
4.01 is Now Available

Posted Feb 16, 2006 6:24 UTC (Thu) by fyodor (guest, #3481)
Parent article: A look at nmap 4.0

I'm glad you like Nmap 4! It really has come a long way, though we certainly aren't resting on our laurels. We are now working on a 2nd generation OS detection system, and then possibly a scripting language optimized for concurrent I/O against many target ports. For more details on the release, see my SecurityFocus interview.

Nmap 4 had more than 100,000 downloads in the first week and I'm afraid that so much testing exposed some minor bugs. 4.01 was released last week to deal with them. Grab a copy from the Nmap download page.

Cheers,
Fyodor (Enjoying LWN since the single-yellow-page days!)


4.01 is Now Available

Posted Feb 16, 2006 7:29 UTC (Thu) by Ross (guest, #4065) [Link] (1 responses)

This probably isn't the best forum to ask, but I've always wondered why nmap doesn't look at ICMP formatting for use in OS detection. Reportedly the way the original packets are quoted varies widely. Of course sometimes ICMP is blocked, but when it is not this might help disambiguate certain cases (or cases where people are using firewall rules to frustrate fingerprinting based on TCP option handling).

It already does to some degree

Posted Feb 16, 2006 7:55 UTC (Thu) by fyodor (guest, #3481) [Link]

Nmap already does look at various aspects of ICMP port unreachable replies. These tests can be seen in the "PU" fingerprint test line. Here is an example, from the Linux 2.4.7 fingerprint:
PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)

This means that in the ICMP response, the don't-fragment bit was not set, the ToS byte is 0xC0, the total length (tells you how much of the original packet was echoed) is 164, the TTL is 148, the ID and IP checksum of the initial packet were returned uncorrupted, the UDP length field in the echoed header was 134, and the data from that UDP packet was returned uncorrupted (but possibly truncated). More details can be found in my OS fingerprinting article.

But maybe we could glean even more information from these ICMP packets. Our current proposed new system is here, and I welcome ideas for new tests to add.

-Fyodor
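As an added example (not code from the thread or from Nmap itself), here is a small Python parser for the PU test line quoted above that splits it into its fields, decodes each test the way the reply explains it, and compares an observed line against a fingerprint's line. Reading TOS as hex and treating E/Y/N as flags follows the explanation; keeping the length fields as opaque strings is an assumption, since the comment does not say how they are encoded.

```python
import re

# The Linux 2.4.7 PU line quoted in the reply above (copied, not constructed).
LINUX_2_4_7_PU = "PU(DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN=134%DAT=E)"

# What each test checks, as described in the reply (E = echoed back uncorrupted).
PU_MEANING = {
    "DF":    "don't-fragment bit set in the ICMP reply (Y/N)",
    "TOS":   "ToS byte of the ICMP reply (hex)",
    "IPLEN": "total length of the reply, i.e. how much of the probe was echoed",
    "RIPTL": "returned-IP-header field (described above as the TTL)",
    "RID":   "IP ID of the probe returned uncorrupted",
    "RIPCK": "IP checksum of the probe returned uncorrupted",
    "UCK":   "UDP checksum of the probe returned uncorrupted",
    "ULEN":  "UDP length field in the echoed UDP header",
    "DAT":   "UDP payload returned uncorrupted (possibly truncated)",
}

def parse_pu(line):
    """Split a 'PU(k=v%k=v...)' test line into a dict of raw field strings."""
    m = re.fullmatch(r"\s*PU\((.*)\)\s*", line)
    if not m:
        raise ValueError("not a PU test line: %r" % line)
    fields = {}
    for item in m.group(1).split("%"):
        key, sep, value = item.partition("=")
        if not sep or not key:
            raise ValueError("malformed PU field: %r" % item)
        fields[key] = value
    return fields

def decode_pu(line):
    """Interpret the raw fields: Y/N and E flags become booleans, TOS an int;
    the length fields are kept as the fingerprint's own strings (assumption)."""
    raw = parse_pu(line)
    return {
        "df_set":  raw["DF"] == "Y",
        "tos":     int(raw["TOS"], 16),
        "iplen":   raw["IPLEN"],
        "riptl":   raw["RIPTL"],
        "id_ok":   raw["RID"] == "E",
        "ipck_ok": raw["RIPCK"] == "E",
        "uck_ok":  raw["UCK"] == "E",
        "ulen":    raw["ULEN"],
        "data_ok": raw["DAT"] == "E",
    }

def pu_matches(observed_line, fingerprint_line):
    """True when every test in the fingerprint's PU line agrees with the observed reply."""
    observed, fp = parse_pu(observed_line), parse_pu(fingerprint_line)
    return all(observed.get(k) == v for k, v in fp.items())
```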

Thanks

Posted Feb 19, 2006 23:42 UTC (Sun) by man_ls (guest, #15091) [Link]

Cannot resist: thanks for an invaluable tool, and keep up the good work!

