diff --git a/CHANGELOG b/CHANGELOG index 87b13cdce..b66692681 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -34,13 +34,6 @@ o [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR Nmap 6.40 [2013-07-29] -o [Nsock] Added initial proxy support to Nsock. Nmap version detection and - NSE can now establish TCP connections through chains of proxies. HTTP - CONNECT and SOCKS4 protocols are supported, with some limitations. Use the - Nmap --proxies option with a chain of one or more proxies as the argument - (example: http://localhost:8080,socks4://someproxy.example.com) [Henri - Doreau] - o [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat --sh-exec "lua "' and allows you to run Lua scripts with Ncat, redirecting all stdin and stdout operations to the socket connection. See 
@@ -65,23 +58,14 @@ o Integrated your latest IPv6 OS submissions and corrections. We're still fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap guesses wrong) are useful. [David Fifield] -o Updated the Nmap license agreement to close some loopholes and stop some - abusers. It's particularly targeted at companies which distribute - malware-laden Nmap installers as we caught Download.com doing last - year--http://insecure.org/news/download-com-fiasco.html. The updated - license is in the all the normal places, including - https://svn.nmap.org/nmap/COPYING. - -o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If - you ran the (fortunately non-default) http-domino-enum-passwords script - with the (fortunately also non-default) domino-enum-passwords.idpath - parameter against a malicious server, it could cause an arbitrarily named - file to to be written to the client system. Thanks to Trustwave researcher - Piotr Duszynski for discovering and reporting the problem. We've fixed - that script, and also updated several other scripts to use a new - stdnse.filename_escape function for extra safety. This breaks our record - of never having a vulnerability in the 16 years that Nmap has existed, but - that's still a fairly good run! [David, Fyodor] +o [Nsock] Added initial proxy support to Nsock. Nmap version detection + and NSE can now establish TCP connections through chains of one or + more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a + chain of one or more proxies as the argument (example: + http://localhost:8080,socks4://someproxy.example.com). Note that + only version detection and NSE are supported so far (no port + scanning or host discovery), and there are other limitations + described in the man page. [Henri Doreau] o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446. They are all listed at http://nmap.org/nsedoc/, and the summaries are 
@@ -140,6 +124,24 @@ o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446. versions 2.1.2 and above and tries to determine version and configuration information. [Marin Maržić] +o Updated the Nmap license agreement to close some loopholes and stop some + abusers. It's particularly targeted at companies which distribute + malware-laden Nmap installers as we caught Download.com doing last + year--http://insecure.org/news/download-com-fiasco.html. The updated + license is in the all the normal places, including + https://svn.nmap.org/nmap/COPYING. + +o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If + you ran the (fortunately non-default) http-domino-enum-passwords script + with the (fortunately also non-default) domino-enum-passwords.idpath + parameter against a malicious server, it could cause an arbitrarily named + file to to be written to the client system. Thanks to Trustwave researcher + Piotr Duszynski for discovering and reporting the problem. We've fixed + that script, and also updated several other scripts to use a new + stdnse.filename_escape function for extra safety. This breaks our record + of never having a vulnerability in the 16 years that Nmap has existed, but + that's still a fairly good run! [David, Fyodor] + o Unicast CIDR-style IPv6 range scanning is now supported, so you can specify targets such as en.wikipedia.org/120. Obviously it will take ages if you specify a huge space. For example, a /64 contains diff --git a/docs/refguide.xml b/docs/refguide.xml index 690d5c928..6d4dbc6be 100644 --- a/docs/refguide.xml +++ b/docs/refguide.xml 
@@ -3437,38 +3437,39 @@ work properly. Relay TCP connections via a chain of - proxies. + URLs (Relay TCP connections through a chain of + proxies) proxy proxies - Asks Nmap to establish TCP connections via the supplied chain of - proxies. Connections are - established to the first node of the chain, which is in turn asked to - connect to the second one... to eventually reach the target. This - technique degrades performance, mostly by introducing latency. It is - up to the user to adjust timeouts and other scan parameters - accordingly when invoking nmap. Typically, some proxies might refuse - to handle as many concurrent connections as nmap's default - parallelism. - The option takes a list of proxies as argument, expressed as - URLs like proto://host:port. Use commas to separate - node URLs of a chain. No authentication is supported yet. Valid + Asks Nmap to establish TCP connections with a final + target through supplied chain of one or more HTTP or SOCKS4 + proxies. Proxies + can help hide the true source of a scan or evade certain + firewall restrictions, but they can hamper scan performance + by increasing latency. Users may need to adjust Nmap + timeouts and other scan parameters accordingly. In + particular, a lower may + help because some proxies refuse to handle as many + concurrent connections as Nmap opens by default. + + This option takes a list of proxies as argument, expressed as + URLs in the format proto://host:port. Use commas to separate + node URLs in a chain. No authentication is supported yet. Valid protocols are HTTP and SOCKS4. Warning: this feature is still under development and has limitations. It is implemented within the nsock library and thus has - no effect on the ping, port scanning and OS discovery phases. Only - NSE and version scan already benefit from this option. Also, SSL - connections are not supported yet, as well as proxy-side DNS - resolving (hostnames are always resolved by nmap). 
In other words, - the current implementation does not aim to provide strong - anonymity. + no effect on the ping, port scanning and OS discovery phases + of a scan. Only NSE and version scan benefit from this + option so far—other features may disclose your true address. SSL + connections are not yet supported, nor is proxy-side DNS + resolution (hostnames are always resolved by nmap). diff --git a/nmap.cc b/nmap.cc index 0d40739c8..90fcde328 100644 --- a/nmap.cc +++ b/nmap.cc @@ -333,7 +333,7 @@ static void printusage(int rc) { " -S : Spoof source address\n" " -e : Use specified interface\n" " -g/--source-port : Use given port number\n" - " --proxies : Relay TCP connections through a chain of proxies\n" + " --proxies : Relay connections through HTTP/SOCKS4 proxies\n" " --data-length : Append random data to sent packets\n" " --ip-options : Send packets with specified ip options\n" " --ttl : Set IP time-to-live field\n"
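Review bot: In the CHANGELOG hunk @@ -34,13 +34,6 @@, the Nsock proxy entry deleted here is the same entry re-added by the @@ -65,23 +58,14 @@ hunk, but with rewritten text, so this is a move plus an edit that the diff cannot show as a word-level change; please say in the commit message that the wording was changed in transit (the new version drops "with some limitations" in favour of naming what is unsupported: no port scanning or host discovery), so reviewers do not assume a pure move.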
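Review bot: In the CHANGELOG hunk @@ -65,23 +58,14 @@, the re-added proxy entry says "CONNECT or SOCKS4 proxies" while the refguide hunk and the nmap.cc usage line in the same commit say "HTTP or SOCKS4" and "HTTP/SOCKS4"; pick one name, for example "HTTP CONNECT or SOCKS4 proxies", so the changelog, the man page and --help use the same term. This hunk also moves the license notice and the http-domino-enum-passwords vulnerability notice further down the 6.40 section to make room for the proxy feature; the vulnerability entry is the one users scanning the changelog most need to find, so consider keeping it near the top of the release even if the proxy feature is promoted.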
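Review bot: In the CHANGELOG hunk @@ -140,6 +124,24 @@, the moved text carries over two typos that should be fixed while the lines are being touched: "file to to be written" (duplicated "to") and "is in the all the normal places" (should read "is in all the normal places").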
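Review bot: In the docs/refguide.xml hunk @@ -3437,38 +3437,39 @@, the new paragraph opens by saying proxies "can help hide the true source of a scan" but drops the removed sentence that "the current implementation does not aim to provide strong anonymity"; since the same hunk admits the option has no effect on the ping, port scanning and OS detection phases and that "other features may disclose your true address", keep an explicit non-anonymity statement next to the "hide the true source" claim rather than leaving readers to infer it, e.g. "This option is not an anonymity mechanism." Two wording fixes in the same hunk: "through supplied chain of one or more" should be "through the supplied chain of one or more", and the sentence "In particular, a lower may help" is missing the option it refers to in this view; confirm the option element for the parallelism setting is present in the source and renders. Finally, "hostnames are always resolved by nmap" could be stated more plainly as "hostnames are resolved by the scanning host, not by the proxy", since that is exactly the traffic a user relying on the proxy will not expect to leave their machine.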
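Review bot: In the nmap.cc hunk @@ -333,7 +333,7 @@, the new usage line drops "TCP" ("Relay connections through HTTP/SOCKS4 proxies") while the refguide synopsis in this same commit still reads "Relay TCP connections through a chain of proxies"; the two short descriptions should match, and "TCP" matters here because the reference guide explains that only TCP connections made by NSE and version scan go through the proxies while raw-packet phases do not. If line width is the concern, a wording such as "Relay TCP connections via HTTP/SOCKS4 proxies" keeps both the protocol names and the TCP qualifier.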