Results 1 to 10 of 10

Thread: Nmap 4.0

  1. #1
    King Tutorial-ankhamun
    Join Date
    Jul 2004

    Nmap 4.0

    Figure a lost of you are already on the Insecurt mailing lists, but for those who are not it looks like Nmap 4.0 is out:

    From: nmap-hackers-bounces@insecure.org on behalf of Fyodor Sent: Tue 1/31/2006 12:26 PM
    To: nmap-hackers@insecure.org
    Subject: Nmap 4.00 Released!
    View As Web Page

    Nmap Hackers,

    Hot on the heels of 3.9999 (you could probably guess this was coming),
    I am pleased to announce that Nmap 4.00 is now available!

    Documentation: http://www.insecure.org/nmap/docs.html
    Download: http://www.insecure.org/nmap/download.html
    Release Announcement: http://www.insecure.org/stf/Nmap-4.00-Release.html


    Nmap has undergone many substantial changes since our last major
    release (3.50 in February 2004) and we recommend that all current
    users upgrade. Here are the most important improvements made in the 36
    intermediate releases since 3.50:

    o Added the ability for Nmap to send and properly route raw ethernet
    frames containing IP datagrams rather than always sending the
    packets via raw sockets. This is particularly useful for Windows,
    since Microsoft has disabled raw socket support in XP. Nmap tries
    to choose the best method at runtime based on platform, though you
    can override it with the new --send-eth and --send-ip options.

    o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP
    requests to determine whether hosts on a LAN are up, rather than
    relying on higher-level IP packets (which can only be sent after a
    successful ARP request and reply anyway). This is much faster and
    more reliable (not subject to IP-level firewalling) than IP-based
    probes. It is now used automatically for any hosts that are
    detected to be on a local ethernet network, unless --send-ip was

    o Added the --spoof-mac option, which asks Nmap to use the given MAC
    address for all of the raw ethernet frames it sends. Valid
    --spoof-mac argument examples are "Apple", "0", "01:02:03:04:05:06",
    "deadbeefcafe", "0020F2", and "Cisco".

    o Rewrote core port scanning engine, which is now named ultra_scan().
    Improved algorithms make this faster (often dramatically so) in
    almost all cases. Not only is it superior against single hosts, but
    ultra_scan() can scan many hosts (sometimes hundreds) in parallel.
    This offers many efficiency/speed advantages. For example, hosts
    often limit the ICMP port unreachable packets used by UDP scans to
    1/second. That made those scans extraordinarily slow in previous
    versions of Nmap. But if you are scanning 100 hosts at once,
    suddenly you can receive 100 responses per second. Spreading the
    scan amongst hosts is also gentler toward the target hosts.

    o Overhauled UDP scan. Ports that don't respond are now classified as
    "open|filtered" (open or filtered) rather than "open". The (somewhat
    rare) ports that actually respond with a UDP packet to the empty
    probe are considered open. If version detection is requested, it
    will be performed on open|filtered ports. Any that respond to any of
    the UDP probes will have their status changed to open. This avoids
    the false-positive problem where filtered UDP ports appear to be
    open, leading to terrified newbies thinking their machine is
    infected by back orifice.

    o Put Nmap on a diet, with changes to the core port scanning routine
    (ultra_scan) to substantially reduce memory consumption, particularly
    when tens of thousands of ports are scanned.

    o Added 'leet ASCII art to the configurator! Note that
    only people compiling the UNIX source code get this. (ASCII artist
    unknown). If you don't like it, feel free to submit your own work.

    o Wrote a new man page from scratch. It is much more comprehensive
    (more than twice as long) and (IMHO) better organized than the
    previous one. Read it online at http://www.insecure.org/nmap/man/
    or docs/nmap.1 from the Nmap distribution. Let me know if you have
    any ideas for improving it. Translations to Chinese, French,
    Japanese, Brazilian Portuguese, Portugal Portuguese, and Romanian
    can be found on the Nmap docs page at
    http://www.insecure.org/nmap/docs.html . More than a dozen other
    translations are in progress. The XML source for the man page is
    distributed with Nmap in docs/nmap-man.xml. Patches to Nmap that are
    user-visible should include patches to the man page XML source rather
    than to the generated Nroff.

