merge soc07 r5085:5094 - removed a period which could lead to slightly confusing output such as 'Read data files from: ..' when they are read from the current directory; Always print a message when the script database is updated successfully; Added a whole bunch of entries to the CHANGELOG in preparation for the first soc07 release; latest auto-generated files; add a question mark to a textual question

CHANGELOG

@@ -1,5 +1,78 @@
 # Nmap Changelog ($Id$); -*-text-*-
 
+4.22SOC1
+
+o The port selection mechanism was overhauled.  Nmap now knows
+  (roughly) how common various services are, so you can specify
+  options such as --top-ports 50 to scan the 50 most popular ports.
+  You can also use the new --port-ratio option to scan ports above a
+  given popularity level.  You can also now give the -p option service
+  names (such as 'http') and wildcards (such as http* to include
+  services such as https and http-mgmt).  There is also a bracket ([])
+  operator for scanning all known ports within a given range.  All
+  these changes, by Doug Hoyte, are described at
+  http://seclists.org/nmap-dev/2007/q2/0224.html .
+
+o Added more Nmap Scripting Engine scripts, bringing the total to 31.
+  The new ones are bruteTelnet (Eddie Bell), SMTPcommands (Jason
+  DePriest), iax2Detect (Jason), nbstat (Brandon Enright),
+  SNMPsysdescr (Thomas Buchanan), HTTPAuth (Thomas), finger (Eddie),
+  ircServerInfo (Doug Hoyte), and MSSQLm (Thomas Buchanan).
+
+o Added the --reason option which explains WHY Nmap assigned a port
+  status.  For example, a port could be listed as "filtered" because
+  no response was received, or because an ICMP network unreachable
+  message was received. [ Eddie ]
+
+o Integrated all of your 2nd generation OS detection submissions,
+  increasing the database size by 68% since 4.21ALPHA4 to 699
+  fingerprints.  The 2nd generation database is now nearly half (42%)
+  the size of the original.  Please keep those submissions coming so
+  that we can do another integration round before the SoC program ends
+  on August 20!  Thanks to David Fifield for doing most of the
+  integration work!
+
+o Integrated version detection submissions.  The database has grown by
+  more than 350 signatures since 4.21ALPHA4.  Nmap now has 4,236
+  signatures for 432 service protocols.  As usual, Doug Hoyte deserves
+  credit for the integration marathon, which he describes at
+  http://hcsw.org/blog.pl .
+
+o Added the NSE library (nselib) which is a library of useful
+  functions (which can be implemented in LUA or as loadable C/C++
+  modules) for use by NSE scripts.  We already have libraries for bit
+  operations (bit), list operations (listop), URL fetching and
+  manipulation (url), activation rules (shortport), and miscelaneous
+  commonly useful functions (stdnse).  Stoiko added the underlying
+  functionality, though numerous people contributed to the library
+  routines.
+
+o Added --servicedb and --versiondb command-line options which allow
+  you to specify a custom Nmap services (port to port number translation
+  and port frequency) file or version detection database. [ David
+  Fifield ]
+
+o The build dependencies were dramatically reduced by removing
+  unneccessary header includes and moving header includes from .h
+  files to .cc as well as adding some forward declarations.  This
+  reduced the number of makefile.dep dependencies from 1469 to 605.
+  This should make Nmap compilation faster and prevent some
+  portability problems. [David Fifield]
+
+o Upgraded from WinPcap 3.1 to WinPcap 4.0 [Eddie]
+
+o In verbose mode, Nmap now reports where it obtains data files (such as
+  nmap-services) from. [David Fifield]
+
+o Canonicalized a bunch of OS classes, device types, etc. in the OS
+  detection and version scanning databases so they are named
+  consistently. [Doug]
+
+o If we get a ICMP Protocol Unreachable from a host other than our
+  target during a port scan, we set the state to 'filtered' rather than
+  'closed'. This is consistent with how port unreachable errors work for
+  udp scan. [Kris]
+
 o Relocated OSScan warning message (could not find 1 closed and 1 open
   port). Now output.cc prints the warning along with a targets OSScan 
   results. [Eddie]
@@ -9,6 +82,33 @@ o Fixed a bug which caused port 0 to be improperly used for gen1 OS
   included by default).  Thanks to Sebastian Wolfgarten for the report
   and Kris Katterjohn for the fix.
 
