Dec 08 2006
I have just received the notice from the nmap-hackers mailing list; we are in luck, my favourite network auditing tool, nmap, has been revamped.
According to Fyodor, Nmap 4.20 comes with a new remote operating-system detection system;
“The most important change in this release is a 2nd generation OS
There are many more changes of great interest; some time ago I had downloaded the source code of the Alpha version and compiled it for OS X and Debian GNU/Linux, so I was already aware of many improvements, but this release is impressive ;-)
Download the new version of Nmap from here.
Below I include all of Fyodor's information about this new version;
Hello everyone, and happy holidays! For Christmas I’ve built you a
new stable (I hope) release of Nmap. Given the substantial number of
improvements since 4.11, this release deserves to be called 4.30. But
my pot-smoking friend insists on version number 4.20. So read on if
you’re ready for some packet smoking good times!
We worked for 6 months on this release and had more than a dozen
intervening ALPHA releases. For those of you who just want the goods
without reading through pages of changes, you can find 4.20 (including
the source, Windows binaries, and x86 and x86-64 Linux RPMs) at the
Nmap download page:
The most important change in this release is a 2nd generation OS
detection system. Nmap has supported OS fingerprinting since 1998,
and users have contributed so many fingerprints that Nmap has the most
comprehensive database of any tool — including thousands of
fingerprints representing more than 600 system types.
But it is time for something new. Nmap 4.20 includes a second
generation system, which utilizes some newer TCP/IP features (such as
selective ACK and explicit congestion notification) and benefits from
everything we have learned about OS detection in the last 8 years.
We are also starting from scratch with a new fingerprint database.
Thanks to many prolific contributors during the ALPHA release cycle,
the new database already contains 231 entries. This includes
everything from your common Linux and Windows boxes, to more obscure
systems such as Minix 3.1.2a and “Ember InSight Adapter for
programming EM2XX-family embedded devices”. Who doesn’t have a few of
those laying around?
If you find a system which isn’t yet detected, and Nmap considers the
fingerprint valid, you will be directed to the new submission page.
Please submit these as long as you are certain you know exactly what
Since the new database isn’t yet as comprehensive as the old one, the
1st generation system still exists in parallel. Nmap will normally
fall back to that if the new system fails to identify a target. You
can also specify -O1 to try only the first generation system, or -O2
to disable the fallback mechanism. As before, you can use
--osscan-guess for a more aggressive guess (now using better
In addition to being more accurate in distinguishing closely related
systems, this system is faster because it can handle many targets in
I would like to particularly thank Zhao Lei, who spent 2 summers
helping design and implement this new system. Thanks also go to the
Google Summer of Code program which sponsored his work. And of course
to everyone who has already submitted fingerprints.
The 2nd generation system is described in great detail at
http://insecure.org/nmap/osdetect/ . If you have suggestions for
improving the system, please email the nmap-dev list.
If OS detection just isn’t your thing, we have many dozens of other
improvements which might interest you. The full list is available at
http://insecure.org/nmap/changelog.html , and here are the highlights:
o Nmap now supports IP options with the new --ip-options flag. You
can specify any options in hex, or use “R” (record route), “T”
(record timestamp), “U” (record route & timestamp), “S [route]”
(strict source route), or “L [route]” (loose source route). Specify
--packet-trace to display IP options of responses. For further
information and examples, see http://insecure.org/nmap/man/ and
http://seclists.org/nmap-dev/2006/q3/0052.html . Thanks to Marek
Majkowski for writing and sending the patch.
o --packet-trace now reports IP and TCP options, if any. Thanks to
Zhao Lei for the patch.
o Added the --open option, which causes Nmap to show only open ports.
Ports in the states “open|closed” and “unfiltered” might be open, so
those are shown unless the host has an overwhelming number of them.
o Upgraded the included LibPCRE from version 6.4 to 6.7. Thanks to
Jochen Voss (voss(a)seehuhn.de) for the suggestion (he found some bugs
o Added --unprivileged option, which is the opposite of --privileged.
It tells Nmap to treat the user as lacking network raw socket and
sniffing privileges. This is useful for testing, debugging, or when
the raw network functionality of your operating system is somehow
o Applied, oh, about 50 small but useful cleanup patches from Kris
o Fixed a TCP sequence prediction difficulty indicator bug. The index
is supposed to go from 0 (“trivial joke”) to about 260 (OpenBSD).
But some systems generated ISNs so insecurely that Nmap went
berserk and reported a negative difficulty index. This generally
only affects some printers, crappy cable modems, and Microsoft
Windows (old versions). Thanks to Sebastian Garcia for helping me
track down the problem.
o Fixed (I hope) the “getinterfaces: intf_loop() failed” error which
was seen on Windows Vista. The problem was apparently in
intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to
MAX_IF_TYPE rather than 32). Thanks to Dan Griffin
(dan(a)jwsecure.com) for tracking this down! If anyone still has
trouble running Nmap on Vista, please let us know.
o NmapFE now uses a spin button for verbosity and debugging options so
that you can specify whatever verbosity (-v) or debugging (-d) level
you desire. The --randomize-hosts option was also added to NmapFE.
Thanks to Kris Katterjohn for the patches.
o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt), and also added
various unregistered virtual NIC prefixes used by virtualization
systems such as QEMU, Bochs, PearPC, and Cooperative Linux.
o Integrated all 2nd quarter service detection fingerprint
submissions. Please keep them coming! We now have 3,671 signatures
representing 415 protocols. Thanks to version detection czar Doug
Hoyte for doing this.
o Nmap now uses the (relatively) new libpcap pcap_get_selectable_fd
API on systems which support it. This means that we no longer need
to hack the included Pcap to better support Linux. So Nmap will now
link with an existing system libpcap by default on that platform if
one is detected. Thanks to Doug Hoyte for the patch.
o Updated the included libpcap from 0.9.3 to 0.9.4. The changes I
made are in libpcap/NMAP_MODIFICATIONS . By default, Nmap will now
use the included libpcap unless version 0.9.4 or greater is already
installed on the system.
o Fixed a bug which would occasionally cause Nmap to crash with the
message “log_vwrite: write buffer not large enough”.
o Nmap now provides progress statistics in the XML output in verbose
mode. Here are some examples of the format (etc is “estimated time
until completion”) and times are in UNIX time_t (seconds since 1970)
format. Angle braces have been replaced by square braces:
[taskbegin task="SYN Stealth Scan" time="1151384685" /]
[taskprogress task="SYN Stealth Scan" time="1151384715"
percent="13.85" remaining="187" etc="1151384902" /]
[taskend task="SYN Stealth Scan" time="1151384776" /]
[taskbegin task="Service scan" time="1151384776" /]
[taskend task="Service scan" time="1151384788" /]
Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
o Updated the Windows installer to give an option checkbox for
performing the Nmap performance registry changes. The default is to
do so. Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
o Added --release-memory option, which causes Nmap to release all
accessible memory buffers before quitting (rather than let the OS do
it). This is only useful for debugging memory leaks.
o Nmap no longer gets random numbers from OpenSSL when it is available
because that turned out to be slower than Nmap’s other methods
(e.g. /dev/urandom on Linux, /dev/arandom on OpenBSD, etc.). Thanks
to Marek Majkowski for reporting the problem.
o Dozens of bug fixes and some performance enhancements of various sorts.
o The man page has been updated to reflect all of these changes. See
Enjoy the new release, and mail nmap-dev if you find any problems.
Also keep those OS detection submissions (if you find an undetected
system) and corrections (for wrongly detected systems) coming!
As usual, I can’t hog all the credit for this release. Many people
contributed in substantial ways. For their contributions since 4.11,
I would particularly like to thank Adam Vartanian, Adriano Monteiro,
Brandon Enright, Christophe Thil, Cole Nevins, Craig Humphrey,
Christophe Thil, Dan Griffin, Diman Todorov, Doug Hoyte, Douglas
Calvert, Eddie Bell, Iron Reflex, Jochen Voss, Jon Passki, Julien
Delange, Justin Knox, Kurt Grutzmacher, Kris Katterjohn, KX, Marek
Majkowski, Michal Luczaj, Mike Crabtree, Robert Millan, Sebastian
Garcia, Sina Bahram, Steve Christensen, Thomas Buchana, Tibor Csogor,
and Zhao Lei
We’re now heading into another development cycle. The next big
feature we’re looking at is a scripting engine which allows you to
execute network and vulnerability discovery scripts in parallel
against target systems. You can learn more about the Nmap Scripting
Engine at http://insecure.org/nmap/nse/ , or join the development list
to actually test it out. We’re also looking at potentially replacing
NmapFE with the cross-platform UMIT GUI
That download page for Nmap 4.20 is, again:
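The per-task progress elements that the announcement above describes (taskbegin, taskprogress, taskend) are easy to consume from a monitoring script. The following Python is an added example, not code from the original post or from the Nmap project: it wraps the announcement's sample elements in a constructed root element, restores the angle brackets, computes how long each task took, and checks that each progress estimate (etc) equals time + remaining and how far the final taskend landed from it.

```python
"""Parse the per-task progress elements that Nmap 4.20 adds to verbose XML
output (taskbegin / taskprogress / taskend) and derive per-task timing."""
import xml.etree.ElementTree as ET

# Constructed sample: the elements quoted in the announcement, with the
# square brackets restored to angle brackets and wrapped in a root element
# (the wrapping is an assumption so the fragment parses stand-alone).
SAMPLE_XML = """<nmaprun>
<taskbegin task="SYN Stealth Scan" time="1151384685" />
<taskprogress task="SYN Stealth Scan" time="1151384715"
    percent="13.85" remaining="187" etc="1151384902" />
<taskend task="SYN Stealth Scan" time="1151384776" />
<taskbegin task="Service scan" time="1151384776" />
<taskend task="Service scan" time="1151384788" />
</nmaprun>"""


def task_durations(xml_text):
    """Return {task name: elapsed seconds} for every task that has both a
    taskbegin and a taskend element (times are UNIX time_t values)."""
    root = ET.fromstring(xml_text)
    begins = {e.get("task"): int(e.get("time")) for e in root.iter("taskbegin")}
    durations = {}
    for e in root.iter("taskend"):
        name = e.get("task")
        if name in begins:
            durations[name] = int(e.get("time")) - begins[name]
    return durations


def check_progress(xml_text):
    """For each taskprogress element, report whether etc == time + remaining
    and how many seconds the real taskend differed from the estimate
    (negative means the task finished earlier than Nmap predicted)."""
    root = ET.fromstring(xml_text)
    ends = {e.get("task"): int(e.get("time")) for e in root.iter("taskend")}
    results = []
    for e in root.iter("taskprogress"):
        name = e.get("task")
        t, rem, etc = (int(e.get(k)) for k in ("time", "remaining", "etc"))
        results.append({
            "task": name,
            "percent": float(e.get("percent")),
            "etc_consistent": t + rem == etc,
            "actual_minus_etc": ends[name] - etc if name in ends else None,
        })
    return results
```

On the announcement's own sample the SYN scan took 91 s and the service scan 12 s, and the 13.85% estimate was consistent but pessimistic: the scan finished 126 s before the predicted completion time.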