The coolest feature is a new scan type -- Idlescan!
The quick synopsis is that this is a completely blind scan (meaning no
packets are sent to the target from your real IP address). Instead, a
unique side-channel attack exploits predictable "IP fragmentation ID"
sequence generation on the zombie host to glean information about the
open ports on the target.
-- Added a whole bunch of new OS fingerprints (and adjustments)
ranging from big important ones (Linux 2.4.X, OpenBSD 2.9, FreeBSD
4.3, Cisco 12.2.1, MacOS X, etc) to some that are more obscure (
such as Apple Color LaserWriter 12/660 PS and VirtualAccess
LinxpeedPro 120 )
-- Tweaked TCP Timestamp and IP.ID sequence classification algorithms
+ fixes a problem that kept UDP RPC scanning from working unless you were
also doing a TCP scan.
+ updated to latest version of rpc program number list
* Added ACK scanning. This scan technique is great for testing firewall
rulesets. It can NOT find open ports, but it can distinguish between
filtered/unfilterd by sending an ACK packet to each port and waiting for
a RST to come back. Filtered ports will not send back a RST (or will
send ICMP unreachables). This scan type is activated with -sA .
* Documented the Window scan (-sW)
* "Protocol" field in output eliminated. It is now printed right
next to the number (/etc/services style). Like "22/tcp".
* Added --resume option to continue a large network scan where you left off.
It also allows you to start and stop for policy reasons
* Added "firewall mode" timing optimizations which can decrease the
amount of time neccessary to SYN or connect scan some heavily filtered
hosts.
* Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS
called Snort was using this to detect Nmap TCP pings).
* better FDDI support
* changes which should lead to tremendous speedups against some firewalled
hosts.
* Added sophisticated timing controls to give the user much more control
over Nmap's speed. This allows you to make Nmap much more aggressive to
scan hosts faster, or you can make Nmap more "polite" -- slower but less
likely to wreak havoc on your Network. You can even enforce large delays
between sending packets to sneak under IDS thresholds and prevent
detection. See the new "Timing Options" section of the Nmap man page for
more information on using this.
* New "Window scan" that does fun things with ACK packets. -sW activates
this scan type. It is mostly effective against BSD, AIX, Digital UNIX, and
various older HP/UX, SunOS, and VAX.
[Has anyone figured-out what makes the number 393 so interesting to PW, now?]
I wonder what was going through Jordan's head during his infamous
$Id$-smashing commit.
Before I forget....
Thanks to naddy@mips.rhein-neckar.de (Christian Weisgerber) for prompting
this commit. See msg-id: 7geokh$tje$1@mips.rhein-neckar.de