    o Integrated all service submissions up to January 2006. The DB has
    tripled in size since 3.50 to 3,153 signatures for 381 service
    protocols. Those protocols span the gamut from abc, acap, afp, and
    afs to zebedee, zebra, and zenimaging. It even covers obscure
    protocols such as http, ftp, smtp, and ssh . Thanks to Version
    Detection Czar Doug Hoyte for his excellent work on this. Other
    great probes and signatures came from Dirk Mueller
    (mueller(a)kde.org), Lionel Cons (lionel.cons(a)cern.ch), Martin
    Macok (martin.macok(a)underground.cz), and Bo Jiang
    (jiangbo(a)brandeis.edu). Thanks also go to the (literally)
    thousands of you who submitted service fingerprints. Keep them

    o Integrated tons of new OS detection fingerprints. The database grew
    more than 50% from 1,121 to 1,684 fingerprints. Notable additions
    include Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows
    Server 2003 SP1, Sony AIBO (along with a new "robotic pet" device
    type category), the latest Linux 2.6 kernels, Cisco routers with IOS
    12.4, a ton of VoIP devices, Tru64 UNIX 5.1B, new Fortinet
    firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, and Solaris 10.
    Of course there are also tons of new broadband routers, printers,
    WAPs and pretty much any other device you can coax an ethernet cable
    (or wireless card) into! Much of this OS detecton work was done by
    Google SoC student Zhao Lei (zhaolei(a)gmail.com).

    o Created a Windows executable installer using the open source NSIS
    (Nullsoft Scriptable Install System). It handles Pcap installation,
    registry performance changes, and adding Nmap to your cmd.exe
    executable path. The installer source files are in mswin32/nsis/ .
    Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for
    creating the initial version.

    o Added run time interaction as documented at
    http://www.insecure.org/nmap/man/man...teraction.html .
    While Nmap is running, you can now press 'v' to increase verbosity,
    'd' to increase the debugging level, 'p' to enable packet tracing,
    or the capital versions (V,D,P) to do the opposite. Any other key
    (such as enter) will print out a status message giving the estimated
    time until scan completion. Most of this work was done by Paul
    Tarjan (ptarjan(a)stanford.edu), Andrew Lutomirski
    (luto(a)myrealbox.com), and Gisle Vanem (giva(a)bgnett.no).

    o Reverse DNS resolution is now done in parallel rather than one at a
    time. All scans of large networks (particularly list, ping and
    just-a-few-ports scans) benefit substantially from this change. The
    new --system-dns option was added so you can use the (slow) system
    resolver if you prefer that for some reason. You can specify a
    comma separated list of DNS server IP addresses for Nmap to use with
    the new --dns-servers option. Otherwise, Nmap looks in
    /etc/resolve.conf (UNIX) or the system registry (Windows) to obtain
    the nameservers already configured for your system. This excellent
    patch was written by Doug Hoyte (doug(a)hcsw.org).

    o Updated NmapFE to build with GTK2 rather than obsolete GTK1. Thanks
    to Priit Laes (amd(a)store20.com), Mike Basinger
    (dbasinge(a)speakeasy.net) and Meethune Bhowmick
    (meethune(a)oss-institute.org) for developing the patch. GTK2 is
    prettier, more functional, and actually exists on most modern Linux
    distributions (many of which removed GTK1 long ago).

    o Added the --badsum option, which causes Nmap to use invalid TCP or
    UDP checksums for packets sent to target hosts. Since virtually all
    host IP stacks properly drop these packets, any responses received
    are likely coming from a firewall or IDS that didn't bother to
    verify the checksum. For more details on this technique, see
    http://www.phrack.org/phrack/60/p60-0x0c.txt . The author of that
    paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch
    (which I changed it a bit).

