mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00

Nmap 3.90

fyodor
2005-09-07 22:37:43 +00:00
parent 59e4189e70
commit c939fdaf23
7 changed files with 963 additions and 764 deletions

CHANGELOG

@@ -1,12 +1,38 @@
# Nmap Changelog ($Id$) # Nmap Changelog ($Id$)
o Fixed crash when Nmap is compiled using gcc 4.X by adding the o Added the ability for Nmap to send and properly route raw ethernet
--fno-strict-aliasing option when that compiler is detected. Thanks packets cointaining IP datagrams rather than always sending the
to Greg Darke (starstuff(a)optusnet.com.au) for discovering that packets via raw sockets. This is particularly useful for Windows,
this option fixes (hides) the problem and to Duilio J. Protti since Microsoft has disabled raw socket support in XP for no good
(dprotti(a)flowgate.net) for writing the configure patch to detect reason. Nmap tries to choose the best method at runtime based on
gcc 4 and add the option. A better fix is to identify and rewrite platform, though you can override it with the new --send_eth and
lines that violate C99 alias rules, and we are looking into that. --send_ip options.
o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
determine whether hosts on a LAN are up, rather than relying on
higher-level IP packets (which can only be sent after a successful
ARP request and reply anyway). This is much faster and more
reliable (not subject to IP-level firewalling) than IP-based probes.
The downside is that it only works when the target machine is on the
same LAN as the scanning machine. It is now used automatically for
any hosts that are detected to be on a local ethernet network,
unless --send_ip was specified. Example usage: nmap -sP -PR
192.168.0.0/16 .
o Added the --spoof_mac option, which asks Nmap to use the given MAC
address for all of the raw ethernet frames it sends. The MAC given
can take several formats. If it is simply the string "0", Nmap
chooses a completely random MAC for the session. If the given
string is an even number of hex digits (with the pairs optionally
separated by a colon), Nmap will use those as the MAC. If less than
12 hex digits are provided, Nmap fills in the remainder of the 6
bytes with random values. If the argument isn't a 0 or hex string,
Nmap looks through the nmap-mac-prefixes to find a vendor name
containing the given string (it is case insensitive). If a match is
found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
remaining 3 bytes randomly. Valid --spoof_mac argument examples are
"Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
"Cisco".
o Applied an enormous nmap-service-probes (version detection) update o Applied an enormous nmap-service-probes (version detection) update
from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had
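Review bot: the added raw-ethernet entry misspells "cointaining"; it should read "packets containing IP datagrams". The gcc 4 / --fno-strict-aliasing entry that this hunk drops from the top of the list is re-added lower in the same file, so nothing is lost, but the new --send_eth/--send_ip entry could say in one clause that forcing --send_ip also disables the automatic ARP ping on local hosts, which is currently only stated in the -PR entry below it.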
@@ -16,6 +42,59 @@ o Applied an enormous nmap-service-probes (version detection) update
accurate. Thanks also go to the (literally) thousands of you who accurate. Thanks also go to the (literally) thousands of you who
submitted service fingerprints. Keep them coming! submitted service fingerprints. Keep them coming!
o Applied a massive OS fingerprint update from Zhao Lei
(zhaolei(a)gmail.com). About 350 fingerprints were added, and many
more were updated. Notable additions include Mac OS X 10.4 (Tiger),
OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
with a new "robotic pet" device type category), the latest Linux 2.6
kernels Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
3.8.X, and Solaris 10. Of course there are also tons of new
broadband routers, printers, WAPs and pretty much any other device
you can coax an ethernet cable (or wireless card) into!
o Added 'leet ASCII art to the confugrator! ARTIST NOTE: If you think
the ASCII art sucks, feel free to send me alternatives. Note that
only people compiling the UNIX source code get this. (ASCII artist
unknown).
o Nmap on Windows now compiles/links with the new WinPcap 3.1
header/lib files. So please upgrade to 3.1 from
http://www.winpcap.org before installing this version of Nmap.
While older versions may still work, they aren't supported with Nmap.
o Nmap distribution signing has changed. Release files are now signed
with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also
generated a new key for himself (KeyID 33599B5F). The Nmap key has
been signed by Fyodor's new key, which has been signed by Fyodor's
old key so that you know they are legit. The new keys are available
at http://www.insecure.org/nmap/data/nmap_gpgkeys.txt , as
docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
keyserver network. Here are the fingerprints:
pub 1024D/33599B5F 2005-04-24
Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
uid Fyodor <fyodor@insecure.org>
sub 2048g/D3C2241C 2005-04-24
pub 1024D/6B9355D0 2005-04-24
Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
uid Nmap Project Signing Key (http://www.insecure.org/)
sub 2048g/A50A6A94 2005-04-24
o Fixed a crash problem related to non-portable varargs (vsnprintf)
usage. Reports of this crash came from Alan William Somers
(somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
This patch was prevalent on Linux boxes running an Opteron/Athlon64
CPU in 64-bit mode.
o Fixed crash when Nmap is compiled using gcc 4.X by adding the
--fno-strict-aliasing option when that compiler is detected. Thanks
to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
this option fixes (hides) the problem and to Duilio J. Protti
(dprotti(a)flowgate.net) for writing the configure patch to detect
gcc 4 and add the option. A better fix is to identify and rewrite
lines that violate C99 alias rules, and we are looking into that.
o Added "rarity" feature to Nmap version detection. This causes o Added "rarity" feature to Nmap version detection. This causes
obscure probes to be skipped when they are unlikely to help. Each obscure probes to be skipped when they are unlikely to help. Each
probe now has a "rarity" value. Probes that detect dozens of probe now has a "rarity" value. Probes that detect dozens of
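Review bot: wording in the relocated vsnprintf entry is off: "This patch was prevalent on Linux boxes running an Opteron/Athlon64 CPU" should be "This crash was prevalent ...", since the patch is the fix, not the symptom. The OS-fingerprint entry is missing a comma in "the latest Linux 2.6 kernels Cisco routers with IOS 12.4", and "confugrator" in the ASCII art entry looks like a typo for "configurator". The GPG block is the one part of this file users will compare against, so the two "Key fingerprint =" lines should be diffed byte-for-byte against docs/nmap_gpgkeys.txt before the release is cut.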
@@ -55,6 +134,13 @@ o Fixed crash with certain --excludefile or
(dprotti(a)flowgate.net) for debugging the issue and sending the (dprotti(a)flowgate.net) for debugging the issue and sending the
patch. patch.
o Updated random scan (ip_is_reserved()) to reflect the latest IANA
assignments. This patch was sent in by Felix Groebert
(felix(a)groebert.org).
o Included new Russian man page translation by
locco_bozi(a)Safe-mail.net
o Applied pach from Steve Martin (smartin(a)stillsecure.com) which o Applied pach from Steve Martin (smartin(a)stillsecure.com) which
standardizes many OS names and corrects typos in nmap-os-fingerprints. standardizes many OS names and corrects typos in nmap-os-fingerprints.
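Review bot: the "Updated random scan (ip_is_reserved())" entry is simply moved up here from the 3.84ALPHA1 section removed below, which is fine; while touching this region, the pre-existing "Applied pach from Steve Martin" in the following context line should become "Applied patch".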
@@ -77,74 +163,18 @@ o Fixed an Nmap version detection crash on Windows which led to the
o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers
(TSellers(a)trustmark.com). (TSellers(a)trustmark.com).
o Updated random scan (ip_is_reserved()) to reflect the latest IANA
assignments. This patch was sent in by Felix Groebert
(felix(a)groebert.org).
o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make
Nmap compile with Cygwin. Nmap compile with Cygwin.
o XML "osmatch" element now has a "line" attribute giving the o XML "osmatch" element now has a "line" attribute giving the
reference fingerprint line number in nmap-os-fingerprints. reference fingerprint line number in nmap-os-fingerprints.
Nmap 3.84ALPHA1
o Added the ability for Nmap to send and properly route raw ethernet
packets cointaining IP datagrams rather than always sending the
packets via raw sockets. This is particularly useful for Windows,
since Microsoft has disabled raw socket support in XP for no good
reason. Nmap tries to choose the best method at runtime based on
platform, though you can override it with the new --send_eth and
--send_ip options.
o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
determine whether hosts on a LAN are up, rather than relying on
higher-level IP packets (which can only be sent after a successful
ARP request and reply anyway). This is much faster and more
reliable (not subject to IP-level firewalling) than IP-based probes.
The downside is that it only works when the target machine is on the
same LAN as the scanning machine. It is now used automatically for
any hosts that are detected to be on a local ethernet network,
unless --send_ip was specified. Example usage: nmap -sP -PR
192.168.0.0/16 .
o Added the --spoof_mac option, which asks Nmap to use the given MAC
address for all of the raw ethernet frames it sends. The MAC given
can take several formats. If it is simply the string "0", Nmap
chooses a completely random MAC for the session. If the given
string is an even number of hex digits (with the pairs optionally
separated by a colon), Nmap will use those as the MAC. If less than
12 hex digits are provided, Nmap fills in the remainder of the 6
bytes with random values. If the argument isn't a 0 or hex string,
Nmap looks through the nmap-mac-prefixes to find a vendor name
containing the given string (it is case insensitive). If a match is
found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
remaining 3 bytes randomly. Valid --spoof_mac argument examples are
"Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
"Cisco".
o Applied a massive OS fingerprint update from Zhao Lei
(zhaolei(a)gmail.com). About 350 fingerprints were added, and many
more were updated. Notable additions include Mac OS X 10.4 (Tiger),
OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
with a new "robotic pet" device type category), the latest Linux 2.6
kernels Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
3.8.X, and Solaris 10. Of course there are also tons of new
broadband routers, printers, WAPs and pretty much any other device
you can coax an ethernet cable (or wireless card) into!
o Added a distcc probes and a bunch of smtp matches from Dirk Mueller o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
(mueller(a)kde.org) to nmap-service-probes. Also added AFS version (mueller(a)kde.org) to nmap-service-probes. Also added AFS version
probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And
even more probes and matches from Martin Macok even more probes and matches from Martin Macok
(martin.macok(a)underground.cz) (martin.macok(a)underground.cz)
o Nmap on Windows now compiles/links with the new WinPcap 3.1
header/lib files. So please upgrade to 3.1 from
http://www.winpcap.org before installing this version of Nmap.
While older versions may still work, they aren't supported with Nmap.
o Fixed a problem where Nmap compilation would use header files from o Fixed a problem where Nmap compilation would use header files from
the libpcap included with Nmap even when it was linking to a system the libpcap included with Nmap even when it was linking to a system
libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan
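Review bot: removing the "Nmap 3.84ALPHA1" heading folds the alpha's entries into the 3.90 list, so the changelog no longer records that 3.84ALPHA1 or 3.84ALPHA2 existed even though the Makefile and nmap_winconfig.h hunks in this commit bump from "3.84ALPHA2". A one-line note at the top of the 3.90 block saying it incorporates the 3.84ALPHA releases would keep bug reports that cite those version strings resolvable.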
@@ -172,7 +202,7 @@ o Added "Exclude" directive to nmap-service-probes grammar which
o Added a stripped-down and heavily modified version of Dug Song's o Added a stripped-down and heavily modified version of Dug Song's
libdnet networking library (v. 1.10). This helps with the new raw libdnet networking library (v. 1.10). This helps with the new raw
ethernet features. My changes are described in ethernet features. My (extensive) changes are described in
libdnet-stripped/NMAP_MODIFICATIONS libdnet-stripped/NMAP_MODIFICATIONS
o Removed WinIP library (and all Windows raw sockets code) since MS o Removed WinIP library (and all Windows raw sockets code) since MS
@@ -224,38 +254,9 @@ o Fixed the way tcp connect scan (-sT) respons to ICMP network
unreachable responses (patch by Richard Moore unreachable responses (patch by Richard Moore
(rich(a)westpoint.ltd.uk). (rich(a)westpoint.ltd.uk).
o Fixed a crash problem related to non-portable varargs (vsnprintf)
usage. Reports of this crash came from Alan William Somers
(somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
This patch was prevalent on Linux boxes running an Opteron/Athlon64
CPU in 64-bit mode.
o Nmap distribution signing has changed. Release files are now signed
with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also
generated a new key for himself (KeyID 33599B5F). The Nmap key has
been signed by Fyodor's new key, which has been signed by Fyodor's
old key so that you know they are legit. The new keys are available
at http://www.insecure.org/nmap/data/nmap_gpgkeys.txt , as
docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
keyserver network. Here are the fingerprints:
pub 1024D/33599B5F 2005-04-24
Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
uid Fyodor <fyodor@insecure.org>
sub 2048g/D3C2241C 2005-04-24
pub 1024D/6B9355D0 2005-04-24
Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
uid Nmap Project Signing Key (http://www.insecure.org/)
sub 2048g/A50A6A94 2005-04-24
o Update random host scan (-iR) to support the latest IANA-allocated o Update random host scan (-iR) to support the latest IANA-allocated
ranges, thanks to patch by Chad Loder (cloder(a)loder.us). ranges, thanks to patch by Chad Loder (cloder(a)loder.us).
o Added 'leet ASCII art to the confugrator! ARTIST NOTE: If you think
the ASCII art sucks, feel free to send me alternatives. Note that
only people compiling the UNIX source code get this. (ASCII artist
unknown).
o Updated GNU shtool (a helper program used during 'make install' to o Updated GNU shtool (a helper program used during 'make install' to
version 2.0.2, which fixes a predictable temporary filename version 2.0.2, which fixes a predictable temporary filename
weakness discovered by Eric Raymond. weakness discovered by Eric Raymond.
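Review bot: this hunk only deletes entries that the earlier hunks re-add near the top (vsnprintf crash, GPG signing keys, ASCII art), so no content is lost. However, the surviving "Update random host scan (-iR) to support the latest IANA-allocated ranges" entry from Chad Loder and the relocated "Updated random scan (ip_is_reserved()) to reflect the latest IANA assignments" entry from Felix Groebert now sit in the same 3.90 list and read as the same change; if they are two successive updates of the reserved-range table, say so in one of them, otherwise merge them.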


@@ -1,4 +1,4 @@
export NMAP_VERSION = 3.84ALPHA2 export NMAP_VERSION = 3.90
NMAP_NAME= nmap NMAP_NAME= nmap
NMAP_URL= http://www.insecure.org/nmap/ NMAP_URL= http://www.insecure.org/nmap/
NMAP_PLATFORM=@host@ NMAP_PLATFORM=@host@


@@ -1,4 +1,4 @@
Nmap 3.84ALPHA1 Usage: nmap [Scan Type(s)] [Options] <host or net list> Nmap 3.84ALPHA2 Usage: nmap [Scan Type(s)] [Options] <host or net list>
Some Common Scan Types ('*' options require root privileges) Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root)) * -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users) -sT TCP connect() port scan (default for unprivileged users)
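Review bot: the usage banner is bumped only from "Nmap 3.84ALPHA1" to "Nmap 3.84ALPHA2", while the Makefile hunk above and the NMAP_VERSION define below set the version to 3.90; users running the release's built-in help will see a stale alpha string. Change the banner to "Nmap 3.90 Usage: nmap [Scan Type(s)] [Options] <host or net list>" in the same commit so the three version strings agree.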

File diff suppressed because it is too large


@@ -1638,7 +1638,6 @@ match telnet m|^\xff\xfb\x01\xff\xfb\x03\x1b\[2J\x1b\[0;0H\x1b\[K\x1b\[7mTelnet
match telnet m|^Telnet server disabled\r\n$| p/F5 BigIP load balancer telnetd/ i/telnet disabled/ d/load balancer/ match telnet m|^Telnet server disabled\r\n$| p/F5 BigIP load balancer telnetd/ i/telnet disabled/ d/load balancer/
match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\n login: | p/Linksys WRT54G router telnetd/ i/Sveasoft firmware/ d/router/ match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\n login: | p/Linksys WRT54G router telnetd/ i/Sveasoft firmware/ d/router/
match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\n\(none\) login: | p/BusyBox telnetd/ match telnet m|^\xff\xfd\x01\xff\xfd\x1f\xff\xfd!\xff\xfb\x01\xff\xfb\x03\r\r\n\(none\) login: | p/BusyBox telnetd/
match telnet m|^\xff\xfb\x03\xff\xfb\x01$| p/Nokia M1112 router telnetd/ d/router/
match telnet m|^\xff\xfb\x01Copyright \(C\) \d+ by Compaq Computer Corp\. \r\n\rlogin: | p/Compaq 5450 switch telnetd/ d/switch/ match telnet m|^\xff\xfb\x01Copyright \(C\) \d+ by Compaq Computer Corp\. \r\n\rlogin: | p/Compaq 5450 switch telnetd/ d/switch/
match telnet m|^\n\r\n\rTHIS IS A MUD BASED ON\.\.\.\.\.\n\r\n\r ROM Version (.*)\n| p/ROM-based MUD/ v/$1/ match telnet m|^\n\r\n\rTHIS IS A MUD BASED ON\.\.\.\.\.\n\r\n\r ROM Version (.*)\n| p/ROM-based MUD/ v/$1/
match telnet m|^\r\n.*Based\(loosely\) on CircleMUD ([\d.]+)|s p/CircleMUD-based MUD telnetd/ v/$1/ match telnet m|^\r\n.*Based\(loosely\) on CircleMUD ([\d.]+)|s p/CircleMUD-based MUD telnetd/ v/$1/
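Review bot: this hunk drops the Nokia M1112 telnet match from the NULL probe's match list; it is re-added under GenericLines in the next hunk, so this is a relocation rather than a removal, and the two hunks should be read together.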
@@ -1954,6 +1953,14 @@ match solfe m|^\x02\0\x01\xfb\xff\xfb\xff\xff\xff\xff\xffNOSUP| p/HP PNM Solid F
match sstp m|^SSTP/([\d.]+) 400 Bad Request\r\n\r\n\0$| p/Sakura Script Transfer Protocol/ i/Protocol $1/ match sstp m|^SSTP/([\d.]+) 400 Bad Request\r\n\r\n\0$| p/Sakura Script Transfer Protocol/ i/Protocol $1/
match smux m|^A\x01\x02$| p/Linux SNMP multiplexer/ o/Linux/ match smux m|^A\x01\x02$| p/Linux SNMP multiplexer/ o/Linux/
# This could go into the NULL probe, but the problem is that it is a prefix
# of what other routers (at least HP JetDirect printer telentd) send.
# And at least the JD sends the string below first, before it send the
# rest in other packets. So it is best to capture this one here in
# GenericLines.
match telnet m|^\xff\xfb\x03\xff\xfb\x01$| p/Nokia M1112 router telnetd/ d/router/
# Solaris 9 # Solaris 9
match uucp m|^login: Please enter user name: Password: $| p/Solaris uucpd/ o/Solaris/ match uucp m|^login: Please enter user name: Password: $| p/Solaris uucpd/ o/Solaris/
# SunOS 4 # SunOS 4
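Review bot: two typos in the added comment: "telentd" should be "telnetd" and "before it send the rest" should be "before it sends the rest". The move itself is sound: the Nokia M1112 signature "^\xff\xfb\x03\xff\xfb\x01$" is anchored at both ends and, as the comment notes, is a prefix of what other devices such as the HP JetDirect telnetd send first, so leaving it in the NULL probe risks tagging those devices as a Nokia router on their first packet; matching it under GenericLines instead avoids that false positive.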


@@ -104,7 +104,7 @@
#ifndef NMAP_WINCONFIG_H #ifndef NMAP_WINCONFIG_H
#define NMAP_WINCONFIG_H #define NMAP_WINCONFIG_H
#define NMAP_VERSION "3.84ALPHA2" #define NMAP_VERSION "3.90"
#define NMAP_NAME "nmap" #define NMAP_NAME "nmap"
#define NMAP_URL "http://www.insecure.org/nmap" #define NMAP_URL "http://www.insecure.org/nmap"
#define NMAP_PLATFORM "i686-pc-windows-windows" #define NMAP_PLATFORM "i686-pc-windows-windows"


@@ -1990,7 +1990,9 @@ void set_pcap_filter(const char *device,
#endif #endif
char err0r[256]; char err0r[256];
if (pcap_lookupnet(device, &localnet, &netmask, err0r) < 0) // Cast below is becaue OpenBSD apparently has a version that takes a
// non-const device (hopefully they don't actually write to it).
if (pcap_lookupnet( (char *) device, &localnet, &netmask, err0r) < 0)
fatal("Failed to lookup subnet/netmask for device (%s): %s", device, err0r); fatal("Failed to lookup subnet/netmask for device (%s): %s", device, err0r);
va_start(ap, bpf); va_start(ap, bpf);
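Review bot: the cast "(char *) device" strips const to satisfy OpenBSD's pcap_lookupnet() prototype, and the comment admits it only hopes the callee does not write to the buffer; set_pcap_filter() receives device as a const char *, so a write would corrupt caller-owned (possibly read-only) memory. Safer to copy device into a local char array before the call so the cast never aliases the caller's string, and fix the typo "becaue" in the comment while at it.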