Changes:
- Put Nmap on a diet, with changes to the core port scanning routine
(ultra_scan) to substantially reduce memory consumption, particularly
when tens of thousands of ports are scanned.
- Wrote a new man page from scratch. It is much more comprehensive
(more than twice as long) and (IMHO) better organized than the
previous one. Read it online at http://www.insecure.org/nmap/man/
or docs/nmap.1 from the Nmap distribution. Let me know if you have
any ideas for improving it.
- Wrote a new "help screen", which you get when running Nmap without
arguments. It is also reproduced in the man page and at
http://www.insecure.org/nmap/data/nmap.usage.txt . I gave up trying
to fit it within a 25-line, 80-column terminal window. It is now 78
lines and summarizes all but the most obscure Nmap options.
- Removed foreign translations of the old man page from the
distribution. Included the following contributed translations
(nroff format) of the new man page:
Brazilian Portuguese by Lucien Raven (lucienraven(a)yahoo.com.br)
Portuguese (Portugal) by José Domingos (jd_pt(a)yahoo.com) and
Andreia Gaita (shana.ufie(a)gmail.com).
- Fixed a crash in IPID Idle scan. Thanks to Ron
(iago(a)valhallalegends.com>, Bakeman (bakeman(a)physics.unr.edu),
and others for reporting the problem.
- Applied some small fixes so that Nmap compiles with Visual C++
2005 Express, which is free from Microsoft at
http://msdn.microsoft.com/vstudio/express/visualc/ . Thanks to KX
(kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com)
- Version detection softmatches (when Nmap determines the service
protocol such as smtp but isn't able to determine the app name such as
Postfix) can now parse out the normal match line fields such as
hostname, device type, and extra info. For example, we may not know
what vendor created an sshd, but we can still parse out the protocol
number. This was a patch from Doug Hoyte (doug(a)hcsw.org).
- Fixed a problem which caused UDP version scanning to fail to print
the matched service. Thanks to Martin Macok
(martin.macok(a)underground.cz) for reporting the problem and Doug
Hoyte (doug(a)hcsw.org) for fixing it.
- Made the version detection "ports" directive (in
nmap-service-probes) more comprehensive. This should speed up scans a
bit. The patch was done by Doug Hoyte (doug(a)hcsw.org).
- Integrated all of the September version detection fingerprint
submissions. This was done by Version Detection Czar Doug Hoyte
(doug(a)hcsw.org) and resulted in 86 new match lines. Please keep
those submissions coming!
- Fixed a bunch of typos and misspellings throughout the Nmap source
code (mostly in comments). This was a 625-line patch by Saint Xavier
(skyxav(a)skynet.be).
- Added the --webxml option, which does the same thing as
--stylesheet http://www.insecure.org/nmap/data/nmap.xsl , without
requiring you to remember the exact URL or type that whole thing.
- Fixed a possible aliasing problem in tcpip.cc by applying a patch sent in by
Gwenole Beauchesne (gbeauchesne(a)mandriva.com). This problem
shouldn't have had any effect on users since we already include the
-fno-strict-aliasing option whenever gcc 4 is detected, but it
brings us closer to being able to remove that option.
- Fixed a problem with the -S and -e options (spoof/set
source address, and set interface by name, respectively). The problem
report and a partial patch were sent by Richard Birkett
(richard(a)musicbox.net).
- Fixed a problem with the -S and option on Windows reporting "Failed
to resolve/decode supposed IPv4 source address". The -D (decoy)
option was probably broken on that platform too. Thanks to KX
(kxmail(a)gmail.com) for reporting the problem and tracking down a
potential solution.
- Added --thc option (undocumented)
- Modified libdnet-stripped/src/eth-bsd.c to allow for up to 128 bpf
devices rather than 32. This prevents errors like "Failed to open
ethernet interface (fxp0)" when there are more than 32 interface
aliases. Thanks to Krok (krok(a)void.ru) for reporting the problem
and even sending a patch.
- Fixed a minor syntax error in tcpip.h that was causing problems with
GCC 4.1. Thanks to Dirk Mueller (dmuell(a)gmx.net) for reporting
the problem and sending a fix.
- Define INET_ADDRSTRLEN in tcpip.h if the system doesn't define it
for us. This apparently aids compilation on Solaris 2.6 and 7.
Thanks to Albert Chin (nmap-hackers(a)mlists.thewrittenword.com) for
sending the patch..
- Fixed an inefficiency in RPC scan that could slow things down and
also sometimes resulted in the spurious warning message: Ünable to
find listening socket in get_rpc_results"
- Fixed a compilation problem on Mac OS X and perhaps other platforms
with a one-line fix to scan_engine.cc. Thanks to Felix Gröbert
(felix(a)groebert.org) for notifying me of the problem.
- Nmap now accepts target list files in Windows end-of-line format (\r\n)
as well as standard UNIX format (\n) on all platforms. Passing a
Windows style file to Nmap on UNIX didn't work before unless you ran
dos2unix first.
- Fixed a problem that prevented the command "nmap -sT -PT <targets>"
from working from a non-privileged user account. The -PT option
doesn't change default behavior in this case, but Nmap should (and now
does) allow it.
- Better handle ICMP type 3, code 0 (network unreachable) responses to
port scan packets. These are rarely seen when scanning hosts that
are actually online, but are still worth handling.
- Fixed a crash occured when the --exclude option was used with
netmasks on certain platforms. Thanks to Adam
(nmapuser(a)globalmegahost.com) for reporting the problem and to
Greg Darke (starstuff(a)optusnet.com.au) for sending a patch (I
modified the patch a bit to make it more efficient).
- Removed Identd scan support from NmapFE since Nmap no longer
supports it. Thanks to Jonathan Dieter (jdieter99(a)gmx.net) for the
patch.
- Fixed a bug that caused Nmap to crash if an nmap-service-probes file
was used which didn't contain the Exclude directive.
- Fixed a divide-by-zero crash when you specify rather bogus
command-line arguments (a TCP scan with zero tcp ports). Thanks to
Bart Dopheide (dopheide(a)fmf.nl) for identifying the problem and
sending a patch.
Changes:
3.93:
=====
o Modified Libpcap's configure.ac to compile with the
--fno-strict-aliasing option if gcc 4.X is used. This prevents when
said compiler is used. This was done for Nmap in 3.90, but is
apparently needed for pcap too. Thanks to Craig Humphrey
(Craig.Humphrey(a)chapmantripp.com) for the discovery.
o Patched libdnet to include sys/uio.h in src/tun-linux.c. This is
apparently necessary on some Glibc 2.1 systems. Thanks to Rob Foehl
(rwf(a)loonybin.net) for the patch.
o Fixed a crash which could occur when a ridiculously short
--host_timeout was specified on Windows (or on UNIX if --send_eth was
specified). Nmap now also prints a warning if you specify a
host_timeout of less than 1 second. Thanks to Ole Morten Grodaas
(grodaas(a)gmail.com) for discovering the problem.
3.91:
=====
o Fixed a crash on Windows when you -P0 scan an unused IP on a local
network (or a range that contains unused IPs). This could also
happen on UNIX if you specified the new --send_eth option. Thanks
to Jim Carras (JFCECL(a)engr.psu.edu) for reporting the problem.
o Fixed compilation on OpenBSD by applying a patch from Okan Demirmen
(okan(a)demirmen.com), who maintains Nmap in the OpenBSD Ports
collection.
o Updated nmap-mac-prefixes to include OUIs assigned by the IEEE since
April.
o Updated the included libpcre (used for version detection) from
version 4.3 to 6.3. A libpcre securty issue was fixed in 6.3, but
that issue never affected Nmap.
o Updated the included libpcap from 0.8.3 to 0.9.3. I also changed
the directory name in the Nmap tarball from libpcap-possiblymodified
to just libpcap. As usual, the modifications are described in the
NMAP_MODIFICATIONS in that directory.
3.90:
=====
o Added the ability for Nmap to send and properly route raw ethernet
packets cointaining IP datagrams rather than always sending the
packets via raw sockets. This is particularly useful for Windows,
since Microsoft has disabled raw socket support in XP for no good
reason. Nmap tries to choose the best method at runtime based on
platform, though you can override it with the new --send_eth and
--send_ip options.
o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
determine whether hosts on a LAN are up, rather than relying on
higher-level IP packets (which can only be sent after a successful
ARP request and reply anyway). This is much faster and more
reliable (not subject to IP-level firewalling) than IP-based probes.
