summaryrefslogtreecommitdiff
path: root/net/nmap
AgeCommit message (Collapse)AuthorFilesLines
2006-07-02Compilers other than GCC are not expected to know the -MM option torillig1-1/+9
calculate dependencies, so disable it for them.
2006-07-02devel/pcre calls itself "pcre" in the buildlink3.mk file, not "libpcre".rillig1-2/+2
2006-06-25Update to version 4.11salo6-112/+15
- bite the bullet and use GNU make, it's increasingly annoying to try avoiding it Changes: - Added a dozens of more detailed SSH version detection signatures, thanks to a SSH huge survey and integration effort by Doug Hoyte. The results of his large-scale SSH scan are posted at http://seclists.org/nmap-dev/2006/Apr-Jun/0393.html . - Fixed the Nmap Makefile (actually Makefile.in) to correctly handle include file dependencies. So if a .h file is changed, all of the .cc files which depend on it will be recompiled. Thanks to Diman Todorov (diman(a)xover.mud.at) for the patch. - Fixed a compilation problem on solaris and possibly other platforms. The error message looked like "No rule to make target `inet_aton.o', needed by `libnbase.a'". Thanks to Matt Selsky (selsky(a)columbia.edu) for the patch. Fixes PR pkg/33806 from Gilles Dauphin. - Applied a patch which helps with HP-UX compilation by linking in the nm library (-lnm). Thanks to Zakharov Mikhail (zmey20000(a)yahoo.com) for the patch. - Added version detection probes for detecting the Nessus daemon. Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch.
2006-06-15Update to version 4.10salo3-10/+10
Changes: 4.10: ===== - Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt) as of May 31, 2006. Also added a couple unregistered OUI's (for QEMU and Bochs) suggested by Robert Millan (rmh(a)aybabtu.com). - Fixed a bug which could cause false öpen" ports when doing a UDP scan of localhost. This usually only happened when you scan tens of thousands of ports (e.g. -p- option). - Fixed a bug in service detection which could lead to a crash when "--version-intensity 0" was used with a UDP scan. Thanks to Makoto Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug Hoyte for producing a patch. - Made some AIX and HP-UX portability fixes to Libdnet and NmapFE. These were sent in by Peter O'Gorman (nmap-dev(a)mlists.thewrittenword.com). - When you do a UDP«CP scan, the TCP ports are now shown first (in numerical order), followed by the UDP ports (also in order). This contrasts with the old format which showed all ports together in numerical order, regardless of protocol. This was at first a "bug", but then I started thinking this behavior may be better. If you have a preference for one format or the other, please post your reasons to nmap-dev. - Changed mass_dns system to print a warning if it can't find any available DNS servers, but not quit like it used to. Thanks to Doug Hoyte for the patch. 4.04BETA1: ========== - Integrated all of your submissions (about a thousand) from the first quarter of this year! Please keep 'em coming! The DB has increased from 3,153 signatures representing 381 protocols in 4.03 to 3,441 signatures representing 401 protocols. No other tool comes close! Many of the already existing match lines were improved too. Thanks to Version Detection Czar Doug Hoyte for doing this. - Nmap now allows multiple ingored port states. If a 65K-port scan had, 64K filtered ports, 1K closed ports, and a few dozen open ports, Nmap used to list the dozen open ones among a thousand lines of closed ports. Now Nmap will give reports like "Not shown: 64330 filtered ports, 1000 closed ports" or "All 2051 scanned ports on 192.168.0.69 are closed (1051) or filtered (1000)", and omit all of those ports from the table. Open ports are never ignored. XML output can now have multiple <extraports> directive (one for each ignored state). The number of ports in a single state before it is consolidated defaults to 26 or more, though that number increases as you add -v or -d options. With -d3 or higher, no ports will be consolidated. The XML output should probably be augmented to give the extraports directive 'ip', 'tcp', and 'udp' attributes which specify the corresponding port numbers in the given state in the same listing format as the nmaprun.scaninfo.services attribute, but that part hasn't yet been implemented. If you absoultely need the exact port numbers for each state in the XML, use -d3 for now. - Nmap now ignores certain ICMP error message rate limiting (rather than slowing down to accomidate it) in cases such as SYN scan where an ICMP message and no response mean the same thing (port filtered). This is currently only done at timing level Aggressive (-T4) or higher, though we may make it the default if we don't hear problems with it. In addition, the --defeat-rst-ratelimit option has been added, which causes Nmap not to slow down to accomidate RST rate limits when encountered. For a SYN scan, this may cause closed ports to be labeled 'filtered' becuase Nmap refused to slow down enough to correspond to the rate limiting. Learn more about this new option at http://www.insecure.org/nmap/man/ . Thanks to Martin Macok (martin.macok(a)underground.cz) for writing the patch that these changes were based on. - Moved my Nmap development environment to Visual C++ 2005 Express edition. In typical "MS Upgrade Treadmill" fashion, Visual Studio 2003 users will no longer be able to compile Nmap using the new solution files. The compilation, installation, and execution instructions at http://www.insecure.org/nmap/install/inst-windows.html have been upgraded. - Automated my Windows build system so that I just have to type a single make command in the mswin32 directory. Thanks to Scott Worley (smw(a)pobox.com>, Shane & Jenny Walters (yfisaqt(a)waltersinamerica.com), and Alex Prinsier (aphexer(a)mailhaven.com) for reading my appeal in the 4.03 CHANGELOG and assisting. - Changed the PortList class to use much more efficient data structures and algorithms which take advantage of Nmap-specific behavior patterns. Thanks to Marek Majkowski (majek(a)forest.one.pl) for the patch. - Fixed a bug which prevented certain TCPÙDP scan commands, such as "nmap -sSU -p1-65535 localhost" from scanning both TCP and UDP. Instead they gave the error message "WARNING: UDP scan was requested, but no udp ports were specified. Skipping this scan type". Thanks to Doug Hoyte for the patch. - Nmap has traditionally required you to specify -T* timing options before any more granular options like --max-rtt-timeout, otherwise the general timing option would overwrite the value from your more specific request. This has now been fixed so that the more specific options always have precendence. Thanks to Doug Hoyte for this patch. - Fixed a couple possible memory leaks reported by Ted Kremenek (kremenek(a)cs.stanford.edu) from the Stanford University sofware static analysis lab ("Checker" project). - Nmap now prints a warning when you specify a target name which resolves to multiple IP addresses. Nmap proceeds to scan only the first of those addresses (as it always has done). Thanks to Doug Hoyte for the patch. The warning looks like this: Warning: Hostname google.com resolves to 3 IPs. Using 66.102.7.99. - Disallow --host-timeout values of less than 1500ms, print a warning for values less than 15s. - Changed all instances of inet_aton() into calls to inet_pton() instead. This allowed us to remove inet_aton.c from nbase. Thanks to KX (kxmail(a)gmail.com) for the patch. - When debugging (-d) is specified, Nmap now prints a report on the timing variables in use. Thanks to Doug Hoyte for the patch. The report loos like this: ---------- Timing report ---------- hostgroups: min 1, max 100000 rtt-timeouts: init 250, min 50, max 300 scan-delay: TCP 5, UDP 1000 parallelism: min 0, max 0 max-retries: 2, host-timeout 900000 ----------------------------------- - Modified the WinPcap installer file to explicitly uninstall an existing WinPcap (if you select that you wish to replace it) rather than just overwriting the old version. Thanks to Doug Hoyte for making this change. - Added some P2P application ports to the nmap-services file. Thanks to Martin Macok for the patch. - The write buffer length increased in 4.03 was increased even further when the debugging or verbosity levels are more than 2 (e.g. -d3). Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for the patch. The goal is to prevent you from ever seeing the fatal error: "log_vwrite: write buffer not large enough -- need to increase" - Added a note to the Nmap configure dragon that people sick of him can submit their own ASCII art to nmap-dev@insecure.org . If you are wondering WTF I am talking about, it is probably because only most elite Nmap users -- the ones who compile from source on UNIX -- get to see the 'l33t ASCII Art.
2006-04-25Update to version 4.03salo3-18/+18
Changes: - Updated the LibPCRE build system to add the -fno-thread-jumps option to gcc when compiling on the new Intel-based Apple Mac OS X systems. Hopefully this resolves the version detection crashes that several people have reported on such systems. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for sending the configure.ac patch. - Increased a write buffer length to avoid Nmap from quitting with the message "log_vwrite: write buffer not large enough -- need to increase". Thanks to Dave (dmarcher(a)pobox.com) for reporting the issue. - Made some portability fixes to keep Nmap compiling with the newest Visual Studio 2005. Thanks to KX (kxmail(a)gmail.com) for suggesting them. - Service fingerprints are now provided in the XML output whenever they would appear in the interactive output (i.e. when a service respons with data but is unrecognized). They are shown in a new 'servicefp' attribute to the 'service' tag. Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for sending the patch. - Improved the Windows build system -- mswin32/Makefile now takes care of packaging Nmap and creating the installers once Visual Studio (GUI) is done building the Release version of mswin32/nmap.sln. If someone knows how to do this (build) step on the command line (using the Makefile), please let me know. Or if you know how to at least make 'Release' (rather than Debug) the default configuration, that would be valuable. - WinPcap 3.1 binaries are now shipped in the Nmap tarball, along with a customized (for Nmap) installer written by Doug Hoyte. That new WinPcap installer is now used in the Nmap self-installer. - Fixed (I hope) a problem where aggresive --min-parallelization option values could cause Nmap to quit with the message "box(300, 100, 15) called (min,max,num)". Thanks to Richard van den Berg (richard.vandenberg(a)ins.com) for reporting the problem. - Fixed a rare crash bug thanks to a report and patch from Ganga Bhavani (GBhavani(a)everdreamcorp.com)
2006-02-12Updated to version 4.01:salo7-69/+28
Changes: - Fixed a bug that would cause bogus reverse-DNS resolution on big-endian machines. Thanks to Doug Hoyte, Seth Miller, Tony Doan, and Andrew Lutomirsky for helping to debug and patch the problem. - Fixed an important memory leak in the raw ethernet sending system. Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for identifying the bug and sending a patch. - Fixed --system-dns option so that --system_dns works too. Error messages were changed to reflect the former (preferred) name. Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter VanEeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for reporting the problem. - Fixed a crash which would report this message: "NmapOutputTable.cc:143: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed." Thanks to Jake Schneider (Jake.Schneider(a)dynetics.com) for reporting and helping to debug the problem. - Whenever Nmap sends packets with the SYN bit set (except for OS detection), it now includes the maximum segment size (MSS) tcp option with a value of 1460. This makes it stand out less as almost all hosts set at least this option. Thanks to Juergen Schmidt (ju(a)heisec.de) for the suggestion. - Applied a patch for a Windows interface reading bug in the aDNS subsystem from Doug Hoyte. - Minor changes to recognize DragonFly BSD in configure scripts. Thanks to Joerg Sonnenberger (joerg(a)britannica.bec.de) for sending the patch. - Fixed a minor bug in an error message starting with "eth_send of ARP packet returned". Thanks to J.W. Hoogervorst (J.W.Hoogervorst(a)uva.nl) for finding this.
