From 5fc5941253c55cf51057329270b29fe8a53a8bd9 Mon Sep 17 00:00:00 2001 From: fyodor Date: Sun, 10 Feb 2008 05:29:12 +0000 Subject: [PATCH] some improvements suggested by Joao Medeiros -- also trying to resolve issues re: the new hidepdf ulink role. --- docs/refguide.xml | 21 ++++++++++----------- docs/scripting.xml | 4 ++-- 2 files changed, 12 insertions(+), 13 deletions(-) diff --git a/docs/refguide.xml b/docs/refguide.xml index 9af6e4c85..78b8b3115 100644 --- a/docs/refguide.xml +++ b/docs/refguide.xml @@ -297,7 +297,7 @@ you would expect. which demonstrate that an IP address is actually active (is being used by a host or network device). On many networks, only a small percentage of IP addresses are active at any given time. This is - particularly common with RFC1918-blessed private address space + particularly common with private address space such as 10.0.0.0/8. That network has 16 million IPs, but I have seen it used by companies with less than a thousand machines. Host discovery can find those machines in a sparsely allocated sea of @@ -613,7 +613,7 @@ you would expect. hosts. Unfortunately for network explorers, many hosts and firewalls now block these packets, rather than responding as required by RFC + role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc1122.txt">RFC 1122. For this reason, ICMP-only scans are rarely reliable enough against unknown targets over the Internet. But for system administrators monitoring an internal @@ -623,7 +623,7 @@ you would expect. While echo request is the standard ICMP ping query, Nmap does not stop there. The ICMP standard (RFC + role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc792.txt">RFC 792) also specifies timestamp request, information request, and address mask request packets as codes 13, 15, and 17, respectively. While the ostensible purpose for 
@@ -685,7 +685,7 @@ you would expect. One of the most common Nmap usage scenarios is to scan an ethernet LAN. On most LANs, especially those using - RFC1918-blessed private address ranges, the vast majority of + private address ranges specified by RFC 1918, the vast majority of IP addresses are unused at any given time. When Nmap tries to send a raw IP packet such as an ICMP echo request, the operating system must determine the destination hardware @@ -1058,7 +1058,7 @@ know that she has been connect scanned. While most popular services on the Internet run over the TCP protocol, UDP services +role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc768.txt">UDP services are widely deployed. DNS, SNMP, and DHCP (registered ports 53, 161/162, and 67/68) are three of the most common. Because UDP scanning is generally slower and more difficult @@ -1121,7 +1121,7 @@ hosts. These three scan types (even more are possible with the option described in the next section) exploit a subtle loophole in the TCP RFC to +role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc793.txt">TCP RFC to differentiate between open and closed ports. Page 65 says that if the [destination] port state is CLOSED .... an incoming segment not @@ -1247,7 +1247,7 @@ ports, then those three may very well be the truly open ones. described the technique in Phrack Magazine issue #49 (November 1996). Nmap, which included this technique, was released two issues later. This technique is exactly the same as null, FIN, and Xmas scans, except -that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet +that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet should be generated in response to such a probe whether the port is open or closed. However, Uriel noticed that many BSD-derived systems simply drop the packet if the port is open. 
@@ -1390,7 +1390,7 @@ after retransmissions, the protocol is marked An interesting feature of the FTP protocol (RFC 959) is +role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc959.txt">RFC 959) is support for so-called proxy FTP connections. This allows a user to connect to one FTP server, then ask that files be sent to a third-party server. Such a feature is ripe for abuse on many levels, @@ -1742,8 +1742,7 @@ way. OS detection enables several other tests which make use of information that is gathered during the process anyway. One of these - is uptime measurement, which uses the TCP timestamp option (RFC - 1323) to guess when a machine was last rebooted. This is only + is uptime measurement, which uses the TCP timestamp option (RFC 1323) to guess when a machine was last rebooted. This is only reported for machines which provide this information. Another is TCP Sequence Predictability Classification. This measures approximately how hard it is to establish a forged @@ -2679,7 +2678,7 @@ support the option completely, as does UDP scan. --ip-options - The IP + The IP protocol offers several options which may be placed in packet headers. Unlike the ubiquitous TCP options, IP options are rarely seen due to practicality and security concerns. In diff --git a/docs/scripting.xml b/docs/scripting.xml index 1e1e7da50..88997a0bf 100644 --- a/docs/scripting.xml +++ b/docs/scripting.xml @@ -940,7 +940,7 @@ if(s) code_to_be_done_on_match end checks whether an IP address, provided as a string in dotted-quad notation, is part of the non-routed private IP address - space, as described in RFC 1918. These addresses are the well known + space, as described in RFC 1918. These addresses are the well known 10.0.0.0/8,192.168.0.0/16 and 172.16.0.0/12 networks. 
@@ -2573,7 +2573,7 @@ try(socket:send(result)) character. The server should then respond with a string of the form port-on-server, port-on-client:response-type:address-information. In case of an error the address information is omitted. This description is sufficient for our - purposes, for more details refer to RFC 1413. The protocol cannot be modeled in Nmap's version + purposes, for more details refer to RFC 1413. The protocol cannot be modeled in Nmap's version detection language for two reasons. The first is that you need to know both the local and the remote port of a connection. Version detection does not provide this data. The
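Review bot: in the docs/refguide.xml hunk at @@ -297, replacing "RFC1918-blessed private address space" with plain "private address space" drops the paragraph's only pointer to RFC 1918, while the @@ -685 hunk in the same file keeps it ("private address ranges specified by RFC 1918"). Keep the citation here as well for consistency, e.g. `particularly common with private address space such as` could read `particularly common with RFC 1918 private address space such as`, so the reader knows where 10.0.0.0/8 and the other reserved ranges come from.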
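Review bot: in the docs/refguide.xml hunk at @@ -2678 the removed and added lines are textually identical (`- The IP` / `+ The IP`), as they are in @@ -1247 (`-that the probe is FIN/ACK. According to RFC 793 (TCP), a RST packet` against the same `+` line), so the real change must be in markup that does not show in this rendering of the diff; the only explanation on offer is the commit message's "trying to resolve issues re: the new hidepdf ulink role". Please say in the commit message which ulink attributes were added or removed in these hunks (the @@ -613, @@ -623, @@ -1058, @@ -1121 and @@ -1390 hunks visibly add `role="hidepdf" url="http://www.rfc-editor.org/rfc/rfcNNNN.txt"`), so a reviewer can verify the change without re-reading the raw XML.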
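Review bot: in the docs/refguide.xml hunk at @@ -1742, joining the two lines `is uptime measurement, which uses the TCP timestamp option (RFC` and `1323) to guess when a machine was last rebooted. This is only` into one line leaves it much longer than the surrounding wrapped text. If the join is needed to keep "RFC 1323" inside a single ulink, rewrap the remainder of the sentence at the file's usual width so the paragraph stays readable in the source.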
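Review bot: since the docs/scripting.xml hunk at @@ -940 already touches the line `space, as described in RFC 1918. These addresses are the well known`, fix the two small style issues around it at the same time: "well known" used attributively should be "well-known", and the following context line `10.0.0.0/8,192.168.0.0/16 and 172.16.0.0/12 networks.` is missing a space after the first comma (`10.0.0.0/8, 192.168.0.0/16 and 172.16.0.0/12 networks.`).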
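Review bot: the docs/scripting.xml hunk at @@ -2573 keeps a comma splice in the touched line: `purposes, for more details refer to RFC 1413. The protocol cannot be modeled in Nmap's version`. Split it, e.g. `purposes; for more details refer to RFC 1413.`, so the sentence about the Ident response format reads cleanly before the explanation of why version detection cannot express the protocol.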