Nmap Development mailing list archives

Re: Nmap 3.80 preview


From: Fyodor <fyodor () insecure org>
Date: Thu, 10 Feb 2005 01:57:58 -0800

On Mon, Feb 07, 2005 at 12:29:54PM +0100, Martin Macok wrote:
> On Mon, Feb 07, 2005 at 01:41:06AM -0800, Fyodor wrote:
> >
> > I hope to improve on this when I move away from raw sockets and to
> > sending raw ethernet frames by default. I'm tired of all these silly
> > restrictions.
>
> Will it stop working on non-ethernet networks? Is it worth it? Those
> restrictions on unix systems are usually easy to turn off.

Good points.  I won't make Nmap ethernet only.  Raw sockets would be
kept as a backup.  Plus, support for sending on other link layers
could be added.  Here are some of the driving reasons for the change:

o Microsoft intentionally crippled WinXP to break raw socket support
  as of SP2.

o All sorts of UNIX systems muddle with raw packets in quirky ways,
  from defragmenting packets, to setting the DF bit or IPID, to
  performing validation checks (the 3.81 change to include proper tcp,
  udp, and icmp headers for version scan because Linux was blocking
  the outgoing packets is an example of this), to blocking outgoing
  packets via the host firewall, and more.

o Sending at the MAC level will allow us to do all sorts of cool
  stuff.  For example, ARP scanning could be much faster and more
  reliable than most other ping scanning techniques on a local network.

Cheers,
Fyodor
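The third bullet above contrasts sending at the MAC level with going through the kernel's raw IP socket: an ARP request is a link-layer frame with no IP header at all, so none of the IP-level quirks listed (defragmentation, DF/IPID rewriting, header validation) can touch it. The following is an added example, not code from Nmap or from this thread, that builds such an Ethernet II + ARP who-has frame byte for byte and parses the matching reply, entirely in memory. The MAC and IP addresses are constructed for the example (192.0.2.0/24 is the RFC 5737 documentation range); nothing is put on the wire, which on Linux would need an AF_PACKET socket and CAP_NET_RAW, exactly the kind of link-layer access the message is discussing.

```python
import struct
import ipaddress
from typing import Optional

ETH_P_ARP = 0x0806          # EtherType for ARP
BROADCAST = b"\xff" * 6     # Ethernet broadcast address
ARP_REQUEST = 1
ARP_REPLY = 2
ETH_HDR_LEN = 14            # dst MAC (6) + src MAC (6) + EtherType (2)
ARP_LEN = 28                # fixed-size ARP body for Ethernet/IPv4


def mac_bytes(mac: str) -> bytes:
    """Convert 'aa:bb:cc:dd:ee:ff' into its 6 raw bytes."""
    parts = mac.split(":")
    if len(parts) != 6:
        raise ValueError(f"bad MAC address: {mac!r}")
    return bytes(int(p, 16) for p in parts)


def mac_str(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def build_arp(opcode: int, dst_mac: bytes, sha: str, spa: str,
              tha: bytes, tpa: str) -> bytes:
    """Build a complete Ethernet II frame carrying one ARP message."""
    sha_b = mac_bytes(sha)
    eth = dst_mac + sha_b + struct.pack("!H", ETH_P_ARP)
    # ARP header: htype=1 (Ethernet), ptype=0x0800 (IPv4), hlen=6, plen=4
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, opcode)
    arp += sha_b + ipaddress.IPv4Address(spa).packed
    arp += tha + ipaddress.IPv4Address(tpa).packed
    return eth + arp


def build_arp_request(src_mac: str, src_ip: str, target_ip: str) -> bytes:
    """Broadcast who-has request; the target MAC field is zeroed as unknown."""
    return build_arp(ARP_REQUEST, BROADCAST, src_mac, src_ip,
                     b"\x00" * 6, target_ip)


def build_arp_reply(src_mac: str, src_ip: str,
                    dst_mac: str, dst_ip: str) -> bytes:
    """Unicast is-at reply from the host that owns src_ip."""
    return build_arp(ARP_REPLY, mac_bytes(dst_mac), src_mac, src_ip,
                     mac_bytes(dst_mac), dst_ip)


def parse_arp_frame(frame: bytes) -> Optional[dict]:
    """Return the ARP fields of an Ethernet frame, or None if it is not ARP."""
    if len(frame) < ETH_HDR_LEN + ARP_LEN:
        return None
    dst, src = frame[0:6], frame[6:12]
    (ethertype,) = struct.unpack("!H", frame[12:14])
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, opcode = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return {
        "eth_dst": mac_str(dst),
        "eth_src": mac_str(src),
        "opcode": opcode,
        "sender_mac": mac_str(body[0:6]),
        "sender_ip": str(ipaddress.IPv4Address(body[6:10])),
        "target_mac": mac_str(body[10:16]),
        "target_ip": str(ipaddress.IPv4Address(body[16:20])),
    }


def collect_replies(frames, our_ip: str) -> dict:
    """Map sender IP -> sender MAC for ARP replies addressed to us.

    This is the bookkeeping a MAC-level host discovery would do on the
    frames it receives; frames that are not ARP replies to our address
    are ignored.
    """
    seen = {}
    for frame in frames:
        arp = parse_arp_frame(frame)
        if arp and arp["opcode"] == ARP_REPLY and arp["target_ip"] == our_ip:
            seen[arp["sender_ip"]] = arp["sender_mac"]
    return seen


if __name__ == "__main__":
    # Constructed addresses for the demonstration; nothing is transmitted.
    req = build_arp_request("00:11:22:33:44:55", "192.0.2.10", "192.0.2.20")
    print(len(req), parse_arp_frame(req))
    rep = build_arp_reply("66:77:88:99:aa:bb", "192.0.2.20",
                          "00:11:22:33:44:55", "192.0.2.10")
    print(collect_replies([req, rep, b"\x00" * 60], "192.0.2.10"))
```

The request frame comes out at exactly 42 bytes (14-byte Ethernet header plus the 28-byte ARP body), which is the minimum an Ethernet driver will pad up to 60 bytes on transmission; the parser checks both the EtherType and the htype/ptype/hlen/plen tuple before trusting the field offsets, so a non-ARP or malformed frame yields None rather than garbage addresses.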


---------------------------------------------------------------------
For help using this (nmap-dev) mailing list, send a blank email to 
nmap-dev-help () insecure org . List archive: http://seclists.org