2006-02-01Add DragonFly support. Also recognize DragonFly and NetBSD as OS name.joerg6-15/+70
2006-01-31Update to version 4.00salo3-17/+17
Changes: 4.00: ===== - Added the '?' command to the runtime interaction system. It prints a list of accepted commands. Thanks to Andrew Lutomirski (luto(a)myrealbox.com) for the patch. 3.9999: ======= - Generated a new libpcre/configure to cope with changes in LibPCRE 6.4 - Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE (http://standards.ieee.org/regauth/oui/oui.txt) - Updated nmap-protocols with the latest IEEE internet protocols assignments (http://www.iana.org/assignments/protocol-numbers). - Updated the Nmap version number and related fields that MS Visual Studio places in the binary. This was done by editing mswin32/nmap.rc. 3.999: ====== - Added runtime interaction support to Windows, thanks to patches from Andrew Lutomirski (luto(a)myrealbox.com) and Gisle Vanem (giva(a)bgnett.no). - Changed a couple lines of tcpip.cc (put certain IP header fields in host byte order rather than NBO) to (hopefully) support Mac OS X on Intel. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for the patch. - Upgraded the included LibPCRE from version 6.3 to 6.4. There was a report of version detection crashes on the new Intel-based MACs with 6.3. - Fixed an issue in which the installer would malfunction in rare issues when installing to a directory with spaces in it. Thanks to Thierry Zoller (Thierry(a)Zoller.lu) for the report. 3.99: ===== - Integrated all remaining 2005 service submissions. The DB now has surpassed 3,000 signatures for the first time. There now are 3,153 signatures for 381 service protocols. Those protocols span the gamut from abc, acap, afp, and afs to zebedee, zebra, and zenimaging. It even covers obscure protocols such as http, ftp, smtp, and ssh :). Thanks to Version Detection Czar Doug Hoyte for his excellent work on this. - Created a Windows executable installer using the open source NSIS (Nullsoft Scriptable Install System). It handles Pcap installation, registry performance changes, and adding Nmap to your cmd.exe executable path. The installer source files are in mswin32/nsis/ . Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for creating the initial version. - Fixed a backward compatibility bug in which Nmap didn't recognize the --min_rtt_timeout option (it only recognized the newly hyphenated --min-rtt-timeout). Thanks to Joshua D. Abraham (jabra(a)ccs.neu.edu) for the bug report. - Fixed compilation to again work with gcc-derivatives such as MingW. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending the patches 3.98BETA1: ========== - Added run time interaction as documented at http://www.insecure.org/nmap/man/man-runtime-interaction.html . While Nmap is running, you can now press 'v' to increase verbosity, 'd' to increase the debugging level, 'p' to enable packet tracing, or the capital versions (V,D,P) to do the opposite. Any other key (such as enter) will print out a status message giving the estimated time until scan completion. This only works on UNIX for now. Do we have any volunteers to add Windows support? You would need to change a handful of UNIX-specific termio calls with the Windows equivalents. This feature was created by Paul Tarjan (ptarjan(a)stanford.edu) as part of the Google Summer of Code. - Reverse DNS resolution is now done in parallel rather than one at a time. All scans of large networks (particularly list, ping and just-a-few-ports scans) should benefit substantially from this change. If you encounter any problems, please let us know. The new --system_dns option was added so you can use the (slow) system resolver if you prefer that for some reason. You can specify a comma separated list of DNS server IP addresses for Nmap to use with the new --dns_servers option. Otherwise, Nmap looks in /etc/resolve.conf (UNIX) or the system registry (Windows) to obtain the nameservers already configured for your system. This excellent patch was written by Doug Hoyte (doug(a)hcsw.org). - Added the --badsum option, which causes Nmap to use invalid TCP or UDP checksums for packets sent to target hosts. Since virtually all host IP stacks properly drop these packets, any responses received are likely coming from a firewall or IDS that didn't bother to verify the checksum. For more details on this technique, see http://www.phrack.org/phrack/60/p60-0x0c.txt . The author of that paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch (which I changed it a bit). - The 26 Nmap commands that previously included an underscore (--max_rtt_timeout, --send_eth, --host_timeout, etc.) have been renamed to use a hyphen in the preferred format (i.e. --max-rtt-timeout). Underscores are still supported for backward compatibility. - More excellent NmapFE patches from Priit Laes (amd(a)store20.com) were applied to remove all deprecated GTK API calls. This also eliminates the annoying Gtk-Critical and Gtk-WARNING runtime messages. - Changed the way the __attribute__ compiler extension is detected so that it works with the latest Fedora Core 4 updates (and perhaps other systems). Thanks to Duilio Protti (dprotti(a)fceia.unr.edu.ar) for writing the patch. The compilation error message this fixes was usually something like: "nmap.o(.rodata+0x17c): undefined reference to `__gthrw_pthread_cancel(unsigned long)" - Added some exception handling code to mswin32/winfix.cc to prevent Nmap from crashing mysteriously when you have WinPcap 3.0 or earlier (instead of the required 3.1). It now prints an error message instead asking you to upgrade, then reduces functionality to connect()-only mode. I couldn't get it working with the C++ standard try/catch() blocks, but as soon as I used the nonstandard MS conventions (__try/__except(), everything worked fine. Shrug. - Stripped the firewall API out of the libdnet included with Nmap because Nmap doesn't use it anyway. This saves space and reduces the likelihood of compilation errors and warnings. - Modified the previously useless --noninteractive option so that it deactivates runtime interaction. 3.96BETA1: ========== - Added --max_retries option for capping the maximum number of retransmissions the port scan engine will do. The value may be as low as 0 (no retransmits). A low value can increase speed, though at the risk of losing accuracy. The -T4 option now allows up to 6 retries, and -T5 allows 2. Thanks to Martin Macok (martin.macok(a)underground.cz) for writing the initial patch, which I changed quite a bit. I also updated the docs to reflect this neat new option. - Many of the Nmap low-level timing options take a value in milliseconds. You can now append an 's', 'm', or 'h' to the value to give it in seconds, minutes, or hours instead. So you can specify a 45 minute host timeout with --host_timeout 45m rather than specifying --host_timeout 2700000 and hoping you did the math right and have the correct number of zeros. This also now works for the --min_rtt_timeout, --max_rtt_timeout, --initial_rtt_timeout, --scan_delay, and --max_scan_delay options. - Improved the NmapFE port to GTK2 so it better-conforms to the new API and you don't get as many annoying messages in your terminal window. GTK2 is prettier and more functional too. Thanks to Priit Laes (amd(a)store20.com) for writing these excellent patches. - Fixed a problem which led to the error message "Failed to determine dst MAC address for target" when you try to run Nmap using a dialup/PPP adapter on Windows rather than a real ethernet card. Due to Microsoft breaking raw sockets, Nmap no longer supports dialup adapters, but it should now give you a clearer error message than the "dst MAC address" nonsense. - Debian GNU/kFreeBSD is now supported thanks to a patch to libdnet's configure.in by Petr Salinger (Petr.Salinger(a)t-systems.cz). - Tried to update to the latest autoconf only to find that there hasn't been a new version in more than two years :(. I was able to find new config.sub and config.guess files at http://cvs.savannah.gnu.org/viewcvs/config/config/ , so I updated to those. - Fixed a problem with the -e option when run on Windows (or UNIX with --send_eth) when run on an ethernet network against an external (routed) host. You would get the message "NmapArpCache() can only take IPv4 addresses. Sorry". Thanks to KX (kxmail(a)gmail.com) for helping to track down the problem. - Made some changes to allow source port zero scans (-g0). Nmap used to refuse to do this, but now it just gives a warning that it may not work on all systems. It seems to work fine on my Linux box. Thanks to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature. - Made a change to libdnet so that Windows interfaces are listed as down if they are disconnected, unplugged, or otherwise unavailable. - Ceased including foreign translations in the Nmap tarball as they take up too much space. HTML versions can be found at http://www.insecure.org/nmap/docs.html , while XML and NROFF versions are available from http://www.insecure.org/nmap/data/man-xlate/ . - Changed INSTALL and README-WIN32 files to mostly just reference the new Nmap Install Guide at http://www.insecure.org/nmap/install/ . - Included docs/nmap-man.xml in the tarball distribution, which is the DocBook XML source for the Nmap man page. Patches to Nmap that are user-visible should include patches to the man page XML source rather than to the generated Nroff. - Fixed Nmap so it doesn't crash when you ask it to resume a previous scan, but pass in a bogus file rather than actual Nmap output. Thanks to Piotr Sobolewski (piotr_sobolewski(a)o2.pl) for the fix.
2006-01-23Made the package work with SunPro on Solaris 8. That C++ compilerrillig1-1/+8
neither knows __FUNCTION__ nor __func__.
2005-12-08Update to version 3.95salo3-15/+15
Changes: - Put Nmap on a diet, with changes to the core port scanning routine (ultra_scan) to substantially reduce memory consumption, particularly when tens of thousands of ports are scanned. - Wrote a new man page from scratch. It is much more comprehensive (more than twice as long) and (IMHO) better organized than the previous one. Read it online at http://www.insecure.org/nmap/man/ or docs/nmap.1 from the Nmap distribution. Let me know if you have any ideas for improving it. - Wrote a new "help screen", which you get when running Nmap without arguments. It is also reproduced in the man page and at http://www.insecure.org/nmap/data/nmap.usage.txt . I gave up trying to fit it within a 25-line, 80-column terminal window. It is now 78 lines and summarizes all but the most obscure Nmap options. - Removed foreign translations of the old man page from the distribution. Included the following contributed translations (nroff format) of the new man page: Brazilian Portuguese by Lucien Raven (lucienraven(a)yahoo.com.br) Portuguese (Portugal) by José Domingos (jd_pt(a)yahoo.com) and Andreia Gaita (shana.ufie(a)gmail.com). - Fixed a crash in IPID Idle scan. Thanks to Ron (iago(a)valhallalegends.com>, Bakeman (bakeman(a)physics.unr.edu), and others for reporting the problem. - Applied some small fixes so that Nmap compiles with Visual C++ 2005 Express, which is free from Microsoft at http://msdn.microsoft.com/vstudio/express/visualc/ . Thanks to KX (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com) - Version detection softmatches (when Nmap determines the service protocol such as smtp but isn't able to determine the app name such as Postfix) can now parse out the normal match line fields such as hostname, device type, and extra info. For example, we may not know what vendor created an sshd, but we can still parse out the protocol number. This was a patch from Doug Hoyte (doug(a)hcsw.org). - Fixed a problem which caused UDP version scanning to fail to print the matched service. Thanks to Martin Macok (martin.macok(a)underground.cz) for reporting the problem and Doug Hoyte (doug(a)hcsw.org) for fixing it. - Made the version detection "ports" directive (in nmap-service-probes) more comprehensive. This should speed up scans a bit. The patch was done by Doug Hoyte (doug(a)hcsw.org). - Integrated all of the September version detection fingerprint submissions. This was done by Version Detection Czar Doug Hoyte (doug(a)hcsw.org) and resulted in 86 new match lines. Please keep those submissions coming! - Fixed a bunch of typos and misspellings throughout the Nmap source code (mostly in comments). This was a 625-line patch by Saint Xavier (skyxav(a)skynet.be). - Added the --webxml option, which does the same thing as --stylesheet http://www.insecure.org/nmap/data/nmap.xsl , without requiring you to remember the exact URL or type that whole thing. - Fixed a possible aliasing problem in tcpip.cc by applying a patch sent in by Gwenole Beauchesne (gbeauchesne(a)mandriva.com). This problem shouldn't have had any effect on users since we already include the -fno-strict-aliasing option whenever gcc 4 is detected, but it brings us closer to being able to remove that option. - Fixed a problem with the -S and -e options (spoof/set source address, and set interface by name, respectively). The problem report and a partial patch were sent by Richard Birkett (richard(a)musicbox.net). - Fixed a problem with the -S and option on Windows reporting "Failed to resolve/decode supposed IPv4 source address". The -D (decoy) option was probably broken on that platform too. Thanks to KX (kxmail(a)gmail.com) for reporting the problem and tracking down a potential solution. - Added --thc option (undocumented) - Modified libdnet-stripped/src/eth-bsd.c to allow for up to 128 bpf devices rather than 32. This prevents errors like "Failed to open ethernet interface (fxp0)" when there are more than 32 interface aliases. Thanks to Krok (krok(a)void.ru) for reporting the problem and even sending a patch. - Fixed a minor syntax error in tcpip.h that was causing problems with GCC 4.1. Thanks to Dirk Mueller (dmuell(a)gmx.net) for reporting the problem and sending a fix. - Define INET_ADDRSTRLEN in tcpip.h if the system doesn't define it for us. This apparently aids compilation on Solaris 2.6 and 7. Thanks to Albert Chin (nmap-hackers(a)mlists.thewrittenword.com) for sending the patch.. - Fixed an inefficiency in RPC scan that could slow things down and also sometimes resulted in the spurious warning message: Ünable to find listening socket in get_rpc_results" - Fixed a compilation problem on Mac OS X and perhaps other platforms with a one-line fix to scan_engine.cc. Thanks to Felix Gröbert (felix(a)groebert.org) for notifying me of the problem. - Nmap now accepts target list files in Windows end-of-line format (\r\n) as well as standard UNIX format (\n) on all platforms. Passing a Windows style file to Nmap on UNIX didn't work before unless you ran dos2unix first. - Fixed a problem that prevented the command "nmap -sT -PT <targets>" from working from a non-privileged user account. The -PT option doesn't change default behavior in this case, but Nmap should (and now does) allow it. - Better handle ICMP type 3, code 0 (network unreachable) responses to port scan packets. These are rarely seen when scanning hosts that are actually online, but are still worth handling. - Fixed a crash occured when the --exclude option was used with netmasks on certain platforms. Thanks to Adam (nmapuser(a)globalmegahost.com) for reporting the problem and to Greg Darke (starstuff(a)optusnet.com.au) for sending a patch (I modified the patch a bit to make it more efficient). - Removed Identd scan support from NmapFE since Nmap no longer supports it. Thanks to Jonathan Dieter (jdieter99(a)gmx.net) for the patch. - Fixed a bug that caused Nmap to crash if an nmap-service-probes file was used which didn't contain the Exclude directive. - Fixed a divide-by-zero crash when you specify rather bogus command-line arguments (a TCP scan with zero tcp ports). Thanks to Bart Dopheide (dopheide(a)fmf.nl) for identifying the problem and sending a patch.
