changes. The first is that Port objects don't allocate memory for
service and RPC results unless that information is set. This reduces the
size of a bare Port from 92 to 40 bytes on my machine. The second change
is that PortList now has the notion of a "default port state," which is
the state of any ports that didn't receive a response. These ports don't
need an allocated Port object, which saves a lot of memory in scans
where most ports didn't get a response.
three. This corresponds to the 2 spaces now used in Ron's
stdnse.format_output function for further levels of indentation. The
first level is still special in that it contains "| " or "|_" rather
than just spaces. Here is example output from before this change:
2049/tcp open rpcbind
8080/tcp open http Apache httpd 2.2.13 ((Fedora))
|_ http-favicon: Unknown favicon MD5: 5A49412557709B4EDF6BBA9A1710B418
|_ html-title: Insecure.Org - Nmap Free Security Scanner, Tools & Hacking res...
|_ http-open-proxy: Proxy might be redirecting requests
8081/tcp open http Apache httpd 2.2.13 ((Fedora))
| html-title: 302 Found
|_ Did not follow redirect to http://seclists.org/
8082/tcp open http Apache httpd 2.2.13 ((Fedora))
|_ html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
|_ http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
Device type: general purpose
[...]
ost script results:
| smb-os-discovery:
| OS: Unix (Samba 3.4.2-0.42.fc11)
| Name: Unknown\Unknown
|_ System time: 2009-11-24 17:18:49 UTC-8
|_ smbv2-enabled: Server doesn't support SMBv2 protocol
And after the change:
2049/tcp open rpcbind
8080/tcp open http Apache httpd 2.2.13 ((Fedora))
|_html-title: Insecure.Org - Nmap Free Security Scanner, Tools & Hacking res...
|_http-favicon: Unknown favicon MD5: 5A49412557709B4EDF6BBA9A1710B418
8081/tcp open http Apache httpd 2.2.13 ((Fedora))
| html-title: 302 Found
|_Did not follow redirect to http://seclists.org/
8082/tcp open http Apache httpd 2.2.13 ((Fedora))
|_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
|_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
Device type: general purpose
...
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.4.2-0.42.fc11)
| Name: Unknown\Unknown
|_ System time: 2009-11-24 17:19:21 UTC-8
|_smbv2-enabled: Server doesn't support SMBv2 protocol
This always goes to XML and grepable output. It goes to normal in
interactive output in verbose mode. The format for printing a down host
is changed slightly:
Nmap scan report for 1.1.1.1 [host down]
LOG_PLAIN or LOG_STDOUT depending on whether o.resolve_all was set, and
just always print to LOG_PLAIN like we do all the other output. This was
the cause of a discrepancy between interactive and normal output
reported at http://seclists.org/nmap-dev/2009/q4/230.
TCP timestamp clock frequency uses large timestamp values, such that
a naive uptime calculation shows a boot time before the epoch. Also
fixed a printf format specifier mismatch that was revealed by the
overflow. Toby Simmons reported the problem and helped with the fix.
first iteration. This can't happen with the current data definitions,
but if it did it would result in memcpy being passed a null pointer.
(memcpy would be asked to do a zero-byte copy, so it would probably be
okay anyway, but it's better to be safe.)
the network distance in SCAN.DS was calculated. Its value can be "L"
for localhost, "D" for a direct connection, "I" for an ICMP TTL
calculation, and "T" for a traceroute hop count. This is mainly for
the benefit of OS integration, when it is sometimes important to
distinguish between DS=1%DC=I (probably the result of forged TTLs)
and DS=1%DC=D (a true one-hop connection.) [David]
o Fixed a log_write call and a pfatal call to use a syntax which is
safer from format strings bugs. This allows Nmap to build with the
gcc -Wformat -Werror=format-security options. [Guillaume Rousse]
a layer 4 protocol used mostly for telephony related applications.
This brings the following new features:
o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
chunk, closed ones an ABORT chunk. This is the SCTP equivalent
of a TCP SYN stealth scan.
o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
closed ports return an ABORT chunk.
o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
INIT chunk packets.
o SCTP-specific IP protocol scan (-sO -p sctp).
o SCTP-specific traceroute support (--traceroute).
o The ability to use the deprecated Adler32 algorithm as specified
in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
o 42 well-known SCTP ports were added to the nmap-services file.
Part of the work on SCTP support was kindly sponsored by
Compass Security AG, Switzerland. [Daniel Roethlisberger]
host, which means that it is either found down or else all
port/script/traceroute/etc. scanning is finished. In r12798 I made it be
updated as soon as DNS resolution happened, to make the status display
"X undergoing Ping Scan" accurate. However the main loop also uses this
variable to count how many addresses have been generated so it knows
when to stop scanning random addresses. If -iR was used, only the first
hostgroup out of all the random addresses would be fully scanned and
then the scan would end. This change fixes that and also makes the
output more like it was pre-r12798; for example, if you had done name
resolution on 1024 hosts with --max-hostgroup 8, and had found the 8th
up host at the 280th one pinged, the output was
Stats: 0:00:29 elapsed; 1016 hosts completed (8 up), 8 undergoing Connect Scan
and is now
Stats: 0:00:29 elapsed; 272 hosts completed (8 up), 8 undergoing Connect Scan
scans. This is the code that prints
Host ... appears to be up.
Host ... appears to be down.
Host ... appears to be up ... good.
Host ... appears to be down, skipping it
Except that now these messages are uniform and are
Host ... is up.
Host ... is down.
In addition, the host state --reason information is printed for port
scans just as for ping scans, which appears to have been an oversight
before.
purposes of output. What this means is that the port name will not be
"unknown?" or "ssl/unknown?" if version detection failed to find a match, but
simply "unknown" or "ssl/unknown".
the value of the SEQ.G test (print suitable for submission) was the opposite of
what it should have been. This doesn't matter much because in the case of a
perfect match the submission URL isn't shown and the print itself is not
normally displayed. We want perfect matches with the new SEQ.CI test and the
online submitter will reject them if G=N.
it started by allocating six times the size of the input string because in the
worst case each byte can take up to six bytes when escaped (&#xXX;). It was
wasteful of time because it built the string up with strncat, which pads the
entire destination buffer with null bytes every time it was called. This led to
quadratic time complexity, not linear as expected.
The new version uses the usual strategy of doubling the size of the buffer
whenever it runs out of space. It builds up the string using memcpy, checking
each time that there is space for the new copy.
the same as are used to decide whether to print them in the other
formats. So they will be printed if submission is desirable,
otherwise they are only printed if debuging is enabled or verbosity
is 2 or higher. [Tom Sellers]
