# Nmap Changelog ($Id$) OSFINGER 1.00 o Based on Nmap 3.00, do OS fingrprint only. Nmap 3.00 o Woohoo! :) Nmap 2.99RC2 o Fixed an important memory initialization bug which was causing crashes on Mac OS X (and possibly other platforms). The problem was located by Pieter ten Pierick (P.tenPierick@chello.nl) o Various minor bugfixes/cleanup Nmap 2.99RC1 o Implemented the biggest OS fingerprint update since December 1999! More than 200 fingerprints were added/modified. This includes OpenBSD 3.1, Solaris 9, Mac OS 10.1.5, OS/400, FreeBSD 4.6, The latest MS WinXP changes, new CISCO equiptment, and loads of network devices such as VoIP phones, switches, printers, WAPs, etc. o Updated build system to work on MacOS X. o I removed "credit" lines from the nmap-os-fingerprints file out of concern that evil spammers might harvest the 602 addresses. Plus those took up 28K and the size of nmap-os-fingerprints has already caused trouble for some handheld devices. If anyone actually cares about the "fame" of being listed, let me know and I'll put you back in. I still appreciate everyone who submits fingerprints! I just don't want you to be spammed when the fingerprint file goes online. o Minor usage screen (nmap -h) fix suggested by Martin Kluge ( martin@elxsi.info ) o Insured that the initial pound (#) in C preprocessor directives is always in column 1 (portability fix). Problem noted by Shamsher Sran (ssran@bechtel.com) Nmap 2.54BETA37 o Made SYN scan the default for privileged (root) users. This offers far better performance for Windows users due to their broken connect() call, and is usually even preferred on UNIX because it is more stealthy and less likely to crash applications listening on the target host. o Fixed a problem noted by Ping Huang (pshuang@alum.mit.edu) relating to -PI scans of a machine's own non-localhost interfaces (eg scanning your ethernet address). o Applied patch from Patrice Goetghebeur (pgoetghebeur@mac.com) which fixes PPP/SLIP support on Mac OS X. o Applied dozens of nmap-services portnumber mapping updates researched and sent by palante@subterrain.net o Updated nmap-rpc to the latest version from Eilon Gishri (eilon@aristo.tau.ac.il) o Fixed --resume option to better detect all of the previously scanned hosts in an -oN file (bug report from Adam.Scott@predictive.com ) o Adjusted random IP generator (for -iR) to account for newly allocated ip space from http://www.iana.org/assignments/ipv4-address-space as noted by Chad Loder (cloder@acm.org) o Updated config.sub and config.guess to the versions in automake-1.6.2 . o Applied patch from Markus A. Nonym (g17m0@lycos.com) which checks for a recent version of GTK+ in ./configure before even trying to build NmapFE (avoids the previous ugly compiler errors). o Applied patch from benkj@gmx.it which fixes misbehavior when Nmap would receive EOF (including ^D) in interactive mode. o Fixed format string bugs (not the security-related kind) found by Takehiro YONEKURA (yonekura@obliguard.com) and Kuk-hyeon Lee (errai@inzen.com) o Applied patch from Greg Steuck (greg-nmap-dev@nest.cx) which fixes an alignment problem in charpool.c that could cause bus errors on 64-bit platforms. o Applied portability fix patch from Matt Christian (mattc@visi.com) Nmap 2.54BETA36 o Fixed major connect scan problem introduced in BETA35 o Changed NmapFE to use the version number 2.54BETA36 rather than 0.2.54BETA36. I had to do this because RedHat took the liberty of releasing a so-called "2.54BETA31" version of nmap-frontend in their 7.3 distribution. Thus my upgrades were failing to install on such systems because a "later" version is already installed. Nmap 2.54BETA35 o Fixed an issue that could cause the abort message "Serious time computation problem in adjust_timeout ...". If you still see this, please let me know. o Fixed Windows compilation (and I really mean it this time -- tested myself). o Applied configure script patch to recognize Solaris 2.10 when it eventually becomes available (from James Carlson (james.d.carlson@east.sun.com) o Applied some portability fixes from Albert Chin (china@thewrittenword.com) o Applied libpcap aclocal.m4 patch to enable debugging (-g) when compiling libpcap with gcc. Patch from Ping Huang (pshuang@alum.mit.edu) o Restructured "TCP probe port" output message a bit as suggested by Ping Huang (pshuang@alum.mit.edu) Nmap 2.54BETA34 o Windows compilation fixed thanks to new VC++ project file (nmap.dsp) sent by Evan Sparks (gmplague@sdf.lonestar.org) (I had forgotten to include the new main.c). o Various nmap-services updates o Fixed a bunch of typos and capitalization issues in nmap-os-fingerprints by applying patch sent in by Royce Williams (royce@alaska.net). Nmap 2.54BETA33 o Tons of OS fingerprint updates. More than 100 fingerprints added or changed, including OpenBSD 3, FreeBSD 4.5, Solaris 9 pre-release, Commodor 64 (with the TFE Ethernet Card and uIP stack), Compaq iPAQ, Cisco IOS 12.2(8), AIX 5.1, IRIX 6.5.15, various Redback/Racal/Juniper/BigIP/HP/Siemens/Brocade/Quantum devices, numerous printers/switches, KRONOS network clock, WTI Network Power Switch, Windows XP, and many more. Thanks to everyone who contributed! o Applied fix for an important RPC scanning bug sent in by Pasi Eronen (pasi.eronen@nixu.com) o Applied fix for nasty OS fingerprinting bug found by William Robertson (wkr@cs.ucsb.edu) o Do not show uptime when obviously spoofed (eg OpenBSD 3.0) o Slightly changed (I hope improved) the whitespace in Nmap output so that messages relating to the same host are kept together (and different hosts different separated by newlines). o Moved main() function into a new file, cleverly named main.c. Nmap 2.54BETA32 o Applied Windows pinging fix and from Andy Lutomirski (Luto@myrealbox.com) o Applied a few more Windows fixes from Andy. o Fixed a flaw in several error-checking statements noted by Giacomo Cariello (jwk@bug.it) o Applied Win32 compilation fixes sent by Kirby Kuehl (kkuehl@cisco.com) and jens.vogt@bluewin.ch Nmap 2.54BETA31 o Added ICMP Timestamp and Netmask ping types (-PP and -PM). These (especially timestamp) can be useful against some hosts that do not respond to normal ping (-PI) packets. o Documented the --data_length option and made it work with all the ICMP ping types (echo request, netmask, and timestamp). o Added check for strings.h before including it in portlist.c . This fixes a compilation problem on some versions of Windows. Problem first noted by Michael Vorin (mvorin@hotmail.com) o Applied patch from Andy Lutomirski (Luto@myrealbox.com) which