2005-09-15Update to version 3.93salo4-33/+66
Changes: 3.93: ===== o Modified Libpcap's configure.ac to compile with the --fno-strict-aliasing option if gcc 4.X is used. This prevents when said compiler is used. This was done for Nmap in 3.90, but is apparently needed for pcap too. Thanks to Craig Humphrey (Craig.Humphrey(a)chapmantripp.com) for the discovery. o Patched libdnet to include sys/uio.h in src/tun-linux.c. This is apparently necessary on some Glibc 2.1 systems. Thanks to Rob Foehl (rwf(a)loonybin.net) for the patch. o Fixed a crash which could occur when a ridiculously short --host_timeout was specified on Windows (or on UNIX if --send_eth was specified). Nmap now also prints a warning if you specify a host_timeout of less than 1 second. Thanks to Ole Morten Grodaas (grodaas(a)gmail.com) for discovering the problem. 3.91: ===== o Fixed a crash on Windows when you -P0 scan an unused IP on a local network (or a range that contains unused IPs). This could also happen on UNIX if you specified the new --send_eth option. Thanks to Jim Carras (JFCECL(a)engr.psu.edu) for reporting the problem. o Fixed compilation on OpenBSD by applying a patch from Okan Demirmen (okan(a)demirmen.com), who maintains Nmap in the OpenBSD Ports collection. o Updated nmap-mac-prefixes to include OUIs assigned by the IEEE since April. o Updated the included libpcre (used for version detection) from version 4.3 to 6.3. A libpcre securty issue was fixed in 6.3, but that issue never affected Nmap. o Updated the included libpcap from 0.8.3 to 0.9.3. I also changed the directory name in the Nmap tarball from libpcap-possiblymodified to just libpcap. As usual, the modifications are described in the NMAP_MODIFICATIONS in that directory. 3.90: ===== o Added the ability for Nmap to send and properly route raw ethernet packets cointaining IP datagrams rather than always sending the packets via raw sockets. This is particularly useful for Windows, since Microsoft has disabled raw socket support in XP for no good reason. Nmap tries to choose the best method at runtime based on platform, though you can override it with the new --send_eth and --send_ip options. o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to determine whether hosts on a LAN are up, rather than relying on higher-level IP packets (which can only be sent after a successful ARP request and reply anyway). This is much faster and more reliable (not subject to IP-level firewalling) than IP-based probes. The downside is that it only works when the target machine is on the same LAN as the scanning machine. It is now used automatically for any hosts that are detected to be on a local ethernet network, unless --send_ip was specified. Example usage: nmap -sP -PR 192.168.0.0/16 . o Added the --spoof_mac option, which asks Nmap to use the given MAC address for all of the raw ethernet frames it sends. The MAC given can take several formats. If it is simply the string "0", Nmap chooses a completely random MAC for the session. If the given string is an even number of hex digits (with the pairs optionally separated by a colon), Nmap will use those as the MAC. If less than 12 hex digits are provided, Nmap fills in the remainder of the 6 bytes with random values. If the argument isn't a 0 or hex string, Nmap looks through the nmap-mac-prefixes to find a vendor name containing the given string (it is case insensitive). If a match is found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the remaining 3 bytes randomly. Valid --spoof_mac argument examples are "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and "Cisco". o Applied an enormous nmap-service-probes (version detection) update from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had 1064 match lines covering 195 service protocols. Now we have 2865 match lines covering 359 protocols! So the database size has nearly tripled! This should make your -sV scans quicker and more accurate. Thanks also go to the (literally) thousands of you who submitted service fingerprints. Keep them coming! o Applied a massive OS fingerprint update from Zhao Lei (zhaolei(a)gmail.com). About 350 fingerprints were added, and many more were updated. Notable additions include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along with a new "robotic pet" device type category), the latest Linux 2.6 kernels Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10. Of course there are also tons of new broadband routers, printers, WAPs and pretty much any other device you can coax an ethernet cable (or wireless card) into! o Added 'leet ASCII art to the confugrator! ARTIST NOTE: If you think the ASCII art sucks, feel free to send me alternatives. Note that only people compiling the UNIX source code get this. (ASCII artist unknown). o Added OS, device type, and hostname detection using the service detection framework. Many services print a hostname, which may be different than DNS. The services often give more away as well. If Nmap detects IIS, it reports an OS family of "Windows". If it sees HP JetDirect telnetd, it reports a device type of "printer". Rather than try to combine TCP/IP stack fingerprinting and service OS fingerprinting, they are both printed. After all, they could legitimately be different. An IP that gives a stack fingerprint match of "Linksys WRT54G broadband router" and a service fingerprint of Windows based on Kazaa running is likely a common NAT setup rather than an Nmap mistake. o Nmap on Windows now compiles/links with the new WinPcap 3.1 header/lib files. So please upgrade to 3.1 from http://www.winpcap.org before installing this version of Nmap. While older versions may still work, they aren't supported with Nmap. o The official Nmap RPM files are now compiled statically for better compatability with other systems. X86_64 (AMD Athlon64/Opteron) binaries are now available in addition to the standard i386. NmapFE RPMs are no longer distributed by Insecure.Org. o Nmap distribution signing has changed. Release files are now signed with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also generated a new key for himself (KeyID 33599B5F). The Nmap key has been signed by Fyodor's new key, which has been signed by Fyodor's old key so that you know they are legit. The new keys are available at http://www.insecure.org/nmap/data/nmap_gpgkeys.txt , as docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public keyserver network. Here are the fingerprints: pub 1024D/33599B5F 2005-04-24 Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F uid Fyodor <fyodor@insecure.org> sub 2048g/D3C2241C 2005-04-24 pub 1024D/6B9355D0 2005-04-24 Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0 uid Nmap Project Signing Key (http://www.insecure.org/) sub 2048g/A50A6A94 2005-04-24 o Fixed a crash problem related to non-portable varargs (vsnprintf) usage. Reports of this crash came from Alan William Somers (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de). This patch was prevalent on Linux boxes running an Opteron/Athlon64 CPU in 64-bit mode. o Fixed crash when Nmap is compiled using gcc 4.X by adding the --fno-strict-aliasing option when that compiler is detected. Thanks to Greg Darke (starstuff(a)optusnet.com.au) for discovering that this option fixes (hides) the problem and to Duilio J. Protti (dprotti(a)flowgate.net) for writing the configure patch to detect gcc 4 and add the option. A better fix is to identify and rewrite lines that violate C99 alias rules, and we are looking into that. o Added "rarity" feature to Nmap version detection. This causes obscure probes to be skipped when they are unlikely to help. Each probe now has a "rarity" value. Probes that detect dozens of services such as GenericLines and GetRequest have rarity values of 1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9. When interrogating a port, Nmap always tries probes registered to that port number. So even WWWOFFLEctrlstat will be tried against port 8081 and mydoom will be tried against open ports between 3127 and 3198. If none of the registered ports find a match, Nmap tries probes that have a rarity less than or equal to its current intensity level. The intensity level defaults to 7 (so that most of the probes are done). You can set the intensity level with the new --version_intensity option. Alternatively, you can just use --version_light or --version_all which set the intensity to 2 (only try the most important probes and ones registered to the port number) and 9 (try all probes), respectively. --version_light is much faster than default version detection, but also a bit less likely to find a match. This feature was designed and implemented by Doug Hoyte (doug(a)hcsw.org). o Added a "fallback" feature to the nmap-service-probes database. This allows a probe to "inherit" match lines from other probes. It is currently only used for the HTTPOptions, RTSPRequest, and SSLSessionReq probes to inherit all of the match lines from GetRequest. Some servers don't respond to the Nmap GetRequest (for example because it doesn't include a Host: line) but they do respond to some of those other 3 probes in ways that GetRequest match lines are general enough to match. The fallback construct allows us to benefit from these matches without repeating hundreds of signatures in the file. This is another feature designed and implemented by Doug Hoyte (doug(a)hcsw.org). o Fixed crash with certain --excludefile or --exclude arguments. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for reporting the problem, and to Duilio J. Protti (dprotti(a)flowgate.net) for debugging the issue and sending the patch. o Updated random scan (ip_is_reserved()) to reflect the latest IANA assignments. This patch was sent in by Felix Groebert (felix(a)groebert.org). o Included new Russian man page translation by locco_bozi(a)Safe-mail.net o Applied pach from Steve Martin (smartin(a)stillsecure.com) which standardizes many OS names and corrects typos in nmap-os-fingerprints. o Fixed a crash found during certain UDP version scans. The crash was discovered and reported by Ron (iago(a)valhallalegends.com) and fixed by Doug Hoyte (doug(a)hcsw.com). o Added --iflist argument which prints a list of system interfaces and routes detected by Nmap. o Fixed a protocol scan (-sO) problem which led to the error message: "Error compiling our pcap filter: syntax error". Thanks to Michel Arboi (michel(a)arboi.fr.eu.org) for reporting the problem. o Fixed an Nmap version detection crash on Windows which led to the error message "Unexpected error in NSE_TYPE_READ callback. Error code: 10053 (Unknown error)". Thanks to Srivatsan (srivatsanp(a)adventnet.com) for reporting the problem. o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers (TSellers(a)trustmark.com). o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make Nmap compile with Cygwin. o XML "osmatch" element now has a "line" attribute giving the reference fingerprint line number in nmap-os-fingerprints. o Added a distcc probes and a bunch of smtp matches from Dirk Mueller (mueller(a)kde.org) to nmap-service-probes. Also added AFS version probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And even more probes and matches from Martin Macok (martin.macok(a)underground.cz) o Fixed a problem where Nmap compilation would use header files from the libpcap included with Nmap even when it was linking to a system libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan Demirmen (okan(a)demirmen.com) for reporting the problem. o Added configure option --with-libpcap=included to tell Nmap to use the version of libpcap it ships with rather than any that may already be installed on the system. You can still use --with-libpcap=[dir] to specify that a system libpcap be installed rather than the shipped one. By default, Nmap looks at both and decides which one is likely to work best. If you are having problems on Solaris, try --with-libpcap=included . o Changed the --no-stylesheet option to --no_stylesheet to be consistant with all of the other Nmap options. Though I'm starting to like hyphens a bit better than underscores and may change all of the options to use hyphens instad at some point. o Added "Exclude" directive to nmap-service-probes grammar which causes version detection to skip listed ports. This is helpful for ports such as 9100. Some printers simply print any data sent to that port, leading to pages of HTTP requests, SMB queries, X Windows probes, etc. If you really want to scan all ports, specify --allports. This patch came from Doug Hoyte (doug(a)hcsw.org). o Added a stripped-down and heavily modified version of Dug Song's libdnet networking library (v. 1.10). This helps with the new raw ethernet features. My (extensive) changes are described in libdnet-stripped/NMAP_MODIFICATIONS o Removed WinIP library (and all Windows raw sockets code) since MS has gone and broken raw sockets. Maybe packet receipt via raw sockets will come back at some point. As part of this removal, the Windows-specific --win_help, --win_list_interfaces, --win_norawsock, --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi, and --win_trace options have been removed. o Chagned the interesting ports array from a 65K-member array of pointers into an STL list. This noticeable reduces memory usage in some cases, and should also give a slight runtime performance boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com). o Removed the BSDFIX/BSDUFIX macros. The underlying bug in FreeBSD/NetBSD is still there though. When an IP packet is sent through a raw socket, these platforms require the total length and fragmentation offset fields of an IP packet to be in host byte order rather than network byte order, even though all the other fields must be in NBO. I believe that OpenBSD fixed this a while back. Other platforms, such as Linux, Solaris, Mac OS X, and Windows take all of the fields in network byte order. While I removed the macro, I still do the munging where required so that Nmap still works on FreeBSD. o Integrated many nmap-service-probes changes from Bo Jiang (jiangbo(a)brandeis.edu) o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri (eilon(a)aristo.tau.ac.il) o Added some new RPC services to nmap-rpc thanks to a patch from vlad902 (vlad902(a)gmail.com). o Fixed a bug where Nmap would quit on Windows whenever it encountered a raw scan of localhost (including the local ethernet interface address), even when that was just one address out of a whole network being scanned. Now Nmap just warns that it is skipping raw scans when it encounters the local IP, but continues on to scan the rest of the network. Raw scans do not currently work against local IP addresses because Winpcap doesn't support reading/writing localhost interfaces due to limitations of Windows. o The OS fingerprint is now provided in XML output if debugging is enabled (-d) or verbosity is at least 2 (-v -v). This patch was sent by Okan Demirmen (okan(a)demirmen.com) o Fixed the way tcp connect scan (-sT) respons to ICMP network unreachable responses (patch by Richard Moore (rich(a)westpoint.ltd.uk). o Update random host scan (-iR) to support the latest IANA-allocated ranges, thanks to patch by Chad Loder (cloder(a)loder.us). o Updated GNU shtool (a helper program used during 'make install' to version 2.0.2, which fixes a predictable temporary filename weakness discovered by Eric Raymond. o Removed addport element from XML DTD, since it is no longer used (sugested by Lionel Cons (lionel.cons(a)cern.ch) o Added new --privileged command-line option and NMAP_PRIVILEGED environmental variable. Either of these tell Nmap to assume that the user has full privileges to execute raw packet scans, OS detection and the like. This can be useful when Linux kernel capabilities or other systems are used that allow non-root users to perform raw packet or ethernet frame manipulation. Without this flag or variable set, Nmap bails on UNIX if geteuid() is nonzero. o Changed the RPM spec file so that if you define "static" to 1 (by passing --define "static 1" to rpmbuild), static binaries are built. o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon Burr (simes(a)bpfh.net). o ultra_scan() now sets pseudo-random ACK values (rather than 0) for any TCP scans in which the initial probe packet has the ACK flag set. This would be the ACK, Xmas, Maimon, and Window scans. o Updated the Nmap version number, description, and similar fields that MS Visual Studio places in the binary. This was done by editing mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com) o Fixed Nmap compilation on DragonFly BSD (and perhaps some other systems) by applying a short patch by Joerg Sonnenberger which omits the declaration of errno if it is a #define. o Fixed an integer overflow that prevented Nmap from scanning 2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans are now possible, don't expect them to finish during your bathroom break. No matter how constipated you are. o Increased the buffer size allocated for fingerprints to prevent Nmap from running out and quitting (error message: "Assertion `servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz (mhatz(a)blackcat.com) for the report. [ Actually this was done in a previous version, but I forgot which one ] o Changed from CVS to Subversion source control system (which rocks!). Neither repository is public (I'm paranoid because both CVS and SVN have had remotely exploitable security holes), so the main change users will see is that "Id" tags in file headers use the SVN format for version numbering and such.
2005-05-31Build on DragonFly BSD.salo2-1/+16
Patch from Joerg Sonnenberger via private mail.
2005-04-11Remove USE_BUILDLINK3 and NO_BUILDLINK; these are no longer used.tv1-2/+1
2005-02-24Add RMD160 digests.agc1-1/+2
2005-02-09Update to version 3.81salo2-5/+5
Changes: - Nmap now prints a warning message on Windows if Winpcap is not found (it then reverts to raw sockets mode if available, as usual). - documentation fixes and updates.
2005-02-06Updated to version 3.80salo3-6/+8
Changes: - Nmap now ships with and installs (in the same directory as other data files such as nmap-os-fingerprints) an XSL stylesheet for rendering the XML output as HTML. This stylesheet was written by Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples). It supports tables, version detection, color-coded port states, and more. The XML output has been augmented to include an xml-stylesheet directive pointing to nmap.xsl on the local filesystem. You can point to a different XSL file by providing the filename or URL to the new --stylesheet argument. Omit the xml-stylesheet directive entirely by specifying --no-stylesheet. The XML to HTML conversion can be done with an XSLT processor such as Saxon, Sablot, or Xalan, but modern browsers can do this on the fly -- simply load the XML output file in IE or Firefox. Some features don't currently work with Firefox's on-the-fly rendering. Perhaps some Mozilla wizard can fix that in either the XSL or the browser itself. I hate having things work better in IE :). It is often more convenient to have the stylesheet loaded from a URL rather than the local filesystem, allowing the XML to be rendered on any machine regardless of whether/where the XSL is installed. For privacy reasons (avoid loading of an external URL when you view results), Nmap uses the local filesystem by default. If you would like the latest version of the stylesheet load from the web when rendering, specify --stylesheet http://www.insecure.org/nmap/data/nmap.xsl . - Fixed fragmentation option (-f). One -f now sets sends fragments with just 8 bytes after the IP header, while -ff sends 16 bytes to reduce the number of fragments needed. You can specify your own fragmentation offset (must be a multiple of 8) with the new --mtu flag. Don't also specify -f if you use --mtu. Remember that some systems (such as Linux with connection tracking) will defragment in the kernel anyway -- so test first while sniffing with ethereal. These changes are from a patch by Martin Macok (martin.macok(a)underground.cz). - Nmap now prints the number (and total bytes) of raw IP packets sent and received when it completes, if verbose mode (-v) is enabled. The report looks like: Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB) - Fixed (I hope) an error which would cause the Windows version of Nmap to abort under some circumstances with the error message "Unexpected error in NSE_TYPE_READ callback. Error code: 10053 (Unknown error)". Problem reported by "Tony Golding" (biz(a)tonygolding.com). - Added new "closed|filtered" state. This is used for Idlescan, since that scan method can't distinguish between those two states. Nmap previously just used "closed", but this is more accurate. - Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered" instead of "open" when they fail to receive any response from the target port. After all, it could just as easily be filtered as open. This is the same change that was made to UDP scan in 3.70. Also as with UDP scan, adding version detection (-sV) will change the state from open|filtered to open if it confirms that they really are open. - Fixed a bug in ACK scan that could cause Nmap to crash with the message "Unexpected port state: 6" in some cases. Thanks to Glyn Geoghegan (glyng(a)corsaire.com) for reporting the problem. - Change IP protocol scan (-sO) so that a response from the target host in any protocol at all will prove that protocol is open. As before, no response means "open|filtered", an ICMP protocol unreachable means "closed", and most other ICMP error messages mean "filtered". - Patched a Winpcap issue that prevented read timeouts from being honored on Solaris (thus slowing down Nmap substantially). The problem report and patch were sent in by Ben Harris (bjh21(a)cam.ac.uk). - Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and UDP headers when scanning protocols 1, 6, and 17, respectively. An empty IP header is still sent for all other protocols. This should prevent the error messages such as "sendto in send_ip_packet: sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not permitted" that Linux (and perhaps other systems) would give when they try to interpret the raw packet. This also makes it more likely that these protocols will elicit a response, proving that the protocol is "open". - The windows build now uses header and static library files from Winpcap 3.1Beta4. It also now prints out the DLL version you are using when run with -d. I would recommend upgrading to 3.1Beta4 if you have an older Winpcap installed. - Added an NTP probe and matches to the version detection database (nmap-service-probes) thanks to a submission from Martin Macok (martin.macok@underground.cz). - Applied several Nmap service detection database updates sent in by Martin Macok (martin.macok(a)underground.cz).
