PenTest/nmap
1
0
Fork 0
mirror of https://github.com/nmap/nmap.git synced 2025-12-06 04:31:29 +00:00
Code Issues Projects Releases Wiki Activity
Files
1bba31188426a7ba3c6afcc4cad2a99a12effd11
nmap/CHANGELOG

6494 lines
284 KiB
Plaintext
Raw Blame History

# Nmap Changelog ($Id$); -*-text-*-
o Merged in my nmap-exp/jurand/ branch that involves the Context
Sensitive help system for the Profile Editor. The purpose of the
Profile Editor is to allow you to assemble an nmap command to run
in the Zenmap program by using graphical selection of text and
checkbox input. The new help system allows you to mouse over options
used in the Profile Editor and to display a bit of an overview about
what it is used for and what proper input for that option is in the
help textbox. [Jurand Nogiec]
o Compiled the Context Sensitive Help texts along with David Fifield
in the profile_editor.xml file. [Jurand Nogiec]
o Rewrote the Icons.py get_os to use the osclass versus doing
pattern-matching on os_match. Also, added get_best_osclass to match
get_best_osmatch. [Jurand Nogiec]
o Fixed the bug where Ports/Hosts Version tabs are not populated with
the full data (i.e. "OpenSSH 4.3" vs "OpenSSH 4.3 (protocol 2.0)").
[Jurand Nogiec]
o Improvements to the Terminate scan fix, which add the function that
the cancel button for scan is only usable during an actual scan and
allows one to save partial results. [Jurand Nogiec]
o Made change that allows for graceful way for cancelling a Scan in
progress without losing the data obtained so far. I have added a
"Cancel" button that will cancel a Scan within the current tab.
The "Scanning" status is changed to "Cancelled" when the button is
clicked. [Jurand Nogiec]
o Fixed the problem where scans loaded from an XML file did not
necessarily reflect the profile and target that was shown in the
interface. I completed this by fixing that the same parse_result
method was called by both the XML "live-scan temporary" and
"save-scan" from a file, and made separate cases. [Jurand Nogiec]
o This modification handles the problem where if a user modifies the
command entry field, Zenmap does not necessarily execute this
command and instead it will follow what the Target/Entry fields
specify instead. This can lead to unpredictable results for the
end-user, which must be avoided. This avoids a bug where if you
edited a command, then selected a different target, the edited
command line would be replaced with one from the currently selected
profile. [Jurand Nogiec]
o Documentation for the ScanToolbar.py and ScanNotebook.py files in
zenmap/zenmapGUI folder. [Jurand Nogiec]
o Nsock now returns data from UDP packets individually, preserving the
packet boundary, rather than concatenating the data from multiple
packets into a single buffer. This fixes a problem related to our
reverse-DNS system, which can only handle one DNS packet at a time.
Thanks to Tim Adam of ManageSoft for debugging the problem and
sending the patch. Doug Hoyte helped with testing, and it was
applied by Fyodor.
o Fyodor made a number of performance tweaks, such as:
o increase host group sizes in many cases, so Nmap will now commonly
scan 64 hosts at a time rather than 30
o align host groups with common network boundaries, such as /24 or
/25
o Increase maximum per-target port-scan ping frequency to one every
1.25 seconds rather than every five. Port scan pings happen
against heavily firewalled hosts and the like when Nmap is not
receiving enough responses to normal scan to properly calculate
timing variables and detect packet drops.
o Added the undocumented (except here) --nogcc option which disables
global/group congestion control algorithms and so each member of a
scan group of machines is treated separately. This is just an
experimental option for now. [Fyodor]
o Added a new NSE Unpwdb (username/password database) library for
easily obtaining usernames or passwords from a list. The functions
usernames() and passwords() return a closure which returns a new
list entry with every call, or nil when the list is exhausted. You
can specify your own username and/or password lists via the script
arguments userdb and passdb, respectively. [Kris]
o The Ports/Hosts display in Zenmap now has different colors for open
and closed ports. [Vladimir]
o Fixed the "resolution errors not showing up" bug. Actually, from now
on, all errors will be displayed properly in the Zenmap window,
since stderr is also redirected there (until now, only stdout was
displayed). [Vladimir]
o NSE now works with the Ping Scan (-sP) to execute host
scripts. [Kris]
o [NSE] nse_string has been removed and equivalent, cleaner,
procedures have been moved to nse_main and nse_nsock. [Patrick]
o [NSE] Case insensitive categories. [Patrick]
o [NSE] Porttests and Hosttests tables are now in the Lua registry
where they belong. [Patrick]
o [NSE] Each thread for a script gets its own action closure (and
upvalues). See: http://seclists.org/nmap-dev/2008/q2/0549.html
[Patrick]
o [NSE] script_scan_result structure has been changed to a class,
ScriptResult, that now uses std::strings to hold a Script's output
and id. This alleviates the need to manage memory on the heap
explicitly (malloc & free). [Patrick]
o [NSE] The runlevel structure has been placed in the thread record
structure so we no longer need to manage the runlevel explicitly on
the heap. [Patrick]
o Fixed host discovery probe matching when looking at the returned TCP
data in an ICMP error message. This could lead to incorrectly
discarded responses and the debugging error message: "Bogus trynum
or sequence number in ICMP error message" [Kris]
o Added IPProto Ping (-PO) support to Traceroute, and fixed support for
IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute
as well. These would cause Nmap to hang during Traceroute. [Kris]
o Fixed a segmentation fault in Nsock which occurred when calling
nsock_write() with a data length of -1 (which means the data is a
NULL-terminated string and Nsock should take the length itself) and
the Nsock trace level was at least 2. [Kris]
o Nsock now supports binding to a local address and setting IPv4
options with nsi_set_localaddr() and nsi_set_ipoptions(),
respectively. [Kris]
o Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have
been updated to support the -S and --ip-options flags. [Kris]
o Added --ip-options support for the connect() scan (-sT). [Kris]
o The NSE Comm library now defaults to trying to read as many bytes as
are available rather than lines if neither the "bytes" nor "lines"
options are given. Thanks to Brandon for reporting a problem which
he noticed in the dns-test-open-recursion script. [Kris]
o Updated zoneTrans.nse to replace length bytes in returned domain
names to periods itself rather than relying on NSE's old behavior of
replacing non- printable characters with periods. Thanks to Rob
Nicholls for reporting the problem. [Kris]
o Changed the order preference of timing ping probes. [Michael]
o Enabled nmap to switch between multiple types of timing pings during
port scanning. [Michael]
o Some Zenmap crashes have been fixed: trying to "refresh" the output
of a scan loaded from a file, and trying to re-save a file loaded
from the command line in some circumstances. [David]
o The file selector in Zenmap now remembers what directory it was last
looking at. [David]
o Zenmap defaults to showing files matching both *.xml and *.usr in
the file selector. Previously it only showed those matching *.usr.
o Nmap avoids printing the sending rate in bytes per second during a
TCP connect scan. Because the number of bytes per probe is not
known, it used to print Current sending rates: 11248.85 packets / s,
0.00 bytes / s. Now it will print simply Current sending rates:
11248.85 packets / s.
o Nmap's makefile will now install menu items for launching zenmap as
a privileged or non-privileged process on linux. This will mainly
effect people who install nmap and zenmap directly from the source
code. [Michael]
o Nmap will no longer misreport a localhost-responce during -PN scans
[Michael]
o There is a new --max-rate option complementary to
--min-rate. [David]
o A bug that could cause some host discovery probes to be incorrectly
interpreted as drops was fixed. This occurred only when the IP
protocol ping (-PO) option was combined with other ping
types. [David]
o The NSE C modules in nselib-bin are now linked explicitly against
liblua. Before this, loading such modules from a static build of
Nmap failed, leading to this error whenever one was used:
SCRIPT ENGINE: error while initializing script rules:
error loading module 'bit' from file '/usr/libexec/nmap/nselib-bin/bit.so':
/usr/libexec/nmap/nselib-bin/bit.so: undefined symbol: lua_pushnumber
Because RPM builds are static this fixes NSE C modules in
RPMs. [David]
o A new attribute has been added to XML output, scanflags, which lists
all user specified --scanflags for the scan. The XML output version
and DTD have been modified to account for this. [Michael]
o The loading of the nmap-services file has been made faster. In the
common case using the default nmap-services file loading was
measured to be over nine times faster.
o The shtool build helper script has been updated to version 2.0.8. An
older version of shutil caused installation to fail when the locale
was set to et_EE. Thanks to Michal Januszewski for the bug report.
Nmap 4.68 [2008-6-28]
o Doug integrated all of your version detection submissions and
corrections for the year up to May 31. There were more than 1,000
new submissions and 18 corrections. Please keep them coming! And
don't forget that corrections are very important, so do submit them
if you ever catch Nmap making a version detection or OS detection
mistake. The version detection DB has grown to 5,054 signatures
representing 486 service protocols. Protocols span the gamut from
abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
zebra, zenimaging, and zenworks. The most popular protocols are
http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
pop3 (201).
o Nmap compilation on Windows is now done with Visual C++ Express 2008
rather than 2005. Windows compilation instructions have been
updated at http://nmap.org/book/inst-windows.html#inst-win-source .
[Kris]
o The Nmap Windows self-installer now automatically installs the MS
Visual C++ 2008 runtime components if they aren't already installed
on a system. These are some reasonably small DLLs that are
generally necessary for applications compiled with Visual C++ (with
dynamic linking). Many or most systems already have these installed
from other software packages. The lack of these components led to
the error message "The Application failed to initialize properly
(0xc0150002)." with Nmap 4.65. A related change is that Nmap on
Windows is now compiled with /MD rather than /MT so that it
consistently uses these runtime libraries. The patch was created by
Rob Nicholls.
o Added advanced search functionality to Zenmap so that you can locate
previous scans using criteria such as which ports were open, keywords
in the target names, OS detection results. etc. Try it out with
Ctrl-F or "Tools->Search Scan Results". [Vladimir]
o Nmap's special WinPcap installer now handles 64-bit Windows machines
by installing the proper 64-bit npf.sys. [Rob Nicholls]
o Added a new NSE Comm (common communication) library for common
network discovery tasks such as banner-grabbing (get_banner()) and
making a quick exchange of data (exchange()). 16 scripts were
updated to use this library. [Kris]
o The Nmap Scripting Engine now supports mutexes for gracefully
handling concurrency issues. Mutexes are documented at
http://nmap.org/book/nse-api.html#nse-mutex . [Patrick]
o Added a UDP SNMPv3 probe to version detection, along with 9 vendor
match lines. The patch was from Tom Sellers, who contributed other
probes and match lines to this release as well.
o Added a new timing_level() function to NSE which reports the Nmap
timing level from 0 to 5, as set by the Nmap -T option. The default
is 3. [Thomas Buchanan]
o Update the HTTP library to use the new timing_level functionality to
set connection and response timeouts. An error preventing the new
timing_level feature from working was also fixed. [Jah]
o Optimized the doAnyOutstandingProbes() function to make Nmap a bit
faster and more efficient. This makes a particularly big difference
in cases where --min-rate is being used to specify a very high
packet sending rate. [David]
o Fixed an integer overflow which prevented a target specification of
"*.*.*.*" from working. Support for the CIDR /0 is now also
available for those times you wish to scan the entire
Internet. [Kris]
o The robots.nse script has been improved to print output more
compactly and limit the number of entries of large robots.txt files
based on Nmap verbosity and debugging levels. [Eddie Bell]
o The Nmap NSE scripts have been re-categorized in a more logical
fashion. The new categories are described at
http://nmap.org/book/nse-usage.html#nse-categories . [Kris]
o Improve AIX support by linking against -lodm and -lcfg on that
platform. [David]
o Updated showHTMLTitle NSE script to follow one HTTP redirect if
necessary as long as it is on the same server. [Jah]
o Michael Pattrick and David created a new OSassist application which
streamlines the OS fingerprint submission integration process and
prevents certain previously common errors. OSassist isn't part of
Nmap, but the system was used to integrate some submissions for this
release. 13 fingerprints were added during OSassist testing, and
some existing fingerprints were improved as well. Expect many more
fingerprints coming soon.
o Improved the mapping from dnet device names (like eth0) and WinPcap
names (like \Device\NPF_{28700713...}). You can see this mapping
with --iflist, and the change should make Nmap more likely to work
on Windows machines with unusual networking configurations. [David]
o Service fingerprints in XML output are no longer be truncated to
2kb. [Michael]
o Some laptops report the IP Family as NULL for disabled WiFi cards.
This could lead to a crash with the "sin->sin_family == AF_INET6"
assertion failure. Nmap no longer quits when this is
encountered. [Michael]
o On systems without the GNU getopt_long_only() function, Nmap has its
own replacement. That replacement used to call the system's
getopt() function if it exists. But the AIX and Solaris getopt()
functions proved insufficient/buggy, so Nmap now always calls its
own internal getopt() now from its getopt_long_only()
replacement. [David]
o Integrated several service match lines from Tom Sellers.
o An error was fixed where Zenmap would crash when trying to load from
the recent scans database a file containing non-ASCII
characters. The error looked like
pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column
'nmap_xml_output' with text
'<?xml version="1.0" encoding="iso-8859-1"?>
<nmaprun profile="nmap -T Aggressive -n -v %s" scanner="nmap" hint=""
The error would be seen when such a scan was found in using the
search interface. [David]
o Fix a Zenmap crash which occurred when local.getpreferredencoding()
returns "None". Similarly, deal with the case when a "X-MAC-KOREAN"
is returned by this function. Both problems were found with the
Zenmap crash reporter. [David]
o A whole bunch of internal Zenmap cleanup was done by David to make
the code more logical and remove dead code.
o Install icons and pixmaps under /usr/share/zenmap/{icons,pixmaps} so
they don't get mixed in with the files in
/usr/share/{icons,pixmaps}. [Jurand Nogiec]
o Fixed a Zenmap command entry problem where Zenmap would lose a
custom command you had entered into the command entry field if you
changed the target field after entering the custom command. [Jurand
Nogiec]
o The Zenmap crash reporter now includes a stack trace rather than
just the exception name. [David]
o Zenmap now executes the proper Nmap command by honoring the
nmap_command_path variable in zenmap.conf. [Jurand Nogiec]
o Fixed a bug which caused -PN to erroneously bail out for
unprivileged users. Thanks to Jabra (jabra(a)spl0it.org) for the
report. [Kris]
o Fixed several Nmap NSE memory leaks found with Valgrind. [Kris]
o Migrated some stray malloc()/realloc() calls to the Nbase
safe_malloc()/safe_realloc() versions which guard against certain
errors.
o Fixed a bunch of subtle bugs, some of which could have resulted in
a crash, reported by Ilja van Sprundel. [Kris]
o Fixed several byte-order bugs in Traceroute. [Kris]
o Fixed a crash in RateMeter::update() which could lead to an error
saying "diff >= 0.0" assertion failed. I think the problem was
actually caused by SMP machines which didn't sync the clock time
perfectly. This lead to gettimeofday() sometimes reporting that
time decreased by some microseconds. Now Nmap is willing to
tolerate decreases of up to 1 millisecond in this function. [Fyodor]
o Nmap now returns correct values for --iflist in windows even
if interface aliases have been set. Previously it would misreport
the windevices and not list all interfaces. [Michael]
o Nmap no longer crashes with an 'assert' error when its told to
access a disabled WiFi NIC on some laptops. [Michael]
o Upgraded the OpenSSL shipped for Windows to 0.9.8h. [Kris]
o The NSE http library was updated to gracefully handle certain bogus
(non-)http responses. [Jah]
o The zoneTrans.nse script now takes a "domain" script argument to
specify the desired domain name to transfer. You can narrow the
scope down with the form "zoneTrans={domain=xxx}". [Kris]
o Increase write buffer length for Nmap output on Windows. This should
prevent error messages like: "log_vwrite: vnsprintf failed. Even
after increasing bufferlen to 819200, Vsnprintf returned -1 (logt ==
1)." Thanks to prozente0 for the report. [Fyodor]
o Fixed the --script-updatedb command, which was claiming to be
"Aborting database update" even when the update was performed
perfectly. See http://seclists.org/nmap-dev/2008/q2/0623.html .
Thanks to Jah for the report.
Nmap 4.65 [2008-6-1]
o A Mac OS X Nmap/Zenmap installer is now available from the Nmap
download page! It is rather straightforward, but detailed
instructions are available anyway at
http://nmap.org/book/inst-macosx.html . As a universal installer,
it works on both Intel and PPC Macs. It is distributed as a disk
image file (.dmg) containing an mpkg package. The installed Nmap
does include OpenSSL support. It also supports Authorization
Services so that Zenmap can run as root. David created this
installer. He wants to thank Benson Kalahar and Vlad Alexa for
extensive testing of the nine test releases.
o The Windows version of Nmap now supports OpenSSL just as the UNIX
versions have for years. Both the .zip and executable installer
binary packages we ship from the Nmap download page now include
OpenSSL. [Kris, Thomas Buchanan]
o We now compile in IPv6 support on Windows. In order to use this,
you need to have IPv6 set up. It is installed by default on Vista,
but must be downloaded from Microsoft for XP. See
http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx . [Kris]
o Seven Google-sponsored Summer of Code students began working on
exciting Nmap projects full times. The winning students and their
Nmap development projects are described at
http://seclists.org/nmap-dev/2008/q2/0132.html .
o Our WinPcap installer now starts the NPF driver running as a
service immediately upon installation and after restarts. You can
disable this with new check-boxes. This behavior is important for
Vista and Windows Server 2008 machines when User Account
Control (UAC) is enabled. [Rob Nicholls]
o Nmap and Nmap-WinPcap silent installation now works. Nmap can
be silently installed with the /S option to the installer.
If you install Nmap from the zip file, you can install just
WinPcap silently with the /S option to that
installer. [Rob Nicholls]
o Our WinPcap installer is now included with the Nmap Win32 zip
file. [Fyodor]
o Numerous miscellaneous improvements were made to our Win32
installer, such as using the "Modern" NSIS UI for WinPcap,
improving the option description labels, and showing a finish
page in all cases. [Rob Nicholls]
o The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org
now include message excerpts to make it easier to identify
interesting messages and speed the process of reading through the
list. Feeds for all other mailing lists archived at SecLists.Org
have been similarly augmented. For details, see
http://seclists.org/nmap-dev/2008/q2/0333.html . [David]
o A new "default" Nmap Scripting Engine category was added. Only
scripts in this category now run by default (except for "version"
scripts which run when version detection was requested).
Previously, any scripts in the "safe" or "intrusive" categories were
run. 21 scripts are now in this default category. [Kris]
o The NSE HTTP library now uses the host name specified on the command
line when making requests, which improves script scanning against
web servers with virtual hosts. Thanks to Sven Klemm for the patch.
o Added some new and improved version detection signatures. [Brandon]
o Fixed an OS detection bug that prevented the R1.UID test result from
being recorded properly when scanning certain printers from
little-endian computers. Updated nmap-os-db to compensate for
signatures that had an incorrect U1.RID value. [Michael]
o Updated to include the latest MAC Address prefixes from the IEEE in
nmap-mac-prefixes [Fyodor]
o Updated the SMTPcommands NSE script to work better against Postfix
and reduce verbosity. [Jason DePriest, Fyodor]
o Reorganized the way ping probes are handled internally. Rather than
being stored in the NmapOps structure, they are now stored within
the individual scan_lists structures. This is a cleaner
organization. [Michael]
o Fix grepable output's "Ignored State" reporting. Only one ignored
state (the one with the highest numbers of ports) is shown. [David]
o Update to Lua version 5.1.3 [Patrick]
o Add NSE stdnse library to include tobinary, tooctal, and tohex
functions. [Patrick]
o Fixed a bug which caused the Zenmap crash reporter to, uh,
crash. [David]
o NSE engine was cleaned up significantly. nse_auxiliar was removed,
and file system manipulation functions were moved from nse_init.cc
into a new nse_fs.cc file. Numerous interfaces between Nmap and Lua
were improved. Most of these functions are now callable directly by
Lua. [Patrick]
o Fixed a bug in the showOwner NSE script which caused it to try UDP
ports instead of just TCP ports. This made it very slow in the
common case where there are many UDP ports in the open|filtered
state. Thanks to Jason DePriest for reporting the problem and Jah
for tracking it down and fixing it.
o Nbase now generates pseudo-random numbers itself rather than using
/dev/urandom on Linux and the terrible rand() function on Windows.
The new system uses ARC4 based on libdnet's
implementation. [Brandon]
o Made a number of updates and improvements to the Zenmap Users' Guide
at http://nmap.org/book/zenmap.html . [David]
o Fixed the way Zenmap handles command-line entry to prevent your
custom command-line to be overwritten with the current profile's
command just because you edited the target field. [Jurand]
o Nsock was improved to better support reading from non-network
descriptors such as stdin. This is important for the upcoming Ncat
project Mixter is working on. [Mixter]
o A bug was fixed that could cause Zenmap to crash when loading a
results file that had multibyte characters in it. The error looked
like:
Gtk-ERROR **: file gtktextsegment.c: line 196
(_gtk_char_segment_new): assertion failed:
(gtk_text_byte_begins_utf8_char (text))
[David]
o Removed a superfluous test for the existence of the C++ compiler in
the configure script. The test was not robust when configured with
CXX="ccache g++". Thanks to Rainer Müller for the report.
o Optimized cached DNS lookups so they are equally efficient when
running on big-endian or little-endian systems. [Michael]
o Fixed the nmap_command_path Zenmap configuration variable so that it
is actually used to start the specified Nmap executable
path. [Jurand Nogiec]
o Nmap now reports scan start and end times for individual hosts
within a larger scan. The information is added to the XML host
element like so: [host starttime="1198292349" endtime="1198292370"]
(but of course with angle brackets rather than square ones). It is
also printed in normal output if -d or "-v -v" are
specified. [Brandon, Kris, Fyodor]
o "make uninstall" now uninstalls Zenmap as well as Nmap. The
uninstall_zenmap script now deletes directories that were
installed. [David]
o Fixed a bug which caused Nmap to send bad checksums on Solaris 10
x86. This was due to a workaround for an Ancient Solaris 2.1 bug
which activated when the OS string matched "solaris2.1*". The
problem has now been resolved until Solaris 20 comes out and hits
our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the
problem report. Fixed by Fyodor.
o Fixed a minor memory leak in getpts_simple which occurs when no
ports are to be added to 'list'. 'porttbl' is now free'd regardless
of how the function returns. [Michael]
o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
On Windows, this ID has to be a numeric index. On Linux and some
other OS's, this ID can instead be an interface name. Some examples
of this syntax:
fe80::20f:b0ff:fec6:15af%2
fe80::20f:b0ff:fec6:15af%eth0
[Kris]
o The Zenmap installer and uninstaller are more careful about escaping
filenames and dealing with an installation root (DESTDIR). [David]
o Since assert() calls are used for various security-related tests,
their safety is now ensured by keeping NDEBUG undefined throughout
Nmap, Nbase and Nsock. [Kris]
o Fix a couple bugs in the way the Nmap build system checked for an
existing LUA library. A bashism caused one test to fail on system
which don't use bash as /bin/sh, and another bug fixed --with-liblua
configure option for specifying your own liblua. [Daniel
Roethlisberger]
o The NSE nmap.registry.args table is now available, albeit empty,
when --script-args isn't used. Now scripts don't need to check if
it's nil before attempting to index it. [Kris]
o Changed SSLv2-support.nse so that it only enumerates the list of
available ciphers with a verbosity level of at least two or with
debugging enabled. [Kris]
o Replaced kibuvDetection.nse with version detection match lines which
work better than the script. [Kris, Brandon]
o Removed mswindowsShell.nse as there is a version detection NULL
probe match which does the same thing. [Brandon, Fyodor, Kris]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
Nmap 4.62 [2008-5-3]
o Added a new --min-rate option that allows specifying a minimum rate
at which to send packets. This allows you to override Nmap's
congestion control algorithms and request that Nmap try to keep at
least the rate you specify. The rate is given in packets per
second. Read more in the Nmap man page
(http://nmap.org/book/man-performance.html) [David]
o Create /nmap/macosx directory in SVN with files necessary to build
binary Mac OS X Nmap/Zenmap packages. We are trying to create
binary installer packages which are as useful and easy to use as the
Windows installer. This has involved a lot of work by David. We
aren't quite yet distributing the results on the Nmap download page,
but testing our beta versions is useful. You can find the latest
universal (PPC and Intel) binary test version by looking at David
Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html.
You can also read /nmap/macosx/README in svn for more info.
o Nmap 2008 Summer of Code students have began working (though full
time doesn't start until late May). Learn about the winners and
their projects at http://seclists.org/nmap-dev/2008/q2/0132.html .
o Brandon added/modified a whole bunch of version detection signatures
based on systems discovered when scanning UCSD's network.
o Reformat Nmap COPYING file (e.g. remove C comment markers, reduce
line length) during Nmap windows build so that it looks much better
when presented by the Windows executable (NSIS) installer. Thanks
to Jah for the patch, which was modified slightly by Fyodor.
o Added NSE Datafiles library which reads and parses Nmap's nmap-*
data files for scripts. The functions (parse_protocols(),
parse_rpc() and parse_services()) return tables with numbers
(e.g. port numbers) indexing names (e.g. service names). The
rpcinfo.nse script was also updated to use this library. [Kris]
o Fixed a bug in the nbase random number generator (and the way it
interacted with Nmap and MS Windows) which caused duplicates in some
instances. Thanks to Jah for reporting the problem and working with
Brandon Enright, Fyodor and Kris to fix it.
o It turns out that hours contain 60 minutes, not 24. Fixed a scan
status message which was rolling over the hours column
prematurely. [David]
o Added scripting options to Zenmap profile editor and command wizard
to make use of NSE. [David]
o Zenmap now prints an exception message rather than segfaulting when
it can't open a display (such as when trying to connect to an X
server as an unauthorized user). Thanks to Aaron Leininger for the
initial report and Guilherme Polo for suggesting the fix.
o Now ports in the "unfiltered" state can be selected for attention by
NSE scripts. [Kris]
o Nbase random number generation system now avoids having a high-bit
of zero in every other byte on Windows due to Windows having such a
low RAND_MAX. [Jah]
o Added release dates for each Nmap version to this CHANGELOG going
back to Nmap 3.00 (July 31, 2002). Dates are in MM/DD/YY format.
If someone wants to track down dates for the last 22% of the file
(pre-3.00), you are welcome to do so and send a patch. Searching
Google for the version number and site:seclists.org seems to work
well. [Fyodor]
o Nmap RPM builds now use the versions of libdnet, libpcap, libpcre,
and liblua included with Nmap rather than whatever happens to be
installed on the build system. [David]
o Zenmap can now be installed in and run in directories with a space
in the name. [David]
o Fixed an assertion failure ("Target.cc:396: void
Target::stopTimeOutClock(const timeval*): Assertion
'htn.toclock_running == true' failed.")caused when a host had NSE
scripts in multiple runlevels. This also fixes --host-timeout
behavior in NSE. [Kris]
o Reduce the maximum number of socket descriptors which Nmap is
allowed to open concurrently. This resoles a bug which could cause
"Too many open files" error on Mac OS X when not running as
root. [David]
o Canonicalized service names between nmap-service-probes (version
detection DB) and nmap-services (port scanning DB). [Kris]
o Removed the "class" attribute from the tcpsequence element in XML
output. For a long time it had always been "unknown class" because
Nmap doesn't calculate a class anymore. The XML output version has
been increased from 1.01 to 1.02. [David]
o Fixed a bug on Win32 which caused an infinite loop when Nmap
encountered certain broadcast addresses. [Dudi Itzhakov]
o Fix MingW compilation by adding a signal.h include to
main.cc. [Gisle Vanem]
o Fix the test in our build system to determine if liblua is already
available or not. For example, the test needed to link with -lm
since some systems require that. [David].
o Added TIMEVAL_BEFORE and TIMEVAL_AFTER macros to test whether one
timeval is earlier than another while avoiding possible integer
overflows in a naive approach we were using previously. [David]
o Adjusted a bunch of code to avoid compilation warning messages on
some Linux machines. [Andrew J. Bennieston]
o Fixed the NmapArpCache so that it actually works. Previously, Nmap
was always falling back to the system ARP cache. Of course this
raises the question of whether NmapArpCache is needed in the first
place. [Daniel Roethlisberger]
o Fix a Zenmap bug which could cause the error message
"zenmapCore.NmapOptions.OptionNotFound: No option named '' found!"
if you create a new profile without checking any options then try to
edit it. [David]
o Zenmap now shows a more helpful error message when there is an error
in executing Nmap. [David]
o Zenmap now creates the directory ~/.zenmap-etc to store
automatically generated GTK+ and Pango files. They used to go in the
application bundle but that doesn't work on a read-only filesystem
or disk image. This is what Wireshark does (~/.wireshark-etc),
although the directory could be called anything. It doesn't have to
persist across sessions.
o Added a mechanism in Zenmap for including extra executable search
paths on specific platforms, so we can include /usr/local/bin in
PATH on Mac OS X by default and add the Nmap install directory on
Windows. [David]
o We now use --no-strip when building Zenmap Mac OS X packages to
prevent many mysterious warnings which occur when the binary is
stripped. [David]
o When Zenmap invokes Nmap, it now copies the whole environment for
the Nmap invocation rather than just providing $PATH. Windows may
need this to do proper name resolution. [David]
o Corrected uptime parsing and reporting in SNMPsysdesr.nse for an
uptime of less than 46 hours. [Kris]
o Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build
system to work better when building Mac OS X universal
binaries. [David]
o Added many additional PCRE option flags to the list returned by the
NSE pcre.flags() function. [Kris]
o Changed the NSE function nmap.set_port_state() so that it checks to
see if the requested port is already in the requested state. This
prevents "Duplicate port" messages during the script scan and the
inaccurate "script-set" state reason. [Kris]
o Canonicalize NSE script license text--more than half did not even
spell license correctly. They all still say that they are under
Nmap's license, just with consistent capitalization and spelling,
and now a link to Nmap legal page at
http://nmap.org/man/man-legal.html.
o Updated ripeQuery.nse to not print extraneous whitespace. [Kris]
o Switched telnet brute force password cracking NSE (bruteTelnet.nse)
to vulnerability category so it isn't executed by default. It can
take too long to run. [Eddie]
o NSE status messages now print host name and IP, rather than just the
host name (which was blank when Nmap didn't know it). [Jah]
o Allocate 128 characters for the idle scan ScanProgressMeter
title. Previously it was 32 characters. The "idle scan against " and
the \0 terminator take up 19 characters, leaving only 13, which
isn't enough to represent all IP addresses, let alone host
names. Bug reported by Stephan Fijneman, fixed by David.
Nmap 4.60 [2008-3-15]
o Nmap has moved. Everything at http://insecure.org/nmap/ can now be
found at http://nmap.org . That should save your fingers from a
little bit of typing. Even though transparent redirectors are in
place for the old URLs, please update your links and bookmarks. And
if you don't have a link to Nmap on your web site, now is a good
time to add one :).
o All of your OS detection fingerprints up until March 10, 2008 have
now been integrated by David. The second generation database has
grown from 1,085 fingerprints representing 421 operating
systems/devices, to 1,304 fingerprints representing 478 systems.
That is an increase of more than 20%. New fingerprints were added
for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0,
Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course
hundreds of broadband routers, VoIP phones, printers, some crazy
oscilloscope, etc. We get a ton of new fingerprint submissions, but
not as many corrections. Please remember to visit
http://nmap.org/submit/ if Nmap gives you bad results, whether they
are completely wrong or just a slight mistake (like Nmap says Linux
2.6.20-2.6.23, but you're running 2.6.24). Of course you need to be
certain you know exactly what is running on the target before you do
this.
o All of your service fingerprints and corrections submitted until
January 14, 2008 have now been integrated by Doug. As usual, he has
documented his adventures at http://hcsw.org/blog.pl/33 . More than
a hundred signatures were added, growing the database to 4,645
signatures for 457 services. Corrections are welcome for service
detection too -- visit http://nmap.org/submit/ if you get incorrect results.
o Nmap now saves the target name (if any) specified on the command
line, since this can differ from the reverse DNS results. It can be
particularly important when doing HTTP tests against virtual hosts.