    o The 26 Nmap commands that previously included an underscore
    (--max-rtt-timeout, --send-eth, --host-timeout, etc.) have been
    renamed to use a hyphen in the preferred format
    (i.e. --max-rtt-timeout). Underscores are still supported for
    backward compatibility.

    o Added --max-retries option for capping the maximum number of
    retransmissions the port scan engine will do. The value may be as
    low as 0 (no retransmits). A low value can increase speed, though
    at the risk of losing accuracy. The -T4 option now allows up to 6
    retries, and -T5 allows 2. Thanks to Martin Macok
    (martin.macok(a)underground.cz) for writing the initial patch.

    o Many of the Nmap low-level timing options take a value in
    milliseconds. You can now append an 's', 'm', or 'h' to the value
    to give it in seconds, minutes, or hours instead. So you can specify a
    45 minute host timeout with --host-timeout 45m rather than specifying
    --host-timeout 2700000 and hoping you did the math right and have the
    correct number of zeros. This also now works for the
    --min-rtt-timeout, --max-rtt-timeout, --initial-rtt-timeout,
    --scan-delay, and --max-scan-delay options.

    o Wrote a new Nmap compilation, installation, and removal guide, which
    you can find at http://www.insecure.org/nmap/install/ .

    o Made some changes to allow source port zero scans (-g0). Nmap used
    to refuse to do this, but now it just gives a warning that it may not
    work on all systems. It seems to work fine on my Linux box. Thanks
    to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.

    o Applied some small fixes so that Nmap compiles with Visual C++
    2005 Express, which is free from Microsoft at
    http://msdn.microsoft.com/vstudio/express/visualc/ . Thanks to KX
    (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com)

    o Added --thc option (undocumented)

    o Wrote a new "help screen", which you get when running Nmap without
    arguments. It is also reproduced in the man page and at
    http://www.insecure.org/nmap/data/nmap.usage.txt . I gave up trying
    to fit it within a 25-line, 80-column terminal window. It is now 78
    lines and summarizes all but the most obscure Nmap options.

    o Added OS, device type, and hostname detection using the service
    detection framework. Many services print a hostname, which may be
    different than DNS. The services often give more away as well. If
    Nmap detects IIS, it reports an OS family of "Windows". If it sees
    HP JetDirect telnetd, it reports a device type of "printer". Rather
    than try to combine TCP/IP stack fingerprinting and service OS
    fingerprinting, they are both printed. After all, they could
    legitimately be different. An IP that gives a stack fingerprint
    match of "Linksys WRT54G broadband router" and a service fingerprint
    of Windows based on Kazaa running is likely a common NAT setup rather
    than an Nmap mistake.

    o Overhauled the Nmap version detection guide and posted it at
    http://www.insecure.org/nmap/vscan/ .

    o Service/version detection now handles multiple hosts at once for
    more efficient and less-intrusive operation.

    o Added "rarity" feature to Nmap version detection. This causes
    obscure probes to be skipped when they are unlikely to help. Each
    probe now has a "rarity" value. Probes that detect dozens of
    services such as GenericLines and GetRequest have rarity values of
    1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
    When interrogating a port, Nmap always tries probes registered to
    that port number. So even WWWOFFLEctrlstat will be tried against
    port 8081 and mydoom will be tried against open ports between 3127
    and 3198. If none of the registered ports find a match, Nmap tries
    probes that have a rarity less than or equal to its current
    intensity level. The intensity level defaults to 7 (so that most of
    the probes are done). You can set the intensity level with the new
    --version-intensity option. Alternatively, you can just use
    --version-light or --version-all which set the intensity to 2 (only
    try the most important probes and ones registered to the port
    number) and 9 (try all probes), respectively. --version-light is
    much faster than default version detection, but also a bit less
    likely to find a match. This feature was designed and implemented
    by Doug Hoyte (doug(a)hcsw.org).