2005-01-20Update to version 3.78salo2-5/+6
Changes: - The XML nmaprun element now has a startstr attribute which gives the human readable calendar time format that a scan started. Similarly the finished element now has a timestr attribute describing when the scan finished. These are in addition to the existing nmaprun/start and finished/time attributes that provided the start and finish time in UNIX time_t notation. This should help in development of better XSLT stylesheets for Nmap XML output. - Added new "closed|filtered" state. This is used for Idlescan, since that scan method can't distinguish between those two staes. Nmap previously just used "closed", but this is more accurate. - Rewrote the host IP (target specification) parser for easier maintenance and to fix a bug found by Netris (netris(a)ok.kz) - Fixed compilation on soem HP-UX 11 boxes thanks to a patch by Petter Reinholdtsen (pere(a)hungry.com). - Fixed a portability problem on some OpenBSD and FreeBSD machines thanks to a patch by Okan Demirmen (okan(a)demirmen.com). - Added an NTP probe and matches to the version detection database (nmap-service-probes) thanks to a submission from Martin Macok (martin.macok@underground.cz).
2004-11-26Changes 3.77:adam6-32/+30
o Fixed a memory leak that would generally consume several hundred bytes per down host scanned. While the effect for most scans is negligible, it was overwhelming when Scott Carlson (Scott.Carlson(a)schwab.com) tried to scan 24 million IPs (10.0.0.0/8). Thanks to him for reporting the problem. o Fixed a bug in ACK scan that could cause Nmap to crash with the message "Unexpected port state: 6" in some cases. Thanks to Glyn Geoghegan (glyng(a)corsaire.com) for reporting the problem. o Change IP protocol scan (-sO) so that a response from the target host in any protocol at all will prove that protocol is open. As before, no response means "open|filtered", an ICMP protocol unreachable means "closed", and most other ICMP error messages mean "filered". o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and UDP headers when scanning protocols 1, 6, and 17, respectively. An emtpy IP header is still sent for all other protocols. This should prevent the error messages such as "sendto in send_ip_packet: sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not permitted" that Linux (and perhaps other systems) would give when they try to interpret the raw packet. This also makes it more likely that these protocols will elicit a response, proving that the protocol is "open". o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered" instead of "open" when they fail to receive any response from the target port. After all, it could just as easily be filtered as open. This is the same change that was made to UDP scan in 3.70. Also as with UDP scan, adding version detection (-sV) will change the state from open|filtered to open if it confirms that they really are open. o Fixed a crash on Windows systems that don't include the iphlpapi DLL. This affects Win95 and perhaps other variants. Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting the problem and sending the patch. o Ensured that the device type, os vendor, and os family OS fingerprinting classification values are scrubbed for XML compliance in the XML output. Thanks to Matthieu Verbert (mve(a)zurich.ibm.com) for reporting the problem and sending a patch. o Changed to Nmap XML DTD to use the same xmloutputversion (1.01) as newer versions of Nmap. Thanks to Laurent Estieux (laurent.estieux(a)free.fr) for reporting the problem.
2004-11-13Replace USE_GCC_SHLIB with "USE_LANGUAGE=c c++" (the latter implies thejlam1-2/+1
former) for applications that are known to require C++.
2004-10-19Updated to version 3.75salo3-21/+12
Changes: - Implemented a huge OS fingerprint database update. The number of signatures have increased more than 20% to 1,353 and many of the existing ones are much improved. Notable updates include the fourth edition of Bell Lab's Plan9, Grandstream's BugeTone 101 IP Phone, and Bart's Network Boot Disk 2.7 (which runs MS-DOS). Oh, and Linux kernels up to 2.6.8, dozens of new Windows fingerprints including XP SP2, the latest Longhorn warez, and many modified Xboxes, OpenBSD 3.6, NetBSD up to 2.0RC4, Apple's AirPort Express WAP and OS X 10.3.3 (Panther) release, Novell Netware 6.5, FreeBSD 5.3-BETA, a bunch of Linksys and D-Link consumer junk, the latest Cisco IOS 12.2 releases, a ton of miscellaneous broadband routers and printers, and much more. - Updated nmap-mac-prefixes with the latest OUIs from the IEEE. [ http://standards.ieee.org/regauth/oui/oui.txt ] - Updated nmap-protocols with the latest IP protocols from IANA [ http://www.iana.org/assignments/protocol-numbers ] - Added a few new Nmap version detection signatures thanks to a patch from Martin Maèok (martin.macok(a)underground.cz). - Fixed a crash problem in the Windows version of Nmap, thanks to a patch from Ganga Bhavani GBhavani(a)everdreamcorp.com). - Fixed Windows service scan crashes that occur with the error message "Unexpected nsock_loop error. Error code 10022 (Unknown error)". It turns out that Windows does not allow select() calls with all three FD sets empty. Lame. The Linux select() man page even suggests calling "select with all three sets empty, n zero, and a non-null timeout as a fairly portable way to sleep with subsecond precision." Thanks to Gisle Vanem (giva(a)bgnett.no) for debugging help. - Added --max_scan_delay parameter. Nmap will sometimes increase the delay itself when it detects many dropped packets. For example, Solaris systems tend to respond with only one ICMP port unreachable packet per second during a UDP scan. So Nmap will try to detect this and lower its rate of UDP probes to one per second. This can provide more accurate results while reducing network congestion, but it can slow the scans down substantially. By default (with no -T options specified), Nmap allows this delay to grow to one second per probe. This option allows you to set a lower or higher maximum. The -T4 and -T5 scan modes now limit the maximum scan delay for TCP scans to 10 and 5 ms, respectively. - Fixed a bug that prevented RPC scan (-sR) from working for UDP ports unless service detection (-sV) was used. -sV is still usually a better approach than -sR, as the latter ONLY handles RPC. Thanks to Stephen Bishop (sbishop(a)idsec.co.uk) for reporting the problem and sending a patch. - Fixed nmap_fetchfile() to better find custom versions of data files such as nmap-services. Note that the implicitly read directory should be ~/.nmap rather than ~/nmap . So you may have to move any customized files you now have in ~/nmap . Thanks to nnposter (nnposter(a)users.sourceforge.net) for reporting the problem and sending a patch. - Changed XML output so that the MAC address [address] element comes right after the IPv4/IPv6 [address] element. Apparently this is needed to comply with the DTD ( http://www.insecure.org/nmap/data/nmap.dtd ). Thanks to Adam Morgan (adam.morgan(a)Q1Labs.com) and Florian Ebner (Florian.Ebner(a)e-bros.de) for the problem reports. - Fixed an error in the Nmap RPM spec file reported by Pascal Trouvin (pascal.trouvin(a)wanadoo.fr) - Fixed a timing problem in which a specified large --send_delay would sometimes be reduced to 1 second during a scan. Thanks to Martin Macok (martin.macok(a)underground.cz) for reporting the problem. - Fixed a timing problem with sneaky and paranoid modes (-T1 and -T0) which would cause Nmap to continually scan the same port and never hit other ports when scanning certain firewalled hosts. Thanks to Curtis Doty (Curtis(a)GreenKey.net) for reporting the problem. - Fixed a bug in the build system that caused most Nmap subdirectories to be configured twice. Changing the variable holding the name of subdirs from $subdirs to $nmap_cfg_subdirs resolved the problem -- configure must have been using that variable name for its own internal operations. Anyway, this should reduce compile time significantly. - Made a trivial change to nsock/src/nsock_event.c to work around a "a bug in GCC 3.3.1 on FreeBSD/sparc64". I found the patch by digging around the FreeBSD ports tree repository. It would be nice if the FreeBSD Nmap port maintainers would report such things to me, rather than fixing it in their own Nmap tree and then applying the patch to every future version. On the other hand, they deserve some sort of "most up-to-date" award. I stuck Nmap 3.71-PRE1 in the dist directory for a few people to test, and made no announcement or direct link. The FreeBSD crew found it and upgraded anyway :). The gcc-workaround patch was apparently submitted to the FreeBSD folks by Marius Strobl (marius(a)alchemy.franken.de). - Fixed (I hope) an OS detection timing issue which would in some cases lead to the warning that "insufficient responses for TCP sequencing (3), OS detection may be less accurate." Thanks to Adam Kerrison (adam(a)tideway.com) for reporting the problem. - Modified the warning given when files such as nmap-services exist in both the compiled in NMAPDATADIR and the current working directory. That message should now only appear once and is more clear. - Fixed ping scan subsystem to work a little bit better when --scan_delay (or some of the slower -T templates which include a scan delay) is specified. Thanks to Shahid Khan (khan(a)asia.apple.com) for suggestions. - Taught connect() scan to properly interpret ICMP protocol unreachable messages. Thanks to Alan Bishoff (abishoff(a)arc.nasa.gov) for the report. - Improved the nmapfe.desktop file to better comply with standards. Thanks to Stephane Loeuillet (stephane.loeuillet(a)tiscali.fr) for sending the patch.
2004-10-03Libtool fix for PR pkg/26633, and other issues. Update libtool to 1.5.10tv1-1/+2
in the process. (More information on tech-pkg.) Bump PKGREVISION and BUILDLINK_DEPENDS of all packages using libtool and installing .la files. Bump PKGREVISION (only) of all packages depending directly on the above via a buildlink3 include.
2004-09-01Update to version 3.70.salo2-5/+5
Significant changes: - Rewrote core port scanning engine, which is now named ultra_scan(). Improved algorithms make this faster (often dramatically so) in almost all cases. Not only is it superior against single hosts, but ultra_scan() can scan many hosts (sometimes hundreds) in parallel. This offers many efficiency/speed advantages. For example, hosts often limit the ICMP port unreachable packets used by UDP scans to 1/second. That made those scans extraordinarily slow in previous versions of Nmap. But if you are scanning 100 hosts at once, suddenly you can receive 100 responses per second. Spreading the scan amongst hosts is also gentler toward the target hosts. Nmap can still scan many ports at the same time, as well. If you find cases where ultra_scan is slower or less accurate, please send a report (including exact command-lines, versions used, and output, if possible) to Fyodor. - Added --max_hostgroup option which specifies the maximum number of hosts that Nmap is allowed to scan in parallel. - Added --min_hostgroup option which specifies the minimum number of hosts that Nmap should scan in parallel (there are some exceptions where Nmap will still scan smaller groups -- see man page). Of course, Nmap will try to choose efficient values even if you don't specify hostgroup restrictions explicitly. - Rewrote TCP SYN, ACK, Window, and Connect() scans to use ultra_scan() framework, rather than the old pos_scan(). - Rewrote FIN, Xmas, NULL, Maimon, UDP, and IP Protocol scans to use ultra_scan(), rather than the old super_scan(). - Overhauled UDP scan. Ports that don't respond are now classified as "open|filtered" (open or filtered) rather than "open". The (somewhat rare) ports that actually respond with a UDP packet to the empty probe are considered open. If version detection is requested, it will be performed on open|filtered ports. Any that respond to any of the UDP probes will have their status changed to open. This avoids a the false-positive problem where filtered UDP ports appear to be open, leading to terrified newbies thinking their machine is infected by back orifice. - Nmap now estimates completion times for almost all port scan types (any that use ultra_scan()) as well as service scan (version detection). These are only shown in verbose mode (-v). On scans that take more than a minute or two, you will see occasional updates like: SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining) New updates are given if the estimates change significantly. - Added --exclude option, which lets you specify a comma-separated list of targets (hosts, ranges, netblocks) that should be excluded from the scan. This is useful to keep from scannig yourself, your ISP, particularly sensitive hosts, etc. The new --excludefile reads the list (newline-delimited) from a given file. All the work was done by Mark-David McLaughlin (mdmcl(a)cisco.com> and William McVey ( wam(a)cisco.com ), who sent me a well-designed and well-tested patch. - Nmap now has a "port scan ping" system. If it has received at least one response from any port on the host, but has not received responses lately (usually due to filtering), Nmap will "ping" that known-good port occasionally to detect latency, packet drop rate, etc. - Service/version detection now handles multiple hosts at once for more efficient and less-intrusive operation. - Nmap now wishes itself a happy birthday when run on September 1 in verbose mode! The first public release was on that date in 1997. - The port randomizer now has a bias toward putting commonly-accessible ports (80, 22, etc.) near the beginning of the list. Getting a response early helps Nmap calculate response times and detect packet loss, so the scan goes faster. - Host timeout system (--host_timeout) overhauled to support host parallelization. Hosts times are tracked separately, so a host that finishes a SYN scan quickly is not penalized for an exceptionally slow host being scanned at the same time. - When Nmap has not received any responses from a host, it can now use certain timing values from other hosts from the same scan group. This way Nmap doesn't have to use absolute-worst-case (300bps SLIP link to Uzbekistan) round trip timeouts and such. - Enabled MAC address reporting when using the Windows version of Nmap. Thanks to Andy Lutomirski (luto(a)stanford.edu) for writing and sending the patch. - Workaround crippled raw sockets on Microsoft Windows XP SP2 scans. I applied a patch by Andy Lutomirski (luto(a)stanford.edu) which causes Nmap to default to winpcap sends instead. The winpcap send functionality was already there for versions of Windows such as NT and Win98 that never supported Raw Sockets in the first place. - Changed how Nmap sends Arp requests on Windows to use the iphlpapi SendARP() function rather than creating it raw and reading the response from the Windows ARP cache. This works around a (reasonable) feature of Windows Firewall which ignored such unsolicited responses. The firewall is turned on by default as of Windows XP SP2. This change was implemented by Dana Epp (dana(a)vulscan.com). - Fixed some Windows portability issues discovered by Gisle Vanem (giva(a)bgnett.no). - Upgraded libpcap from version 0.7.2 to 0.8.3. This was an attempt to fix an annoying bug, which I then found was actually in my code rather than libpcap :). - Removed Ident scan (-I). It was rarely useful, and the implementation would have to be rewritten for the new ultra_scan() system. If there is significant demand, perhaps I'll put it back in sometime. - Documented the --osscan_limit option, which saves time by skipping OS detection if at least one open and one closed port are not found on the remote hosts. OS detection is much less reliable against such hosts anyway, and skipping it can save some time. - Updated nmapfe.desktop file to provide better NmapFE desktop support under Fedora Core and other systems. Thanks to Mephisto (mephisto(a)mephisto.ma.cx) for sending the patch. - Further nmapfe.desktop changes to better fit the freedesktop standard. The patch came from Murphy (m3rf(a)swimmingnoodle.com). - Fixed capitalization (with a perl script) of many over-capitalized vendor names in nmap-mac-prefixes. - Ensured that MAC address vendor names are always escaped in XML output if they contain illegal characters (particularly '&'). Thanks to Matthieu Verbert (mve(a)zurich.ibm.com) for the report and a patch. - Changed xmloutputversion in XML output from 1.0 to 1.01 to note that there was a slight change (which was actually the MAC stuff in 3.55). Thanks to Lionel CONS (lionel.cons(a)cern.ch) for the suggestion. - Many Windows portability fix and bug fixes, thanks to patch from Gisle Vanem (giva(a)bgnett.no). With these changes, he was able to compile Nmap on Windows using MingW + gcc 3.4 C++ rather than MS Visual Studio. - Removed (addport) tags from XML output. They used to provide open ports as they were discovered, but don't work now that the port scanners scan many hosts at once. They did not specify an IP address. Of course the appropriate (port) tags are still printed once scanning of a target is complete. - Configure script now detects GNU/k*BSD systems (whatever those are), thanks to patch from Robert Millan (rmh@debian.org) - Fixed various crashes and assertion failures related to the new ultra_scan() system, that were found by Arturo "Buanzo" Busleiman (buanzo(a)buanzo.com.ar), Eric (catastrophe.net), and Bill Petersen (bill.petersen(a)alcatel.com). - Fixed some minor memory leaks relating to ping and list scanning as well as the Nmap output table. These were found with valgrind ( http://valgrind.kde.org/ ). - Provide limited --packet_trace support for TCP connect() (-sT) scans. - Fixed compilation on certain Solaris machines thanks to a patch by Tom Duffy (tduffy(a)sun.com) - Fixed some warnings that crop up when compiling nbase C files with a C++ compiler. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending the patch. - Tweaked the License blurb on source files and in the man page. It clarifies some issues and includes a new GPL exception that explicitly allows linking with the OpenSSL library. Some people believe that the GPL and OpenSSL licenses are incompatable without this special exception. - Fixed some serious runtime portability issues on *BSD systems. Thanks to Eric (catastrophe.net) for reporting the problem. - Changed the argument parser to better detect bogus arguments to the -iR option. - Removed a spurious warning message relating to the Windows ARP cache being empty. Patch by Gisle Vanem (giva(a)bgnett.no). - Removed some C++-style line comments (//) from nbase, because some C compilers (particularly on Solaris) barf on those. Problem reported by Raju Alluri <Raju.Alluri(a)Sun.COM>