The downside is that it only works when the target machine is on the
same LAN as the scanning machine. It is now used automatically for
any hosts that are detected to be on a local ethernet network,
unless --send_ip was specified. Example usage: nmap -sP -PR
192.168.0.0/16 .
o Added the --spoof_mac option, which asks Nmap to use the given MAC
address for all of the raw ethernet frames it sends. The MAC given
can take several formats. If it is simply the string "0", Nmap
chooses a completely random MAC for the session. If the given
string is an even number of hex digits (with the pairs optionally
separated by a colon), Nmap will use those as the MAC. If less than
12 hex digits are provided, Nmap fills in the remainder of the 6
bytes with random values. If the argument isn't a 0 or hex string,
Nmap looks through the nmap-mac-prefixes to find a vendor name
containing the given string (it is case insensitive). If a match is
found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
remaining 3 bytes randomly. Valid --spoof_mac argument examples are
"Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
"Cisco".
o Applied an enormous nmap-service-probes (version detection) update
from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had
1064 match lines covering 195 service protocols. Now we have 2865
match lines covering 359 protocols! So the database size has nearly
tripled! This should make your -sV scans quicker and more
accurate. Thanks also go to the (literally) thousands of you who
submitted service fingerprints. Keep them coming!
o Applied a massive OS fingerprint update from Zhao Lei
(zhaolei(a)gmail.com). About 350 fingerprints were added, and many
more were updated. Notable additions include Mac OS X 10.4 (Tiger),
OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
with a new "robotic pet" device type category), the latest Linux 2.6
kernels Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
3.8.X, and Solaris 10. Of course there are also tons of new
broadband routers, printers, WAPs and pretty much any other device
you can coax an ethernet cable (or wireless card) into!
o Added 'leet ASCII art to the confugrator! ARTIST NOTE: If you think
the ASCII art sucks, feel free to send me alternatives. Note that
only people compiling the UNIX source code get this. (ASCII artist
unknown).
o Added OS, device type, and hostname detection using the service
detection framework. Many services print a hostname, which may be
different than DNS. The services often give more away as well. If
Nmap detects IIS, it reports an OS family of "Windows". If it sees
HP JetDirect telnetd, it reports a device type of "printer". Rather
than try to combine TCP/IP stack fingerprinting and service OS
fingerprinting, they are both printed. After all, they could
legitimately be different. An IP that gives a stack fingerprint
match of "Linksys WRT54G broadband router" and a service fingerprint
of Windows based on Kazaa running is likely a common NAT setup rather
than an Nmap mistake.
o Nmap on Windows now compiles/links with the new WinPcap 3.1
header/lib files. So please upgrade to 3.1 from
http://www.winpcap.org before installing this version of Nmap.
While older versions may still work, they aren't supported with Nmap.
o The official Nmap RPM files are now compiled statically for better
compatability with other systems. X86_64 (AMD Athlon64/Opteron)
binaries are now available in addition to the standard i386. NmapFE
RPMs are no longer distributed by Insecure.Org.
o Nmap distribution signing has changed. Release files are now signed
with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also
generated a new key for himself (KeyID 33599B5F). The Nmap key has
been signed by Fyodor's new key, which has been signed by Fyodor's
old key so that you know they are legit. The new keys are available
at http://www.insecure.org/nmap/data/nmap_gpgkeys.txt , as
docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
keyserver network. Here are the fingerprints:
pub 1024D/33599B5F 2005-04-24
Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
uid Fyodor <fyodor@insecure.org>
sub 2048g/D3C2241C 2005-04-24
pub 1024D/6B9355D0 2005-04-24
Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
uid Nmap Project Signing Key (http://www.insecure.org/)
sub 2048g/A50A6A94 2005-04-24
o Fixed a crash problem related to non-portable varargs (vsnprintf)
usage. Reports of this crash came from Alan William Somers
(somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
This patch was prevalent on Linux boxes running an Opteron/Athlon64
CPU in 64-bit mode.
o Fixed crash when Nmap is compiled using gcc 4.X by adding the
--fno-strict-aliasing option when that compiler is detected. Thanks
to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
this option fixes (hides) the problem and to Duilio J. Protti
(dprotti(a)flowgate.net) for writing the configure patch to detect
gcc 4 and add the option. A better fix is to identify and rewrite
lines that violate C99 alias rules, and we are looking into that.
o Added "rarity" feature to Nmap version detection. This causes
obscure probes to be skipped when they are unlikely to help. Each
probe now has a "rarity" value. Probes that detect dozens of
services such as GenericLines and GetRequest have rarity values of
1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
When interrogating a port, Nmap always tries probes registered to
that port number. So even WWWOFFLEctrlstat will be tried against
port 8081 and mydoom will be tried against open ports between 3127
and 3198. If none of the registered ports find a match, Nmap tries
probes that have a rarity less than or equal to its current
intensity level. The intensity level defaults to 7 (so that most of
the probes are done). You can set the intensity level with the new
--version_intensity option. Alternatively, you can just use
--version_light or --version_all which set the intensity to 2 (only
try the most important probes and ones registered to the port
number) and 9 (try all probes), respectively. --version_light is
much faster than default version detection, but also a bit less
likely to find a match. This feature was designed and implemented
by Doug Hoyte (doug(a)hcsw.org).
o Added a "fallback" feature to the nmap-service-probes database.
This allows a probe to "inherit" match lines from other probes. It
is currently only used for the HTTPOptions, RTSPRequest, and
SSLSessionReq probes to inherit all of the match lines from
GetRequest. Some servers don't respond to the Nmap GetRequest (for
example because it doesn't include a Host: line) but they do respond
to some of those other 3 probes in ways that GetRequest match lines
are general enough to match. The fallback construct allows us to
benefit from these matches without repeating hundreds of signatures
in the file. This is another feature designed and implemented
by Doug Hoyte (doug(a)hcsw.org).
o Fixed crash with certain --excludefile or
--exclude arguments. Thanks to Kurt Grutzmacher
(grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for
reporting the problem, and to Duilio J. Protti
(dprotti(a)flowgate.net) for debugging the issue and sending the
patch.
o Updated random scan (ip_is_reserved()) to reflect the latest IANA
assignments. This patch was sent in by Felix Groebert
(felix(a)groebert.org).
o Included new Russian man page translation by
locco_bozi(a)Safe-mail.net
o Applied pach from Steve Martin (smartin(a)stillsecure.com) which
standardizes many OS names and corrects typos in nmap-os-fingerprints.
o Fixed a crash found during certain UDP version scans. The crash was
discovered and reported by Ron (iago(a)valhallalegends.com) and fixed
by Doug Hoyte (doug(a)hcsw.com).
o Added --iflist argument which prints a list of system interfaces and
routes detected by Nmap.
o Fixed a protocol scan (-sO) problem which led to the error message:
"Error compiling our pcap filter: syntax error". Thanks to Michel
Arboi (michel(a)arboi.fr.eu.org) for reporting the problem.
o Fixed an Nmap version detection crash on Windows which led to the
error message "Unexpected error in NSE_TYPE_READ callback. Error
code: 10053 (Unknown error)". Thanks to Srivatsan
(srivatsanp(a)adventnet.com) for reporting the problem.
o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers
(TSellers(a)trustmark.com).
o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make
Nmap compile with Cygwin.
o XML "osmatch" element now has a "line" attribute giving the
reference fingerprint line number in nmap-os-fingerprints.
o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
(mueller(a)kde.org) to nmap-service-probes. Also added AFS version
probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And
even more probes and matches from Martin Macok
(martin.macok(a)underground.cz)
o Fixed a problem where Nmap compilation would use header files from
the libpcap included with Nmap even when it was linking to a system
libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan
Demirmen (okan(a)demirmen.com) for reporting the problem.
o Added configure option --with-libpcap=included to tell Nmap to use
the version of libpcap it ships with rather than any that may already be
installed on the system. You can still use --with-libpcap=[dir] to
specify that a system libpcap be installed rather than the shipped
one. By default, Nmap looks at both and decides which one is likely
to work best. If you are having problems on Solaris, try
--with-libpcap=included .
o Changed the --no-stylesheet option to --no_stylesheet to be
consistant with all of the other Nmap options. Though I'm starting to
like hyphens a bit better than underscores and may change all of the
options to use hyphens instad at some point.
o Added "Exclude" directive to nmap-service-probes grammar which
causes version detection to skip listed ports. This is helpful for
ports such as 9100. Some printers simply print any data sent to
that port, leading to pages of HTTP requests, SMB queries, X Windows
probes, etc. If you really want to scan all ports, specify
--allports. This patch came from Doug Hoyte (doug(a)hcsw.org).
o Added a stripped-down and heavily modified version of Dug Song's
libdnet networking library (v. 1.10). This helps with the new raw
ethernet features. My (extensive) changes are described in
libdnet-stripped/NMAP_MODIFICATIONS
o Removed WinIP library (and all Windows raw sockets code) since MS
has gone and broken raw sockets. Maybe packet receipt via raw
sockets will come back at some point. As part of this removal, the
Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
--win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
and --win_trace options have been removed.
o Chagned the interesting ports array from a 65K-member array of
pointers into an STL list. This noticeable reduces memory usage in
some cases, and should also give a slight runtime performance
boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).
o Removed the BSDFIX/BSDUFIX macros. The underlying bug in
FreeBSD/NetBSD is still there though. When an IP packet is sent
through a raw socket, these platforms require the total length and
fragmentation offset fields of an IP packet to be in host byte order
rather than network byte order, even though all the other fields
must be in NBO. I believe that OpenBSD fixed this a while back.