    o Added a "fallback" feature to the nmap-service-probes database.
    This allows a probe to "inherit" match lines from other probes. It
    is currently only used for the HTTPOptions, RTSPRequest, and
    SSLSessionReq probes to inherit all of the match lines from
    GetRequest. Some servers don't respond to the Nmap GetRequest (for
    example because it doesn't include a Host: line) but they do respond
    to some of those other 3 probes in ways that GetRequest match lines
    are general enough to match. The fallback construct allows us to
    benefit from these matches without repeating hundreds of signatures
    in the file. This is another feature designed and implemented
    by Doug Hoyte (doug(a)hcsw.org).

    o Added "Exclude" directive to nmap-service-probes grammar which
    causes version detection to skip listed ports. This is helpful for
    ports such as 9100. Some printers simply print any data sent to
    that port, leading to pages of HTTP requests, SMB queries, X Windows
    probes, etc. If you really want to scan all ports, specify
    --allports. This patch came from Doug Hoyte (doug(a)hcsw.org).

    o Version detection softmatches (when Nmap determines the service
    protocol such as smtp but isn't able to determine the app name such as
    Postfix) can now parse out the normal match line fields such as
    hostname, device type, and extra info. For example, we may not know
    what vendor created an sshd, but we can still parse out the protocol
    number. This was a patch from Doug Hoyte (doug(a)hcsw.org).

    o Fixed a bunch of typos and misspellings throughout the Nmap source
    code (mostly in comments). This was a 625-line patch by Saint Xavier

    o Added a stripped-down and heavily modified version of Dug Song's
    libdnet networking library (v. 1.10). This helps with the new raw
    ethernet features. My (extensive) changes are described in

    o Updated nmap data files (nmap-mac-prefixes, nmap-protocols,
    nmap-rpc) with the latest OUIs, IP protocols, and RPC program numbers,

    o Updated the included libpcap from 0.7.2 to 0.9.3. This was an
    attempt to fix an annoying bug, which I then found was actually in
    my code rather than libpcap . Also updated the included GNU
    shtool (to 2.0.2), LibPCRE (6.4), and the autoconf config.* files
    (to the latest from their CVS).

    o Nmap now uses (and require) WinPcap 3.1 on Windows.

    o Added MAC address printing. If Nmap receives packet from a target
    machine which is on an Ethernet segment directly connected to the
    scanning machine, Nmap will print out the target MAC address. Nmap
    also now contains a database (derived from the official IEEE
    version) which it uses to determine the vendor name of the target
    ethernet interface. Here are examples from normal and XML output
    (angle brackets replaced with [] for HTML changelog compatibility):
    MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
    [address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" /]

    o The official Nmap RPM files are now compiled statically for better
    compatibility with other systems. X86_64 (AMD Athlon64/Opteron)
    binaries are now available in addition to the standard i386. NmapFE
    RPMs are no longer distributed by Insecure.Org.

    o Nmap distribution signing has changed. Release files are now signed
    with a new Nmap Project GPG key (KeyID 6B9355D0). Learn more at

    o Updated random scan (ip_is_reserved()) to reflect the latest IANA
    assignments. This to Felix Groebert
    (felix(a)groebert.org) and Chad Loder (cloder(a)loder.us) for
    sending these patches.

    o Added the --iflist option, which prints a list of system interfaces
    and routes detected by Nmap.

    o Removed WinIP library (and all Windows raw sockets code) since MS
    has gone and broken raw sockets. Maybe packet receipt via raw
    sockets will come back at some point. As part of this removal, the
    Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
    --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
    and --win_trace options have been removed.

    o Added new --privileged command-line option and NMAP_PRIVILEGED
    environmental variable. Either of these tell Nmap to assume that
    the user has full privileges to execute raw packet scans, OS
    detection and the like. This can be useful when Linux kernel
    capabilities or other systems are used that allow non-root users to
    perform raw packet or ethernet frame manipulation. Without this
    flag or variable set, Nmap bails on UNIX if geteuid() is

    o Changed the RPM spec file so that if you define "static" to 1 (by
    passing --define "static 1" to rpmbuild), static binaries are built.

