mirror of https://github.com/nmap/nmap.git synced 2025-12-10 09:49:05 +00:00
Commit Graph

259 Commits

Author SHA1 Message Date
david
e2315ae075 Remove the unused Port::owner member. 2009-11-20 20:17:33 +00:00
david
682b8cbc53 Include the reason why a host is down with --reason. It looks like this:
Nmap scan report for 1.2.3.4 [host down, received time-exceeded]
Nmap scan report for 1.2.3.5 [host down, received no-response]
2009-11-16 19:38:37 +00:00
david
300e038aa6 Print host timing information ("Final times for host" and the times
element in XML) even when doing only a ping scan. Don't print the
information if it was never set; i.e., we never measured an RTT to the
target.
2009-11-16 08:36:58 +00:00
david
ecb9aa0565 Print output for down hosts, even when doing scanning past a ping scan.
This always goes to XML and grepable output. It goes to normal in
interactive output in verbose mode. The format for printing a down host
is changed slightly:
Nmap scan report for 1.1.1.1 [host down]
2009-11-16 07:37:01 +00:00
david
2ccb1144da Remove a conditional that printed the "Host is down" line to either
LOG_PLAIN or LOG_STDOUT depending on whether o.resolve_all was set, and
just always print to LOG_PLAIN like we do all the other output. This was
the cause of a discrepancy between interactive and normal output
reported at http://seclists.org/nmap-dev/2009/q4/230.
2009-11-16 04:08:58 +00:00
david
1445ab46a9 Always print out the "Host is up" line with latency, even without
verbosity.
2009-10-27 22:57:50 +00:00
david
779b6cec2e Don't print out a "Host not scanned" line when doing list scan. 2009-10-27 22:49:23 +00:00
david
3889091495 Add a cast to silence a compiler warning. 2009-10-27 19:42:19 +00:00
david
398e53b3de Keep track of the list of addresses a name resolved to, and print out
how many there were if there were more than one.
2009-10-27 06:08:04 +00:00
david
030411ffd8 Don't repeat the host name and IP address in "Host is up/down" messages.
Don't print the "Nmap scan report" header if there's nothing to put
under it.
2009-10-27 05:26:40 +00:00
david
d837d751bc Don't print an rDNS record if it is blank. 2009-10-26 21:17:13 +00:00
david
01f70c5432 Write an "Nmap scan report" heading before scan results. It includes the
reverse DNS if it differs from the forward hostname.
2009-10-26 19:09:56 +00:00
david
719d9c9442 Add the user's specified host name to XML output, if available. It looks
like this:

