Re: minor fix + {ports} syntax

[David Fifield <david () bamsoftware com>]

On Wed, Mar 03, 2010 at 05:48:41AM +0100, Anonymous Remailer (austria) wrote:
> saludos,
> greengreat.
>
> ==PATCH 1==
>
> In scan_engine.cc,
> In one comment, correct the order of probe tries, to reflect the code:
>
> --- scan_engine.cc
> +++ scan_engine.cc
> @@ -2009,7 +2009,7 @@
>      return 0;
>    } else if (USI->ping_scan) {
>      /* This is ordered to try probes of higher effectiveness first:
> -         -PE -PS -PA -PP -PU
> +         -PE -PS -PA -PY -PM -PP -PU -PO -PT
>         -PA is slightly better than -PS when combined with -PE, but give -PS an
>         edge because it is less likely to be dropped by firewalls. */
>      if (USI->ptech.rawicmpscan) {

Here the code is slightly wrong, not the comment. According to out
research, -PY should come after -PU. -PM should come last as it is the
worst single probe. I'm still going to leave only the top five probes
documented here, as the relative ordering of the less effective probes
is not so important.

> ==PATCH 2==
> WORDING
> In nmap.cc,
> -p when associated with -PO is referred to protocol numbers:
>
> --- nmap.cc
> +++ nmap.cc
> @@ -1201,7 +1201,7 @@
>          }
>        } else if (*optarg == 'O') {
>          if (ports.proto_ping_count > 0)
> -          fatal("Only one -PO option is allowed. Combine port ranges with commas.");
> +          fatal("Only one -PO option is allowed. Combine protocol ranges with commas.");
>          o.pingtype |= PINGTYPE_PROTO;
>          if (*(optarg + 1) != '\0') {
>            getpts_simple(optarg + 1, SCAN_PROTOCOLS, &ports.proto_ping_ports, &ports.proto_ping_count);

Good idea. I committed this.

> ==PATCH 3==
> COMMANDLINE PARSE FIX
> In nmap.cc,
> initialize scanflags value to -1 so that would return error on all malformed input eg "--scanflags A9":
>
> --- nmap.cc
> +++ nmap.cc
> @@ -127,7 +127,7 @@
>  
>  /* parse the --scanflags argument.  It can be a number >=0 or a string consisting of TCP flag names like 
> "URGPSHFIN".  Returns -1 if the argument is invalid. */
>  static int parse_scanflags(char *arg) {
> -  int flagval = 0;
> +  int flagval = -1;
>    char *end = NULL;
>  
>    if (isdigit((int) (unsigned char) arg[0])) {

This is wrong. It makes it return -1 even for valid strings like SYN.

> ==PATCH 4==
> DOC
> In nmap.cc,
> add -PY to available probes in the error message:
>
> --- nmap.cc
> +++ nmap.cc
> @@ -1212,7 +1210,7 @@
>            assert(ports.proto_ping_count > 0);
>          }
>        } else {
> -        fatal("Illegal Argument to -P, use -PN, -PO, -PI, -PB, -PE, -PM, -PP, -PA, -PU, -PT, or -PT80 (or whatever 
> number you want for the TCP probe destination port)");
> +        fatal("Illegal Argument to -P, use -PN, -PO, -PI, -PB, -PE, -PM, -PP, -PA, -PU, -PT, -PY or -PT80 (or 
> whatever port number you want to be probed)");
>        }
>        break;

Good idea, committed.

> ==PATCH 5==
> FEATURE?
> In docs/nmap.1, docs/nmap.usage.txt, nmap.h, nmap.cc,
> advertise (where lacks thereof) the explicit indication of SCTP scan (-sY||-sZ) probe ports ie: "-pS:ports"

You only need to change nmap.cc. nmap.usage.txt and nmap.1 are generated
automatically from the help output. I added the S: comment.

> and add a port range syntax complement to the square brackets [] one;
> it is a quick hack based on Doug Hoyte's code. Curly brackets {}, make
> scan in the range of ports specified only the ones not present in
> nmap-services, in other words the obscure, less used ones:

I'm not so sure about this. There aren't that many named ports, so if
you're looking for obscure ports you might as well scan them all. I
don't think [] is commonly used either; it exists mainly as a fallback
to previous behavior when you use a services file without frequency
measurements.

David Fifield
_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/