fixes a crash on some Windows platforms when timeouts occur. o Fixed "grepable output" (-oG) so that it prints IPID sequence class rather than printing the TCP ISN sequence index twice. Problem noted by Russell Fulton (r.fulton@auckland.ac.nz) o Added mysterious, undocumented --scanflags option. o Applied patch from Andy Lutomirski (Luto@myrealbox.com) which fixes some important Windows bugs. Apparently this can cause a dramatic speedup in some circumstances. The patch had other misc. changes too. o Fix bug noted by Chris V (iselldrugstokidsonline@yahoo.com) in which Nmap could segmentation fault with the (bogus) command: './nmap -sO -p 1-65535 hostname' (protocol only can go up to 255). That being said, Nmap should never segfault just because of bogus options. o Fixed problem noted by Maximiliano (emax25@arnet.com.ar) where Nmap would get stuck in a (nearly) infinite loop when you try to "resume" a random host (-iR) scan. o Included a number of fingerprint updates, but I still have many more web submissions to go through. Also made some nmap-services portlist updates. o Included a bunch of fixes (mostly to prevent compiler warnings) from William McVey (wam@cisco.com) Nmap 2.54BETA30 o Added a Document Type Definition (DTD) for the Nmap XML output format (-oX) to the docs directory. This allows validating parsers to check nmap XML output files for correctness. It is also useful for application programmers to understand the XML output structure. The DTD was written by William McVey (wam@cisco.com) of Cisco Secure Consulting Services ( http://www.cisco.com/go/securityconsulting ). o Merged in a number of Windows fixes/updates from Andy Lutomirski (Luto@myrealbox.com) o Merged in fixes/updates (mostly to the Windows functionality) from Matt Hargett (matt@use.net) o Applied patch by Colin Phipps (cph@netcraft.com) which correctly encodes special characters in the XML output. o Applied patch by William McVey (wam@cisco.com) which adds the uptime information printed with -O to the XML output format. o Fixed byte-order bug in Windows packet matching code which caused -PS and -PT to fail. Bug found and patch sent by Tim Adam (tma@osa.com.au) o Fixed segfault problem with "-sU -F". Nobody reported this until I noticed it :(. Anytime you see "Segmentation Fault" in the latest version of Nmap, it is probably a bug -- please mail me the command you used, the OS/platform you are running on, and whether it is reproducable. o Added a convenience option "-oA (basefilename)". This tells Nmap to log in ALL the major formats (normal, grepable, and XML). You give a base for the filename, and the output files will be base.nmap, base.gnmap, and base.xml. o Documented the --append_output option which tells Nmap to append scan results to any output files you have specified rather than overwriting the files. o Integrate TIMEVAL_SEC_SUBTRACT() fix by Scott Renfro (scott@renfro.org) which improves timing accuracy. ** 2.54BETA29 o Integrated William McVey's multi-portlist patch. This allows you to specify different port numbers when scanning both TCP & UDP. For example, if you want to UDP for 53,111 and 137 while TCP scanning for 21-25,80,139,515,6000,8080 you could do: nmap -sSU -p U:53,111,137,T:21-25,80,139,515,6000,8080 target.com . Prior to this patch, you had to either use different Nmap executions or scan both UDP & TCP of each port. See the man page for more usage info. o Added/updated a bunch of fingerprints, including Windows XP release candidates #1 & #2, OpenBSD 2.9, various home gateways/cable modem, MacOS X 10.0.4, Linux 2.4.7, Guantlet Firewall 4.0a, a few Cisco routers, and, most importantly, the Alcatel Advanced Reflexes IP Phone :). Many other fingerprints were updated as well. o Found and fixed some relatively major memory leaks based on reports sent in by H D Moore (hdm@secureaustin.com), mugz (mugz@x-mafia.org), and Steven Van Acker (deepstar@ulyssis.org) o Applied patch from Chad Loder (chad_loder@rapid7.com) which improves random target host selection (-iR) by excluding more undesirable addresses. o Fixed portscan timing bug found by H D Moore (hdm@secureaustin.com). This bug can occur when you specify a --max_rtt_timeout but not --initial_rtt_timeout and then scan certain firewalled hosts. o Fixed port number printing bug found by "Stephen Leavitt" o The Nmap source tarball now extracts with more lenient permissions (sometimes world-readable or world-executable, but never world-writable). If you don't want this, set your umask to 077 (which is what I do). Suggested by Line Printer (lps@rahul.net) ** 2.54BETA28 o I hope that I have fixed the Libpcap "Unknown datalink type" problem that many people reported. If you still receive this error, please send me the following info: 1) Full output of Nmap including the command you typed 2) What OS/OS version you are using 3) What type of interface is the scan going through (PPP, ISDN, ethernet, PPPoE, etc) 4) Whether you compiled from source or used the RPM version o Hopefully fixed Libpcap lex/yacc generated file problem that plagued a few folks. o Various minor fixes/changes/updates ** 2.54BETA27 o Fixed bug that caused "adding open port" messages to be printed even when verbose mode was not specified. (patch sent by Doug Hoyte ( dugely@yahoo.com ). o Fixed bug in zombie:port option parsing in Idlescan as well a few other bugs in patch sent by Germano Caronni (gec@acm.org) o Fixed Windows compilation (I broke it when I added Idlescan). o Fixed a (Win32 only) port identification bug which would cause some ports to be listed as "unknown" even when Nmap should know their name. This was found at patched by David Griffiths (davidg@intrinsica.co.uk). o Fixed more nmap-os-fingerprints syntax/grammar violations found by Raymond Mercier of VIGILANTe o Fixed a memory leak in Nbase str*casecmp() functions by applying patch sent by Matt (matt@use.net). I plan to kill this whole strcasecmp.c file as soon as possible (it is a mess). ** 2.54BETA26 o Added Idlescan (IPID blind scan). The usage syntax is "-sI ". o Fixed a bunch of fingerprints that were corrupt due to violations of the fingerprint syntax/grammar (problems were found by Raymond Mercier of VIGILANTe ) o Fixed command-line option parsing bug found by "m r rao" (mrrao@del3.vsnl.net.in ) o Fixed an OS fingerprinting bug that caused many extra packets to be sent if you request a lot of decoys. o Added some debug code to help diagnose the "Unknown datalink type" error. If Nmap is giving you this error, please send the following info to fyodor@insecure.org : 1) The full output from Nmap (including the command arguments) 2) What OS and OS version are you using 3) What type of adaptor are you using (modem, ethernet, FDDI, etc) o Added a bunch of IDS sensor/console/agent port numbers from Patrick Mueller (pmueller@neohapsis.com) ** 2.54BETA25 o Added a whole bunch of new OS fingerprints (and adjustments) ranging from big important ones (Linux 2.4.X, OpenBSD 2.9, FreeBSD 4.3, Cisco 12.2.1, MacOS X, etc) to some that are more obscure ( such as Apple Color LaserWriter 12/660 PS and VirtualAccess LinxpeedPro 120 ) o Upgraded Libpcap to the latest version (0.6.2) from tcpdump.org. I modified the build system slightly by shipping pre-generated scanner.c/grammer.c (instead of using lex/yacc) and I also upgraded to the newest config.sub/config.guess . o Fixed some issues with the new Libpcap under Linux (patches will be sent to the developers). o Added "All zeros" IP.ID sequence classification to account for the new Linux 2.4 scheme which seems to use 0 whenever the DF bit is set (probably a good idea). o Tweaked TCP Timestamp and IP.ID sequence classification algorithms ** 2.54BETA24 o Fixed compilation problems on MacOS X publis release. Thanks to Nicolas Dawson (nizcolas@myrealbox.com) for securing an account for me. o On the suggestion of the ever-helpful LaMont Jones (lamont@hp.com), I obtained the newest config.guess/config.sub from http://subversions.gnu.org/cgi-bin/cvsweb/config and made libpcap/nbase use symlinks rather than copeis of the file o Applied patch from LaMont Jones (lamont@hp.com) which makes Nmap compatable with gcc 3.0 (apparently printf() is a macro in that version) o Applied patch from Colin Phipps (cph@netcraft.com) which fixes a problem that kept UDP RPC scanning from working unless you were also doing a TCP scan. o Applied a patch from Chris Eagle (cseagle@redshift.com) which fixes Windows compilation (I broke it with a recent change). o Updated Lithuanian translation of man page based on a newer version sent by Aurimas Mikalauskas (inner@crazy.lt) o Killed carriage returns in nmap.c and nmapfe.c, which caused problems for some (SGI) compilers. Problem noted by Artur Niederstebruch (artur@sgi.com) o Updated to latest version of rpc program number list, maintained by Eilon Gishri (eilon@aristo.tau.ac.il) o Fixed a quoting bug in the Nmap man page found by Rasmus Andersson o Applied RPM spec file changes from "Benjamin Reed" (ranger@befunk.com) which allows you to avoid building the frontend by adding "--define frontend 0" to the build command (eg --rebuild, --ba, etc). ** 2.54BETA22 -- Eliminated usage of u_int32_t (was causing compilation errors on some Sun and HP boxes). Problem first noted by Nick Munger (nmunger@Oswego.EDU) and Ralf Hildebrandt (Ralf.Hildebrandt@innominate.com) and Antonin Sprinzl (Antonin.Sprinzl@tuwien.ac.at) -- Defined integer-width typedefs such as u32/s32/u16/etc. in Nbase. Went through much of the Nmap code and substituted these in where correct lengths are important (port numbers, IP addresses, etc). ** 2.54BETA21 -- Cleaned up a few build/distribution issues that were reported by LaMont Jones (lamont@hp.com) -- Fixed compiler warning noted by Gabor Z. Papp (gzp@papp.hu) ) ** 2.54BETA20 -- Added TCP Timestamp sequence checking for OS detection and Netcraft-style uptime tests. -- Found and fixed (I hope) byte alignment problem which was causing bus errors on SPARC64 ( reported by H D Moore (hdm@secureaustin.com) and Matthew Franz (mfranz@cisco.com) ) -- Apple Darwin (Mac OS X) 1.2 portability patch from Rob Braun -- Added IPID sequence number predictability report (also now used in OS detection). -- Show actual IPID, TCP ISN, and TCP timestamp values in XML format output rather than just the cooked results. -- Suppress IPID and TCP ISN predictability report unless you use -v (you need -O as well). -- Applied Solaris 8 compilation fixes from Germano Caronni ( gec@acm.org ) -- Applied configure.in variable name typo fixes from Christian Weisgerber (naddy@openbsd.org) -- Applied some more changes from Andy Lutomirski (Luto@mailandnews.com) which provides better detection and reporting from some heinous errors. -- Added -n and -R (always/never DNS resolve) options to the man page. ** 2.54BETA19 -- I ported NmapFE to Windows so that Win32 users can use the graphical interface. It generally works, although I haven't tested much. Patches welcome! -- Various little fixes and cleanups, especially to the Windows port. -- Applied patch from Andy Lutomirski (Luto@mailandnews.com) which enhances some of the Win* error messages and adds the --win_trace debugging option. -- Applied some patches from Jay Freeman (saurik@saurik.com) -- New --data_length option adds indicated number of random data bytes to send with scan packet and tcp ping packet (does not currently work with ICMP ping packet). Does not affect OS detection, RPC, or connect() scan packets. -- Windows portability fixes -- Various other little fixes. -- Renamed rpc.h and error.h because they conflict with Windows include files. By the way, this was a pain to figure out because VC++ is such a crappy compiler! It basically just says problem in "foobar.h" without giving you any idea how foobar.h got included! gcc gives you a nice message tracing the chain of include files! ** 2.54BETA16 -- Upgraded to latest version of Winpcap ( 2.1-beta ) -- Merged in Windows port code from Ryan Permeh ( ryan@eeye.com) and Andy Lutomirski ( Luto@mailandnews.com ). -- Took out C++ compiler test from nbase configure script. It was inserted accidently, but I found it interesting that only 2 people complained about this causing them problems. I guess most everyone already has C++ compilers. -- Applied patch from Steve Bleazard (steve@bleazard.com) which fixed bug in internal Smoothed Round Trim Time calculations. -- Fixed CFLAGS computation error in configure. Problem discovered and patched by Fredrik Lundholm (exce7@ce.chalmers.se) -- Added more debugging code for "Unknown datalink type" error -- if you get this, please send me the full error msg including hex values. -- Added Portuguese man page translations from Antonio Pires de Castro Junior (apcastro@ic.unicamp.br). -- Capitalized all references to God in error messages. ** Version 2.54BETA7 -- Applied patch from Hubert Feyrer (hubert.feyrer@informatik.fh-regensburg.de) which adds support for the new NetBSD DLT_PPP_* types. -- Updated to Eilon Gishri's (eilon@aristo.tau.ac.il) newest version of nmap-rpc at ftp://ftp.tau.ac.il/pub/users/eilon/rpc/rpc -- Moved a bunch of