Nmap Security Scanner version 3.50 Released

From: Gideon T. Rasmussen, CISSP, CISM, CFSO, SCSA (lists_at_infostruct.net)
Date: 02/27/04

  • Next message: Buyer Jr, David: "RE: NMAP - 3.50 changes mstask.exe?"
    Date: Fri, 27 Feb 2004 08:10:48 -0500
    To: pen-test@securityfocus.com
    
    

    -----Original Message-----
    From: Fyodor [mailto:fyodor@insecure.org]
    Sent: Thursday, February 26, 2004 3:36 PM
    To: bugtraq@securityfocus.com
    Subject: Nmap Security Scanner 3.50 Released

    -----BEGIN PGP SIGNED MESSAGE-----

    Hello Bugtraq,

    I am pleased to announce the immediate, free availability of the Nmap
    Security Scanner version 3.50 from http://www.insecure.org/nmap/.
    Actually it was released a few weeks back, but I wanted to ensure it
    is actually stable.

    Nmap ("Network Mapper") is an open source utility for network
    exploration or security auditing. It was designed to rapidly scan
    large networks, although it works fine against single hosts. Nmap uses
    raw IP packets in novel ways to determine what hosts are available on
    the network, what services (application name and version) they are
    offering, what operating system (and OS version) they are running,
    what type of packet filters/firewalls are in use, and dozens of other
    characteristics. Nmap runs on most types of computers, including
    Linux/BSD/Mac OS X, and Windows. Both console and graphical versions
    are available. Nmap is free software, available with full source code
    under the terms of the GNU GPL.

    To reduce Bugtraq traffic, I rarely post more than one Nmap
    announcement per year. The last time was Nmap 3.00 in 2002. To keep
    up with all new versions and other Nmap-related announcements, you are
    invited to join the nmap-hackers list by sending a blank email to
    nmap-hackers-subscribe@insecure.org. Or read the archives at
    http://seclists.org.

    CHANGES

    Nmap has undergone many substantial changes since 3.00 and we
    recommend that all current users upgrade. Improvements from 41
    intermediate releases have gone into 3.50. Here is a list of the most
    important advantages (for a much more detailed list, see
    http://www.insecure.org/nmap/nmap_changelog.html):

    o An advanced service/version detection system was added after months
    of private development. Now instead of using a simple nmap-services
    table lookup to determine a port's likely purpose, Nmap will (if
    asked) interrogate that TCP or UDP port to determine what service is
    really listening. In many cases it can determine the application
    name and version number as well. IPv6, SSL encryption, and SunRPC
    program number brute forcing are all supported. Thanks to a huge
    number of contributors, the database now contains more than a
    thousand signatures, representing 180 unique service protocols from
    acap, afp, and aim to xml-rpc, zebedee, and zebra.

    o The OS detection database has also improved dramatically. There are
    now 1,121 fingerprints in the DB (from 700 in 3.30). Most recently
    added were Linux 2.6.X, Mac OS X up to 10.3.2 (Panther), OpenBSD 3.4
    (normal and pf "scrub all"), FreeBSD 5.2, the latest Windows
    Longhorn warez, and Cisco PIX 6.3.3. As usual, there are a ton of
    new consumer devices from ubiquitous D-Link, Linksys, and Netgear
    broadband routers to a number of new IP phones including the Cisco
    devices commonly used by Vonage.

    o MS Windows support has improved substantially. Newer features such
    as version detection are supported, and the Windows port is also
    faster and more stable.

    o Mac OS X is now fully supported

    o SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken
    to an extortion campaign of demanding license fees from Linux users
    for code that they themselves knowingly distributed under the terms
    of the GNU GPL. They have also refused to accept the GPL, claiming
    that some preposterous theory of theirs makes it invalid (and even
    unconstitutional)! Meanwhile they have distributed GPL-licensed Nmap
    in (at least) their "Supplemental Open Source CD". In response to
    these blatant violations, and in accordance with section 4 of the
    GPL, we terminated SCO's rights to redistribute any versions of Nmap
    in any of their products, including (without limitation) OpenLinux,
    Skunkware, OpenServer, and UNIXWare. We have also stopped supporting
    the OpenServer and UNIXWare platforms.

    o Major changes were made to the NmapFE UNIX GUI. It now uses tabs and
    supports all of the major Nmap command-line options. Most of this
    work was done by Peter Marschall (peter(a)adpm.de).

    o Nmap output is more concise and prettier, thanks to a new
    NmapOutputTable class that reduces extraneous whitespace. This makes
    it easier to read, and also leaves more room for version info and
    possibly future enhancements.

    o Major parts of the codebase have been rewritten. Nmap now compiles
    with C++ rather than ANSI C, and it lightly uses the Standard
    Template Library (STL). The excellent libpcre (Perl Compatible
    Regular Expressions) library has been added, as has a custom
    parallel socket library (nsock). Libpcap has been updated to version
    0.7.2, and the latest autoconf version is being used.

    o Every one of the OS fingerprints was examined to normalize the
    descriptions. I also looked up what all of the devices are (thanks
    E*Bay and Google!). Results like "Nexland ISB Pro800 Turbo" and
    "Siemens 300E Release 6.5" are much more useful when followed by
    "cable modem" and "business phone system".

    o Added a new classification system to nmap-os-fingerprints. In
    addition to the standard text description, each entry is now
    classified by vendor name (e.g. Sun), underlying OS (e.g. Solaris),
    OS generation (e.g. 7), and device type ("general purpose", router,
    switch, game console, etc). This can be useful if you want to (say)
    locate and eliminate the SCO systems on a network, or find the
    wireless access points (WAPs) by scanning from the wired side.

    o Nmap will now sometimes guess the remote operating system in the "no
    exact matches" case, even if you don't use the secret --osscan_guess
    or --fuzzy options.

    o Nmap now compiles under Amiga thanks to patches sent by Diego
    Casorran (dcr8520(a)amiga.org).

    o Added UDP-based "ping" scanning. The -PU option can take an optional
    portlist like the TCP "ping" options (-PS, -PA), but it sends a UDP
    packet to the targets and expects hosts that are up to reply with a
    port unreachable (or possibly a UDP response if the port is
    open). This one is likely to work best against closed ports, since
    many open ports don't respond to empty requests.

    o The random IP input option (-iR) now takes an argument specifying
    how many IPs you want to scan (e.g. -iR 1000). This reduces the risk
    of forgetting about a scan and leaving it running all night, then
    waking up to angry mail from your ISP. Specify 0 for the old
    never-ending scan behavior.

    o Made substantial changes to the SYN/connect()/Window scanning
    algorithms for improved speeds, especially against heavily filtered
    hosts. Also made numerous improvements to the timing behavior of
    "-T Aggressive" (same as -T4) scans. -T4 is now recommended for regular
    use by users on broadband or direct ethernet connections. One scan
    against a firewalled host that took 556 seconds with 3.15BETA2 now
    takes only 41 seconds with Nmap 3.50 and the -T4 option.

    o Added support for a brand new "port" that many people have never
    scanned before! UDP & TCP "port 0" (and IP protocol 0) are now
    permitted if you specify 0 explicitly. An argument like "-p -40"
    would still scan ports 1-40. Unlike ports, protocol 0 IS now scanned
    by default. This now works for ping probes too (e.g., -PS, -PA).

    o Applied patch by Martin Kluge (martin(a)elxsi.info) which adds --ttl
    option, which sets the outgoing IPv4 TTL field in packets sent via
    all raw scan types (including ping scans and OS detection). A TTL of
    0 is supported, and even tends to work on a LAN:

    14:17:19.474293 192.168.0.42.60214 > 192.168.0.40.135: S 326:326(0) [ttl 0]
    14:17:19.474456 192.168.0.40.135 > 192.168.0.42.60214: S 280:280(0) ack 326 (ttl 128)

    o Added a new --datadir command line option which allows you to
    specify the highest priority directory for the Nmap data files
    nmap-services, nmap-os-fingerprints, and nmap-rpc. Any files which
    aren't in the given dir will be searched for in the $NMAPDIR
    environment variable, ~/nmap/, a compiled-in data directory
    (e.g. /usr/share/nmap), and finally the current directory.

    o To emphasize the highly professional nature of Nmap, all instances
    of "fucked up" in error message text have been changed to "b0rked".

    o IPv6 is now supported for many of the most important scan types,
    including TCP scan (-sT), connect()-style ping scan (-sP), list scan
    (-sL), and version detection. Just specify the -6 option and the
    IPv6 numbers or DNS names. Netmask notation is not currently
    supported -- I'm not sure how useful it is for IPv6, where even
    petty end users may be allocated trillions of addresses (/80).

    o Multiple TCP/UDP ports can now be specified for the "ping scanning
    phase". You can also now specify multiple ping types (e.g. UDP, TCP
    SYN, ICMP echo request, and TCP ACK). So you can now do combinations
    such as "-PS22,53,80 -PT113 -PN -PE" in order to increase your odds
    of passing through strict filters.

    o Reworked the "ping scan" algorithm (used for any scan except -P0 or
    -sL) to be more robust in the face of low-bandwidth and congested
    connections. This also improves reliability in the multi-port and
    multi-type ping cases described below.

    o Applied patch by Max Schubert (nmap(a)webwizarddesign.com) which
    adds an add-port XML tag whenever a new port is found open when Nmap
    is running in verbose mode. The new tag looks like:
    <addport state="open" portid="22" protocol="tcp"/>
    I also updated docs/nmap.dtd to recognize this new tag.

    o Added --packet_trace option, which tells Nmap to display all of the
    packets it sends and receives in a format similar to tcpdump. I
    mostly added this for debugging purposes, but it is also useful for
    people wishing to learn how Nmap works and for experts wanting to
    ensure Nmap is doing exactly what they expect.

    o Hundreds of more minor features, bugfixes, and portability enhancements.

    MOVING FORWARD:

    With this "stable" version out of the way, we plan to dive headfirst
    into the next development cycle. Many exciting features are in the
    queue, including better multi-host parallelization, an OS detection
    overhaul, and further version scanning features, such as intensity
    levels. I am also working on a book describing Nmap, from port
    scanning basics for novices to the types of packet crafting used by
    advanced hackers. Much of this book will be made available for free
    online. A few chapters should be available very soon. For the latest
    news on Nmap and the book, consider joining the nmap-hackers list
    discussed up top.

    DOWNLOAD:

    - From http://www.insecure.org/nmap

    ACKNOWLEDGEMENTS:

    I would like to acknowledge and thank the many people who contributed
    ideas and/or code to this release. Special thanks go out to A. Jones,
    Albert Chin-A-Young, Alex Volkov, Al Smith, Amy Hennings, Andy
    Lutomirski, Annalee Newitz, Axel Krauth, Axel Nennker, Ayamura
    Kikuchi, Blue Boar, Brian Hatch, Chad Loder, Crayden Mantelium, Curt
    Wilson, Darren Reed, Dean Bennett, Diego Casorran, Dmitry V. Levin,
    Dragos Ruiu, Dug Song, Eric S. Raymond, Fejed, Florin Andrei, Frank
    Berger, Fyodor Yarochkin, Gabriel L. Somlo, Gisle Vanem, Guido van
    Rooij, HellNBack, HD Moore, Hubert Feyrer, Jan Roger Wilkens, Jari
    Ruusu, Jaroslav Sladek, Javier Kohen, Jay Freeman (Saurik), Jeff
    Nathan, jerickson_at_inphonic, Jochen Erwied, Josef 'Jupp' Schugt,
    Juho Schultz, Justin A., Kevin Davis, Kirby Kuehl, Kronos, Lance
    Spitzner, Lionel CONS, MadHat, Maik Pfeil, Marc Ruef, Mario Manno,
    Marius Strobl, Martin Kluge, Matt Burnett, Matthieu Verbert, Matt
    Selsky, Max Schubert, Max Vision, Michael Davis, Mikael Mannstrom,
    Miscelerious Options, Mugz, Niels Heinen, Osamah Abuoun, Peter
    Marschall, Petter Reinholdtsen, Phix, Pope_at_undersec, Przemek
    Galczewski, R. Anderson, Rain.Forest.Puppy, ray_at_24hoursecurity,
    Remi Denis-Courmont, Rob Foehl, Russel Miller, Ryan Lowe, Scott
    Egbert, Sebastien Blanchet, Seth Master, Shawn Wallis, Simple Nomad,
    Solar Designer, Solar Eclipse, Ste Jones, Stephen Bishop, Tammy
    Rathbun, Tom Duffy, Tom Rune Flo, van Hauser, Wei Jiang, William
    McVey, Will Saxon, Yeti, and everyone I forgot.

    And of course I would also like to thank the thousands of people who
    have submitted OS and service/version fingerprints, as well as
    everyone who has found and reported bugs or suggested features.

    Cheers,
    Fyodor
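
The --datadir item above describes a five-level search order for the Nmap data files (--datadir, then $NMAPDIR, then ~/nmap/, then the compiled-in directory, then the current directory). The following is an added example written for this archive page, not Fyodor's code and not part of Nmap: it models that lookup so the precedence can be checked without touching a real filesystem. The compiled-in path /usr/share/nmap and the three file names come from the announcement; the `exists` predicate parameter is an assumption introduced here so the function can be exercised with a fake directory layout. From an operator's point of view the order matters because a --datadir or $NMAPDIR setting silently overrides the packaged nmap-services and nmap-os-fingerprints, and the current directory is consulted only when nothing earlier in the chain has the file.

```python
"""Resolve an Nmap data file in the priority order described in the
Nmap 3.50 announcement for --datadir.

Added example for this page, not Nmap's own code. The compiled-in
directory and file names are taken from the announcement; the lookup
takes an injectable `exists` predicate (an assumption of this example)
so it can be tested against a fake directory layout."""
import os


def candidate_dirs(datadir=None, env=None, home="~",
                   compiled_dir="/usr/share/nmap", cwd="."):
    """Directories to consult, highest priority first.
    An unset --datadir or $NMAPDIR is simply skipped."""
    env = os.environ if env is None else env
    order = []
    if datadir:
        order.append(datadir)
    if env.get("NMAPDIR"):
        order.append(env["NMAPDIR"])
    order.append(os.path.join(os.path.expanduser(home), "nmap"))
    order.append(compiled_dir)
    order.append(cwd)
    return order


def find_data_file(name, datadir=None, env=None, home="~",
                   compiled_dir="/usr/share/nmap", cwd=".",
                   exists=os.path.exists):
    """Return the first existing path for `name` in search order, or None."""
    for directory in candidate_dirs(datadir, env, home, compiled_dir, cwd):
        path = os.path.join(directory, name)
        if exists(path):
            return path
    return None


if __name__ == "__main__":
    # Show where each data file would be read from on this machine.
    for data_file in ("nmap-services", "nmap-os-fingerprints", "nmap-rpc"):
        print(data_file, "->", find_data_file(data_file))
```

Running the block on a real host prints the path each file would be loaded from, which is a quick way to confirm that a hardened or custom data directory is actually the one in effect.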
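
The announcement also introduces the verbose-mode addport XML tag (state, portid and protocol attributes) that is written as each open port is discovered. The block below is an added example for this page, not Fyodor's code and not part of Nmap: a small reader that consumes those tags as a stream, then cross-checks them against the final per-host port table. Two assumptions are made here: that addport elements appear as children of nmaprun before the host block (the announcement gives only the tag itself), and that the closing table uses the host/ports/port/state layout of the nmap.dtd of that era. SAMPLE_XML is a constructed document, not real scanner output.

```python
"""Streaming reader for Nmap 3.50-style XML output that picks up the
verbose-mode <addport/> tags described in the announcement.

Added example written for this page; not Fyodor's code and not part of
Nmap. Assumptions: <addport/> is emitted as a child of <nmaprun> as each
open port is found, and the final table uses <host>/<ports>/<port>/<state>.
SAMPLE_XML below is constructed by hand."""
import io
import xml.etree.ElementTree as ET

# Constructed sample: two <addport/> events arrive while the scan runs,
# then the <host> block carries the full port table at the end.
SAMPLE_XML = b"""<?xml version="1.0"?>
<nmaprun scanner="nmap" version="3.50" args="nmap -v -sS -oX - 192.0.2.10">
<addport state="open" portid="22" protocol="tcp"/>
<addport state="open" portid="80" protocol="tcp"/>
<host>
<address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
<port protocol="tcp" portid="80"><state state="open"/><service name="http"/></port>
<port protocol="tcp" portid="25"><state state="closed"/></port>
</ports>
</host>
</nmaprun>
"""


def stream_addport_events(xml_bytes):
    """Return (protocol, portid, state) tuples in the order the <addport/>
    tags appear. iterparse fires on each element start, so a consumer can
    react to a newly found port before the run has finished."""
    events = []
    for _event, elem in ET.iterparse(io.BytesIO(xml_bytes), events=("start",)):
        if elem.tag == "addport":
            events.append((elem.get("protocol"), int(elem.get("portid")),
                           elem.get("state")))
    return events


def final_open_ports(xml_bytes):
    """Map each host address to the set of (protocol, portid) pairs whose
    <state> in the final <ports> table is "open"."""
    root = ET.fromstring(xml_bytes)
    result = {}
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        open_ports = set()
        for port in host.iter("port"):
            state = port.find("state")
            if state is not None and state.get("state") == "open":
                open_ports.add((port.get("protocol"), int(port.get("portid"))))
        result[addr] = open_ports
    return result


def reconcile(xml_bytes):
    """Cross-check: every port announced by an <addport/> event should also
    be open in the final table. Returns the announced set, the final set
    over all hosts, and anything announced but absent at the end."""
    announced = {(proto, num) for proto, num, state
                 in stream_addport_events(xml_bytes) if state == "open"}
    final = set().union(*final_open_ports(xml_bytes).values())
    return {"announced": announced, "final": final,
            "missing_from_final": announced - final}


if __name__ == "__main__":
    for proto, port, state in stream_addport_events(SAMPLE_XML):
        print(f"addport: {proto}/{port} {state}")
    print(reconcile(SAMPLE_XML))
```

The streaming reader is the piece worth keeping when output is piped from a long-running scan: the addport events let a monitoring script raise a ticket for an unexpected open port immediately, while reconcile() at the end catches a run that was interrupted before the final table was written.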
