Nmap Announce mailing list archives
Nmap update
From: Fyodor <fyodor () dhp com>
Date: Thu, 17 Dec 1998 07:41:14 -0500 (EST)
Wow! You guys sure have been keeping me busy with the OS fingerprints! There were a bunch on the list and even more in my mailbox! I think I finally got them all incorporated. Thanks to these people (and anyone I missed) for sending in IP addresses or fingerprints: Bennett Todd, bobort () bigfoot com, Jonathan Scott Duff, Lamont Granquist, jfesler () gigo com, Sami Yousif, J. S. Connell, Zippy <seth () interport net>, Jeff Weisberg <jaw () Op Net> (sent in a bunch of them), Keith Woodworth <kwoody () citytel net>, tom () bpf promisc org, Kenneth Ingham <ingham () i-pi com>, Jason Ledbetter <jason () colltech com>, A.j. Effin ReznoR <spork () exo com>, Sebastian Andersson <sa () hogia net> (sent a bunch of them), Drew Morone <tdrew () cairn org>, Erik Parker <netmask () 303 org>, rain.forest.puppy <rfp () iname com>, Peter van Dijk <peter () attic vuurwerk nl>, Jamie Mcneil <J.Mcneil () rhbnc ac uk>, Daniel Seagraves <daniel () ubani umtec com> (sent in a ton of them), spaceork <spaceork () dhp com>, Michael Dodwell <mdodwell () vic bigpond net au> (sent in a bunch of them), Noah Romer <klevin () eskimo com>, Keith Lewis <keithl () mukluk cc monash edu au> (sent a ton of them), Todd Campbell <nixwiz () home com>, Nickolai Zeldovich <kolya () zepa net> (sent a bunch), Calle Dybedahl <qdtcall () esavionics se> (sent a bunch).

Not bad for a day, eh? :). Keep them coming! If you send them to me (fyodor () dhp com), I'll add them and when I get a bunch I'll put up a new nmap-os-fingerprints file and let everyone know. You guys increased the nmap-os-fingerprints size by 25% in one day! Way to go!

Instead of releasing just the new nmap-os-fingerprints file, I released a whole nmap 2.01 because it has an important OS scanning problem. Can anyone see the *two* bugs here? (self test -- don't mail in the answer):

    /* Next we check whether the Don't Fragment bit is set */
    AVs[1].attribute = "DF";
    if(ip->ip_off && 0x4000) {
      strcpy(AVs[1].value,"Y");
    } else strcpy(AVs[1].value, "N");

This shouldn't affect many people, but I did notice it in a few of the fingerprints sent in. The new version is at http://www.insecure.org/nmap/ . If you did a 'make install' last time, you need to do it again this time or nmap will use the old nmap-os-fingerprints if it finds them in /usr/local/lib (or wherever).

Here are a few quick notes related to recent posts (or not):

** I am going to start distributing nmap with its own services file instead of using /etc/services . Some operating systems (like FreeBSD) have pretty much everything, whereas others are missing a lot of the entries from the assigned numbers RFC. Also the one that comes with nmap will contain Netbus, Back Orifice, certain "well known" RPC ports, and other things you often won't find in /etc/services

** I have avoided putting in SNMP querying and other application-specific features since I think that adding application layer security support could bloat nmap significantly and make it too hard to maintain, not to mention it could never be close to comprehensive. I think I'll focus nmap on quickly and accurately finding out what operating system is running and what services it offers. I'm probably going to leave stuff like SNMP querying, exploit testing, RPC/portmapper interaction, DNS zone transfers, etc. to other specialized tools. I am trying to make nmap interact well with these other tools though. Check out the new -m option which gives parseable output. I actually may put in 1 or 2 from the above at some point, but not real soon. If I do do applications, I will use a module/plug-in interface so *other* people can write and maintain the application specific portions :).

** I am going to start an nmap-announce mailing list for announcements of new stable versions. I'll bet there are some people who can't take this much mail (although I expect it will probably quiet down somewhat). Discussions and patches will still go here, and I will probably release nmap versions to this list a little sooner for testing before they get out to nmap-announce. I'll write when the list is ready.

** A couple of people mentioned that they are getting OS Scan segfaults. If anyone knows GDB and can send me more information, that would be great. It would also be useful to know what platform you are running on, what kind of network you are on, and what version of gcc/egcs you used to compile it. Also, if it only segfaults against a certain machine it would be useful if you can send me the IP. Of course if you want to figure it all out yourself and send me a patch, that would be great :).

** In general, you cannot just take the fingerprint nmap gives you and stick it into nmap-os-fingerprints. That may work a lot of the time, but often the fingerprints must be cleaned up and generalized. I'll try to post the general technique later today.

If I stay up much longer before sleeping, I'll end up going to work tomorrow when everyone else is leaving (again) :).

Thanks again for all the fingerprints and comments.

Cheers,
Fyodor

--
Fyodor 'finger pgp () www insecure org | pgp -fka'
Frustrated by firewalls? Try nmap: http://www.insecure.org/nmap/
"In addition, we're trying to do a much better job of staying in touch with our teenage children and others to learn the latest hacker techniques so we can be one step ahead of them rather than several steps behind." --Kenneth H. Bacon, Pentagon Assistant Secretary of Defense
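A worked illustration of the DF self-test in the message above, added here as an example and not code from nmap or from Fyodor: it builds a 20-byte IPv4 header (constructed sample data, not a capture), reads the flags/fragment-offset field in wire order the way a packet sniffer delivers it, and runs both the check as posted and a corrected one side by side. The snippet as posted has two defects: `&&` is a logical AND, so the test is true for any non-zero ip_off (a More-Fragments packet or a plain fragment offset counts as DF), and the field is compared against a host-order constant without ntohs(). The header builder, the `df_attribute` helper and the `use_fixed` switch are assumptions for this example; the DF bit value 0x4000 and the ip_off field come from the original.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <arpa/inet.h>

#define IP_DF 0x4000  /* Don't Fragment bit, host order */
#define IP_MF 0x2000  /* More Fragments bit, host order */

/* The test as posted: "&&" is a logical AND, so this returns 1 for any
 * non-zero ip_off (MF set, or a non-zero fragment offset), and the field
 * is never converted from network byte order. */
static int df_set_as_posted(uint16_t ip_off_wire) {
    return (ip_off_wire && 0x4000) ? 1 : 0;
}

/* Corrected test: convert the field to host order, then mask the DF bit. */
static int df_set_fixed(uint16_t ip_off_wire) {
    return (ntohs(ip_off_wire) & IP_DF) ? 1 : 0;
}

/* Pull the flags/fragment-offset field (IPv4 header bytes 6-7) out of raw
 * header bytes, leaving it in wire order exactly as struct ip's ip_off
 * would hold it after the packet is read into memory, then fill the
 * fingerprint-style "Y"/"N" value. Returns 0 on success, -1 if the
 * buffer is too short to contain the field. (Hypothetical helper.) */
static int df_attribute(const uint8_t *hdr, size_t len, char value[2], int use_fixed) {
    uint16_t ip_off_wire;
    int set;
    if (len < 8) return -1;
    memcpy(&ip_off_wire, hdr + 6, sizeof ip_off_wire); /* still wire order */
    set = use_fixed ? df_set_fixed(ip_off_wire) : df_set_as_posted(ip_off_wire);
    strcpy(value, set ? "Y" : "N");
    return 0;
}

/* Constructed 20-byte IPv4 header (not a real capture); only bytes 6-7
 * matter for the DF test, the rest is filled in for realism. */
static void make_header(uint8_t hdr[20], uint16_t flags_and_offset_host) {
    memset(hdr, 0, 20);
    hdr[0] = 0x45;                                     /* version 4, IHL 5 */
    hdr[2] = 0; hdr[3] = 20;                           /* total length 20 */
    hdr[6] = (uint8_t)(flags_and_offset_host >> 8);    /* flags + high offset bits */
    hdr[7] = (uint8_t)(flags_and_offset_host & 0xff);  /* low offset bits */
    hdr[8] = 64;                                       /* TTL */
    hdr[9] = 6;                                        /* protocol: TCP */
}

/* Classify one constructed header with the chosen variant and return the
 * attribute character: 'Y', 'N', or '?' if the header could not be parsed. */
static char df_char(uint16_t flags_and_offset_host, int use_fixed) {
    uint8_t hdr[20];
    char value[2];
    make_header(hdr, flags_and_offset_host);
    if (df_attribute(hdr, sizeof hdr, value, use_fixed) != 0) return '?';
    return value[0];
}
```

Because `df_attribute` copies the two wire bytes into the integer without reordering, the stored value is in network byte order on every host, so `ntohs()` is the portable fix regardless of the machine's endianness; the test as posted misreports a More-Fragments packet and any later fragment as DF=Y, which is the kind of discrepancy that shows up as a wrong DF attribute in submitted fingerprints.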
Current thread:
- Nmap update Fyodor (Dec 17)
- Re: Nmap update Jesús Cea Avión (Dec 17)