the scanning engine related functions to new files (scan_engine.c and scan_engine.h ). Timing functions were moved to the new timing.c/timing.h . Other stuff was shifted to tcpip.c/tcpip.h. At some point, nmap.c will only contain the Nmap command line UI. -- Updated Russian version of man page from Alex Volkov (topcat@nm.ru) ** Version 2.54BETA6 -- Added XML output (-oX). Hopefully this will help those of you writing Nmap front ends and other tools that utilize Nmap. The "machine-readable" output has been renamed "grepable" (-oG) to emphasize that XML is now the preferred machine-readable output format. But don't worry if your tool uses -oM , that format (and the deprecated -oM flag) won't go away any time soon (if ever). -- Applied patch from Stefan Rapp which fixes a variable argument integer promotion problem in the new snprintf compatability file. This is important for Redhat 7 systems. -- Reorganized output-related routines so that they now reside in output.c & output.h. Let me know if I accidently screwed up the behavior of any scan types in the process. ** Version 2.54BETA5 -- Revamped the 'compatability libraries' subsystem. Moved all of that to a new library called 'libnbase' and changed Nmap and NmapFE to use that. I included a better version of *snprintf and some other compatability files. Obviously I cannot test these changes on every whacked OS that needs this compatability cruft, so please let me know if you run into compilation problems. -- Fixed a problem found by Martyn Tovey when using Nmap on platforms that dislike division by zero. -- Removed 128.210.*.* addresses from Nmap man page due to complaints from Purdue security staff. -- Fixed FreeBSD (some versions) compilation problem found by Martyn Tovey ** Version 2.54BETA4 -- Upgraded to the very latest Libpcap version ( the 9/3/00 CVS snapshot ). This version is from the tcpdump.org group rather than the Lawrence Livermore crew. The most important advantage is Linux Socket Filter support (so you won't have that annoying syslog message about Nmap using the obsolete SOCK_PACKET interface). -- I tried to install Nmap on yet another machine without lex/yacc or flex/bison. That was the last straw! I am now shipping the generated C files, which eliminates the lex/yacc requirement. -- Applied patch by Jay Freeman (saurik) to make Nmap C++-clean (this was lot of tedious work! Thanks!). Note that Nmap still uses a normal C compiler by default, but Nmap derivatives may appreciate C++ compatability. Note that this only applies to "Nmap proper", not libpcap. -- Added a HACKING file for people who want to help with Nmap development. It describes preferred patch formats, development resources, and offers a number of useful changes that would likely be accepted into the main tree. -- Fixed a configure.in error found by Vacuum (vacuum@technotronic.com) which could cause compilation errors. -- Fingerprint file adjustments for better Win* detection -- Ensure libpcap is not configured and/or installed if you already have a "new enough" version (0.4a6+) installed. -- Included Italian translation of Nmap man page from Giorgio Zoppi . -- Fixed a SYN scan problem that could cause a major slowdown on some busy networks. -- Fixed a crash problem in NmapFE reported by sverre ( sverre@gmx.net ) -- Added an "SInfo" line to most printed fingerprints. It looks similar to this: SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=9/4%Time=9681031%O=7%C=1) and contains information useful when fingerprints are reported (Nmap version/platform, scan date, and open/closed ports used) -- Fixed RPCGrind (-sR) scan. It has been almost completely broken since 2.54BETA2 (which has been out for two weeks) and nobody reported it! I noticed the problem myself during testing of something else. I am disappointed that nobody bothered to even let me know that this was broken. Does anyone even use RPC Scan? -- Various other small fixes/improvements ** Version 2.54BETA3 -- Went through and added/adjusted a bunch of fingerprints. A lot of people submitted Windows Millenium Edition (WinME) beta fingerprints, but nobody submitted IPs for them. So please let me know if this version detects your WinME boxes. -- Applied NmapFE patch from Michael Fischer v. Mollard which made did the following: -- Added delete event so that NmapFE always quits when you kill it with your window manager -- added the menubar to the vbox instead to the fixed widget -- Various small fixes/improvements ** Version 2.54BETA2 -- Added a shortcut which can make single port SYN scans of a network much faster. For example, if a new sendmail vulnerability is found, this reduces the time it takes to scan your whole network for port 25. This shortcut takes effect when you do "-PS -sS -p". For example 'nmap -n -sS -p25 -PS25 24.0.0.0/8". This optimization doubled the scan speed in a 30,000 IP test I performed. -- Added -sL (List scan). Just as ping scan (-sP) allows you to short circuit the scan right after pinging, -sL allows you to short circuit the scan right after target selection. This allows you to see what hosts WOULD be scanned without actually doing it. The hosts will be resolved unles you use -n. Primary uses: 1) Get all the IPs in a network (like A.B.C.D/16) and take out machines that are too fragile to be scanned safely before calling Nmap with the new list (using -iL). 2) Test that a complex spec like 128.4,5,7-9.*.7 does what you expect before actual scanning. 3) When all you want to do is resolve a bunch of IPs. 4) You just want results of a zone transfer (if it is implemented). -- Added some new fingerprints and adjusted some others based on submissions to the DB (I still have a lot more to go through so don't worry if your submission is still not detected). -- Added a warning when you scan 0 hosts (eg "nmap -v"). There are various other output tweaks as well. -- Insured that 0.0.0.0 can be scanned by nmap (although on some OSs, like Linux, it won't work due to what seem to be kernel bugs). Oh well. I'll look into it later. ** Version 2.54BETA1 -- Added an extremely cool scan type by Gerhard Rieger ( rieger at iue.tuwien.ac.at ) -- IP Protocol scanning. Basically it sends a bunch of IP headers (no data) with different "protocol" fields to the host. The host then (usually) sends back a protocol unreachable for those that it does not support. By exclusion, nmap can make a list of those that are supported. This is similar in concept to (and is implemented using most of the same scanning routines as) UDP scanning. Note that some hosts do not