+o The --iflist table now provides Winpcap device names on
+  Windows. [Eddie]
+
+o The Nmap reference guide (man page) Docbook XML source is now in the
+  SVN repository at svn://svn.insecure.org/nmap/docs/refguide.xml .
+
+o NSE now has garbage collection so that if you forget to close a
+  socket before exiting a script, it is closed for you. [Stoiko]
+
+o The <portused> tag in XML output now provides the open TCP port used
+  for OS detection as well as the closed TCP and UDP ports which were
+  reported previously. [Kris]
+
+o XML output now has a <times> tag for reporting final time
+  information which was already printed in normal output in verbose
+  mode (round trip time, rtt variance, timeout, etc.) [Kris]
+
+o Changed the XML output format so that the <extrareasons> tag (part
+  of Eddie's --reason patch) falls within the <extraports> tag. [Kris]
+
+o Nmap now provides more consise OS fingerprints for submission thanks
+  to better merging. [David Fifield]
+
+o A number of changes were made to the Windows build system to handle
+  version numbers, publisher field, add/remove program support,
+  etc. [Eddie]
+
 o Improved how the Gen1 OS Detection system selects which UDP ports to
   send probes to.  [Kris]
 
@@ -20,11 +120,6 @@ o Updated nmap-mac-prefixes to latest IEEE data as of 5/18/07. Also
   Thanks to Sina Bahram for the initial report and Thomas Buchanan for
   tracking down the problem.
 
-o Added a great NetBIOS name lookup NSE script (nbstat.nse) from
-  Brandon Enright.  This queries port 137/udp on Windows machines to
-  try and determine the Windows NetBIOS name, the MAC address, and
-  logged-in username.
-
 o Added a SIP (IP phone) probe from Matt Selsky to nmap-service-probes.
 
 o Fixed a bug which prevented the NSE scripts directory from appearing
@@ -33,6 +128,9 @@ o Fixed a bug which prevented the NSE scripts directory from appearing
 o Fixed a bug in Traceroute's output.  It occured when a traced host could
   be fully consolidated, but only the first hop number was outputted. [Kris]
 
+o The new "rnd" option to -D allows you to ask Nmap to generate random
+  decoy IPs rather having to specify them all yourself. [Kris]
+
 o Fixed a Traceroute bug relating to scanning through the localhost
   interface on Windows (which previously caused a crash).  Thanks to
   Alan Jones for the report and Eddie Bell for the fix.

