ability to trick some SSH servers (including at least OpenSSH
4.3p2-9etch3) into not logging the connection. This trick doesn't
seem to work with newer versions of OpenSSH, as my
openssh-server-4.7p1-4.fc8 does log the connection. Without the
stealth advantage, the script has no real benefit over version
detection or the upcoming banner grabbing script. [Fyodor]
duplicating it in every script. This may not be the way we keep doing it, but
it's needed for now to keep from having excessive duplication in the printed
output.
line, not "\n\n", in the SMB and MSRPC scripts and modules. There are newer
versions of these files pending review, so this is just a quick measure to let
me use first paragraphs as summaries rather than first sentences.
This brings in four discrete changes:
1. The widening of ranges for T test expressions in nmap-os-db. Any expressions
that were not already ranges were expanded to cover plus and minus five of
their original values.
2. The normalization of TG expressions in nmap-os-db. Nmap is only capable of
outputting 0x20, 0x40, 0x80, and 0xFF for a TG value, but many fingerprints
had values other than these. They have all been rounded to their nearest
likely value.
3. The elimination of the U1.TOS and IE.TOSI tests (both having to do with type
of service). This was effected by setting their MatchPoints to 0.
4. A cleanup and refactoring of OS fingerprint output code. This should not
have any impact on output, except in one case: when debugging is non-zero or
verbosity is greater than one, and at least one perfect match was found,
Nmap used to print "OS Fingerprint:" before the fingerprint. Now it prints
"TCP/IP fingerprint:" in this case like in all the others.
functions. Previously system DNS resolution was encapulated inside the parallel
DNS function, inside a big if block. Now the if is on the outside and decides
which of the two functions to call.
better example of a version-detection script. I made a few small changes to the
script: shortening long lines and removing some non-functional ones. See
http://seclists.org/nmap-dev/2008/q4/0311.html.
as the "name_confidence" member of a service match. I grepped the whole source
tree and couldn't find any reference to "confidence" besides its declaration
and initialization; it builds fine without it.
do with any malware, just a security vulnerability. It remains in "default" and
"vuln". I think it was in "malware" because it used to be in the old "backdoor"
category.
an argument:
# nmap target --script >/dev/null
nmap: option `--script' requires an argument
You can use --script= but that's weird enough not to need to be mentioned.
