- openproxy.url: Url to make requests to the proxy
- openproxy.pattern: Pattern that should be checked inside the responses for requests HEAD and GET
pattern will never be used for CONNECT requests, that will only check for the connection code
Script now uses default pattern checks for default url
(checks for ^server: gws in www.google.com requests)
If openproxy.url is used, script performs code check, looking for codes 200,301,302.
If openproxy.url is used and openproxy.pattern also, script performs pattern check
specific revision if I have to.
Don't rebuild the script database. There are new makefile targets to handle
this and we decided that if it's broken it's better for it to be broken on the
Mac too.
- Attempts requests using HEAD and CONNECT also (not only GET, as before).
- Script now accepts destination url for doing the test as argument
- Chekings now are made using response code (200, 301, 302) and no longer google server header
installing dummy interfaces that return zero answers. The necessary
pysqlite modules are not easily available in CentOS 5.3 at least. Remove
the dependency on python-sqlite2 from zenmap.spec.in.
support various 3.X releases. Also added a match for Radmin when the
source IP is ACL'd. Thanks to Tom Sellers for the hard work and
providing a patch!
added to existing HostInfo objects. This made examining scan diffs problematic
in zenmap. The second had to do with canceling a scan and then removing it.
This would clear much of the information from the rest of the GUI.
had them. Autoconf 2.63 inserts an ac_cr definition in configure scripts
which includes a literal \r which confuses svn and causes this error message:
svn: File 'configure' has inconsistent newlines
svn: Inconsistent line ending style
The next version of autoconf will apparently resolve this, but we can't
really wait at this point. I made this same change to nmap/configure in
January '09 (r11902) and it hasn't lead to any problems.
of commands
./configure
make
make clean
make distclean
fails when makefile.dep is remade in the ncat directory:
In file included from ncat.h:12,
from ncat_main.c:4:
../nbase/nbase.h:128:26: error: nbase_config.h: No such file or directory
(Many similar messages follow.)
This happened because "make clean" deletes ncat/makefile.dep. Remaking
makefile.dep requires preprocessing C files that indirectly include
nbase_config.h, which was removed from nbase by distclean. Doing the
distclean in ncat before nbase sidesteps the issue.
listen mode works. The new default behavior is to accept only one
connection, and quit when the connection ends. This was necessary to
prevent data loss in some situations; some programs require Ncat to
send an EOF before they flush their internal buffers and finish
processing the last bit of data. See
http://seclists.org/nmap-dev/2009/q2/0528.html for more information.
Use the new -k or --keep-open option to get the old behavior, in
which Ncat will accept multiple simultaneous connection, combine all
their input, and accept more connections after a disconnection.
matching strategies. It is really great that we have so few match
lines that really need any performance attention. As long as a match
has an anchor (though ^ seems better than $ with PRCE) it should be
fast enough. We also want to avoid things like
"m|^whatever.*something.*" but we got rid of all of those in a
previous review.
The only "bad" match we have now is:
match ser2net m|\r\nser2net port \d+ device (/dev/[-\w_]+) ...snip...
I think this match should be commented out so that we can get a better
submission. With a big release coming up so soon though I don't want
to remove any useful features. I've left a comment about it's
performance and maybe myself, Doug, or somebody else will think about
the match more at a later date.
The imap-capabilities script is mostly feature-complete but I could
see adding some analysis code to warn users of non-SSL'd IMAP servers
that offer STARTTLS without NOLOGIN.
The imap "library" is really a joke. It does the minimum required to
support getting capabilities and nothing more. IMAP requires each
command to use a unique identifier like 000, 001, 002, etc. Right now
the identifier is hardcoded to a001. To make a real imap library that
supports logging in, and other IMAP features a state variable will
have to be maintained to change the command uid. It would be nice to
see the library get updated so that IMAP brute-forcing could be
supported.
Here is a mostly exhaustive list of the changes:
o Removes the SCRIPT_ENGINE_* status defines and replaces the
instances with regular boolean integer returns or changes the
procedure to return void. The latter case is better generally because
the caller ignores any status return (e.g. nmap.cc calling open_nse)
and/or the procedure raises a fatal error when unsuccessful.
o Moves the SCRIPT_ENGINE_LUA_DIR and the like to the nse_main.h header file.
o Removes the use of the SCRIPT_ENGINE_TRY (there was only one left)
and thus changes the call to l_dnet_open to a void function called
directly by luaopen_nsock (in nse_nsock.cc) instead of luaopen_nmap
(in nse_nmaplib.cc). I felt moving the function was also an
appropriate (but somewhat unrelated to the intent of the patch) change
as opening the dnet metatable is very related to opening up the
nsock library. This confines errors in opening the nsock library, including
opening the dnet metatable, to the call to luaopen_nsock.
o The FILES and DIRS defines are moved in to nse_fs.h where they are
more appropriate and localalized.
certain function that is not in OpenSSL before 0.9.7, but is required
for correct operation after 0.9.7. The technique is from Network
Security with OpenSSL, whose code is at http://www.opensslbook.com/code.html
(see ssl/common.c).
automatically converted to bare LF when input is from the console, but
not when it is from a pipe or a file. No newline translation is done
on output (it was being done before). This makes it possible to
transfer binary files with Ncat on Windows without any corruption.
