
getting closer to 4.20ALPHA9

This commit is contained in:
fyodor
2006-10-14 01:25:43 +00:00
parent 25bbd2983d
commit e4ee4d5e4c
13 changed files with 93 additions and 64 deletions


@@ -1,4 +1,9 @@
# Nmap Changelog ($Id$); -*-text-*- # Nmap Changelog ($Id$); -*-text-*-
4.20ALPHA9
o Added --open option, which causes Nmap to show only open ports.
Ports in the states "open|closed" and "unfiltered" might be open, so
those are shown unless the host has an overwhelming number of them.
o Nmap gen2 OS detection used to always do 2 retries if it fails to o Nmap gen2 OS detection used to always do 2 retries if it fails to
find a match. Now it normally does just 1 retry, but does 4 retries find a match. Now it normally does just 1 retry, but does 4 retries
@@ -6,6 +11,10 @@ o Nmap gen2 OS detection used to always do 2 retries if it fails to
new --max-os-tries option lets you specify a or higher maximum new --max-os-tries option lets you specify a or higher maximum
number of tries. number of tries.
o Fixed a confusing error message which occured when you specified a
ping scan or list scan, but also specified -p (which is only used for
port scans). Thanks to Thomas Buchanan for the patch.
4.20ALPHA8 4.20ALPHA8
o Integrated the newly submitted OS fingerprints. The DB now contains o Integrated the newly submitted OS fingerprints. The DB now contains


@@ -1,6 +1,6 @@
export NMAP_VERSION = 4.20ALPHA8 export NMAP_VERSION = 4.20ALPHA9
NMAP_NAME= Nmap NMAP_NAME= Nmap
NMAP_URL= http://Insecure.Org NMAP_URL= http://insecure.org
NMAP_PLATFORM=@host@ NMAP_PLATFORM=@host@
prefix = @prefix@ prefix = @prefix@
exec_prefix = @exec_prefix@ exec_prefix = @exec_prefix@


@@ -215,6 +215,7 @@ void NmapOps::Initialize() {
extra_payload_length = 0; extra_payload_length = 0;
extra_payload = NULL; extra_payload = NULL;
scan_delay = 0; scan_delay = 0;
open_only = false;
scanflags = -1; scanflags = -1;
defeat_rst_ratelimit = 0; defeat_rst_ratelimit = 0;
resume_ip.s_addr = 0; resume_ip.s_addr = 0;


@@ -167,6 +167,8 @@ class NmapOps {
// setPacketTrace(false) has been called // setPacketTrace(false) has been called
void setPacketTrace(bool pt) { pTrace = pt; } void setPacketTrace(bool pt) { pTrace = pt; }
void setVersionTrace(bool vt) { vTrace = vt; } void setVersionTrace(bool vt) { vTrace = vt; }
bool openOnly() { return open_only; }
void setOpenOnly(bool oo) { open_only = oo; }
int verbose; int verbose;
int randomize_hosts; int randomize_hosts;
int spoofsource; /* -S used */ int spoofsource; /* -S used */
@@ -242,6 +244,7 @@ class NmapOps {
unsigned long host_timeout; unsigned long host_timeout;
/* Delay between probes, in milliseconds */ /* Delay between probes, in milliseconds */
unsigned int scan_delay; unsigned int scan_delay;
bool open_only;
int scanflags; /* if not -1, this value should dictate the TCP flags int scanflags; /* if not -1, this value should dictate the TCP flags
for the core portscaning routine (eg to change a for the core portscaning routine (eg to change a
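Review bot: The new accessor `bool openOnly() { return open_only; }` is not const-qualified even though it only reads a member, so it cannot be called through a `const NmapOps&`; write `bool openOnly() const { return open_only; }`. The member `bool open_only;` added in the second hunk carries no initializer and relies on `Initialize()` (which this commit does update) to set it to false, which follows the class's existing convention but deserves a short comment, e.g. `bool open_only; /* --open: show only open (or possibly open) ports; set in Initialize() */`. The class body continues outside both hunks.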


@@ -2,7 +2,7 @@
.\" It was generated using the DocBook XSL Stylesheets (version 1.69.1). .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
.\" Instead of manually editing it, you probably should edit the DocBook XML .\" Instead of manually editing it, you probably should edit the DocBook XML
.\" source for it and then use the DocBook XSL Stylesheets to regenerate it. .\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
.TH "NMAP" "1" "09/30/2006" "" "Nmap Reference Guide" .TH "NMAP" "1" "10/01/2006" "" "Nmap Reference Guide"
.\" disable hyphenation .\" disable hyphenation
.nh .nh
.\" disable justification (adjust text to left margin only) .\" disable justification (adjust text to left margin only)
@@ -91,7 +91,7 @@ This options summary is printed when Nmap is run with no arguments, and the late
\fI\%http://insecure.org/nmap/data/nmap.usage.txt\fR. It helps people remember the most common options, but is no substitute for the in\-depth documentation in the rest of this manual. Some obscure options aren't even included here. \fI\%http://insecure.org/nmap/data/nmap.usage.txt\fR. It helps people remember the most common options, but is no substitute for the in\-depth documentation in the rest of this manual. Some obscure options aren't even included here.
.PP .PP
.nf .nf
Nmap 4.20ALPHA6 ( http://Insecure.Org ) Nmap 4.20ALPHA8 ( http://Insecure.Org )
Usage: nmap [Scan Type(s)] [Options] {target specification} Usage: nmap [Scan Type(s)] [Options] {target specification}
TARGET SPECIFICATION: TARGET SPECIFICATION:
Can pass hostnames, IP addresses, networks, etc. Can pass hostnames, IP addresses, networks, etc.
@@ -775,6 +775,11 @@ or
.TP .TP
\fB\-\-osscan\-guess\fR; \fB\-\-fuzzy\fR (Guess OS detection results) \fB\-\-osscan\-guess\fR; \fB\-\-fuzzy\fR (Guess OS detection results)
When Nmap is unable to detect a perfect OS match, it sometimes offers up near\-matches as possibilities. The match has to be very close for Nmap to do this by default. Either of these (equivalent) options make Nmap guess more aggressively. Nmap will still tell you when an imperfect match is printed and display its confidence level (percentage) for each guess. When Nmap is unable to detect a perfect OS match, it sometimes offers up near\-matches as possibilities. The match has to be very close for Nmap to do this by default. Either of these (equivalent) options make Nmap guess more aggressively. Nmap will still tell you when an imperfect match is printed and display its confidence level (percentage) for each guess.
.TP
\fB\-\-max\-os\-tries\fR (Set the maximum number of OS detection tries against a target)
When Nmap performs OS detection against a target and fails to find a perfect match, it usually repeats the attempt. By default, Nmap tries five times if conditions are favorable for OS fingerprint submission, and twice when conditions aren't so good. Specifying a lower
\fB\-\-max\-os\-tries\fR
value (such as 1) speeds Nmap up, though you miss out on retries which could potentially identify the OS. Alternatively, a high value may be set to allow even more retries when conditions are favorable. This is rarely done, except to generate better fingerprints for submission and integration into the Nmap OS database. This option only affects second generation OS detection (\fB\-O2\fR, the default) and not the old system (\fB\-O1\fR).
.SH "TIMING AND PERFORMANCE" .SH "TIMING AND PERFORMANCE"
.PP .PP
One of my highest Nmap development priorities has always been performance. A default scan (\fBnmap \fR\fB\fIhostname\fR\fR) of a host on my local network takes a fifth of a second. That is barely enough time to blink, but adds up when you are scanning tens or hundreds of thousands of hosts. Moreover, certain scan options such as UDP scanning and version detection can increase scan times substantially. So can certain firewall configurations, particularly response rate limiting. While Nmap utilizes parallelism and many advanced algorithms to accelerate these scans, the user has ultimate control over how Nmap runs. Expert users carefully craft Nmap commands to obtain only the information they care about while meeting their time constraints. One of my highest Nmap development priorities has always been performance. A default scan (\fBnmap \fR\fB\fIhostname\fR\fR) of a host on my local network takes a fifth of a second. That is barely enough time to blink, but adds up when you are scanning tens or hundreds of thousands of hosts. Moreover, certain scan options such as UDP scanning and version detection can increase scan times substantially. So can certain firewall configurations, particularly response rate limiting. While Nmap utilizes parallelism and many advanced algorithms to accelerate these scans, the user has ultimate control over how Nmap runs. Expert users carefully craft Nmap commands to obtain only the information they care about while meeting their time constraints.


@@ -83,7 +83,7 @@ IE(DFI=S%T=FF%TG=FF%TOSI=S%CD=S%SI=S%DLI=S)
# Apple eMac G4 1.25GHz, Mac OS X 10.4.7 (uname -a: Darwin 8.7.8 Darwin Kernel Version 8.7.8: Fri May 26 15:20:53 PDT 2006; root:xnu-792.6.76.obj~1/RELEASE_PPC Power Maciontosh powerpc) # Apple eMac G4 1.25GHz, Mac OS X 10.4.7 (uname -a: Darwin 8.7.8 Darwin Kernel Version 8.7.8: Fri May 26 15:20:53 PDT 2006; root:xnu-792.6.76.obj~1/RELEASE_PPC Power Maciontosh powerpc)
Fingerprint Applie Mac OS X 10.4.7 Fingerprint Applie Mac OS X 10.4.7
Class Apple | Mac OS X | 10.4.X | general purpose Class Apple | Mac OS X | 10.4.X | general purpose
SEQ(SP=F4-F6%GCD=<7%ISR=108-10A%TI=I|RD%II=I%SS=S%TS=1) SEQ(SP=AC-108%GCD=<7%ISR=EA-110%TI=I|RD%II=I%SS=S%TS=0|1|2)
OPS(O1=|M5B4NW0NNT11%O2=|M5B4NW0NNT11%O3=|M5B4NW0NNT11%O4=|M5B4NW0NNT11%O5=|M5B4NW0NNT11%O6=|M5B4NNT11) OPS(O1=|M5B4NW0NNT11%O2=|M5B4NW0NNT11%O3=|M5B4NW0NNT11%O4=|M5B4NW0NNT11%O5=|M5B4NW0NNT11%O6=|M5B4NNT11)
WIN(W1=0|FFFF%W2=0|FFFF%W3=0|FFFF%W4=0|FFFF%W5=0|FFFF%W6=0|FFFF) WIN(W1=0|FFFF%W2=0|FFFF%W3=0|FFFF%W4=0|FFFF%W5=0|FFFF%W6=0|FFFF)
ECN(R=Y%DF=N|Y%T=40%TG=40%W=0|FFFF%O=|M5B4NW0%CC=N%Q=) ECN(R=Y%DF=N|Y%T=40%TG=40%W=0|FFFF%O=|M5B4NW0%CC=N%Q=)
@@ -286,45 +286,6 @@ T7(R=Y%DF=N%T=FF%TG=FF%W=0%S=A%A=S%F=AR%O=%RD=0%Q=)
U1(R=N) U1(R=N)
IE(DFI=S%T=FF%TG=FF%TOSI=S%CD=S%SI=S%DLI=S) IE(DFI=S%T=FF%TG=FF%TOSI=S%CD=S%SI=S%DLI=S)
# Linux 2.4.20 #1473 Tue Nov 1 09:32:46 CET 2005 mips unknown, Sveasoft Firmware Version: Talisman/Basic 1.11-devsnap20051101, Linksys WRT54GS router
Fingerprint Linksys WRT54GS WAP (Linux 2.4.20 kernel) running Sveasoft Firmware
Class Linksys | Linux | 2.4.X | WAP
SEQ(SP=CA-CC%GCD=<7%ISR=CD-CF%TI=Z%II=I%TS=7)
OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%T=40%TG=40%W=16D0%O=M5B4NNSNW0%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=40%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=)
T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=40%TG=40%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=N%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S)
# Firmware Version 4.30.7, Linux 2.4.20 I believe - Linksys WRT54GL WAP (Linux kernel)
# Linux (slackware) 2.4.31 #6 Sun Jun 5 19:04:47 PDT 2005 i586 unknown
# Linux (slackware) 2.4.31 #6 Sun Jun 5 19:04:47 PDT 2005 i586 k6-2 i386 GNU/Linux
# Linux 2.4.27-2-386 #1 i686 GNU/Linux
# Linux 2.4.20-pre10-ac1 #1 SMP i686 Pentium II (Deschutes) GNU/Linux
Fingerprint Linux 2.4.20 - 2.4.31 or Linksys WRT54GL WAP (runs Linux)
Class Linux | Linux | 2.4.X | general purpose
Class Linksys | Linux | 2.4.X | WAP
SEQ(SP=BD-CF%GCD=<5%ISR=C4-D4%TI=Z%II=I%TS=7)
OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%T=40%TG=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=)
T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=40%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=)
T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=40%TG=40%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=N%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S)
# D-Link DI-824VUP Wireless VPN Router Firmware Version: v1.05, Mon, Apr 25 2005 # D-Link DI-824VUP Wireless VPN Router Firmware Version: v1.05, Mon, Apr 25 2005
Fingerprint D-Link DI-824VUP Wireless VPN Router Fingerprint D-Link DI-824VUP Wireless VPN Router
Class D-Link | embedded || WAP Class D-Link | embedded || WAP
@@ -426,6 +387,23 @@ T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=40%TG=40%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G) U1(DF=N%T=40%TG=40%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=N%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S) IE(DFI=N%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S)
# Linux 2.4.20 #1473 Tue Nov 1 09:32:46 CET 2005 mips unknown, Sveasoft Firmware Version: Talisman/Basic 1.11-devsnap20051101, Linksys WRT54GS router
Fingerprint Linksys WRT54GS WAP (Linux 2.4.20 kernel) running Sveasoft Firmware
Class Linksys | Linux | 2.4.X | WAP
SEQ(SP=CA-CC%GCD=<7%ISR=CD-CF%TI=Z%II=I%TS=7)
OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%T=40%TG=40%W=16D0%O=M5B4NNSNW0%CC=Y%Q=)
T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=40%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=)
T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=40%TG=40%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=N%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S)
# Linksys WRT54GS Firmware Version: v3.37.1, Oct. 18, 2004 # Linksys WRT54GS Firmware Version: v3.37.1, Oct. 18, 2004
Fingerprint Linksys WRT54GS WAP (Linux kernel) Fingerprint Linksys WRT54GS WAP (Linux kernel)
Class Linksys | Linux | 2.4.X | WAP Class Linksys | Linux | 2.4.X | WAP
@@ -443,6 +421,28 @@ T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=40%TG=40%TOS=D0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G) U1(DF=N%T=40%TG=40%TOS=D0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=N%T=40%TG=40%TOSI=10%CD=S%SI=S%DLI=S) IE(DFI=N%T=40%TG=40%TOSI=10%CD=S%SI=S%DLI=S)
# Firmware Version 4.30.7, Linux 2.4.20 I believe - Linksys WRT54GL WAP (Linux kernel)
# Linux (slackware) 2.4.31 #6 Sun Jun 5 19:04:47 PDT 2005 i586 unknown
# Linux (slackware) 2.4.31 #6 Sun Jun 5 19:04:47 PDT 2005 i586 k6-2 i386 GNU/Linux
# Linux 2.4.27-2-386 #1 i686 GNU/Linux
# Linux 2.4.20-pre10-ac1 #1 SMP i686 Pentium II (Deschutes) GNU/Linux
Fingerprint Linux 2.4.20 - 2.4.31 or Linksys WRT54GL WAP (runs Linux)
Class Linux | Linux | 2.4.X | general purpose
Class Linksys | Linux | 2.4.X | WAP
SEQ(SP=BD-CF%GCD=<5%ISR=C4-D4%TI=Z%II=I%TS=7)
OPS(O1=M5B4ST11NW0%O2=M5B4ST11NW0%O3=M5B4NNT11NW0%O4=M5B4ST11NW0%O5=M5B4ST11NW0%O6=M5B4ST11)
WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
ECN(R=Y%DF=Y%T=40%TG=40%W=16D0%O=M5B4NNSNW0%CC=N%Q=)
T1(R=Y%DF=Y%T=40%TG=40%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=N)
T3(R=Y%DF=Y%T=40%TG=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW0%RD=0%Q=)
T4(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T5(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=Y%T=40%TG=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)
T7(R=Y%DF=Y%T=40%TG=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
U1(DF=N%T=40%TG=40%TOS=C0%IPL=164%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=N%T=40%TG=40%TOSI=S%CD=S%SI=S%DLI=S)
# Linux 2.4.29 i686 GNU/Linux (I am using Slackware 10.1 with the default kernel) # Linux 2.4.29 i686 GNU/Linux (I am using Slackware 10.1 with the default kernel)
Fingerprint Linux 2.4.29 (X86) (Slackware 10.1) Fingerprint Linux 2.4.29 (X86) (Slackware 10.1)
Class Linux | Linux | 2.4.X | general purpose Class Linux | Linux | 2.4.X | general purpose
@@ -812,15 +812,16 @@ U1(DF=N%T=80%TG=80%TOS=0%IPL=B0%UN=0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUL=G%RUD=G)
IE(DFI=S%T=80%TG=80%TOSI=Z%CD=Z%SI=S%DLI=S) IE(DFI=S%T=80%TG=80%TOSI=Z%CD=Z%SI=S%DLI=S)
# Microsoft Windows XP Professional (all patches up to date 9/29/06) Winver: Build 2600.xpsp_sp2_gdr.050301-1519 : Service Pack 2 # Microsoft Windows XP Professional (all patches up to date 9/29/06) Winver: Build 2600.xpsp_sp2_gdr.050301-1519 : Service Pack 2
# Microsoft Windows XP version 5.1 (build 2600.xpsp_sp2_gdr.050301-1519: Service Pack 2)
Fingerprint Microsoft Windows XP SP2 Fingerprint Microsoft Windows XP SP2
Class Microsoft | Windows | XP | general purpose Class Microsoft | Windows | XP | general purpose
SEQ(SP=DC-100%GCD=<7%ISR=100-110%TI=I%II=I%SS=S%TS=0) SEQ(SP=DA-100%GCD=<7%ISR=100-110%TI=I%II=I%SS=S%TS=0)
OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS) OPS(O1=M5B4NW0NNT00NNS%O2=M5B4NW0NNT00NNS%O3=M5B4NW0NNT00%O4=M5B4NW0NNT00NNS%O5=M5B4NW0NNT00NNS%O6=M5B4NNT00NNS)
WIN(W1=FC00%W2=FC00%W3=FC80%W4=FD58%W5=FD58%W6=FC94) WIN(W1=FAF0|FC00%W2=FB90|FC00%W3=FC80%W4=FB40|FD58%W5=FB40|FD58%W6=FB8B|FC94)
ECN(R=Y%DF=Y%T=80%TG=80%W=FC00%O=M5B4NW0NNS%CC=N%Q=) ECN(R=Y%DF=Y%T=80%TG=80%W=FAF0|FC00%O=M5B4NW0NNS%CC=N%Q=)
T1(R=Y%DF=Y%T=80%TG=80%S=O%A=S+%F=AS%RD=0%Q=) T1(R=Y%DF=Y%T=80%TG=80%S=O%A=S+%F=AS%RD=0%Q=)
T2(R=Y%DF=N%T=80%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=) T2(R=Y%DF=N%T=80%TG=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)
T3(R=Y%DF=Y%T=80%TG=80%W=FC94%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=) T3(R=Y%DF=Y%T=80%TG=80%W=FB8B|FC94%S=O%A=S+%F=AS%O=M5B4NW0NNT00NNS%RD=0%Q=)
T4(R=Y%DF=N%T=80%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T4(R=Y%DF=N%T=80%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)
T5(R=Y%DF=N%T=80%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=) T5(R=Y%DF=N%T=80%TG=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)
T6(R=Y%DF=N%T=80%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=) T6(R=Y%DF=N%T=80%TG=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)

12
nmap.cc

@@ -258,6 +258,7 @@ printf("%s %s ( %s )\n"
" -oA <basename>: Output in the three major formats at once\n" " -oA <basename>: Output in the three major formats at once\n"
" -v: Increase verbosity level (use twice for more effect)\n" " -v: Increase verbosity level (use twice for more effect)\n"
" -d[level]: Set or increase debugging level (Up to 9 is meaningful)\n" " -d[level]: Set or increase debugging level (Up to 9 is meaningful)\n"
" --open: Only show open (or possibly open) ports\n"
" --packet-trace: Show all packets sent and received\n" " --packet-trace: Show all packets sent and received\n"
" --iflist: Print host interfaces and routes (for debugging)\n" " --iflist: Print host interfaces and routes (for debugging)\n"
" --log-errors: Log errors/warnings to the normal-format output file\n" " --log-errors: Log errors/warnings to the normal-format output file\n"
@@ -505,6 +506,7 @@ int nmap_main(int argc, char *argv[]) {
{"max-hostgroup", required_argument, 0, 0}, {"max-hostgroup", required_argument, 0, 0},
{"min_hostgroup", required_argument, 0, 0}, {"min_hostgroup", required_argument, 0, 0},
{"min-hostgroup", required_argument, 0, 0}, {"min-hostgroup", required_argument, 0, 0},
{"open", no_argument, 0, 0},
{"scanflags", required_argument, 0, 0}, {"scanflags", required_argument, 0, 0},
{"defeat_rst_ratelimit", no_argument, 0, 0}, {"defeat_rst_ratelimit", no_argument, 0, 0},
{"defeat-rst-ratelimit", no_argument, 0, 0}, {"defeat-rst-ratelimit", no_argument, 0, 0},
@@ -638,6 +640,8 @@ int nmap_main(int argc, char *argv[]) {
o.setMinHostGroupSz(atoi(optarg)); o.setMinHostGroupSz(atoi(optarg));
if (atoi(optarg) > 100) if (atoi(optarg) > 100)
error("Warning: You specified a highly aggressive --min-hostgroup."); error("Warning: You specified a highly aggressive --min-hostgroup.");
} else if (optcmp(long_options[option_index].name, "open") == 0) {
o.setOpenOnly(true);
} else if (strcmp(long_options[option_index].name, "scanflags") == 0) { } else if (strcmp(long_options[option_index].name, "scanflags") == 0) {
o.scanflags = parse_scanflags(optarg); o.scanflags = parse_scanflags(optarg);
if (o.scanflags < 0) { if (o.scanflags < 0) {
@@ -1150,8 +1154,8 @@ int nmap_main(int argc, char *argv[]) {
} }
} }
if ((o.pingscan || o.listscan) && fastscan) { if ((o.pingscan || o.listscan) && (portlist || fastscan)) {
fatal("The fast scan (-F) is incompatible with ping scan"); fatal("You cannot use -F (fast scan) or -p (explicit port selection) with PING scan or LIST scan");
} }
if (portlist) { if (portlist) {
@@ -1170,10 +1174,6 @@ int nmap_main(int argc, char *argv[]) {
ports = getfastports(o.TCPScan(), o.UDPScan()); ports = getfastports(o.TCPScan(), o.UDPScan());
} }
if ((o.pingscan || o.listscan) && ports) {
fatal("You cannot use -F (fast scan) or -p (explicit port selection) with PING scan or LIST scan");
}
#ifdef WIN32 #ifdef WIN32
if (o.sendpref & PACKET_SEND_IP) { if (o.sendpref & PACKET_SEND_IP) {
error("WARNING: raw IP (rather than raw ethernet) packet sending attempted on Windows. This probably won't work. Consider --send-eth next time.\n"); error("WARNING: raw IP (rather than raw ethernet) packet sending attempted on Windows. This probably won't work. Consider --send-eth next time.\n");
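Review bot: The new branch `} else if (optcmp(long_options[option_index].name, "open") == 0) {` uses `optcmp` while the neighbouring branches of the same chain (the `scanflags` branch directly below it) use `strcmp`; the option table registers only `"open"` with no underscore spelling, so `strcmp` is sufficient and keeps the chain uniform: `} else if (strcmp(long_options[option_index].name, "open") == 0) {`. If `optcmp` is meant to replace `strcmp` across this chain, that migration should be done in one step rather than for a single option. The merged check `if ((o.pingscan || o.listscan) && (portlist || fastscan))` now runs before `ports` is resolved, which covers `-F` and `-p`; the deleted later check also caught a `ports` value reached by any other path, so it is worth confirming no such path exists. `nmap_main` extends well beyond these hunks.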


@@ -106,9 +106,9 @@
/* Without this, Windows will give us all sorts of crap about using functions /* Without this, Windows will give us all sorts of crap about using functions
like strcpy() even if they are done safely */ like strcpy() even if they are done safely */
#define _CRT_SECURE_NO_DEPRECATE 1 #define _CRT_SECURE_NO_DEPRECATE 1
#define NMAP_VERSION "4.20ALPHA8" #define NMAP_VERSION "4.20ALPHA9"
#define NMAP_NAME "Nmap" #define NMAP_NAME "Nmap"
#define NMAP_URL "http://insecure.org/nmap" #define NMAP_URL "http://insecure.org"
#define NMAP_PLATFORM "i686-pc-windows-windows" #define NMAP_PLATFORM "i686-pc-windows-windows"
#define NMAPDATADIR "c:\\nmap" /* FIXME: I really need to make this dynamic */ #define NMAPDATADIR "c:\\nmap" /* FIXME: I really need to make this dynamic */


@@ -236,9 +236,8 @@ static char *next_token(char *buf, char *token, int tokensz)
static char *build_command() static char *build_command()
{ {
int size = 2560; /* this should be long enough ;-) */
static char *command = NULL; static char *command = NULL;
static int command_size = 0; int command_size = 2560;
/* Find how much to malloc() */ /* Find how much to malloc() */
// size = strlen(gtk_entry_get_text(GTK_ENTRY(opt.range_text))) + // size = strlen(gtk_entry_get_text(GTK_ENTRY(opt.range_text))) +
@@ -250,8 +249,8 @@ static int command_size = 0;
// 2560; // 2560;
/* We get 60 from the chars required for each option */ /* We get 60 from the chars required for each option */
if (size > command_size) if (!command)
command = realloc(command, size); command = safe_malloc(command_size);
strcpy(command, "nmap "); strcpy(command, "nmap ");
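Review bot: `build_command` now allocates a fixed 2560-byte buffer once (`command = safe_malloc(command_size);`) while the size computation under `/* Find how much to malloc() */` stays commented out, so nothing ties the buffer to the length of what `strcpy(command, "nmap ");` and the later appends write into it, and a long entry in one of the GUI fields would exceed it unless every append is bounded. Make `command_size` the single source of truth, e.g. `static const size_t command_size = 2560;`, and have each subsequent write check the remaining room (`command_size - strlen(command)`) with a length-bounded copy. The now-stale `/* Find how much to malloc() */` block and the `/* We get 60 from the chars required for each option */` comment should either be removed or the computation restored so the comments match the code. The function's body continues outside the hunk.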


@@ -1472,7 +1472,7 @@ o.current_scantype = OS_SCAN;
if (o.verbose) { if (o.verbose) {
starttimems = o.TimeSinceStartMS(); starttimems = o.TimeSinceStartMS();
log_write(LOG_STDOUT|LOG_NORMAL|LOG_SKID, "Initiating gen1 OS Detection against %s at %.3fs\n", target->targetipstr(), starttimems / 1000.0); log_write(LOG_STDOUT, "Initiating gen1 OS Detection against %s at %.3fs\n", target->targetipstr(), starttimems / 1000.0);
} }
if (target->FPR1 == NULL) if (target->FPR1 == NULL)


@@ -2849,7 +2849,7 @@ OsScanInfo::OsScanInfo(vector<Target *> &Targets) {
#ifdef WIN32 #ifdef WIN32
if (Targets[targetno]->ifType() == devt_loopback) { if (Targets[targetno]->ifType() == devt_loopback) {
log_write(LOG_STDOUT, "Skipping OS Scan against %s because it doesn't work against your own machine (localhsot)\n", Targets[targetno]->NameIP()); log_write(LOG_STDOUT, "Skipping OS Scan against %s because it doesn't work against your own machine (localhost)\n", Targets[targetno]->NameIP());
continue; continue;
} }
#endif #endif


@@ -473,7 +473,12 @@ void printportoutput(Target *currenths, PortList *plist) {
if (prevstate == PORT_UNKNOWN) if (prevstate == PORT_UNKNOWN)
log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, "Not shown: "); log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, "Not shown: ");
else log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, ", "); else log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, ", ");
log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, "%d %s %s", plist->getStateCounts(istate), statenum2str(istate), o.ipprotscan? "protocols": "ports"); char desc[32];
if (o.ipprotscan)
snprintf(desc, sizeof(desc), (plist->getStateCounts(istate) == 1)? "protocol" : "protocols");
else
snprintf(desc, sizeof(desc), (plist->getStateCounts(istate) == 1)? "port" : "ports");
log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, "%d %s %s", plist->getStateCounts(istate), statenum2str(istate), desc);
prevstate = istate; prevstate = istate;
} }
if (prevstate != PORT_UNKNOWN) log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, "\n"); if (prevstate != PORT_UNKNOWN) log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, "\n");
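Review bot: The added `snprintf(desc, sizeof(desc), (plist->getStateCounts(istate) == 1)? "protocol" : "protocols");` passes a runtime-selected string as the format argument with no further arguments, which is the shape `-Wformat-security` warns about, and the 32-byte `desc` scratch buffer exists only to serve that call; a pointer to the chosen literal does the same job with no buffer and no formatting. The count is also fetched three times through `plist->getStateCounts(istate)`; hoist it once and select the word directly: `int count = plist->getStateCounts(istate);`, `const char *desc = o.ipprotscan ? (count == 1 ? "protocol" : "protocols") : (count == 1 ? "port" : "ports");`, `log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT, "%d %s %s", count, statenum2str(istate), desc);`. `printportoutput` continues outside the hunk.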


@@ -678,10 +678,16 @@ bool PortList::isIgnoredState(int state) {
state == PORT_FRESH) state == PORT_FRESH)
return false; /* Cannot be ignored */ return false; /* Cannot be ignored */
/* If openonly, we always ignore states that don't at least have open
as a possibility. */
if (o.openOnly() && state != PORT_OPENFILTERED && state != PORT_UNFILTERED
&& getStateCounts(state) > 0)
return true;
int max_per_state = 25; // Ignore states with more ports than this int max_per_state = 25; // Ignore states with more ports than this
/* We will show more ports when verbosity is requested */ /* We will show more ports when verbosity is requested */
if (o.verbose || o.debugging) if (o.verbose || o.debugging)
max_per_state *= (o.verbose + 50 * o.debugging); max_per_state *= (o.verbose + 20 * o.debugging);
if (getStateCounts(state) > max_per_state) if (getStateCounts(state) > max_per_state)
return true; return true;
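Review bot: The new `--open` guard keeps only `PORT_OPENFILTERED` and `PORT_UNFILTERED` (open itself is already returned as non-ignorable by the `if` just above, whose start lies outside the hunk), but its comment only says "don't at least have open as a possibility"; name the survivors so a reader does not have to invert the condition: `/* With --open, ignore every state that cannot hold an open port; only open (handled above), open|filtered and unfiltered are kept, and those remain subject to the max_per_state cap below. */`. The CHANGELOG entry in this commit describes the kept states as "open|closed" and "unfiltered", which does not match `PORT_OPENFILTERED` (open|filtered) tested here; the code is the authority, so the changelog wording should be corrected to match. The `getStateCounts(state) > 0` clause means an empty state falls through to the cap logic instead of being ignored outright, which is presumably intentional but deserves a word in the comment. `isIgnoredState` continues outside the hunk.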