head 1.18; access; symbols pkgsrc-2014Q2:1.17.0.8 pkgsrc-2014Q2-base:1.17 pkgsrc-2014Q1:1.17.0.6 pkgsrc-2014Q1-base:1.17 pkgsrc-2013Q4:1.17.0.4 pkgsrc-2013Q4-base:1.17 pkgsrc-2013Q3:1.17.0.2 pkgsrc-2013Q3-base:1.17 pkgsrc-2013Q2:1.16.0.8 pkgsrc-2013Q2-base:1.16 pkgsrc-2012Q4:1.16.0.6 pkgsrc-2012Q4-base:1.16 pkgsrc-2011Q4:1.16.0.4 pkgsrc-2011Q4-base:1.16 pkgsrc-2011Q2:1.16.0.2 pkgsrc-2011Q2-base:1.16 pkgsrc-2010Q2:1.15.0.4 pkgsrc-2010Q2-base:1.15 pkgsrc-2010Q1:1.15.0.2 pkgsrc-2010Q1-base:1.15 pkgsrc-2009Q4:1.13.0.8 pkgsrc-2009Q4-base:1.13 pkgsrc-2009Q3:1.13.0.6 pkgsrc-2009Q3-base:1.13 pkgsrc-2009Q2:1.13.0.4 pkgsrc-2009Q2-base:1.13 pkgsrc-2009Q1:1.13.0.2 pkgsrc-2009Q1-base:1.13 pkgsrc-2008Q4:1.12.0.24 pkgsrc-2008Q4-base:1.12 pkgsrc-2008Q3:1.12.0.22 pkgsrc-2008Q3-base:1.12 cube-native-xorg:1.12.0.20 cube-native-xorg-base:1.12 pkgsrc-2008Q2:1.12.0.18 pkgsrc-2008Q2-base:1.12 pkgsrc-2008Q1:1.12.0.16 pkgsrc-2008Q1-base:1.12 pkgsrc-2007Q4:1.12.0.14 pkgsrc-2007Q4-base:1.12 pkgsrc-2007Q3:1.12.0.12 pkgsrc-2007Q3-base:1.12 pkgsrc-2007Q2:1.12.0.10 pkgsrc-2007Q2-base:1.12 pkgsrc-2007Q1:1.12.0.8 pkgsrc-2007Q1-base:1.12 pkgsrc-2006Q4:1.12.0.6 pkgsrc-2006Q4-base:1.12 pkgsrc-2006Q3:1.12.0.4 pkgsrc-2006Q3-base:1.12 pkgsrc-2006Q2:1.12.0.2 pkgsrc-2006Q2-base:1.12 pkgsrc-2006Q1:1.11.0.2 pkgsrc-2006Q1-base:1.11 pkgsrc-2005Q4:1.9.0.10 pkgsrc-2005Q4-base:1.9 pkgsrc-2005Q3:1.9.0.8 pkgsrc-2005Q3-base:1.9 pkgsrc-2005Q2:1.9.0.6 pkgsrc-2005Q2-base:1.9 pkgsrc-2005Q1:1.9.0.4 pkgsrc-2005Q1-base:1.9 pkgsrc-2004Q4:1.9.0.2 pkgsrc-2004Q4-base:1.9 pkgsrc-2004Q3:1.8.0.6 pkgsrc-2004Q3-base:1.8 pkgsrc-2004Q2:1.8.0.4 pkgsrc-2004Q2-base:1.8 pkgsrc-2004Q1:1.8.0.2 pkgsrc-2004Q1-base:1.8 pkgsrc-2003Q4:1.7.0.2 pkgsrc-2003Q4-base:1.7 netbsd-1-6-1:1.4.0.2 netbsd-1-6-1-base:1.4 netbsd-1-6:1.4.0.4 netbsd-1-6-RELEASE-base:1.4 pkgviews:1.3.0.4 pkgviews-base:1.3 buildlink2:1.3.0.2 buildlink2-base:1.3 netbsd-1-5-PATCH003:1.3 netbsd-1-5-PATCH001:1.1 netbsd-1-5-RELEASE:1.1 netbsd-1-4-PATCH003:1.1; locks; strict; comment 
@# @; 1.18 date 2014.09.05.11.51.41; author adam; state dead; branches; next 1.17; commitid op1Z276UmGyBp9Px; 1.17 date 2013.09.24.21.29.21; author drochner; state Exp; branches; next 1.16; commitid HSWi0Gtln1wXIJ6x; 1.16 date 2010.07.22.20.46.29; author pettai; state dead; branches; next 1.15; 1.15 date 2010.03.27.13.37.34; author pettai; state Exp; branches; next 1.14; 1.14 date 2010.03.21.21.58.23; author pettai; state Exp; branches; next 1.13; 1.13 date 2009.04.01.07.56.19; author apb; state Exp; branches; next 1.12; 1.12 date 2006.06.25.14.29.14; author salo; state dead; branches; next 1.11; 1.11 date 2006.02.12.17.24.23; author salo; state Exp; branches; next 1.10; 1.10 date 2006.02.01.20.39.11; author joerg; state Exp; branches; next 1.9; 1.9 date 2004.11.26.09.24.21; author adam; state Exp; branches; next 1.8; 1.8 date 2004.01.22.11.20.04; author salo; state Exp; branches; next 1.7; 1.7 date 2003.10.13.15.02.15; author salo; state Exp; branches; next 1.6; 1.6 date 2003.09.20.14.15.28; author salo; state Exp; branches; next 1.5; 1.5 date 2003.03.22.04.07.11; author salo; state Exp; branches; next 1.4; 1.4 date 2002.08.03.12.24.00; author hubertf; state Exp; branches; next 1.3; 1.3 date 2001.08.24.11.23.17; author abs; state Exp; branches; next 1.2; 1.2 date 2001.08.24.11.05.36; author abs; state Exp; branches; next 1.1; 1.1 date 2000.10.08.15.06.09; author hubertf; state Exp; branches; next ; desc @@ 1.18 log @Changes 6.47: o Integrated all of your IPv4 OS fingerprint submissions since June 2013 (2700+ of them). Added 366 fingerprints, bringing the new total to 4485. Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2, OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved. Highlights: http://seclists.org/nmap-dev/2014/q3/325 o (Windows) Upgraded the included OpenSSL to version 1.0.1i. o (Windows) Upgraded the included Python to version 2.7.8. o Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. 
This was added in 6.45, and resulted in trouble for Nmap XML parsers without network access, as well as increased traffic to Nmap's servers. The doctype is now: o [Ndiff] Fixed the installation process on Windows, which was missing the actual Ndiff Python module since we separated it from the driver script. o [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution, which was giving the error, "\Microsoft was unexpected at this time." See https://support.microsoft.com/kb/2524009 o [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch, producing this error: Could not import the zenmapGUI.App module: 'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2): Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n Referenced from: /Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\n Reason: image not found'. o [Ncat] Fixed SOCKS5 username/password authentication. The password length was being written in the wrong place, so authentication could not succeed. o Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts this to the string "(null)", but it caused segfault on Solaris. o [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package installed. Python tries to be nice and loads it when we import xml, but it isn't compatible. Instead, we force Python to use the standard library xml module. o Handle ICMP admin-prohibited messages when doing service version detection. Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ callback. Error code: 101 (Network is unreachable) o [NSE] Fix a bug causing http.head to not honor redirects. o [Zenmap] Fix a bug in DiffViewer causing this crash: TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only buffer, not NmapParserSAX Crash happened when trying to compare two scans within Zenmap. 
@ text @$NetBSD: patch-ad,v 1.17 2013/09/24 21:29:21 drochner Exp $ --- ncat/ncat_posix.c.orig 2013-07-29 00:03:01.000000000 +0000 +++ ncat/ncat_posix.c @@@@ -123,5 +123,7 @@@@ #include "ncat.h" +#ifdef HAVE_LUA #include "ncat_lua.h" +#endif char **cmdline_split(const char *cmdexec); @ 1.17 log @fix build on systems without builtin lua (with lua option disabled, so that no pkgsrc lua is pulled in) tested by John Klos @ text @d1 1 a1 1 $NetBSD$ @ 1.16 log @Nmap 5.35DC1 [2010-07-16] Some of the highlights are: o [NSE] Added more scripts, bringing the total to 131! o Performed a major OS detection integration run. o Performed a large version detection integration run. o [Zenmap] Added the ability to print Nmap output to a printer. o [Nmap, Ncat, Nping] The default unit for time specifications is now seconds, not milliseconds, and times may have a decimal point. o Ports are now considered open during a SYN scan if a SYN packet (without the ACK flag) is received in response. o [Ncat] In listen mode, the --exec and --sh-exec options now accept a single connection and then exit, just like in normal listen mode. o UDP payloads are now stored in an external data file, nmap-payloads, instead of being hard-coded in the executable. o Added a new library, libnetutil, which contains about 2,700 lines of networking related code which is now shared between Nmap and Nping o Improved service detection match lines. o Improved our brute force password guessing list by mixing in some data sent in by Solar Designer of John the Ripper fame. o [Zenmap] IP addresses are now sorted by octet rather than their string representation. o [Ncat] When receiving a connection/datagram in listen mode, Ncat now prints the connecting source port along with the IP address. o Added EPROTO to the list of known error codes in service scan. o Updated IANA IP address space assignment list for random IP (-iR) generation. 
o Zenmap's "slow comprehensive scan profile" has been modified to use the best 7-probe host discovery combination we were able to find in extensive empirical testing. o Zenmap now lets you save scan results in normal Nmap text output format or (as before) as XML. o [NSE] Raw packet sending at the IP layer is now supported, in addition to the existing Ethernet sending functionality. o Nmap now honors routing table entries that override interface addresses and netmasks. o [Ncat] The HTTP proxy server now accepts client connections over SSL, and added support for HTTP digest authentication of proxies, as both client and server. o Improved the MIT Kerberos version detection signatures. Plus many bugfixes and improvements. For full changelog, see http://nmap.org/changelog.html @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.15 2010/03/27 13:37:34 pettai Exp $ d3 3 a5 29 Correct handling of the length of data returned by SIOCGIFCONF. The actual length of each item is never less than sizeof(struct ifreq), but may be more than that. If the platform's struct sockaddr has an sa_len field, and if the length in sa_len is larger than the space available in ifr_ifru, then the data extends beyond the end of the ifr_ifru field by the difference in sizes. The previous code of the form len = ifr->ifr_addr.sa_len + sizeof(ifr->ifr_name); had two problems: 1) It assumes that ifr_name and ifr_ifru are the only members of struct ifreq, so that sizeof(ifr->ifr_name) is equivalent to sizeof(struct ifr) - sizeof(ifr->ifr_ifreq). This assumption may be incorrect on some hypothetical systems, and it's just as efficient to use code that avoids making the assumption. 2) It assumes that ifr->ifr_addr.sa_len will never be smaller than sizeof(ifr->ifr_ifru). This assumption is incorrect on some systems, at least on NetBSD.
--- tcpip.cc.orig 2010-01-15 04:55:23.000000000 +0100 +++ tcpip.cc 2010-01-27 22:46:10.000000000 +0100 @@@@ -3053,12 +3053,13 @@@@ int rc; char *p; d7 4 a10 13 - /* On some platforms (such as FreeBSD), the length of each ifr changes - based on the sockaddr type used, so we get the next length now. */ -#if HAVE_SOCKADDR_SA_LEN - len = ifr->ifr_addr.sa_len + sizeof(ifr->ifr_name); -#else + /* On some platforms struct sockaddr has an sa_len member, if + ifr_ddr.sa_len is larger then sizeof ifr_ifru, then the actual + data extends beyond the end of ifr_ifru. */ len = sizeof(struct ifreq); +#if HAVE_SOCKADDR_SA_LEN + if (ifr->ifr_addr.sa_len > sizeof(ifr->ifr_ifru)) + len += (ifr->ifr_addr.sa_len - sizeof(ifr->ifr_ifru)); #endif d12 1 a12 1 /* skip any device with no name */ @ 1.15 log @Fixed brokenness of patch-ad Ok'ed during freeze by wiz@@ @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.14 2010/03/21 21:58:23 pettai Exp $ @ 1.14 log @Nmap 5.21 [2010-01-27] (-> Nmap 5.00) Some of the highlights are: o Dramatically improved the version detection database, integrating 2,596 submissions that users contributed since February 3, 2009! o Added 7 new NSE scripts for a grand total of 79! o Performed a memory consumption audit and made changes to dramatically reduce Nmap's footprint. o A major service detection submission integration. o Added some new service detection probes o Added 14 new NSE scripts for a grand total of 72! You can learn about them all at http://nmap.org/nsedoc/. Here are the new ones: o Nmap's --traceroute has been rewritten for better performance. o Integrated 1,349 fingerprints (and 81 corrections). o [NSE] Default socket parallelism has been doubled from 10 to 20. o [NSE] Now supports worker threads o Zenmap now includes ports in the services view whenever Nmap found them "interesting," whatever their state. o [Ncat, Ndiff] The exit codes of these programs now reflect whether they succeeded.
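Review bot: the tcpip.cc hunk at @@ -3053,12 +3053,13 @@ in the 1.16 text fixes the record stride but leaves the buffer-end check out of view: since len can now exceed sizeof(struct ifreq) by sa_len - sizeof(ifr->ifr_ifru), the loop that advances ifr by len must compare the next position against the end of the SIOCGIFCONF buffer (ifc_len) before dereferencing it, otherwise a truncated last record is still read past the buffer; please confirm that check exists just below the hunk. The removed branch, "len = ifr->ifr_addr.sa_len + sizeof(ifr->ifr_name);", produced a stride smaller than sizeof(struct ifreq) whenever sa_len was smaller than sizeof(ifr->ifr_ifru) (the NetBSD case the patch header describes), which misaligns every record after it, so "len = sizeof(struct ifreq);" plus the excess is the correct minimum. Two typos in the added comment: "ifr_ddr" should be "ifr_addr", and "larger then" should be "larger than".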
o Optimize MAC address prefix lookup by using an std::map o Canonicalized the list of OS detection device types to a smaller set. o Zenmap's UI performance has improved significantly. o [NSE] socket garbage collection was rewritten for better performance. Many many bugfixes! For full changelog, see http://nmap.org/changelog.html Ok'ed during freeze by wiz@@ @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.13 2009/04/01 07:56:19 apb Exp $ d43 1 a43 1 + len = ifr->ifr_addr.sa_len > sizeof(ifr->ifr_name); @ 1.13 log @Correct handling of the length of data returned by SIOCGIFCONF. The actual length of each item is never less than sizeof(struct ifreq), but may be more than that. If the platform's struct sockaddr has an sa_len field, and if the length in sa_len is larger than the space available in ifr_ifru, then the data extends beyond the end of the ifr_ifru field by the difference in sizes. @ text @d1 1 a1 1 $NetBSD$ d27 8 a34 6 --- tcpip.cc.orig 2008-09-04 14:41:59.000000000 +0000 +++ tcpip.cc @@@@ -2890,12 +2890,10 @@@@ int sd; ifr = (struct ifreq *) buf; if (ifc.ifc_len == 0) fatal("%s: SIOCGIFCONF claims you have no network interfaces!\n", __func__); a35 1 - /* len = MAX(sizeof(struct sockaddr), ifr->ifr_addr.sa_len);*/ d38 3 a41 1 - /* len = sizeof(SA); */ d43 1 a43 1 + if (ifr->ifr_addr.sa_len > sizeof(ifr->ifr_ifru)) d47 1 a47 18 /* Debugging code @@@@ -2914,10 +2912,13 @@@@ int sd; printf("ifr = %X\n",(unsigned)(*(char **)&ifr)); */ - /* On some platforms (such as FreeBSD), the length of each ifr changes - based on the sockaddr type used, so we get the next length now */ + /* On platforms where struct sockaddr has an sa_len member, if + ifr_ddr.sa_len is larger then sizeof ifr_ifru, then the actual + data extends beyond the end of ifr_ifru.
*/ + len = sizeof(struct ifreq); #if HAVE_SOCKADDR_SA_LEN - len = ifr->ifr_addr.sa_len + sizeof(ifr->ifr_name); + if (ifr->ifr_addr.sa_len > sizeof(ifr->ifr_ifru)) + len += (ifr->ifr_addr.sa_len - sizeof(ifr->ifr_ifru)); #endif /* skip any device with no name */ @ 1.12 log @Update to version 4.11 - bite the bullet and use GNU make, it's increasingly annoying to try avoiding it Changes: - Added dozens of more detailed SSH version detection signatures, thanks to a huge SSH survey and integration effort by Doug Hoyte. The results of his large-scale SSH scan are posted at http://seclists.org/nmap-dev/2006/Apr-Jun/0393.html . - Fixed the Nmap Makefile (actually Makefile.in) to correctly handle include file dependencies. So if a .h file is changed, all of the .cc files which depend on it will be recompiled. Thanks to Diman Todorov (diman(a)xover.mud.at) for the patch. - Fixed a compilation problem on solaris and possibly other platforms. The error message looked like "No rule to make target `inet_aton.o', needed by `libnbase.a'". Thanks to Matt Selsky (selsky(a)columbia.edu) for the patch. Fixes PR pkg/33806 from Gilles Dauphin. - Applied a patch which helps with HP-UX compilation by linking in the nm library (-lnm). Thanks to Zakharov Mikhail (zmey20000(a)yahoo.com) for the patch. - Added version detection probes for detecting the Nessus daemon. Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch. @ text @d1 1 a1 1 $NetBSD: patch-ad,v 1.11 2006/02/12 17:24:23 salo Exp $ d3 40 a42 5 --- nbase/configure.orig 2006-02-02 03:18:49.000000000 +0100 +++ nbase/configure 2006-02-12 18:08:45.000000000 +0100 @@@@ -9,6 +9,8 @@@@ ## M4sh Initialization.
## ## --------------------- ## d44 4 a47 17 +LIBS= + # Be Bourne compatible if test -n "${ZSH_VERSION+set}" && (emulate sh) >/dev/null 2>&1; then emulate sh @@@@ -7081,7 +7083,7 @@@@ echo $ECHO_N "(cached) $ECHO_C" >&6 else ac_check_lib_save_LIBS=$LIBS -LIBS="-lssl $LIBS" +LIBS="-lssl -lcrypto $LIBS" cat >conftest.$ac_ext <<_ACEOF /* confdefs.h. */ _ACEOF @@@@ -7144,7 +7146,7 @@@@ #define HAVE_LIBSSL 1 _ACEOF d49 11 a59 2 - LIBS="-lssl $LIBS" + LIBS="-lssl -lcrypto $LIBS" d61 1 a61 2 else use_openssl="no" @ 1.11 log @Updated to version 4.01: Changes: - Fixed a bug that would cause bogus reverse-DNS resolution on big-endian machines. Thanks to Doug Hoyte, Seth Miller, Tony Doan, and Andrew Lutomirsky for helping to debug and patch the problem. - Fixed an important memory leak in the raw ethernet sending system. Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for identifying the bug and sending a patch. - Fixed --system-dns option so that --system_dns works too. Error messages were changed to reflect the former (preferred) name. Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter VanEeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for reporting the problem. - Fixed a crash which would report this message: "NmapOutputTable.cc:143: void NmapOutputTable::addItem(unsigned int, unsigned int, bool, const char*, int): Assertion `row < numRows' failed." Thanks to Jake Schneider (Jake.Schneider(a)dynetics.com) for reporting and helping to debug the problem. - Whenever Nmap sends packets with the SYN bit set (except for OS detection), it now includes the maximum segment size (MSS) tcp option with a value of 1460. This makes it stand out less as almost all hosts set at least this option. Thanks to Juergen Schmidt (ju(a)heisec.de) for the suggestion. - Applied a patch for a Windows interface reading bug in the aDNS subsystem from Doug Hoyte. - Minor changes to recognize DragonFly BSD in configure scripts. 
Thanks to Joerg Sonnenberger (joerg(a)britannica.bec.de) for sending the patch. - Fixed a minor bug in an error message starting with "eth_send of ARP packet returned". Thanks to J.W. Hoogervorst (J.W.Hoogervorst(a)uva.nl) for finding this. @ text @d1 1 a1 1 $NetBSD$ @ 1.10 log @Add DragonFly support. Also recognize DragonFly and NetBSD as OS name. @ text @d3 2 a4 2 --- nbase/configure.orig 2006-01-25 07:50:35.000000000 +0000 +++ nbase/configure d14 1 a14 10 @@@@ -2561,7 +2563,7 @@@@ _ACEOF # libpcap doesn't even LOOK at # the timeout you give it under Linux ;; - *-freebsd* | *-kfreebsd*-gnu) + *-freebsd* | *-kfreebsd*-gnu | *-dragonfly*) cat >>confdefs.h <<\_ACEOF #define FREEBSD 1 _ACEOF @@@@ -7081,7 +7083,7 @@@@ if test "${ac_cv_lib_ssl_SSL_new+set}" = d23 1 a23 1 @@@@ -7144,7 +7146,7 @@@@ if test $ac_cv_lib_ssl_SSL_new = yes; th @ 1.9 log @Changes 3.77: o Fixed a memory leak that would generally consume several hundred bytes per down host scanned. While the effect for most scans is negligible, it was overwhelming when Scott Carlson (Scott.Carlson(a)schwab.com) tried to scan 24 million IPs (10.0.0.0/8). Thanks to him for reporting the problem. o Fixed a bug in ACK scan that could cause Nmap to crash with the message "Unexpected port state: 6" in some cases. Thanks to Glyn Geoghegan (glyng(a)corsaire.com) for reporting the problem. o Change IP protocol scan (-sO) so that a response from the target host in any protocol at all will prove that protocol is open. As before, no response means "open|filtered", an ICMP protocol unreachable means "closed", and most other ICMP error messages mean "filtered". o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and UDP headers when scanning protocols 1, 6, and 17, respectively. An empty IP header is still sent for all other protocols.
This should prevent the error messages such as "sendto in send_ip_packet: sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not permitted" that Linux (and perhaps other systems) would give when they try to interpret the raw packet. This also makes it more likely that these protocols will elicit a response, proving that the protocol is "open". o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered" instead of "open" when they fail to receive any response from the target port. After all, it could just as easily be filtered as open. This is the same change that was made to UDP scan in 3.70. Also as with UDP scan, adding version detection (-sV) will change the state from open|filtered to open if it confirms that they really are open. o Fixed a crash on Windows systems that don't include the iphlpapi DLL. This affects Win95 and perhaps other variants. Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting the problem and sending the patch. o Ensured that the device type, os vendor, and os family OS fingerprinting classification values are scrubbed for XML compliance in the XML output. Thanks to Matthieu Verbert (mve(a)zurich.ibm.com) for reporting the problem and sending a patch. o Changed the Nmap XML DTD to use the same xmloutputversion (1.01) as newer versions of Nmap. Thanks to Laurent Estieux (laurent.estieux(a)free.fr) for reporting the problem. @ text @d3 1 a3 1 --- nbase/configure.orig 2004-10-16 05:03:55.000000000 +0000 d14 10 a23 1 @@@@ -7074,7 +7076,7 @@@@ if test "${ac_cv_lib_ssl_SSL_new+set}" = d32 1 a32 1 @@@@ -7137,7 +7139,7 @@@@ if test $ac_cv_lib_ssl_SSL_new = yes; th @ 1.8 log @Updated to version 3.50. - update DESCR Notable changes: - Integrated a ton of service fingerprints, increasing the number of signatures more than 50%. It has now exceeded 1,000 for the first time, and represents 180 unique service protocols from acap, afp, and aim to xml-rpc, zebedee, and zebra. - Implemented a huge OS fingerprint update.
The number of fingerprints has increased more than 13% to 1,121. This is the first time it has exceeded 1000. Notable updates include Linux 2.6.0, Mac OS X up to 10.3.2 (Panther), OpenBSD 3.4 (normal and pf "scrub all"), FreeBSD 5.2, the latest Windows Longhorn warez, and Cisco PIX 6.3.3. As usual, there are a ton of new consumer devices from ubiquitous D-Link, Linksys, and Netgear broadband routers to a number of new IP phones including the Cisco devices commonly used by Vonage. Linksys has apparently gone special-purpose with some of their devices, such as their WGA54G "Wireless Game Adapter" and WPS54GU2 wireless print server. A cute little MP3 player called the Rio Karma was submitted multiple times and I also received and integrated fingerprints for the Handspring Treo 600 (PalmOS). - Applied some man page fixes from Eric S. Raymond (esr(a)snark.thyrsus.com). - Added version scan information to grepable output between the last two '/' delimiters (that space was previously unused). So the format is now "portnum/state/protocol/owner/servicename/rpcinfo/versioninfo" as in "53/open/tcp//domain//ISC Bind 9.2.1/" and "22/open/tcp//ssh//OpenSSH 3.5p1 (protocol 1.99)/". Thanks to MadHat (madhat(a)unspecific.com) for sending a patch (although I did it differently). Note that any '/' characters in the version (or owner) field are replaced with '|' to keep awk/cut parsing simple. The service name field has been updated so that it is the same as in normal output (except for the same sort of escaping discussed above). - Integrated an Oracle TNS service probe and match lines contributed by Frank Berger (fm.berger(a)gmx.de). New probe contributions are always appreciated! - Fixed a crash that could happen during SSL version detection due to SSL session ID cache reference counting issues. - Applied patch to nmap XML dtd (nmap.dtd) from Mario Manno (mm(a)koeln.ccc.de). This accounts for the new version scanning functionality. - Upgraded to Autoconf 2.59 (from 2.57). 
This should help HP-UX compilation problems reported by Petter Reinholdtsen (pere(a)hungry.com) and may have other benefits as well. - Made Ident-scan (-I) limits on the length and type of responses stricter so that rogue servers can't flood your screen with 1024 characters. The new length limit is 32. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and a patch. - Fingerprints for unrecognized services can now be a bit longer to avoid truncating as much useful response information. While the fingerprints can be longer now, I hope they will be less frequent because of all the newly recognized services in this version. - The nmap-service-probes "match" directive can now take a service name like "ssl/vmware-auth". The service will then be reported as vmware-auth (or whatever follows "ssl/") tunneled by SSL, yet Nmap won't actually bother initiating an SSL connection. This is useful for SSL services which can be fully recognized without the overhead of making an SSL connection. - Version scan now chops commas and whitespace from the end of vendorproductname, version, and info fields. This makes it easier to write templates incorporating lists. For example, the tcpmux service (TCP port 1) gives a list of supported services separated by CRLF. Nmap uses this new feature to print them comma separated without having an annoying trailing comma as so (linewrapped): match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$| v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/ @ text @d3 2 a4 2 --- nbase/configure.orig 2004-01-12 04:23:12.000000000 +0100 +++ nbase/configure 2004-01-22 10:19:15.000000000 +0100 d14 1 a14 1 @@@@ -7068,7 +7070,7 @@@@ d23 1 a23 1 @@@@ -7131,7 +7133,7 @@@@ @ 1.7 log @Update to version 3.48. Changes since 3.45: =================== o Integrated an enormous number of version detection service submissions. 
The database has almost doubled in size to 663 signatures representing the following 130 services: 3dm-http afp apcnisd arkstats bittorent chargen citrix-ica cvspserver cvsup dantzretrospect daytime dict directconnect domain echo eggdrop exec finger flexlm font-service ftp ftp-proxy gnats gnutella-http hddtemp hp-gsg http http-proxy hylafax icecast ident imap imaps imsp ipp irc ircbot irc-proxy issrealsecure jabber kazaa-http kerberos-sec landesk-rc ldap linuxconf lmtp lotusnotes lpd lucent-fwadm meetingmaker melange microsoft-ds microsoft-rdp mldonkey msactivesync msdtc msrpc ms-sql-m mstask mud mysql napster ncacn_http ncp netbios-ns netbios-ssn netrek netsaint netstat netwareip networkaudio nntp nsclient nsunicast ntop-http omniback oracle-mts oracle-tns pcanywheredata pksd pmud pop2 pop3 pop3s poppass postgresql powerchute printer qotd redcarpet rendezvous rlogind rpc rsync rtsp sdmsvc sftp shell shivahose sieve slimp3 smtp smux snpp sourceoffice spamd ssc-agent ssh ssl svrloc symantec-av symantec-esm systat telnet time tinyfw upnp uucp veritasnetbackup vnc vnc-http vtun webster whois wins winshell wms X11 xfce zebra o Added the ability to execute "helper functions" in version templates, to help clean up/manipulate data captured from a server response. The first defined function is P() which includes only printable characters in a captured string. The main impetus for this is to deal with unicode strings like "W\0O\0R\0K\0G\0R\0O\0U\0P\0" that many MS protocols send. Nmap can now decode that into "WORKGROUP". o Added SUBST() helper function, which replaces strings in matched appname/version/extrainfo strings with something else. For example, VanDyke Vshell gives a banner that includes "SSH-2\.0-VShell_2_2_0_528". A substring match is used to pick out the string "2_2_0_528", and then SUBST(1,"_",".") is called on that match to form the version number 2.2.0.528. 
o If responses to a probe fail to match any of the registered match strings for that probe, Nmap will now try against the registered "null probe" match strings. This helps in the case that the NULL probe initially times out (perhaps because of initial DNS lookup) but the banner appears in later responses. o Applied some portability fixes (particularly for OpenBSD) from Chad Loder (cloder(a)loder.us), who is also now the OpenBSD Nmap port maintainer. o Applied some portability fixes from Marius Strobl (marius(a)alchemy.franken.de). o The tarball distribution of Nmap now strips the binary at install time thanks to a patch from Marius Strobl (marius(a)alchemy.franken.de). o Fixed a problem related to building Nmap on systems that lack PCRE libs (and thus have to use the ones included by Nmap). Thanks to Remi Denis-Courmont (deniscr6(a)cti.ecp.fr) for the report and patch. o Alphabetized the service names in each Probe section in nmap-service-probes (makes them easier to find and add to). o Fixed the problem several people reported where Nmap would quit with a "broken pipe" error during service scanning. Thanks to Jari Ruusu (jari.ruusu(a)pp.inet.fi) for sending a patch. The actual error message was "Unexpected error in NSE_TYPE_READ callback. Error code: 32 (Broken pipe)" o Fixed protocol scan (-sO), which I had broken when adding the new output table format. It would complain "NmapOutputTable.cc:128: failed assertion `row < numRows'". Thanks to Matt Burnett (marukka(a)mac.com) for notifying me of the problem. o Upgraded Libpcap to the latest tcpdump.org version (0.7.2) from 0.7.1 o Applied a patch from Peter Marschall (peter(a)adpm.de) which adds version detection support to nmapfe. o Fixed a problem with XML output being invalid when service detection was done on SSL-tunneled ports. Thanks to the several people who reported this - it means that folks are actually using the XML output :).
o Fixed (I hope) some Solaris Sun ONE compiler compilation problems reported (w/patches) by Mikael Mannstrom (candyman(a)penti.org) o Fixed the --with-openssl configure option for people who have OpenSSL installed in a path not automatically found by their compilers. Thanks to Marius Strobl (marius(a)alchemy.franken.de) for the patch. o Made some portability changes for HP-UX and possibly other types of machines, thanks to a patch from Petter Reinholdtsen (pere(a)hungry.com) o Applied a patch from Matt Selsky (selsky@@columbia.edu) which fixes compilation on some Solaris boxes, and maybe others. The error said "cannot compute sizeof (char)" o Applied some patches from the NetBSD ports tree that Hubert Feyrer (hubert.feyrer(a)informatik.fh-regensburg.de) sent me. The NetBSD Nmap ports page is at http://www.NetBSD.org/packages/net/nmap/ . o Applied some Makefile patches from the FreeBSD ports tree that I found at http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/nmap/files/ @ text @d3 3 a5 3 --- nbase/configure.orig 2003-10-03 10:33:24.000000000 +0200 +++ nbase/configure 2003-10-06 12:52:20.000000000 +0200 @@@@ -10,6 +10,8 @@@@ d14 1 a14 1 @@@@ -6423,7 +6425,7 @@@@ a20 1 #line $LINENO "configure" d22 2 a23 1 @@@@ -6476,7 +6478,7 @@@@ @ 1.6 log @Update to version 3.45. Also closes PR pkg/22845 by Adrian Portelli. Changes: 3.45: ===== - Added new HTTPOptions and RTSPRequest probes suggested by MadHat (madhat(a)unspecific.com) - Integrated more service signatures from MadHat (madhat(a)unspecific.com), Brian Hatch (bri(a)ifokr.org), Niels Heinen (zillion(a)safemode.org), Solar Designer (solar(a)openwall.com), Seth Master (smaster(a)stanford.edu), and Curt Wilson (netw3_security(a)hushmail.com). - Applied a patch from Solar Eclipse (solareclipse(a)phreedom.org) which increases the allowed size of the 'extrainfo' version field from 80 characters to 128. The main benefit is to allow longer apache module version strings. - Fixed Windows compilation.
- Applied some updates to README-WIN32 sent in by Kirby Kuehl (kkuehl(a)cisco.com). He improved the list of suggested registry changes and also fixed a typo or two. He also attached a .reg file to automate the Nmap connect() scan performance enhancing registry changes. I am now including that with the Nmap Windows binary .zip distribution (and in mswin32/ of the source distro). - Applied a one-line patch from Dmitry V. Levin (ldv@@altlinux.org) which fixes a test Nmap does during compilation to see if an existing libpcap installation is recent enough. 3.40PVT17: ========== - Wrote and posted a new paper on version scanning to http://www.insecure.org/nmap/versionscan.html . Updated nmap-service-probes and the Nmap man page to simply refer to this URL. - Integrated more service signatures from my own scanning as well as contributions from Brian Hatch (bri(a)ifokr.org), MadHat (madhat(a)unspecific.com), Max Vision (vision(a)whitehats.com), HD Moore (hdm(a)digitaloffense.net), Seth Master (smaster(a)stanford.edu), and Niels Heinen (zillion(a)safemode.org). MadHat also contributed a new probe for Windows Media Service. Many people sent a LOT of signatures, which has allowed nmap-service-probes to grow from 295 to 356 signatures representing 85 service protocols! - Applied a patch (with slight changes) from Brian Hatch (bri(a)ifokr.org) which enables caching of SSL sessions so that negotiation doesn't have to be repeated when Nmap reconnects to the same between probes. - Applied a patch from Brian Hatch (bri@@ifokr.org) which optimizes the requested SSL ciphers for speed rather than security. The list was based on empirical evidence from substantial benchmarking he did with tests that resemble nmap-service-scanning. - Updated the Nmap man page to discuss the new version scanning options (-sV, -A). - I now include nmap-version/aclocal.m4 in the distribution as this is required to rebuild the configure script (thanks to Dmitry V.
Levin (ldv(a)altlinux.org) for notifying me of the problem.
- Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which detects whether the PCRE include file is or and Ryan Lowe (rlowe(a)pablowe.net) for giving me access to Mac OS X boxes.
- Stripped down libpcre build system to remove libtool dependency and other cruft that Nmap doesn't need. (this was mostly a response to libtool-related issues on Mac OS X).
- Added a new --version_trace option which causes Nmap to print out extensive debugging info about what version scanning is doing (this is a subset of what you would get with --packet_trace). You should usually use this in combination with at least one -d option.
- Fixed a port number printing bug that would cause Nmap service fingerprints to give a negative port number when the actual port was above 32K. Thanks to Seth Master (smaster@@stanford.edu) for finding this.
- Updated all the header text again to clarify our interpretation of "derived works" after some suggestions from Brian Hatch (bri(a)ifokr.org)
- Updated the Nsock config.sub/config.guess to the same newer versions that Nmap uses (for Mac OS X compilation).
3.40PVT16:
==========
- Fixed a compilation problem on systems w/o OpenSSL that was discovered by Solar Designer. I also fixed some compilation problems on non-IPv6 systems. It now compiles and runs on my Solaris and ancient OpenBSD systems.
- Integrated more services thanks to submissions from Niels Heinen (zillion(a)safemode.org).
- Canonicalized the headers at the top of each Nmap/Nsock header src file. This included clarifying our interpretation of derived works, updating the copyright date to 2003, making the header a bit wider, and a few other light changes. I've been putting this off for a while, because it required editing about a hundred !#$# files!
3.40PVT15:
==========
- Fixed a major bug in the Nsock time caching system.
This could cause service detection to inexplicably fail against certain ports in the second or later machines scanned. Thanks to Solar Designer and HD Moore for helping me track this down.
- Fixed some *BSD compilation bugs found by Zillion (zillion(a)safemode.org).
- Integrated more services thanks to submissions from Fyodor Yarochkin (fygrave(a)tigerteam.net), and Niels Heinen (zillion(a)safemode.org), and some of my own exploring. There are now 295 signatures.
- Fixed a compilation bug found by Solar Designer on machines that don't have struct sockaddr_storage. Nsock now just uses "struct sockaddr *" like connect() does.
- Fixed a bug found by Solar Designer which would cause the Nmap portscan table to be truncated in -oN output files if the results are very long.
- Changed a bunch of large stack arrays (e.g. int portlookup[65536]) into dynamically allocated heap pointers. The large stack variables apparently caused problems on some architectures. This issue was reported by osamah abuoun (osamah_abuoun(a)hotmail.com).
3.40PVT14:
==========
- Added IPv6 support for service scan.
- Added an 'sslports' directive to nmap-service-probes. This tells Nmap which service checks to try first for SSL-wrapped ports. The syntax is the same as the normal 'ports' directive for non-ssl ports. For example, the HTTP probe has an 'sslports 443' line and SMTP-detecting probes have an 'sslports 465' line.
- Integrated more services thanks to submissions from MadHat (madhat(a)unspecific.com), Solar Designer (solar(a)openwall.com), Dug Song (dugsong(a)monkey.org), pope(a)undersec.com, and Brian Hatch (bri(a)ifokr.org).
There are now 288 signatures, matching these 65 service protocols: chargen cvspserver daytime domain echo exec finger font-service ftp ftp-proxy http http-proxy hylafax ident ident imap imaps ipp ircbot ircd irc-proxy issrealsecure landesk-rc ldap meetingmaker microsoft-ds msrpc mud mysql ncacn_http ncp netbios-ns netbios-ssn netsaint netwareip nntp nsclient oracle-tns pcanywheredata pop3 pop3s postgres printer qotd redcarpet rlogind rpc rsync rtsp shell smtp snpp spamd ssc-agent ssh ssl telnet time upnp uucp vnc vnc-http webster whois winshell X11
- Added a Lotus Notes probe from Fyodor Yarochkin (fygrave(a)tigerteam.net).
- Dug Song wins the "award" for most obscure service fingerprint submission. Nmap now detects Dave Curry's Webster dictionary server from 1986 :).
- Service fingerprints now include a 'T=SSL' attribute when SSL tunneling was used.
- More portability enhancements thanks to Solar Designer and his Linux 2.0 libc5 boxes.
- Applied a patch from Gisle Vanem (giva(a)bgnett.no) which improves Windows emulation of the UNIX mmap() and munmap() memory mapping calls.
3.40PVT13:
==========
- Added SSL-scan-through support. If service detection finds a port to be SSL, it will transparently connect to the port using OpenSSL and use version detection to determine what service lies beneath. This feature is only enabled if OpenSSL is available at build time. A new --with-openssl=DIR configure option is available if OpenSSL is not in your default compiler paths. You can use --without-openssl to disable this functionality. Thanks to Brian Hatch (bri(a)ifokr.org) for sample code and other assistance. Make sure you use a version without known exploitable overflows. In particular, versions up to and including OpenSSL 0.9.6d and 0.9.7-beta2 contained serious vulnerabilities described at http://www.openssl.org/news/secadv_20020730.txt . Note that these vulnerabilities are well over a year old at the time of this writing.
- Integrated many more services thanks to submissions from Brian Hatch, HellNBack ( hellnbak(a)nmrc.org ), MadHat, Solar Designer, Simple Nomad, and Shawn Wallis (swallis(a)ku.edu). The number of signatures has grown from 242 to 271. Thanks!
- Integrated Novell Netware NCP and MS Terminal Server probes from Simple Nomad (thegnome(a)nmrc.org).
- Fixed a segfault found by Solar Designer that could occur when scanning certain "evil" services.
- Fixed a problem reported by Solar Designer and MadHat ( madhat(a)unspecific.com ) where Nmap would bail when certain Apache version/info responses were particularly long. It could happen in other cases as well. Now Nmap just prints a warning.
- Fixed some portability issues reported by Solar Designer ( solar(a)openwall.com )
3.40PVT12:
==========
- I added probes for SSL (session startup request) and microsoft-ds (SMB Negotiate Protocol request).
- I changed the default read timeout for a service probe from 7.5s to 5s.
- Fixed a one-character bug that broke many scans when -sV was NOT given. Thanks to Blue Boar (BlueBoar(a)thievco.com) for the report.
3.40PVT11:
==========
- Integrated many more services thanks to submissions from Simple Nomad, Solar Designer, jerickson(a)inphonic.com, Curt Wilson, and Marco Ivaldi. Thanks! The match line count has risen from 201 to 242.
- Implemented a service classification scheme to separate the vendor/product name from the version number and any extra info that is provided. Instead of v/[big version string]/, the new match lines include v/[vendor/productname]/[version]/[extrainfo]/ . See the docs at the top of nmap-service-probes for more info. This doesn't change the normal output (which lumps them together anyway), but they are separate in the XML so that higher-level programs can easily match against just a product name. Here are a few examples of the improved service element:
- I went through nmap-service-probes and added the vendor name to more entries.
I also added the service name where the product name itself didn't make that completely obvious.
- SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken to an extortion campaign of demanding license fees from Linux users for code that they themselves knowingly distributed under the terms of the GNU GPL. They have also refused to accept the GPL, claiming that some preposterous theory of theirs makes it invalid. Meanwhile they have distributed GPL-licensed Nmap in (at least) their "Supplemental Open Source CD". In response to these blatant violations, and in accordance with section 4 of the GPL, we hereby terminate SCO's rights to redistribute any versions of Nmap in any of their products, including (without limitation) OpenLinux, Skunkware, OpenServer, and UNIXWare.
3.40PVT10:
==========
- Added "soft matches". These are similar to normal match lines in that they provide a regex for recognizing a service (but no version). But instead of stopping at softmatch service recognition, the scan continues looking for more info. It only launches probes that are known-capable of matching the softmatched service. If no version number is found, at least the determined service is printed. A service print for submission is also provided in that case. So this provides more informative results and improves efficiency.
- Cleaned up the Windows support a bit and did more testing and fixing. Windows service detection seems to be working fine for me now, although my testing is still pretty limited. This release includes a Windows binary distribution and the README-WIN32 has been updated to reflect new compilation instructions.
- More service fingerprints! Thanks to Solar Designer, Max Vision, Frank Denis (Jedi/Sector One) for the submissions. I also added a bunch from my own testing. The number of match lines went from 179 to 201.
- Updated XML output to handle new version and service detection information.
Here are a few examples of the new output:
- Fixed issue where Nmap would quit when ECONNREFUSED was returned when we try to read from an already-connected TCP socket. FreeBSD does this for some reason instead of giving ECONNRESET. Thanks to Will Saxon (WillS(a)housing.ufl.edu) for the report.
- Removed the SERVICEMATCH_STATIC match type from nmap-service-probes. There wasn't much benefit of this over regular expressions, so it isn't worth maintaining the extra code.
3.40PVT9:
=========
- Added/fixed numerous service fingerprints thanks to submissions from Max Vision, MadHat, Seth Master. Match lines went from 164 to 179.
- The Winpcap libraries used in the Windows build process have been upgraded to version 3.0.
- Most of the Windows port is complete. It compiles and service scan works (I didn't test very deeply) on my WinXP box with VS.Net 2003. I try to work out remaining kinks and do some cleanup for the next version. The Windows code was restructured and improved quite a bit, but much more work remains to be done in that area. I'll probably do a Windows binary .zip release of the next version.
- Various minor fixes
3.40PVT8:
=========
- Service scan is now OFF by default. You can activate it with -sV. Or use the snazzy new -A (for "All recommended features" or "Aggressive") option which turns on both OS detection and service detection.
- Fixed compilation on my ancient OpenBSD 2.3 machine (a Pentium 60 :)
- Added/fixed numerous service fingerprints thanks to submissions from Brian Hatch, HD Moore, Anand R., and some of my own testing. The number of match lines in this version grows from 137 to 164! Please keep 'em coming!
- Various important and not-so-important fixes for bugs I encountered while test scanning.
- The RPC grinder no longer prints a startup message if it has no RPC-detected ports to scan.
- Some of the service fingerprint length limitations are relaxed a bit if you enable debugging (-d).
3.40PVT7:
=========
- Added a whole bunch of services submitted by Brian Hatch (bri(a)ifokr.org). I also added a few Windows-related probes. Nmap-service-probes has gone from 101 match strings to 137. Please keep the submissions coming.
- The question mark now only appears for ports in the OPEN state and when service detection was requested.
- I now print a separator bar between service fingerprints when Nmap prints more than one for a given host so that users understand to submit them individually (suggested by Brian Hatch (bri(a)ifokr.org))
- Fixed a bug that would cause Nmap to print "empty" service fingerprints consisting of just a semi-colon. Thanks to Brian Hatch (bri(a)ifokr.org) for reporting this.
3.40PVT6:
=========
- Banner-scanned hundreds of thousands of machines for ports 21,23,25,110,3306 to collect default banners. Where the banner made the service name/version obvious, I integrated them into nmap-service-probes. This increased the number of 'match' lines from 27 to more than 100.
- Created the service fingerprint submission page at http://www.insecure.org/cgi-bin/servicefp-submit.cgi
- Changed the service fingerprint format slightly for easier processing by scripts.
- Applied a large portability patch from Albert Chin-A-Young (china(a)thewrittenword.com). This cleans up a number of things, particularly for IRIX, Tru64, and Solaris.
- Applied NmapFE patch from Peter Marschall (peter(a)adpm.de) which "makes sure changes in the relay host and scanned port entry fields are displayed immediately, and also keeps the fields editable after de- and reactivating them."
3.40PVT4:
=========
- Limited the size of service fingerprints to roughly 1024 bytes. This was suggested by Niels Heinen (niels(a)heinen.ws), because the previous limit was excessive. The number of fingerprints printed is also now limited to 10.
- Fixed a segmentation fault that could occur when ping-scanning large networks.
- Fixed service scan to gracefully handle host_timeout occurrences when they happen during a service scan.
- Fixed a service_scan bug that would cause an error when hosts send data and then close() during the NULL probe (when we haven't sent anything).
- Applied a patch from Solar Designer (solar(a)openwall.com) which corrects some errors in the Russian man page translation and also a couple typos in the regular man page. Then I spell-checked the man page to reduce future instances of foreigners sending in diffs to correct my English :).
3.40PVT3:
=========
- Nmap now prints a "service fingerprint" for services that it is unable to match despite returning data. The web submission page it references is not yet available.
- Service detection now does RPC grinding on ports it detects to be running RPC.
- Fixed a bug that would cause Nmap to quit with an Nsock error when --host_timeout was used (or when -T5 was used, which sets it implicitly).
- Fixed a bug that would cause Nmap to fail to print the OS fingerprint in certain cases. Thanks to Ste Jones (root(a)networkpenetration.com) for the problem report.
3.40PVT2:
=========
- Nmap now has a simple VERSION detection scheme. The 'match' lines in nmap-service-probes can specify a template version string (referencing subexpression matches from the regex in a perl-like manner) so that the version is determined at the same time as the service. This handles many common services in a highly efficient manner. A more complex form of version detection (that initiates further communication w/the target service) may be necessary eventually to handle services that aren't as forthcoming with version details.
- The Nmap port state table now wastes less whitespace due to using a new and stingy NmapOutputTable class. This makes it easier to read, and also leaves more room for version info and possibly other enhancements.
- Added 's' option to match lines in nmap-service-probes. Just as with the perl 's' option, this one causes '.'
in the regular expression to match any character INCLUDING newline.
- The WinPcap header timestamp is no longer used on Windows as it sometimes can be a couple seconds different than gettimeofday() (which is really _ftime() on Windows) for some reason. Thanks to Scott Egbert (scott.egbert(a)citigroup.com) for the report.
- Applied a patch by Matt Selsky (selsky(a)columbia.edu) which fixes configure.in in such a way that the annoying header file "present but cannot be compiled" warning for Solaris.
- Applied another patch from Matt that (we hope) fixes the "present but cannot be compiled" warning -- this time for Mac OS X.
- Port table header names are now capitalized ("SERVICE", "PORT", etc)
3.40PVT1:
=========
- Initial implementation of service detection. Nmap will now probe ports to determine what is listening, rather than guessing based on the nmap-services table lookup. This can be very useful for services on unidentified ports and for UDP services where it is not always clear (without these probes) whether the port is really open or just firewalled. It is also handy for when services are run on the well-known-port of another protocol -- this is happening more and more as users try to circumvent increasingly strict firewall policies.
- Nmap now uses the excellent libpcre (Perl Compatible Regular Expressions) library from http://www.pcre.org/ . Many systems already have this, otherwise Nmap will use the copy it now includes. If your libpcre is hidden away in some nonstandard place, give ./configure the new --with-libpcre=DIR directive.
- Nmap now uses the C++ Standard Template Library (STL). This makes programming easier, but if it causes major portability or bloat problems, I'll reluctantly remove it.
- Applied a patch from Javier Kohen (jkohen(a)coresecurity.com) which normalizes the names of many Microsoft entries in the nmap-os-fingerprints file.
- Applied a patch by Florin Andrei (florin(a)sgi.com) to the Nmap RPM spec file.
This uses the 'Epoch' flag to prevent the Redhat Network tool from marking my RPMs as "obsolete" and "upgrading" to earlier Redhat-built versions. A compilation flag problem is also fixed.
@
text
@d3 2 a4 2 --- nbase/configure.orig 2003-09-13 06:24:43.000000000 +0200 +++ nbase/configure 2003-09-17 02:08:19.000000000 +0200 d14 1 a14 37 @@@@ -3314,7 +3316,7 @@@@ # If they didn't specify it, we try to find it -if test "$use_openssl" == "yes" -a "${specialssldir+set}" == "set" ; then +if test "$use_openssl" = "yes" -a "${specialssldir+set}" = "set" ; then if test "${ac_cv_header_openssl_ssl_h+set}" = set; then echo "$as_me:$LINENO: checking for openssl/ssl.h" >&5 echo $ECHO_N "checking for openssl/ssl.h... $ECHO_C" >&6 @@@@ -3456,7 +3458,7 @@@@ - if test "$use_openssl" == "yes"; then + if test "$use_openssl" = "yes"; then if test "${ac_cv_header_openssl_err_h+set}" = set; then echo "$as_me:$LINENO: checking for openssl/err.h" >&5 echo $ECHO_N "checking for openssl/err.h... $ECHO_C" >&6 @@@@ -3599,7 +3601,7 @@@@ fi - if test "$use_openssl" == "yes"; then + if test "$use_openssl" = "yes"; then if test "${ac_cv_header_openssl_rand_h+set}" = set; then echo "$as_me:$LINENO: checking for openssl/rand.h" >&5 echo $ECHO_N "checking for openssl/rand.h... $ECHO_C" >&6 @@@@ -3742,7 +3744,7 @@@@ fi - if test "$use_openssl" == "yes"; then + if test "$use_openssl" = "yes"; then echo "$as_me:$LINENO: checking for SSL_new in -lssl" >&5 echo $ECHO_N "checking for SSL_new in -lssl... $ECHO_C" >&6 @@@@ -3750,7 +3752,7 @@@@ d23 1 a23 1 @@@@ -3803,7 +3805,7 @@@@ a31 9 @@@@ -3816,7 +3818,7 @@@@ fi fi -if test "$use_openssl" == "yes"; then +if test "$use_openssl" = "yes"; then cat >>confdefs.h <<\_ACEOF #define HAVE_OPENSSL 1 _ACEOF
@
1.5
log
@Updated to version 3.20. Based on patch sent by Juan RP via PR pkg/20839.
Changes:
Nmap 3.20:
==========
o The random IP input option (-iR) now takes an argument specifying how many IPs you want to scan (e.g. -iR 1000).
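Review bot: the visible `==` to `=` rewrites in the `test "$use_openssl"` checks (hunks -3314, -3456, -3599, -3742 and -3816) are the right portability fix, since `==` is not an operator POSIX test(1) defines and a plain /bin/sh rejects it, but the patch edits the generated nbase/configure rather than the configure.in/aclocal inputs it is built from (the 3.40PVT17 entry in the 1.6 log notes that aclocal.m4 is shipped precisely so configure can be rebuilt), so the fix is lost on the next regeneration; suggest carrying the same one-character change against the configure source as well, or at least stating in the patch header that it deliberately targets generated output. The -3750 and -3803 hunks appear here only as RCS `d23 1 a23 1` directives without their content lines, so they cannot be checked from this view.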
Specify 0 for the old neverending scan behavior.
o Fixed a tricky memory leak discovered by Mugz (mugz@@x-mafia.com).
o Fixed output truncation problem noted by Lionel CONS (lionel.cons@@cern.ch)
o Fixed a bug that would cause certain incoming ICMP error messages to be improperly ignored.
Nmap 3.15BETA3:
===============
o Made numerous improvements to the timing behavior of "-T Aggressive" (same as -T4) scans. It is now recommended for regular use by impatient people with a fast connection. "-T Insane" mode has also been updated, but we only recommend that for, well, insane people.
o Made substantial changes to the SYN/connect()/Window scanning algorithms for improved speeds, especially against heavily filtered hosts. If you notice any timing problems (misidentified ports, etc.), please send me the details (including full Nmap output and a description of what is wrong). Reports of any timing problems with -T4 would be helpful as well.
o Changed Nmap such that ALL syn scan packets are sent from the port you specify with -g. Retransmissions used to utilize successively higher ports. This change has a downside in that some operating systems (such as Linux) often won't reply to the retransmissions because they reuse the same connection specifier quad (srcip:srcport:dstip:dstport). Overall I think this is a win.
o Added timestamps to "Starting nmap" line and each host port scan in verbose (-v) mode. These are in ISO 8601 standard format because unlike President Bush, we actually care about International consensus :).
o Nmap now comes by default in .tar.bz2 format, which compresses about 20% further. You can still find .tgz in the dist directory at http://download.insecure.org/nmap/dist/?M=D .
o Various other minor bugfixes, new services, fingerprints, etc.
Nmap 3.15BETA2:
===============
o I added support for a brand new "port" that many of you may have never scanned before! UDP & TCP "port 0" (and IP protocol 0) are now permitted if you specify 0 explicitly.
An argument like "-p -40" would still scan ports 1-40. Unlike ports, protocol 0 IS now scanned by default. This now works for ping probes too (e.g., -PS, -PA).
o Applied patch by Martin Kluge (martin@@elxsi.info) which adds --ttl option, which sets the outgoing IPv4 TTL field in packets sent via all raw scan types (including ping scans and OS detection). The patch "should work" on Windows, but hasn't been tested. A TTL of 0 is supported, and even tends to work on a LAN:
14:17:19.474293 192.168.0.42.60214 > 192.168.0.40.135: S 3265375623:3265375623(0) win 1024 [ttl 0] (id 35919, len 40)
14:17:19.474456 192.168.0.40.135 > 192.168.0.42.60214: S 2805154856:2805154856(0) ack 3265375624 win 64240 (DF) (ttl 128, id 49889, len 44)
o Applied patch by Gabriel L. Somlo ( somlo@@acns.colostate.edu ) which extends the multi-ping-port functionality to nonroot and IPv6 connect() users.
o I added a new --datadir command line option which allows you to specify the highest priority directory for Nmap data files nmap-services, nmap-os-fingerprints, and nmap-rpc. Any files which aren't in the given dir will be searched for in the $NMAPDIR environmental variable, ~/nmap/, a compiled in data directory (e.g. /usr/share/nmap), and finally the current directory.
o Fixed Windows (VC++ 6) compilation, thanks to patches from Kevin Davis (computerguy@@cfl.rr.com) and Andy Lutomirski (luto@@stanford.edu)
o Included new Latvian man page translation by "miscelerious options" (misc@@inbox.lv)
o Fixed Solaris compilation when Sun make is used rather than GNU make. Thanks to Tom Duffy (tduffy@@sun.com) for assistance.
o Applied patch from Stephen Bishop (sbishop@@idsec.co.uk) which prevents certain false-positive responses when Nmap raw TCP ping scans are being run in parallel.
o To emphasize the highly professional nature of Nmap, I changed all instances of "fucked up" in error message text into "b0rked".
o Fixed a problem with nmap-frontend RPMs that would cause a bogus /bin/xnmap link to be created (it should only create /usr/bin/xnmap). Thanks to Juho Schultz (juho.schultz@@astro.helsinki.fi) for reporting the problem.
o I made the maximum number of allowed routes and interfaces allowed on the scanning machine dynamic rather than hardcoded #defines of 1024 and 128. You never know -- some wacko probably has that many :).
Nmap 3.15BETA1:
===============
o Integrated the largest OS fingerprint DB updates ever! Thanks to everyone who contributed signatures! New or substantially modified fingerprints included the latest Windows 2K/XP changes, Cisco IOS 12.2-based routers and PIX 6.3 firewalls, FreeBSD 5.0, AIX 5.1, OpenBSD 3.2, Tru64 5.1A, IBM OS/400 V5R1M0, dozens of wireless APs, VOIP devices, firewalls, printers, print servers, cable modems, webcams, etc. We've even got some mod-chipped Xbox fingerprints now!
o Applied NetBSD portability patch by Darren Reed (darrenr@@reed.wattle.id.au)
o Updated Makefile to better-detect if it can't make nmapfe and provide a clearer error message. Also fixed a couple compiler warnings on some *BSD platforms.
o Applied patch from "Max" (nmap@@webwizarddesign.com) which adds the port owner to the "addport" XML output lines which are printed (only in verbose mode, I think) as each open port is discovered.
o I killed the annoying whitespace that is normally appended after the service name. Now it is only there when an owner was found via -sI (in which case there is a fourth column and so "service" must be exactly 24 characters).
Nmap 3.10ALPHA9:
================
o Reworked the "ping scan" algorithm (used for any scan except -P0 or -sL) to be more robust in the face of low-bandwidth and congested connections. This also improves reliability in the multi-port and multi-type ping cases described below.
o "Ping types" are no longer exclusive -- you can now do combinations such as "-PS22,53,80 -PT113 -PN -PE" in order to increase your odds of passing through strict filters. The "PB" flag is now deprecated since you can achieve the same result via "PE" and "PT" options.
o Applied patch (with modest changes) by Gabriel L. Somlo (somlo@@acns.colostate.edu), which allows multiple TCP probe ports in raw (root) mode. See the previous item for an example.
o Fixed a libpcap compilation issue noted by Josef 'Jupp' Schugt (deusxmachina@@webmail.co.za) which relates to the definition (or lack thereof) of ARPHRD_HDLC (used for Cisco HDLC frames).
o Tweaked the version number (-V) output slightly.
Nmap 3.10ALPHA7:
================
o Upgraded libpcap from version 0.6.2 to 0.7.1. Updated the libpcap-possiblymodified/NMAP_MODIFICATIONS file to give a much more extensive list (including diffs) of the changes included in the Nmap bundled version of Libpcap.
o Applied patch to fix a libpcap alignment bug found by Tom Duffy (tduffy@@sun.com).
o Fixed Windows compilation.
o Applied patch by Chad Loder (cloder@@loder.us) of Rapid7 which fixes OpenBSD compilation. I believe Chad is now the official OpenBSD Nmap "port" maintainer. His patch also adjusted random-scan (-iR) to include the recently allocated 82.0.0.0/8 space.
o Fixed (I hope) a few compilation problems on non-IPv6-enabled machines which were noted by Josef 'Jupp' Schugt (jupp@@gmx.de)
o Included some man page translations which were inadvertently missed in previous tarballs.
o Applied patch from Matthieu Verbert (mve@@zurich.ibm.com) which places the Nmap man pages under ${prefix}/share/man rather than ${prefix}/man when installed via RPM. Maybe the tarball install should do this too? Opinions?
o Applied patch from R Anderson (listbox@@pole-position.org) which improves the way ICMP port unreachables from intermediate hosts are handled during UDP scans.
o Added note to man page related to Nmap US export control.
I believe Nmap falls under ECCN 5D992, which has no special restrictions beyond the standard export denial to a handful of rogue nations such as Iraq and North Korea.
o Added a warning that some hosts may be skipped and/or repeated when someone tries to --resume a --randomize_hosts scan. This was suggested by Crayden Mantelium (crayden@@sensewave.com)
o Fixed a minor memory leak noted by Michael Davis (mike@@datanerds.net).
Nmap 3.10ALPHA4:
================
o Applied patch by Max Schubert (nmap@@webwizarddesign.com) which adds an add-port XML tag whenever a new port is found open when Nmap is running in verbose mode. The new tag looks like: I also updated docs/nmap.dtd to recognize this new tag.
o Added German translation of Nmap manpage by Marc Ruef (marc.ruef@@computec.ch). It is also available at http://www.insecure.org/nmap/data/nmap_manpage-de.html
o Includes a brand new French translation of the manpage by Sebastien Blanchet. You could probably guess that it is available at http://www.insecure.org/nmap/data/nmap_manpage-fr.html
o Applied some patches from Chad Loder (cloder@@loder.us) which update the random IP allocation pool and improve OpenBSD support. Some were from the OBSD Nmap patchlist.
o Fixed a compile problem on machines without PF_INET6. Thanks to Josef 'Jupp' Schugt (deusxmachina@@webmail.co.za) for noting this.
Nmap 3.10ALPHA3:
================
o Added --min_parallelism option, which makes scans more aggressive and MUCH faster in certain situations -- especially against firewalled hosts. It is basically the opposite of --max_parallelism (-M). Note that reliability can be lost if you push it too far.
o Added --packet_trace option, which tells Nmap to display all of the packets it sends and receives in a format similar to tcpdump. I mostly added this for debugging purposes, but ppl wishing to learn how Nmap works or for experts wanting to ensure Nmap is doing exactly what they expect.
If you want this feature supported under Windows, please send me a patch :).
o Fixed a segmentation fault in Idlescan (-sI).
o Made Idlescan timing more conservative when -P0 is specified to improve accuracy.
o Fixed an infinite-loop condition that could occur during certain dropped-packet scenarios in an Idle scan.
o Nmap now reports execution times to millisecond precision (rather than rounding to the nearest second).
o Fixed an infinite loop caused by invalid port arguments. Problem noted by fejed (fejed@@uddf.net).
Nmap 3.10ALPHA2:
================
o Fixed compilation and IPv6 support on FreeBSD (tested on 4.6-STABLE). Thanks to Niels Heinen (niels.heinen@@ubizen.com) for suggestions.
o Made some portability changes based on suggestions by Josef 'Jupp' Schugt (jupp@@gmx.de)
o Fixed compilation and IPv6 support on Solaris 9 (haven't tested earlier versions).
Nmap 3.10ALPHA1:
================
o IPv6 is now supported for TCP scan (-sT), connect()-style ping scan (-sP), and list scan (-sL)! Just specify the -6 option and the IPv6 numbers or DNS names. Netmask notation is not currently supported -- I'm not sure how useful it is for IPv6, where even petty end users may be allocated trillions of addresses (/80). If you need one of the scan types that hasn't been ported yet, give Sebastien Peterson's patch a try at http://nmap6.sourceforge.net/ . If there is demand, I may integrate more of that into Nmap.
o Major code restructuring, which included conversion to C++ -- so you'll need g++ or another C++ compiler. I accidentally let a C++ requirement slip in a while back and found that almost everyone has such a compiler. Windows (VC++) users: see the README-WIN32 for new compilation instructions.
o Applied patch from Axel Nennker (Axel.Nennker@@t-systems.com) which adds a --without-nmapfe option to the configure script. This is useful if your system doesn't have the proper libraries (eg GTK) or if you think GUIs are for sissies :).
o Removed arbitrary max_parallelism (-M) limitations, as suggested by William McVey ( wam@@cisco.com ).
o Added DEC OSF to the platforms that require the BSDFIX() macro due to taking ip length and offset fields in host rather than network byte order. Suggested by Dean Bennett (deanb@@gbtn.net)
o Fixed a debug statement C ambiguity discovered by Kronos (kronos@@kronoz.cjb.net)
@
text
@d3 2 a4 2 --- nbase/configure.orig 2003-03-22 04:36:20.000000000 +0100 +++ nbase/configure 2003-03-22 04:39:41.000000000 +0100 d14 63
@
1.4
log
@Update nmap to 3.00.
Changes:
* Added protocol scan (-sO), which determines what IP protocols (TCP, IGMP, GRE, UDP, ICMP, etc) are supported by a given host. This uses a clever technique designed and implemented by Gerhard Rieger .
* Nmap now recognizes more than 700 operating system versions and network devices (printers, webcams, routers, etc) thanks to thousands of contributions from the user community! Many operating systems were even recognized by Nmap prior to their official release. Nmap3 also recognizes 2148 port assignments, 451 SunRPC services, and 144 IP protocols.
* Added Idlescan (-sI), which bounces the scan off a "zombie" machine. This can be used to bypass certain (poorly configured) firewalls and packet filters. In addition, this is the most stealthy Nmap scan mode, as no packets are sent to the target from your true IP address.
* The base Nmap package now builds and functions under Windows! It is distributed in three forms: build-it-yourself source code, a simple command-line package, or along with a nice GUI interface (NmapWin) and a fancy installer. This is due to the hard work of Ryan Permeh (from eEye), Andy Lutomirski, and Jens Vogt.
* Mac OS X is now supported, as well as the latest versions of Linux, OpenBSD, Solaris, FreeBSD, and most other UNIX platforms. Nmap has also been ported to several handheld devices -- see the Related Projects page for further information.
* XML output (-oX) is now available for smooth interoperability between Nmap and other tools.
* Added ICMP Timestamp and Netmask ping types (-PP and -PM). These (especially timestamp) can be useful against some hosts that do not respond to normal ping (-PI) packets. Nmap still allows TCP "ping" as well.
* Nmap can now detect the uptime of many hosts when the OS Scan option (-O) is used.
* Several new tests have been added to make OS detection more accurate and provide more granular version information.
* Removed 128.210.*.* addresses from Nmap man page examples due to complaints from Purdue security staff.
* The --data_length option was added, allowing for longer probe packets. Among other uses, this defeats certain simplistic IDS signatures.
* You can now specify distinct UDP and TCP port numbers in a single scan command using a command like 'nmap -sSU -p U:53,111,137,T:21-25,80,139,515,6000,8080 target.com'. See the man page for more usage info.
* Added mysterious, undocumented --scanflags and --fuzzy options.
* Nmap now provides IPID as well as TCP ISN sequence predictability reports if you use -v and -O.
* SYN scan is now the default scan type for privileged (root) users. This usually offers greater performance while reducing network traffic.
* Capitalized all references to God in error messages.
* Added List scan (-sL) which enumerates targets without scanning them.
* The Nmap "random IP" scanning mode is now smart enough to skip many unallocated netblocks.
* Tons more minor features, bugfixes, and portability enhancements.
@
text
@d3 11
a13 20
--- nmap-services.orig Sat Jul 20 11:19:26 2002 +++ nmap-services @@@@ -1748,7 +1748,7 @@@@ dls-monitor 2048/udp # nfs 2049/tcp # networked file system nfs 2049/udp # networked file system -distrib-net-losers 2064/tcp # A group of lamers working on a silly closed-source client for solving the RSA cryptographic challenge. This is the keyblock proxy port.
+distrib-net-kbproxy 2064/tcp # keyblock proxy port for distributed.net-clients knetd 2053/tcp # dlsrpn 2065/tcp # Data Link Switch Read Port Number dlsrpn 2065/udp # Data Link Switch Read Port Number @@@@ -1809,7 +1809,7 @@@@ cfs 3049/tcp # cryptographic file system (nfs) (proposed) cfs 3049/udp # cryptographic file system (nfs) PowerChute 3052/tcp -distrib-net-proxy 3064/tcp # Stupid closed source distributed.net project proxy port +distrib-net-proxy 3064/tcp # distributed.net project proxy port sj3 3086/tcp # SJ3 (kanji input) squid-http 3128/tcp # squid-ipc 3130/udp #
@


1.3
log
@Fix for linux a different way - make more like NetBSD configuration and use net/libpcap. Also fix DEPENDS for Solaris and Linux
@
text
@d3 1 a3 1 --- nmap-services.orig Tue May 9 07:21:44 2000 d5 1 a5 1 @@@@ -1725,7 +1725,7 @@@@ d9 1 a9 1 -distrib-netassholes 2064/tcp # A group of lamers working on a silly closed-source client for solving the RSA cryptographic challenge. This is the keyblock proxy port. d11 1 d14 1 a14 3 dlswpn 2067/tcp # Data Link Switch Write Port Number @@@@ -1783,7 +1783,7 @@@@ deslogind 3006/tcp # d17 1
@


1.2
log
@Rework NetBSD hack to not break Linux build
@
text
@@


1.1
log
@Fix nmap to work with our non-standard DLT_PPP_* values. Patches mostly by Itojun.
@
text
@d3 20
a22 15
--- tcpip.c.orig Sun Apr 30 02:12:24 2000 +++ tcpip.c @@@@ -995,6 +995,12 @@@@ #ifdef DLT_PPP_BSDOS case DLT_PPP_BSDOS: #endif +#ifdef DLT_PPP_SERIAL + case DLT_PPP_SERIAL: +#endif +#ifdef DLT_PPP_ETHER + case DLT_PPP_ETHER: +#endif #if (FREEBSD || OPENBSD || NETBSD || BSDI) offset = 4; #else
@
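Review bot: in the tcpip.c hunk (the 1.1 delta) both new cases, DLT_PPP_SERIAL and DLT_PPP_ETHER, fall through to the same `offset = 4;` that the existing DLT_PPP_BSDOS case uses on the BSD platforms, so the patch assumes PPP-over-Ethernet frames carry the same link-layer header length as HDLC-style serial PPP frames. Confirm the 4-byte offset is correct for DLT_PPP_ETHER on the libpcap versions this is meant for, or give it its own case with its own offset; a wrong offset here means every captured reply is parsed from the wrong byte and silently misattributed or dropped. The commit message should also name which "non-standard DLT_PPP_* values" are being handled so a later reader can tell when the #ifdef guards become unnecessary.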
