# Nmap Changelog ($Id: CHANGELOG 2842 2005-09-07 22:37:43Z fyodor $)o Added the ability for Nmap to send and properly route raw ethernet  packets cointaining IP datagrams rather than always sending the  packets via raw sockets. This is particularly useful for Windows,  since Microsoft has disabled raw socket support in XP for no good  reason.  Nmap tries to choose the best method at runtime based on  platform, though you can override it with the new --send_eth and  --send_ip options.o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to  determine whether hosts on a LAN are up, rather than relying on  higher-level IP packets (which can only be sent after a successful  ARP request and reply anyway).  This is much faster and more  reliable (not subject to IP-level firewalling) than IP-based probes.  The downside is that it only works when the target machine is on the  same LAN as the scanning machine.  It is now used automatically for  any hosts that are detected to be on a local ethernet network,  unless --send_ip was specified.  Example usage: nmap -sP -PR  192.168.0.0/16 .o Added the --spoof_mac option, which asks Nmap to use the given MAC  address for all of the raw ethernet frames it sends.  The MAC given  can take several formats.  If it is simply the string "0", Nmap  chooses a completely random MAC for the session.  If the given  string is an even number of hex digits (with the pairs optionally  separated by a colon), Nmap will use those as the MAC.  If less than  12 hex digits are provided, Nmap fills in the remainder of the 6  bytes with random values.  If the argument isn't a 0 or hex string,  Nmap looks through the nmap-mac-prefixes to find a vendor name  containing the given string (it is case insensitive).  If a match is  found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the  remaining 3 bytes randomly.  Valid --spoof_mac argument examples are  "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and  "Cisco".o Applied an enormous nmap-service-probes (version detection) update  from SoC student Doug Hoyte (doug(a)hcsw.org).  Version 3.81 had  1064 match lines covering 195 service protocols.  Now we have 2865  match lines covering 359 protocols!  So the database size has nearly  tripled!  This should make your -sV scans quicker and more  accurate.  Thanks also go to the (literally) thousands of you who  submitted service fingerprints.  Keep them coming!o Applied a massive OS fingerprint update from Zhao Lei  (zhaolei(a)gmail.com).  About 350 fingerprints were added, and many  more were updated.  Notable additions include Mac OS X 10.4 (Tiger),  OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along  with a new "robotic pet" device type category), the latest Linux 2.6  kernels Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64  UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO  3.8.X, and Solaris 10.  Of course there are also tons of new  broadband routers, printers, WAPs and pretty much any other device  you can coax an ethernet cable (or wireless card) into!o Added 'leet ASCII art to the confugrator!  ARTIST NOTE: If you think  the ASCII art sucks, feel free to send me alternatives.  Note that  only people compiling the UNIX source code get this. (ASCII artist  unknown).o Nmap on Windows now compiles/links with the new WinPcap 3.1  header/lib files. So please upgrade to 3.1 from  http://www.winpcap.org before installing this version of Nmap.  While older versions may still work, they aren't supported with Nmap.o Nmap distribution signing has changed. Release files are now signed  with a new Nmap Project GPG key (KeyID 6B9355D0).  Fyodor has also  generated a new key for himself (KeyID 33599B5F).  The Nmap key has  been signed by Fyodor's new key, which has been signed by Fyodor's  old key so that you know they are legit.  The new keys are available  at http://www.insecure.org/nmap/data/nmap_gpgkeys.txt , as  docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public  keyserver network.  Here are the fingerprints:    pub  1024D/33599B5F 2005-04-24         Key fingerprint = BB61 D057 C0D7 DCEF E730  996C 1AF6 EC50 3359 9B5F    uid  Fyodor <fyodor@insecure.org>    sub  2048g/D3C2241C 2005-04-24    pub  1024D/6B9355D0 2005-04-24         Key fingerprint = 436D 66AB 9A79 8425 FDA0  E3F8 01AF 9F03 6B93 55D0    uid  Nmap Project Signing Key (http://www.insecure.org/)    sub  2048g/A50A6A94 2005-04-24o Fixed a crash problem related to non-portable varargs (vsnprintf)  usage. Reports of this crash came from Alan William Somers  (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).  