<hostnames>
<hostname name="openbsd.org" type="user"/>
<hostname name="cvs.openbsd.org" type="PTR"/>
</hostnames>
2009-10-24 01:01:08 +00:00
david
f037a4828c Remove some dead code. 2009-10-23 23:48:14 +00:00
david
c66cf4f568 Fix some output I missed cleaning up after indent. 2009-10-23 23:45:55 +00:00
david
6ac2ec8a77 Reindent output.cc. 2009-10-23 23:44:17 +00:00
david
d0a1bd3001 Print the proto attribute ("tcp", "udp", etc.) along with the port
number in the XML output for traceroute.
2009-09-28 20:12:46 +00:00
david
45b783c573 Print "--" for the RTT of traceroute hops if the RTT is unknown. This
can only happen in the case of a directly connected target with no ping
or port scan responses, like
nmap -PN -sP --send-ip --traceroute <target>
2009-09-17 15:11:20 +00:00
david
577a1be0e7 Merge from svn://svn.insecure.org/nmap-exp/david/nmap-traceroute. This
brings in a new, faster, parallel version of traceroute.
2009-09-17 00:03:46 +00:00
david
b40356ed3f Fixed an integer overflow that could occur when a target with a low
TCP timestamp clock frequency uses large timestamp values, such that
a naive uptime calculation shows a boot time before the epoch. Also
fixed a printf format specifier mismatch that was revealed by the
overflow. Toby Simmons reported the problem and helped with the fix.
2009-09-10 18:03:18 +00:00
david
6bd9760f3b In xml_convert, handle the case when repl is the empty string on the
first iteration. This can't happen with the current data definitions,
but if it did it would result in memcpy being passed a null pointer.
(memcpy would be asked to do a zero-byte copy, so it would probably be
okay anyway, but it's better to be safe.)
2009-08-24 18:10:12 +00:00
david
4c6bafb3fa o There is a new OS detection pseudo-test, SCAN.DC, which records how
  the network distance in SCAN.DS was calculated. Its value can be "L"
  for localhost, "D" for a direct connection, "I" for an ICMP TTL
  calculation, and "T" for a traceroute hop count. This is mainly for
  the benefit of OS integration, when it is sometimes important to
  distinguish between DS=1%DC=I (probably the result of forged TTLs)
  and DS=1%DC=D (a true one-hop connection.) [David]
2009-08-23 23:58:28 +00:00
josh
df71e36084 Updated uses of the ctype function to support explicit casting of the arguments
to (int)(unsigned char).
2009-08-06 15:10:00 +00:00
fyodor
1736dde56c Applied patch:
o Fixed a log_write call and a pfatal call to use a syntax which is
  safer from format strings bugs.  This allows Nmap to build with the
  gcc -Wformat -Werror=format-security options. [Guillaume Rousse]
2009-07-19 07:23:32 +00:00
fyodor
e033940fa1 when the normal 8192-byte write buffer for log_write isn't big enough, we previously jumped it to 1,228,800 bytes. It turns out even that isn't enough in some cases, like the guy who just wrote me that was using '-p1-65535 -d6 -vvv -oA remotehost'. Sheesh. I had another person report the same sort of thing recently. So I'm upping it to 4MB. That ought to be enough for anybody :). On UNIX, vsnprintf is nice enough to tell us how much space we will need and so we don't have to worry about this. I also updated the error message to ask people to report it to nmap-dev rather than to me specifically 2009-07-18 09:53:08 +00:00
david
d8925b3c11 Rename the o.pingscan variable to o.noportscan to reflect its true
purpose. Make o.listscan imply o.noportscan to simplify some conditions.
2009-07-17 01:02:57 +00:00
ithilgore
5016893ab8 Fixed another typo in a comment. 2009-06-28 17:44:07 +00:00
ithilgore
aca370f88d Fixed typos with vsnprintf (was vnsprintf). 2009-06-28 17:33:35 +00:00
daniel
50830f7488 o Added initial SCTP port scanning support to Nmap. SCTP is
  a layer 4 protocol used mostly for telephony related applications.
  This brings the following new features:
  o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
    chunk, closed ones an ABORT chunk.  This is the SCTP equivalent
    of a TCP SYN stealth scan.
  o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
    closed ports return an ABORT chunk.
  o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
    INIT chunk packets.
  o SCTP-specific IP protocol scan (-sO -p sctp).
  o SCTP-specific traceroute support (--traceroute).
  o The ability to use the deprecated Adler32 algorithm as specified
    in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
  o 42 well-known SCTP ports were added to the nmap-services file.
  Part of the work on SCTP support was kindly sponsored by
  Compass Security AG, Switzerland.  [Daniel Roethlisberger]
2009-06-03 23:15:45 +00:00
jah
99c4008c03 Disable traceroute when -6 is requested. Before this, it was possible to reach
traceroute() with IPv6 targets if a ping scan was requested.
2009-06-03 21:39:53 +00:00
david
fac82a011b Only increment o.numhosts_scanned when we have truly finished scanning a
host, which means that it is either found down or else all
port/script/traceroute/etc. scanning is finished. In r12798 I made it be
updated as soon as DNS resolution happened, to make the status display
"X undergoing Ping Scan" accurate. However the main loop also uses this
variable to count how many addresses have been generated so it knows
when to stop scanning random addresses. If -iR was used, only the first
hostgroup out of all the random addresses would be fully scanned and
then the scan would end. This change fixes that and also makes the
output more like it was pre-r12798; for example, if you had done name
resolution on 1024 hosts with --max-hostgroup 8, and had found the 8th
up host at the 280th one pinged, the output was
Stats: 0:00:29 elapsed; 1016 hosts completed (8 up), 8 undergoing Connect Scan
and is now
Stats: 0:00:29 elapsed; 272 hosts completed (8 up), 8 undergoing Connect Scan
2009-05-04 22:59:35 +00:00
david
b4243e23f2 Fix all the compiler warnings when building with Visual C++ 2008. 2009-04-29 17:56:30 +00:00
fyodor
d0e21e1d03 Suggest that people send patches to nmap-dev rather than to me directly 2009-04-15 00:37:03 +00:00
fyodor
b9d845b9ab Change 10 to 10.0 in pow() calls to make it clear that it is a double 2009-03-31 22:29:03 +00:00
david
16121b372c Add a round trip time estimate to host status lines. It looks like
Host scanme.nmap.org (64.13.134.52) is up (0.071s latency).
2009-03-31 21:21:36 +00:00
david
d1a77bb85e Simplify and combine the write_host_status code for ping scan and port
scans. This is the code that prints
	Host ... appears to be up.
	Host ... appears to be down.
	Host ... appears to be up ... good.
	Host ... appears to be down, skipping it
Except that now these messages are uniform and are
	Host ... is up.
	Host ... is down.
In addition, the host state --reason information is printed for port
scans just as for ping scans, which appears to have been an oversight
before.
2009-03-31 19:57:25 +00:00
fyodor
eccc235d5a Increase copyright year to 2009, simplify/reword some derivative works text, and remove a confusing clause about selling proprietary front-ends to Nmap 2009-03-31 04:16:12 +00:00
david
5ed0e17ea0 Treat a service named "unknown" as if it were not named in nmap-services for
purposes of output. What this means is that the port name will not be
"unknown?" or "ssl/unknown?" if version detection failed to find a match, but
simply "unknown" or "ssl/unknown".
2009-03-03 18:56:21 +00:00
david
6a6d18df6f Fix a bug in the printing of OS fingerprints. When a perfect match was found,
the value of the SEQ.G test (print suitable for submission) was the opposite of
what it should have been. This doesn't matter much because in the case of a
perfect match the submission URL isn't shown and the print itself is not
normally displayed. We want perfect matches with the new SEQ.CI test and the
online submitter will reject them if G=N.
2009-02-25 17:44:37 +00:00
david
aaaed61c52 Improve the efficiency of xml_convert. The old version was wasteful of space;
it started by allocating six times the size of the input string because in the
worst case each byte can take up to six bytes when escaped (&#xXX;). It was
wasteful of time because it built the string up with strncat, which pads the
entire destination buffer with null bytes every time it was called. This led to
quadratic time complexity, not linear as expected.

