mirror of https://github.com/nmap/nmap.git synced 2026-02-13 17:06:34 +00:00
Commit Graph

855 Commits

Author SHA1 Message Date
patrik
a646a2ec60 o [NSE] Changed and documented the name of the maxfiles argument used
to limit output in the nfs-dirlist script.
2010-03-28 09:26:58 +00:00
david
8bc5135d93 When iterating over the interface list on systems that have sa_len, only
allow the sa_len to increase the size of the current structure, not
decrease it below sizeof(struct ifreq). Doing it this way makes it work
on NetBSD. This technique more or less matches that used in Unix Network
Programming, 3rd Edition, section 17.6. The old implementation was
likely incorrect, though it happened to work on FreeBSD.
2010-03-26 22:11:30 +00:00
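The stride rule this commit describes (let sa_len grow the record, never shrink it below sizeof(struct ifreq)) is easier to see in code. The block below is an added example, not Nmap's implementation: because Linux has no sa_len, it defines BSD-style struct layouts locally and walks a constructed SIOCGIFCONF-style buffer in which one address is longer than the embedded sockaddr and one is shorter. The names bsd_sockaddr, bsd_ifreq, ifreq_stride and walk_ifconf are mine.

```c
/* Added example, not Nmap's code: stepping through a SIOCGIFCONF-style buffer
 * on a system whose sockaddr carries sa_len. The embedded address may be larger
 * than the sockaddr inside struct ifreq (e.g. IPv6), so the stride must grow
 * with sa_len, but it must never drop below sizeof(struct ifreq). Linux has no
 * sa_len, so BSD-style structs are defined locally; the buffer is constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16

struct bsd_sockaddr {             /* BSD layout: sa_len precedes sa_family */
    uint8_t sa_len;
    uint8_t sa_family;
    char    sa_data[14];
};

struct bsd_ifreq {
    char ifr_name[IFNAMSIZ];
    struct bsd_sockaddr ifr_addr;  /* address bytes may continue past this */
};

/* Stride to the next record: sa_len may only enlarge it, never shrink it. */
static size_t ifreq_stride(const struct bsd_ifreq *ifr)
{
    size_t with_addr = offsetof(struct bsd_ifreq, ifr_addr) + ifr->ifr_addr.sa_len;
    return with_addr > sizeof(struct bsd_ifreq) ? with_addr : sizeof(struct bsd_ifreq);
}

/* Walk buf, copying up to max interface names into names[]; returns the count.
 * Records are read with memcpy, so no alignment is assumed for buf. */
static int walk_ifconf(const uint8_t *buf, size_t len, char names[][IFNAMSIZ], int max)
{
    struct bsd_ifreq ifr;
    size_t off = 0;
    int n = 0;
    while (off + sizeof ifr <= len) {
        memcpy(&ifr, buf + off, sizeof ifr);
        size_t stride = ifreq_stride(&ifr);
        if (off + stride > len)
            break;                    /* truncated final record: stop, do not overread */
        if (n < max) {
            memcpy(names[n], ifr.ifr_name, IFNAMSIZ);
            names[n][IFNAMSIZ - 1] = '\0';
        }
        n++;
        off += stride;
    }
    return n;
}

/* Append one record (name, family, sa_len) at off; returns the next offset. */
static size_t put_entry(uint8_t *buf, size_t off, const char *name,
                        uint8_t family, uint8_t sa_len)
{
    struct bsd_ifreq ifr;
    memset(&ifr, 0, sizeof ifr);
    strncpy(ifr.ifr_name, name, IFNAMSIZ - 1);
    ifr.ifr_addr.sa_len = sa_len;
    ifr.ifr_addr.sa_family = family;
    size_t stride = ifreq_stride(&ifr);
    memset(buf + off, 0, stride);             /* zero the address tail, if any */
    memcpy(buf + off, &ifr, sizeof ifr);
    return off + stride;
}

/* Constructed sample: a 16-byte IPv4 address, a 28-byte IPv6 address (longer
 * than the embedded sockaddr) and an 8-byte address (shorter than it). Family
 * numbers 2 and 28 are FreeBSD's AF_INET/AF_INET6 and serve only as labels. */
static size_t build_sample(uint8_t *buf)
{
    size_t off = 0;
    off = put_entry(buf, off, "lo0", 2, 16);
    off = put_entry(buf, off, "em0", 28, 28);
    off = put_entry(buf, off, "wlan0", 2, 8);
    return off;   /* 32 + 44 + 32 = 108 bytes */
}

int main(void)
{
    uint8_t buf[256];
    char names[8][IFNAMSIZ];
    size_t len = build_sample(buf);
    int n = walk_ifconf(buf, len, names, 8);
    for (int i = 0; i < n; i++)
        printf("%s\n", names[i]);
    return n == 3 ? 0 : 1;
}
```

With the old rule (stride taken from sa_len alone) the third record, whose sa_len is 8, would have advanced only 24 bytes and the walk would have resynchronised in the middle of a record; with the rule above the 28-byte IPv6 address is stepped over correctly and the short one still advances by a full struct.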
david
a0b011fa84 Increase the size of passwords.lst from 201 to 5000 entries. 2010-03-25 02:57:56 +00:00
david
15dbb78266 o [NSE] The unpwdb library now has a default time limit on the
usernames and passwords iterators. This will prevent brute force
  scripts from running for a long time when a service is slow. These
  new script arguments control the limits:
    unpwdb.userlimit  Limit on number of usernames.
    unpwdb.passlimit  Limit on number of passwords.
    unpwdb.timelimit  Time limit in seconds.
  Pass 0 for any of these limits to disable it. [David]
2010-03-24 17:36:41 +00:00
david
2684b78ce5 In traceroute, separate the directly connected targets from the rest
before starting. There is a special function that does a trace of
directly connected targets without sending any packets, just by filling
in one hop directly to the target. The traceroute code was only checking
whether the first target in the group was directly connected, and if it
was, it assumed all of them were. Now it filters the list into two and
calls traceroute_direct on one and traceroute_remote on the other.
Fyodor discovered this problem today.
2010-03-23 23:30:36 +00:00
kris
ef61857d6c Mention the use of the NSE raw IP functionality in the qscan.nse log entry
since it's still fresh
2010-03-22 12:32:59 +00:00
kris
918a1bb909 o [NSE] Added the qscan script to repeatedly probe ports on a host to
gather round-trip times for each port.  The script then uses these
  times to group together ports with statistically equivalent RTTs.
  Ports in different groups could be the result of things such as port
  forwarding to hosts behind a NAT.  This is based on work by Doug
  Hoyte. [Kris]
2010-03-21 20:05:31 +00:00
patrik
dd9a237fe2 o [NSE] Added RPC library and three new NFS scripts. Modified the rpcinfo and
nfs-showmount scripts to use the new library. The new scripts are:
  - nfs-acls shows the owner and directory mode of NFS exports
  - nfs-dirlist lists the contents of NFS exports
  - nfs-statfs shows file system statistics for NFS exports
  [Patrik]
2010-03-21 17:56:17 +00:00
kris
7c384d480f o Fixed the Idle Scan (-sI) so that scanning multiple hosts doesn't
retest the zombie proxy and reinitialize all of the associated data
  at the beginning of each run. [Kris]

The underlying code checking for this and for changing proxies goes all the
way back to r1486 (2002) and presumably before, but lastproxy was never filled
in and so was nonfunctional.
2010-03-18 06:21:05 +00:00
david
b7b14216e2 Add jdwp-version.nse from Michael Schierl. 2010-03-18 00:08:30 +00:00
david
68f3bca589 Add new packaging of x64 WinPcap drivers from Rob Nicholls. He observed that
64-bit applications wouldn't work using Nmap's installed WinPcap. This fixes
that.
2010-03-17 05:19:08 +00:00
david
91b2aa680b Regenerate passwords.lst from the combination of these databases:
faithwriters, hotmail, myspace, phpbb, and rockyou. I kept the output at
200 lines for now until we have more comprehensive limits on the unpwdb
module.

The only password that didn't come straight out of the databases was the
empty password. I added it manually at the top. The previous version of
passwords.lst had it too.
2010-03-17 00:25:30 +00:00
david
7d1aa1a634 Add to CHANGELOG:
o [Ncat] The HTTP proxy server now accepts client connections over
  SSL. That means connections to the proxy can be encrypted and
  authenticated. We haven't found any HTTP clients that directly
  support SSL connections to proxies, but you can use Ncat as a tunnel
  to an SSL-supporting Ncat proxy. This new feature was implemented by
  Markus Klinik.
2010-03-15 21:24:35 +00:00
david
2f00ea5cb7 Add smtp-enum-users.nse from Duarte Silva. 2010-03-13 04:03:26 +00:00
kris
599bb361a4 Update ip_is_reserved(): I decided to go through the existing address checks
to verify their correctness and to check more than just the table in
ipv4-address-space.  Beyond comment changes and some code movement:

* 198.51.100.0/24 and 203.0.113.0/24 are reserved by RFC5737 (Jan 2010)
* Fix 198.18.0.0/15, which was implemented wrongly.  This goes back a while
and was handled somewhat like 198.18.0.0/18.
2010-03-13 01:31:11 +00:00
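The /15 versus /18 mistake this commit fixes is a mask-width error, and the difference is easiest to see by testing addresses on either side of it. The block below is an added example, not Nmap's ip_is_reserved; its table holds only the three ranges the commit message names (Nmap's real table is far longer), and the RFC annotations, the ip4 helper and the in_prefix function are mine.

```c
/* Added example, not Nmap's ip_is_reserved: prefix membership against a small
 * table holding only the three ranges named in the commit message (Nmap's own
 * table is far longer). The /15 vs /18 mistake is visible in the numbers:
 * 198.18.0.0/15 spans 198.18.0.0-198.19.255.255, 198.18.0.0/18 stops at
 * 198.18.63.255. RFC numbers in the table are my annotations. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

struct prefix { uint32_t net; int bits; const char *why; };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d;
}

static uint32_t netmask(int bits)
{
    return bits <= 0 ? 0u : (bits >= 32 ? 0xFFFFFFFFu : 0xFFFFFFFFu << (32 - bits));
}

static int in_prefix(uint32_t ip, uint32_t net, int bits)
{
    return ((ip ^ net) & netmask(bits)) == 0;
}

static const struct prefix reserved[] = {
    { 0xC6120000u, 15, "198.18.0.0/15 benchmarking (RFC 2544)" },
    { 0xC6336400u, 24, "198.51.100.0/24 TEST-NET-2 (RFC 5737)" },
    { 0xCB007100u, 24, "203.0.113.0/24 TEST-NET-3 (RFC 5737)" },
};

/* Returns the matching table entry's description, or NULL if not reserved. */
static const char *ip_is_reserved(uint32_t ip)
{
    for (size_t i = 0; i < sizeof reserved / sizeof reserved[0]; i++)
        if (in_prefix(ip, reserved[i].net, reserved[i].bits))
            return reserved[i].why;
    return NULL;
}

int main(void)
{
    uint32_t probes[] = { ip4(198,19,200,1), ip4(198,20,0,1), ip4(203,0,113,9), ip4(8,8,8,8) };
    for (size_t i = 0; i < sizeof probes / sizeof probes[0]; i++) {
        const char *why = ip_is_reserved(probes[i]);
        printf("%u.%u.%u.%u: %s\n",
               (unsigned)(probes[i] >> 24), (unsigned)(probes[i] >> 16) & 255u,
               (unsigned)(probes[i] >> 8) & 255u, (unsigned)probes[i] & 255u,
               why ? why : "not reserved");
    }
    /* the old /18 behaviour: 198.19.200.1 is wrongly treated as routable */
    printf("198.19.200.1 under /18: %d\n", in_prefix(ip4(198,19,200,1), 0xC6120000u, 18));
    return 0;
}
```

The last line of main reproduces the pre-fix behaviour: with an 18-bit mask everything above 198.18.63.255 falls outside the range, so 198.18.64.0 through 198.19.255.255 would have been scanned as ordinary addresses.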
david
bc132b963c Make read_arp_reply_pcap work with a libpcap datalink type of
DLT_LINUX_SLL, as well as the DLT_EN10MB that was formerly supported.
This type is used on some interfaces where Linux doesn't reliably retain
the link-layer header, and when capturing on the "any" device. On such
interfaces, you would get the error

read_arp_reply_pcap called on interfaces that is datatype 113 rather than DLT_EN10MB (1)

For more on this datalink type, see

pcap-linktype(7)
http://wiki.wireshark.org/SLL

I tested this by hacking scan_engine.cc to use the "any" device:

--- scan_engine.cc      (revision 16972)
+++ scan_engine.cc      (working copy)
@@ -4882,7 +4882,7 @@
     }
   }

-  USI->pd = my_pcap_open_live(Targets[0]->deviceName(), 100,  (o.spoofsource)? 1 : 0, pcap_selectable_fd_valid()? 200 : 2);
+  USI->pd = my_pcap_open_live("any" /*Targets[0]->deviceName()*/, 100,  (o.spoofsource)? 1 : 0, pcap_selectable_fd_valid()? 200 : 2);
   if (USI->ping_scan_arp){
     /* Some OSs including Windows 7 and Solaris 10 have been seen to send their
        ARP replies to the broadcast address, not to the (unicast) address that
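Review bot: the replacement line hard-codes the capture device as "any" and comments out Targets[0]->deviceName(), so every target loses its per-interface capture; this is fine for the local test build the message describes but must not be committed as-is. For anyone repeating the test: "any" is exactly what yields the DLT_LINUX_SLL (113) datalink the change to read_arp_reply_pcap is meant to handle, and the message notes the bundled libpcap 1.0.0 cannot open "any" at all (SIOCGIFHWADDR: No such device), so the test needs the newer libpcap from git.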

I had to use a newer version of libpcap from git. The 1.0.0 that we ship
has a bug that keeps "any" from working. You would get SIOCGIFHWADDR: No
such device.
2010-03-12 05:23:50 +00:00
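What the DLT_LINUX_SLL fix has to do, concretely, is start the ARP parse at a different offset and read the protocol field from a different place. The block below is an added example, not Nmap's read_arp_reply_pcap: it parses the same constructed ARP reply wrapped in a 14-byte Ethernet header and in a 16-byte Linux cooked header, and returns -1 for any other datalink type, which is the case the old code rejected with the error quoted above. The header layouts follow pcap-linktype(7); parse_arp_reply, build_frame and the sample bytes are mine.

```c
/* Added example, not Nmap's read_arp_reply_pcap: find and parse an ARP reply
 * under either capture encapsulation. DLT_EN10MB frames start with a 14-byte
 * Ethernet header; DLT_LINUX_SLL ("cooked", what the "any" device produces)
 * frames start with a 16-byte header whose protocol field sits at offset 14.
 * Values follow pcap-linktype(7); both sample frames below are constructed. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DLT_EN10MB    1
#define DLT_LINUX_SLL 113
#define ETHERTYPE_ARP 0x0806
#define ARPOP_REPLY   2

struct arp_reply {
    uint8_t sender_mac[6], sender_ip[4], target_mac[6], target_ip[4];
};

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* 1: ARP reply parsed into *out; 0: not an ARP reply (or too short);
 * -1: datalink type not handled (the error Nmap used to print for 113). */
static int parse_arp_reply(int dlt, const uint8_t *pkt, size_t len, struct arp_reply *out)
{
    size_t hdrlen, proto_off;
    switch (dlt) {
    case DLT_EN10MB:    hdrlen = 14; proto_off = 12; break; /* dst(6) src(6) type(2) */
    case DLT_LINUX_SLL: hdrlen = 16; proto_off = 14; break; /* pkttype(2) hatype(2) halen(2) addr(8) proto(2) */
    default:            return -1;
    }
    if (len < hdrlen + 28 || be16(pkt + proto_off) != ETHERTYPE_ARP)
        return 0;
    const uint8_t *arp = pkt + hdrlen;
    /* htype(2) ptype(2) hlen(1) plen(1) op(2) sha(6) spa(4) tha(6) tpa(4) */
    if (be16(arp) != 1 || be16(arp + 2) != 0x0800 || arp[4] != 6 || arp[5] != 4)
        return 0;
    if (be16(arp + 6) != ARPOP_REPLY)
        return 0;
    memcpy(out->sender_mac, arp + 8,  6);
    memcpy(out->sender_ip,  arp + 14, 4);
    memcpy(out->target_mac, arp + 18, 6);
    memcpy(out->target_ip,  arp + 24, 4);
    return 1;
}

/* Constructed reply: 192.168.0.1 (00:11:22:33:44:55) answering 192.168.0.21. */
static const uint8_t sample_arp[28] = {
    0x00,0x01, 0x08,0x00, 0x06, 0x04, 0x00,0x02,
    0x00,0x11,0x22,0x33,0x44,0x55, 192,168,0,1,
    0x00,0xaa,0xbb,0xcc,0xdd,0xee, 192,168,0,21
};

/* Wrap sample_arp in the requested link-layer header; returns frame length. */
static size_t build_frame(int dlt, uint8_t *buf, size_t cap)
{
    static const uint8_t eth[14] = { 0xff,0xff,0xff,0xff,0xff,0xff,
                                     0x00,0x11,0x22,0x33,0x44,0x55, 0x08,0x06 };
    static const uint8_t sll[16] = { 0x00,0x00, 0x00,0x01, 0x00,0x06,
                                     0x00,0x11,0x22,0x33,0x44,0x55,0x00,0x00, 0x08,0x06 };
    const uint8_t *hdr; size_t hlen;
    if (dlt == DLT_EN10MB)         { hdr = eth; hlen = sizeof eth; }
    else if (dlt == DLT_LINUX_SLL) { hdr = sll; hlen = sizeof sll; }
    else return 0;
    if (cap < hlen + sizeof sample_arp) return 0;
    memcpy(buf, hdr, hlen);
    memcpy(buf + hlen, sample_arp, sizeof sample_arp);
    return hlen + sizeof sample_arp;
}

int main(void)
{
    uint8_t frame[64];
    struct arp_reply r;
    int dlts[2] = { DLT_EN10MB, DLT_LINUX_SLL };
    for (int i = 0; i < 2; i++) {
        memset(&r, 0, sizeof r);
        size_t len = build_frame(dlts[i], frame, sizeof frame);
        int rc = parse_arp_reply(dlts[i], frame, len, &r);
        printf("dlt %d: rc=%d sender %u.%u.%u.%u\n", dlts[i], rc,
               r.sender_ip[0], r.sender_ip[1], r.sender_ip[2], r.sender_ip[3]);
    }
    return 0;
}
```

Feeding a cooked frame to the Ethernet branch is also worth trying: the two bytes at offset 12 are address padding, so the protocol check fails and the reply is silently ignored rather than misparsed, which is the failure you would see if the datalink type were not consulted at all.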
david
19bd7de82c Fix the CHANGELOG notice for the fix for --iflist netmask display. Kris
pointed out that masks /25-/31 were wrong, but not /0.
2010-03-12 00:40:11 +00:00
david
02b1a00bf9 Change the way route_dst works to allow static routes to override
interface addresses and netmasks.

Before, route_dst worked like this:
  1) Check destination address against all interfaces, with special-case
     handling for local addresses.
  2) Check destination address against routing table.

Now it works like this:
  1) Check destination address against local addresses.
  2) Check destination address against routing table.
  3) Check destination address against all interfaces.

This allows a routing table entry to override an interface, for example
in this configuration:

  ************************INTERFACES************************
  DEV  (SHORT) IP/MASK         TYPE     UP MAC
  eth0 (eth0)  192.168.0.21/24 ethernet up 00:00:00:00:00:00

  **************************ROUTES**************************
  DST/MASK       DEV  GATEWAY
  192.168.0.3/32 eth0 192.168.0.1
  192.168.0.0/24 eth0

192.168.0.3 will not be considered directly connected, but will have its
traffic routed through 192.168.0.1.

The logic for determining when an address is directly connected has
changed. Instead of considering an address directly connected whenever
it matches an interface netmask, we consider it so when the gateway
address is 0.0.0.0 or when the gateway address is exactly equal to the
interface address. The proper way to do this would be to look at the "G"
flag from the routing table, but libdnet doesn't retain that.
2010-03-11 20:04:21 +00:00
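The three-step order above, and the gateway-based test for "directly connected", can be run against the exact --iflist configuration in the message. The block below is an added example, not Nmap's route_dst: it encodes that interface and those two routes as constants, performs a local-address check, then a longest-prefix lookup in the routing table, then the interface-netmask fallback, and marks a destination direct only when the route has no gateway or the gateway equals the interface address. The struct names, route_dst, find_iface and lookup are mine.

```c
/* Added example, not Nmap's route_dst: the three-step lookup the commit
 * describes (local address, then routing table by longest prefix, then
 * interface netmasks), with "directly connected" decided by the gateway
 * field rather than the interface mask. The interface and routes are the
 * ones from the commit's --iflist output; the struct names are mine. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

struct iface { const char *dev; uint32_t addr; int bits; };
struct route { uint32_t dst; int bits; const char *dev; uint32_t gw; }; /* gw 0 = none */
struct route_result { const char *dev; uint32_t gw; int direct; };

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{ return (uint32_t)a << 24 | (uint32_t)b << 16 | (uint32_t)c << 8 | (uint32_t)d; }

static int in_prefix(uint32_t ip, uint32_t net, int bits)
{ uint32_t m = bits <= 0 ? 0u : 0xFFFFFFFFu << (32 - bits); return ((ip ^ net) & m) == 0; }

static const struct iface *find_iface(const struct iface *ifs, int n, const char *dev)
{
    for (int i = 0; i < n; i++) if (strcmp(ifs[i].dev, dev) == 0) return &ifs[i];
    return NULL;
}

/* Returns 1 and fills *out if dst is routable, 0 otherwise. */
static int route_dst(uint32_t dst, const struct iface *ifs, int nif,
                     const struct route *rts, int nrt, struct route_result *out)
{
    /* 1) one of our own addresses */
    for (int i = 0; i < nif; i++)
        if (ifs[i].addr == dst) { out->dev = ifs[i].dev; out->gw = 0; out->direct = 1; return 1; }

    /* 2) routing table, longest prefix wins; this is what lets a /32 via a
     *    gateway override the interface's own /24 */
    int best = -1;
    for (int i = 0; i < nrt; i++)
        if (in_prefix(dst, rts[i].dst, rts[i].bits) && (best < 0 || rts[i].bits > rts[best].bits))
            best = i;
    if (best >= 0) {
        const struct iface *ifc = find_iface(ifs, nif, rts[best].dev);
        out->dev = rts[best].dev;
        out->gw = rts[best].gw;
        /* direct iff no gateway, or the gateway is the interface address itself */
        out->direct = (out->gw == 0) || (ifc != NULL && out->gw == ifc->addr);
        return 1;
    }

    /* 3) fall back to interface netmasks */
    for (int i = 0; i < nif; i++)
        if (in_prefix(dst, ifs[i].addr, ifs[i].bits)) { out->dev = ifs[i].dev; out->gw = 0; out->direct = 1; return 1; }
    return 0;
}

/* The commit's configuration, as constants */
static const struct iface ifaces[] = { { "eth0", 0xC0A80015u, 24 } };  /* 192.168.0.21/24 */
static const struct route routes[] = {
    { 0xC0A80003u, 32, "eth0", 0xC0A80001u },  /* 192.168.0.3/32 eth0 via 192.168.0.1 */
    { 0xC0A80000u, 24, "eth0", 0 },            /* 192.168.0.0/24 eth0 on-link */
};

static int lookup(uint32_t dst, struct route_result *out)
{ return route_dst(dst, ifaces, 1, routes, 2, out); }

int main(void)
{
    uint32_t dsts[] = { ip4(192,168,0,3), ip4(192,168,0,5), ip4(192,168,0,21), ip4(10,0,0,1) };
    for (size_t i = 0; i < sizeof dsts / sizeof dsts[0]; i++) {
        struct route_result r = { NULL, 0, 0 };
        int ok = lookup(dsts[i], &r);
        printf("%u.%u.%u.%u: %s dev=%s gw=%08x direct=%d\n",
               (unsigned)(dsts[i] >> 24), (unsigned)(dsts[i] >> 16) & 255u,
               (unsigned)(dsts[i] >> 8) & 255u, (unsigned)dsts[i] & 255u,
               ok ? "route" : "unreachable", ok ? r.dev : "-", (unsigned)r.gw, r.direct);
    }
    return 0;
}
```

With the old ordering, step 3 ran first and 192.168.0.3 matched eth0's /24 before the routing table was consulted, so it was treated as on-link; here the /32 route wins and the result carries gateway 192.168.0.1 with direct = 0, while 192.168.0.5 still resolves to the on-link /24.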
david
e976c2c3b9 Don't call htonl on a netmask before displaying it in --iflist; it's
already in network byte order. This bug made any mask that wasn't /32
appear as /0.
2010-03-11 17:46:27 +00:00
david
934868f3ce Take into account the current SSL desire when decrementing socket
counts. Brandon reported this assertion failure when running http-enum:

nmap: nsock_core.c:199: socket_count_write_dec: Assertion `(iod->writesd_count) > 0' failed.

The problem was that handle_write_result always assumed that if a call
to SSL_write failed with SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE,
that it must have been invoked because the socket was writable (and
hence the write count should be decremented). Because of how
non-blocking sockets work in OpenSSL, it's possible that we called
handle_write_result because a socket became *readable* and thus we
should decrement the read count, not the write count.
2010-03-10 01:30:52 +00:00
patrik
16e0a8449f o Added the function bignum_add to the nse_openssl library to support BIGNUM
addition [Patrik]
2010-03-09 20:54:01 +00:00
patrik
2a44a941af o [NSE] Added checks for missing OpenSSL to MySQL scripts and library [Patrik] 2010-03-09 20:27:48 +00:00
david
020d816537 Change "vladz" to "jlanthea" by his request. 2010-03-06 18:59:03 +00:00
david
39a80f1987 Make --resume work with the new "Nmap scan report " strings. It also
works when there was no reverse DNS resolution, which didn't work with
the old format. This patch is from vladz.
http://seclists.org/nmap-dev/2010/q1/770
2010-03-05 23:46:42 +00:00
david
112f012368 Add the snmp-interfaces script from Thomas Buchanan. 2010-03-05 20:19:04 +00:00
patrik
118e029b0e o [NSE] Added a new library for PostgreSQL and the script pgsql-brute that uses
it to guess credentials. [Patrik]
2010-03-04 19:18:55 +00:00
patrik
a439772d2a o [NSE] Added the script ldap-search which queries a LDAP directory
for either all or a number of pre-defined object types. [Patrik]
2010-03-04 19:07:56 +00:00
david
eb15f3ae27 Update vcredist_x86.exe to version 9.0.30729.4148. Axel Pettinger reported that
the previous version, 9.0.30729.17, causes a Windows Update when installed on
Windows 7 because the old version was the subject of security advisory
MS09-035. See http://seclists.org/nmap-dev/2010/q1/528 for lots of links and
details.

The file I downloaded was from

"Microsoft Visual C++ 2008 Service Pack 1 Redistributable Package ATL Security Update"
http://www.microsoft.com/downloads/details.aspx?familyid=2051a0c1-c9b5-4b0a-a8f5-770a549fd78c&displaylang=en

Specifically,

http://download.microsoft.com/download/9/7/7/977B481A-7BA6-4E30-AC40-ED51EB2028F2/vcredist_x86.exe
2010-03-03 00:25:28 +00:00
david
a90ba28583 Have http-methods.nse highlight "interesting" methods as "potentially
risky" methods. Provide a link to the NSEDoc and to the OWASP page on
methods for more information.
2010-03-02 22:34:11 +00:00
david
a39c302fcc Re-block the socket before sending in subprocess_thread_func. The
WSAEventSelect call we make to find out when the socket is ready for reading
also makes it non-blocking for the purpose of writing. A fast-writing process
could cause a WSAEWOULDBLOCK error. This was reported by David Millis.
2010-03-02 19:24:32 +00:00
david
9fb01bdb3b Add to CHANGELOG:
o [Ncat] Fixed a bug that prevented detecting EOF from stdin on
  Windows. This was reported by Adrian Crenshaw and Andy Zwirko.
  [David]
2010-03-02 06:55:15 +00:00
kris
cb9c2c9a03 Remove duplicate changelog entry, left over from v5.21 rearrange 2010-03-02 01:18:52 +00:00
david
9232479ee7 o [Nsock] WSAEACCES was added to the list of known connect error
codes. This error can happen on Windows when a port is blocked by
  Windows Firewall. Thanks to taemun for reporting this and
  investigating.
2010-03-01 22:39:39 +00:00
david
e89094261d Add json.lua, couchdb-databases.nse, and couchdb-stats.nse, all by
Martin Holst Swende.
2010-02-28 21:25:01 +00:00
david
d9fd52c194 o Fixed the parsing of libdnet DLPI interface names that contain more
than one string of digits. Joe Dietz reported that an interface with
  the name e1000g0 was causing the error message
    Warning: Unable to open interface e1000g0 -- skipping it.
  on Solaris 9. [David]
2010-02-28 19:45:39 +00:00
kris
a42ea72a97 Merge through r16884 from /nmap-exp/kris/nse-rawip plus the following changelog
entries:

o [NSE] Raw packet sending at the IP layer is now supported, in addition to
  the Ethernet sending functionality.  Packets to send start with an IPv4
  header and can be sent to arbitrary hosts. [Kris]

o [NSE] Added the ipidseq script to classify a host's IP ID sequence numbers
  in the same way Nmap does.  This can be used to test hosts' suitability for
  Nmap's Idle Scan (-sI), i.e. check if a host is an idle zombie.  This is
  the first script to use the new raw IP sending functionality in NSE. [Kris]

o [NSE] Added the function nmap.is_privileged() to tell a script if, as far
  as Nmap's concerned, it can do privileged operations.  For instance, this
  can be used to see if a script should be able to open a raw socket or
  Ethernet interface. [Kris]

o [NSE] Added the function nmap.get_ports() to allow a script to iterate
  over a host's port tables matching a certain protocol and state. [Kris,
  Patrick]
2010-02-26 20:42:10 +00:00
david
480394756b Call CloseHandle on the hThread member of the PROCESS_INFORMATION structure we
get back from CreateProcess. We were already closing hProc but hThread has to
be closed too to avoid a handle leak. See the code example at
http://msdn.microsoft.com/en-us/library/ms682512(VS.85).aspx.
2010-02-26 01:57:05 +00:00
david
84a388aeb9 Give datafiles.lua the ability to parse nmap-mac-prefixes, and use it in
nbstat.nse to look up the MAC vendor string.
2010-02-26 00:27:30 +00:00
david
bf612ba7c9 o [NSE] Added the ssl-enum-ciphers script from Mak Kolybabi. This
script lists the ciphers and compressors supported by an SSL/TLS
  server.
2010-02-24 01:33:16 +00:00
david
77119bb4d8 Use the cached value of recv_fd when removing descriptors from the read
and broadcast lists when a connection is broken, instead of re-reading
the descriptor from the fdinfo struct. The problem was that there were
two calls to rm_fd, and the first one invalidated the data that the
struct pointer pointed to.

For some reason this didn't cause any problems in most situations. Mak
Kolybabi reported that it caused a segfault in
	ncat -l --ssl -k -v 5061 > /dev/null < /dev/zero
With SSL, new connections would try to read memory that was previously
freed, as descriptors were not being removed from the broadcast list as
they were removed from the read list.

You can see the error in these debug logs:

NCAT DEBUG: Closing connection.
NCAT DEBUG: Swapping fd[2] (4) with fd[3] (5)
NCAT DEBUG: Removed fd 4 from list, nfds 3, maxfd 5
NCAT DEBUG: Swapping fd[1] (5) with fd[1] (5)
NCAT DEBUG: Removed fd 5 from list, nfds 1, maxfd 4

The "Remove fd X" should have the same X in both lines.
2010-02-23 20:59:31 +00:00
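The stale-pointer mechanism behind those two "Removed fd" lines is worth seeing in isolation. The block below is an added example, not Ncat's code: it builds a swap-remove descriptor list of the kind the debug log shows, a read list [0,3,4,5] and a broadcast list [4,5] (both constructed), and closes fd 4 once through a pointer into the read list that is re-read after the first rm_fd, and once with the descriptor cached first. fd_list, rm_fd, close_conn_buggy and close_conn_fixed are my names.

```c
/* Added example, not Ncat's code: a swap-remove descriptor list like the one
 * the debug log shows ("Swapping fd[2] (4) with fd[3] (5)"), and why a pointer
 * into it goes stale after the first rm_fd. Both lists are constructed. */
#include <stdio.h>
#include <string.h>

#define FDLIST_MAX 8
struct fdinfo { int fd; int ssl; };
struct fd_list { struct fdinfo fds[FDLIST_MAX]; int nfds; };

static int add_fd(struct fd_list *l, int fd, int ssl)
{
    if (l->nfds >= FDLIST_MAX) return -1;
    l->fds[l->nfds].fd = fd;
    l->fds[l->nfds].ssl = ssl;
    l->nfds++;
    return 0;
}

/* Remove fd by swapping the last entry into its slot. Returns the fd removed,
 * or -1 if absent. The slot's contents change: any pointer to it now
 * describes a different connection. */
static int rm_fd(struct fd_list *l, int fd)
{
    for (int i = 0; i < l->nfds; i++) {
        if (l->fds[i].fd != fd) continue;
        l->fds[i] = l->fds[l->nfds - 1];
        l->nfds--;
        return fd;
    }
    return -1;
}

static int has_fd(const struct fd_list *l, int fd)
{
    for (int i = 0; i < l->nfds; i++) if (l->fds[i].fd == fd) return 1;
    return 0;
}

/* Before the fix: info->fd is re-read after the first removal. */
static int close_conn_buggy(struct fd_list *rl, struct fd_list *bl, struct fdinfo *info)
{
    rm_fd(rl, info->fd);
    return rm_fd(bl, info->fd);   /* info now names the swapped-in entry */
}

/* After the fix: cache the descriptor before touching either list. */
static int close_conn_fixed(struct fd_list *rl, struct fd_list *bl, struct fdinfo *info)
{
    int fd = info->fd;
    rm_fd(rl, fd);
    return rm_fd(bl, fd);
}

/* Read list [0,3,4,5], broadcast list [4,5]; close fd 4 through the pointer
 * to its read-list slot. Returns the fd the broadcast list actually lost. */
static int scenario(int use_fix, struct fd_list *bl_out)
{
    struct fd_list rl, bl;
    memset(&rl, 0, sizeof rl);
    memset(&bl, 0, sizeof bl);
    add_fd(&rl, 0, 0); add_fd(&rl, 3, 0); add_fd(&rl, 4, 1); add_fd(&rl, 5, 1);
    add_fd(&bl, 4, 1); add_fd(&bl, 5, 1);
    struct fdinfo *info = &rl.fds[2];   /* fd 4 */
    int removed = use_fix ? close_conn_fixed(&rl, &bl, info)
                          : close_conn_buggy(&rl, &bl, info);
    if (bl_out) *bl_out = bl;
    return removed;
}

int main(void)
{
    struct fd_list bl;
    int lost = scenario(0, &bl);
    printf("buggy: broadcast list lost fd %d, closed fd 4 still listed: %d\n", lost, has_fd(&bl, 4));
    lost = scenario(1, &bl);
    printf("fixed: broadcast list lost fd %d, closed fd 4 still listed: %d\n", lost, has_fd(&bl, 4));
    return 0;
}
```

In the buggy path the broadcast list ends up holding the closed descriptor 4 while the still-open 5 has been dropped, which is the state in which a later broadcast writes to a descriptor whose fdinfo has already been freed.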
david
a67be3d7d1 Take smtp-open-relay.nse out of {"demo"} and into {"discovery",
"intrusive", "external"} following some improvements by Duarte Silva.
2010-02-22 17:52:13 +00:00
patrik
42da3e0ba0 o [NSE] Added a new library for LDAP and two new scripts:
- ldap-brute uses the unpwdb library to guess credentials for LDAP
  - ldap-rootdse retrieves the LDAP root DSA-specific Entry (DSE)
2010-02-21 08:52:44 +00:00
david
9632670762 o The -v and -d options are now handled in the same way. The three
forms are equivalent:
    -v -v -v    -vvv    -v3
    -d -d -d    -ddd    -d3
  Formerly, the -ddd and -v3 forms didn't work. Mak Kolybabi submitted
  a patch.
2010-02-17 19:12:15 +00:00
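One routine that treats the three spellings identically is short enough to show whole. The block below is an added example, not Nmap's option parser: level_from_arg and parse_level are my names, the level cap of 100 is an arbitrary sanity bound, and forms the message does not list, such as "-vv3", are rejected rather than guessed at.

```c
/* Added example, not Nmap's option parser: count a repeatable level flag so
 * that "-v -v -v", "-vvv" and "-v3" all yield 3, and the same for -d.
 * Arguments that do not start with -<letter> are left to other parsing;
 * a malformed form (e.g. "-vv3") makes the whole parse return -1. */
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Level contributed by one argument: 0 if it is not this flag, -1 if it is
 * this flag but malformed, otherwise the count or the explicit number. */
static int level_from_arg(const char *arg, char letter)
{
    if (arg[0] != '-' || arg[1] != letter) return 0;
    const char *p = arg + 1;
    int run = 0;
    while (*p == letter) { run++; p++; }            /* -v, -vv, -vvv ... */
    if (*p == '\0') return run;
    if (run == 1 && isdigit((unsigned char)*p)) {    /* -v3: explicit level */
        char *end;
        long n = strtol(p, &end, 10);
        if (*end == '\0' && n >= 0 && n <= 100) return (int)n;   /* 100: arbitrary cap */
    }
    return -1;
}

/* Sum over argv; returns the total level, or -1 on any malformed argument. */
static int parse_level(int argc, char **argv, char letter)
{
    int total = 0;
    for (int i = 1; i < argc; i++) {
        int l = level_from_arg(argv[i], letter);
        if (l < 0) return -1;
        total += l;
    }
    return total;
}

int main(int argc, char **argv)
{
    printf("verbosity %d, debugging %d\n",
           parse_level(argc, argv, 'v'), parse_level(argc, argv, 'd'));
    return 0;
}
```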
david
6a2598772a Add to CHANGELOG:
o Nping, the packet generation program by Luis MartinGarcia, is now
  included in the Nmap distribution.
2010-02-17 01:59:05 +00:00
ron
1421838d94 Added http-vmware-path-vuln.nse, a script that checks for a path-traversal vulnerability in VMWare (CVE-2009-3733) 2010-02-16 14:42:10 +00:00
patrik
d2e54f0bf2 o [NSE] Added a new library for ASN.1 parsing and adapted the SNMP library to
make use of it. Added 5 scripts that use the new libraries:
  - snmp-netstat shows listening and connected sockets
  - snmp-processes shows process information including name, pid, path and 
    parameters
  - snmp-win32-services shows the names of running Windows services
  - snmp-win32-shares shows the names and path of Windows shares
  - snmp-win32-software shows a list of installed Windows software
  - snmp-win32-users shows a list of local Windows users
2010-02-16 09:15:38 +00:00
david
3f36981440 Qualify an assertion to allow zero-byte writes in Nsock. The assertion
checked that the internal buffer was not empty before a send; I changed
it to have an effect only when at least one byte has been written
already.

Formerly, zero-byte sends such as socket:send("") in NSE would crash
Nmap, for both UDP and TCP. I tested this change on Linux, and for UDP
it sends a zero-byte datagram, and for TCP it sends nothing at all.
2010-02-15 20:21:29 +00:00
patrik
cd0e6496c6 Added a service probe for Logitech SqueezeCenter command line interface 2010-02-15 18:59:29 +00:00
patrik
fe8074c836 Improved PostgreSQL match lines by matching the line of the error to a specific version. 2010-02-13 08:15:58 +00:00
david
3a11dafeaa o Added a mac_addr_next_hop member to the host tables used in NSE.
[Michael Pattrick, kx].
2010-02-13 01:48:59 +00:00