PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-07 13:11:28 +00:00
Code Issues Projects Releases Wiki Activity

Deprecate/disable -PR option as it was not really being checked.

Browse Source 
Fixes #1361
This commit is contained in:
dmiller
2018-10-24 03:55:42 +00:00
parent 9a6f9c5abe
commit d03b10ea36
5 changed files with 16 additions and 50 deletions
Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGELOG
View File

@@ -1,5 +1,9 @@
#Nmap Changelog ($Id$); -*-text-*- #Nmap Changelog ($Id$); -*-text-*-
o [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP
ping is already used whenever possible, and the -PR option would not force it
to be used in any other case. [Daniel Miller]
o [NSE][GH#1243] Added http-sap-netweaver-leak to detect SAP Netweaver Portal o [NSE][GH#1243] Added http-sap-netweaver-leak to detect SAP Netweaver Portal
with the Knowledge Management Unit enabled with anonymous access. [ArphanetX] with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]

48
docs/refguide.xml
View File

@@ -371,7 +371,8 @@ you would expect.</para>
timestamp request is omitted because it is not part of ICMPv6.) timestamp request is omitted because it is not part of ICMPv6.)
These defaults are These defaults are
equivalent to the <option>-PE -PS443 -PA80 -PP</option> options. equivalent to the <option>-PE -PS443 -PA80 -PP</option> options.
The exceptions to this are the ARP (for IPv4) and Neighbor The exceptions to this are the ARP<indexterm><primary>ARP ping</primary></indexterm>
(for IPv4) and Neighbor
Discovery<indexterm><primary>Neighbor Discovery</primary><secondary>for host discovery</secondary></indexterm> Discovery<indexterm><primary>Neighbor Discovery</primary><secondary>for host discovery</secondary></indexterm>
(for IPv6) (for IPv6)
scans which are used for any targets on a local ethernet network. scans which are used for any targets on a local ethernet network.
@@ -387,10 +388,9 @@ you would expect.</para>
ping types) can be combined. You can increase your odds of ping types) can be combined. You can increase your odds of
penetrating strict firewalls by sending many probe types using penetrating strict firewalls by sending many probe types using
different TCP ports/flags and ICMP codes. Also note that different TCP ports/flags and ICMP codes. Also note that
ARP/Neighbor Discovery ARP/Neighbor Discovery <indexterm><primary>ARP ping</primary></indexterm>
(<option>-PR</option>)<indexterm><primary><option>-PR</option></primary></indexterm>
is done by default against is done by default against
targets on a local ethernet network even if you specify other targets on a local Ethernet network even if you specify other
<option>-P*</option> options, because it is almost always faster <option>-P*</option> options, because it is almost always faster
and more effective.</para> and more effective.</para>
@@ -849,46 +849,6 @@ content can also be affected with the <option>--data</option>,
</listitem> </listitem>
</varlistentry> </varlistentry>
<varlistentry>
<term>
<option>-PR</option> (ARP Ping)
<indexterm><primary><option>-PR</option></primary></indexterm>
<indexterm><primary>ARP ping</primary></indexterm>
</term>
<listitem>
<para>One of the most common Nmap usage scenarios is to scan
an ethernet LAN. On most LANs, especially those using
private address ranges specified by <ulink role="hidepdf" url="http://www.rfc-editor.org/rfc/rfc1918.txt">RFC 1918</ulink>, the vast majority of
IP addresses are unused at any given time. When Nmap tries
to send a raw IP packet such as an ICMP echo request, the
operating system must determine the destination hardware
(ARP) address corresponding to the target IP so that it can
properly address the ethernet frame. This is often slow and
problematic, since operating systems weren't written with
the expectation that they would need to do millions of ARP
requests against unavailable hosts in a short time
period.</para>
<para>ARP scan puts Nmap and its optimized algorithms in
charge of ARP requests. And if it gets a response back,
Nmap doesn't even need to worry about the IP-based ping
packets since it already knows the host is up. This makes
ARP scan much faster and more reliable than IP-based scans.
So it is done by default when scanning ethernet hosts that Nmap
detects are on a local ethernet network. Even if different
ping types (such as <option>-PE</option> or
<option>-PS</option>) are specified, Nmap uses ARP instead
for any of the targets which are on the same LAN. If you
absolutely don't want to do an ARP scan, specify
<option>--disable-arp-ping</option>.</para>
<para>For IPv6 (-6 option), <option>-PR</option> uses ICMPv6
Neighbor Discovery instead of ARP. Neighbor Discovery, defined
in RFC 4861, can be seen as the IPv6 equivalent of ARP.</para>
</listitem>
</varlistentry>
<varlistentry> <varlistentry>
<term> <term>

