Subject: Re: pkg/10225: nmap 2.54beta1 port for netbsd ready.
To: None <hubertf@netbsd.org>
From: Mipam <mipam@ibb.net>
List: netbsd-bugs
Date: 05/30/2000 14:57:00
Here is the patch Andrew refers to, together with his description of what it does:

From: Andrew Brown <atatat@atatdot.net>
Date: Thu, 20 Apr 2000 19:21:31 -0400
To: Fyodor <fyodor@insecure.org>
Cc: nmap-hackers@insecure.org

>I am pleased to announce that Nmap 2.30BETA20 has been released.  It
>contains a few bugfixes and is a stable release candidate.  I plan to
>release the next stable version within a week.  It may just be 2.30BETA20
>with the version number changed.  So try it out and let me know if you 
>find any problems.

hopefully you're not too close to actually cutting the release that
you can't roll in one nifty new feature.

attached is a patch that allows nmap to detect cisco equipment in a
way similar to a syn scan.  here's a demo:

# ./nmap -sC 204.17.3.0/24

Starting nmap V. 2.30BETA20 by fyodor@insecure.org ( www.insecure.org/nmap/ )
Host   (204.17.3.0) seems to be a subnet broadcast address (returned 25 extra pings).  Still scanning it.
Host  (204.17.3.1) appears to be a cisco.
Host  (204.17.3.47) appears to be a cisco.
Host   (204.17.3.255) seems to be a subnet broadcast address (returned 25 extra pings).  Still scanning it.
Nmap run completed -- 256 IP addresses (68 hosts up) scanned in 7 seconds

i mainly hacked it in around the syn scan code, but with only one port
in mind: 1999/tcp.  cisco's will usually not have any processes
listening on this port and will respond with the expected reset
packet.  the trick is that ciscos put six bytes of data (that are not
accounted for in the ip packet length or tcp data length numbers) at
the end of the reset packet that say "cisco\0".

there's also a small patch to services.c to ignore a couple of
protocol types sometimes found in /etc/services that nmap doesn't
handle (reducing the number of complaints when running it with a few
-d's).

i'd also like to suggest that you distribute the "massive" services
file that i've been maintaining for a year or so at

    http://www.graffiti.com/services

as the nmap-services file.  it's basically a large merge of the iana
port-numbers list and the services files from solaris, the bsds, a few
linuxes, and some submissions i've gotten, giving a really nice big
list.  it's really good for scanning *everything*.  :)

-- 
|-----< "CODE WARRIOR" >-----|
codewarrior@daemon.org             * "ah!  i see you have the internet
twofsonet@graffiti.com (Andrew Brown)                that goes *ping*!"
andrew@crossbar.com       * "information is power -- share the wealth."

diff -cr nmap-2.30BETA20.orig/global_structures.h nmap-2.30BETA20/global_structures.h
*** nmap-2.30BETA20.orig/global_structures.h	Sat Apr  8 15:59:42 2000
--- nmap-2.30BETA20/global_structures.h	Tue Apr 11 18:33:47 2000
***************
*** 199,204 ****
--- 199,205 ----
    int xmasscan;
    int fragscan;
    int synscan;
+   int ciscoscan;
    int windowscan;
    int maimonscan;
    int finscan;
***************
*** 210,216 ****
    FILE *nmap_stdout; /* Nmap standard output */
  };
    
! typedef enum { ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, RPC_SCAN, MAIMON_SCAN } stype;
  
  #endif /*GLOBAL_STRUCTURES_H */
  
--- 211,217 ----
    FILE *nmap_stdout; /* Nmap standard output */
  };
    
! typedef enum { ACK_SCAN, SYN_SCAN, FIN_SCAN, XMAS_SCAN, UDP_SCAN, CONNECT_SCAN, NULL_SCAN, WINDOW_SCAN, RPC_SCAN, MAIMON_SCAN, CISCO_SCAN } stype;
  
  #endif /*GLOBAL_STRUCTURES_H */
  
diff -cr nmap-2.30BETA20.orig/nmap.c nmap-2.30BETA20/nmap.c
*** nmap-2.30BETA20.orig/nmap.c	Mon Apr 10 04:19:42 2000
--- nmap-2.30BETA20/nmap.c	Thu Apr 20 17:29:48 2000
***************
*** 549,554 ****
--- 549,555 ----
  	case 'A': o.ackscan = 1; break;
  	case 'B':  fatal("No scan type 'B', did you mean bounce scan (-b)?");
  	  break;
+ 	case 'C':  o.ciscoscan = 1; break;
  	case 'F':  o.finscan = 1; break;
  	case 'M':  o.maimonscan = 1; break;
  	case 'N':  o.nullscan = 1; break;
***************
*** 621,627 ****
  
    /* Now we check the option sanity */
    /* Insure that at least one scantype is selected */
!   if (!o.connectscan && !o.udpscan && !o.synscan && !o.windowscan && !o.finscan && !o.maimonscan &&  !o.nullscan && !o.xmasscan && !o.ackscan && !o.bouncescan && !o.pingscan) {
      o.connectscan++;
      if (o.verbose) error("No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).");
    }
--- 622,628 ----
  
    /* Now we check the option sanity */
    /* Insure that at least one scantype is selected */
!   if (!o.connectscan && !o.udpscan && !o.synscan && !o.windowscan && !o.finscan && !o.maimonscan &&  !o.nullscan && !o.xmasscan && !o.ackscan && !o.bouncescan && !o.pingscan && !o.ciscoscan) {
      o.connectscan++;
      if (o.verbose) error("No tcp,udp, or ICMP scantype specified, assuming vanilla tcp connect() scan. Use -sP if you really don't want to portscan (and just want to see what hosts are up).");
    }
***************
*** 634,647 ****
      error("WARNING:  -S will not affect the source address used in a connect() scan.  Use -sS or another raw scan if you want to use the specified source address for the port scanning stage of nmap");
    }
  
    if (fastscan && ports) {
      fatal("You can specify fast scan (-F) or explicitly select individual ports (-p), but not both");
    } else if (fastscan) {
!     ports = getfastports(o.windowscan|o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan|o.ackscan,o.udpscan);
    }
  
    if (o.pingscan && ports) {
!     fatal("You cannot use -F (fast scan) or -p (explicit port selection) with PING scan");
    }
  
    if (o.pingscan && fastscan) {
--- 635,656 ----
      error("WARNING:  -S will not affect the source address used in a connect() scan.  Use -sS or another raw scan if you want to use the specified source address for the port scanning stage of nmap");
    }
  
+   if (o.ciscoscan)
+     if (ports)
+       fatal("You cannot specify ports to use with a cisco scan");
+     else if (fastscan)
+       fatal("You cannot use fastscan with cisco scan");
+     else 
+       ports=getpts("1999");
+ 
    if (fastscan && ports) {
      fatal("You can specify fast scan (-F) or explicitly select individual ports (-p), but not both");
    } else if (fastscan) {
!     ports = getfastports(o.windowscan|o.ciscoscan|o.synscan|o.connectscan|o.fragscan|o.finscan|o.maimonscan|o.bouncescan|o.nullscan|o.xmasscan|o.ackscan,o.udpscan);
    }
  
    if (o.pingscan && ports) {
!     fatal("You cannot use -F (fast scan), -sC (cisco scan) or -p (explicit port selection) with PING scan");
    }
  
    if (o.pingscan && fastscan) {
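Review bot: The added cisco-scan block hangs an unbraced `if (ports) … else if (fastscan) … else …` chain under an unbraced `if (o.ciscoscan)`, which reads ambiguously and draws dangling-else warnings, even though the `else` arms do bind to the inner `if` as intended. Brace the outer test, `if (o.ciscoscan) { … }`, and consider a named constant for the probe port instead of the bare `"1999"`, e.g. `#define CISCO_PROBE_PORT "1999"` (constructed name). Because this block either calls `fatal()` or leaves `fastscan` at zero on every `-sC` run, the `o.ciscoscan` term added to the `getfastports(…)` call just below can never be reached with the flag set.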
***************
*** 658,664 ****
    if (!o.tcp_probe_port) o.tcp_probe_port = 80;
  
  
!   if (o.pingscan && (o.connectscan || o.udpscan || o.windowscan || o.synscan || o.finscan || o.maimonscan ||  o.nullscan || o.xmasscan || o.ackscan || o.bouncescan)) {
      fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
    }
  
--- 667,673 ----
    if (!o.tcp_probe_port) o.tcp_probe_port = 80;
  
  
!   if (o.pingscan && (o.connectscan || o.udpscan || o.windowscan || o.synscan || o.ciscoscan || o.finscan || o.maimonscan ||  o.nullscan || o.xmasscan || o.ackscan || o.bouncescan)) {
      fatal("Ping scan is not valid with any other scan types (the other ones all include a ping scan");
    }
  
***************
*** 670,676 ****
        o.pingtype = PINGTYPE_TCP;
      }
  
!     if (o.finscan || o.windowscan || o.synscan || o.maimonscan || o.nullscan || o.xmasscan || o.ackscan
  	|| o.udpscan ) {
        fatal("You requested a scan type which requires r00t privileges, and you do not have them.\n");
      }
--- 679,685 ----
        o.pingtype = PINGTYPE_TCP;
      }
  
!     if (o.finscan || o.windowscan || o.synscan || o.ciscoscan || o.maimonscan || o.nullscan || o.xmasscan || o.ackscan
  	|| o.udpscan ) {
        fatal("You requested a scan type which requires r00t privileges, and you do not have them.\n");
      }
***************
*** 695,702 ****
    if (o.bouncescan && o.pingtype != PINGTYPE_NONE) 
      log_write(LOG_STDOUT, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan\n");
  
!   if (o.connectscan + o.windowscan + o.synscan + o.finscan + o.maimonscan + o.xmasscan + o.nullscan + o.ackscan  > 1) {
!     fatal("You specified more than one type of TCP scan.  Please choose only one of -sT, -sS, -sF, -sM, -sX, -sA, -sW, and -sN");
    }
  
    if (o.numdecoys > 0 && (o.bouncescan || o.connectscan)) {
--- 704,711 ----
    if (o.bouncescan && o.pingtype != PINGTYPE_NONE) 
      log_write(LOG_STDOUT, "Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan\n");
  
!   if (o.connectscan + o.windowscan + o.synscan + o.ciscoscan + o.finscan + o.maimonscan + o.xmasscan + o.nullscan + o.ackscan  > 1) {
!     fatal("You specified more than one type of TCP scan.  Please choose only one of -sT, -sS, -sF, -sM, -sX, -sA, -sW, -sC, and -sN");
    }
  
    if (o.numdecoys > 0 && (o.bouncescan || o.connectscan)) {
***************
*** 704,710 ****
    }
  
    if (o.fragscan && (o.connectscan || 
! 		     (o.udpscan && (o.windowscan + o.synscan + o.finscan + o.maimonscan + 
  				    o.xmasscan + o.ackscan + o.nullscan == 0))))
      fatal("Fragmentation scan can only be used with SYN, FIN, Maimon, XMAS, ACK, or NULL scan types");
   
--- 713,719 ----
    }
  
    if (o.fragscan && (o.connectscan || 
! 		     (o.udpscan && (o.windowscan + o.synscan + o.ciscoscan + o.finscan + o.maimonscan + 
  				    o.xmasscan + o.ackscan + o.nullscan == 0))))
      fatal("Fragmentation scan can only be used with SYN, FIN, Maimon, XMAS, ACK, or NULL scan types");
   
***************
*** 869,874 ****
--- 878,884 ----
  
        }
        else {
+ 	printf("currenths->flags %x\n",currenths->flags);
  	if (currenths->flags & HOST_UP) {  
  	  log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT,"Host %s (%s) appears to be up.\n", currenths->name, inet_ntoa(currenths->host));
  	  log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Up\n", inet_ntoa(currenths->host), currenths->name);
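Review bot: The added `printf("currenths->flags %x\n",currenths->flags);` looks like leftover debugging. It runs unconditionally for every host that reaches this branch and writes straight to stdout instead of going through `log_write`, so it ends up interleaved with results that scripts may parse. Drop it, or gate it as `if (o.debugging) log_write(LOG_STDOUT, "currenths->flags %x\n", currenths->flags);`. The enclosing `else` branch starts outside the hunk.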
***************
*** 898,904 ****
        if (currenths->flags & HOST_UP /*&& !currenths->wierd_responses*/ &&
  	  !o.pingscan) {
     
! 	if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && ( o.windowscan || o.synscan || o.finscan || o.maimonscan || o.udpscan || o.nullscan || o.xmasscan || o.ackscan )) {
  	  if (gethostname(myname, MAXHOSTNAMELEN) || 
  	      !(target = gethostbyname(myname)))
  	    fatal("Cannot get hostname!  Try using -S <my_IP_address> or -e <interface to scan through>\n"); 
--- 908,914 ----
        if (currenths->flags & HOST_UP /*&& !currenths->wierd_responses*/ &&
  	  !o.pingscan) {
     
! 	if (currenths->flags & HOST_UP && !currenths->source_ip.s_addr && ( o.windowscan || o.synscan || o.ciscoscan || o.finscan || o.maimonscan || o.udpscan || o.nullscan || o.xmasscan || o.ackscan )) {
  	  if (gethostname(myname, MAXHOSTNAMELEN) || 
  	      !(target = gethostbyname(myname)))
  	    fatal("Cannot get hostname!  Try using -S <my_IP_address> or -e <interface to scan through>\n"); 
***************
*** 910,922 ****
  	}
     
  	/* Figure out what link-layer device (interface) to use (ie eth0, ppp0, etc) */
! 	if (!*currenths->device && currenths->flags & HOST_UP && (o.nullscan || o.xmasscan || o.ackscan || o.udpscan || o.finscan || o.maimonscan ||  o.synscan || o.osscan || o.windowscan) && (ipaddr2devname( currenths->device, &currenths->source_ip) != 0))
  	  fatal("Could not figure out what device to send the packet out on!  You might possibly want to try -S (but this is probably a bigger problem).  If you are trying to sp00f the source of a SYN/FIN scan with -S <fakeip>, then you must use -e eth0 (or other devicename) to tell us what interface to use.\n");
  	/* Set up the decoy */
  	o.decoys[o.decoyturn] = currenths->source_ip;
     
  	/* Time for some actual scanning! */    
  	if (o.synscan) pos_scan(currenths, ports, SYN_SCAN);
  	if (o.windowscan) pos_scan(currenths, ports, WINDOW_SCAN);
  	if (o.connectscan) pos_scan(currenths, ports, CONNECT_SCAN);      
  	if (o.ackscan) pos_scan(currenths, ports, ACK_SCAN);
--- 920,933 ----
  	}
     
  	/* Figure out what link-layer device (interface) to use (ie eth0, ppp0, etc) */
! 	if (!*currenths->device && currenths->flags & HOST_UP && (o.nullscan || o.xmasscan || o.ackscan || o.udpscan || o.finscan || o.maimonscan ||  o.synscan || o.ciscoscan || o.osscan || o.windowscan) && (ipaddr2devname( currenths->device, &currenths->source_ip) != 0))
  	  fatal("Could not figure out what device to send the packet out on!  You might possibly want to try -S (but this is probably a bigger problem).  If you are trying to sp00f the source of a SYN/FIN scan with -S <fakeip>, then you must use -e eth0 (or other devicename) to tell us what interface to use.\n");
  	/* Set up the decoy */
  	o.decoys[o.decoyturn] = currenths->source_ip;
     
  	/* Time for some actual scanning! */    
  	if (o.synscan) pos_scan(currenths, ports, SYN_SCAN);
+ 	if (o.ciscoscan) pos_scan(currenths, ports, CISCO_SCAN);
  	if (o.windowscan) pos_scan(currenths, ports, WINDOW_SCAN);
  	if (o.connectscan) pos_scan(currenths, ports, CONNECT_SCAN);      
  	if (o.ackscan) pos_scan(currenths, ports, ACK_SCAN);
***************
*** 946,952 ****
  	  log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Timeout", 
  			   inet_ntoa(currenths->host), currenths->name);
  	}
! 	else if (!o.pingscan) {
  	  assignignoredportstate(&currenths->ports);
  	  printportoutput(currenths, &currenths->ports);
  	  resetportlist(&currenths->ports);
--- 957,963 ----
  	  log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Timeout", 
  			   inet_ntoa(currenths->host), currenths->name);
  	}
! 	else if (!o.pingscan && !o.ciscoscan) {
  	  assignignoredportstate(&currenths->ports);
  	  printportoutput(currenths, &currenths->ports);
  	  resetportlist(&currenths->ports);
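Review bot: Adding `&& !o.ciscoscan` skips `resetportlist(&currenths->ports)` along with the two output calls, yet the CISCO_SCAN branch elsewhere in this patch still sets `newstate = PORT_CLOSED` for the probed port. If that state is recorded in `currenths->ports` (the recording code is not visible here), the list is never reset for cisco-scanned hosts. It looks safer to suppress only the printing and keep the reset, e.g. `else if (!o.pingscan) { if (!o.ciscoscan) { … print … } resetportlist(&currenths->ports); }`. The surrounding if/else chain begins before the hunk.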
***************
*** 2361,2367 ****
     
    /* Init our raw socket */
    if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || 
!       (scantype == ACK_SCAN)) {  
      if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
        pfatal("socket troubles in pos_scan");
      /* We do not wan't to unblock the socket since we want to wait 
--- 2372,2378 ----
     
    /* Init our raw socket */
    if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || 
!       (scantype == ACK_SCAN) || (scantype == CISCO_SCAN)) {  
      if ((rawsd = socket(AF_INET, SOCK_RAW, IPPROTO_RAW)) < 0 )
        pfatal("socket troubles in pos_scan");
      /* We do not wan't to unblock the socket since we want to wait 
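Review bot: The four-way test `(scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN) || (scantype == CISCO_SCAN)` is now spelled out here and again in the retransmit, first-send and `get_syn_results` hunks below, so the next raw scan type has to be added in four places. A small predicate would keep them in step, for example `#define IS_RAW_TCP_SCAN(t) ((t) == SYN_SCAN || (t) == WINDOW_SCAN || (t) == ACK_SCAN || (t) == CISCO_SCAN)` (constructed name). The body of pos_scan extends beyond each of these hunks.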
***************
*** 2409,2415 ****
        fatal("Error compiling our pcap filter: %s\n", pcap_geterr(pd));
      if (pcap_setfilter(pd, &fcode) < 0 )
        fatal("Failed to set the pcap filter: %s\n", pcap_geterr(pd));
!     if (scantype == SYN_SCAN)
        scanflags = TH_SYN;
      else
        scanflags = TH_ACK;
--- 2420,2426 ----
        fatal("Error compiling our pcap filter: %s\n", pcap_geterr(pd));
      if (pcap_setfilter(pd, &fcode) < 0 )
        fatal("Failed to set the pcap filter: %s\n", pcap_geterr(pd));
!     if (scantype == SYN_SCAN || scantype == CISCO_SCAN)
        scanflags = TH_SYN;
      else
        scanflags = TH_ACK;
***************
*** 2442,2447 ****
--- 2453,2460 ----
    if (o.debugging || o.verbose) {  
      if (scantype == SYN_SCAN)
        log_write(LOG_STDOUT, "Initiating SYN half-open stealth scan against %s (%s)\n", target->name, inet_ntoa(target->host));
+     else if (scantype == CISCO_SCAN)
+       log_write(LOG_STDOUT, "Initiating cisco stealth scan against %s (%s)\n",target->name, inet_ntoa(target->host)); 
      else if (scantype == CONNECT_SCAN)
        log_write(LOG_STDOUT, "Initiating TCP connect() scan against %s (%s)\n",target->name, inet_ntoa(target->host)); 
      else if (scantype == WINDOW_SCAN) {    
***************
*** 2565,2571 ****
  		current->trynum++;
  		gettimeofday(&current->sent[current->trynum], NULL);
  		now = current->sent[current->trynum];
! 		if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN)) {	      
  		  if (o.fragscan)
  		    send_small_fragz_decoys(rawsd, &target->host, sequences[current->trynum], o.magic_port + tries * 3 + current->trynum, current->portno, scanflags);
  		  else 
--- 2578,2584 ----
  		current->trynum++;
  		gettimeofday(&current->sent[current->trynum], NULL);
  		now = current->sent[current->trynum];
! 		if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN) || (scantype == CISCO_SCAN)) {
  		  if (o.fragscan)
  		    send_small_fragz_decoys(rawsd, &target->host, sequences[current->trynum], o.magic_port + tries * 3 + current->trynum, current->portno, scanflags);
  		  else 
***************
*** 2660,2666 ****
  	    ss.numqueries_outstanding++;
  	    gettimeofday(&current->sent[0], NULL);
  	    if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || 
! 		(scantype == ACK_SCAN)) {	  
  	      if (o.fragscan)
  		send_small_fragz_decoys(rawsd, &target->host, sequences[current->trynum], o.magic_port + tries * 3, current->portno, scanflags);
  	      else
--- 2673,2679 ----
  	    ss.numqueries_outstanding++;
  	    gettimeofday(&current->sent[0], NULL);
  	    if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || 
! 		(scantype == ACK_SCAN) || (scantype == CISCO_SCAN)) {	  
  	      if (o.fragscan)
  		send_small_fragz_decoys(rawsd, &target->host, sequences[current->trynum], o.magic_port + tries * 3, current->portno, scanflags);
  	      else
***************
*** 2718,2724 ****
  
  	/* Now that we have sent the packets we wait for responses */
  	ss.alreadydecreasedqueries = 0;
! 	if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN))
  	  get_syn_results(target, scan, &ss, &pil, portlookup, pd, sequences, scantype);
  	else if (scantype == RPC_SCAN) {
  	  /* We only bother worrying about responses if we haven't reached
--- 2731,2737 ----
  
  	/* Now that we have sent the packets we wait for responses */
  	ss.alreadydecreasedqueries = 0;
! 	if ((scantype == SYN_SCAN) || (scantype == WINDOW_SCAN) || (scantype == ACK_SCAN) || (scantype == CISCO_SCAN))
  	  get_syn_results(target, scan, &ss, &pil, portlookup, pd, sequences, scantype);
  	else if (scantype == RPC_SCAN) {
  	  /* We only bother worrying about responses if we haven't reached
***************
*** 2808,2814 ****
    }
    
    if (o.verbose)
!     log_write(LOG_STDOUT, "The %s scan took %ld %s to scan %d ports.\n", (scantype == WINDOW_SCAN) ? "Window" : (scantype == SYN_SCAN)? "SYN" : (scantype == CONNECT_SCAN)? "TCP connect" : (scantype == RPC_SCAN)? "RPC" : "ACK",  (long) time(NULL) - starttime, (((long) time(NULL) - starttime) == 1)? "second" : "seconds", o.numports);
    
   posscan_timedout:
    
--- 2821,2827 ----
    }
    
    if (o.verbose)
!     log_write(LOG_STDOUT, "The %s scan took %ld %s to scan %d ports.\n", (scantype == WINDOW_SCAN) ? "Window" : (scantype == SYN_SCAN)? "SYN" : (scantype == CONNECT_SCAN)? "TCP connect" : (scantype == RPC_SCAN)? "RPC" : (scantype == CISCO_SCAN)? "CISCO" : "ACK",  (long) time(NULL) - starttime, (((long) time(NULL) - starttime) == 1)? "second" : "seconds", o.numports);
    
   posscan_timedout:
    
***************
*** 2908,2914 ****
         worse shape */
      if (newstate != PORT_FIREWALLED)
        ss->changed++;
!     if (scantype == SYN_SCAN)
        ss->numqueries_outstanding--;
      else {
        for(i=0; i <= current->trynum; i++)
--- 2921,2927 ----
         worse shape */
      if (newstate != PORT_FIREWALLED)
        ss->changed++;
!     if (scantype == SYN_SCAN || scantype == CISCO_SCAN)
        ss->numqueries_outstanding--;
      else {
        for(i=0; i <= current->trynum; i++)
***************
*** 3277,3282 ****
--- 3290,3306 ----
  	else if (tcp->th_flags & TH_RST) {	  
  	  newstate = PORT_CLOSED;
  	}	
+       }
+       else if (scantype == CISCO_SCAN) {
+         char *tcpdata = (char *) (((char *) tcp) + 4 * tcp->th_off);
+ 	if (tcp->th_flags & TH_RST &&
+ 	    memcmp(tcpdata, "cisco\0", 6) == 0) {
+ 	  log_write(LOG_NORMAL|LOG_SKID|LOG_STDOUT,"Host %s (%s) appears to be a cisco.\n", target->name, inet_ntoa(target->host));
+ 	  log_write(LOG_MACHINE,"Host: %s (%s)\tStatus: Up Cisco\n", inet_ntoa(target->host), target->name);
+ 	  target->flags |= HOST_CISCO;
+ 	}
+ 	newstate = PORT_CLOSED;
+ 	target->flags |= HOST_UP;
        }
        else if (scantype == WINDOW_SCAN) {
  	if (tcp->th_win) {
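Review bot: The `memcmp(tcpdata, "cisco\0", 6)` in the new CISCO_SCAN branch reads six bytes past the TCP header without checking that the capture holds them, and `tcp->th_off` is taken straight from the received packet. A plain RST with no trailer, or a reply with an inflated data offset, makes this read run past the captured packet. Since the message says the trailer is not counted in the IP length, the bound has to come from the captured byte count in the surrounding receive loop (not visible in this hunk): `if ((tcp->th_flags & TH_RST) && tcp->th_off >= 5 && trailer_len >= 6 && memcmp(tcpdata, "cisco\0", 6) == 0)`, where `trailer_len` is a placeholder for the captured bytes remaining after the TCP header. The branch also sets `HOST_UP` and `PORT_CLOSED` regardless of the TCP flags in the reply, and it logs once per matching packet, so a retransmitted probe could report the same host twice.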
diff -cr nmap-2.30BETA20.orig/nmap.h nmap-2.30BETA20/nmap.h
*** nmap-2.30BETA20.orig/nmap.h	Mon Apr 10 03:55:22 2000
--- nmap-2.30BETA20/nmap.h	Thu Apr 20 14:09:33 2000
***************
*** 209,214 ****
--- 209,215 ----
  #define HOST_DOWN 2 
  #define HOST_FIREWALLED 4 
  #define HOST_BROADCAST 8 /* use the wierd_responses member of hoststruct instead */
+ #define HOST_CISCO 16 /* host is a cisco */
  
  #define PINGTYPE_UNKNOWN 0
  #define PINGTYPE_NONE 1
diff -cr nmap-2.30BETA20.orig/services.c nmap-2.30BETA20/services.c
*** nmap-2.30BETA20.orig/services.c	Thu Apr  6 03:58:00 2000
--- nmap-2.30BETA20/services.c	Thu Apr 20 18:43:04 2000
***************
*** 56,61 ****
--- 56,67 ----
        numtcpports++;
      } else if (strncasecmp(proto, "udp", 3) == 0) {
        numudpports++;
+     } else if (strncasecmp(proto, "ddp", 3) == 0) {
+       /* ddp is some apple thing...we don't "do" that */
+     } else if (strncasecmp(proto, "divert", 6) == 0) {
+       /* divert sockets are for freebsd's natd */
+     } else if (strncasecmp(proto, "#", 1) == 0) {
+       /* possibly misplaced comment, but who cares? */
      } else {
        if (o.debugging)
  	error("Unknown protocol (%s) on line %d of services file %s.", proto, lineno, filename);
diff -cr nmap-2.30BETA20.orig/targets.c nmap-2.30BETA20/targets.c
*** nmap-2.30BETA20.orig/targets.c	Thu Apr  6 03:58:00 2000
--- nmap-2.30BETA20/targets.c	Thu Apr 20 14:22:04 2000
***************
*** 147,153 ****
  	if (o.isr00t && 
  	    ((o.pingtype & PINGTYPE_TCP) || 
  	     (o.pingtype == PINGTYPE_NONE && 
! 	      (o.synscan || o.finscan || o.xmasscan || o.nullscan || 
  	       o.maimonscan || o.ackscan || o.udpscan || o.osscan || o.windowscan)))) {
  	 device = routethrough(&(hs->hostbatch[hidx].host), &(hs->hostbatch[hidx].source_ip));
  	 if (!device) {
--- 147,153 ----
  	if (o.isr00t && 
  	    ((o.pingtype & PINGTYPE_TCP) || 
  	     (o.pingtype == PINGTYPE_NONE && 
! 	      (o.synscan || o.finscan || o.xmasscan || o.nullscan || o.ciscoscan ||
  	       o.maimonscan || o.ackscan || o.udpscan || o.osscan || o.windowscan)))) {
  	 device = routethrough(&(hs->hostbatch[hidx].host), &(hs->hostbatch[hidx].source_ip));
  	 if (!device) {
***************
*** 1169,1174 ****
--- 1169,1176 ----
      return "HOST_DOWN";
    case HOST_FIREWALLED:
      return "HOST_FIREWALLED";
+   case HOST_UP|HOST_CISCO:
+     return "HOST_UP(CISCO)";
    default:
      return "UNKNOWN/COMBO";
    }



----- End forwarded message -----