    o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
    any TCP scans in which the initial probe packet has the ACK flag set.
    This would be the ACK, Xmas, Maimon, and Window scans.

    o Fixed an integer overflow that prevented Nmap from scanning
    2,147,483,648 hosts in one expression (e.g. Problem
    noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
    are now possible, don't expect them to finish during your bathroom
    break. No matter how constipated you are.

    o Changed from CVS to Subversion source control system (which
    rocks!). Neither repository is currently public due to security

    o Nmap now ships with and installs (in the same directory as other
    data files such as nmap-os-fingerprints) an XSL stylesheet for
    rendering the XML output as HTML. This stylesheet was written by
    Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples).
    It supports tables, version detection, color-coded port states, and
    more. The XML output has been augmented to include an
    xml-stylesheet directive pointing to nmap.xsl on the local
    filesystem. You can point to a different XSL file by providing the
    filename or URL to the new --stylesheet argument. Omit the
    xml-stylesheet directive entirely by specifying --no-stylesheet.
    The XML to HTML conversion can be done with an XSLT processor such
    as Saxon, Sablot, or Xalan, but modern browsers can do this on the
    fly -- simply load the XML output file in IE or Firefox.It is
    often more convenient to have the stylesheet loaded from a URL
    rather than the local filesystem, allowing the XML to be rendered on
    any machine regardless of whether/where the XSL is installed. For
    privacy reasons (avoid loading of an external URL when you view
    results), Nmap uses the local filesystem by default. If you would
    like the latest version of the stylesheet loaded from Insecure.Org when
    rendering, specify --webxml, which is a shortcut for
    --stylesheet http://www.insecure.org/nmap/data/nmap.xsl .

    o If a user attempts -PO (the letter O), instead of -P0 (zero), print
    an error suggesting that the user is a doofus (actually it is a nice

    o Upgraded the fragmentation option (-f). One -f now sets sends
    fragments with just 8 bytes after the IP header, while -ff sends 16
    bytes to reduce the number of fragments needed. You can specify
    your own fragmentation offset (must be a multiple of 8) with the new
    --mtu flag. Don't also specify -f if you use --mtu. Remember that
    some systems (such as Linux with connection tracking) will
    defragment in the kernel anyway -- so test first while sniffing with
    ethereal. These changes are from a patch by Martin Macok

    o Nmap now prints the number (and total bytes) of raw IP packets sent
    and received when it completes, if verbose mode (-v) is enabled. The
    report looks like:
    Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds
    Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)

    o Added new "closed|filtered" state. This is used for Idle scan, since
    that scan method can't distinguish between those two states. Nmap
    previously just used "closed", but this is more accurate.

    o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
    instead of "open" when they fail to receive any response from the
    target port. After all, it could just as easily be filtered as open.
    This is the same change that was made to UDP scan in 3.70. Also as
    with UDP scan, adding version detection (-sV) will change the state
    from open|filtered to open if it confirms that they really are open.

    o Change IP protocol scan (-sO) so that a response from the target
    host in any protocol at all will prove that protocol is open. As
    before, no response means "open|filtered", an ICMP protocol
    unreachable means "closed", and most other ICMP error messages mean

    o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
    UDP headers when scanning protocols 1, 6, and 17, respectively. An
    empty IP header is still sent for all other protocols. This should
    prevent the error messages such as "sendto in send_ip_packet:
    sendto(3, packet, 20, 0,, 16) => Operation not
    permitted" that Linux (and perhaps other systems) would give when
    they try to interpret the raw packet. This also makes it more
    likely that these protocols will elicit a response, proving that the
    protocol is "open".

    o Fixed a memory leak that would generally consume several hundred
    bytes per down host scanned. While the effect for most scans is
    negligible, it was overwhelming when Scott Carlson
    (Scott.Carlson(a)schwab.com) tried to scan 24 million IPs
    ( Thanks to him for reporting the problem. Also thanks
    to Valgrind ( http://valgrind.kde.org ) for making it easy to debug.

