o Add two new Script scan phases:
Script Pre-scanning phase: before any Nmap scan operation, activated by the new "prerule".
Script Post-scanning phase: after all Nmap scan operations, activated by the new "postrule".
o New environment variables:
SCRIPT_PATH
SCRIPT_NAME
SCRIPT_TYPE: the type of the rule that activated the script.
report. It looks like this.
$ ./nmap google.com -sn
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-05-10 23:57 MDT
Nmap scan report for google.com (66.102.7.99)
Host is up (0.073s latency).
Other addresses for google.com (not scanned): 66.102.7.104
rDNS record for 66.102.7.99: lax04s01-in-f99.1e100.net
This replaces the line
Hostname google.com resolves to 2 IPs. Only scanned 66.102.7.99
This establishes a more regular syntax for some options that disable
phases of a scan:
-n no reverse DNS
-Pn no host discovery
-sn no port scan
Also, the -sP was possibly misleading because the 'P' suggests "ping
scan," when you can now do more than just pinging when you disable port
scanning. For example, -sC -sn and -sn -Pn --traceroute make sense.
changes. The first is that Port objects don't allocate memory for
service and RPC results unless that information is set. This reduces the
size of a bare Port from 92 to 40 bytes on my machine. The second change
is that PortList now has the notion of a "default port state," which is
the state of any ports that didn't receive a response. These ports don't
need an allocated Port object, which saves a lot of memory in scans
where most ports didn't get a response.
three. This corresponds to the 2 spaces now used in Ron's
stdnse.format_output function for further levels of indentation. The
first level is still special in that it contains "| " or "|_" rather
than just spaces. Here is example output from before this change:
2049/tcp open rpcbind
8080/tcp open http Apache httpd 2.2.13 ((Fedora))
|_ http-favicon: Unknown favicon MD5: 5A49412557709B4EDF6BBA9A1710B418
|_ html-title: Insecure.Org - Nmap Free Security Scanner, Tools & Hacking res...
|_ http-open-proxy: Proxy might be redirecting requests
8081/tcp open http Apache httpd 2.2.13 ((Fedora))
| html-title: 302 Found
|_ Did not follow redirect to http://seclists.org/
8082/tcp open http Apache httpd 2.2.13 ((Fedora))
|_ html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
|_ http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
Device type: general purpose
[...]
ost script results:
| smb-os-discovery:
| OS: Unix (Samba 3.4.2-0.42.fc11)
| Name: Unknown\Unknown
|_ System time: 2009-11-24 17:18:49 UTC-8
|_ smbv2-enabled: Server doesn't support SMBv2 protocol
And after the change:
2049/tcp open rpcbind
8080/tcp open http Apache httpd 2.2.13 ((Fedora))
|_html-title: Insecure.Org - Nmap Free Security Scanner, Tools & Hacking res...
|_http-favicon: Unknown favicon MD5: 5A49412557709B4EDF6BBA9A1710B418
8081/tcp open http Apache httpd 2.2.13 ((Fedora))
| html-title: 302 Found
|_Did not follow redirect to http://seclists.org/
8082/tcp open http Apache httpd 2.2.13 ((Fedora))
|_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
|_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
Device type: general purpose
...
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.4.2-0.42.fc11)
| Name: Unknown\Unknown
|_ System time: 2009-11-24 17:19:21 UTC-8
|_smbv2-enabled: Server doesn't support SMBv2 protocol
This always goes to XML and grepable output. It goes to normal in
interactive output in verbose mode. The format for printing a down host
is changed slightly:
Nmap scan report for 1.1.1.1 [host down]
LOG_PLAIN or LOG_STDOUT depending on whether o.resolve_all was set, and
just always print to LOG_PLAIN like we do all the other output. This was
the cause of a discrepancy between interactive and normal output
reported at http://seclists.org/nmap-dev/2009/q4/230.
TCP timestamp clock frequency uses large timestamp values, such that
a naive uptime calculation shows a boot time before the epoch. Also
fixed a printf format specifier mismatch that was revealed by the
overflow. Toby Simmons reported the problem and helped with the fix.
first iteration. This can't happen with the current data definitions,
but if it did it would result in memcpy being passed a null pointer.
(memcpy would be asked to do a zero-byte copy, so it would probably be
okay anyway, but it's better to be safe.)
the network distance in SCAN.DS was calculated. Its value can be "L"
for localhost, "D" for a direct connection, "I" for an ICMP TTL
calculation, and "T" for a traceroute hop count. This is mainly for
the benefit of OS integration, when it is sometimes important to
distinguish between DS=1%DC=I (probably the result of forged TTLs)
and DS=1%DC=D (a true one-hop connection.) [David]
o Fixed a log_write call and a pfatal call to use a syntax which is
safer from format strings bugs. This allows Nmap to build with the
gcc -Wformat -Werror=format-security options. [Guillaume Rousse]
a layer 4 protocol used mostly for telephony related applications.
This brings the following new features:
o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
chunk, closed ones an ABORT chunk. This is the SCTP equivalent
of a TCP SYN stealth scan.
o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
closed ports return an ABORT chunk.
o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
INIT chunk packets.
o SCTP-specific IP protocol scan (-sO -p sctp).
o SCTP-specific traceroute support (--traceroute).
o The ability to use the deprecated Adler32 algorithm as specified
in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
o 42 well-known SCTP ports were added to the nmap-services file.
Part of the work on SCTP support was kindly sponsored by
Compass Security AG, Switzerland. [Daniel Roethlisberger]
host, which means that it is either found down or else all
port/script/traceroute/etc. scanning is finished. In r12798 I made it be
updated as soon as DNS resolution happened, to make the status display
"X undergoing Ping Scan" accurate. However the main loop also uses this
variable to count how many addresses have been generated so it knows
when to stop scanning random addresses. If -iR was used, only the first
hostgroup out of all the random addresses would be fully scanned and
then the scan would end. This change fixes that and also makes the
output more like it was pre-r12798; for example, if you had done name
resolution on 1024 hosts with --max-hostgroup 8, and had found the 8th
up host at the 280th one pinged, the output was
Stats: 0:00:29 elapsed; 1016 hosts completed (8 up), 8 undergoing Connect Scan
and is now
Stats: 0:00:29 elapsed; 272 hosts completed (8 up), 8 undergoing Connect Scan
