Nmap Announce mailing list archives

Announce: nmap-3.30+V-2.90 ("Version" Scanning) [Now Really Fast]


From: "Jay Freeman \(saurik\)" <saurik () saurik com>
Date: Thu, 24 Jul 2003 02:56:46 -0500

Changelog:

o Refactored the scanning code to offer upwards of an 8x speedup.
  Ports are now scanned in parallel rather than one at a time. Just
  how many ports are scanned in parallel is based on this algorithm:

    unsigned ports(pow(2.5, o.timing_level));
    ports = max(ports, o.min_parallelism);
    ports = min(ports, o.max_parallelism ? o.max_parallelism : 100);

  Where o.timing_level is controlled by the -T command line option,
  o.min_parallelism by --max_parallelism, and o.min_parallelism by
  --min_parallelism. The equation's goal was to make the default
  value of -T give a default parallelism of around 16.

o -sV now supports UDP ports. So far it only detects one service: DNS.
  I'll add more whenever I have time. If anyone has any that they'd
  like to offer detection strings for, I'm very open. If you want to
  actually test them with nmap+V, I have a walkthrough in the docs
  folder called service-fingerprint.txt. Each IP protocol is handled by
  a different file: nmap-<protocol>-fingerprints. This differs from my
  previous naming convention of nmap-versions.

o While I was doing that I fixed the fingerprint for DNS over TCP. It
  wasn't very happy... I had noticed it, but I kept putting off actually
  doing something about it.

o I added a portability layer that will let me change to libpcre in the
  future if a reason comes up. I debated just doing it, but so far I'm
  not using any of the features, so my good ol' version of regex; the one
  that I hacked together from an "ok" licensed file that came up after
  doing an `slocate regex.c` in order to support doing regular expressions
  on strings that contain binary garbage, is still the regex of choice for
  nmap+V.

o Added back a better version of my "debugging stuff". I've added STL
  to so many parts of my code now that it no longer matters. I still
  need to try to tackle nmap's Win32 portability problem sometime soon.
  Unfortunately, this usage of STL means that this release won't compile
  on Win32. It isn't fundamentally broken, there are just some bad
  #define's in mswin32/winclude.h that keep non-nmap sanctioned system
  header files from working.

o Removed the -FV option. It mainly stayed around because scans were
  so painfully slow. Originally, I think I added it because I couldn't
  scan protocols on ports that I didn't think they were on (this was
  mainly version scanning at the time, not protocol auto-detection,
  which was added later). Regardless, the feature seems pointless now.

o Removed the feature where I reuse the already open connections from
  TCP connect() scans. I might add this back someday, but for now it's
  gone as it was too much of a pain to maintain all the _other_ code
  changes that this one required (as I had to tap into the addport()
  system in order to get the information added correctly). Besides, I
  figure A) if you are doing a connect() scan you aren't trying to be
  stealthy anyway and B) the -sV scan is most useful when it can use
  multiple connections anyway with -sVV. I'm not worried that I'm going
  to get many complaints :).

o In general, minimized my patch wherever possible.


FTP Information (for "released" versions):

  Source: ftp://ftp.saurik.com/pub/nmap/nmap-3.30+V-2.90.tgz
  Patch: ftp://ftp.saurik.com/pub/nmap/nmap+V-2.90

  New Win32 Binaries: not available for this release... sorry
  Old Win32: ftp://ftp.saurik.com/pub/nmap/nmap-3.30+V-2.35.win32.zip


CVS Information (for current versions):

  Repository: :pserver:anoncvs () cvs saurik com:/cvs/nmap
  Module: nmap
  Password: anoncvs


Example Output (for the curious; and yes, it should line up with a fixed
width font, although it is occasionally wider than 77 characters and wraps):

[root(2)@ironclad nmap-3.30+V]# ./nmap -sS -sVV -F localhost

Starting nmap 3.30+V ( http://www.insecure.org/nmap/ ) at 2003-07-24 02:54 CDT
Interesting ports on localhost.localdomain (127.0.0.1):
(The 1174 ports scanned but not shown below are in state: closed)
Port       State       Service             Protocol     Version
17/tcp     open        qotd                Go Text      GNU Go 3.2
21/tcp     open        ftp                 FTP          wu-2.6.2-8
22/tcp     open        ssh                 SSH          1.99-OpenSSH_3.4p1
23/tcp     open        telnet              Telnet
25/tcp     open        smtp                SMTP         Sendmail 8.12.6/8.12.6
53/tcp     open        domain              DNS
80/tcp     open        http                HTTP         Apache/2.0.44 (Unix)
110/tcp    open        pop-3               POP3         Cyrus v2.1.11-Invoca-RPM-2.1.11-3
111/tcp    open        sunrpc              RPC
113/tcp    open        auth                AUTH
119/tcp    open        nntp                NNTP         INN 2.2.2 13-Dec-1999
143/tcp    open        imap2               IMAP         Cyrus v2.1.11-Invoca-RPM-2.1.11-3
465/tcp    open        smtps               SSL
587/tcp    open        submission          SMTP         Sendmail 8.12.6/8.12.6
783/tcp    open        hp-alarm-mgr        SpamAssassin
953/tcp    open        rndc                BIND rndc    BIND9
993/tcp    open        imaps               SSL
995/tcp    open        pop3s               SSL
2000/tcp   open        callbook            Sieve        Cyrus timsieved v2.1.11-Invoca-RPM-2.1.11-3
2401/tcp   open        cvspserver          CVS
5432/tcp   open        postgres            PostgreSQL   7.3
8009/tcp   open        ajp13               Ajp13        Apache Tomcat
8080/tcp   open        http-proxy          HTTP         Apache Tomcat/4.1.18-LE-jdk14 (HTTP/1.1 Connector)

Nmap run completed -- 1 IP address (1 host up) scanned in 15.962 seconds

Sincerely,
Jay Freeman (saurik)
saurik () saurik com
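The parallelism selection described in the changelog above, worked through as an added example (this is not nmap+V's own code; the function name, the defaults and the sample option values are assumptions made for the illustration). It shows what each -T level yields with the default options, that the "not set" value 0 for --max_parallelism becomes a cap of 100, and that the cap is applied last and so wins when the two parallelism options conflict.

```cpp
// Added example mirroring the three-line algorithm quoted in the announcement.
// timing_level is the -T value, min_par and max_par the two --*_parallelism
// options; max_par == 0 means "not given" and is treated as a cap of 100.
#include <algorithm>
#include <cmath>
#include <cstdio>

unsigned scan_parallelism(int timing_level, unsigned min_par, unsigned max_par)
{
    // pow() yields a double; storing it in an unsigned truncates toward zero,
    // so the default -T3 gives 15 (2.5^3 = 15.625), i.e. "around 16".
    unsigned ports = static_cast<unsigned>(std::pow(2.5, timing_level));
    ports = std::max(ports, min_par);                      // raise to --min_parallelism
    ports = std::min(ports, max_par ? max_par : 100u);     // then cap at --max_parallelism
    return ports;
}

int main()
{
    std::printf("-T  ports scanned in parallel (default options)\n");
    for (int t = 0; t <= 5; ++t)
        std::printf("%d   %u\n", t, scan_parallelism(t, 0, 0));

    // The cap is applied after the floor, so --max_parallelism wins when the
    // two options disagree: constructed option values, not a real run.
    std::printf("-T5 --min_parallelism 200 --max_parallelism 50 -> %u\n",
                scan_parallelism(5, 200, 50));
    return 0;
}
```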