    o Added --max-scan-delay parameter. Nmap will sometimes increase the
    delay itself when it detects many dropped packets. For example,
    Solaris systems tend to respond with only one ICMP port unreachable
    packet per second during a UDP scan. So Nmap will try to detect
    this and lower its rate of UDP probes to one per second. This can
    provide more accurate results while reducing network congestion, but
    it can slow the scans down substantially. By default (with no -T
    options specified), Nmap allows this delay to grow to one second per
    probe. This option allows you to set a lower or higher maximum.
    The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
    scans to 10 and 5 ms, respectively.

    o Added --max-hostgroup option which specifies the maximum number of
    hosts that Nmap is allowed to scan in parallel.

    o Added --min-hostgroup option which specifies the minimum number of
    hosts that Nmap should scan in parallel (there are some exceptions
    where Nmap will still scan smaller groups -- see man page). Of
    course, Nmap will try to choose efficient values even if you don't
    specify hostgroup restrictions explicitly.

    o Nmap now estimates completion times for almost all port scan types
    (any that use ultra_scan()) as well as service scan (version
    detection). These are only shown in verbose mode (-v). On scans
    that take more than a minute or two, you will see occasional updates
    SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
    New updates are given if the estimates change significantly.

    o Added --exclude option, which lets you specify a comma-separated
    list of targets (hosts, ranges, netblocks) that should be excluded
    from the scan. This is useful to keep from scanning yourself, your
    ISP, particularly sensitive hosts, etc. The new --excludefile reads
    the list (newline-delimited) from a given file. All the work was
    done by Mark-David McLaughlin (mdmcl(a)cisco.com> and William McVey
    ( wam(a)cisco.com ), who sent me a well-designed and well-tested

    o Nmap now has a "port scan ping" system. If it has received at least
    one response from any port on the host, but has not received
    responses lately (usually due to filtering), Nmap will "ping" that
    known-good port occasionally to detect latency, packet drop rate,

    o Nmap now wishes itself a happy birthday when run on September 1 in
    verbose mode! The first public release was on that date in 1997.

    o The port randomizer now has a bias toward putting
    commonly-accessible ports (80, 22, etc.) near the beginning of the
    list. Getting a response early helps Nmap calculate response times and
    detect packet loss, so the scan goes faster.

    o Host timeout system (--host-timeout) overhauled to support host
    parallelization. Hosts times are tracked separately, so a host that
    finishes a SYN scan quickly is not penalized for an exceptionally
    slow host being scanned at the same time.

    o When Nmap has not received any responses from a host, it can now use
    certain timing values from other hosts from the same scan group.
    This way Nmap doesn't have to use absolute-worst-case (300bps SLIP
    link to Uzbekistan) round trip time and latency estimates.

    o Documented the --osscan-limit option, which saves time by skipping
    OS detection if at least one open and one closed port are not found on
    the remote hosts. OS detection is much less reliable against such
    hosts anyway, and skipping it can save some time.

    o Configure script now detects GNU/k*BSD (whatever that is),
    thanks to patches from Robert Millan (rmh@debian.org) and Petr
    Salinger (Petr.Salinger(a)t-systems.cz)

    o Provide limited --packet-trace support for TCP connect() (-sT)

    o Hundreds of other features, bugfixes, and portability
    enhancements described at http://www.insecure.org/nmap/changelog.html


    With this stable version out of the way, we plan to dive headfirst
    into the next development cycle. Many exciting features are in the
    queue, including a next-generation OS detection system. We also plan
    to launch the 2006 Nmap User Survey in February, to learn what
    features you want most.


