types is that they can sneak through certain non\-stateful firewalls and packet filtering routers\. Another advantage is that these scan types are a little more stealthy than even a SYN scan\. Don\'t count on this though\(emmost modern IDS products can be configured to detect them\. The big downside is that not all systems follow RFC 793 to the letter\. A number of systems send RST responses to the probes regardless of whether the port is open or not\. This causes all of the ports to be labeled closed\. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400\. This scan does work against most UNIX\-based systems though\. Another downside of these scans is that they can\'t distinguish open ports from certain 
@@ -756,6 +756,7 @@ and at least one TCP scan type (such as \fB\-sS\fR, \fB\-sF\fR, or \fB\-sT\fR)\. If no protocol qualifier is given, the port numbers are added to all protocol lists\. +.sp Ports can also be specified by name according to what the port is referred to in the \fInmap\-services\fR\. You can even use the wildcards * and ? with the names\. For example, to scan ftp and all ports whose names begin with http, use \fB\-p ftp,http*\fR\. Be careful about shell expansions and quote the argument to \-p if unsure\. 
@@ -791,9 +792,9 @@ for sequential port scanning instead\. .PP Point Nmap at a remote machine and it might tell you that ports 25/tcp, 80/tcp, and 53/udp are open\. Using its \fInmap\-services\fR -database of about 2,200 well\-known services, Nmap would report that those ports probably correspond to a mail server (SMTP), web server (HTTP), and name server (DNS) respectively\. This lookup is usually accurate \-\- the vast majority of daemons listening on TCP port 25 are, in fact, mail servers\. However, you should not bet your security on this! People can and do run services on strange ports\. +database of about 2,200 well\-known services, Nmap would report that those ports probably correspond to a mail server (smtp), web server (http), and name server (DNS) respectively\. This lookup is usually accurate\(emthe vast majority of daemons listening on TCP port 25 are, in fact, mail servers\. However, you should not bet your security on this! People can and do run services on strange ports\. .PP -Even if Nmap is right, and the hypothetical server above is running SMTP, HTTP, and DNS servers, that is not a lot of information\. When doing vulnerability assessments (or even simple network inventories) of your companies or clients, you really want to know which mail and DNS servers and versions are running\. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to\. Version detection helps you obtain this information\. +Even if Nmap is right, and the hypothetical server above is running smtp, http, and dns servers, that is not a lot of information\. When doing vulnerability assessments (or even simple network inventories) of your companies or clients, you really want to know which mail and DNS servers and versions are running\. Having an accurate version number helps dramatically in determining which exploits a server is vulnerable to\. Version detection helps you obtain this information\. 
.PP After TCP and/or UDP ports are discovered using one of the other scan methods, version detection interrogates those ports to determine more about what is actually running\. The \fInmap\-service\-probes\fR @@ -818,7 +819,7 @@ Enables version detection, as discussed above\. Alternatively, you can use .PP \fB\-\-allports\fR (Don\'t exclude any ports from version detection) .RS 4 -By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of HTTP get requests, binary SSL session requests, etc\. This behavior can be changed by modifying or removing the +By default, Nmap version detection skips TCP port 9100 because some printers simply print anything sent to that port, leading to dozens of pages of http get requests, binary SSL session requests, etc\. This behavior can be changed by modifying or removing the Exclude directive in \fInmap\-service\-probes\fR, or you can specify @@ -895,7 +896,7 @@ to enable OS detection along with other things\. 2nd generation OS detection is Enables 2nd generation OS detection, but never falls back to the old (1st generation) system, even if it fails to find any match\. This saves time and can reduce the number of packets sent to each target\. .RE .PP -\fB\-O1\fR (1nd Generation OS Detection Only) +\fB\-O1\fR (1st Generation OS Detection Only) .RS 4 Tells Nmap to only use the old OS detection system\. If \fB\-O2\fR 
@@ -904,10 +905,10 @@ just gives you a fingerprint to submit, but you don\'t know what OS the target i \fBdon\'t submit the fingerprint\fR as you don\'t know for sure whether \fB\-O1\fR -guess correctly\. If it was perfect, we wouldn\'t have bothered to create +guessed correctly\. If it was perfect, we wouldn\'t have bothered to create \fB\-O2\fR\. .sp -This option, and all other vestiges of the old OS detection system, will likely be removed in late 2006 or in 2007\. +This option, and all other vestiges of the old OS detection system, will likely be removed in 2007\. .RE .PP \fB\-\-osscan\-limit\fR (Limit OS detection to promising targets) 
@@ -931,23 +932,23 @@ When Nmap performs OS detection against a target and fails to find a perfect mat \fB\-\-max\-os\-tries\fR value (such as 1) speeds Nmap up, though you miss out on retries which could potentially identify the OS\. Alternatively, a high value may be set to allow even more retries when conditions are favorable\. This is rarely done, except to generate better fingerprints for submission and integration into the Nmap OS database\. This option only affects second generation OS detection (\fB\-O2\fR, the default) and not the old system (\fB\-O1\fR)\. .RE -.SH "NSE - SCRIPTING EXTENSION TO THE NMAP NETWORK SCANNER" +.SH "NSE\(emSCRIPTING EXTENSION TO THE NMAP NETWORK SCANNER" .PP The Nmap Scripting Engine (NSE) combines the efficiency of Nmap\'s network handling with the versatility of the lightweight scripting language -\fIlua\fR\&[6], thus providing innumerable opportunities\. A more extensive documentation of the NSE (including its API) can be found at: +\fILua\fR\&[6], thus providing innumerable opportunities\. A more extensive documentation of the NSE (including its API) can be found at: \fI\%http://www.insecure.org/nmap/nse\fR\. The target of the NSE is to provide Nmap with a flexible infrastructure for extending its capabilities and offering its users a simple way of creating customized tests\. Uses for the NSE include (but definitely are not limited to): .PP \fIEnhanced Version\-detection\fR (category -version) \- While Nmap already offers its Service and Version detection system, which is unmatched in terms of efficiency and scope, this power has its downside when it comes to services requiring more complex probes\. The Skype\-Protocol version 2 for instance can be identified by sending 2 independent probes to it, which the builtin system is not laid out for: a simple NSE\-script can do the job and update the port\'s service information\. 
+version)\(emWhile Nmap already offers its Service and Version detection system, which is unmatched in terms of efficiency and scope, this power has its downside when it comes to services requiring more complex probes\. The Skype\-Protocol version 2 for instance can be identified by sending 2 independent probes to it, which the builtin system is not laid out for: a simple NSE\-script can do the job and update the port\'s service information\. .PP \fIMalware\-detection\fR (categories malware and -backdoor)\- Both attackers and worms often leave backdoors \- be it in form of SMTP\-servers listening on uncommon ports mostly used by spammers for mail relay, or in form of an FTP\-server giving crackers access to critical data\. A few lines of lua code can help to identify those loopholes easily\. +backdoor)\- Both attackers and worms often leave backdoors\(embe it in form of SMTP\-servers listening on uncommon ports mostly used by spammers for mail relay, or in form of an FTP\-server giving crackers access to critical data\. A few lines of Lua code can help to identify those loopholes easily\. .PP \fIVulnerability Detection\fR 
@@ -960,7 +961,7 @@ vulnerability)\- NSE\'s capacity in detecting risks ranges from checking for def safe, intrusive and -discovery) \- By providing you with a scripting language and a really efficient asynchronous network API on the one hand and the information gathered during earlier stages of a scan on the other hand the NSE is suited to write "client" programs for the services listening on a target machine\. These "clients" may collect information like: listings of available NFS/SMB/RPC shares, the number of channels of an irc\-network or currently logged on users\. +discovery)\(emBy providing you with a scripting language and a really efficient asynchronous network API on the one hand and the information gathered during earlier stages of a scan on the other hand the NSE is suited to write client programs for the services listening on a target machine\. These clients may collect information like: listings of available NFS/SMB/RPC shares, the number of channels of an irc\-network or currently logged on users\. .PP To reflect those different uses and to simplify the choice of which scripts to run, each script contains a field associating it with one or more of the above mentioned categories\. To maintain the matching from scripts to categories a file called \fIscript\.db\fR 
@@ -969,11 +970,11 @@ is installed along with the distributed scripts\. Therefore, if you, for example and check the output afterwards\. The version\-scripts are always run implicitely when a script\-scan is requested\. The \fIscript\.db\fR -is a lua\-script itself and can be updated through the +is a Lua\-script itself and can be updated through the \fB\-\-script\-updatedb\fR option\. .PP -A NSE\-script basically is a chunk of lua\-code which has (among some informational fields, like name, id and categories) 2 functions: a test whether the particular script should be run against a certain host or port (called a +A NSE\-script basically is a chunk of Lua\-code which has (among some informational fields, like name, id and categories) 2 functions: a test whether the particular script should be run against a certain host or port (called a hostrule or portrule 
@@ -1008,11 +1009,13 @@ subdirectory)\. .PP \fB\-\-script\-args=\fR .RS 4 -lets you provide arguments to NSE\-scripts\. Arguments are passed as name=value pairs\. The provided argument is processed and stored inside a lua\-table, to which all scripts have access\. The names are taken as strings (which have to be alphanumeric values) and used as keys inside the argument\-table\. Values are either strings or tables themselves (starting with a \'{\' and ending with a \'}\')\. Subtables make it possible to override arguments for specific scripts (e\.g\. when you want to provide different login/password pairs for different scripts)\. An argument of -user=bar,password=foo,anonFTP={password=nobody@foobar\.com} -for example results in the following table provided to NSE\-scripts: -t={user="bar",password="foo",anonFTP={password="nobody@foobar\.com"}\. Note, that if you want to override an option to a script, you should index the subtable with the script\'s -id, since this is the only way the script can "know" about it\'s special argument\. +lets you provide arguments to NSE\-scripts\. Arguments are passed as +name=value +pairs\. The provided argument is processed and stored inside a Lua table, to which all scripts have access\. The names are taken as strings (which must be alphanumeric values) and used as keys inside the +argument\-table\. Values are either strings or tables themselves (surrounded by \(oq{\(cq and \(oq}\(cq\. Subtables make it possible to override arguments for specific scripts (e\.g\. when you want to provide different login/password pairs for different scripts)\. For example, you could pass the comma\-separated arguments: +user=bar,password=foo, and +anonFTP={password=nobody@foobar\.com}\. If you want to override an option to a script, you should index the subtable with the script\'s +id, since this is the only way the script knows about its special argument\. .RE .PP \fB\-\-script\-trace\fR 
@@ -1024,7 +1027,7 @@ does, just one ISO layer higher\. If this option is specified all incoming and o .PP \fB\-\-script\-updatedb\fR .RS 4 -updates the script database which stores a mapping from category tags to filenames\. The database is a lua script which is interpreted once to choose a set of scripts from the categories provided to the +updates the script database which stores a mapping from category tags to filenames\. The database is a Lua script which is interpreted once to choose a set of scripts from the categories provided to the \fB\-\-script\fR argument\. It should be run if you have changed the categories @@ -1164,7 +1167,7 @@ ports isn\'t worth the extra time\. .RS 4 While the fine grained timing controls discussed in the previous section are powerful and effective, some people find them confusing\. Moreover, choosing the appropriate values can sometimes take more time than the scan you are trying to optimize\. So Nmap offers a simpler approach, with six timing templates\. You can specify them with the \fB\-T\fR -option and their number (0 \- 5) or their name\. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)\. The first two are for IDS evasion\. Polite mode slows down the scan to use less bandwidth and target machine resources\. Normal mode is the default and so +option and their number (0\(en5) or their name\. The template names are paranoid (0), sneaky (1), polite (2), normal (3), aggressive (4), and insane (5)\. The first two are for IDS evasion\. Polite mode slows down the scan to use less bandwidth and target machine resources\. Normal mode is the default and so \fB\-T3\fR does nothing\. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable network\. Finally Insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed\. .sp 
@@ -1252,7 +1255,7 @@ ME as one of the decoys to represent the position for your real IP address\. If you put ME in the 6th position or later, some common port scan detectors (such as Solar Designer\'s excellent scanlogd) are unlikely to show your IP address at all\. If you don\'t use -ME, nmap will put you in a random position\. +ME, nmap will put you in a random position\. You can also use RND to generate a random, non\-reserved IP address, or RND: to generate addresses\. .sp Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets\. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network\. You might want to use IP addresses instead of names (so the decoy networks don\'t see you in their nameserver logs)\. .sp @@ -1486,8 +1489,6 @@ As with XML output, this man page does not allow for documenting the entire form .PP \fB\-oA \fR (Output to all formats) .RS 4 - - As a convenience, you may specify \fB\-oA \fR\fB\fIbasename\fR\fR to store scan results in normal, XML, and grepable formats at once\. They are stored in @@ -1553,7 +1554,7 @@ may be condensed into counts if there are an overwhelming number of them\. .PP \fB\-\-iflist\fR (List interfaces and routes) .RS 4 -Prints the interface list and system routes as detected by Nmap\. This is useful for debugging routing problems or device mischaracterization (such as Nmap treating a PPP connection as Ethernet)\. +Prints the interface list and system routes as detected by Nmap\. This is useful for debugging routing problems or device mischaracterization (such as Nmap treating a PPP connection as ethernet)\. .RE .PP \fB\-\-log\-errors\fR (Log errors/warnings to normal mode output file) 
@@ -1575,7 +1576,7 @@ option\. All output filenames specified in that Nmap execution will then be appe .PP \fB\-\-resume \fR (Resume aborted scan) .RS 4 -Some extensive Nmap runs take a very long time \-\- on the order of days\. Such scans don\'t always run to completion\. Restrictions may prevent Nmap from being run during working hours, the network could go down, the machine Nmap is running on might suffer a planned or unplanned reboot, or Nmap itself could crash\. The admin running Nmap could cancel it for any other reason as well, by pressing +Some extensive Nmap runs take a very long time\(emon the order of days\. Such scans don\'t always run to completion\. Restrictions may prevent Nmap from being run during working hours, the network could go down, the machine Nmap is running on might suffer a planned or unplanned reboot, or Nmap itself could crash\. The admin running Nmap could cancel it for any other reason as well, by pressing ctrl\-C\. Restarting the whole scan from the beginning may be undesirable\. Fortunately, if normal (\fB\-oN\fR) or grepable (\fB\-oG\fR) logs were kept, the user can ask Nmap to resume scanning with the target it was working on when execution ceased\. Simply specify the \fB\-\-resume\fR option and pass the normal/grepable output file as its argument\. No other arguments are permitted, as Nmap parses the output file to use the same ones specified previously\. Simply call Nmap as 
@@ -1828,7 +1829,7 @@ file which is distributed with Nmap and also available from .SH "LEGAL NOTICES" .SS "Nmap Copyright and Licensing" .PP -The Nmap Security Scanner is (C) 1996\-2005 Insecure\.Com LLC\. Nmap is also a registered trademark of Insecure\.Com LLC\. This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2\. This guarantees your right to use, modify, and redistribute this software under certain conditions\. If you wish to embed Nmap technology into proprietary software, we may be willing to sell alternative licenses (contact +The Nmap Security Scanner is (C) 1996\-2007 Insecure\.Com LLC\. Nmap is also a registered trademark of Insecure\.Com LLC\. This program is free software; you may redistribute and/or modify it under the terms of the GNU General Public License as published by the Free Software Foundation; Version 2\. This guarantees your right to use, modify, and redistribute this software under certain conditions\. If you wish to embed Nmap technology into proprietary software, we may be willing to sell alternative licenses (contact )\. Many security scanner vendors already license Nmap technology such as host discovery, port scanning, OS detection, and service/version detection\. .PP Note that the GPL places important restrictions on 
@@ -1869,12 +1870,13 @@ We don\'t consider these to be added restrictions on top of the GPL, but just a \(lqderived works\(rq as it applies to our GPL\-licensed Nmap product\. This is similar to the way Linus Torvalds has announced his interpretation of how \(lqderived works\(rq -applies to Linux kernel modules\. Our interpretation refers only to Nmap \- we don\'t speak for any other GPL products\. +applies to Linux kernel modules\. Our interpretation refers only to Nmap\(emwe don\'t speak for any other GPL products\. .PP If you have any questions about the GPL licensing restrictions on using Nmap in non\-GPL works, we would be happy to help\. As mentioned above, we also offer alternative license to integrate Nmap into proprietary applications and appliances\. These contracts have been sold to many security vendors, and generally include a perpetual license as well as providing for priority support and updates as well as helping to fund the continued development of Nmap technology\. Please email for further information\. .PP + As a special exception to the GPL terms, Insecure\.Com LLC grants permission to link the code of this program with any version of the OpenSSL library which is distributed under a license identical to that listed in the included Copying\.OpenSSL file, and distribute linked combinations including the two\. You must obey the GNU GPL in all respects for all of the code used other than OpenSSL\. If you modify this file, you may extend this exception to your version of the file, but you are not obligated to do so\. .PP If you received these files with a written license agreement or contract stating terms other than the terms above, then that alternative license agreement takes precedence over these comments\. @@ -1958,7 +1960,7 @@ RFC 959 \%http://www.rfc-editor.org/rfc/rfc959.txt .RE .IP " 6." 4 -lua +Lua .RS 4 \%http://lua.org .RE diff --git a/docs/nmap.dtd b/docs/nmap.dtd index 4fadba112..0420cf3c7 100644 --- a/docs/nmap.dtd +++ b/docs/nmap.dtd 
@@ -21,7 +21,7 @@ specify "one each of this list of elements, in any order". If there is a construct similar to SGML's '&' operator, please let me know. - Portions Copyright (c) 2001-2005 Insecure.Com LLC + Portions Copyright (c) 2001-2007 Insecure.Com LLC Portions Copyright (c) 2001 by Cisco systems, Inc. Permission to use, copy, modify, and distribute modified and diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt index f8db369f3..5ed26bb0f 100644 --- a/docs/nmap.usage.txt +++ b/docs/nmap.usage.txt @@ -41,7 +41,7 @@ SERVICE/VERSION DETECTION: --version-trace: Show detailed version scan activity (for debugging) SCRIPT SCAN: -sC: equivalent to --script=safe,intrusive - --script=: is a comma separated list of + --script=: is a comma separated list of directories, script-files or script-categories --script-args=: provide arguments to scripts --script-trace: Show all data sent and received diff --git a/docs/refguide.xml b/docs/refguide.xml index c4a83713f..19085f8aa 100644 --- a/docs/refguide.xml +++ b/docs/refguide.xml @@ -306,10 +306,10 @@ you would expect. If no host discovery options are given, Nmap sends a TCP ACK - packet destined for port 80 and an ICMP Echo Request query + packet destined for port 80 and an ICMP echo request query to each target machine. An exception to this is that an ARP scan is used for any targets which are on a local ethernet network. - For unprivileged UNIX shell users, a SYN packet is sent + For unprivileged Unix shell users, a SYN packet is sent instead of the ack using the connect() system call. These defaults are equivalent to the options. This host discovery is @@ -374,7 +374,7 @@ you would expect. This option tells Nmap to only -sP - Ping scan + ping scan perform a ping scan (host discovery), then print out the available hosts that responded to the scan. No further testing (such as port scanning or OS detection) is performed. This is one 
@@ -473,7 +473,7 @@ you would expect. Either the RST or SYN/ACK response discussed previously tell Nmap that the host is available and responsive. - On UNIX boxes, only the privileged user + On Unix boxes, only the privileged user root is generally able to send and receive raw TCP packets. For unprivileged users, a workaround is automatically employed whereby the connect() @@ -607,7 +607,7 @@ you would expect. packets sent by the ubiquitous ping program. Nmap sends an ICMP type 8 (echo request) packet to the target IP addresses, - expecting a type 0 (Echo Reply) in return from available + expecting a type 0 (echo reply) in return from available hosts. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by -Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans (-sT) and idle scans (-sI). All traces use nmap's dynamic timing model and are performed in parallel. +Traceroutes are performed post-scan using information from the scan results to determine the port and protocol most likely to reach the target. It works with all scan types except connect scans (-sT) and idle scans (-sI). All traces use Nmap's dynamic timing model and are performed in parallel. @@ -766,8 +766,8 @@ Shows the reason each port is set to a specific state and the reason each host i By default Nmap will try to determine your DNS servers - (for rDNS resolution) from your resolv.conf file (UNIX) or - the registry (Win32). Alternatively, you may use this + (for rDNS resolution) from your resolv.conf file (Unix) or + the Registry (Win32). Alternatively, you may use this option to specify alternate servers. This option is not honored if you are using or an IPv6 scan. Using multiple DNS servers is often faster, 
@@ -868,14 +868,14 @@ options from across the Internet might show that port as filtered closed|filtered This state is used when Nmap is unable to determine whether a port is closed or filtered. It is only used for the IPID - Idle scan. + idle scan. @@ -898,14 +898,14 @@ have to pay thousands of dollars for it. Most of the scan types are only available to privileged users. This is because they send and receive raw packets, which requires root -access on UNIX systems. Using an administrator account on Windows is +access on Unix systems. Using an administrator account on Windows is recommended, though Nmap sometimes works for unprivileged users on that platform when WinPcap has already been loaded into the OS. Requiring root privileges was a serious limitation when Nmap was released in 1997, as many users only had access to shared shell accounts. Now, the world is different. Computers are cheaper, far more people have -always-on direct Internet access, and desktop UNIX systems (including -Linux and MAC OS X) are prevalent. A Windows version of Nmap is now +always-on direct Internet access, and desktop Unix systems (including +Linux and Mac OS X) are prevalent. A Windows version of Nmap is now available, allowing it to run on even more desktops. For all these reasons, users have less need to run Nmap from limited shared shell accounts. This is fortunate, as the privileged options make Nmap far more @@ -916,7 +916,7 @@ that all of its insights are based on packets returned by the target machines (or firewalls in front of them). Such hosts may be untrustworthy and send responses intended to confuse or mislead Nmap. Much more common are non-RFC-compliant hosts that do not respond as -they should to Nmap probes. FIN, Null, and Xmas scans are +they should to Nmap probes. FIN, null, and Xmas scans are particularly susceptible to this problem. Such issues are specific to certain scan types and so are discussed in the individual scan type entries. 
@@ -931,8 +931,8 @@ name, usually the first. The one exception to this is the deprecated FTP bounce scan (). By default, Nmap performs a SYN Scan, though it substitutes a connect scan if the user does not have proper privileges to send raw packets (requires root access on -UNIX) or if IPv6 targets were specified. Of the scans listed in this -section, unprivileged users can only execute connect and ftp bounce +Unix) or if IPv6 targets were specified. Of the scans listed in this +section, unprivileged users can only execute connect and FTP bounce scans. @@ -950,7 +950,7 @@ second on a fast network not hampered by intrusive firewalls. SYN scan is relatively unobtrusive and stealthy, since it never completes TCP connections. It also works against any compliant TCP stack rather than depending on idiosyncrasies of specific platforms as Nmap's -Fin/Null/Xmas, Maimon and Idle scans do. It also allows clear, +FIN/null/Xmas, Maimon and idle scans do. It also allows clear, reliable differentiation between the open, closed, and filtered states. @@ -995,7 +995,7 @@ half-open reset that SYN scan does. Not only does this take longer and require more packets to obtain the same information, but target machines are more likely to log the connection. A decent IDS will catch either, but most machines have no such alarm system. Many -services on your average UNIX system will add a note to syslog, and +services on your average Unix system will add a note to syslog, and sometimes a cryptic error message, when Nmap connects and then closes the connection without sending data. Truly pathetic services crash when this happens, though that is uncommon. An administrator who sees @@ -1069,7 +1069,7 @@ hosts. -sN -sF -sX -NULL scan +null scan FIN scan Xmas scan @@ -1096,7 +1096,7 @@ scan types: Null scan () - Does not set any bits (tcp flag header is 0) + Does not set any bits (TCP flag header is 0) FIN scan () Sets just the TCP FIN bit. 
@@ -1123,7 +1123,7 @@ number of systems send RST responses to the probes regardless of whether the port is open or not. This causes all of the ports to be labeled closed. Major operating systems that do this are Microsoft Windows, many Cisco devices, BSDI, and IBM OS/400. -This scan does work against most UNIX-based systems though. Another +This scan does work against most Unix-based systems though. Another downside of these scans is that they can't distinguish open ports from certain filtered ones, leaving you with the response open|filtered. @@ -1203,7 +1203,7 @@ ports, then those three may very well be the truly open ones. The Maimon scan is named after its discoverer, Uriel Maimon. He described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. -This technique is exactly the same as Null, FIN, and Xmas scans, except +This technique is exactly the same as null, FIN, and Xmas scans, except that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems @@ -1250,9 +1250,9 @@ used. (Idlescan) + host[:probeport]> (idle scan) -sI - Idle scan + idle scan @@ -1281,7 +1281,7 @@ used. You can add a colon followed by a port number to the zombie host if you wish to probe a particular port on the zombie for IPID changes. Otherwise Nmap will use the port it - uses by default for tcp pings (80). + uses by default for TCP pings (80). @@ -1294,7 +1294,7 @@ used. -IP Protocol scan allows you to determine which IP protocols +IP protocol scan allows you to determine which IP protocols (TCP, ICMP, IGMP, etc.) are supported by target machines. This isn't technically a port scan, since it cycles through IP protocol numbers rather than TCP or UDP port numbers. Yet it still uses the 
@@ -1340,7 +1340,7 @@ after retransmissions, the protocol is marked - (FTP bounce scan) + (FTP bounce scan) -b FTP bounce scan @@ -1348,7 +1348,7 @@ after retransmissions, the protocol is marked An interesting feature of the FTP protocol (RFC 959) is -support for so-called proxy ftp connections. This allows a user to +support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, so most servers have ceased supporting it. One of the abuses this @@ -1357,7 +1357,7 @@ Simply ask the FTP server to send a file to each interesting port of a target host in turn. The error message will describe whether the port is open or not. This is a good way to bypass firewalls because organizational FTP servers are often placed where they have -more access to other internal hosts than any old Internet host would. Nmap supports ftp +more access to other internal hosts than any old Internet host would. Nmap supports FTP bounce scan with the option. It takes an argument of the form username:password@server:port. @@ -1374,7 +1374,7 @@ well, in which case the default FTP port (21) on released, but has largely been fixed. Vulnerable servers are still around, so it is worth trying when all else fails. If bypassing a firewall is your goal, scan the target network for open port 21 (or -even for any ftp services if you scan all ports with version +even for any FTP services if you scan all ports with version detection), then try a bounce scan using each. Nmap will tell you whether the host is vulnerable or not. If you are just trying to cover your tracks, you don't need to (and, in fact, shouldn't) limit 
@@ -1431,7 +1431,7 @@ way. wildcardPorts can also be specified by name according to what the port is referred to in the nmap-services. You can even use the wildcards * and ? with the names. For example, to scan - ftp and all ports whose names begin with http, use . + FTP and all ports whose names begin with http, use . Be careful about shell expansions and quote the argument to -p if unsure. Ranges of ports can be surrounded by square brackets to indicate @@ -1489,14 +1489,14 @@ way. that ports 25/tcp, 80/tcp, and 53/udp are open. Using its nmap-services database of about 2,200 well-known services, Nmap would report that those ports probably correspond to a - mail server (smtp), web server (http), and name server (DNS) + mail server (SMTP), web server (HTTP), and name server (DNS) respectively. This lookup is usually accurate—the vast majority of daemons listening on TCP port 25 are, in fact, mail servers. However, you should not bet your security on this! People can and do run services on strange ports. Even if Nmap is right, and the hypothetical server above is - running smtp, http, and dns servers, that is not a lot of + running SMTP, HTTP, and DNS servers, that is not a lot of information. When doing vulnerability assessments (or even simple network inventories) of your companies or clients, you really want to know which mail and DNS servers and versions are @@ -1511,7 +1511,7 @@ way. nmap-service-probes database contains probes for querying various services and match expressions to recognize and parse responses. Nmap tries to determine the service protocol - (e.g. ftp, ssh, telnet, http), the application name (e.g. ISC + (e.g. FTP, SSH, telnet, http), the application name (e.g. ISC Bind, Apache httpd, Solaris telnetd), the version number, hostname, device type (e.g. printer, router), the OS family (e.g. Windows, Linux) and sometimes miscellaneous details like 
@@ -1540,7 +1540,7 @@ way. on the port. Please take a couple minutes to make the submission so that your find can benefit everyone. Thanks to these submissions, Nmap has about 3,000 pattern matches for more than - 350 protocols such as smtp, ftp, http, etc. + 350 protocols such as SMTP, FTP, HTTP, etc. Version detection is enabled and controlled with the following options: @@ -1715,8 +1715,8 @@ way. fluctuate. It is generally better to use the English classification such as worthy challenge or trivial joke. This is only reported in normal output in verbose () - mode. When verbose mode is enabled along with , IPID Sequence - Generation is also reported. Most machines are in the + mode. When verbose mode is enabled along with , IPID sequence + generation is also reported. Most machines are in the incremental class, which means that they increment the ID field in the IP header for each packet they send. This makes them vulnerable to several advanced information gathering and @@ -1865,7 +1865,7 @@ way. to): - Enhanced Version-detection (category + Enhanced version detection (category version)—While Nmap already offers its Service and Version detection system, which is unmatched in terms of efficiency and scope, this power has its downside when it comes to services requiring more 
@@ -1923,9 +1923,9 @@ way. (called a hostrule or portrule respectively) and an action to be carried out if the test returns true. Scripts have access to most information gathered by Nmap - during earlier stages. For each host this includes the ip, hostname and (if + during earlier stages. For each host this includes the IP address, hostname and (if available) operating system. If a script is targeted at a port it has access - to the portnumber, the protocol (tcp, udp or ssl), the service running + to the portnumber, the protocol (tcp, udp or ssl), the service running behind that port, and optionally information from a version-scan. NSE-scripts have by convention a .nse-extension. Although you are not required to follow this for the moment, this may change in the @@ -2180,7 +2180,7 @@ more likely to get through a firewall. Look at the maximum round trip time out of ten packets or so. You might want to double that for the and triple or quadruple it for the . I generally do not set the -maximum rtt below 100ms, no matter what the ping times are. Nor do I +maximum RTT below 100ms, no matter what the ping times are. Nor do I exceed 1000ms. is a rarely used option that @@ -2321,7 +2321,7 @@ worth the extra time. + <paranoid|sneaky|polite|normal|aggressive|insane> (Set a timing template) --T @@ -2340,7 +2340,7 @@ evasion. Polite mode slows down the scan to use less bandwidth and target machine resources. Normal mode is the default and so does nothing. Aggressive mode speeds scans up by making the assumption that you are on a reasonably fast and reliable -network. Finally Insane mode assumes that you are on an +network. Finally insane mode assumes that you are on an extraordinarily fast network or are willing to sacrifice some accuracy for speed. 
@@ -2364,7 +2364,7 @@ recommend always using . Some people love sometimes specify because they think it is less likely to crash hosts or because they consider themselves to be polite in general. They often don't realize just how slow really is. Their scan may take ten times longer than a +polite really is. Their scan may take ten times longer than a default scan. Machine crashes and bandwidth problems are rare with the default timing options () and so I normally @@ -2424,7 +2424,7 @@ It even supports mechanisms for bypassing poorly implemented defenses. One of the best methods of understanding your network security posture is to try to defeat it. Place yourself in the mindset of an attacker, and deploy techniques from this section -against your networks. Launch an FTP bounce scan, Idle scan, +against your networks. Launch an FTP bounce scan, idle scan, fragmentation attack, or try to tunnel through one of your own proxies. @@ -2495,7 +2495,7 @@ lists the relevant options and describes what they do. networks. Some source systems defragment outgoing packets in the kernel. Linux with the iptables connection tracking module is one such - example. Do a scan while a sniffer such as Ethereal + example. Do a scan while a sniffer such as Wireshark is running to ensure that sent packets are fragmented. If your host OS is causing problems, try the option to bypass the IP layer and send raw ethernet frames. @@ -2523,7 +2523,7 @@ lists the relevant options and describes what they do. represent the position for your real IP address. If you put ME in the 6th position or later, some common port scan detectors (such as Solar Designer's - excellent scanlogd) are unlikely to show your IP address at + excellent Scanlogd) are unlikely to show your IP address at all. If you don't use ME, nmap will put you in a random position. You can also use RND to generate a random, non-reserved IP address, or RND:<number> to 
@@ -2612,7 +2612,7 @@ to transfer the requested file. Secure solutions to these problems exist, often in the form of application-level proxies or protocol-parsing firewall modules. Unfortunately there are also easier, insecure solutions. Noting that -DNS replies come from port 53 and active ftp from port 20, many admins +DNS replies come from port 53 and active FTP from port 20, many admins have fallen into the trap of simply allowing incoming traffic from those ports. They often assume that no attacker would notice and exploit such firewall holes. In other cases, admins consider this a @@ -2741,7 +2741,7 @@ support the option completely, as does UDP scan. - (Spoof MAC address) --spoof-mac @@ -2862,7 +2862,7 @@ described below. Nmap Output Formats - (Normal output) + (normal output) -oN @@ -2932,7 +2932,7 @@ described below. - (Grepable output) + (grepable output) -oG @@ -2947,9 +2947,9 @@ output for lack of a place to put them. Nevertheless, grepable output is still quite popular. It is a simple format that lists each host on one line and can be trivially -searched and parsed with standard UNIX tools such as grep, awk, cut, +searched and parsed with standard Unix tools such as grep, awk, cut, sed, diff, and Perl. Even I usually use it for one-off tests done at the -command line. Finding all the hosts with the ssh port open or that +command line. Finding all the hosts with the SSH port open or that are running Solaris takes only a simple grep to identify the hosts, piped to an awk or cut command to print the desired fields. @@ -2991,7 +2991,7 @@ url="http://www.unspecific.com/nmap-oG-output" />. basename.gnmap, respectively. As with most programs, you can prefix the filenames with a directory path, such as - ~/nmaplogs/foocorp/ on UNIX or + ~/nmaplogs/foocorp/ on Unix or c:\hacking\sco on Windows. 
@@ -3131,7 +3131,7 @@ overwhelming requests. Specify to only see messages use a different system that does not yet support this option. An alternative to using this option is redirecting interactive output (including the standard error - stream) to a file. While most UNIX shells make that + stream) to a file. While most Unix shells make that approach easy, it can be difficult on Windows. @@ -3305,7 +3305,7 @@ overwhelming requests. Specify to only see This option enables additional advanced and aggressive options. I haven't decided exactly which it - stands for yet. Presently this enables OS Detection + stands for yet. Presently this enables OS detection (), version scanning (), script scanning () and traceroute (). More features may be @@ -3389,10 +3389,10 @@ overwhelming requests. Specify to only see link) layer rather than the higher IP (network) layer. By default, Nmap chooses the one which is generally best for the platform it is running on. Raw sockets (IP layer) are - generally most efficient for UNIX machines, while ethernet + generally most efficient for Unix machines, while ethernet frames are required for Windows operation since Microsoft disabled raw socket support. Nmap still uses raw IP packets - on UNIX despite this option when there is no other choice + on Unix despite this option when there is no other choice (such as non-ethernet connections). @@ -3422,7 +3422,7 @@ overwhelming requests. Specify to only see Tells Nmap to simply assume that it is privileged enough to perform raw socket sends, packet sniffing, and similar operations that usually require root privileges on - UNIX systems. By default Nmap quits if such operations are + Unix systems. By default Nmap quits if such operations are requested but geteuid() is not zero. is useful with Linux kernel capabilities and similar systems that may be @@ -3542,7 +3542,7 @@ overwhelming requests. Specify to only see / - Increase / Decrease the Verbosity + Increase / decrease the verbosity level 
@@ -3550,7 +3550,7 @@ overwhelming requests. Specify to only see / - Increase / Decrease the Debugging Level + Increase / decrease the debugging Level @@ -3558,7 +3558,7 @@ overwhelming requests. Specify to only see / - Turn on / off Packet Tracing + Turn on / off packet tracing @@ -3630,10 +3630,10 @@ overwhelming requests. Specify to only see Launches host enumeration and a TCP scan at the first half of each of the 255 possible 8 bit subnets in the 198.116 class B - address space. This tests whether the systems run sshd, DNS, - pop3d, imapd, or port 4564. For any of these ports found open, - version detection is used to determine what application is - running. + address space. This tests whether the systems run SSH, DNS, POP3, + or IMAP on their standard ports, or anything on port 4564. For any + of these ports found open, version detection is used to determine + what application is running. nmap -v -iR 100000 -P0 -p 80 @@ -3664,7 +3664,7 @@ overwhelming requests. Specify to only see url="http://insecure.org/nmap/"/>. If the problem persists, do some research to determine whether it has already been discovered and addressed. Try Googling the error message or - browsing the Nmap-dev archives at . Read this full munual page as well. If nothing comes of this, mail a bug report to nmap-dev@insecure.org. Please include everything diff --git a/idle_scan.cc b/idle_scan.cc index 437ca7075..60555e3b2 100644 --- a/idle_scan.cc +++ b/idle_scan.cc @@ -337,7 +337,7 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName, proxy->host.setHostName(name); if (resolve(name, &ss, &sslen, o.pf()) == 0) { - fatal("Could not resolve idlescan zombie host: %s", name); + fatal("Could not resolve idle scan zombie host: %s", name); } proxy->host.setTargetSockAddr(&ss, sslen); 
@@ -489,7 +489,7 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName, } if (probes_returned == 0) - fatal("Idlescan zombie %s (%s) port %hu cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.", + fatal("Idle scan zombie %s (%s) port %hu cannot be used because it has not returned any of our probes -- perhaps it is down or firewalled.", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port); @@ -497,10 +497,10 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName, switch(proxy->seqclass) { case IPID_SEQ_INCR: case IPID_SEQ_BROKEN_INCR: - log_write(LOG_PLAIN, "Idlescan using zombie %s (%s:%hu); Class: %s\n", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port, ipidclass2ascii(proxy->seqclass)); + log_write(LOG_PLAIN, "Idle scan using zombie %s (%s:%hu); Class: %s\n", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port, ipidclass2ascii(proxy->seqclass)); break; default: - fatal("Idlescan zombie %s (%s) port %hu cannot be used because IPID sequencability class is: %s. Try another proxy.", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port, ipidclass2ascii(proxy->seqclass)); + fatal("Idle scan zombie %s (%s) port %hu cannot be used because IPID sequencability class is: %s. Try another proxy.", proxy->host.HostName(), proxy->host.targetipstr(), proxy->probe_port, ipidclass2ascii(proxy->seqclass)); } proxy->latestid = ipids[probes_returned - 1]; 
@@ -509,7 +509,7 @@ static void initialize_idleproxy(struct idle_proxy_info *proxy, char *proxyName, if (probes_returned < NUM_IPID_PROBES) { /* Yikes! We're already losing packets ... clamp down a bit ... */ if (o.debugging) - error("idlescan initial zombie qualification test: %d probes sent, only %d returned", NUM_IPID_PROBES, probes_returned); + error("Idle scan initial zombie qualification test: %d probes sent, only %d returned", NUM_IPID_PROBES, probes_returned); proxy->current_groupsz = MIN(12, proxy->max_groupsz); proxy->current_groupsz = MAX(proxy->current_groupsz, proxy->min_groupsz); proxy->senddelay += 5000; @@ -605,7 +605,7 @@ static void adjust_idle_timing(struct idle_proxy_info *proxy, if (!notidlewarning && o.verbose) { notidlewarning = 1; - error("WARNING: Idlescan has erroneously detected phantom ports -- is the proxy %s (%s) really idle?", proxy->host.HostName(), proxy->host.targetipstr()); + error("WARNING: idle scan has erroneously detected phantom ports -- is the proxy %s (%s) really idle?", proxy->host.HostName(), proxy->host.targetipstr()); } } else { /* W00p We got a perfect match. That means we get a slight increase @@ -622,10 +622,10 @@ static void adjust_idle_timing(struct idle_proxy_info *proxy, } -/* OK, now this is the hardcore idlescan function which actually does +/* OK, now this is the hardcore idle scan function which actually does the testing (most of the other cruft in this file is just coordination, preparation, etc). This function simply uses the - Idlescan technique to try and count the number of open ports in the + idle scan technique to try and count the number of open ports in the given port array. The sent_time and rcv_time are filled in with the times that the probe packet & response were sent/received. They can be NULL if you don't want to use them. The purpose is for 
@@ -722,7 +722,7 @@ static int idlescan_countopen2(struct idle_proxy_info *proxy, if (tries == 0 && sleeptime < 500) sleeptime = 500; - if (o.debugging > 1) error("In preparation for idlescan probe try #%d, sleeping for %d usecs", tries, sleeptime); + if (o.debugging > 1) error("In preparation for idle scan probe try #%d, sleeping for %d usecs", tries, sleeptime); if (sleeptime > 0) usleep(sleeptime); @@ -786,7 +786,7 @@ static int idlescan_countopen2(struct idle_proxy_info *proxy, -/* The job of this function is to use the Idlescan technique to count +/* The job of this function is to use the idle scan technique to count the number of open ports in the given list. Under the covers, this function just farms out the hard work to another function */ static int idlescan_countopen(struct idle_proxy_info *proxy, @@ -818,7 +818,7 @@ static int idlescan_countopen(struct idle_proxy_info *proxy, if (openports < 0 || openports > numports ) { /* Oh f*ck!!!! */ - fatal("Idlescan is unable to obtain meaningful results from proxy %s (%s). I'm sorry it didn't work out.", proxy->host.HostName(), + fatal("Idle scan is unable to obtain meaningful results from proxy %s (%s). I'm sorry it didn't work out.", proxy->host.HostName(), proxy->host.targetipstr()); } @@ -827,7 +827,7 @@ static int idlescan_countopen(struct idle_proxy_info *proxy, return openports; } -/* Recursively Idlescans scans a group of ports using a depth-first +/* Recursively idle scans scans a group of ports using a depth-first divide-and-conquer strategy to find the open one(s) */ static int idle_treescan(struct idle_proxy_info *proxy, Target *target, 
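Review bot: The comment rewritten in the @@ -827 hunk still carries the doubled word from the old text, `Recursively idle scans scans a group of ports`; since the line is touched anyway, make it `/* Recursively idle-scans a group of ports using a depth-first`. idle_treescan's signature starts at the end of that hunk and its body lies outside it.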
@@ -844,7 +844,7 @@ static int idle_treescan(struct idle_proxy_info *proxy, Target *target, if (o.debugging > 1) { error("%s: Called against %s with %d ports, starting with %hu. expectedopen: %d", __func__, target->targetipstr(), numports, ports[0], expectedopen); - error("IDLESCAN TIMING: grpsz: %.3f delay: %d srtt: %d rttvar: %d\n", + error("IDLE SCAN TIMING: grpsz: %.3f delay: %d srtt: %d rttvar: %d\n", proxy->current_groupsz, proxy->senddelay, target->to.srtt, target->to.rttvar); } @@ -978,11 +978,11 @@ void idle_scan(Target *target, u16 *portarray, int numports, int portsleft; time_t starttime; char scanname[32]; - Snprintf(scanname, sizeof(scanname), "Idlescan against %s", target->NameIP()); + Snprintf(scanname, sizeof(scanname), "idle scan against %s", target->NameIP()); ScanProgressMeter SPM(scanname); if (numports == 0) return; /* nothing to scan for */ - if (!proxyName) fatal("Idlescan requires a proxy host"); + if (!proxyName) fatal("idle scan requires a proxy host"); if (*lastproxy && strcmp(proxyName, lastproxy)) fatal("%s: You are not allowed to change proxies midstream. Sorry", __func__); diff --git a/nmap.cc b/nmap.cc index 79c8f7644..c93961acb 100644 --- a/nmap.cc +++ b/nmap.cc @@ -235,9 +235,9 @@ printf("%s %s ( %s )\n" " -sU: UDP Scan\n" " -sN/sF/sX: TCP Null, FIN, and Xmas scans\n" " --scanflags : Customize TCP scan flags\n" - " -sI : Idlescan\n" + " -sI : Idle scan\n" " -sO: IP protocol scan\n" - " -b : FTP bounce scan\n" + " -b : FTP bounce scan\n" " --traceroute: Trace hop path to each host\n" " --reason: Display the reason a port is in a particular state\n" "PORT SPECIFICATION AND SCAN ORDER:\n" 
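Review bot: The @@ -978 hunk starts two sentence-initial messages in lower case, `"idle scan against %s"` and `fatal("idle scan requires a proxy host")`, while the nmap.cc usage hunk on this same line prints `-sI : Idle scan` and the earlier zombie diagnostics read `Idle scan zombie ...`; `"Idle scan against %s"` and `fatal("Idle scan requires a proxy host");` keep the wording consistent across the commit. Separately, `char scanname[32]` leaves only 13 bytes for the `NameIP()` text after the 18-character prefix, so the progress-meter label is presumably truncated for longer hostnames; worth confirming Snprintf truncates rather than aborts there. idle_scan's body continues outside the hunk.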
@@ -469,7 +469,7 @@ int nmap_main(int argc, char *argv[]) { short randomize=1; short quashargv = 0; char **host_exp_group; - char *idleProxy = NULL; /* The idle host used to "Proxy" an Idlescan */ + char *idleProxy = NULL; /* The idle host used to "Proxy" an idle scan */ int num_host_exp_groups; char *machinefilename = NULL, *kiddiefilename = NULL, *normalfilename = NULL, *xmlfilename = NULL; @@ -1390,17 +1390,17 @@ int nmap_main(int argc, char *argv[]) { } - /* If he wants to bounce off of an ftp site, that site better damn well be reachable! */ + /* If he wants to bounce off of an FTP site, that site better damn well be reachable! */ if (o.bouncescan) { if (!inet_pton(AF_INET, ftp.server_name, &ftp.server)) { if ((target = gethostbyname(ftp.server_name))) memcpy(&ftp.server, target->h_addr_list[0], 4); else { - fatal("Failed to resolve ftp bounce proxy hostname/IP: %s", + fatal("Failed to resolve FTP bounce proxy hostname/IP: %s", ftp.server_name); } } else if (o.verbose) - log_write(LOG_STDOUT, "Resolved ftp bounce attack proxy to %s (%s).\n", + log_write(LOG_STDOUT, "Resolved FTP bounce attack proxy to %s (%s).\n", ftp.server_name, inet_ntoa(ftp.server)); } fflush(stdout); @@ -2400,7 +2400,7 @@ char *scantype2str(stype scantype) { case FIN_SCAN: return "FIN Scan"; break; case XMAS_SCAN: return "XMAS Scan"; break; case UDP_SCAN: return "UDP Scan"; break; - case CONNECT_SCAN: return "Connect() Scan"; break; + case CONNECT_SCAN: return "Connect Scan"; break; case NULL_SCAN: return "NULL Scan"; break; case WINDOW_SCAN: return "Window Scan"; break; case RPC_SCAN: return "RPCGrind Scan"; break; 
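Review bot: In the @@ -1390 hunk the bounce-proxy lookup copies four bytes from `target->h_addr_list[0]` without checking `h_addrtype` or `h_length`, so it assumes an IPv4 answer, and it bypasses the resolver the idle-scan proxy setup uses (`resolve(name, &ss, &sslen, o.pf())` in the idle_scan.cc hunk above). Routing the FTP relay name through that same helper, or at least guarding with `if (target->h_addrtype != AF_INET || target->h_length != 4) fatal("Unexpected address type for FTP bounce proxy %s", ftp.server_name);`, would make the two proxy paths behave alike. nmap_main's body lies almost entirely outside the hunk.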
@@ -2426,7 +2426,7 @@ char *statenum2str(int state) { switch(state) { case PORT_OPEN: return "open"; break; case PORT_FILTERED: return "filtered"; break; - case PORT_UNFILTERED: return "UNfiltered"; break; + case PORT_UNFILTERED: return "unfiltered"; break; case PORT_CLOSED: return "closed"; break; case PORT_OPENFILTERED: return "open|filtered"; break; case PORT_CLOSEDFILTERED: return "closed|filtered"; break; @@ -2456,7 +2456,7 @@ int ftp_anon_connect(struct ftpinfo *ftp) { sock.sin_port = htons(ftp->port); res = connect(sd, (struct sockaddr *) &sock, sizeof(struct sockaddr_in)); if (res < 0 ) { - fatal("Your ftp bounce proxy server won't talk to us!"); + fatal("Your FTP bounce proxy server won't talk to us!"); } if (o.verbose || o.debugging) log_write(LOG_STDOUT, "Connected:"); while ((res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1,7, NULL)) > 0) @@ -2465,7 +2465,7 @@ int ftp_anon_connect(struct ftpinfo *ftp) { log_write(LOG_STDOUT, "%s", recvbuf); } if (res < 0) { - pfatal("recv problem from ftp bounce server"); + pfatal("recv problem from FTP bounce server"); } Snprintf(command, 511, "USER %s\r\n", ftp->user); @@ -2473,12 +2473,12 @@ int ftp_anon_connect(struct ftpinfo *ftp) { send(sd, command, strlen(command), 0); res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1,12, NULL); if (res <= 0) { - pfatal("recv problem from ftp bounce server"); + pfatal("recv problem from FTP bounce server"); } recvbuf[res] = '\0'; if (o.debugging) log_write(LOG_STDOUT, "sent username, received: %s", recvbuf); if (recvbuf[0] == '5') { - fatal("Your ftp bounce server doesn't like the username \"%s\"", ftp->user); + fatal("Your FTP bounce server doesn't like the username \"%s\"", ftp->user); } Snprintf(command, 511, "PASS %s\r\n", ftp->pass); 
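Review bot: The @@ -2426 hunk changes a user-visible state token, `"UNfiltered"` to `"unfiltered"`, and statenum2str presumably feeds the normal and grepable output, so any external parser or script that matches the old spelling silently stops recognising that state. The change itself is right, the lowercase form matching the other states in the switch, but it deserves a changelog line and a check that the XML output's state values are produced from the same place.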
@@ -2486,14 +2486,14 @@ int ftp_anon_connect(struct ftpinfo *ftp) { send(sd, command, strlen(command), 0); res = recvtime(sd, recvbuf, sizeof(recvbuf) - 1,12, NULL); if (res < 0) { - pfatal("recv problem from ftp bounce server"); + pfatal("recv problem from FTP bounce server"); } if (!res) error("Timeout from bounce server ..."); else { recvbuf[res] = '\0'; if (o.debugging) log_write(LOG_STDOUT, "sent password, received: %s", recvbuf); if (recvbuf[0] == '5') { - fatal("Your ftp bounce server refused login combo (%s/%s)", + fatal("Your FTP bounce server refused login combo (%s/%s)", ftp->user, ftp->pass); } } @@ -2503,9 +2503,9 @@ int ftp_anon_connect(struct ftpinfo *ftp) { log_write(LOG_STDOUT, "%s", recvbuf); } if (res < 0) { - pfatal("recv problem from ftp bounce server"); + pfatal("recv problem from FTP bounce server"); } - if (o.verbose) log_write(LOG_STDOUT, "Login credentials accepted by ftp server!\n"); + if (o.verbose) log_write(LOG_STDOUT, "Login credentials accepted by FTP server!\n"); ftp->sd = sd; return sd; diff --git a/scan_engine.cc b/scan_engine.cc index c1782bd6e..c0bc3e60c 100644 --- a/scan_engine.cc +++ b/scan_engine.cc @@ -4618,7 +4618,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports, if (o.verbose || o.debugging) { struct tm *tm = localtime(&starttime); assert(tm); - log_write(LOG_STDOUT, "Initiating TCP ftp bounce scan against %s at %02d:%02d\n", target->NameIP(hostname, sizeof(hostname)), tm->tm_hour, tm->tm_min ); + log_write(LOG_STDOUT, "Initiating TCP FTP bounce scan against %s at %02d:%02d\n", target->NameIP(hostname, sizeof(hostname)), tm->tm_hour, tm->tm_min ); } for(i=0; i < numports; i++) { 
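Review bot: The fatal message in the @@ -2486 hunk still interpolates the password, `fatal("Your FTP bounce server refused login combo (%s/%s)", ftp->user, ftp->pass);`, so a failed login writes the credential to stderr and to whatever log captures it; `fatal("Your FTP bounce server refused login for user \"%s\"", ftp->user);` carries the same diagnostic value. In the same hunk the return of `send(sd, command, strlen(command), 0)` is not checked, so a short or failed send only surfaces later as a recv problem. ftp_anon_connect continues outside the hunk.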
@@ -4635,7 +4635,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports, gh_perror("send in %s", __func__); if (retriesleft) { if (o.verbose || o.debugging) - log_write(LOG_STDOUT, "Our ftp proxy server hung up on us! retrying\n"); + log_write(LOG_STDOUT, "Our FTP proxy server hung up on us! retrying\n"); retriesleft--; close(sd); ftp->sd = ftp_anon_connect(ftp); @@ -4652,7 +4652,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports, } else { /* Our send is good */ res = recvtime(sd, recvbuf, 2048, 15, NULL); if (res <= 0) - perror("recv problem from ftp bounce server"); + perror("recv problem from FTP bounce server"); else { /* our recv is good */ recvbuf[res] = '\0'; @@ -4660,10 +4660,10 @@ void bounce_scan(Target *target, u16 *portarray, int numports, portarray[i], recvbuf); if (recvbuf[0] == '5') { if (portarray[i] > 1023) { - fatal("Your ftp bounce server sucks, it won't let us feed bogus ports!"); + fatal("Your FTP bounce server sucks, it won't let us feed bogus ports!"); } else { - error("Your ftp bounce server doesn't allow privileged ports, skipping them."); + error("Your FTP bounce server doesn't allow privileged ports, skipping them."); while(i < numports && portarray[i] < 1024) i++; if (!portarray[i]) { fatal("And you didn't want to scan any unpriviliged ports. Giving up."); @@ -4674,7 +4674,7 @@ void bounce_scan(Target *target, u16 *portarray, int numports, if (send(sd, "LIST\r\n", 6, 0) > 0 ) { res = recvtime(sd, recvbuf, 2048,12, &timedout); if (res < 0) { - perror("recv problem from ftp bounce server"); + perror("recv problem from FTP bounce server"); } else if (res == 0) { if (timedout) target->ports.addPort(portarray[i], IPPROTO_TCP, NULL, diff --git a/tcpip.cc b/tcpip.cc index 5aa281044..06d2b1ad3 100644 --- a/tcpip.cc +++ b/tcpip.cc 
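Review bot: In the @@ -4660 hunk, `while(i < numports && portarray[i] < 1024) i++;` can leave `i == numports`, after which `if (!portarray[i])` reads one element past the array unless the caller guarantees a trailing zero sentinel, which nothing in the hunk shows; `if (i >= numports)` tests the exhausted case without that read. The adjacent message also spells `unpriviliged`, which this wording pass could fix while it is here. bounce_scan's loop and body extend beyond the hunk.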
@@ -550,7 +550,7 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
 ping = (struct ppkt *) ((ip->ip_hl * 4) + (char *) ip);
 switch(ping->type) {
 case 0:
- strcpy(icmptype, "Echo reply"); break;
+ strcpy(icmptype, "echo reply"); break;
 case 3:
 ip2 = (struct ip *) ((char *) ip + (ip->ip_hl * 4) + 8);
 tcp = (struct tcp_hdr *) ((char *) ip2 + (ip2->ip_hl * 4));
@@ -625,7 +625,7 @@ static const char *ippackethdrinfo(const u8 *packet, u32 len) {
 else strcpy(icmptype, "unknown redirect"); break;
 case 8:
- strcpy(icmptype, "Echo request"); break;
+ strcpy(icmptype, "echo request"); break;
 case 11:
 if (ping->code == 0)
 strcpy(icmptype, "TTL=0 during transit");