Previously this would be omitted if the service was not otherwise
discovered, and the port it was on was not in nmap-services. (There was
not problem if the port was present in nmap-services with a name of
"unknown".)
This avoids a failure when writing long strings on Windows. Previously
we tried only one reallocation of the write buffer, and panicked if that
failed.
http://seclists.org/nmap-dev/2012/q1/514
svn merge --ignore-ancestry svn://svn.insecure.org/nmap@26621 svn://svn.insecure.org/nmap-exp/luis/nmap-os6
This is the IPv6 OS detection branch. "nmap -6 -O" works now, though at
this point it only prints fingerprints and not OS guesses, because we
need to collect more submissions.
hostcmp is documented to determine whether "a and b are considered the
same hostnames." But what it's really doing is testing whether a
contains b. This isn't even symmetric, so I think it's wrong.
returning floating-point seconds. Everywhere o.TimeSinceStartMS was
called, the return value was being divided by 1000.0, which had the same
effect but would overflow when the difference exceeded about 25 days
(2^31 milliseconds). This patch is by Daniel Miller.
quoting of whitespace using double quotes and backslashes. This
allows recovering the original command line array even when
arguments contain whitespace. [David]
referencing deallocated memory.
The class was defined basically as follows:
class ScriptResult
{
private:
std::string output;
public:
std::string get_output() const
{
return this->output;
}
};
The problem was when it was used like this, as in our script output
routines:
const char *s = sr.get_output().c_str();
printf("%s\n", s);
The reason is that the temporary std::string returned by get_output goes
out of scope after the line containing it, which invalidates the memory
pointed to by c_str(). By the time of the printf, s may be pointing to
deallocated memory.
This could have been fixed by returning a const reference that would
remain valid as long as the ScriptResult's output member is valid:
const std::string& get_output() const
{
return this->output;
}
However I noticed that get_output() was always immediately followed by a
c_str(), so I just had get_output return that instead, which has the
same period of validity.
This problem became visiable when compiling with Visual C++ 2010. The
first four bytes of script output in normal output would be garbage
(probably some kind of free list pointer). It didn't happen in XML
output, because the get_output-returned string happened to remain in
scope during that.
* Adding path-mtu.nse for Path MTU Discovery
* Nmap now stores the MTU for interfaces (from SIOCGIFMTU or libdnet)
* Scripts can access the MTU for host.interface via host.interface_mtu
* Nmap prints the MTU for interfaces in --iflist
o Add two new Script scan phases:
Script Pre-scanning phase: before any Nmap scan operation, activated by the new "prerule".
Script Post-scanning phase: after all Nmap scan operations, activated by the new "postrule".
o New environment variables:
SCRIPT_PATH
SCRIPT_NAME
SCRIPT_TYPE: the type of the rule that activated the script.
report. It looks like this.
$ ./nmap google.com -sn
Starting Nmap 5.30BETA1 ( http://nmap.org ) at 2010-05-10 23:57 MDT
Nmap scan report for google.com (66.102.7.99)
Host is up (0.073s latency).
Other addresses for google.com (not scanned): 66.102.7.104
rDNS record for 66.102.7.99: lax04s01-in-f99.1e100.net
This replaces the line
Hostname google.com resolves to 2 IPs. Only scanned 66.102.7.99
This establishes a more regular syntax for some options that disable
phases of a scan:
-n no reverse DNS
-Pn no host discovery
-sn no port scan
Also, the -sP was possibly misleading because the 'P' suggests "ping
scan," when you can now do more than just pinging when you disable port
scanning. For example, -sC -sn and -sn -Pn --traceroute make sense.
changes. The first is that Port objects don't allocate memory for
service and RPC results unless that information is set. This reduces the
size of a bare Port from 92 to 40 bytes on my machine. The second change
is that PortList now has the notion of a "default port state," which is
the state of any ports that didn't receive a response. These ports don't
need an allocated Port object, which saves a lot of memory in scans
where most ports didn't get a response.
three. This corresponds to the 2 spaces now used in Ron's
stdnse.format_output function for further levels of indentation. The
first level is still special in that it contains "| " or "|_" rather
than just spaces. Here is example output from before this change:
2049/tcp open rpcbind
8080/tcp open http Apache httpd 2.2.13 ((Fedora))
|_ http-favicon: Unknown favicon MD5: 5A49412557709B4EDF6BBA9A1710B418
|_ html-title: Insecure.Org - Nmap Free Security Scanner, Tools & Hacking res...
|_ http-open-proxy: Proxy might be redirecting requests
8081/tcp open http Apache httpd 2.2.13 ((Fedora))
| html-title: 302 Found
|_ Did not follow redirect to http://seclists.org/
8082/tcp open http Apache httpd 2.2.13 ((Fedora))
|_ html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
|_ http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
Device type: general purpose
[...]
ost script results:
| smb-os-discovery:
| OS: Unix (Samba 3.4.2-0.42.fc11)
| Name: Unknown\Unknown
|_ System time: 2009-11-24 17:18:49 UTC-8
|_ smbv2-enabled: Server doesn't support SMBv2 protocol
And after the change:
2049/tcp open rpcbind
8080/tcp open http Apache httpd 2.2.13 ((Fedora))
|_html-title: Insecure.Org - Nmap Free Security Scanner, Tools & Hacking res...
|_http-favicon: Unknown favicon MD5: 5A49412557709B4EDF6BBA9A1710B418
8081/tcp open http Apache httpd 2.2.13 ((Fedora))
| html-title: 302 Found
|_Did not follow redirect to http://seclists.org/
8082/tcp open http Apache httpd 2.2.13 ((Fedora))
|_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
|_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
Device type: general purpose
...
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.4.2-0.42.fc11)
| Name: Unknown\Unknown
|_ System time: 2009-11-24 17:19:21 UTC-8
|_smbv2-enabled: Server doesn't support SMBv2 protocol
This always goes to XML and grepable output. It goes to normal in
interactive output in verbose mode. The format for printing a down host
is changed slightly:
Nmap scan report for 1.1.1.1 [host down]
LOG_PLAIN or LOG_STDOUT depending on whether o.resolve_all was set, and
just always print to LOG_PLAIN like we do all the other output. This was
the cause of a discrepancy between interactive and normal output
reported at http://seclists.org/nmap-dev/2009/q4/230.