    Nmap is available for download from http://www.insecure.org/nmap/ for
    most platforms in source or binary form. Nmap is free, open source
    software (license: http://www.insecure.org/nmap/data/COPYING )


    A popular open source security scanner recently went proprietary,
    complaining that their community never contributes much. We are sorry
    to hear that, but happy to report that the Nmap community is as
    vibrant and productive as ever! We would like to acknowledge and thank
    the many people who contributed ideas and/or code to this release
    (since 3.50). Special thanks go out to Adam Kerrison, Adam Morgan,
    Adriano Monteiro Marques, Alan Bishoff, Alan William Somers, Albert
    Chin, Allison Randal, Alok Tangoankar, Amy Hennings, Anders Thulin,
    Andreia Gaita, Andy Lutomirski, Annalee Newitz, Arturo Buanzo
    Busleiman, Bart Dopheide, Beirne Konarski, Ben Harris, Bill Dale, Bill
    Petersen, Bill Pollock, Bo Jiang, Brian Hatch, Chad Loder, Chris
    Gibson, Christophe, Craig Humphrey, Curtis Doty, Dana Epp, Dirk
    Mueller, Doug Hoyte, Dragos Ruiu, Dug Song, Duilio J. Protti, Eric
    S. Raymond, Felix Gröbert, Florian Ebner, Fyodor Yarochkin, Ganga
    Bhavani, Gisle Vanem, Glyn Geoghegan, Greg A. Woods, Greg Darke, Greg
    Taleck, Gwenole Beauchesne, HD Moore, Jedi/Sector One, Jeff Nathan,
    Jesse Burns, Jim Carras, Jim Harrison, Jonathan Dieter, José Domingos,
    Justin Cranford, Justin M Cacak, Krok, KX, Lamont Jones, Lance
    Spitzner, Laurent Estieux, Lionel Cons, Lucien Raven, MadHat, Marius
    Strobl, Mark-David McLaughlin, Mark Ruef, Martin Macok, Matthieu
    Verbert, Matt Selsky, Max Schubert, Meethune Bhowmick, Mephisto, Mike
    Basinger, Mike Hatz, Murphy, Netris, Okan Demirmen, Ole Morten
    Grodaas, Oliver Eikemeier, Pascal Trouvin, Paul Tarjan, Petr Salinger,
    Petter Reinholdtsen, pijn trein, Ping Huang, Piotr Sobolewski, Priit
    Laes, Princess Nadia, Raven Alder, Richard Birkett, Richard Moore,
    Robert E. Lee, Rob Foehl, Ronak Sutaria, Royce Williams, Ruediger
    Rissmann, Saint Xavier, Saravanan, Scott Mansfield, Sebastian
    Wolfgarten, Seth Master, Shahid Khan, Simon Burr, Simple Nomad, Sina
    Bahram, Solar Designer, Srivatsan, Stephane Loeuillet, Stephen Bishop,
    Steve Christensen, Steve Martin, Thorsten Holz, Tom Duffy, Tom Rune
    Flo, Tom Sellers, Tony Golding, van Hauser, vlad902, William McVey,
    Zapphire, and Zhao Lei.

    And of course we would also like to thank the thousands of people who
    have submitted OS and service/version fingerprints, as well as
    everyone who has found and reported bugs or suggested features.

    For further information, see http://www.insecure.org/

    Sent through the nmap-hackers mailing list

  2. #2
    Senior Member
    Join Date
    Jan 2003
    Hey Hey,

    Anyone here running it in Win32? I was testing it out this aft. and had a few problems..

    Blue Screen : IRQL_NOT_LESS_OR_EQUAL

    Event Log: Error code 0000000a, parameter1 00000016, parameter2 00000002, parameter3 00000000, parameter4 804dbda3.

    Microsoft Error Report Service: BCCode : a BCP1 : 00000016 BCP2 : 00000002 BCP3 : 00000000
    BCP4 : 804DBDA3 OSVer : 5_1_2600 SP : 2_0 Product : 256_1
    That's the result of me running nmap -PR and then hitting ctr+c during the scan... it was on the 3rd host out of what would have ended around 20... I'm running on a P4 1.8 w/ 512MB of RDRAM.. it's XP SP2 fully updated, however it was an upgrade install from 2000 Pro SP4. I have not been able to duplicate the results in a VM... however I haven't yet tested it on this machine again..

