it was 32 characters. The "idle scan against " and the \0 terminator take up 19
characters, leaving only 13, which isn't enough to represent all IP addresses,
let alone host names.
represents a significant portion of our total returned fingerprints.
I especially liked adding the X-ray machine...
Here is the "changelog":
* Added Tolis BRU (Backup and Restore Utility)
* Added HP Digital Sender Service client
* Added Apple iChat Server file transfer proxy
* Added PBS/Maui Roll Rocks Cluster service
* Added CommVault Galaxy data backup
* Added Ad-Aware SE Enterprise
* Added Pharos Notify printing client
* Added Apple Remote Events
* Added Novell Groupwise SSL match so the SSL tunneling works
* Added Novell Groupwise HTTP services (holy crap there are a lot!)
* Changed "Compaq Diagnostis httpd" to correct spelling and removed o/Windows/
* Changed winshell to include i/**BACKDOOR**/
* Added Bruker AXS X-ray controller status (I was tempted to set d// to death-ray :-p)
line length) during Nmap windows build so that it looks much better
when presented by the Windows executable (NSIS) installer. Thanks
to Jah for the patch (which was modified slightly by Fyodor).
just the tip of the iceberg so there is lots more to come as I work
through everything.
Here is the list of changes:
* Added XML softmatch (commented out for the time being)
* Added Juniper Junoscript XML interface match
* Changed "ROOT SHELL" match to include i/**BACKDOOR**/
* Added FreeBSD rshd match
* Added IQinVision IQeye3 service matches (telnetd, fingerd, httpd,
logind rtspd)
* Added d/cluster/ as a new device type
* Added Ganglia XML Grid monitor detection
* Added Barracuda Networks Spam Firewall smtpd (default banner only)
* Added Serv-U SSL required banner (error 431)
* Changed Safenet to SafeNet in all locations
* Added SafeNet Sentinel Keys License Monitor httpd
* Changed "vsftpd or WU-FTPD" to a softmatch because much more than just
vsftpd and WU-FTPD match it
* Added Treck Embedded ftpd
* Changed Sony PCS-G70 telnet banner to be more generic so it can match
G50, etc
* Changed SubEthaEdit service to BEEP
* Added Apple Xgrid Controller (BEEP/ANTP protocol)
* Added dCache distribute storage node
* Changed the nessus match lines to anchor to the start of a line and
upped their rarity to cut down on false positives
* Added two matches for Dell OpenManage (one GetRequest, one HELP)
* Added HighPoint RAID Raidman web server
* Added Ruckus Media Player (Ruckus music service client)
This changes the DNS engine to use addto_etchosts to add entries from
/etc/hosts into the DNS cache, rather than just inserting them using
push_front.
The reason for this is that there is a static unsigned variable in
addto_etchosts that keeps track of how many entries there are in the
cache. Using push_front bypassed this variable, allowing the entries in
/etc/hosts to sneak in under the radar. Thus is was possible for the
cache to contain, say, 266 entries when it thought it only had 256.
When the cache size is greater than or equal to 256, addto_etchosts runs
a deletion pass aiming to reduce the number of entries to 126. But the
peculiar loop logic of that function means that more than 256 entries
can be deleted. (How many more depends in part on how many entries there
are in /etc/hosts. There must be at least one for the hang to occur.)
When this happens, the signed counter underflows and becomes large
positive, ~65000. The code empties the cache trying to get the counter
under 127, but it can never happen.
To reproduce the hang, make an /etc/hosts file like this:
1.0.0.1 host-1-1
1.0.0.2 host-1-2
1.0.0.3 host-1-3
1.0.0.4 host-1-4
1.0.0.5 host-1-5
1.0.0.6 host-1-6
1.0.0.7 host-1-7
1.0.0.8 host-1-8
1.0.0.9 host-1-9
1.0.0.10 host-1-10
2.0.0.1 host-2
3.0.0.1 host-3
...
254.0.0.1 host-254
255.0.0.1 host-255
The hang can occur with even one entry in /etc/hosts, but saturating the
cache like this makes the hang less dependent on network conditions.
Then list-scan a netblock that is greater in size than 256 and is dense
in DNS entries (at least 256 entries per 4096 IP addresses). For
example,
nmap -sL scanme.nmap.org/22
works for me currently.