send back protocol unreachables -- in that case all protocols will appear "open". -- Fixed an uninitialized variable problem in NmapFE (found by Alvin Starr (alvin at iplink.net ) -- Fixed a packaging problem that lead to the Nmap man page being included twice in the .tgz . -- Fixed dangling nroff include in xnmap man page (noted by Debian Nmap package maintainer LaMont Jones (lamont@security.hp.com) -- Give a warning when no targets at all are specified -- Updated 'make uninstall' so that it deletes all relevant files -- Included latest nmap-rpc from Eilon Gishri (eilon at aristo.tau.ac.il) -- Eliminated -I. from Nmap's and NmapFE's makefiles (suggested by "Jay Freeman (saurik)" (saurik at saurik.com) -- Added Russian documentation by Alex Volkov -- Added Lithuanian documentation from Aurimas Mikalauskas (inner at dammit.lt) ** Version 2.53 -- Fixed a commenting issue that could cause trouble for non-GNU compilers (first found by Jan-Frode Myklebust (janfrode at parallab.uib.no)) -- A few new services to nmap-services ** Version 2.52 -- Added very simple man pages for xnmap/nmapfe (lack of man pages for these was noticed by LaMont Jones (lamont (at) hp.com), the Debian Nmap package maintainer, based on bug report by Adrian Bunk (bunk (at) fs.tum.de ). -- Fixed a "Status: Down" machine name output problem in machine parseable logs found by Alek O. Komarnitsky ( alek (at) ast.lmco.com ) -- Took some wierd files out of the doc directory (cd, grep , vi, and .swp) -- Fixed some typos found by Thomas Klausner ( wiz (at) danbala.ifoer.tuwien.ac.at ) -- Updated nmap-rpc with new entries found in the latest version of Eilon Gishri's rpc list. ** Version 2.51 -- Fixed target parsing bug found by Steve Horsburgh (shorsburgh (at) horsburgh.com). -- Changed makefile/rpm to store fingerprint, rpc, and services file in $prefix/share/nmap rather than $prefix/lib/nmap , since these files are architecture independent. You should now use ./configure --datadir instead of ./configure --libdir to change the default location. Suggested by Thomas Klausner ( wiz (at) danbala.ifoer.tuwien.ac.at ). -- I am now including Eilon Gishri's (eilon (at) aristo.tau.ac.il) rpc number list (which he recently merged with the Nmap 2.50 rpc list). -- Included Spanish and French HTML versions of the Nmap man page (may not always be up to date). ** Version 2.50 -- Fixed an IP calculation error which could occur in some cases where you scan machines on different devices (like lo and eth0). This problem was discoved by Jonathan Fine (jfine@psu.edu). -- Fixed a problem that could, in rare cases, cause a SYN scan scan to crash (the error message was "attempt to add port number X with illegal state 0"). This problem was reported by Erik Benner (erik@xyzzy.net) -- Changed the .spec file so that RPM versions create a xnmap link to nmapfe ( the normal make install has done this for a long time ). ** Version 2.3BETA21 -- A number of people reported problems with nmapfe in various environments (specifically gdk errors, hangs, and crashes). I think that is now fixed. Let me know if you still have the problem (make sure the title bar says BETA21). -- Added a bunch of OS fingerprints based on all the contributions in the last month or so. -- Fixed a bug that completely broke RPC scanning in BETA19. -- Added list of ports scanned near the top of each machine log WHEN -v was specified. Here is an example of the format: # Ports scanned: TCP(13;1-10,22,25) UDP(0;) The "13" above is the number of TCP ports being scanned. -- Got rid of a snprintf() from nmapfe sine some systems don't have it :( and I'm to lazy to integrate in the snprintf that comes with nmap right now. -- Fixed important target IP range parsing bug found by Jean-Yves Simon ( lethalwp@linuxbe.org ). -- Applied patch by albert chin (china at thewrittenword.com) which adds --with-libpcap[=DIR] option to configure and and adds an elegant approach for -lnsl and -lsocket checking to configure . -- Fixed a bug which could cause Nmap to mark a port filtered based on ICMP dest. unreachable packets relating to a different host than the one being scanned. -- Fixed output problem relating to ident scan noted by Peter Marschall ( peter.marschall at mayn.de ) -- Applied patch to services.c by Andrew Brown (atatat@atatdot.net) which prevents some useless debugging (-d) output when reading some kindss of /etc/services files. -- Added "Host: [machinename] (ip) Status: Down" to machine logs when the verbose option is given (just like down hosts are reported to stdout when verbose is given). Suggested by Alek Komarnitsky. -- Applied NetBSD compatability patch provided by Mipam (reinoud at ibbnet.org) which changes an autoconf macro to check for getopt_long_only instead of getopt_long. -- Nmap used to print an inaccuracy warning when no open TCP ports were found on the target machine. Due to a bug, this was not always being printed. Problem found by Matt (matt at use.net) and Ajay Gupta2 (Ajay.Gupta2 at ey.com). -- Added the number of ports in the ignored state right after the state name in machine parseable logs. It used to looke like: "Ignored State: closed" whereas now it looks like: "Ignored State: closed (1508)" Meaning that 1508 ports were closed and thus are not specifically enumerated. -- Changed all nmapfe calls to gdk_font_load into gdk_fontset_load . Bennett Feitell (bfeitell at panix.com) suggested that this fixed some nmapfe font problems. ** Version 2.3BETA20 -- Applied patch sent in by s.rapp@hrz.uni-dortmund.de which fixes a memory alignment bug in osscan.c which could cause core dumps on machines which require aligned access (like SPARC). -- Fixed a compilation problem on machines that do not have MAP_FAILED defined (as a return value to mmap). Problem noted by Phil Stracchino . ** Version 2.3BETA19 -- Tweaked the output so that it now tells how many ports are not shown and what state the ignored ports are in. This info could be inferred before by people who had studied the manpage, but now the info is explicitly available. I cleaned up a bunch of stuff internally to make this happen. I hope I didn't break anything! -- Changed NmapFE so that it always kills any running Nmap process when you press exit. Problem noted by Marc Renner (mrenner (at) ci.marysville.wa.us) -- Apparently some Linux (glibc) systems now come with a "strcasestr" function. So I have made autoconf look for this and use the native version if supported. (problem noted by Sami Farin (sfarin (at) ratol.fi)). -- Added a new attribute "Ignored State: xxx" to the machine