Many scripts were documented as using timespecs (10s, 5000ms, etc) for
timeout script-args, but one 1 or 2 actually did. Now all timeout
script-args will accept timespecs, except those which took a number of
milliseconds, which remain unchanged.
Also fixed some documentation issues (missing script name in arg
description, missing nsedoc for args, etc)
Kenneth Frazier reported that sometimes Nmap would use name servers from
inactive interfaces. Let's try checking the interface GUIDs against
those known by libpcap.
http://seclists.org/nmap-dev/2013/q1/292
Service Location Protocol version 2 specified by RFC 2608. Partially
implemented by srvloc.lua library. Probe checks for
service:service-agent, which should be implemented by all Service Agents
(servers). Match line only matches version 2, since I don't have any
other versions to test. Expect we will get more service fingerprints to
clarify.
I don't find anywhere in the history where this value has ever varied.
This is an old post from Doug where he mentions possibly different
values, but they appear to have been unused.
http://seclists.org/nmap-dev/2006/q1/147
Changed two existing match lines to softmatches as they were triggering against messages instructing the client to change protocols to SSL. This was preventing nmap from checking the service on SSL as it though a match was found. See http://seclists.org/nmap-dev/2013/q1/280
We never intend to ask for a service on a port other than the one we
connect to. By my reading of RFC 2616 section 14.23, we can leave the
port number off in this case. Robin Wood reported that
https://twitter.com/ gives you a redirect instead of a page if you send
it
Host: twitter.com:443
rather than
Host: twitter.com
http://seclists.org/nmap-dev/2013/q1/267
This prevents potentially reading (and buffering) every input host while
looking for more targets to fill up the current hostgroup. One of the
criteria that can split hostgroups is interface. Suppose you have an
input list of targets whose interfaces are
eth0 eth0 eth0 wlan0 wlan0 wlan0 wlan0 wlan0 wlan0...
The first three eth0 will go in the first group, and then the following
wlan0 will start to be buffered while we look for more eth0. But we will
only look ahead 64 targets, then go ahead and scan the three eth0.
This allows some targets to be skipped over yet remembered so they can
be dealt with later. The idea is that because ping groups are not
allowed
to have duplicate IPs, we continue searching for non-duplicates in order
to fill up a ping group, then return to what were formerly duplicates.
This prevents potentially large ping groups from being split into small
groups.
For example, if the list of targets is
A B C D A B E A F G
the ping groups used to be
(A B C D) (A B E) (A F G)
but now they are
(A B C D E F G) (A B) (A]
A similar thing can be done for port scan hostgroups, but this already
does most of the work because ping groups are generally bigger than
hostgroups and have pretty much the same restrictions.
Apparently SCTP can't have the same kind of half-open sockets that TCP
has. When one direction is closed, we can't do anything further with the
socket.
http://seclists.org/nmap-dev/2013/q1/227
This eliminates the ambiguity that could exist when, say, both o.udp and
o.sctp were both set. The code would use whichever it happened to test
first. This also makes TCP mode explicit with IPPROTO_TCP.
At high scan rates, there was nothing to prevent trying to set or clear
socket descriptors above FD_SETSIZE, which is usually around 1024. I got
a reliable assertion failures with the command
nmap -sT -p- --min-rate 100000 scanme.nmap.org
The problem only affected -sT scans. A similar protection was added to
Nsock in r15808.
Fixed a bug that prevented Nmap from finding any interfaces when one
of them had the type ARP_HDR_APPLETALK; this was the case for
AppleTalk interfaces. However, This support is not complete
since AppleTalk interfaces use different size hardware addresses
than Ethernet. Nmap IP level scans should work without any problem,
please refer to the '--send-ip' switch and to the following thread:
http://seclists.org/nmap-dev/2013/q1/214
This bug was reported by Steven Gregory Johnson on IRC.
Compare to this similar test in Nmap's scan_engine.cc:
if (scantype != CONNECT_SCAN && Targets[0]->ifType() == devt_loopback) {
log_write(LOG_STDOUT, "Skipping %s against %s because Windows does not support scanning your own machine (localhost) this way.\n", scantype2str(scantype), Targets[0]->NameIP());
return;
}
rndbit made a report--unfortunately we con't fix it, but we can make the
error message clearer.
http://seclists.org/nmap-dev/2013/q1/187
