
Thread: NMAP 3.55 is out!!

  1. #1 thehorse13 (Master-Jedi-Pimps0r & Moderator, Washington D.C. area, joined Dec 2002, 2,885 posts)

    NMAP 3.55 is out!!

    Yep, my favorite scanner is now up to v 3.55.

    Grab it at www.insecure.org/nmap/nmap_download.html


    woot!!



    Here is what Fyodor has to say about this release:


    The coolest new feature is MAC address detection and vendor lookup. That can be very useful for systems/network administrators trying to track machines with dynamic IPs. It also augments OS detection in determining what a system is -- a system with a Cisco ethernet card is probably a router. Note the MAC address field in this example:

    # nmap -A -T4 wap

    Starting nmap 3.55 ( http://www.insecure.org/nmap/ ) at 2004-07-07 01:38 PDT
    Insufficient responses for TCP sequencing (0), OS detection may be less accurate
    Interesting ports on wap.yuma.net (192.168.0.6):
    (The 1659 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE VERSION
    80/tcp open http NetGear MR-series WAP (MR814; Embedded HTTPD 1.00, 1999(c) Delta Networks Inc.)
    MAC Address: 00:09:5B:3F:7D:5E (Netgear)
    Device type: WAP
    Running: Compaq embedded, Netgear embedded
    OS details: WAP: Compaq iPAQ Connection Point or Netgear MR814

    Nmap run completed -- 1 IP address (1 host up) scanned in 13.750 seconds

    Other changes include more service fingerprints, a number of crash fixes, better OS detection names, portability fixes, and more. Here is the CHANGELOG since 3.50:

    o Added MAC address printing. If Nmap receives packet from a target
    machine which is on an Ethernet segment directly connected to the
    scanning machine, Nmap will print out the target MAC address. Nmap
    also now contains a database (derived from the official IEEE
    version) which it uses to determine the vendor name of the target
    ethernet interface. The Windows version of Nmap does not yet have
    this capability. If any Windows developer types are interested in
    adding it, you just need to implement IPisDirectlyConnected() in
    tcpip.cc and then please send me the patch. Here are examples from
    normal and XML output (angle brackets replaced with [] for HTML
    changelog compatibility):
    MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
    [address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" /]

    o Updated the XML DTD to support the newly printed MAC addresses.
    Thanks to Thorsten Holz (thorsten.holz(a)mmweg.rwth-******.de) for
    sending this patch.

    o Added a bunch of new and fixed service fingerprints for version
    detection. These are from Martin Mačok
    (martin.macok(a)underground.cz).

    o Normalized many of the OS names in nmap-os-fingerprints (fixed
    capitalization, typos, etc.). Thanks to Royce Williams
    (royce(a)alaska.net) and Ping Huang (pshuang(a)alum.mit.edu) for
    sending patches.

    o Modified the mswine32/nmap_performance.reg Windows registry file to
    use an older and more compatible version. It also now includes the
    value "StrictTimeWaitSeqCheck"=dword:00000001 , as suggested by Jim
    Harrison (jmharr(a)microsoft.com). Without that latter value, the
    TcpTimedWaitDelay value apparently isn't checked. Windows users
    should apply the new registry changes by clicking on the .reg file.
    Or do it manually as described in README-WIN32. This file is also
    now available in the data directory at
    http://www.insecure.org/nmap/data/nmap_performance.reg

    o Applied patch from Gisle Vanem (giva(a)bgnett.no) which allows the
    Windows version of Nmap to work with WinPCAP 3.1BETA (and probably
    future releases). The Winpcap folks apparently changed the encoding
    of adaptor names in this release.

    o Fixed a ping scanning bug that would cause this error message: "nmap:
    targets.cc:196: int hostupdate (Target **, Target *, int, int, int,
    timeout_info *, timeval *, timeval *, pingtune *, tcpqueryinfo *,
    pingstyle): Assertion `pt->down_this_block > 0' failed." Thanks to
    Beirne Konarski (beirne(a)neo.rr.com) for reporting the problem.

    o If a user attempts -PO (the letter O), print an error suggesting
    that they probably mean -P0 (Zero) to disable ping scanning.

    o Applied a couple patches (with minor changes) from Oliver Eikemeier
    (eikemeier(a)fillmore-labs.com) which fix an edge case relating to
    decoy scanning IP ranges that must be sent through different
    interfaces, and improves the Nmap response to certain error codes
    returned by the FreeBSD firewall system. The patches are from
    http://cvsweb.freebsd.org/ports/security/nmap/files/ .

    o Many people have reported this error: "checking for type of 6th
    argument to recvfrom()... configure: error: Cannot find type for 6th
    argument to recvfrom()". In most cases, the cause was a missing or
    broken C++ compiler. That should now be detected earlier with a
    clearer message.

    o Fixed the FTP bounce scan to better detect filtered ports on the
    target network.

    o Fixed some minor bugs related to the new MAC address printing
    feature.

    o Fixed a problem with UDP-scanning port 0, which was reported by
    Sebastian Wolfgarten (sebastian(a)wolfgarten.com).

    o Applied patch from Ruediger Rissmann (RRI(a)zurich.ibm.com), which
    helps Nmap understand an EACCESS error, which can happen at least
    during IPv6 scans from certain platforms to some firewalled targets.

    o Renamed ACK ping scan option from -PT to -PA in the documentation.
    Nmap has accepted both names for years and will continue to do
    so.

    o Removed the notice that Nmap is reading target specifications from a
    file or stdin when you specify the -iL option. It was sometimes
    printed to stdout even when you wanted to redirect XML or grepable
    output there, because it was printed during options processing before
    output files were handled. This change was suggested by Anders Thulin
    (ath(a)algonet.se).

    o Added --source_port as a longer, but hopefully easier to remember,
    alias for -g. In other words, it tries to use the constant source
    port number you specify for probes. This can help against poorly
    configured firewalls that trust source port 20, 53, and the like.

    o Removed undocumented (and useless) -N option.

    o Fixed a version detection crash reported in excellent detail by
    Jedi/Sector One (j(a)pureftpd.org).

    o Applied patch from Matt Selsky (selsky(a)columbia.edu) which helps
    Nmap build with OpenSSL.

    o Modified the configure/build system to fix library ordering problems
    that prevented Nmap from building on certain platforms. Thanks to
    Greg A. Woods (woods(a)weird.com) and Saravanan
    (saravanan_kovai(a)HotPop.com) for the suggestions.

    o Applied a patch to Makefile.in from Scott Mansfield
    (thephantom(a)mac.com) which enables the use of a DESTDIR variable
    to install the whole Nmap directory structure under a different root
    directory. The configure --prefix option would do the same thing in
    this case, but DESTDIR is apparently a standard that package
    maintainers like Scott are used to. An example usage is
    "make DESTDIR=/tmp/packageroot".

    o Removed unnecessary banner printing in the non-root connect() ping
    scan. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and
    a patch.

    o Updated the headers at the top of each source file (mostly to
    advance the copyright year to 2004 and note that Nmap is a registered
    trademark).

    As usual, 3.55 is available from http://www.insecure.org/nmap/nmap_download.html , including Windows (.zip format) binaries.

    For the more paranoid (smart) members of the list, here are the md5
    hashes:

    ee77bc8a64e0bfb931cb3947e5813038 nmap-3.55-1.i386.rpm
    5509246e00ae24f4325f3b92102d34a3 nmap-3.55-1.src.rpm
    88b5f010f43b0e2ee0c2cfb468796aa9 nmap-3.55.tar.bz2
    cfebe22d1fb2a4eaea144c8dbbc0aa30 nmap-3.55.tgz
    e949755a80bb2a7cbe10a53069686442 nmap-3.55-win32.zip
    1df56ab6f787e980543f38cf963d4b3d nmap-frontend-3.55-1.i386.rpm

    These release notes should be signed with my PGP key, which is available at http://www.insecure.org/fyodor_gpgkey.txt . The key fingerprint is: 97 2F 93 AB 9C B0 09 80 D9 51 40 6B B9 BC E1 7E

    Enjoy! And please let me know if you find any problems.
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
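    The MAC address printing and the new XML address element described in the changelog above are what make the "track machines with dynamic IPs" use case practical. The following is an added example, not Nmap's own code or anything from the post: it parses the IPv4/MAC address elements from Nmap XML, falls back to a small OUI table constructed from the vendor prefixes seen in this thread when the vendor attribute is missing, and reports MACs whose IP changed between two scans (both scans are constructed samples).

```python
import xml.etree.ElementTree as ET

# Constructed OUI table from the vendor prefixes that appear in this thread's
# scan output; Nmap itself uses the IEEE-derived list it ships with.
OUI = {
    "08:00:20": "SUN Microsystems",
    "00:A0:CC": "Lite-on Communications",
    "00:09:5B": "Netgear",
    "00:0C:6E": "Asustek Computer",
}

def vendor_for(mac):
    """Vendor for the MAC's 3-byte OUI prefix, or None if not in the table."""
    return OUI.get(mac.upper()[:8])

def parse_hosts(xml_text):
    """Map each host's MAC to its IPv4 and vendor. Hosts without a MAC (not on
    the scanner's Ethernet segment, so Nmap prints none) are skipped."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        ipv4 = mac = vendor = None
        for addr in host.findall("address"):
            if addr.get("addrtype") == "ipv4":
                ipv4 = addr.get("addr")
            elif addr.get("addrtype") == "mac":
                mac = addr.get("addr").upper()  # normalise case for keying
                vendor = addr.get("vendor")     # absent when Nmap found no vendor
        if mac:
            hosts[mac] = {"ip": ipv4, "vendor": vendor or vendor_for(mac)}
    return hosts

def ip_changes(previous, current):
    """{mac: (old_ip, new_ip)} for MACs seen in both scans with a changed IP."""
    return {m: (previous[m]["ip"], current[m]["ip"])
            for m in previous.keys() & current.keys()
            if previous[m]["ip"] != current[m]["ip"]}

# Constructed sample scans in Nmap's XML layout (not real captures).
SCAN_1 = """<nmaprun><host>
<address addr="192.168.0.6" addrtype="ipv4"/>
<address addr="00:09:5B:3F:7D:5E" addrtype="mac" vendor="Netgear"/>
</host><host>
<address addr="192.168.0.20" addrtype="ipv4"/>
<address addr="00:a0:cc:63:85:4b" addrtype="mac"/>
</host></nmaprun>"""
SCAN_2 = SCAN_1.replace("192.168.0.20", "192.168.0.31")  # second host moved
```

    Running ip_changes(parse_hosts(SCAN_1), parse_hosts(SCAN_2)) shows only the Lite-on host moved, which is the signal an administrator wants when DHCP reshuffles addresses.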

  2. #2 lepricaun
    Thanks! I'll go and download it right away.

  3. #3 thehorse13 (Master-Jedi-Pimps0r & Moderator, Washington D.C. area, joined Dec 2002, 2,885 posts)
    I just tested the new WAP fingerprint feature... certainly cool, but not as precise as I had hoped. Here is what I got when I nailed one of my WAPs. IP addresses changed for obvious reasons.


    [root@lab-box-Fed2]#NMAP -A -T4 10.10.10.0/24

    Interesting ports on 10.10.10.10:
    (The 1657 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE VERSION
    22/tcp open ssh Cisco SSH 1.25 (protocol 1.5)
    23/tcp open telnet?
    80/tcp open http?
    Device type: terminal server|WAP|telecom-misc|specialized|remote management|firewall|switch
    Running: Copper Mountain embedded, 3Com embedded, TrueTime embedded, Compaq embedded, SonicWall embedded, Enterasys embedded, Cisco embedded
    OS details: Embedded device: HP Switch, Copper Mountain DSL Concentrator, Compaq Remote Insight Lights-Out remote console card, 3Com NBX 25 phone system or Home Wireless Gateway, or TrueTime NTP clock, SonicWall SOHO firewall, Enterasys Matrix E1, or Accelerated Networks VoDSL, or Cisco 360 Access Point

    Interesting ports on 10.10.10.11:
    (The 1659 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE VERSION
    23/tcp open telnet Cisco telnetd (IOS 12.X)
    Device type: router
    Running: Cisco IOS 12.X
    OS details: Cisco router running IOS 12.1.5-12.2.13a

    Host 10.10.10.255 seems to be a subnet broadcast address (returned 1 extra pings). Still scanning it due to ping response from its own IP.
    Warning: OS detection will be MUCH less reliable because we did not find at least 1 open and 1 closed TCP port
    Interesting ports on 10.10.10.255:
    (The 1659 ports scanned but not shown below are in state: filtered)
    PORT STATE SERVICE VERSION
    80/tcp closed http
    Too many fingerprints match this host to give specific OS details

    Nmap run completed -- 256 IP addresses (6 hosts up) scanned in 161.062 seconds

  4. #4 Info Tech Geek (Senior Member, Vernon, CT, joined Jan 2003, 828 posts)
    Originally posted here by lepricaun
    thanks! i'll go and download it right away
    Have fun, because if you have any issues you better be located at HOPE or you're SoL. There will not be any support since everyone will be at The Fifth Hope. Good thing I made the last minute decision to go.

    Hello everyone,

    I am just about to leave for a week in New York, including attending
    HOPE 5 ( http://www.the-fifth-hope.org/hoop/ ). Perhaps I'll see some
    of you there.

    Now there are (smart) people who would advise against releasing a new
    stable version of Nmap just hours before my flight. I might come back
    next week to thousands of mails saying "you forgot to set read
    permission on the tarball, you dolt!" or "it doesn't even compile on [some
    important OS]!"

    I'm gonna risk it anyway.

  5. #5 thehorse13 (Master-Jedi-Pimps0r & Moderator, Washington D.C. area, joined Dec 2002, 2,885 posts)
    Compiled without issue on:
    =============================
    Fedora Core 2 fully patched
    Slackware 9.1 and 10.0 fully patched
    RH Enterprise Server fully patched

    Runs fine on:
    =============================
    Win32 command line version
    All of the above

  6. #6 Senior Member (joined Oct 2002, 4,055 posts)
    Thanks for alerting me thehorse13. Compiled successfully on OpenBSD 3.5 and am currently working on Win98.
    Space For Rent.. =]

  7. #7 thehorse13 (Master-Jedi-Pimps0r & Moderator, Washington D.C. area, joined Dec 2002, 2,885 posts)
    More infoz on systems it works fine on...

    Compiled and runs fine
    =======================
    Solaris 8 fully patched
    Solaris 9 fully patched

  8. #8 Junior Member (joined Jun 2004, 17 posts)
    Thanks for this update, Thehorse.
    Well, I got it running perfectly on a Win98 box, just about ready to try it on a Debian box too.

    cheers
    1+1=2
    Math's teacher at day.
    ub3r l337 g33k at night.
    What a complicated life indeed.

  9. #9 Senior Member (joined Jan 2003, 3,915 posts)
    Hey Hey,

    It also compiles fine on Suse 9.1

    suse:~/nmap-3.55 # nmap -A -T4 192.168.1.100

    Interesting ports on desktop.homenet (192.168.1.100):
    (The 1652 ports scanned but not shown below are in state: closed)
    PORT STATE SERVICE VERSION
    80/tcp open http?
    135/tcp open msrpc Microsoft Windows msrpc
    139/tcp open netbios-ssn
    443/tcp open https?
    445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
    1025/tcp open msrpc Microsoft Windows msrpc
    1040/tcp open netsaint?
    5000/tcp open upnp Microsoft Windows UPnP


    MAC Address: 00:0C:6E:CA:72:4A (Asustek Computer)
    Device type: general purpose
    Running: Microsoft Windows 95/98/ME|NT/2K/XP
    OS details: Microsoft Windows Millennium Edition (Me), Windows 2000 Professional or Advanced Server, or Windows XP

    Nmap run completed -- 1 IP address (1 host up) scanned in 43.386 seconds
    suse:~/nmap-3.55 #
    The MAC Address Vendor Identification is definitely a cool feature. I am running an Asus motherboard and the NIC is onboard, so it's correct. However, it's a VIA Rhine II NIC, so I'm kind of surprised that it wasn't identified as being VIA.

    Peace,
    HT

    [Edit]

    My Scan also turned up a few ports which couldn't be service fingerprinted. The software opening the ports was Skype Beta 0.98.0.6 (VoIP IM) on Windows XP. If anyone is interested, the fingerprints are:

    ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
    SF-Port80-TCP:V=3.55%D=7/7%Time=40EC2702%P=i686-pc-linux-gnu%r(GetRequest,
    SF:1A,"HTTP/1\.0\x20404\x20Not\x20Found\r\n\r\n")%r(X11Probe,E,"B\xb5\xeb\
    SF:xb6\xdfcP\xe5_\xe1b\x81pH")%r(LPDString,E,"\xbe\^\xd8\x14P5\x05\x91\x90
    SF:\xed\|\x9d\xe6\x18")%r(TerminalServer,E,"W\x8b\+\xed\xafv<>>\xd5t\xf2\"
    SF:b");
    ==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
    SF-Port443-TCP:V=3.55%D=7/7%Time=40EC2707%P=i686-pc-linux-gnu%r(GetRequest
    SF:,1A,"HTTP/1\.0\x20404\x20Not\x20Found\r\n\r\n")%r(X11Probe,E,"\xb6\xe2Q
    SF:Y\xc7\xed\xff8\xdck\x7f\xca\x89\)")%r(LPDString,E,"\x94\\A/\xd8\xb4\xaa
    SF:;\xc7\xc8\x05\xbe\xe2\xd4")%r(TerminalServer,E,"4\0\xb1\xe7\x92\x11\x8d
    SF:M\xca\xcc\]{@\r");


    Also a good one for TheHorse13: any idea how I comment on invalid service fingerprints?

    1025/tcp open msrpc Microsoft Windows msrpc
    This is actually my Lexmark Printer Port Scanner (LexPPS.exe)

    [/Edit]

  10. #10 er0k (Guest)
    Wonder if this one will make a movie :P (nmap was used in the second(?) Matrix movie).