    And interesting thing though... when I powered back up and browsed to AO, I was no longer logged in... none of my cookies were remembered after the crash.. So anyways.. anyone else testing this in Wn32.. I'd love to see your results..

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  3. #3
    AOs Resident Troll
    Join Date
    Nov 2003
    From my vast experience with BSOD codes

    ...back in the NT4 days..

    IRQ NOT LESS OR EQUAL and the first parameter Error code STOP 0000000a

    points to hardware....and or a driver issue


    Meaning it may not be interacting with your NIC driver...or TCPIP.sys version very well...
    among other things

    How people treat you is their karma- how you react is yours-Wayne Dyer

  4. #4
    Senior Member
    Join Date
    Jan 2003
    Originally posted here by morganlefay
    From my vast experience with BSOD codes

    ...back in the NT4 days..

    IRQ NOT LESS OR EQUAL and the first parameter Error code STOP 0000000a

    points to hardware....and or a driver issue

    Which is what I would say as well.. which makes me wonder if maybe it's part of winPCAP that is the problem.. but pcap has been installed and functioning for a while now and is the correct version....

    I ran it again on this computer.. I ctl+c'd it four times.. the fourth time it blue screened again... I've yet to be able to do it in the VM, however there are some updates that need to be installed so Windows update is install those...

    Perhaps I'll setup a sniffer on this segment and see what's being sent right hwne it crashes and see if I can recreate the data...

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  5. #5
    Senior Member
    Join Date
    Oct 2003
    Thats the problem. It's pretty much a generic blue screen. I do not know of anyway you can really trace it.

  6. #6
    AOs Resident Troll
    Join Date
    Nov 2003
    A recent MS upgrade knocked out server client communications....came across this looking for something else...I wonder if it has something to do with it...

    If I come across it again I will post...there was a hotfix released

    How people treat you is their karma- how you react is yours-Wayne Dyer

  7. #7
    AOs Resident Troll
    Join Date
    Nov 2003
    If you get the actuall blue screen...at the end of this line in the top half of the page...

    [QUOTE]Error code 0000000a, parameter1 00000016, parameter2 00000002, parameter3 00000000, parameter4 QUOTE]

    Will be the file that caused the exception......filename.xxx......from that you can usually gleen what piece of hardware.


    edit...sorry for the double post
    How people treat you is their karma- how you react is yours-Wayne Dyer

  8. #8
    Senior Member
    Join Date
    Jan 2003
    [QUOTE] Originally posted here by morganlefay
    If you get the actuall blue screen...at the end of this line in the top half of the page...

    Error code 0000000a, parameter1 00000016, parameter2 00000002, parameter3 00000000, parameter4 QUOTE]

    Will be the file that caused the exception......filename.xxx......from that you can usually gleen what piece of hardware.


    edit...sorry for the double post
    Hey Hey,

    Nope... no file name... I wrote down everything off the blue screen while the memeory was dumping.... hoping for soemthing... but there was nothing of interest... (other then the error code and parameters)

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

  9. #9
    AOs Resident Troll
    Join Date
    Nov 2003
    Found that article.....

    It was server based

    dont think it applies


    Being an OS upgrade...may be an issue...with the IP stack...or something...

    Personally I dont like upgrading OSes...carries the crap from the previous OS over...

    I always go for the clean install.

    How people treat you is their karma- how you react is yours-Wayne Dyer

  10. #10
    Senior Member
    Join Date
    Jan 2003
    Hey Hey

    I'm not a big fan of the upgrade process either... This is the first time I've ever done it.. but for some strange reason, the original media and licenses for all the software that it had installed when I got here have disappeared.... I can only assume that the software is legit and plead ignorance if it's not.. after all... what sort of company would run with primarily pirated software... but since i no longer have that original media or even just the licenses.. I can't, in good conscience, install any of that software on this machine.

    IT Blog: .:Computer Defense:.
    PnCHd (Pronounced Pinched): Acronym - Point 'n Click Hacked. As in: "That website was pinched" or "The skiddie pinched my computer because I forgot to patch".

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts