
Thread: NMAP 3.90 Released!

  1. #1 thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885

    NMAP 3.90 Released!

    Lots of new goodies in this build!

    Read below...

    Several anxious people have reminded me lately that it has been 7 months since the last formal Nmap release (3.81). While that is quite a stretch, I have been working non-stop and made some fundamental changes to Nmap that took a while to stabilize. I have also integrated some work from the Google SoC students (and more is coming). I am pleased to present the results in the form of Nmap 3.90. I think you'll find it worth the wait. A version number increase of 0.09 may not sound like much, but ls indicates the true extent of changes:

    -rw------- 1 fyodor fyodor 7987200 Feb 7 05:41 nmap-3.81.tar
    -rw------- 1 fyodor fyodor 10608640 Sep 8 03:16 nmap-3.90.tar

    At a high level, changes include the ability to send and properly route raw ethernet frames, ARP scanning (for faster and more reliable local LAN host discovery), MAC address spoofing, enormous version detection and OS detection updates, dramatic Windows performance and stability improvements, 'l33t ASCII art, OS/hostname/device type detection via service fingerprinting, dozens of bug fixes and much more. Linux binary RPMs are now available for x86_64 (AMD Athlon64/Opteron) and Windows users _must_ upgrade to WinPcap 3.1 from winpcap.org.

    We have now gone through and integrated all of your service detection fingerprint submissions and are ready to handle more. So if Nmap spits out a service detection fingerprint and you are certain what is running, please submit it to the URL it gives you. OS detection fingerprints aren't as important right now because we are considering major changes to that subsystem.

    Here are the details from the Changelog:

    o Added the ability for Nmap to send and properly route raw ethernet
    packets containing IP datagrams rather than always sending the
    packets via raw sockets. This is particularly useful for Windows,
    since Microsoft has disabled raw socket support in XP for no good
    reason. Nmap tries to choose the best method at runtime based on
    platform, though you can override it with the new --send_eth and
    --send_ip options.

    o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
    determine whether hosts on a LAN are up, rather than relying on
    higher-level IP packets (which can only be sent after a successful
    ARP request and reply anyway). This is much faster and more
    reliable (not subject to IP-level firewalling) than IP-based probes.
    The downside is that it only works when the target machine is on the
    same LAN as the scanning machine. It is now used automatically for
    any hosts that are detected to be on a local ethernet network,
    unless --send_ip was specified. Example usage: nmap -sP -PR
    192.168.0.0/16 .

    o Added the --spoof_mac option, which asks Nmap to use the given MAC
    address for all of the raw ethernet frames it sends. The MAC given
    can take several formats. If it is simply the string "0", Nmap
    chooses a completely random MAC for the session. If the given
    string is an even number of hex digits (with the pairs optionally
    separated by a colon), Nmap will use those as the MAC. If less than
    12 hex digits are provided, Nmap fills in the remainder of the 6
    bytes with random values. If the argument isn't a 0 or hex string,
    Nmap looks through the nmap-mac-prefixes to find a vendor name
    containing the given string (it is case insensitive). If a match is
    found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
    remaining 3 bytes randomly. Valid --spoof_mac argument examples are
    "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
    "Cisco".

    o Applied an enormous nmap-service-probes (version detection) update
    from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had
    1064 match lines covering 195 service protocols. Now we have 2865
    match lines covering 359 protocols! So the database size has nearly
    tripled! This should make your -sV scans quicker and more
    accurate. Thanks also go to the (literally) thousands of you who
    submitted service fingerprints. Keep them coming!

    o Applied a massive OS fingerprint update from Zhao Lei
    (zhaolei(a)gmail.com). About 350 fingerprints were added, and many
    more were updated. Notable additions include Mac OS X 10.4 (Tiger),
    OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
    with a new "robotic pet" device type category), the latest Linux 2.6
    kernels, Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
    UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
    3.8.X, and Solaris 10. Of course there are also tons of new
    broadband routers, printers, WAPs and pretty much any other device
    you can coax an ethernet cable (or wireless card) into!

    o Added 'leet ASCII art to the configurator! ARTIST NOTE: If you think
    the ASCII art sucks, feel free to send me alternatives. Note that
    only people compiling the UNIX source code get this. (ASCII artist
    unknown).

    o Added OS, device type, and hostname detection using the service
    detection framework. Many services print a hostname, which may be
    different than DNS. The services often give more away as well. If
    Nmap detects IIS, it reports an OS family of "Windows". If it sees
    HP JetDirect telnetd, it reports a device type of "printer". Rather
    than try to combine TCP/IP stack fingerprinting and service OS
    fingerprinting, they are both printed. After all, they could
    legitimately be different. An IP that gives a stack fingerprint
    match of "Linksys WRT54G broadband router" and a service fingerprint
    of Windows based on Kazaa running is likely a common NAT setup rather
    than an Nmap mistake.

    o Nmap on Windows now compiles/links with the new WinPcap 3.1
    header/lib files. So please upgrade to 3.1 from
    http://www.winpcap.org before installing this version of Nmap.
    While older versions may still work, they aren't supported with Nmap.

    o The official Nmap RPM files are now compiled statically for better
    compatibility with other systems. X86_64 (AMD Athlon64/Opteron)
    binaries are now available in addition to the standard i386. NmapFE
    RPMs are no longer distributed by Insecure.Org.

    o Nmap distribution signing has changed. Release files are now signed
    with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also
    generated a new key for himself (KeyID 33599B5F). The Nmap key has
    been signed by Fyodor's new key, which has been signed by Fyodor's
    old key so that you know they are legit. The new keys are available
    at http://www.insecure.org/nmap/data/nmap_gpgkeys.txt , as
    docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
    keyserver network. Here are the fingerprints:
    pub 1024D/33599B5F 2005-04-24
    Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
    uid Fyodor <fyodor@insecure.org>
    sub 2048g/D3C2241C 2005-04-24

    pub 1024D/6B9355D0 2005-04-24
    Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
    uid Nmap Project Signing Key (http://www.insecure.org/)
    sub 2048g/A50A6A94 2005-04-24

    o Fixed a crash problem related to non-portable varargs (vsnprintf)
    usage. Reports of this crash came from Alan William Somers
    (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
    This patch was prevalent on Linux boxes running an Opteron/Athlon64
    CPU in 64-bit mode.

    o Fixed crash when Nmap is compiled using gcc 4.X by adding the
    -fno-strict-aliasing option when that compiler is detected. Thanks
    to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
    this option fixes (hides) the problem and to Duilio J. Protti
    (dprotti(a)flowgate.net) for writing the configure patch to detect
    gcc 4 and add the option. A better fix is to identify and rewrite
    lines that violate C99 alias rules, and we are looking into that.

    o Added "rarity" feature to Nmap version detection. This causes
    obscure probes to be skipped when they are unlikely to help. Each
    probe now has a "rarity" value. Probes that detect dozens of
    services such as GenericLines and GetRequest have rarity values of
    1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
    When interrogating a port, Nmap always tries probes registered to
    that port number. So even WWWOFFLEctrlstat will be tried against
    port 8081 and mydoom will be tried against open ports between 3127
    and 3198. If none of the registered ports find a match, Nmap tries
    probes that have a rarity less than or equal to its current
    intensity level. The intensity level defaults to 7 (so that most of
    the probes are done). You can set the intensity level with the new
    --version_intensity option. Alternatively, you can just use
    --version_light or --version_all which set the intensity to 2 (only
    try the most important probes and ones registered to the port
    number) and 9 (try all probes), respectively. --version_light is
    much faster than default version detection, but also a bit less
    likely to find a match. This feature was designed and implemented
    by Doug Hoyte (doug(a)hcsw.org).

    o Added a "fallback" feature to the nmap-service-probes database.
    This allows a probe to "inherit" match lines from other probes. It
    is currently only used for the HTTPOptions, RTSPRequest, and
    SSLSessionReq probes to inherit all of the match lines from
    GetRequest. Some servers don't respond to the Nmap GetRequest (for
    example because it doesn't include a Host: line) but they do respond
    to some of those other 3 probes in ways that GetRequest match lines
    are general enough to match. The fallback construct allows us to
    benefit from these matches without repeating hundreds of signatures
    in the file. This is another feature designed and implemented
    by Doug Hoyte (doug(a)hcsw.org).

    o Fixed crash with certain --excludefile or
    --exclude arguments. Thanks to Kurt Grutzmacher
    (grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for
    reporting the problem, and to Duilio J. Protti
    (dprotti(a)flowgate.net) for debugging the issue and sending the
    patch.

    o Updated random scan (ip_is_reserved()) to reflect the latest IANA
    assignments. This patch was sent in by Felix Groebert
    (felix(a)groebert.org).

    o Included new Russian man page translation by
    locco_bozi(a)Safe-mail.net

    o Applied patch from Steve Martin (smartin(a)stillsecure.com) which
    standardizes many OS names and corrects typos in nmap-os-fingerprints.

    o Fixed a crash found during certain UDP version scans. The crash was
    discovered and reported by Ron (iago(a)valhallalegends.com) and fixed
    by Doug Hoyte (doug(a)hcsw.com).

    o Added --iflist argument which prints a list of system interfaces and
    routes detected by Nmap.

    o Fixed a protocol scan (-sO) problem which led to the error message:
    "Error compiling our pcap filter: syntax error". Thanks to Michel
    Arboi (michel(a)arboi.fr.eu.org) for reporting the problem.

    o Fixed an Nmap version detection crash on Windows which led to the
    error message "Unexpected error in NSE_TYPE_READ callback. Error
    code: 10053 (Unknown error)". Thanks to Srivatsan
    (srivatsanp(a)adventnet.com) for reporting the problem.

    o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers
    (TSellers(a)trustmark.com).

    o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make
    Nmap compile with Cygwin.

    o XML "osmatch" element now has a "line" attribute giving the
    reference fingerprint line number in nmap-os-fingerprints.

    o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
    (mueller(a)kde.org) to nmap-service-probes. Also added AFS version
    probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And
    even more probes and matches from Martin Macok
    (martin.macok(a)underground.cz)

    o Fixed a problem where Nmap compilation would use header files from
    the libpcap included with Nmap even when it was linking to a system
    libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan
    Demirmen (okan(a)demirmen.com) for reporting the problem.

    o Added configure option --with-libpcap=included to tell Nmap to use
    the version of libpcap it ships with rather than any that may already be
    installed on the system. You can still use --with-libpcap=[dir] to
    specify that a system libpcap be installed rather than the shipped
    one. By default, Nmap looks at both and decides which one is likely
    to work best. If you are having problems on Solaris, try
    --with-libpcap=included .

    o Changed the --no-stylesheet option to --no_stylesheet to be
    consistent with all of the other Nmap options. Though I'm starting to
    like hyphens a bit better than underscores and may change all of the
    options to use hyphens instead at some point.

    o Added "Exclude" directive to nmap-service-probes grammar which
    causes version detection to skip listed ports. This is helpful for
    ports such as 9100. Some printers simply print any data sent to
    that port, leading to pages of HTTP requests, SMB queries, X Windows
    probes, etc. If you really want to scan all ports, specify
    --allports. This patch came from Doug Hoyte (doug(a)hcsw.org).

    o Added a stripped-down and heavily modified version of Dug Song's
    libdnet networking library (v. 1.10). This helps with the new raw
    ethernet features. My (extensive) changes are described in
    libdnet-stripped/NMAP_MODIFICATIONS

    o Removed WinIP library (and all Windows raw sockets code) since MS
    has gone and broken raw sockets. Maybe packet receipt via raw
    sockets will come back at some point. As part of this removal, the
    Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
    --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
    and --win_trace options have been removed.

    o Changed the interesting ports array from a 65K-member array of
    pointers into an STL list. This noticeably reduces memory usage in
    some cases, and should also give a slight runtime performance
    boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).

    o Removed the BSDFIX/BSDUFIX macros. The underlying bug in
    FreeBSD/NetBSD is still there though. When an IP packet is sent
    through a raw socket, these platforms require the total length and
    fragmentation offset fields of an IP packet to be in host byte order
    rather than network byte order, even though all the other fields
    must be in NBO. I believe that OpenBSD fixed this a while back.
    Other platforms, such as Linux, Solaris, Mac OS X, and Windows take
    all of the fields in network byte order. While I removed the macro,
    I still do the munging where required so that Nmap still works on
    FreeBSD.

    o Integrated many nmap-service-probes changes from Bo Jiang
    (jiangbo(a)brandeis.edu)

    o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
    (eilon(a)aristo.tau.ac.il)

    o Added some new RPC services to nmap-rpc thanks to a patch from
    vlad902 (vlad902(a)gmail.com).

    o Fixed a bug where Nmap would quit on Windows whenever it encountered
    a raw scan of localhost (including the local ethernet interface
    address), even when that was just one address out of a whole network
    being scanned. Now Nmap just warns that it is skipping raw scans when
    it encounters the local IP, but continues on to scan the rest of the
    network. Raw scans do not currently work against local IP addresses
    because Winpcap doesn't support reading/writing localhost interfaces
    due to limitations of Windows.

    o The OS fingerprint is now provided in XML output if debugging is
    enabled (-d) or verbosity is at least 2 (-v -v). This patch was
    sent by Okan Demirmen (okan(a)demirmen.com)

    o Fixed the way TCP connect scan (-sT) responds to ICMP network
    unreachable responses (patch by Richard Moore
    (rich(a)westpoint.ltd.uk)).

    o Update random host scan (-iR) to support the latest IANA-allocated
    ranges, thanks to patch by Chad Loder (cloder(a)loder.us).

    o Updated GNU shtool (a helper program used during 'make install') to
    version 2.0.2, which fixes a predictable temporary filename
    weakness discovered by Eric Raymond.

    o Removed addport element from XML DTD, since it is no longer used
    (suggested by Lionel Cons (lionel.cons(a)cern.ch)).

    o Added new --privileged command-line option and NMAP_PRIVILEGED
    environmental variable. Either of these tell Nmap to assume that
    the user has full privileges to execute raw packet scans, OS
    detection and the like. This can be useful when Linux kernel
    capabilities or other systems are used that allow non-root users to
    perform raw packet or ethernet frame manipulation. Without this
    flag or variable set, Nmap bails on UNIX if geteuid() is
    nonzero.

    o Changed the RPM spec file so that if you define "static" to 1 (by
    passing --define "static 1" to rpmbuild), static binaries are built.

    o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon
    Burr (simes(a)bpfh.net).

    o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
    any TCP scans in which the initial probe packet has the ACK flag set.
    This would be the ACK, Xmas, Maimon, and Window scans.

    o Updated the Nmap version number, description, and similar fields
    that MS Visual Studio places in the binary. This was done by editing
    mswin32/nmap.rc as suggested by Chris Paget (chrisp@ngssoftware.com)

    o Fixed Nmap compilation on DragonFly BSD (and perhaps some other
    systems) by applying a short patch by Joerg Sonnenberger which omits
    the declaration of errno if it is a #define.

    o Fixed an integer overflow that prevented Nmap from scanning
    2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem
    noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
    are now possible, don't expect them to finish during your bathroom
    break. No matter how constipated you are.

    o Increased the buffer size allocated for fingerprints to prevent Nmap
    from running out and quitting (error message: "Assertion
    `servicefpalloc - servicefplen > 8' failed"). Thanks to Mike Hatz
    (mhatz(a)blackcat.com) for the report. [ Actually this was done in a
    previous version, but I forgot which one ]

    o Changed from CVS to Subversion source control system (which
    rocks!). Neither repository is public (I'm paranoid because both CVS
    and SVN have had remotely exploitable security holes), so the main
    change users will see is that "Id" tags in file headers use the SVN
    format for version numbering and such.

    As always, you can download Nmap from http://www.insecure.org/nmap/nmap_download.html . The paranoid
    (smart) list members will check the cryptographic hashes and GPG signatures available from http://www.insecure.org/nmap/dist/sigs/?C=M&O=D .

    Enjoy! And please let me know if you encounter any problems.

    Cheers,
    Fyodor
    Our scars have the power to remind us that our past was real. -- Hannibal Lecter.
    Talent is God given. Be humble. Fame is man-given. Be grateful. Conceit is self-given. Be careful. -- John Wooden
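The --spoof_mac argument rules quoted in the announcement above (the literal "0", an even run of hex digits with optional colons and random padding, or a case-insensitive vendor-name search of nmap-mac-prefixes), written out as a small parser. This is an added example and not Nmap's own code; the nmap-mac-prefixes excerpt is constructed sample data (only the "OUI vendor" line shape is assumed), and the function names and the `seed` parameter are mine.

```python
import random
import re

# Constructed excerpt in the "OUI Vendor" shape of nmap-mac-prefixes.
# Sample data for this example, not the real file.
SAMPLE_MAC_PREFIXES = """\
# OUI    Vendor
000393 Apple
0020F2 Cisco
00000C Cisco
DEADBE Example Widgets (constructed)
"""


def load_mac_prefixes(text):
    """Parse "OUI Vendor" lines into a list of (3-byte OUI, vendor name)."""
    table = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        oui, _, vendor = line.partition(" ")
        table.append((bytes.fromhex(oui), vendor.strip()))
    return table


def parse_spoof_mac(arg, prefixes, seed=None):
    """Turn a --spoof_mac style argument into 6 MAC bytes.

    Rules, in the order the announcement gives them:
      "0"                       -> completely random MAC
      even number of hex digits -> use as given (colons between pairs are
                                   allowed); fewer than 12 digits means the
                                   remaining bytes are filled randomly
      anything else             -> case-insensitive substring search of the
                                   vendor column; that vendor's OUI plus
                                   3 random bytes
    `seed` (an addition for this example) only makes the random bytes
    reproducible in tests.
    """
    if not arg:
        raise ValueError("empty --spoof_mac argument")
    rng = random.Random(seed)

    def rand_bytes(n):
        return bytes(rng.getrandbits(8) for _ in range(n))

    if arg == "0":
        return rand_bytes(6)

    digits = arg.replace(":", "")
    if re.fullmatch(r"[0-9A-Fa-f]+", digits):
        if len(digits) % 2:
            raise ValueError("hex MAC must have an even number of digits: %r" % arg)
        if len(digits) > 12:
            raise ValueError("MAC longer than 6 bytes: %r" % arg)
        given = bytes.fromhex(digits)
        return given + rand_bytes(6 - len(given))

    needle = arg.lower()
    for oui, vendor in prefixes:
        if needle in vendor.lower():
            return oui + rand_bytes(3)
    raise ValueError("no vendor in nmap-mac-prefixes contains %r" % arg)


def format_mac(mac):
    """Render 6 bytes as colon-separated upper-case hex."""
    return ":".join("%02X" % b for b in mac)


if __name__ == "__main__":
    table = load_mac_prefixes(SAMPLE_MAC_PREFIXES)
    for example in ("Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", "Cisco"):
        print("%-20s -> %s" % (example, format_mac(parse_spoof_mac(example, table, seed=1))))
```

Two things worth noticing when reading the rules this way. A vendor name made only of hex letters (say "Dec" or "Cafe") is taken as a hex string, so it can only be reached by its OUI. And "completely random" is taken literally here: a random first byte may have its low bit set, which makes the source a group (multicast) address that some switches and hosts drop; if you need a sane random MAC, clear that bit yourself (and set the locally-administered bit) before using it.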

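The version-detection scheduling described in the changelog above (probes registered to a port are always tried, the rest are gated by rarity against the --version_intensity level, the Exclude directive drops ports such as 9100 unless --allports is given, and a probe can inherit match lines through fallback), as an added example that is not Nmap's code. The probe table is constructed: the rarity values and port registrations of GenericLines, GetRequest, WWWOFFLEctrlstat and mydoom, and the fallback of HTTPOptions/RTSPRequest/SSLSessionReq onto GetRequest, are as the announcement states them; the port registrations for GetRequest, RTSPRequest and SSLSessionReq, the rarity 4 for those three, the "ExampleRarity5" probe and the match-line strings are my assumptions.

```python
from dataclasses import dataclass

LIGHT, DEFAULT, ALL = 2, 7, 9   # --version_light, default, --version_all


@dataclass(frozen=True)
class Probe:
    name: str
    rarity: int             # 1 = fires for dozens of services, 9 = obscure
    ports: frozenset        # ports this probe is registered to
    fallback: tuple = ()    # probes whose match lines are inherited
    match_lines: tuple = () # constructed stand-ins for "match ..." lines


def port_set(spec):
    """Expand a "80,443,3127-3198" style port spec into a frozenset."""
    ports = set()
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return frozenset(ports)


# Constructed probe table (see the lead-in for which values come from the
# announcement and which are assumptions made for this example).
PROBES = (
    Probe("GenericLines", 1, port_set(""), (), ("match ftp ...", "match smtp ...")),
    Probe("GetRequest", 1, port_set("80,8080"), (), ("match http ...",)),
    Probe("HTTPOptions", 4, port_set(""), ("GetRequest",), ()),
    Probe("RTSPRequest", 4, port_set("554"), ("GetRequest",), ("match rtsp ...",)),
    Probe("SSLSessionReq", 4, port_set("443"), ("GetRequest",), ("match ssl ...",)),
    Probe("ExampleRarity5", 5, port_set(""), (), ()),          # hypothetical probe
    Probe("WWWOFFLEctrlstat", 9, port_set("8081"), (), ()),
    Probe("mydoom", 9, port_set("3127-3198"), (), ()),
)
BY_NAME = {p.name: p for p in PROBES}
EXCLUDED_PORTS = port_set("9100")   # an "Exclude 9100" directive in nmap-service-probes


def select_probes(port, intensity=DEFAULT, allports=False):
    """Names of the probes -sV would send to `port`, in order.

    Registered probes come first regardless of rarity; the remaining probes
    are tried only if rarity <= intensity (ordered by rarity here, which is
    this example's choice). Excluded ports get nothing unless --allports.
    """
    if not 0 <= intensity <= 9:
        raise ValueError("intensity must be 0..9")
    if port in EXCLUDED_PORTS and not allports:
        return []
    registered = [p for p in PROBES if port in p.ports]
    others = [p for p in PROBES if port not in p.ports and p.rarity <= intensity]
    others.sort(key=lambda p: p.rarity)       # stable, so file order is kept per rarity
    return [p.name for p in registered] + [p.name for p in others]


def effective_match_lines(name, _seen=None):
    """A probe's own match lines followed by those inherited via fallback."""
    seen = set() if _seen is None else _seen
    if name in seen:                          # guard against a fallback cycle in the file
        return ()
    seen.add(name)
    probe = BY_NAME[name]
    lines = list(probe.match_lines)
    for parent in probe.fallback:
        lines.extend(effective_match_lines(parent, seen))
    return tuple(lines)


if __name__ == "__main__":
    for port in (80, 8081, 3130, 9100):
        for level in (LIGHT, DEFAULT, ALL):
            print("port %5d intensity %d: %s" % (port, level, select_probes(port, level)))
    print("HTTPOptions matches via fallback:", effective_match_lines("HTTPOptions"))
```

The practical point the example makes concrete: --version_light does not mean "only cheap probes", it means "cheap probes plus whatever is registered to the port", so a rarity-9 probe such as WWWOFFLEctrlstat still hits port 8081 at intensity 2, and conversely a rarity-5 probe never reaches an unregistered port until the intensity is raised to 5 or more.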
  2. #2
    I downloaded 3.81 a few days ago and loved the GUI frontend. I also downloaded 3.90 as soon as I saw this headline in an RSS feed. Having problems... something flawed?

    --------
    ./configure: line 9093: cd: /home/*/*/nmap: No such file or directory
    Configuration complete. Type make (or gmake on some *BSD machines) to compile.
    [root@Matrix nmap-3.90]# make
    make: *** No rule to make target `libpcap-possiblymodified/Makefile', needed by `libpcap-possiblymodified/libpcap.a'. Stop.
    [root@Matrix nmap-3.90]# exit

  3. #3 Senior Member | Join Date: Dec 2004 | Posts: 137
    Is the new version going to improve scanning against the MS Windows Firewall?

  4. #4 thehorse13 (Master-Jedi-Pimps0r & Moderator) | Join Date: Dec 2002 | Location: Washington D.C. area | Posts: 2,885
    Is the new version going to improve scanning against the MS Windows Firewall?
    The tool is as good as the user. I have no issues with it when I bang against an XP host with the firewall enabled. I've used 3.5 and up against W32 firewall.

  5. #5 Senior Member | Join Date: Dec 2003 | Location: Pacific Northwest | Posts: 1,675
    bang against an XP host with the firewall enabled
    Well I know what I'll be doing this weekend. poor little laptop, here it comes!

    Connection refused, try again later.

  6. #6 Senior Member | Join Date: Dec 2004 | Posts: 137
    Originally posted here by thehorse13
    The tool is as good as the user. I have no issues with it when I bang against an XP host with the firewall enabled. I've used 3.5 and up against W32 firewall.
    I thought there were issues with SP2 and Nmap?

  7. #7 Senior Member | Join Date: May 2004 | Posts: 274

    nmap 3.90 problem

    [machine@machine machine]# /usr/bin/nmap -sS 192.168.1.4

    Starting nmap 3.90 ( http://www.insecure.org/nmap/ ) at 2005-09-09 09:57 PKT
    caught SIGSEGV signal, cleaning up
    Aborted
    I am using Red Hat 9 and installed an RPM, and I get the above message. Any solutions for that?
    Excuse me, is there an airport nearby large enough for a private jet to land?

  8. #8 Senior Member | Join Date: Jan 2003 | Posts: 3,915

    Re: nmap 3.90 problem

    Hey Hey,

    Originally posted here by mmkhan
    I am using Red Hat 9 and installed an RPM, and I get the above message. Any solutions for that?
    There's a very simple solution... download and compile from source.

    I'm very excited about this... the 3.84alpha proved very interesting, so I'm interested in playing with some of the new features in this one... It's downloading for Win32 right now and this weekend when I finally have free time I'm going to put it on the laptop...

    Peace,
    HT

  9. #9
    Well I know what I'll be doing this weekend. poor little laptop, here it comes!
    Oh man, I hear ya.

  10. #10 Senior Member | Join Date: Oct 2003 | Location: MA | Posts: 1,052
    All I have to say about the new features is wow...This program always gets better :-P