Other platforms, such as Linux, Solaris, Mac OS X, and Windows take
all of the fields in network byte order. While I removed the macro,
I still do the munging where required so that Nmap still works on
FreeBSD.
o Integrated many nmap-service-probes changes from Bo Jiang
(jiangbo(a)brandeis.edu)
o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
(eilon(a)aristo.tau.ac.il)
o Added some new RPC services to nmap-rpc thanks to a patch from
vlad902 (vlad902(a)gmail.com).
o Fixed a bug where Nmap would quit on Windows whenever it encountered
a raw scan of localhost (including the local ethernet interface
address), even when that was just one address out of a whole network
being scanned. Now Nmap just warns that it is skipping raw scans when
it encounters the local IP, but continues on to scan the rest of the
network. Raw scans do not currently work against local IP addresses
because Winpcap doesn't support reading/writing localhost interfaces
due to limitations of Windows.
o The OS fingerprint is now provided in XML output if debugging is
enabled (-d) or verbosity is at least 2 (-v -v). This patch was
sent by Okan Demirmen (okan(a)demirmen.com)
o Fixed the way tcp connect scan (-sT) respons to ICMP network
unreachable responses (patch by Richard Moore
(rich(a)westpoint.ltd.uk).
o Update random host scan (-iR) to support the latest IANA-allocated
ranges, thanks to patch by Chad Loder (cloder(a)loder.us).
o Updated GNU shtool (a helper program used during 'make install' to
version 2.0.2, which fixes a predictable temporary filename
weakness discovered by Eric Raymond.
o Removed addport element from XML DTD, since it is no longer used
(sugested by Lionel Cons (lionel.cons(a)cern.ch)
o Added new --privileged command-line option and NMAP_PRIVILEGED
environmental variable. Either of these tell Nmap to assume that
the user has full privileges to execute raw packet scans, OS
detection and the like. This can be useful when Linux kernel
capabilities or other systems are used that allow non-root users to
perform raw packet or ethernet frame manipulation. Without this
flag or variable set, Nmap bails on UNIX if geteuid() is
nonzero.
o Changed the RPM spec file so that if you define "static" to 1 (by
passing --define "static 1" to rpmbuild), static binaries are built.
o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon
Burr (simes(a)bpfh.net).
o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
any TCP scans in which the initial probe packet has the ACK flag set.
This would be the ACK, Xmas, Maimon, and Window scans.
o Updated the Nmap version number, description, and similar fields
that MS Visual Studio places in the binary. This was done by editing
mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com)
o Fixed Nmap compilation on DragonFly BSD (and perhaps some other
systems) by applying a short patch by Joerg Sonnenberger which omits
the declaration of errno if it is a #define.
o Fixed an integer overflow that prevented Nmap from scanning
2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem
noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
are now possible, don't expect them to finish during your bathroom
break. No matter how constipated you are.
o Increased the buffer size allocated for fingerprints to prevent Nmap
from running out and quitting (error message: "Assertion
`servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz
(mhatz(a)blackcat.com) for the report. [ Actually this was done in a
previous version, but I forgot which one ]
o Changed from CVS to Subversion source control system (which
rocks!). Neither repository is public (I'm paranoid because both CVS
and SVN have had remotely exploitable security holes), so the main
change users will see is that "Id" tags in file headers use the SVN
format for version numbering and such.
o Fixed a memory leak that would generally consume several hundred
bytes per down host scanned. While the effect for most scans is
negligible, it was overwhelming when Scott Carlson
(Scott.Carlson(a)schwab.com) tried to scan 24 million IPs
(10.0.0.0/8). Thanks to him for reporting the problem.
o Fixed a bug in ACK scan that could cause Nmap to crash with the
message "Unexpected port state: 6" in some cases. Thanks to Glyn
Geoghegan (glyng(a)corsaire.com) for reporting the problem.
o Change IP protocol scan (-sO) so that a response from the target
host in any protocol at all will prove that protocol is open. As
before, no response means "open|filtered", an ICMP protocol
unreachable means "closed", and most other ICMP error messages mean
"filered".
o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
UDP headers when scanning protocols 1, 6, and 17, respectively. An
emtpy IP header is still sent for all other protocols. This should
prevent the error messages such as "sendto in send_ip_packet:
sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not
permitted" that Linux (and perhaps other systems) would give when
they try to interpret the raw packet. This also makes it more
likely that these protocols will elicit a response, proving that the
protocol is "open".
o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
instead of "open" when they fail to receive any response from the
target port. After all, it could just as easily be filtered as open.
This is the same change that was made to UDP scan in 3.70. Also as
with UDP scan, adding version detection (-sV) will change the state
from open|filtered to open if it confirms that they really are open.
o Fixed a crash on Windows systems that don't include the iphlpapi
DLL. This affects Win95 and perhaps other variants. Thanks to Ganga
Bhavani (GBhavani(a)everdreamcorp.com) for reporting the problem and
sending the patch.
o Ensured that the device type, os vendor, and os family OS
fingerprinting classification values are scrubbed for XML compliance
in the XML output. Thanks to Matthieu Verbert
(mve(a)zurich.ibm.com) for reporting the problem and sending a patch.
o Changed to Nmap XML DTD to use the same xmloutputversion (1.01) as
newer versions of Nmap. Thanks to Laurent Estieux
(laurent.estieux(a)free.fr) for reporting the problem.
Changes:
- Implemented a huge OS fingerprint database update. The number of
signatures have increased more than 20% to 1,353 and many of the
existing ones are much improved. Notable updates include the fourth
edition of Bell Lab's Plan9, Grandstream's BugeTone 101 IP Phone,
and Bart's Network Boot Disk 2.7 (which runs MS-DOS). Oh, and Linux
kernels up to 2.6.8, dozens of new Windows fingerprints including XP
SP2, the latest Longhorn warez, and many modified Xboxes, OpenBSD
3.6, NetBSD up to 2.0RC4, Apple's AirPort Express WAP and OS X 10.3.3
(Panther) release, Novell Netware 6.5, FreeBSD 5.3-BETA, a bunch of
Linksys and D-Link consumer junk, the latest Cisco IOS 12.2
releases, a ton of miscellaneous broadband routers and printers, and
much more.
- Updated nmap-mac-prefixes with the latest OUIs from the IEEE.
[ http://standards.ieee.org/regauth/oui/oui.txt ]
- Updated nmap-protocols with the latest IP protocols from IANA
[ http://www.iana.org/assignments/protocol-numbers ]
- Added a few new Nmap version detection signatures thanks to a patch
from Martin Maèok (martin.macok(a)underground.cz).
- Fixed a crash problem in the Windows version of Nmap, thanks to a
patch from Ganga Bhavani GBhavani(a)everdreamcorp.com).
- Fixed Windows service scan crashes that occur with the error message
"Unexpected nsock_loop error. Error code 10022 (Unknown error)". It
turns out that Windows does not allow select() calls with all three
FD sets empty. Lame. The Linux select() man page even suggests
calling "select with all three sets empty, n zero, and a non-null
timeout as a fairly portable way to sleep with subsecond precision."
Thanks to Gisle Vanem (giva(a)bgnett.no) for debugging help.
- Added --max_scan_delay parameter. Nmap will sometimes increase the
delay itself when it detects many dropped packets. For example,
Solaris systems tend to respond with only one ICMP port unreachable
packet per second during a UDP scan. So Nmap will try to detect
this and lower its rate of UDP probes to one per second. This can
provide more accurate results while reducing network congestion, but
it can slow the scans down substantially. By default (with no -T
options specified), Nmap allows this delay to grow to one second per
probe. This option allows you to set a lower or higher maximum.
The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
scans to 10 and 5 ms, respectively.
- Fixed a bug that prevented RPC scan (-sR) from working for UDP ports
unless service detection (-sV) was used. -sV is still usually a
better approach than -sR, as the latter ONLY handles RPC. Thanks to
Stephen Bishop (sbishop(a)idsec.co.uk) for reporting the problem and
sending a patch.
- Fixed nmap_fetchfile() to better find custom versions of data files
such as nmap-services. Note that the implicitly read directory
should be ~/.nmap rather than ~/nmap . So you may have to move any
customized files you now have in ~/nmap . Thanks to nnposter
(nnposter(a)users.sourceforge.net) for reporting the problem and
sending a patch.
- Changed XML output so that the MAC address [address] element comes
right after the IPv4/IPv6 [address] element. Apparently this is
needed to comply with the DTD (
http://www.insecure.org/nmap/data/nmap.dtd ). Thanks to Adam Morgan
(adam.morgan(a)Q1Labs.com) and Florian Ebner
(Florian.Ebner(a)e-bros.de) for the problem reports.
- Fixed an error in the Nmap RPM spec file reported by Pascal Trouvin
(pascal.trouvin(a)wanadoo.fr)
- Fixed a timing problem in which a specified large --send_delay would
sometimes be reduced to 1 second during a scan. Thanks to Martin
Macok (martin.macok(a)underground.cz) for reporting the problem.
- Fixed a timing problem with sneaky and paranoid modes (-T1 and -T0)
which would cause Nmap to continually scan the same port and never
hit other ports when scanning certain firewalled hosts. Thanks to
Curtis Doty (Curtis(a)GreenKey.net) for reporting the problem.
- Fixed a bug in the build system that caused most Nmap subdirectories
to be configured twice. Changing the variable holding the name of
subdirs from $subdirs to $nmap_cfg_subdirs resolved the problem --
configure must have been using that variable name for its own internal
operations. Anyway, this should reduce compile time significantly.
- Made a trivial change to nsock/src/nsock_event.c to work around a "a
bug in GCC 3.3.1 on FreeBSD/sparc64". I found the patch by digging
around the FreeBSD ports tree repository. It would be nice if the
FreeBSD Nmap port maintainers would report such things to me, rather
than fixing it in their own Nmap tree and then applying the patch to
every future version. On the other hand, they deserve some sort of
"most up-to-date" award. I stuck Nmap 3.71-PRE1 in the dist
directory for a few people to test, and made no announcement or
direct link. The FreeBSD crew found it and upgraded anyway :). The
gcc-workaround patch was apparently submitted to the FreeBSD folks
by Marius Strobl (marius(a)alchemy.franken.de).
- Fixed (I hope) an OS detection timing issue which would in some
cases lead to the warning that "insufficient responses for TCP
sequencing (3), OS detection may be less accurate." Thanks to Adam
Kerrison (adam(a)tideway.com) for reporting the problem.
- Modified the warning given when files such as nmap-services exist in
both the compiled in NMAPDATADIR and the current working directory.
That message should now only appear once and is more clear.
- Fixed ping scan subsystem to work a little bit better when
--scan_delay (or some of the slower -T templates which include a scan
delay) is specified. Thanks to Shahid Khan (khan(a)asia.apple.com)
for suggestions.
- Taught connect() scan to properly interpret ICMP protocol
unreachable messages. Thanks to Alan Bishoff
(abishoff(a)arc.nasa.gov) for the report.
- Improved the nmapfe.desktop file to better comply with standards.
Thanks to Stephane Loeuillet (stephane.loeuillet(a)tiscali.fr) for
sending the patch.
- update DESCR
Notable changes:
- Integrated a ton of service fingerprints, increasing the number of
signatures more than 50%. It has now exceeded 1,000 for the first
time, and represents 180 unique service protocols from acap, afp,
and aim to xml-rpc, zebedee, and zebra.
- Implemented a huge OS fingerprint update. The number of
fingerprints has increased more than 13% to 1,121. This is the first
time it has exceeded 1000. Notable updates include Linux 2.6.0, Mac
OS X up to 10.3.2 (Panther), OpenBSD 3.4 (normal and pf "scrub all"),
FreeBSD 5.2, the latest Windows Longhorn warez, and Cisco PIX 6.3.3.
As usual, there are a ton of new consumer devices from ubiquitous
D-Link, Linksys, and Netgear broadband routers to a number of new IP
phones including the Cisco devices commonly used by Vonage. Linksys
has apparently gone special-purpose with some of their devices, such
as their WGA54G "Wireless Game Adapter" and WPS54GU2 wireless print
server. A cute little MP3 player called the Rio Karma was submitted
multiple times and I also received and integrated fingerprints for the
Handspring Treo 600 (PalmOS).
- Applied some man page fixes from Eric S. Raymond
(esr(a)snark.thyrsus.com).
- Added version scan information to grepable output between the last
two '/' delimiters (that space was previously unused). So the format
is now "portnum/state/protocol/owner/servicename/rpcinfo/versioninfo"
as in "53/open/tcp//domain//ISC Bind 9.2.1/" and
"22/open/tcp//ssh//OpenSSH 3.5p1 (protocol 1.99)/". Thanks to
MadHat (madhat(a)unspecific.com) for sending a patch (although I did
it differently). Note that any '/' characters in the
version (or owner) field are replaced with '|' to keep awk/cut
parsing simple. The service name field has been updated so that it
is the same as in normal output (except for the same sort of
escaping discussed above).
- Integrated an Oracle TNS service probe and match lines contributed
by Frank Berger (fm.berger(a)gmx.de). New probe contributions are
always appreciated!
- Fixed a crash that could happen during SSL version detection due to
SSL session ID cache reference counting issues.
- Applied patch to nmap XML dtd (nmap.dtd) from Mario Manno
(mm(a)koeln.ccc.de). This accounts for the new version scanning
functionality.
- Upgraded to Autoconf 2.59 (from 2.57). This should help HP-UX
compilation problems reported by Petter Reinholdtsen
(pere(a)hungry.com) and may have other benefits as well.
- Made Ident-scan (-I) limits on the length and type of responses
stricter so that rogue servers can't flood your screen with 1024
characters. The new length limit is 32. Thanks to Tom Rune Flo
(tom(a)x86.no) for the suggestion and a patch.
- Fingerprints for unrecognized services can now be a bit longer to
avoid truncating as much useful response information. While the
fingerprints can be longer now, I hope they will be less frequent
because of all the newly recognized services in this version.
- The nmap-service-probes "match" directive can now take a service
name like "ssl/vmware-auth". The service will then be reported as
vmware-auth (or whatever follows "ssl/") tunneled by SSL, yet Nmap
won't actually bother initiating an SSL connection. This is useful
for SSL services which can be fully recognized without the overhead
of making an SSL connection.
- Version scan now chops commas and whitespace from the end of
vendorproductname, version, and info fields. This makes it easier to
write templates incorporating lists. For example, the tcpmux service
(TCP port 1) gives a list of supported services separated by CRLF.
Nmap uses this new feature to print them comma separated without
having an annoying trailing comma as so (linewrapped):
match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$|
v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
Changes since 3.45:
===================
o Integrated an enormous number of version detection service
submissions. The database has almost doubled in size to 663
signatures representing the following 130 services:
3dm-http afp apcnisd arkstats bittorent chargen citrix-ica
cvspserver cvsup dantzretrospect daytime dict directconnect domain
echo eggdrop exec finger flexlm font-service ftp ftp-proxy gnats
gnutella-http hddtemp hp-gsg http http-proxy hylafax icecast ident
imap imaps imsp ipp irc ircbot irc-proxy issrealsecure jabber
kazaa-http kerberos-sec landesk-rc ldap linuxconf lmtp lotusnotes
lpd lucent-fwadm meetingmaker melange microsoft-ds microsoft-rdp
mldonkey msactivesync msdtc msrpc ms-sql-m mstask mud mysql
napster ncacn_http ncp netbios-ns netbios-ssn netrek netsaint
netstat netwareip networkaudio nntp nsclient nsunicast ntop-http
omniback oracle-mts oracle-tns pcanywheredata pksd pmud pop2 pop3
pop3s poppass postgresql powerchute printer qotd redcarpet
rendezvous rlogind rpc rsync rtsp sdmsvc sftp shell shivahose
sieve slimp3 smtp smux snpp sourceoffice spamd ssc-agent ssh ssl
svrloc symantec-av symantec-esm systat telnet time tinyfw upnp
uucp veritasnetbackup vnc vnc-http vtun webster whois wins
winshell wms X11 xfce zebra
o Added the ability to execute "helper functions" in version
templates, to help clean up/manipulate data captured from a server
response. The first defined function is P() which includes only
printable characters in a captured string. The main impetus for
this is to deal with unicode strings like
"W\0O\0R\0K\0G\0R\0O\0U\0P\0" that many MS protocols send. Nmap can
now decode that into "WORKGROUP".
o Added SUBST() helper function, which replaces strings in matched
appname/version/extrainfo strings with something else. For example,
VanDyke Vshell gives a banner that includes
"SSH-2\.0-VShell_2_2_0_528". A substring match is used to pick out
the string "2_2_0_528", and then SUBST(1,"_",".") is called on that
match to form the version number 2.2.0.528.
o If responses to a probe fail to match any of the registered match
strings for that probe, Nmap will now try against the registered "null
probe" match strings. This helps in the case that the NULL probe
initially times out (perhaps because of initial DNS lookup) but the
banner appears in later responses.
o Applied some portability fixes (particularly for OpenBSD) from Chad
Loder (cloder(a)loder.us), who is also now the OpenBSD Nmap port
maintainer.
o Applied some portability fixes from Marius Strobl
(marius(a)alchemy.franken.de).
o The tarball distribution of Nmap now strips the binary at install
time thanks to a patch from Marius Strobl
(marius(a)alchemy.franken.de).
o Fixed a problem related to building Nmap on systems that lack PCRE
libs (and thus have to use the ones included by Nmap). Thanks to Remi
Denis-Courmont (deniscr6(a)cti.ecp.fr) for the repot and patch.
o Alphebetized the service names in each Probe section in
nmap-service-probes (makes them easier to find and add to).
o Fixed the problem several people reported where Nmap would quit with
a "broken pipe" error during service scanning. Thanks to Jari Ruusu
(jari.ruusu(a)pp.inet.fi) for sending a patch. The actual error
message was "Unexpected error in NSE_TYPE_READ callback. Error
code: 32 (Broken pipe)"
o Fixed protocol scan (-sO), which I had broken when adding the new
output table format. It would complain "NmapOutputTable.cc:128:
failed assertion `row < numRows'". Thanks to Matt Burnett
(marukka(a)mac.com) for notifying me of the problem.
o Upgraded Libpcap to the latest tcpdump.org version (0.7.2) from
0.7.1
o Applied a patch from Peter Marschall (peter(a)adpm.de) which adds
version detection support to nmapfe.
o Fixed a problem with XML output being invalid when service detection
was done on SSL-tunneled ports. Thanks to the several people who
reported this - it means that folks are actually using the XML
output :).
o Fixed (I hope) some Solaris Sune ONE compiler compilation problems
reported (w/patches) by Mikael Mannstrom (candyman(a)penti.org)
o Fixed the --with-openssl configure option for people who have
OpenSSL installed in a path not automatically found by their
compilers. Thanks to Marius Strobl (marius(a)alchemy.franken.de) for
the patch.
o Made some portability changes for HP-UX and possibly other types of
machines, thanks to a patch from Petter Reinholdtsen (pere(a)hungry.com)
o Applied a patch from Matt Selsky (selsky@columbia.edu) which fixes
compilation on some Solaris boxes, and maybe others. The error said
"cannot compute sizeof (char)"
o Applied some patches from the NetBSD ports tree that Hubert Feyrer
(hubert.feyrer(a)informatik.fh-regensburg.de) sent me. The NetBSD
Nmap ports page is at http://www.NetBSD.org/packages/net/nmap/ .
o Applied some Makefile patches from the FreeBSD ports tree that I
found at http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/nmap/files/
assumed incorrectly that if you are using Linux, that you want to
use the nmap-provided libpcap code; but the libpcap package works
fine. (Okay'd by salo.)
