Nmap Announce mailing list archives

Nmap update


From: Fyodor <fyodor () dhp com>
Date: Thu, 17 Dec 1998 07:41:14 -0500 (EST)



Wow!  You guys sure have been keeping me busy with the OS
fingerprints!  There were a bunch on the list and even more in my
mailbox!  I think I finally got them all incorporated.

Thanks to these people (and anyone I missed) for sending in IP
addresses or fingerprints:

Bennett Todd, bobort () bigfoot com, Jonathan Scott Duff, Lamont
Granquist, jfesler () gigo com, Sami Yousif, J. S. Connell, Zippy
<seth () interport net>, Jeff Weisberg <jaw () Op Net> (sent in a bunch of
them), Keith Woodworth <kwoody () citytel net>, tom () bpf promisc org,
Kenneth Ingham <ingham () i-pi com>, Jason Ledbetter
<jason () colltech com>, A.j. Effin ReznoR <spork () exo com>, Sebastian
Andersson <sa () hogia net> (sent a bunch of them), Drew Morone
<tdrew () cairn org>, Erik Parker <netmask () 303 org>, rain.forest.puppy
<rfp () iname com>, Peter van Dijk <peter () attic vuurwerk nl>, Jamie
Mcneil <J.Mcneil () rhbnc ac uk>, Daniel Seagraves
<daniel () ubani umtec com> ( sent in a ton of them), spaceork
<spaceork () dhp com>, Michael Dodwell <mdodwell () vic bigpond net au>
(sent in a bunch of them), Noah Romer <klevin () eskimo com>, Keith Lewis
<keithl () mukluk cc monash edu au> (sent a ton of them), Todd Campbell
<nixwiz@home.com>, Nickolai Zeldovich <kolya () zepa net> (sent a
bunch), Calle Dybedahl <qdtcall () esavionics se> (sent a bunch).

Not bad for a day, eh? :).  Keep them coming!  If you send them to me
( fyodor () dhp com ), I'll add them and when I get a bunch I'll put up a
new nmap-os-fingerprints file and let everyone know.

You guys increased the nmap-os-fingerprints size by 25% in one day!
Way to go!

Instead of releasing just the new nmap-os-fingerprints file, I released
a whole nmap 2.01 because it has an important OS scanning problem.
Can anyone see the *two* bugs here? (self test -- don't mail in the
answer ):

  /* Next we check whether the Don't Fragment bit is set */
  AVs[1].attribute = "DF";
  if(ip->ip_off && 0x4000) {
    strcpy(AVs[1].value,"Y");
  } else strcpy(AVs[1].value, "N");

This shouldn't affect many people, but I did notice it in a few of the
fingerprints sent in.

The new version is at http://www.insecure.org/nmap/ .  If you did a
'make install' last time, you need to do it again this time or nmap
will use the old nmap-os-fingerprints if it finds them in
/usr/local/lib (or wherever).

Here are a few quick notes related to recent posts (or not):

**  I am going to start distributing nmap with its own services file
    instead of using /etc/services .  Some operating systems (like
    FreeBSD) have pretty much everything, whereas others are missing a
    lot of the entries from the assigned numbers RFC.  Also the one
    that comes with nmap will contain Netbus, Back Orifice, certain
    "well known" RPC ports, and other things you often won't find in 
    /etc/services
 
**  I have avoided putting SNMP querying and other application-specific
    features since I think that adding application layer security
    support could bloat nmap significantly and make it too hard to
    maintain, not to mention it could never be close to comprehensive.
    I think I'll focus nmap on quickly and accurately finding out what
    operating system is running and what services it offers.  I'm
    probably going to leave stuff like SNMP querying, exploit testing,
    RPC/portmapper interaction, DNS zone transfers, etc to other
    specialized tools.  I am trying to make nmap interact well with
    these other tools though.  Check out the new -m option which gives
    parseable output.  I actually may put in 1 or 2 from the above at
    some point, but not real soon.  If I do do applications, I will
    use a module/plug in interface so *other* people can write and
    maintain the application specific portions :).

**  I am going to start an nmap-announce mailing list for
    announcements of new stable versions.  I'll bet there are some
    people who can't take this much mail (although I expect it will
    probably quiet down somewhat).  Discussions and patches
    will still go here, and I will probably release nmap versions to
    this list a little sooner for testing before they get out to
    nmap-announce.  I'll write when the list is ready.

**  A couple people mentioned that they are getting OS Scan segfaults,
    if anyone knows GDB and can send me more information, that would
    be great.  It would also be useful to know what platform you are
    running on, what kind of network you are on, and what version of
    gcc/egcs you used to compile it.  Also if it only segfaults
    against a certain machine it would be useful if you can send me
    the IP.  Of course if you want to figure it all out yourself and
    send me a patch, that would be great :).

**  In general, you cannot just take the fingerprint nmap gives you and
    stick it into nmap-os-fingerprints.  That may work a lot of the
    time, but often the fingerprints must be cleaned up and
    generalized.  I'll try to post the general technique later today.  If
    I stay up much longer before sleeping, I'll end up going to work
    tomorrow when everyone else is leaving (again) :).

Thanks again for all the fingerprints and comments.

Cheers,
Fyodor



--
Fyodor                            'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls?          Try nmap: http://www.insecure.org/nmap/
"In addition, we're trying to do a much better job of staying in touch
with our teenage children and others to learn the latest hacker techniques
so we can be one step ahead of them rather than several steps behind." 
 --Kenneth H. Bacon, Pentagon Assistant Secretary of Defense
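As an added illustration (not part of Fyodor's message or of nmap's source), here is the DF predicate from the snippet above next to a corrected version, both run against constructed IPv4 headers; the header bytes and the function names are assumptions of this example, not values from the post.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <arpa/inet.h>

/* Flags live in the top bits of the 16-bit "flags + fragment offset" field
 * (bytes 6..7 of the IPv4 header), which is big-endian on the wire. */
#define IP_DF_FLAG 0x4000
#define IP_MF_FLAG 0x2000

/* Read bytes 6..7 exactly as struct ip's ip_off would hold them: still in
 * network byte order, no conversion applied. Returns 0 for a short buffer. */
static uint16_t ip_off_raw(const uint8_t *pkt, size_t len) {
    uint16_t raw = 0;
    if (len < 20) return 0;
    memcpy(&raw, pkt + 6, sizeof raw);
    return raw;
}

/* The predicate as it appeared in the broken release: logical && instead of
 * bitwise &, and no byte-order conversion. It is "true" whenever the field
 * is non-zero at all, so MF-only or fragment-offset-only headers read as DF. */
int df_buggy(const uint8_t *pkt, size_t len) {
    return (ip_off_raw(pkt, len) && 0x4000) ? 1 : 0;
}

/* Corrected test: convert to host order first, then mask the DF bit. */
int df_correct(const uint8_t *pkt, size_t len) {
    return (ntohs(ip_off_raw(pkt, len)) & IP_DF_FLAG) ? 1 : 0;
}

/* Constructed 20-byte IPv4 headers (not captured traffic); only bytes 6..7
 * differ: DF set, MF set, a bare fragment offset of 5, and nothing set. */
const uint8_t HDR_DF[20]   = {0x45,0,0,40, 0x12,0x34, 0x40,0x00, 64,6,0,0, 10,0,0,1, 10,0,0,2};
const uint8_t HDR_MF[20]   = {0x45,0,0,40, 0x12,0x34, 0x20,0x00, 64,6,0,0, 10,0,0,1, 10,0,0,2};
const uint8_t HDR_FRAG[20] = {0x45,0,0,40, 0x12,0x34, 0x00,0x05, 64,6,0,0, 10,0,0,1, 10,0,0,2};
const uint8_t HDR_NONE[20] = {0x45,0,0,40, 0x12,0x34, 0x00,0x00, 64,6,0,0, 10,0,0,1, 10,0,0,2};
```

The two versions agree only on the all-zero and DF-only headers; for a fragmented packet without DF the buggy test still reports "Y", which is the kind of mis-fingerprint the post describes.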