The data can be accessed from target->TargetName() from Nmap proper
and host.targetname from NSE scripts. The NSE HTTP library now uses
this for the Host header. Thanks to Sven Klemm for adding this
useful feature.
o Added NSE HTTP library which allows scripts to easily fetch URLs
with http.get_url() or create more complex requests with
http.request(). There is also an http.get() function which takes
components (hostname, port, and path) rather than a URL. The
HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to
use this library. Sven Klemm wrote all of this code.
o Fixed an integer overflow in the DNS caching code that caused nmap
to loop infinitely once it had expunging the cache of older
entries. Thanks to David Moore for the report, and Eddie Bell for
the fix.
o Fixed another integer overflow in the DNS caching code which caused
infinite loops. [David]
o Added IPv6 host support to the RPC scan. Attempting this before
(via -sV) caused a segmentation fault. Thanks to Will Cladek for
the report. [Kris]
o Fixed an event handling bug in NSE that could cause execution of
some in-progress scripts to be excessively delayed. [Marek]
o A new NSE table library (tab.lua) allows scripts to deliver better
formatted output. The Zone transfer script (zoneTrans.nse) has been
updated to use this new facility. [Eddie]
o Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to
do some much-needed cleaning up. [Kris]
o Added a new MsSQL version detection probe and a bunch of match lines
developed by Tom Sellers.
o Added a new service detection probe and signatures for the memcached
service [Doug]
o Added new service detection probes and signatures for the Beast
Trojan and Firebird RDBMS. [Brandon Enright]
o Fixed a crash in Zenmap which occurred when attempting to edit or
create a new profile based on an existing one when there wasn't one
selected. The error message was:
'NoneType' object has no attribute 'toolbar'
Now a new Profile Editor is opened. Thanks to D1N (d1n@inbox.com)
for the report. [Kris]
o Fixed another crash in Zenmap which occurred when exiting the
Profile Editor (while editing an existing profile) by clicking the
"X", then going to edit the same profile again. The error message
was: "No option named '' found!". Now the same window that appears
when clicking Cancel comes up when clicking "X". Thanks to David
for reporting this bug. [Kris]
o Another Zenmap bug was fixed: ports consolidated into "extra ports"
groups are now counted and shown in the "Host Details" tab. The
closed, filtered and scanned port counts in this tab didn't contain
this information before so they were usually very inaccurate. [Kris]
o Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay
buttons ("amount of time between probes") under the Advanced tab in
the Profile Editor were backwards. [Kris]
o Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile
Editor and Command Wizard. [Kris]
o Reordered the UDP port selection for Traceroute: a closed port is
now chosen before an open one. This is because an open UDP port is
usually due to running version detection (-sV), so a Traceroute
probe wouldn't elicit a response. [Kris]
o Add Famtech Radmin remote control software probe and signatures to
the Nmap version detection DB. [Tom Sellers, Fyodor]
o Add "Conection: Close" header to requests from HTTP NSE scripts so
that they finish faster. [Sven Klemm]
o Update SSLv2-support NSE script to run against more services which
are likely SSL. [Sven Klemm]
o A bunch of service name canonicalization was done in the Nmap
version detection file by Brandon Enright (e.g. capitalizing D-Link
and Netgear consistently).
o Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
o Updated to latest (as of 3/15) autoconf config.sub/config.guess
files from http://cvs.savannah.gnu.org/viewvc/config/?root=config.
[Fyodor]
o We now escape newlines, carriage returns, and tabs (\n\r\t) in XML
output. While those are allowed in XML attributes, they get
normalized which can make formatting the output difficult for
applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
o The Zenmap man page is now installed on Unix when "make install" is
run. This was supposed to work before, but didn't. [Kris]
o Fixed a man page bug related to our DocBook to Nroff translation
software producing incorrect Nroff output. The man page no longer
uses the ".nse" string which was being confused with the Nroff
no-space mode command. [Fyodor]
o Fixed a bug in which some NSE error messages were improperly escaped
so that a message including "c:\nmap" would end up with a newline
between "c:" and "map".
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
o The DocBook XML source code to the Nmap Scripting Engine docs
(http://nmap.org/nse/) is now in SVN under docs/scripting.xml .
4.53 [2008-1-12]
o Impoved Windows executable installer by making uninstall work better
on systems which changed the default install path. The shortcut is
also now deleted properly on Vista. [Rob Nicholls]
o Windows installer is now generated using NSIS 2.34 rather than
2.13. [Fyodor]
o Added UPnP-info NSE script by Thomas Buchanan. It gathers
information from the UPnP service (UDP port 1900) which listens on
many network devices such as routers, printers, and networked media
players.
o Fixed a --traceroute bug (assertion failure crash) which occured
when the first hop of the first host in a tracegroup (reference
trace) times out. Thanks to Sebastián García for the bug report and
testing, and Eddie for the patch.
o Fix a problem which prevented proper port number matching in
NSE scripts (port_or_service function) due to a variable
shadowing bug. [Sven Klemm]
o Improved rpcinfo.nse to better sort and display available RPC
services. [Sven Klemm]
4.52 [2008-1-1]
o Fixed Nmap Winpcap installer to use CurrentVersion registry key on
Windows rather than VersionNumber to more reliably detect Vista
machines. This should prevent the XP version of Packet.dll from
being installed on Vista. [Rob Nicholls]
o The Nmap Scripting Engine (NSE) now supports run-time interaction
and the Nmap --host-timeout option. [Doug]
o Added nmap.fetchfile() function for scripts so they can easily find
Nmap's nmap-* data files (such as the OS/version detection DBs, port
number mapping, etc.) [Kris]
o Updated rpcinfo.nse to use nmap.fetchfile() to read from nmap-rpc
instead of having a huge table of RPC numbers. This reduced the
script's size by nearly 75%. [Kris]
o Fixed multiple NSE scripts that weren't always properly closing their
sockets. The error message was:
"bad argument #1 to 'close' (nsock expected, got no value)" [Kris]
o Added a new version detection probe for the Trend Micro OfficeScan
product line. [Tom Sellers, Doug]
4.51BETA [2007-12-21]
o David wrote a detailed Zenmap guide: http://nmap.org/book/zenmap.html
o Added rpcinfo.nse script, which contacts a listening RPC portmapper
and reports the listening services and port information (like
rpcinfo -p does). The script was written by Sven Klemm. Fyodor
then enhanced the RPC number list with all of the entries from
nmap-rpc.
o Added a new NSE script (MySQLinfo) which prints MySQL server information
such as the protocol and version numbers, status, thread id, capabilities,
and password salt. [Kris]
o Nmap's output options (-oA, -oX, etc.) now support strftime()-like
conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are
all the same as in strftime(). %T is the same as %H%M%S, %R is the
same as %H%M, and %D is the same as %m%d%y. A % followed by any
other character just yields that character (%% yields a %). This
means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of
"scan-144840-121307.xml". [Kris]
o Fixed Winpcap installer to install the right version of Packet.dll
on Windows Vista. [Fyodor]
o Fixed our Winpcap installer so that it waits for a Winpcap uninstall
(if needed) to complete before trying to install the new Winpcap.
[Jah]
o Fix a bunch of warning/error messages which contained an extra
newline. [Brandon Enright]
o Fixed an error when attempting to scan localhost as an unprivileged
user on Windows (nmap --unprivileged localhost). The error was:
"Skipping SYN Stealth Scan against localhost (127.0.0.1) because
Windows does not support scanning your own machine (localhost) this
way."
Now connect scan is used instead of SYN scan. [David]
o Fixed a bug that prevented the --resume option from working on
Windows. The error message was:
..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103,
mflags 000 00006: The parameter is incorrect.(87)
[Fixed by David, reported by Rob Nicholls]
o Zenmap's new web page (http://nmap.org/zenmap/) is now shown in the
Zenmap about dialogue.
o On Windows, paths beginning with \ are now considered absolute when
used with the --script option. jah (jah(a)zadkiel.plus.com) suggested
this. [David]
o Zenmap no longer double-spaces its output (by inadvertently
duplicating newlines) when viewing scan results that were saved to a
file. [Joao Medeiros]
o Upgraded the shipped LibPCRE from version 7.2 to 7.4. [Kris]
o Fixed Zenmap crash that occurred when selecting Help from the Compare
Results window. [Kris]
o Updated robots.nse to prevent printing robots.txt comments. [Kris]
o Many version detection match lines were improved to match even when
newlines appear in binary data returned by the service. [Fixed by
Doug, suggested by Lionel Cons]
4.50 [2007-12-13]
o Bumped up the version number to the big 10th anniversary 4.50
release! See http://insecure.org/stf/Nmap-4.50-Release.html .
4.49RC7 [2007-12-10]
o A Zenmap crash was fixed. Scanning once, then scanning another target
on the same scan tab caused an ImportError ("list index out of range")
in zenmapGUI/ScanNotebook.py. Joao Medeiros reported the
bug. [David]
o Updated a couple of version detection signatures due to problem
reports by Lionel Cons. [Doug]
4.49RC6 [2007-12-8]
o NSE scripts can now be specified by absolute path to the --script
option. This was supposed to work before, but didn't. [David]
o Insert a path separator in returned paths in init_scandir on
Windows. Otherwise options such as "--scripts=scripts" (where
scripts is a directory) were failing with error messages about being
unable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be
"C:\Nmap\scripts\anonFTP.nse"). [David]
o Add some "local" declarations to xamppDefaultPass.nse to avoid
errors like: "SCRIPT ENGINE: [string "Global Access"]:1: Attempted
to change the global 'socket' ..." [David]
o NSE "shortports" function now by default matches ports in the
"open|filtered" state as well as "open" ones. [Diman]
o Nsock msevent_new and msevent_delete calls fixed to handle NULL I/O
descriptors. This should fix a reported bus error crash. [Diman]
o Prevent old bit.dll and pcre.dll files from being installed in
nselib directory by Windows executable installer. Bit.dll is still
installed in nselib-bin where it belongs. Thanks to Rob Nicholls for
reporting the problem. [Fyodor]
4.49RC5 [2007-12-8]
o Don't install the orphaned and incomplete Zenmap HTML documentation.
Instead point to the Nmap documentation site, which is provides more
comprehensive and up-to-date Nmap docs. We're rapidly improving the
online Zenmap docs as well. Of course the Nmap and (new!) Zenmap
man pages are still installed on Unix. [Fyodor]
o Fix mswin32/Makefile so that the new nselib-bin directory is
properly included in the Nmap win32 zipfile distribution. Thanks
to Rob Nicholls for reporting the problem. [Fyodor]
o Fix host reason reported when the target is found to be "down" due
to no response. Nmap now reports "no-response" rather than
"unknown-reason" [Kris]
4.49RC4 [2007-12-7]
o David did a huge OS fingerprint integration marathon, going through
all of your submissions (more than 1600) since August 20. The 2nd
generation database has grown more than 30% to 1,085 entries! Many
of the existing fingerprints were improved as well. Notable new or
greatly improved entries include the iPhone, iPod Touch, Mac OS X
Leopard FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70,
E90, N95), and OpenBSD 4.2. Of course there were all manner of new
printers, cable/DSL routers, switches, enterprise routers, IP
phones, cell phones and a heap of obscure equipment such as the
BeaconMedaes medical gas alarm. Windows Vista fingerprints were
also improved significantly. Please keep those OS fingerprint
submissions and corrections coming!
o Doug integrated all of your version detection fingerprints and
corrections since October 4. The DB now has an incredible 4,542
signatures for 449 service protocols. The service protocols with
the most signatures are http (1,473), telnet (459), ftp (423), smtp
(327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46)
and nntp (44).
o Included the netbios-smb-os-discovery.nse script which uses NetBIOS
and SMB queries to guess OS version. This script was written by
Judy Novak and contributed by Sourcefire.
o Canonicalized the interface type numbers used internally by
libdnet. Also Libdnet now recognizes devices with type
INTF_TYPE_IEEE80211 as Ethernet devices. This ought to make
wireless network scanning work on Windows Vista. For more background
see http://seclists.org/nmap-dev/2007/q4/0391.html. [David]
o Documented the "--script all" option in the man page and NSE
article. This option executes all scripts in the NSE database
regardless of category. [Fyodor]
o NSE scripts can now be specified by name without the .nse
extension. So instead of using "--script
bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can
just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]
o Removed some auto-generated files from the new nselib-bin directory
as they could cause compatibility problems. Also updated
mswin32/Makefile to reflect the new nselib-bin DLL location [David]
o ripeQuery.nse was updated to avoid printing some useless
information. [Kris]
o Compatibility with systems that have the pcre.h header file in its
own pcre directory should now be fixed for real. [Fyodor]
o Enhanced the radmind service detection signature and added a
deprecated radmind port to nmap-services. [Matt Selsky]
o Zenmap now gives better errors to stdout when it can't even pop up a
dialog box (such as when PyGTK can't be loaded). [David]
o Fixed a Zenmap crash which occurred on Mac OS X and possibly other
platforms. The error message said: "object of type
'ScanHostDetailsPage' has no len()". [David]
o Fixed a crash which occurred when an NSE script called
set_port_version() at times that version scanning was not
enabled. [Diman]
o Fixed the NSIS installer so that it does not include some excess
files (mswin32/* and .svn). Thanks to Alan Jones for reporting the
problem. [Fyodor]
o Renamed some Zenmap Python packages to allow Zenmap and Umit to be
installed at the same time. [David]
o Updated nmap-mac-prefixes with the latest IEEE data. Also added
back Cooperative Linux virtual NIC which was inadvertently removed in
a previous release. [Fyodor]
4.23RC3 [2007-11-27]
o Zenmap now has a man page! It isn't very long yet, but covers the
basics. Thanks to David for writing this.
o A new NSE script, promiscuous.nse, scans devices on a local network
looking for sniffers (devices running in promiscuous mode). This
script is from Marek Majkowski and is the first to use the NSE pcap
extension system (which he also wrote). The script is only in the
discovery category for now so it does not run by default. Specify
it by name for now. We may make it default after the upcoming
stable release.
o Nmap can now handle IP aliases on Windows. A given device such as
eth0 might have several IP addresses. Nmap will use the primary
address, so you need to use -S if you want to specify a different
one. [David]
o An exception (rather than luaL_argerror) is now thrown when an SSL
connection is attempted but OpenSSL isn't available. [David]
o There is now an nmap.have_ssl NSE function so you can avoid doing
NSE probes when SSL isn't available. [David]
o Zenmap gives clearer error messages when an import error occurs or
Zenmap's dump files aren't found. [David]
o Zenmap now looks for its data files relative to the directory of the
zenmap script to allow running from the build/svn directory. [David]
o NSE C modules are now installed into an nselib-bin directory. This
was needed to make the dns-test-open-recursion and zoneTrans NSE
scripts work properly, since they use the NSE bit library
(bit.so). [Diman, Fyodor]
o Axillary autoconf scripts such as config.guess, config.sub,
depcomp, install-sh, and ltmain.sh were deleted from Nmap
subdirectories because configure is smart enough to use the ones from
the parent directory. This decreases the Nmap source tarball and svn
checkout sizes. [David]
o Nmap now compiles on systems which have the libPCRE include file in
pcre/pcre.h rather than just pcre.h. Thanks to Lionel Cons for the
report. [Fyodor]
o Nmap binary is now stripped again, but it now uses -x to avoid
stripping dynamically loaded NSE functions on Mac OS X. [David]
o Normalized Zenmap's handling of results files specified on the
command line. In some cases, Zenmap would ignore specified results
files just because some unrelated options were used. [David]
o configure.ac now uses literal directory names rather than variable
references in calls to AC_CONFIG_SUBDIRS. This removes an annoying
warning message which has existed for years when you regenerate
configure. [David]
o Fixed a configure.ac error which prevented you from specifying an
alternative libnsock directory. [David]
o Check for Python in configure only if Zenmap is requested, and bail
out if Zenmap is explicitly requested (--with-zenmap) and Python is
not available. [David]
o Removed some unimplemented Zenmap command-line options and function
calls. [David]
4.23RC2 [2007-11-18]
o Static code analysis company Coverity generously offered to scan the
Nmap code base for flaws, and Kris volunteered to go through their
report and fix the ones which were actual/possible problems rather
than false positives. Their system proved quite useful, and about a
dozen potential problems were fixed. For details, see Kris'
11/15/07 SVN commits.
o Improved the Zenmap RPM file so that it should work on either Python
2.4 or Python 2.5 machines. It should also work on any platform (x86,
x86_64, etc.) [David]
o WinPcap updated from version 4.0.1 to the new 4.0.2 release. [David]
o Added PPTP version detection NSE script (PPTPversion.nse) from
Thomas Buchanan. Nmap now ships with 38 NSE scripts.
o A number of Solaris compilation fixes were added. Hopefully it
works for more Solaris users now. We also fixed an alignment issue
which could cause a bus error on Solaris. [David]
o When an NSE script changes the state of a port (e.g. from
open|filtered to open), the --reason flag is now changed to
"script-set". Also, the port state reason is now available to NSE
scripts through a "reason" element in the port-table. Thanks to
Matthew Boyle for the patch.
o When version detection changes the state of a port, the reason field
is now updated as well (to udp-response or tcp-response as
applicable). Thanks to Thomas Buchanan for the patch.
o Reworded an error message after a woman reported that it was "highly
offensive and sexist". She also noted that "times have changed and
many women now use your software" and "a sexist remark like the one
above should have no place in software." The message was: "TCP/IP
fingerprinting (for OS scan) requires root privileges. Sorry,
dude.". I checked svn blame to call out the insensitive,
chauvinistic jerk who wrote that error message, but it was me :).
o We received a bug report through Debian entitled "Nmap is a
clairvoyant" because when you run it with -v on September 1 1970, it
reports "Happy -27th Birthday to Nmap, may it live to be 73!". We
have decided that clairvoyance is a feature and ignored the report.
o We no longer strip the Nmap binary before installing it, as that was
leading to a runtime error on Mac OS X: "lazy symbol binding failed:
Symbol not found: _luaL_openlib". Unfortunately, the unstripped
Nmap binary can be much larger (e.g. 4MB vs. 800KB) so we are
working on a better fix which allows us to continue stripping the
binary on other platforms.
o Zenmap configuration/customization files renamed from ~/.umit to
~/.zenmap and umit.conf to zenmap.conf, etc. [David]
o Fixed a Zenmap bug where if you try to edit a profile and then
click cancel, that profile ends up deleted. [Luis A. Bastiao]
o The NSE shortport rules now allow for multiple matching states
(e.g. open or open|filtered) to be specified. This silently failed
before. [Eddie]
o Regenerate configure scripts with Autoconf 2.61 and update
config.guess and config.sub files with the latest versions from
http://cvs.savannah.gnu.org/viewvc/config/?root=config . [David]
4.23RC1 [2007-11-10]
o NmapFE is now gone. It had a good run as the default Nmap GUI
for more than 8 years (since April 1999). But after two years of
development, Zenmap is ready to take its place. Zenmap is portable
and provides a much better interface to executing and (especially)
viewing and analyzing Nmap results. David did the honors of
removing NmapFE.
o We have lost another old friend as well: 1st generation OS
detection system. Nmap revolutionized OS detection when this was
released in October 1998 and it served us well for more than 9 years
as the database grew to 1,684 fingerprints. But the 2nd generation
system incorporates everything we learned during all those years and
has proven itself even more effective. I couldn't bear to kill this
myself, so David did the dirty work.
o There is no longer any artificial limit on the number of ports or
protocols that can be used for host discovery. Port lists for ping
scan now use the same syntax as the -p option except that T:, U:,
and P: are not allowed. This means that you can do
nmap -PS1-1000 target
nmap -PAhttp,https target
nmap -PU'[-]' target
[David]
o Zenmap is now available packaged in RPM format. Since Zenmap is
written in Python, we no longer have to have separate x86 and x86_64
versions like we did with NmapFE (and like we still do with
Nmap). [David]
o Fixed a crash (assertion failure) which could occur during ARP Ping
scan [Kris]
o Fixed Zenmap so that it can handle asterisks in the command line
(e.g. "nmap 192.168.*.*" or "nmap -phttp* localhost") [David]
o Change the Zenmap bug report dialogue to now give instructions for
reporting issues to nmap-dev. [David]
o Modified higwidgets/higdialogs.py for compatibility with old
versions of PyGTK. [David]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
o Fixed a number of spelling errors in the Reference Guide (man page)
[Doug]
4.22SOC8 [2007-10-28]
o Removed the old massping() system, since the functionality has now
been migrated into the existing ultra_scan() system (which is used
for port scanning too). Thanks to David for doing the migration,
which involved a lot of work and testing. The new system is
frequently faster and more accurate than massping(), and some of the
new algorithms benefit port scans too.
o Renamed Umit to Zenmap to reduce confusion between the version we
ship with Nmap as the integrated GUI and the version maintained
separately at umit.sourceforge.net. We are excited about Zenmap and
expect to remove NmapFE in the near future
o Integrated all of your Q3 service detection submissions! We have
now surpassed 4500 signatures and are approaching 500 service
protocols. Wow! Thanks to Doug for doing the integration. His
notes on the crazy and interesting services discovered this quarter
are at http://hcsw.org/blog.pl/31 .
o Added a new ping type: IPProto Ping. Use -PO (that is the letter O
as in prOtOcOl, not a zero). This is similar to protocol scan (-sO)
in that it sends IP headers with different protocols in the hope of
eliciting a response from targets. The default is to send with
protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP tunnel), but you can
specify different protocol numbers on the command line the same way
you specify TCP/UDP ports to -PS or -PU. To reduce confusion, we now
recommend that -PN be used when you don't want pings done rather
than using the old -P0 (zero). [Kris]
o The SMTPcommands.nse script was updated to support the HELP query in
addition to EHLO [Jason DePriest]
o Added --ttl support for connect() scans (-sT). [Kris]
o Combine the Zenmap setup scripts into one portable setup.py rather
than having separate versions for Windows, Unix, and Mac OS X.
o Removed a bunch of unnecessary/incomplete code and data files from
Zenmap. [ David]
o In Nbase, switched from GNU's getopt() replacement functions to
Ben Sittler's BSD-licensed (but GNU compatible) functions. [Kris]
o Include nmap.h in portreasons.h. This fixes a compilation problem
reported on OpenBSD. [David]
o Change PCRE from an NSELib module back to statically linked code due
to OpenBSD compilation problems. See
http://seclists.org/nmap-dev/2007/q4/0085.html [David]
o Fix a problem with --reason printing the wrong host discovery
reasons when ICMP destination unreachable packets arrived. [Kris]
o Nmap has better dependency tracking now such that it no longer
builds the executable every time you type 'make'. This was causing
problems where 'make; sudo make install' would create a root-owned
nmap executable because it was rebuilt as part of 'make
install'. [David]
4.22SOC7 [2007-10-11]
o Integrated all of your OS detection new fingerprint submissions and
correction reports. The grew more DB more than 18% to 825
fingerprints. Keep those submissions coming! [David]
o Made a number of significant improvements to host discovery
algorithms for better performance and reliability. [David]
o Fixed a bug which prevented the first OS detection guess from being
included in XML output. This only applies when no exact matches
were found. Thanks to Martyn Tovey of Netcraft for reporting the
problem and helping to track it down in the code.
o Improve the script scan scheduling system to prevent the system from
running out of sockets by executing too many scripts concurrently
during large scans. Thanks to Brandon Enright for finding the bug
and Stoiko for fixing it.
o Added nmap.verbosity() and nmap.debugging() functions for scripts to
determine the Nmap verbosity/debugging level. [Kris]
o Fixed a crash (assertion error) which occurred when the first hop of
the first system (reference trace) times out. [Eddie]
o UMIT no longer rewrites a bunch of script files to replace variables
such as VERSION and REVISION in the SVN working directory. [David,
Adriano]
o UMIT icon loading code simplified and made platform
independent. [David]
o Removed PIL dependency from UMIT package generation system. We now
use GTK to put the version number in the splash screen. [Adriano]
o UMIT no longer crashes just because documentation files are
missing. [Adriano]
o Removed unnecessary recent_scans.txt and target_list.txt files from
UMIT. Some unnecessary copies of Nmap data files were removed as
well. [David, Adriano]
o Updated the *.dmp preprocessed Nmap data files used by UMIT, and
also updated the scripts used to create them. [David]
o Winpcap installer was updated so that on Windows Vista it uses a
different Packet.dll and omits WanPacket.dll. [Eddie]
o Unix installation now places NSELib dynamic libraries in 'libexec'
rather than 'share' directories, since they are architecture
dependent. Thanks to Christoph J. Thompson for the patch.
o Fix bug related to users providing custom libpcre location to
configure (reported by Daniel Johnson, fixed by Stoiko). A patch
from Marek Majkowski which caps the number of sockets opened by NSE
scripts was also applied.
o The UMIT version number is automatically updated to be the same as
the Nmap version number rather than always being 0.9.4. [David]
o UMIT now sorts port numbers numerically rather than alphabetically
[Adriano]
o Three UMIT data files (options.xml, profile_editor.xml, and
wizard.xml) are installed in the shared UMIT data directory
(e.g. /usr/share/umit/misc) rather than in every user's ~/.umit
directory. [David]
o Added HTTPtrace demo NSE script by Kris, who also updated his
HTTPpasswd script.
o A bunch of capitalization/spelling canonicalization changes were
made to Nmap output. For example: ftp to FTP and idlescan to
idle scan.
o Made some improvements to the nmap.xsl stylesheet for converting
Nmap XML results to HTML reports. It now does a better job at
removing empty sections and headers. Thanks to Henrik Lund Kramshoej
for the patch.
o Updated nmap-mac-prefixes with the latest IEEE data.
o Disabled auto-generation of libpcre/pcre_chartables.c because that
was useless for our purposes and could also cause some version
control related problems. [David]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
4.22SOC6 [2007-8-29]
o Included David's major massping migration project. The same
underlying engine is now uses for ping scanning as for port
scanning. We hope this will lead to better performance and
accuracy, as well as helping to de-bloat Nmap. Please test it out
and report your results to nmap-dev! For more details, see
http://seclists.org/nmap-dev/2007/q3/0277.html
o Fixed UMIT bug which occurred when installing to a non-standard
directory (e.g. a home directory). This caused Python to not be able
to find the necessary files. [Kris]
o Added an NSE script (HTTPpasswd.nse) for finding directory traversal
problems and /etc/password files on web servers. [Kris]
o Fixed an error related to version scans against SSL services on
UNIX. The error said "nsock_connect_ssl called - but nsock was
built w/o SSL support. QUITTING". Thanks to Jason DePriest for
tracking down the problem and David Fifield for fixing it.
o Removed win_dependencies cruft from UMIT directory. [Kris]
o Upgraded Libpcap from version 0.9.4 to 0.9.7 [Kris]
o Removed the effectively empty XML elements for traceroute hops which
timed out. [Eddie]
o Fixed (I hope) a problem with running Nmap on Mac OS X machines with
VMWare Fusion running. The error message started with:
"getinterfaces: Failed to open ethernet interface (vmnet8). A
possible cause on BSD operating systems is running out of BPF
devices ...." For more details, see
http://seclists.org/nmap-dev/2007/q3/0254.html.
o Check that --script arguments are reasonable when Nmap starts rather
than potentially waiting for a bunch of port scanning to finish
first. [Stoiko]
o Fixed (we hope) a UMIT problem which resulted in the error message:
"NameError: global name 'S_IRUSR' is not defined". [Adriano]
o Removed an error message which used to appear when you quit UMIT on
Windows. The message used to say "Errors occurred - See the logfile
[filename] for details." [Adriano]
o Fix permissions on files installed by Umit so that it should work
even if you do 'make install' from an account with a 077 umask.
o Add a feature to Umit that lets you search your unsaved
scans. [Eddie]
o Added back a previously removed feature which allows you to specify
'rnd' as one of your decoys (-D option) to let Nmap choose a random
IP. You also use a format such as rnd:5 to generate five random
decoys. [Kris]
o Reference guide (man page) updates to the NSE section, and some
general cleanup.
o When Nmap finishes, it now says "Nmap done" rather than "Nmap run
completed". No need to waste pixels on excess verbiage.
4.22SOC5 [2007-8-18]
o The Windows installer should actually install UMIT properly now.
o Remove umit.db from the installation process. Let Umit create a new
one on its own when needed.
o Fixed the UMIT portion of the Windows installer build system to
detect certain heinous errors (like not being able to find Python)
and bail out. [Kris]
o Prevent scripts directory from containing .svn cruft when using the
Win32 installer (thanks to David Fifield for the patch).
4.22SOC3 [2007-8-16]
o Umit is now included in the Nmap Windows executable installer.
Please give it a try and let us know what you think! Kris put a lot
of work into getting this set up.
o Added four new NSE scripts: HTTP proxy detection (Arturo 'Buanzo'
Busleiman), DNS zone transfer attempt (Eddie), detecting SQL
injection vulnerabilities on web sites (Eddie), and fetching and
displaying portions of /robots.txt from web servers (Eddie).
o All of your 2nd Quarter 2007 Nmap version detection fingerprints
were integrated by Doug. The DB now contains 4,347 signatures for
439 service protocols. Doug describes the highlights (craziest
services found) in his integration report at
http://hcsw.org/blog.pl/29 .
o NSE now supports raw IP packet sending and receiving thanks to a
patch from Marek Majkowski. Diman handled testing and applied the
patch.
o Nmap now has Snprintf() and Vsnprintf() as safer alternatives to the
standard version. The problem is that the Windows version of these
functions (_snprintf, _vsnprintf) doesn't properly terminate strings
when it has to truncate them. These wrappers ensure that the string
written is always truncated. Thanks to Kris for doing the work.
o Upgraded libpcre from version 6.7 to 7.2 [Kris]
o Merged various Umit bug fixes from SourceForge trunk: "missing import
webbrowser on umit", "Missing markup in 'OS Class' on
HostDetailsPage", "some command line options are now working
(target, profile, verbose, open result file and run an nmap
command)", "removing unused functions import from os.path",
"verbosity works on command line"
o Eddie fixed several Umit bugs. Umit now sets the file save
extension to .usr unless the user specifies something else. The
details highlight regular expression was improved and an error message was added
when no target was specified and -iR and -iL aren't used.
o reason.cc/reason.h renamed to portreasons.cc/.h because a reason.h
in the Windows platform SDK was causing conflicts. [Kris]
o Fixed a bug in --iflist which would lead to crashes. Thanks to
Michael Lawler for the report, and Eddie for the fix.
o Finished updating Winpcap to 4.01 (a few static libraries were
missed) [ Eddie ]
o Added NSE support for buffered data reads. [Stoiko]
o Added new --script-args option for passing arguments to NSE scripts
[Stoiko]
o Performed a bunch of OS fingerprint text canonicalization thanks to
reports of dozens of capitalization inconsistencies from Suicidal Bob.
o Fixed an assertion failure which could be experienced when script
scan was requested without also requesting version scan. [Stoiko]
o Fixed an output bug on systems like Windows which return -1 when
vsnprintf is passed a too-small buffer rather than returning the
size needed. Thanks to jah (jah(a)zadkiel.plus.com) for the report.
o Added sys/types.h include to portreasons.h to help OpenBSD compilation.
Thanks to Olivier Meyer for the patch.
o Many hard coded function names and instances of __FUNCTION__ were
changed to __func__ [Kris]
o Configure scripts for Nmap, Nbase, and Nsock were optimized to
remove redundant checks. This improves compilation time
performance. [Eddie]
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
4.22SOC2 [2007-7-11]
o NSE compilation fixes by Stoiko and Kris
4.22SOC1 [2007-7-8]
o The UMIT graphical Nmap frontend is now included (as an ALPHA TEST
release) with the Nmap tarball distribution. It isn't yet in the
RPMs or the Windows distributions. UMIT is written with Python/GTK
and has many huge advantages over NmapFE. It installs from the Nmap
source tarballs as part of the "make install" process unless you
specify --without-umit to configure. Please give UMIT a try (the
executable is named umit) and let us know the results! We hope to
include UMIT in the Windows Nmap distributions soon.
o Added more Nmap Scripting Engine scripts, bringing the total to 31.
