Nmap Development mailing list archives
Announce: nmap-3.30+V-3.00 ("Version" Scanning) [Builds Fixed]
From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Thu, 11 Sep 2003 01:36:03 -0500
Nmap 3.30+V-3.00

o Fixed a bug in nmap/util.cc's mmapfile() implementation and made my kludged "nmap compatible" version of menes' mmapbuf class actually check the return result for an error condition (should really just give up on that and use the version from menes, but my goal was to maintain as small a patch as I felt I could without bad compromise). Big thanks goes to Gisle Vanem (giva(at)bgnett.no) for noticing these problems and providing most of the work as a patch.

o Got everything compiling with gcc 2.96.110 by making a few really simple changes. For people looking at that and going "huh?": 2.96 is that line of versions that RedHat was putting out themselves from CVS versions of gcc. Made the gcc people angry, but a lot of people now have gcc 2.96.

o The usage of -sV(V(V)) no longer requires another scan type. Considering how intrusive this scan is anyway, you may not want to bother doing one of the other stealth scans. This effectively does a TCP connect() scan as it detects versions/services and reuses the working connections if they were able to be obtained. This amazingly tends to run at about the same speed as using the -sS first. (I was expecting it would be insanely slow.) Well, on Unix at least. On Windows the entire thing runs 5 times slower no matter what you do, and if you use this feature I have actually yet to see the program finish (I keep getting tired of waiting, go off to do something else, come back, and find it still running, hehe). Please note: this scan _may_ be vaguely inaccurate as it isn't as complicated as Fyodor's connect() scan. This feature is due to a request from Jamie (aouf77(at)dsl.pipex.com). Some people would call this feature "Alpha". I'm going to call it "Ghetto".

o Added <clear/> to the file format that clears the current receive buffer. This is really handy on protocols where you need to do matches specifically against the response to the current command and not to the identical "ok" response that was sent by an earlier command.

o Fixed some bugs in the script that were accidentally added when I converted to the XML file format. While doing this I added some new fingerprints for various FTP and SMTP servers. While doing _that_ I noticed that quite a few servers out there seem to customize their FTP response string (the last line of which really only has to start with "220 " and I believe has no other restriction). This is causing me to consider using more advanced nmap+V functionality to detect these services if I notice that "oh, it's FTP... not quite sure _what_ though... let's try logging in and see what the response to that is... ok, that was somewhat helpful but still generic... a HELP?".

o Fixed OSX build. Thanks goes out to Carl Holmberg (cmholm(at)mauiholm.org) for reporting the problem and giving me the build error output, and also to Christopher Niederauer (ccn(at)ccntech.com), who verified that my fix worked.

FTP Information (for "released" versions):

Source:       ftp://ftp.saurik.com/pub/nmap/nmap-3.30+V-3.00.tgz
Patch:        ftp://ftp.saurik.com/pub/nmap/nmap+V-3.00
Win32 Binary: ftp://ftp.saurik.com/pub/nmap/nmap-3.30+V-3.00.win32.zip

MD5 Sums:

f239b6e102ce12ff49375928358babb2  nmap-3.30+V-3.00.tgz
fbfbcdae5aabf92f79c87ca9cb430e4a  nmap-3.30+V-3.00.win32.zip
bb17234f00e85e6d2d24a76291793a21  nmap+V-3.00

CVS Information (for current versions):

Repository: :pserver:anoncvs () cvs saurik com:/cvs/nmap
Module:     nmap
Password:   anoncvs

Simple Usage Instructions:

Add -sV to your scan to get service/version detection. If you are willing to let nmap perform a number of connections to the remote machine to try sending different data in expectation of different responses (helpful if people are running services on the "wrong" port) then use -sVV instead. If you would, in addition to that, like to get whatever extraneous information I happen to pull off that port in addition to the service/version, use -sVVV. I tend to go back and forth on whether -sVV and -sVVV should be swapped; so far I've never changed them. If anyone has opinions please voice up :). Another option is to make it entirely orthogonal and make the "extra information" a different command line switch.

Example Output (for the curious; and yes, it should line up with a fixed width font, although it is occasionally wider than 77 characters and wraps):

[root(2)@ironclad nmap-3.30+V-3.00]# ./nmap -sS -sVVV -F localhost

Starting nmap 3.30+V ( http://www.insecure.org/nmap/ ) at 2003-09-11 01:33 CDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1174 ports scanned but not shown below are in state: closed)
Port       State  Service       Protocol      Version
17/tcp     open   qotd          Go Text       GNU Go 3.2
21/tcp     open   ftp           FTP
22/tcp     open   ssh           SSH           1.99-OpenSSH_3.4p1
23/tcp     open   telnet        Telnet
25/tcp     open   smtp          SMTP          Sendmail 8.12.6/8.12.6
53/tcp     open   domain        DNS
80/tcp     open   http          HTTP          Apache/2.1.0-dev (Unix) Modules: mod_ssl/2.1.0-dev OpenSSL/0.9.7a DAV/2 mod_jk/1.2.3-dev SVN/0.26.0 PHP/4.3.2 Title: Test Page for Apache Installation
110/tcp    open   pop-3         POP3          Cyrus v2.1.11-Invoca-RPM-2.1.11-3
111/tcp    open   sunrpc        RPC
113/tcp    open   auth          AUTH
139/tcp    open   netbios-ssn   NETBIOS
143/tcp    open   imap2         IMAP          Cyrus v2.1.11-Invoca-RPM-2.1.11-3
465/tcp    open   smtps         SSL
587/tcp    open   submission    SMTP          Sendmail 8.12.6/8.12.6
783/tcp    open   hp-alarm-mgr  SpamAssassin
953/tcp    open   rndc
993/tcp    open   imaps         SSL
995/tcp    open   pop3s         SSL
2000/tcp   open   callbook      Sieve         Cyrus timsieved v2.1.11-Invoca-RPM-2.1.11-3
2401/tcp   open   cvspserver    CVS
5432/tcp   open   postgres      PostgreSQL    PostgreSQL 7.3
8009/tcp   open   ajp13         Ajp13         Apache Tomcat
8080/tcp   open   http-proxy    HTTP          Apache Tomcat/4.1.18-LE-jdk14 (HTTP/1.1 Connector)

Nmap run completed -- 1 IP address (1 host up) scanned in 20.647 seconds
[root(2)@ironclad nmap-3.30+V-3.00]#
Sincerely,
Jay Freeman (saurik)
saurik () saurik com

---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to
nmap-dev-help () insecure org . List run by ezmlm-idx (www.ezmlm.org).
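The two mechanisms the announcement describes (matching a fingerprint only against the reply to the probe just sent, which is what the new <clear/> element resets the buffer for, and escalating from a customised "220 " greeting to USER and then HELP) as an added example that is not part of the original message and not code from nmap or the nmap+V patch. The fake FTP server on 127.0.0.1, the fingerprint table and the version strings it reports are constructed for the demo; nmap's real probe data looks nothing like this.

```python
"""Added example, not code from nmap or from the nmap+V patch.

Shows (1) matching each fingerprint only against the reply to the
current probe, clearing the receive buffer in between like <clear/>,
and (2) escalating from an uninformative "220 " greeting to USER and
HELP. Server, fingerprints and version strings are all constructed."""
import re
import socket
import threading

# A reply is complete once its last line reads "NNN text"; a "NNN-text"
# line is a continuation of a multi-line reply and does not end it.
FINAL_LINE = re.compile(rb"^\d{3} [^\r\n]*\r\n\Z", re.M)

# Constructed fingerprints, keyed by the probe whose reply they examine.
RULES = {
    b"": [  # the greeting: send nothing, just read
        (re.compile(r"^220[ -].*ProFTPD (\S+)", re.M), "ProFTPD {}"),
        (re.compile(r"^220[ -].*\(vsFTPd (\S+)\)", re.M), "vsFTPd {}"),
    ],
    b"USER anonymous\r\n": [
        (re.compile(r"^331 .*Anonymous login ok", re.M), "wu-ftpd-style (USER reply)"),
    ],
    b"HELP\r\n": [
        (re.compile(r"^214 Help OK\.", re.M), "vsFTPd-style (HELP fingerprint)"),
        (re.compile(r"^2\d\d ", re.M), "unknown (HELP accepted)"),
        (re.compile(r"^5\d\d ", re.M), "unknown (HELP rejected)"),
    ],
}


def recv_reply(sock, buf):
    """Read one complete reply into buf and return the buffer as text."""
    while True:
        data = sock.recv(4096)
        if not data:
            break
        buf += data
        if FINAL_LINE.search(bytes(buf)):
            break
    return buf.decode("latin-1")


def detect(host, port, clear=True):
    """Return (service, version) for an FTP-like listener.

    clear=False keeps earlier replies in the buffer, the false-match
    problem <clear/> avoids: the generic "2xx" rule for HELP then hits
    the 220 greeting instead of the reply HELP actually produced.
    """
    sock = socket.create_connection((host, port), timeout=3)
    buf = bytearray()
    try:
        for probe in (b"", b"USER anonymous\r\n", b"HELP\r\n"):
            if clear:
                buf.clear()  # the <clear/> step
            if probe:
                sock.sendall(probe)
            reply = recv_reply(sock, buf)
            if probe == b"" and not reply.startswith("220"):
                return ("unknown", reply.strip())
            for rx, fmt in RULES[probe]:
                m = rx.search(reply)
                if m:
                    return ("ftp", fmt.format(*m.groups()))
        return ("ftp", "unknown")
    finally:
        sock.close()


def fake_ftp_server(banner, help_reply):
    """Constructed FTP-like server on 127.0.0.1; returns (host, port)."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    addr = srv.getsockname()

    def serve():
        conn, _ = srv.accept()
        srv.close()
        try:
            with conn, conn.makefile("rb") as lines:
                conn.sendall(banner)
                for line in lines:
                    cmd = line.split(b" ", 1)[0].strip().upper()
                    if cmd == b"USER":
                        conn.sendall(b"331 Please specify the password.\r\n")
                    elif cmd == b"HELP":
                        conn.sendall(help_reply)
                    else:
                        conn.sendall(b"500 Unknown command.\r\n")
        except OSError:
            pass  # client hung up; nothing left to do

    threading.Thread(target=serve, daemon=True).start()
    return addr


if __name__ == "__main__":
    custom = b"220 Welcome to the Ironclad file service.\r\n"  # constructed banner
    print(detect(*fake_ftp_server(b"220 ProFTPD 1.2.8 Server (ironclad) [127.0.0.1]\r\n", b"214 Help OK.\r\n")))
    print(detect(*fake_ftp_server(custom, b"502 HELP not implemented.\r\n")))
    print(detect(*fake_ftp_server(custom, b"502 HELP not implemented.\r\n"), clear=False))
```

The last two calls target the same constructed server; only the buffer handling differs. With the buffer cleared, the HELP stage sees "502 ..." and reports that HELP was rejected; without clearing, the stale "220 " greeting satisfies the generic "2xx" rule and the scanner wrongly concludes HELP was accepted, which is the misfire the <clear/> element exists to prevent.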
Current thread:
- Announce: nmap-3.30+V-3.00 ("Version" Scanning) [Builds Fixed] Jay Freeman (saurik) (Sep 10)