This patch was prevalent on Linux boxes running an Opteron/Athlon64  CPU in 64-bit mode.o Fixed crash when Nmap is compiled using gcc 4.X by adding the  --fno-strict-aliasing option when that compiler is detected.  Thanks  to Greg Darke (starstuff(a)optusnet.com.au) for discovering that  this option fixes (hides) the problem and to Duilio J. Protti  (dprotti(a)flowgate.net) for writing the configure patch to detect  gcc 4 and add the option.  A better fix is to identify and rewrite  lines that violate C99 alias rules, and we are looking into that.o Added "rarity" feature to Nmap version detection.  This causes  obscure probes to be skipped when they are unlikely to help.  Each  probe now has a "rarity" value.  Probes that detect dozens of  services such as GenericLines and GetRequest have rarity values of  1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.  When interrogating a port, Nmap always tries probes registered to  that port number.  So even WWWOFFLEctrlstat will be tried against  port 8081 and mydoom will be tried against open ports between 3127  and 3198.  If none of the registered ports find a match, Nmap tries  probes that have a rarity less than or equal to its current  intensity level.  The intensity level defaults to 7 (so that most of  the probes are done).  You can set the intensity level with the new  --version_intensity option.  Alternatively, you can just use  --version_light or --version_all which set the intensity to 2 (only  try the most important probes and ones registered to the port  number) and 9 (try all probes), respectively.  --version_light is  much faster than default version detection, but also a bit less  likely to find a match.  This feature was designed and implemented  by Doug Hoyte (doug(a)hcsw.org).o Added a "fallback" feature to the nmap-service-probes database.  This allows a probe to "inherit" match lines from other probes.  It  is currently only used for the HTTPOptions, RTSPRequest, and  SSLSessionReq probes to inherit all of the match lines from  GetRequest.  Some servers don't respond to the Nmap GetRequest (for  example because it doesn't include a Host: line) but they do respond  to some of those other 3 probes in ways that GetRequest match lines  are general enough to match.  The fallback construct allows us to  benefit from these matches without repeating hundreds of signatures  in the file.  This is another feature designed and implemented  by Doug Hoyte (doug(a)hcsw.org).o Fixed crash with certain --excludefile or  --exclude arguments.  Thanks to Kurt Grutzmacher  (grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for  reporting the problem, and to Duilio J. Protti  (dprotti(a)flowgate.net) for debugging the issue and sending the  patch.o Updated random scan (ip_is_reserved()) to reflect the latest IANA  assignments.  This patch was sent in by Felix Groebert  (felix(a)groebert.org).o Included new Russian man page translation by  locco_bozi(a)Safe-mail.neto Applied pach from Steve Martin (smartin(a)stillsecure.com) which  standardizes many OS names and corrects typos in nmap-os-fingerprints.o Fixed a crash found during certain UDP version scans.  The crash was  discovered and reported by Ron (iago(a)valhallalegends.com) and fixed  by Doug Hoyte (doug(a)hcsw.com).o Added --iflist argument which prints a list of system interfaces and  routes detected by Nmap.o Fixed a protocol scan (-sO) problem which led to the error message:  "Error compiling our pcap filter: syntax error".  Thanks to Michel  Arboi (michel(a)arboi.fr.eu.org) for reporting the problem.o Fixed an Nmap version detection crash on Windows which led to the  error message "Unexpected error in NSE_TYPE_READ callback.  Error  code: 10053 (Unknown error)".  Thanks to Srivatsan  (srivatsanp(a)adventnet.com) for reporting the problem.o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers  (TSellers(a)trustmark.com).o Applied some changes from  Gisle Vanem (giva(a)bgnett.no) to make  Nmap compile with Cygwin.o XML "osmatch" element now has a "line" attribute giving the  reference fingerprint line number in nmap-os-fingerprints.o Added a distcc probes and a bunch of smtp matches from Dirk Mueller  (mueller(a)kde.org) to nmap-service-probes.  Also added AFS version  probe and matches from Lionel Cons (lionel.cons(a)cern.ch).  