# Nmap Changelog ($Id: CHANGELOG 2842 2005-09-07 22:37:43Z fyodor $)

o Added the ability for Nmap to send and properly route raw ethernet
  packets containing IP datagrams rather than always sending the
  packets via raw sockets. This is particularly useful for Windows,
  since Microsoft has disabled raw socket support in XP for no good
  reason.  Nmap tries to choose the best method at runtime based on
  platform, though you can override it with the new --send_eth and
  --send_ip options.

o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
  determine whether hosts on a LAN are up, rather than relying on
  higher-level IP packets (which can only be sent after a successful
  ARP request and reply anyway).  This is much faster and more
  reliable (not subject to IP-level firewalling) than IP-based probes.
  The downside is that it only works when the target machine is on the
  same LAN as the scanning machine.  It is now used automatically for
  any hosts that are detected to be on a local ethernet network,
  unless --send_ip was specified.  Example usage: nmap -sP -PR
  192.168.0.0/16 .

o Added the --spoof_mac option, which asks Nmap to use the given MAC
  address for all of the raw ethernet frames it sends.  The MAC given
  can take several formats.  If it is simply the string "0", Nmap
  chooses a completely random MAC for the session.  If the given
  string is an even number of hex digits (with the pairs optionally
  separated by a colon), Nmap will use those as the MAC.  If less than
  12 hex digits are provided, Nmap fills in the remainder of the 6
  bytes with random values.  If the argument isn't a 0 or hex string,
  Nmap looks through the nmap-mac-prefixes to find a vendor name
  containing the given string (it is case insensitive).  If a match is
  found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
  remaining 3 bytes randomly.
  Valid --spoof_mac argument examples are "Apple", "0",
  "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and "Cisco".

o Applied an enormous nmap-service-probes (version detection) update
  from SoC student Doug Hoyte (doug(a)hcsw.org).  Version 3.81 had
  1064 match lines covering 195 service protocols.  Now we have 2865
  match lines covering 359 protocols!  So the database size has nearly
  tripled!  This should make your -sV scans quicker and more
  accurate.  Thanks also go to the (literally) thousands of you who
  submitted service fingerprints.  Keep them coming!

o Applied a massive OS fingerprint update from Zhao Lei
  (zhaolei(a)gmail.com).  About 350 fingerprints were added, and many
  more were updated.  Notable additions include Mac OS X 10.4 (Tiger),
  OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
  with a new "robotic pet" device type category), the latest Linux 2.6
  kernels, Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
  UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
  3.8.X, and Solaris 10.  Of course there are also tons of new
  broadband routers, printers, WAPs and pretty much any other device
  you can coax an ethernet cable (or wireless card) into!

o Added 'leet ASCII art to the configurator!  ARTIST NOTE: If you think
  the ASCII art sucks, feel free to send me alternatives.  Note that
  only people compiling the UNIX source code get this. (ASCII artist
  unknown).

o Nmap on Windows now compiles/links with the new WinPcap 3.1
  header/lib files. So please upgrade to 3.1 from
  http://www.winpcap.org before installing this version of Nmap.
  While older versions may still work, they aren't supported with Nmap.

o Nmap distribution signing has changed. Release files are now signed
  with a new Nmap Project GPG key (KeyID 6B9355D0).  Fyodor has also
  generated a new key for himself (KeyID 33599B5F).  The Nmap key has
  been signed by Fyodor's new key, which has been signed by Fyodor's
  old key so that you know they are legit.
  The new keys are available at
  http://www.insecure.org/nmap/data/nmap_gpgkeys.txt , as
  docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
  keyserver network.  Here are the fingerprints:

    pub  1024D/33599B5F 2005-04-24
         Key fingerprint = BB61 D057 C0D7 DCEF E730  996C 1AF6 EC50 3359 9B5F
    uid  Fyodor <fyodor@insecure.org>
    sub  2048g/D3C2241C 2005-04-24

    pub  1024D/6B9355D0 2005-04-24
         Key fingerprint = 436D 66AB 9A79 8425 FDA0  E3F8 01AF 9F03 6B93 55D0
    uid  Nmap Project Signing Key (http://www.insecure.org/)
    sub  2048g/A50A6A94 2005-04-24

o Fixed a crash problem related to non-portable varargs (vsnprintf)
  usage. Reports of this crash came from Alan William Somers
  (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
  This patch was prevalent on Linux boxes running an Opteron/Athlon64
  CPU in 64-bit mode.

o Fixed crash when Nmap is compiled using gcc 4.X by adding the
  -fno-strict-aliasing option when that compiler is detected.  Thanks
  to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
  this option fixes (hides) the problem and to Duilio J. Protti
  (dprotti(a)flowgate.net) for writing the configure patch to detect
  gcc 4 and add the option.  A better fix is to identify and rewrite
  lines that violate C99 alias rules, and we are looking into that.

o Added "rarity" feature to Nmap version detection.  This causes
  obscure probes to be skipped when they are unlikely to help.  Each
  probe now has a "rarity" value.  Probes that detect dozens of
  services such as GenericLines and GetRequest have rarity values of
  1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
  When interrogating a port, Nmap always tries probes registered to
  that port number.  So even WWWOFFLEctrlstat will be tried against
  port 8081 and mydoom will be tried against open ports between 3127
  and 3198.
  If none of the registered ports find a match, Nmap tries
  probes that have a rarity less than or equal to its current
  intensity level.  The intensity level defaults to 7 (so that most of
  the probes are done).  You can set the intensity level with the new
  --version_intensity option.  Alternatively, you can just use
  --version_light or --version_all which set the intensity to 2 (only
  try the most important probes and ones registered to the port
  number) and 9 (try all probes), respectively.  --version_light is
  much faster than default version detection, but also a bit less
  likely to find a match.  This feature was designed and implemented
  by Doug Hoyte (doug(a)hcsw.org).

o Added a "fallback" feature to the nmap-service-probes database.
  This allows a probe to "inherit" match lines from other probes.  It
  is currently only used for the HTTPOptions, RTSPRequest, and
  SSLSessionReq probes to inherit all of the match lines from
  GetRequest.  Some servers don't respond to the Nmap GetRequest (for
  example because it doesn't include a Host: line) but they do respond
  to some of those other 3 probes in ways that GetRequest match lines
  are general enough to match.  The fallback construct allows us to
  benefit from these matches without repeating hundreds of signatures
  in the file.  This is another feature designed and implemented
  by Doug Hoyte (doug(a)hcsw.org).

o Fixed crash with certain --excludefile or
  --exclude arguments.  Thanks to Kurt Grutzmacher
  (grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for
  reporting the problem, and to Duilio J. Protti
  (dprotti(a)flowgate.net) for debugging the issue and sending the
  patch.

o Updated random scan (ip_is_reserved()) to reflect the latest IANA
  assignments.
  This patch was sent in by Felix Groebert
  (felix(a)groebert.org).

o Included new Russian man page translation by
  locco_bozi(a)Safe-mail.net

o Applied patch from Steve Martin (smartin(a)stillsecure.com) which
  standardizes many OS names and corrects typos in nmap-os-fingerprints.

o Fixed a crash found during certain UDP version scans.  The crash was
  discovered and reported by Ron (iago(a)valhallalegends.com) and fixed
  by Doug Hoyte (doug(a)hcsw.com).

o Added --iflist argument which prints a list of system interfaces and
  routes detected by Nmap.

o Fixed a protocol scan (-sO) problem which led to the error message:
  "Error compiling our pcap filter: syntax error".  Thanks to Michel
  Arboi (michel(a)arboi.fr.eu.org) for reporting the problem.

o Fixed an Nmap version detection crash on Windows which led to the
  error message "Unexpected error in NSE_TYPE_READ callback.  Error
  code: 10053 (Unknown error)".  Thanks to Srivatsan
  (srivatsanp(a)adventnet.com) for reporting the problem.

o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers
  (TSellers(a)trustmark.com).

o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make
  Nmap compile with Cygwin.

o XML "osmatch" element now has a "line" attribute giving the
  reference fingerprint line number in nmap-os-fingerprints.

o Added a distcc probe and a bunch of smtp matches from Dirk Mueller
  (mueller(a)kde.org) to nmap-service-probes.  Also added AFS version
  probe and matches from Lionel Cons (lionel.cons(a)cern.ch).  And
  even more probes and matches from Martin Macok
  (martin.macok(a)underground.cz)

o Fixed a problem where Nmap compilation would use header files from
  the libpcap included with Nmap even when it was linking to a system
  libpcap.
  Thanks to Solar Designer (solar(a)openwall.com) and Okan
  Demirmen (okan(a)demirmen.com) for reporting the problem.

o Added configure option --with-libpcap=included to tell Nmap to use
  the version of libpcap it ships with rather than any that may already be
  installed on the system.  You can still use --with-libpcap=[dir] to
  specify that a system libpcap be installed rather than the shipped
  one.  By default, Nmap looks at both and decides which one is likely
  to work best.  If you are having problems on Solaris, try
  --with-libpcap=included .

o Changed the --no-stylesheet option to --no_stylesheet to be
  consistent with all of the other Nmap options.  Though I'm starting to
  like hyphens a bit better than underscores and may change all of the
  options to use hyphens instead at some point.

o Added "Exclude" directive to nmap-service-probes grammar which
  causes version detection to skip listed ports.  This is helpful for
  ports such as 9100.  Some printers simply print any data sent to
  that port, leading to pages of HTTP requests, SMB queries, X Windows
  probes, etc.  If you really want to scan all ports, specify
  --allports.  This patch came from Doug Hoyte (doug(a)hcsw.org).

o Added a stripped-down and heavily modified version of Dug Song's
  libdnet networking library (v. 1.10).  This helps with the new raw
  ethernet features.  My (extensive) changes are described in
  libdnet-stripped/NMAP_MODIFICATIONS

o Removed WinIP library (and all Windows raw sockets code) since MS
  has gone and broken raw sockets.  Maybe packet receipt via raw
  sockets will come back at some point.  As part of this removal, the
  Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
  --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
  and --win_trace options have been removed.

o Changed the interesting ports array from a 65K-member array of
  pointers into an STL list.
  This noticeably reduces memory usage in
  some cases, and should also give a slight runtime performance
  boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).

o Removed the BSDFIX/BSDUFIX macros.  The underlying bug in
  FreeBSD/NetBSD is still there though.  When an IP packet is sent
  through a raw socket, these platforms require the total length and
  fragmentation offset fields of an IP packet to be in host byte order
  rather than network byte order, even though all the other fields
  must be in NBO.  I believe that OpenBSD fixed this a while back.
  Other platforms, such as Linux, Solaris, Mac OS X, and Windows take
  all of the fields in network byte order.  While I removed the macro,
  I still do the munging where required so that Nmap still works on
  FreeBSD.

o Integrated many nmap-service-probes changes from Bo Jiang
  (jiangbo(a)brandeis.edu)

o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
  (eilon(a)aristo.tau.ac.il)

o Added some new RPC services to nmap-rpc thanks to a patch from
  vlad902 (vlad902(a)gmail.com).

o Fixed a bug where Nmap would quit on Windows whenever it encountered
  a raw scan of localhost (including the local ethernet interface
  address), even when that was just one address out of a whole network
  being scanned.  Now Nmap just warns that it is skipping raw scans when
  it encounters the local IP, but continues on to scan the rest of the
  network.  Raw scans do not currently work against local IP addresses
  because Winpcap doesn't support reading/writing localhost interfaces
  due to limitations of Windows.

o The OS fingerprint is now provided in XML output if debugging is
  enabled (-d) or verbosity is at least 2 (-v -v).
  This patch was sent by Okan Demirmen (okan(a)demirmen.com)

o Fixed the way tcp connect scan (-sT) responds to ICMP network
  unreachable responses (patch by Richard Moore
  (rich(a)westpoint.ltd.uk)).

o Update random host scan (-iR) to support the latest IANA-allocated
  ranges, thanks to patch by Chad Loder (cloder(a)loder.us).

o Updated GNU shtool (a helper program used during 'make install') to
  version 2.0.2, which fixes a predictable temporary filename
  weakness discovered by Eric Raymond.

o Removed addport element from XML DTD, since it is no longer used
  (suggested by Lionel Cons (lionel.cons(a)cern.ch))

o Added new --privileged command-line option and NMAP_PRIVILEGED
  environmental variable.  Either of these tells Nmap to assume that
  the user has full privileges to execute raw packet scans, OS
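
The probe-selection rules from the "rarity", "fallback" and "Exclude" entries above, modelled in C++ as an added example (not code from Nmap or from this changelog). The struct layout, the function names and the rarity given to HTTPOptions are assumptions made for illustration.

```cpp
#include <iostream>
#include <set>
#include <string>
#include <vector>

using Names = std::vector<std::string>;

// Constructed model of a probe; the field names are illustrative, not Nmap's.
struct Probe {
    std::string name;
    int rarity;            // 1 = matches many services, 9 = obscure
    std::set<int> ports;   // ports the probe is registered to
    std::string fallback;  // probe whose match lines are inherited, "" if none
};

// Sample data from the changelog; HTTPOptions' rarity (4) is a constructed value.
std::vector<Probe> sampleDb() {
    std::set<int> mydoomPorts;
    for (int p = 3127; p <= 3198; ++p) mydoomPorts.insert(p);
    return {{"GenericLines", 1, {}, ""},
            {"GetRequest", 1, {}, ""},
            {"HTTPOptions", 4, {}, "GetRequest"},
            {"WWWOFFLEctrlstat", 9, {8081}, ""},
            {"mydoom", 9, mydoomPorts, ""}};
}

// Order in which probes would be sent to one open port. Registered probes come
// first regardless of rarity; the rest are only reached if those find no match.
Names probePlan(const std::vector<Probe>& db, int port, int intensity,
                const std::set<int>& excluded, bool allports) {
    Names plan;
    if (excluded.count(port) && !allports) return plan;  // "Exclude" directive
    for (const Probe& p : db)
        if (p.ports.count(port)) plan.push_back(p.name);
    for (const Probe& p : db)
        if (!p.ports.count(port) && p.rarity <= intensity) plan.push_back(p.name);
    return plan;
}

// Probes whose match lines apply to a response: its own, then its fallback's.
Names matchSources(const std::vector<Probe>& db, const std::string& probe) {
    Names src{probe};
    for (const Probe& p : db)
        if (p.name == probe && !p.fallback.empty()) src.push_back(p.fallback);
    return src;
}

int main() {
    for (const std::string& n : probePlan(sampleDb(), 8081, 2, {9100}, false))
        std::cout << n << "\n";  // plan for port 8081 under --version_light
}
```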
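
How the --spoof_mac argument forms described in the entry above resolve to a MAC address, as an added C++ example that is not Nmap's own code. The function names and the two-entry vendor table standing in for nmap-mac-prefixes are constructed for the example.

```cpp
#include <algorithm>
#include <array>
#include <cctype>
#include <iostream>
#include <random>
#include <stdexcept>
#include <string>

using Mac = std::array<unsigned char, 6>;
struct Parsed { Mac mac; int fixedBytes; };  // fixedBytes: bytes the argument set
struct Oui { std::string hex, vendor; };
// Constructed stand-in for nmap-mac-prefixes (sample entries only).
const Oui kPrefixes[] = {{"00000C", "Cisco Systems"}, {"000393", "Apple Computer"}};

static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return (char)std::tolower(c); });
    return s;
}

// Accepts 1 to 6 hex byte pairs; colons are simply skipped (looser than Nmap).
static bool hexBytes(const std::string& s, Parsed& out) {
    std::string d;
    for (unsigned char c : s) {
        if (c != ':' && !std::isxdigit(c)) return false;
        if (c != ':') d += (char)c;
    }
    if (d.empty() || d.size() % 2 != 0 || d.size() > 12) return false;
    out.fixedBytes = (int)d.size() / 2;
    for (int i = 0; i < out.fixedBytes; ++i)
        out.mac[i] = (unsigned char)std::stoi(d.substr(2 * i, 2), nullptr, 16);
    return true;
}

Parsed parseSpoofMac(const std::string& arg) {
    Parsed r{{}, 0};
    if (arg != "0" && !hexBytes(arg, r)) {  // neither "0" nor hex: vendor lookup
        for (const Oui& e : kPrefixes)
            if (r.fixedBytes == 0 && lower(e.vendor).find(lower(arg)) != std::string::npos)
                hexBytes(e.hex, r);
        if (r.fixedBytes == 0) throw std::invalid_argument("unknown vendor: " + arg);
    }
    std::random_device rd;  // random fill for whatever the argument left open
    for (int i = r.fixedBytes; i < 6; ++i) r.mac[i] = (unsigned char)(rd() & 0xff);
    return r;
}

int main() { std::cout << parseSpoofMac("0020F2").fixedBytes << "\n"; }
```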