The new ones are bruteTelnet (Eddie Bell), SMTPcommands (Jason
DePriest), iax2Detect (Jason), nbstat (Brandon Enright),
SNMPsysdescr (Thomas Buchanan), HTTPAuth (Thomas), finger (Eddie),
ircServerInfo (Doug Hoyte), and MSSQLm (Thomas Buchanan).
o Added the --reason option which explains WHY Nmap assigned a port
status. For example, a port could be listed as "filtered" because
no response was received, or because an ICMP network unreachable
message was received. [ Eddie ]
o Integrated all of your 2nd generation OS detection submissions,
increasing the database size by 68% since 4.21ALPHA4 to 699
fingerprints. The 2nd generation database is now nearly half (42%)
the size of the original. Please keep those submissions coming so
that we can do another integration round before the SoC program ends
on August 20! Thanks to David Fifield for doing most of the
integration work!
o Integrated version detection submissions. The database has grown by
more than 350 signatures since 4.21ALPHA4. Nmap now has 4,236
signatures for 432 service protocols. As usual, Doug Hoyte deserves
credit for the integration marathon, which he describes at
http://hcsw.org/blog.pl .
o Added the NSE library (NSELib) which is a library of useful
functions (which can be implemented in LUA or as loadable C/C++
modules) for use by NSE scripts. We already have libraries for bit
operations (bit), list operations (listop), URL fetching and
manipulation (url), activation rules (shortport), and miscellaneous
commonly useful functions (stdnse). Stoiko added the underlying
functionality, though numerous people contributed to the library
routines.
o Added --servicedb and --versiondb command-line options which allow
you to specify a custom Nmap services (port to port number translation
and port frequency) file or version detection database. [ David
Fifield ]
o The build dependencies were dramatically reduced by removing
unnecessary header includes and moving header includes from .h
files to .cc as well as adding some forward declarations. This
reduced the number of makefile.dep dependencies from 1469 to 605.
This should make Nmap compilation faster and prevent some
portability problems. [David Fifield]
o Upgraded from WinPcap 3.1 to WinPcap 4.01 and fixed a WinPcap installer
error. [Eddie]
o In verbose mode, Nmap now reports where it obtains data files (such as
nmap-services) from. [David Fifield]
o Canonicalized a bunch of OS classes, device types, etc. in the OS
detection and version scanning databases so they are named
consistently. [Doug]
o If we get a ICMP Protocol Unreachable from a host other than our
target during a port scan, we set the state to 'filtered' rather than
'closed'. This is consistent with how port unreachable errors work for
udp scan. [Kris]
o Relocated OSScan warning message (could not find 1 closed and 1 open
port). Now output.cc prints the warning along with a targets OSScan
results. [Eddie]
o Fixed a bug which caused port 0 to be improperly used for gen1 OS
detection in some cases when your scan includes port 0 (it isn't
included by default). Thanks to Sebastian Wolfgarten for the report
and Kris Katterjohn for the fix.
o The --iflist table now provides Winpcap device names on
Windows. [Eddie]
o The Nmap reference guide (man page) DocBook XML source is now in the
SVN repository at svn://svn.insecure.org/nmap/docs/refguide.xml .
o NSE now has garbage collection so that if you forget to close a
socket before exiting a script, it is closed for you. [Stoiko]
o The [portused] tag in XML output now provides the open TCP port used
for OS detection as well as the closed TCP and UDP ports which were
reported previously. [Kris]
o XML output now has a [times] tag for reporting final time
information which was already printed in normal output in verbose
mode (round trip time, rtt variance, timeout, etc.) [Kris]
o Changed the XML output format so that the [extrareasons] tag (part
of Eddie's --reason patch) falls within the [extraports] tag. [Kris]
o Nmap now provides more concise OS fingerprints for submission thanks
to better merging. [David Fifield]
o A number of changes were made to the Windows build system to handle
version numbers, publisher field, add/remove program support,
etc. [Eddie]
o The Nmap -A option now enables the traceroute option too [Eddie]
o Improved how the Gen1 OS Detection system selects which UDP ports to
send probes to. [Kris]
o Updated nmap-mac-prefixes to latest IEEE data as of 5/18/07. Also
removed some high (greater than 0x80) characters from some company
names because they were causing this error on Windows when Nmap is
compiled in Debug mode:
isctype.c Line 56: Expression: (unsigned)(c + 1) <= 256".
Thanks to Sina Bahram for the initial report and Thomas Buchanan for
tracking down the problem.
o Added a SIP (IP phone) probe from Matt Selsky to nmap-service-probes.
o Fixed a bug which prevented the NSE scripts directory from appearing
in the Win32 .zip version of Nmap.
o Fixed a bug in --traceroute output. It occurred when a traced host could
be fully consolidated, but only the first hop number was outputted. [Kris]
o The new "rnd" option to -D allows you to ask Nmap to generate random
decoy IPs rather having to specify them all yourself. [Kris]
o Fixed a Traceroute bug relating to scanning through the localhost
interface on Windows (which previously caused a crash). Thanks to
Alan Jones for the report and Eddie Bell for the fix.
o Fixed a traceroute bug related to tracing between interfaces of a
multi-homed host. Thanks to David Fifield for reporting the problem
and Eddie Bell for the fix.
o Service detection (-sV) and OS detection (-O) are now (rightfully)
disabled when used with the IPProto Scan (-sO). Using the Service
Scan like this led to premature exiting, and the OS Scan led to gross
inaccuracies. [Kris]
o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
4.21ALPHA4 [2007-3-20]
o Performed another big OS detection run. The DB has grown almost 10%
to 417 fingerprints. All submissions up to February 6 have been
processed. Please keep them coming!
o Fixed XML output so that the opening [os] tag is printed again. The
line which prints this was somehow removed when NSE was integrated.
Thanks to Joshua Abraham for reporting the problem.
o Fixed a small bug in traceroute progress output which didn't
properly indicate completion. [Kris]
o Fixed a portability problem related to the new traceroute
functionality so that it compiles on Mac OS X. Thanks to Christophe
Thil for reporting the problem and sending the 1-line fix.
o Updated nmap-mac-prefixes to include the latest MAC prefix (OUI)
data from the IEEE as of March 20, 2007.
4.21ALPHA3 [2007-3-16]
o Just fixed a packaging problem with the 4.21ALPHA2 release (thanks
to Alan Jones for reporting it).
4.21ALPHA2 [2007-3-15]
o Performed a huge OS detection submission integration marathon. More
than 500 submissions were processed, increasing the 2nd generation
OS DB size 65% to 381 fingerprints. And many of the existing ones
were improved. We still have a bit more than 500 submissions (sent
after January 16) to process. Please keep those submissions coming!
o Integrated all of your Q32006 service fingerprint submissions. The
nmap-service-probe DB grew from 3,671 signatures representing 415
service protocols to 3,877 signatures representing 426 services. Big
thanks to version detection czar Doug Hoyte for doing this. Notable
changes are described at http://hcsw.org/blog.pl?a=20&b=20 .
o Nmap now has traceroute support, thanks to an excellent patch by
Eddie Bell. The new system uses Nmap data to determine which sort of
packets are most likely to slip through the target network and
produce useful results. The system is well optimized for speed and
bandwidth efficiency, and the clever output system avoids repeating
the same initial hops for each target system. Enable this
functionality by specifying --traceroute.
o Nmap now has a public Subversion (SVN) source code repository. See
the announcement at http://seclists.org/nmap-dev/2006/q4/0253.html
and then the updated usage instructions at
http://seclists.org/nmap-dev/2006/q4/0281.html .
o Fixed a major accuracy bug in gen1 OS detection (some debugging code
was accidentally left in). Thanks to Richard van den Berg for finding
the problem.
o Changed the IP protocol scan so that it sends proper IGMP headers when
scanning that protocol. This makes it much more likely that the host
will respond, proving that it's "open". [Kris]
o Improved the algorithm for classifying the TCP timestamp frequency
for OS detection. The new algorithm is described at
http://nmap.org/osdetect/osdetect-methods.html#osdetect-ts .
o Fixed the way Nmap detects whether one of its data files (such as
nmap-services) exists and has permissions which allow it to be read.
o Added a bunch of nmap-services port listings from Stephanie Wen.
o Update IANA assignment IP list for random IP (-iR) generation.
Thanks to Kris Katterjohn for the patch.
o Fix nmap.xsl (the transform for rendering Nmap XML results as HTML)
to fix some bugs related to OS detection output. Thanks to Tom
Sellers for the patch.
o Fixed a bug which prevented the --without-liblua compilation option
from working. Thanks to Kris Katterjohn for the patch.
o Fixed a bug which caused nmap --iflist to crash (and might have
caused crashes in other circumstances too). Thanks to Kris
Katterjohn for the report and Diman Todorov for the fix.
o Applied a bunch of code cleanup patches from Kris Katterjohn.
o Some scan types were fixed when used against localhost. The UDP Scan
doesn't find it's own port, the TCP Scan won't print a message (with -d)
about an unexpected packet (for the same reason), and the IPProto Scan
won't list every port as "open" when using --data-length >= 8. [Kris]
o The IPProto Scan should be more accurate when scanning protocol 17 (UDP).
ICMP Port Unreachables are now checked for, and UDP is listed as "open"
if it receives one rather than "open|filtered" or "filtered". [Kris]
o The --scanflags option now also accepts "ECE", "CWR", "ALL" and "NONE" as
arguments. [Kris]
o The --packet-trace option was added to NmapFE. The Ordered Ports (-r)
option in now available to non-root users on NmapFE as well. [Kris]
4.21ALPHA1 [2006-12-10]
o Integrated the Nmap Scripting Engine (NSE) into mainline Nmap.
Diman Todorov and I have been working on this for more than six months, and
we hope it will expand Nmap's capabilities in many cool ways. We're
accepting (and writing) general purpose scripts to put into Nmap
proper, and you can also write personal scripts to deal with issues
specific to your environment. The system is documented at
http://nmap.org/nse/ .
o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of December 7.
4.20 [2006-12-7]
o Integrated the latest OS fingerprint submissions. The 2nd
generation DB size has grown to 231 fingerprints. Please keep them
coming! New fingerprints include Mac OS X Server 10.5 pre-release,
NetBSD 4.99.4, Windows NT, and much more.
o Fixed a segmentation fault in the new OS detection system
which was reported by Craig Humphrey and Sebastian Garcia.
o Fixed a TCP sequence prediction difficulty indicator bug. The index
is supposed to go from 0 ("trivial joke") to about 260 (OpenBSD).
But some systems generated ISNs so insecurely that Nmap went
berserk and reported a negative difficulty index. This generally
only affects some printers, crappy cable modems, and Microsoft
Windows (old versions). Thanks to Sebastian Garcia for helping me
track down the problem.
4.20RC2 [2006-12-2]
o Integrated all of your OS detection submissions since RC1. The DB
has increased 13% to 214 fingerprints. Please keep them coming!
New fingerprints include versions of z/OS, OpenBSD, Linux, AIX,
FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and
misc. devices. We also got our first Windows 95 fingerprint,
submitted anonymously of course :).
o Fixed (I hope) the "getinterfaces: intf_loop() failed" error which
was seen on Windows Vista. The problem was apparently in
intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to
MAX_IF_TYPE rather than 32). Thanks to Dan Griffin
(dan(a)jwsecure.com) for tracking this down!
o Applied a couple minor bug fixes for IP options
support and packet tracing. Thanks to Michal Luczaj
(regenrecht(a)o2.pl) for reporting them.
o Incorporated SLNP (Simple Library Network Protocol) version
detection support. Thanks to Tibor Csogor (tibi(a)tiborius.net) for
the patch.
4.20RC1 [2006-11-20]
o Fixed (I hope) a bug related to Pcap capture on Mac OS X. Thanks to
Christophe Thil for reporting the problem and to Kurt Grutzmacher
and Diman Todorov for helping to track it down.
o Integrated all of your OS detection submissions since ALPHA11. The
DB has increased 27% to 189 signatures. Notable additions include
the Apple Airport Express, Windows Vista RC1, OpenBSD 4.0, a Sony
TiVo device, and tons of broadband routers, printers, switches, and
Linux kernels. Keep those submissions coming!
o Upgraded the included LibPCRE from version 6.4 to 6.7. Thanks to
Jochen Voss (voss(a)seehuhn.de) for the suggestion (he found some bugs
in 6.4)
4.20ALPHA11 [2006-11-2]
o Integrated all of your OS detection submissions, bringing the
database up to 149 fingerprints. This is an increase of 28% from
ALPHA10. Notable additions include FreeBSD 6.1, a bunch of HP
LaserJet printers, and HP-UX 11.11. We also got a bunch of more
obscure submissions like Minix 3.1.2a and "Ember InSight Adapter for
programming EM2XX-family embedded devices". Who doesn't have a few
of those laying around? I'm hoping that all the obscure submissions
mean that more of the mainstream systems are being detected out of
the box! Please keep those submissions (obscure or otherwise)
coming!
4.20ALPHA10 [2006-10-23]
o Integrated tons of new OS fingerprints. The DB now contains 116
fingerprints, which is up 63% since the previous version. Please keep
the submissions coming!
4.20ALPHA9 [2006-10-13]
o Integrated the newly submitted OS fingerprints. The DB now contains
71 fingerprints, up 27% from 56 in ALPHA8. Please keep them coming!
We still only have 4.2% as many fingerprints as the gen1 database.
o Added the --open option, which causes Nmap to show only open ports.
Ports in the states "open|closed" and "unfiltered" might be open, so
those are shown unless the host has an overwhelming number of them.
o Nmap gen2 OS detection used to always do 2 retries if it fails to
find a match. Now it normally does just 1 retry, but does 4 retries
if conditions are good enough to warrant fingerprint submission.
This should speed things up on average. A new --max-os-tries option
lets you specify a higher lower maximum number of tries.
o Added --unprivileged option, which is the opposite of --privileged.
It tells Nmap to treat the user as lacking network raw socket and
sniffing privileges. This is useful for testing, debugging, or when
the raw network functionality of your operating system is somehow
broken.
o Fixed a confusing error message which occured when you specified a
ping scan or list scan, but also specified -p (which is only used for
port scans). Thanks to Thomas Buchanan for the patch.
o Applied some small cleanup patches from Kris Katterjohn
4.20ALPHA8 [2006-9-30]
o Integrated the newly submitted OS fingerprints. The DB now contains
56, up 33% from 42 in ALPHA7. Please keep them coming! We still only
have 3.33% as many signatures as the gen1 database.
o Nmap 2nd generation OS detection now has a more sophisticated
mechanism for guessing a target OS when there is no exact match in the
database (see http://nmap.org/osdetect/osdetect-guess.html )
o Rewrote mswin32/nmap.rc to remove cruft and hopefully reduce some
MFC-related compilation problems we've seen. Thanks to KX
(kxmail(a)gmail.com) for doing this.
o NmapFE now uses a spin button for verbosity and debugging options so
that you can specify whatever verbosity (-v) or debugging (-d) level
you desire. The --randomize-hosts option was also added to NmapFE.
Thanks to Kris Katterjohn for the patches.
o A dozen or so small patches to Nmap and NmapFE by Kris Katterjohn.
o Removed libpcap/Win32 and libpcap/msdos as Nmap doesn't use them.
This reduces the Nmap tar.bz2 by about 50K. Thanks to Kris Katterjohn
for the suggestion.
4.20ALPHA7 [2006-9-12]
o Did a bunch of Nmap 2nd generation fingerprint integration work.
Thanks to everyone who sent some in, though we still need a lot more.
Also thanks to Zhao for a bunch of help with the integration tools.
4.20ALPHA6 had 12 fingerprints, this new version has 42. The old DB
(still included) has 1,684.
o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of September 6, 2006.
Also added the unregistered PearPC virtual NIC prefix, as suggested
by Robert Millan (rmh(a)aybabtu.com).
o Applied some small internal cleanup patches by Kris Katterjohn.
4.20ALPHA6 [2006-9-2]
o Fixed a bug in 2nd generation OS detection which would (usually) prevent
fingerprints from being printed when systems don't respond to the 1st
ICMP echo probe (the one with bogus code value of 9). Thanks to
Brandon Enright for reporting and helping me debug the problem.
o Fixed some problematic Nmap version detection signatures which could
cause warning messages. Thanks to Brandon Enright for the initial patch.
4.20ALPHA5 [2006-8-31]
o Worked with Zhao to improve the new OS detection system with
better algorithms, probe changes, and bug fixes. We're
now ready to start growing the new database! If Nmap gives you
fingerprints, please submit them at the given URL. The DB is still
extremely small. The new system is extensively documented at
http://nmap.org/osdetect/ .
o Nmap now supports IP options with the new --ip-options flag. You
can specify any options in hex, or use "R" (record route), "T"
(record timestamp), "U") (record route & timestamp), "S [route]"
(strict source route), or "L [route]" (loose source route). Specify
--packet-trace to display IP options of responses. For further
information and examples, see http://nmap.org/man/ and
http://seclists.org/nmap-dev/2006/q3/0052.html . Thanks to Marek
Majkowski for writing and sending the patch.
o Integrated all 2nd quarter service detection fingerprint
submissions. Please keep them coming! We now have 3,671 signatures
representing 415 protocols. Thanks to version detection czar Doug
Hoyte for doing this.
o Nmap now uses the (relatively) new libpcap pcap_get_selectable_fd
API on systems which support it. This means that we no longer need
to hack the included Pcap to better support Linux. So Nmap will now
link with an existing system libpcap by default on that platform if
one is detected. Thanks to Doug Hoyte for the patch.
o Updated the included libpcap from 0.9.3 to 0.9.4. The changes I
made are in libpcap/NMAP_MODIFICATIONS . By default, Nmap will now
use the included libpcap unless version 0.9.4 or greater is already
installed on the system.
o Applied some nsock bugfixes from Diman Todorov. These don't affect
the current version of Nmap, but are important for his Nmap
Scripting Engine, which I hope to integrate into mainline Nmap in
September.
o Fixed a bug which would occasionally cause Nmap to crash with the
message "log_vwrite: write buffer not large enough". I thought I
conquered it in a previous release -- thanks to Doug Hoyte for finding a
corner case which proved me wrong.
o Fixed a bug in the rDNS system which prevented us from querying
certain authoritative DNS servers which have recursion explicitly
disabled. Thanks to Doug Hoyte for the patch.
o --packet-trace now reports TCP options (thanks to Zhao Lei for the
patch). Thanks to the --ip-options addition also found in this
release, IP options are printed too.
o Cleaned up Nmap DNS reporting to be a little more useful and
concise. Thanks to Doug Hoyte for the patch.
o Applied a bunch of small internal cleanup patches by Kris Katterjohn
(katterjohn(a)gmail.com).
o Fixed the 'distclean' make target to be more comprehensive. Thanks
to Thomas Buchanan (Thomas.Buchanan(a)thecompassgrp.net) for the
patch.
Nmap 4.20ALPHA4 [2006-7-4]
o Nmap now provides progress statistics in the XML output in verbose
mode. Here are some examples of the format (etc is "estimated time
until completion) and times are in UNIX time_t (seconds since 1970)
format. Angle braces have been replaced by square braces:
[taskbegin task="SYN Stealth Scan" time="1151384685" /]
[taskprogress task="SYN Stealth Scan" time="1151384715"
percent="13.85" remaining="187" etc="1151384902" /]
[taskend task="SYN Stealth Scan" time="1151384776" /]
[taskbegin task="Service scan" time="1151384776" /]
[taskend task="Service scan" time="1151384788" /]
Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
o Updated the Windows installer to give an option checkbox for
performing the Nmap performance registry changes. The default is to
do so. Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
o Applied several code cleanup patches from Marek Majkowski.
o Added --release-memory option, which causes Nmap to release all
accessible memory buffers before quitting (rather than let the OS do
it). This is only useful for debugging memory leaks.
o Fixed a bug related to bogus completion time estimates when you
request an estimate (through runtime interaction) right when Nmap is
starting.a subsystem (such as a port scan or version detection).
Thanks to Diman Todorov for reporting the problem and Doug Hoyte for
writing a fix.
o Nmap no longer gets random numbers from OpenSSL when it is available
because that turned out to be slower than Nmap's other methods
(e.g. /dev/urandom on Linux, /dev/arandom on OpenBSD, etc.). Thanks
to Marek Majkowski for reporting the problem.
o Updated the Windows binary distributions (self-installer and .zip)
to include the new 2nd generation OS detection DB (nmap-os-db).
Thanks to Sina Bahram for reporting the problem.
o Fixed the --max-retries option, which wasn't being honored. Thanks
to Jon Passki (jon.passki(a)hursk.com) for the patch.
Nmap 4.20ALPHA3 [2006-6-29]
o Added back Win32 support thanks to a patch by KX
o Fixed the English translation of TCP sequence difficulty reported by
Brandon Enright, and also removed fingerprint printing for 1st
generation fingerprints (I don't really want to deal with those
anymore). Thanks to Zhao Lei for writing this patch.
o Fix a problem which caused OS detection to be done in some cases
even if the user didn't request it. Thanks to Diman Todorov for the
fix.
Nmap 4.20ALPHA2 [2006-6-24]
o Included nmap-os-db (the new OS detection DB) within the release.
Oops! Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for catching
this problem with 4.20ALPHA1.
o Added a fix for the crash in the new OS detection which would come
with the message "Probe doesn't exist! Probe type: 1. Probe subid: 1"
Nmap 4.20ALPHA1 [2006-6-24]
o Integrated initial 2nd generation OS detection patch! The system is
documented at http://nmap.org/osdetect/ . Thanks to Zhao Lei
for helping with the coding and design.
o portlist.cc was refactored to remove some code duplication. Thanks
to Diman Todorov for the patch.
Nmap 4.11 [2006-6-23]
o Added a dozens of more detailed SSH version detection signatures, thanks
to a SSH huge survey and integration effort by Doug Hoyte. The
results of his large-scale SSH scan are posted at
http://seclists.org/nmap-dev/2006/Apr-Jun/0393.html .
o Fixed the Nmap Makefile (actually Makefile.in) to correctly handle
include file dependencies. So if a .h file is changed, all of the
.cc files which depend on it will be recompiled. Thanks to Diman
Todorov (diman(a)xover.mud.at) for the patch.
o Fixed a compilation problem on solaris and possibly other platforms.
The error message looked like "No rule to make target `inet_aton.o',
needed by `libnbase.a'". Thanks to Matt Selsky
(selsky(a)columbia.edu) for the patch.
o Applied a patch which helps with HP-UX compilation by linking in the
nm library (-lnm). Thanks to Zakharov Mikhail
(zmey20000(a)yahoo.com) for the patch.
o Added version detection probes for detecting the Nessus daemon.
Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch.
Nmap 4.10 [2006-6-12]
o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of May 31, 2006.
Also added a couple unregistered OUI's (for QEMU and Bochs)
suggested by Robert Millan (rmh(a)aybabtu.com).
o Fixed a bug which could cause false "open" ports when doing a UDP
scan of localhost. This usually only happened when you scan tens of
thousands of ports (e.g. -p- option).
o Fixed a bug in service detection which could lead to a crash when
"--version-intensity 0" was used with a UDP scan. Thanks to Makoto
Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug
Hoyte for producing a patch.
o Made some AIX and HP-UX portability fixes to Libdnet and NmapFE.
These were sent in by Peter O'Gorman
(nmap-dev(a)mlists.thewrittenword.com).
o When you do a UDP+TCP scan, the TCP ports are now shown first (in
numerical order), followed by the UDP ports (also in order). This
contrasts with the old format which showed all ports together in
numerical order, regardless of protocol. This was at first a "bug",
but then I started thinking this behavior may be better. If you
have a preference for one format or the other, please post your
reasons to nmap-dev.
o Changed mass_dns system to print a warning if it can't find any
available DNS servers, but not quit like it used to. Thanks to Doug
Hoyte for the patch.
Nmap 4.04BETA1 [2006-5-31]
o Integrated all of your submissions (about a thousand) from the first
quarter of this year! Please keep 'em coming! The DB has increased
from 3,153 signatures representing 381 protocols in 4.03 to 3,441
signatures representing 401 protocols. No other tool comes close!
Many of the already existing match lines were improved too. Thanks
to Version Detection Czar Doug Hoyte for doing this.
o Nmap now allows multiple ignored port states. If a 65K-port scan
had, 64K filtered ports, 1K closed ports, and a few dozen open
ports, Nmap used to list the dozen open ones among a thousand lines
of closed ports. Now Nmap will give reports like "Not shown: 64330
filtered ports, 1000 closed ports" or "All 2051 scanned ports on
192.168.0.69 are closed (1051) or filtered (1000)", and omit all of
those ports from the table. Open ports are never ignored. XML
output can now have multiple [extraports] directive (one for each
ignored state). The number of ports in a single state before it is
consolidated defaults to 26 or more, though that number increases as
you add -v or -d options. With -d3 or higher, no ports will be
consolidated. The XML output should probably be augmented to give
the extraports directive 'ip', 'tcp', and 'udp' attributes which
specify the corresponding port numbers in the given state in the
same listing format as the nmaprun.scaninfo.services attribute, but
that part hasn't yet been implemented. If you absoultely need the
exact port numbers for each state in the XML, use -d3 for now.
o Nmap now ignores certain ICMP error message rate limiting (rather
than slowing down to accomidate it) in cases such as SYN scan where
an ICMP message and no response mean the same thing (port filtered).
This is currently only done at timing level Aggressive (-T4) or
higher, though we may make it the default if we don't hear problems
with it. In addition, the --defeat-rst-ratelimit option has been
added, which causes Nmap not to slow down to accomidate RST rate
limits when encountered. For a SYN scan, this may cause closed
ports to be labeled 'filtered' becuase Nmap refused to slow down
enough to correspond to the rate limiting. Learn more about this
new option at http://nmap.org/man/ . Thanks to Martin
Macok (martin.macok(a)underground.cz) for writing the patch that
these changes were based on.
o Moved my Nmap development environment to Visual C++ 2005 Express
edition. In typical "MS Upgrade Treadmill" fashion, Visual Studio
2003 users will no longer be able to compile Nmap using the new
solution files. The compilation, installation, and execution
instructions at http://nmap.org/install/inst-windows.html have been
upgraded.
o Automated my Windows build system so that I just have to type a
single make command in the mswin32 directory. Thanks to Scott
Worley (smw(a)pobox.com>, Shane & Jenny Walters
(yfisaqt(a)waltersinamerica.com), and Alex Prinsier
(aphexer(a)mailhaven.com) for reading my appeal in the 4.03
CHANGELOG and assisting.
o Changed the PortList class to use much more efficient data
structures and algorithms which take advantage of Nmap-specific
behavior patterns. Thanks to Marek Majkowski
(majek(a)forest.one.pl) for the patch.
o Fixed a bug which prevented certain TCP+UDP scan commands, such as
"nmap -sSU -p1-65535 localhost" from scanning both TCP and UDP.
Instead they gave the error message "WARNING: UDP scan was requested,
but no udp ports were specified. Skipping this scan type". Thanks to
Doug Hoyte for the patch.
o Nmap has traditionally required you to specify -T* timing options
before any more granular options like --max-rtt-timeout, otherwise the
general timing option would overwrite the value from your more
specific request. This has now been fixed so that the more specific
options always have precendence. Thanks to Doug Hoyte for this patch.
o Fixed a couple possible memory leaks reported by Ted Kremenek
(kremenek(a)cs.stanford.edu) from the Stanford University sofware
static analysis lab ("Checker" project).
o Nmap now prints a warning when you specify a target name which
resolves to multiple IP addresses. Nmap proceeds to scan only the
first of those addresses (as it always has done). Thanks to Doug
Hoyte for the patch. The warning looks like this:
Warning: Hostname google.com resolves to 3 IPs. Using 66.102.7.99.
o Disallow --host-timeout values of less than 1500ms, print a warning
for values less than 15s.
o Changed all instances of inet_aton() into calls to inet_pton()
instead. This allowed us to remove inet_aton.c from nbase. Thanks to
KX (kxmail(a)gmail.com) for the patch.
o When debugging (-d) is specified, Nmap now prints a report on the
timing variables in use. Thanks to Doug Hoyte for the patch. The
report loos like this:
---------- Timing report ----------
hostgroups: min 1, max 100000
rtt-timeouts: init 250, min 50, max 300
scan-delay: TCP 5, UDP 1000
parallelism: min 0, max 0
max-retries: 2, host-timeout 900000
-----------------------------------
o Modified the WinPcap installer file to explicitly uninstall an
existing WinPcap (if you select that you wish to replace it) rather
than just overwriting the old version. Thanks to Doug Hoyte for
making this change.
o Added some P2P application ports to the nmap-services file. Thanks
to Martin Macok for the patch.
o The write buffer length increased in 4.03 was increased even further
when the debugging or verbosity levels are more than 2 (e.g. -d3).
Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for the patch. The
goal is to prevent you from ever seeing the fatal error:
"log_vwrite: write buffer not large enough -- need to increase"
o Added a note to the Nmap configure dragon that people sick of him
can submit their own ASCII art to nmap-dev@insecure.org . If you
are wondering WTF I am talking about, it is probably because only
most elite Nmap users -- the ones who compile from source on UNIX --
get to see the 'l33t ASCII Art.
Nmap 4.03 [2006-4-22]
o Updated the LibPCRE build system to add the -fno-thread-jumps option
to gcc when compiling on the new Intel-based Apple Mac OS X systems.
Hopefully this resolves the version detection crashes that several
people have reported on such systems. Thanks to Kurt Grutzmacher
(grutz(a)jingojango.net) for sending the configure.ac patch.
o Made some portability fixes to keep Nmap compiling with the newest
Visual Studio 2005. Thanks to KX (kxmail(a)gmail.com) for
suggesting them.
o Service fingerprints are now provided in the XML output whenever
they would appear in the interactive output (i.e. when a service
response with data but is unrecognized). They are shown in a new
'servicefp' attribute to the 'service' tag. Thanks to Brandon Enright
(bmenrigh(a)ucsd.edu) for sending the patch.
o Improved the Windows build system -- mswin32/Makefile now takes care
of packaging Nmap and creating the installers once Visual Studio (GUI)
is done building the Release version of mswin32/nmap.sln. If someone
knows how to do this (build) step on the command line (using the
Makefile), please let me know. Or if you know how to at least make
'Release' (rather than Debug) the default configuration, that would be
valuable.
o WinPcap 3.1 binaries are now shipped in the Nmap tarball, along with
a customized installer written by Doug Hoyte. That new WinPcap
installer is now used by the Nmap self-installer (if you request
WinPcap installation). Some Nmap users were uncomfortable with a
"phone home" feature of the official WinPcap installer. It connects
back to CACE Technologies, ostensibly to display news and (more
recently) advertisements. Our new installer omits that feature, but
should be otherwise perfectly compatible with WinPcap 3.1.
o Fixed (I hope) a problem where aggressive --min-parallelization
option values could cause Nmap to quit with the message "box(300, 100,
15) called (min,max,num)". Thanks to Richard van den Berg
(richard.vandenberg(a)ins.com) for reporting the problem.
o Fixed a rare crash bug thanks to a report and patch from Ganga
Bhavani (GBhavani(a)everdreamcorp.com)
o Increased a write buffer length to keep Nmap from quitting with the
message "log_vwrite: write buffer not large enough -- need to
increase". Thanks to Dave (dmarcher(a)pobox.com) for reporting the
issue.
Nmap 4.02ALPHA2 [2006-3-8]
o Updated to a newer XSL stylesheet (for XML to HTML output
transformation) by Benjamin Erb. This new version includes IP
address sorting, removal of javascript requirements, some new
address, hostname, and Nmap version information, and various minor
tweaks and fixes.
o Cleaned up the Amiga port code to use atexit() rather than the
previous macro hack. Thanks to Kris Katterjohn (katterjohn(a)gmail.com)
for the patch. Applied maybe half a dozen new other code cleanup
patches from him as well.
o Made some changes to various Nmap initialization functions which
help ALT Linux (altlinux.org) and Owl (openwall.com) developers run
Nmap in a chroot environment. Thanks to Dmitry V. Levin
(ldv(a)altlinux.org) for the patch.
o Cleaned up the code a bit by making a bunch (nearly 100) global
symbols (mostly function calls) static. I was also able to removed
some unused functions and superfluous config.h.in defines. Thanks
to Dmitry V. Levin (ldv(a)altlinux.org) for sending a list of
candidate symbols.
o Nmap now tests for the existence of data files using stat(2) rather
than testing whether they can be opened for reading (with fopen).
This is because some device files (tape drives, etc.) may react badly
to being opened at all. Thanks to Dmitry V. Levin
(ldv(a)altlinux.org) for the suggestion.
o Changed Nmap to cache interface information rather than opening and
closing it (with dnet's eth_open and eth_close functions) all the
time.
o Applied a one-character Visual Studio 2005 compatibility patch from
kx (kxmail(a)gmail.com). It changed getch() into _getch() on Windows.
Nmap 4.02ALPHA1 [2006-3-13]
o Added the --log-errors option, which causes most warnings and error
messages that are printed to interactive-mode output (stdout/stderr)
to also be printed to the normal-format output file (if you
specified one). This will not work for most errors related to bad
command-line arguments, as Nmap may not have initialized its output
files yet. In addition, some Nmap error/warning messages use a
different system that does not yet support this option.
o Rewrote much of the Nmap results output functions to be more
efficient and support --log-errors.
o Fixed a flaw in the scan engine which could (in rare cases)
lead to a deadlock situation that prevents a scan from completing.
Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting
and helping to debug the problem.
o If the pcap_open_live() call (initiates sniffing) fails, Nmap now
tries up to two more times after waiting a little while. This is
attempt to work around a rare bug on Windows in which the
pcap_open_live() fails for unknown reasons.
o Fixed a flaw in the runtime interaction in which Nmap would include
hosts currently being scanned in the number of hosts "completed"
statistic.
o Fixed a crash in OS scan which could occur on Windows when a DHCP
lease issue causes the system to lose its IP address. Nmap still
quits, but at least it gives a proper error message now. Thanks to
Ganga Bhavani (GBhavani(a)everdreamcorp.com) for the patch.
o Applied more than half a dozen small code cleanup patches from
Kris Katterjohn (katterjohn(a)gmail.com).
o Modified the configure script to accept CXX when specified as an
absolute path rather than just the executable name. Thanks to
Daniel Roethlisberger (daniel(a)roe.ch) for this patch.
Nmap 4.01 [2006-2-9]
o Fixed a bug that would cause bogus reverse-DNS resolution on
big-endian machines. Thanks to Doug Hoyte, Seth Miller, Tony Doan,
and Andrew Lutomirsky for helping to debug and patch the problem.
o Fixed an important memory leak in the raw ethernet sending system.
Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for
identifying the bug and sending a patch.
o Fixed --system-dns option so that --system_dns works too. Error
messages were changed to reflect the former (preferred) name.
Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter
VanEeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for
reporting the problem.
o Fixed a crash which would report this message:
"NmapOutputTable.cc:143: void NmapOutputTable::addItem(unsigned int,
unsigned int, bool, const char*, int): Assertion `row < numRows'
failed." Thanks to Jake Schneider (Jake.Schneider(a)dynetics.com) for
reporting and helping to debug the problem.
o Whenever Nmap sends packets with the SYN bit set (except for OS
detection), it now includes the maximum segment size (MSS) tcp
option with a value of 1460. This makes it stand out less as almost
all hosts set at least this option. Thanks to Juergen Schmidt
(ju(a)heisec.de) for the suggestion.
o Applied a patch for a Windows interface reading bug in the aDNS
subsystem from Doug Hoyte.
o Minor changes to recognize DragonFly BSD in configure
scripts. Thanks to Joerg Sonnenberger (joerg(a)britannica.bec.de)
for sending the patch.
o Fixed a minor bug in an error message starting with "eth_send of ARP
packet returned". Thanks to J.W. Hoogervorst
(J.W.Hoogervorst(a)uva.nl) for finding this.
Nmap 4.00 [2006-1-31]
o Added the '?' command to the runtime interaction system. It prints a
list of accepted commands. Thanks to Andrew Lutomirski
(luto(a)myrealbox.com) for the patch.
o See the announcement at
http://www.insecure.org/stf/Nmap-4.00-Release.html for high-level
changes since 3.50.
Nmap 3.9999 [2006-1-28]
o Generated a new libpcre/configure to cope with changes in LibPCRE
6.4
o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt)
o Updated nmap-protocols with the latest IEEE internet protocols
assignments (http://www.iana.org/assignments/protocol-numbers).
o Updated the Nmap version number and related fields that MS Visual
Studio places in the binary. This was done by editing
mswin32/nmap.rc.
Nmap 3.999 [2006-1-26]
o Added runtime interaction support to Windows, thanks to patches from
Andrew Lutomirski (luto(a)myrealbox.com) and Gisle Vanem (giva(a)bgnett.no).
o Changed a couple lines of tcpip.cc (put certain IP header fields in
host byte order rather than NBO) to (hopefully) support Mac OS X on
Intel. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for the
patch.
o Upgraded the included LibPCRE from version 6.3 to 6.4. There was a
report of version detection crashes on the new Intel-based MACs with
6.3.
o Fixed an issue in which the installer would malfunction in rare
issues when installing to a directory with spaces in it. Thanks to
Thierry Zoller (Thierry(a)Zoller.lu) for the report.
Nmap 3.99 [2006-1-25]
o Integrated all remaining 2005 service submissions. The DB now has
surpassed 3,000 signatures for the first time. There now are 3,153
signatures for 381 service protocols. Those protocols span the
gamut from abc, acap, afp, and afs to zebedee, zebra, and
zenimaging. It even covers obscure protocols such as http, ftp,
smtp, and ssh :). Thanks to Version Detection Czar Doug Hoyte for
his excellent work on this.
o Created a Windows executable installer using the open source NSIS
(Nullsoft Scriptable Install System). It handles Pcap installation,
registry performance changes, and adding Nmap to your cmd.exe
executable path. The installer source files are in mswin32/nsis/ .
Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for
creating the initial version.
o Fixed a backward compatibility bug in which Nmap didn't recognize
the --min_rtt_timeout option (it only recognized the newly
hyphenated --min-rtt-timeout). Thanks to Joshua D. Abraham
(jabra(a)ccs.neu.edu) for the bug report.
o Fixed compilation to again work with gcc-derivatives such as
MingW. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending the
patches
Nmap 3.98BETA1 [2006-1-22]
o Added run time interaction as documented at
http://nmap.org/man/man-runtime-interaction.html .
While Nmap is running, you can now press 'v' to increase verbosity,
'd' to increase the debugging level, 'p' to enable packet tracing,
or the capital versions (V,D,P) to do the opposite. Any other key
(such as enter) will print out a status message giving the estimated
time until scan completion. This only works on UNIX for now. Do we
have any volunteers to add Windows support? You would need to
change a handful of UNIX-specific termio calls with the Windows
equivalents. This feature was created by Paul Tarjan
(ptarjan(a)stanford.edu) as part of the Google Summer of Code.
o Reverse DNS resolution is now done in parallel rather than one at a
time. All scans of large networks (particularly list, ping and
just-a-few-ports scans) should benefit substantially from this
change. If you encounter any problems, please let us know. The new
--system_dns option was added so you can use the (slow) system
resolver if you prefer that for some reason. You can specify a
comma separated list of DNS server IP addresses for Nmap to use with
the new --dns_servers option. Otherwise, Nmap looks in
/etc/resolve.conf (UNIX) or the system registry (Windows) to obtain
the nameservers already configured for your system. This excellent
patch was written by Doug Hoyte (doug(a)hcsw.org).
o Added the --badsum option, which causes Nmap to use invalid TCP or
UDP checksums for packets sent to target hosts. Since virtually all
host IP stacks properly drop these packets, any responses received
are likely coming from a firewall or IDS that didn't bother to
verify the checksum. For more details on this technique, see
http://www.phrack.org/phrack/60/p60-0x0c.txt . The author of that
paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch
(which I changed it a bit).
o The 26 Nmap commands that previously included an underscore
(--max_rtt_timeout, --send_eth, --host_timeout, etc.) have been
renamed to use a hyphen in the preferred format
(i.e. --max-rtt-timeout). Underscores are still supported for
backward compatibility.
o More excellent NmapFE patches from Priit Laes (amd(a)store20.com)
were applied to remove all deprecated GTK API calls. This also
eliminates the annoying Gtk-Critical and Gtk-WARNING runtime messages.
o Changed the way the __attribute__ compiler extension is detected so
that it works with the latest Fedora Core 4 updates (and perhaps other
systems). Thanks to Duilio Protti (dprotti(a)fceia.unr.edu.ar) for
writing the patch. The compilation error message this fixes was
usually something like: "nmap.o(.rodata+0x17c): undefined reference
to `__gthrw_pthread_cancel(unsigned long)"
o Added some exception handling code to mswin32/winfix.cc to prevent
Nmap from crashing mysteriously when you have WinPcap 3.0 or earlier
(instead of the required 3.1). It now prints an error message instead
asking you to upgrade, then reduces functionality to connect()-only
mode. I couldn't get it working with the C++ standard try/catch()
blocks, but as soon as I used the nonstandard MS conventions
(__try/__except(), everything worked fine. Shrug.
o Stripped the firewall API out of the libdnet included with Nmap
because Nmap doesn't use it anyway. This saves space and reduces the
likelihood of compilation errors and warnings.
o Modified the previously useless --noninteractive option so that it
deactivates runtime interaction.
Nmap 3.96BETA1 [2005-12-29]
o Added --max_retries option for capping the maximum number of
retransmissions the port scan engine will do. The value may be as low
as 0 (no retransmits). A low value can increase speed, though at the
risk of losing accuracy. The -T4 option now allows up to 6 retries,
and -T5 allows 2. Thanks to Martin Macok
(martin.macok(a)underground.cz) for writing the initial patch, which I
changed quite a bit. I also updated the docs to reflect this neat
new option.
o Many of the Nmap low-level timing options take a value in
milliseconds. You can now append an 's', 'm', or 'h' to the value
to give it in seconds, minutes, or hours instead. So you can specify a
45 minute host timeout with --host_timeout 45m rather than specifying
--host_timeout 2700000 and hoping you did the math right and have the
correct number of zeros. This also now works for the
--min_rtt_timeout, --max_rtt_timeout, --initial_rtt_timeout,
--scan_delay, and --max_scan_delay options.
o Improved the NmapFE port to GTK2 so it better-conforms to the new
API and you don't get as many annoying messages in your terminal
window. GTK2 is prettier and more functional too. Thanks to Priit
Laes (amd(a)store20.com) for writing these
excellent patches.
o Fixed a problem which led to the error message "Failed to determine
dst MAC address for target" when you try to run Nmap using a
dialup/PPP adapter on Windows rather than a real ethernet card. Due
to Microsoft breaking raw sockets, Nmap no longer supports dialup
adapters, but it should now give you a clearer error message than
the "dst MAC address" nonsense.
o Debian GNU/kFreeBSD is now supported thanks to a patch to libdnet's
configure.in by Petr Salinger (Petr.Salinger(a)t-systems.cz).
o Tried to update to the latest autoconf only to find that there
hasn't been a new version in more than two years :(. I was able to
find new config.sub and config.guess files at
http://cvs.savannah.gnu.org/viewcvs/config/config/ , so I updated to
those.
o Fixed a problem with the -e option when run on Windows (or UNIX with
--send_eth) when run on an ethernet network against an external
(routed) host. You would get the message "NmapArpCache() can only
take IPv4 addresses. Sorry". Thanks to KX (kxmail(a)gmail.com) for
helping to track down the problem.
o Made some changes to allow source port zero scans (-g0). Nmap used
to refuse to do this, but now it just gives a warning that it may not
work on all systems. It seems to work fine on my Linux box. Thanks
to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.
o Made a change to libdnet so that Windows interfaces are listed as
down if they are disconnected, unplugged, or otherwise unavailable.
o Ceased including foreign translations in the Nmap tarball as they
take up too much space. HTML versions can be found at
http://nmap.org/docs.html , while XML and NROFF versions
are available from http://nmap.org/data/man-xlate/ .
o Changed INSTALL and README-WIN32 files to mostly just reference the
new Nmap Install Guide at http://nmap.org/install/ .
o Included docs/nmap-man.xml in the tarball distribution, which is the
DocBook XML source for the Nmap man page. Patches to Nmap that are
user-visible should include patches to the man page XML source rather
than to the generated Nroff.
o Fixed Nmap so it doesn't crash when you ask it to resume a previous
scan, but pass in a bogus file rather than actual Nmap output. Thanks
to Piotr Sobolewski (piotr_sobolewski(a)o2.pl) for the fix.
Nmap 3.95 [2005-12-8]
o Fixed a crash in IPID Idle scan. Thanks to Ron
(iago(a)valhallalegends.com>, Bakeman (bakeman(a)physics.unr.edu),
and others for reporting the problem.
o Fixed an inefficiency in RPC scan that could slow things down and
also sometimes resulted in the spurious warning message: "Unable to
find listening socket in get_rpc_results"
o Fixed a 3.94ALPHA3 bug that caused UDP scan results to be listed as
TCP ports instead. Thanks to Justin M Cacak (jcacak(a)nebraska.edu)
for reporting the problem.
Nmap 3.94ALPHA3 [2005-12-6]
o Updated NmapFE to build with GTK2 rather than obsolete GTK1. Thanks
to Mike Basinger (dbasinge(a)speakeasy.net) and Meethune Bhowmick
(meethune(a)oss-institute.org) for developing the
patch. I made some changes as well to prevent compilation warnings.
The new NmapFE now seems to work, though I do get "Gtk-CRITICAL"
assertion error messages. If someone has time to look into this, that
would be appreciated.
o Fixed a compilation problem on Mac OS X and perhaps other platforms
with a one-line fix to scan_engine.cc. Thanks to Felix Gröbert
(felix(a)groebert.org) for notifying me of the problem.
o Fixed a problem that prevented the command "nmap -sT -PT [targets]"
from working from a non-privileged user account. The -PT option
doesn't change default behavior in this case, but Nmap should (and now
does) allow it.
o Applied another VS 2005 compatibility patch from KX (kxmail(a)gmail.com).
o Define INET_ADDRSTRLEN in tcpip.h if the system doesn't define it
for us. This apparently aids compilation on Solaris 2.6 and 7.
Thanks to Albert Chin (nmap-hackers(a)mlists.thewrittenword.com) for
sending the patch..
Nmap 3.94ALPHA2 [2005-12-4]
o Put Nmap on a diet, with changes to the core port scanning routine
(ultra_scan) to substantially reduce memory consumption, particularly
when tens of thousands of ports are scanned.
o Fixed a problem with the -S and option on Windows reporting "Failed
to resolve/decode supposed IPv4 source address". The -D (decoy)
option was probably broken on that platform too. Thanks to KX
(kxmail(a)gmail.com) for reporting the problem and tracking down a
potential solution.
o Better handle ICMP type 3, code 0 (network unreachable) responses to
port scan packets. These are rarely seen when scanning hosts that
are actually online, but are still worth handling.
o Applied some small fixes so that Nmap compiles with Visual C++
2005 Express, which is free from Microsoft at
http://msdn.microsoft.com/vstudio/express/visualc/ . Thanks to KX
(kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com)
o Removed foreign translations of the old man page from the
distribution. Included the following contributed translations
(nroff format) of the new man page:
Brazilian Portuguese by Lucien Raven (lucienraven(a)yahoo.com.br)
Portuguese (Portugal) by José Domingos (jd_pt(a)yahoo.com) and
Andreia Gaita (shana.ufie(a)gmail.com).
o Added --thc option (undocumented)
o Modified libdnet-stripped/src/eth-bsd.c to allow for up to 128 bpf
devices rather than 32. This prevents errors like "Failed to open
ethernet interface (fxp0)" when there are more than 32 interface
aliases. Thanks to Krok (krok(a)void.ru) for reporting the problem
and even sending a patch.
Nmap 3.94ALPHA1 [2005-11-27]
o Wrote a new man page from scratch. It is much more comprehensive
(more than twice as long) and (IMHO) better organized than the
previous one. Read it online at http://nmap.org/man/
or docs/nmap.1 from the Nmap distribution. Let me know if you have
any ideas for improving it.
o Wrote a new "help screen", which you get when running Nmap without
arguments. It is also reproduced in the man page and at
http://nmap.org/data/nmap.usage.txt . I gave up trying
to fit it within a 25-line, 80-column terminal window. It is now 78
lines and summarizes all but the most obscure Nmap options.
o Version detection softmatches (when Nmap determines the service
protocol such as smtp but isn't able to determine the app name such as
Postfix) can now parse out the normal match line fields such as
hostname, device type, and extra info. For example, we may not know
what vendor created an sshd, but we can still parse out the protocol
number. This was a patch from Doug Hoyte (doug(a)hcsw.org).
o Fixed a problem which caused UDP version scanning to fail to print
the matched service. Thanks to Martin Macok
(martin.macok(a)underground.cz) for reporting the problem and Doug
Hoyte (doug(a)hcsw.org) for fixing it.
o Made the version detection "ports" directive (in
nmap-service-probes) more comprehensive. This should speed up scans a
bit. The patch was done by Doug Hoyte (doug(a)hcsw.org).
o Added the --webxml option, which does the same thing as
--stylesheet http://nmap.org/data/nmap.xsl , without
requiring you to remember the exact URL or type that whole thing.
o Fixed a crash occurred when the --exclude option was used with
netmasks on certain platforms. Thanks to Adam
(nmapuser(a)globalmegahost.com) for reporting the problem and to
Greg Darke (starstuff(a)optusnet.com.au) for sending a patch (I
modified the patch a bit to make it more efficient).
o Fixed a problem with the -S and -e options (spoof/set
source address, and set interface by name, respectively). The problem
report and a partial patch were sent by Richard Birkett
(richard(a)musicbox.net).
o Fixed a possible aliasing problem in tcpip.cc by applying a patch sent in by
Gwenole Beauchesne (gbeauchesne(a)mandriva.com). This problem
shouldn't have had any effect on users since we already include the
-fno-strict-aliasing option whenever gcc 4 is detected, but it
brings us closer to being able to remove that option.
o Fixed a bug that caused Nmap to crash if an nmap-service-probes file
was used which didn't contain the Exclude directive.
o Fixed a bunch of typos and misspellings throughout the Nmap source
code (mostly in comments). This was a 625-line patch by Saint Xavier
(skyxav(a)skynet.be).
o Nmap now accepts target list files in Windows end-of-line format (\r\n)
as well as standard UNIX format (\n) on all platforms. Passing a
Windows style file to Nmap on UNIX didn't work before unless you ran
dos2unix first.
o Removed Identd scan support from NmapFE since Nmap no longer
supports it. Thanks to Jonathan Dieter (jdieter99(a)gmx.net) for the
patch.
o Integrated all of the September version detection fingerprint
submissions. This was done by Version Detection Czar Doug Hoyte
(doug(a)hcsw.org) and resulted in 86 new match lines. Please keep
those submissions coming!
o Fixed a divide-by-zero crash when you specify rather bogus
command-line arguments (a TCP scan with zero tcp ports). Thanks to
Bart Dopheide (dopheide(a)fmf.nl) for identifying the problem and
sending a patch.
o Fixed a minor syntax error in tcpip.h that was causing problems with
GCC 4.1. Thanks to Dirk Mueller (dmuell(a)gmx.net) for reporting
the problem and sending a fix.
Nmap 3.93 [2005-9-12]
o Modified Libpcap's configure.ac to compile with the
-fno-strict-aliasing option if gcc 4.X is used. This prevents
crashes when said compiler is used. This was done for Nmap in 3.90, but is
apparently needed for pcap too. Thanks to Craig Humphrey
(Craig.Humphrey(a)chapmantripp.com) for the discovery.
o Patched libdnet to include sys/uio.h in src/tun-linux.c. This is
apparently necessary on some Glibc 2.1 systems. Thanks to Rob Foehl
(rwf(a)loonybin.net) for the patch.
o Fixed a crash which could occur when a ridiculously short
--host_timeout was specified on Windows (or on UNIX if --send_eth was
specified). Nmap now also prints a warning if you specify a
host_timeout of less than 1 second. Thanks to Ole Morten Grodaas
(grodaas(a)gmail.com) for discovering the problem.
Nmap 3.91 [2005-9-11]
o Fixed a crash on Windows when you -P0 scan an unused IP on a local
network (or a range that contains unused IPs). This could also
happen on UNIX if you specified the new --send_eth option. Thanks
to Jim Carras (JFCECL(a)engr.psu.edu) for reporting the problem.
o Fixed compilation on OpenBSD by applying a patch from Okan Demirmen
(okan(a)demirmen.com), who maintains Nmap in the OpenBSD Ports
collection.
o Updated nmap-mac-prefixes to include OUIs assigned by the IEEE since
April.
o Updated the included libpcre (used for version detection) from
version 4.3 to 6.3. A libpcre security issue was fixed in 6.3, but
that issue never affected Nmap.
o Updated the included libpcap from 0.8.3 to 0.9.3. I also changed
the directory name in the Nmap tarball from libpcap-possiblymodified
to just libpcap. As usual, the modifications are described in the
NMAP_MODIFICATIONS in that directory.
Nmap 3.90 [2005-9-8]
o Added the ability for Nmap to send and properly route raw ethernet
packets containing IP datagrams rather than always sending the
packets via raw sockets. This is particularly useful for Windows,
since Microsoft has disabled raw socket support in XP for no good
reason. Nmap tries to choose the best method at runtime based on
platform, though you can override it with the new --send_eth and
--send_ip options.
o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
determine whether hosts on a LAN are up, rather than relying on
higher-level IP packets (which can only be sent after a successful
ARP request and reply anyway). This is much faster and more
reliable (not subject to IP-level firewalling) than IP-based probes.
The downside is that it only works when the target machine is on the
same LAN as the scanning machine. It is now used automatically for
any hosts that are detected to be on a local ethernet network,
unless --send_ip was specified. Example usage: nmap -sP -PR
192.168.0.0/16 .
o Added the --spoof_mac option, which asks Nmap to use the given MAC
address for all of the raw ethernet frames it sends. The MAC given
can take several formats. If it is simply the string "0", Nmap
chooses a completely random MAC for the session. If the given
string is an even number of hex digits (with the pairs optionally
separated by a colon), Nmap will use those as the MAC. If less than
12 hex digits are provided, Nmap fills in the remainder of the 6
bytes with random values. If the argument isn't a 0 or hex string,
Nmap looks through the nmap-mac-prefixes to find a vendor name
containing the given string (it is case insensitive). If a match is
found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
remaining 3 bytes randomly. Valid --spoof_mac argument examples are
"Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
"Cisco".
o Applied an enormous nmap-service-probes (version detection) update
from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had
1064 match lines covering 195 service protocols. Now we have 2865
match lines covering 359 protocols! So the database size has nearly
tripled! This should make your -sV scans quicker and more
accurate. Thanks also go to the (literally) thousands of you who
submitted service fingerprints. Keep them coming!
o Applied a massive OS fingerprint update from Zhao Lei
(zhaolei(a)gmail.com). About 350 fingerprints were added, and many
more were updated. Notable additions include Mac OS X 10.4 (Tiger),
OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
with a new "robotic pet" device type category), the latest Linux 2.6
kernels Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
3.8.X, and Solaris 10. Of course there are also tons of new
broadband routers, printers, WAPs and pretty much any other device
you can coax an ethernet cable (or wireless card) into!
o Added 'leet ASCII art to the configurator! ARTIST NOTE: If you think
the ASCII art sucks, feel free to send me alternatives. Note that
only people compiling the UNIX source code get this. (ASCII artist
unknown).
o Added OS, device type, and hostname detection using the service
detection framework. Many services print a hostname, which may be
different than DNS. The services often give more away as well. If
Nmap detects IIS, it reports an OS family of "Windows". If it sees
HP JetDirect telnetd, it reports a device type of "printer". Rather
than try to combine TCP/IP stack fingerprinting and service OS
fingerprinting, they are both printed. After all, they could
legitimately be different. An IP that gives a stack fingerprint
match of "Linksys WRT54G broadband router" and a service fingerprint
of Windows based on Kazaa running is likely a common NAT setup rather
than an Nmap mistake.
o Nmap on Windows now compiles/links with the new WinPcap 3.1
header/lib files. So please upgrade to 3.1 from
http://www.winpcap.org before installing this version of Nmap.
While older versions may still work, they aren't supported with Nmap.
o The official Nmap RPM files are now compiled statically for better
compatibility with other systems. X86_64 (AMD Athlon64/Opteron)
binaries are now available in addition to the standard i386. NmapFE
RPMs are no longer distributed by Insecure.Org.
o Nmap distribution signing has changed. Release files are now signed
with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also
generated a new key for himself (KeyID 33599B5F). The Nmap key has
been signed by Fyodor's new key, which has been signed by Fyodor's
old key so that you know they are legit. The new keys are available
at http://nmap.org/data/nmap_gpgkeys.txt , as
docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
keyserver network. Here are the fingerprints:
pub 1024D/33599B5F 2005-04-24
Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
uid Fyodor <fyodor@insecure.org>
sub 2048g/D3C2241C 2005-04-24
pub 1024D/6B9355D0 2005-04-24
Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
uid Nmap Project Signing Key (http://www.insecure.org/)
sub 2048g/A50A6A94 2005-04-24
o Fixed a crash problem related to non-portable varargs (vsnprintf)
usage. Reports of this crash came from Alan William Somers
(somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
This patch was prevalent on Linux boxes running an Opteron/Athlon64
CPU in 64-bit mode.
o Fixed crash when Nmap is compiled using gcc 4.X by adding the
-fno-strict-aliasing option when that compiler is detected. Thanks
to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
this option fixes (hides) the problem and to Duilio J. Protti
(dprotti(a)flowgate.net) for writing the configure patch to detect
gcc 4 and add the option. A better fix is to identify and rewrite
lines that violate C99 alias rules, and we are looking into that.
o Added "rarity" feature to Nmap version detection. This causes
obscure probes to be skipped when they are unlikely to help. Each
probe now has a "rarity" value. Probes that detect dozens of
services such as GenericLines and GetRequest have rarity values of
1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
When interrogating a port, Nmap always tries probes registered to
that port number. So even WWWOFFLEctrlstat will be tried against
port 8081 and mydoom will be tried against open ports between 3127
and 3198. If none of the registered ports find a match, Nmap tries
probes that have a rarity less than or equal to its current
intensity level. The intensity level defaults to 7 (so that most of
the probes are done). You can set the intensity level with the new
--version_intensity option. Alternatively, you can just use
--version_light or --version_all which set the intensity to 2 (only
try the most important probes and ones registered to the port
number) and 9 (try all probes), respectively. --version_light is
much faster than default version detection, but also a bit less
likely to find a match. This feature was designed and implemented
by Doug Hoyte (doug(a)hcsw.org).
o Added a "fallback" feature to the nmap-service-probes database.
This allows a probe to "inherit" match lines from other probes. It
is currently only used for the HTTPOptions, RTSPRequest, and
SSLSessionReq probes to inherit all of the match lines from
GetRequest. Some servers don't respond to the Nmap GetRequest (for
example because it doesn't include a Host: line) but they do respond
to some of those other 3 probes in ways that GetRequest match lines
are general enough to match. The fallback construct allows us to
benefit from these matches without repeating hundreds of signatures
in the file. This is another feature designed and implemented
by Doug Hoyte (doug(a)hcsw.org).
o Fixed crash with certain --excludefile or
--exclude arguments. Thanks to Kurt Grutzmacher
(grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for
reporting the problem, and to Duilio J. Protti
(dprotti(a)flowgate.net) for debugging the issue and sending the
patch.
o Updated random scan (ip_is_reserved()) to reflect the latest IANA
assignments. This patch was sent in by Felix Groebert
(felix(a)groebert.org).
o Included new Russian man page translation by
locco_bozi(a)Safe-mail.net
o Applied patch from Steve Martin (smartin(a)stillsecure.com) which
standardizes many OS names and corrects typos in nmap-os-fingerprints.
o Fixed a crash found during certain UDP version scans. The crash was
discovered and reported by Ron (iago(a)valhallalegends.com) and fixed
by Doug Hoyte (doug(a)hcsw.com).
o Added --iflist argument which prints a list of system interfaces and
routes detected by Nmap.
o Fixed a protocol scan (-sO) problem which led to the error message:
"Error compiling our pcap filter: syntax error". Thanks to Michel
Arboi (michel(a)arboi.fr.eu.org) for reporting the problem.
o Fixed an Nmap version detection crash on Windows which led to the
error message "Unexpected error in NSE_TYPE_READ callback. Error
code: 10053 (Unknown error)". Thanks to Srivatsan
(srivatsanp(a)adventnet.com) for reporting the problem.
o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers
(TSellers(a)trustmark.com).
o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make
Nmap compile with Cygwin.
o XML "osmatch" element now has a "line" attribute giving the
reference fingerprint line number in nmap-os-fingerprints.
o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
(mueller(a)kde.org) to nmap-service-probes. Also added AFS version
probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And
even more probes and matches from Martin Macok
(martin.macok(a)underground.cz)
o Fixed a problem where Nmap compilation would use header files from
the libpcap included with Nmap even when it was linking to a system
libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan
Demirmen (okan(a)demirmen.com) for reporting the problem.
o Added configure option --with-libpcap=included to tell Nmap to use
the version of libpcap it ships with rather than any that may already be
installed on the system. You can still use --with-libpcap=[dir] to
specify that a system libpcap be installed rather than the shipped
one. By default, Nmap looks at both and decides which one is likely
to work best. If you are having problems on Solaris, try
--with-libpcap=included .
o Changed the --no-stylesheet option to --no_stylesheet to be
consistent with all of the other Nmap options. Though I'm starting to
like hyphens a bit better than underscores and may change all of the
options to use hyphens instead at some point.
o Added "Exclude" directive to nmap-service-probes grammar which
causes version detection to skip listed ports. This is helpful for
ports such as 9100. Some printers simply print any data sent to
that port, leading to pages of HTTP requests, SMB queries, X Windows
probes, etc. If you really want to scan all ports, specify
--allports. This patch came from Doug Hoyte (doug(a)hcsw.org).
o Added a stripped-down and heavily modified version of Dug Song's
libdnet networking library (v. 1.10). This helps with the new raw
ethernet features. My (extensive) changes are described in
libdnet-stripped/NMAP_MODIFICATIONS
o Removed WinIP library (and all Windows raw sockets code) since MS
has gone and broken raw sockets. Maybe packet receipt via raw
sockets will come back at some point. As part of this removal, the
Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
--win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
and --win_trace options have been removed.
o Changed the interesting ports array from a 65K-member array of
pointers into an STL list. This noticeable reduces memory usage in
some cases, and should also give a slight runtime performance
boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).
o Removed the BSDFIX/BSDUFIX macros. The underlying bug in
FreeBSD/NetBSD is still there though. When an IP packet is sent
through a raw socket, these platforms require the total length and
fragmentation offset fields of an IP packet to be in host byte order
rather than network byte order, even though all the other fields
must be in NBO. I believe that OpenBSD fixed this a while back.
Other platforms, such as Linux, Solaris, Mac OS X, and Windows take
all of the fields in network byte order. While I removed the macro,
I still do the munging where required so that Nmap still works on
FreeBSD.
o Integrated many nmap-service-probes changes from Bo Jiang
(jiangbo(a)brandeis.edu)
o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
(eilon(a)aristo.tau.ac.il)
o Added some new RPC services to nmap-rpc thanks to a patch from
vlad902 (vlad902(a)gmail.com).
o Fixed a bug where Nmap would quit on Windows whenever it encountered
a raw scan of localhost (including the local ethernet interface
address), even when that was just one address out of a whole network
being scanned. Now Nmap just warns that it is skipping raw scans when
it encounters the local IP, but continues on to scan the rest of the
network. Raw scans do not currently work against local IP addresses
because Winpcap doesn't support reading/writing localhost interfaces
due to limitations of Windows.
o The OS fingerprint is now provided in XML output if debugging is
enabled (-d) or verbosity is at least 2 (-v -v). This patch was
sent by Okan Demirmen (okan(a)demirmen.com)
o Fixed the way tcp connect scan (-sT) response to ICMP network
unreachable responses (patch by Richard Moore
(rich(a)westpoint.ltd.uk).
o Update random host scan (-iR) to support the latest IANA-allocated
ranges, thanks to patch by Chad Loder (cloder(a)loder.us).
o Updated GNU shtool (a helper program used during 'make install' to
version 2.0.2, which fixes a predictable temporary filename
weakness discovered by Eric Raymond.
o Removed addport element from XML DTD, since it is no longer used
(suggested by Lionel Cons (lionel.cons(a)cern.ch)
o Added new --privileged command-line option and NMAP_PRIVILEGED
environmental variable. Either of these tell Nmap to assume that
the user has full privileges to execute raw packet scans, OS
detection and the like. This can be useful when Linux kernel
capabilities or other systems are used that allow non-root users to
perform raw packet or ethernet frame manipulation. Without this
flag or variable set, Nmap bails on UNIX if geteuid() is
nonzero.
o Changed the RPM spec file so that if you define "static" to 1 (by
passing --define "static 1" to rpmbuild), static binaries are built.
o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon
Burr (simes(a)bpfh.net).
o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
any TCP scans in which the initial probe packet has the ACK flag set.