docs/nmap.1

@@ -2,7 +2,7 @@
 .\" It was generated using the DocBook XSL Stylesheets (version 1.69.1).
 .\" Instead of manually editing it, you probably should edit the DocBook XML
 .\" source for it and then use the DocBook XSL Stylesheets to regenerate it.
-.TH "NMAP" "1" "03/20/2007" "" "Nmap Reference Guide"
+.TH "NMAP" "1" "07/04/2007" "" "Nmap Reference Guide"
 .\" disable hyphenation
 .nh
 .\" disable justification (adjust text to left margin only)
@@ -91,7 +91,7 @@ This options summary is printed when Nmap is run with no arguments, and the late
 \fI\%http://insecure.org/nmap/data/nmap.usage.txt\fR. It helps people remember the most common options, but is no substitute for the in\-depth documentation in the rest of this manual. Some obscure options aren't even included here.
 .PP
 .nf
-Nmap 4.21ALPHA2 ( http://insecure.org )
+Nmap 4.21ALPHA4 ( http://insecure.org )
 Usage: nmap [Scan Type(s)] [Options] {target specification}
 TARGET SPECIFICATION:
   Can pass hostnames, IP addresses, networks, etc.
@@ -118,7 +118,6 @@ SCAN TECHNIQUES:
   \-sO: IP protocol scan
   \-b <ftp relay host>: FTP bounce scan
   \-\-traceroute: Trace hop path to each host
-  \-\-reason: Display the reason a port is in a particular state
 PORT SPECIFICATION AND SCAN ORDER:
   \-p <port ranges>: Only scan specified ports
     Ex: \-p22; \-p1\-65535; \-p U:53,111,137,T:21\-25,80,139,8080
@@ -382,9 +381,6 @@ Traceroutes are performed post\-scan using information from the scan results to
 .sp
 Traceroute works by sending packets with a low TTL (time\-to\-live) in an attempt to illicit ICMP TTL_EXCCEDED messages from intermediate hops between the scanner and the target host. Standard traceroute implementation start with a TTL of 1 and increment the TTL until the destination host is reached. Nmap's traceroute starts with a high TTL and then decrements the TTL until it reaches 0. Doing it backwards lets nmap employ clever caching algorithms to speed up traces over multiple hosts. On average nmap sends 5\-10 fewer packets per host, depending on network conditions. If a single subnet is being scanned (i.e. 192.168.0.0/24) nmap may only have to send a single packet to most hosts.
 .TP
-\fB\-\-reason\fR (Host and port state reasons)
-Shows the reason each port is set to a specific state and the reason each host is up or down. This option displays the type of the packet that determined a port or hosts state. For example, A RST packet from a closed port or an echo reply from an alive host. The information nmap can provide is determined by the type of scan or ping. The SYN scan and SYN ping (\fB\-sS and -PT\fR) are very detailed. Whilst the TCP connect scan and ping (\fB\-sT\fR) are limited by the implementation of connect(). This feature is automatically enabled by the debug flag (\fB\-d\fR) and the results are stored in XML log files even if this option is not specified.
-.TP
 \fB\-n\fR (No DNS resolution)
 Tells Nmap to
 \fInever\fR
@@ -672,8 +668,10 @@ file which comes with nmap (or the protocols file for
 \fB\-sO\fR). This is much faster than scanning all 65535 ports on a host. Because this list contains so many TCP ports (more than 1200), the speed difference from a default TCP scan (about 1650 ports) isn't dramatic. The difference can be enormous if you specify your own tiny
 \fInmap\-services\fR
 file using the
+\fB\-\-servicedb\fR
+or
 \fB\-\-datadir\fR
-option.
+options.
 .TP
 \fB\-r\fR (Don't randomize ports)
 By default, Nmap randomizes the scanned port order (except that certain commonly accessible ports are moved near the beginning for efficiency reasons). This randomization is normally desirable, but you can specify
@@ -998,7 +996,7 @@ ME
 as one of the decoys to represent the position for your real IP address. If you put
 ME
 in the 6th position or later, some common port scan detectors (such as Solar Designer's excellent scanlogd) are unlikely to show your IP address at all. If you don't use
-ME, nmap will put you in a random position.
+ME, nmap will put you in a random position. You can also use RND to generate a random, non\-reserved IP address, or RND:<number> to generate <number> addresses.
 .sp
 Note that the hosts you use as decoys should be up or you might accidentally SYN flood your targets. Also it will be pretty easy to determine which host is scanning if only one is actually up on the network. You might want to use IP addresses instead of names (so the decoy networks don't see you in their nameserver logs).
 .sp
@@ -1333,7 +1331,11 @@ Nmap obtains some special data at runtime in files named
 \fInmap\-protocols\fR,
 \fInmap\-rpc\fR,
 \fInmap\-mac\-prefixes\fR, and
-\fInmap\-os\-fingerprints\fR. Nmap first searches these files in the directory specified with the
+\fInmap\-os\-fingerprints\fR. If the location of any of these files has been specified (using the
+\fB\-\-servicedb\fR
+or
+\fB\-\-versiondb\fR
+options), that location is used for that file. After that, Nmap searches these files in the directory specified with the
 \fB\-\-datadir\fR
 option (if any). Any files not found there, are searched for in the directory specified by the NMAPDIR environmental variable. Next comes
 \fI~/.nmap\fR
@@ -1343,6 +1345,20 @@ or
 \fI/usr/share/nmap\fR
 . As a last resort, Nmap will look in the current directory.
 .TP
+\fB\-\-servicedb <services file>\fR (Specify custom services file)
+Asks Nmap to use the specified services file rather than the
+\fInmap\-services\fR
+data file that comes with Nmap. Using this option also causes a fast scan (\fB\-F\fR) to be used. See the description for
+\fB\-\-datadir\fR
+for more information on Nmap's data files.
+.TP
+\fB\-\-versiondb <service probes file>\fR (Specify custom service probes file)
+Asks Nmap to use the specified service probes file rather than the
+\fInmap\-service\-probes\fR
+data file that comes with Nmap. See the description for
+\fB\-\-datadir\fR
+for more information on Nmap's data files.
+.TP
 \fB\-\-send\-eth\fR (Use raw ethernet sending)
 Asks Nmap to send packets at the raw ethernet (data link) layer rather than the higher IP (network) layer. By default, Nmap chooses the one which is generally best for the platform it is running on. Raw sockets (IP layer) are generally most efficient for UNIX machines, while ethernet frames are required for Windows operation since Microsoft disabled raw socket support. Nmap still uses raw IP packets on UNIX despite this option when there is no other choice (such as non\-ethernet connections).
 .TP
@@ -1544,7 +1560,8 @@ instead. Regular expression support is provided by the
 [14]\&\fILibdnet\fR
 networking library, which was written by Dug Song. A modified version is distributed with Nmap. Nmap can optionally link with the
 [15]\&\fIOpenSSL cryptography toolkit\fR
-for SSL version detection support. All of the third\-party software described in this paragraph is freely redistributable under BSD\-style software licenses.
+for SSL version detection support. The Nmap Scripting Engine uses an embedded version of the
+[16]\&\fILua programming language\fR. All of the third\-party software described in this paragraph is freely redistributable under BSD\-style software licenses.
 .SS "US Export Control Classification"
 .PP
 US Export Control: Insecure.Com LLC believes that Nmap falls under US ECCN (export control classification number) 5D992. This category is called
@@ -1595,3 +1612,6 @@ US Export Control: Insecure.Com LLC believes that Nmap falls under US ECCN (expo
 .TP 4
 15.\ OpenSSL cryptography toolkit
 \%http://www.openssl.org
+.TP 4
+16.\ Lua programming language
+\%http://www.lua.org

