
About to release Nmap 3.84ALPHA2 if all goes well

This commit is contained in:
fyodor
2005-09-07 08:26:45 +00:00
parent 9e78d26845
commit 59e4189e70
15 changed files with 3219 additions and 1234 deletions


@@ -1,5 +1,63 @@
# Nmap Changelog ($Id$)
o Fixed crash when Nmap is compiled using gcc 4.X by adding the
--fno-strict-aliasing option when that compiler is detected. Thanks
to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
this option fixes (hides) the problem and to Duilio J. Protti
(dprotti(a)flowgate.net) for writing the configure patch to detect
gcc 4 and add the option. A better fix is to identify and rewrite
lines that violate C99 alias rules, and we are looking into that.
o Applied an enormous nmap-service-probes (version detection) update
from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had
1064 match lines covering 195 service protocols. Now we have 2865
match lines covering 359 protocols! So the database size has nearly
tripled! This should make your -sV scans quicker and more
accurate. Thanks also go to the (literally) thousands of you who
submitted service fingerprints. Keep them coming!
o Added "rarity" feature to Nmap version detection. This causes
obscure probes to be skipped when they are unlikely to help. Each
probe now has a "rarity" value. Probes that detect dozens of
services such as GenericLines and GetRequest have rarity values of
1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
When interrogating a port, Nmap always tries probes registered to
that port number. So even WWWOFFLEctrlstat will be tried against
port 8081 and mydoom will be tried against open ports between 3127
and 3198. If none of the registered ports find a match, Nmap tries
probes that have a rarity less than or equal to its current
intensity level. The intensity level defaults to 7 (so that most of
the probes are done). You can set the intensity level with the new
--version_intensity option. Alternatively, you can just use
--version_light or --version_all which set the intensity to 2 (only
try the most important probes and ones registered to the port
number) and 9 (try all probes), respectively. --version_light is
much faster than default version detection, but also a bit less
likely to find a match. This feature was designed and implemented
by Doug Hoyte (doug(a)hcsw.org).
o Added a "fallback" feature to the nmap-service-probes database.
This allows a probe to "inherit" match lines from other probes. It
is currently only used for the HTTPOptions, RTSPRequest, and
SSLSessionReq probes to inherit all of the match lines from
GetRequest. Some servers don't respond to the Nmap GetRequest (for
example because it doesn't include a Host: line) but they do respond
to some of those other 3 probes in ways that GetRequest match lines
are general enough to match. The fallback construct allows us to
benefit from these matches without repeating hundreds of signatures
in the file. This is another feature designed and implemented
by Doug Hoyte (doug(a)hcsw.org).
o Fixed crash with certain --excludefile or
--exclude arguments. Thanks to Kurt Grutzmacher
(grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for
reporting the problem, and to Duilio J. Protti
(dprotti(a)flowgate.net) for debugging the issue and sending the
patch.
o Applied pach from Steve Martin (smartin(a)stillsecure.com) which
standardizes many OS names and corrects typos in nmap-os-fingerprints.
o Fixed a crash found during certain UDP version scans. The crash was
discovered and reported by Ron (iago(a)valhallalegends.com) and fixed
by Doug Hoyte (doug(a)hcsw.com).
@@ -76,9 +134,6 @@ o Applied a massive OS fingerprint update from Zhao Lei
broadband routers, printers, WAPs and pretty much any other device
you can coax an ethernet cable (or wireless card) into!
o Integrated hundreds of nmap-service-probes signatures from Doug
Hoyte (doug(a)hcsw.org)
o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
(mueller(a)kde.org) to nmap-service-probes. Also added AFS version
probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And


@@ -1,4 +1,4 @@
export NMAP_VERSION = 3.84ALPHA1
export NMAP_VERSION = 3.84ALPHA2
NMAP_NAME= nmap
NMAP_URL= http://www.insecure.org/nmap/
NMAP_PLATFORM=@host@


@@ -225,6 +225,7 @@ void NmapOps::Initialize() {
osscan = 0;
servicescan = 0;
override_excludeports = 0;
version_intensity = 7;
pingtype = PINGTYPE_UNKNOWN;
listscan = pingscan = allowall = ackscan = bouncescan = connectscan = 0;
rpcscan = nullscan = xmasscan = fragscan = synscan = windowscan = 0;
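Review bot: `version_intensity = 7;` hard-codes the default intensity as a bare literal, while the same scale is spelled out again as 2 and 9 for `--version_light` and `--version_all` in nmap.cc and as "defaults to 7" in the changelog; a named constant in nmap.h next to `MAXFALLBACKS` (for example a default-intensity define) referenced from here would keep the documented default and the code from drifting apart. NmapOps::Initialize continues outside the hunk.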


@@ -246,6 +246,7 @@ class NmapOps {
// Version Detection Options
int override_excludeports;
int version_intensity;
struct in_addr decoys[MAX_DECOYS];
int osscan_limit; /* Skip OS Scan if no open or no closed TCP ports */


@@ -305,8 +305,8 @@ int TargetGroup::parse_expr(const char * const target_expr, int af) {
* returns: number of hosts skipped */
int TargetGroup::skip_range(_octet_nums octet) {
unsigned long hosts_skipped = 0, /* number of hosts skipped */
oct = 0, /* octect number */
i; /* simple lcv */
oct = 0; /* octect number */
int i = 0; /* simple lcv */
/* This function is only supported for RANGES! */
if (targets_type != IPV4_RANGES)

configure vendored

@@ -2680,6 +2680,48 @@ echo "$as_me: error: Could not locate a C++ compiler. If it exists, add it to yo
{ (exit 1); exit 1; }; }
fi
nmap_gcc_mayor_version=0
echo "$as_me:$LINENO: checking whether the compiler is gcc 4 or greater" >&5
echo $ECHO_N "checking whether the compiler is gcc 4 or greater... $ECHO_C" >&6
if test x"$GXX" = xno; then
echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
else
# On some distros, there are snapshots available as gcc4
if test -z "$ac_cv_prog_CC" || test x"$CC" = xgcc4; then
our_gcc="$CC"
else
our_gcc="$ac_cv_prog_CC"
fi
# new mayor versions must be added here
case `$our_gcc --version | sed -e 's,\..*,.,' -e q` in
*4.)
nmap_gcc_mayor_version=4
;;
*3)
nmap_gcc_mayor_version=3
;;
*2)
nmap_gcc_mayor_version=2
;;
*1)
nmap_gcc_mayor_version=1
;;
esac
if test "$nmap_gcc_mayor_version" -ge 4; then
echo "$as_me:$LINENO: result: yes" >&5
echo "${ECHO_T}yes" >&6
else
echo "$as_me:$LINENO: result: no" >&5
echo "${ECHO_T}no" >&6
fi
fi
# Remember that all following tests will run with this CXXFLAGS by default
if test "$nmap_gcc_mayor_version" -ge 4; then
CXXFLAGS="$CXXFLAGS -fno-strict-aliasing"
fi


@@ -47,6 +47,44 @@ if test $CXXPROG = "MISSING"; then
AC_MSG_ERROR([Could not locate a C++ compiler. If it exists, add it to your PATH or give configure the CXX=path_to_compiler argument. Otherwise, install a C++ compiler such as g++ or install a binary package of Nmap (see http://www.insecure.org/nmap/nmap_download.html ))])
fi
nmap_gcc_mayor_version=0
AC_MSG_CHECKING([whether the compiler is gcc 4 or greater])
if test x"$GXX" = xno; then
AC_MSG_RESULT([no])
else
# On some distros, there are snapshots available as gcc4
if test -z "$ac_cv_prog_CC" || test x"$CC" = xgcc4; then
our_gcc="$CC"
else
our_gcc="$ac_cv_prog_CC"
fi
# new mayor versions must be added here
case `$our_gcc --version | sed -e 's,\..*,.,' -e q` in
*4.)
nmap_gcc_mayor_version=4
;;
*3)
nmap_gcc_mayor_version=3
;;
*2)
nmap_gcc_mayor_version=2
;;
*1)
nmap_gcc_mayor_version=1
;;
esac
if test "$nmap_gcc_mayor_version" -ge 4; then
AC_MSG_RESULT([yes])
else
AC_MSG_RESULT([no])
fi
fi
# Remember that all following tests will run with this CXXFLAGS by default
if test "$nmap_gcc_mayor_version" -ge 4; then
CXXFLAGS="$CXXFLAGS -fno-strict-aliasing"
fi
dnl AC_PROG_INSTALL
dnl AC_PATH_PROG(MAKEDEPEND, makedepend)
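Review bot: The `*3)`, `*2)` and `*1)` patterns in the `case` in the middle of the hunk can never match: the preceding `sed -e 's,\..*,.,'` leaves a trailing dot on the version string (for example `gcc (GCC) 3.`), which only the `*4.)` pattern accounts for, so every pre-4 compiler falls through with `nmap_gcc_mayor_version=0`. That is harmless today because only the `-ge 4` test is consumed, but the table is misleading, and a two-digit major such as `10.` would also miss `*4.)`; deriving the number directly with `$our_gcc -dumpversion | sed -e 's,\..*,,'` avoids both problems. The variable and comment spell the word `mayor` where `major` is meant. The same table appears in the generated configure section above, which should be regenerated from configure.ac rather than edited by hand.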



@@ -8619,6 +8619,21 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# HP9000 Model 804 K450 running HP-UX 11.00
# Mac OS9
Fingerprint Apple Mac OS 9, or HP-UX 11.00
Class HP | HP-UX | 11.X | general purpose
Class Apple | Mac OS | 9.X | general purpose
TSeq(Class=RI%gcd=<6%SI=<4F254&>C95)
T1(DF=N%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=70%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# HP-UX B.11.00
# HP-UX B.11.11
Fingerprint HP-UX 11
@@ -8719,21 +8734,6 @@ T6(DF=N|Y%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N|Y%W=0%ACK=S%Flags=AR%Ops=)
PU(DF=N|Y%TOS=0%IPLEN=70%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# HP9000 Model 804 K450 running HP-UX 11.00
# Mac OS9
Fingerprint Apple Mac OS 9, or HP-UX 11.00
Class HP | HP-UX | 11.X | general purpose
Class Apple | Mac OS | 9.X | general purpose
TSeq(Class=RI%gcd=<6%SI=<4F254&>C95)
T1(DF=N%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=N%W=8000%ACK=S++%Flags=AS%Ops=MEWNNNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=0%IPLEN=70%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# HP-UX 7.0 B 9000/375
Fingerprint HP-UX 7.0
Class HP | HP-UX | 7.X | general purpose
@@ -13844,19 +13844,6 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Windows 98SE, no service packs, on AMD Sempron 2.4 GHz
Fingerprint Microsoft Windows 98SE
Class Microsoft | Windows | 95/98/ME | general purpose
TSeq(Class=RI%gcd=<6%SI=<1AA4&>D%IPID=RPI%TS=U)
T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=M)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Fingerprint Microsoft Windows 98 SP1
Class Microsoft | Windows | 95/98/ME | general purpose
TSeq(Class=TD%gcd=<5%SI=<20)
@@ -13881,6 +13868,19 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Windows 98SE, no service packs, on AMD Sempron 2.4 GHz
Fingerprint Microsoft Windows 98SE
Class Microsoft | Windows | 95/98/ME | general purpose
TSeq(Class=RI%gcd=<6%SI=<1AA4&>D%IPID=RPI%TS=U)
T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=M)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=M)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows 98 4.10.2222.A
# "Windows 98SE, patched up to date" (1/25/03)
Fingerprint Microsoft Windows 98SE
@@ -15050,6 +15050,18 @@ T6(DF=N%W=400|800%ACK=S%Flags=AR%Ops=)
T7(DF=N%W=800|C00%ACK=S++%Flags=AR%Ops=)
PU(Resp=N)
Fingerprint Microsoft Windows XP Home Edition
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=RI%gcd=<6%SI=<23C4E&>330%IPID=I%TS=U)
T1(DF=Y%W=F424%ACK=S++%Flags=AS%Ops=MNW)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=F424%ACK=S++%Flags=AS%Ops=MNW)
T4(DF=N%W=0%ACK=O%Flags=AR%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=AR%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows XP Home Edition (English) SP2 build 2600.xps_p2_gdr.050301:1519
Fingerprint Microsoft Windows XP Home Edition (English) SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
@@ -15063,31 +15075,6 @@ T6(DF=N%W=1000|800%ACK=S%Flags=AR%Ops=WNMETL)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=F%RIPCK=E%UCK=F%ULEN=134%DAT=E)
# Microsoft Windows XP Version 5.1 Home German SP2 (Build 2600.xpsp_sp2_rtm.040803-2158 : SP2), latest Updates as of Oct 27, 2004
Fingerprint Microsoft Windows XP Home Edition (German) SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=TR%gcd=<6%IPID=I)
T1(DF=N%W=805C%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Fingerprint Microsoft Windows XP Home Edition
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=RI%gcd=<6%SI=<23C4E&>330%IPID=I%TS=U)
T1(DF=Y%W=F424%ACK=S++%Flags=AS%Ops=MNW)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=F424%ACK=S++%Flags=AS%Ops=MNW)
T4(DF=N%W=0%ACK=O%Flags=AR%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=AR%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows XP Home Edition (German) SP1
# ver 5.1 build 2600.xpsp2.030422-1633 : SP 1; German version
# Microsoft Windows XP Home Edition (German) SP1
@@ -15103,6 +15090,19 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E|F%ULEN=134%DAT=E)
# Microsoft Windows XP Version 5.1 Home German SP2 (Build 2600.xpsp_sp2_rtm.040803-2158 : SP2), latest Updates as of Oct 27, 2004
Fingerprint Microsoft Windows XP Home Edition (German) SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=TR%gcd=<6%IPID=I)
T1(DF=N%W=805C%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=N)
T3(Resp=N)
T4(Resp=N)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows XP Home Edition (English) SP1 Version 5.1.2600.1106 build 2600 xpsp.1.020828-1-920
Fingerprint Microsoft Windows XP Home Edition SP1
Class Microsoft | Windows | NT/2K/XP | general purpose
@@ -15232,19 +15232,6 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Windows XP Professionnel (5.1) Service Pack 2
Fingerprint Microsoft Windows XP Pro SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=TR%gcd=<6%IPID=I)
T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=C00|800|400%ACK=S%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=C00|800|400%ACK=S++%Flags=AR%Ops=WNMETL)
T4(DF=N%W=400|1000%ACK=S%Flags=AR%Ops=WNMETL)
T5(DF=N%W=C00%ACK=S++%Flags=AR%Ops=WNMETL)
T6(DF=N%W=800|400%ACK=S%Flags=AR%Ops=WNMETL)
T7(DF=N%W=400|800%ACK=S++%Flags=AR%Ops=WNMETL)
PU(Resp=N)
# Microaodr Windows XP Pro with SP! and latest Windows Update patches as of June 1, 2005
Fingerprint Microsoft Windows XP Pro SP1
Class Microsoft | Windows | NT/2K/XP | general purpose
@@ -15416,6 +15403,20 @@ T6(DF=N%W=C00|400|800%ACK=S%Flags=R%Ops=WNMETL)
T7(DF=N%W=1000|800%ACK=S%Flags=R%Ops=WNMETL)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows Version 5.1 Build 2600.xpsp2.030825-2117: Service Pack 1
# Microsoft Windows XP Professional SP1 build 2600, latest windows updates (march 27, 2005)
Fingerprint Microsoft Windows XP Pro SP1
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=RI%gcd=<6%SI=<1B1AC&>29E%IPID=I%TS=U)
T1(DF=N%W=2000|4000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=N)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Windows XP Professional 2002 - Service Pack 1 - Hotfixes
# Windows XP Profesional build 2600.xpsp2.030422-1633: Service Pack 1
# Windows XP Professional SP1 build 2600.xpsp1.030422-166: Service Pack 1
@@ -15489,6 +15490,19 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Windows XP Professionnel (5.1) Service Pack 2
Fingerprint Microsoft Windows XP Pro SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=TR%gcd=<6%IPID=I)
T1(DF=Y%W=FFFF%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=C00|800|400%ACK=S%Flags=AR%Ops=WNMETL)
T3(Resp=Y%DF=N%W=C00|800|400%ACK=S++%Flags=AR%Ops=WNMETL)
T4(DF=N%W=400|1000%ACK=S%Flags=AR%Ops=WNMETL)
T5(DF=N%W=C00%ACK=S++%Flags=AR%Ops=WNMETL)
T6(DF=N%W=800|400%ACK=S%Flags=AR%Ops=WNMETL)
T7(DF=N%W=400|800%ACK=S++%Flags=AR%Ops=WNMETL)
PU(Resp=N)
# Microsoft Windows XP Professional Service Pack 2 Build 5 1 2600
Fingerprint Microsoft Windows XP Pro SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
@@ -15753,6 +15767,19 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows Version 5.1 (Build 2600.XPSP_SP2_GDR.050301-1519 : Service Pack 2)
Fingerprint Microsoft Windows XP SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=TR%gcd=<6%IPID=I)
T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows XP Professional Build 2600.xpsp_sp2_rtm.040803-2158 : Service Pack 2
# Microsoft Windows XP Professional SP2 build 2600.xpsp_sp2_rtm.040803-2158
# Microsoft Windows XP Professional SP2 and latest Windows Updates patches as of Dec 15, 2004
@@ -15791,33 +15818,6 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows Version 5.1 (Build 2600.XPSP_SP2_GDR.050301-1519 : Service Pack 2)
Fingerprint Microsoft Windows XP SP2
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=TR%gcd=<6%IPID=I)
T1(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T2(Resp=Y%DF=N%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=402E%ACK=S++%Flags=AS%Ops=MNWNNT)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=B0%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# Microsoft Windows Version 5.1 Build 2600.xpsp2.030825-2117: Service Pack 1
# Microsoft Windows XP Professional SP1 build 2600, latest windows updates (march 27, 2005)
Fingerprint Microsoft Windows XP Pro SP1
Class Microsoft | Windows | NT/2K/XP | general purpose
TSeq(Class=RI%gcd=<6%SI=<1B1AC&>29E%IPID=I%TS=U)
T1(DF=N%W=2000|4000%ACK=S++%Flags=AS%Ops=M)
T2(Resp=N)
T3(Resp=N)
T4(DF=N%W=0%ACK=O%Flags=R%Ops=)
T5(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
# HP Jornada running Windows CE 2.11 (Handheld/PC Pro 3.0) running on StrongARM 1100
Fingerprint HP Jornada running Microsoft Windows CE 2.11 (Handheld/PC Pro 3.0 PDA)
Class Microsoft | Windows | PocketPC/CE | PDA
@@ -15896,18 +15896,6 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=N)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Fingerprint Microsoft Windows Longhorn eval build 4051
Class Microsoft | Windows || general purpose
TSeq(Class=TR%gcd=<6%IPID=I%TS=100HZ)
T1(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=0%ACK=O%Flags=AR%Ops=)
T4(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E|F%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Fingerprint Microsoft Windows 2000 Server SP3
Class Microsoft | Windows || general purpose
TSeq(Class=RI%gcd=<6%SI=<30714&>2A7%IPID=I)
@@ -15920,6 +15908,18 @@ T6(DF=N%W=0%ACK=O%Flags=R%Ops=)
T7(DF=N%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=38%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Fingerprint Microsoft Windows Longhorn eval build 4051
Class Microsoft | Windows || general purpose
TSeq(Class=TR%gcd=<6%IPID=I%TS=100HZ)
T1(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T2(Resp=Y%DF=Y%W=0%ACK=S%Flags=AR%Ops=)
T3(Resp=Y%DF=Y%W=0%ACK=O%Flags=AR%Ops=)
T4(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(DF=N%TOS=0%IPLEN=164%RIPTL=148%RID=E|F%RIPCK=E%UCK=E%ULEN=134%DAT=E)
Fingerprint MikroTik RouterOS 2.7.20
Class MikroTik | RouterOS || software router
TSeq(Class=RI%gcd=<6%SI=<1B9B36E&>46A4A%IPID=Z%TS=100HZ)


nmap.cc

@@ -296,6 +296,9 @@ int nmap_main(int argc, char *argv[]) {
{"spoof_mac", required_argument, 0, 0},
{"ttl", required_argument, 0, 0}, /* Time to live */
{"allports", no_argument, 0, 0},
{"version_intensity", required_argument, 0, 0},
{"version_light", no_argument, 0, 0},
{"version_all", no_argument, 0, 0},
{0, 0, 0, 0}
};
@@ -384,6 +387,14 @@ int nmap_main(int argc, char *argv[]) {
spoofmac = optarg;
} else if (strcmp(long_options[option_index].name, "allports") == 0) {
o.override_excludeports = 1;
} else if (strcmp(long_options[option_index].name, "version_intensity") == 0) {
o.version_intensity = atoi(optarg);
if (o.version_intensity < 0 || o.version_intensity > 9)
fatal("version_intensity must be between 0 and 9");
} else if (strcmp(long_options[option_index].name, "version_light") == 0) {
o.version_intensity = 2;
} else if (strcmp(long_options[option_index].name, "version_all") == 0) {
o.version_intensity = 9;
} else if (strcmp(long_options[option_index].name, "scan_delay") == 0) {
o.scan_delay = atoi(optarg);
if (o.scan_delay <= 0) {
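Review bot: `o.version_intensity = atoi(optarg);` in the `version_intensity` branch maps any non-numeric argument to 0, which passes the 0–9 range check, so `--version_intensity foo` silently selects the lowest intensity instead of being rejected, and trailing garbage such as `5x` is accepted as 5. The neighbouring `scan_delay` branch has the same atoi pattern, but the new code can parse with `strtol` and an end-pointer check, as service_scan.cc already does for `totalwaitms`. nmap_main continues outside the hunk.
```cpp
} else if (strcmp(long_options[option_index].name, "version_intensity") == 0) {
  char *end;
  long intensity = strtol(optarg, &end, 10);
  /* Reject empty, non-numeric and trailing-garbage arguments, not just out-of-range ones. */
  if (*optarg == '\0' || *end != '\0' || intensity < 0 || intensity > 9)
    fatal("version_intensity must be between 0 and 9");
  o.version_intensity = (int) intensity;
/* … unchanged: version_light / version_all / scan_delay branches … */
```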

nmap.h

@@ -304,6 +304,7 @@ void *realloc();
#define MAX_DECOYS 128 /* How many decoys are allowed? */
#define MAXFALLBACKS 20 /* How many comma separated fallbacks are allowed in the service-probes file? */
/* Default maximum send delay between probes to the same host */
#ifndef MAX_TCP_SCAN_DELAY


@@ -104,7 +104,7 @@
#ifndef NMAP_WINCONFIG_H
#define NMAP_WINCONFIG_H
#define NMAP_VERSION "3.84ALPHA1"
#define NMAP_VERSION "3.84ALPHA2"
#define NMAP_NAME "nmap"
#define NMAP_URL "http://www.insecure.org/nmap"
#define NMAP_PLATFORM "i686-pc-windows-windows"


@@ -827,10 +827,16 @@ int ServiceProbeMatch::getVersionStr(const u8 *subject, int subjectlen,
ServiceProbe::ServiceProbe() {
int i;
probename = NULL;
probestring = NULL;
totalwaitms = DEFAULT_SERVICEWAITMS;
probestringlen = 0; probeprotocol = -1;
// The default rarity level for a probe without a rarity
// directive - should almost never have to be relied upon.
rarity = 5;
fallbackStr = NULL;
for (i=0; i<MAXFALLBACKS+1; i++) fallbacks[i] = NULL;
}
ServiceProbe::~ServiceProbe() {
@@ -842,6 +848,8 @@ ServiceProbe::~ServiceProbe() {
for(vi = matches.begin(); vi != matches.end(); vi++) {
delete *vi;
}
if (fallbackStr) free(fallbackStr);
}
void ServiceProbe::setName(const char *name) {
@@ -1003,6 +1011,22 @@ bool ServiceProbe::serviceIsPossible(const char *sname) {
return false;
}
// Takes a string following a Rarity directive in the probes file.
// The string should contain a single integer between 1 and 9. The
// default rarity is 5. This function will bail if the string is invalid.
void ServiceProbe::setRarity(const char *portstr, int lineno) {
int tp;
tp = atoi(portstr);
if (tp < 1 || tp > 9)
fatal("ServiceProbe::setRarity: Rarity directive on line %d of nmap-service-probes must be between 1 and 9", lineno);
rarity = tp;
}
// Takes a match line in a probe description and adds it to the
// list of matches for this probe. This function should be passed
// the whole line starting with "match" or "softmatch" in
@@ -1071,6 +1095,10 @@ void parse_nmap_service_probe_file(AllProbes *AP, char *filename) {
newProbe->setProbablePorts(SERVICE_TUNNEL_NONE, line + 6, lineno);
} else if (strncmp(line, "sslports ", 9) == 0) {
newProbe->setProbablePorts(SERVICE_TUNNEL_SSL, line + 9, lineno);
} else if (strncmp(line, "rarity ", 7) == 0) {
newProbe->setRarity(line + 7, lineno);
} else if (strncmp(line, "fallback ", 9) == 0) {
newProbe->fallbackStr = strdup(line + 9);
} else if (strncmp(line, "totalwaitms ", 12) == 0) {
long waitms = strtol(line + 12, NULL, 10);
if (waitms < 100 || waitms > 300000)
@@ -1093,6 +1121,8 @@ void parse_nmap_service_probe_file(AllProbes *AP, char *filename) {
}
fclose(fp);
AP->compileFallbacks();
}
// Parses the nmap-service-probes file, and adds each probe to
@@ -1189,6 +1219,65 @@ int AllProbes::isExcluded(unsigned short port, int proto) {
}
// Before this function is called, the fallbacks exist as unparsed
// comma-separated strings in the fallbackStr field of each probe.
// This function fills out the fallbacks array in each probe with
// an ordered list of pointers to which probes to try. This is both for
// efficiency and to deal with odd cases like the NULL probe and falling
// back to probes later in the file. This function also free()s all the
// fallbackStrs.
void AllProbes::compileFallbacks() {
vector<ServiceProbe *>::iterator curr;
char *tp;
int i;
curr = probes.begin();
// The NULL probe is a special case:
nullProbe->fallbacks[0] = nullProbe;
while (curr != probes.end()) {
if ((*curr)->fallbackStr == NULL) {
// A non-NULL probe without a fallback directive. We
// just use "Itself,NULL" unless it's UDP, then just "Itself".
(*curr)->fallbacks[0] = *curr;
if ((*curr)->getProbeProtocol() == IPPROTO_TCP)
(*curr)->fallbacks[1] = nullProbe;
} else {
// A non-NULL probe *with* a fallback directive. We use:
// TCP: "Itself,<directive1>,...,<directiveN>,NULL"
// UDP: "Itself,<directive1>,...,<directiveN>"
(*curr)->fallbacks[0] = *curr;
i = 1;
tp = strtok((*curr)->fallbackStr, ",\r\n\t "); // \r and \n because string will be terminated with them
while (tp != NULL && i<(MAXFALLBACKS-1)) {
(*curr)->fallbacks[i] = getProbeByName(tp, (*curr)->getProbeProtocol());
if ((*curr)->fallbacks[i] == NULL)
fatal("AllProbes::compileFallbacks: Unknown fallback specified in Probe %s: '%s'", (*curr)->getName(), tp);
i++;
tp = strtok(NULL, ",\r\n\t ");
}
if (i == MAXFALLBACKS-1)
fatal("AllProbes::compileFallbacks: MAXFALLBACKS exceeded on probe '%s'", (*curr)->getName());
if ((*curr)->getProbeProtocol() == IPPROTO_TCP)
(*curr)->fallbacks[i] = nullProbe;
}
if ((*curr)->fallbackStr) free((*curr)->fallbackStr);
(*curr)->fallbackStr = NULL;
curr++;
}
}
ServiceNFO::ServiceNFO(AllProbes *newAP) {
target = NULL;
@@ -1282,7 +1371,7 @@ void ServiceNFO::addToServiceFingerprint(const char *probeName, const u8 *resp,
if (servicefplen == 0) {
timep = time(NULL);
ltime = localtime(&timep);
servicefplen = snprintf(servicefp, spaceleft, "SF-Port%hu-%s:V=%s%s%%D=%d/%d%%Time=%X%%P=%s", portno, proto2ascii(proto, true), NMAP_VERSION, (tunnel == SERVICE_TUNNEL_SSL)? "%T=SSL" : "", ltime->tm_mon + 1, ltime->tm_mday, (int) timep, NMAP_PLATFORM);
servicefplen = snprintf(servicefp, spaceleft, "SF-Port%hu-%s:V=%s%s%%I=%d%%D=%d/%d%%Time=%X%%P=%s", portno, proto2ascii(proto, true), NMAP_VERSION, (tunnel == SERVICE_TUNNEL_SSL)? "%T=SSL" : "", o.version_intensity, ltime->tm_mon + 1, ltime->tm_mday, (int) timep, NMAP_PLATFORM);
}
// Note that we give the total length of the response, even though we
@@ -1421,9 +1510,11 @@ bool dropdown = false;
while (current_probe != AP->probes.end()) {
// The protocol must be right, it must be a nonmatching port ('cause we did those),
// and we better either have no soft match yet, or the soft service match must
// be available via this probe.
// be available via this probe. Also, the Probe's rarity must be <= to our
// version detection intensity level.
if ((proto == (*current_probe)->getProbeProtocol()) &&
!(*current_probe)->portIsProbable(tunnel, portno) &&
(*current_probe)->getRarity() <= o.version_intensity &&
(!softMatchFound || (*current_probe)->serviceIsPossible(probe_matched))) {
// Valid, probe. Let's do it!
return *current_probe;
@@ -1893,7 +1984,7 @@ void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *mydata) {
const u8 *readstr;
int readstrlen;
const struct MatchDetails *MD;
bool nullprobecheat = false; // We cheated and found a match in the NULL probe to a non-null-probe response
int fallbackDepth=0;
assert(type == NSE_TYPE_READ);
@@ -1906,17 +1997,10 @@ void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *mydata) {
svc->appendtocurrentproberesponse(readstr, readstrlen);
// now get the full version
readstr = svc->getcurrentproberesponse(&readstrlen);
// Now let us try to match it.
MD = probe->testMatch(readstr, readstrlen);
// Sometimes a service doesn't respond quickly enough to the NULL
// scan, even though it would have match. In that case, Nmap can
// end up tediously going through every probe without finding a
// match. So we test the NULL probe matches if the probe-specific
// matches fail
if (!MD && !probe->isNullProbe() && probe->getProbeProtocol() == IPPROTO_TCP && svc->AP->nullProbe) {
MD = svc->AP->nullProbe->testMatch(readstr, readstrlen);
nullprobecheat = true;
for (MD = NULL; probe->fallbacks[fallbackDepth] != NULL; fallbackDepth++) {
MD = (probe->fallbacks[fallbackDepth])->testMatch(readstr, readstrlen);
if (MD && MD->serviceName) break; // Found one!
}
if (MD && MD->serviceName) {
@@ -1930,14 +2014,16 @@ void servicescan_read_handler(nsock_pool nsp, nsock_event nse, void *mydata) {
} else {
if (o.debugging > 1)
if (MD->product || MD->version || MD->info)
printf("Service scan %smatch: %s:%hi is %s%s. Version: |%s|%s|%s|\n", nullprobecheat? "NULL-CHEAT " : "",
printf("Service scan match (Probe %s matched with %s): %s:%hi is %s%s. Version: |%s|%s|%s|\n",
probe->getName(), (*probe->fallbacks[fallbackDepth]).getName(),
svc->target->NameIP(), svc->portno, (svc->tunnel == SERVICE_TUNNEL_SSL)? "SSL/" : "",
MD->serviceName, (MD->product)? MD->product : "", (MD->version)? MD->version : "",
(MD->info)? MD->info : "");
else
printf("Service scan %s%s match: %s:%hi is %s%s\n", nullprobecheat? "NULL-CHEAT " : "",
(MD->isSoft)? "soft" : "hard", svc->target->NameIP(),
svc->portno, (svc->tunnel == SERVICE_TUNNEL_SSL)? "SSL/" : "", MD->serviceName);
printf("Service scan %s match (Probe %s matched with %s): %s:%hi is %s%s\n",
(MD->isSoft)? "soft" : "hard",
probe->getName(), (*probe->fallbacks[fallbackDepth]).getName(),
svc->target->NameIP(), svc->portno, (svc->tunnel == SERVICE_TUNNEL_SSL)? "SSL/" : "", MD->serviceName);
svc->probe_matched = MD->serviceName;
if (MD->product)
Strncpy(svc->product_matched, MD->product, sizeof(svc->product_matched));
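Review bot: `nullProbe->fallbacks[0] = nullProbe;` at the top of `AllProbes::compileFallbacks` dereferences `nullProbe` unconditionally, whereas the code this commit removes from `servicescan_read_handler` guarded on `svc->AP->nullProbe` being non-null, which suggests a probes file without a NULL probe is possible and would now crash while loading the database; `if (nullProbe) nullProbe->fallbacks[0] = nullProbe;` keeps the earlier tolerance. In the same function the token loop stops at `i < MAXFALLBACKS-1` and the following `if (i == MAXFALLBACKS-1)` treats that as overflow, so a probe whose fallback list exactly fills the allowed slots is rejected even though no token remains; testing `if (tp != NULL)` after the loop reports overflow only when input was actually left unconsumed, and the terminator still lands inside the `MAXFALLBACKS+1` array. Separately, the `fallback` branch in `parse_nmap_service_probe_file` assigns a fresh `strdup` to `fallbackStr` on a repeated directive and leaks the earlier string; freeing the previous value or rejecting the duplicate with `fatal` avoids that.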


@@ -267,6 +267,14 @@ class ServiceProbe {
// be detected by the matches in this probe;
bool serviceIsPossible(const char *sname);
// Takes a string following a Rarity directive in the probes file.
// The string should contain a single integer between 1 and 9. The
// default rarity is 5. This function will bail if the string is invalid.
void setRarity(const char *portstr, int lineno);
// Simply returns the rarity of this probe
const int getRarity() { return rarity; }
// Takes a match line in a probe description and adds it to the
// list of matches for this probe. This function should be passed
// the whole line starting with "match" or "softmatch" in
@@ -286,6 +294,9 @@ class ServiceProbe {
// return NULL if there are no match lines at all in this probe.
const struct MatchDetails *testMatch(const u8 *buf, int buflen);
char *fallbackStr;
ServiceProbe *fallbacks[MAXFALLBACKS+1];
private:
void setPortVector(std::vector<u16> *portv, const char *portstr,
int lineno);
@@ -295,6 +306,7 @@ class ServiceProbe {
int probestringlen;
std::vector<u16> probableports;
std::vector<u16> probablesslports;
int rarity;
std::vector<const char *> detectedServices;
int probeprotocol;
std::vector<ServiceProbeMatch *> matches; // first-ever use of STL in Nmap!
@@ -310,6 +322,15 @@ public:
std::vector<ServiceProbe *> probes; // All the probes except nullProbe
ServiceProbe *nullProbe; // No probe text - just waiting for banner
// Before this function is called, the fallbacks exist as unparsed
// comma-separated strings in the fallbackStr field of each probe.
// This function fills out the fallbacks array in each probe with
// an ordered list of pointers to which probes to try. This is both for
// efficiency and to deal with odd cases like the NULL probe and falling
// back to probes later in the file. This function also free()s all the
// fallbackStrs.
void compileFallbacks();
int isExcluded(unsigned short port, int proto);
struct scan_lists *excludedports;
};
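Review bot: `const int getRarity() { return rarity; }` places the `const` on the by-value return, where it has no effect, instead of on the member function; `int getRarity() const { return rarity; }` is what lets a caller holding a `const ServiceProbe` query the rarity. The new `fallbackStr` and `fallbacks[]` members are public while the rest of the probe's state is private, so `parse_nmap_service_probe_file` and `compileFallbacks` write them directly; a setter that takes ownership of the string and an accessor over the array would keep the invariants this commit relies on — `fallbacks` NULL-terminated, `fallbackStr` freed exactly once — inside the class. The comment on `setRarity` and the constructor both encode the default rarity as the literal 5; a single named constant referenced from both would stop them drifting apart.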