This would be the ACK, Xmas, Maimon, and Window scans.
o Updated the Nmap version number, description, and similar fields
that MS Visual Studio places in the binary. This was done by editing
mswin32/nmap.rc as suggested by Chris Paget (chrisp(a)ngssoftware.com)
o Fixed Nmap compilation on DragonFly BSD (and perhaps some other
systems) by applying a short patch by Joerg Sonnenberger which omits
the declaration of errno if it is a #define.
o Fixed an integer overflow that prevented Nmap from scanning
2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem
noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
are now possible, don't expect them to finish during your bathroom
break. No matter how constipated you are.
o Increased the buffer size allocated for fingerprints to prevent Nmap
from running out and quitting (error message: "Assertion
`servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz
(mhatz(a)blackcat.com) for the report. [ Actually this was done in a
previous version, but I forgot which one ]
o Changed from CVS to Subversion source control system (which
rocks!). Neither repository is public (I'm paranoid because both CVS
and SVN have had remotely exploitable security holes), so the main
change users will see is that "Id" tags in file headers use the SVN
format for version numbering and such.
Nmap 3.81 [2005-2-7]
o Nmap now ships with and installs (in the same directory as other
data files such as nmap-os-fingerprints) an XSL stylesheet for
rendering the XML output as HTML. This stylesheet was written by
Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples).
It supports tables, version detection, color-coded port states, and
more. The XML output has been augmented to include an
xml-stylesheet directive pointing to nmap.xsl on the local
filesystem. You can point to a different XSL file by providing the
filename or URL to the new --stylesheet argument. Omit the
xml-stylesheet directive entirely by specifying --no-stylesheet.
The XML to HTML conversion can be done with an XSLT processor such
as Saxon, Sablot, or Xalan, but modern browsers can do this on the
fly -- simply load the XML output file in IE or Firefox. Some
features don't currently work with Firefox's on-the-fly rendering.
Perhaps some Mozilla wizard can fix that in either the XSL or the
browser itself. I hate having things work better in IE :). It is
often more convenient to have the stylesheet loaded from a URL
rather than the local filesystem, allowing the XML to be rendered on
any machine regardless of whether/where the XSL is installed. For
privacy reasons (avoid loading of an external URL when you view
results), Nmap uses the local filesystem by default. If you would
like the latest version of the stylesheet loaded from the web when
rendering, specify --stylesheet http://nmap.org/data/nmap.xsl .
o Fixed fragmentation option (-f). One -f now sets sends fragments
with just 8 bytes after the IP header, while -ff sends 16 bytes to
reduce the number of fragments needed. You can specify your own
fragmentation offset (must be a multiple of 8) with the new --mtu
flag. Don't also specify -f if you use --mtu. Remember that some
systems (such as Linux with connection tracking) will defragment in
the kernel anyway -- so test first while sniffing with ethereal.
These changes are from a patch by Martin Macok
(martin.macok(a)underground.cz).
o Nmap now prints the number (and total bytes) of raw IP packets sent
and received when it completes, if verbose mode (-v) is enabled. The
report looks like:
Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds
Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)
o Fixed (I hope) an error which would cause the Windows version of
Nmap to abort under some circumstances with the error message
"Unexpected error in NSE_TYPE_READ callback. Error code: 10053
(Unknown error)". Problem reported by "Tony Golding"
(biz(a)tonygolding.com).
o Added new "closed|filtered" state. This is used for Idle scan, since
that scan method can't distinguish between those two states. Nmap
previously just used "closed", but this is more accurate.
o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
instead of "open" when they fail to receive any response from the
target port. After all, it could just as easily be filtered as open.
This is the same change that was made to UDP scan in 3.70. Also as
with UDP scan, adding version detection (-sV) will change the state
from open|filtered to open if it confirms that they really are open.
o Fixed a bug in ACK scan that could cause Nmap to crash with the
message "Unexpected port state: 6" in some cases. Thanks to Glyn
Geoghegan (glyng(a)corsaire.com) for reporting the problem.
o Change IP protocol scan (-sO) so that a response from the target
host in any protocol at all will prove that protocol is open. As
before, no response means "open|filtered", an ICMP protocol
unreachable means "closed", and most other ICMP error messages mean
"filtered".
o Patched a libpcap issue that prevented read timeouts from being
honored on Solaris (thus slowing down Nmap substantially). The
problem report and patch were sent in by Ben Harris
(bjh21(a)cam.ac.uk).
o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
UDP headers when scanning protocols 1, 6, and 17, respectively. An
empty IP header is still sent for all other protocols. This should
prevent the error messages such as "sendto in send_ip_packet:
sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not
permitted" that Linux (and perhaps other systems) would give when
they try to interpret the raw packet. This also makes it more
likely that these protocols will elicit a response, proving that the
protocol is "open".
o The windows build now uses header and static library files from
Winpcap 3.1Beta4. It also now prints out the DLL version you are
using when run with -d. I would recommend upgrading to 3.1Beta4 if
you have an older Winpcap installed.
o Nmap now prints a warning message on Windows if Winpcap is not found
(it then reverts to raw sockets mode if available, as usual).
o Added an NTP probe and matches to the version detection database
(nmap-service-probes) thanks to a submission from Martin
Macok (martin.macok(a)underground.cz).
o Applied several Nmap service detection database updates sent in by
Martin Macok (martin.macok(a)underground.cz).
o The XML nmaprun element now has a startstr attribute which gives the
human readable calendar time format that a scan started. Similarly
the finished element now has a timestr attribute describing when the
scan finished. These are in addition to the existing nmaprun/start
and finished/time attributes that provided the start and finish time
in UNIX time_t notation. This should help in development of
XSLT stylesheets for Nmap XML output.
o Fixed a memory leak that would generally consume several hundred
bytes per down host scanned. While the effect for most scans is
negligible, it was overwhelming when Scott Carlson
(Scott.Carlson(a)schwab.com) tried to scan 16.8 million IPs
(10.0.0.0/8). Thanks to him for reporting the problem. Also thanks
to Valgrind ( http://valgrind.kde.org ) for making it easy to debug.
o Fixed a crash on Windows systems that don't include the iphlpapi
DLL. This affects Win95 and perhaps other variants. Thanks to Ganga
Bhavani (GBhavani(a)everdreamcorp.com) for reporting the problem and
sending the patch.
o Ensured that the device type, os vendor, and os family OS
fingerprinting classification values are scrubbed for XML compliance
in the XML output. Thanks to Matthieu Verbert
(mve(a)zurich.ibm.com) for reporting the problem and sending a patch.
o Rewrote the host IP (target specification) parser for easier
maintenance and to fix a bug found by Netris (netris(a)ok.kz)
o Changed to Nmap XML DTD to use the same xmloutputversion (1.01) as
newer versions of Nmap. Thanks to Laurent Estieux
(laurent.estieux(a)free.fr) for reporting the problem.
o Fixed compilation on some HP-UX 11 boxes thanks to a patch by Petter
Reinholdtsen (pere(a)hungry.com).
o Fixed a portability problem on some OpenBSD and FreeBSD machines
thanks to a patch by Okan Demirmen (okan(a)demirmen.com).
o Applied Martin Macok's (martin.macok(a)underground.cz) "cosmetics
patch", which fixes a few typos and minor problems.
Nmap 3.75 [2004-10-18]
o Implemented a huge OS fingerprint database update. The number of
fingerprints increased more than 20% to 1,353 and many of the
existing ones are much improved. Notable updates include the fourth
edition of Bell Lab's Plan9, Grandstream's BugeTone 101 IP Phone,
and Bart's Network Boot Disk 2.7 (which runs MS-DOS). Oh, and Linux
kernels up to 2.6.8, dozens of new Windows fingerprints including XP
SP2, the latest Longhorn warez, and many modified Xboxes, OpenBSD
3.6, NetBSD up to 2.0RC4, Apple's AirPort Express WAP and OS X
10.3.3 (Panther) release, Novell Netware 6.5, FreeBSD 5.3-BETA, a
bunch of Linksys and D-Link consumer junk, the latest Cisco IOS 12.2
releases, a ton of miscellaneous broadband routers and printers, and
much more.
o Updated nmap-mac-prefixes with the latest OUIs from the IEEE.
[ http://standards.ieee.org/regauth/oui/oui.txt ]
o Updated nmap-protocols with the latest IP protocols from IANA
[ http://www.iana.org/assignments/protocol-numbers ]
o Added a few new Nmap version detection signatures thanks to a patch
from Martin Macok (martin.macok(a)underground.cz).
o Fixed a crash problem in the Windows version of Nmap, thanks to a
patch from Ganga Bhavani GBhavani(a)everdreamcorp.com).
o Fixed Windows service scan crashes that occur with the error message
"Unexpected nsock_loop error. Error code 10022 (Unknown error)". It
turns out that Windows does not allow select() calls with all three
FD sets empty. Lame. The Linux select() man page even suggests
calling "select with all three sets empty, n zero, and a non-null
timeout as a fairly portable way to sleep with subsecond precision."
Thanks to Gisle Vanem (giva(a)bgnett.no) for debugging help.
o Added --max_scan_delay parameter. Nmap will sometimes increase the
delay itself when it detects many dropped packets. For example,
Solaris systems tend to respond with only one ICMP port unreachable
packet per second during a UDP scan. So Nmap will try to detect
this and lower its rate of UDP probes to one per second. This can
provide more accurate results while reducing network congestion, but
it can slow the scans down substantially. By default (with no -T
options specified), Nmap allows this delay to grow to one second per
probe. This option allows you to set a lower or higher maximum.
The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
scans to 10 and 5 ms, respectively.
o Fixed a bug that prevented RPC scan (-sR) from working for UDP ports
unless service detection (-sV) was used. -sV is still usually a
better approach than -sR, as the latter ONLY handles RPC. Thanks to
Stephen Bishop (sbishop(a)idsec.co.uk) for reporting the problem and
sending a patch.
o Fixed nmap_fetchfile() to better find custom versions of data files
such as nmap-services. Note that the implicitly read directory
should be ~/.nmap rather than ~/nmap . So you may have to move any
customized files you now have in ~/nmap . Thanks to nnposter
(nnposter(a)users.sourceforge.net) for reporting the problem and
sending a patch.
o Changed XML output so that the MAC address [address] element comes
right after the IPv4/IPv6 [address] element. Apparently this is
needed to comply with the DTD ( http://nmap.org/data/nmap.dtd ).
Thanks to Adam Morgan (adam.morgan(a)Q1Labs.com) and Florian Ebner
(Florian.Ebner(a)e-bros.de) for the problem reports.
o Fixed an error in the Nmap RPM spec file reported by Pascal Trouvin
(pascal.trouvin(a)wanadoo.fr)
o Fixed a timing problem in which a specified large --send_delay would
sometimes be reduced to 1 second during a scan. Thanks to Martin
Macok (martin.macok(a)underground.cz) for reporting the problem.
o Fixed a timing problem with sneaky and paranoid modes (-T1 and -T0)
which would cause Nmap to continually scan the same port and never
hit other ports when scanning certain firewalled hosts. Thanks to
Curtis Doty (Curtis(a)GreenKey.net) for reporting the problem.
o Fixed a bug in the build system that caused most Nmap subdirectories
to be configured twice. Changing the variable holding the name of
subdirs from $subdirs to $nmap_cfg_subdirs resolved the problem --
configure must have been using that variable name for its own internal
operations. Anyway, this should reduce compile time significantly.
o Made a trivial change to nsock/src/nsock_event.c to work around a "a
bug in GCC 3.3.1 on FreeBSD/sparc64". I found the patch by digging
around the FreeBSD ports tree repository. It would be nice if the
FreeBSD Nmap port maintainers would report such things to me, rather
than fixing it in their own Nmap tree and then applying the patch to
every future version. On the other hand, they deserve some sort of
"most up-to-date" award. I stuck Nmap 3.71-PRE1 in the dist
directory for a few people to test, and made no announcement or
direct link. The FreeBSD crew found it and upgraded anyway :). The
gcc-workaround patch was apparently submitted to the FreeBSD folks
by Marius Strobl (marius(a)alchemy.franken.de).
o Fixed (I hope) an OS detection timing issue which would in some
cases lead to the warning that "insufficient responses for TCP
sequencing (3), OS detection may be less accurate." Thanks to Adam
Kerrison (adam(a)tideway.com) for reporting the problem.
o Modified the warning given when files such as nmap-services exist in
both the compiled in NMAPDATADIR and the current working directory.
That message should now only appear once and is more clear.
o Fixed ping scan subsystem to work a little bit better when
--scan_delay (or some of the slower -T templates which include a scan
delay) is specified. Thanks to Shahid Khan (khan(a)asia.apple.com)
for suggestions.
o Taught connect() scan to properly interpret ICMP protocol
unreachable messages. Thanks to Alan Bishoff
(abishoff(a)arc.nasa.gov) for the report.
o Improved the nmapfe.desktop file to better comply with standards.
Thanks to Stephane Loeuillet (stephane.loeuillet(a)tiscali.fr) for
sending the patch.
Nmap 3.70 [2004-8-31]
o Rewrote core port scanning engine, which is now named ultra_scan().
Improved algorithms make this faster (often dramatically so) in
almost all cases. Not only is it superior against single hosts, but
ultra_scan() can scan many hosts (sometimes hundreds) in parallel.
This offers many efficiency/speed advantages. For example, hosts
often limit the ICMP port unreachable packets used by UDP scans to
1/second. That made those scans extraordinarily slow in previous
versions of Nmap. But if you are scanning 100 hosts at once,
suddenly you can receive 100 responses per second. Spreading the
scan amongst hosts is also gentler toward the target hosts. Nmap
can still scan many ports at the same time, as well. If you find
cases where ultra_scan is slower or less accurate, please send a
report (including exact command-lines, versions used, and output, if
possible) to Fyodor.
o Added --max_hostgroup option which specifies the maximum number of
hosts that Nmap is allowed to scan in parallel.
o Added --min_hostgroup option which specifies the minimum number of
hosts that Nmap should scan in parallel (there are some exceptions
where Nmap will still scan smaller groups -- see man page). Of
course, Nmap will try to choose efficient values even if you don't
specify hostgroup restrictions explicitly.
o Rewrote TCP SYN, ACK, Window, and Connect() scans to use
ultra_scan() framework, rather than the old pos_scan().
o Rewrote FIN, Xmas, NULL, Maimon, UDP, and IP Protocol scans to use
ultra_scan(), rather than the old super_scan().
o Overhauled UDP scan. Ports that don't respond are now classified as
"open|filtered" (open or filtered) rather than "open". The (somewhat
rare) ports that actually respond with a UDP packet to the empty
probe are considered open. If version detection is requested, it
will be performed on open|filtered ports. Any that respond to any of
the UDP probes will have their status changed to open. This avoids a
the false-positive problem where filtered UDP ports appear to be
open, leading to terrified newbies thinking their machine is
infected by back orifice.
o Nmap now estimates completion times for almost all port scan types
(any that use ultra_scan()) as well as service scan (version
detection). These are only shown in verbose mode (-v). On scans
that take more than a minute or two, you will see occasional updates
like:
SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
New updates are given if the estimates change significantly.
o Added --exclude option, which lets you specify a comma-separated
list of targets (hosts, ranges, netblocks) that should be excluded
from the scan. This is useful to keep from scanning yourself, your
ISP, particularly sensitive hosts, etc. The new --excludefile reads
the list (newline-delimited) from a given file. All the work was
done by Mark-David McLaughlin (mdmcl(a)cisco.com> and William McVey
( wam(a)cisco.com ), who sent me a well-designed and well-tested
patch.
o Nmap now has a "port scan ping" system. If it has received at least
one response from any port on the host, but has not received
responses lately (usually due to filtering), Nmap will "ping" that
known-good port occasionally to detect latency, packet drop rate,
etc.
o Service/version detection now handles multiple hosts at once for
more efficient and less-intrusive operation.
o Nmap now wishes itself a happy birthday when run on September 1 in
verbose mode! The first public release was on that date in 1997.
o The port randomizer now has a bias toward putting
commonly-accessible ports (80, 22, etc.) near the beginning of the
list. Getting a response early helps Nmap calculate response times and
detect packet loss, so the scan goes faster.
o Host timeout system (--host_timeout) overhauled to support host
parallelization. Hosts times are tracked separately, so a host that
finishes a SYN scan quickly is not penalized for an exceptionally
slow host being scanned at the same time.
o When Nmap has not received any responses from a host, it can now
use certain timing values from other hosts from the same scan
group. This way Nmap doesn't have to use absolute-worst-case
(300bps SLIP link to Uzbekistan) round trip timeouts and such.
o Enabled MAC address reporting when using the Windows version
of Nmap. Thanks to Andy Lutomirski (luto(a)stanford.edu) for
writing and sending the patch.
o Workaround crippled raw sockets on Microsoft Windows XP SP2 scans.
I applied a patch by Andy Lutomirski (luto(a)stanford.edu) which
causes Nmap to default to WinPcap sends instead. The WinPcap send
functionality was already there for versions of Windows such as NT and
Win98 that never supported Raw Sockets in the first place.
o Changed how Nmap sends ARP requests on Windows to use the iphlpapi
SendARP() function rather than creating it raw and reading the
response from the Windows ARP cache. This works around a
(reasonable) feature of Windows Firewall which ignored such
unsolicited responses. The firewall is turned on by default as of
Windows XP SP2. This change was implemented by Dana Epp
(dana(a)vulscan.com).
o Fixed some Windows portability issues discovered by Gisle Vanem
(giva(a)bgnett.no).
o Upgraded libpcap from version 0.7.2 to 0.8.3. This was an attempt
to fix an annoying bug, which I then found was actually in my code
rather than libpcap :).
o Removed Ident scan (-I). It was rarely useful, and the
implementation would have to be rewritten for the new ultra_scan()
system. If there is significant demand, perhaps I'll put it back in
sometime.
o Documented the --osscan_limit option, which saves time by skipping
OS detection if at least one open and one closed port are not found on
the remote hosts. OS detection is much less reliable against such
hosts anyway, and skipping it can save some time.
o Updated nmapfe.desktop file to provide better NmapFE desktop support
under Fedora Core and other systems. Thanks to Mephisto
(mephisto(a)mephisto.ma.cx) for sending the patch.
o Further nmapfe.desktop changes to better fit the freedesktop
standard. The patch came from Murphy (m3rf(a)swimmingnoodle.com).
o Fixed capitalization (with a Perl script) of many over-capitalized
vendor names in nmap-mac-prefixes.
o Ensured that MAC address vendor names are always escaped in XML
output if they contain illegal characters (particularly '&'). Thanks
to Matthieu Verbert (mve(a)zurich.ibm.com) for the report and a patch.
o Changed xmloutputversion in XML output from 1.0 to 1.01 to note that
there was a slight change (which was actually the MAC stuff in 3.55).
Thanks to Lionel CONS (lionel.cons(a)cern.ch) for the suggestion.
o Many Windows portability fix and bug fixes, thanks to patch from
Gisle Vanem (giva(a)bgnett.no). With these changes, he was able to
compile Nmap on Windows using MingW + gcc 3.4 C++ rather than MS
Visual Studio.
o Removed (addport) tags from XML output. They used to provide open
ports as they were discovered, but don't work now that the port
scanners scan many hosts at once. They did not specify an IP
address. Of course the appropriate (port) tags are still printed
once scanning of a target is complete.
o Configure script now detects GNU/k*BSD systems (whatever those are),
thanks to patch from Robert Millan (rmh(a)debian.org)
o Fixed various crashes and assertion failures related to the new
ultra_scan() system, that were found by Arturo "Buanzo" Busleiman
(buanzo(a)buanzo.com.ar), Eric (catastrophe.net), and Bill Petersen
(bill.petersen(a)alcatel.com).
o Fixed some minor memory leaks relating to ping and list scanning as
well as the Nmap output table. These were found with Valgrind (
http://valgrind.kde.org/ ).
o Provide limited --packet_trace support for TCP connect() (-sT)
scans.
o Fixed compilation on certain Solaris machines thanks to a patch by
Tom Duffy (tduffy(a)sun.com)
o Fixed some warnings that crop up when compiling Nbase C files with a
C++ compiler. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending
the patch.
o Tweaked the License blurb on source files and in the man page. It
clarifies some issues and includes a new GPL exception that
explicitly allows linking with the OpenSSL library. Some people
believe that the GPL and OpenSSL licenses are incompatible without
this special exception.
o Fixed some serious runtime portability issues on *BSD systems.
Thanks to Eric (catastrophe.net) for reporting the problem.
o Changed the argument parser to better detect bogus arguments to the
-iR option.
o Removed a spurious warning message relating to the Windows ARP cache
being empty. Patch by Gisle Vanem (giva(a)bgnett.no).
o Removed some C++-style line comments (//) from nbase, because some C
compilers (particularly on Solaris) barf on those. Problem reported
by Raju Alluri <Raju.Alluri(a)Sun.COM>
Nmap 3.55 [2004-7-7]
o Added MAC address printing. If Nmap receives packet from a target
machine which is on an Ethernet segment directly connected to the
scanning machine, Nmap will print out the target MAC address. Nmap
also now contains a database (derived from the official IEEE
version) which it uses to determine the vendor name of the target
ethernet interface. The Windows version of Nmap does not yet have
this capability. If any Windows developer types are interesting in
adding it, you just need to implement IPisDirectlyConnected() in
tcpip.cc and then please send me the patch. Here are examples from
normal and XML output (angle brackets replaced with [] for HTML
changelog compatibility):
MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
[address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" /]
o Updated the XML DTD to support the newly printed MAC addresses.
Thanks to Thorsten Holz (thorsten.holz(a)mmweg.rwth-aachen.de) for
sending this patch.
o Added a bunch of new and fixed service fingerprints for version
detection. These are from Martin Macok
(martin.macok(a)underground.cz).
o Normalized many of the OS names in nmap-os-fingerprints (fixed
capitalization, typos, etc.). Thanks to Royce Williams
(royce(a)alaska.net) and Ping Huang (pshuang(a)alum.mit.edu) for
sending patches.
o Modified the mswine32/nmap_performance.reg Windows registry file to
use an older and more compatible version. It also now includes the
value "StrictTimeWaitSeqCheck"=dword:00000001 , as suggested by Jim
Harrison (jmharr(a)microsoft.com). Without that latter value, the
TcpTimedWaitDelay value apparently isn't checked. Windows users
should apply the new registry changes by clicking on the .reg file.
Or do it manually as described in README-WIN32. This file is also
now available in the data directory at
http://nmap.org/data/nmap_performance.reg
o Applied patch from Gisle Vanem (giva(a)bgnett.no) which allows the
Windows version of Nmap to work with WinPCAP 3.1BETA (and probably
future releases). The Winpcap folks apparently changed the encoding
of adapter names in this release.
o Fixed a ping scanning bug that would cause this error message: "nmap:
targets.cc:196: int hostupdate (Target **, Target *, int, int, int,
timeout_info *, timeval *, timeval *, pingtune *, tcpqueryinfo *,
pingstyle): Assertion `pt->down_this_block > 0' failed." Thanks to
Beirne Konarski (beirne(a)neo.rr.com) for reporting the problem.
o If a user attempts -PO (the letter O), print an error suggesting
that they probably mean -P0 (Zero) to disable ping scanning.
o Applied a couple patches (with minor changes) from Oliver Eikemeier
(eikemeier(a)fillmore-labs.com) which fix an edge case relating to
decoy scanning IP ranges that must be sent through different
interfaces, and improves the Nmap response to certain error codes
returned by the FreeBSD firewall system. The patches are from
http://cvsweb.freebsd.org/ports/security/nmap/files/ .
o Many people have reported this error: "checking for type of 6th
argument to recvfrom()... configure: error: Cannot find type for 6th
argument to recvfrom()". In most cases, the cause was a missing or
broken C++ compiler. That should now be detected earlier with a
clearer message.
o Fixed the FTP bounce scan to better detect filtered ports on the
target network.
o Fixed some minor bugs related to the new MAC address printing
feature.
o Fixed a problem with UDP-scanning port 0, which was reported by
Sebastian Wolfgarten (sebastian(a)wolfgarten.com).
o Applied patch from Ruediger Rissmann (RRI(a)zurich.ibm.com), which
helps Nmap understand an EACCESS error, which can happen at least
during IPv6 scans from certain platforms to some firewalled targets.
o Renamed ACK ping scan option from -PT to -PA in the documentation.
Nmap has accepted both names for years and will continue to do
so.
o Removed the notice that Nmap is reading target specifications from a
file or stdin when you specify the -iL option. It was sometimes
printed to stdout even when you wanted to redirect XML or grepable
output there, because it was printed during options processing before
output files were handled. This change was suggested by Anders Thulin
(ath(a)algonet.se).
o Added --source_port as a longer, but hopefully easier to remember,
alias for -g. In other words, it tries to use the constant source
port number you specify for probes. This can help against poorly
configured firewalls that trust source port 20, 53, and the like.
o Removed undocumented (and useless) -N option.
o Fixed a version detection crash reported in excellent detail by
Jedi/Sector One (j(a)pureftpd.org).
o Applied patch from Matt Selsky (selsky(a)columbia.edu) which helps
Nmap build with OpenSSL.
o Modified the configure/build system to fix library ordering problems
that prevented Nmap from building on certain platforms. Thanks to
Greg A. Woods (woods(a)weird.com) and Saravanan
(saravanan_kovai(a)HotPop.com) for the suggestions.
o Applied a patch to Makefile.in from Scott Mansfield
(thephantom(a)mac.com) which enables the use of a DESTDIR variable
to install the whole Nmap directory structure under a different root
directory. The configure --prefix option would do the same thing in
this case, but DESTDIR is apparently a standard that package
maintainers like Scott are used to. An example usage is
"make DESTDIR=/tmp/packageroot".
o Removed unnecessary banner printing in the non-root connect() ping
scan. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and
a patch.
o Updated the headers at the top of each source file (mostly to
advance the copyright year to 2004 and note that Nmap is a registered
trademark).
o The SInfo line of submitted fingerprints now provides the target's
OUI (first three bytes of the MAC address) if available. Example:
"M=00A0CC". To save a couple bytes, the "Time" field in SInfo has
been renamed to "Tm". The OUI helps identify the device vendor, and
is only available when the source and target machines are on the
same ethernet network.
Nmap 3.50 [2004-1-18]
o Integrated a ton of service fingerprints, increasing the number of
signatures more than 50%. It has now exceeded 1,000 for the first
time, and represents 180 unique service protocols from acap, afp,
and aim to xml-rpc, zebedee, and zebra.
o Implemented a huge OS fingerprint update. The number of
fingerprints has increased more than 13% to 1,121. This is the first
time it has exceeded 1000. Notable updates include Linux 2.6.0, Mac
OS X up to 10.3.2 (Panther), OpenBSD 3.4 (normal and pf "scrub all"),
FreeBSD 5.2, the latest Windows Longhorn warez, and Cisco PIX 6.3.3.
As usual, there are a ton of new consumer devices from ubiquitous
D-Link, Linksys, and Netgear broadband routers to a number of new IP
phones including the Cisco devices commonly used by Vonage. Linksys
has apparently gone special-purpose with some of their devices, such
as their WGA54G "Wireless Game Adapter" and WPS54GU2 wireless print
server. A cute little MP3 player called the Rio Karma was submitted
multiple times and I also received and integrated fingerprints for the
Handspring Treo 600 (PalmOS).
o Applied some man page fixes from Eric S. Raymond
(esr(a)snark.thyrsus.com).
o Added version scan information to grepable output between the last
two '/' delimiters (that space was previously unused). So the format
is now "portnum/state/protocol/owner/servicename/rpcinfo/versioninfo"
as in "53/open/tcp//domain//ISC Bind 9.2.1/" and
"22/open/tcp//ssh//OpenSSH 3.5p1 (protocol 1.99)/". Thanks to
MadHat (madhat(a)unspecific.com) for sending a patch (although I did
it differently). Note that any '/' characters in the
version (or owner) field are replaced with '|' to keep awk/cut
parsing simple. The service name field has been updated so that it
is the same as in normal output (except for the same sort of
escaping discussed above).
o Integrated an Oracle TNS service probe and match lines contributed
by Frank Berger (fm.berger(a)gmx.de). New probe contributions are
always appreciated!
o Fixed a crash that could happen during SSL version detection due to
SSL session ID cache reference counting issues.
o Applied patch from Rob Foehl (rwf(a)loonybin.net) which fixes the
--with_openssl=DIR configure argument.
o Applied patch to nmap XML dtd (nmap.dtd) from Mario Manno
(mm(a)koeln.ccc.de). This accounts for the new version scanning
functionality.
o Updated the Windows build system so that you don't have to manually
copy nmap-service-probes to the output directory. I also updated
the README-WIN32 to elaborate further on the build process.
o Added configure option --with-libpcre=included which causes Nmap to
build with its included version of libpcre even if an acceptable
version is available on the system.
o Upgraded to Autoconf 2.59 (from 2.57). This should help HP-UX
compilation problems reported by Petter Reinholdtsen
(pere(a)hungry.com) and may have other benefits as well.
o Applied patch from Przemek Galczewski (sako(a)avet.com.pl) which
adds spaces to the XML output in places that apparently help certain
older XML parsers.
o Made Ident-scan (-I) limits on the length and type of responses
stricter so that rogue servers can't flood your screen with 1024
characters. The new length limit is 32. Thanks to Tom Rune Flo
(tom(a)x86.no) for the suggestion and a patch.
o Fingerprints for unrecognized services can now be a bit longer to
avoid truncating as much useful response information. While the
fingerprints can be longer now, I hope they will be less frequent
because of all the newly recognized services in this version.
o The nmap-service-probes "match" directive can now take a service
name like "ssl/vmware-auth". The service will then be reported as
vmware-auth (or whatever follows "ssl/") tunneled by SSL, yet Nmap
won't actually bother initiating an SSL connection. This is useful
for SSL services which can be fully recognized without the overhead
of making an SSL connection.
o Version scan now chops commas and whitespace from the end of
vendorproductname, version, and info fields. This makes it easier to
write templates incorporating lists. For example, the tcpmux service
(TCP port 1) gives a list of supported services separated by CRLF.
