diff --git a/CHANGELOG b/CHANGELOG index cf5d7f320..9758c2527 100644 --- a/CHANGELOG +++ b/CHANGELOG @@ -1,5 +1,14 @@ # Nmap Changelog ($Id$) +o Added --max_retries option for capping the maximum number of + retransmissions the port scan engine will do. The value may be as low + as 0 (no retransmits). A low value can increase spead, though at the + risk of losing accuracy. The -T4 option now allows up to 6 retries, + and -T5 allows 2. Thanks to Martin Macok + (martin.macok(a)underground.cz) for writing the initial patch, which I + changed quite a bit. I also updated the docs to reflect this neat + new option. + o Improved the NmapFE port to GTK2 so it better-conforms to the new API and you don't get as many annoying messages in your terminal window. Thanks to Priit Laes (amd(a)store20.com) for writing these diff --git a/Makefile.in b/Makefile.in index d10afda71..6ec1dab02 100644 --- a/Makefile.in +++ b/Makefile.in @@ -1,4 +1,4 @@ -export NMAP_VERSION = 3.95 +export NMAP_VERSION = 3.96ALPHA1 NMAP_NAME= Nmap NMAP_URL= http://www.insecure.org/nmap/ NMAP_PLATFORM=@host@ diff --git a/NmapOps.cc b/NmapOps.cc index 2400da4b9..83a99fe01 100644 --- a/NmapOps.cc +++ b/NmapOps.cc @@ -208,6 +208,7 @@ void NmapOps::Initialize() { max_rtt_timeout = MAX_RTT_TIMEOUT; min_rtt_timeout = MIN_RTT_TIMEOUT; initial_rtt_timeout = INITIAL_RTT_TIMEOUT; + max_retransmissions = MAX_RETRANSMISSIONS; min_host_group_sz = 1; max_host_group_sz = 100000; // don't want to be restrictive unless user sets max_tcp_scan_delay = MAX_TCP_SCAN_DELAY; 
@@ -453,6 +454,14 @@ void NmapOps::setInitialRttTimeout(int rtt) if (rtt < min_rtt_timeout) min_rtt_timeout = rtt; } +void NmapOps::setMaxRetransmissions(int max_retransmit) +{ + if (max_retransmit < 0) + fatal("NmapOps::setMaxRetransmissions(): must be positive"); + max_retransmissions = max_retransmit; +} + + void NmapOps::setMinHostGroupSz(unsigned int sz) { if (sz > max_host_group_sz) fatal("Minimum host group size may not be set to greater than maximum size (currently %d)\n", max_host_group_sz); diff --git a/NmapOps.h b/NmapOps.h index 20ecb108c..01f65fe9d 100644 --- a/NmapOps.h +++ b/NmapOps.h @@ -199,6 +199,8 @@ class NmapOps { void setMaxRttTimeout(int rtt); void setMinRttTimeout(int rtt); void setInitialRttTimeout(int rtt); + void setMaxRetransmissions(int max_retransmit); + int getMaxRetransmissions() { return max_retransmissions; } /* Similar functions for Host group size */ int minHostGroupSz() { return min_host_group_sz; } @@ -284,6 +286,7 @@ class NmapOps { int max_rtt_timeout; int min_rtt_timeout; int initial_rtt_timeout; + int max_retransmissions; unsigned int max_tcp_scan_delay; unsigned int max_udp_scan_delay; unsigned int min_host_group_sz; diff --git a/docs/nmap.1 b/docs/nmap.1 index faadda057..c7d7a8392 100644 --- a/docs/nmap.1 +++ b/docs/nmap.1 @@ -2,7 +2,7 @@ .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). .\" Instead of manually editing it, you probably should edit the DocBook XML .\" source for it and then use the DocBook XSL Stylesheets to regenerate it. -.TH "NMAP" "1" "12/11/2005" "" "Nmap Reference Guide" +.TH "NMAP" "1" "12/19/2005" "" "Nmap Reference Guide" .\" disable hyphenation .nh .\" disable justification (adjust text to left margin only) 
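Review bot: The guard in setMaxRetransmissions rejects only negative values, but the fatal() text says `must be positive`, which contradicts the documented `--max_retries 0` and will mislead anyone who hits it; make the message match the check, e.g. `fatal("NmapOps::setMaxRetransmissions(): value may not be negative");`. The same wording mismatch is in the nmap.cc option-parsing hunk at @@ -418. A one-line comment above the setter stating that 0 is legal and means no retransmissions would also help, since the accessor added in NmapOps.h carries no documentation.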
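Review bot: getMaxRetransmissions() in the NmapOps.h hunk at @@ -199 only reads a member and never modifies the object, so it should be `int getMaxRetransmissions() const { return max_retransmissions; }`; the neighbouring inline accessors such as minHostGroupSz() are also non-const, so this is not a regression, but the new line is the place to start. In the second hunk, a short comment on `int max_retransmissions;` noting that 0 is a valid value (no retransmissions) would make the field self-describing.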
@@ -39,11 +39,11 @@ when it cannot determine which of the two states describe a port. The port table In addition to the interesting ports table, Nmap can provide further information on targets, including reverse DNS names, operating system guesses, device types, and MAC addresses. .PP A typical Nmap scan is shown in -Example\ 15.1, \(lqA representative Nmap scan\(rq. The only Nmap arguments used in this example are +Example\ 14.1, \(lqA representative Nmap scan\(rq. The only Nmap arguments used in this example are \fB\-A\fR, to enable OS and version detection, \fB\-T4\fR for faster execution, and then the two target hostnames. -Example\ 15.1.\ A representative Nmap scan.sp +Example\ 14.1.\ A representative Nmap scan.sp .nf # nmap \-A \-T4 scanme.nmap.org playground 
@@ -735,7 +735,7 @@ One of my highest Nmap development priorities has always been performance. A def
 .PP
 Techniques for improving scan times include omitting non\-critical tests, and upgrading to the latest version of Nmap (performance enhancements are made frequently). Optimizing timing parameters can also make a substantial difference. Those options are listed below.
 .TP
-\fB\-\-min_hostgroup \fR; \fB\-\-max_hostgroup \fR (Adjust parallel scan group sizes)
+\fB\-\-min_hostgroup \fR; \fB\-\-max_hostgroup \fR (Adjust parallel scan group sizes)
 Nmap has the ability to port scan or version scan multiple hosts in parallel. Nmap does this by dividing the target IP space into groups and then scanning one group at a time. In general, larger groups are more efficient. The downside is that host results can't be provided until the whole group is finished. So if Nmap started out with a group size of 50, the user would not receive any reports (except for the updates offered in verbose mode) until the first 50 hosts are completed.
 .sp
 By default, Nmap takes a compromise approach to this conflict. It starts out with a group size as low as five so the first results come quickly and then increases the groupsize to as high as 1024. The exact default numbers depend on the options given. For efficiency reasons, Nmap uses larger group sizes for UDP or few\-port TCP scans.
@@ -779,6 +779,19 @@ and triple or quadruple it for the
 \fB\-\-min_rtt_timeout\fR
 is a rarely used option that could be useful when a network is so unreliable that even Nmap's default is too aggressive. Since Nmap only reduces the timeout down to the minimum when the network seems to be reliable, this need is unusual and should be reported as a bug to the nmap\-dev mailing list.
 .TP
+\fB\-\-max_retries \fR (Specify the maximum number of port scan probe retransmissions)
+When Nmap receives no response to a port scan probe, it could mean the port is filtered. Or maybe the probe or response was simply lost on the network. It is also possible that the target host has rate limiting enabled that temporarily blocked the response. So Nmap tries again by retransmitting the initial probe. If Nmap detects poor network reliability, it may try many more times before giving up on a port. While this benefits accuracy, it also lengthen scan times. When performance is critical, scans may be sped up by limiting the number of retransmissions allowed. You can even specify
+\fB\-\-max_retries 0\fR
+to prevent any retransmissions, though that is rarely recommended.
+.sp
+The default (with no
+\fB\-T\fR
+template) is to allow ten retransmissions. If a network seems reliable and the target hosts aren't rate limiting, Nmap usually only does one retransmission. So most target scans aren't even affected by dropping
+\fB\-\-max_retries\fR
+to a low value such as three. Such values can substantially speed scans of slow (rate limited) hosts. You usually lose some information when Nmap gives up on ports early, though that may be preferable to letting the
+\fB\-\-host_timeout\fR
+expire and losing all information about the target.
+.TP
 \fB\-\-host_timeout \fR (Give up on slow target hosts)
 Some hosts simply take a
 \fIlong\fR
@@ -840,11 +853,11 @@ are similar but they only wait 15 seconds and 0.4 seconds, respectively, between
 is Nmap's default behavior, which includes parallelization.
 \fBT4\fR
 does the equivalent of
-\fB\-\-max_rtt_timeout 1250 \-\-initial_rtt_timeout 500\fR
+\fB\-\-max_rtt_timeout 1250 \-\-initial_rtt_timeout 500 \-\-max_retries 6\fR
 and sets the maximum TCP scan delay to 10 milliseconds.
 \fBT5\fR
 does the equivalent of
-\fB\-\-max_rtt_timeout 300 \-\-min_rtt_timeout 50 \-\-initial_rtt_timeout 250 \-\-host_timeout 900000\fR
+\fB\-\-max_rtt_timeout 300 \-\-min_rtt_timeout 50 \-\-initial_rtt_timeout 250 \-\-max_retries 2 \-\-host_timeout 900000\fR
 as well as setting the maximum TCP scan delay to 5ms.
 .SH "FIREWALL/IDS EVASION AND SPOOFING"
 .PP
@@ -1283,7 +1296,7 @@ Fyodor
 Hundreds of people have made valuable contributions to Nmap over the years. These are detailed in the
 \fICHANGELOG\fR
 file which is distributed with Nmap and also available from
-\fI\%http://www.insecure.org/nmap/nmap_changelog.html\fR.
+\fI\%http://www.insecure.org/nmap/changelog.html\fR.
 .SH "LEGAL NOTICES"
 .SS "Nmap Copyright and Licensing"
 .PP
diff --git a/docs/nmap.usage.txt b/docs/nmap.usage.txt
index 915622cf3..c83b30618 100644
--- a/docs/nmap.usage.txt
+++ b/docs/nmap.usage.txt
@@ -1,4 +1,4 @@
-Nmap 3.95 ( http://www.insecure.org/nmap/ )
+Nmap 3.96ALPHA1 ( http://www.insecure.org/nmap/ )
 Usage: nmap [Scan Type(s)] [Options] {target specification}
 TARGET SPECIFICATION:
 Can pass hostnames, IP addresses, networks, etc.
@@ -37,10 +37,11 @@ OS DETECTION: --osscan_guess: Guess OS more aggressively TIMING AND PERFORMANCE: -T[0-5]: Set timing template (higher is faster) - --min_hostgroup/max_hostgroup : Parallel host scan group sizes + --min_hostgroup/max_hostgroup : Parallel host scan group sizes --min_parallelism/max_parallelism : Probe parallelization --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout : Specifies probe round trip time. + --max_retries : Caps number of port scan probe retransmissions. --host_timeout : Give up on target after this long --scan_delay/--max_scan_delay : Adjust delay between probes FIREWALL/IDS EVASION AND SPOOFING: diff --git a/nmap-service-probes b/nmap-service-probes index 211f88547..5fabbd4be 100644 --- a/nmap-service-probes +++ b/nmap-service-probes @@ -1319,6 +1319,8 @@ match smtp-proxy m|^554 ([\d.]+) ([\w-_.]+) No mail service\r\n| p/Symantec SGS match smtp-proxy m|^220 ([\w-_.]+) ESMTP Scalix SMTP Relay ([\d.]+); .*\r\n| p/Scalix smtp relay/ v/$2/ h/$1/ match smtp-proxy m|^220 Traffic Inspector SMTP Gate \(SPAM protected\), ver\. ([\d.]+), ready at.*\r\n| p/Smart-Soft spam filtering smtp-proxy/ v/$1/ o/Windows/ +match fw1-topology m|^Q\0\0\0$| p/Checkpoint FW1 Topology/ d/firewall/ + softmatch smtp m|^220[\s-].*?E?SMTP[^\r]*\r\n| @@ -1783,6 +1785,7 @@ match honeypot m|^Microsoft Windows XP \[Version [\d.]+\]\n\(C\) Copyright 1985- match tunnelvision m|^HELLO Welcome to Tunnel Vision \(([\d.]+)\)\n| p/Tunnel Vision VPN info/ v/$1/ +match domain m|^\x80\xf0\x80\x12\0\x01\0\0\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0!\0\x01| p/Microsoft DNS/ o/Windows/ ##############################NEXT PROBE############################## Probe TCP GenericLines q|\r\n\r\n| rarity 1 
@@ -3635,8 +3638,6 @@ match nameserver m|^help\r\n\r\n\0\0\0\0\x20CKAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\0\0 match nameserver m|^\x03\x03\x02$| p/Solaris Internet Name Server/ i/IEN 116/ o/Solaris/ match nameserver m|^\0\x06\x01\0\0\x01\0\0\x03\x03\x02$| p/Solaris Internet Name Server/ i/IEN 116/ o/Solaris/ -match http m|^HTTP/1\.0 \d{3} .*\r\nServer: CompaqHTTPServer/([.\w\d]+)\r\n|s p/Compaq Insight Manager HTTP server/ v/$1/ - ##############################NEXT PROBE############################## Probe TCP Help q|HELP\r\n| rarity 3 diff --git a/nmap.cc b/nmap.cc index 450cf1b6e..421e991fe 100644 --- a/nmap.cc +++ b/nmap.cc @@ -264,6 +264,7 @@ int nmap_main(int argc, char *argv[]) { {"host_timeout", required_argument, 0, 0}, {"scan_delay", required_argument, 0, 0}, {"max_scan_delay", required_argument, 0, 0}, + {"max_retries", required_argument, 0, 0}, {"oA", required_argument, 0, 0}, {"oN", required_argument, 0, 0}, {"oM", required_argument, 0, 0}, @@ -418,6 +419,11 @@ int nmap_main(int argc, char *argv[]) { } o.setMaxTCPScanDelay(scand); o.setMaxUDPScanDelay(scand); + } else if (strcmp(long_options[option_index].name, "max_retries") == 0) { + int num_retrans = atoi(optarg); + if (num_retrans < 0) + fatal("max_retransmissions must be positive"); + o.setMaxRetransmissions(num_retrans); } else if (strcmp(long_options[option_index].name, "randomize_hosts") == 0 || strcmp(long_options[option_index].name, "rH") == 0) { o.randomize_hosts = 1; @@ -748,6 +754,7 @@ int nmap_main(int argc, char *argv[]) { o.setMaxRttTimeout(1250); o.setInitialRttTimeout(500); o.setMaxTCPScanDelay(10); + o.setMaxRetransmissions(6); } else if (*optarg == '5' || (strcasecmp(optarg, "Insane") == 0)) { o.timing_level = 5; o.setMinRttTimeout(50); 
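Review bot: In the nmap.cc hunk at @@ -418, `atoi(optarg)` turns a non-numeric argument such as `--max_retries abc` into 0, so a typo silently disables all retransmissions and the `< 0` check cannot catch it; parse with strtol and require a complete non-negative integer, e.g. `char *end; long num_retrans = strtol(optarg, &end, 10);` followed by `if (*optarg == '\0' || *end != '\0' || num_retrans < 0 || num_retrans > INT_MAX) fatal("--max_retries must be a non-negative integer");` (INT_MAX needs <limits.h> if nmap.cc does not already include it). The current fatal() text also names the internal `max_retransmissions` rather than the user-facing option, and `must be positive` contradicts the documented meaning of 0. The range check repeats the one inside NmapOps::setMaxRetransmissions(), which is harmless but deserves a one-line comment so the next reader does not remove one of them. nmap_main() starts and ends outside this hunk.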
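Review bot: `o.setMaxRetransmissions(6)` in the -T4 branch of the hunk at @@ -748, and the matching `o.setMaxRetransmissions(2)` for -T5 in the following hunk, overwrite an explicit `--max_retries` that appeared earlier on the command line, since the getopt loop presumably applies options in argv order; the man page entry says -T4 "allows up to 6 retries" without saying that a later -T wins. This mirrors how the neighbouring setMaxRttTimeout()/setInitialRttTimeout() calls already behave, so it is probably intended, but a comment at the head of the -T handling such as `/* Timing templates override any timing options given before them on the command line. */`, and the same sentence in the --max_retries man page entry, would prevent surprise. nmap_main() starts and ends outside this hunk.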
@@ -755,6 +762,7 @@ int nmap_main(int argc, char *argv[]) {
 o.setInitialRttTimeout(250);
 o.host_timeout = 900000;
 o.setMaxTCPScanDelay(5);
+ o.setMaxRetransmissions(2);
 } else {
 fatal("Unknown timing mode (-T argment). Use either \"Paranoid\", \"Sneaky\", \"Polite\", \"Normal\", \"Aggressive\", \"Insane\" or a number from 0 (Paranoid) to 5 (Insane)");
 }
@@ -1611,10 +1619,11 @@ printf("%s %s ( %s )\n"
 " --osscan_guess: Guess OS more aggressively\n"
 "TIMING AND PERFORMANCE:\n"
 " -T[0-5]: Set timing template (higher is faster)\n"
- " --min_hostgroup/max_hostgroup : Parallel host scan group sizes\n"
+ " --min_hostgroup/max_hostgroup : Parallel host scan group sizes\n"
 " --min_parallelism/max_parallelism : Probe parallelization\n"
 " --min_rtt_timeout/max_rtt_timeout/initial_rtt_timeout : Specifies\n"
 " probe round trip time.\n"
+ " --max_retries : Caps number of port scan probe retransmissions.\n"
 " --host_timeout : Give up on target after this long\n"
 " --scan_delay/--max_scan_delay : Adjust delay between probes\n"
 "FIREWALL/IDS EVASION AND SPOOFING:\n"
diff --git a/nmap.h b/nmap.h
index f8710b421..8d3043cdc 100644
--- a/nmap.h
+++ b/nmap.h
@@ -335,6 +335,10 @@ void *realloc(); #define INITIAL_RTT_TIMEOUT 1000 /* Allow 1 second initially for packet responses */ #define HOST_TIMEOUT 0 /* By default allow unlimited time to scan each host */ +#ifndef MAX_RETRANSMISSIONS +#define MAX_RETRANSMISSIONS 10 /* 11 probes to port at maximum */ +#endif + /* If nmap is called with one of the names below, it will start up in interactive mode -- alternatively, you can rename Nmap any of the following names to have it start up interactivey by default. */ #define INTERACTIVE_NAMES { "BitchX", "Calendar", "X", "awk", "bash", "bash2", "calendar", "cat", "csh", "elm", "emacs", "ftp", "fvwm", "g++", "gcc", "gimp", "httpd", "irc", "man", "mutt", "nc", "ncftp", "netscape", "perl", "pine", "ping", "sleep", "slirp", "ssh", "sshd", "startx", "tcsh", "telnet", "telnetd", "tia", "top", "vi", "vim", "xdvi", "xemacs", "xterm", "xv" } diff --git a/scan_engine.cc b/scan_engine.cc index d1f3860c4..62e0270bd 100644 --- a/scan_engine.cc +++ b/scan_engine.cc @@ -1139,7 +1139,7 @@ static void init_perf_values(struct ultra_scan_performance_vars *perf) { perf->group_drop_cwnd_divisor = 2.0; perf->group_drop_ccthresh_divisor = (o.timing_level < 4)? 2.0 : 1.5; perf->host_drop_ccthresh_divisor = (o.timing_level < 4)? 2.0 : 1.5; - perf->tryno_cap = 12; + perf->tryno_cap = o.getMaxRetransmissions(); } /* Order of initializations in this function CAN BE IMPORTANT, so be careful @@ -3283,7 +3283,7 @@ void processData(UltraScanInfo *USI) { if (tryno_capped && lastRetryCappedWarning != USI) { /* Perhaps I should give this on a per-host basis. Oh well, hopefully it is rare anyway. */ - printf("Warning: Giving up on some ports due to excessive retransmissions\n"); + printf("Warning: Finishing early because retransmission cap hit.\n"); lastRetryCappedWarning = USI; } continue;
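Review bot: Replacing the hard-coded `12` with `o.getMaxRetransmissions()` in init_perf_values (scan_engine.cc hunk at @@ -1139) also lowers the cap for every scan without a -T template to MAX_RETRANSMISSIONS, i.e. 10, which the CHANGELOG entry does not mention; either record the default change there or keep the previous value. Whether tryno_cap counts retransmissions (so 10 means 11 probes, as the nmap.h comment states) or total tries depends on the comparison code outside this hunk; a comment on the assignment such as `/* cap on tryno: MAX_RETRANSMISSIONS retransmissions after the first probe; 0 disables retransmission */` would pin the intended semantics so an off-by-one at `--max_retries 0` is easy to check. init_perf_values continues outside the hunk.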
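Review bot: The new warning text `Finishing early because retransmission cap hit.` in the hunk at @@ -3283 no longer says what was given up on, and now that the cap is user-configurable it should name the control and the value in effect: `printf("Warning: Giving up on some ports because the retransmission cap (%d) was hit; see --max_retries.\n", o.getMaxRetransmissions());` (getMaxRetransmissions() is added to NmapOps in this commit and `o` is already used in this file). With -T4 and -T5 now lowering the cap to 6 and 2, this message will appear much more often, so telling the user how to raise it matters when ports are reported without a definitive answer. The enclosing processData loop starts and ends outside the hunk.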