space, and there was one line of mostly blank space in the cloud of
fire. The cloud looks better without the blank space and also aligns
better with the mouth.
* Updated the way authentication works on smb -- it's significantly cleaner now
* smb-enum-shares.nse gives significantly better output now (it checks if shares are writable)
* Added a script that checks if SMBv2 is enabled on a server
* Added smb-psexec, a script for executing commands on a remote Windows server. I also included some default scripts, a compiled .exe to run everything, and a ton of documentation (in the form of NSEDoc)
* Added 'override' parameters to some of the functions in smb.lua, which lets the programmer override any field in an outgoing SMB packet without modifying smb.lua.
* Lots of random code cleanups in the smb-* scripts/libraries
servers. Pass that to nsock_connect_udp instead of using
sizeof(sockaddr_storage). Mac OS X returns EINVAL if the length is not what's
expected for the address family.
(*p & 0x40) == 0x40
But that doesn't check that the upper half of the byte is 4. It's true for 4,
5, 6, 7, 12, 13, 14, and 15. I changed it to
(*p & 0xF0) == 0x40
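To make the difference between the two masks concrete, here is an added example (not Nmap's code) that applies both tests to every possible version nibble and to constructed first bytes of an IPv4 and an IPv6 header. The ip_version helper is an assumed generalisation of the fixed check, not something the commit adds.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* The test the commit replaced. It only looks at bit 6 of the first byte, so it
 * accepts version nibbles 4, 5, 6, 7, 12, 13, 14 and 15, including IPv6 (6). */
static bool looks_ipv4_old(const uint8_t *p) { return (*p & 0x40) == 0x40; }

/* Corrected test: the whole high nibble (the IP version field) must be 4. */
static bool looks_ipv4(const uint8_t *p) { return (*p & 0xF0) == 0x40; }

/* Assumed generalisation: read the version field and return 4, 6 or 0 (unknown). */
static int ip_version(const uint8_t *p) {
    switch (*p >> 4) {
    case 4:  return 4;
    case 6:  return 6;
    default: return 0;
    }
}

/* How many of the 16 possible version nibbles a check accepts. The low nibble
 * is set to 5 (a plausible IHL) so each byte looks like a real header start. */
static int accepted_versions(bool (*check)(const uint8_t *)) {
    int n = 0;
    for (unsigned v = 0; v < 16; v++) {
        uint8_t first = (uint8_t)((v << 4) | 0x5);
        if (check(&first))
            n++;
    }
    return n;
}

/* Constructed first bytes: an IPv4 header (version 4, IHL 5) and an IPv6
 * header (version 6, high bits of the traffic class zero). */
static const uint8_t ipv4_first = 0x45;
static const uint8_t ipv6_first = 0x60;

int main(void) {
    printf("old mask accepts %d of 16 versions, fixed mask accepts %d\n",
           accepted_versions(looks_ipv4_old), accepted_versions(looks_ipv4));
    printf("IPv6 first byte 0x60: old=%d fixed=%d version=%d\n",
           looks_ipv4_old(&ipv6_first), looks_ipv4(&ipv6_first),
           ip_version(&ipv6_first));
    return 0;
}
```

The practical consequence of the old mask is that an IPv6 packet passes as IPv4 and its first bytes are then read as an IPv4 header with a bogus IHL; the nibble compare removes that whole class of misparse.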
can be used in /etc/resolv.conf or with the --dns-servers option. The
parallel reverse DNS resolver still only supports IPv4 addresses, but
it can look them up over IPv6. [Ankur Nandwani]
to control whether translations of man pages are installed (by default
they will be). Even though we're not using gettext for translations, I
tried to make this interface as similar as possible to the gettext
configuration interface. You can use the environment variable LINGUAS to
control which man pages get installed if you don't want all of them, for
example LINGUAS="es de". The translated man pages are not yet committed.
o Removed IP ID matching in packet headers returned in ICMP errors.
This was already the case for some operating systems that are known
to mangle the IDs of sent IP packets. In rare cases of ID mangling, requiring
a match could cause replies to be ignored even after other tests had
shown them to be relevant. See http://seclists.org/nmap-dev/2009/q2/580
for an example of host order affecting scan results, caused by this
phenomenon. [David]
o Added some additional matching rules to keep a reply to a SYN probe
from matching an ACK probe to the same port, or vice versa, in ping
scans that include both scan types. Such a mismatch could cause an
ineffective timing ping or traceroute probe to be selected. [David]
test that was applied to packets returned in ICMP error messages.
Because some operating systems modify the IP ID outside of Nmap's
control, the apply_ipid_match function had a built-in heuristic whereby
it would deactivate itself (always return true) if this seemed to be
happening. What this meant in practice was that every time a successful
match was made, a counter was incremented, and if the ratio of
successful matches to successful matches was over 80%, IP ID matching
was enforced.
The matching and heuristic could cause relevant probes to be dropped in
some cases. See http://seclists.org/nmap-dev/2009/q2/665 for an example
of this and discussion. The IP ID match was always done in combination
with other tests; so even without it we are still dealing with a
relevant probe. The IP ID distinction could at best distinguish between
retransmissions of the same probe, and it was not necessary for that in
every case, such as with most TCP probes where we can use the SEQ field.
I thought this small benefit was not worth the risk of potentially
losing replies that we care about.
that they are not the default, remove duplicate dummy files for them,
and combine the modification with an existing one for Flex/Bison removal
in NMAP_MODIFICATIONS.
/nmap-exp/david/nmap-token. This brings in the following changes:
Use a strict tryno equality test in check_tryno_pingseq. This appears to
have no effect in the current code, because the way we traverse the
probe list backwards ensures that probes with a higher tryno are tried
first. However this protects against matching the wrong tryno if that
behavior is ever changed.
Factor out the code that checks for a match of a TCP packet.
Add some extra checks when matching up TCP probes, to avoid confusing
responses to SYN and ACK probes when they are sent to the same host on
the same port, with the same tryno and pingseq, in a ping scan that
includes both -PS and -PA. I think this is the only case where there can
be confusion. The new rules are: A SYN/ACK can only be matched to a SYN
probe. A RST/ACK can only be matched to a SYN or FIN. A bare RST cannot
be matched to a SYN or FIN.
Make an important change in the way the tryno and pingseq are encoded
for TCP probes with the ACK flag set when --source-port is in effect.
According to RFC 793, responses to ACK packets on an unestablished
connection (CLOSED and LISTEN states in particular) should send a RST
response with a SEQ value the same as the received ACK value. So for
example, if it's in the CLOSED state and wants to send a RST, it sends
<SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK>
if the received packet does not have the ACK flag set, but
<SEQ=SEG.ACK><CTL=RST>
This caused a problem because in the second case, the response does not
reflect our sent SEQ value, which is where the tryno and pingseq are
encoded. The response's acknowledgement number, while not valid because
the ACK flag is not set, is typically 0. Decoding this with seq32_decode
would result in a decoding error, leading to a
Bad Sequence number from host
message. In this case the probe was allowed to match any TCP probe with
the same ports and address, even though the pingseq and tryno might be
off or the probe is a different kind of probe entirely (like a SYN
probe).
Here's a summary of what has changed, with <tryno,pingseq> standing for
an encoded tryno and pingseq.
Before:
Non-ACK probes sent with SEQ=<tryno,pingseq>, ACK=0.
ACK probes sent with SEQ=<tryno,pingseq>, ACK=random
Probes matched against ACK and ACK - 1.
Now:
Non-ACK probes sent with SEQ=<tryno,pingseq>, ACK=0.
ACK probes sent with SEQ=0, ACK=<tryno,pingseq>.
Probes matched against ACK, ACK - 1, and SEQ.
Matching against the SEQ field may also help in some other weird cases.
In the LISTEN state, the receiving TCP is supposed to check that "the
security/compartment on the incoming segment does not exactly match the
security/compartment in the TCB," and if it doesn't, return
<SEQ=SEG.ACK><CTL=RST>
just like in the ACK case. I don't know how common that sort of thing is.
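The following is an added example, not Nmap's code, that walks through both parts of the commit above: the SYN/ACK, RST/ACK and bare-RST matching rules, and the before/after encoding of tryno and pingseq for ACK probes. It models a CLOSED-state peer answering per RFC 793 and then tries to recover <tryno,pingseq> from the reply under the old rule (ACK and ACK-1) and the new one (ACK, ACK-1 and SEQ). The seq32_encode/seq32_decode pair here is a toy marker-plus-check-byte scheme assumed for the demonstration, not Nmap's real encoding; 0xDEADBEEF stands in for the arbitrary ACK value old-style ACK probes carried.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* TCP control flags (subset). */
#define TH_FIN 0x01
#define TH_SYN 0x02
#define TH_RST 0x04
#define TH_ACK 0x10

struct tcp_seg {
    uint32_t seq;
    uint32_t ack;
    uint8_t  flags;
    uint32_t len;   /* SEG.LEN: payload bytes plus one each for SYN and FIN */
};

/* Toy tryno/pingseq encoding (an assumption, NOT Nmap's seq32_encode):
 * marker byte | tryno | pingseq | check byte. The check byte makes enc+1
 * and enc-1 fail to decode, so a matcher can try both ACK and ACK-1
 * without a false hit. */
#define SEQ_MARK 0xA5u

static uint32_t seq32_encode(uint8_t tryno, uint8_t pingseq) {
    uint8_t check = (uint8_t)(tryno ^ pingseq ^ 0x5A);
    return ((uint32_t)SEQ_MARK << 24) | ((uint32_t)tryno << 16) |
           ((uint32_t)pingseq << 8) | check;
}

/* Returns false on a "Bad Sequence number" (marker or check byte wrong). */
static bool seq32_decode(uint32_t v, uint8_t *tryno, uint8_t *pingseq) {
    uint8_t t = (v >> 16) & 0xFF, p = (v >> 8) & 0xFF;
    if ((v >> 24) != SEQ_MARK || (v & 0xFF) != (uint8_t)(t ^ p ^ 0x5A))
        return false;
    *tryno = t;
    *pingseq = p;
    return true;
}

/* What a CLOSED-state TCP sends back per RFC 793 ("SEGMENT ARRIVES"). */
static struct tcp_seg rfc793_closed_reply(struct tcp_seg in) {
    struct tcp_seg out = {0, 0, 0, 0};
    if (in.flags & TH_ACK) {        /* <SEQ=SEG.ACK><CTL=RST> */
        out.seq = in.ack;
        out.flags = TH_RST;
    } else {                        /* <SEQ=0><ACK=SEG.SEQ+SEG.LEN><CTL=RST,ACK> */
        out.ack = in.seq + in.len;
        out.flags = TH_RST | TH_ACK;
    }
    return out;
}

/* Probe as sent under the old scheme (ACK probes: SEQ=<tryno,pingseq>, ACK=random)
 * or the new one (ACK probes: SEQ=0, ACK=<tryno,pingseq>). Non-ACK probes are
 * the same in both: SEQ=<tryno,pingseq>, ACK=0. */
static struct tcp_seg make_probe(uint8_t flags, uint8_t tryno, uint8_t pingseq,
                                 bool new_scheme, uint32_t random_ack) {
    struct tcp_seg s = {0, 0, flags, 0};
    uint32_t enc = seq32_encode(tryno, pingseq);
    if (!(flags & TH_ACK))   { s.seq = enc; }
    else if (new_scheme)     { s.ack = enc; }
    else                     { s.seq = enc; s.ack = random_ack; }
    if (flags & TH_SYN) s.len++;
    if (flags & TH_FIN) s.len++;
    return s;
}

/* Old rule: decode ACK, then ACK-1.  New rule: additionally decode SEQ. */
static bool match_old(struct tcp_seg r, uint8_t *t, uint8_t *p) {
    return seq32_decode(r.ack, t, p) || seq32_decode(r.ack - 1, t, p);
}
static bool match_new(struct tcp_seg r, uint8_t *t, uint8_t *p) {
    return match_old(r, t, p) || seq32_decode(r.seq, t, p);
}

/* Flag rules from the commit: SYN/ACK answers only a SYN probe; RST/ACK answers
 * only SYN or FIN; a bare RST never answers SYN or FIN. Other combinations are
 * not constrained by the commit, so they are allowed here. */
static bool flags_compatible(uint8_t probe, uint8_t reply) {
    bool syn_or_fin = (probe & (TH_SYN | TH_FIN)) != 0;
    if ((reply & (TH_SYN | TH_ACK)) == (TH_SYN | TH_ACK)) return (probe & TH_SYN) != 0;
    if ((reply & (TH_RST | TH_ACK)) == (TH_RST | TH_ACK)) return syn_or_fin;
    if (reply & TH_RST) return !syn_or_fin;
    return true;
}

int main(void) {
    uint8_t t, p;
    struct tcp_seg r = rfc793_closed_reply(make_probe(TH_ACK, 2, 7, false, 0xDEADBEEF));
    printf("old-scheme ACK probe: old match=%d new match=%d (Bad Sequence number)\n",
           match_old(r, &t, &p), match_new(r, &t, &p));
    r = rfc793_closed_reply(make_probe(TH_ACK, 2, 7, true, 0));
    printf("new-scheme ACK probe: old match=%d new match=%d\n",
           match_old(r, &t, &p), match_new(r, &t, &p));
    return 0;
}
```

Run it and the old-scheme ACK probe fails to match under either rule, because the RST carries our random ACK back in its SEQ and nothing recoverable in its (unset) ACK; the new-scheme probe matches only once SEQ is consulted.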
o Nmap now prefers to display the hostname supplied by the user instead
of the reverse-DNS name in most places. If a reverse DNS record
exists, and it differs from the user-supplied name, it is printed
like this:
Nmap scan report for www.google.com (74.125.53.103)
rDNS record for 74.125.53.103: pw-in-f103.1e100.net
See http://seclists.org/nmap-dev/2009/q4/199 for a summary of other
minor changes to output. [David]