o Reduced memory usage in several areas. The size of the internal
representation of nmap-os-db was reduced more than 90%. The size of
individual Port structures without service scan results was reduced
about 70%. When a port receives no response, Nmap now avoids
allocating a Port structure at all, so scans against filtered hosts
can be light on memory. Thanks to Pavel Kankovsky for the Post size
reduction patch. [David]
the code just took each value mod 256 and stored it as a single byte.
The OID 1.3.1000.5 would encode as follows
tag len 1.3 1000%256 5
06 03 2b e8 05
What you're supposed to do is break each value into 7-bit chunks, and
set the high bit in every octet but the last. Now it is correctly
encoded as
tag len 1.3 1000 5
06 04 2b 8768 05
The length also would not have been correct for lengths over 127, and
that is fixed also.
group. Not doing this was the cause of off-by-one errors that led to
assertion failures and, potentially, excluded hosts being scanned. Here
is the comment I added:
/* The decision to skip a range was based on the address that came immediately
before what our current array contains now. For example, if we have just
handed out 0.0.0.0 from the the range 0-5.0.0.0, and we're asked to skip
the first octet, we want to advance to 1.0.0.0. But 1.0.0.0 is what is in
the current array right now, because TargetGroup::get_next_host advances
the array after returning an address. If we didn't step back we would
erroneously skip ahead to 2.0.0.0. */
The script provides detection when version probes fail, but will default to
the value provided the version probes if that value is more precise. The
script also detects the server platform and database instance name.
[Tom]
because of a lack of responses. Otherwise there is no way for that
number to decrease after moving on to the next port, leading to an
infinite loop. Lionel Cons reported the problem and provided a debug log
at http://seclists.org/nmap-dev/2009/q4/364.
can be used in /etc/resolv.conf or with the --dns-servers option. The
parallel reverse DNS resolver still only support IPv4 addresses, but
it can look them up over IPv6. [Ankur Nandwani]
o Removed IP ID matching in packet headers returned in ICMP errors.
This was already the case for some operating systems that are known
the IDs of sent IP packets. In rare cases of ID mangling, requiring
a match could cause replies to be ignored even after other tests had
shown them to be relevant. See http://seclists.org/nmap-dev/2009/q2/580
for an example of host order affecting scan results, caused by this
phonomenon. [David]
o Added some additional matching rules to keep a reply to a SYN probe
from matching an ACK probe to the same port, or vice versa, in ping
scans that include both scan types. Such a mismatch could cause an
ineffective timing ping or traceroute probe to be selected. [David]
o Nmap now prefers to display the hostname supplied by the user instead
of the reverse-DNS name in most places. If a reverse DNS record
exists, and it differs from the user-supplied name, it is printed
like this:
Nmap scan report for www.google.com (74.125.53.103)
rDNS record for 74.125.53.103: pw-in-f103.1e100.net
See http://seclists.org/nmap-dev/2009/q4/199 for a summary of other
minor changes to output. [David]
o UPgrades to latest version of WinPcap (4.1.1)
o corrects a long-standing bug in our WinPcap installer (we surrounded
the install path in the registry with double quotes, which meant we
wouldn't uninstall our older versions during an install)
o removed the GUI option to select where the WinPcap files are
installed (all of the important ones end up in the Windows directory
anyway). WinPcap folder is installed in the same Program Files
location on x64 platforms as the official WinPcap installer uses
(although we're not sure that is the best place)
o Rob notes that he's successfully tested the installer on XP SP3,
2003 SP2 x86, Vista SP2 x86 and Windows 7 x64
characters in the target entry (those whose UTF-8 encoding contains
a byte that counts as whitespace in the Windows locale):
File "zenmapGUI\ScanNotebook.pyo", line 184, in _target_entry_changed
File "zenmapCore\NmapOptions.pyo", line 719, in render_string
UnicodeDecodeError: 'utf8' codec can't decode byte 0xc3 in position 1:
unexpected end of data
One such character is a with grave accent, U+00E0, which in UTF-8 is
C0 A0, where the A0 is interpreted as a no-break space when the
string is interpreted byte by byte. [David]
when an attempt is made to use a file descriptor whose number is not
less than FD_SETSIZE. This applies only on non-Windows platforms
where FD_SETSIZE is a limit on the value of file descriptors as well
as a limit on the number of descriptors in the set. The error will
look like
nsock_core.c:186: Attempt to FD_SET fd 1024, which is not less
than FD_SETSIZE (1024). Try using a lower parallelism.
Thanks to Brandon Enright for discovering the problem and much help
debugging it, and to Jay Fink for submitting an initial patch. [David]
o [Ncat] Fixed proxy connections in connect mode on Windows. Because
the dup function does not work on Windows, an assertion failure
would be raised reading
(fh >= 0 && (unsigned)fd < (unsigned)_nhandle)
[David]
o [Ncat] Fixed the combination of --max-conns and --exec on Windows.
The count of connected clients was not decreased when the program
spawned by --exec finished. With --max-conns 5, for example, no more
connections would be allowed after the fifth, even if some of the
earlier ones had ended. Jon Greaves reported the problem and Venkat
contributed a patch.
o [Ncat] The code that manages the count of connected clients has been
made robust with respect to signals. The code was contributed by
Solar Designer.
o The files read by the -iL (input from file) and --excludefile
options now support comments that start with # and go to the end of
the line. This was implemented by Tom Sellers.
using the Windows shell. The only reason for using the shell was to inhibit the
ceration of a terminal window, and this does the same thing. This solves
problems related to running through a shell: cancelling a scan wouldn't kill
the nmap process, and running from directories with names containing shell
metacharacters wouldn't work.
TCP timestamp clock frequency uses large timestamp values, such that
a naive uptime calculation shows a boot time before the epoch. Also
fixed a printf format specifier mismatch that was revealed by the
overflow. Toby Simmons reported the problem and helped with the fix.
remain selected after aggregating another scan or running a filter
(as long as they are still up and visible). Before the selection was
lost whenever the scan inventory was changed.
the network distance in SCAN.DS was calculated. Its value can be "L"
for localhost, "D" for a direct connection, "I" for an ICMP TTL
calculation, and "T" for a traceroute hop count. This is mainly for
the benefit of OS integration, when it is sometimes important to
distinguish between DS=1%DC=I (probably the result of forged TTLs)
and DS=1%DC=D (a true one-hop connection.) [David]