Also closes PR pkg/22845 by Adrian Portelli.
Changes:
3.45:
=====
- Added new HTTPOptions and RTSPRequest probes suggested by MadHat
(madhat(a)unspecific.com)
- Integrated more service signatures from MadHat
(madhat(a)unspecific.com), Brian Hatch (bri(a)ifokr.org), Niels
Heinen (zillion(a)safemode.org), Solar Designer
(solar(a)openwall.com), Seth Master
(smaster(a)stanford.edu), and Curt Wilson
(netw3_security(a)hushmail.com),
- Applied a patch from Solar Eclipse (solareclipse(a)phreedom.org)
which increases the allowed size of the 'extrainfo' version field from
80 characters to 128. The main benefit is to allow longer apache module
version strings.
- Fixed Windows compilation.
- Applied some updates to README-WIN32 sent in by Kirby Kuehl
(kkuehl(a)cisco.com). He improved the list of suggested registry
changes and also fixed a typo or two. He also attached a .reg file
automate the Nmap connect() scan performance enhancing registry
changes. I am now including that with the Nmap Windows binary .zip
distribution (and in mswin32/ of the source distro).
- Applied a one-line patch from Dmitry V. Levin (ldv@altlinux.org)
which fixes a test Nmap does during compilation to see if an existing
libpcap installation is recent enough.
3.40PVT17:
==========
- Wrote and posted a new paper on version scanning to
http://www.insecure.org/nmap/versionscan.html . Updated
nmap-service-probes and the Nmap man page to simply refer to this
URL.
- Integrated more service signatures from my own scanning as well as
contributions from Brian Hatch (bri(a)ifokr.org), MadHat
(madhat(a)unspecific.com), Max Vision (vision(a)whitehats.com), HD
Moore (hdm(a)digitaloffense.net), Seth Master
(smaster(a)stanford.edu), and Niels Heinen (zillion(a)safemode.org).
MadHat also contributed a new probe for Windows Media Service. Many
people set a LOT of signatures, which has allowed
nmap-service-probes to grow from 295 to 356 signatures representing
85 service protocols!
- Applied a patch (with slight changes) from Brian Hatch
(bri(a)ifokr.org) which enables caching of SSL sessions so that
negotiation doesn't have to be repeated when Nmap reconnects to the same
between probes.
- Applied a patch from Brian Hatch (bri@ifokr.org) which optimizes the
requested SSL ciphers for speed rather than security. The list was
based on empirical evidence from substantial benchmarking he did with
tests that resemble nmap-service-scanning.
- Updated the Nmap man page to discuss the new version scanning
options (-sV, -A).
- I now include nmap-version/aclocal.m4 in the distribution as this is
required to rebuild the configure script ( thanks to Dmitry V. Levin
(ldv(a)altlinux.org) for notifying me of the problem.
- Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which
detects whether the PCRE include file is <pcre.h> or <pcre
- Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which
fixes typos in some error messages. The patch apparently came from
the highly-secure and stable Owl and Alt Linux distributions. Check
them out at http://www.openwall.com/Owl/ and
http://www.altlinux.com/
- Fixed compilation on Mac OS X - thanks to Brian Hatch
(bri(a)ifokr.org> and Ryan Lowe (rlowe(a)pablowe.net) for giving me
access to Mac OS X boxes.
- Stripped down libpcre build system to remove libtool dependency and
other cruft that Nmap doesn't need. (this was mostly a response to
libtool-related issues on Mac OS X).
- Added a new --version_trace option which causes Nmap to print out extensive
debugging info about what version scanning is doing (this is a subset
of what you would get with --packet_trace). You should usually use
this in combination with at least one -d option.
- Fixed a port number printing bug that would cause Nmap service
fingerprints to give a negative port number when the actual port was
above 32K. Thanks to Seth Master (smaster@stanford.edu) for finding
this.
- Updated all the header text again to clarify our interpretation of
"derived works" after some suggestions from Brian Hatch
(bri(a)ifokr.org)
- Updated the Nsock config.sub/config.guess to the same newer versions
that Nmap uses (for Mac OS X compilation).
3.40PVT16:
==========
- Fixed a compilation problem on systems w/o OpenSSL that was
discovered by Solar Designer. I also fixed some compilation
problems on non-IPv6 systems. It now compiles and runs on my
Solaris and ancient OpenBSD systems.
- Integrated more services thanks to submissions from Niels Heinen
(zillion(a)safemode.org).
- Canonicalized the headers at the top of each Nmap/Nsock header src
file. This included clarifying our interpretation of derived works,
updating the copyright date to 2003, making the header a bit wider,
and a few other light changes. I've been putting this off for a
while, because it required editing about a hundred !#$# files!
3.40PVT15:
==========
- Fixed a major bug in the Nsock time caching system. This could
cause service detection to inexplicably fail against certain ports in
the second or later machines scanned. Thanks to Solar Designer and HD
Moore for helping me track this down.
- Fixed some *BSD compilation bugs found by
Zillion (zillion(a)safemode.org).
- Integrated more services thanks to submissions from Fyodor Yarochkin
(fygrave(a)tigerteam.net), and Niels Heinen
(zillion(a)safemode.org), and some of my own exploring. There are
now 295 signatures.
- Fixed a compilation bug found by Solar Designer on machines that
don't have struct sockaddr_storage. Nsock now just uses "struct
sockaddr *" like connect() does.
- Fixed a bug found by Solar Designer which would cause the Nmap
portscan table to be truncated in -oN output files if the results are
very long.
- Changed a bunch of large stack arrays (e.g. int portlookup[65536])
into dynamically allocated heap pointers. The large stack variables
apparently caused problems on some architectures. This issue was
reported by osamah abuoun (osamah_abuoun(a)hotmail.com).
3.40PVT14:
==========
- Added IPv6 support for service scan.
- Added an 'sslports' directive to nmap-service-probes. This tells
Nmap which service checks to try first for SSL-wrapped ports. The
syntax is the same as the normal 'ports' directive for non-ssl ports.
For example, the HTTP probe has an 'sslports 443' line and
SMTP-detecting probes have and 'sslports 465' line.
- Integrated more services thanks to submissions from MadHat
(madhat(a)unspecific.com), Solar Designer (solar(a)openwall.com), Dug
Song (dugsong(a)monkey.org), pope(a)undersec.com, and Brian Hatch
(bri(a)ifokr.org). There are now 288 signatures, matching these 65
service protocols:
chargen cvspserver daytime domain echo exec finger font-service
ftp ftp-proxy http http-proxy hylafax ident ident imap imaps ipp
ircbot ircd irc-proxy issrealsecure landesk-rc ldap meetingmaker
microsoft-ds msrpc mud mysql ncacn_http ncp netbios-ns netbios-ssn
netsaint netwareip nntp nsclient oracle-tns pcanywheredata pop3
pop3s postgres printer qotd redcarpet rlogind rpc rsync rtsp shell
smtp snpp spamd ssc-agent ssh ssl telnet time upnp uucp vnc
vnc-http webster whois winshell X11
- Added a Lotus Notes probe from Fyodor Yarochkin
(fygrave(a)tigerteam.net).
- Dug Song wins the "award" for most obscure service fingerprint
submission. Nmap now detects Dave Curry's Webster dictionary server
from 1986 :).
- Service fingerprints now include a 'T=SSL' attribute when SSL
tunneling was used.
- More portability enhancements thanks to Solar Designer and his Linux
2.0 libc5 boxes.
- Applied a patch from Gisle Vanem (giva(a)bgnett.no) which improves
Windows emulation of the UNIX mmap() and munmap() memory mapping calls.
3.40PVT13:
==========
- Added SSL-scan-through support. If service detection finds a port to be
SSL, it will transparently connect to the port using OpenSSL and use
version detection to determine what service lies beneath. This
feature is only enabled if OpenSSL is available at build time. A
new --with-openssl=DIR configure option is available if OpenSSL is
not in your default compiler paths. You can use --without-openssl
to disable this functionality. Thanks to Brian Hatch
(bri(a)ifokr.org) for sample code and other assistance. Make sure
you use a version without known exploitable overflows. In
particular, versions up to and including OpenSSL 0.9.6d and
0.9.7-beta2 contained serious vulnerabilities described at
http://www.openssl.org/news/secadv_20020730.txt . Note that these
vulnerabilities are well over a year old at the time of this
writing.