docs/nmap.usage.txt

@@ -1,4 +1,4 @@
-Nmap 4.21ALPHA4 ( http://insecure.org )
+Nmap 4.22SOC1 ( http://insecure.org )
 Usage: nmap [Scan Type(s)] [Options] {target specification}
 TARGET SPECIFICATION:
   Can pass hostnames, IP addresses, networks, etc.
@@ -29,8 +29,10 @@ SCAN TECHNIQUES:
 PORT SPECIFICATION AND SCAN ORDER:
   -p <port ranges>: Only scan specified ports
     Ex: -p22; -p1-65535; -p U:53,111,137,T:21-25,80,139,8080
-  -F: Fast - Scan only the ports listed in the nmap-services file)
+  -F: Fast mode - Scan fewer ports than the default scan
   -r: Scan ports consecutively - don't randomize
+  --top-ports <number>: Scan <number> most common ports
+  --port-ratio <ratio>: Scan ports more common than <ratio>
 SERVICE/VERSION DETECTION:
   -sV: Probe open ports to determine service/version info
   --version-intensity <level>: Set from 0 (light) to 9 (try all probes)

mswin32/winpcap/winpcap-nmap.nsi

@@ -71,7 +71,7 @@ Function .onInit
 
     StrCmp $inst_ver $my_ver same_ver
 
-    MessageBox MB_YESNO|MB_ICONQUESTION "WinPcap version $inst_ver exists on this system. Replace with version $my_ver" IDYES finish
+    MessageBox MB_YESNO|MB_ICONQUESTION "WinPcap version $inst_ver exists on this system. Replace with version $my_ver?" IDYES finish
     quit
 
   same_ver:

nse_main.cc

@@ -93,10 +93,7 @@ int script_updatedb() {
 		goto finishup;
 	}
 
-	SCRIPT_ENGINE_DEBUGGING(
-		log_write(LOG_STDOUT, "%s: Rule database successfully updated.\n", 
-			SCRIPT_ENGINE);
-	)
+	log_write(LOG_STDOUT, "NSE script database updated successfully.\n");
 
 finishup:
 	lua_close(l);

output.cc

@@ -1894,7 +1894,7 @@ void printdatafilepaths() {
   } else if (num_dirs == 1 && o.verbose && !o.debugging) {
     /* If all the files were from the same directory and we're in verbose mode,
        print a brief message unless we are also in debugging mode. */
-    log_write(LOG_PLAIN, "Read data files from: %s.\n", dir.c_str());
+    log_write(LOG_PLAIN, "Read data files from: %s\n", dir.c_str());
   } else if (num_dirs == 1 && o.debugging || num_dirs > 1) {
     /* If files were read from more than one directory, or if they were read
        from one directory and we are in debugging mode, display all the files