The new version uses the usual strategy of doubling the size of the buffer
whenever it runs out of space. It builds up the string using memcpy, checking
each time that there is space for the new copy.
2009-02-08 05:28:38 +00:00
fyodor
a8ff6858b4 o The conditions for printing OS fingerprints to XML output are now
  the same as are used to decide whether to print them in the other
  formats. So they will be printed if submission is desirable,
  otherwise they are only printed if debugging is enabled or verbosity
  is 2 or higher. [Tom Sellers]
2009-02-01 21:08:39 +00:00
kris
20ec1c416e o An "elapsed" attribute has been added to the XML output, representing
  the total scan time in seconds (floating point).
2009-01-05 05:57:35 +00:00
david
c561222685 Fix spelling in some identifiers. wierd_responses -> weird_responses,
printStatsIfNeccessary -> printStatsIfNecessary.
2008-12-04 17:04:48 +00:00
david
4ff30d9b99 Show a warning whenever raw socket sending is attempted on Windows--not just
when using --send-ip.
2008-11-24 17:52:25 +00:00
david
47c268568d Use the math function floor instead of casting to an int to truncate OS scan
match percentages. Casting to an int rounds (0.98 * 100) to 97 on some
architectures.
2008-11-20 17:03:11 +00:00
david
a4f6dc6b6e Merge from /nmap-exp/david/nmap-os.
This brings in four discrete changes:

1. The widening of ranges for T test expressions in nmap-os-db. Any expressions
   that were not already ranges were expanded to cover plus and minus five of
   their original values.
2. The normalization of TG expressions in nmap-os-db. Nmap is only capable of
   outputting 0x20, 0x40, 0x80, and 0xFF for a TG value, but many fingerprints
   had values other than these. They have all been rounded to their nearest
   likely value.
3. The elimination of the U1.TOS and IE.TOSI tests (both having to do with type
   of service). This was effected by setting their MatchPoints to 0.
4. A cleanup and refactoring of OS fingerprint output code. This should not
   have any impact on output, except in one case: when debugging is non-zero or
   verbosity is greater than one, and at least one perfect match was found,
   Nmap used to print "OS Fingerprint:" before the fingerprint. Now it prints
   "TCP/IP fingerprint:" in this case like in all the others.
2008-10-31 22:46:07 +00:00
david
0d372367c0 Remove "\r\r" in script output. If you print "\r\n", the Windows C library will
transform it to "\r\r\n". So we just print "\n" with no special case for
Windows.
2008-09-12 21:33:14 +00:00
david
20853ec49f Make xml_convert escape any character > 0x7F, and use xml_convert to escape the
value of the "args" attribute.

