Nmap Development: Re: [Exp PATCH] Start OSScan more quickly

From: Eddie Bell <ejlbell_at_gmail.com>
Date: Thu, 14 Jun 2007 20:42:38 +0100

Hey Kris,

Cool idea. I haven't looked at the code very deeply but I think
clearHost() causes problems for the code that runs after it

$ sudo gdb ./nmap
(gdb) r -sS -p1-30 -O --osscan-quick -iR 200 -v

<snip>

Program received signal SIGSEGV, Segmentation fault.
HostScanStats::destroyOutstandingProbe at scan_engine.cc:1501
1501 if (!probe->timedout) {
(gdb) info stack
#0 HostScanStats::destroyOutstandingProbe (this=0xf859a0,
probeI=<value optimized out>) at scan_engine.cc:1501
#1 0x000000000043474f in HostScanStats::clearHost (this=0xf859a0) at
scan_engine.cc:1483
#2 0x000000000043966d in processData (USI=0xf857a0) at scan_engine.cc:3389

Also the check in scan_engine.cc only checks for osscan_quick. This
might cause a problem if the user has only specified that and not an
osscan (-O)

cheers
 - eddie

On 12/06/07, Kris Katterjohn <katterjohn_at_gmail.com> wrote:
> Hey everyone!
>
> I have attached an experimental (read: it works for me, but there's
> probably a better way) patch (off soc07) for people when they really
> just want to use Nmap's OS Detection.
>
> So, basically, --osscan-quick is an option added to end the port
> scanning of a host when an open and closed TCP port and/or a closed UDP
> port is determined, as this is what the OS Detection uses. The idea
> being that if we don't know what ports are open/closed on the host, we
> can't limit the ports scanned using -p. But if we just want to
> determine the OS, we don't really want to scan all the ports of the host
> because that can take a while for information we don't want.
>
> The clearHost() stuff in scan_engine.cc is the thing that can probably
> be done better. Is there a better way to end prematurely? Does doing
> this cause any problems? I didn't encounter any, but very thorough
> tests were not done.
>
>
> Please let me know what you think.
>
>
> Thanks,
> Kris Katterjohn
>
>
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://SecLists.Org

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://SecLists.Org
Received on Jun 14 2007
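The stop condition Kris describes ("an open and closed TCP port and/or a closed UDP port") and the dependency on -O that Eddie raises, modelled as a small added C++ example. This is not Nmap's code or the attached patch: the option struct, the port-result type and the helper names are hypothetical, and the reading of "and/or" (a TCP scan is satisfied by the open+closed TCP pair, a UDP scan by a closed UDP port, a combined scan needs both) is an assumption made for the example.

```cpp
// Added example, not Nmap's code: a model of the --osscan-quick stop
// condition described in the thread, with the -O dependency Eddie points out.
#include <vector>

enum class Proto { TCP, UDP };
enum class PortState { Open, Closed, Filtered, Unknown };

// One port's result for a host (constructed for this example).
struct PortResult {
    Proto proto;
    int port;
    PortState state;
};

// Hypothetical option flags standing in for nmap's -O and --osscan-quick.
struct ScanOptions {
    bool osscan;       // -O
    bool osscan_quick; // --osscan-quick (the experimental option in the thread)
};

// The port states OS detection wants: open TCP, closed TCP, closed UDP.
struct OsscanPorts {
    bool open_tcp = false;
    bool closed_tcp = false;
    bool closed_udp = false;
};

// Fold the per-port results into the three flags OS detection cares about.
OsscanPorts summarize(const std::vector<PortResult>& results) {
    OsscanPorts s;
    for (const PortResult& r : results) {
        if (r.proto == Proto::TCP && r.state == PortState::Open)   s.open_tcp = true;
        if (r.proto == Proto::TCP && r.state == PortState::Closed) s.closed_tcp = true;
        if (r.proto == Proto::UDP && r.state == PortState::Closed) s.closed_udp = true;
    }
    return s;
}

// Assumed reading of "an open and closed TCP port and/or a closed UDP port":
// a TCP scan is satisfied by the open+closed TCP pair, a UDP scan by a closed
// UDP port, and a scan doing both protocols needs both.
bool osscan_ports_found(const OsscanPorts& s, bool scanning_tcp, bool scanning_udp) {
    bool ok = true;
    if (scanning_tcp) ok = ok && s.open_tcp && s.closed_tcp;
    if (scanning_udp) ok = ok && s.closed_udp;
    return ok && (scanning_tcp || scanning_udp);
}

// Decide whether the port scan of this host may end early.
bool should_stop_portscan_early(const ScanOptions& opts,
                                const std::vector<PortResult>& results,
                                bool scanning_tcp, bool scanning_udp) {
    // Eddie's point: --osscan-quick only makes sense together with -O, so
    // the quick flag on its own must never end a scan early.
    if (!opts.osscan || !opts.osscan_quick) return false;
    return osscan_ports_found(summarize(results), scanning_tcp, scanning_udp);
}
```

The check in should_stop_portscan_early is the part Eddie's second remark is about: if only osscan_quick were tested, a user passing --osscan-quick without -O would get a truncated port scan and no OS detection to show for it.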