scripts/script.db

@@ -1,35 +1,37 @@
-Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
-Entry{ category = "discovery", filename = "finger.nse" }
-Entry{ category = "demo", filename = "showSSHVersion.nse" }
-Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
-Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
 Entry{ category = "intrusive", filename = "dns-test-open-recursion.nse" }
-Entry{ category = "demo", filename = "showHTMLTitle.nse" }
-Entry{ category = "safe", filename = "showHTMLTitle.nse" }
-Entry{ category = "discovery", filename = "nbstat.nse" }
-Entry{ category = "safe", filename = "nbstat.nse" }
-Entry{ category = "backdoor", filename = "mswindowsShell.nse" }
-Entry{ category = "demo", filename = "showSMTPVersion.nse" }
-Entry{ category = "safe", filename = "showOwner.nse" }
 Entry{ category = "backdoor", filename = "RealVNC_auth_bypass.nse" }
-Entry{ category = "demo", filename = "daytimeTest.nse" }
-Entry{ category = "", filename = "showHTTPVersion.nse" }
-Entry{ category = "demo", filename = "chargenTest.nse" }
-Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
-Entry{ category = "discovery", filename = "MSSQLm.nse" }
-Entry{ category = "intrusive", filename = "MSSQLm.nse" }
-Entry{ category = "demo", filename = "echoTest.nse" }
-Entry{ category = "version", filename = "skype_v2-version.nse" }
-Entry{ category = "intrusive", filename = "SMTP_openrelay_test.nse" }
-Entry{ category = "intrusive", filename = "anonFTP.nse" }
-Entry{ category = "discovery", filename = "ripeQuery.nse" }
-Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
-Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
-Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
+Entry{ category = "safe", filename = "showOwner.nse" }
+Entry{ category = "intrusive", filename = "SSLv2-support.nse" }
 Entry{ category = "malware", filename = "ircZombieTest.nse" }
-Entry{ category = "intrusive", filename = "ftpbounce.nse" }
+Entry{ category = "version", filename = "skype_v2-version.nse" }
+Entry{ category = "demo", filename = "echoTest.nse" }
+Entry{ category = "intrusive", filename = "bruteTelnet.nse" }
 Entry{ category = "discovery", filename = "SMTPcommands.nse" }
 Entry{ category = "intrusive", filename = "SMTPcommands.nse" }
+Entry{ category = "discovery", filename = "ripeQuery.nse" }
+Entry{ category = "demo", filename = "chargenTest.nse" }
+Entry{ category = "backdoor", filename = "strangeSMTPport.nse" }
+Entry{ category = "safe", filename = "iax2Detect.nse" }
+Entry{ category = "discovery", filename = "iax2Detect.nse" }
+Entry{ category = "demo", filename = "showSMTPVersion.nse" }
+Entry{ category = "demo", filename = "showHTMLTitle.nse" }
+Entry{ category = "safe", filename = "showHTMLTitle.nse" }
+Entry{ category = "backdoor", filename = "mswindowsShell.nse" }
+Entry{ category = "intrusive", filename = "anonFTP.nse" }
 Entry{ category = "malware", filename = "kibuvDetection.nse" }
+Entry{ category = "demo", filename = "SMTP_openrelay_test.nse" }
+Entry{ category = "discovery", filename = "nbstat.nse" }
+Entry{ category = "safe", filename = "nbstat.nse" }
+Entry{ category = "discovery", filename = "SNMPsysdesr.nse" }
+Entry{ category = "safe", filename = "SNMPsysdesr.nse" }
+Entry{ category = "intrusive", filename = "HTTPAuth.nse" }
+Entry{ category = "discovery", filename = "finger.nse" }
+Entry{ category = "", filename = "showHTTPVersion.nse" }
+Entry{ category = "intrusive", filename = "SSHv1-support.nse" }
+Entry{ category = "intrusive", filename = "ftpbounce.nse" }
+Entry{ category = "vulnerability", filename = "xamppDefaultPass.nse" }
+Entry{ category = "demo", filename = "showSSHVersion.nse" }
 Entry{ category = "discovery", filename = "ircServerInfo.nse" }
-Entry{ category = "intrusive", filename = "bruteTelnet.nse" }
+Entry{ category = "discovery", filename = "MSSQLm.nse" }
+Entry{ category = "intrusive", filename = "MSSQLm.nse" }
+Entry{ category = "demo", filename = "daytimeTest.nse" }