Nmap Hackers: Re: Nmap 2.30BETA20 Released

Re: Nmap 2.30BETA20 Released

From: Andrew Brown <atatat_at_atatdot.net>
Date: Thu, 20 Apr 2000 19:21:31 -0400

>I am pleased to announce that Nmap 2.30BETA20 has been released. It
>contains a few bugfixes and is a stable release candidate. I plan to
>release the next stable version within a week. It may just be 2.30BETA20
>with the version number changed. So try it out and let me know if you
>find any problems.

hopefully you're not too close to actually cutting the release that
you can't roll in one nifty new feature.

attached is a patch that allows nmap to detect cisco equipment in a
way similar to a syn scan. here's a demo:

# ./nmap -sC 204.17.3.0/24

Starting nmap V. 2.30BETA20 by fyodor_at_insecure.org ( www.insecure.org/nmap/ )
Host (204.17.3.0) seems to be a subnet broadcast address (returned 25 extra pings). Still scanning it.
Host (204.17.3.1) appears to be a cisco.
Host (204.17.3.47) appears to be a cisco.
Host (204.17.3.255) seems to be a subnet broadcast address (returned 25 extra pings). Still scanning it.
Nmap run completed -- 256 IP addresses (68 hosts up) scanned in 7 seconds

i mainly hacked it in around the syn scan code, but with only one port
in mind: 1999/tcp. ciscos will usually not have any processes
listening on this port and will respond with the expected reset
packet. the trick is that ciscos put six bytes of data (that are not
accounted for in the ip packet length or tcp data length numbers) at
the end of the reset packet that say "cisco\0".

there's also a small patch to services.c to ignore a couple of
protocol types sometimes found in /etc/services that nmap doesn't
handle (reducing the number of complaints when running it with a few
-d's).

i'd also like to suggest that you distribute the "massive" services
file that i've been maintaining for a year or so at

    http://www.graffiti.com/services

as the nmap-services file. it's basically a large merge of the iana
port-numbers list and the services files from solaris, the bsds, a few
linuxes, and some submissions i've gotten, giving a really nice big
list. it's really good for scanning *everything*. :)

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior_at_daemon.org             * "ah!  i see you have the internet
twofsonet_at_graffiti.com (Andrew Brown)                that goes *ping*!"
andrew_at_crossbar.com       * "information is power -- share the wealth."

Received on Apr 20 2000
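As an added illustration (not part of Andrew's patch or of nmap's own code), here is the heuristic from the post written out in Python: parse an IPv4/TCP reply, and if it is an RST, return whatever bytes sit beyond the IP total length and compare them with the six-byte "cisco\0" trailer. The packet is constructed inline with zeroed checksums; a defender can run the same check over replies captured from their own equipment to see which devices leak this identifying trailer.

```python
import struct
from typing import Optional

# Trailer described in the post: six bytes appended after the IP datagram.
CISCO_TRAILER = b"cisco\x00"


def build_sample_rst(trailer: bytes = CISCO_TRAILER) -> bytes:
    """Constructed sample (not a real capture): IPv4 + TCP RST/ACK from
    tcp/1999, checksums left at zero, with `trailer` appended beyond the
    length the IP header declares."""
    tcp = struct.pack("!HHIIBBHHH",
                      1999,      # source port (the probed port)
                      40000,     # destination port
                      0,         # sequence number
                      1,         # acknowledgement number
                      5 << 4,    # data offset = 5 words (20 bytes)
                      0x14,      # flags: RST | ACK
                      0, 0, 0)   # window, checksum, urgent pointer
    ip_total_len = 20 + len(tcp)
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45, 0, ip_total_len, 0, 0, 64, 6, 0,  # proto 6 = TCP
                     bytes([10, 0, 0, 1]), bytes([10, 0, 0, 2]))
    return ip + tcp + trailer


def rst_trailer(packet: bytes) -> Optional[bytes]:
    """If `packet` is an IPv4 TCP segment with the RST bit set, return the
    bytes that lie beyond the IP total length (empty if none); else None."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        return None
    ihl = (packet[0] & 0x0F) * 4
    total_len = struct.unpack("!H", packet[2:4])[0]
    if packet[9] != 6 or len(packet) < ihl + 20 or total_len > len(packet):
        return None
    flags = packet[ihl + 13]
    if not flags & 0x04:          # RST bit
        return None
    return packet[total_len:]


def looks_like_cisco(packet: bytes) -> bool:
    """The post's heuristic: an RST that carries exactly "cisco\\0"."""
    return rst_trailer(packet) == CISCO_TRAILER


if __name__ == "__main__":
    print(looks_like_cisco(build_sample_rst()))       # True
    print(looks_like_cisco(build_sample_rst(b"")))    # False
```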