Nmap Development mailing list archives

Announce: nmap-3.30+V-3.00 ("Version" Scanning) [Builds Fixed]


From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Thu, 11 Sep 2003 01:36:03 -0500

Nmap 3.30+V-3.00

o Fixed a bug in nmap/util.cc's mmapfile() implementation and made my
  kludged "nmap compatible" version of menes' mmapbuf class actually check
  the return result for an error condition (should really just give up on
  that and use the version from menes, but my goal was to maintain as small
  a patch as I felt I could without bad compromise). Big thanks goes to
  Gisle Vanem (giva(at)bgnett.no) for noticing these problems and providing
  most of the work as a patch.

o Got everything compiling with gcc 2.96.110 by making a few really simple
  changes. For people looking at that and going "huh?": 2.96 is that line
  of versions that RedHat was putting out themselves from CVS versions
  of gcc. Made the gcc people angry, but a lot of people now have gcc 2.96.

o The usage of -sV(V(V)) no longer requires another scan type. Considering
  how intrusive this scan is anyway, you may not want to bother doing one
  of the other stealth scans. This effectively does a TCP connect() scan as
  it detects versions/services and reuses the working connections if they
  were able to be obtained. This amazingly tends to run at about the same
  speed as using the -sS first. (I was expecting it would be insanely slow.)
  Well, on Unix at least. On Windows the entire thing runs 5 times slower no
  matter what you do, and if you use this feature I have actually yet to see
  the program finish (I keep getting tired of waiting, go off to do something
  else, come back, and find it still running, hehe). Please note: this scan
  _may_ be vaguely inaccurate as it isn't as complicated as Fyodor's connect()
  scan. This feature is due to a request from Jamie (aouf77(at)dsl.pipex.com).
  Some people would call this feature "Alpha". I'm going to call it "Ghetto".

o Added <clear/> to the file format that clears the current receive buffer.
  This is really handy on protocols where you need to do matches specifically
  against the response to the current command and not to the identical "ok"
  response that was sent by an earlier command.
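The following is an added example, not code from this announcement or from nmap+V itself. It exercises two of the points above against a constructed loopback stub server: the connect()-style port check whose successful socket is kept open and reused for the version probe rather than reconnecting, and a <clear/> step that empties the receive buffer so a match only sees the reply to the command just sent. Only <clear/> is named in the announcement; the <probe>, <send> and <match> element names, the pattern/label attributes, and the SMTP-like stub replies are assumptions made for this example.

```python
"""Added example (not nmap+V code): connect-and-reuse probing plus <clear/>.

Assumed for the example: the <probe>/<send>/<match> element names and the
pattern/label attributes; the stub server's replies are constructed.
"""
import re
import socket
import threading
import xml.etree.ElementTree as ET

# Constructed stub: greets like a mail server, answers NOOP with a generic
# "250 ok" and refuses STARTTLS, i.e. a server without TLS support.
GREETING = b"220 mail.example.test ESMTP ready\r\n"
REPLIES = {b"NOOP": b"250 ok\r\n", b"STARTTLS": b"454 TLS not available\r\n"}


def start_stub_server():
    """Listen on an ephemeral loopback port and serve one connection."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve():
        conn, _ = srv.accept()
        with conn:
            conn.sendall(GREETING)
            for raw in conn.makefile("rb"):          # one reply per command line
                conn.sendall(REPLIES.get(raw.strip(), b"500 unrecognized\r\n"))
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]


def connect_scan(port, timeout=2.0):
    """TCP connect() check: return the open socket if the port accepts, else None.
    The socket is deliberately kept open so the version probe can reuse it."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect(("127.0.0.1", port))
    except OSError:
        s.close()
        return None
    return s


def run_probe(script_xml, sock):
    """Interpret the probe script over an already-open socket.

    Returns the labels of the <match> steps that fired, in order.  The stub
    replies with exactly one line per command, so readline() suffices; a real
    probe must apply the protocol's own reply-termination rules.
    """
    rf = sock.makefile("rb")
    buf = rf.readline()                      # greeting arrives on connect
    fired = []
    for step in ET.fromstring(script_xml):
        if step.tag == "send":
            sock.sendall(step.text.encode() + b"\r\n")
            buf += rf.readline()             # appended to whatever is buffered
        elif step.tag == "match":
            if re.search(step.get("pattern"), buf.decode("latin-1"), re.M):
                fired.append(step.get("label"))
        elif step.tag == "clear":
            buf = b""                        # forget replies to earlier commands
    return fired


PROBE_WITH_CLEAR = """<probe>
  <match pattern="^220 " label="smtp"/>
  <send>NOOP</send>
  <match pattern="^250 " label="smtp-noop-ok"/>
  <clear/>
  <send>STARTTLS</send>
  <match pattern="^220 " label="starttls-offered"/>
</probe>"""

# Same script without the buffer clear: the greeting's "220 " line is still
# in the buffer, so the STARTTLS match fires even though the server said 454.
PROBE_WITHOUT_CLEAR = PROBE_WITH_CLEAR.replace("<clear/>", "")


def scan_and_probe(script_xml):
    """Connect-scan the stub's port, then reuse that socket for the probe."""
    sock = connect_scan(start_stub_server())
    if sock is None:
        return None                          # closed port: nothing to probe
    with sock:
        return run_probe(script_xml, sock)


if __name__ == "__main__":
    print("with <clear/>:   ", scan_and_probe(PROBE_WITH_CLEAR))
    print("without <clear/>:", scan_and_probe(PROBE_WITHOUT_CLEAR))
```

Without the clear, the second `^220 ` match reports "starttls-offered" on a server that actually answered 454; with it, only the real NOOP result survives. That false positive is exactly the stale-"ok" problem the bullet describes.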

o Fixed some bugs in the script that were accidentally added when I converted
  to the XML file format. While doing this I added some new fingerprints for
  various FTP and SMTP servers. While doing _that_ I noticed that quite a few
  servers out there seem to customize their FTP response string (the last line
  of which really only has to start with "220 " and I believe has no other
  restriction). This is causing me to consider using more advanced nmap+V
  functionality to detect these services if I notice that "oh, it's FTP... not
  quite sure _what_ though... let's try logging in and see what the response
  to that is... ok, that was somewhat helpful but still generic... a HELP?".
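As an added illustration of the "last line only has to start with 220 " observation (this is not the announcement's code, nor part of nmap+V): a parser for FTP replies following the RFC 959 multi-line rules, which treats a greeting as FTP based on the terminating "220 " line alone, whatever customized text precedes it. The sample greetings are constructed.

```python
"""Added example (not nmap+V code): RFC 959 reply parsing for FTP greetings.

Sample greetings below are constructed for the example.
"""
import re

# First line of any reply: three digits, then " " (single line) or "-"
# (opens a multi-line reply), then free text.
REPLY_LINE = re.compile(r"^(\d{3})([ -])(.*)$")


def parse_ftp_reply(data: bytes):
    """Parse one complete FTP reply from the start of `data`.

    Returns {"code": int, "lines": [text...], "consumed": bytes_used}, or
    None if `data` does not begin with a complete reply.  RFC 959: "xyz-"
    opens a multi-line reply that ends at a line starting "xyz " with the
    same code; intermediate lines are free text (servers pad a line that
    would otherwise start with digits, so it cannot be mistaken for the end).
    """
    text = data.decode("latin-1")
    pos, code, lines = 0, None, []
    while True:
        nl = text.find("\n", pos)
        if nl == -1:
            return None                      # no complete line yet
        line = text[pos:nl].rstrip("\r")
        pos = nl + 1
        if code is None:
            m = REPLY_LINE.match(line)
            if not m:
                return None                  # does not look like an FTP reply
            code = m.group(1)
            lines.append(m.group(3))
            if m.group(2) == " ":
                break                        # single-line reply
        elif line.startswith(code + " "):
            lines.append(line[4:])
            break                            # terminating "xyz " line
        else:
            # continuation line; drop the optional "xyz-" prefix if present
            lines.append(line[4:] if line.startswith(code + "-") else line)
    return {"code": int(code), "lines": lines, "consumed": pos}


def looks_like_ftp(data: bytes) -> bool:
    """FTP greeting = a complete reply whose code is 220, regardless of text."""
    reply = parse_ftp_reply(data)
    return reply is not None and reply["code"] == 220


def fingerprint_line(data: bytes):
    """The terminating line's text, the part worth matching fingerprints on."""
    reply = parse_ftp_reply(data)
    return reply["lines"][-1] if reply else None


# Constructed sample greetings.
SAMPLES = {
    "plain": b"220 (vsFTPd 2.0.1)\r\n",
    "custom_multiline": (
        b"220-Welcome to the Example Corp file server.\r\n"
        b"220- 220 inside the text is padded, so it is not the end\r\n"
        b"220 Service ready.\r\n"
    ),
    "incomplete": b"220-Welcome\r\n220-still going\r\n",
    "ssh": b"SSH-1.99-OpenSSH_3.4p1\r\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(f"{name:16} ftp={looks_like_ftp(raw)!s:5} last={fingerprint_line(raw)!r}")
```

Classifying on the terminating line rather than on the whole banner is what lets the customized greetings in the bullet above still register as FTP; the terminating text is then the stable input for the more specific fingerprinting the author is considering.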

o Fixed OSX build. Thanks goes out to Carl Holmberg (cmholm(at)mauiholm.org)
  for reporting the problem and giving me the build error output, and also to
  Christopher Niederauer (ccn(at)ccntech.com), who verified that my fix worked.


FTP Information (for "released" versions):

  Source: ftp://ftp.saurik.com/pub/nmap/nmap-3.30+V-3.00.tgz
  Patch: ftp://ftp.saurik.com/pub/nmap/nmap+V-3.00
  Win32 Binary: ftp://ftp.saurik.com/pub/nmap/nmap-3.30+V-3.00.win32.zip


MD5 Sums:

f239b6e102ce12ff49375928358babb2  nmap-3.30+V-3.00.tgz
fbfbcdae5aabf92f79c87ca9cb430e4a  nmap-3.30+V-3.00.win32.zip
bb17234f00e85e6d2d24a76291793a21  nmap+V-3.00


CVS Information (for current versions):

  Repository: :pserver:anoncvs () cvs saurik com:/cvs/nmap
  Module: nmap
  Password: anoncvs


Simple Usage Instructions:

Add -sV to your scan to get service/version detection. If you are willing to
let nmap perform a number of connections to the remote machine to try
sending different data in expectation of different responses (helpful if
people are running services on the "wrong" port) then use -sVV instead. If
you would, in addition to that, like to get whatever extraneous information
I happen to pull off that port in addition to the service/version,
use -sVVV. I tend to go back and forth on whether -sVV and -sVVV should be
swapped; so far I've never changed them. If anyone has opinions please voice
up :). Another option is to make it entirely orthogonal and make the "extra
information" a different command line switch.


Example Output (for the curious; and yes, it should line up with a fixed
width font, although it is occasionally wider than 77 characters and wraps):

[root(2)@ironclad nmap-3.30+V-3.00]# ./nmap -sS -sVVV -F localhost

Starting nmap 3.30+V ( http://www.insecure.org/nmap/ ) at 2003-09-11 01:33 CDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1174 ports scanned but not shown below are in state: closed)
Port       State       Service             Protocol     Version
17/tcp     open        qotd                Go Text      GNU Go 3.2
21/tcp     open        ftp                 FTP
22/tcp     open        ssh                 SSH          1.99-OpenSSH_3.4p1
23/tcp     open        telnet              Telnet
25/tcp     open        smtp                SMTP         Sendmail 8.12.6/8.12.6
53/tcp     open        domain              DNS
80/tcp     open        http                HTTP         Apache/2.1.0-dev (Unix)
  Modules: mod_ssl/2.1.0-dev OpenSSL/0.9.7a DAV/2 mod_jk/1.2.3-dev SVN/0.26.0 PHP/4.3.2
  Title: Test Page for Apache Installation
110/tcp    open        pop-3               POP3         Cyrus v2.1.11-Invoca-RPM-2.1.11-3
111/tcp    open        sunrpc              RPC
113/tcp    open        auth                AUTH
139/tcp    open        netbios-ssn         NETBIOS
143/tcp    open        imap2               IMAP         Cyrus v2.1.11-Invoca-RPM-2.1.11-3
465/tcp    open        smtps               SSL
587/tcp    open        submission          SMTP         Sendmail 8.12.6/8.12.6
783/tcp    open        hp-alarm-mgr        SpamAssassin
953/tcp    open        rndc
993/tcp    open        imaps               SSL
995/tcp    open        pop3s               SSL
2000/tcp   open        callbook            Sieve        Cyrus timsieved v2.1.11-Invoca-RPM-2.1.11-3
2401/tcp   open        cvspserver          CVS
5432/tcp   open        postgres            PostgreSQL   PostgreSQL 7.3
8009/tcp   open        ajp13               Ajp13        Apache Tomcat
8080/tcp   open        http-proxy          HTTP         Apache Tomcat/4.1.18-LE-jdk14 (HTTP/1.1 Connector)

Nmap run completed -- 1 IP address (1 host up) scanned in 20.647 seconds
[root(2)@ironclad nmap-3.30+V-3.00]#

Sincerely,
Jay Freeman (saurik)
saurik () saurik com

