MAC in the doArp function as is done for ARP ping scan in
scan_engine.cc. This makes us capable of reading ARP responses that are
sent to the broadcast address.
to be the cause of a segfault reported by Ron Bowes.
nmap -PN -p4567 -sV --script=http-* x.x.x.x
Program received signal SIGSEGV, Segmentation fault.
nsock_connect_tcp (nsp=0x83b8b38, ms_iod=0x0, handler=0x80b5cf0
<l_nsock_connect_handler(void*, void*, void*)>, timeout_msecs=10000,
userdata=0x8729308, saddr=0x871a6f8, sslen=16, port=4567)
at nsock_connect.c:154
install from source may have old copies of scripts with different names,
like HTTPAuth instead of http-auth, because we don't delete the contents
of the scripts directory when installing. Rather than wipe out the whole
directory, which might contain people's custom scripts, there is now a
list of old script names in Makefile.in which are selectively deleted.
The whole list is
anonFTP
ASN
brutePOP3
bruteTelnet
chargenTest
daytimeTest
dns-safe-recursion-port
dns-safe-recursion-txid
dns-test-open-recursion
echoTest
ftpbounce
HTTPAuth
HTTP_open_proxy
HTTPpasswd
HTTPtrace
iax2Detect
ircServerInfo
ircZombieTest
MSSQLm
MySQLinfo
netbios-smb-os-discovery
popcapa
PPTPversion
promiscuous
RealVNC_auth_bypass
ripeQuery
robots
showHTMLTitle
showHTTPVersion
showOwner
showSMTPVersion
showSSHVersion
skype_v2-version
smb-enumdomains
smb-enumsessions
smb-enumshares
smb-enumusers
smb-serverstats
smb-systeminfo
SMTPcommands
SMTP_openrelay_test
SNMPcommunitybrute
SNMPsysdescr
SQLInject
SSH-hostkey
SSHv1-support
SSLv2-support
strangeSMTPport
UPnP-info
xamppDefaultPass
zoneTrans
instead of waiting until a request is made to connect. This eliminates a
little bit of bookkeeping that needed to be done to retain state on the
NSE socket. Unfortunately this alone doesn't allow binding a socket to a
source address to receive UDP data, because Nsock doesn't create the
physical socket until a connection is made.
group. Not doing this was the cause of off-by-one errors that led to
assertion failures and, potentially, excluded hosts being scanned. Here
is the comment I added:
/* The decision to skip a range was based on the address that came immediately
before what our current array contains now. For example, if we have just
handed out 0.0.0.0 from the range 0-5.0.0.0, and we're asked to skip
the first octet, we want to advance to 1.0.0.0. But 1.0.0.0 is what is in
the current array right now, because TargetGroup::get_next_host advances
the array after returning an address. If we didn't step back we would
erroneously skip ahead to 2.0.0.0. */
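To make the off-by-one concrete, here is an added C++ model of the behaviour the comment describes. It is not Nmap's TargetGroup code: the struct, its method names, the odometer-style octet ranges and the second range (10.0-1.0.0-3) are assumptions made only for this illustration. It hands out an address the way the comment says get_next_host does (return, then advance) and shows what skipping a range does with and without the step back.

```cpp
#include <cstdio>
#include <string>

// Simplified model of a range such as 0-5.0.0.0: each octet has its own
// [lo, hi] interval and the four octets advance like an odometer. Hypothetical
// code written for this illustration, not Nmap's TargetGroup.
struct OctetRange {
    int lo[4], hi[4];
    int cur[4];       // the address the array holds right now
    bool exhausted;

    OctetRange(const int l[4], const int h[4]) : exhausted(false) {
        for (int i = 0; i < 4; i++) { lo[i] = l[i]; hi[i] = h[i]; cur[i] = l[i]; }
    }

    std::string to_string() const {
        char buf[16];
        std::snprintf(buf, sizeof buf, "%d.%d.%d.%d", cur[0], cur[1], cur[2], cur[3]);
        return buf;
    }

    // Move to the next address: least significant octet first, carrying upward.
    void advance() {
        for (int i = 3; i >= 0; i--) {
            if (cur[i] < hi[i]) { cur[i]++; return; }
            cur[i] = lo[i];
        }
        exhausted = true;
    }

    // Inverse of advance(): move back to the address handed out last.
    void step_back() {
        for (int i = 3; i >= 0; i--) {
            if (cur[i] > lo[i]) { cur[i]--; return; }
            cur[i] = hi[i];
        }
    }

    // As in the comment: return the current address, then advance past it.
    std::string get_next_host() {
        std::string s = to_string();
        advance();
        return s;
    }

    // Skip the rest of the current value of octet `idx`: jump to the next value
    // of that octet with the lower octets reset to their minimum. The decision
    // to skip was made for the address get_next_host just returned, so the
    // corrected version first undoes the advance that call performed.
    void skip_octet(int idx, bool step_back_first) {
        if (step_back_first) step_back();
        for (int i = 3; i > idx; i--) cur[i] = hi[i];  // make advance() carry into idx
        advance();
    }
};

// The comment's example: hand out 0.0.0.0 from 0-5.0.0.0, then skip the first
// octet. Returns the address the array holds afterwards.
std::string skip_after_first_host(bool step_back_first) {
    const int lo[4] = {0, 0, 0, 0}, hi[4] = {5, 0, 0, 0};
    OctetRange r(lo, hi);
    r.get_next_host();                  // returns 0.0.0.0; the array now holds 1.0.0.0
    r.skip_octet(0, step_back_first);
    return r.to_string();
}

// Group boundary (constructed range 10.0-1.0.0-3): after handing out 10.0.0.3 the
// array already holds 10.1.0.0. Skipping the second octet without stepping back
// jumps past 10.1.x.x entirely and runs the range dry, which is the kind of
// state an assertion would trip over.
std::string skip_after_last_of_group(bool step_back_first) {
    const int lo[4] = {10, 0, 0, 0}, hi[4] = {10, 1, 0, 3};
    OctetRange r(lo, hi);
    for (int i = 0; i < 4; i++) r.get_next_host();  // 10.0.0.0 .. 10.0.0.3
    r.skip_octet(1, step_back_first);
    return r.exhausted ? "exhausted" : r.to_string();
}

int main() {
    std::printf("no step back: %s / %s\n", skip_after_first_host(false).c_str(),
                skip_after_last_of_group(false).c_str());
    std::printf("step back:    %s / %s\n", skip_after_first_host(true).c_str(),
                skip_after_last_of_group(true).c_str());
    return 0;
}
```

The first line of output shows the erroneous jump to 2.0.0.0 and an exhausted range; the second shows 1.0.0.0 and 10.1.0.0, the addresses the skip was meant to reach.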
message once per host, not one per hostgroup. Include the IP address and
tryno in the message. It now looks like
Warning: 64.13.134.52 giving up on port because retransmission cap hit (0).
This was suggested by Chris Clements.
This always goes to XML and grepable output. It goes to normal in
interactive output in verbose mode. The format for printing a down host
is changed slightly:
Nmap scan report for 1.1.1.1 [host down]
LOG_PLAIN or LOG_STDOUT depending on whether o.resolve_all was set, and
just always print to LOG_PLAIN like we do all the other output. This was
the cause of a discrepancy between interactive and normal output
reported at http://seclists.org/nmap-dev/2009/q4/230.
appear in reference fingerprint" and the code used to support it. This
happens all the time with submitted fingerprints and is nothing to worry
about. I don't want to be distracted from other warnings. This code was
only used by the OS fingerprint integration tools, not by Nmap itself.
if (tcp_rpc_socket > max_sd)
max_sd = tcp_rpc_socket;
The condition is always true because max_sd is initialized to -1 and that block
of code is entered only if tcp_rpc_socket > -1. It looks like the kind of thing
that would be managing a large set of sockets for select, but here we're only
selecting on one socket at a time. This was suggested by Lionel Cons.
The script provides detection when version probes fail, but will default to
the value provided by the version probes if that value is more precise. The
script also detects the server platform and database instance name.
[Tom]
now a script is limited in parallelism to working on one socket at any
time. A script can now create a worker thread that will be capable of
doing work on sockets in parallel with the parent script. See [1] for
more information.
This patch also comes with condition variables that are similar to
POSIX condition variables. They are used in the same fashion as
NSE's mutexes (nmap.mutex).
[1] http://seclists.org/nmap-dev/2009/q4/294
lookup. The hash table used linear probing which got very slow as the
hash table got full. Using std::map is about 10 times faster. The hash
table was slow enough that it took the majority of the time for me in an
ARP scan of a single address.
# nmap -sP 192.168.0.190
mac_prefix_init took 0.49261 s.
Nmap done: 1 IP address (1 host up) scanned in 0.59 seconds
# nmap -sP 192.168.0.190
mac_prefix_init took 0.04392 s.
Nmap done: 1 IP address (1 host up) scanned in 0.13 seconds
The memory usage of std::map is probably greater. The hash table used
19037 pointers and about 13000 structures of size 8 (on a 32-bit
architecture), or about 176 KB. Assuming the map has left, right, and
parent pointers, and a red-black indicator per node, the usage is 16
bytes per prefix plus 8 bytes for the structure data, or 304 KB total.
But this makes fingerdiff so much faster, I want to leave it in place at
least until this round of OS integration is done.
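The following added C++ example is not Nmap's mac_prefix code; it shows why a linear-probing table degrades as it fills and what a std::map keyed on the 24-bit prefix looks like. The probe-counting table, the xorshift-generated prefix keys, the vendor names and the MAC-parsing helper are all assumptions constructed for this illustration and say nothing about how Nmap's original table hashed its entries.

```cpp
#include <cstdint>
#include <cstdio>
#include <map>
#include <string>
#include <vector>

// Constructed sample data: n distinct pseudo-random 24-bit prefixes (xorshift32).
std::vector<uint32_t> make_prefixes(size_t n) {
    std::vector<uint32_t> keys;
    std::map<uint32_t, bool> seen;   // keeps the keys distinct
    uint32_t x = 0x2545F491u;
    while (keys.size() < n) {
        x ^= x << 13; x ^= x >> 17; x ^= x << 5;
        uint32_t k = x & 0xFFFFFFu;
        if (seen.insert(std::make_pair(k, true)).second) keys.push_back(k);
    }
    return keys;
}

// Open-addressing table with linear probing (hypothetical, for illustration).
// Lookups count the slots they examine, so the slowdown near a full table is
// visible without relying on wall-clock timing.
struct LinearProbeTable {
    std::vector<int64_t> slots;        // -1 = empty, otherwise the 24-bit key
    std::vector<std::string> vendors;
    explicit LinearProbeTable(size_t size) : slots(size, -1), vendors(size) {}
    size_t hash(uint32_t key) const { return (key * 2654435761u) % slots.size(); }
    void insert(uint32_t key, const std::string &vendor) {
        size_t i = hash(key);
        while (slots[i] != -1 && slots[i] != key) i = (i + 1) % slots.size();
        slots[i] = key;
        vendors[i] = vendor;
    }
    const std::string *find(uint32_t key, size_t &probes) const {
        size_t i = hash(key);
        for (size_t n = 0; n < slots.size(); n++) {
            probes++;
            if (slots[i] == -1) return nullptr;
            if (slots[i] == key) return &vendors[i];
            i = (i + 1) % slots.size();
        }
        return nullptr;
    }
};

// Average number of slots examined per successful lookup when `nkeys` prefixes
// sit in a table of `table_size` slots (load factor nkeys / table_size).
double avg_probes(size_t nkeys, size_t table_size) {
    std::vector<uint32_t> keys = make_prefixes(nkeys);
    LinearProbeTable t(table_size);
    for (size_t i = 0; i < keys.size(); i++) t.insert(keys[i], "vendor");
    size_t probes = 0;
    for (size_t i = 0; i < keys.size(); i++) t.find(keys[i], probes);
    return double(probes) / double(keys.size());
}

// The std::map alternative: there is no slot array to fill, so a lookup stays
// O(log n) however many prefixes are loaded.
typedef std::map<uint32_t, std::string> VendorMap;

VendorMap sample_vendor_map() {
    VendorMap m;
    m[0x001A2B] = "ExampleCo";   // constructed entries, not real OUI assignments
    m[0xAABBCC] = "SampleNet";
    return m;
}

// Parse the first three bytes of "00:1A:2B:xx:xx:xx" into a 24-bit prefix key.
bool oui_of(const std::string &mac, uint32_t &oui) {
    unsigned a, b, c;
    if (std::sscanf(mac.c_str(), "%2x:%2x:%2x", &a, &b, &c) != 3) return false;
    oui = (a << 16) | (b << 8) | c;
    return true;
}

std::string vendor_for_mac(const VendorMap &m, const std::string &mac) {
    uint32_t oui;
    if (!oui_of(mac, oui)) return "invalid";
    VendorMap::const_iterator it = m.find(oui);
    return it == m.end() ? "unknown" : it->second;
}

int main() {
    std::printf("load 0.50: %.2f probes/lookup\n", avg_probes(13000, 26000));
    std::printf("load 0.95: %.2f probes/lookup\n", avg_probes(13000, 13700));
    VendorMap m = sample_vendor_map();
    std::printf("00:1a:2b:11:22:33 -> %s\n", vendor_for_mac(m, "00:1a:2b:11:22:33").c_str());
    return 0;
}
```

With 13000 keys, roughly the count mentioned above, the half-full table needs about one and a half probes per lookup while the nearly full one needs on the order of ten; the map's cost does not depend on a load factor at all, which is the trade against its larger per-node overhead.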
because of a lack of responses. Otherwise there is no way for that
number to decrease after moving on to the next port, leading to an
infinite loop. Lionel Cons reported the problem and provided a debug log
at http://seclists.org/nmap-dev/2009/q4/364.