DiabloHorn on #nmap noticed that Nmap was ignoring ICMP Time Exceeded
messages while trying to map firewall rules using --ttl.
get_pcap_result() was handling ICMP type 3 (Destination Unreachable),
but not type 11 (Time Exceeded). Now ports that elicit this response
will be marked filtered (to be consistent with existing Connect scan
behavior) and will report time-exceeded from (IP) for the reason.
This was not a common issue, since host discovery already accounted for
it. Port scans would only be affected when skipping host discovery.
Similar changes to r30653, but may break compatibility with people using
integer millisecond values, which are now treated as number of seconds.
To get same behavior, use ms after number, e.g. 5000 becomes 5000ms or
5s
Many scripts were documented as using timespecs (10s, 5000ms, etc) for
timeout script-args, but one 1 or 2 actually did. Now all timeout
script-args will accept timespecs, except those which took a number of
milliseconds, which remain unchanged.
Also fixed some documentation issues (missing script name in arg
description, missing nsedoc for args, etc)
Kenneth Frazier reported that sometimes Nmap would use name servers from
inactive interfaces. Let's try checking the interface GUIDs against
those known by libpcap.
http://seclists.org/nmap-dev/2013/q1/292
Service Location Protocol version 2 specified by RFC 2608. Partially
implemented by srvloc.lua library. Probe checks for
service:service-agent, which should be implemented by all Service Agents
(servers). Match line only matches version 2, since I don't have any
other versions to test. Expect we will get more service fingerprints to
clarify.
I don't find anywhere in the history where this value has ever varied.
This is an old post from Doug where he mentions possibly different
values, but they appear to have been unused.
http://seclists.org/nmap-dev/2006/q1/147
Changed two existing match lines to softmatches as they were triggering against messages instructing the client to change protocols to SSL. This was preventing nmap from checking the service on SSL as it though a match was found. See http://seclists.org/nmap-dev/2013/q1/280
We never intend to ask for a service on a port other than the one we
connect to. By my reading of RFC 2616 section 14.23, we can leave the
port number off in this case. Robin Wood reported that
https://twitter.com/ gives you a redirect instead of a page if you send
it
Host: twitter.com:443
rather than
Host: twitter.com
http://seclists.org/nmap-dev/2013/q1/267
This prevents potentially reading (and buffering) every input host while
looking for more targets to fill up the current hostgroup. One of the
criteria that can split hostgroups is interface. Suppose you have an
input list of targets whose interfaces are
eth0 eth0 eth0 wlan0 wlan0 wlan0 wlan0 wlan0 wlan0...
The first three eth0 will go in the first group, and then the following
wlan0 will start to be buffered while we look for more eth0. But we will
only look ahead 64 targets, then go ahead and scan the three eth0.
This allows some targets to be skipped over yet remembered so they can
be dealt with later. The idea is that because ping groups are not
allowed
to have duplicate IPs, we continue searching for non-duplicates in order
to fill up a ping group, then return to what were formerly duplicates.
This prevents potentially large ping groups from being split into small
groups.
For example, if the list of targets is
A B C D A B E A F G
the ping groups used to be
(A B C D) (A B E) (A F G)
but now they are
(A B C D E F G) (A B) (A]
A similar thing can be done for port scan hostgroups, but this already
does most of the work because ping groups are generally bigger than
hostgroups and have pretty much the same restrictions.