- Integrated many more services thanks to submissions from Brian
Hatch, HellNBack ( hellnbak(a)nmrc.org ), MadHat, Solar Designer,
Simple Nomad, and Shawn Wallis (swallis(a)ku.edu). The number of
signatures has grown from 242 to 271. Thanks!
- Integrated Novell Netware NCP and MS Terminal Server probes from
Simple Nomad (thegnome(a)nmrc.org).
- Fixed a segfault found by Solar Designer that could occur when
scanning certain "evil" services.
- Fixed a problem reported by Solar Designer and MadHat (
madhat(a)unspecific.com ) where Nmap would bail when certain Apache
version/info responses were particularly long. It could happen in
other cases as well. Now Nmap just prints a warning.
- Fixed some portability issues reported by Solar Designer
( solar(a)openwall.com )
3.40PVT12:
==========
- I added probes for SSL (session startup request) and microsoft-ds
(SMB Negotiate Protocol request).
- I changed the default read timeout for a service probe from 7.5s to 5s.
- Fixed a one-character bug that broke many scans when -sV was NOT
given. Thanks to Blue Boar (BlueBoar(a)thievco.com) for the report.
3.40PVT11:
==========
- Integrated many more services thanks to submissions from Simple
Nomad, Solar Designer, jerickson(a)inphonic.com, Curt Wilson, and
Marco Ivaldi. Thanks! The match line count has risen from 201 to 242.
- Implemented a service classification scheme to separate the
vendor/product name from the version number and any extra info that
is provided. Instead of v/[big version string]/, the new match
lines include v/[vendor/productname]/[version]/[extrainfo]/ . See
the docs at the top of nmap-service-probes for more info. This
doesn't change the normal output (which lumps them together anyway),
but they are separate in the XML so that higher-level programs can
easily match against just a product name. Here are a few examples
of the improved service element:
<service name="ssh" product="OpenSSH" version="3.1p1"
extrainfo="protocol 1.99" method="probed" conf="10" />
<service name="domain" product="ISC Bind" version="9.2.1"
method="probed" conf="10" />
<state state="open" /><service name="rpcbind" version="2"
extrainfo="rpc #100000" method="probed" conf="10" />
<service name="rndc" method="table" conf="3" />
- I went through nmap-service-probes and added the vendor name to more
entries. I also added the service name where the product name
itself didn't make that completely obvious.
- SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken
to an extortion campaign of demanding license fees from Linux users
for code that they themselves knowingly distributed under the terms
of the GNU GPL. They have also refused to accept the GPL, claiming
that some preposterous theory of theirs makes it invalid. Meanwhile
they have distributed GPL-licensed Nmap in (at least) their
"Supplemental Open Source CD". In response to these blatant
violations, and in accordance with section 4 of the GPL, we hereby
terminate SCO's rights to redistribute any versions of Nmap in any
of their products, including (without limitation) OpenLinux,
Skunkware, OpenServer, and UNIXWare.
3.40PVT10:
==========
- Added "soft matches". These are similar to normal match lines in
that they provide a regex for recognizing a service (but no version).
But instead of stopping at softmatch service recognition, the scan
continues looking for more info. It only launches probes that are
known-capable of matching the softmatched service. If no version
number is found, at least the determined service is printed. A
service print for submission is also provided in that case. So this
provides more informative results and improves efficiency.
- Cleaned up the Windows support a bit and did more testing and
fixing. Windows service detection seems to be working fine for me
now, although my testing is still pretty limited. This release
includes a Windows binary distribution and the README-WIN32 has been
updated to reflect new compilation instructions.
- More service fingerprints! Thanks to Solar Designer, Max Vision,
Frank Denis (Jedi/Sector One) for the submissions. I also added a
bunch from my own testing. The number of match lines went from 179
to 201.
- Updated XML output to handle new version and service detection
information. Here are a few examples of the new output:
<port protocol="tcp" portid="22"><state state="open" /><service
name="ssh" version="OpenSSH 3.1p1 (protocol 1.99)" method="probed"
conf="10" /></port>
<port protocol="tcp" portid="111"><state state="open" /><service
name="rpcbind" version="2 (rpc #100000)" method="probed" conf="10" /></port>
<port protocol="tcp" portid="953"><state state="open" /><service
name="rndc" method="table" conf="3" /></port>
- Fixed issue where Nmap would quit when ECONNREFUSED was returned
when we try to read from an already-connected TCP socket. FreeBSD
does this for some reason instead of giving ECONNRESET. Thanks to
Will Saxon (WillS(a)housing.ufl.edu) for the report.
- Removed the SERVICEMATCH_STATIC match type from
nmap-service-probes. There wasn't much benefit of this over regular
expressions, so it isn't worth maintaining the extra code.
3.40PVT9:
=========
- Added/fixed numerous service fingerprints thanks to submissions from
Max Vision, MadHat, Seth Master. Match lines went
from 164 to 179.
- The Winpcap libraries used in the Windows build process have been
upgraded to version 3.0.
- Most of the Windows port is complete. It compiles and service scan
works (I didn't test very deeply) on my WinXP box with VS.Net 2003.
I try to work out remaining kinks and do some cleanup for the next
version. The Windows code was restructured and improved quite a bit,
but much more work remains to be done in that area. I'll probably
do a Windows binary .zip release of the next version.
- Various minor fixes
3.40PVT8:
=========
- Service scan is now OFF by default. You can activate it with -sV.
Or use the snazzy new -A (for "All recommended features" or
"Aggressive") option which turns on both OS detection and service
detection.
- Fixed compilation on my ancient OpenBSD 2.3 machine (a Pentium 60 :)
- Added/fixed numerous service fingerprints thanks to submissions from
Brian Hatch, HD Moore, Anand R., and some of my own testing. The
number of match lines in this version grows from 137 to 164! Please
keep 'em coming!
- Various important and not-so-important fixes for bugs I encountered
while test scanning.
- The RPC grinder no longer prints a startup message if it has no
RPC-detected ports to scan.
- Some of the service fingerprint length limitations are relaxed a bit
if you enable debugging (-d).
3.40PVT7:
=========
- Added a whole bunch of services submitted by Brian Hatch
(bri(a)ifokr.org). I also added a few Windows-related probes.
Nmap-service-probes has gone from 101 match strings to 137. Please
keep the submissions coming.
- The question mark now only appears for ports in the OPEN state and
when service detection was requested.
- I now print a separator bar between service fingerprints when Nmap
prints more than one for a given host so that users understand to
submit them individually (suggested by Brian Hatch (bri(a)ifokr.org))
- Fixed a bug that would cause Nmap to print "empty" service
fingerprints consisting of just a semi-colon. Thanks to Brian Hatch
(bri(a)ifokr.org) for reporting this.
3.40PVT6:
=========
- Banner-scanned hundreds of thousands of machines for ports
21,23,25,110,3306 to collect default banners. Where the banner made
the service name/version obvious, I integrated them into
nmap-service-probes. This increased the number of 'match' lines from
27 to more than 100.
- Created the service fingerprint submission page at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi
- Changed the service fingerprint format slightly for easier
processing by scripts.
- Applied a large portability patch from Albert Chin-A-Young
(china(a)thewrittenword.com). This cleans up a number of things,
particularly for IRIX, Tru64, and Solaris.
- Applied NmapFE patch from Peter Marschall (peter(a)adpm.de) which
"makes sure changes in the relay host and scanned port entry fields
are displayed immediately, and also keeps the fields editable after
de- and reactivating them."
3.40PVT4:
=========
- Limited the size of service fingerprints to roughly 1024 bytes.
This was suggested by Niels Heinen (niels(a)heinen.ws), because the previous
limit was excessive. The number of fingerprints printed is also now
limited to 10.
- Fixed a segmentation fault that could occur when ping-scanning large
networks.
- Fixed service scan to gracefully handle host_timeout occurrences when
they happen during a service scan.
- Fixed a service_scan bug that would cause an error when hosts send
data and then close() during the NULL probe (when we haven't sent
anything).
- Applied a patch from Solar Designer (solar(a)openwall.com) which
corrects some errors in the Russian man page translation and also a
couple typos in the regular man page. Then I spell-checked the man
page to reduce future instances of foreigners sending in diffs to
correct my English :).
3.40PVT3:
=========
- Nmap now prints a "service fingerprint" for services that it is
unable to match despite returning data. The web submission page it
references is not yet available.
- Service detection now does RPC grinding on ports it detects to be
running RPC.
- Fixed a bug that would cause Nmap to quit with an Nsock error when
--host_timeout was used (or when -T5 was used, which sets it
implicitly).
- Fixed a bug that would cause Nmap to fail to print the OS
fingerprint in certain cases. Thanks to Ste Jones
(root(a)networkpenetration.com) for the problem report.