2004-07-07Updated to version 3.55.salo3-7/+7
Changes: ======== - Added MAC address printing. If Nmap receives packet from a target machine which is on an Ethernet segment directly connected to the scanning machine, Nmap will print out the target MAC address. Nmap also now contains a database (derived from the official IEEE version) which it uses to determine the vendor name of the target ethernet interface. The Windows version of Nmap does not yet have this capability. If any Windows developer types are interesting in adding it, you just need to implement IPisDirectlyConnected() in tcpip.cc and then please send me the patch. Here are examples from normal and XML output (angle brackets replaced with [] for HTML changelog compatability): MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems) [address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" /] - Updated the XML DTD to support the newly printed MAC addresses. Thanks to Thorsten Holz (thorsten.holz(a)mmweg.rwth-aachen.de) for sending this patch. - Added a bunch of new and fixed service fingerprints for version detection. These are from Martin Macok (martin.macok(a)underground.cz). - Normalized many of the OS names in nmap-os-fingerprints (fixed capitalization, typos, etc.). Thanks to Royce Williams (royce(a)alaska.net) and Ping Huang (pshuang(a)alum.mit.edu) for sending patches. - Modified the mswine32/nmap_performance.reg Windows registry file to use an older and more compatable version. It also now includes the value "StrictTimeWaitSeqCheck"=dword:00000001 , as suggested by Jim Harrison (jmharr(a)microsoft.com). Without that latter value, the TcpTimedWaitDelay value apparently isn't checked. Windows users should apply the new registry changes by clicking on the .reg file. Or do it manually as described in README-WIN32. This file is also now available in the data directory at http://www.insecure.org/nmap/data/nmap_performance.reg - Applied patch from Gisle Vanem (giva(a)bgnett.no) which allows the Windows version of Nmap to work with WinPCAP 3.1BETA (and probably future releases). The Winpcap folks apparently changed the encoding of adaptor names in this release. - Fixed a ping scanning bug that would cause this error message: "nmap: targets.cc:196: int hostupdate (Target **, Target *, int, int, int, timeout_info *, timeval *, timeval *, pingtune *, tcpqueryinfo *, pingstyle): Assertion `pt->down_this_block > 0' failed." Thanks to Beirne Konarski (beirne(a)neo.rr.com) for reporting the problem. - If a user attempts -PO (the letter O), print an error suggesting that they probably mean -P0 (Zero) to disable ping scanning. - Applied a couple patches (with minor changes) from Oliver Eikemeier (eikemeier(a)fillmore-labs.com) which fix an edge case relating to decoy scanning IP ranges that must be sent through different interfaces, and improves the Nmap response to certain error codes returned by the FreeBSD firewall system. The patches are from http://cvsweb.freebsd.org/ports/security/nmap/files/ . - Many people have reported this error: "checking for type of 6th argument to recvfrom()... configure: error: Cannot find type for 6th argument to recvfrom()". In most cases, the cause was a missing or broken C++ compiler. That should now be detected earlier with a clearer message. - Fixed the FTP bounce scan to better detect filered ports on the target network. - Fixed some minor bugs related to the new MAC address printing feature. - Fixed a problem with UDP-scanning port 0, which was reported by Sebastian Wolfgarten (sebastian(a)wolfgarten.com). - Applied patch from Ruediger Rissmann (RRI(a)zurich.ibm.com), which helps Nmap understand an EACCESS error, which can happen at least during IPv6 scans from certain platforms to some firewalled targets. - Renamed ACK ping scan option from -PT to -PA in the documentation. Nmap has accepted both names for years and will continue to do so. - Removed the notice that Nmap is reading target specifications from a file or stdin when you specify the -iL option. It was sometimes printed to stdout even when you wanted to redirect XML or grepable output there, because it was printed during options processing before output files were handled. This change was suggested by Anders Thulin (ath(a)algonet.se). - Added --source_port as a longer, but hopefully easier to remember, alias for -g. In other words, it tries to use the constant source port number you specify for probes. This can help against poorly configured firewalls that trust source port 20, 53, and the like. - Removed undocumented (and useless) -N option. - Fixed a version detection crash reported in excellent detail by Jedi/Sector One (j(a)pureftpd.org). - Applied patch from Matt Selsky (selsky(a)columbia.edu) which helps Nmap build with OpenSSL. - Modified the configure/build system to fix library ordering problems that prevented Nmap from building on certain platforms. Thanks to Greg A. Woods (woods(a)weird.com) and Saravanan (saravanan_kovai(a)HotPop.com) for the suggestions. - Applied a patch to Makefile.in from Scott Mansfield (thephantom(a)mac.com) which enables the use of a DESTDIR variable to install the whole Nmap directory structure under a different root directory. The configure --prefix option would do the same thing in this case, but DESTDIR is apparently a standard that package maintainers like Scott are used to. An example usage is "make DESTDIR=/tmp/packageroot". - Removed unnecessary banner printing in the non-root connect() ping scan. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and a patch. - Updated the headers at the top of each source file (mostly to advance the copyright year to 2004 and note that Nmap is a registered trademark).
2004-03-26PKGREVISION bump after openssl-security-fix-update to 0.9.6m.wiz1-1/+2
Buildlink files: RECOMMENDED version changed to current version.
2004-02-04+ USE_LANGUAGES=c c++abs1-1/+2
2004-01-23bl3ify and allow pkgviews installation.jmmv1-5/+7
2004-01-22Updated to version 3.50.salo4-20/+20
- update DESCR Notable changes: - Integrated a ton of service fingerprints, increasing the number of signatures more than 50%. It has now exceeded 1,000 for the first time, and represents 180 unique service protocols from acap, afp, and aim to xml-rpc, zebedee, and zebra. - Implemented a huge OS fingerprint update. The number of fingerprints has increased more than 13% to 1,121. This is the first time it has exceeded 1000. Notable updates include Linux 2.6.0, Mac OS X up to 10.3.2 (Panther), OpenBSD 3.4 (normal and pf "scrub all"), FreeBSD 5.2, the latest Windows Longhorn warez, and Cisco PIX 6.3.3. As usual, there are a ton of new consumer devices from ubiquitous D-Link, Linksys, and Netgear broadband routers to a number of new IP phones including the Cisco devices commonly used by Vonage. Linksys has apparently gone special-purpose with some of their devices, such as their WGA54G "Wireless Game Adapter" and WPS54GU2 wireless print server. A cute little MP3 player called the Rio Karma was submitted multiple times and I also received and integrated fingerprints for the Handspring Treo 600 (PalmOS). - Applied some man page fixes from Eric S. Raymond (esr(a)snark.thyrsus.com). - Added version scan information to grepable output between the last two '/' delimiters (that space was previously unused). So the format is now "portnum/state/protocol/owner/servicename/rpcinfo/versioninfo" as in "53/open/tcp//domain//ISC Bind 9.2.1/" and "22/open/tcp//ssh//OpenSSH 3.5p1 (protocol 1.99)/". Thanks to MadHat (madhat(a)unspecific.com) for sending a patch (although I did it differently). Note that any '/' characters in the version (or owner) field are replaced with '|' to keep awk/cut parsing simple. The service name field has been updated so that it is the same as in normal output (except for the same sort of escaping discussed above). - Integrated an Oracle TNS service probe and match lines contributed by Frank Berger (fm.berger(a)gmx.de). New probe contributions are always appreciated! - Fixed a crash that could happen during SSL version detection due to SSL session ID cache reference counting issues. - Applied patch to nmap XML dtd (nmap.dtd) from Mario Manno (mm(a)koeln.ccc.de). This accounts for the new version scanning functionality. - Upgraded to Autoconf 2.59 (from 2.57). This should help HP-UX compilation problems reported by Petter Reinholdtsen (pere(a)hungry.com) and may have other benefits as well. - Made Ident-scan (-I) limits on the length and type of responses stricter so that rogue servers can't flood your screen with 1024 characters. The new length limit is 32. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and a patch. - Fingerprints for unrecognized services can now be a bit longer to avoid truncating as much useful response information. While the fingerprints can be longer now, I hope they will be less frequent because of all the newly recognized services in this version. - The nmap-service-probes "match" directive can now take a service name like "ssl/vmware-auth". The service will then be reported as vmware-auth (or whatever follows "ssl/") tunneled by SSL, yet Nmap won't actually bother initiating an SSL connection. This is useful for SSL services which can be fully recognized without the overhead of making an SSL connection. - Version scan now chops commas and whitespace from the end of vendorproductname, version, and info fields. This makes it easier to write templates incorporating lists. For example, the tcpmux service (TCP port 1) gives a list of supported services separated by CRLF. Nmap uses this new feature to print them comma separated without having an annoying trailing comma as so (linewrapped): match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$| v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
2003-11-12PKGREVISION++ after openssl update.jschauma1-1/+2
2003-10-13Update to version 3.48.salo4-74/+23
Changes since 3.45: =================== o Integrated an enormous number of version detection service submissions. The database has almost doubled in size to 663 signatures representing the following 130 services: 3dm-http afp apcnisd arkstats bittorent chargen citrix-ica cvspserver cvsup dantzretrospect daytime dict directconnect domain echo eggdrop exec finger flexlm font-service ftp ftp-proxy gnats gnutella-http hddtemp hp-gsg http http-proxy hylafax icecast ident imap imaps imsp ipp irc ircbot irc-proxy issrealsecure jabber kazaa-http kerberos-sec landesk-rc ldap linuxconf lmtp lotusnotes lpd lucent-fwadm meetingmaker melange microsoft-ds microsoft-rdp mldonkey msactivesync msdtc msrpc ms-sql-m mstask mud mysql napster ncacn_http ncp netbios-ns netbios-ssn netrek netsaint netstat netwareip networkaudio nntp nsclient nsunicast ntop-http omniback oracle-mts oracle-tns pcanywheredata pksd pmud pop2 pop3 pop3s poppass postgresql powerchute printer qotd redcarpet rendezvous rlogind rpc rsync rtsp sdmsvc sftp shell shivahose sieve slimp3 smtp smux snpp sourceoffice spamd ssc-agent ssh ssl svrloc symantec-av symantec-esm systat telnet time tinyfw upnp uucp veritasnetbackup vnc vnc-http vtun webster whois wins winshell wms X11 xfce zebra o Added the ability to execute "helper functions" in version templates, to help clean up/manipulate data captured from a server response. The first defined function is P() which includes only printable characters in a captured string. The main impetus for this is to deal with unicode strings like "W\0O\0R\0K\0G\0R\0O\0U\0P\0" that many MS protocols send. Nmap can now decode that into "WORKGROUP". o Added SUBST() helper function, which replaces strings in matched appname/version/extrainfo strings with something else. For example, VanDyke Vshell gives a banner that includes "SSH-2\.0-VShell_2_2_0_528". A substring match is used to pick out the string "2_2_0_528", and then SUBST(1,"_",".") is called on that match to form the version number 2.2.0.528. o If responses to a probe fail to match any of the registered match strings for that probe, Nmap will now try against the registered "null probe" match strings. This helps in the case that the NULL probe initially times out (perhaps because of initial DNS lookup) but the banner appears in later responses. o Applied some portability fixes (particularly for OpenBSD) from Chad Loder (cloder(a)loder.us), who is also now the OpenBSD Nmap port maintainer. o Applied some portability fixes from Marius Strobl (marius(a)alchemy.franken.de). o The tarball distribution of Nmap now strips the binary at install time thanks to a patch from Marius Strobl (marius(a)alchemy.franken.de). o Fixed a problem related to building Nmap on systems that lack PCRE libs (and thus have to use the ones included by Nmap). Thanks to Remi Denis-Courmont (deniscr6(a)cti.ecp.fr) for the repot and patch. o Alphebetized the service names in each Probe section in nmap-service-probes (makes them easier to find and add to). o Fixed the problem several people reported where Nmap would quit with a "broken pipe" error during service scanning. Thanks to Jari Ruusu (jari.ruusu(a)pp.inet.fi) for sending a patch. The actual error message was "Unexpected error in NSE_TYPE_READ callback. Error code: 32 (Broken pipe)" o Fixed protocol scan (-sO), which I had broken when adding the new output table format. It would complain "NmapOutputTable.cc:128: failed assertion `row < numRows'". Thanks to Matt Burnett (marukka(a)mac.com) for notifying me of the problem. o Upgraded Libpcap to the latest tcpdump.org version (0.7.2) from 0.7.1 o Applied a patch from Peter Marschall (peter(a)adpm.de) which adds version detection support to nmapfe. o Fixed a problem with XML output being invalid when service detection was done on SSL-tunneled ports. Thanks to the several people who reported this - it means that folks are actually using the XML output :). o Fixed (I hope) some Solaris Sune ONE compiler compilation problems reported (w/patches) by Mikael Mannstrom (candyman(a)penti.org) o Fixed the --with-openssl configure option for people who have OpenSSL installed in a path not automatically found by their compilers. Thanks to Marius Strobl (marius(a)alchemy.franken.de) for the patch. o Made some portability changes for HP-UX and possibly other types of machines, thanks to a patch from Petter Reinholdtsen (pere(a)hungry.com) o Applied a patch from Matt Selsky (selsky@columbia.edu) which fixes compilation on some Solaris boxes, and maybe others. The error said "cannot compute sizeof (char)" o Applied some patches from the NetBSD ports tree that Hubert Feyrer (hubert.feyrer(a)informatik.fh-regensburg.de) sent me. The NetBSD Nmap ports page is at http://www.NetBSD.org/packages/net/nmap/ . o Applied some Makefile patches from the FreeBSD ports tree that I found at http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/nmap/files/
2003-10-07Make this configure correctly under Linux. The configure scriptreed2-7/+18
assumed incorrectly that if you are using Linux, that you want to use the nmap-provided libpcap code; but the libpcap package works fine. (Okay'd by salo.)