Nmap uses this new feature to print them comma separated without
having an annoying trailing comma as so (linewrapped):
match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$|
v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
Nmap 3.48 [2003-10-6]
o Integrated an enormous number of version detection service
submissions. The database has almost doubled in size to 663
signatures representing the following 130 services:
3dm-http afp apcnisd arkstats bittorent chargen citrix-ica
cvspserver cvsup dantzretrospect daytime dict directconnect domain
echo eggdrop exec finger flexlm font-service ftp ftp-proxy gnats
gnutella-http hddtemp hp-gsg http http-proxy hylafax icecast ident
imap imaps imsp ipp irc ircbot irc-proxy issrealsecure jabber
kazaa-http kerberos-sec landesk-rc ldap linuxconf lmtp lotusnotes
lpd lucent-fwadm meetingmaker melange microsoft-ds microsoft-rdp
mldonkey msactivesync msdtc msrpc ms-sql-m mstask mud mysql
napster ncacn_http ncp netbios-ns netbios-ssn netrek netsaint
netstat netwareip networkaudio nntp nsclient nsunicast ntop-http
omniback oracle-mts oracle-tns pcanywheredata pksd pmud pop2 pop3
pop3s poppass postgresql powerchute printer qotd redcarpet
rendezvous rlogind rpc rsync rtsp sdmsvc sftp shell shivahose
sieve slimp3 smtp smux snpp sourceoffice spamd ssc-agent ssh ssl
svrloc symantec-av symantec-esm systat telnet time tinyfw upnp
uucp veritasnetbackup vnc vnc-http vtun webster whois wins
winshell wms X11 xfce zebra
o Added the ability to execute "helper functions" in version
templates, to help clean up/manipulate data captured from a server
response. The first defined function is P() which includes only
printable characters in a captured string. The main impetus for
this is to deal with Unicode strings like
"W\0O\0R\0K\0G\0R\0O\0U\0P\0" that many MS protocols send. Nmap can
now decode that into "WORKGROUP".
o Added SUBST() helper function, which replaces strings in matched
appname/version/extrainfo strings with something else. For example,
VanDyke Vshell gives a banner that includes
"SSH-2\.0-VShell_2_2_0_528". A substring match is used to pick out
the string "2_2_0_528", and then SUB21ST(1,"_",".") is called on that
match to form the version number 2.2.0.528.
o If responses to a probe fail to match any of the registered match
strings for that probe, Nmap will now try against the registered "null
probe" match strings. This helps in the case that the NULL probe
initially times out (perhaps because of initial DNS lookup) but the
banner appears in later responses.
o Applied some portability fixes (particularly for OpenBSD) from Chad
Loder (cloder(a)loder.us), who is also now the OpenBSD Nmap port
maintainer.
o Applied some portability fixes from Marius Strobl
(marius(a)alchemy.franken.de).
o The tarball distribution of Nmap now strips the binary at install
time thanks to a patch from Marius Strobl
(marius(a)alchemy.franken.de).
o Fixed a problem related to building Nmap on systems that lack PCRE
libs (and thus have to use the ones included by Nmap). Thanks to Remi
Denis-Courmont (deniscr6(a)cti.ecp.fr) for the report and patch.
o Alphabetized the service names in each Probe section in
nmap-service-probes (makes them easier to find and add to).
o Fixed the problem several people reported where Nmap would quit with
a "broken pipe" error during service scanning. Thanks to Jari Ruusu
(jari.ruusu(a)pp.inet.fi) for sending a patch. The actual error
message was "Unexpected error in NSE_TYPE_READ callback. Error
code: 32 (Broken pipe)"
o Fixed protocol scan (-sO), which I had broken when adding the new
output table format. It would complain "NmapOutputTable.cc:128:
failed assertion `row < numRows'". Thanks to Matt Burnett
(marukka(a)mac.com) for notifying me of the problem.
o Upgraded Libpcap to the latest tcpdump.org version (0.7.2) from
0.7.1
o Applied a patch from Peter Marschall (peter(a)adpm.de) which adds
version detection support to nmapfe.
o Fixed a problem with XML output being invalid when service detection
was done on SSL-tunneled ports. Thanks to the several people who
reported this - it means that folks are actually using the XML
output :).
o Fixed (I hope) some Solaris Sun ONE compiler compilation problems
reported (w/patches) by Mikael Mannstrom (candyman(a)penti.org)
o Fixed the --with-openssl configure option for people who have
OpenSSL installed in a path not automatically found by their
compilers. Thanks to Marius Strobl (marius(a)alchemy.franken.de) for
the patch.
o Made some portability changes for HP-UX and possibly other types of
machines, thanks to a patch from Petter Reinholdtsen (pere(a)hungry.com)
o Applied a patch from Matt Selsky (selsky(a)columbia.edu) which fixes
compilation on some Solaris boxes, and maybe others. The error said
"cannot compute sizeof (char)"
o Applied some patches from the NetBSD ports tree that Hubert Feyrer
(hubert.feyrer(a)informatik.fh-regensburg.de) sent me. The NetBSD
Nmap ports page is at http://www.NetBSD.org/packages/net/nmap/ .
o Applied some Makefile patches from the FreeBSD ports tree that I
found at http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/nmap/files/
Nmap 3.45 [2003-9-15]
o Integrated more service signatures from MadHat
(madhat(a)unspecific.com), Brian Hatch (bri(a)ifokr.org), Niels
Heinen (zillion(a)safemode.org), Solar Designer
(solar(a)openwall.com), Seth Master
(smaster(a)stanford.edu), and Curt Wilson
(netw3_security(a)hushmail.com). We now have 378 signatures
recognizing 86 unique service protocols.
o Added new HTTPOptions and RTSPRequest probes suggested by MadHat
(madhat(a)unspecific.com)
o Changed the .spec file to compile Nmap RPMs without SSL support to
improve compatibility (Some users might not have OpenSSL, and even
those who do might not have the right version (libopenssl.so.2 vs
libopenssl.so.4, etc).
o Applied a patch from Solar Eclipse (solareclipse(a)phreedom.org)
which increases the allowed size of the 'extrainfo' version field from
80 characters to 128. The main benefit is to allow longer apache module
version strings.
o Fixed Windows compilation and improved the Windows port slightly (no
more macro to redefine read().
o Applied some updates to README-WIN32 sent in by Kirby Kuehl
(kkuehl(a)cisco.com). He improved the list of suggested registry
changes and also fixed a typo or two. He also attached a .reg file
automate the Nmap connect() scan performance enhancing registry
changes. I am now including that with the Nmap Windows binary .zip
distribution (and in mswin32/ of the source distro).
o Applied a one-line patch from Dmitry V. Levin (ldv(a)altlinux.org)
which fixes a test Nmap does during compilation to see if an existing
libpcap installation is recent enough.
Nmap 3.40PVT17 [2003-9-12]
o Wrote and posted a new paper on version scanning to
http://nmap.org/versionscan.html . Updated nmap-service-probes and
the Nmap man page to simply refer to this URL.
o Integrated more service signatures from my own scanning as well as
contributions from Brian Hatch (bri(a)ifokr.org), MadHat
(madhat(a)unspecific.com), Max Vision (vision(a)whitehats.com), HD
Moore (hdm(a)digitaloffense.net), Seth Master
(smaster(a)stanford.edu), and Niels Heinen (zillion(a)safemode.org).
MadHat also contributed a new probe for Windows Media Service. Many
people set a LOT of signatures, which has allowed
nmap-service-probes to grow from 295 to 356 signatures representing
85 service protocols!
o Applied a patch (with slight changes) from Brian Hatch
(bri(a)ifokr.org) which enables caching of SSL sessions so that
negotiation doesn't have to be repeated when Nmap reconnects to the same
between probes.
o Applied a patch from Brian Hatch (bri(a)ifokr.org) which optimizes the
requested SSL ciphers for speed rather than security. The list was
based on empirical evidence from substantial benchmarking he did with
tests that resemble nmap-service-scanning.
o Updated the Nmap man page to discuss the new version scanning
options (-sV, -A).
o I now include nmap-version/aclocal.m4 in the distribution as this is
required to rebuild the configure script ( thanks to Dmitry V. Levin
(ldv(a)altlinux.org) for notifying me of the problem.
o Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which
detects whether the PCRE include file is <pcre.h> or <pcre
o Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which
fixes typos in some error messages. The patch apparently came from
the highly-secure and stable Owl and Alt Linux distributions. Check
them out at http://www.openwall.com/Owl/ and
http://www.altlinux.com/
o Fixed compilation on Mac OS X - thanks to Brian Hatch
(bri(a)ifokr.org> and Ryan Lowe (rlowe(a)pablowe.net) for giving me
access to Mac OS X boxes.
o Stripped down libpcre build system to remove libtool dependency and
other cruft that Nmap doesn't need. (this was mostly a response to
libtool-related issues on Mac OS X).
o Added a new --version_trace option which causes Nmap to print out extensive
debugging info about what version scanning is doing (this is a subset
of what you would get with --packet_trace). You should usually use
this in combination with at least one -d option.
o Fixed a port number printing bug that would cause Nmap service
fingerprints to give a negative port number when the actual port was
above 32K. Thanks to Seth Master (smaster(a)stanford.edu) for finding
this.
o Updated all the header text again to clarify our interpretation of
"derived works" after some suggestions from Brian Hatch
(bri(a)ifokr.org)
o Updated the Nsock config.sub/config.guess to the same newer versions
that Nmap uses (for Mac OS X compilation).
Nmap 3.40PVT16 [2003-9-6]
o Fixed a compilation problem on systems w/o OpenSSL that was
discovered by Solar Designer. I also fixed some compilation
problems on non-IPv6 systems. It now compiles and runs on my
Solaris and ancient OpenBSD systems.
o Integrated more services thanks to submissions from Niels Heinen
(zillion(a)safemode.org).
o Canonicalized the headers at the top of each Nmap/Nsock header source
file. This included clarifying our interpretation of derived works,
updating the copyright date to 2003, making the header a bit wider,
and a few other light changes. I've been putting this off for a
while, because it required editing about a hundred !#$# files!
Nmap 3.40PVT15 [2003-9-5]
o Fixed a major bug in the Nsock time caching system. This could
cause service detection to inexplicably fail against certain ports in
the second or later machines scanned. Thanks to Solar Designer and HD
Moore for helping me track this down.
o Fixed some *BSD compilation bugs found by
Zillion (zillion(a)safemode.org).
o Integrated more services thanks to submissions from Fyodor Yarochkin
(fygrave(a)tigerteam.net), and Niels Heinen
(zillion(a)safemode.org), and some of my own exploring. There are
now 295 signatures.
o Fixed a compilation bug found by Solar Designer on machines that
don't have struct sockaddr_storage. Nsock now just uses "struct
sockaddr *" like connect() does.
o Fixed a bug found by Solar Designer which would cause the Nmap
portscan table to be truncated in -oN output files if the results are
very long.
o Changed a bunch of large stack arrays (e.g. int portlookup[65536])
into dynamically allocated heap pointers. The large stack variables
apparently caused problems on some architectures. This issue was
reported by osamah abuoun (osamah_abuoun(a)hotmail.com).
Nmap 3.40PVT14 [2003-9-4]
o Added IPv6 support for service scan.
o Added an 'sslports' directive to nmap-service-probes. This tells
Nmap which service checks to try first for SSL-wrapped ports. The
syntax is the same as the normal 'ports' directive for non-ssl ports.
For example, the HTTP probe has an 'sslports 443' line and
SMTP-detecting probes have and 'sslports 465' line.
o Integrated more services thanks to submissions from MadHat
(madhat(a)unspecific.com), Solar Designer (solar(a)openwall.com), Dug
Song (dugsong(a)monkey.org), pope(a)undersec.com, and Brian Hatch
(bri(a)ifokr.org). There are now 288 signatures, matching these 65
service protocols:
chargen cvspserver daytime domain echo exec finger font-service
ftp ftp-proxy http http-proxy hylafax ident ident imap imaps ipp
ircbot ircd irc-proxy issrealsecure landesk-rc ldap meetingmaker
microsoft-ds msrpc mud mysql ncacn_http ncp netbios-ns netbios-ssn
netsaint netwareip nntp nsclient oracle-tns pcanywheredata pop3
pop3s postgres printer qotd redcarpet rlogind rpc rsync rtsp shell
smtp snpp spamd ssc-agent ssh ssl telnet time upnp uucp vnc
vnc-http webster whois winshell X11
o Added a Lotus Notes probe from Fyodor Yarochkin
(fygrave(a)tigerteam.net).
o Dug Song wins the "award" for most obscure service fingerprint
submission. Nmap now detects Dave Curry's Webster dictionary server
from 1986 :).
o Service fingerprints now include a 'T=SSL' attribute when SSL
tunneling was used.
o More portability enhancements thanks to Solar Designer and his Linux
2.0 libc5 boxes.
o Applied a patch from Gisle Vanem (giva(a)bgnett.no) which improves
Windows emulation of the UNIX mmap() and munmap() memory mapping calls.
Nmap 3.40PVT13 [2003-9-1]
o Added SSL-scan-through support. If service detection finds a port to be
SSL, it will transparently connect to the port using OpenSSL and use
version detection to determine what service lies beneath. This
feature is only enabled if OpenSSL is available at build time. A
new --with-openssl=DIR configure option is available if OpenSSL is
not in your default compiler paths. You can use --without-openssl
to disable this functionality. Thanks to Brian Hatch
(bri(a)ifokr.org) for sample code and other assistance. Make sure
you use a version without known exploitable overflows. In
particular, versions up to and including OpenSSL 0.9.6d and
0.9.7-beta2 contained serious vulnerabilities described at
http://www.openssl.org/news/secadv_20020730.txt . Note that these
vulnerabilities are well over a year old at the time of this
writing.
o Integrated many more services thanks to submissions from Brian
Hatch, HellNBack ( hellnbak(a)nmrc.org ), MadHat, Solar Designer,
Simple Nomad, and Shawn Wallis (swallis(a)ku.edu). The number of
signatures has grown from 242 to 271. Thanks!
o Integrated Novell Netware NCP and MS Terminal Server probes from
Simple Nomad (thegnome(a)nmrc.org).
o Fixed a segfault found by Solar Designer that could occur when
scanning certain "evil" services.
o Fixed a problem reported by Solar Designer and MadHat (
madhat(a)unspecific.com ) where Nmap would bail when certain Apache
version/info responses were particularly long. It could happen in
other cases as well. Now Nmap just prints a warning.
o Fixed some portability issues reported by Solar Designer
( solar(a)openwall.com )
Nmap 3.40PVT12 [2003-8-24]
o I added probes for SSL (session startup request) and microsoft-ds
(SMB Negotiate Protocol request).
o I changed the default read timeout for a service probe from 7.5s to 5s.
o Fixed a one-character bug that broke many scans when -sV was NOT
given. Thanks to Blue Boar (BlueBoar(a)thievco.com) for the report.
Nmap 3.40PVT11 [2003-8-23]
o Integrated many more services thanks to submissions from Simple
Nomad, Solar Designer, jerickson(a)inphonic.com, Curt Wilson, and
Marco Ivaldi. Thanks! The match line count has risen from 201 to 242.
o Implemented a service classification scheme to separate the
vendor/product name from the version number and any extra info that
is provided. Instead of v/[big version string]/, the new match
lines include v/[vendor/productname]/[version]/[extrainfo]/ . See
the docs at the top of nmap-service-probes for more info. This
doesn't change the normal output (which lumps them together anyway),
but they are separate in the XML so that higher-level programs can
easily match against just a product name. Here are a few examples
of the improved service element:
<service name="ssh" product="OpenSSH" version="3.1p1"
extrainfo="protocol 1.99" method="probed" conf="10" />
<service name="domain" product="ISC Bind" version="9.2.1"
method="probed" conf="10" />
<state state="open" /><service name="rpcbind" version="2"
extrainfo="rpc #100000" method="probed" conf="10" />
<service name="rndc" method="table" conf="3" />
o I went through nmap-service-probes and added the vendor name to more
entries. I also added the service name where the product name
itself didn't make that completely obvious.
o SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken
to an extortion campaign of demanding license fees from Linux users
for code that they themselves knowingly distributed under the terms
of the GNU GPL. They have also refused to accept the GPL, claiming
that some preposterous theory of theirs makes it invalid. Meanwhile
they have distributed GPL-licensed Nmap in (at least) their
"Supplemental Open Source CD". In response to these blatant
violations, and in accordance with section 4 of the GPL, we hereby
terminate SCO's rights to redistribute any versions of Nmap in any
of their products, including (without limitation) OpenLinux,
Skunkware, OpenServer, and UNIXWare.
Nmap 3.40PVT10 [2003-8-18]
o Added "soft matches". These are similar to normal match lines in
that they provide a regex for recognizing a service (but no version).
But instead of stopping at softmatch service recognition, the scan
continues looking for more info. It only launches probes that are
known-capable of matching the softmatched service. If no version
number is found, at least the determined service is printed. A
service print for submission is also provided in that case. So this
provides more informative results and improves efficiency.
o Cleaned up the Windows support a bit and did more testing and
fixing. Windows service detection seems to be working fine for me
now, although my testing is still pretty limited. This release
includes a Windows binary distribution and the README-WIN32 has been
updated to reflect new compilation instructions.
o More service fingerprints! Thanks to Solar Designer, Max Vision,
Frank Denis (Jedi/Sector One) for the submissions. I also added a
bunch from my own testing. The number of match lines went from 179
to 201.
o Updated XML output to handle new version and service detection
information. Here are a few examples of the new output:
<port protocol="tcp" portid="22"><state state="open" /><service
name="ssh" version="OpenSSH 3.1p1 (protocol 1.99)" method="probed"
conf="10" /></port>
<port protocol="tcp" portid="111"><state state="open" /><service
name="rpcbind" version="2 (rpc #100000)" method="probed" conf="10" /></port>
<port protocol="tcp" portid="953"><state state="open" /><service
name="rndc" method="table" conf="3" /></port>
o Fixed issue where Nmap would quit when ECONNREFUSED was returned
when we try to read from an already-connected TCP socket. FreeBSD
does this for some reason instead of giving ECONNRESET. Thanks to
Will Saxon (WillS(a)housing.ufl.edu) for the report.
o Removed the SERVICEMATCH_STATIC match type from
nmap-service-probes. There wasn't much benefit of this over regular
expressions, so it isn't worth maintaining the extra code.
Nmap 3.40PVT9 [2003-8-16]
o Added/fixed numerous service fingerprints thanks to submissions from
Max Vision, MadHat, Seth Master. Match lines went
from 164 to 179.
o The Winpcap libraries used in the Windows build process have been
upgraded to version 3.0.
o Most of the Windows port is complete. It compiles and service scan
works (I didn't test very deeply) on my WinXP box with VS.Net 2003.
I try to work out remaining kinks and do some cleanup for the next
version. The Windows code was restructured and improved quite a bit,
but much more work remains to be done in that area. I'll probably
do a Windows binary .zip release of the next version.
o Various minor fixes
Nmap 3.40PVT8 [2003-8-12]
o Service scan is now OFF by default. You can activate it with -sV.
Or use the snazzy new -A (for "All recommended features" or
"Aggressive") option which turns on both OS detection and service
detection.
o Fixed compilation on my ancient OpenBSD 2.3 machine (a Pentium 60 :)
o Added/fixed numerous service fingerprints thanks to submissions from
Brian Hatch, HD Moore, Anand R., and some of my own testing. The
number of match lines in this version grows from 137 to 164! Please
keep 'em coming!
o Various important and not-so-important fixes for bugs I encountered
while test scanning.
o The RPC grinder no longer prints a startup message if it has no
RPC-detected ports to scan.
o Some of the service fingerprint length limitations are relaxed a bit
if you enable debugging (-d).
Nmap 3.40PVT7 [2003-8-10]
o Added a whole bunch of services submitted by Brian Hatch
(bri(a)ifokr.org). I also added a few Windows-related probes.
Nmap-service-probes has gone from 101 match strings to 137. Please
keep the submissions coming.
o The question mark now only appears for ports in the OPEN state and
when service detection was requested.
o I now print a separator bar between service fingerprints when Nmap
prints more than one for a given host so that users understand to
submit them individually (suggested by Brian Hatch (bri(a)ifokr.org))
o Fixed a bug that would cause Nmap to print "empty" service
fingerprints consisting of just a semi-colon. Thanks to Brian Hatch
(bri(a)ifokr.org) for reporting this.
Nmap 3.40PVT6 [2003-8-8]
o Banner-scanned hundreds of thousands of machines for ports
21,23,25,110,3306 to collect default banners. Where the banner made
the service name/version obvious, I integrated them into
nmap-service-probes. This increased the number of 'match' lines from
27 to more than 100.
o Created the service fingerprint submission page at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi
o Changed the service fingerprint format slightly for easier
processing by scripts.
o Applied a large portability patch from Albert Chin-A-Young
(china(a)thewrittenword.com). This cleans up a number of things,
particularly for IRIX, Tru64, and Solaris.
o Applied NmapFE patch from Peter Marschall (peter(a)adpm.de) which
"makes sure changes in the relay host and scanned port entry fields
are displayed immediately, and also keeps the fields editable after
de- and reactivating them."
Nmap 3.40PVT4 [2003-7-28]
o Limited the size of service fingerprints to roughly 1024 bytes.
This was suggested by Niels Heinen (niels(a)heinen.ws), because the previous
limit was excessive. The number of fingerprints printed is also now
limited to 10.
o Fixed a segmentation fault that could occur when ping-scanning large
networks.
o Fixed service scan to gracefully handle host_timeout occurrences when
they happen during a service scan.
o Fixed a service_scan bug that would cause an error when hosts send
data and then close() during the NULL probe (when we haven't sent
anything).
o Applied a patch from Solar Designer (solar(a)openwall.com) which
corrects some errors in the Russian man page translation and also a
couple typos in the regular man page. Then I spell-checked the man
page to reduce future instances of foreigners sending in diffs to
correct my English :).
Nmap 3.40PVT3 [2003-7-28]
o Nmap now prints a "service fingerprint" for services that it is
unable to match despite returning data. The web submission page it
references is not yet available.
o Service detection now does RPC grinding on ports it detects to be
running RPC.
o Fixed a bug that would cause Nmap to quit with an Nsock error when
--host_timeout was used (or when -T5 was used, which sets it
implicitly).
o Fixed a bug that would cause Nmap to fail to print the OS
fingerprint in certain cases. Thanks to Ste Jones
(root(a)networkpenetration.com) for the problem report.
Nmap 3.40PVT2 [2003-7-26]
o Nmap now has a simple VERSION detection scheme. The 'match' lines in
nmap-service-probes can specify a template version string
(referencing subexpression matches from the regex in a Perl-like
manner) so that the version is determined at the same time as the
service. This handles many common services in a highly efficient
manner. A more complex form of version detection (that initiates
further communication w/the target service) may be necessary
eventually to handle services that aren't as forthcoming with
version details.
o The Nmap port state table now wastes less whitespace due to using a new
and stingy NmapOutputTable class. This makes it easier to read, and
also leaves more room for version info and possibly other enhancements.
o Added 's' option to match lines in nmap-service-probes. Just as
with the Perl 's' option, this one causes '.' in the regular
expression to match any character INCLUDING newline.
o The WinPcap header timestamp is no longer used on Windows as it
sometimes can be a couple seconds different than gettimeofday() (which
is really _ftime() on Windows) for some reason. Thanks to Scott
Egbert (scott.egbert(a)citigroup.com) for the report.
o Applied a patch by Matt Selsky (selsky(a)columbia.edu) which fixes
configure.in in such a way that the annoying header file "present but
cannot be compiled" warning for Solaris.
o Applied another patch from Matt that (we hope) fixes the "present
but cannot be compiled" warning -- this time for Mac OS X.
o Port table header names are now capitalized ("SERVICE", "PORT", etc)
Nmap 3.40PVT1 [2003-7-17]
o Initial implementation of service detection. Nmap will now probe
ports to determine what is listening, rather than guessing based on
the nmap-services table lookup. This can be very useful for
services on unidentified ports and for UDP services where it is not
always clear (without these probes) whether the port is really open
or just firewalled. It is also handy for when services are run on
the well-known-port of another protocol -- this is happening more
and more as users try to circumvent increasingly strict firewall
policies.
o Nmap now uses the excellent libpcre (Perl Compatible Regular
Expressions) library from http://www.pcre.org/ . Many systems
already have this, otherwise Nmap will use the copy it now includes.
If your libpcre is hidden away in some nonstandard place, give
./configure the new --with-libpcre=DIR directive.
o Nmap now uses the C++ Standard Template Library (STL). This makes
programming easier, but if it causes major portability or bloat
problems, I'll reluctantly remove it.
o Applied a patch from Javier Kohen (jkohen(a)coresecurity.com) which
normalizes the names of many Microsoft entries in the
nmap-os-fingerprints file.
o Applied a patch by Florin Andrei (florin(a)sgi.com) to the Nmap RPM
spec file. This uses the 'Epoch' flag to prevent the Redhat Network
tool from marking my RPMs as "obsolete" and "upgrading" to earlier
Redhat-built versions. A compilation flag problem is also fixed.
Nmap 3.30 [2003-6-28]
o Implemented the largest-ever OS fingerprint update! Roughly 300
fingerprints were added/modified. These massive changes span the
gamut from AIX 5.1 to the ZyXEL Prestige broadband router line.
Notable updates include OpenBSD 3.3, FreeBSD 5.1, Mac OS X 10.2.6,
Windows 2003 server, and more WAPs and broadband routers than you
can shake a stick at. Someone even submitted a fingerprint for
Debian Linux running on the Microsoft Xbox. You have to love that
irony :). Thanks to everyone who submitted fingerprints using the
URL Nmap gives you when it gets a clean reading but is stumped. The
fingerprint DB now contains almost 1000 fingerprints.
o Went through every one of the fingerprints to normalize the
descriptions a bit. I also looked up what all of the devices are
(thanks E*Bay and Google!). Results like "Nexland ISB Pro800 Turbo"
and "Siemens 300E Release 6.5" are much more useful when you add the
words "cable modem" and "business phone system"
o Added a new classification system to nmap-os-fingerprints. In
addition to the standard text description, each entry is now
classified by vendor name (e.g. Sun), underlying OS (e.g. Solaris),
OS generation (e.g. 7), and device type ("general purpose", router,
switch, game console, etc). This can be useful if you want to (say)
locate and eliminate the SCO systems on a network, or find the
wireless access points (WAPs) by scanning from the wired side.
o Classification system described above is now used to print out a
"device type" line and OS categories for matches. The free-form
English details are still printed as well. Nmap can sometimes
provide classifications even where it used to provide nothing
because of "too many matches". These have been added to XML output
as well. They are not printed for the "grepable output", as I
consider that format deprecated.
o Nmap will now sometimes guess in the "no exact matches" case, even
if you don't use the secret --osscan_guess or -fuzzy options.
o Applied another huge NmapFE patch from Peter Marschall
(peter(a)adpm.de). This revamps the interface to use a tabbed
format that allows for many more Nmap options to be used. It also
cleans up some crufty parts of the code. Let me and Peter know what
you think (and if you encounter any problems).
o Windows and Amiga ports now use packet receive times from libpcap.
Let me know if you get any "time computation problem" errors.
o Updated version of the Russian man page translation from Alex Volkov
(alex(a)cherepovets-city.ru).
Nmap 3.28 [2003-6-14]
o Fixed (I hope) an issue that would cause Nmap to print "Serious time
computation problem in adjust_timeout ..." and quit. The ultimate
cause was demonstrated by this --packet_trace snippet that Russel
Miller (rmiller(a)duskglow.com) sent me:
SENT (0.0500s) ICMP 0.0.0.0 > 127.0.0.1 Echo request (type=8/code=0) ...
RCVD (0.0450s) ICMP 127.0.0.1 > 127.0.0.1 Echo reply (type=0/code=0) ...
As you can see, the ping reply appears to come BEFORE the request
was sent(!). This sort of thing happens on at least Linux and
Windows. The send time is obtained from gettimeofday(timeval, NULL),
while receive time libpcap packet header. If anyone knows why this
occurs, or (even better) knows a good way to fix it, let me know.
For now, I am allowing the response to come up to .05s "before" the
request. That is gross.
o For years, Nmap has added -I/usr/local/include and -L/usr/local/lib
to the compiler line to grab local libraries. I have removed this
behavior by default, and added a '--with-localdirs' configure option
that adds it back. If Nmap fails to compile now without the above
option, please let me know. I can change the default back if this
change causes more problems than it solves. People (such as certain
ports tree packagers) who know they don't want /usr/local should
specify --without-localdirs rather than relying on that always being
the default.
o Fixed (I hope) a problem that led to the error message "Assertion
`tqi->sockets[probe_port_num][seq] == -1' failed".
o Fixed a problem that would cause Nmap on Windows to send ICMP ping
packets from 0.0.0.0 instead of the appropriate source IP. Thanks
to Yeti (boxed(a)blueyonder.co.uk) for the report.
o Applied some changes from Solar Designer (solar(a)openwall.com)
which fix some typos and also suggest safer /tmp/ behavior in the
HACKING file and Lithuanian man page. These changes are for the
Nmap package of his Openwall GNU/*/Linux (Owl) distribution.
[ http://www.openwall.com/Owl/ ]
o For Solaris, I now define NET_SIZE_T to size_t rather than socklen_t
in nmap.h. Isn't that exciting?!!! Hopefully this will help
compilation on Solaris 2.6 (and perhaps earlier). If any Solaris
users notice new compilation problems, please let me know. Thanks to
Al Smith (Al.Smith(a)aeschi.ch.eu.org) for reporting the issue.
o Removed an errant getopt() prototype in nbase/getopt.h which should
hopefully improve compilation on certain Solaris boxes and BSD
variants.
o SCO operating systems are no longer supported due to their recent
(and absurd) attacks against Linux and IBM. Bug reports relating to
UnixWare will be ignored, or possibly even laughed at derisively.
Note that I have no reason to believe anyone has ever used Nmap on
SCO systems. UnixWare and OpenServer suck.
o Fixed a problem with small --max_parallelism values when non-root ping
scanning that would cause Nmap to say "sendconnecttcpquery: Could
not scavenge a free socket!" and quit. Problem was reported by
Justin A (justin(a)bouncybouncy.net) as Debian Bug #195463.
o Applied (with a few modifications) a large NmapFE patch from Peter
Marschall (peter(a)adpm.de). This patch adds a bunch more scan/ping
options and cleans up some redundant NmapFE code.
o Included new Russian man page translation by Alex Volkov
(alex(a)cherepovets-city.ru)
o Changed many single-quotes (') into double quotes (") in the man
page due to a disagreement over whether to represent them as (') or
(\') in nroff.
o Included --packet_trace support for Explicit Congestion Notification
(RFC 2481/3168) flags thanks to a patch sent in by Maik Pfeil
(root(a)bundesspionageministerium.de)
o Included --packet_trace support for a few (unusual) ICMP types in
case Nmap receives them. The patch was also sent by Maik Pfeil.
o Fixed a problem with redirecting XML/Grep/Machine output to stdout
on Windows (e.g. -oX - ). Problem was reported by Wei Jiang
(Wei.Jiang(a)bindview.com)
o Made "-g -Wall" compiler flags dependent on availability of gcc/g++
sine some other compilers do not support them.
o I spam-protected the email addresses in this file. I fervently hope
that within 5 years we will be able to defeat this scourge through
technology and laws, so that we may again list our email addresses
openly without fear of abuse by criminal spammers. Oh, and it would
be a shame if the spiders went through this whole page and only
found uce@ftc.gov, rhundt@fcc.gov, jquello@fcc.gov, sness@fcc.gov,
president@whitehouse.gov, haesslich@loyalty.org, and rchong@fcc.gov.
Nmap 3.27 [2003-4-28]
o Nmap now compiles under Amiga thanks to patches sent by Diego
Casorran (dcr8520(a)amiga.org).
o Fixed a backwards WIN32 ifdef that broke UDP and small-fragment
scans for some operating systems other than Linux and Windows.
Thanks to Guido van Rooij (guido(a)gvr.org) for reporting the problem
and sending a patch.
o Applied patch from Marius Strobl (marius(a)alchemy.franken.de) which improves
the definition of NET_SIZE_T on FreeBSD so that it compiles on
64-bit platforms.
Nmap 3.26 [2003-4-24]
o Fixed Mac OS X Compilation (at least on most of the machines
tested). You will probably need to type
"./configure CPP=/usr/bin/cpp" instead of simply "./configure". If
you still have trouble, drop me an email. Thanks to everyone who
provided or offered shell accounts!
o Fixed a segmentation fault several people reported that was
introduced in 3.25. This problem manifests itself intermittently
in many normal situations involving large-network scanning. So all
3.25 users are urged to upgrade. Pre-3.25 users should upgrade too,
since 3.25 included so many improvements :).
Nmap 3.25 [2003-4-19]
o I added UDP-based "ping" scanning. The -PU option can take an
optional portlist like the TCP "ping" options (-PS, -PA), but it sends
a UDP packet to the targets and expects hosts that are up to reply
with a port unreachable (or possibly a UDP response if the port is
open). This one is likely to work best against closed ports, since
many open ports don't respond to empty requests.
o Fixed (I hope) problem where Nmap would abort, complaining that
"Assertion `pt->down_this_block > 0' failed". Thanks to
ray(a)24hoursecurity.org and mugz(a)x-mafia.com for reporting and
helping me debug this problem.
o Fixed a GCC dependency reported by Ayamura Kikuchi
(ayamura(a)keio.net)
o Fixed an "assertion failure" which would cause Nmap to exit when you
specify a --max_rtt_timeout below 3000. Thanks to Tammy Rathbun
(rathbun2(a)llnl.gov) and Jan Roger Wilkens (jrw(a)proseq.net) for
reporting this.
o Packet receive times are now obtained from libpcap rather than
simply using the time the packets are passed to Nmap. This should
improve performance slightly. I was not able to get this to work
properly on Windows (either pcap or raw) -- join the nmap-dev list
if you have ideas.
o Fixed bug that caused Nmap to ignore certain RST responses when you
do both -PS and -PA.
o Modified ping scan to work better when many instances of Nmap are
executed concurrently.
o I'm now linking directly to the gzip compressed version of Nmap on
the homepage as well as the .bz2.
o Fixed a portability problem that caused BSD Make to bail out.
o Fixed a divide by zero error caused when non-root users (on UNIX)
explicitly request ICMP pings (which require root privileges). Now it
prints a warning and uses the normal non-root TCP connect() ping.