8
nmap.cc
View File

@@ -1161,8 +1161,10 @@ void parse_options(int argc, char **argv) {
} }
o.pingtype |= PINGTYPE_NONE; o.pingtype |= PINGTYPE_NONE;
} }
else if (*optarg == 'R') else if (*optarg == 'R') {
o.pingtype |= PINGTYPE_ARP; if (o.verbose > 0)
error("The -PR option is deprecated. ARP scan is always done when possible.");
}
else if (*optarg == 'S') { else if (*optarg == 'S') {
if (ports.syn_ping_count > 0) if (ports.syn_ping_count > 0)
fatal("Only one -PS option is allowed. Combine port ranges with commas."); fatal("Only one -PS option is allowed. Combine port ranges with commas.");
@@ -1238,7 +1240,7 @@ void parse_options(int argc, char **argv) {
assert(ports.proto_ping_count > 0); assert(ports.proto_ping_count > 0);
} }
} else { } else {
fatal("Illegal Argument to -P, use -Pn, -PE, -PS, -PA, -PP, -PM, -PU, -PY, -PR, or -PO"); fatal("Illegal Argument to -P, use -Pn, -PE, -PS, -PA, -PP, -PM, -PU, -PY, or -PO");
} }
break; break;
case 'p': case 'p':

2
nmap.h
View File

@@ -292,7 +292,7 @@
/* # define PINGTYPE_RAWTCP 128 used to be here, but was never used. */ /* # define PINGTYPE_RAWTCP 128 used to be here, but was never used. */
#define PINGTYPE_CONNECTTCP 256 #define PINGTYPE_CONNECTTCP 256
#define PINGTYPE_UDP 512 #define PINGTYPE_UDP 512
#define PINGTYPE_ARP 1024 /* #define PINGTYPE_ARP 1024 // Not used; see o.implicitARPPing */
#define PINGTYPE_PROTO 2048 #define PINGTYPE_PROTO 2048
#define PINGTYPE_SCTP_INIT 4096 #define PINGTYPE_SCTP_INIT 4096

4
targets.cc
View File

@@ -591,7 +591,7 @@ static void refresh_hostbatch(HostGroupState *hs, const addrset *exclude_group,
hs->hostbatch[0]->af() == AF_INET && hs->hostbatch[0]->af() == AF_INET &&
hs->hostbatch[0]->directlyConnected() && hs->hostbatch[0]->directlyConnected() &&
o.sendpref != PACKET_SEND_IP_STRONG && o.sendpref != PACKET_SEND_IP_STRONG &&
(pingtype == PINGTYPE_ARP || o.implicitARPPing)) { o.implicitARPPing) {
arpping(hs->hostbatch, hs->current_batch_sz); arpping(hs->hostbatch, hs->current_batch_sz);
arpping_done = true; arpping_done = true;
} }
@@ -602,7 +602,7 @@ static void refresh_hostbatch(HostGroupState *hs, const addrset *exclude_group,
hs->hostbatch[0]->af() == AF_INET6 && hs->hostbatch[0]->af() == AF_INET6 &&
hs->hostbatch[0]->directlyConnected() && hs->hostbatch[0]->directlyConnected() &&
o.sendpref != PACKET_SEND_IP_STRONG && o.sendpref != PACKET_SEND_IP_STRONG &&
(pingtype == PINGTYPE_ARP || o.implicitARPPing)) { o.implicitARPPing) {
arpping(hs->hostbatch, hs->current_batch_sz); arpping(hs->hostbatch, hs->current_batch_sz);
arpping_done = true; arpping_done = true;
} }