This brings in four discrete changes:
1. The widening of ranges for T test expressions in nmap-os-db. Any expressions
that were not already ranges were expanded to cover plus and minus five of
their original values.
2. The normalization of TG expressions in nmap-os-db. Nmap is only capable of
outputting 0x20, 0x40, 0x80, and 0xFF for a TG value, but many fingerprints
had values other than these. They have all been rounded to their nearest
likely value.
3. The elimination of the U1.TOS and IE.TOSI tests (both having to do with type
of service). This was effected by setting their MatchPoints to 0.
4. A cleanup and refactoring of OS fingerprint output code. This should not
have any impact on output, except in one case: when debugging is non-zero or
verbosity is greater than one, and at least one perfect match was found,
Nmap used to print "OS Fingerprint:" before the fingerprint. Now it prints
"TCP/IP fingerprint:" in this case like in all the others.
to reuse an ACK ping probe from host detection during a SYN port scan. This can
greatly speed up a scan if the SYN scan finds only filtered ports.
One difficulty with implementing this is that not all ping probes are
appropriate for all scan types.
nmap -PA -sU scanme.nmap.org
would cache the ACK ping probe and send ACK pings during the UDP scan. But the
pcap filter for the UDP scan doesn't catch TCP packets, so the replies would
not be noticed and they would show up as dropped pings. Likewise,
nmap -PR -sS 192.168.0.1
would segfault when it tried to use an uninitialized Ethernet descriptor to
send an ARP ping during the SYN scan, which would use raw sockets.
To fix this I added a function pingprobe_is_appropriate that determines whether
a given ping probe is appropriate for the current scan type. If not, the
constructor for HostScanStats just erases the ping probe.
More types of ping probes could be made "appropriate." TCP timing pings work
during a UDP scan if only the pcap filter is expanded to include TCP packets.
within a larger scan. The information is added to the XML host
element like so: [host starttime="1198292349" endtime="1198292370"]
(but of couse with angle brackets rather than square ones). It is
also printed in normal output if -d or "-v -v" are
specified. [Brandon, Kris, Fyodor]
line, since this can differ from the reverse DNS results. It can be
particularly important when doing HTTP tests against virtual hosts.
The data can be accessed from target->HostName() from Nmap proper
and host.targetname from NSE scripts. The NSE HTTP library now uses
this for the Host header. Thanks to Sven Klemm for adding this
useful feature.