Jaroslav Sladek (jup(a)matfyz.cz) found the bug and provided the patch.
o Made Nmap more tolerant of corrupt nmap-services and nmap-protocols
files thanks to report & patch sent by Phix (phix(a)hush.com)
o Added some more port numbers sent in by Seth Master
(smaster(a)stanford.edu). He has been a frequent nmap-services
contributor in the last couple months.
o Added --packet_trace support to Windows
o Removed superfluous "addport" line in the XML output (patch from Max
Schubert (nmap(a)webwizarddesign.com)).
o Merged wintcpip.cc into tcpip.cc to avoid the headache of
maintaining many nearly-identical functions.
o Fixed an assertion failure crash related to combining port 0 scans
and OS scan. Thanks to A.Jones(a)mvv.de for reporting this.
o Fixed some compilation problems on systems without IPv6 support --
patch sent by Jochen Erwied (Jochen.Erwied(a)mbs-software.info)
o Applied patch from Jochen Erwied (Jochen.Erwied(a)mbs-software.info)
which fixes the format strings used for printing certain timestamps.
o Upgraded to autoconf 2.57, including the latest config.guess/config.sub
o Renamed configure.ac files to configure.in as recommended by the
latest autoconf documentation.
o Changed the wording of NmapFE Gnome entries to better-comply with
Gnome's Human Interface Guidelines (HIG). Suggested by Axel Krauth
(krauth(a)fmi.uni-passau.de)
Nmap 3.20 [2003-3-18]
o The random IP input option (-iR) now takes an argument specifying
how many IPs you want to scan (e.g. -iR 1000). Specify 0 for the old
never-ending scan behavior.
o Fixed a tricky memory leak discovered by Mugz (mugz(a)x-mafia.com).
o Fixed output truncation problem noted by Lionel CONS (lionel.cons(a)cern.ch)
o Fixed a bug that would cause certain incoming ICMP error messages to
be improperly ignored.
Nmap 3.15BETA3 [2003-3-16]
o Made numerous improvements to the timing behavior of "-T Aggressive"
(same as -T4) scans. It is now recommended for regular use by
impatient people with a fast connection. "-T Insane" mode has also
been updated, but we only recommend that for, well, insane people.
o Made substantial changes to the SYN/connect()/Window scanning
algorithms for improved speeds, especially against heavily filtered
hosts. If you notice any timing problems (misidentified ports,
etc.), please send me the details (including full Nmap output and a
description of what is wrong). Reports of any timing problems with
-T4 would be helpful as well.
o Changed Nmap such that ALL syn scan packets are sent from the port
you specify with -g. Retransmissions used to utilize successively
higher ports. This change has a downside in that some operating
systems (such as Linux) often won't reply to the retransmissions
because they reuse the same connection specifier quad
(srcip:srcport:dstip:dstport). Overall I think this is a win.
o Added timestamps to "Starting nmap" line and each host port scan in
verbose (-v) mode. These are in ISO 8601 standard format because
unlike President Bush, we actually care about International
consensus :).
o Nmap now comes by default in .tar.bz2 format, which compresses about
20% further. You can still find .tgz in the dist directory at
http://download.insecure.org/nmap/dist/?M=D .
o Various other minor bug fixes, new services, fingerprints, etc.
Nmap 3.15BETA2 [2003-2-26]
o I added support for a brand new "port" that many of you may have
never scanned before! UDP & TCP "port 0" (and IP protocol 0) are now
permitted if you specify 0 explicitly. An argument like "-p -40"
would still scan ports 1-40. Unlike ports, protocol 0 IS now scanned
by default. This now works for ping probes too (e.g., -PS, -PA).
o Applied patch by Martin Kluge (martin(a)elxsi.info) which adds --ttl
option, which sets the outgoing IPv4 TTL field in packets sent via
all raw scan types (including ping scans and OS detection). The
patch "should work" on Windows, but hasn't been tested. A TTL of 0
is supported, and even tends to work on a LAN:
14:17:19.474293 192.168.0.42.60214 > 192.168.0.40.135: S 326:326(0) [ttl 0]
14:17:19.474456 192.168.0.40.135 > 192.168.0.42.60214: S 280:280(0) ack 326 (ttl 128)
o Applied patch by Gabriel L. Somlo ( somlo(a)acns.colostate.edu ) which
extends the multi-ping-port functionality to nonroot and IPv6
connect() users.
o I added a new --datadir command line option which allows you to
specify the highest priority directory for Nmap data files
nmap-services, nmap-os-fingerprints, and nmap-rpc. Any files which
aren't in the given dir, will be searched for in the $NMAPDIR
environmental variable, ~/nmap/, a compiled in data directory
(e.g. /usr/share/nmap), and finally the current directory.
o Fixed Windows (VC++ 6) compilation, thanks to patches from Kevin
Davis (computerguy(a)cfl.rr.com) and Andy Lutomirski
(luto(a)stanford.edu)
o Included new Latvian man page translation by
"miscelerious options" (misc(a)inbox.lv)
o Fixed Solaris compilation when Sun make is used rather than GNU
make. Thanks to Tom Duffy (tduffy(a)sun.com) for assistance.
o Applied patch from Stephen Bishop (sbishop(a)idsec.co.uk) which
prevents certain false-positive responses when Nmap raw TCP ping scans
are being run in parallel.
o To emphasize the highly professional nature of Nmap, I changed all
instances of "fucked up" in error message text into "b0rked".
o Fixed a problem with nmap-frontend RPMs that would cause a bogus
/bin/xnmap link to be created (it should only create
/usr/bin/xnmap). Thanks to Juho Schultz
(juho.schultz(a)astro.helsinki.fi) for reporting the problem.
o I made the maximum number of allowed routes and interfaces allowed
on the scanning machine dynamic rather than hardcoded #defines of 1024
and 128. You never know -- some wacko probably has that many :).
Nmap 3.15BETA1 [2003-2-19]
o Integrated the largest OS fingerprint DB updates ever! Thanks to
everyone who contributed signatures! New or substantially modified
fingerprints included the latest Windows 2K/XP changes, Cisco IOS
12.2-based routers and PIX 6.3 firewalls, FreeBSD 5.0, AIX 5.1,
OpenBSD 3.2, Tru64 5.1A, IBM OS/400 V5R1M0, dozens of wireless APs,
VOIP devices, firewalls, printers, print servers, cable modems,
webcams, etc. We've even got some mod-chipped Xbox fingerprints
now!
o Applied NetBSD portability patch by Darren Reed
(darrenr(a)reed.wattle.id.au)
o Updated Makefile to better-detect if it can't make nmapfe and
provide a clearer error message. Also fixed a couple compiler
warnings on some *BSD platforms.
o Applied patch from "Max" (nmap(a)webwizarddesign.com) which adds the
port owner to the "addport" XML output lines which are printed (only
in verbose mode, I think) as each open port is discovered.
o I killed the annoying whitespace that is normally appended after the
service name. Now it is only there when an owner was found via -sI
(in which case there is a fourth column and so "service" must be
exactly 24 characters).
Nmap 3.10ALPHA9 [2002-12-25]
o Reworked the "ping scan" algorithm (used for any scan except -P0 or
-sL) to be more robust in the face of low-bandwidth and congested
connections. This also improves reliability in the multi-port and
multi-type ping cases described below.
o "Ping types" are no longer exclusive -- you can now do combinations
such as "-PS22,53,80 -PT113 -PN -PE" in order to increase your odds of
passing through strict filters. The "PB" flag is now deprecated
since you can achieve the same result via "PE" and "PT" options.
o Applied patch (with modest changes) by Gabriel L. Somlo
(somlo(a)acns.colostate.edu), which allows multiple TCP probe ports in
raw (root) mode. See the previous item for an example.
o Fixed a libpcap compilation issue noted by Josef 'Jupp' Schugt
(deusxmachina(a)webmail.co.za) which relates to the definition (or
lack thereof) of ARPHRD_HDLC (used for Cisco HDLC frames).
o Tweaked the version number (-V) output slightly.
Nmap 3.10ALPHA7 [2002-12-18]
o Upgraded libpcap from version 0.6.2 to 0.7.1. Updated the
libpcap-possiblymodified/NMAP_MODIFICATIONS file to give a much
more extensive list (including diffs) of the changes included
in the Nmap bundled version of Libpcap.
o Applied patch to fix a libpcap alignment bug found by Tom Duffy
(tduffy(a)sun.com).
o Fixed Windows compilation.
o Applied patch by Chad Loder (cloder(a)loder.us) of Rapid7 which
fixes OpenBSD compilation. I believe Chad is now the official
OpenBSD Nmap "port" maintainer. His patch also adjusted
random-scan (-iR) to include the recently allocated 82.0.0.0/8
space.
o Fixed (I hope) a few compilation problems on
non-IPv6-enabled machines which were noted by Josef 'Jupp'
Schugt (jupp(a)gmx.de)
o Included some man page translations which were inadvertently
missed in previous tarballs.
o Applied patch from Matthieu Verbert (mve(a)zurich.ibm.com) which
places the Nmap man pages under ${prefix}/share/man rather than
${prefix}/man when installed via RPM. Maybe the tarball
install should do this too? Opinions?
o Applied patch from R Anderson (listbox(a)pole-position.org) which
improves the way ICMP port unreachables from intermediate hosts
are handled during UDP scans.
o Added note to man page related to Nmap US export control. I
believe Nmap falls under ECCN 5D992, which has no special
restrictions beyond the standard export denial to a handful of
rogue nations such as Iraq and North Korea.
o Added a warning that some hosts may be skipped and/or repeated
when someone tries to --resume a --randomize_hosts scan. This
was suggested by Crayden Mantelium (crayden(a)sensewave.com)
o Fixed a minor memory leak noted by Michael Davis
(mike(a)datanerds.net).
Nmap 3.10ALPHA4 [2002-11-11]
o Applied patch by Max Schubert (nmap(a)webwizarddesign.com) which adds
an add-port XML tag whenever a new port is found open when Nmap is
running in verbose mode. The new tag looks like:
[addport state="open" portid="22" protocol="tcp"/]
I also updated docs/nmap.dtd to recognize this new tag.
o Added German translation of Nmap man page by Marc Ruef
(marc.ruef(a)computec.ch). It is also available at
http://nmap.org/data/nmap_manpage-de.html
o Includes a brand new French translation of the man page by Sebastien
Blanchet. You could probably guess that it is available at
http://nmap.org/data/nmap_manpage-fr.html
o Applied some patches from Chad Loder (cloder(a)loder.us) which update
the random IP allocation pool and improve OpenBSD support. Some
were from the OBSD Nmap patchlist.
o Fixed a compile problem on machines without PF_INET6. Thanks to
Josef 'Jupp' Schugt (deusxmachina(a)webmail.co.za) for noting this.
Nmap 3.10ALPHA3 [2002-9-15]
o Added --min_parallelism option, which makes scans more aggressive
and MUCH faster in certain situations -- especially against
firewalled hosts. It is basically the opposite of --max_parallelism
(-M). Note that reliability can be lost if you push it too far.
o Added --packet_trace option, which tells Nmap to display all of the
packets it sends and receives in a format similar to tcpdump. I
mostly added this for debugging purposes, but people wishing to learn
how Nmap works or for experts wanting to ensure Nmap is doing
exactly what they expect. If you want this feature supported under
Windows, please send me a patch :).
o Fixed a segmentation fault in Idlescan (-sI).
o Made Idlescan timing more conservative when -P0 is specified to
improve accuracy.
o Fixed an infinite-loop condition that could occur during certain
dropped-packet scenarios in an Idle scan.
o Nmap now reports execution times to millisecond precision (rather
than rounding to the nearest second).
o Fixed an infinite loop caused by invalid port arguments. Problem
noted by fejed (fejed(a)uddf.net).
Nmap 3.10ALPHA2 [2002-8-31]
o Fixed compilation and IPv6 support on FreeBSD (tested on
4.6-STABLE). Thanks to Niels Heinen (niels.heinen(a)ubizen.com) for
suggestions.
o Made some portability changes based on suggestions by Josef 'Jupp'
Schugt (jupp(a)gmx.de)
o Fixed compilation and IPv6 support on Solaris 9 (haven't tested
earlier versions).
Nmap 3.10ALPHA1 [2002-8-28]
o IPv6 is now supported for TCP scan (-sT), connect()-style ping
scan (-sP), and list scan (-sL)! Just specify the -6 option and the
IPv6 numbers or DNS names. Netmask notation is not currently
supported -- I'm not sure how useful it is for IPv6, where even petty
end users may be allocated trillions of addresses (/80). If you
need one of the scan types that hasn't been ported yet, give
Sebastien Peterson's patch a try at http://nmap6.sourceforge.net/ .
If there is demand, I may integrate more of that into Nmap.
o Major code restructuring, which included conversion to C++ -- so
you'll need g++ or another C++ compiler. I accidentally let a C++
requirement slip in a while back and found that almost everyone has
such a compiler. Windows (VC++) users: see the README-WIN32 for new
compilation instructions.
o Applied patch from Axel Nennker (Axel.Nennker(a)t-systems.com) which
adds a --without-nmapfe option to the configure script. This is
useful if your system doesn't have the proper libraries (e.g. GTK) or
if you think GUIs are for sissies :).
o Removed arbitrary max_parallelism (-M) limitations, as suggested by
William McVey ( wam(a)cisco.com ).
o Added DEC OSF to the platforms that require the BSDFIX() macro due
to taking IP length and offset fields in host rather than network byte
order. Suggested by Dean Bennett (deanb(a)gbtn.net)
o Fixed an debug statement C ambiguity discovered by Kronos
(kronos(a)kronoz.cjb.net)
Nmap 3.00 [2002-7-31]
o Woohoo! :)
Nmap 2.99RC2
o Fixed an important memory initialization bug which was causing
crashes on Mac OS X (and possibly other platforms). The problem was
located by Pieter ten Pierick (P.tenPierick(a)chello.nl)
o Various minor bugfixes/cleanup
Nmap 2.99RC1
o Implemented the biggest OS fingerprint update since December 1999!
More than 200 fingerprints were added/modified. This includes
OpenBSD 3.1, Solaris 9, Mac OS 10.1.5, OS/400, FreeBSD 4.6, The
latest MS WinXP changes, new CISCO equiptment, and loads of network
devices such as VoIP phones, switches, printers, WAPs, etc.
o Updated build system to work on MacOS X.
o I removed "credit" lines from the nmap-os-fingerprints file out of
concern that evil spammers might harvest the 602 addresses. Plus
those took up 28K and the size of nmap-os-fingerprints has already
caused trouble for some handheld devices. If anyone actually cares
about the "fame" of being listed, let me know and I'll put you back
in. I still appreciate everyone who submits fingerprints! I just
don't want you to be spammed when the fingerprint file goes online.
o Minor usage screen (nmap -h) fix suggested by Martin Kluge
( martin(a)elxsi.info )
o Insured that the initial pound (#) in C preprocessor directives is
always in column 1 (portability fix). Problem noted by Shamsher
Sran (ssran(a)bechtel.com)
Nmap 2.54BETA37
o Made SYN scan the default for privileged (root) users. This offers
far better performance for Windows users due to their broken
connect() call, and is usually even preferred on UNIX because it is
more stealthy and less likely to crash applications listening on the
target host.
o Fixed a problem noted by Ping Huang (pshuang(a)alum.mit.edu) relating
to -PI scans of a machine's own non-localhost interfaces (eg
scanning your ethernet address).
o Applied patch from Patrice Goetghebeur (pgoetghebeur(a)mac.com) which
fixes PPP/SLIP support on Mac OS X.
o Applied dozens of nmap-services portnumber mapping updates
researched and sent by palante(a)subterrain.net
o Updated nmap-rpc to the latest version from Eilon Gishri
(eilon(a)aristo.tau.ac.il)
o Fixed --resume option to better detect all of the previously scanned
hosts in an -oN file (bug report from Adam.Scott(a)predictive.com )
o Adjusted random IP generator (for -iR) to account for newly
allocated ip space from
http://www.iana.org/assignments/ipv4-address-space as noted by Chad
Loder (cloder(a)acm.org)
o Updated config.sub and config.guess to the versions in
automake-1.6.2 .
o Applied patch from Markus A. Nonym (g17m0(a)lycos.com) which checks
for a recent version of GTK+ in ./configure before even trying to
build NmapFE (avoids the previous ugly compiler errors).
o Applied patch from benkj(a)gmx.it which fixes misbehavior when Nmap
would receive EOF (including ^D) in interactive mode.
o Fixed format string bugs (not the security-related kind) found by
Takehiro YONEKURA (yonekura(a)obliguard.com) and Kuk-hyeon Lee
(errai(a)inzen.com)
o Applied patch from Greg Steuck (greg-nmap-dev(a)nest.cx) which fixes
an alignment problem in charpool.c that could cause bus errors on
64-bit platforms.
o Applied portability fix patch from Matt Christian (mattc(a)visi.com)
Nmap 2.54BETA36
o Fixed major connect scan problem introduced in BETA35
o Changed NmapFE to use the version number 2.54BETA36 rather than
0.2.54BETA36. I had to do this because RedHat took the liberty of
releasing a so-called "2.54BETA31" version of nmap-frontend in their
7.3 distribution. Thus my upgrades were failing to install on such
systems because a "later" version is already installed.
Nmap 2.54BETA35
o Fixed an issue that could cause the abort message "Serious time
computation problem in adjust_timeout ...". If you still see this,
please let me know.
o Fixed Windows compilation (and I really mean it this time -- tested
myself).
o Applied configure script patch to recognize Solaris 2.10 when it
eventually becomes available (from James Carlson
(james.d.carlson(a)east.sun.com)
o Applied some portability fixes from Albert Chin
(china(a)thewrittenword.com)
o Applied libpcap aclocal.m4 patch to enable debugging (-g) when
compiling libpcap with gcc. Patch from Ping Huang
(pshuang(a)alum.mit.edu)
o Restructured "TCP probe port" output message a bit as suggested by
Ping Huang (pshuang(a)alum.mit.edu)
Nmap 2.54BETA34
o Windows compilation fixed thanks to new VC++ project file (nmap.dsp) sent
by Evan Sparks (gmplague(a)sdf.lonestar.org) (I had forgotten to include
the new main.c).
o Various nmap-services updates
o Fixed a bunch of typos and capitalization issues in
nmap-os-fingerprints by applying patch sent in by Royce Williams
(royce(a)alaska.net).
Nmap 2.54BETA33
o Tons of OS fingerprint updates. More than 100 fingerprints added or
changed, including OpenBSD 3, FreeBSD 4.5, Solaris 9 pre-release,
Commodor 64 (with the TFE Ethernet Card and uIP stack), Compaq iPAQ,
Cisco IOS 12.2(8), AIX 5.1, IRIX 6.5.15, various
Redback/Racal/Juniper/BigIP/HP/Siemens/Brocade/Quantum devices,
numerous printers/switches, KRONOS network clock, WTI Network Power
Switch, Windows XP, and many more. Thanks to everyone who
contributed!
o Applied fix for an important RPC scanning bug sent in by Pasi Eronen
(pasi.eronen(a)nixu.com)
o Applied fix for nasty OS fingerprinting bug found by William
Robertson (wkr(a)cs.ucsb.edu)
o Do not show uptime when obviously spoofed (eg OpenBSD 3.0)
o Slightly changed (I hope improved) the whitespace in Nmap output so
that messages relating to the same host are kept together (and
different hosts different separated by newlines).
o Moved main() function into a new file, cleverly named main.c.
Nmap 2.54BETA32
o Applied Windows pinging fix and from Andy Lutomirski
(Luto(a)myrealbox.com)
o Applied a few more Windows fixes from Andy.
o Fixed a flaw in several error-checking statements noted by Giacomo
Cariello (jwk(a)bug.it)
o Applied Win32 compilation fixes sent by Kirby Kuehl (kkuehl(a)cisco.com)
and jens.vogt(a)bluewin.ch
Nmap 2.54BETA31
o Added ICMP Timestamp and Netmask ping types (-PP and -PM). These
(especially timestamp) can be useful against some hosts that do not
respond to normal ping (-PI) packets.
o Documented the --data_length option and made it work with all the
ICMP ping types (echo request, netmask, and timestamp).
o Added check for strings.h before including it in portlist.c . This
fixes a compilation problem on some versions of Windows. Problem
first noted by Michael Vorin (mvorin(a)hotmail.com)
o Applied patch from Andy Lutomirski (Luto(a)myrealbox.com) which fixes
a crash on some Windows platforms when timeouts occur.
o Fixed "grepable output" (-oG) so that it prints IPID sequence class
rather than printing the TCP ISN sequence index twice. Problem
noted by Russell Fulton (r.fulton(a)auckland.ac.nz)
o Added mysterious, undocumented --scanflags option.
o Applied patch from Andy Lutomirski (Luto(a)myrealbox.com) which fixes
some important Windows bugs. Apparently this can cause a dramatic
speedup in some circumstances. The patch had other misc. changes
too.
o Fix bug noted by Chris V (iselldrugstokidsonline(a)yahoo.com) in which
Nmap could segmentation fault with the (bogus) command: './nmap -sO
-p 1-65535 hostname' (protocol only can go up to 255). That being
said, Nmap should never segfault just because of bogus options.
o Fixed problem noted by Maximiliano (emax25(a)arnet.com.ar) where Nmap
would get stuck in a (nearly) infinite loop when you try to "resume"
a random host (-iR) scan.
o Included a number of fingerprint updates, but I still have many more
web submissions to go through. Also made some nmap-services
portlist updates.
o Included a bunch of fixes (mostly to prevent compiler warnings) from
William McVey (wam(a)cisco.com)
Nmap 2.54BETA30
o Added a Document Type Definition (DTD) for the Nmap XML output
format (-oX) to the docs directory. This allows validating parsers
to check nmap XML output files for correctness. It is also useful
for application programmers to understand the XML output structure.
The DTD was written by William McVey (wam(a)cisco.com) of Cisco Secure
Consulting Services ( http://www.cisco.com/go/securityconsulting ).
o Merged in a number of Windows fixes/updates from Andy Lutomirski
(Luto(a)myrealbox.com)
o Merged in fixes/updates (mostly to the Windows functionality) from
Matt Hargett (matt(a)use.net)
o Applied patch by Colin Phipps (cph(a)netcraft.com) which correctly
encodes special characters in the XML output.
o Applied patch by William McVey (wam(a)cisco.com) which adds the uptime
information printed with -O to the XML output format.
o Fixed byte-order bug in Windows packet matching code which caused
-PS and -PT to fail. Bug found and patch sent by Tim Adam.
o Fixed segfault problem with "-sU -F". Nobody reported this until I
noticed it :(. Anytime you see "Segmentation Fault" in the latest
version of Nmap, it is probably a bug -- please mail me the command
you used, the OS/platform you are running on, and whether it is
reproducable.
o Added a convenience option "-oA (basefilename)". This tells Nmap to
log in ALL the major formats (normal, grepable, and XML). You give
a base for the filename, and the output files will be base.nmap,
base.gnmap, and base.xml.
o Documented the --append_output option which tells Nmap to append
scan results to any output files you have specified rather than
overwriting the files.
o Integrate TIMEVAL_SEC_SUBTRACT() fix by Scott Renfro (scott(a)renfro.org)
which improves timing accuracy.
Nmap 2.54BETA29
o Integrated William McVey's multi-portlist patch. This allows you to
specify different port numbers when scanning both TCP & UDP. For
example, if you want to UDP for 53,111 and 137 while TCP scanning
for 21-25,80,139,515,6000,8080 you could do: nmap -sSU -p
U:53,111,137,T:21-25,80,139,515,6000,8080 target.com . Prior to
this patch, you had to either use different Nmap executions or scan
both UDP & TCP of each port. See the man page for more usage info.
o Added/updated a bunch of fingerprints, including Windows XP release
candidates #1 & #2, OpenBSD 2.9, various home gateways/cable modem,
MacOS X 10.0.4, Linux 2.4.7, Guantlet Firewall 4.0a, a few Cisco
routers, and, most importantly, the Alcatel Advanced Reflexes IP
Phone :). Many other fingerprints were updated as well.
o Found and fixed some relatively major memory leaks based on reports
sent in by H D Moore (hdm(a)secureaustin.com), mugz
(mugz(a)x-mafia.org), and Steven Van Acker (deepstar(a)ulyssis.org)
o Applied patch from Chad Loder (chad_loder(a)rapid7.com) which improves
random target host selection (-iR) by excluding more undesirable
addresses.
o Fixed portscan timing bug found by H D Moore (hdm(a)secureaustin.com).
This bug can occur when you specify a --max_rtt_timeout but not
--initial_rtt_timeout and then scan certain firewalled hosts.
o Fixed port number printing bug found by "Stephen Leavitt"
(stephen_j_leavitt(a)hotmail.com)
o The Nmap source tarball now extracts with more lenient permissions
(sometimes world-readable or world-executable, but never
world-writable). If you don't want this, set your umask to 077
(which is what I do). Suggested by Line Printer (lps(a)rahul.net)
Nmap 2.54BETA28
o I hope that I have fixed the Libpcap "Unknown datalink type" problem that
many people reported. If you still receive this error, please send
me the following info:
1) Full output of Nmap including the command you typed
2) What OS/OS version you are using
3) What type of interface is the scan going through (PPP, ISDN, ethernet,
PPPoE, etc)
4) Whether you compiled from source or used the RPM version
o Hopefully fixed Libpcap lex/yacc generated file problem that
plagued a few folks.
o Various minor fixes/changes/updates
Nmap 2.54BETA27
o Fixed bug that caused "adding open port" messages to be printed even
when verbose mode was not specified. (patch sent by Doug Hoyte.
o Fixed bug in zombie:port option parsing in Idlescan as well a few
other bugs in patch sent by Germano Caronni (gec(a)acm.org)
o Fixed Windows compilation (I broke it when I added Idlescan).
o Fixed a (Win32 only) port identification bug which would cause some
ports to be listed as "unknown" even when Nmap should know their
name. This was found at patched by David Griffiths
(davidg(a)intrinsica.co.uk).
o Fixed more nmap-os-fingerprints syntax/grammar violations found by
Raymond Mercier of VIGILANTe
o Fixed a memory leak in Nbase str*casecmp() functions by applying
patch sent by Matt (matt(a)use.net). I plan to kill this whole
strcasecmp.c file as soon as possible (it is a mess).
Nmap 2.54BETA26
o Added Idlescan (IPID blind scan). The usage syntax is
"-sI [zombie]".
o Fixed a bunch of fingerprints that were corrupt due to violations of
the fingerprint syntax/grammar (problems were found by Raymond
Mercier of VIGILANTe )
o Fixed command-line option parsing bug found
by "m r rao" (mrrao(a)del3.vsnl.net.in )
o Fixed an OS fingerprinting bug that caused many extra packets to be
sent if you request a lot of decoys.
o Added some debug code to help diagnose the "Unknown datalink type"
error. If Nmap is giving you this error, please send the following
info to fyodor@insecure.org : 1) The full output from Nmap
(including the command arguments) 2) What OS and OS version are you
using 3) What type of adaptor are you using (modem, ethernet, FDDI,
etc)
o Added a bunch of IDS sensor/console/agent port numbers from
Patrick Mueller (pmueller(a)neohapsis.com)
Nmap 2.54BETA25
o Added a whole bunch of new OS fingerprints (and adjustments) ranging
from big important ones (Linux 2.4.X, OpenBSD 2.9, FreeBSD 4.3,
Cisco 12.2.1, MacOS X, etc) to some that are more obscure ( such as
Apple Color LaserWriter 12/660 PS and VirtualAccess LinxpeedPro 120 )
o Upgraded Libpcap to the latest version (0.6.2) from tcpdump.org. I
modified the build system slightly by shipping pre-generated
scanner.c/grammer.c (instead of using lex/yacc) and I also upgraded
to the newest config.sub/config.guess .
o Fixed some issues with the new Libpcap under Linux (patches will be
sent to the developers).
o Added "All zeros" IP.ID sequence classification to account for the
new Linux 2.4 scheme which seems to use 0 whenever the DF bit is set
(probably a good idea).
o Tweaked TCP Timestamp and IP.ID sequence classification algorithms
Nmap 2.54BETA24
o Fixed compilation problems on MacOS X publis release. Thanks to
Nicolas Dawson (nizcolas(a)myrealbox.com) for securing an account for
me.
o On the suggestion of the ever-helpful LaMont Jones (lamont(a)hp.com),
I obtained the newest config.guess/config.sub from
http://subversions.gnu.org/cgi-bin/cvsweb/config and made
libpcap/nbase use symlinks rather than copeis of the file
o Applied patch from LaMont Jones (lamont(a)hp.com) which makes Nmap
compatible with gcc 3.0 (apparently printf() is a macro in that
version)
o Applied patch from Colin Phipps (cph(a)netcraft.com) which fixes a
problem that kept UDP RPC scanning from working unless you were also
doing a TCP scan.
o Applied a patch from Chris Eagle (cseagle(a)redshift.com) which fixes
Windows compilation (I broke it with a recent change).
o Updated Lithuanian translation of man page based on a newer version sent
by Aurimas Mikalauskas (inner(a)crazy.lt)
o Killed carriage returns in nmap.c and nmapfe.c, which caused
problems for some (SGI) compilers. Problem noted by Artur
Niederstebruch (artur(a)sgi.com)
o Updated to latest version of rpc program number list, maintained by
Eilon Gishri (eilon(a)aristo.tau.ac.il)
o Fixed a quoting bug in the Nmap man page found by
Rasmus Andersson (rasmus(a)pole-position.org)
o Applied RPM spec file changes from "Benjamin Reed"
(ranger(a)befunk.com) which allows you to avoid building the frontend
by adding "--define frontend 0" to the build command (eg --rebuild,
--ba, etc).
Nmap 2.54BETA22
o Eliminated usage of u_int32_t (was causing compilation errors on
some Sun and HP boxes). Problem first noted by Nick Munger
(nmunger(a)Oswego.EDU) and Ralf Hildebrandt
(Ralf.Hildebrandt(a)innominate.com) and Antonin Sprinzl
(Antonin.Sprinzl(a)tuwien.ac.at)
o Defined integer-width typedefs such as u32/s32/u16/etc. in Nbase.
Went through much of the Nmap code and substituted these in where
correct lengths are important (port numbers, IP addresses, etc).
Nmap 2.54BETA21
o Cleaned up a few build/distribution issues that were reported by
LaMont Jones (lamont(a)hp.com)
o Fixed compiler warning noted by Gabor Z. Papp (gzp(a)papp.hu) )
Nmap 2.54BETA20
o Added TCP Timestamp sequence checking for OS detection and
Netcraft-style uptime tests.
o Found and fixed (I hope) byte alignment problem which was causing
bus errors on SPARC64 ( reported by H D Moore
(hdm(a)secureaustin.com) and Matthew Franz (mfranz(a)cisco.com) )
o Apple Darwin (Mac OS X) 1.2 portability patch from Rob Braun
(bbraun(a)synack.net)
o Added IPID sequence number predictability report (also now used in
OS detection).
o Show actual IPID, TCP ISN, and TCP timestamp values in XML format
output rather than just the cooked results.
o Suppress IPID and TCP ISN predictability report unless you use -v
(you need -O as well).
o Applied Solaris 8 compilation fixes from Germano Caronni (
gec(a)acm.org )
o Applied configure.in variable name typo fixes from Christian
Weisgerber (naddy(a)openbsd.org)
o Applied some more changes from Andy Lutomirski
(Luto(a)mailandnews.com) which provides better detection and
reporting from some heinous errors.
o Added -n and -R (always/never DNS resolve) options to the man page.
Nmap 2.54BETA19
o I ported NmapFE to Windows so that Win32 users can use the graphical
interface. It generally works, although I haven't tested much.
Patches welcome!
o Various little fixes and cleanups, especially to the Windows port.
o Applied patch from Andy Lutomirski (Luto(a)mailandnews.com) which
enhances some of the Win* error messages and adds the --win_trace
debugging option.
o Applied some patches from Jay Freeman (saurik(a)saurik.com)
o New --data_length option adds indicated number of random data
bytes to send with scan packet and tcp ping packet (does not
currently work with ICMP ping packet). Does not affect OS
detection, RPC, or connect() scan packets.
o Windows portability fixes
o Various other little fixes.
o Renamed rpc.h and error.h because they conflict with Windows include
files. By the way, this was a pain to figure out because VC++ is
such a crappy compiler! It basically just says problem in
"foobar.h" without giving you any idea how foobar.h got included!
gcc gives you a nice message tracing the chain of include files!
Nmap 2.54BETA16
o Upgraded to latest version of Winpcap ( 2.1-beta )
o Merged in Windows port code from Ryan Permeh ( ryan(a)eeye.com) and
Andy Lutomirski ( Luto(a)mailandnews.com ).
o Took out C++ compiler test from nbase configure script. It was
inserted accidently, but I found it interesting that only 2 people
complained about this causing them problems. I guess most everyone
already has C++ compilers.
o Applied patch from Steve Bleazard (steve(a)bleazard.com) which fixed
bug in internal Smoothed Round Trim Time calculations.
o Fixed CFLAGS computation error in configure. Problem discovered and
patched by Fredrik Lundholm (exce7(a)ce.chalmers.se)
o Added more debugging code for "Unknown datalink type" error -- if
you get this, please send me the full error msg including hex
values.
o Added Portuguese man page translations from Antonio Pires de Castro
Junior (apcastro(a)ic.unicamp.br).
o Capitalized all references to God in error messages.