parseable logs, where xxx is the state (closed, filtered, or UNfiltered) that is being ignored. Ports in that state are not listed (they weren't listed in earlier versions either). Perhaps I should list ALL ports for machine parseable output. Opinions? -- Merged in a patch sent in by Mipam (reinoud (at) ibbnet.org) which is apparently part of the OpenBSD Nmap "port". Although Nmap seems to work fine for me on my OpenBSD 2.4 box, a couple OpenBSD users have complained of problems. Hopefully this will help. (it adds DLT_LOOP and DLT_ENC offset cases when reading from libpcap). -- A few really minor bugfixes. ** Version 2.3BETA18 -- Fixed a very important bug that occurred when SYN scanning localhost. Many thanks to Dries Schellekens ( gwyllion (at) ace.ulyssis.student.kuleuven.ac.be ) for first reporting the problem. -- Uros Prestor from TurboLinux informed us that the latest versions of Nmap work with Linux on the upcoming Intel Merced/Itanium IA-64 processors. He also said that the TurboLinux distribution includes Nmap. Kudos to them! As well as the other distros that support Nmap (Debian, Red Hat, Suse, Trinux) and of course FreeBSD, NetBSD, & OpenBSD. Does anyone know if Nmap ships with the latest from Mandrake or Corel? The latest Solaris includes some Free software. If anyone can get them to ship Nmap, I will buy you a case of beer :). -- Added a #define to change vsnprintf to vsprintf on machines which do not support the former (mostly Solaris 2.5.1 and earlier). This function is less safe. For people who care about security, we recommend an upgrade to Solaris 8 (or Linux/*BSD). -- Changed the NmapFE version to 0. rather than always leaving it at 0.9.5 (which was confusing). Thanks to J.D.K. Chipps (jdkc (at) woptura.com) for noticing this. -- Added support for "-vv" (means the same as "-v -v"). Older versions of Nmap supported it (noted by George Kurtz). ** Version 2.3BETA17 -- Added ACK scanning. This scan technique (which van Houser and others have been bugging me to add for years :), is great for testing firewall rulesets. It can NOT find open ports, but it can distinguish between filtered/unfilterd by sending an ACK packet to each port and waiting for a RST to come back. Filtered ports will not send back a RST (or will send ICMP unreachables). This scan type is activated with -sA . -- Documented the Window scan (-sW) which Lamont Granquist added in September 99. -- Added a whole bunch of OS fingerprints that people have submitted. -- "Protocol" field in output eliminated. It is now printed right next to the number (/etc/services style). Like "22/tcp". I wonder what I should put in the extra white space this leaves on the report :). -- Added --resume option to continue a large network scan where you left off. This is useful for recovering from errors (modem drops carrier, network outage, etc). It also allows you to start and stop for policy reasons (like if a client only wants you to scan on weekends or at night) or if you want to run the scan on a different host. Usage is 'nmap --resume logfile' where logfile can be either normal (-oN) or machine parseable (-oM) logfile from the scan that was aborted. No other options can be given (the options in the logfile from the original scan will be used). Nmap will start off with the host after the last one successfully scanned in the log file. -- Added --append_output option which causes -oN/-oM/-oS to APPEND to the output file you specify rather than overwriting it. -- Various internal code cleanup, makefile fixes, etc. -- Changed version number from 2.3BETA* to 2.30BETA* to appease various packaging systems that thought 2.3BETA was < 2.12 . -- Nmap output to files now correctly flushes output after scanning for each host is finished. -- Fixed compiler -L flags error found by Ralf Hildebrandt -- Fixed configure scripts so that options you give to the Nmap configure (like --prefix ) are also passed to the nmapfe configure script. This problem was noted by Ralf Hildebrandt . While I was at it, I added some other cleanups to the system. -- Added --noninteractive option for when nmap is called from scripts (where stuff like prompting users for info is unacceptable). It does not currently do anything (Nmap never prompts) and script writers should probably wait until at least May '2000 so their scripts still work with earlier versions of Nmap. -- Updated to the latest config.guess and config.sub from Autoconf 2.13 -- Applied patch by Sven which fixes a segmentation fault problem in Nmapfe colored mode as well as some output niceties. -- Changed some C++ comments to C-style for portability (noticed by "Sergei V. Rousakov" ) ** Version 2.3BETA14 -- Peter Kosinar performed some cleanup of the output routines and as a bonus he added skript kiddie output mode!!! Try it out by adding "-oS - " to your nmap command line. Note that using '-' to represent stdout instead of a filename is something you can do with any of the output modes. -- Ensured that Nmap always gives up on ident scan after the first port attempt finds it to be closed (problem noticed by Matt ) -- Changed strsep's in nmapfe to more portable strtok's (should especially help Nmapfe compiles on Solaris) -- Changed permutation algorithm to make port order and host order shuffling more random. -- Various minor changes and internal code cleanup. -- Fixed integer overflow that was limiting the max --host_timeout value to about 2,000,000 milliseconds (~1/2 hour). The limit is now about 4,000,000,000 milliseconds (~1 month). I really hope you don't need more than that :). ** Version 2.3BETA13 -- I made Nmap smarter about detecting filtering during UDP, Xmas, NULL, and FIN scans. -- Updated Nmapfe to 0.9.5 (+ a patch from NmapFE author Zach Smith) -- Fixed a problem where NmapFE would fail to honor $PATH (Noticed by K. Scott Rowe ) -- Added a couple ICMP unreachable messages Nmap was missing (found by Bifrost ). -- Internal cleanup that improves the way some port lists are stored. -- Added some more RPC numbers from -- Relaxed the dependency requirements of nmapfe rpm (now will accept any version of Nmap). ** Version 2.3BETA12 -- Added interactive mode which adds convenience for managing nmap sessions and also enhances privacy. Get to it with --interactive and then type 'h' for help. -- Added/modified many fingerprints including the latest 2.3.X Linux releases, the latest Win2000 builds, the Apple Airport Wireless device, and several dozen more. -- Migrated to RPM .spec file sent in by Tim Powers . That is the file they will be using to package