On Windows, I created a user account with the name "Kurt Gödel". When I ran a
scan in Zenmap, Nmap created a temporary XML file that started like

<?xml version="1.0" ?>
<?xml-stylesheet href="nmap.xsl" type="text/xsl"?>
<!-- Nmap 4.75 scan initiated Wed Sep 10 11:16:58 2008 as: nmap -T4 -F -oX c:\docume~1\kurtgö~1\locals~1\temp\zenmap-bcbuy6.xml 192.168.0.1 -->
<nmaprun scanner="nmap" args="nmap -T4 -F -oX c:\docume~1\kurtgö~1\locals~1\temp\zenmap-bcbuy6.xml 192.168.0.1" start="1221067018" startstr="Wed Sep 10 11:16:58 2008" version="4.75" xmloutputversion="1.02">

Notice the ö characters in the file names. They were not in UTF-8 but probably
whatever the filesystem encoding is. Because Nmap's XML does not declare an
encoding, it defaults to UTF-8, meaning this particular file was not even
well-formed. In Zenmap it caused a crash like

CRASH REPORTED:
SYS.PLATFORM: win32
OS.NAME: nt
Zenmap Version: 4.75
TRACEBACK:
Traceback (most recent call last):
  File "C:\cygwin\home\david\nmap\zenmap\zenmapGUI\ScanNotebook.py", line 387, in verify_execution
    self.load_from_command(scan)
  File "C:\cygwin\home\david\nmap\zenmap\zenmapGUI\ScanNotebook.py", line 400, in load_from_command
    parsed = self._parse(command.get_xml_output_filename())
  File "C:\cygwin\home\david\nmap\zenmap\zenmapGUI\ScanNotebook.py", line 444, in _parse
    parsed.parse_file(file_to_parse)
  File "C:\cygwin\home\david\nmap\zenmap\zenmapCore\NmapParser.py", line 749, in parse_file
    self.parse(f)
  File "C:\cygwin\home\david\nmap\zenmap\zenmapCore\NmapParser.py", line 743, in parse
    self.parser.parse(f)
  File "c:\Python25\lib\xml\sax\expatreader.py", line 107, in parse
    xmlreader.IncrementalParser.parse(self, source)
  File "c:\Python25\lib\xml\sax\xmlreader.py", line 123, in parse
    self.feed(buffer)
  File "c:\Python25\lib\xml\sax\expatreader.py", line 211, in feed
    self._err_handler.fatalError(exc)
  File "c:\Python25\lib\xml\sax\handler.py", line 38, in fatalError
    raise exception
SAXParseException: c:\docume~1\kurtgö~1\locals~1\temp\zenmap-bcbuy6.xml:3:92: not well-formed (invalid token)

Plus Internet Explorer wouldn't even open it.

This change escapes the XML so it looks like

<?xml version="1.0" ?>
<?xml-stylesheet href="nmap.xsl" type="text/xsl"?>
<!-- Nmap 4.75 scan initiated Wed Sep 10 11:52:19 2008 as: nmap -PE -PA21,23,80,3389 -A -v -T4 -oX c:\docume~1\kurtg&#xF6;~1\locals~1\temp\zenmap-zih7f5.xml 192.168.0.1 -->
<nmaprun scanner="nmap" args="nmap -PE -PA21,23,80,3389 -A -v -T4 -oX c:\docume~1\kurtg&#xF6;~1\locals~1\temp\zenmap-zih7f5.xml 192.168.0.1" start="1221069139" startstr="Wed Sep 10 11:52:19 2008" version="4.75" xmloutputversion="1.02">
2008-09-10 18:32:35 +00:00
david
0a64626a4c Change the output label "Uptime" to "Uptime guess" and print it only in verbose
mode.
2008-08-26 17:40:19 +00:00
michael
931285f765 Updated DTD, XML version, and added scanflags attribute to scaninfo element. 2008-08-13 00:59:22 +00:00