2003-09-20Update to version 3.45.salo7-28/+120
Also closes PR pkg/22845 by Adrian Portelli. Changes: 3.45: ===== - Added new HTTPOptions and RTSPRequest probes suggested by MadHat (madhat(a)unspecific.com) - Integrated more service signatures from MadHat (madhat(a)unspecific.com), Brian Hatch (bri(a)ifokr.org), Niels Heinen (zillion(a)safemode.org), Solar Designer (solar(a)openwall.com), Seth Master (smaster(a)stanford.edu), and Curt Wilson (netw3_security(a)hushmail.com), - Applied a patch from Solar Eclipse (solareclipse(a)phreedom.org) which increases the allowed size of the 'extrainfo' version field from 80 characters to 128. The main benefit is to allow longer apache module version strings. - Fixed Windows compilation. - Applied some updates to README-WIN32 sent in by Kirby Kuehl (kkuehl(a)cisco.com). He improved the list of suggested registry changes and also fixed a typo or two. He also attached a .reg file automate the Nmap connect() scan performance enhancing registry changes. I am now including that with the Nmap Windows binary .zip distribution (and in mswin32/ of the source distro). - Applied a one-line patch from Dmitry V. Levin (ldv@altlinux.org) which fixes a test Nmap does during compilation to see if an existing libpcap installation is recent enough. 3.40PVT17: ========== - Wrote and posted a new paper on version scanning to http://www.insecure.org/nmap/versionscan.html . Updated nmap-service-probes and the Nmap man page to simply refer to this URL. - Integrated more service signatures from my own scanning as well as contributions from Brian Hatch (bri(a)ifokr.org), MadHat (madhat(a)unspecific.com), Max Vision (vision(a)whitehats.com), HD Moore (hdm(a)digitaloffense.net), Seth Master (smaster(a)stanford.edu), and Niels Heinen (zillion(a)safemode.org). MadHat also contributed a new probe for Windows Media Service. Many people set a LOT of signatures, which has allowed nmap-service-probes to grow from 295 to 356 signatures representing 85 service protocols! - Applied a patch (with slight changes) from Brian Hatch (bri(a)ifokr.org) which enables caching of SSL sessions so that negotiation doesn't have to be repeated when Nmap reconnects to the same between probes. - Applied a patch from Brian Hatch (bri@ifokr.org) which optimizes the requested SSL ciphers for speed rather than security. The list was based on empirical evidence from substantial benchmarking he did with tests that resemble nmap-service-scanning. - Updated the Nmap man page to discuss the new version scanning options (-sV, -A). - I now include nmap-version/aclocal.m4 in the distribution as this is required to rebuild the configure script ( thanks to Dmitry V. Levin (ldv(a)altlinux.org) for notifying me of the problem. - Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which detects whether the PCRE include file is <pcre.h> or <pcre - Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which fixes typos in some error messages. The patch apparently came from the highly-secure and stable Owl and Alt Linux distributions. Check them out at http://www.openwall.com/Owl/ and http://www.altlinux.com/ - Fixed compilation on Mac OS X - thanks to Brian Hatch (bri(a)ifokr.org> and Ryan Lowe (rlowe(a)pablowe.net) for giving me access to Mac OS X boxes. - Stripped down libpcre build system to remove libtool dependency and other cruft that Nmap doesn't need. (this was mostly a response to libtool-related issues on Mac OS X). - Added a new --version_trace option which causes Nmap to print out extensive debugging info about what version scanning is doing (this is a subset of what you would get with --packet_trace). You should usually use this in combination with at least one -d option. - Fixed a port number printing bug that would cause Nmap service fingerprints to give a negative port number when the actual port was above 32K. Thanks to Seth Master (smaster@stanford.edu) for finding this. - Updated all the header text again to clarify our interpretation of "derived works" after some suggestions from Brian Hatch (bri(a)ifokr.org) - Updated the Nsock config.sub/config.guess to the same newer versions that Nmap uses (for Mac OS X compilation). 3.40PVT16: ========== - Fixed a compilation problem on systems w/o OpenSSL that was discovered by Solar Designer. I also fixed some compilation problems on non-IPv6 systems. It now compiles and runs on my Solaris and ancient OpenBSD systems. - Integrated more services thanks to submissions from Niels Heinen (zillion(a)safemode.org). - Canonicalized the headers at the top of each Nmap/Nsock header src file. This included clarifying our interpretation of derived works, updating the copyright date to 2003, making the header a bit wider, and a few other light changes. I've been putting this off for a while, because it required editing about a hundred !#$# files! 3.40PVT15: ========== - Fixed a major bug in the Nsock time caching system. This could cause service detection to inexplicably fail against certain ports in the second or later machines scanned. Thanks to Solar Designer and HD Moore for helping me track this down. - Fixed some *BSD compilation bugs found by Zillion (zillion(a)safemode.org). - Integrated more services thanks to submissions from Fyodor Yarochkin (fygrave(a)tigerteam.net), and Niels Heinen (zillion(a)safemode.org), and some of my own exploring. There are now 295 signatures. - Fixed a compilation bug found by Solar Designer on machines that don't have struct sockaddr_storage. Nsock now just uses "struct sockaddr *" like connect() does. - Fixed a bug found by Solar Designer which would cause the Nmap portscan table to be truncated in -oN output files if the results are very long. - Changed a bunch of large stack arrays (e.g. int portlookup[65536]) into dynamically allocated heap pointers. The large stack variables apparently caused problems on some architectures. This issue was reported by osamah abuoun (osamah_abuoun(a)hotmail.com). 3.40PVT14: ========== - Added IPv6 support for service scan. - Added an 'sslports' directive to nmap-service-probes. This tells Nmap which service checks to try first for SSL-wrapped ports. The syntax is the same as the normal 'ports' directive for non-ssl ports. For example, the HTTP probe has an 'sslports 443' line and SMTP-detecting probes have and 'sslports 465' line. - Integrated more services thanks to submissions from MadHat (madhat(a)unspecific.com), Solar Designer (solar(a)openwall.com), Dug Song (dugsong(a)monkey.org), pope(a)undersec.com, and Brian Hatch (bri(a)ifokr.org). There are now 288 signatures, matching these 65 service protocols: chargen cvspserver daytime domain echo exec finger font-service ftp ftp-proxy http http-proxy hylafax ident ident imap imaps ipp ircbot ircd irc-proxy issrealsecure landesk-rc ldap meetingmaker microsoft-ds msrpc mud mysql ncacn_http ncp netbios-ns netbios-ssn netsaint netwareip nntp nsclient oracle-tns pcanywheredata pop3 pop3s postgres printer qotd redcarpet rlogind rpc rsync rtsp shell smtp snpp spamd ssc-agent ssh ssl telnet time upnp uucp vnc vnc-http webster whois winshell X11 - Added a Lotus Notes probe from Fyodor Yarochkin (fygrave(a)tigerteam.net). - Dug Song wins the "award" for most obscure service fingerprint submission. Nmap now detects Dave Curry's Webster dictionary server from 1986 :). - Service fingerprints now include a 'T=SSL' attribute when SSL tunneling was used. - More portability enhancements thanks to Solar Designer and his Linux 2.0 libc5 boxes. - Applied a patch from Gisle Vanem (giva(a)bgnett.no) which improves Windows emulation of the UNIX mmap() and munmap() memory mapping calls. 3.40PVT13: ========== - Added SSL-scan-through support. If service detection finds a port to be SSL, it will transparently connect to the port using OpenSSL and use version detection to determine what service lies beneath. This feature is only enabled if OpenSSL is available at build time. A new --with-openssl=DIR configure option is available if OpenSSL is not in your default compiler paths. You can use --without-openssl to disable this functionality. Thanks to Brian Hatch (bri(a)ifokr.org) for sample code and other assistance. Make sure you use a version without known exploitable overflows. In particular, versions up to and including OpenSSL 0.9.6d and 0.9.7-beta2 contained serious vulnerabilities described at http://www.openssl.org/news/secadv_20020730.txt . Note that these vulnerabilities are well over a year old at the time of this writing. - Integrated many more services thanks to submissions from Brian Hatch, HellNBack ( hellnbak(a)nmrc.org ), MadHat, Solar Designer, Simple Nomad, and Shawn Wallis (swallis(a)ku.edu). The number of signatures has grown from 242 to 271. Thanks! - Integrated Novell Netware NCP and MS Terminal Server probes from Simple Nomad (thegnome(a)nmrc.org). - Fixed a segfault found by Solar Designer that could occur when scanning certain "evil" services. - Fixed a problem reported by Solar Designer and MadHat ( madhat(a)unspecific.com ) where Nmap would bail when certain Apache version/info responses were particularly long. It could happen in other cases as well. Now Nmap just prints a warning. - Fixed some portability issues reported by Solar Designer ( solar(a)openwall.com ) 3.40PVT12: ========== - I added probes for SSL (session startup request) and microsoft-ds (SMB Negotiate Protocol request). - I changed the default read timeout for a service probe from 7.5s to 5s. - Fixed a one-character bug that broke many scans when -sV was NOT given. Thanks to Blue Boar (BlueBoar(a)thievco.com) for the report. 3.40PVT11: ========== - Integrated many more services thanks to submissions from Simple Nomad, Solar Designer, jerickson(a)inphonic.com, Curt Wilson, and Marco Ivaldi. Thanks! The match line count has risen from 201 to 242. - Implemented a service classification scheme to separate the vendor/product name from the version number and any extra info that is provided. Instead of v/[big version string]/, the new match lines include v/[vendor/productname]/[version]/[extrainfo]/ . See the docs at the top of nmap-service-probes for more info. This doesn't change the normal output (which lumps them together anyway), but they are separate in the XML so that higher-level programs can easily match against just a product name. Here are a few examples of the improved service element: <service name="ssh" product="OpenSSH" version="3.1p1" extrainfo="protocol 1.99" method="probed" conf="10" /> <service name="domain" product="ISC Bind" version="9.2.1" method="probed" conf="10" /> <state state="open" /><service name="rpcbind" version="2" extrainfo="rpc #100000" method="probed" conf="10" /> <service name="rndc" method="table" conf="3" /> - I went through nmap-service-probes and added the vendor name to more entries. I also added the service name where the product name itself didn't make that completely obvious. - SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken to an extortion campaign of demanding license fees from Linux users for code that they themselves knowingly distributed under the terms of the GNU GPL. They have also refused to accept the GPL, claiming that some preposterous theory of theirs makes it invalid. Meanwhile they have distributed GPL-licensed Nmap in (at least) their "Supplemental Open Source CD". In response to these blatant violations, and in accordance with section 4 of the GPL, we hereby terminate SCO's rights to redistribute any versions of Nmap in any of their products, including (without limitation) OpenLinux, Skunkware, OpenServer, and UNIXWare. 3.40PVT10: ========== - Added "soft matches". These are similar to normal match lines in that they provide a regex for recognizing a service (but no version). But instead of stopping at softmatch service recognition, the scan continues looking for more info. It only launches probes that are known-capable of matching the softmatched service. If no version number is found, at least the determined service is printed. A service print for submission is also provided in that case. So this provides more informative results and improves efficiency. - Cleaned up the Windows support a bit and did more testing and fixing. Windows service detection seems to be working fine for me now, although my testing is still pretty limited. This release includes a Windows binary distribution and the README-WIN32 has been updated to reflect new compilation instructions. - More service fingerprints! Thanks to Solar Designer, Max Vision, Frank Denis (Jedi/Sector One) for the submissions. I also added a bunch from my own testing. The number of match lines went from 179 to 201. - Updated XML output to handle new version and service detection information. Here are a few examples of the new output: <port protocol="tcp" portid="22"><state state="open" /><service name="ssh" version="OpenSSH 3.1p1 (protocol 1.99)" method="probed" conf="10" /></port> <port protocol="tcp" portid="111"><state state="open" /><service name="rpcbind" version="2 (rpc #100000)" method="probed" conf="10" /></port> <port protocol="tcp" portid="953"><state state="open" /><service name="rndc" method="table" conf="3" /></port> - Fixed issue where Nmap would quit when ECONNREFUSED was returned when we try to read from an already-connected TCP socket. FreeBSD does this for some reason instead of giving ECONNRESET. Thanks to Will Saxon (WillS(a)housing.ufl.edu) for the report. - Removed the SERVICEMATCH_STATIC match type from nmap-service-probes. There wasn't much benefit of this over regular expressions, so it isn't worth maintaining the extra code. 3.40PVT9: ========= - Added/fixed numerous service fingerprints thanks to submissions from Max Vision, MadHat, Seth Master. Match lines went from 164 to 179. - The Winpcap libraries used in the Windows build process have been upgraded to version 3.0. - Most of the Windows port is complete. It compiles and service scan works (I didn't test very deeply) on my WinXP box with VS.Net 2003. I try to work out remaining kinks and do some cleanup for the next version. The Windows code was restructured and improved quite a bit, but much more work remains to be done in that area. I'll probably do a Windows binary .zip release of the next version. - Various minor fixes 3.40PVT8: ========= - Service scan is now OFF by default. You can activate it with -sV. Or use the snazzy new -A (for "All recommended features" or "Aggressive") option which turns on both OS detection and service detection. - Fixed compilation on my ancient OpenBSD 2.3 machine (a Pentium 60 :) - Added/fixed numerous service fingerprints thanks to submissions from Brian Hatch, HD Moore, Anand R., and some of my own testing. The number of match lines in this version grows from 137 to 164! Please keep 'em coming! - Various important and not-so-important fixes for bugs I encountered while test scanning. - The RPC grinder no longer prints a startup message if it has no RPC-detected ports to scan. - Some of the service fingerprint length limitations are relaxed a bit if you enable debugging (-d). 