three. This corresponds to the 2 spaces now used in Ron's
stdnse.format_output function for further levels of indentation. The
first level is still special in that it contains "| " or "|_" rather
than just spaces. Here is example output from before this change:
2049/tcp open rpcbind
8080/tcp open http Apache httpd 2.2.13 ((Fedora))
|_ http-favicon: Unknown favicon MD5: 5A49412557709B4EDF6BBA9A1710B418
|_ html-title: Insecure.Org - Nmap Free Security Scanner, Tools & Hacking res...
|_ http-open-proxy: Proxy might be redirecting requests
8081/tcp open http Apache httpd 2.2.13 ((Fedora))
| html-title: 302 Found
|_ Did not follow redirect to http://seclists.org/
8082/tcp open http Apache httpd 2.2.13 ((Fedora))
|_ html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
|_ http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
Device type: general purpose
[...]
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.4.2-0.42.fc11)
| Name: Unknown\Unknown
|_ System time: 2009-11-24 17:18:49 UTC-8
|_ smbv2-enabled: Server doesn't support SMBv2 protocol
And after the change:
2049/tcp open rpcbind
8080/tcp open http Apache httpd 2.2.13 ((Fedora))
|_html-title: Insecure.Org - Nmap Free Security Scanner, Tools & Hacking res...
|_http-favicon: Unknown favicon MD5: 5A49412557709B4EDF6BBA9A1710B418
8081/tcp open http Apache httpd 2.2.13 ((Fedora))
| html-title: 302 Found
|_Did not follow redirect to http://seclists.org/
8082/tcp open http Apache httpd 2.2.13 ((Fedora))
|_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
|_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
Device type: general purpose
...
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.4.2-0.42.fc11)
| Name: Unknown\Unknown
|_ System time: 2009-11-24 17:19:21 UTC-8
|_smbv2-enabled: Server doesn't support SMBv2 protocol
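As an added illustration (my own Python, not Ron's Lua stdnse.format_output), here is a small renderer that applies the rules stated above: "| " or "|_" only on the first level, two spaces per further level, and "|_" only on the last line. The SAMPLE data is constructed from the post's "after" output.

```python
def _flatten(items, depth):
    """Turn a nested result into (depth, text) pairs, depth-first."""
    out = []
    for item in items:
        if isinstance(item, str):
            out.append((depth, item))
        else:                                   # (section_name, sub_items)
            sub_name, sub_items = item
            out.append((depth, sub_name + ":"))
            out.extend(_flatten(sub_items, depth + 1))
    return out


def format_output(script_id, result):
    """Render a script result in the post's 'after' layout.

    result is a string (one line, or several separated by newlines, all at
    the first level) or a list of strings and (name, list) sections.
    The first level carries "| " or "|_" with no extra spacing; each deeper
    level adds two spaces; only the final line gets the "|_" terminator.
    """
    if isinstance(result, str):
        first, *rest = result.split("\n")
        lines = [(0, f"{script_id}: {first}")] + [(0, t) for t in rest]
    else:
        lines = [(0, script_id + ":")] + _flatten(result, 1)
    rendered = []
    for i, (depth, text) in enumerate(lines):
        prefix = "|_" if i == len(lines) - 1 else "| "
        rendered.append(prefix + "  " * depth + text)
    return "\n".join(rendered)


# Constructed sample mirroring the post's host script results
SAMPLE = [
    ("smb-os-discovery", ["OS: Unix (Samba 3.4.2-0.42.fc11)",
                          "Name: Unknown\\Unknown",
                          "System time: 2009-11-24 17:19:21 UTC-8"]),
    ("smbv2-enabled", "Server doesn't support SMBv2 protocol"),
]

if __name__ == "__main__":
    print("Host script results:")
    for script_id, result in SAMPLE:
        print(format_output(script_id, result))
```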
FingerTest structures are supposed to have an array of AVals that are
allocated as a block and linked internally. But for OPS and WIN, each
AVal was allocated individually and linked together. When the FingerTest
was later freed, it freed only the first link in the chain.
1) I wrote a function that formats output from scripts in a consistent way. Although we haven't really come to a consensus on how it should look yet, it's easy to change when we do.
2) New script: smb-enum-groups.nse. Enumerate the local groups on a system and their membership.
MAC in the doArp function as is done for ARP ping scan in
scan_engine.cc. This makes us capable of reading ARP responses that are
sent to the broadcast address.
to be the cause of a segfault reported by Ron Bowes.
nmap -PN -p4567 -sV --script=http-* x.x.x.x
Program received signal SIGSEGV, Segmentation fault.
nsock_connect_tcp (nsp=0x83b8b38, ms_iod=0x0, handler=0x80b5cf0
<l_nsock_connect_handler(void*, void*, void*)>, timeout_msecs=10000,
userdata=0x8729308, saddr=0x871a6f8, sslen=16, port=4567)
at nsock_connect.c:154
install from source may have old copies of scripts with different names,
like HTTPAuth instead of http-auth, because we don't delete the contents
of the scripts directory when installing. Rather than wipe out the whole
directory, which might contain people's custom scripts, there is now a
list of old script names in Makefile.in which are selectively deleted.
The whole list is
anonFTP
ASN
brutePOP3
bruteTelnet
chargenTest
daytimeTest
dns-safe-recursion-port
dns-safe-recursion-txid
dns-test-open-recursion
echoTest
ftpbounce
HTTPAuth
HTTP_open_proxy
HTTPpasswd
HTTPtrace
iax2Detect
ircServerInfo
ircZombieTest
MSSQLm
MySQLinfo
netbios-smb-os-discovery
popcapa
PPTPversion
promiscuous
RealVNC_auth_bypass
ripeQuery
robots
showHTMLTitle
showHTTPVersion
showOwner
showSMTPVersion
showSSHVersion
skype_v2-version
smb-enumdomains
smb-enumsessions
smb-enumshares
smb-enumusers
smb-serverstats
smb-systeminfo
SMTPcommands
SMTP_openrelay_test
SNMPcommunitybrute
SNMPsysdescr
SQLInject
SSH-hostkey
SSHv1-support
SSLv2-support
strangeSMTPport
UPnP-info
xamppDefaultPass
zoneTrans
instead of waiting until a request is made to connect. This eliminates a
little bit of bookkeeping that needed to be done to retain state on the
NSE socket. Unfortunately this alone doesn't allow binding a socket to a
source address to receive UDP data, because Nsock doesn't create the
physical socket until a connection is made.
group. Not doing this was the cause of off-by-one errors that led to
assertion failures and, potentially, excluded hosts being scanned. Here
is the comment I added:
/* The decision to skip a range was based on the address that came immediately
before what our current array contains now. For example, if we have just
handed out 0.0.0.0 from the range 0-5.0.0.0, and we're asked to skip
the first octet, we want to advance to 1.0.0.0. But 1.0.0.0 is what is in
the current array right now, because TargetGroup::get_next_host advances
the array after returning an address. If we didn't step back we would
erroneously skip ahead to 2.0.0.0. */
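To make the off-by-one concrete, here is a toy Python model of the situation in that comment (my own code, not Nmap's C++ TargetGroup; the method name skip_block and the octet-range parsing are assumptions). get_next_host advances after returning, exactly as the comment says, and skip_block with step_back=False reproduces the bug.

```python
class TargetGroup:
    """Toy model of Nmap's TargetGroup (hypothetical names: skip_block is mine)."""
    def __init__(self, spec):
        # spec like "0-5.0.0.0": each octet is "n" or "lo-hi"
        self.ranges = []
        for part in spec.split("."):
            lo, _, hi = part.partition("-")
            self.ranges.append((int(lo), int(hi or lo)))
        self.cur = [lo for lo, _ in self.ranges]  # next address to hand out
        self.exhausted = False

    def get_next_host(self):
        """Return the current address, then advance, as Nmap's version does."""
        if self.exhausted:
            return None
        addr = ".".join(str(o) for o in self.cur)
        self._advance()
        return addr

    def _advance(self):
        for i in range(3, -1, -1):  # odometer increment with carry
            lo, hi = self.ranges[i]
            if self.cur[i] < hi:
                self.cur[i] += 1
                return
            self.cur[i] = lo
        self.exhausted = True

    def _step_back(self):
        for i in range(3, -1, -1):  # odometer decrement with borrow
            lo, hi = self.ranges[i]
            if self.cur[i] > lo:
                self.cur[i] -= 1
                return
            self.cur[i] = hi

    def skip_block(self, octets, step_back=True):
        """Skip the rest of the block sharing the first `octets` octets with the
        address most recently handed out.  Only valid after at least one call to
        get_next_host.  step_back=False reproduces the off-by-one: the decision
        is then made on cur, which is already one address past what the caller saw."""
        if self.exhausted:
            return
        if step_back:
            self._step_back()
        for i in range(octets, 4):  # exhaust the lower octets so the carry
            self.cur[i] = self.ranges[i][1]
        self._advance()  # lands in octet number `octets`
```

With "0-5.0.0.0", handing out 0.0.0.0 and then skipping the first octet yields 1.0.0.0 with the step back and 2.0.0.0 without it.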