3.40PVT2:
=========
- Nmap now has a simple VERSION detection scheme. The 'match' lines in
nmap-service-probes can specify a template version string
(referencing subexpression matches from the regex in a perl-like
manner) so that the version is determined at the same time as the
service. This handles many common services in a highly efficient
manner. A more complex form of version detection (that initiates
further communication w/the target service) may be necessary
eventually to handle services that aren't as forthcoming with
version details.
- The Nmap port state table now wastes less whitespace due to using a new
and stingy NmapOutputTable class. This makes it easier to read, and
also leaves more room for version info and possibly other enhancements.
- Added 's' option to match lines in nmap-service-probes. Just as
with the perl 's' option, this one causes '.' in the regular
expression to match any character INCLUDING newline.
- The WinPcap header timestamp is no longer used on Windows as it
sometimes can be a couple seconds different than gettimeofday() (which
is really _ftime() on Windows) for some reason. Thanks to Scott
Egbert (scott.egbert(a)citigroup.com) for the report.
- Applied a patch by Matt Selsky (selsky(a)columbia.edu) which fixes
configure.in in such a way that the annoying header file "present but
cannot be compiled" warning for Solaris.
- Applied another patch from Matt that (we hope) fixes the "present
but cannot be compiled" warning -- this time for Mac OS X.
- Port table header names are now capitalized ("SERVICE", "PORT", etc)
3.40PVT1:
=========
- Initial implementation of service detection. Nmap will now probe
ports to determine what is listening, rather than guessing based on
the nmap-services table lookup. This can be very useful for
services on unidentified ports and for UDP services where it is not
always clear (without these probes) whether the port is really open
or just firewalled. It is also handy for when services are run on
the well-known-port of another protocol -- this is happening more
and more as users try to circumvent increasingly strict firewall
policies.
- Nmap now uses the excellent libpcre (Perl Compatible Regular
Expressions) library from http://www.pcre.org/ . Many systems
already have this, otherwise Nmap will use the copy it now includes.
If your libpcre is hidden away in some nonstandard place, give
./configure the new --with-libpcre=DIR directive.
- Nmap now uses the C++ Standard Template Library (STL). This makes
programming easier, but if it causes major portability or bloat
problems, I'll reluctantly remove it.
- Applied a patch from Javier Kohen (jkohen(a)coresecurity.com) which
normalizes the names of many Microsoft entries in the
nmap-os-fingerprints file.
- Applied a patch by Florin Andrei (florin(a)sgi.com) to the Nmap RPM
spec file. This uses the 'Epoch' flag to prevent the Redhat Network
tool from marking my RPMs as "obsolete" and "upgrading" to earlier
Redhat-built versions. A compilation flag problem is also fixed.
Based on patch sent by Juan RP via PR pkg/20839.
Changes:
Nmap 3.20:
==========
o The random IP input option (-iR) now takes an argument specifying
how many IPs you want to scan (e.g. -iR 1000). Specify 0 for the old
neverending scan behavior.
o Fixed a tricky memory leak discovered by Mugz (mugz@x-mafia.com).
o Fixed output truncation problem noted by Lionel CONS (lionel.cons@cern.ch)
o Fixed a bug that would cause certain incoming ICMP error messages to
be improperly ignored.
Nmap 3.15BETA3:
===============
o Made numerous improvements to the timing behavior of "-T Aggressive"
(same as -T4) scans. It is now recommended for regular use by
impatient people with a fast connection. "-T Insane" mode has also
been updated, but we only recommend that for, well, insane people.
o Made substantial changes to the SYN/connect()/Window scanning
algorithms for improved speeds, especially against heavily filtered
hosts. If you notice any timing problems (misidentified ports,
etc.), please send me the details (including full Nmap output and a
description of what is wrong). Reports of any timing problems with
-T4 would be helpful as well.
o Changed Nmap such that ALL syn scan packets are sent from the port
you specify with -g. Retransmissions used to utilize successively
higher ports. This change has a downside in that some operating
systems (such as Linux) often won't reply to the retransmissions
because they reuse the same connection specifier quad
(srcip:srcport:dstip:dstport). Overall I think this is a win.
o Added timestamps to "Starting nmap" line and each host port scan in
verbose (-v) mode. These are in ISO 8601 standard format because
unlike President Bush, we actually care about International
consensus :).
o Nmap now comes by default in .tar.bz2 format, which compresses about
20% further. You can still find .tgz in the dist directory at
http://download.insecure.org/nmap/dist/?M=D .
o Various other minor bugfixes, new services, fingerprints, etc.
Nmap 3.15BETA2:
===============
o I added support for a brand new "port" that many of you may have
never scanned before! UDP & TCP "port 0" (and IP protocol 0) are now
permitted if you specify 0 explicitly. An argument like "-p -40"
would still scan ports 1-40. Unlike ports, protocol 0 IS now scanned
by default. This now works for ping probes too (e.g., -PS, -PA).
o Applied patch by Martin Kluge (martin@elxsi.info) which adds --ttl
option, which sets the outgoing IPv4 TTL field in packets sent via
all raw scan types (including ping scans and OS detection). The
patch "should work" on Windows, but hasn't been tested. A TTL of 0
is supported, and even tends to work on a LAN:
14:17:19.474293 192.168.0.42.60214 > 192.168.0.40.135: S 3265375623:3265375623(0) win 1024 [ttl 0] (id 35919, len 40)
14:17:19.474456 192.168.0.40.135 > 192.168.0.42.60214: S 2805154856:2805154856(0) ack 3265375624 win 64240 <mss 1460> (DF) (ttl 128, id 49889, len 44)
o Applied patch by Gabriel L. Somlo ( somlo@acns.colostate.edu ) which
extends the multi-ping-port functionality to nonroot and IPv6
connect() users.
o I added a new --datadir command line option which allows you to
specify the highest priority directory for Nmap data files
nmap-services, nmap-os-fingerprints, and nmap-rpc. Any files which
aren't in the given dir, will be searched for in the $NMAPDIR
environmental variable, ~/nmap/, a compiled in data directory
(e.g. /usr/share/nmap), and finally the current directory.
o Fixed Windows (VC++ 6) compilation, thanks to patches from Kevin
Davis (computerguy@cfl.rr.com) and Andy Lutomirski
(luto@stanford.edu)
o Included new Latvian man page translation by
"miscelerious options" (misc@inbox.lv)
o Fixed Solaris compilation when Sun make is used rather than GNU
make. Thanks to Tom Duffy (tduffy@sun.com) for assistance.
o Applied patch from Stephen Bishop (sbishop@idsec.co.uk) which
prevends certain false-positive responses when Nmap raw TCP ping scans
are being run in parallel.
o To emphasize the highly professional nature of Nmap, I changed all
instances of "fucked up" in error message text into "b0rked".
o Fixed a problem with nmap-frontend RPMs that would cause a bogus
/bin/xnmap link to be created (it should only create
/usr/bin/xnmap). Thanks to Juho Schultz
(juho.schultz@astro.helsinki.fi) for reporting the problem.
o I made the maximum number of allowed routes and interfaces allowed
on the scanning machine dynamic rather than hardcoded #defines of 1024
and 128. You never know -- some wacko probably has that many :).
Nmap 3.15BETA1:
===============
o Integrated the largest OS fingerprint DB updates ever! Thanks to
everyone who contributed signatures! New or substantially modified
fingerprints included the latest Windows 2K/XP changes, Cisco IOS
12.2-based routers and PIX 6.3 firewalls, FreeBSD 5.0, AIX 5.1,
OpenBSD 3.2, Tru64 5.1A, IBM OS/400 V5R1M0, dozens of wireless APs,
VOIP devices, firewalls, printers, print servers, cable modems,
webcams, etc. We've even got some mod-chipped Xbox fingerprints
now!
o Applied NetBSD portability patch by Darren Reed
(darrenr@reed.wattle.id.au)
o Updated Makefile to better-detect if it can't make nmapfe and
provide a clearer error message. Also fixed a couple compiler
warnings on some *BSD platforms.
o Applied patch from "Max" (nmap@webwizarddesign.com) which adds the
port owner to the "addport" XML output lines which are printed (only
in verbose mode, I think) as each open port is discovered.
o I killed the annoying whitespace that is normally appended after the
service name. Now it is only there when an owner was found via -sI
(in which case there is a fourth column and so "service" must be
exactly 24 characters).
Nmap 3.10ALPHA9:
================
o Reworked the "ping scan" algorithm (used for any scan except -P0 or
-sL) to be more robust in the face of low-bandwidth and congested
connections. This also improves reliability in the multi-port and
multi-type ping cases described below.
o "Ping types" are no longer exclusive -- you can now do combinations
such as "-PS22,53,80 -PT113 -PN -PE" in order to increase your odds of
passing through strict filters. The "PB" flag is now deprecated
since you can achieve the same result via "PE" and "PT" options.
o Applied patch (with modest changes) by Gabriel L. Somlo
(somlo@acns.colostate.edu), which allows multiple TCP probe ports in
raw (root) mode. See the previous item for an example.
o Fixed a libpcap compilation issue noted by Josef 'Jupp' Schugt
(deusxmachina@webmail.co.za) which relates to the definition (or
lack thereof) of ARPHRD_HDLC (used for Cisco HDLC frames).
o Tweaked the version number (-V) output slightly.