3.40PVT7: ========= - Added a whole bunch of services submitted by Brian Hatch (bri(a)ifokr.org). I also added a few Windows-related probes. Nmap-service-probes has gone from 101 match strings to 137. Please keep the submissions coming. - The question mark now only appears for ports in the OPEN state and when service detection was requested. - I now print a separator bar between service fingerprints when Nmap prints more than one for a given host so that users understand to submit them individually (suggested by Brian Hatch (bri(a)ifokr.org)) - Fixed a bug that would cause Nmap to print "empty" service fingerprints consisting of just a semi-colon. Thanks to Brian Hatch (bri(a)ifokr.org) for reporting this. 3.40PVT6: ========= - Banner-scanned hundreds of thousands of machines for ports 21,23,25,110,3306 to collect default banners. Where the banner made the service name/version obvious, I integrated them into nmap-service-probes. This increased the number of 'match' lines from 27 to more than 100. - Created the service fingerprint submission page at http://www.insecure.org/cgi-bin/servicefp-submit.cgi - Changed the service fingerprint format slightly for easier processing by scripts. - Applied a large portability patch from Albert Chin-A-Young (china(a)thewrittenword.com). This cleans up a number of things, particularly for IRIX, Tru64, and Solaris. - Applied NmapFE patch from Peter Marschall (peter(a)adpm.de) which "makes sure changes in the relay host and scanned port entry fields are displayed immediately, and also keeps the fields editable after de- and reactivating them." 3.40PVT4: ========= - Limited the size of service fingerprints to roughly 1024 bytes. This was suggested by Niels Heinen (niels(a)heinen.ws), because the previous limit was excessive. The number of fingerprints printed is also now limited to 10. - Fixed a segmentation fault that could occur when ping-scanning large networks. - Fixed service scan to gracefully handle host_timeout occurrences when they happen during a service scan. - Fixed a service_scan bug that would cause an error when hosts send data and then close() during the NULL probe (when we haven't sent anything). - Applied a patch from Solar Designer (solar(a)openwall.com) which corrects some errors in the Russian man page translation and also a couple typos in the regular man page. Then I spell-checked the man page to reduce future instances of foreigners sending in diffs to correct my English :). 3.40PVT3: ========= - Nmap now prints a "service fingerprint" for services that it is unable to match despite returning data. The web submission page it references is not yet available. - Service detection now does RPC grinding on ports it detects to be running RPC. - Fixed a bug that would cause Nmap to quit with an Nsock error when --host_timeout was used (or when -T5 was used, which sets it implicitly). - Fixed a bug that would cause Nmap to fail to print the OS fingerprint in certain cases. Thanks to Ste Jones (root(a)networkpenetration.com) for the problem report. 3.40PVT2: ========= - Nmap now has a simple VERSION detection scheme. The 'match' lines in nmap-service-probes can specify a template version string (referencing subexpression matches from the regex in a perl-like manner) so that the version is determined at the same time as the service. This handles many common services in a highly efficient manner. A more complex form of version detection (that initiates further communication w/the target service) may be necessary eventually to handle services that aren't as forthcoming with version details. - The Nmap port state table now wastes less whitespace due to using a new and stingy NmapOutputTable class. This makes it easier to read, and also leaves more room for version info and possibly other enhancements. - Added 's' option to match lines in nmap-service-probes. Just as with the perl 's' option, this one causes '.' in the regular expression to match any character INCLUDING newline. - The WinPcap header timestamp is no longer used on Windows as it sometimes can be a couple seconds different than gettimeofday() (which is really _ftime() on Windows) for some reason. Thanks to Scott Egbert (scott.egbert(a)citigroup.com) for the report. - Applied a patch by Matt Selsky (selsky(a)columbia.edu) which fixes configure.in in such a way that the annoying header file "present but cannot be compiled" warning for Solaris. - Applied another patch from Matt that (we hope) fixes the "present but cannot be compiled" warning -- this time for Mac OS X. - Port table header names are now capitalized ("SERVICE", "PORT", etc) 3.40PVT1: ========= - Initial implementation of service detection. Nmap will now probe ports to determine what is listening, rather than guessing based on the nmap-services table lookup. This can be very useful for services on unidentified ports and for UDP services where it is not always clear (without these probes) whether the port is really open or just firewalled. It is also handy for when services are run on the well-known-port of another protocol -- this is happening more and more as users try to circumvent increasingly strict firewall policies. - Nmap now uses the excellent libpcre (Perl Compatible Regular Expressions) library from http://www.pcre.org/ . Many systems already have this, otherwise Nmap will use the copy it now includes. If your libpcre is hidden away in some nonstandard place, give ./configure the new --with-libpcre=DIR directive. - Nmap now uses the C++ Standard Template Library (STL). This makes programming easier, but if it causes major portability or bloat problems, I'll reluctantly remove it. - Applied a patch from Javier Kohen (jkohen(a)coresecurity.com) which normalizes the names of many Microsoft entries in the nmap-os-fingerprints file. - Applied a patch by Florin Andrei (florin(a)sgi.com) to the Nmap RPM spec file. This uses the 'Epoch' flag to prevent the Redhat Network tool from marking my RPMs as "obsolete" and "upgrading" to earlier Redhat-built versions. A compilation flag problem is also fixed.
2003-07-17s/netbsd.org/NetBSD.org/grant1-2/+2
2003-07-09USE_GCC_SHLIBgrant1-1/+2
2003-07-04Updated to version 3.30.salo2-5/+5
Changes: - Implemented the largest-ever OS fingerprint update! Roughtly 300 fingerprints were added/modified. These massive changes span the gamut from AIX 5.1 to the ZyXEL Prestige broadband router line. Notable updates include OpenBSD 3.3, FreeBSD 5.1, Mac OS X 10.2.6, Windows 2003 server, and more WAPs and broadband routers than you can shake a stick at. Someone even submitted a fingerprint for Debian Linux running on the Microsoft Xbox. You have to love that irony :). Thanks to everyone who submitted fingerprints using the URL Nmap gives you when it gets a clean reading but is stumped. The fingerprint DB now contains almost 1000 fingerprints. - Went through every one of the fingerprints to normalize the descriptions a bit. I also looked up what all of the devices are (thanks E*Bay and Google!). Results like "Nexland ISB Pro800 Turbo" and "Siemens 300E Release 6.5" are much more useful when you add the words "cable modem" and "business phone system" - Added a new classification system to nmap-os-fingerprints. In addition to the standard text description, each entry is now classified by vendor name (e.g. Sun), underlying OS (e.g. Solaris), OS generation (e.g. 7), and device type ("general purpose", router, switch, game console, etc). This can be useful if you want to (say) locate and eliminate the SCO systems on a network, or find the wireless access points (WAPs) by scanning from the wired side. - Classification system described above is now used to print out a "device type" line and OS categories for matches. The free-form English details are still printed as well. Nmap can sometimes provide classifications even where it used to provide nothing because of "too many matches". These have been added to XML output as well. They are not printed for the "grepable output", as I consider that format deprecated. - Nmap will now sometimes guess in the "no exact matches" case, even if you don't use the secret --osscan_guess or -fuzzy options. - Applied another huge NmapFE patch from Peter Marschall (peter(a)adpm.de). This revamps the interface to use a tabbed format that allows for many more Nmap options to be used. It also cleans up some crufty parts of the code. Let Fyodor and Peter know what you think (and if you encounter any problems). - Windows and Amiga ports now use packet receive times from libpcap. Let Fyodor know if you get any "time computation problem" errors. - Updated version of the Russian man page translation from Alex Volkov (alex(a)cherepovets-city.ru).
2003-06-17Updated to version 3.28.salo2-5/+5
Changes: - Fixed (i hope) an issue that would cause Nmap to print "Serious time computation problem in adjust_timeout ..." and quit. The ultimate cause was demonstrated by this --packet_trace snippet that Russel Miller (rmiller(a)duskglow.com) sent me: SENT (0.0500s) ICMP 0.0.0.0 > 127.0.0.1 Echo request (type=8/code=0) ... RCVD (0.0450s) ICMP 127.0.0.1 > 127.0.0.1 Echo reply (type=0/code=0) ... As you can see, the ping reply appears to come BEFORE the request was sent(!). This sort of thing happens on at least Linux and Windows. The send time is obtained from gettimeofday(NULL), while receive time libpcap packet header. - For years, Nmap has added -I/usr/local/include and -L/usr/local/lib to the compiler line to grab local libraries. I have removed this behavior by default, and added a '--with_localdirs' configure option that adds it back. If Nmap fails to compile now without the above option, please let me know. I can change the default back if this change causes more problems than it solves. People (such as certain ports tree packagers) who know they don't want /usr/local should specify --without_localdirs rather than relying on that always being the default. - Fixed (I hope) a problem that led to the error message "Assertion `tqi->sockets[probe_port_num][seq] == -1' failed". - Fixed a problem that would cause Nmap on Windows to send ICMP ping packets from 0.0.0.0 instead of the appropriate source IP. Thanks to Yeti (boxed(a)blueyonder.co.uk) for the report. - Applied some changes from Solar Designer (solar(a)openwall.com) which fix some typos and also suggest safer /tmp/ behavior in the HACKING file and Lithuanian man page. These changes are for the Nmap package of his Openwall GNU/*/Linux (Owl) distribution. [ http://www.openwall.com/Owl/ ] - For Solaris, I now define NET_SIZE_T to size_t rather than socklen_t in nmap.h. Isn't that exciting?!!! Hopefully this will help compilation on Solaris 2.6 (and perhaps earlier). If any Solaris users notice new compilation problems, please let me know. Thanks to Al Smith (Al.Smith(a)aeschi.ch.eu.org) for reporting the issue. - Removed an errant getopt() prototype in nbase/getopt.h which should hopefully improve compilation on certain Solaris boxes and BSD variants. - SCO operating systems are no longer supported due to their recent (and absurd) attacks against Linux and IBM. Bug reports relating to UnixWare will be ignored, or possibly even laughed at derisively. Note that I have no reason to believe anyone has ever used Nmap on SCO systems. Unixware sucks. - Fixed a problem with small --max_parallism values when non-root ping scanning that would cause Nmap to say "sendconnecttcpquery: Could not scavenge a free socket!" and quit. Problem was reported by Justin A (justin(a)bouncybouncy.net) as Debian Bug #195463. - Changed many single-quotes (') into double quotes (") in the man page due to a disagreement over whether to represent them as (') or (\') in nroff. - Included --packet_trace support for Explicit Congestion Notification (rfc 2481/3168) flags thanks to a patch sent in by Maik Pfeil (root(a)bundesspionageministerium.de) - Included --packet_trace support for a few (unusual) ICMP types in case Nmap receives them. The patch was also sent by Maik Pfeil. - Fixed a problem with redirecting XML/Grep/Machine output to stdout on Windows (e.g. -oX - ). Problem was reported by Wei Jiang (Wei.Jiang(a)bindview.com) - Made "-g -Wall" compiler flags dependent on availability of gcc/g++ sine some other compilers do not support them.
2003-04-28Update to version 2.37.salo3-11/+11
Changes: - Nmap now compiles under Amiga thanks to patches sent by Diego Casorran (dcr8520@amiga.org). - Fixed a backwards WIN32 ifdef that broke UDP and small-fragment scans for some operating systems other than Linux and Windows. Thanks to Guido van Rooij (guido@gvr.org) for reporting the problem and sending a patch. - Applied patch from Marius Strobl (marius@alchemy.franken.de) which improves the definition of NET_SIZE_T on FreeBSD so that it compiles on 64-bit platforms.
2003-04-28Take maintainership. hubertf ok, the original maintainer of nmapfe is notsalo1-2/+2
reachable on the given email address anymore.
2003-04-27Updated to version 3.26.salo2-6/+6
Addresses PR pkg/21338 by Simon Hitzemann. Changes: - Fixed Mac OS X Compilation (at least on most of the machines tested). You will probably need to type "./configure CPP=/usr/bin/cpp" instead of simply "./configure". If you still have trouble, drop me an email. Thanks to everyone who provided or offered shell accounts! - Fixed a segmentation fault several people reported that was introduced in 3.25. This problem manifests itself intermittently in many normal situations involving large-network scanning. So all 3.25 users are urged to upgrade.
2003-04-22Updated to version 3.25.salo2-6/+6
Based on a patch sent by Simon Hitzemann via PR pkg/21245. Changes: - fetch .tar.bz2 files - UDP-based "ping" scanning (-PU) has been added. Works like -PS and -PA - "Assertion `pt->down_this_block > 0' failed" seems to be fixed now. - GCC dependency reported by Ayamura Kikuchi has been fixed. - "assertion failure" after --max_rtt_timeout < 3000 has been fixed. - Packet receive times are now taken from libpcap which improves performance a bit. - Fixed a bug that ignored RST responses while using -PS or -PA - Ping scan performance improved when many instances of Nmap are executed concurrently. - Fixed a problem that caused BSD Make to bail out (never noticed that on NetBSD). - Fixed a divide by zero error when nonroot users requested ICMP pings. Now it prints a warning and uses TCP connect() ping. - Nmap is now a bit more tolerant of corrupt nmap-services and nmap-protocols. - Some portnumbers have been added. - --packet_trace support for Windows added. - Removed superfluous "addport" line in XML output. - wintcpip.cc and tcpip.cc have been merged into tcpip.cc - Fixed assertion failure crashes related to combining port 0 scans and OS scan. - Compilation problems on systems without IPv6 support have been fixed. - Applied patch from Jochen Erwied which fixes the format strings used for printing certain timestamps. - Upgraded to autoconf 2.57 - Renamed configure.ac to configure.in - Changed the wording of NmapFE Gnome entries to better-comply with Gnome's Human Interface Guidelines.
2003-03-22Updated to version 3.20.salo5-78/+52
Based on patch sent by Juan RP via PR pkg/20839. Changes: Nmap 3.20: ========== o The random IP input option (-iR) now takes an argument specifying how many IPs you want to scan (e.g. -iR 1000). Specify 0 for the old neverending scan behavior. o Fixed a tricky memory leak discovered by Mugz (mugz@x-mafia.com). o Fixed output truncation problem noted by Lionel CONS (lionel.cons@cern.ch) o Fixed a bug that would cause certain incoming ICMP error messages to be improperly ignored. Nmap 3.15BETA3: =============== o Made numerous improvements to the timing behavior of "-T Aggressive" (same as -T4) scans. It is now recommended for regular use by impatient people with a fast connection. "-T Insane" mode has also been updated, but we only recommend that for, well, insane people. o Made substantial changes to the SYN/connect()/Window scanning algorithms for improved speeds, especially against heavily filtered hosts. If you notice any timing problems (misidentified ports, etc.), please send me the details (including full Nmap output and a description of what is wrong). Reports of any timing problems with -T4 would be helpful as well. o Changed Nmap such that ALL syn scan packets are sent from the port you specify with -g. Retransmissions used to utilize successively higher ports. This change has a downside in that some operating systems (such as Linux) often won't reply to the retransmissions because they reuse the same connection specifier quad (srcip:srcport:dstip:dstport). Overall I think this is a win. o Added timestamps to "Starting nmap" line and each host port scan in verbose (-v) mode. These are in ISO 8601 standard format because unlike President Bush, we actually care about International consensus :). o Nmap now comes by default in .tar.bz2 format, which compresses about 20% further. You can still find .tgz in the dist directory at http://download.insecure.org/nmap/dist/?M=D . o Various other minor bugfixes, new services, fingerprints, etc. Nmap 3.15BETA2: =============== o I added support for a brand new "port" that many of you may have never scanned before! UDP & TCP "port 0" (and IP protocol 0) are now permitted if you specify 0 explicitly. An argument like "-p -40" would still scan ports 1-40. Unlike ports, protocol 0 IS now scanned by default. This now works for ping probes too (e.g., -PS, -PA). o Applied patch by Martin Kluge (martin@elxsi.info) which adds --ttl option, which sets the outgoing IPv4 TTL field in packets sent via all raw scan types (including ping scans and OS detection). The patch "should work" on Windows, but hasn't been tested. A TTL of 0 is supported, and even tends to work on a LAN: 14:17:19.474293 192.168.0.42.60214 > 192.168.0.40.135: S 3265375623:3265375623(0) win 1024 [ttl 0] (id 35919, len 40) 14:17:19.474456 192.168.0.40.135 > 192.168.0.42.60214: S 2805154856:2805154856(0) ack 3265375624 win 64240 <mss 1460> (DF) (ttl 128, id 49889, len 44) o Applied patch by Gabriel L. Somlo ( somlo@acns.colostate.edu ) which extends the multi-ping-port functionality to nonroot and IPv6 connect() users. o I added a new --datadir command line option which allows you to specify the highest priority directory for Nmap data files nmap-services, nmap-os-fingerprints, and nmap-rpc. Any files which aren't in the given dir, will be searched for in the $NMAPDIR environmental variable, ~/nmap/, a compiled in data directory (e.g. /usr/share/nmap), and finally the current directory. o Fixed Windows (VC++ 6) compilation, thanks to patches from Kevin Davis (computerguy@cfl.rr.com) and Andy Lutomirski (luto@stanford.edu) o Included new Latvian man page translation by "miscelerious options" (misc@inbox.lv) o Fixed Solaris compilation when Sun make is used rather than GNU make. Thanks to Tom Duffy (tduffy@sun.com) for assistance. o Applied patch from Stephen Bishop (sbishop@idsec.co.uk) which prevends certain false-positive responses when Nmap raw TCP ping scans are being run in parallel. o To emphasize the highly professional nature of Nmap, I changed all instances of "fucked up" in error message text into "b0rked". o Fixed a problem with nmap-frontend RPMs that would cause a bogus /bin/xnmap link to be created (it should only create /usr/bin/xnmap). Thanks to Juho Schultz (juho.schultz@astro.helsinki.fi) for reporting the problem. o I made the maximum number of allowed routes and interfaces allowed on the scanning machine dynamic rather than hardcoded #defines of 1024 and 128. You never know -- some wacko probably has that many :). Nmap 3.15BETA1: =============== o Integrated the largest OS fingerprint DB updates ever! Thanks to everyone who contributed signatures! New or substantially modified fingerprints included the latest Windows 2K/XP changes, Cisco IOS 12.2-based routers and PIX 6.3 firewalls, FreeBSD 5.0, AIX 5.1, OpenBSD 3.2, Tru64 5.1A, IBM OS/400 V5R1M0, dozens of wireless APs, VOIP devices, firewalls, printers, print servers, cable modems, webcams, etc. We've even got some mod-chipped Xbox fingerprints now! o Applied NetBSD portability patch by Darren Reed (darrenr@reed.wattle.id.au) o Updated Makefile to better-detect if it can't make nmapfe and provide a clearer error message. Also fixed a couple compiler warnings on some *BSD platforms. o Applied patch from "Max" (nmap@webwizarddesign.com) which adds the port owner to the "addport" XML output lines which are printed (only in verbose mode, I think) as each open port is discovered. o I killed the annoying whitespace that is normally appended after the service name. Now it is only there when an owner was found via -sI (in which case there is a fourth column and so "service" must be exactly 24 characters). Nmap 3.10ALPHA9: ================ o Reworked the "ping scan" algorithm (used for any scan except -P0 or -sL) to be more robust in the face of low-bandwidth and congested connections. This also improves reliability in the multi-port and multi-type ping cases described below. o "Ping types" are no longer exclusive -- you can now do combinations such as "-PS22,53,80 -PT113 -PN -PE" in order to increase your odds of passing through strict filters. The "PB" flag is now deprecated since you can achieve the same result via "PE" and "PT" options. o Applied patch (with modest changes) by Gabriel L. Somlo (somlo@acns.colostate.edu), which allows multiple TCP probe ports in raw (root) mode. See the previous item for an example. o Fixed a libpcap compilation issue noted by Josef 'Jupp' Schugt (deusxmachina@webmail.co.za) which relates to the definition (or lack thereof) of ARPHRD_HDLC (used for Cisco HDLC frames). o Tweaked the version number (-V) output slightly. Nmap 3.10ALPHA7: ================ o Upgraded libpcap from version 0.6.2 to 0.7.1. Updated the libpcap-possiblymodified/NMAP_MODIFICATIONS file to give a much more extensive list (including diffs) of the changes included in the Nmap bundled version of Libpcap. o Applied patch to fix a libpcap alignment bug found by Tom Duffy (tduffy@sun.com). o Fixed Windows compilation. o Applied patch by Chad Loder (cloder@loder.us) of Rapid7 which fixes OpenBSD compilation. I believe Chad is now the official OpenBSD Nmap "port" maintainer. His patch also adjusted random-scan (-iR) to include the recently allocated 82.0.0.0/8 space. o Fixed (I hope) a few compilation problems on non-IPv6-enabled machines which were noted by Josef 'Jupp' Schugt (jupp@gmx.de) o Included some man page translations which were inadvertently missed in previous tarballs. o Applied patch from Matthieu Verbert (mve@zurich.ibm.com) which places the Nmap man pages under ${prefix}/share/man rather than ${prefix}/man when installed via RPM. Maybe the tarball install should do this too? Opinions? o Applied patch from R Anderson (listbox@pole-position.org) which improves the way ICMP port unreachables from intermediate hosts are handled during UDP scans. o Added note to man page related to Nmap US export control. I believe Nmap falls under ECCN 5D992, which has no special restrictions beyond the standard export denial to a handful of rogue nations such as Iraq and North Korea. o Added a warning that some hosts may be skipped and/or repeated when someone tries to --resume a --randomize_hosts scan. This was suggested by Crayden Mantelium (crayden@sensewave.com) o Fixed a minor memory leak noted by Michael Davis (mike@datanerds.net). Nmap 3.10ALPHA4: ================ o Applied patch by Max Schubert (nmap@webwizarddesign.com) which adds an add-port XML tag whenever a new port is found open when Nmap is running in verbose mode. The new tag looks like: <addport state="open" portid="22" protocol="tcp"/> I also updated docs/nmap.dtd to recognize this new tag. o Added German translation of Nmap manpage by Marc Ruef (marc.ruef@computec.ch). It is also available at http://www.insecure.org/nmap/data/nmap_manpage-de.html o Includes a brand new French translation of the manpage by Sebastien Blanchet. You could probably guess that it is available at http://www.insecure.org/nmap/data/nmap_manpage-fr.html o Applied some patches from Chad Loder (cloder@loder.us) which update the random IP allocation pool and improve OpenBSD support. Some were from the OBSD Nmap patchlist. o Fixed a compile problem on machines without PF_INET6. Thanks to Josef 'Jupp' Schugt (deusxmachina@webmail.co.za) for noting this. Nmap 3.10ALPHA3: ================ o Added --min_parallelism option, which makes scans more aggressive and MUCH faster in certain situations -- especially against firewalled hosts. It is basically the opposite of --max_parallelism (-M). Note that reliability can be lost if you push it too far. o Added --packet_trace option, which tells Nmap to display all of the packets it sends and receives in a format similar to tcpdump. I mostly added this for debugging purposes, but ppl wishing to learn how Nmap works or for experts wanting to ensure Nmap is doing exactly what they epect. If you want this feature supported under Windows, please send me a patch :). o Fixed a segmentation fault in Idlescan (-sI). o Made Idlescan timing more conservative when -P0 is specified to improve accuracy. o Fixed an infinite-loop condition that could occur during certain dropped-packet scenarios in an Idle scan. o Nmap now reports execution times to millisecond precision (rather than rouding to the nearest second). o Fixed an infinite loop caused by invalid port arguments. Problem noted by fejed (fejed@uddf.net). Nmap 3.10ALPHA2: ================ o Fixed compilation and IPv6 support on FreeBSD (tested on 4.6-STABLE). Thanks to Niels Heinen (niels.heinen@ubizen.com) for suggestions. o Made some portability changes based on suggestions by Josef 'Jupp' Schugt (jupp@gmx.de) o Fixed compilation and IPv6 support on Solaris 9 (haven't tested earlier versions). Nmap 3.10ALPHA1: ================ o IPv6 is now supported for TCP scan (-sT), connect()-style ping scan (-sP), and list scan (-sL)! Just specify the -6 option and the IPv6 numbers or DNS names. Netmask notation is not currently supported -- I'm not sure how useful it is for IPv6, where even petty end users may be allocated trillions of addresses (/80). If you need one of the scan types that hasn't been ported yet, give Sebastien Peterson's patch a try at http://nmap6.sourceforge.net/ . If there is demand, I may integrate more of that into Nmap. o Major code restructing, which included conversion to C++ -- so you'll need g++ or another C++ compiler. I accidently let a C++ requirement slip in a while back and found that almost everyone has such a compiler. Windows (VC++) users: see the README-WIN32 for new compilation instructions. o Applied patch from Axel Nennker (Axel.Nennker@t-systems.com) which adds a --without-nmapfe option to the configure script. This si useful if your system doesn't have the proper libraries (eg GTK) or if you think GUIs are for sissies :). o Removed arbitrary max_parallelism (-M) limitations, as suggested by William McVey ( wam@cisco.com ). o Added DEC OSF to the platforms that require the BSDFIX() macro due to taking ip length and offset fields in host rather than network byte order. Suggested by Dean Bennett (deanb@gbtn.net) o Fixed an debug statement C ambiguity discovered by Kronos (kronos@kronoz.cjb.net)
2002-10-10buildlink1 -> buildlink2.wiz1-3/+3
2002-08-03Update nmap to 3.00. Changes:hubertf9-95/+60
* Added protocol scan (-sO), which determines what IP protocols (TCP, IGMP, GRE, UDP, ICMP, etc) are supported by a given host. This uses a clever technique designed and implemented by Gerhard Rieger . * Nmap now recognizes more than 700 operating system versions and network devices (printers, webcams, routers, etc) thanks to thousands of contributions from the user community! Many operating systems were even recognized by Nmap prior to their official release. Nmap3 also recognizes 2148 port assignments, 451 SunRPC services, and 144 IP protocols. * Added Idlescan (-sI), which bounces the scan off a "zombie" machine. This can be used to bypass certain (poorly configured) firewalls and packet filters. In addition, this is the most stealthy Nmap scan mode, as no packets are sent to the target from your true IP address. * The base Nmap package now builds and functions under Windows! It is distributed in three forms: build-it-yourself source code, a simple command-line package, or along with a nice GUI interface (NmapWin) and a fancy installer. This is due to the hard work of Ryan Permeh (from eEye), Andy Lutomirski, and Jens Vogt. * Mac OS X is now supported, as well as the latest versions of Linux, OpenBSD, Solaris, FreeBSD, and most other UNIX platforms. Nmap has also been ported to several handheld devices -- see the Related Projects page for further information. * XML output (-oX) is now available for smooth interoperability between Nmap and other tools. * Added ICMP Timestamp and Netmask ping types (-PP and -PM). These (especially timestamp) can be useful against some hosts that do not respond to normal ping (-PI) packets. Nmap still allows TCP "ping" as well. * Nmap can now detect the uptime of many hosts when the OS Scan option (-O) is used. * Several new tests have been added to make OS detection more accurate and provide more granular version information. * Removed 128.210.*.* addresses from Nmap man page examples due to complaints from Purdue security staff. * The --data_length option was added, allowing for longer probe packets. Among other uses, this defeats certain simplistic IDS signatures. * You can now specify distinct port UDP and TCP port numbers in a single scan command using a command like 'nmap -sSU -p U:53,111,137,T:21-25,80,139,515,6000,8080 target.com'. See the man page for more usage info. * Added mysterious, undocumented --scanflags and --fuzzy options. * Nmap now provides IPID as well as TCP ISN sequence predictability reports if you use -v and -O. * SYN scan is now the default scan type for privileged (root) users. This is usually offers greater performance while reducing network traffic. * Capitalized all references to God in error messages. * Added List scan (-sL) which enumerates targets without scanning them. * The Nmap "random IP" scanning mode is now smart enough to skip many unallocated netblocks. * Tons of more minor features, bugfixes, and portability enhancements.
2001-12-06Add patch-af (recognize mipseb in config.sub).rafal1-1/+2
2001-12-06Add patch to make this build on mipseb platforms.rafal1-0/+25
2001-10-31Move pkg/ files into package's toplevel directoryzuntum2-1/+1
2001-09-10Use libpcap buildlink.mk instead of OS-test.wiz1-5/+3
By Stoned Elipot in pkg/13920.
2001-08-24Fix fo linux a different way - make more like NetBSD configuration and useabs7-39/+36
net/libpcap. Also fix DEPENDS for Solaris and Linux
2001-08-24Rework NetBSD hack to not break Linux buildabs6-75/+106
2001-04-21Move to sha1 checksum, and/or add distfile sizes.wiz1-2/+3
2001-04-17+ move the distfile digest/checksum value from files/md5 to distinfoagc3-10/+8
+ move the patch digest/checksum values from files/patch-sum to distinfo