Nmap with the power tools CD in the next Redhat release. The most important changes are that Nmap (only the RPM version) now installs in /usr/* instead of /usr/local/* and the frontend is now dynamically linked with GTK and comes in a separate rpm. -- The -i (input from list) option has been deprecated. From now on you should use -iL to read from a list or -iR to have Nmap generate random IPs to scan. This -iR option is new. -- The -o and -m options have been deprecated. From now on, you should use -oN for normal (human readable) output and -oM for machine parseable output. At some point I might add -oH (HTML output) or -oSK (sKr|pt | 23 lines!) and include some of the new features of this release. The man page was updated as well. -- Fixed longstanding bug where nmap -sS mylocalnetwork/24 would not successfully scan the host running nmap. -- Internal improvements to make scanning faster with -i (input list) or when you specify multiple machines on the command line. -- Uses faster GCD algorithm and fixed several typos (sent in by Peter Kosinar). -- Provide more information in machine/human readable output files (start time, end time, RPC program name, Nmap version number) -- Killed the -A option (if you don't know what that is then you won't miss it. In fact, even if you do know what it is you won't miss it.) ** Version 2.3BETA10 -- Added about 70 new OS fingerprints so that Nmap can detect more systems. The most important new fingerprints are probably: * The new SP5+ NT boxes -- After all these years MS FINALLY made sequence prediction harder (on NT anyway). * Solaris 8 Pre-Release * Sega Dreamcast (Hack that!) * Latest Windows 2000 builds * OpenBSD 2.6 ** Version 2.3BETA9 -- Applied patch by Mark Abene (Phiber Optik) to fix several type length issues so that it works on Linux/Alpha. -- Applied patch by Matthieu Verbert to speed up OSScan ** Version 2.3Beta8 -- Added "firewall mode" timing optimizations which can decrease the ammount of time neccessary to SYN or connect scan some heavily filtered hosts. -- Added min_rtt_timeout timing option (see man page for details) -- Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS called Snort was using this to detect Nmap TCP Pings). -- Some changes for better Alpha/Linux support based on investigation by Bill Beers -- Applied changes for FDDI support by Tobias J. Nijweide which can be useful when using -S to specify one of multiple interfaces on a machine. -- Made OS detection smart enough to first check scan results for a known closed port instead of immediately resorting to a random one. This improves OS detection against some machines behind packet filters. (suggested by van Hauser) -- Applied a shortcut suggestion by Thomas Reinke which can lead to a tremendous speedup against some firewalled hosts. -- Added some ports commonly used for RPC to nmap-services -- Fixed a problem with the timing of an RPC scan (could come before the UDP scans they rely on) -- Added a number of new ports to nmap-services ** Version 2.3Beta6 ** -- Added sophisticated timing controls to give the user much more control over Nmap's speed. This allows you to make Nmap much more aggressive to scan hosts faster, or you can make Nmap more "polite" -- slower but less likely to wreak havoc on your Network. You can even enforce large delays between sending packets to sneak under IDS thresholds and prevent detection. See the new "Timing Options" section of the Nmap man page for more information on using this. -- Applied Lamont Granquist's Window scan patch (I changed the name from ACK scan to Window scan since I may add another scan that uses ACK packets and I don't want them to be confused). -sW activates this scan type. It is mostly effective against BSD, AIX, Digital UNIX, and various older HP/UX, SunOS, and VAX. (See nmap-hackers mailing list archives for an extensive list). -- Added various long options people expect to see like --version , --help , --usage , etc. Some of the new timing options are also long. I had to add getopt_long C files since most non-Linux boxes don't support getopt_long in libc. -- Human readable (-o) output changed to include the time/date of the scan. Suggested by van Hauser. ** Version 2.3-Beta5 *** -- Changed RPC output based on suggestions by David O'Brien and Lance Spitzner . I got rid of the "(Non-RPC)" unnecessary clutter which appeared after each non RPC port and the "(untested)" that appeard after each "filtered" port. -- Added a ton of new OS fingerprints people submitted. I had about 400 in my inbox. Of course, almost 100 of them were submissions for www.windows2000test.com :). -- Changed the machine parseable output of RPC information to include the version information. If we figured out the RPC info, it is now provided as "program-num*lowversion-highversion". If we didn't get the number, but we think the port is RPC, the field simply contains "R". If we believe the port is NOT RPC, then the field contains "N". If the field is empty, we did not RPC scan the port. Thanks to H D Moore for making me aware how much the earlier machine parseable RPC logging sucked :). *** Version 2.3-Beta4 *** -- Added direct (non-portmapper) RPC scanning to determine what RPC program is listening on a particular port. This works for UDP and TCP ports and is currently implemented using sockets (which means you can't use decoys, but on the other hand you don't have to be root). Thanks go to ga for writing sample code to demonstrate the technique. The RPC services list included with nmap was compiled by Vik Bajaj with help from various members of the nmap-hackers list. -- Fixed a problem that could cause freezes when you scan machines on at least two different types of interfaces as part of the same command. -- Identified and found workaround for Linux kernel bug which allows connect() to sometimes succeed inapropriately when scanning closed ports on localhost. -- Fixed problems relating to people who specify the same port more than once on the command line. While the right answer is "well, don't do that!", I decided to fix nmap to handle this gracefully. -- Tweaked UDP scanning to be more effective against Solaris ICMP error limiting. -- Fixed strtol() integer overflow problem found by Renaud Deraison -- The HTML translation of the Man page at http://www.insecure.org/nmap/nmap_manpage.html should now be complete (man2html was dropping lines before). -- Added a note in the man page that Nmap 2.0+ is believed to be COMPLETELY Y2K COMPLIANT! I've been getting a lot of letters from laywers about that recently. You