And  even more probes and matches from Martin Macok  (martin.macok(a)underground.cz)o Fixed a problem where Nmap compilation would use header files from  the libpcap included with Nmap even when it was linking to a system  libpcap.  Thanks to Solar Designer (solar(a)openwall.com) and Okan  Demirmen (okan(a)demirmen.com) for reporting the problem.o Added configure option --with-libpcap=included to tell Nmap to use  the version of libpcap it ships with rather than any that may already be  installed on the system.  You can still use --with-libpcap=[dir] to  specify that a system libpcap be installed rather than the shipped  one.  By default, Nmap looks at both and decides which one is likely  to work best.  If you are having problems on Solaris, try  --with-libpcap=included .o Changed the --no-stylesheet option to --no_stylesheet to be  consistant with all of the other Nmap options.  Though I'm starting to  like hyphens a bit better than underscores and may change all of the  options to use hyphens instad at some point.o Added "Exclude" directive to nmap-service-probes grammar which  causes version detection to skip listed ports.  This is helpful for  ports such as 9100.  Some printers simply print any data sent to  that port, leading to pages of HTTP requests, SMB queries, X Windows  probes, etc.  If you really want to scan all ports, specify  --allports.  This patch came from Doug Hoyte (doug(a)hcsw.org).o Added a stripped-down and heavily modified version of Dug Song's  libdnet networking library (v. 1.10).  This helps with the new raw  ethernet features.  My (extensive) changes are described in  libdnet-stripped/NMAP_MODIFICATIONSo Removed WinIP library (and all Windows raw sockets code) since MS  has gone and broken raw sockets.  Maybe packet receipt via raw  sockets will come back at some point.  As part of this removal, the  Windows-specific --win_help, --win_list_interfaces, --win_norawsock,  --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,  and --win_trace options have been removed.o Chagned the interesting ports array from a 65K-member array of  pointers into an STL list.  This noticeable reduces memory usage in  some cases, and should also give a slight runtime performance  boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).o Removed the BSDFIX/BSDUFIX macros.  The underlying bug in  FreeBSD/NetBSD is still there though.  When an IP packet is sent  through a raw socket, these platforms require the total length and  fragmentation offset fields of an IP packet to be in host byte order  rather than network byte order, even though all the other fields  must be in NBO.  I believe that OpenBSD fixed this a while back.  Other platforms, such as Linux, Solaris, Mac OS X, and Windows take  all of the fields in network byte order.  While I removed the macro,  I still do the munging where required so that Nmap still works on  FreeBSD.o Integrated many nmap-service-probes changes from Bo Jiang  (jiangbo(a)brandeis.edu)o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri  (eilon(a)aristo.tau.ac.il)o Added some new RPC services to nmap-rpc thanks to a patch from  vlad902 (vlad902(a)gmail.com).o Fixed a bug where Nmap would quit on Windows whenever it encountered  a raw scan of localhost (including the local ethernet interface  address), even when that was just one address out of a whole network  being scanned.  Now Nmap just warns that it is skipping raw scans when  it encounters the local IP, but continues on to scan the rest of the  network.  Raw scans do not currently work against local IP addresses  because Winpcap doesn't support reading/writing localhost interfaces  due to limitations of Windows.o The OS fingerprint is now provided in XML output if debugging is  enabled (-d) or verbosity is at least 2 (-v -v).  This patch was  sent by Okan Demirmen (okan(a)demirmen.com)o Fixed the way tcp connect scan (-sT) respons to ICMP network  unreachable responses (patch by Richard Moore  (rich(a)westpoint.ltd.uk).o Update random host scan (-iR) to support the latest IANA-allocated  ranges, thanks to patch by Chad Loder (cloder(a)loder.us).o Updated GNU shtool (a helper program used during 'make install' to  version 2.0.2, which fixes a predictable temporary filename  weakness discovered by Eric Raymond.o Removed addport element from XML DTD, since it is no longer used  (sugested by Lionel Cons (lionel.cons(a)cern.ch)o Added new --privileged command-line option and NMAP_PRIVILEGED  environmental variable.  Either of these tell Nmap to assume that  the user has full privileges to execute raw packet scans, OS