Nmap 2.54BETA7
o Applied patch from Hubert Feyrer
(hubert.feyrer(a)informatik.fh-regensburg.de) which adds support for
the new NetBSD DLT_PPP_* types.
o Updated to Eilon Gishri's (eilon(a)aristo.tau.ac.il) newest version
of nmap-rpc at ftp://ftp.tau.ac.il/pub/users/eilon/rpc/rpc
o Moved a bunch of the scanning engine related functions to new files
(scan_engine.c and scan_engine.h ). Timing functions were moved to
the new timing.c/timing.h . Other stuff was shifted to
tcpip.c/tcpip.h. At some point, nmap.c will only contain the Nmap
command line UI.
o Updated Russian version of man page from Alex Volkov (topcat(a)nm.ru)
Nmap 2.54BETA6
o Added XML output (-oX). Hopefully this will help those of you
writing Nmap front ends and other tools that utilize Nmap. The
"machine-readable" output has been renamed "grepable" (-oG) to
emphasize that XML is now the preferred machine-readable output
format. But don't worry if your tool uses -oM , that format (and
the deprecated -oM flag) won't go away any time soon (if ever).
Thanks to Stou Sandalski (tangui(a)cell2000.net) and Fredrick Paul
Eisele (phreed(a)gmail.com) for sending proposals that inspired the
format used.
o Applied patch from Stefan Rapp (s.rapp(a)hrz.uni-dortmund.de) which
fixes a variable argument integer promotion problem in the new
snprintf compatibility file. This is important for Redhat 7
systems.
o Reorganized output-related routines so that they now reside in
output.c & output.h. Let me know if I accidently screwed up the
behavior of any scan types in the process.
Nmap 2.54BETA5
o Revamped the 'compatibility libraries' subsystem. Moved all of that
to a new library called 'libnbase' and changed Nmap and NmapFE to
use that. I included a better version of *snprintf and some other
compatibility files. Obviously I cannot test these changes on every
whacked OS that needs this compatibility cruft, so please let me
know if you run into compilation problems.
o Fixed a problem found by Martyn Tovey (martyn(a)netcraft.com) when
using Nmap on platforms that dislike division by zero.
o Removed 128.210.*.* addresses from Nmap man page due to complaints
from Purdue security staff.
o Fixed FreeBSD (some versions) compilation problem found by Martyn
Tovey (martyn(a)netcraft.com)
Nmap 2.54BETA4
o Upgraded to the very latest Libpcap version ( the 9/3/00 CVS
snapshot ). This version is from the tcpdump.org group rather than
the Lawrence Livermore crew. The most important advantage is Linux
Socket Filter support (so you won't have that annoying syslog
message about Nmap using the obsolete SOCK_PACKET interface).
o I tried to install Nmap on yet another machine without lex/yacc or
flex/bison. That was the last straw! I am now shipping the
generated C files, which eliminates the lex/yacc requirement.
o Applied patch by Jay Freeman (saurik) (saurik(a)saurik.com) to make
Nmap C++-clean (this was lot of tedious work! Thanks!). Note that
Nmap still uses a normal C compiler by default, but Nmap derivatives
may appreciate C++ compatibility. Note that this only applies to
"Nmap proper", not libpcap.
o Added a HACKING file for people who want to help with Nmap
development. It describes preferred patch formats, development
resources, and offers a number of useful changes that would likely
be accepted into the main tree.
o Fixed a configure.in error found by Vacuum
(vacuum(a)technotronic.com) which could cause compilation errors.
o Fingerprint file adjustments for better Win* detection
o Ensure libpcap is not configured and/or installed if you already
have a "new enough" version (0.4a6+) installed.
o Included Italian translation of Nmap man page from Giorgio Zoppi
(deneb(a)supereva.it) .
o Fixed a SYN scan problem that could cause a major slowdown on some
busy networks.
o Fixed a crash problem in NmapFE reported by sverre ( sverre(a)gmx.net )
o Added an "SInfo" line to most printed fingerprints. It looks
similar to this:
SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=9/4%Time=9681031%O=7%C=1)
and contains information useful when fingerprints are reported (Nmap
version/platform, scan date, and open/closed ports used)
o Fixed RPCGrind (-sR) scan. It has been almost completely broken
since 2.54BETA2 (which has been out for two weeks) and nobody
reported it! I noticed the problem myself during testing of
something else. I am disappointed that nobody bothered to even let
me know that this was broken. Does anyone even use RPC Scan?
o Various other small fixes/improvements
Nmap 2.54BETA3
o Went through and added/adjusted a bunch of fingerprints. A lot of
people submitted Windows Millenium Edition (WinME) beta
fingerprints, but nobody submitted IPs for them. So please let me
know if this version detects your WinME boxes.
o Applied NmapFE patch from Michael Fischer v. Mollard (mfvm(a)gmx.de)
which made did the following:
o Added delete event so that NmapFE always quits when you kill it
with your window manager
o added the menubar to the vbox instead to the fixed widget
o Various small fixes/improvements
Nmap 2.54BETA2
o Added a shortcut which can make single port SYN scans of a network
much faster. For example, if a new sendmail vulnerability is found,
this reduces the time it takes to scan your whole network for port
25. This shortcut takes effect when you do "-PS[port] -sS
-p[port]". For example 'nmap -n -sS -p25 -PS25 24.0.0.0/8". This
optimization doubled the scan speed in a 30,000 IP test I performed.
o Added -sL (List scan). Just as ping scan (-sP) allows you to short
circuit the scan right after pinging, -sL allows you to short
circuit the scan right after target selection. This allows you to
see what hosts WOULD be scanned without actually doing it. The
hosts will be resolved unles you use -n. Primary uses:
1) Get all the IPs in a network (like A.B.C.D/16) and take out
machines that are too fragile to be scanned safely before
calling Nmap with the new list (using -iL).
2) Test that a complex spec like 128.4,5,7-9.*.7 does what you
expect before actual scanning.
3) When all you want to do is resolve a bunch of IPs.
4) You just want results of a zone transfer (if it is implemented).
o Added some new fingerprints and adjusted some others based on
submissions to the DB (I still have a lot more to go through so
don't worry if your submission is still not detected).
o Added a warning when you scan 0 hosts (eg "nmap -v"). There are
various other output tweaks as well.
o Ensured that 0.0.0.0 can be scanned by nmap (although on some OSs,
like Linux, it won't work due to what seem to be kernel bugs). Oh
well. I'll look into it later.
Nmap 2.54BETA1
o Added an extremely cool scan type by Gerhard Rieger ( rieger at
iue.tuwien.ac.at ) -- IP Protocol scanning. Basically it sends a
bunch of IP headers (no data) with different "protocol" fields to
the host. The host then (usually) sends back a protocol unreachable
for those that it does not support. By exclusion, nmap can make a
list of those that are supported. This is similar in concept to
(and is implemented using most of the same scanning routines as) UDP
scanning. Note that some hosts do not send back protocol
unreachables -- in that case all protocols will appear "open".
o Fixed an uninitialized variable problem in NmapFE (found by Alvin
Starr (alvin at iplink.net )
o Fixed a packaging problem that lead to the Nmap man page being
included twice in the .tgz .
o Fixed dangling nroff include in xnmap man page (noted by Debian Nmap
package maintainer LaMont Jones (lamont(a)security.hp.com)
o Give a warning when no targets at all are specified
o Updated 'make uninstall' so that it deletes all relevant files
o Included latest nmap-rpc from Eilon Gishri (eilon at aristo.tau.ac.il)
o Eliminated -I. from Nmap's and NmapFE's makefiles (suggested by "Jay
Freeman (saurik)" (saurik at saurik.com)
o Added Russian documentation by Alex Volkov
o Added Lithuanian documentation from Aurimas Mikalauskas (inner(a)dammit.lt)
Nmap 2.53
o Fixed a commenting issue that could cause trouble for non-GNU
compilers (first found by Jan-Frode Myklebust (janfrode at
parallab.uib.no))
o A few new services to nmap-services
Nmap 2.52
o Added very simple man pages for xnmap/nmapfe (lack of man pages for
these was noticed by LaMont Jones (lamont(a)hp.com), the Debian Nmap
package maintainer, based on bug report by Adrian Bunk
(bunk(a)fs.tum.de ).
o Fixed a "Status: Down" machine name output problem in machine
parseable logs found by Alek O. Komarnitsky (alek(a)ast.lmco.com)
o Took some wierd files out of the doc directory (cd, grep , vi, and
.swp)
o Fixed some typos found by Thomas Klausner (wiz(a)danbala.ifoer.tuwien.ac.at)
o Updated nmap-rpc with new entries found in the latest version of
Eilon Gishri's rpc list.
Nmap 2.51
o Fixed target parsing bug found by Steve Horsburgh (shorsburgh(a)horsburgh.com).
o Changed makefile/rpm to store fingerprint, rpc, and services file in
$prefix/share/nmap rather than $prefix/lib/nmap , since these files
are architecture independent. You should now use ./configure
--datadir instead of ./configure --libdir to change the default
location. Suggested by Thomas Klausner
(wiz(a)danbala.ifoer.tuwien.ac.at).
o I am now including Eilon Gishri's (eilon(a)aristo.tau.ac.il) rpc
number list (which he recently merged with the Nmap 2.50 rpc list).
o Included Spanish and French HTML versions of the Nmap man page (may
not always be up to date).
Nmap 2.50
o Fixed an IP calculation error which could occur in some cases where
you scan machines on different devices (like lo and eth0). This
problem was discoved by Jonathan Fine (jfine(a)psu.edu).
o Fixed a problem that could, in rare cases, cause a SYN scan scan to
crash (the error message was "attempt to add port number X with
illegal state 0"). This problem was reported by Erik Benner
(erik(a)xyzzy.net)
o Changed the .spec file so that RPM versions create a xnmap link to
nmapfe ( the normal make install has done this for a long time ).
Nmap 2.3BETA21
o A number of people reported problems with nmapfe in various
environments (specifically gdk errors, hangs, and crashes). I think
that is now fixed. Let me know if you still have the problem (make
sure the title bar says BETA21).
o Added a bunch of OS fingerprints based on all the contributions in
the last month or so.
o Fixed a bug that completely broke RPC scanning in BETA19.
o Added list of ports scanned near the top of each machine log WHEN
-v was specified. Here is an example of the format:
# Ports scanned: TCP(13;1-10,22,25) UDP(0;)
The "13" above is the number of TCP ports being scanned.
o Got rid of a snprintf() from nmapfe sine some systems don't have it
:( and I'm to lazy to integrate in the snprintf that comes with nmap
right now.
o Fixed important target IP range parsing bug found by Jean-Yves Simon
( lethalwp(a)linuxbe.org ).
o Applied patch by albert chin (china at thewrittenword.com) which
adds --with-libpcap[=DIR] option to configure and and adds an
elegant approach for -lnsl and -lsocket checking to configure .
o Fixed a bug which could cause Nmap to mark a port filtered based on
ICMP dest. unreachable packets relating to a different host than the
one being scanned.
o Fixed output problem relating to ident scan noted by Peter Marschall
( peter.marschall at mayn.de )
o Applied patch to services.c by Andrew Brown (atatat(a)atatdot.net)
which prevents some useless debugging (-d) output when reading some
kindss of /etc/services files.
o Added "Host: [machinename] (ip) Status: Down" to machine logs when
the verbose option is given (just like down hosts are reported to
stdout when verbose is given). Suggested by Alek Komarnitsky.
o Applied NetBSD compatibility patch provided by Mipam (reinoud at
ibbnet.org) which changes an autoconf macro to check for
getopt_long_only instead of getopt_long.
o Nmap used to print an inaccuracy warning when no open TCP ports were
found on the target machine. Due to a bug, this was not always
being printed. Problem found by Matt (matt at use.net) and Ajay
Gupta2 (Ajay.Gupta2 at ey.com).
o Added the number of ports in the ignored state right after the state
name in machine parseable logs. It used to looke like: "Ignored
State: closed" whereas now it looks like: "Ignored State: closed
(1508)" Meaning that 1508 ports were closed and thus are not
specifically enumerated.
o Changed all nmapfe calls to gdk_font_load into gdk_fontset_load .
Bennett Feitell (bfeitell at panix.com) suggested that this fixed
some nmapfe font problems.
Nmap 2.3BETA20
o Applied patch sent in by s.rapp(a)hrz.uni-dortmund.de which fixes a
memory alignment bug in osscan.c which could cause core dumps on
machines which require aligned access (like SPARC).
o Fixed a compilation problem on machines that do not have MAP_FAILED
defined (as a return value to mmap). Problem noted by Phil
Stracchino (alaric(a)babcom.com).
Nmap 2.3BETA19
o Tweaked the output so that it now tells how many ports are not shown
and what state the ignored ports are in. This info could be
inferred before by people who had studied the manpage, but now the
info is explicitly available. I cleaned up a bunch of stuff
internally to make this happen. I hope I didn't break anything!
o Changed NmapFE so that it always kills any running Nmap process when
you press exit. Problem noted by Marc Renner
(mrenner(a)ci.marysville.wa.us)
o Apparently some Linux (glibc) systems now come with a "strcasestr"
function. So I have made autoconf look for this and use the native
version if supported. (problem noted by Sami Farin
(sfarin(a)ratol.fi)).
o Added a new attribute "Ignored State: xxx" to the machine parseable
logs, where xxx is the state (closed, filtered, or UNfiltered) that
is being ignored. Ports in that state are not listed (they weren't
listed in earlier versions either). Perhaps I should list ALL ports
for machine parseable output. Opinions?
o Merged in a patch sent in by Mipam (reinoud(a)ibbnet.org) which is
apparently part of the OpenBSD Nmap "port". Although Nmap seems to
work fine for me on my OpenBSD 2.4 box, a couple OpenBSD users have
complained of problems. Hopefully this will help. (it adds DLT_LOOP
and DLT_ENC offset cases when reading from libpcap).
o A few really minor bugfixes.
Nmap 2.3BETA18
o Fixed a very important bug that occurred when SYN scanning
localhost. Many thanks to Dries Schellekens (
gwyllion(a)ace.ulyssis.student.kuleuven.ac.be ) for first reporting
the problem.
o Uros Prestor from TurboLinux informed us that the latest versions of
Nmap work with Linux on the upcoming Intel Merced/Itanium IA-64
processors. He also said that the TurboLinux distribution includes
Nmap. Kudos to them! As well as the other distros that support
Nmap (Debian, Red Hat, Suse, Trinux) and of course FreeBSD, NetBSD,
& OpenBSD. Does anyone know if Nmap ships with the latest from
Mandrake or Corel? The latest Solaris includes some Free software.
If anyone can get them to ship Nmap, I will buy you a case of beer
:).
o Added a #define to change vsnprintf to vsprintf on machines which do
not support the former (mostly Solaris 2.5.1 and earlier). This
function is less safe. For people who care about security, we
recommend an upgrade to Solaris 8 (or Linux/*BSD).
o Changed the NmapFE version to 0.[nmap_version] rather than always
leaving it at 0.9.5 (which was confusing). Thanks to J.D.K. Chipps
(jdkc(a)woptura.com) for noticing this.
o Added support for "-vv" (means the same as "-v -v"). Older versions
of Nmap supported it (noted by George Kurtz).
Nmap 2.3BETA17
o Added ACK scanning. This scan technique (which van Houser and
others have been bugging me to add for years :), is great for
testing firewall rulesets. It can NOT find open ports, but it can
distinguish between filtered/unfilterd by sending an ACK packet to
each port and waiting for a RST to come back. Filtered ports will
not send back a RST (or will send ICMP unreachables). This scan
type is activated with -sA .
o Documented the Window scan (-sW) which Lamont Granquist added in
September 99.
o Added a whole bunch of OS fingerprints that people have submitted.
o "Protocol" field in output eliminated. It is now printed right next
to the number (/etc/services style). Like "22/tcp". I wonder what
I should put in the extra white space this leaves on the report :).
o Added --resume option to continue a large network scan where you
left off. This is useful for recovering from errors (modem drops
carrier, network outage, etc). It also allows you to start and stop
for policy reasons (like if a client only wants you to scan on
weekends or at night) or if you want to run the scan on a different
host. Usage is 'nmap --resume logfile' where logfile can be either
normal (-oN) or machine parseable (-oM) logfile from the scan that
was aborted. No other options can be given (the options in the
logfile from the original scan will be used). Nmap will start off
with the host after the last one successfully scanned in the log
file.
o Added --append_output option which causes -oN/-oM/-oS to APPEND to
the output file you specify rather than overwriting it.
o Various internal code cleanup, makefile fixes, etc.
o Changed version number from 2.3BETA* to 2.30BETA* to appease various
packaging systems that thought 2.3BETA was < 2.12 .
o Nmap output to files now correctly flushes output after scanning for
each host is finished.
o Fixed compiler -L flags error found by Ralf Hildebrandt
(R.Hildebrandt(a)tu-bs.de)
o Fixed configure scripts so that options you give to the Nmap
configure (like --prefix ) are also passed to the nmapfe configure
script. This problem was noted by Ralf Hildebrandt
(R.Hildebrandt(a)tu-bs.de). While I was at it, I added some other
cleanups to the system.
o Added --noninteractive option for when nmap is called from scripts
(where stuff like prompting users for info is unacceptable). It
does not currently do anything (Nmap never prompts) and script
writers should probably wait until at least May '2000 so their
scripts still work with earlier versions of Nmap.
o Updated to the latest config.guess and config.sub from Autoconf 2.13
o Applied patch by Sven (s.carstens(a)gmx.de> which fixes a
segmentation fault problem in Nmapfe colored mode as well as some
output niceties.
o Changed some C++ comments to C-style for portability (noticed by
"Sergei V. Rousakov" (sergei(a)cas.Vanderbilt.Edu) )
Nmap 2.3BETA14
o Peter Kosinar (goober(a)gjh.sk) performed some cleanup of the output
routines and as a bonus he added skript kiddie output mode!!! Try
it out by adding "-oS - " to your nmap command line. Note that
using '-' to represent stdout instead of a filename is something you
can do with any of the output modes.
o Ensured that Nmap always gives up on ident scan after the first port
attempt finds it to be closed (problem noticed by Matt
(matt(a)use.net))
o Changed strsep's in nmapfe to more portable strtok's (should
especially help Nmapfe compiles on Solaris)
o Changed permutation algorithm to make port order and host order
shuffling more random.
o Various minor changes and internal code cleanup.
o Fixed integer overflow that was limiting the max --host_timeout
value to about 2,000,000 milliseconds (~1/2 hour). The limit is now
about 4,000,000,000 milliseconds (~1 month). I really hope you
don't need more than that :).
Nmap 2.3BETA13
o I made Nmap smarter about detecting filtering during UDP, Xmas,
NULL, and FIN scans.
o Updated Nmapfe to 0.9.5 (+ a patch from NmapFE author Zach Smith)
o Fixed a problem where NmapFE would fail to honor $PATH (Noticed by
K. Scott Rowe (kscott(a)nmt.edu)
o Added a couple ICMP unreachable messages Nmap was missing (found by
Bifrost (bifrost(a)minions.com)).
o Internal cleanup that improves the way some port lists are stored.
o Added some more RPC numbers from (mmmorris(a)netscape.net)
o Relaxed the dependency requirements of nmapfe rpm (now will accept
any version of Nmap).
Nmap 2.3BETA12
o Added interactive mode which adds convenience for managing nmap
sessions and also enhances privacy. Get to it with --interactive
and then type 'h' for help.
o Added/modified many fingerprints including the latest 2.3.X Linux
releases, the latest Win2000 builds, the Apple Airport Wireless
device, and several dozen more.
o Migrated to RPM .spec file sent in by Tim Powers
(timp(a)redhat.com). That is the file they will be using to package
Nmap with the power tools CD in the next Redhat release. The most
important changes are that Nmap (only the RPM version) now installs
in /usr/* instead of /usr/local/* and the frontend is now
dynamically linked with GTK and comes in a separate rpm.
o The -i (input from list) option has been deprecated. From now on
you should use -iL [filename] to read from a list or -iR to have
Nmap generate random IPs to scan. This -iR option is new.
o The -o and -m options have been deprecated. From now on, you should
use -oN for normal (human readable) output and -oM for machine
parseable output. At some point I might add -oH (HTML output) or
-oSK (sKr|pt kiDdi3 0uTPut).
o Added --randomize_hosts option, which causes hosts be be scanned in
non-sequential order. This makes scans less conspicuous. For
efficiency reasons, the hosts are chopped into groups of 2048 and
then each group is internally shuffled (the groups still go in
order).
o Rearranged the help ('nmap -h' or 'nmap' or 'nmap --help') screen to
be shorter (37 -> 23 lines!) and include some of the new features of
this release. The man page was updated as well.
o Fixed longstanding bug where nmap -sS mylocalnetwork/24 would not
successfully scan the host running nmap.
o Internal improvements to make scanning faster with -i (input list)
or when you specify multiple machines on the command line.
o Uses faster GCD algorithm and fixed several typos (sent in by Peter
Kosinar).
o Provide more information in machine/human readable output files
(start time, end time, RPC program name, Nmap version number)
o Killed the -A option (if you don't know what that is then you won't
miss it. In fact, even if you do know what it is you won't miss
it.)
Nmap 2.3BETA10
o Added about 70 new OS fingerprints so that Nmap can detect more
systems. The most important new fingerprints are probably:
* The new SP5+ NT boxes -- After all these years MS FINALLY made
sequence prediction harder (on NT anyway).
* Solaris 8 Pre-Release
* Sega Dreamcast (Hack that!)
* Latest Windows 2000 builds
* OpenBSD 2.6
Nmap 2.3BETA9
o Applied patch by Mark Abene (Phiber Optik) to fix several type
length issues so that it works on Linux/Alpha.
o Applied patch by Matthieu Verbert (mve(a)zurich.ibm.com) to speed up OSScan
Nmap 2.3Beta8
o Added "firewall mode" timing optimizations which can decrease the
ammount of time neccessary to SYN or connect scan some heavily
filtered hosts.
o Added min_rtt_timeout timing option (see man page for details)
o Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS
called Snort was using this to detect Nmap TCP Pings).
o Some changes for better Alpha/Linux support based on investigation
by Bill Beers (wbeers(a)carolina.rr.com)
o Applied changes for FDDI support by Tobias J. Nijweide (tobias(a)mesa.nl)
o Applied a socket binding patch from LaMont Jones
(lamont(a)security.hp.com) which can be useful when using -S to
specify one of multiple interfaces on a machine.
o Made OS detection smart enough to first check scan results for a
known closed port instead of immediately resorting to a random one.
This improves OS detection against some machines behind packet
filters. (suggested by van Hauser)
o Applied a shortcut suggestion by Thomas Reinke which can lead to a
tremendous speedup against some firewalled hosts.
o Added some ports commonly used for RPC to nmap-services
o Fixed a problem with the timing of an RPC scan (could come before
the UDP scans they rely on)
o Added a number of new ports to nmap-services
Nmap 2.3Beta6
o Added sophisticated timing controls to give the user much more
control over Nmap's speed. This allows you to make Nmap much more
aggressive to scan hosts faster, or you can make Nmap more "polite"
-- slower but less likely to wreak havoc on your Network. You can
even enforce large delays between sending packets to sneak under IDS
thresholds and prevent detection. See the new "Timing Options"
section of the Nmap man page for more information on using this.
o Applied Lamont Granquist's (lamontg(a)u.washington.edu) Window scan
patch (I changed the name from ACK scan to Window scan since I may
add another scan that uses ACK packets and I don't want them to be
confused). -sW activates this scan type. It is mostly effective
against BSD, AIX, Digital UNIX, and various older HP/UX, SunOS, and
VAX. (See nmap-hackers mailing list archives for an extensive list).
o Added various long options people expect to see like --version ,
--help , --usage , etc. Some of the new timing options are also long.
I had to add getopt_long C files since most non-Linux boxes don't
support getopt_long in libc.
o Human readable (-o) output changed to include the time/date of the
scan. Suggested by van Hauser.
Nmap 2.3-Beta5
o Changed RPC output based on suggestions by David O'Brien
(obrien(a)NUXI.com) and Lance Spitzner (lance(a)spitzner.net). I
got rid of the "(Non-RPC)" unnecessary clutter which appeared after
each non RPC port and the "(untested)" that appeard after each
"filtered" port.
o Added a ton of new OS fingerprints people submitted. I had about
400 in my inbox. Of course, almost 100 of them were submissions for
www.windows2000test.com :).
o Changed the machine parseable output of RPC information to include
the version information. If we figured out the RPC info, it is now
provided as "program-num*lowversion-highversion". If we didn't get
the number, but we think the port is RPC, the field simply contains
"R". If we believe the port is NOT RPC, then the field contains
"N". If the field is empty, we did not RPC scan the port. Thanks
to H D Moore (nlog(a)ings.com) for making me aware how much the
earlier machine parseable RPC logging sucked :).
Nmap 2.3-Beta4
o Added direct (non-portmapper) RPC scanning to determine what RPC
program is listening on a particular port. This works for UDP and
TCP ports and is currently implemented using sockets (which means
you can't use decoys, but on the other hand you don't have to be
root). Thanks go to ga (ga(a)capyork.com) for writing sample code
to demonstrate the technique. The RPC services list included with
nmap was compiled by Vik Bajaj (vbajaj(a)sas.upenn.edu) with help
from various members of the nmap-hackers list.
o Fixed a problem that could cause freezes when you scan machines on
at least two different types of interfaces as part of the same
command.
o Identified and found workaround for Linux kernel bug which allows
connect() to sometimes succeed inapropriately when scanning closed
ports on localhost.
o Fixed problems relating to people who specify the same port more
than once on the command line. While the right answer is "well,
don't do that!", I decided to fix nmap to handle this gracefully.
o Tweaked UDP scanning to be more effective against Solaris ICMP error
limiting.
o Fixed strtol() integer overflow problem found by Renaud Deraison
(deraison(a)cvs.nessus.org)
o The HTML translation of the Man page at
http://nmap.org/nmap_manpage.html should now be
complete (man2html was dropping lines before).
o Added a note in the man page that Nmap 2.0+ is believed to be
COMPLETELY Y2K COMPLIANT! I've been getting a lot of letters from
laywers about that recently. You should still be able to port scan
on Jan 1st (well ... as long as you have electricity and gangs of
looting thugs haven't stolen your computers :)
Nmap 2.2-Beta4
o Integrated nmapfe code from Zach Smith to allow the nmapfe output
window to resize when you resize the nmapfe window.
o Integrated patch sent in by Stefan Erben (stefan(a)erben.com) which
allows nmap to recognize and ignore null interfaces. If you were
getting a bogus error like "eth0 not found in /proc/net/route" then
this should solve your problem.
o Applied patch from Alexander Savelyev (fano(a)ham.kiev.ua) which
gives nmap the parameters necessary to support SLIP and PPP on BSDI
systems.
o Upgraded to a new version of shtool (1.2.3)
Nmap 2.2-Beta3
o Adopted Ralf S. Engelschall's excellent shtool script for
simplifying the nmap makefile and making it more portable
o Various other minor changes to nmapfe.
Nmap 2.2-Beta2
o Cleaned up build environment more, fixed up RPM and Makefile.in,
eliminated the automake stuff.
o Added nmapfe feature to show nmap command as you change options
o Changed nmapfe to use a global MyWidgets struct rather than tons of
global vars all over the place.
o Made nmapfe much smarter about rejecting stupid option attempts. It
now tries to correct things when you specify illegal options.
o GTK+ 1.0 compatibility fixes
o Integrated nmapfe changes from Zach
Nmap 2.2-BETA1
o Integrated in nmapfe -- a cool front end wrottem by Zach Smith (matrxweb(a)hotmail.com)
Nmap 2.12
o Changed the way tcp connect() scan determines the results of a
connect() call. Hopefully this will make nmap a little more
portable.
o Got rid of the security warning message for people who are missing
/dev/random and /dev/urandom due to complaints about the warning.
This only silences the warnings -- it still uses relatively weak
random number generation under Solaris and other systems that lack
this functionality.
o Eliminated pow() calls on Linux boxes. I think some sort of glibc
bug was causing nmap to sigsegv in some cases inside of pow(). Most
people weren't affected, but those who were would almost always
SIGSEGV with -O.
o Fixed an rpm problem noted by Mark Smith (marks(a)senet.com.au)
Nmap 2.11
o Many new fingerprints added. I received more than 300 submissions
between this release and the last one.
o Fixed IRIX problems which prevented OS scanning from working on that
platform. The problem was researched and solution found by Lamont
Granquist (lamontg(a)u.washington.edu). You can also thank him for
porting nmap to almost every UNIX around.
o Added support for '-m -' to redirect machine readable logs to stdout
for shell pipelining, etc. I also changed machine readable output
to show service names now that we use a nmap specific services file
rather than /etc/services. These features were suggested by Dan
Farmer. You can also thank him for SATAN (the auditing tool).
o Fixed a link-list bug that could cause hangs in UDP,FIN,NULL, and
XMAS scans. Also fixed a ptr problem that could cause SIGSEGV.
These problem were discovered and tracked down by Ben Laurie
(ben(a)algroup.co.uk). You can also thank him for Apache, OpenSSL,
and Apache-SSL.
o Fixed installation problem for people without a /usr/local/man/man1
directory. Found by Jeffrey Robertson (a-jeffro(a)microsoft.com).
I guess you can thank him for Win98 ;).
o Several other little fixes to the installation script and minor
scanner tweaks.
Nmap 2.10
o Private test release
Nmap 2.09
o Private test release
Nmap 2.08
o Bugfix for problem that can cause nmap to appear to "freeze up" for
long periods of time when run on some busy networks. (found by
Lamont Granquist)
Nmap 2.07
o Fixed a lockup on Solaris (and perhaps other proprietary UNIX
systems) caused by a lack of /dev/random & /dev/urandom and a rand()
that only returns values up to 65535. Users of Free operating
systems like Linux, FreeBSD, or OpenBSD probably shouldn't bother
upgrading.
Nmap 2.06
o Fixed compile problems on machines which lack snprintf() (found by
Ken Williams (jkwilli2(a)unity.ncsu.edu))
o Added the squid proxy to nmap-services (suggested by Holger Heimann)
o Fixed a problem where the new memory allocation system was handing
out misaligned pointers.
o Fixed another memory allocation bug which probably doesn't cause any
real-life problems.
o Made nmap look in more places for nmap-os-fingerprints
Nmap 2.05
o Tons of new fingerprints. The number has grown by more than 25%.
In particular, Charles M. Hannum (root(a)ihack.net) fixed several
problems with NetBSD that made it easy to fingerprint and he sent me
a huge new batch of fingerprints for various NetBSD releases down to
1.2. Other people sent NetBSD fingerprints down to 1.0. I finally
got some early Linux fingerprints in (down to 1.09).
o Nmap now comes with its own nmap-services which I created by merging
the /etc/services from a bunch of OS' and then adding Netbus, Back
Orifice, etc.
o Random number generation now takes advantage of the /dev/urandom or
/dev/random that most Free operating systems offer.
o Increased the maximum number of OS guesses nmap will make, told nmap
never to give you two matches where the OS names are byte-to-byte
equivalent. Fixed nmap to differentiate between "no OS matches
found" and "too many OS matches to list".
o Fixed an information leak in the packet TTL values (found by HD
Moore (hdmoore(a)usa.net))
o Fixed the problem noted by Savva Uspensky about offsets used for
various operating systems' PPP/SLIP headers. Due to lack of
responses regarding other operating systems, I have made assumptions
about what works for BSDI, NetBSD, and SOLARIS. If this version no
longer works on your modem, please let me know (and tell me whether
you are using SLIP/PPP and what OS you are running).
o Machine parseable logs are now more machine parseable (I now use a
tab to seperate test result fields rather than the more ambiguous
spaces. This may break a few things which rely on the old format.
Sorry. They should be easy to fix.
o Added my nmap-fingerprintinting-article.txt to the distribution in
the docs directory.
o Fixed problem where nmap -sS (my_ethernet_or_ppp_ip_address) would
not correctly scan localhost (due to the kernel rerouting the
traffic through localhost). Nmap should now detect and work around
this behavior.
o Applied patch sent to my by Bill Fenner (fenner(a)parc.xerox.com)
which fixes various SunOS compatibility problems.
o Changed the makefile 'all' target to use install-sh rather than
mkdir -p (doesn't work on some systems)
o Documentation updated and clarified slightly.
o Added this CHANGELOG file to the distribution.
Reference in New Issue View Git Blame Copy Permalink