should still be able to port scan on Jan 1st (well ... as long as you have electricity and gangs of looting thugs haven't stolen your computers :) *** Version 2.2-Beta4 *** -- Integrated nmapfe code from Zach Smith to allow the nmapfe output window to resize when you resize the nmapfe window. -- Integrated patch sent in by Stefan Erben which allows nmap to recognize and ignore null interfaces. If you were getting a bogus error like "eth0 not found in /proc/net/route" then this should solve your problem. -- Applied patch from Alexander Savelyev which gives nmap the parameters necessary to support SLIP and PPP on BSDI systems. -- Upgraded to a new version of shtool (1.2.3) *** Version 2.2-Beta3 *** -- Adopted Ralf S. Engelschall's excellent shtool script for simplifying the nmap makefile and making it more portable -- Various other minor changes to nmapfe. *** Version 2.2-Beta2 *** -- Cleaned up build environment more, fixed up RPM and Makefile.in, eliminated the automake stuff. -- Added nmapfe feature to show nmap command as you change options -- Changed nmapfe to use a global MyWidgets struct rather than tons of global vars all over the place. -- Made nmapfe much smarter about rejecting stupid option attempts. It now tries to correct things when you specify illegal options. -- GTK+ 1.0 compatibility fixes -- Integrated nmapfe changes from Zach *** Version 2.2-BETA1 Changes *** -- Integrated in nmapfe -- a cool front end wrottem by Zach Smith *** Version 2.12 Changes *** -- Changed the way tcp connect() scan determines the results of a connect() call. Hopefully this will make nmap a little more portable. -- Got rid of the security warning message for people who are missing /dev/random and /dev/urandom due to complaints about the warning. This only silences the warnings -- it still uses relatively weak random number generation under Solaris and other systems that lack this functionality. -- Eliminated pow() calls on Linux boxes. I think some sort of glibc bug was causing nmap to sigsegv in some cases inside of pow(). Most people weren't affected, but those who were would almost always SIGSEGV with -O. -- Fixed an rpm problem noted by Mark Smith *** Version 2.11 Changes *** -- Many new fingerprints added. I received more than 300 submissions between this release and the last one. -- Fixed IRIX problems which prevented OS scanning from working on that platform. The problem was researched and solution found by Lamont Granquist . You can also thank him for porting nmap to almost every UNIX around. -- Added support for '-m -' to redirect machine readable logs to stdout for shell pipelining, etc. I also changed machine readable output to show service names now that we use a nmap specific services file rather than /etc/services. These features were suggested by Dan Farmer. You can also thank him for SATAN (the auditing tool). -- Fixed a link-list bug that could cause hangs in UDP,FIN,NULL, and XMAS scans. Also fixed a ptr problem that could cause SIGSEGV. These problem were discovered and tracked down by Ben Laurie . You can also thank him for Apache, OpenSSL, and Apache-SSL. -- Fixed installation problem for people without a /usr/local/man/man1 directory. Found by Jeffrey Robertson . I guess you can thank him for Win98 ;). -- Several other little fixes to the installation script and minor scanner tweaks. *** Version 2.10 Changes *** -- Private test release *** Version 2.09 Changes *** -- Private test release *** Version 2.08 Changes *** -- Bugfix for problem that can cause nmap to appear to "freeze up" for long periods of time when run on some busy networks. (found by Lamont Granquist) *** Version 2.07 Changes *** -- Fixed a lockup on Solaris (and perhaps other proprietary UNIX systems) caused by a lack of /dev/random & /dev/urandom and a rand() that only returns values up to 65535. Users of Free operating systems like Linux, FreeBSD, or OpenBSD probably shouldn't bother upgrading. ***Version 2.06 Changes*** -- Fixed compile problems on machines which lack snprintf() (found by Ken Williams ) -- Added the squid proxy to nmap-services (suggested by Holger Heimann) -- Fixed a problem where the new memory allocation system was handing out misaligned pointers. -- Fixed another memory allocation bug which probably doesn't cause any real-life problems. -- Made nmap look in more places for nmap-os-fingerprints ***Version 2.05 Changes*** -- Tons of new fingerprints. The number has grown by more than 25%. In particular, Charles M. Hannum fixed several problems with NetBSD that made it easy to fingerprint and he sent me a huge new batch of fingerprints for various NetBSD releases down to 1.2. Other people sent NetBSD fingerprints down to 1.0. I finally got some early Linux fingerprints in (down to 1.09). -- Nmap now comes with its own nmap-services which I created by merging the /etc/services from a bunch of OS' and then adding Netbus, Back Orifice, etc. -- Random number generation now takes advantage of the /dev/urandom or /dev/random that most Free operating systems offer. -- Increased the maximum number of OS guesses nmap will make, told nmap never to give you two matches where the OS names are byte-to-byte equivalent. Fixed nmap to differentiate between "no OS matches found" and "too many OS matches to list". -- Fixed an information leak in the packet TTL values (found by HD Moore ) -- Fixed the problem noted by Savva Uspensky about offsets used for various operating systems' PPP/SLIP headers. Due to lack of responses regarding other operating systems, I have made assumptions about what works for BSDI, NetBSD, and SOLARIS. If this version no longer works on your modem, please let me know (and tell me whether you are using SLIP/PPP and what OS you are running). -- Machine parseable logs are now more machine parseable (I now use a tab to seperate test result fields rather than the more ambiguous spaces. This may break a few things which rely on the old format. Sorry. They should be easy to fix. -- Added my nmap-fingerprintinting-article.txt to the distribution in the docs directory. -- Fixed problem where nmap -sS would not correctly scan localhost (due to the kernel rerouting the traffic through localhost). Nmap should now detect and work around this behavior. -- Applied patch sent to my by Bill Fenner which fixes various SunOS compatibility problems. -- Changed the makefile 'all' target to use install-sh rather than mkdir -p (doesn't work on some systems) -- Documentation updated and clarified slightly. -- Added this CHANGELOG file to the distribution.