If I do nmap -sV -sU, I find that it has a SIGSEGV. Am I the only one
having this problem? If so, I can pull a backtrace from gdb.
Fyodor wrote:
> Developers,
>
> While there hasn't been a formal Nmap release since 3.81 in February,
> it isn't due to lack of development. Quite the opposite: there have
> been so many improvements to the core abilities of Nmap that
> stabilizing it for a release has been tough. Not only have I been
> busy at work, but there are major contributions from SoC students and
> other 3rd parties. Changes include ARP scanning, MAC spoofing, a raw
> ethernet packet sending system, 'l33t ASCII art, hundreds of new OS
> detection and version detection fingerprints, and much more. It
> includes all the goodies I released during my recent Defcon keynote
> speech, and more.
>
> I'm releasing a private version (not linked from the Nmap download
> page) of 3.84ALPHA1 for nmap-dev testing. Please give it a whirl and
> let me know if you find any problems (compilation or runtime).
> Problem reports are always helpful, but patches would be fabulous!
> I've already tested it on quite a few systems (Linux, FreeBSD,
> Solaris, Windows XP, and Windows 2K), but there will surely be bugs.
>
> I am particularly interested in Windows testing, so I'm including
> binaries for that platform. The way packets are sent and received has
> been changed dramatically. The new Win32 raw ethernet subsystem
> should be much faster than the previous code, and gets around
> Microsoft's silly raw IP socket ban. BEFORE RUNNING THIS CODE ON
> WINDOWS, INSTALL THE JUST-RELEASED WINPCAP 3.1 FROM WWW.WINPCAP.ORG.
>
> I have placed the new version up at:
>
> http://www.insecure.org/nmap/dist/nmap-3.84ALPHA1.tgz
> http://www.insecure.org/nmap/dist/nmap-3.84ALPHA1.tar.bz2
> http://www.insecure.org/nmap/dist/nmap-3.84ALPHA1-win32.zip
>
> The crypto signatures are in http://www.insecure.org/nmap/dist/sigs/ ,
> as usual, but see the changes below for the new Nmap Project key
> details.
>
> Finally, here are the most significant changes since 3.81:
>
> o Added the ability for Nmap to send and properly route raw ethernet
> packets containing IP datagrams rather than always sending the
> packets via raw sockets. This is particularly useful for Windows,
> since Microsoft has disabled raw socket support in XP for no good
> reason. Nmap tries to choose the best method at runtime based on
> platform, though you can override it with the new --send_eth and
> --send_ip options.
>
> o Added ARP ping (-PR). Nmap can now send raw ethernet ARP requests to
> determine whether hosts on a LAN are up, rather than relying on
> higher-level IP packets (which can only be sent after a successful
> ARP request and reply anyway). This is much faster and more
> reliable (not subject to IP-level firewalling) than IP-based probes.
> The downside is that it only works when the target machine is on the
> same LAN as the scanning machine. It is now used automatically for
> any hosts that are detected to be on a local ethernet network,
> unless --send_ip was specified. Example usage: nmap -sP -PR
> 192.168.0.0/16 . This is not yet supported on Windows.
>
> o Added the --spoof_mac option, which asks Nmap to use the given MAC
> address for all of the raw ethernet frames it sends. The MAC given
> can take several formats. If it is simply the string "0", Nmap
> chooses a completely random MAC for the session. If the given
> string is an even number of hex digits (with the pairs optionally
> separated by a colon), Nmap will use those as the MAC. If less than
> 12 hex digits are provided, Nmap fills in the remainder of the 6
> bytes with random values. If the argument isn't a 0 or hex string,
> Nmap looks through the nmap-mac-prefixes to find a vendor name
> containing the given string (it is case insensitive). If a match is
> found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
> remaining 3 bytes randomly. Valid --spoof_mac argument examples are
> "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
> "Cisco".
>
> o Applied a massive OS fingerprint update from Zhao Lei
> (zhaolei(a)gmail.com). About 350 fingerprints were added, and many
> more were updated. Notable additions include Mac OS X 10.4 (Tiger),
> OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
> with a new "robotic pet" device type category), the latest Linux 2.6
> kernels, Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
> UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
> 3.8.X, and Solaris 10. Of course there are also tons of new
> broadband routers, printers, WAPs and pretty much any other device
> you can coax an ethernet cable (or wireless card) into!
>
> o Integrated hundreds of nmap-service-probes signatures from Doug
> Hoyte (doug(a)hcsw.org)
>
> o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
> (mueller(a)kde.org) to nmap-service-probes. Also added AFS version
> probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And
> even more probes and matches from Martin Macok
> (martin.macok(a)underground.cz)
>
> o Nmap on Windows now compiles/links with the new WinPcap 3.1
> header/lib files. So please upgrade to 3.1 from
> http://www.winpcap.org before installing this version of Nmap.
> While older versions may still work, they aren't supported with Nmap.
>
> o Fixed a problem where Nmap compilation would use header files from
> the libpcap included with Nmap even when it was linking to a system
> libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan
> Demirmen (okan(a)demirmen.com) for reporting the problem.
>
> o Added configure option --with-libpcap=included to tell Nmap to use
> the version of libpcap it ships with rather than any that may already be
> installed on the system. You can still use --with-libpcap=[dir] to
> specify that a system libpcap be installed rather than the shipped
> one. By default, Nmap looks at both and decides which one is likely
> to work best. If you are having problems on Solaris, try
> --with-libpcap=included .
>
> o Changed the --no-stylesheet option to --no_stylesheet to be
> consistent with all of the other Nmap options. Though I'm starting to
> like hyphens a bit better than underscores and may change all of the
> options to use hyphens instead at some point.
>
> o Added "Exclude" directive to nmap-service-probes grammar which
> causes version detection to skip listed ports. This is helpful for
> ports such as 9100. Some printers simply print any data sent to
> that port, leading to pages of HTTP requests, SMB queries, X Windows
> probes, etc. If you really want to scan all ports, specify
> --allports. This patch came from Doug Hoyte (doug(a)hcsw.org).
>
> o Added a stripped-down and heavily modified version of Dug Song's
> libdnet networking library (v. 1.10). This helps with the new raw
> ethernet features. My changes are described in
> libdnet-stripped/NMAP_MODIFICATIONS
>
> o Removed WinIP library (and all Windows raw sockets code) since MS
> has gone and broken raw sockets. Maybe packet receipt via raw
> sockets will come back at some point.
>
> o Changed the interesting ports array from a 65K-member array of
> pointers into an STL list. This noticeably reduces memory usage in
> some cases, and should also give a slight runtime performance
> boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).
>
> o Removed the BSDFIX/BSDUFIX macros. The underlying bug in
> FreeBSD/NetBSD is still there though. When an IP packet is sent
> through a raw socket, these platforms require the total length and
> fragmentation offset fields of an IP packet to be in host byte order
> rather than network byte order, even though all the other fields
> must be in NBO. I believe that OpenBSD fixed this a while back.
> Other platforms, such as Linux, Solaris, Mac OS X, and Windows take
> all of the fields in network byte order. While I removed the macro,
> I still do the munging where required so that Nmap still works on
> FreeBSD.
>
> o Integrated many nmap-service-probes changes from Bo Jiang
> (jiangbo(a)brandeis.edu)
>
> o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
> (eilon(a)aristo.tau.ac.il)
>
> o Added some new RPC services to nmap-rpc thanks to a patch from
> vlad902 (vlad902(a)gmail.com).
>
> o Fixed a bug where Nmap would quit on Windows whenever it encountered
> a raw scan of localhost (including the local ethernet interface
> address), even when that was just one address out of a whole network
> being scanned. Now Nmap just warns that it is skipping raw scans when
> it encounters the local IP, but continues on to scan the rest of the
> network. Raw scans do not currently work against local IP addresses
> because Winpcap doesn't support reading/writing localhost interfaces
> due to limitations of Windows.
>
> o The OS fingerprint is now provided in XML output if debugging is
> enabled (-d) or verbosity is at least 2 (-v -v). This patch was
> sent by Okan Demirmen (okan(a)demirmen.com)
>
> o Fixed the way tcp connect scan (-sT) responds to ICMP network
> unreachable responses (patch by Richard Moore
> (rich(a)westpoint.ltd.uk)).
>
> o Fixed a crash problem related to non-portable varargs (vsnprintf)
> usage. Reports of this crash came from Alan William Somers
> (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
> This patch was prevalent on Linux boxes running an Opteron/Athlon64
> CPU in 64-bit mode.
>
> o Nmap distribution signing has changed. Release files are now signed
> with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also
> generated a new key for himself (KeyID 33599B5F). The Nmap key has
> been signed by Fyodor's new key, which has been signed by Fyodor's
> old key so that you know they are legit. The new keys are available
> at http://www.insecure.org/nmap/data/nmap_gpgkeys.txt, as
> docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
> keyserver network. Here are the fingerprints:
> pub 1024D/33599B5F 2005-04-24
> Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
> uid Fyodor <fyodor_at_insecure.org>
> sub 2048g/D3C2241C 2005-04-24
>
> pub 1024D/6B9355D0 2005-04-24
> Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
> uid Nmap Project Signing Key (http://www.insecure.org/)
> sub 2048g/A50A6A94 2005-04-24
>
> o Update random host scan (-iR) to support the latest IANA-allocated
> ranges, thanks to patch by Chad Loder (cloder(a)loder.us).
>
> o Added 'leet ASCII art to the configurator! ARTIST NOTE: If you think
> the ASCII art sucks, feel free to send me alternatives. Note that
> only people compiling the UNIX source code get this. (ASCII artist
> unknown).
>
> o Updated GNU shtool (a helper program used during 'make install') to
> version 2.0.2, which fixes a predictable temporary filename
> weakness discovered by Eric Raymond.
>
> o Removed addport element from XML DTD, since it is no longer used
> (suggested by Lionel Cons (lionel.cons(a)cern.ch)).
>
> o Added new --privileged command-line option and NMAP_PRIVILEGED
> environmental variable. Either of these tell Nmap to assume that
> the user has full privileges to execute raw packet scans, OS
> detection and the like. This can be useful when Linux kernel
> capabilities or other systems are used that allow non-root users to
> perform raw packet or ethernet frame manipulation. Without this
> flag or variable set, Nmap bails on UNIX if geteuid() is
> nonzero.
>
> o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon
> Burr (simes(a)bpfh.net).
>
> o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
> any TCP scans in which the initial probe packet has the ACK flag set.
> This would be the ACK, Xmas, Maimon, and Window scans.
>
> o Updated the Nmap version number, description, and similar fields
> that MS Visual Studio places in the binary. This was done by editing
> mswin32/nmap.rc as suggested by Chris Paget (chrisp_at_ngssoftware.com)
>
> o Fixed Nmap compilation on DragonFly BSD (and perhaps some other
> systems) by applying a short patch by Joerg Sonnenberger which omits
> the declaration of errno if it is a #define.
>
> o Fixed an integer overflow that prevented Nmap from scanning
> 2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem
> noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
> are now possible, don't expect them to finish during your bathroom
> break. No matter how constipated you are.
>
> o Increased the buffer size allocated for fingerprints to prevent Nmap
> from running out and quitting (error message: "Assertion
> `servicefpalloc - servicefplen > 8' failed"). Thanks to Mike Hatz
> (mhatz(a)blackcat.com) for the report. [ Actually this was done in a
> previous version, but I forgot which one ]
>
> o Changed from CVS to Subversion source control system (which
> rocks!). Neither repository is public (I'm paranoid because both CVS
> and SVN have had remotely exploitable security holes), so the main
> change users will see is that "Id" tags in file headers use the SVN
> format for version numbering and such.
>
> If you already spent the time to read this far, please test it out and
> let me know how it goes.
>
> Cheers,
> Fyodor
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
Received on Aug 25 2005
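The --spoof_mac argument grammar described in the quoted announcement ("0", an even number of hex digits with optional colons, otherwise a case-insensitive vendor lookup), as an added example in C. This is not Nmap's own code; the vendor table is a constructed stand-in for nmap-mac-prefixes with made-up OUIs and vendor names, and parse_spoof_mac is an assumed name.

```c
#include <ctype.h>
#include <stdlib.h>
#include <string.h>
#include <strings.h>   /* strncasecmp (POSIX) */

/* Constructed stand-in for nmap-mac-prefixes entries ("OUI Vendor").
 * The OUIs and names below are made up for this example. */
struct mac_prefix { unsigned char oui[3]; const char *vendor; };
static const struct mac_prefix PREFIXES[] = {
    { {0x00, 0x11, 0x22}, "Acme Widgets" },
    { {0x00, 0x11, 0x23}, "Example Networks" },
};

/* Case-insensitive substring test (strcasestr is not in ISO C). */
static int contains_nocase(const char *hay, const char *needle) {
    size_t n = strlen(needle);
    for (; *hay; hay++)
        if (strncasecmp(hay, needle, n) == 0) return 1;
    return 0;
}

/* Parse a --spoof_mac argument into mac[6]. Returns how many leading
 * bytes the argument fixed (the remaining bytes are filled randomly),
 * or -1 if the argument matches none of the accepted forms. */
int parse_spoof_mac(const char *arg, unsigned char mac[6]) {
    int fixed = -1;
    if (!*arg) return -1;
    if (strcmp(arg, "0") == 0) {
        fixed = 0;                              /* fully random MAC */
    } else {
        unsigned char buf[6]; int nd = 0, ok = 1;
        for (const char *p = arg; *p && ok; p++) {   /* hex, ':' optional */
            if (*p == ':') continue;
            if (!isxdigit((unsigned char)*p) || nd >= 12) { ok = 0; break; }
            int v = isdigit((unsigned char)*p) ? *p - '0'
                                               : tolower((unsigned char)*p) - 'a' + 10;
            if (nd % 2 == 0) buf[nd / 2] = (unsigned char)(v << 4);
            else             buf[nd / 2] |= (unsigned char)v;
            nd++;
        }
        if (ok && nd > 0 && nd % 2 == 0) {          /* even hex digit count */
            memcpy(mac, buf, (size_t)(nd / 2));
            fixed = nd / 2;
        } else {                                    /* vendor-name lookup */
            for (size_t i = 0; i < sizeof PREFIXES / sizeof PREFIXES[0]; i++)
                if (contains_nocase(PREFIXES[i].vendor, arg)) {
                    memcpy(mac, PREFIXES[i].oui, 3); fixed = 3; break;
                }
        }
    }
    if (fixed < 0) return -1;
    for (int i = fixed; i < 6; i++) mac[i] = (unsigned char)(rand() & 0xff);
    return fixed;
}
```

An odd number of hex digits (e.g. "abc") is not treated as hex, per the announcement, and falls through to the vendor lookup, which fails here.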