Nmap 3.10ALPHA7:
================
o Upgraded libpcap from version 0.6.2 to 0.7.1. Updated the
libpcap-possiblymodified/NMAP_MODIFICATIONS file to give a much
more extensive list (including diffs) of the changes included
in the Nmap bundled version of Libpcap.
o Applied patch to fix a libpcap alignment bug found by Tom Duffy
(tduffy@sun.com).
o Fixed Windows compilation.
o Applied patch by Chad Loder (cloder@loder.us) of Rapid7 which
fixes OpenBSD compilation. I believe Chad is now the official
OpenBSD Nmap "port" maintainer. His patch also adjusted
random-scan (-iR) to include the recently allocated 82.0.0.0/8
space.
o Fixed (I hope) a few compilation problems on
non-IPv6-enabled machines which were noted by Josef 'Jupp'
Schugt (jupp@gmx.de)
o Included some man page translations which were inadvertently
missed in previous tarballs.
o Applied patch from Matthieu Verbert (mve@zurich.ibm.com) which
places the Nmap man pages under ${prefix}/share/man rather than
${prefix}/man when installed via RPM. Maybe the tarball
install should do this too? Opinions?
o Applied patch from R Anderson (listbox@pole-position.org) which
improves the way ICMP port unreachables from intermediate hosts
are handled during UDP scans.
o Added note to man page related to Nmap US export control. I
believe Nmap falls under ECCN 5D992, which has no special
restrictions beyond the standard export denial to a handful of
rogue nations such as Iraq and North Korea.
o Added a warning that some hosts may be skipped and/or repeated
when someone tries to --resume a --randomize_hosts scan. This
was suggested by Crayden Mantelium (crayden@sensewave.com)
o Fixed a minor memory leak noted by Michael Davis
(mike@datanerds.net).
Nmap 3.10ALPHA4:
================
o Applied patch by Max Schubert (nmap@webwizarddesign.com) which adds
an add-port XML tag whenever a new port is found open when Nmap is
running in verbose mode. The new tag looks like:
<addport state="open" portid="22" protocol="tcp"/>
I also updated docs/nmap.dtd to recognize this new tag.
o Added German translation of Nmap manpage by Marc Ruef
(marc.ruef@computec.ch). It is also available at
http://www.insecure.org/nmap/data/nmap_manpage-de.html
o Includes a brand new French translation of the manpage by Sebastien
Blanchet. You could probably guess that it is available at
http://www.insecure.org/nmap/data/nmap_manpage-fr.html
o Applied some patches from Chad Loder (cloder@loder.us) which update
the random IP allocation pool and improve OpenBSD support. Some
were from the OBSD Nmap patchlist.
o Fixed a compile problem on machines without PF_INET6. Thanks to
Josef 'Jupp' Schugt (deusxmachina@webmail.co.za) for noting this.
Nmap 3.10ALPHA3:
================
o Added --min_parallelism option, which makes scans more aggressive
and MUCH faster in certain situations -- especially against
firewalled hosts. It is basically the opposite of --max_parallelism
(-M). Note that reliability can be lost if you push it too far.
o Added --packet_trace option, which tells Nmap to display all of the
packets it sends and receives in a format similar to tcpdump. I
mostly added this for debugging purposes, but ppl wishing to learn
how Nmap works or for experts wanting to ensure Nmap is doing
exactly what they epect. If you want this feature supported under
Windows, please send me a patch :).
o Fixed a segmentation fault in Idlescan (-sI).
o Made Idlescan timing more conservative when -P0 is specified to
improve accuracy.
o Fixed an infinite-loop condition that could occur during certain
dropped-packet scenarios in an Idle scan.
o Nmap now reports execution times to millisecond precision (rather
than rouding to the nearest second).
o Fixed an infinite loop caused by invalid port arguments. Problem
noted by fejed (fejed@uddf.net).
Nmap 3.10ALPHA2:
================
o Fixed compilation and IPv6 support on FreeBSD (tested on
4.6-STABLE). Thanks to Niels Heinen (niels.heinen@ubizen.com) for
suggestions.
o Made some portability changes based on suggestions by Josef 'Jupp'
Schugt (jupp@gmx.de)
o Fixed compilation and IPv6 support on Solaris 9 (haven't tested
earlier versions).
Nmap 3.10ALPHA1:
================
o IPv6 is now supported for TCP scan (-sT), connect()-style ping
scan (-sP), and list scan (-sL)! Just specify the -6 option and the
IPv6 numbers or DNS names. Netmask notation is not currently
supported -- I'm not sure how useful it is for IPv6, where even petty
end users may be allocated trillions of addresses (/80). If you
need one of the scan types that hasn't been ported yet, give
Sebastien Peterson's patch a try at http://nmap6.sourceforge.net/ .
If there is demand, I may integrate more of that into Nmap.
o Major code restructing, which included conversion to C++ -- so
you'll need g++ or another C++ compiler. I accidently let a C++
requirement slip in a while back and found that almost everyone has
such a compiler. Windows (VC++) users: see the README-WIN32 for new
compilation instructions.
o Applied patch from Axel Nennker (Axel.Nennker@t-systems.com) which
adds a --without-nmapfe option to the configure script. This si
useful if your system doesn't have the proper libraries (eg GTK) or
if you think GUIs are for sissies :).
o Removed arbitrary max_parallelism (-M) limitations, as suggested by
William McVey ( wam@cisco.com ).
o Added DEC OSF to the platforms that require the BSDFIX() macro due
to taking ip length and offset fields in host rather than network byte
order. Suggested by Dean Bennett (deanb@gbtn.net)
o Fixed an debug statement C ambiguity discovered by Kronos
(kronos@kronoz.cjb.net)
* Added protocol scan (-sO), which determines what IP protocols
(TCP, IGMP, GRE, UDP, ICMP, etc) are supported by a given host.
This uses a clever technique designed and implemented by Gerhard
Rieger .
* Nmap now recognizes more than 700 operating system versions and
network devices (printers, webcams, routers, etc) thanks to
thousands of contributions from the user community! Many
operating systems were even recognized by Nmap prior to their
official release. Nmap3 also recognizes 2148 port assignments,
451 SunRPC services, and 144 IP protocols.
* Added Idlescan (-sI), which bounces the scan off a "zombie"
machine. This can be used to bypass certain (poorly configured)
firewalls and packet filters. In addition, this is the most
stealthy Nmap scan mode, as no packets are sent to the target
from your true IP address.
* The base Nmap package now builds and functions under Windows! It
is distributed in three forms: build-it-yourself source code, a
simple command-line package, or along with a nice GUI interface
(NmapWin) and a fancy installer. This is due to the hard work of
Ryan Permeh (from eEye), Andy Lutomirski, and Jens Vogt.
* Mac OS X is now supported, as well as the latest versions of
Linux, OpenBSD, Solaris, FreeBSD, and most other UNIX platforms.
Nmap has also been ported to several handheld devices -- see the
Related Projects page for further information.
* XML output (-oX) is now available for smooth interoperability
between Nmap and other tools.
* Added ICMP Timestamp and Netmask ping types (-PP and -PM). These
(especially timestamp) can be useful against some hosts that do
not respond to normal ping (-PI) packets. Nmap still allows TCP
"ping" as well.
* Nmap can now detect the uptime of many hosts when the OS Scan
option (-O) is used.
* Several new tests have been added to make OS detection more
accurate and provide more granular version information.
* Removed 128.210.*.* addresses from Nmap man page examples due to
complaints from Purdue security staff.
* The --data_length option was added, allowing for longer probe
packets. Among other uses, this defeats certain simplistic IDS
signatures.
* You can now specify distinct port UDP and TCP port numbers in a
single scan command using a command like 'nmap -sSU -p
U:53,111,137,T:21-25,80,139,515,6000,8080 target.com'. See the
man page for more usage info.
* Added mysterious, undocumented --scanflags and --fuzzy options.
* Nmap now provides IPID as well as TCP ISN sequence
predictability reports if you use -v and -O.
* SYN scan is now the default scan type for privileged (root)
users. This is usually offers greater performance while reducing
network traffic.
* Capitalized all references to God in error messages.
* Added List scan (-sL) which enumerates targets without scanning
them.
* The Nmap "random IP" scanning mode is now smart enough to skip
many unallocated netblocks.
* Tons of more minor features, bugfixes, and portability enhancements.
-- Fixed a "Status: Down" machine name output problem in machine
parseable logs found by Alek O. Komarnitsky ( alek (at) ast.lmco.com )
-- Took some wierd files out of the doc directory (cd, grep , vi, and
.swp)
-- Fixed some typos found by Thomas Klausner ( wiz (at)
danbala.ifoer.tuwien.ac.at )
Fixes PR 10054 by Reinoud Koornstra (reinoud@ibbnet.org).
Maintainer shared my opinion about architecture independent data files
belonging into share/ instead of lib/.
Other changes against 2.50: Target parsing bug fixed, new rpc number list.
Important changes since 2.12:
Remote OS identification by fingerprint, recognition of RPC programs
listening on the respective ports, scan timing controls, ACK/window
scanning, stop/restart scans, output readability improved, and lots of
bug fixes.
salo
adam
reed
hubertf
rafal
abs
he
wiz