<?xml version="1.0" encoding="UTF-8"?>

<rdf:RDF 
  xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#"
  xmlns="http://purl.org/rss/1.0/"
  xmlns:dc="http://purl.org/dc/elements/1.1/"
  xmlns:syn="http://purl.org/rss/1.0/modules/syndication/"
>

  <channel rdf:about="http://lwn.net/headlines/171828/">
    <title>LWN: Comments on "A look at nmap 4.0"</title>
    <link>http://lwn.net/Articles/171828/</link>
    <description>
This is a special feed containing comments posted
to the individual LWN article titled &quot;A look at nmap 4.0&quot;.

    </description>

    <syn:updatePeriod>hourly</syn:updatePeriod>
    <syn:updateFrequency>2</syn:updateFrequency>
    <items>
      <rdf:Seq>
	<rdf:li resource="http://lwn.net/Articles/172620/rss" />
	<rdf:li resource="http://lwn.net/Articles/172313/rss" />
	<rdf:li resource="http://lwn.net/Articles/172235/rss" />
	<rdf:li resource="http://lwn.net/Articles/172232/rss" />
	<rdf:li resource="http://lwn.net/Articles/172230/rss" />
      
      </rdf:Seq>
    </items>

  </channel>
    <item rdf:about="http://lwn.net/Articles/172620/rss">
      <title>Thanks</title>
      <link>http://lwn.net/Articles/172620/rss</link>
      <dc:date>2006-02-19T23:42:41+00:00</dc:date>
      <dc:creator>man_ls</dc:creator>
      <description>
      Cannot resist: thanks for an invaluable tool, and keep up the good work!
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/172313/rss">
      <title>A look at nmap 4.0</title>
      <link>http://lwn.net/Articles/172313/rss</link>
      <dc:date>2006-02-16T14:58:41+00:00</dc:date>
      <dc:creator>sbergman27</dc:creator>
      <description>
      Getting an idea of how long the scan is going to take is definitely a plus.&lt;br&gt;
&lt;p&gt;
With the releases I have used, I never know if I should get up out of my chair at all, or get a cup of coffee, or make dinner, or go to the grocery store, or make a trip to Greece, while waiting for it to complete.&lt;br&gt;
&lt;p&gt;
But thanks, Fyodor, for the tool.  It has been extremely useful.  And I have had enough confidence in its speed that I have not had occasion to actually see Greece yet. ;-)&lt;br&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/172235/rss">
      <title>It already does to some degree</title>
      <link>http://lwn.net/Articles/172235/rss</link>
      <dc:date>2006-02-16T07:55:25+00:00</dc:date>
      <dc:creator>fyodor</dc:creator>
      <description>
      Nmap already does look at various aspects of ICMP port unreachable replies.  These tests can be seen in the &quot;PU&quot; fingerprint test line.  Here is an example, from the Linux 2.4.7 fingerprint:

&lt;pre&gt;
PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)
&lt;/pre&gt;

&lt;p&gt;This means that in the ICMP response, the don't fragment bit was not set, the ToS byte is 0xC0, the total length (tells you how much of the original packet was echoed) is 164, the TTL is 148, the ID and IP checksum of the initial packet were returned uncorrupted, the UDP length field in the echoed header was 134, and the data from that UDP packet was returned uncorrupted (but possibly truncated). More details can be found in my &lt;a href=&quot;http://www.insecure.org/nmap/nmap-fingerprinting-article.html&quot;&gt;OS fingerprinting article&lt;/a&gt;.

&lt;p&gt;But maybe we could glean even more information from these ICMP packets. Our current proposed new system is &lt;a href=&quot;http://seclists.org/lists/nmap-hackers/2005/Jul-Sep/0002.html&quot;&gt;here&lt;/a&gt;, and I welcome ideas for new tests to add.

&lt;p&gt;-&lt;a href=&quot;http://www.insecure.org&quot;&gt;Fyodor&lt;/a&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/172232/rss">
      <title>4.01 is Now Available</title>
      <link>http://lwn.net/Articles/172232/rss</link>
      <dc:date>2006-02-16T07:29:44+00:00</dc:date>
      <dc:creator>Ross</dc:creator>
      <description>
      This probably isn't the best forum to ask, but I've always wondered why nmap doesn't look at ICMP formatting for use in OS detection.  Reportedly the way the original packets are quoted varies widely.  Of course sometimes ICMP is blocked, but when it is not this might help disambiguate certain cases (or cases where people are using firewall rules to frustrate fingerprinting based on TCP option handling).&lt;br&gt;
      
      </description>
    </item>
    <item rdf:about="http://lwn.net/Articles/172230/rss">
      <title>4.01 is Now Available</title>
      <link>http://lwn.net/Articles/172230/rss</link>
      <dc:date>2006-02-16T06:24:50+00:00</dc:date>
      <dc:creator>fyodor</dc:creator>
      <description>
      &lt;p&gt;I'm glad you like Nmap 4!  It really has come a long way, though we
certainly aren't resting on our laurels.  We are now working on a 2nd
generation OS detection system, and then possibly a scripting language
optimized for concurrent I/O against many target ports.  For more details on the release, see my &lt;a href=&quot;http://www.securityfocus.com/columnists/384&quot;&gt;SecurityFocus interview&lt;/a&gt;.

&lt;p&gt;Nmap 4 had more than 100,000 downloads in the first week and I'm
afraid that so much testing exposed some minor bugs.  4.01 was released
last week to deal with them.  Grab a copy from the &lt;a
href=&quot;http://www.insecure.org/nmap/download.html&quot;&gt;Nmap download
page&lt;/a&gt;.

&lt;P&gt;Cheers,&lt;BR&gt;
&lt;a href=&quot;http://www.insecure.org&quot;&gt;Fyodor&lt;/a&gt; (Enjoying LWN since the single-yellow-page days!)&lt;BR&gt;
      
      </description>
    </item>
</rdf:RDF>

