DVB-Cube BETA <<< The German PC and DVB forum >>>

PC Corner => # Security Center => Software (PC security) => Thread started by: SiLæncer on 1 February 2006, 13:48

Title: Nmap ...
Post by: SiLæncer on 1 February 2006, 13:48
Software recognizes more protocols and operating systems

The free security scanner NMAP ("Network Mapper") has been released in version 4.0, which brings numerous fundamental changes. The software finds reachable systems, shows which TCP and UDP ports are open, and which applications and services, in which versions, are listening on them. NMAP can also identify the operating system in use via its TCP/IP fingerprint.

NMAP is also meant to get past firewalls and to stay undetected by intrusion detection systems. The software runs on various operating systems such as Linux, Windows, Mac OS X, FreeBSD, Solaris and OpenBSD. With version 4.0, NMAP has undergone fundamental changes compared with version 3.50, which was released in February 2004. The developers therefore advise all users to switch to the new version.

NMAP can now properly handle raw Ethernet frames instead of sending packets via raw sockets; after all, Microsoft disabled raw socket support in Windows XP. ARP scanning is new as well, and the UDP scan has also been overhauled. Changes in the core of the software are intended to make it less memory-hungry.

The man page documentation was rewritten too, and the protocol signature database has grown since version 3.50 to 3,153 signatures for 381 service protocols, from abc, acap, afp and afs through to zebedee, zebra and zenimaging. The operating system detection database also grew by more than 50 percent, so that Mac OS X 10.4 (Tiger), OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO, Linux 2.6 kernels, Cisco routers with IOS 12.4, AIX 5.3, NetBSD 2.0, Nokia IPSO 3.8.X, Solaris 10 and numerous VoIP devices are now recognized.

For Windows there is now an NSIS (Nullsoft Scriptable Install System) installer, and the Linux GUI uses GTK2 instead of GTK1. On top of that come numerous further changes, introduced across a total of 36 intermediate releases since 3.50.

NMAP 4.0 is available for download now at insecure.org, where a comprehensive list of the individual changes in the new version can also be found.

Source and links: http://www.golem.de/0602/43078.html
Title: Nmap ...
Post by: SiLæncer on 14 June 2006, 11:13
Program recognizes more operating systems and protocols

The free security scanner Nmap is now available in version 4.10, which offers an expanded database to recognize even more operating systems and protocols. The software now also ignores certain port states so that, for example, it does not list hundreds of blocked ports individually. The current version also corrects several bugs that were found in the previous version.

Nmap finds reachable systems and shows which TCP and UDP ports on them are open and which services are listening on them. Via the TCP/IP fingerprint, Nmap also recognizes the operating system in use. While doing its work, Nmap is also meant to remain undetected by firewalls and intrusion detection systems. The new version 4.10 comes with a greatly expanded database that now knows additional operating system fingerprints and a total of 401 different protocols. Changes to older database entries are also meant to improve the recognition of already known protocols.

The new version also ignores certain port states so that, for example, only open ports are listed and it merely shows how many ports are blocked instead of displaying all of them individually. The software now also ignores certain ICMP error messages. Nmap 4.10 furthermore warns when several IP addresses hide behind one hostname. Various bugs were also fixed, so that, for example, Nmap no longer wrongly reports closed UDP ports as open when scanning the local machine.

Some possible memory leaks are also fixed in Nmap 4.10, and a bug was corrected that prevented certain TCP and UDP scan commands. The output format for a combined UDP and TCP scan is new: Nmap now first shows all TCP ports in numerical order, followed by the UDP ports. The lead developer also points out that he now builds the Windows version in Visual Studio 2005, so the new version's source code can no longer be compiled with Visual Studio 2003.

The program, released under the GPL, is available for download now at insecure.org. It runs on various operating systems such as Linux, Mac OS X, Windows and various BSD distributions.

http://www.insecure.org/nmap/download.html

Source: www.golem.de
Title: Nmap ...
Post by: SiLæncer on 2 April 2009, 06:02
Nmap is probably the best-known and most popular port scanner for the command line.

Among security experts, Nmap is the tool of choice when it comes to checking a machine for open ports over a network. Known and unknown scan methods make this tool a very powerful program.

The Network Mapper is especially suited to finding all active hosts in the network environment (ping sweeps) as well as their operating system (OS fingerprinting) and the version numbers of various services installed there.

To use the program, you first have to install WinPcap. The handy tool Zenmap is a graphical front end for Nmap and thus makes working with it more convenient.

Verdict: for administrators, Nmap is a powerful command-line tool for tracking down weak points in the network. With Zenmap, Nmap becomes easy to use for hobby admins too.

(http://www.heise.de/software/screenshots/17076.jpg)
(http://www.heise.de/software/screenshots/367.jpg)

Changelog (http://nmap.org/changelog.html)

http://insecure.org/
Title: Nmap 4.85BETA7 released
Post by: SiLæncer on 15 April 2009, 19:03
Nmap 4.85BETA7 Released to Scan for Conficker Worm

Changelog (http://nmap.org/changelog.html)


http://insecure.org/
Title: Nmap 4.85BETA8 released
Post by: SiLæncer on 22 April 2009, 08:09
changelog (http://nmap.org/changelog.html)

Source: http://insecure.org/
Title: Nmap 4.85BETA9 released
Post by: SiLæncer on 14 May 2009, 07:32
Changelog (http://nmap.org/changelog.html)

Source: http://insecure.org/
Title: Nmap 4.85BETA10 released
Post by: SiLæncer on 13 June 2009, 11:21
changelog (http://nmap.org/changelog.html)

Source: http://insecure.org/
Title: Nmap 4.90RC1 released
Post by: SiLæncer on 25 June 2009, 17:48
changelog (http://nmap.org/changelog.html)

Source: http://insecure.org/
Title: Network scanner Nmap 5.00 released
Post by: SiLæncer on 17 July 2009, 09:34
Security suite extended with new tools

Insecure.Org has released the security scanner Nmap in version 5.00, the first major release (http://nmap.org/changelog.html) since version 4.50 in 2007. The open-source software allows searching for security holes in networks, but also helps with other things.
Using IP packets, Nmap builds an overview of the devices active in the network and lists which services (application name and version) are offered by the individual hosts, as well as which operating systems, in which versions, are running on the machines. Nmap also provides information on the packet filters and firewalls in use and shows further characteristics.

In version 5.00 Nmap comes with a new tool: Ncat (http://nmap.org/ncat/). It is meant to serve as a kind of Swiss army knife for data transfers, redirections and debugging. In a guide (http://nmap.org/ncat/guide/index.html) the developers document what can be done with Ncat and how.

(http://scr3.golem.de/screenshots/0907/Nmap/thumb480/zenmap-multi-1220x700.png)

Ndiff allows comparing network scans. For example, daily scans can be compared with one another to reveal deviations and changes. The Zenmap GUI and the results viewer were also significantly improved.

Beyond that, the developers promise dramatically better speed. To this end, large parts of the Internet were scanned last year and the resulting data was cross-checked against log files from companies to determine the most commonly open ports. As a result, Nmap now has to probe fewer ports in its default configuration, yet finds more open ports. Administrators can also bypass Nmap's throttling and set the scan rate themselves, that is, specify how many packets per second Nmap may send, to speed scans up further.

For automating Nmap there is the Nmap Scripting Engine (NSE).

Together with the new version, the book Nmap Network Scanning (http://nmap.org/book/) was also published, which explains working with Nmap comprehensively. About half of the book is also available online in a free version (http://nmap.org/book/toc.html). It is supplemented by a 42-page reference that documents all Nmap functions.

Nmap 5.00 is available for download at http://nmap.org/5/. The software runs on all major operating systems. Official binaries are available for Linux, Windows and Mac OS X.

Source: www.golem.de (http://www.golem.de)
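The Ndiff comparison described in the post above, as an added example that is not part of the original post and not Nmap's own Ndiff code: it parses two Nmap XML (-oX) documents and reports hosts that came up or went down and ports whose state changed between the runs. The two scan documents are constructed samples embedded in the block (addresses, ports and services are invented), following Nmap's XML element and attribute names; hosts are ordered by address octets rather than as strings, which is the Zenmap sorting fix mentioned later in the thread.

```python
"""Ndiff-style comparison of two Nmap XML scan results (added example)."""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample documents in Nmap's -oX format. The addresses, ports and
# services are invented for this example; they are not real scan output.
SCAN_DAY1 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX day1.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="3389"><state state="closed"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports>
  </host>
  <runstats><finished exit="success"/></runstats>
</nmaprun>
"""

SCAN_DAY2 = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sS -sV -oX day2.xml 192.0.2.0/28">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="3389"><state state="open"/><service name="ms-wbt-server"/></port>
    </ports>
  </host>
  <host><status state="down"/><address addr="192.0.2.11" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.12" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
  </host>
  <runstats><finished exit="success"/></runstats>
</nmaprun>
"""


def parse_scan(xml_text):
    """Map each host that is up to {(protocol, port): (state, service_name)}."""
    hosts = {}
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address").get("addr")
        ports = {}
        for port in host.iter("port"):
            key = (port.get("protocol"), int(port.get("portid")))
            service = port.find("service")
            name = service.get("name", "") if service is not None else ""
            ports[key] = (port.find("state").get("state"), name)
        hosts[addr] = ports
    return hosts


def diff_scans(old, new):
    """Return (addr, kind, detail) tuples: hosts that came up or went down and
    ports whose state changed. A port missing from one scan counts as 'not_scanned'.
    Hosts are ordered numerically by address (all sample hosts are IPv4)."""
    changes = []
    for addr in sorted(set(old) | set(new), key=ipaddress.ip_address):
        if addr not in old:
            changes.append((addr, "host_up", None))
        elif addr not in new:
            changes.append((addr, "host_down", None))
        else:
            for key in sorted(set(old[addr]) | set(new[addr])):
                before = old[addr].get(key, ("not_scanned", ""))[0]
                after = new[addr].get(key, ("not_scanned", ""))[0]
                if before != after:
                    changes.append((addr, "port_changed", (key, before, after)))
    return changes


def render_changes(changes):
    """One human-readable line per change, in the order diff_scans produced them."""
    lines = []
    for addr, kind, detail in changes:
        if kind == "host_up":
            lines.append(f"{addr}: new host up")
        elif kind == "host_down":
            lines.append(f"{addr}: host went down")
        else:
            (proto, port), before, after = detail
            lines.append(f"{addr}: {proto}/{port} {before} -> {after}")
    return lines


if __name__ == "__main__":
    for line in render_changes(diff_scans(parse_scan(SCAN_DAY1), parse_scan(SCAN_DAY2))):
        print(line)
```

Run daily against saved -oX files, a change list like this is what you would alert on: a port flipping from closed to open (here tcp/3389 on 192.0.2.10) or a host that was not there yesterday. Hosts that Nmap reports as down are treated as absent rather than as having every port closed, so a host that is merely offline does not show up as dozens of port changes.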
Title: Nmap 5.10 - beta brings a host of new features
Post by: SiLæncer on 24 November 2009, 10:09
Fyodor has released a first beta version of the network scanner Nmap 5.10. The first new version since the release of Nmap 5.00 around five months ago comes with a long list of new features.

Among other things, Nmap 5.10 comes with 14 new NSE scripts, bringing the total to 72. These scripts, written in Lua, let you automate recurring tasks. New, for example, are smb-psexec, which runs processes on remote machines and collects the results; dhcp-discover, which sends DHCP requests on UDP port 67 and collects all interesting results, but can also be used for denial-of-service attacks; and http-enum, which checks sequentially numbered URLs for existence. The script ssl-cert prints a server's SSL certificate, x11-access shows whether access to an X11 server is possible, and db2-info improved the detection of DB2 database instances. A list of all NSE scripts can be found at nmap.org/nsedoc.

Nmap 5.10Beta1 also comes with a new, much faster traceroute system and, with the Zenmap host filter, is meant to allow picking out individual systems when scanning large networks. Adjustments on the UDP side are meant to make UDP scanning and the detection of hosts considerably more effective.

In total, beta 1 of Nmap 5.10 brings more than 100 noteworthy changes, which are listed in the announcement (http://seclists.org/nmap-dev/2009/q4/476). Given the extent of the changes, developer Fyodor expects that a second beta will follow.

Source: www.golem.de
Title: Nmap 5.10 - Beta 2 released
Post by: SiLæncer on 26 December 2009, 17:47
Changelog:

Nmap 5.10BETA2 [2009-12-24]

o Added 7 new NSE scripts for a grand total of 79! You can learn about
  them all at http://nmap.org/nsedoc/.  Here are the new ones:

  * nfs-showmount displays NFS exports like "showmount -e" does. See
    http://nmap.org/nsedoc/scripts/nfs-showmount.html. [Patrik
    Karlsson]

  * ntp-info prints the time and configuration variables provided by
    an NTP service. It may get such interesting information as the
    operating system, server build date, and upstream time server IP
    address. See
    http://nmap.org/nsedoc/scripts/ntp-info.html. [Richard Sammet]

  * citrix-brute-xml uses the unpwdb library to guess credentials for
    the Citrix PN Web Agent Service. See
    http://nmap.org/nsedoc/scripts/citrix-brute-xml.html. [Patrik Karlsson]

  * citrix-enum-apps and citrix-enum-apps-xml print a list of published
    applications from the Citrix ICA Browser or XML service,
    respectively. See
    http://nmap.org/nsedoc/scripts/citrix-enum-apps.html and
    http://nmap.org/nsedoc/scripts/citrix-enum-apps-xml.html. [Patrik Karlsson]

  * citrix-enum-servers and citrix-enum-servers-xml.nse print a list
    of Citrix servers from the Citrix ICA Browser or XML service,
    respectively. See
    http://nmap.org/nsedoc/scripts/citrix-enum-servers.html and
    http://nmap.org/nsedoc/scripts/citrix-enum-servers-xml.html. [Patrik
    Karlsson]

o We performed a memory consumption audit and made changes to
  dramatically reduce Nmap's footprint.  This improves performance on
  all systems, but is particularly important when running Nmap on
  small embedded devices such as phones.  Our intensive UDP scan
  benchmark saw peak memory usage decrease from 34MB to 6MB, while OS
  detection consumption was reduced from 67MB to 3MB.  Read about the
  changes at http://seclists.org/nmap-dev/2009/q4/663.  Here are the
  highlights:

  * The size of the internal representation of nmap-os-db was reduced
    more than 90%. Peak memory consumption in our OS detection
    benchmark was reduced from 67MB to 3MB. [David]

  * The size of individual Port structures without service scan
    results was reduced about 70%. [Pavel Kankovsky]

  * When a port receives no response, Nmap now avoids allocating a
    Port structure at all, so scans against filtered hosts can be
    light on memory. [David]

o David started a major service detection submission integration
  run. So far he has processed submissions since February for the
  following services: imap, pop3, afp, sip, printer, transmission,
  svnserve, vmware, domain, backdoor, finger, freeciv, hp, imaps, irc,
  landesk, netbios-ssn, netsupport, nntp, oracle, radmin, routersetup,
  rtorrent, serv-u, shoutcast, ssh, tcpmux, torrent, utorrent, vnc and
  ipp. The rest will come in the next release, along with full stats
  on the additions.

o Added service detection probe for Kerberos (udp/88) and IBM DB2
  DAS (523/UDP). [Patrik Karlsson]

o Added a UDP payload and service detection probe for Citrix
  MetaFrame, which typically runs on 1604/udp. [Thomas Buchanan]

o Added a UDP SIPOptions service detection probe corresponding to the
  TCP one. [Patrik Karlsson, Matt Selsky, David Fifield]

o Updated service detection signatures for Microsoft SQL Server 2005
  to detect recent Microsoft security update (MS09-062), and also
  updated ms-sql-info.nse to support MS SQL Server 2008
  detection. [Tom]

o Nmap now provides Christmas greetings and a reminder of Xmas scan
  (-sX) when run in verbose mode on December 25. [Fyodor]

o Removed a limitation of snmp.lua which only allowed it to properly
  encode OID component values up to 127. The bug was reported by
  Victor Rudnev. [David]

o Nmap script output now uses two spaces of indentation rather than
  three for the first level. This better aligns with the standard set by
  the stdnse.format_output function added in the last release. Output
  now looks like:
  8082/tcp open  http        Apache httpd 2.2.13 ((Fedora))
  |_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
  |_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
  ...
  Host script results:
  | smb-os-discovery: 
  |   OS: Unix (Samba 3.4.2-0.42.fc11)
  |   Name: Unknown\Unknown
  |_  System time: 2009-11-24 17:19:21 UTC-8
  |_smbv2-enabled: Server doesn't support SMBv2 protocol
  [Fyodor]

o [NSE] Fixed (we hope) a deadlock we were seeing when doing a
  favicon.nse survey against millions of hosts. We now restore all
  threads that are waiting on a socket lock when a thread relinquishes
  its lock. We expect only one of them to be able to grab the newly
  freed lock, and the rest to go back to waiting. [David, Patrick]

o [Zenmap] Fixed a crash when filtering with inroute: in scans without
  traceroute data. (KeyError: 'hops') [David]

o [NSE] Use a looser match pattern in auth-owners.nse for retrieving
  the owner out of an identd response. See
  http://seclists.org/nmap-dev/2009/q4/549. [Richard Sammet]

o Improved some Cyrus pop3 and Polycom SoundStation sip match
  lines. [Matt Selsky]

o [Ncat] In the Windows version of netrun, we weren't noticing when a
  command fails to be executed (when CreateProcess fails). We now see
  the return value and close the socket to disconnect the
  client. [David]

o [NSE] Updated http-iis-webdav-vuln to run against SSL-enabled
  servers [Ron]

o [NSE] Improved db2-info to set port product and state (rather than
  just port.version.name and confidence) when a DB2 service is
  positively identified. Error reporting was improved as well. [Tom]

http://nmap.org/download.html
Title: Security scanner Nmap 5.20 with new traceroute engine
Post by: SiLæncer on 21 January 2010, 12:21
New version brings around 150 improvements

With Nmap 5.20, a new stable version of the free security scanner has been released. According to developer Fyodor, it offers around 150 significant improvements. There are more than 30 new scripts for the new scripting engine, more speed and lower memory consumption.
Nmap 5.20 is the first stable version since the release of Nmap 5.00 in July 2009. The new version is meant to work faster than its predecessor while using less memory. It also offers protocol-specific payloads for more effective UDP scanning and has a completely rewritten traceroute engine.

In addition, the database for recognizing the operating systems and databases used on remote systems was considerably expanded. It now has more than 10,000 entries. Nmap uses this information to identify the software in use by its behaviour.

For Nmap's new scripting engine, 31 new scripts (http://nmap.org/nsedoc/) were added, so that 80 scripts are now available to automate complex tasks. Scans can easily be restricted to specific systems using Zenmap filters.

Nmap 5.20 is available for download now at insecure.org (http://insecure.org/). The release notes (http://seclists.org/nmap-hackers/2010/0) list the extensive changes in the new version.

Source: www.golem.de
Title: Nmap 5.21 released
Post by: SiLæncer on 28 January 2010, 16:39
Since hardly anyone else does anything here ...

Nmap 5.21 [2010-01-27]

o [Zenmap] Added a workaround for a Ubuntu Python packaging idiosyncrasy.
  As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies
  self.prefix, a variable we use in the setup.py script. This would
  cause Zenmap to look in the wrong place for its configuration files,
  and show the dialog "Error creating the per-user configuration
  directory" with the specific error "[Errno 2] No such file or
  directory: '/usr/share/zenmap/config'". This problem was reported by
  Chris Clements, who also helped debug. [David]

o Fixed an error that occurred when UDP scan was combined with version
  scan. UDP ports would appear in the state "unknown" at the end of
  the scan, and in some cases an assertion failure would be raised.
  This was an unintended side effect of the memory use reduction
  changes in 5.20. The bug was reported by Jon Kibler. [David]

o [NSE] Did some simple bit-flipping on the nmap_service.exe program
  used by the smb-psexec script, to avoid its being falsely detected
  as malware. [Ron]

o [NSE] Fixed a bug in http.lua that could lead to an assertion
  failure. It happened when there was an error getting a response
  at the beginning of a batch in http.pipeline. The symptoms of the
  bug were:
    NSE: Received only 0 of 1 expected reponses.
    Decreasing max pipelined requests to 0.
    NSOCK (0.1870s) Write request for 0 bytes...
    nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
  The error was reported by Brandon Enright and pyllyukko.

o [NSE] Restored the ability of http.head to return a body if the
  server returns one. This was lost in the http.lua overhaul from
  5.20. [David]

o [NSE] Fixed the use of our strict.lua library on distributions that
  install their own strict.lua. The error message was
    nse_main.lua:97: attempt to call a boolean value
  It was reported by Onur K. [Patrick]

o Fixed handling of nameserver entries in /etc/resolv.conf so it could
  handle entries containing more than 16 bytes, which can occur with
  IPv6 addresses.  Gunnar Lindberg reported the problem and
  contributed an initial patch, then Brandon and Kris refined and
  implemented it.

o [NSE] Corrected a behavior change in http.request that was
  accidentally made in 5.20: it could return nil instead of a table
  indicating failure. [David]

o [NSE] Fixed the use of an undefined variable in smb-enum-sessions,
  reported by Brandon. [Ron]

o Fixed a compiler error when --without-liblua is used. [Brandon]

o [NSE] Fixed an error with running http-enum.nse along with the
  --datadir option. The script would report the error
    http-enum.nse:198: bad argument #1 to 'lines'
      (nselib/data/http-fingerprints: No such file or directory)
  The error was reported by Ron Meldau and Brandon. [Kris]

o Added a function that was missing from http-favicon.nse. Its absence
  would cause the error
    http-favicon.nse:141: variable 'dirname' is not declared
  when a web page specified a relative icon URL through the link
  element. This bug was reported by Ron Meldau. [David]

o Fixed a bug with the decoding of NMAP OID component values greater
  than 127. [Patrik Karlsson, David]

http://nmap.org/
Title: Nmap 5.30Beta1 available now
Post by: SiLæncer on 30 March 2010, 12:45
The newest version of the popular network scanner Nmap is available for download now. Above all, the scripting functionality was improved.

Only a few weeks after the release of Nmap version 5.20, the developers of the open-source network scanner present the newest variant, 5.30, as a beta 1 release.

Above all, Nmap's scripting functionality was substantially improved: 37 new NSE scripts were added, so that 117 scripts from the most varied areas are available in the newest release. Mostly, new scripts for SNMP detection were added. In addition, an alpha version of Nping, a packet generator, is included in the newest Nmap release. All changes and improvements can be found here (http://nmap.org/changelog.html).

Source: www.tecchannel.de
Title: Nmap 5.35 DC1
Post by: SiLæncer on 16 July 2010, 21:19
# Nmap Changelog ($Id: CHANGELOG 18882 2010-07-16 18:23:36Z david $); -*-text-*-

Nmap 5.35DC1 [2010-07-16]

o [NSE] Added 17 scripts, bringing the total to 131! They are
  described individually in the CHANGELOG, but here is the list of new
  ones:
   afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie
   http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
   ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
   ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls,
   ntp-monlist
  Learn more about any of these at: http://nmap.org/nsedoc/

o Performed a major OS detection integration run. The database has
  grown to 2,608 fingerprints (an increase of 262) and many of the
  existing fingerprints were improved. These include the Apple iPad
  and Cisco IOS 15.X devices. We also received many fingerprints for
  ancient Microsoft systems including MS-DOS with MS Networking Client
  3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
  integration work at http://seclists.org/nmap-dev/2010/q2/283.

o Performed a large version detection integration run. The number of
  signatures has grown to 6,622 (an increase of 279). New signatures
  include a remote administrative backdoor that a school famously used
  to spy on its students, an open source digital currency scheme named
  Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
  Frozen Bubble. You can read David's highlights at
  http://seclists.org/nmap-dev/2010/q2/385.

o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
  attributes. The nfs-acls and nfs-dirlist scripts were deleted
  because all their features are supported by this script. [Djalal]

o [NSE] Add new DB2 library and two scripts
  - db2-brute.nse uses the unpwdb library to guess credentials for DB2
  - db2-info.nse re-write of Tom Sellers script to use the new library
  [Patrik]

o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
  scripts are:
  - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
  - ms-sql-config retrieves various configuration details from the server
  - ms-sql-empty-password checks if the sa account has an empty password
  - ms-sql-hasdbaccess lists database access per user
  - ms-sql-query add support for running custom queries against the database
  - ms-sql-tables lists databases, tables, columns and datatypes with optional
    keyword filtering
  - ms-sql-xp-cmdshell adds support for OS command execution to privileged
    users
  [Patrik]

o [NSE] Added the afp-serverinfo script that gets a hostname, IP
  addresses, and other configuration information from an AFP server.
  The script, and a patch to the afp library, were contributed by
  Andrew Orr and subsequently enhanced by Patrik and David.

o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
  The Windows RAS RPC service vulnerability MS06-025
  (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
  and the Windows DNS Server RPC vuln MS07-029
  (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
  Note that these are only run if you specify the "unsafe" script arg
  because the implemented test crashes vulnerable services. [Drazen]

o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
  cache snooping by either sending non-recursive queries or by measuring
  response times.

o [Zenmap] Added the ability to print Nmap output to a
  printer. [David]

o [Nmap, Ncat, Nping] The default unit for time specifications is now
  seconds, not milliseconds, and times may have a decimal point. 1000
  now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
  Floating point values such as 1.5 are now allowed.  This affects the
  following options:
  Nmap:
    --host-timeout
    --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
    --scan-delay --max-scan-delay
    --stats-every
  Ncat:
    -d --delay
    -i --idle-timeout
    -w --wait
  Nping:
    --delay
    --host-timeout
    --icmp-orig-time --icmp-recv-time --icmp-trans-time
  Some sanity checks have been added to catch what looks like an
  attempt to use the old millisecond defaults. For example,
  --host-timeout 10000 yields
    Since April 2010, the default unit for --host-timeout is seconds,
    so your time of "10000" is 2.8 hours. If this is what you want,
    use "10000s".
    QUITTING!
  You can always disable the warning by giving an explicit unit.

o [NSE] Scripts which take an argument for a time duration can now
  have the duration be a number followed by a unit, like elsewhere in
  Nmap. An example is "10m" for 10 minutes. The units understood are
  "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
  hours.  Seconds are the default if no unit is specified. The new
  function stdnse.parse_timespec does the parsing of these
  formats. The qscan.delay script argument, which formerly interpreted
  its argument as being in milliseconds, now defaults to seconds;
  append "ms" to continue using the same numbers. [David]

o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
  that was in UnrealIRCd source code distributions between November
  2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
  [Vlatko Kosturjak, Ron, David]

o Ports are now considered open during a SYN scan if a SYN packet
  (without the ACK flag) is received in response. This can be due to
  an extremely rare TCP feature known as a simultaneous open or split
  handshake connection. See http://bit.ly/tcp-sh and
  http://seclists.org/nmap-dev/2010/q2/723. [Jah]

o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
  single connection and then exit, just like in normal listen mode.
  Use the --keep-open option to get the old default inetd-like
  behavior. This was suggested by David Millis. [David]

o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
  off-by-one stack overflow vulnerability in libopie by giving the FTP
  service an overly long name. See
  http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
  details.

o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
  client hosts associated with a scanned target by sending NTPv2
  Private Mode 'monitor' and 'peers' commands to the target. [Jah]

o [NSE] Added http-php-version.nse from Gutek. This script retrieves
  version-specific pages through a couple of magic PHP queries, which
  can identify the PHP version even when a server doesn't advertise
  it.

o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
  servers. Added a new category - fuzzer - for scripts like this.
  [Michael Pattrick]

o David made many improvements to the NSEDoc for individual scripts,
  including adding @output sections to scripts which didn't have them.
  He also improved the generated HTML with features like
  auto-generating usage strings if the scripts don't include their own
  and allowing the giant sidebar lists of scripts/libraries to expand
  and contract.  See http://nmap.org/nsedoc/.

o UDP payloads are now stored in an external data file, nmap-payloads,
  instead of being hard-coded in the executable. This makes it easier
  to add your own payloads or disable those you find problematic. [Jay
  Fink, David]

o The Windows executable installer now uses LZMA compression instead
  of zlib, making it about 15% smaller. See
  http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]

o Open XML elements are now closed in case of a fatal error, so the
  output should at least be well-formed. There are new attributes
  "exit" and "errormsg" in the finished element. "exit" is "success"
  or "error". When it is "error", the "errormsg" attribute contains
  the error message. Thanks to Grant Bartlett, who found a typo in the
  new output. [David]

o Fixed name resolution in environments where gethostbyname can return
  IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
  would wrongly use the first four bytes of the IPv6 address as an
  IPv4 address. You could force this, at least on Debian, by adding
  the line "options inet6" to /etc/resolv.conf or by running with
  RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
  Andersson, who also suggested the fix. [David]

o Fixed the assignment of interface aliases to directly connected
  routes on Linux, which was broken in 5.30BETA1 (it always assigned
  the base interface instead of the alias). This was visible in the
  host.interface variable passed to NSE scripts. The bug was reported
  by Victor Rudnev. [David]

o When Nmap is passed a hostname such as google.com which resolves to
  several IP addresses, Nmap now prints each IP address.  It still
  only scans the first one in the returned list. [David]

o Nmap now works if you specify several target host names which
  resolve to the same IP address.  This can be useful when you are
  scanning virtual-hosted web servers and want to see NSE results
  specific to each site name even though they reside on the same
  machine. [David]

o Made a list of current Nmap SVN committers:
  http://nmap.org/svn/docs/committers.txt

o Added a new library, libnetutil, which contains about 2,700 lines of
  networking related code which is now shared between Nmap and Nping
  (it was previously duplicated by each tool). [Luis, David]

o [NSE] http-passwd.nse now also checks for boot.ini to support
  Windows targets. [Gutek]

o Removed --interactive mode, a miniature shell whose primary purpose
  was to hide command line arguments from the process list. It had
  been broken (would segfault during the second scan) for at least 9
  months and was rarely used. The fact that it was broken was reported
  by Juan Carlos Castro. [David]

o Added a version probe, match line, and UDP payload for the
  serialnumberd service of Mac OS X Server. This service overrides
  firewall settings to make itself visible, so it's useful for host
  discovery. [Patrik]

o Improved service detection match lines for:
  o Oracle Enterprise Manager Agent and mupdate by Matt Selsky
  o Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
    Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
    Communications Server, and Comdasys, SIParator and Glassfish SIP
    by Patrik
  o PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
    HTTPd by Tom Sellers

o Improved our brute force password guessing list by mixing in some
  data sent in by Solar Designer of John the Ripper fame.

o [Zenmap] IP addresses are now sorted by octet rather than their
  string representation. For example, 10.1.1.2 is now sorted before
  10.1.1.10. This problem was reported by Norris Carden. [David]

o [NSE] Added UDP header parsing support to packet.lua. [jah]

o Fixed a bug in Libpcap which led to Nmap hanging forever in some
  cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3.  The fix was
  actually already available in upstream Libpcap, just not released.
  We also had to make Nmap build with its own Libpcap on 64-bit OS X
  if an already-installed system Libpcap has this bug. [David]

o Updated our WinPcap to the new 4.1.2 release. [Rob Nicholls]

o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
  level of 0.9995 was used.  Thanks to Marcin Hoffmann for noticing
  the problem. [Kris]

o [libpcap] Added a --disable-packet-ring option to force the use of
  an older, slower packet capture mechanism on Linux. Before Linux
  2.6.27, the packet ring mechanism uses different-sized kernel
  structures on 32- and 64-bit architectures, so a 32-bit program will
  not run correctly on a 64-bit kernel. The older mechanism does not
  have this flaw.

o Fixed some errors in nmap-os-db, probably caused by incorrect string
  replacement during integration. This patch is from James Cook.

o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
  allows setting the SO_BROADCAST option on sockets. Ncat now sets
  this option unconditionally in connect mode to allow connections to
  broadcast addresses (useful in UDP mode). [Daniel Miller]

o Nmap now works with "teamed" network interfaces on Windows. In order
  to distinguish the interfaces, their textual descriptions are now
  compared in addition to their MAC addresses. Without this, Nmap
  would send on the wrong interface and not receive any replies. A
  symptom of this problem was all scans failing except when
  --unprivileged was used. Norris Carden reported this bug. [David]

o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
  prints the connecting source port along with the IP address (when
  verbosity is enabled). [Rebellis]

o Fixed a problem where the time variable used in some port scanning
  algorithms (for probe timeouts, etc) could vary based on the
  debugging level. [Kris]

o Moved the parse_long function from ncat to nbase for better reuse,
  and used it to simplify netmask parsing code. [William Pursell]

o Added EPROTO to the list of known error codes in service scan. Daniel
  Miller reported that an EPROTO was causing Nmap to exit after sending
  the Sqlping probe during service scan. The error message was
  "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
  error)". We suspect this was caused by a forged ICMP packet sent by an
  active firewall. [David]

o [NSE] Improved smtp-commands.nse to work against more mail servers,
  made it take an smtp-commands.domain script argument, and rewrote it
  in the style of other smtp scripts. [Jason DePriest]

o [NSE] Made smtp-commands run for the services smtp, smtps,
  submission rather than just smtp.  The other smtp scripts already do
  this. [David]

o [NSE] The dns-recursion script now marks the port as open when it
  gets a response. [Olivier M]

o [Nping] A big correctness and code cleanliness audit was performed
  which resulted in many bugs being fixed and much more code being
  shared with Nmap rather than duplicated. A structured testing
  script system was also created. [Luis, David]

o [Nping] Now allows a --count value of zero to run almost
  indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]

o [Nping] Fixed --data argument parsing. The value passed was not
  actually making it into outgoing packets. Reported by Tim
  Poth. [Luis]

o [Nping] When a RST packet is received in response to a connection
  attempt in TCP-Connect mode, Nping now properly prints "Connection
  refused" rather than "Operation now in progress". [Luis]

o [Nping] Fixed a bug which caused failure when the first supplied
  target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
  tcpdump.com). [Luis]

o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
  and printing of packets Nping sent or which are destined for another
  process. [Luis]

o [Nping] Fixed a bug which prevented ARP replies from being displayed
  properly. [Luis]

o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
  be set in host byte order rather than proper network byte
  order. [Luis]

o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]

o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
  1.8.2. Among other changes, this fixes a segmentation fault reported
  by some OS X 10.6.3 users.

o Nsock now supports an option to remove its Pcap support.  This
  allows the same Nsock to be shared with Nmap (which needs that
  support) and Ncrack (which doesn't.) Pcap support can be disabled by
  specifying --disable-pcap at configure time on UNIX, or by selecting
  the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
  Windows.

o Sped up compilation by not building both shared and static libdnet
  libraries--we only use the static one. [David]

o [NSE] Improved error handling and reporting and re-designed communication
  class in RPC library with patch from Djalal Harouni. [Patrik]

o Upgraded the included libpcap to version 1.1.1. [David]

o [NSE] Add some special-use IPv4 addresses to isPrivate which are
  described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
  performance of isPrivate for IPv4 addresses by using ip_in_range
  less frequently. Add an extra return value to isPrivate - when the
  first return value is true, the second return value will now be a
  string representing the special use assignment in which the supplied
  address is located. [jah]

o Fix compilation on OpenSolaris.  We had to make the libdnet autoconf
  check for PF_PACKET Linux-specific.  Recent versions of OpenSolaris
  support PF_PACKET, but not in a way which is entirely compatible
  with the Linux approach. This problem was reported by Darren Reed. A
  few other minor compatibility changes were made as well. [David]

o [NSE] Added script arguments "username" and "password" to ftp-bounce
  to override the default anonymous:IEUser@ login combination. [Kris]

o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]

o [NSE] Added an snmpWalk() function to the SNMP library and updated
  scripts to use it.  [Patrik]

o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
  nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
  [Jah]

o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.

o Updated IANA IP address space assignment list for random IP (-iR)
  generation. [Kris]

o Created a new directory for storing todo lists for Nmap and related
  projects.  You can see what we're working on and planning by
  visiting http://nmap.org/svn/todo/.

o [NSE] Removed explicit time limit checking from ms-sql-brute,
  pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
  library does this automatically now. [David]

o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly
  [Patrik]

o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
  name in the MySQL library. [Kris]

o Cleaned up our Winpcap header file directory, and also updated to
  the latest files from the official developer pack
  (WpdPack_4_1_1.zip). [Fyodor]

o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
  results for RPC programs which could not be matched to a
  name. [Patrik]

o [NSE] The ftp-anon script is now much smarter about parsing server
  responses and detecting successful (or not) logins.  It now knows
  how to send the ACCT command where appropriate as well. [Rob
  Nicholls]

o Normalized a bunch of version detection entries with "webserver" in
  the description.  In most cases this was changed to "httpd".

o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
  case that one system read ends with \r and the next begins with \n
  (should be rare). [David]

o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles
  to be 32 octets when calling the ReadDir function. The bug was reported by
  Djalal Harouni. [Patrik]

http://nmap.org/
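Worked example, added here and not part of the Nmap changelog above or of the Nmap project's own code: a small Python consumer of Nmap XML output that checks the new "exit" and "errormsg" attributes on the finished element, orders host addresses numerically by octet the way Zenmap now does, and flags special-use IPv4 ranges with the two-value return style of the isPrivate change. The sample XML is constructed, and the table of special-use networks is an illustrative assumption rather than a copy of the NSE library's list.

```python
import ipaddress
import xml.etree.ElementTree as ET

# Constructed Nmap XML output (not a real scan). The finished element carries
# the exit/errormsg attributes described in the changelog entry.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sn 10.1.1.0/24" version="5.30BETA1">
  <host><status state="up"/><address addr="10.1.1.10" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.1.1.2" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="192.0.2.7" addrtype="ipv4"/></host>
  <runstats>
    <finished time="0" elapsed="1.00" exit="error" errormsg="constructed fatal error"/>
    <hosts up="3" down="0" total="3"/>
  </runstats>
</nmaprun>
"""

# Special-use IPv4 assignments (illustrative table, assumed for this example).
# Each entry maps a network to the assignment name returned as second value,
# which is the shape the isPrivate change gave the NSE function.
SPECIAL_USE = [
    (ipaddress.ip_network("10.0.0.0/8"), "RFC 1918 private"),
    (ipaddress.ip_network("172.16.0.0/12"), "RFC 1918 private"),
    (ipaddress.ip_network("192.168.0.0/16"), "RFC 1918 private"),
    (ipaddress.ip_network("127.0.0.0/8"), "RFC 1122 loopback"),
    (ipaddress.ip_network("169.254.0.0/16"), "RFC 3927 link-local"),
    (ipaddress.ip_network("192.0.0.0/24"), "RFC 5736 IANA special purpose registry"),
    (ipaddress.ip_network("192.0.2.0/24"), "RFC 5737 TEST-NET-1"),
    (ipaddress.ip_network("198.51.100.0/24"), "RFC 5737 TEST-NET-2"),
    (ipaddress.ip_network("203.0.113.0/24"), "RFC 5737 TEST-NET-3"),
]


def scan_status(xml_text):
    """Return (exit, errormsg) taken from /nmaprun/runstats/finished.

    exit is "success" or "error"; errormsg is None unless exit is "error".
    Output written by Nmap versions that predate the attribute yields
    ("unknown", None), so a caller can tell "completed" from "don't know".
    """
    root = ET.fromstring(xml_text)
    finished = root.find("runstats/finished")
    if finished is None or "exit" not in finished.attrib:
        return "unknown", None
    return finished.get("exit"), finished.get("errormsg")


def octet_key(addr):
    """Sort key ordering dotted quads numerically, octet by octet."""
    octets = tuple(int(o) for o in addr.split("."))
    if len(octets) != 4 or any(not 0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 dotted quad: %r" % addr)
    return octets


def special_use(addr):
    """(True, assignment_name) for a special-use or private address,
    (False, None) otherwise, mirroring isPrivate's two return values."""
    ip = ipaddress.ip_address(addr)
    for net, name in SPECIAL_USE:
        if ip in net:
            return True, name
    return False, None


def up_hosts_sorted(xml_text):
    """IPv4 addresses of hosts reported up, in octet order, not string order."""
    root = ET.fromstring(xml_text)
    addrs = []
    for host in root.findall("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        for address in host.findall("address"):
            if address.get("addrtype") == "ipv4":
                addrs.append(address.get("addr"))
    return sorted(addrs, key=octet_key)


if __name__ == "__main__":
    exit_code, msg = scan_status(SAMPLE_XML)
    print("scan exit:", exit_code, "" if msg is None else "(%s)" % msg)
    for addr in up_hosts_sorted(SAMPLE_XML):
        print(addr, special_use(addr))
```

Checking scan_status() before trusting a report is the practical point of the new attributes: a file whose finished element says exit="error" is well-formed but incomplete, and a pipeline that only checks for parseable XML would silently treat a partial scan as a full inventory.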
Title: Nmap 5.36 Test 3
Post by: SiLæncer on 09 January, 2011, 22:08
Nmap Changelog ($Id: CHANGELOG 21562 2010-12-29 21:24:53Z david $); -*-text-*-

o [NSE] Created an ftp.lua library. [David]

o [NSE] Added gopher-ls.nse by Toni Ruotto, which lists the root of a
  Gopher server.

o [NSE] Added modbus-discover.nse by Alexander Rudakov. This script
  enumerates Modbus slave ids and then tries to find device
  information about each of them.

o [NSE] Added scripts by Toni Ruotto communicating with the NetBus
  remote administration/backdoor program.
  - netbus-info: gets configuration information.
  - netbus-brute: guesses passwords.
  - netbus-version: distinguishes NetBus from NetBuster, a program
    that mimics the protocol but doesn't actually allow any
    operations.
  - netbus-auth-bypass: Checks for a bug in the server that allows
    connecting without a password.

o [NSE] Added stuxnet-detect.nse by Mak Kolybabi, which detects
  infections of the Stuxnet worm and can optionally download the
  Stuxnet executable.

o [NSE] Added a new iSCSI library and the two scripts iscsi-info and
  iscsi-brute. [Patrik]

o [NSE] Add new script broadcast-ms-sql-discover and removed broadcast
  support from ms-sql-info. [Patrik]

o [NSE] Added the ftp-proftpd-backdoor.nse script by Mak Kolybabi,
  which checks for a backdoor in ProFTPD 1.3.3c. Michael Meyer tested
  the script and contributed some patches.

o [NSE] Added http-vhosts.nse from Carlos Pantelides. This script
  brute-forces virtual hosts by sending different Host headers to the
  same server.

o [Ncat] Ncat now uses case-insensitive string comparison when
  checking authentication schemes and parameters. Florian Roth found a
  server offering "BASIC" instead of "Basic", and the HTTP RFC
  requires case-insensitive comparisons in most places. [David]

o [NSE] Added the hddtemp-info script from Toni Ruotto, which gets
  hard drive temperatures from the hddtemp service.

o [NSE] There is now a limit of 1,000 concurrent running scripts,
  instituted to keep memory under control when there are many open
  ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
  crash) for one host with tens of thousands of open ports. This limit
  can be controlled with the variable CONCURRENCY_LIMIT in
  nse_main.lua. [David]

o The command line in XML output (/nmaprun/@args attribute) now does
  quoting of whitespace using double quotes and backslashes. This
  allows recovering the original command line array even when
  arguments contain whitespace. [David]

o XML output now excludes output for down hosts when doing host
  discovery only, except in verbose mode. This is how it already
  worked for normal scans, but the ping-only case was overlooked.
  [David]

o [NSE] Added a new Web Service Dynamic Discovery library (wsdd) and the two
  scripts broadcast-wsdd-discover and wsdd-discover. [Patrik]

o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
  messages about gtk.Tooltip. [Rob Nicholls]

o Updated the Windows build process to work with (and require) Visual
  C++ 2010 rather than 2008.  If you want to build Zenmap too, you now
  need Python 2.7 (rather than 2.6) and GTK+ 2.22. See
  http://nmap.org/book/inst-windows.html#inst-win-source [David, Rob
  Nicholls, KX]

o [NSE] Added a new library upnp that provides UPnP support to the scripts
  upnp-info and broadcast-upnp-info. The library is largely based on code
  taken from Thomas Buchanan's upnp-info script. [Patrik]

o [NSE] Added a new library dnssd with supporting functions for DNS Service
  Discovery. Moved multicast prerule from dns-service-discovery to a new
  script called broadcast-dns-service-discovery. [Patrik]

o [NSE] Added the rmi-dumpregistry script, which shows the contents of
  Java RMI registry. [Martin Holst Swende]

o [NSE] Added the ssh2-enum-algos script which reports the number of
  algorithms the target SSH2 server supports, by type. If verbosity
  is set, then the offered algorithms are listed. Output is reduced
  for identical "client to server" and "server to client" lists by
  using a single combined list. [Kris]

o [NSE] Made dns-zone-transfer script able to add new discovered DNS
  records onto Nmap scanning queue. [Djalal]

o [NSE] Added reporting of the type and bit size of certificate public
  keys to ssl-cert.nse. [Matt Selsky]

o [NSE] Added the db2-discover script. This can find DB2 servers by
  sending a UDP broadcast. [Patrik]

o [NSE] Added the hostmap script by Ange Gutek. This uses a third-party
  database to look up other hostnames mapping to the target.

o [NSE] Added the ability to send and receive on unconnected sockets.
  This can be used, for example, to receive UDP broadcasts without
  using pcap. A number of scripts have been changed so that they can
  work as prerule scripts to discover services by UDP broadcasting,
  optionally add the discovered targets to the scanning queue:
    - ms-sql-info
    - upnp-info
    - dns-service-discovery
  The nmap.new_socket function can now optionally take a default
  protocol and address family, which will be used if the socket is not
  connected. There is a new nmap.sendto function to be used with
  unconnected UDP sockets. [David, Patrik]

o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
  and language lists can be set using new keys in the "options" table
  argument. These all default to the same value used before. Also, the
  required "cookie" argument is now replaced by an optional "cookie"
  key in the "options" table, defaulting to random bytes as the RFC
  says the value should be. [Kris]

o Ncat now logs Nsock debug output to stderr instead of stdout, like
  its other debug messages. [David]

o Updated to the latest config.guess and config.sub. Thanks to Ty
  Miller for a reminder. [David]

o [NSE] Added nat-pmp-info script that uses the nat-pmp service to
  discover the external IP address of a router. [Patrik]

o [NSE] Added prerule support to snmp-interfaces and the ability to
  add the host's interface addresses to the scanning queue.  The new
  script arguments used for this functionality are "host" (required)
  and "port" (optional). [Kris]

o [NSE] Added the resolveall prerule script which takes a table of
  target names as a "hosts" argument and adds all of the resolved
  addresses (IPv4 or IPv6, depending on Nmap's -6 option) for all of
  the hosts to the scanning queue. [Kris]

o Fixed some inconsistencies in nmap-os-db and a small memory leak
  that would happen where there was more than one round of OS
  detection. These were reported by Xavier Sudre from netVigilance,
  Inc.

o [NSE] Fixed a bug with worker threads calling the wrong destructors.
  Fixing this allows better parallelism in http-brute.nse. The problem
  was reported by Patrik Karlsson. [David, Patrick]

o [Zenmap] Made the topology node radiuses grow logarithmically
  instead of linearly, so that hosts with thousands of open ports
  don't overwhelm the diagram. Also only open ports (not
  open|filtered) are considered when calculating node sizes. Henri
  Doreau found and fixed a bug in the implementation. [Daniel Miller]

o Increased the initial RTT timeout for ARP scans from 100 ms to
  200 ms. Some wireless and VPN links were taking around 300 ms to
  respond. The default of one retransmit gives them 400 ms to be
  detected.

o Upgraded the OpenSSL binaries shipped in our Windows installer to
  version 1.0.0a. [David]

o [NSE] Added the targets-traceroute script, which inserts traceroute
  hops onto Nmap scanning queue. [Henri Doreau]

o [NSE] Added the target NSE library to let scripts to add new
  discovered targets onto Nmap scanning queue. This feature, coupled
  with the new prerule is well suited for NSE host discovery. [Djalal]

o [NSE] Added a prerule support to dns-zone-transfer script, which
  lets the script to run during the script pre-scanning phase to
  perform DNS zone transfer discovery operations when the necessary
  script arguments are given. [Djalal]

o [NSE] Nmap now has three different NSE script scan phases. The first
  one is the script pre-scanning phase, which will run before any Nmap
  scan operation. Scripts during this phase are activated by the new
  rule prerule. The second phase is the classic script scan one, which
  will run for every host group. Scripts during this phase are
  activated by the classic portrules and hostrules. The third phase
  is the script post-scanning one, which will run after all Nmap scan
  operations. Scripts are activated during this phase by the new rule
  postrule. [Djalal]

o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
  a struct of the same name in <netinet/sctp.h>. This caused a
  compilation error when Nmap was compiled with an OpenSSL that had
  SCTP support. [Olli Hauer, Daniel Roethlisberger]

o [NSE] Added the firewalk script, which tries to find whether a
  firewall blocks or forwards ports like the firewalk tool does. [Henri
  Doreau]

o [NSE] Host tables now have a host.traceroute member when --traceroute
  is used. This array contains the IP address, reverse DNS name, and RTT
  for each traceroute hop. [Henri Doreau]

o [NSE] Made the ftp-anon script return a directory listing when
  anonymous login is allowed. [Gutek, David]

o [NSE] Added the nmap.resolve() function which takes a host name and
  optionally an address family (such as "inet") and returns a table
  containing all of its matching addresses.  If no address family is
  specified, then all of the addresses are returned for the name. [Kris]

o [NSE] Added the nmap.address_family() function which returns the address
  family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
  called with the -6 option). [Kris]

o [NSE] Added the path-mtu script to perform Path MTU Discovery to the
  target host using TCP or UDP. The script tries to conserve bandwidth and
  time by starting with the outgoing interface's MTU and properly handling
  the Next-Hop MTU field in ICMP responses generated by RFC-compliant
  intermediate routers. [Kris]

o [NSE] Scripts can now access the MTU of the host.interface device using
  host.interface_mtu. [Kris]

o Nmap now prints the MTU for interfaces when using --iflist. [Kris]

o [NSE] Removed references to MD2, as OpenSSL 1.x.x doesn't support it anymore
  [alexandru]

o [NSE] Added GIOP library and a small script that makes use of it:
  - giop-info Queries the CORBA naming server for a list of objects
  [Patrik]

o [NSE] Added a Oracle TNS library and two new scripts that make use of it.
  The scripts are:
  - oracle-brute uses the brute and tns library to perform password guessing
  - oracle-enum-users attempts to determine valid Oracle user names
  [Patrik]

o [NSE] Added a smallish Lotus Domino rpc library (nrpc.lua) and some Lotus
  Domino oriented scripts:
  - domino-enum-users guesses users and attempts to download ID files by
                      exploiting CVE-2006-5835.
  - domino-enum-passwords attempts to download Internet passwords and ID files
                          from the web server.
  - domcon-brute performs password guessing against the remote console.
  - domcon-cmd adds support for running custom remote console commands.
  [Patrik]

o [NSE] Added an Informix library and three scripts that make use of it:
  - informix-brute uses the brute framework to perform password guessing
  - informix-query add support for running SQL queries against Informix
  - informix-tables lists table- and column-names for a given database
  [Patrik]

o [NSE] Added two new scripts http-brute.nse and http-form-brute that attempt
  to perform password guessing against web servers and applications. [Patrik]

o [NSE] Added svn-brute, which attempts to perform password guessing against
  the subversion service. [Patrik]

o [NSE] The nmap.connect function can now accept host and port tables
  (like those provided to the action function) in place of a string
  and a number. The motivation behind this is to easily support Server
  Name Indication for SSL sockets by reading host.targetname. [David
  Fifield]

o [NSE] Added wdb-version, which discovers information from a VxWorks
  debug service that is often left open. [Daniel Miller]

o [NSE] Added one script (vnc-brute) that performs password guessing against
  VNC using the new brute library and another (vnc-info) that lists supported
  security mechanisms. [Patrik]

o [NSE] Added a new brute library that provides a basic framework and logic
  for password guessing scripts. [Patrik]

o [NSE] Renamed db2-info and db2-brute scripts to drda-*. Updated script
  and library to reflect name change. Added support other DRDA based
  databases such as IBM Informix Dynamic Server and Apache Derby.
  [Patrik]

o [Nsock] Added a new function, nsi_set_hostname, to set the intended
  hostname of the target. This allows the use of Server Name
  Indication in SSL connections. This was suggested by Nuno Goncalves.
  [David]

o [NSE] Added default limits on the number of ports that qscan will
  scan. By default, it will do up to 8 open ports and up to 1 closed
  port. These limits can be controlled with the qscan.numopen and
  qscan.numclosed script arguments. [David]

o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
  but no SSLv2 ciphers are offered. This happened with a specific
  Sendmail configuration. [Matt Selsky]

o [NSE] Added a "times" table to the host table passed to scripts.
  This table contains Nmap's timing data (srtt, the smoothed round
  trip time; rttvar, the rtt variance; and timeout), all represented
  as floating-point seconds.  The ipidseq and qscan scripts were
  updated to utilize the host's timeout value instead of the very
  conservative guess of 3 seconds for read timeouts. [Kris]

o [Nmap, Nping] Fixed the fragmentation options (-f in Nmap, --mtu in
  both) which broke in 5.35DC1. Instead of sending multiple fragments,
  the original packet was sent whole. In some circumstances, sending
  would fail on interfaces with low MTUs (such as SLIP lines) with no
  way to bump down packet sizes for transport. [Kris]

o [NSE] The http library's request functions now accept an additional
  "auth" table within the option table, which if provided causes Basic
  authentication credentials to be sent. [David]

o [NSE] When receiving raw packets from Pcap, the packet capture time
  is now available to scripts as an additional return value from
  pcap_receive().  It is returned as the floating point number of
  seconds since the epoch. [Kris]

o [NSE] Added the nmap.clock() function which returns the current time
  as floating point seconds since the epoch.  Convenience functions
  clock_ms() and clock_us() were added to stdnse to return the current
  time in milliseconds and microseconds, respectively. [Kris]

o [NSE] The qscan.nse script was updated to use the more accurate
  timing data from pcap_receive() and clock() to provide microsecond
  resolution for round-trip times. [Kris]

o [Zenmap] Fixed a crash that would happen after opening the search
  window, entering a relative date criterion such as "after:-7", and
  then clicking the "Expressions" button. The error message was
    AttributeError: 'tuple' object has no attribute 'strftime'
  [David]

o [Zenmap] Added a new script selection interface. This interface is
  present under the "Scripting" tab of the profile editor. Besides selecting
  scripts, argument values can also be given. The description and categories
  of each script are also shown.
  [Kirubakaran]

o Updated IANA IP address space assignment list for random IP (-iR)
  generation. [Kris]

http://nmap.org/
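Worked example, added here and not taken from the changelog or from the Nmap sources: recovering the original command line array from the quoted /nmaprun/@args attribute described above. The quoting convention it implements (double quotes around an argument that contains whitespace, a backslash before an embedded double quote or backslash) is my reading of the changelog entry and is an assumption not checked against Nmap's code; the <nmaprun> start tag is constructed.

```python
import xml.etree.ElementTree as ET

# Constructed <nmaprun> start tag, not real Nmap output. Inside the XML
# attribute the command line's double quotes appear as &quot; (ElementTree
# unescapes them); the doubled backslashes in the Windows path are the
# command-line level escapes, one backslash protecting the next.
SAMPLE_NMAPRUN = (
    '<nmaprun scanner="nmap" version="5.36TEST3" args="'
    'nmap -sV --script-args &quot;http.useragent=Mozilla 5.0&quot; '
    '-oX &quot;C:\\\\scan results\\\\out.xml&quot; 10.1.1.2'
    '"/>'
)


def split_args(args):
    """Split a quoted args string back into the original argument list.

    Assumed convention (see lead-in): arguments are separated by whitespace,
    an argument containing whitespace is wrapped in double quotes, and a
    backslash makes the following character literal.
    """
    argv, current = [], []
    in_quotes = escaped = have_token = False
    for ch in args:
        if escaped:                      # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
            have_token = True
        elif ch == '"':                  # quotes delimit; they are not part of the value
            in_quotes = not in_quotes
            have_token = True
        elif ch.isspace() and not in_quotes:
            if have_token:
                argv.append("".join(current))
                current = []
                have_token = False
        else:
            current.append(ch)
            have_token = True
    if escaped or in_quotes:
        raise ValueError("unterminated escape or quote in args attribute")
    if have_token:                       # also emits an empty "" argument
        argv.append("".join(current))
    return argv


def quote_arg(arg):
    """Inverse of split_args() for one argument, under the same assumed convention."""
    escaped = arg.replace("\\", "\\\\").replace('"', '\\"')
    if arg == "" or any(c.isspace() for c in arg):
        return '"' + escaped + '"'
    return escaped


def join_args(argv):
    """Build an args string that split_args() turns back into argv."""
    return " ".join(quote_arg(a) for a in argv)


def argv_from_xml(xml_text):
    """Read /nmaprun/@args from XML output and return the recovered argv."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun" or root.get("args") is None:
        raise ValueError("no nmaprun args attribute found")
    return split_args(root.get("args"))


if __name__ == "__main__":
    for i, arg in enumerate(argv_from_xml(SAMPLE_NMAPRUN)):
        print("argv[%d] = %r" % (i, arg))
```

Two caveats for anyone auditing scan logs this way: output written by Nmap versions before this change has no quoting, so an argument that contained whitespace cannot be recovered unambiguously from it; and the recovered argv is data from the file, so treat it as untrusted input (compare it, store it, display it) rather than passing it to a shell.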
Title: Nmap 5.36 Test 4
Post by: SiLæncer on 23 January, 2011, 13:38
Nmap Changelog ($Id: CHANGELOG 21916 2011-01-21 09:43:36Z fyodor $); -*-text-*-

o [Zenmap] Added a new script selection interface, allowing you to
  choose scripts and arguments from a list which includes descriptions
  of every available script. Just click the "Scripting" tab in the
  profile editor. [Kirubakaran]

o [Nping] Added echo mode, a novel technique for discovering how your
  packets are changed (or dropped) in transit between the host they
  originated and a target machine. It can detect network address
  translation, packet filtering, routing anomalies, and more.  You can
  try it out against our public Nping echo server using this command:
    nping --echo-client "public" echo.nmap.org
  Or learn more about echo mode at
  http://nmap.org/book/nping-man-echo-mode.html. [Luis]

o [NSE] Added an amazing 46 scripts, bringing the total to 177! You
  can learn more about any of them at http://nmap.org/nsedoc/. Here
  are the new ones (authors listed in brackets):

  broadcast-dns-service-discovery: Attempts to discover hosts'
    services using the DNS Service Discovery protocol.  It sends a
    multicast DNS-SD query and collects all the responses. [Patrik
    Karlsson]

  broadcast-dropbox-listener: Listens for the LAN sync information
    broadcasts that the Dropbox.com client broadcasts every 20
    seconds, then prints all the discovered client IP addresses, port
    numbers, version numbers, display names, and more.  [Ron Bowes,
    Mak Kolybabi, Andrew Orr, Russ Tait Milne]

  broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the
    same broadcast domain. [Patrik Karlsson]

  broadcast-upnp-info: Attempts to extract system information from the
    UPnP service by sending a multicast query, then collecting,
    parsing, and displaying all responses. [Patrik Karlsson]

  broadcast-wsdd-discover: Uses a multicast query to discover devices
    supporting the Web Services Dynamic Discovery (WS-Discovery)
    protocol. It also attempts to locate any published Windows
    Communication Framework (WCF) web services (.NET 4.0 or
    later). [Patrik Karlsson]

  db2-discover: Attempts to discover DB2 servers on the network by
    querying open ibm-db2 UDP ports (normally port 523). [Patrik
    Karlsson]

  dns-update.nse: Attempts to perform an unauthenticated dynamic DNS
    update. [Patrik Karlsson]

  domcon-brute: Performs brute force password auditing against the
    Lotus Domino Console. [Patrik Karlsson]

  domcon-cmd: Runs a console command on the Lotus Domino Console with
    the given authentication credentials (see also: domcon-brute).
    [Patrik Karlsson]

  domino-enum-users: Attempts to discover valid IBM Lotus Domino users
    and download their ID files by exploiting the CVE-2006-5835
    vulnerability. [Patrik Karlsson]

  firewalk: Tries to discover firewall rules using an IP TTL
    expiration technique known as firewalking. [Henri Doreau]

  ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c
    backdoor reported as OSVDB-ID 69562. This script attempts to
    exploit the backdoor using the innocuous id command by default,
    but that can be changed with a script argument. [Mak Kolybabi]

  giop-info: Queries a CORBA naming server for a list of
    objects. [Patrik Karlsson]

  gopher-ls: Lists files and directories at the root of a gopher
    service. Remember those? [Toni Ruottu]

  hddtemp-info: Reads hard disk information (such as brand, model, and
    sometimes temperature) from a listening hddtemp service. [Toni
    Ruottu]

  hostmap: Tries to find hostnames that resolve to the target's IP
    address by querying the online database at
    http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]

  http-brute: Performs brute force password auditing against http
    basic authentication. [Patrik Karlsson]

  http-domino-enum-passwords: Attempts to enumerate the hashed Domino
    Internet Passwords that are (by default) accessible by all
    authenticated users. This script can also download any Domino ID
    Files attached to the Person document. [Patrik Karlsson]

  http-form-brute: Performs brute force password auditing against http
    form-based authentication. [Patrik Karlsson]

  http-vhosts: Searches for web virtual hostnames by making a large
    number of HEAD requests against http servers using common
    hostnames. [Carlos Pantelides]

  informix-brute: Performs brute force password auditing against
    IBM Informix Dynamic Server. [Patrik Karlsson]

  informix-query: Runs a query against IBM Informix Dynamic Server
    using the given authentication credentials (see also:
    informix-brute). [Patrik Karlsson]

  informix-tables: Retrieves a list of tables and column definitions
    for each database on an Informix server. [Patrik Karlsson]

  iscsi-brute: Performs brute force password auditing against iSCSI
    targets. [Patrik Karlsson]

  iscsi-info: Collects and displays information from remote iSCSI
    targets. [Patrik Karlsson]

  modbus-discover: Enumerates SCADA Modbus slave ids (sids) and
    collects their device information. [Alexander Rudakov]

  nat-pmp-info: Queries a NAT-PMP service for its external
    address. [Patrik Karlsson]

  netbus-auth-bypass: Checks if a NetBus server is vulnerable to an
    authentication bypass vulnerability which allows full access
    without knowing the password. [Toni Ruottu]

  netbus-brute: Performs brute force password auditing against the
    Netbus backdoor ("remote administration") service. [Toni Ruottu]

  netbus-info: Opens a connection to a NetBus server and extracts
    information about the host and the NetBus service itself. [Toni
    Ruottu]

  netbus-version: Extends version detection to detect NetBuster, a
    honeypot service that mimes NetBus. [Toni Ruottu]

  nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to
    obtain information such as load averages, process counts, logged in
    user information, etc. [Mak Kolybabi]

  oracle-brute: Performs brute force password auditing against Oracle
    servers. [Patrik Karlsson]

  oracle-enum-users: Attempts to enumerate valid Oracle user names
    against unpatched Oracle 11g servers (this bug was fixed in
    Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]

  path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris
    Katterjohn]

  resolveall: Resolves hostnames and adds every address (IPv4 or IPv6,
    depending on Nmap mode) to Nmap's target list.  This differs from
    Nmap's normal host resolution process, which only scans the first
    address (A or AAAA record) returned for each host name. [Kris
    Katterjohn]

  rmi-dumpregistry: Connects to a remote RMI registry and attempts to
    dump all of its objects. [Martin Holst Swende]

  smb-flood: Exhausts a remote SMB server's connection limit by
    opening as many connections as we can.  Most implementations of
    SMB have a hard global limit of 11 connections for user accounts
    and 10 connections for anonymous. Once that limit is reached,
    further connections are denied. This script exploits that limit by
    taking up all the connections and holding them. [Ron Bowes]

  ssh2-enum-algos: Reports the number of algorithms (for encryption,
    compression, etc.) that the target SSH2 server offers. If
    verbosity is set, the offered algorithms are each listed by
    type. [Kris Katterjohn]

  stuxnet-detect: Detects whether a host is infected with the Stuxnet
    worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]

  svn-brute: Performs brute force password auditing against Subversion
    source code control servers. [Patrik Karlsson]

  targets-traceroute: Inserts traceroute hops into the Nmap scanning
    queue. It only functions if Nmap's --traceroute option is used and
    the newtargets script argument is given. [Henri Doreau]

  vnc-brute: Performs brute force password auditing against VNC
    servers. [Patrik Karlsson]

  vnc-info: Queries a VNC server for its protocol version and
    supported security types. [Patrik Karlsson]

  wdb-version: Detects vulnerabilities and gathers information (such
    as version numbers and hardware support) from VxWorks Wind DeBug
    agents. [Daniel Miller]

  wsdd-discover: Retrieves and displays information from devices
    supporting the Web Services Dynamic Discovery (WS-Discovery)
    protocol. It also attempts to locate any published Windows
    Communication Framework (WCF) web services (.NET 4.0 or
    later). [Patrik Karlsson]

o [NSE] Added 12 new protocol libraries:
 - dhcp.lua by Ron
 - dnssd.lua (DNS Service Discovery) by Patrik
 - ftp.lua by David
 - giop.lua (CORBA naming service) by Patrik
 - informix.lua (Informix database) by Patrik
 - iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
 - nrpc.lua (Lotus Domino RPC) by Patrik
 - rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
 - tns.lua (Oracle) by Patrik
 - upnp.lua (UPnP support) by Thomas Buchanan and Patrik
 - vnc.lua (Virtual Network Computing) by Patrik
 - wsdd.lua (Web Service Dynamic Discovery) by Patrik

o [NSE] Added a new brute library that provides a basic framework and logic
  for brute force password auditing scripts. [Patrik]

o [Zenmap] Greatly improved performance for large scans by
  benchmarking intensively and then recoding dozens of slow parts.
  Time taken to load our benchmark file (a scan of just over a million
  IPs belonging to Microsoft corporation, with 74,293 hosts up) was
  reduced from hours to less than two minutes. Memory consumption
  decreased dramatically as well. [David]

o Performed a major OS detection integration run. The database has
  grown more than 14% to 2,982 fingerprints and many of the existing
  fingerprints were improved. Highlights include Linux 2.6.37, iPhone
  OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4.
  David posted highlights of his integration work at
  http://seclists.org/nmap-dev/2010/q4/651

o Performed a huge version detection integration run. The number of
  signatures has grown by more than 11% to 7,355.  More than a third
  of our signatures are for http, but we also detect 743 other service
  protocols, from abc, acap, access-remote-pc, and achat to zenworks,
  zeo, and zmodem.  David posted highlights at
  http://seclists.org/nmap-dev/2010/q4/761.

o [NSE] Added the target NSE library which allows scripts to add newly
  discovered targets to Nmap's scanning queue. This allows Nmap to
  support a wide range of target acquisition techniques. Scripts which
  can now use this feature include dns-zone-transfer, hostmap,
  ms-sql-info, snmp-interfaces, targets-traceroute, and several
  more. [Djalal]

o [NSE] Nmap has two new NSE script scanning phases. The new pre-scan
  occurs before Nmap starts scanning. Some of the initial pre-scan
  scripts use techniques like broadcast DNS service discovery or DNS
  zone transfers to enumerate hosts which can optionally be treated as
  targets. The other phase (post scan) runs after all of Nmap's
  scanning is complete. We don't have any of these scripts yet, but
  they could compile scan statistics or present the results in a
  different way. One idea is a reverse index which provides a list of
  services discovered during a network scan, along with a list of IPs
  found to be running each service. See
  http://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]

o Dramatically improved nmap.xsl (used for converting Nmap XML output
  to HTML). In particular:
  - Put verbose details behind expander buttons so you can see them if
    you want, but they don't distract from the main output.  In
    particular, offline hosts and traceroute results are collapsed by
    default.
  - Improved the color scheme to be less garish.
  - Added support for the new NSE pre-scan and post-scan phases.
  - Changed script output to use 'pre' tags to keep even lengthy
    output readable.
  - Added a floating menu to the lower-right for toggling whether
    closed/filtered ports are shown or not (they are now hidden by
    default if Javascript is enabled).
  Many smaller improvements were made as well. You can find the new
  file at http://nmap.org/svn/docs/nmap.xsl, and here is an example
  scan processed through it: http://nmap.org/tmp/newxsl.html. [Tom]

o [NSE] Created a new "broadcast" script category for the broadcast-*
  scripts.  These perform network discovery by broadcasting on the
  local network and listening for responses.  Since they don't
  directly relate to targets specified on the command line, these are
  kept out of the default category (nor do they go in "discovery").

o Integrated cracked passwords from the Gawker.com compromise
  (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
  password database. A team of Nmap developers led by Brandon Enright
  has cracked 635,546 out of 748,081 password hashes so far
  (85%). Gawker doesn't exactly have the most sophisticated users on
  the Internet--their top passwords are "123456", "password",
  "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey",
  "111111", "consumer", and "letmein".

o XML output now excludes output for down hosts when only doing host
  discovery, unless verbosity (-v) was requested. This is how it
  already worked for normal scans, but the ping-only case was
  overlooked.  [David]

o Updated the Windows build process to work with (and require) Visual
  C++ 2010 rather than 2008.  If you want to build Zenmap too, you now
  need Python 2.7 (rather than 2.6) and GTK+ 2.22. See
  http://nmap.org/book/inst-windows.html#inst-win-source [David, Rob
  Nicholls, KX]

o Merged port names in the nmap-services file with allocated names
  from the IANA (http://www.iana.org/assignments/port-numbers). We
  only added IANA names which were "unknown" in our file--we didn't
  deal with conflicting names. [David]

o Enabled the ASLR and DEP security technologies for Nmap.exe,
  Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will
  set the /DYNAMICBASE and /NXCOMPAT flags in the PE
  header. Executables generated using py2exe or NSIS and third party
  binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support
  for DEP on XP SP3, using SetProcessDEPPolicy(), could still be
  implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]

o Investigated using the CPE (Common Platform Enumeration) standard
  for describing operating systems, devices, and service names for
  Nmap OS and service detection. You can read David's reports at
  http://seclists.org/nmap-dev/2010/q3/278 and
  http://seclists.org/nmap-dev/2010/q3/303.

o [Zenmap] Improved the output viewer to show new output in constant
  time. Previously it would get slower and slower as the output grew
  longer, eventually making Zenmap appear to freeze with 100% CPU. Rob
  Nicholls and Ray Middleton helped with testing. [David]

o The Linux RPM builds of Nmap and related tools (ncat, nping, etc.)
  now link to system libraries dynamically rather than statically.
  They still link statically to dependency libraries such as OpenSSL,
  Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so
  the RPMs will work on distributions with older software (like RHEL,
  Debian stable) as well as more bleeding edge ones like
  Fedora. [David]

o [NSE] Added the ability to send and receive on unconnected sockets.
  This can be used, for example, to receive UDP broadcasts without
  having to use Libpcap. A number of scripts have been changed so that
  they can work as prerule scripts to discover services by UDP
  broadcasting, and optionally add the discovered targets to the
  scanning queue:
    - ms-sql-info
    - upnp-info
    - dns-service-discovery
  The nmap.new_socket function can now optionally take a default
  protocol and address family, which will be used if the socket is not
  connected. There is a new nmap.sendto function to be used with
  unconnected UDP sockets. [David, Patrik]

o [Nping] Substantially improved the Nping man page. You can read it
  online at http://nmap.org/book/nping-man.html. [Luis, David]

o Documented the licenses of the third-party software used by Nmap and
  its sibling tools:
  http://nmap.org/svn/docs/3rd-party-licenses.txt. [David]

o [NSE] Improved the SMB scripts so that they can run in parallel
  rather than using a mutex to force serialization.  This quadrupled
  the SMB scan speed in one large scale test.  See
  http://seclists.org/nmap-dev/2010/q3/819. [Ron]

o Added a simple Nmap NSE script template to make writing new scripts
  easier: http://nmap.org/svn/docs/sample-script.nse. [Ron]

o [Zenmap] Made the topology node radiuses grow logarithmically
  instead of linearly, so that hosts with thousands of open ports
  don't overwhelm the diagram. Also only open ports (not
  open|filtered) are considered when calculating node sizes. Henri
  Doreau found and fixed a bug in the implementation. [Daniel Miller]

o [NSE] Added the get_script_args NSE function for parsing script
  arguments in a clean and standardized way
  (http://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]

o Increased the initial RTT timeout for ARP scans from 100 ms to 200
  ms. Some wireless and VPN links were taking around 300 ms to
  respond. The default of one retransmission gives them 400 ms to be
  detected.

o Added new version detection probes and signatures from Patrik for:
  - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
  - IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
  - Database servers running the DRDA protocol
  - IBM Websphere MQ (shows name of queue-manager and channel)

o Fix Nmap compilation on OpenSolaris (see
  http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on). [David]

o [NSE] The http library's request functions now accept an additional
  "auth" table within the option table, which causes Basic
  authentication credentials to be sent. [David]

o Improved IPv6 host output in that we now remember and report the
  forward DNS name (given by the user) and any non-scanned addresses
  (usually because of round robin DNS).  We already did this for
  IPv4. [David]

o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
  messages about gtk.Tooltip. [Rob Nicholls]

o [NSE] Made dns-zone-transfer script able to add new discovered DNS
  records to the Nmap scanning queue. [Djalal]

o [NSE] Enhance ssl-cert to also report the type and bit size of SSL
  certificate public keys. [Matt Selsky]

o [Ncat] Make --exec and --idle-timeout work when connecting with
  --proxy. Florian Roth reported the bug. [David]

o [Nping] Fixed a bug which caused Nping to fail when targeting
  broadcast addresses (see
  http://seclists.org/nmap-dev/2010/q3/752). [Luis]

o [Nping] Nping now limits concurrent open file descriptors properly
  based on the resources available on the host (see
  http://seclists.org/nmap-dev/2010/q4/2). [Luis]

o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
  and language lists can be set using new keys in the "options" table
  argument. These all default to the same value used before. Also, the
  required "cookie" argument is now replaced by an optional "cookie"
  key in the "options" table, defaulting to random bytes as suggested
  by the RFC. [Kris]

o Ncat now logs Nsock debug output to stderr instead of stdout for
  consistency with its other debug messages. [David]

o [NSE] Added a new function, shortport.http, for HTTP script
  portrules and changed 14 scripts to use it. [David]

o Updated to the latest config.guess and config.sub. Thanks to Ty
  Miller for a reminder. [David]

o [NSE] Added prerule support to snmp-interfaces and the ability to
  add the remote host's interface addresses to the scanning queue.
  The new script arguments used for this functionality are "host"
  (required) and "port" (optional). [Kris]

o Fixed some inconsistencies in nmap-os-db and a small memory leak
  that would happen where there was more than one round of OS
  detection. These were reported by Xavier Sudre from
  netVigilance. [David]

o [NSE] Fixed a bug with worker threads calling the wrong destructors.
  Fixing this allows better parallelism in http-brute.nse. The problem
  was reported by Patrik Karlsson. [David, Patrick]

o Upgraded the OpenSSL binaries shipped in our Windows installer to
  version 1.0.0a. [David]

o [NSE] Added prerule support to the dns-zone-transfer script,
  allowing it to run early to discover IPs from DNS records and
  optionally add those IPs to Nmap's target queue.  You must specify
  the DNS server and domain name to use with script
  arguments. [Djalal]

o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
  a struct of the same name in <netinet/sctp.h>. This caused a
  compilation error when Nmap was compiled with an OpenSSL that had
  SCTP support. [Olli Hauer, Daniel Roethlisberger]

o [NSE] Implemented a big cleanup of the Nmap NSE Nsock library
  binding code. [Patrick]

o Added a bunch of Apple and Netatalk AFP service detection
  signatures.  These often provide extra details such as whether the
  target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]

o [NSE] Host tables now have a host.traceroute member available when
  --traceroute is used. This array contains the IP address, reverse
  DNS name, and RTT for each traceroute hop. [Henri Doreau]

o [NSE] Made the ftp-anon script return a directory listing when
  anonymous login is allowed. [Gutek, David]

o [NSE] Added the nmap.resolve() function. It takes a host name and
  optionally an address family (such as "inet") and returns a table
  containing all of its matching addresses. If no address family is
  specified, all addresses for the name are returned. [Kris]

o [NSE] Added the nmap.address_family() function which returns the address
  family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
  called with the -6 option). [Kris]

o [NSE] Scripts can now access the MTU of the host.interface device using
  host.interface_mtu. [Kris]

o Restrict the default Windows DLL search path by removing the current
  directory. This adds extra protection against DLL hijacking attacks,
  especially if we were to add file type associations to Nmap in the
  future. We implement this with the SetDllDirectory function when
  available (Windows XP SP1 and later). Otherwise, we call
  SetCurrentDirectory with the directory containing the
  executable. [David]

o Nmap now prints the MTU for interfaces in --iflist output. [Kris]

o [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x
  no longer supports. [Alexandru]

o [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
  Nmap NSE, allowing them to connect to servers which run multiple SSL
  websites on one IP address. To enable this for NSE, the nmap.connect
  function has been changed to accept host and port tables (like those
  provided to the action function) in place of a string and a
  number. [David]

o [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added
  support other DRDA based databases such as IBM Informix Dynamic
  Server and Apache Derby.  [Patrik]

o [Nsock] Added a new function, nsi_set_hostname, to set the intended
  hostname of the target. This allows the use of Server Name
  Indication in SSL connections. [David]

o [NSE] Limits the number of ports that qscan will scan (now up to 8
  open ports and up to 1 closed port by default). These limits can be
  controlled with the qscan.numopen and qscan.numclosed script
  arguments. [David]

o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
  but no SSLv2 ciphers are offered. This happened with a specific
  Sendmail configuration. [Matt Selsky]

o [NSE] Added a "times" table to the host table passed to scripts.
  This table contains Nmap's timing data (srtt, the smoothed round
  trip time; rttvar, the rtt variance; and timeout), all represented
  as floating-point seconds.  The ipidseq and qscan scripts were
  updated to utilize the host's timeout value rather than using a
  conservative guess of 3 seconds for read timeouts. [Kris]

o Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
  which were improperly sending whole packets in version
  5.35DC1. [Kris]

o [NSE] When receiving raw packets from Pcap, the packet capture time
  is now available to scripts as an additional return value from
  pcap_receive().  It is returned as the floating point number of
  seconds since the epoch.  Also added the nmap.clock() function which
  returns the current time (and convenience functions clock_ms() and
  clock_us()).  Qscan.nse was updated to use this more accurate timing
  data. [Kris]

o [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch
  source code analyzer (http://smatch.sourceforge.net/). [David]

o [Zenmap] Fixed a crash that would happen after opening the search
  window, entering a relative date criterion such as "after:-7", and
  then clicking the "Expressions" button. The error message was
    AttributeError: 'tuple' object has no attribute 'strftime'
  [David]

o Added a new packet payload--a NAT-PMP external address request for
  port 5351/udp.  Payloads help us elicit responses from listening UDP
  services to better distinguish them from filtered ports.  This
  payload goes well with our new nat-pmp-info script. [David, Patrik]

o Updated IANA IP address space assignment list for random IP (-iR)
  generation. [Kris]

o [Ncat] Ncat now uses case-insensitive string comparison when
  checking authentication schemes and parameters. Florian Roth found a
  server offering "BASIC" instead of "Basic", and the HTTP RFC
  requires case-insensitive comparisons in most places. [David]

o [NSE] There is now a limit of 1,000 concurrent running scripts,
  instituted to keep memory under control when there are many open
  ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
  crash) for one host with tens of thousands of open ports. This limit
  can be controlled with the variable CONCURRENCY_LIMIT in
  nse_main.lua. [David]

o The command line in XML output (/nmaprun/@args attribute) now does
  quoting of whitespace using double quotes and backslashes. This
  allows recovering the original command line array even when
  arguments contain whitespace. [David]

o Added a service detection probe for master servers of Quake 3 and
  related games.  [Toni Ruottu]


http://nmap.org/
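The changelog entry on the /nmaprun/@args attribute says the command line is now quoted with double quotes and backslashes so that the original argv array can be recovered; the Python below, an added example and not code from the Nmap project, encodes an argv list that way and parses the attribute back, including the empty-argument and unterminated-quote edge cases. The exact rule it implements is an assumption (escape every embedded `"` and `\` with a backslash, and wrap an argument in double quotes when it contains whitespace or is empty), and the sample command line is constructed.

```python
"""Quote and un-quote an Nmap command line as stored in /nmaprun/@args.

Added example, not Nmap's own code.  Assumed rule: every '"' and '\\'
inside an argument is escaped with a backslash; an argument containing
whitespace (or an empty argument) is additionally wrapped in double
quotes; arguments are separated by single spaces.
"""
import xml.etree.ElementTree as ET


def quote_arg(arg: str) -> str:
    """Encode one argument so it survives a whitespace-separated join."""
    escaped = arg.replace("\\", "\\\\").replace('"', '\\"')
    if arg == "" or any(c.isspace() for c in arg):
        return f'"{escaped}"'
    return escaped


def join_args(argv) -> str:
    """Build the @args attribute value from an argv list."""
    return " ".join(quote_arg(a) for a in argv)


def split_args(value: str) -> list:
    """Recover the argv list from an @args attribute value.

    A backslash escapes the next character everywhere; an unescaped double
    quote toggles quoted mode; unquoted whitespace ends the current
    argument.  Raises ValueError on a dangling backslash or an unterminated
    quote instead of silently returning a truncated command line.
    """
    argv = []
    current = []
    in_arg = False       # True once the current argument has started
    in_quotes = False
    i = 0
    while i < len(value):
        c = value[i]
        if c == "\\":
            if i + 1 >= len(value):
                raise ValueError("dangling backslash in @args")
            current.append(value[i + 1])   # escaped char taken literally
            in_arg = True
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes
            in_arg = True                  # "" is an empty argument
        elif c.isspace() and not in_quotes:
            if in_arg:
                argv.append("".join(current))
                current = []
                in_arg = False
        else:
            current.append(c)
            in_arg = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote in @args")
    if in_arg:
        argv.append("".join(current))
    return argv


def nmaprun_with_args(argv) -> str:
    """Constructed minimal <nmaprun> element carrying the quoted command line.

    ElementTree escapes '"' inside the attribute as &quot;, so the argument
    quoting and the XML attribute quoting do not interfere with each other.
    """
    el = ET.Element("nmaprun", scanner="nmap", args=join_args(argv))
    return ET.tostring(el, encoding="unicode")


def args_from_nmaprun(xml_text: str) -> list:
    """Parse the <nmaprun> root of an Nmap XML document and return its argv."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an Nmap XML document")
    return split_args(root.get("args", ""))


# Constructed sample: a script argument containing spaces and quotes.
SAMPLE_ARGV = ["nmap", "-sV", "--script-args",
               'http.useragent=Mozilla/5.0 "compat"', "192.0.2.10"]


if __name__ == "__main__":
    doc = nmaprun_with_args(SAMPLE_ARGV)
    print(doc)
    print(args_from_nmaprun(doc))
```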
Title: Nmap 5.50 released
Post by: SiLæncer on 30 January 2011, 13:52
The security scanner Nmap has been extended with numerous scripts in version 5.50. Among them is Stuxnet-Detect, which checks whether a remote machine is infected with the Stuxnet worm.

The network security tool Nmap has been released in version 5.50. Alongside a number of bug fixes, the current version contains numerous new scripts that can be used to check the machines in a network for possible security holes. The graphical interface Zenmap has been extended as well.

Zenmap has gained an interface through which scripts can be selected. The interface also allows parameters to be entered and briefly describes each extension. In addition, Zenmap is said to have been sped up considerably when running larger scans. The memory consumption of the graphical front end has also been optimised.

Systems recognised by Nmap 5.50 include Linux 2.6.37, iOS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3 and MINIX 2.0.4, among others. The nmap.xsl script has also been improved further. nmap.xsl converts the information Nmap outputs in XML format into HTML. From now on, detailed information about port scans stays hidden there by default so as not to distract from the main output. The details can be displayed by clicking a new button in the HTML files.

The Nmap Scripting Engine (NSE) has also been reworked: a new library automatically adds newly discovered target machines to the scan queue. There are already several scripts that can use this function, including Dns-Zone-Transfer, Hostmap and Ms-Sql-Info. In addition, the upper limit for concurrently running scripts has been set to 1,000 to limit memory consumption when too many open ports are discovered during a scan. The limit can be controlled in the file nse_main.lua via the variable CONCURRENCY_LIMIT.

The new scripts include Stuxnet-Detect, which searches the network for machines infected with the Stuxnet worm. Firewalk can be used to read out firewall rules. Ftp-Proftpd-Backdoor also checks for the now-closed security holes in the FTP server ProFTPD.

The developers have compiled a complete list of all changes in a changelog file. Binaries and source code are available for download on the project's website for Windows, Linux, Mac OS X, BSD and other operating systems.

Source: www.golem.de



  targets. The other phase (post scan) runs after all of Nmap's
  scanning is complete. We don't have any of these scripts yet, but
  they could compile scan statistics or present the results in a
  different way. One idea is a reverse index which provides a list of
  services discovered during a network scan, along with a list of IPs
  found to be running each service. See
  http://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]

o [NSE] A new --script-help option describes all scripts matching a
  given specification. It accepts the same specification format as
  --script does. For example, try 'nmap --script-help "default or
  http-*"'. [David, Martin Holst Swende]

o Dramatically improved nmap.xsl (used for converting Nmap XML output
  to HTML). In particular:
  - Put verbose details behind expander buttons so you can see them if
    you want, but they don't distract from the main output.  In
    particular, offline hosts and traceroute results are collapsed by
    default.
  - Improved the color scheme to be less garish.
  - Added support for the new NSE pre-scan and post-scan phases.
  - Changed script output to use 'pre' tags to keep even lengthy
    output readable.
  - Added a floating menu to the lower-right for toggling whether
    closed/filtered ports are shown or not (they are now hidden by
    default if JavaScript is enabled).
  Many smaller improvements were made as well. You can find the new
  file at http://nmap.org/svn/docs/nmap.xsl, and here is an example
  scan processed through it: http://nmap.org/tmp/newxsl.html. [Tom]

o [NSE] Created a new "broadcast" script category for the broadcast-*
  scripts.  These perform network discovery by broadcasting on the
  local network and listening for responses.  Since they don't
  directly relate to targets specified on the command line, these are
  kept out of the default category (nor do they go in "discovery").

o Integrated cracked passwords from the Gawker.com compromise
  (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
  password database. A team of Nmap developers led by Brandon Enright
  has cracked 635,546 out of 748,081 password hashes so far
  (85%). Gawker doesn't exactly have the most sophisticated users on
  the Internet--their top passwords are "123456", "password",
  "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey",
  "111111", "consumer", and "letmein".

o XML output now excludes output for down hosts when only doing host
  discovery, unless verbosity (-v) was requested. This is how it
  already worked for normal scans, but the ping-only case was
  overlooked.  [David]

o Updated the Windows build process to work with (and require) Visual
  C++ 2010 rather than 2008.  If you want to build Zenmap too, you now
  need Python 2.7 (rather than 2.6) and GTK+ 2.22. See
  http://nmap.org/book/inst-windows.html#inst-win-source [David, Rob
  Nicholls, KX]

o Merged port names in the nmap-services file with allocated names
  from the IANA (http://www.iana.org/assignments/port-numbers). We
  only added IANA names which were "unknown" in our file--we didn't
  deal with conflicting names. [David]

o Enabled the ASLR and DEP security technologies for Nmap.exe,
  Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will
  set the /DYNAMICBASE and /NXCOMPAT flags in the PE
  header. Executables generated using py2exe or NSIS and third party
  binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support
  for DEP on XP SP3, using SetProcessDEPPolicy(), could still be
  implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]

o Investigated using the CPE (Common Platform Enumeration) standard
  for describing operating systems, devices, and service names for
  Nmap OS and service detection. You can read David's reports at
  http://seclists.org/nmap-dev/2010/q3/278 and
  http://seclists.org/nmap-dev/2010/q3/303.

o [Zenmap] Improved the output viewer to show new output in constant
  time. Previously it would get slower and slower as the output grew
  longer, eventually making Zenmap appear to freeze with 100% CPU. Rob
  Nicholls and Ray Middleton helped with testing. [David]

o The Linux RPM builds of Nmap and related tools (ncat, nping, etc.)
  now link to system libraries dynamically rather than statically.
  They still link statically to dependency libraries such as OpenSSL,
  Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so
  the RPMs will work on distributions with older software (like RHEL,
  Debian stable) as well as more bleeding edge ones like
  Fedora. [David]

o [NSE] Added the ability to send and receive on unconnected sockets.
  This can be used, for example, to receive UDP broadcasts without
  having to use Libpcap. A number of scripts have been changed so that
  they can work as prerule scripts to discover services by UDP
  broadcasting, and optionally add the discovered targets to the
  scanning queue:
    - ms-sql-info
    - upnp-info
    - dns-service-discovery
  The nmap.new_socket function can now optionally take a default
  protocol and address family, which will be used if the socket is not
  connected. There is a new nmap.sendto function to be used with
  unconnected UDP sockets. [David, Patrik]

o [Nping] Substantially improved the Nping man page. You can read it
  online at http://nmap.org/book/nping-man.html. [Luis, David]

o Documented the licenses of the third-party software used by Nmap and
  its sibling tools:
  http://nmap.org/svn/docs/3rd-party-licenses.txt. [David]

o [NSE] Improved the SMB scripts so that they can run in parallel
  rather than using a mutex to force serialization.  This quadrupled
  the SMB scan speed in one large scale test.  See
  http://seclists.org/nmap-dev/2010/q3/819. [Ron]

o Added a simple Nmap NSE script template to make writing new scripts
  easier: http://nmap.org/svn/docs/sample-script.nse. [Ron]

o [Zenmap] Made the topology node radiuses grow logarithmically
  instead of linearly, so that hosts with thousands of open ports
  don't overwhelm the diagram. Also only open ports (not
  open|filtered) are considered when calculating node sizes. Henri
  Doreau found and fixed a bug in the implementation. [Daniel Miller]

o [NSE] Added the get_script_args NSE function for parsing script
  arguments in a clean and standardized way
  (http://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]

o Increased the initial RTT timeout for ARP scans from 100 ms to 200
  ms. Some wireless and VPN links were taking around 300 ms to
  respond. The default of one retransmission gives them 400 ms to be
  detected.

o Added new version detection probes and signatures from Patrik for:
  - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
  - IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
  - Database servers running the DRDA protocol
  - IBM Websphere MQ (shows name of queue-manager and channel)

o Fix Nmap compilation on OpenSolaris (see
  http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on) [David]

o [NSE] The http library's request functions now accept an additional
  "auth" table within the option table, which causes Basic
  authentication credentials to be sent. [David]

o Improved IPv6 host output in that we now remember and report the
  forward DNS name (given by the user) and any non-scanned addresses
  (usually because of round robin DNS).  We already did this for
  IPv4. [David]

o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
  messages about gtk.Tooltip. [Rob Nicholls]

o [NSE] Made dns-zone-transfer script able to add new discovered DNS
  records to the Nmap scanning queue. [Djalal]

o [NSE] Enhance ssl-cert to also report the type and bit size of SSL
  certificate public keys [Matt Selsky]

o [Ncat] Make --exec and --idle-timeout work when connecting with
  --proxy. Florian Roth reported the bug. [David]

o [Nping] Fixed a bug which caused Nping to fail when targeting
  broadcast addresses (see
  http://seclists.org/nmap-dev/2010/q3/752). [Luis]

o [Nping] Nping now limits concurrent open file descriptors properly
  based on the resources available on the host (see
  http://seclists.org/nmap-dev/2010/q4/2). [Luis]

o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
  and language lists can be set using new keys in the "options" table
  argument. These all default to the same value used before. Also, the
  required "cookie" argument is now replaced by an optional "cookie"
  key in the "options" table, defaulting to random bytes as suggested
  by the RFC. [Kris]

o Ncat now logs Nsock debug output to stderr instead of stdout for
  consistency with its other debug messages. [David]

o [NSE] Added a new function, shortport.http, for HTTP script
  portrules and changed 14 scripts to use it. [David]

o Updated to the latest config.guess and config.sub. Thanks to Ty
  Miller for a reminder. [David]

o [NSE] Added prerule support to snmp-interfaces and the ability to
  add the remote host's interface addresses to the scanning queue.
  The new script arguments used for this functionality are "host"
  (required) and "port" (optional). [Kris]

o Fixed some inconsistencies in nmap-os-db and a small memory leak
  that would happen where there was more than one round of OS
  detection. These were reported by Xavier Sudre from
  netVigilance. [David]

o [NSE] Fixed a bug with worker threads calling the wrong destructors.
  Fixing this allows better parallelism in http-brute.nse. The problem
  was reported by Patrik Karlsson. [David, Patrick]

o Upgraded the OpenSSL binaries shipped in our Windows installer to
  version 1.0.0a. [David]

o [NSE] Added prerule support to the dns-zone-transfer script,
  allowing it to run early to discover IPs from DNS records and
  optionally add those IPs to Nmap's target queue.  You must specify
  the DNS server and domain name to use with script
  arguments. [Djalal]

o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
  a struct of the same name in <netinet/sctp.h>. This caused a
  compilation error when Nmap was compiled with an OpenSSL that had
  SCTP support. [Olli Hauer, Daniel Roethlisberger]

o [NSE] Implemented a big cleanup of the Nmap NSE Nsock library
  binding code. [Patrick]

o Added a bunch of Apple and Netatalk AFP service detection
  signatures.  These often provide extra details such as whether the
  target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]

o [NSE] Host tables now have a host.traceroute member available when
  --traceroute is used. This array contains the IP address, reverse
  DNS name, and RTT for each traceroute hop. [Henri Doreau]

o [NSE] Made the ftp-anon script return a directory listing when
  anonymous login is allowed. [Gutek, David]

o [NSE] Added the nmap.resolve() function. It takes a host name and
  optionally an address family (such as "inet") and returns a table
  containing all of its matching addresses. If no address family is
  specified, all addresses for the name are returned. [Kris]

o [NSE] Added the nmap.address_family() function which returns the address
  family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
  called with the -6 option). [Kris]

o [NSE] Scripts can now access the MTU of the host.interface device using
  host.interface_mtu. [Kris]

o Restrict the default Windows DLL search path by removing the current
  directory. This adds extra protection against DLL hijacking attacks,
  especially if we were to add file type associations to Nmap in the
  future. We implement this with the SetDllDirectory function when
  available (Windows XP SP1 and later). Otherwise, we call
  SetCurrentDirectory with the directory containing the
  executable. [David]

o Nmap now prints the MTU for interfaces in --iflist output. [Kris]

o [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x
  no longer supports. [Alexandru]

o [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
  Nmap NSE, allowing them to connect to servers which run multiple SSL
  websites on one IP address. To enable this for NSE, the nmap.connect
  function has been changed to accept host and port tables (like those
  provided to the action function) in place of a string and a
  number. [David]

o [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added
  support for other DRDA-based databases such as IBM Informix Dynamic
  Server and Apache Derby.  [Patrik]

o [Nsock] Added a new function, nsi_set_hostname, to set the intended
  hostname of the target. This allows the use of Server Name
  Indication in SSL connections. [David]

o [NSE] Limits the number of ports that qscan will scan (now up to 8
  open ports and up to 1 closed port by default). These limits can be
  controlled with the qscan.numopen and qscan.numclosed script
  arguments. [David]

o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
  but no SSLv2 ciphers are offered. This happened with a specific
  Sendmail configuration. [Matt Selsky]

o [NSE] Added a "times" table to the host table passed to scripts.
  This table contains Nmap's timing data (srtt, the smoothed round
  trip time; rttvar, the rtt variance; and timeout), all represented
  as floating-point seconds.  The ipidseq and qscan scripts were
  updated to utilize the host's timeout value rather than using a
  conservative guess of 3 seconds for read timeouts. [Kris]

o Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
  which were improperly sending whole packets in version
  5.35DC1. [Kris]

o [NSE] When receiving raw packets from Pcap, the packet capture time
  is now available to scripts as an additional return value from
  pcap_receive().  It is returned as the floating point number of
  seconds since the epoch.  Also added the nmap.clock() function which
  returns the current time (and convenience functions clock_ms() and
  clock_us()).  Qscan.nse was updated to use this more accurate timing
  data. [Kris]

o [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch
  source code analyzer (http://smatch.sourceforge.net/). [David]

o [Zenmap] Fixed a crash that would happen after opening the search
  window, entering a relative date criterion such as "after:-7", and
  then clicking the "Expressions" button. The error message was
    AttributeError: 'tuple' object has no attribute 'strftime'
  [David]

o Added a new packet payload--a NAT-PMP external address request for
  port 5351/udp.  Payloads help us elicit responses from listening UDP
  services to better distinguish them from filtered ports.  This
  payload goes well with our new nat-pmp-info script. [David, Patrik]

o Updated IANA IP address space assignment list for random IP (-iR)
  generation. [Kris]

o [Ncat] Ncat now uses case-insensitive string comparison when
  checking authentication schemes and parameters. Florian Roth found a
  server offering "BASIC" instead of "Basic", and the HTTP RFC
  requires case-insensitive comparisons in most places. [David]

o [NSE] There is now a limit of 1,000 concurrent running scripts,
  instituted to keep memory under control when there are many open
  ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
  crash) for one host with tens of thousands of open ports. This limit
  can be controlled with the variable CONCURRENCY_LIMIT in
  nse_main.lua. [David]

o The command line in XML output (/nmaprun/@args attribute) now does
  quoting of whitespace using double quotes and backslashes. This
  allows recovering the original command line array even when
  arguments contain whitespace. [David]

o Added a service detection probe for master servers of Quake 3 and
  related games.  [Toni Ruottu]

http://nmap.org/
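The ssh2-enum-algos entry above reports how many algorithms of each type an SSH2 server offers. Those lists travel in the server's SSH_MSG_KEXINIT message (RFC 4253 section 7.1: a message byte, a 16-byte cookie, ten comma-separated name-lists each prefixed by a big-endian uint32 length, a boolean and a reserved uint32). The parser below is an added example written for this page, not code from Nmap or the script's author. It builds a constructed KEXINIT from sample lists, parses it back, counts the algorithms per type and flags names from a constructed watch-list that a defender auditing an SSH server would want to see. The function names, the sample lists and the WEAK_ALGORITHMS set are all assumptions made here.

```python
import struct

SSH_MSG_KEXINIT = 20

# The ten name-lists of SSH_MSG_KEXINIT, in wire order (RFC 4253, 7.1).
KEXINIT_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Constructed watch-list for this example; an audit policy would supply its own.
WEAK_ALGORITHMS = {
    "diffie-hellman-group1-sha1",
    "arcfour", "arcfour128", "arcfour256",
    "3des-cbc",
    "hmac-md5", "hmac-md5-96", "hmac-sha1-96",
}


def _read_name_list(buf, off):
    """Decode one uint32-prefixed, comma-separated US-ASCII name-list at buf[off]."""
    if off + 4 > len(buf):
        raise ValueError("truncated name-list length")
    (length,) = struct.unpack_from(">I", buf, off)
    off += 4
    if off + length > len(buf):
        raise ValueError("truncated name-list body")
    try:
        text = buf[off:off + length].decode("ascii")
    except UnicodeDecodeError:
        raise ValueError("name-list must be US-ASCII")
    names = text.split(",") if text else []   # an empty list is legal (e.g. languages)
    return names, off + length


def parse_kexinit(payload):
    """Parse an SSH_MSG_KEXINIT payload into a dict of name-lists plus the trailing flag."""
    if len(payload) < 17 or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not a KEXINIT payload")
    off = 17                                   # message byte + 16-byte cookie
    fields = {}
    for name in KEXINIT_FIELDS:
        fields[name], off = _read_name_list(payload, off)
    if off + 5 > len(payload):                 # boolean + reserved uint32
        raise ValueError("truncated KEXINIT trailer")
    fields["first_kex_packet_follows"] = bool(payload[off])
    return fields


def build_kexinit(lists, cookie=b"\x00" * 16):
    """Encode name-lists into a KEXINIT payload (used here to construct sample input)."""
    out = bytes([SSH_MSG_KEXINIT]) + cookie
    for name in KEXINIT_FIELDS:
        body = ",".join(lists.get(name, [])).encode("ascii")
        out += struct.pack(">I", len(body)) + body
    return out + b"\x00" + struct.pack(">I", 0)


def summarize(fields):
    """Return (count per list type, sorted weak algorithm names offered anywhere)."""
    counts = {name: len(fields[name]) for name in KEXINIT_FIELDS}
    weak = sorted({a for name in KEXINIT_FIELDS for a in fields[name]
                   if a in WEAK_ALGORITHMS})
    return counts, weak


def is_malformed(payload):
    """True when the payload does not parse as a complete KEXINIT."""
    try:
        parse_kexinit(payload)
        return False
    except ValueError:
        return True


# Constructed sample of what a server might offer; not captured from any real host.
SAMPLE_SERVER_LISTS = {
    "kex_algorithms": ["curve25519-sha256", "diffie-hellman-group14-sha256",
                       "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-ed25519", "rsa-sha2-512"],
    "encryption_algorithms_client_to_server": ["aes256-gcm@openssh.com", "aes128-ctr", "3des-cbc"],
    "encryption_algorithms_server_to_client": ["aes256-gcm@openssh.com", "aes128-ctr", "3des-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha2-256", "hmac-md5"],
    "mac_algorithms_server_to_client": ["hmac-sha2-256", "hmac-md5"],
    "compression_algorithms_client_to_server": ["none", "zlib@openssh.com"],
    "compression_algorithms_server_to_client": ["none", "zlib@openssh.com"],
}
SAMPLE_KEXINIT = build_kexinit(SAMPLE_SERVER_LISTS)

if __name__ == "__main__":
    counts, weak = summarize(parse_kexinit(SAMPLE_KEXINIT))
    for name, n in counts.items():
        print(f"{name}: {n}")
    print("weak algorithms offered:", ", ".join(weak) or "none")
```

The length checks before every slice matter: a server that sends a short or malformed KEXINIT must produce a clean error rather than an index exception, which is the same robustness concern a scanner script faces when talking to arbitrary hosts.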
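The 5.50 entry on the /nmaprun/@args attribute says the command line is now quoted with double quotes and backslashes so that the original argument array can be recovered. The code below is an added example for this page, not Nmap's own implementation; it assumes the following convention, which is an assumption made here rather than something the changelog states: an argument containing whitespace (or an empty argument) is wrapped in double quotes, and any double quote or backslash inside an argument is escaped with a backslash. On that basis it splits an @args string back into argv, re-joins it for a round trip, and pulls the attribute out of a constructed nmaprun XML fragment. Function names and the sample XML are assumptions.

```python
import xml.etree.ElementTree as ET

# Constructed nmaprun fragment for this example; not real scan output.
SAMPLE_XML = (
    '<nmaprun scanner="nmap" version="5.50" start="0" '
    'args="nmap -sV --script-args &quot;http.useragent=Mozilla/5.0 (audit)&quot; '
    '-oX out.xml 192.0.2.10"/>'
)


def split_nmaprun_args(args):
    """Split a quoted @args string into the original argument list.

    Assumed rules: whitespace outside double quotes separates arguments,
    double quotes group text, and a backslash escapes the next character.
    """
    argv, current = [], []
    in_quotes = escaped = have_token = False
    for ch in args:
        if escaped:                     # character after a backslash is literal
            current.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
            have_token = True
        elif ch == '"':
            in_quotes = not in_quotes
            have_token = True           # "" is a legitimate empty argument
        elif ch.isspace() and not in_quotes:
            if have_token:
                argv.append("".join(current))
                current, have_token = [], False
        else:
            current.append(ch)
            have_token = True
    if in_quotes or escaped:
        raise ValueError("unbalanced quoting in @args")
    if have_token:
        argv.append("".join(current))
    return argv


def join_nmaprun_args(argv):
    """Inverse of split_nmaprun_args under the same assumed quoting rules."""
    parts = []
    for arg in argv:
        quoted = arg.replace("\\", "\\\\").replace('"', '\\"')
        if arg == "" or any(c.isspace() for c in arg):
            quoted = '"' + quoted + '"'
        parts.append(quoted)
    return " ".join(parts)


def argv_from_nmaprun_xml(xml_text):
    """Read /nmaprun/@args from an Nmap XML document and recover argv."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun" or "args" not in root.attrib:
        raise ValueError("not an nmaprun document with an args attribute")
    return split_nmaprun_args(root.attrib["args"])


if __name__ == "__main__":
    for i, arg in enumerate(argv_from_nmaprun_xml(SAMPLE_XML)):
        print(f"argv[{i}] = {arg!r}")
```

Recovering argv exactly is what makes the attribute useful for audit trails: a reviewer can tell which script arguments and output files a stored scan was run with, even when those values contained spaces.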
Title: Nmap 5.51
Post by: SiLæncer on 13 February 2011, 07:42
Since hardly anyone else does anything here anyway ...

Nmap Changelog ($Id: CHANGELOG 22250 2011-02-13 03:29:16Z david $); -*-text-*-

o [Zenmap] Worked around a pycairo bug that prevented saving the
  topology graphic as PNG on Windows: "Error Saving Snapshot:
  Surface.write_to_png takes one argument which must be a filename
  (str), file object, or a file-like object which has a 'write' method
  (like StringIO)". The problem was reported by Alex Kah. [David]

o The -V and --version options now show the platform Nmap was compiled
  on, which features are compiled in, and the version numbers of
  libraries it is linked against. [Ambarisha B., David]

o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
  from netVigilance.

o Updated IANA IP address space assignment list for random IP (-iR)
  generation.  This list now contains only various reserved blocks as
  IANA has handed out the final unallocated IPv4 addresses to the
  RIRs. [Kris]

Nmap 5.51 [2011-02-11]

o [Ndiff] Added support for prerule and postrule scripts. [David]

o [NSE] Fixed a bug which caused some NSE scripts to fail due to the
  absence of the NSE SCRIPT_NAME environment variable when loaded.
  Michael Pattrick reported the problem. [Djalal]

o [Zenmap] Selecting one of the scan targets in the left pane is
  supposed to jump to that host in the Nmap Output in the right pane
  (but it wasn't).  Brian Krebs reported this bug. [David]

o Fixed an obscure bug in Windows interface matching. If the MAC
  address of an interface couldn't be retrieved, it might have been
  used instead of the correct interface. Alexander Khodyrev reported
  the problem.  [David]

o [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor
  that used shortport functions incorrectly and always returned
  true. [Jost Krieger]

o [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed:
  status and address. [Daniel Miller]

o [Ndiff] Fixed the ordering of hostscript-related elements in XML
  output. [Daniel Miller]

o [NSE] Fixed a bug in the nrpe-enum script that would make it run for
  every port (when it was selected--it isn't by default).  Daniel
  Miller reported the bug. [Patrick]

o [NSE] When an NSE script sets a negative socket timeout, it now
  causes a controlled Lua stack trace instead of a fatal error.
  Vlatko Kosturjak reported the bug. [David]

o [Zenmap] Worked around an error that caused the py2app bootstrap
  executable to be non-universal even when the rest of the application
  was universal. This prevented the binary .dmg from working on
  PowerPC. Yxynaxen reported the problem. [David]

o [Ndiff] Fixed an output line that wasn't being redirected to a file
  when all other output was. [Daniel Miller]

http://nmap.org/
Title: Nmap 5.59 BETA1
Post by: SiLæncer on 03 July 2011, 19:38
Nmap 5.59BETA1 [2011-06-30]

o [NSE] Added 40 scripts, bringing the total to 217!  You can learn
  more about any of them at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + afp-ls: Lists files and their attributes from Apple Filing
    Protocol (AFP) volumes. [Patrik Karlsson]

  + backorifice-brute: Performs brute force password auditing against
    the BackOrifice remote administration (trojan) service. [Gorjan
    Petrovski]

  + backorifice-info: Connects to a BackOrifice service and gathers
    information about the host and the BackOrifice service
    itself. [Gorjan Petrovski]

  + broadcast-avahi-dos: Attempts to discover hosts in the local
    network using the DNS Service Discovery protocol, then tests
    whether each host is vulnerable to the Avahi NULL UDP packet
    denial of service bug (CVE-2011-1002). [Djalal Harouni]

  + broadcast-netbios-master-browser: Attempts to discover master
    browsers and the Windows domains they manage. [Patrik Karlsson]

  + broadcast-novell-locate: Attempts to use the Service Location
    Protocol to discover Novell NetWare Core Protocol (NCP)
    servers. [Patrik Karlsson]

  + creds-summary: Lists all discovered credentials (e.g. from brute
    force and default password checking scripts) at end of scan.
    [Patrik Karlsson]

  + dns-brute: Attempts to enumerate DNS hostnames by brute force
    guessing of common subdomains. [Cirrus]

  + dns-nsec-enum: Attempts to discover target hosts' services using
    the DNS Service Discovery protocol. [Patrik Karlsson]

  + dpap-brute: Performs brute force password auditing against an
    iPhoto Library. [Patrik Karlsson]

  + epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and
    retrieves a list of nodes with their respective port
    numbers. [Toni Ruottu]

  + http-affiliate-id: Grabs affiliate network IDs (e.g. Google
    AdSense or Analytics, Amazon Associates, etc.) from a web
    page. These can be used to identify pages with the same
    owner. [Hani Benhabiles, Daniel Miller]

  + http-barracuda-dir-traversal: Attempts to retrieve the
    configuration settings from a Barracuda Networks Spam & Virus
    Firewall device using the directory traversal vulnerability
    described at
    http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]

  + http-cakephp-version: Obtains the CakePHP version of a web
    application built with the CakePHP framework by fingerprinting
    default files shipped with the CakePHP framework. [Paulino
    Calderon]

  + http-majordomo2-dir-traversal: Exploits a directory traversal
    vulnerability existing in the Majordomo2 mailing list manager to
    retrieve remote files. (CVE-2011-0049). [Paulino Calderon]

  + http-wp-plugins: Tries to obtain a list of installed WordPress
    plugins by brute force testing for known plugins. [Ange Gutek]

  + ip-geolocation-geobytes: Tries to identify the physical location
    of an IP address using the Geobytes geolocation web service
    (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]

  + ip-geolocation-geoplugin: Tries to identify the physical location
    of an IP address using the Geoplugin geolocation web service
    (http://www.geoplugin.com/). [Gorjan Petrovski]

  + ip-geolocation-ipinfodb: Tries to identify the physical location
    of an IP address using the IPInfoDB geolocation web service
    (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]

  + ip-geolocation-maxmind: Tries to identify the physical location of
    an IP address using a Geolocation Maxmind database file (available
    from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]

  + ldap-novell-getpass: Attempts to retrieve the Novell Universal
    Password for a user. You must already have (and include in script
    arguments) the username and password for an eDirectory server
    administrative account. [Patrik Karlsson]

  + mac-geolocation: Looks up geolocation information for BSSID (MAC)
    addresses of WiFi access points in the Google geolocation
    database. [Gorjan Petrovski]

  + mysql-audit: Audit MySQL database server security configuration
    against parts of the CIS MySQL v1.0.2 benchmark (the engine can
    also be used for other MySQL audits by creating appropriate audit
    files).  [Patrik Karlsson]

  + ncp-enum-users: Retrieves a list of all eDirectory users from the
    Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]

  + ncp-serverinfo: Retrieves eDirectory server information (OS
    version, server name, mounts, etc.) from the Novell NetWare Core
    Protocol (NCP) service. [Patrik Karlsson]

  + nping-brute: Performs brute force password auditing against an
    Nping Echo service. [Toni Ruottu]

  + omp2-brute: Performs brute force password auditing against the
    OpenVAS manager using OMPv2. [Henri Doreau]

  + omp2-enum-targets: Attempts to retrieve the list of target systems
    and networks from an OpenVAS Manager server. [Henri Doreau]

  + ovs-agent-version: Detects the version of an Oracle OVSAgentServer
    by fingerprinting responses to an HTTP GET request and an XML-RPC
    method call. [David Fifield]

  + quake3-master-getservers: Queries Quake3-style master servers for
    game servers (many games other than Quake 3 use this same
    protocol). [Toni Ruottu]

  + servicetags: Attempts to extract system information (OS, hardware,
    etc.) from the Sun Service Tags service agent (UDP port
    6481). [Matthew Flanagan]

  + sip-brute: Performs brute force password auditing against Session
    Initiation Protocol (SIP -
    http://en.wikipedia.org/wiki/Session_Initiation_Protocol)
    accounts.  This protocol is most commonly associated with VoIP
    sessions. [Patrik Karlsson]

  + sip-enum-users: Attempts to enumerate valid SIP user accounts.
    Currently only the SIP server Asterisk is supported. [Patrik
    Karlsson]

  + smb-mbenum: Queries information managed by the Windows Master
    Browser. [Patrik Karlsson]

  + smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
    within versions of Exim prior to version 4.69 (CVE-2010-4344) and
    a privilege escalation vulnerability in Exim 4.72 and prior
    (CVE-2010-4345). [Djalal Harouni]

  + smtp-vuln-cve2011-1720: Checks for a memory corruption in the
    Postfix SMTP server when it uses Cyrus SASL library authentication
    mechanisms (CVE-2011-1720).  This vulnerability can allow denial
    of service and possibly remote code execution. [Djalal Harouni]

  + snmp-ios-config: Attempts to download Cisco router IOS
    configuration files using SNMP RW (v1) and display or save
    them. [Vikas Singhal, Patrik Karlsson]

  + ssl-known-key: Checks whether the SSL certificate used by a host
    has a fingerprint that matches an included database of problematic
    keys. [Mak Kolybabi]

  + targets-sniffer: Sniffs the local network for a configurable
    amount of time (10 seconds by default) and prints discovered
    addresses. If the newtargets script argument is set, discovered
    addresses are added to the scan queue. [Nick Nikolaou]

  + xmpp: Connects to an XMPP server (port 5222) and collects server
    information such as supported auth mechanisms, compression methods
    and whether TLS is supported and mandatory. [Vasiliy Kulikov]

o Nmap has long supported IPv6 for basic (connect) port scans, basic
  host discovery, version detection, and the Nmap Scripting Engine.  This
  release dramatically expands and improves IPv6 support:
  + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
    etc.) are now supported. [David, Weilin]
  + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
    discovery packets, etc.) is now supported. [David, Weilin]
  + IPv6 traceroute is now supported [David]
  + IPv6 protocol scan (-sO) is now supported, including creating
    realistic headers for many protocols. [David]
  + Added IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel
    Miller, Patrik]
  + The --exclude and --excludefile options now support IPv6 addresses with
    netmasks.  [Colin]

o Scanme.Nmap.Org (the system anyone is allowed to scan for testing
  purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
  so you can scan it during IPv6 testing.  We also added a DNS record
  for ScanmeV6.nmap.org which is IPv6-only. See
  http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]

o The Nmap.Org website as well as sister sites Insecure.Org,
  SecLists.Org, and SecTools.Org all have working IPv6 addresses now
  (dual stacked). [Fyodor]

o Nmap now determines the filesystem location it is being run from and
  that path is now included early in the search path for data files
  (such as nmap-services).  This reduces the likelihood of needing to
  specify --datadir or getting data files from a different version of
  Nmap installed on the system.  For full details, see
  http://nmap.org/book/data-files-replacing-data-files.html.  Thanks
  to Solar Designer for implementation advice. [David]

o Created a page on our SecWiki for collecting Nmap script ideas! If
  you have a good idea, post it to the incoming section of the page.
  Or if you're in a script writing mood but don't know what to write,
  come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.

o The development pace has greatly increased because Google (again)
  sponsored 7 full-time college and graduate student programmer
  interns this summer as part of their Summer of Code program!
  Thanks, Google Open Source Department!  We're delighted to introduce
  the team: http://seclists.org/nmap-dev/2011/q2/312

o [NSE] Added 7 new protocol libraries, bringing the total to 66.  You
  can read about them all at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + creds: Handles storage and retrieval of discovered credentials
    (such as passwords discovered by brute force scripts). [Patrik
    Karlsson]

  + ncp: A tiny implementation of Novell Netware Core Protocol
    (NCP). [Patrik Karlsson]

  + omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri
    Doreau]

  + sip: Supports a limited subset of SIP commands and
    methods. [Patrik Karlsson]

  + smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal
    Harouni]

  + srvloc: A relatively small implementation of the Service Location
    Protocol. [Patrik Karlsson]

  + tftp: Implements a minimal TFTP server. It is used in
    snmp-ios-config to obtain router config files. [Patrik Karlsson]

o Improved Nmap's service/version detection database by adding:
  + Apple iPhoto (DPAP) protocol probe [Patrik]
  + Zend Java Bridge probe [Michael Schierl]
  + BackOrifice probe [Gorjan Petrovski]
  + GKrellM probe [Toni Ruottu]
  + Signature improvements for a wide variety of services (we now have
    7,375 signatures)

o [NSE] ssh-hostkey now additionally has a postrule that prints hosts
  found during the scan which share the same hostkey. [Henri Doreau]

o [NSE] Added 300+ new signatures to http-enum which look for admin
  directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress,
  and more. [Paulino]

o Made the final IP address space assignment update as all available
  IPv4 address blocks have now been allocated to the regional
  registries.  Our random IP generation (-iR) logic now only excludes
  the various reserved blocks.  Thanks to Kris for years of regular
  updates to this function!

o [NSE] Replaced http-trace with a new more effective version. [Paulino]

o Performed some output cleanup work to remove unimportant status
  lines so that it is easier to find the good stuff! [David]

o [Zenmap] now properly kills Nmap scan subprocess when you cancel a
  scan or quit Zenmap on Windows. [Shinnok]

o [NSE] Banned scripts from being in both the "default" and
  "intrusive" categories.  We did this by removing dhcp-discover and
  dns-zone-transfer from the set of scripts run by default (leaving
  them "intrusive"), and reclassifying dns-recursion, ftp-bounce,
  http-open-proxy, and socks-open-proxy as "safe" rather than
  "intrusive" (keeping them in the "default" set).

o [NSE] Added a credential storage library (creds.lua) and modified
  the brute library and scripts to make use of it. [Patrik]

o [Ncat] Created a portable version of ncat.exe that you can just drop
  onto Microsoft Windows systems without having to run any installer
  or copy over extra library files. See the Ncat page
  (http://nmap.org/ncat/) for binary downloads and a link to build
  instructions. [Shinnok]

o Fix a segmentation fault which could occur when running Nmap on
  various Android-based phones.  The problem related to NULL being
  passed to freeaddrinfo(). [David, Vlatko Kosturjak]

o [NSE] The host.bin_ip and host.bin_ip_src entries now also work with
  16-byte IPv6 addresses. [David]

o [Ncat] Updated the ca-bundle.crt list of trusted certificate
  authority certificates. [David]

o [NSE] Fixed a bug in the SMB Authentication library which could
  prevent concurrently running scripts with valid credentials from
  logging in. [Chris Woodbury]

o [NSE] Re-worked http-form-brute.nse to better autodetect form
  fields, allow brute force attempts where only the password (no
  username) is needed, follow HTTP redirects, and better detect
  incorrect login attempts. [Patrik, Daniel Miller]

o [Zenmap] Changed the "slow comprehensive scan" profile's NSE script
  selection from "all" to "default or (discovery and safe)"
  categories.  Except for testing and debugging, "--script all" is
  rarely desirable.

o [NSE] Added the stdnse.silent_require method which is used for
  library requires that you know might fail (e.g. "openssl" fails if
  Nmap was compiled without that library).  If these libraries are
  called with silent_require and fail to load, the script will cease
  running but the user won't be presented with ugly failure messages
  as would happen with a normal require. [Patrick Donnelly]

o [Zenmap] Fixed a bug in topology mapper which caused endpoints
  behind firewalls to sometimes show up in the wrong place (see
  http://seclists.org/nmap-dev/2011/q2/733).  [Colin Rice]

o [Zenmap] If you scan a system twice, any open ports from the first
  scan which are closed in the 2nd will be properly marked as
  closed. [Colin Rice].

o [Zenmap] Fixed an error that could cause a crash ("TypeError: an
  integer is required") if a sort column in the ports table was unset.
  [David]

o [Ndiff] Added nmaprun element information (Nmap version, scan date,
  etc.) to the diff.  Also, the Nmap banner with version number and
  data is now only printed if there were other differences in the
  scan. [Daniel Miller, David, Dr. Jesus]

o [NSE] Added nmap.get_interface and nmap.get_interface_info functions
  so scripts can access characteristics of the scanning interface.
  Removed nmap.get_interface_link. [Djalal]

o Fixed an overflow in scan elapsed time display that caused negative
  times to be printed after about 25 days. [Daniel Miller]

o Updated nmap-rpc from the master list, now maintained by IANA.
  [Daniel Miller, David]

o [Zenmap] Fixed a bug in the option parser: -sN (null scan) was
  interpreted as -sn (no port scan). This was reported by
  Shitaneddine. [David]

o [Ndiff] Fixed the Mac OS X packages to use the correct path for
  Python: /usr/bin/python instead of /opt/local/bin/python. The bug
  was reported by Wellington Castello. [David]

o Removed the -sR (RPC scan) option--it is now an alias for -sV
  (version scan), which always does RPC scan when an rpcinfo service
  is detected.

o [NSE] Improved the ms-sql scripts and library in several ways:
  - Improved version detection and server discovery
  - Added support for named pipes, integrated authentication, and
    connecting to instances by name or port
  - Improved script and library stability and documentation.
  [Patrik Karlsson, Chris Woodbury]

o [NSE] Fixed http.validate_options when handling a cookie table.
  [Sebastian Prengel]

o Added a Service Tags UDP probe for port 6481/udp. [David]

o [NSE] Enabled firewalk.nse to automatically find the gateways at
  which probes are dropped and fixed various bugs. [Henri Doreau]

o [Zenmap] Worked around a pycairo bug that prevented saving the
  topology graphic as PNG on Windows: "Error Saving Snapshot:
  Surface.write_to_png takes one argument which must be a filename
  (str), file object, or a file-like object which has a 'write' method
  (like StringIO)". The problem was reported by Alex Kah. [David]

o The -V and --version options now show the platform Nmap was compiled
  on, which features are compiled in, the version numbers of libraries
  it is linked against, and whether the libraries are the ones that
  come with Nmap or the operating system.  [Ambarisha B., David]

o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
  from netVigilance.

o The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]

o [NSE] Added a shortport.ssl function which can be used as a script
  portrule to match SSL services.  It is similar in concept to our
  existing shortport.http. [David]

o Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
  packages (on CentOS 5.3) to resolve a report of Nmap failing to run
  on old versions of Glibc. [David]

o We no longer support Nmap on versions of Windows earlier than XP
  SP2.  Even Microsoft no longer supports Windows versions that old.
  But if you must use Nmap on such systems anyway, please see
  https://secwiki.org/w/Nmap_On_Old_Windows_Releases.

o There were hundreds of other little bug fixes and improvements
  (especially to NSE scripts).  See the SVN logs for revisions 22,274
  through 24,460 for details.

http://nmap.org/
Titel: Nmap 5.61 Test 1
Beitrag von: SiLæncer am 23 September, 2011, 13:35
# Nmap Changelog ($Id: CHANGELOG 26639 2011-09-19 22:14:29Z david $); -*-text-*-

Nmap 5.61TEST1 [2011-09-19]

o The changelog entries below for this test release are not yet
  finished or comprehensive.  We'll update them soon.

o [Ncat] Updated ca-bundle.crt (primarily to remove DigiNotar).

o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and
  Babak Farroki for researching fixes.

o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and
  removed redundant multiple listings of the NULL compressor.
  [Matt Selsky]

o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse.
  [Gabriel Lawrence]

o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
  output for OS and service versions. These show up in normal output
  with the headings "OS CPE:" and "Service Info:":
    OS CPE: cpe:/o:linux:kernel:2.6.39
    Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
  These also appear in XML output, which additionally has CPE entries
  for service versions. [David, Henri]

o [NSE] Added new default credential list for Oracle and modified the
  oracle-brute script to make use of it. [Patrik]

o [NSE] Added xmpp-info.nse as a replacement for xmpp.nse. This updated version
  brings new features and fixes. [Vasiliy Kulikov]

o Fixed RPC scan for 64-bit architectures by using fixed-size data
  types. [David]

o Relaxed the XML DTD to allow validation of files where the verbosity
  level changed during the scan. [Daniel Miller]

o Made a service confidence of 8 (used when tcpwrapped) and indeed any
  number between 0 and 10 be legal in XML output according to the DTD.
  [Daniel Miller]

o [NSE] Added three scripts that do host discovery on local IPv6
  subnets. Each of them uses a different multicast technique, meaning
  that even very large networks have host discovery done without
  needing to probe every address individually.
  + targets-multicast-ipv6-echo: Sends a multicast echo request, like
    broadcast-ping does for IPv4.
  + targets-multicast-ipv6-invalid-dst: Sends an invalid packet that
    can elicit an ICMPv6 Parameter Problem response.
  + targets-multicast-ipv6-slaac: Sends a phony router advertisement,
    which causes hosts to allocate a temporary address and then send a
    packet to discover if anyone else is using the address.
  [Weilin, David]

o [NSE] Added functions to packet.lua to make it easier to build IPv6
  packets. [Weilin]

o [NSE] Added new script http-vuln-cve2011-3192 which checks whether an instance
  of Apache is vulnerable to a DoS attack exploiting the byterange filter.
  [Duarte Silva].

o [NSE] Fixed authentication problems in the TNS library that would prevent
  authentication from working against Oracle 11.2.0.2.0 XE [Chris Woodbury]

o Removed some restrictions on probe matching that, for example,
  prevented a RST/ACK reply from being recognized in a NULL scan. This
  was found and fixed by Matthew Stickney and Joe McEachern.

o Rearranged some character classes in service matches to avoid any
  that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
  discovered this error caused by one of the match lines:
    InitMatch: illegal regexp: POSIX collating elements are not supported
  [Daniel Miller]

o [NSE] Added the address-info.nse script, which shows extra information about IP addresses.

o [NSE] Added scripts http-joomla-brute, http-wordpress-brute, http-wp-enum and
  http-awstatstotal-exec. [Paulino]

o [Zenmap] Fixed Zenmap deleting ports based on newer scans which did
  not actually scan the port in question. Additionally, ncat now only
  updates ports with new information if the new information is for the
  same protocol, not just the same port. [Colin Rice]

o [Ncat] Fixed Ncat crashing with --ssl-verify -vvv on Windows. [Colin Rice]

o [NSE] Added script http-waf-detect. This script tries to determine
  if an IDS/IPS/WAF is protecting a web server. [Paulino]

o [NSE] Added the bittorrent library and bittorrent-discovery script which
  enables us to discover peers and nodes for a particular torrent file or
  magnet link.

o [NSE] Added basic query support to the Oracle TNS library making it possible
  for scripts to query the database server using SQL. [Patrik]

o [Ncat] Added --append-output option, that when used along with -o and/or -x
  prevents clobbering (truncating) an existing file. [Shinnok]

o [NSE] Added script broadcast-listener that attempts to discover hosts by
  passively listening to the network. It does so by decoding ethernet and IP
  broadcast and multicast messages. [Patrik]

o Fixed a bug that would make Nmap segfault if it failed to open an interface
  using pcap. The bug details and patch are posted here:
  http://seclists.org/nmap-dev/2011/q3/365 [Patrik]

o Ncat SCTP mode supports connection brokering now (--sctp --broker). [Shinnok]

o Nmap now defers options parsing until it has read through all the command line
  arguments. You can now use options like -S with an IPv6 address before
  specifying -6 at the command line, which previously got you an error.
  [Shinnok]

o [NSE] Added the library xmpp.lua and the script xmpp-brute that performs
  brute force password auditing against XMPP (Jabber) servers. [Patrik]

o [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from
  displaying any output unless run in debug mode. [Patrik]

o [NSE] Fixed the nsedebug print_hex() function so it does not print an
  empty line if there are no remaining characters, and improved its NSEDoc.
  [Chris Woodbury].

o [NSE] Added the scripts http-axis2-dir-traversal and
  http-litespeed-sourcecode-download, which exploit directory traversal and
  null byte poisoning vulnerabilities in Apache Axis2 and LiteSpeed Web Server
  respectively. [Paulino]
 
o [Ncat] Ncat now no longer blocks while an ssl handshake is taking place or
  waiting to complete. [Shinnok]

o [NSE] Added the script broadcast-dhcp-discover that sends a DHCP discover
  message to the broadcast address and collects and reports the network
  information received from the DHCP server. [Patrik]

o [NSE] Added the script smtp-brute that performs brute force password
  auditing against SMTP servers. [Patrik]

o [NSE] Updated SMTP library to support authentication using both plain-text
  and the SASL library. [Patrik]

o [NSE] Added the script imap-brute that performs brute force password
  auditing against IMAP servers. [Patrik]

o [NSE] Updated IMAP library to support authentication using both plain-text
  and the SASL library. [Patrik]

o [NSE] Added SASL library created by Djalal Harouni and Patrik Karlsson
  providing common code for "Simple Authentication and Security Layer" to
  services supporting it. The algorithms supported by the library are:
  PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Patrik Karlsson, Djalal Harouni]

o [NSE] Added scripts cvs-brute.nse, cvs-brute-repository.nse and the cvs
  library. The cvs-brute-repository script allows for guessing possible
  repository names needed in order to perform password guessing using the
  cvs-brute.nse script. [Patrik]

o [Zenmap] The Zenmap crash handler now instructs you to mail in crash
  information to nmap-dev. [Colin Rice]

o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
  ARP scan. It is the default ping type for local IPv6 networks.
  [Weilin]

o [NSE] Added smtp-vuln-cve2011-1764 script, which checks if the Exim
  SMTP server is vulnerable to the DKIM Format String vulnerability
  (CVE-2011-1764). [Djalal]

o Added the broadcast-ping script which sends icmp packets to broadcast
  addresses on the selected network interface, or all ethernet interfaces if
  none is selected. It has the option to add the discovered hosts as targets.

o [NSE] Applied patch from Chris Woodbury that adds the following additional
  information to the output of smb-os-discovery:
  + Forest name
  + FQDN
  + NetBIOS computer name
  + NetBIOS domain name

o [Ncat] Ncat now supports IPv6 addresses by default without the -6 flag.
  Additionally, Ncat listens on both :: and localhost when passed
  -l, or any other listening mode, unless a specific listening address is
  supplied.

o [NSE] Split script db2-discover into two scripts, adding a new
  broadcast-db2-discover script. This script attempts to discover DB2
  database servers through broadcast requests. [Patrik Karlsson]

o Fixed broken XML output in the case of timed-out hosts; the
  enclosing host element was missing. The fix was suggested by Rémi
  Mollon.

o [NSE] Added ftp-vuln-cve2010-4221 script, which checks if the ProFTPD
  server is vulnerable to the Telnet IAC stack overflow vulnerability
  (CVE-2010-4221). [Djalal]

o [NSE] Added ftp-vsftpd-backdoor, which detects a backdoor that was introduced
  into vsftpd-2.3.4 source code distributions. [Daniel Miller]

o [NSE] ldap-brute.nse - Multiple changes:
  + Added support for 2008 R2 functional level Active Directory instances
    to ldap-brute.
  + Added detection for valid credentials where the target account was
    expired or limited by time or login host constraints.
  + Added support for specifying a UPN suffix to be appended to usernames
    when brute forcing Microsoft Active Directory accounts.
  + Added support for saving discovered credentials to a CSV file.
  + Now reports valid credentials as they are discovered when the script
    is run with -vv or higher.
  [Tom Sellers]
 
o [NSE] ldap-search.nse - Added support for saving search results to
  CSV.  This is done by using the ldap.savesearch script argument to
  specify an output filename prefix.  [Tom Sellers] 

o [NSE] Updated smb-brute to add detection for valid credentials where the
  target account was expired or limited by time or login host constraints.
  [Tom Sellers]

o [NSE] Updated account status text in brute force password discovery
  scripts in an effort to make the reporting more consistent across
  all scripts.  This will have an impact on any code that parses these
  values.  [Tom Sellers]

http://nmap.org/
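The CPE output described in this changelog ("OS CPE:" in normal output, `<cpe>` elements in XML) is only useful once something consumes it, so here is an added example for this thread (not Nmap project code) that pulls the CPE names out of Nmap XML and splits them into vendor/product/version fields for an asset inventory. SAMPLE_XML is a constructed nmaprun fragment; its element layout (host/ports/port/service/cpe and host/os/osmatch/osclass/cpe) is assumed from Nmap's XML output.

```python
"""Extract and decode the CPE names that Nmap (5.61TEST1 and later) emits in XML.

Added example for this forum thread, not Nmap project code. SAMPLE_XML is a
constructed nmaprun fragment; its element layout is assumed from Nmap's XML output.
"""
import xml.etree.ElementTree as ET
from collections import namedtuple

# A CPE 2.2 URI has the form
#   cpe:/{part}:{vendor}:{product}:{version}:{update}:{edition}:{language}
# where trailing fields may be omitted (e.g. cpe:/o:linux:kernel has no version).
Cpe = namedtuple("Cpe", "part vendor product version update edition language")

# Constructed sample: one host, two identified services, one tcpwrapped port
# (confidence 8, no CPE) and an OS match carrying an OS CPE.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.61TEST1">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open"/>
        <service name="ssh" product="OpenSSH" version="5.3p1" conf="10">
          <cpe>cpe:/a:openbsd:openssh:5.3p1</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="80">
        <state state="open"/>
        <service name="http" product="Apache httpd" version="2.2.15" conf="10">
          <cpe>cpe:/a:apache:http_server:2.2.15</cpe>
          <cpe>cpe:/o:linux:kernel</cpe>
        </service>
      </port>
      <port protocol="tcp" portid="113">
        <state state="open"/>
        <service name="tcpwrapped" conf="8"/>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.39" accuracy="100">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
          <cpe>cpe:/o:linux:kernel:2.6.39</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""


def parse_cpe(uri):
    """Split a CPE 2.2 URI into its seven fields; omitted trailing fields become ''."""
    prefix = "cpe:/"
    if not uri.startswith(prefix):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len(prefix):].split(":")
    # The part must be a (application), h (hardware) or o (operating system).
    if fields[0] not in ("a", "h", "o"):
        raise ValueError("bad CPE part in %r" % uri)
    if len(fields) > 7:
        raise ValueError("too many fields in %r" % uri)
    fields += [""] * (7 - len(fields))
    return Cpe(*fields)


def extract_cpes(xml_text):
    """Return {address: {"os": [cpe, ...], "services": {"port/proto": [cpe, ...]}}}."""
    root = ET.fromstring(xml_text)
    result = {}
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        entry = {"os": [], "services": {}}
        # OS CPEs hang off each osclass of each osmatch; keep them in order, deduplicated.
        for cpe in host.findall("./os/osmatch/osclass/cpe"):
            if cpe.text and cpe.text not in entry["os"]:
                entry["os"].append(cpe.text)
        # Service CPEs are children of <service>; tcpwrapped ports have none and are skipped.
        for port in host.findall("./ports/port"):
            svc = port.find("service")
            if svc is None:
                continue
            cpes = [c.text for c in svc.findall("cpe") if c.text]
            if cpes:
                entry["services"]["%s/%s" % (port.get("portid"), port.get("protocol"))] = cpes
        result[addr_el.get("addr")] = entry
    return result


def software_inventory(cpe_map):
    """Flatten to (addr, location, part, vendor, product, version) rows.

    CPEs without a version (e.g. cpe:/o:linux:kernel reported via Service Info)
    are dropped, since they cannot be matched against a vulnerability feed.
    """
    rows = []
    for addr, entry in sorted(cpe_map.items()):
        locations = [("os", entry["os"])] + sorted(entry["services"].items())
        for loc, uris in locations:
            for uri in uris:
                c = parse_cpe(uri)
                if c.version:
                    rows.append((addr, loc, c.part, c.vendor, c.product, c.version))
    return rows


if __name__ == "__main__":
    for row in software_inventory(extract_cpes(SAMPLE_XML)):
        print("\t".join(row))
```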
Titel: Nmap 5.61 Test 2
Beitrag von: SiLæncer am 06 Oktober, 2011, 18:36
Nmap 5.61TEST2 [2011-09-30]

o Added IPv6 OS detection system! The new system utilizes many tests
  similar to IPv4, and also some IPv6-specific ones that we found to
  be particularly effective. And it uses a machine learning approach
  rather than the static classifier we use for IPv4. We hope to move
  some of the IPv6 innovations back to our IPv4 system if they work
  out well. The database is still very small, so please submit any
  fingerprints that Nmap gives you to the specified URL (as long as
  you are certain that you know what the target system is
  running). Usage and results output are basically the same as with
  IPv4, but we will soon document the internal mechanisms at
  http://nmap.org/book/osdetect.html, just as we have for IPv4. For an
  example, try "nmap -6 -O scanme.nmap.org". [David, Luis]

o [NSE] Added 3 scripts, bringing the total to 246!  You can learn
  more about them at http://nmap.org/nsedoc/. Here they are (authors
  listed in brackets):

  + lltd-discovery uses the Microsoft LLTD protocol to discover hosts
    on a local network. [Gorjan Petrovski]

  + ssl-google-cert-catalog queries Google's Certificate Catalog for
    the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]

  + quake3-info extracts information from a Quake3-like game
    server. [Toni Ruottu]

o Improved AIX support for raw scans. This includes some patches
  originally written by Peter O'Gorman and Florian Schmid. It also
  involved various build fixes found necessary on AIX 6.1 and 7.1. See
  http://nmap.org/book/inst-other-platforms.html. [David]

o Fixed Nmap so that it again compiles and runs on Solaris 10,
  including IPv6 support. [David]

o Made the interface gathering loop work on Linux when an interface
  index is more than two digits in /proc/sys/if_inet6. Joe McEachern
  tracked down the problem and provided the fix.

o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always returns two values
  (status, response) and replaced the workaround in asn-query.nse by the proper
  use. [Henri]

o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
  Patch by Sebastian Dragomir.

o Updated nmap-mac-prefixes to include the latest IEEE assignments
  as of 2011-09-29.

http://nmap.org/
Titel: Nmap 5.61 Test 4
Beitrag von: SiLæncer am 05 Januar, 2012, 06:15
# Nmap Changelog ($Id: CHANGELOG 27735 2012-01-02 02:55:47Z fyodor $); -*-text-*-

Nmap 5.61TEST4 [2012-01-02]

o [NSE] Added a new httpspider library which is used for recursively
  crawling web sites for information.  New scripts using this
  functionality include http-backup-finder, http-email-harvest,
  http-grep, http-open-redirect, and http-unsafe-output-escaping. See
  http://nmap.org/nsedoc/ or the list later in this file for details
  on these. [Patrik]

o Our Mac OS X packages are now x86-only (rather than universal),
  reducing the download size from 30 MB to about 17.  If you still
  need a PowerPC version (Apple stopped selling those machines in
  2006), you can use Nmap 5.51 or 5.61TEST2 from
  http://nmap.org/dist/?C=M&O=D.

o We set up a new SVN server for the Nmap codebase.  This one uses SSL
  for better security, WebDAV rather than svnserve for greater
  functionality, is hosted on a faster (virtual) machine, provides
  Nmap code history back to 1998 rather than 2005, and removes the
  need for the special "guest" username.  The new server is at
  https://svn.nmap.org.  More information:
  http://seclists.org/nmap-dev/2011/q4/504.

o [NSE] Added a vulnerability management library (vulns.lua) to store and to
  report discovered vulnerabilities.  Modified these scripts to use
  the new library:
  - ftp-libopie.nse
  - http-vuln-cve2011-3192.nse
  - ftp-vuln-cve2010-4221.nse
  - ftp-vsftpd-backdoor.nse
  - smtp-vuln-cve2011-1720.nse
  - smtp-vuln-cve2011-1764.nse
  - afp-path-vuln.nse
  [Djalal, Henri]

o [NSE] Added a new script force feature.  You can force scripts to
  run against target ports (even if the "wrong" service is detected)
  by placing a plus in front of the script name passed to --script.
  See
  http://nmap.org/book/nse-usage.html#nse-script-selection. [Martin
  Swende]

o [NSE] Added 51(!) NSE scripts, bringing the total up to 297.  They
  are all listed at http://nmap.org/nsedoc/, and the summaries are
  below (authors listed in brackets):

  + amqp-info gathers information (a list of all server properties)
    from an AMQP (advanced message queuing protocol)
    server. [Sebastian Dragomir]

  + bitcoin-getaddr queries a Bitcoin server for a list of known
    Bitcoin nodes. [Patrik Karlsson]

  + bitcoin-info extracts version and node information from a Bitcoin
    server [Patrik Karlsson]

  + bitcoinrpc-info obtains information from a Bitcoin server by
    calling getinfo on its JSON-RPC interface. [Toni Ruottu]

  + broadcast-pc-anywhere sends a special broadcast probe to discover
    PC-Anywhere hosts running on a LAN. [Patrik Karlsson]

  + broadcast-pc-duo discovers PC-DUO remote control hosts and
    gateways running on the LAN. [Patrik Karlsson]

  + broadcast-rip-discover discovers hosts and routing information
    from devices running RIPv2 on the LAN. It does so by sending a
    RIPv2 Request command and collects the responses from all devices
    responding to the request. [Patrik Karlsson]

  + broadcast-sybase-asa-discover discovers Sybase Anywhere servers on
    the LAN by sending broadcast discovery messages. [Patrik Karlsson]

  + broadcast-wake-on-lan wakes a remote system up from sleep by
    sending a Wake-On-Lan packet. [Patrik Karlsson]

  + broadcast-wpad-discover retrieves a list of proxy servers on the
    LAN using the Web Proxy Autodiscovery Protocol (WPAD). [Patrik
    Karlsson]

  + dns-blacklist checks target IP addresses against multiple DNS
    anti-spam and open proxy blacklists and returns a list of services
    where the IP has been blacklisted. [Patrik Karlsson]

  + dns-zeustracker checks if the target IP range is part of a Zeus
    botnet by querying ZTDNS @ abuse.ch. [Mikael Keri]

  + ganglia-info retrieves system information (OS version, available
    memory, etc.) from a listening Ganglia Monitoring Daemon or
    Ganglia Meta Daemon. [Brendan Coles]

  + hadoop-datanode-info discovers information such as log directories
    from an Apache Hadoop DataNode HTTP status page. [John R. Bond]

  + hadoop-jobtracker-info retrieves information from an Apache Hadoop
    JobTracker HTTP status page. [John R. Bond]

  + hadoop-namenode-info retrieves information from an Apache Hadoop
    NameNode HTTP status page. [John R. Bond]

  + hadoop-secondary-namenode-info retrieves information from an
    Apache Hadoop secondary NameNode HTTP status page. [John R. Bond]

  + hadoop-tasktracker-info retrieves information from an Apache
    Hadoop TaskTracker HTTP status page. [John R. Bond]

  + hbase-master-info retrieves information from an Apache HBase
    (Hadoop database) master HTTP status page. [John R. Bond]

  + hbase-region-info retrieves information from an Apache HBase
    (Hadoop database) region server HTTP status page. [John R. Bond]

  + http-apache-negotiation checks if the target http server has
    mod_negotiation enabled.  This feature can be leveraged to find
    hidden resources and spider a web site using fewer requests. [Hani
    Benhabiles]

  + http-backup-finder spiders a website and attempts to identify
    backup copies of discovered files.  It does so by requesting a
    number of different combinations of the filename (e.g. index.bak,
    index.html~, copy of index.html). [Patrik Karlsson]

  + http-cors tests an http server for Cross-Origin Resource Sharing
    (CORS), a way for domains to explicitly opt in to having certain
    methods invoked by another domain. [Toni Ruottu]

  + http-email-harvest spiders a web site and collects e-mail
    addresses. [Patrik Karlsson]

  + http-grep spiders a website and attempts to match all pages and
    urls against a given string. Matches are counted and grouped per
    url under which they were discovered. [Patrik Karlsson]

  + http-method-tamper tests whether a JBoss target is vulnerable to
    jmx console authentication bypass (CVE-2010-0738). [Hani
    Benhabiles]

  + http-open-redirect spiders a website and attempts to identify open
    redirects. Open redirects are handlers which commonly take a URL
    as a parameter and responds with a http redirect (3XX) to the
    target. [Martin Holst Swende]

  + http-put uploads a local file to a remote web server using the
    HTTP PUT method. You must specify the filename and URL path with
    NSE arguments. [Patrik Karlsson]

  + http-robtex-reverse-ip obtains up to 100 forward DNS names for a
    target IP address by querying the Robtex service
    (http://www.robtex.com/ip/). [riemann]

  + http-unsafe-output-escaping spiders a website and attempts to
    identify output escaping problems where content is reflected back
    to the user. [Martin Holst Swende]

  + http-vuln-cve2011-3368 tests for the CVE-2011-3368 (Reverse Proxy
    Bypass) vulnerability in Apache HTTP server's reverse proxy
    mode. [Ange Gutek, Patrik Karlsson]

  + ipv6-node-info obtains hostnames, IPv4 and IPv6 addresses through
    IPv6 Node Information Queries. [David Fifield]

  + irc-botnet-channels checks an IRC server for channels that are
    commonly used by malicious botnets. [David Fifield, Ange Gutek]

  + irc-brute performs brute force password auditing against IRC
    (Internet Relay Chat) servers. [Patrik Karlsson]

  + krb5-enum-users discovers valid usernames by brute force querying
    likely usernames against a Kerberos service. [Patrik Karlsson]

  + maxdb-info retrieves version and database information from a SAP
    Max DB database. [Patrik Karlsson]

  + metasploit-xmlrpc-brute performs brute force password auditing
    against a Metasploit RPC server using the XMLRPC protocol. [Vlatko
    Kosturjak]

  + ms-sql-dump-hashes dumps the password hashes from an MS-SQL server
    in a format suitable for cracking by tools such as
    John-the-ripper. In order to do so the user needs to have the
    appropriate DB privileges. [Patrik Karlsson]

  + nessus-brute performs brute force password auditing against a
    Nessus vulnerability scanning daemon using the NTP 1.2
    protocol. [Patrik Karlsson]

  + nexpose-brute performs brute force password auditing against a
    Nexpose vulnerability scanner using the API 1.1. [Vlatko
    Kosturjak]

  + openlookup-info parses and displays the banner information of an
    OpenLookup (network key-value store) server. [Toni Ruottu]

  + openvas-otp-brute performs brute force password auditing against a
    OpenVAS vulnerability scanner daemon using the OTP 1.0
    protocol. [Vlatko Kosturjak]

  + reverse-index creates a reverse index at the end of scan output
    showing which hosts run a particular service. [Patrik Karlsson]

  + rexec-brute performs brute force password auditing against the
    classic UNIX rexec (remote exec) service. [Patrik Karlsson]

  + rlogin-brute performs brute force password auditing against the
    classic UNIX rlogin (remote login) service. [Patrik Karlsson]

  + rtsp-methods determines which methods are supported by the RTSP
    (real time streaming protocol) server. [Patrik Karlsson]

  + rtsp-url-brute attempts to enumerate RTSP media URLS by testing
    for common paths on devices such as surveillance IP
    cameras. [Patrik Karlsson]

  + telnet-encryption determines whether the encryption option is
    supported on a remote telnet server.  Some systems (including
    FreeBSD and the krb5 telnetd available in many Linux
    distributions) implement this option incorrectly, leading to a
    remote root vulnerability. [Patrik Karlsson, David Fifield,
    Fyodor]

  + tftp-enum enumerates TFTP (trivial file transfer protocol) filenames by testing
    for a list of common ones. [Alexander Rudakov]

  + unusual-port compares the detected service on a port against the
    expected service for that port number (e.g. ssh on 22, http on 80)
    and reports deviations. [Patrik Karlsson]

  + vuze-dht-info retrieves some basic information, including protocol
    version from a Vuze filesharing node. [Patrik Karlsson]

o [NSE] Added some new protocol libraries:
  + amqp (advanced message queuing protocol) [Sebastian Dragomir]
  + bitcoin crypto currency [Patrik Karlsson]
  + dnsbl for DNS-based blacklists [Patrik Karlsson]
  + rtsp (real time streaming protocol) [Patrik Karlsson]
  + httpspider and vulns have separate entries in this CHANGELOG

o Nmap now includes a nmap-update program for obtaining the latest
  updates (new scripts, OS fingerprints, etc.)  The system is
  currently only available to a few developers for testing, but we
  hope to enable a larger set of beta testers soon. [David]

o On Windows, the directory <HOME>\AppData\Roaming\nmap is now
  searched for data files. This is the equivalent of $HOME/.nmap on
  POSIX. [David]

o Improved OS detection performance by scaling congestion control
  increments by the response rate during OS scan, just as was done
  for port scan before. [David]

o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all
  interfaces by default. They show the MAC address and interface name
  now too. [David, Daniel Miller]

o Added some new version detection probes:
 + MongoDB service [Martin Holst Swende]
 + Metasploit XMLRPC service [Vlatko Kosturjak]
 + Vuze filesharing system [Patrik]
 + Redis key-value store [Patrik]
 + memcached [Patrik]
 + Sybase SQL Anywhere [Patrik]
 + VMware ESX Server [Aleksey Tyurin]
 + TCP Kerberos [Patrik]
 + PC-Duo [Patrik]
 + PC Anywhere [Patrik]

o Targets requiring different source addresses now go into different
  hostgroups, not only for host discovery but also for port scanning.
  Before, only responses to one of the source addresses would be
  processed, and the others would be ignored. [David]

o Tidied up the version detection DB (nmap-service-probes) with a new
  cleanup/canonicalization program sv-tidy.  In particular, this:
 - Removes excess whitespace
 - Sorts templates in the order m p v i d o h cpe:
 - Canonicalizes template delimiters in the order: / | % = @ #.
 [David]

o The --exclude and --excludefile options for excluding targets can
  now be used together. [David]

o [NSE] Added support for detecting whether an http connection was established
  using SSL or not to the http.lua library. [Patrik]

o [NSE] Added local port to BPF filter in snmp-brute to fix bug that would
  prevent multiple scripts from receiving the correct responses. The bug was
  discovered by Brendan Bird. [Patrik]

o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request
  to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code
  from dhcp-discover and placed the script into the discovery and safe
  categories. Added support for adding options to DHCP requests and
  cleaned up some code in the dhcp library. [Patrik]

o [NSE] Applied patch to snmp-brute that solves problems with handling
  errors that occur during community list file parsing. [Duarte
  Silva]

o [NSE] Added new fingerprints to http-enum for:
  - Subversion, CVS and Apache Archiva [Duarte Silva]
  - DVCS systems Git, Mercurial and Bazaar [Hani Benhabiles].

o [NSE] Applied some code cleanup to the snmp library. [Brendan Byrd]

o [NSE] Fixed an undeclared variable bug in snmp-ios-config [Patrik]

o [NSE] Add additional version information to Mongodb scripts [Martin
  Swende]

o [NSE] Added path argument to the http-auth script and updated the
  script to use stdnse.format_output. [Duarte Silva, Patrik]

o [NSE] Fixed bug in the http library that would fail to parse
  authentication headers if no parameters were present. [Patrik]

o Made a syntax change in the zenmap.desktop file for compliance with
  the XDG standard. [Frederik Schwarzer]

o [NSE] Replaced a number of GET requests with HEAD in
  http-fingerprints.lua.  HEAD is quicker and sufficient when no matching
  is performed on the returned contents.  [Hani Benhabiles]

o [NSE] Added support for retrieving SSL certificates from FTP
  servers. [Matt Selsky]

o [Nping] The --safe-payloads option is now the default. Added
  --include-payloads for the special situations where payloads are
  needed. [Colin Rice]

o [NSE] Added new functionality and fixed some bugs in the brute library:
  - Added support for restricting the number of guesses performed by the
    brute library against users, to prevent account lockouts.
  - Added support to guess the username as password. The documentation
    previously suggested (wrongly) that this was the default behavior.
  - Added support to guess an empty string as password if not
    present in the dictionary. [Patrik]

o [NSE] Re-enabled support for guessing the username in addition to password
  that was incorrectly removed from the metasploit-xmlrpc-brute in previous
  commit. [Patrik]
 
o [NSE] Fixed bug that would prevent brute scripts from running if no service
  field was present in the port table. [Patrik]

o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
  finds packets not only from or to the scanning host. [David]

o The Zenmap topology display feature is now disabled when there are
  more than 1,000 target hosts.  Those topology maps slow down the
  interface and are generally too crowded to be of much use.

o [NSE] Modified the http library to support servers that don't return valid
  chunked encoded data, such as the Citrix XML service. [Patrik]

o [NSE] Fixed a bug where the brute library would not abort even after all
  retries were exhausted [Patrik]

o Fixed a bug in the IPv6 OS probe called NI. The Node Information
  Query didn't include the target address as the payload, so at least
  OS X didn't respond. This differed from the probe sent by the
  ipv6fp.py program from which some of our fingerprints were derived.
  [David]

o [NSE] Fixed an error in the mssql library that was causing the
  broadcast-ms-sql-discover script to fail when trying to update port version
  information. [Patrik]

o [NSE] Added the missing broadcast category to the broadcast-listener script.
  [Jason DePriest]

o [NSE] Made changes to the categories of the following scripts (new
  categories shown) [Duarte Silva]:
  - http-userdir-enum.nse (auth,intrusive)
  - mysql-users.nse (auth,intrusive)
  - http-wordpress-enum.nse (auth,intrusive,vuln)
  - krb5-enum-users.nse (auth,intrusive)
  - snmp-win32-users.nse (default,auth,safe)
  - smtp-enum-users.nse (auth,external,intrusive)
  - ncp-enum-users.nse (auth,safe)
  - smb-enum-users.nse (auth,intrusive)

o Made nbase compile with the clang compiler that is a part of Xcode
  4.2. [Daniel J. Luke]

o [NSE] Fix a nil table index bug discovered in the mongodb
  library. [Thomas Buchanan]

o [NSE] Added XMPP support to ssl-cert.nse.

o [NSE] Made http-wordpress-enum.nse able to get names of users who
  have no posts. [Duarte Silva]

o Increased hop distance estimates from OS detection by one. The
  distance now counts the number of hops including the final one to
  the target, not just the number of intermediate nodes. The IPv6
  distance calculation already worked this way. [David]

http://nmap.org/
Title: Nmap 5.61 Test 5
Post by: SiLæncer on 31 March, 2012, 23:00
Changelog:

Nmap 5.61TEST5 [2012-03-09]

o Integrated all of your IPv4 OS fingerprint submissions since June
  2011 (about 1,900 of them).  Added about 256 new fingerprints (and
  deleted some bogus ones), bringing the new total to 3,572.
  Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
  through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
  devices. Many existing fingerprints were improved. For more details,
  see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]

o Integrated all of your service/version detection fingerprints
  submitted since November 2010--more than 2,500 of them!  Our
  signature count increased more than 10% to 7,423 covering 862
  protocols. Some amusing and bizarre new services are described at
  http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]

o Integrated your latest IPv6 OS submissions and corrections. We're
  still low on IPv6 fingerprints, so please scan any IPv6 systems you
  own or administer and submit them to http://nmap.org/submit/.  Both
  new fingerprints (if Nmap doesn't find a good match) and corrections
  (if Nmap guesses wrong) are useful.

o [NSE] Added a host-based registry which only persists (for the given
  host) until all scripts have finished scanning that host. The normal
  registry saves information until it is deleted or the Nmap scan
  ends. That is a waste of memory for information which doesn't need
  to persist that long. Use the host based registry instead if you
  can. See http://nmap.org/book/nse-api.html#nse-api-registry. [Patrik
  Karlsson]

o IPv6 OS detection now includes a novelty detection system which
  avoids printing a match when an observed fingerprint is too
  different from fingerprints seen before. As the OS database is still
  small, this helps to avoid making (essentially) wild guesses when
  seeing a new operating system. [David Fifield]

o Refactored the nsock library to add the nsock-engines system. This
  allows system-specific scalable IO notification facilities to be
  used while maintaining the portable Nsock API. This initial version
  comes with an epoll-based engine for Linux and a select-based
  fallback engine for all other operating systems. Also added the
  --nsock-engine option to Nmap, Nping and Ncat to enforce use of a
  specific Nsock IO engine. [Henri Doreau]

o [NSE] Added 43(!) NSE scripts, bringing the total up to 340.  They
  are all listed at http://nmap.org/nsedoc/, and the summaries are
  below (authors are listed in brackets):

  + acarsd-info retrieves information from a listening acarsd
    daemon. Acarsd decodes ACARS (Aircraft Communication Addressing
    and Reporting System) data in real time. [Brendan Coles]

  + asn-to-prefix produces a list of IP prefixes for a given AS number
    (ASN). It uses the external Shadowserver API (with their
    permission). [John Bond]

  + broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
    DHCPv6 multicast address, parses the response, then extracts and
    prints the address along with any options returned by the
    server. [Patrik Karlsson]

  + broadcast-networker-discover discovers the EMC Networker backup
    software server on a LAN by using network broadcasts. [Patrik Karlsson]

  + broadcast-pppoe-discover discovers PPPoE servers using the PPPoE
    Discovery protocol (PPPoED). [Patrik Karlsson]

  + broadcast-ripng-discover discovers hosts and routing information
    from devices running RIPng on the LAN by sending a RIPng Request
    command and collecting the responses from all responsive
    devices. [Patrik Karlsson]

  + broadcast-versant-locate discovers Versant object databases using
    the srvloc protocol. [Patrik Karlsson]

  + broadcast-xdmcp-discover discovers servers running the X Display
    Manager Control Protocol (XDMCP) by sending an XDMCP broadcast
    request to the LAN. [Patrik Karlsson]

  + cccam-version detects the CCcam service (software for sharing
    subscription TV among multiple receivers). [David Fifield]

  + dns-client-subnet-scan performs a domain lookup using the
    edns-client-subnet option that adds support for adding subnet
    information to the query describing where the query is
    originating. The script uses this option to supply a number of
    geographically distributed locations in an attempt to enumerate as
    many different address records as possible. [John Bond]

  + dns-nsid retrieves information from a DNS nameserver by requesting
    its nameserver ID (nsid) and asking for its id.server and
    version.bind values. [John Bond]

  + dns-srv-enum enumerates various common service (SRV) records for a
    given domain name.  The service records contain the hostname, port
    and priority of servers for a given service. [Patrik Karlsson]

  + eap-info enumerates the authentication methods offered by an EAP
    authenticator for a given identity or for the anonymous identity
    if no argument is passed. [Riccardo Cecolin]

  + http-auth-finder spiders a web site to find web pages requiring
    form-based or HTTP-based authentication. [Patrik Karlsson]

  + http-config-backup checks for backups and swap files of common
    content management system and web server configuration
    files. [Riccardo Cecolin]

  + http-generator displays the contents of the "generator" meta tag
    of a web page (default: /) if there is one. [Michael Kohl]

  + http-proxy-brute performs brute force password guessing against a
    HTTP proxy server. [Patrik Karlsson]

  + http-qnap-nas-info attempts to retrieve the model, firmware
    version, and enabled services from a QNAP Network Attached Storage
    (NAS) device. [Brendan Coles]

  + http-vuln-cve2009-3960 exploits CVE-2009-3960, also known as Adobe
    XML External Entity Injection. [Hani Benhabiles]

  + http-vuln-cve2010-2861 executes a directory traversal attack
    against a ColdFusion server and tries to grab the password hash
    for the administrator user. It then uses the salt value (hidden in
    the web page) to create the SHA1 HMAC hash that the web server
    needs for authentication as admin. [Micah Hoffman]

  + iax2-brute performs brute force password auditing against the
    Asterisk IAX2 protocol. [Patrik Karlsson]

  + membase-brute performs brute force password auditing against
    Couchbase Membase servers. [Patrik Karlsson]

  + membase-http-info retrieves information (hostname, OS, uptime,
    etc.) from the CouchBase Web Administration port. [Patrik
    Karlsson]

  + memcached-info retrieves information (including system
    architecture, process ID, and server time) from distributed memory
    object caching system memcached. [Patrik Karlsson]

  + mongodb-brute performs brute force password auditing against the
    MongoDB database. [Patrik Karlsson]

  + nat-pmp-mapport maps a WAN port on the router to a local port on
    the client using the NAT Port Mapping Protocol (NAT-PMP). [Patrik
    Karlsson]

  + ndmp-fs-info lists remote file systems by querying the remote
    device using the Network Data Management Protocol (ndmp). [Patrik
    Karlsson]

  + ndmp-version retrieves version information from the remote Network
    Data Management Protocol (NDMP) service. [Patrik Karlsson]

  + nessus-xmlrpc-brute performs brute force password auditing against
    a Nessus vulnerability scanning daemon using the XMLRPC
    protocol. [Patrik Karlsson]

  + redis-brute performs brute force password auditing against a
    Redis key-value store. [Patrik Karlsson]

  + redis-info retrieves information (such as version number and
    architecture) from a Redis key-value store. [Patrik Karlsson]

  + riak-http-info retrieves information (such as node name and
    architecture) from a Basho Riak distributed database using the
    HTTP protocol. [Patrik Karlsson]

  + rpcap-brute performs brute force password auditing against the
    WinPcap Remote Capture Daemon (rpcap). [Patrik Karlsson]

  + rpcap-info connects to the rpcap service (provides remote sniffing
    capabilities through WinPcap) and retrieves interface
    information. [Patrik Karlsson]

  + rsync-brute performs brute force password auditing against the
    rsync remote file syncing protocol. [Patrik Karlsson]

  + rsync-list-modules lists modules available for rsync (remote file
    sync) synchronization. [Patrik Karlsson]

  + socks-auth-info determines the supported authentication mechanisms
    of a remote SOCKS 5 proxy server. [Patrik Karlsson]

  + socks-brute performs brute force password auditing against SOCKS 5
    proxy servers. [Patrik Karlsson]

  + url-snarf sniffs an interface for HTTP traffic and dumps any URLs, and their
    originating IP address. [Patrik Karlsson]

  + versant-info extracts information, including file paths, version
    and database names from a Versant object database. [Patrik
    Karlsson]

  + vmauthd-brute performs brute force password auditing against the
    VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]

  + voldemort-info retrieves cluster and store information from the
    Voldemort distributed key-value store using the Voldemort Native
    Protocol. [Patrik Karlsson]

  + xdmcp-discover requests an XDMCP (X display manager control
    protocol) session and lists supported authentication and
    authorization mechanisms. [Patrik Karlsson]

o [NSE] Added 14 new protocol libraries! They were all written by
  Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
  + dhcp6 (Dynamic Host Configuration Protocol for IPv6)
  + eap (Extensible Authentication Protocol)
  + iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
  + membase (Couchbase Membase TAP protocol)
  + natpmp (NAT Port Mapping Protocol)
  + ndmp (Network Data Management Protocol)
  + pppoe (Point-to-point protocol over Ethernet)
  + redis (in-memory key-value data store)
  + rpcap (WinPcap Remote Capture Daemon)
  + rsync (remote file sync)
  + socks (SOCKS 5 proxy protocol)
  + sslcert (for collecting SSL certificates and storing them in the
    host-based registry)
  + versant (an object database)
  + xdmcp (X Display Manager Control Protocol)

o CPE (Common Platform Enumeration) OS classification is now supported
  for IPv6 OS detection. Previously it was only available for
  IPv4. [David Fifield]

o [NSE] The host.os table is now a structured array of tables that
  include OS class information and CPE. See
  http://nmap.org/book/nse-api.html for documentation of the new
  structure. [Henri Doreau, David]

o [NSE] Service matches can now access CPE through the
  port.version.cpe array. [Henri Doreau]

o Added a new --script-args-file option which allows you to specify
  the name of a file containing all of your desired NSE script
  arguments. The arguments may be separated with commas or newlines
  and may be overridden by arguments specified on the command-line
  with --script-args. [Daniel Miller]

o Audited the nmap-service-probes database to remove all unused
  captures, fixing dozens of bugs with captures either being ignored
  or two fields erroneously using the same capture. [Lauri Kokkonen,
  David Fifield, and Rob Nicholls]

o Added new version detection probes and match lines for:
 + Erlang Port Mapper Daemon
 + Couchbase Membase NoSQL database
 + Basho Riak distributed database protocol buffers client (PBC)
 + Tarantool in-memory data store
 [Patrik Karlsson]

o Split the nmap-update client into its own binary RPM to avoid the
  Nmap RPM having a dependency on the Subversion and APR libraries.
  We're not yet distributing this binary nmap-update RPM since the
  system isn't complete, but the source code is available in the Nmap
  tarball and source RPM. [David]

o [NSE] Added authentication support to the MongoDB library and
  modified existing scripts to support it. [Patrik Karlsson]

o [NSE] Added support to broadcast-listener for extracting address, native VLAN
  and management IP address from CDP packets. [Tom Sellers]

o [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be
  unconnected in order to support broadcast. [Patrik Karlsson]

o [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to
  take advantage of the new sslcert library which retrieves and caches
  SSL certificates in the registry.

o [NSE] Patched our bitcoin library to support recent changes in the
  BitCoin protocol. [Andrew Orr, Patrik Karlsson]

o Fixed an error where very long messages could cause an
  assertion failure: "log_vwrite: vsnprintf failed.  Even after
  increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)."
  This was reported by David Hingos.

o Fixed an assertion failure that was printed when a fatal error
  occurred while an XML tag was incomplete: "!xml.tag_open, file
  ..\xml.cc, line 401". This was reported by David Hingos. [David
  Fifield]

o [NSE] Added support for decoding EIGRP broadcasts from Cisco routers
  to broadcast-listener. [Tom Sellers]

o [NSE] Added redirect support to the http library. All calls to
  http.get and http.head now transparently handle any HTTP
  redirects. The number and destination of redirects are limited by
  default to avoid endless loops or unwanted follows of redirects to
  different servers, but they can be configured. [Patrik Karlsson]

o [NSE] Modified the sql-injection script to use the httpspider library.
  [Lauri Kokkonen]

o Added --with-apr and --with-subversion configuration options to
  support systems where those libraries aren't in the usual places.
  [David Fifield]

o [NSE] Fixed a bunch of global access errors in various libraries reported by
  the nse_check_globals script. [Patrik Karlsson]

o Fixed an assertion failure which could occur when connecting to an
  SSL server:
  nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
  Thanks to Ron for reporting the bug and testing. [Henri Doreau]

o [NSE] Added support to the DNS library for the CHAOS class and NSID
  requests. [John Bond]

o [NSE] Changed the dnsbl library to take a much faster threaded
  approach to querying DNS blacklists. [Patrik Karlsson]

o [NSE] Added new services and the ATTACK category to the dnsbl
  script. [Duarte Silva]

o [NSE] Fixed a memory leak in PortList::setServiceProbeResults()
  which was noticed and reported by David Fifield. The leak was
  triggered by set_port_version calls from NSE.  [Henri Doreau]

o [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
  could cause responses to be missed on fast networks. It was noticed
  by Vasiliy Kulikov. [David Fifield]

o Fixed a bug in reverse name resolution: a name of "." would leave
  the hostname uninitialized and cause "Illegal character(s) in
  hostname" warnings. [Gisle Vanem]

o Allow overriding the AR variable to use a different version of the
  ar library creation tool when creating the liblinear library. [Nuno
  Gonçalves]

o Added vcredist2008_x86.exe to the Windows zip file. This installer
  from MS must be run on new Windows 2008 systems (those which don't
  already have it) before running Nmap.  The Nmap Windows installer
  already takes care of this. [David Fifield]

o Removed about 5MB of unnecessary DocBook XSL from the Nping docs
  directory. [David Fifield]

o The packet library now uses consistent naming of the address fields
  for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and
  ip_dst). [Henri Doreau]

o Update to the latest MAC address prefix assignments from IEEE as of
  March 8, 2012. [Fyodor]

o Fixed a problem in the ippackethdrinfo function which was leading to
  warning messages like: "BOGUS!  Can't parse supposed IP packet" during
  certain IPv6 scans. [David Fifield]

o Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be
  modified to ensure that -lnl was passed on the build line. See the
  r28202 svn log for further information. [David Fifield]

o Include net/if.h before net/if_arp.h in netutil.cc and tcpip.cc to
  hopefully fix some build problems on AIX 5.3.

o [NSE] Added IPv6 support to firewalk.nse. [Henri Doreau]


http://nmap.org/
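The redirect limiting described above for the http library (a capped number of hops, no follows to a different server unless allowed, loop detection), as an added Python example; it is not the NSE Lua code, and the host names, the cap of 5 and the response table are constructed for the example.

```python
"""Redirect policy of the kind the changelog describes for the NSE http library.

Added example in Python (Nmap's http library is Lua): follow HTTP redirects,
but cap the number of hops, refuse redirects that leave the original server
unless explicitly allowed, and stop on loops. The host names, the cap of 5
and the response table below are constructed for this example.
"""
from urllib.parse import urljoin, urlsplit

DEFAULT_MAX_REDIRECTS = 5           # assumed cap; the changelog only says a limit exists
REDIRECT_STATUSES = {301, 302, 303, 307, 308}


def _host(url):
    """Lower-cased host name of a URL ('' when there is none)."""
    return (urlsplit(url).hostname or "").lower()


def next_hop(current_url, location, visited,
             max_redirects=DEFAULT_MAX_REDIRECTS, same_server_only=True):
    """Decide whether a Location header may be followed.

    Returns (url, None) when the redirect is allowed, or (None, reason) when
    it is refused. `visited` is the list of URLs fetched so far, starting with
    the original request, so len(visited) - 1 redirects have been taken.
    """
    if len(visited) - 1 >= max_redirects:
        return None, "too many redirects"
    target = urljoin(current_url, location)      # resolves relative Locations
    parts = urlsplit(target)
    if parts.scheme not in ("http", "https") or not parts.hostname:
        return None, "unsupported redirect target"
    if same_server_only and _host(target) != _host(current_url):
        return None, "redirect to a different server"
    if target in visited:
        return None, "redirect loop"
    return target, None


def follow(start_url, fetch,
           max_redirects=DEFAULT_MAX_REDIRECTS, same_server_only=True):
    """Fetch start_url and follow redirects under the policy above.

    `fetch(url)` returns (status, headers). The result reports the last URL
    actually fetched, how many redirects were taken, and why following
    stopped early (None when the chain ended in a non-redirect response).
    """
    visited = [start_url]
    url = start_url
    while True:
        status, headers = fetch(url)
        location = next((v for k, v in headers.items() if k.lower() == "location"), None)
        if status not in REDIRECT_STATUSES or location is None:
            return {"final": url, "redirects": len(visited) - 1, "refused": None}
        target, reason = next_hop(url, location, visited, max_redirects, same_server_only)
        if target is None:
            return {"final": url, "redirects": len(visited) - 1, "refused": reason}
        visited.append(target)
        url = target


# Constructed stand-in for a scanned web server; nothing here is a real host.
FAKE_SERVER = {
    "http://target.example/":       (301, {"Location": "/login"}),
    "http://target.example/login":  (302, {"Location": "http://target.example/login/"}),
    "http://target.example/login/": (200, {}),
    "http://target.example/loop-a": (302, {"Location": "/loop-b"}),
    "http://target.example/loop-b": (302, {"Location": "/loop-a"}),
    "http://target.example/away":   (302, {"Location": "http://other.example/"}),
}
for _i in range(10):                 # a ten-hop chain that exceeds the cap
    FAKE_SERVER[f"http://target.example/deep/{_i}"] = (302, {"Location": f"/deep/{_i + 1}"})
FAKE_SERVER["http://target.example/deep/10"] = (200, {})


def fake_fetch(url):
    """Look the URL up in the constructed table; unknown paths are 404."""
    return FAKE_SERVER.get(url, (404, {}))


if __name__ == "__main__":
    for path in ("/", "/loop-a", "/away", "/deep/0"):
        print(path, follow("http://target.example" + path, fake_fetch))
```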
Title: Nmap 6 with many improvements
Post by: ritschibie on 22 May, 2012, 10:14
After almost three years of development work, the Nmap project has released its free network scanner and the accompanying programs Ncat, Ndiff, Nping and Zenmap in version 6.0.

(http://www.pro-linux.de/images/NB3/imgdb/n_nmap-6.jpg)
Nmap 6
Since the release of Nmap 5 in July 2009, 3,924 code contributions have gone into the network scanner. Nmap 6.0 (http://nmap.org/6/) benefits from them through a more extensive scripting engine, 289 new scripts, better and faster scans and full IPv6 support.

With the 289 new scripts of the Nmap Scripting Engine (NSE) (Nmap 5 still shipped with 59 scripts), users can automate many tasks and thus, among other things, quickly query network applications or uncover security holes. NSE is built modularly, and according to the developers the underlying infrastructure has been greatly improved. The new script scanning phases pre-scan and post-scan determine before a scan, using Broadcast DNS Service Discovery or DNS zone transfers, whether further machines might be affected and should be checked, and print a detailed summary after a scan. Thanks to a new traceroute system and improved parallelism of NSE and version detection, many scans run faster.

The current version of the network scanner brings many techniques for identifying the applications running on a web server and probing them for security holes. Thanks to 8,165 signatures for 862 protocols, Nmap succeeds in recognizing numerous services behind ports.

Nmap 6 fully supports the increasingly widespread IPv6. The developers made sure that their scanner can check ports, discover hosts and guess operating systems on the basis of the new IP version. To determine the operating system, Nmap 6 uses machine learning instead of the static approach from Nmap 5. According to the developers, this technique is also to be used for IPv4 in the future if it proves successful. Since the address space in IPv6 is too large for brute-force scans, the Nmap developers have provided the NSE scripts targets-ipv6-multicast-echo (ICMPv6 echo request packets), targets-ipv6-multicast-mld (multicast listener discovery), targets-ipv6-multicast-invalid-dst (ICMPv6 packet with an invalid extension header) and targets-ipv6-multicast-slaac (ICMPv6 router acknowledgment packet) to determine the hosts running on a local network.

Nping, the packet generator that belongs to Nmap, has been given a new echo mode with which users can follow how packets change on their way from the source to the target system. Zenmap, the graphical front end for Nmap, has been reworked. It is now available in six localizations, lets users select and run their scripts more easily, and tells them which arguments work with which script. Further improvements are listed in the changelog (http://nmap.org/changelog.html).

Nmap is licensed under the GPL. The current version is available as a tarball on the project's download page (http://nmap.org/download.html).

Source: www.pro-linux.de
Title: Nmap 6.0.1 released
Post by: SiLæncer on 17 June, 2012, 14:00
Changelog:

Nmap 6.01 [2012-06-13]

o [Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom
  of the hang was this message in the system console:
  "Couldn't recognize the image file format for file
  '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'".
  [David Fifield]

o [Zenmap] Fixed a crash that happened when activating the host filter.
      File "zenmapCore\SearchResult.pyo", line 155, in match_os
    KeyError: 'osmatches'
  [jah]

o Fixed an error that occurred when scanning certain addresses like
  192.168.0.0 on Windows XP:
    get_srcaddr: can't connect socket: The requested address is not valid in its context.
    nexthost: failed to determine route to 10.80.0.0
  [David Fifield]

o Fixed a bug that caused Nmap to fail to find any network interface when
  at least one of them is in the monitor mode. The fix was to define the
  ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the
  libdnet-stripped code. Network interfaces that are in this mode are used
  by radiotap for 802.11 frame injection and reception. The bug was
  reported by Tom Eichstaedt and Henri Doreau.
  http://seclists.org/nmap-dev/2012/q2/449
  http://seclists.org/nmap-dev/2012/q2/478
  [Djalal Harouni, Henri Doreau]

o Fixed the greppable output of hosts that time-out (when --host-timeout was
  used and the host timed-out after something was received from that host).
  This issue was reported by Matthew Morgan. [jah]

o [Zenmap] Updated the version of Python used to build the Windows
  release from 2.7.1 to 2.7.3 to remove a false-positive security
  alarm flagged by tools such as Secunia PSI. There was a minor
  vulnerability in certain Python27.dll web functionality (which Nmap
  doesn't use anyway) and Secunia was flagging all software which
  includes that version of Python27.dll. This update should prevent
  the false alarm.

http://nmap.org/
Title: Nmap 6.20 beta 1 released
Post by: SiLæncer on 24 November, 2012, 17:03
Changelog: http://nmap.org/changelog.html

http://nmap.org/
Title: Nmap 6.25
Post by: SiLæncer on 03 December, 2012, 13:12
Changelog:

- [NSE] Added CPE to smb-os-discovery output.
- [Ncat] Fixed the printing of warning messages for large arguments to the -i and -w options.
- [Ncat] Shut down the write part of connected sockets in listen mode when stdin hits EOF, just as was already done in connect mode.
- [Zenmap] Removed a crashing error that could happen when canceling a "Print to File" on Windows:
    Traceback (most recent call last):
      File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
      File "zenmapGUI\Print.pyo", line 156, in run_print_operation
    GError: Error from StartDoc
- Added some new checks for failed library calls. [Bill Parker]

http://nmap.org/
Title: Nmap 6.40
Post by: SiLæncer on 29 July, 2013, 22:00
What's new:

· [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR and NCAT_LOCAL_PORT environment variables being set in all --*-exec child processes.
· [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid receiving crosstalk from other ping programs running at the same time. [David Fifield]
· [NSE] Added http-adobe-coldfusion-apsa1301.nse. It exploits an authentication bypass vulnerability in Adobe Coldfusion servers. [Paulino Calderon]
· [NSE] The ipOps.isPrivate library now considers the deprecated site-local prefix fec0::/10 to be private. [Marek Majkowski]
· [Ncat] Added --lua-exec. This feature is basically an equivalent of ncat --sh-exec "lua " and allows you to run Lua scripts with Ncat, redirecting all stdin and stdout operations to the socket connection. [Jacek Wielemborek]
· [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If you ran the (fortunately non-default) http-domino-enum-passwords script with the (fortunately also non-default) domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system. Thanks to Trustwave researcher Piotr Duszynski for discovering and reporting the problem. We've fixed that script, and also updated several other scripts to use a new stdnse.filename_escape function for extra safety. This breaks our record of never having a vulnerability in the 16 years that Nmap has existed, but that's still a fairly good run. [David, Fyodor]
· [NSE] Added teamspeak2-version.nse by Marin Maržić.
· Nmap's routing table is now sorted first by netmask, then by metric. Previously it was the other way around, which could cause a very general route with a low metric to be preferred over a specific route with a higher metric.
· [Ncat] The -i option (idle timeout) now works in listen mode as well as connect mode. [Tomas Hozza]
· Fixed a byte-ordering problem on little-endian architectures when doing idle scan with a zombie that uses broken ID increments. [David Fifield]
· [Ncat] Ncat now supports chained certificates with the --ssl-cert option. [Greg Bailey]
· Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by Gustavo Moreira. [Henri Doreau]
· [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a network mask. Based on a patch by Indula Nayanamith.
· [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to stay within platform limitations. Suggested by Andrey Olkhin.
· Fixed IPv6 routing table alignment on NetBSD.
· [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
· Added a service probe for Erlang distribution nodes. [Michael Schierl]
· Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This was reported to break on -current as of May 2013. [Giovanni Bechis]
· Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
· Removed some non-ANSI-C strftime format strings ("%F") and locale-dependent formats ("%c") from NSE scripts and libraries. C99-specified %F was noticed by Alex Weber. [Daniel Miller]
· [Zenmap] Added Polish translation by Jacek Wielemborek.
· [NSE] Added http-coldfusion-subzero. It detects Coldfusion 9 and 10 vulnerable to a local file inclusion vulnerability and grabs the version, install path and the administrator credentials. [Paulino Calderon]
· [Nsock] Added a minimal regression test suite for nsock. [Henri Doreau]
· [NSE] Updated redis-brute.nse and redis-info.nse to work against the latest versions of redis server. [Henri Doreau]
· [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
· Added a service probe for Minecraft servers. [Eric Davisson]
· [NSE] Updated hostmap-bfk to work with the latest version of their website. [Paulino Calderon]
· [NSE] Added XML structured output support to hostmap-bfk, hostmap-robtex, and hostmap-ip2hosts. [Paulino Calderon]
· [NSE] Added hostmap-ip2hosts. It uses the service provider ip2hosts.com to list domain names pointing to the same IP address. [Paulino Calderon]
· [NSE] Added http-vuln-cve2013-0156. It detects Ruby on Rails servers vulnerable to remote command execution (CVE-2013-0156). [Paulino Calderon]
· Added a service probe for the Hazelcast data grid. [Pavel Kankovsky]
· [NSE] Rewrote telnet-brute for better compatibility with a variety of telnet servers. [nnposter]
· [Nsock] Added initial proxy support to nsock. Nsock based modules (version scan, nse) of nmap can now establish TCP connections through chains of proxies. HTTP CONNECT and SOCKS4 protocols are supported, with some limitations. [Henri Doreau]
· Fixed a regression that changed the number of delimiters in machine output. [Daniel Miller]
· [Zenmap] Updated the Italian translation. [Giacomo]
· Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports will be reported as "filtered", to be consistent with existing Connect scan results, and will have a reason of time-exceeded. DiabloHorn reported this issue via IRC. [Daniel Miller]
· Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and changed output of some of the decoders slightly. [Patrik Karlsson]
· Timeout script-args are now standardized to use the timespec that Nmap's command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that previously took an integer number of milliseconds will now treat that as a number of seconds if not explicitly denoted as ms. [Daniel Miller]
· The list of nameservers on Windows now ignores nameservers from inactive interfaces. [David Fifield]
· Namespace the pipes used to communicate with subprocesses by PID, to avoid multiple instances of Ncat from interfering with each other. Patch by Andrey Olkhin.
· Nmap may now partially rearrange its target list for more efficient host groups. Previously, a single target with a different interface, or with an IP address the same as that of a target already in the group, would cause the group to be broken off at whatever size it was. Now, we buffer a small number of such targets, and keep looking through the input for more targets to fill out the current group. [David Fifield]
· [NSE] Changed ip-geolocation-geoplugin to use the web service's new output format. Reported by Robin Wood.
· Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast connect scans could write past the end of an fd_set and cause a variety of crashes: nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed. select failed in do_one_select_round(): Bad file descriptor (9) [David Fifield]
· Fixed a bug that prevented Nmap from finding any interfaces when one of them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk interfaces. However, this support is not complete since AppleTalk interfaces use different size hardware addresses than Ethernet. Nmap IP level scans should work without any problem, please refer to the '--send-ip' switch and to the following thread: http://seclists.org/nmap-dev/2013/q1/214 This bug was reported by Steven Gregory Johnson. [Daniel Miller]
· [Nping] Nping now skips localhost targets for privileged pings (with an error message) because those generally don't work. [David Fifield]
· [Ncat] Ncat now keeps running in connect mode after receiving EOF from the remote socket, unless --recv-only is in effect. [Tomas Hozza]
· Routes are now sorted to prefer those with a lower metric. Retrieval of metrics is supported only on Linux and Windows. [David Fifield]
· Packet trace of ICMP packets now include the ICMP ID and sequence number by default. [David Fifield]
· [NSE] Added ike-version and a new ike library by Jesper Kückelhahn. Thanks also go to Roy Hills, who allowed the use of the signature database from the ike-scan tool.
· [NSE] Fixed various NSEDoc bugs found by David Matousek.
· [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED environment variables. [Tyler Wagner]
· It's now possible to mix IPv4 range notation with CIDR netmasks in target specifications. For example, 192.168-170.4-100,200.5/16 is effectively the same as 192.168.168-170.0-255.0-255. [David Fifield]
· Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into XSL-FO, which can be converted into PDF using Apache FOP.
· Increased the number of slack file descriptors not used during connect scan. Previously, the calculation did not consider the descriptors used by various open log files. Connect scans using a lot of sockets could fail with the message "Socket creation in sendConnectScanProbe: Too many open files". [David Fifield]
· [Zenmap] Fixed internationalization files. Running in a language other than the default English would result in the error "ValueError: too many values to unpack". [David Fifield]
· Changed the --webxml XSL stylesheet to point to the new location of nmap.xsl in the new repository, https://svn.nmap.org/nmap/docs/nmap.xsl This was noticed by Simon John.
· [NSE] Made the vulnerability library able to preserve vulnerability information across multiple ports of the same host. The bug was reported by iphelix. [Djalal Harouni]
· [NSE] Added ventrilo-info by Marin Maržić. This gets information from a Ventrilo VoIP server.
· Removed the undocumented -q option, which renamed the nmap process to something like "pine".
· Moved the Japanese man page from man1/jp to man1/ja. jp is a country code while ja is a language code. Reported by Christian Neukirchen.
· [NSE] Added mysql-enum script which enumerates valid mysql server usernames [Aleksandar Nikolic]
· [Nsock] Reworked the logging infrastructure to make it more flexible and consistent. Updated nmap, nping and ncat accordingly. Nsock log level can now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David Fifield]
· [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by Dhiru Kholia. [David Fifield]
· [NSE] Added structured output to http-git.nse. [Alex Weber]
· [NSE] Added murmur-version by Marin Maržić. This gets the server version and other information for Murmur, the server for the Mumble VoIP system.
· Added a corresponding UDP payload for Murmur. [Marin Maržić]
· [Zenmap] Fixed a crash that could be caused by opening the About dialog, using the window manager to close it, and opening it again. This was reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]
· [Ncat] Made test-addrset.sh exit with nonzero status if any tests fail. This in turn causes "make check" to fail if any tests fail. [Andreas Stieger]
· Fixed compilation with --without-liblua. The bug was reported by Rick Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]
· Fixed CRC32c calculation (as used in SCTP scans) on 64-bit platforms. [Pontus Andersson]
· [NSE] Added multicast group name output to broadcast-igmp-discovery.nse. [Vasily Kulikov]
· [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3, SquirrelMail, RoundCube. [Jesper Kückelhahn]

http://nmap.org/
Title: Nmap 6.45
Post by: SiLæncer on 13 April 2014, 07:35
Nmap 6.45 [2014-04-11]

o NOTE THAT THE CHANGELOG FOR THIS RELEASE IS INCOMPLETE.  We plan to
  finish it soon.

o [NSE] Add ssl-heartbleed script to detect the Heartbleed bug in OpenSSL
  CVE-2014-0160 [Patrik Karlsson]
 
o [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail
  when scanning a SOCKS4-only proxy. Reported on IRC by Husky. [Daniel Miller]

o [NSE] Improved ntp-info script to handle underscores in returned
  data. [nnposter]

o [NSE] Add quake1-info script for retrieving server and player information
  from Quake 1 game servers. Reports potential DoS amplification factor.
  [Ulrik Haugen]

o [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and
  other character sets to Unicode code points. Scripts that previously just
  added or skipped nulls in UTF-16 data can use this to support non-ASCII
  characters. [Daniel Miller]

o When doing a ping scan (-sn), the --open option will prevent down hosts from
  being shown when -v is specified. This aligns with similar output for other
  scan types. [Daniel Miller]

o [Ncat] Added support for socks5 and corresponding regression tests.
  [Marek Lucaszuk, Petr Stodulka]

o [NSE] Add http-ntlm-info script for getting server information from Web
  servers that require NTLM authentication. [Justin Cacak]

o Added TCP support to dns.lua. [John Bond]

o Added safe fd_set operations. This makes nmap fail gracefully instead of
  crashing when the number of file descriptors grows over FD_SETSIZE. Jacek
  Wielemborek reported the crash. [Henri Doreau]

o [NSE] Added tls library for functions related to SSLv3 and TLS messages.
  Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were
  updated to use this library. [Daniel Miller]

o [NSE] Add sstp-discover script to discover Microsoft's Secure Socket
  Tunnelling Protocol (http://msdn.microsoft.com/en-us/library/cc247338.aspx)
  [Niklaus Schiess]

o [NSE] Added unittest library and NSE script for adding unit tests to NSE
  libraries. See unittest.lua for examples, and run `nmap --script=unittest
  --script-args=unittest.run -d` to run the tests. [Daniel Miller]

o Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release) [Daniel Miller]

o Added version detection signatures and probes for a bunch of Android
  remote mouse/keyboard servers, including AndroMouse, AirHID,
  Wifi-mouse, and RemoteMouse. [Paul Hemberger]

o [NSE] Added allseeingeye-info for gathering information from games
  using this query protocol.  A version detection probe was also
  added. [Marin Maržić]

o [NSE] Add freelancer-info to gather information about the Freelancer
  game server. Also added a related version detection probe and UDP
  protocol payload for detecting the service. [Marin Maržić]

o [Ncat] Fixed compilation when --without-liblua is specified in
  configure (an #include needed an ifdef guard). [Quentin Glidic]

o [NSE] Add http-server-header script to grab the Server header as a last-ditch
  effort to get a software version. This can't be done as a softmatch because
  of the need to match non-HTTP services that obey some HTTP requests. [Daniel
  Miller]

o [NSE] Add rfc868-time script to get the date and time from an RFC 868 Time
  server. [Daniel Miller]

o [NSE] Add weblogic-t3-info script that detects the T3 RMI protocol used by
  Oracle/BEA Weblogic. Extracts the Weblogic version, as well [Alessandro
  Zanni, Daniel Miller]

o Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on
  FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by
  skipping these non-network addresses. [Daniel Miller]

o Fixed a bug with UDP checksum calculation. When the UDP checksum is zero
  (0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid
  ambiguity with +0, which indicates no checksum was calculated. This affected
  UDP on IPv4 only. Reported by Michael Weber. [Daniel Miller]

o [NSE] Removed a fixed value (28428) which was being set for the Request ID in
  the snmpWalk library function; a value based on nmap.clock_ms will now be set
  instead. [jah]

o [NSE] Add http-iis-short-name-brute script that detects Microsoft IIS
  servers vulnerable to a file/folder name disclosure and a denial of
  service vulnerability. The script obtains the "shortnames" of the
  files and folders in the webroot folder. [Paulino Calderon]

o Idle scan now supports IPv6. IPv6 packets don't usually come with
  fragments identifiers like IPv4 packets do, so new techniques had to
  be developed to make idle scan possible. The implementation is by
  Mathias Morbitzer, who made it the subject of his master's thesis.

o [NSE] Add http-dlink-backdoor script that detects DLink routers with firmware
  backdoor allowing admin access over HTTP interface. [Patrik Karlsson]

o The ICMP ID of ICMP probes is now matched against the sent ICMP ID,
  to reduce the chance of false matches. Patch by Chris Johnson.

o [NSE] Made telnet-brute support multiple parallel guessing threads,
  reuse connections, and support password-only logins. [nnposter]

o [NSE] Made the table returned by ssh1.fetch_host_key contain a "key"
  element, like that of ssh2.fetch_host_key. This fixed a crash in the
  ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The
  "key" element of ssh2.fetch_host_key now is base64-encoded, to match
  the format used by the known_hosts file. [David Fifield]

o [Nsock] Handle timers and timeouts via a priority queue (using a heap)
  for improved performance. Nsock now only iterates over events which are
  completed or expired instead of inspecting the entire event set at each
  iteration. [Henri Doreau]

o [NSE] Update dns-cache-snoop script to use a new list of top 50
  domains rather than a 2010 list. [Nicolle Neulist]

o [NSE] Added the qconn-exec script by Brendan Coles, which tests the
  QNX QCONN service for remote command execution.

o [Zenmap] Fixed a crash that would happen when you entered a search
  term starting with a colon: "AttributeError:
  'FilteredNetworkInventory' object has no attribute 'match_'".
  Reported by Kris Paernell. [David Fifield]

o [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR
  and NCAT_LOCAL_PORT environment variables being set in all --*-exec child
  processes.

http://nmap.org/
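The UDP checksum fix in the 6.45 changelog above is a classic one's-complement pitfall: a computed checksum of 0x0000 has to be sent as 0xFFFF, because a zero field on the wire means "no checksum" and receivers skip verification. The Python below is an added example for this thread, not Nmap's code; it computes the UDP/IPv4 checksum over the pseudo-header, applies the zero rule on the sender side, shows the receiver-side interpretation, and includes a helper that constructs a payload whose checksum really does compute to zero so the edge case can be exercised offline (the addresses 192.0.2.1/192.0.2.2 and ports in the test are constructed).

```python
"""UDP/IPv4 checksum with the RFC 768 zero rule (added example, not Nmap code).

The one's-complement checksum can compute to 0x0000. Because a zero checksum
field on the wire means "no checksum", the sender must transmit 0xFFFF
instead; sending 0x0000 silently disables verification at every receiver.
"""
import struct

UDP_PROTO = 17


def ones_complement_sum(data):
    """16-bit one's-complement sum of data, odd length zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                      # fold carries back in
        total = (total & 0xFFFF) + (total >> 16)
    return total


def udp_datagram(sport, dport, payload, checksum=0):
    """8-byte UDP header plus payload, with the given checksum field."""
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), checksum) + payload


def _pseudo_header(src_ip, dst_ip, datagram):
    """IPv4 pseudo-header: src, dst, zero, protocol, UDP length."""
    return src_ip + dst_ip + struct.pack("!BBH", 0, UDP_PROTO, len(datagram))


def raw_udp_checksum(src_ip, dst_ip, datagram):
    """The checksum as the arithmetic yields it, before the zero rule."""
    total = ones_complement_sum(_pseudo_header(src_ip, dst_ip, datagram) + datagram)
    return (~total) & 0xFFFF


def udp_checksum(src_ip, dst_ip, datagram):
    """Value to place in the header: a computed zero is sent as 0xFFFF."""
    csum = raw_udp_checksum(src_ip, dst_ip, datagram)
    return 0xFFFF if csum == 0 else csum


def verify_udp_checksum(src_ip, dst_ip, datagram):
    """Receiver view: None if the field is 0 (no checksum), else True/False.
    With the field included, a correct datagram sums to all ones."""
    (field,) = struct.unpack("!H", datagram[6:8])
    if field == 0:
        return None
    total = ones_complement_sum(_pseudo_header(src_ip, dst_ip, datagram) + datagram)
    return total == 0xFFFF


def payload_with_zero_checksum(src_ip, dst_ip, sport, dport, prefix=b""):
    """Constructed test input: append one 16-bit word to prefix so that the
    resulting datagram's checksum computes to exactly zero."""
    if len(prefix) % 2:
        prefix += b"\x00"                   # keep the trailer 16-bit aligned
    base = udp_datagram(sport, dport, prefix + b"\x00\x00")
    s = ones_complement_sum(_pseudo_header(src_ip, dst_ip, base) + base)
    return prefix + struct.pack("!H", 0xFFFF - s)   # s + word == 0xFFFF


if __name__ == "__main__":
    src, dst = bytes([192, 0, 2, 1]), bytes([192, 0, 2, 2])   # constructed
    payload = payload_with_zero_checksum(src, dst, 40000, 53, b"hello")
    dg = udp_datagram(40000, 53, payload)
    print("raw checksum  :", hex(raw_udp_checksum(src, dst, dg)))
    print("on the wire   :", hex(udp_checksum(src, dst, dg)))
    print("buggy 0x0000  :", verify_udp_checksum(src, dst, udp_datagram(40000, 53, payload, 0)))
    print("correct 0xffff:", verify_udp_checksum(src, dst, udp_datagram(40000, 53, payload, 0xFFFF)))
```

The buggy sender behaviour the changelog describes shows up as the None result: a receiver cannot tell a sender that computed zero from one that never checksummed at all, so the pre-6.45 packets were simply never verified rather than rejected. The rule applies to UDP over IPv4 only; UDP over IPv6 has no "no checksum" value, which is why the changelog scopes the fix to IPv4.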
Title: Nmap 6.46
Post by: SiLæncer on 19 April 2014, 22:00
What's new: >>

o [NSE] Made numerous improvements to ssl-heartbleed to provide
  more reliable detection of the vulnerability.

o [Zenmap] Fixed a bug which caused this crash message:
     IOError: [Errno socket error] [Errno 10060] A connection attempt failed
     because the connected party did not properly respond after a period of
     time, or established connection failed because connected host has
     failed to
     respond
  The bug was caused by us adding a DOCTYPE definition to Nmap's XML
  output which caused Python's XML parser to try and fetch the DTD
  every time it parses an XML file.  We now override that DTD-fetching
  behavior. [Daniel Miller]

o [NSE] Fix some bugs which could cause snmp-ios-config and
  snmp-sysdescr scripts to crash
  (http://seclists.org/nmap-dev/2014/q2/120) [Patrik Karlsson]

o [NSE] Improved performance of citrixlua library when handling large XML
  responses containing application lists. [Tom Sellers]

http://nmap.org/
Title: Nmap 6.47
Post by: SiLæncer on 26 August 2014, 14:20
Changelog

- Integrated all of your IPv4 OS fingerprint submissions since June 2013. Added 366 fingerprints, bringing the new total to 4485. Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2, OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
- (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i.
- (Windows) Upgraded the included Python to version 2.7.8.
- Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This was added in 6.45, and resulted in trouble for Nmap XML parsers without network access, as well as increased traffic to Nmap's servers.
- [Ndiff] Fixed the installation process on Windows, which was missing the actual Ndiff Python module since we separated it from the driver script.
- [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution, which was giving the error, "\Microsoft was unexpected at this time."
- [Zenmap] Fixed the Zenmap .dmg installer for OS X.
- [Ncat] Fixed SOCKS5 username/password authentication. The password length was being written in the wrong place, so authentication could not succeed.
- Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts this to the string "(null)", but it caused segfault on Solaris.
- [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package installed. Python tries to be nice and loads it when we import xml, but it isn't compatible. Instead, we force Python to use the standard library xml module.
- Handle ICMP admin-prohibited messages when doing service version detection.
- [NSE] Fix a bug causing http.head to not honor redirects.
- [Zenmap] Fix a bug in DiffViewer causing this crash: TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only buffer, not NmapParserSAX Crash happened when trying to compare two scans within Zenmap.


http://nmap.org/
Title: Nmap 6.49 BETA 1
Post by: SiLæncer on 04 June 2015, 17:00
Changelog

Nmap 6.49BETA1 [2015-06-03]

o Integrated all of your IPv4 OS fingerprint submissions from May 2014 to
  February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total
  to 4766. Additions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0,
  FreeBSD 10.1, OpenBSD 5.6, and more. Highlights:
  http://seclists.org/nmap-dev/2015/q2/169 [Daniel Miller]

o Integrated all of your service/version detection fingerprints submitted from
  June 2013 to February 2015 (2500+ of them). The signature count soared over
  the 10000 mark, a 12% increase. We now detect 1062 protocols, from http,
  telnet, and ftp to jute, bgp, and slurm. Highlights:
  http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]

o Integrated all of your IPv6 OS fingerprint submissions from June 2013 to
  April 2015 (only 97 of them!). We are steadily improving the IPv6 database,
  but we need your submissions. The classifier added 9 new groups, bringing the
  new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel
  Miller]

o Nmap now has an official bug tracker! We are using Github Issues, which you
  can reach from http://issues.nmap.org/. We welcome your bug reports,
  enhancement requests, and code submissions via the Issues and Pull Request
  features of Github (https://github.com/nmap/nmap), though the repository
  itself is just a mirror of our authoritative Subversion repository.

o [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi)
  translation by Gyanendra Mishra, and updated translations for German (de,
  Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and
  French (fr, MaZ)

o Added options --data <hex string> and --data-string <string> to send custom
  payloads in scan packet data. [Jay Bosamiya]

o --reason is enabled for verbosity > 2, and now includes the TTL of received
  packets in Normal output (this was already present in XML) [Jay Bosamiya]

o Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build
  our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]

o Our OS X installer is now built for a minimum supported version of 10.8
  (Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally,
  OpenSSL is now statically linked, allowing us to distribute the latest from
  Macports instead of being subjected to the 0.9.8 branch still in use as of
  10.9. [Daniel Miller]

o New features for the IPv6 OS detection engine allow for better classification
  of systems: IPv6 guessed initial hop limit (TTL) and ratio of TCP initial
  window size to maximum segment size. [Alexandru Geana]

o [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
  handshake, including certificate key size and DH parameters if applicable.
  This is similar to Qualys's SSL Labs scanner, and means that we no longer
  maintain a list of scores per ciphersuite. [Daniel Miller]

o All nmap.org pages are now available SSL-secured to improve privacy
  and ensure your binaries can't be tampered with in transit. So be
  sure to download from https://nmap.org/download.html. We will soon
  remove the non-SSL version of the site. We still offer GPG-signed
  binaries as well: https://nmap.org/book/install.html#inst-integrity

o [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are below
  (authors are listed in brackets):

  + bacnet-info gets device information from SCADA/ICS devices via BACnet
    (Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]

  + docker-version detects and fingerprints Docker [Claudio Criscione]

  + enip-info gets device information from SCADA/ICS devices via EtherNet/IP
    [Stephen Hilt]

  + fcrdns performs a Forward-confirmed Reverse DNS lookup and reports
    anomalous results. [Daniel Miller]

  + http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems.
    [Paulino Calderon]

  + http-cisco-anyconnect gets version and tunnel information from Cisco SSL
    VPNs. [Patrik Karlsson]

  + http-crossdomainxml detects overly permissive crossdomain policies and
    finds trusted domain names available for purchase. [Paulino Calderon]

  + http-shellshock detects web applications vulnerable to Shellshock
    (CVE-2014-6271). [Paulino Calderon]

  + http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin.
    [Paul AMAR]

  + http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
    http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect
    SSL VPNs. [Patrik Karlsson]

  + http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote
    code execution. [Gyanendra Mishra]

  + http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to
    MS15-034. [Paulino Calderon]

  + http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability
    in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access.
    [Andrew Orr]

  + http-wordpress-plugins was renamed http-wordpress-enum and extended to
    enumerate both plugins and themes of Wordpress installations and their
    versions. http-wordpress-enum is now http-wordpress-users. [Paulino Calderon]

  + mikrotik-routeros-brute performs password auditing attacks against
    Mikrotik's RouterOS API. [Paulino Calderon]

  + omron-info gets device information from Omron PLCs via the FINS service.
    [Stephen Hilt]

  + s7-info gets device information from Siemens PLCs via the S7 service,
    tunneled over ISO-TSAP on TCP port 102. [Stephen Hilt]

  + snmp-info gets the enterprise number and other information from the
    snmpEngineID in an SNMPv3 response packet. [Daniel Miller]

  + ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS
    CCS Injection vulnerability (CVE-2014-0224) [Claudiu Perta]

  + ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566) [Daniel Miller]

  + supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers. [Paulino
    Calderon]

  + targets-ipv6-map4to6 generates target IPv6 addresses which correspond to
    IPv4 addresses mapped within a particular IPv6 subnet. [Raúl Fuentes]

  + targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made
    of hexadecimal characters. [Raúl Fuentes]

o Enhance Nmap's tcpwrapped service detection by using a shorter timeout for
  the tcpwrapped designation. This prevents falsely labeling services as
  tcpwrapped which merely have a read timeout shorter than 6 seconds. Full
  discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]

o Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by
  failing to set the ICMP ID for outgoing packets which is used to match
  incoming responses. [Andrew Waters]

o Add 2 more ASCII-art configure splash images to be rotated randomly with the
  traditional dragon image. New ideas for other images to use here may be sent
  to dev@nmap.org. [Jay Bosamiya, Daniel Miller]

o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
  passing a NULL pointer to a WinPcap function that then tries to write an
  error message to it. [Peter Malecka]

o Fix compilation and several bugs on AIX. [Daniel Miller]

o Fix a bug in libdnet-stripped on Solaris that resulted in the wrong MAC
  address being detected for all interfaces.
  http://seclists.org/nmap-dev/2015/q2/1 [Daniel Miller]

o [NSE] Improved http-form-brute autodetection and behavior to handle more
  unusual-but-valid HTML syntax, non-POST forms, success/failure testing on
  HTTP headers, and more. [nnposter]

o [NSE] Reduce many NSE default timeouts and base them on Nmap's detected
  timeouts for those hosts from the port scan phase. Scripts which take timeout
  script-args can now handle 's' and 'ms' suffixes, just like Nmap's own
  options. [Daniel Miller]

o [NSE] Remove db2-discover, as its functionality was performed by service
  version detection since the broadcast portion was separated into
  broadcast-db2-discover. http://seclists.org/nmap-dev/2014/q3/415 [Daniel
  Miller]

o Cache dnet names not found on Windows when enumerating interfaces in the
  Windows Registry. Reduces startup times. [Elon Natovich]

o [NSE] Make smb-ls able to leverage results from smb-enum-shares or list of
  shares specified on command line. [Pierre Lalet]

o [NSE] Fix X509 cert date parsing for dates after 2049. Reported by Teppo
  Turtiainen. [Daniel Miller]

o Handle a bunch of socket errors that can result from odd ICMP Type 3
  Destination Unreachable messages received during service scanning. The crash
  reported was "Unexpected error in NSE_TYPE_READ callback.  Error code: 92
  (Protocol not available)" [Daniel Miller]

o Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using
  -sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]

o Fixed a benign TOCTOU race between stat() and open() in mmapfile().
  Reported by Camille Mougey. [Henri Doreau]

o Reduce CPU consumption when using nsock poll engine with no registered FD,
  by actually calling Poll() for the time until timeout, instead of directly
  returning zero and entering the loop again. [Henri Doreau]

o Change the URI for the fingerprint submitter to its new location at
  https://nmap.org/cgi-bin/submit.cgi

o [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to
  http-enum in the 'security' category [Daniel Miller]

o Fixed a bug that caused Nmap to fail to find any network interface when a
  Prism interface is in monitor mode. The fix was to define the
  ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code.
  [Brad Johnson]

o Added a version probe for Tor. [David Fifield]

o [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix
   published applications in the list are enforcing/requiring the level
   of ICA/session data encryption shown in the script result.
   [Tom Sellers]

o [NSE] Updated our Wordpress plugin list to improve the
  http-wordpress-enum NSE script. We can now detect 34,077 plugins,
  up from 18,570. [Danila Poyarkov]

o [NSE] Add the signature algorithm that was used to sign the target port's
  x509 certificate to the output of ssl-cert.nse [Tom Sellers]

o [NSE] Fixed a bug in the sslcert.lua library that was triggered against
  certain services when version detection was used. [Tom Sellers]

o [NSE] vulns.Report:make_output() now generates XML structured output
  reports automatically. [Paulino Calderon]

o [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts
  [Jay Bosamiya]

o [NSE] If a version script is run by name, nmap.version_intensity() returns
  the maximum value (9) for it [Jay Bosamiya]

o [NSE] shortport.version_port_or_service() takes an optional rarity parameter
  now to run only when version intensity > rarity [Jay Bosamiya]

o [NSE] Added nmap.version_intensity() function so that NSE version scripts
  can use the argument to --version-intensity (which can be overridden by the
  script arg 'script-intensity') in order to decide whether to run or not
  [Jay Bosamiya]

o Improve OS detection; if a port is detected to be 'tcpwrapped', then it will
  not be used for OS detection. This helps in cases where a firewall might
  cause the port to be 'tcpwrapped' [Jay Bosamiya]

o [Zenmap] Reduce noise generated in Topology View due to anonymous
  hops [Jay Bosamiya]

o Added option --exclude-ports to Nmap so that some ports can be excluded from
  scanning (for example, due to policy) [Jay Bosamiya]

o [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output,
  and display a more helpful error message [Jay Bosamiya]

o Catch badly named output files (such as those unintentionally caused by
  "-oX -sV logfile.xml") [Jay Bosamiya]

o [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans
  now open in seconds instead of hours. [Jay Bosamiya]

o Modify the included libpcap configure script to disable certain unused
  features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a
  build problem on CentOS 6.5. [Daniel Miller]

o Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]

o Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP
  stacks in currently popular operating systems use. [Jay Bosamiya]

o Fixed a bug which caused Nmap to be unable to have any runtime interaction
  when called from sudo or from a shell script. [Jay Bosamiya]

o Improvements to whois-ip.nse: fix an unhandled error when a referred-to
  response could not be understood; add a new pattern to recognise a
  LACNIC "record not found" type of response and update the way ARIN is
  queried. [jah]


http://nmap.org/
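Two of the changelog entries in this thread concern the same change: the 6.25 note that timeout script-args now take Nmap's timespec format (5s, 5000ms, 1h) and that a bare integer is read as seconds rather than milliseconds, and the 6.49BETA1 note that scripts now accept the 's' and 'ms' suffixes. The parser below is an added example for this thread, not Nmap's or NSE's own code; it converts a timespec to milliseconds and makes the unit of a bare number an explicit parameter, which is the knob an old script-arg of "5000" silently changed under it. Units are case-sensitive here by choice (an assumption, not a documented Nmap rule).

```python
"""Nmap-style timespec parser in milliseconds (added example, not Nmap code).

Accepts "250ms", "5s", "1.5m", "1h". A bare number is interpreted in
bare_unit; Nmap's convention since the change described in the changelog is
seconds, so a script-arg that used to mean 5000 ms now means 5000 s.
"""
import re

_UNITS_MS = {"ms": 1, "s": 1000, "m": 60 * 1000, "h": 60 * 60 * 1000}
_TIMESPEC = re.compile(r"(\d+(?:\.\d+)?)(ms|s|m|h)?")


def parse_timespec(spec, bare_unit="s"):
    """Return the number of milliseconds spec denotes, rounded to an int."""
    m = _TIMESPEC.fullmatch(spec.strip())
    if not m or bare_unit not in _UNITS_MS:
        raise ValueError("bad timespec %r" % spec)
    value, unit = m.group(1), m.group(2) or bare_unit
    return int(round(float(value) * _UNITS_MS[unit]))


def suspicious_bare_timeout(spec, threshold_s=3600):
    """True if spec is a bare number that, read as seconds, exceeds threshold_s.
    Such values are the usual symptom of a script-arg written in milliseconds
    under the old convention (threshold is an assumption, not an Nmap rule)."""
    return spec.strip().isdigit() and parse_timespec(spec) > threshold_s * 1000


if __name__ == "__main__":
    for s in ("5s", "5000ms", "1h", "5000"):          # constructed inputs
        print("%-8s -> %10d ms  (old ms reading: %d ms)  suspicious=%s"
              % (s, parse_timespec(s), parse_timespec(s, "ms"),
                 suspicious_bare_timeout(s)))
```

A bare "5000" is the case to watch: it now parses to 5000000 ms (83 minutes) instead of 5 s, and suspicious_bare_timeout flags it so a long-running scan can be traced back to a stale script-arg rather than to the target.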
Title: Nmap 6.49 BETA 2
Post by: SiLæncer on 17 June 2015, 18:00
Changelog
Nmap 6.49BETA2

o Nmap now has an official bug tracker! We are using Github Issues, which you
  can reach from http://issues.nmap.org/. We welcome your bug reports,
  enhancement requests, and code submissions via the Issues and Pull Request
  features of Github (https://github.com/nmap/nmap), though the repository
  itself is just a mirror of our authoritative Subversion repository.

o [GH#154] Fix a crash (assertion error) when Nmap receives an ICMP Host
  Unreachable message.

o [GH#158] Fix a configure failure when Python is not present, but no Python
  projects were requested. [Gioacchino Mazzurco]

o [GH#161] [Zenmap] Fix Zenmap on OS X which was failing with
  zipimport.ZipImportError due to architecture mismatch.

o [NSE] Remove ahbl.org checks from dnsbl.lua, since the service was shut down.
  [Forrest B.]

http://nmap.org/
Title: Nmap 6.49 Beta 3
Post by: SiLæncer on 26 June 2015, 09:10
Changelog
Fix Ncat listen mode on Solaris and other platforms where struct sockaddr does not have a sa_len member. This also affected use of the -p and -s options. Brandon Haberfeld reported the crash.
Fix a Zenmap failure to open on OS X with the error: "dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib" We had to remove the DYLD_LIBRARY_PATH environment variable from zenmap_wrapper.py.
Report our https URL (https://nmap.org) in more places rather than our non-SSL one.

http://nmap.org/
Title: Nmap 6.49 Beta 4
Post by: SiLæncer on 07 July 2015, 19:00
Changelog
# Nmap Changelog ($Id: CHANGELOG 34833 2015-07-04 11:38:26Z gyani $); -*-text-*-

o [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]

o [NSE] Added NTLM authentication support to http.lua and a related function to create
  an ntlm v2 session response in smbauth.lua. [Gyanendra Mishra]

o [NSE] ssl-enum-ciphers now marks cipher scores as unknown for ciphers requiring
  the use of openssl when openssl is missing. [jrchamp]

o [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]

o [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client access
  policies and uses the new SLAXML parser. [Gyanendra Mishra]

o [NSE] Added a patch for vulns lib that allows list of tables to be submitted
  to fields in the vulns report. [Jacob Gajek]

o [NSE] Added additional checks for successful PUT request in http-put.
  [Oleg Mitrofanov]

o [NSE] Added an update for http-methods that checks all possible methods not in
  Allow or Public header of OPTIONS response. [Gyanendra Mishra]

o [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner
  (a.k.a. Phrogz). [Gyanendra Mishra]

o [NSE] Added hnap-info, detects and outputs info for Home Network
  Administration Protocol devices. [Gyanendra Mishra]

o [NSE] Allow ssl-enum-ciphers to run on non-typical ports when it is selected
  by name. It will now send a service detection probe if the port is not a
  typical SSL port and version scan (-sV) was not used. [Daniel Miller]

o [NSE] Added http-webdav-scan, which detects WebDAV servers. [Gyanendra Mishra]

http://nmap.org/
Title: Nmap 6.49 Beta 5
Post by: SiLæncer on 24 September 2015, 17:00
Changelog
# Nmap Changelog ($Id: CHANGELOG 35282 2015-09-23 20:23:00Z dmiller $); -*-text-*-

o Fix a crash in Zenmap when using Compare Results:
  AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
  [Daniel Miller]

o [NSE] Fix http.get_url function when used with https scheme. Previously,
  plaintext http to port 443 was attempted first. [jah]

o Use a mutex on Windows to avoid a hang when accessing WinPCAP driver.
  Reported by multiple users on Windows 8.1 and Windows Server 2012 R2.
  Nmap hangs when the WinPCAP driver is accessed via OpenServiceA by multiple
  processes at once. Users report that this change, which uses a mutex to avoid
  concurrent access, fixes the hang. [Daniel Miller]

o [NSE] Enhanced reporting of elliptic curve names and strengths in
  ssl-enum-ciphers. The name of the curve is now reported instead of just "ec"
  [Brandon Paulsen]

o [NSE] Added knx-gateway-discover and knx-gateway-info scripts for gathering
  information from multicast and unicast KNX gateways, which connect home
  automation systems to IP networks. [Niklaus Schiess, Dominik Schneider]

o Disable TPACKET_V3 in our included libpcap. This version of the Linux kernel
  packet ring API has problems that result in lots of lost packets. This patch
  falls back to TPACKET_V2 or earlier versions if available. [nnposter]

o Output a warning when deprecated options are used, and suggest the preferred
  option. Currently deprecated: -i -o -m -sP -P0 -PN -oM -sR. The warning is
  only visible with -v. [Daniel Miller]

o [NSE] Added script http-ls. Parses web server directory index pages with
  optional recursion. [Pierre Lalet]

o [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and
  outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls
  scripts have been converted to use this module. [Pierre Lalet]

o Fix Nmap's DTD, which did not recognize that the script element could contain
  character data when a script returns a number or a boolean.
  [Jonathan Daugherty]

o [GH#75] Normalize check targets to standard format check-*.
  [Gioacchino Mazzurco]

o [GH#75] Normalize clean and distclean targets to standard format clean-* and
  distclean-*. [Gioacchino Mazzurco]

o [GH#75] Normalize build targets to standard format build-*.
  [Gioacchino Mazzurco]

o [NSE] Added script xmlrpc-methods. This script performs introspection of
  xmlrpc services and lists methods and their description. [Gyanendra Mishra]

o [NSE] Removed http-email-harvest as the new http-grep does email address
  scraping by default. [Gyanendra Mishra]

o [NSE] Added script http-fetch. This script can be used to fetch all files
  from the target, specific files from the target or files that match a  given
  pattern. [Gyanendra Mishra]

o [NSE] http-drupal-modules was renamed to http-drupal-enum. Extended to
  enumerate both themes and modules of drupal installations. [Gyanendra Mishra]

o [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD changed
  byte order of the IPv4 stack, so SYN scan and other raw packet functions were
  broken. [Edward Napierała] Also reported in [GH#50] by Olli Hauer.

o [NSE] Added script http-svn-enum. Enumerates users of a Subversion
  repository by examining commit logs. [Gyanendra Mishra]

o [NSE] Added script http-svn-info. Requests information from a
  Subversion repository. [Gyanendra Mishra]

o [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache,
  and refactored DNS code to improve readability and extensibility.
  [Gioacchino Mazzurco]

o [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]

o [NSE] Added NTLM authentication support to http.lua and a related function to create
  an ntlm v2 session response in smbauth.lua. [Gyanendra Mishra]

o [NSE] ssl-enum-ciphers now marks cipher scores as unknown for ciphers requiring
  the use of openssl when openssl is missing. [jrchamp]

o [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]

o [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client access
  policies and uses the new SLAXML parser. [Gyanendra Mishra]

o [NSE] Added a patch for vulns lib that allows list of tables to be submitted
  to fields in the vulns report. [Jacob Gajek]

o [NSE] Added additional checks for successful PUT request in http-put.
  [Oleg Mitrofanov]

o [NSE] Added an update for http-methods that checks all possible methods not in
  Allow or Public header of OPTIONS response. [Gyanendra Mishra]

o [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner
  (a.k.a. Phrogz). [Gyanendra Mishra]

o [NSE] Added hnap-info, detects and outputs info for Home Network
  Administration Protocol devices. [Gyanendra Mishra]

o [NSE] Added http-webdav-scan, which detects WebDAV servers. [Gyanendra Mishra]

o [NSE] Added tor-consensus-checker, which checks if a target is a
  known Tor node. [Jiayi Ye]

http://nmap.org/
Title: Nmap 6.49 Beta 6
Post by: SiLæncer on 07 November 2015, 11:00
Changelog

    [NSE] Added ip-https-discover for detecting support for Microsoft's IP over HTTPS tunneling protocol. [Niklaus Schiess]
    [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in a single response. [nnposter]
    [NSE] [GH#194] Add support for reading fragmented TLS messages to ssl-enum-ciphers. [Jacob Gajek]
    [Ncat] [GH#193] Fix Ncat listen mode over Unix sockets (named pipes) on OS X. This was crashing with the error:

        Ncat: getnameinfo failed: Undefined error: 0 QUITTING.

    Fixed by forcing the name to "localhost" [Michael Wallner]
    [NSE] Added knx-gateway-discover and knx-gateway-info scripts for gathering information from multicast and unicast KNX gateways, which connect home automation systems to IP networks. [Niklaus Schiess, Dominik Schneider]
    [NSE] Added script http-ls. Parses web server directory index pages with optional recursion. [Pierre Lalet]
    [NSE] Added script xmlrpc-methods. This script performs introspection of xmlrpc services and lists methods and their description. [Gyanendra Mishra]
    [NSE] Added script http-fetch. This script can be used to fetch all files from the target, specific files from the target or files that match a given pattern. [Gyanendra Mishra]
    [NSE] Added script http-svn-enum. Enumerates users of a Subversion repository by examining commit logs. [Gyanendra Mishra]
    [NSE] Added script http-svn-info. Requests information from a Subversion repository. [Gyanendra Mishra]
    [NSE] Added hnap-info, detects and outputs info for Home Network Administration Protocol devices. [Gyanendra Mishra]
    [NSE] Added http-webdav-scan, which detects WebDAV servers. [Gyanendra Mishra]
    [NSE] Added tor-consensus-checker, which checks if a target is a known Tor node. [Jiayi Ye]
    [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache, and refactored DNS code to improve readability and extensibility. All in all, this makes the rDNS portion of IPv6 scans much faster. [Gioacchino Mazzurco]
    [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]
    [NSE] Added NTLM authentication support to http.lua and a related function to create an ntlm v2 session response in smbauth.lua. [Gyanendra Mishra]
    [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls scripts have been converted to use this module. [Pierre Lalet]
    [NSE] [GH#171] Splits smb-check-vulns into smb-vuln-conficker, smb-vuln-cve2009-3103, smb-vuln-ms06-025, smb-vuln-ms07-029, smb-vuln-regsvc-dos and smb-vuln-ms08-067. The scripts now support the library vulns and the script arguments "safe" and "unsafe" were removed in favor of allowing users to control execution by NSE category. [Paulino Calderon]
    [NSE] bacnet-info.nse and s7-info.nse were added to the version category. [Paulino Calderon]
    [NSE] Added 124 new identifiers to bacnet-info.nse vendor database. [Paulino Calderon]
    [NSE] Fixed bacnet-info.nse to bind to the service port detected during scan instead of fixed port. [Paulino Calderon]
    Fix a crash in Zenmap when using Compare Results: AttributeError: 'NoneType' object has no attribute 'get_nmap_output' [Daniel Miller]
    [NSE] Enhanced reporting of elliptic curve names and strengths in ssl-enum-ciphers. The name of the curve is now reported instead of just "ec" [Brandon Paulsen]
    [GH#75] Normalize Makefile targets to use the same verb-project format, e.g. build-ncat, check-zenmap, install-nping, clean-nsock [Gioacchino Mazzurco]
    [NSE] Removed http-email-harvest as the new http-grep does email address scraping by default. [Gyanendra Mishra]
    [NSE] http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate both themes and modules of drupal installations. [Gyanendra Mishra]
    [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]
    [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client access policies and uses the new SLAXML parser. [Gyanendra Mishra]
    [NSE] Added a patch for vulns lib that allows list of tables to be submitted to fields in the vulns report. [Jacob Gajek]
    [NSE] Added additional checks for successful PUT request in http-put. [Oleg Mitrofanov]
    [NSE] Added an update for http-methods that checks all possible methods not in Allow or Public header of OPTIONS response. [Gyanendra Mishra]
    [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner (a.k.a. Phrogz). [Gyanendra Mishra]
    [NSE] [GH#122] Update the snmp-brute and other snmp-* scripts to use the creds library to store brute-forced snmp community strings. This allows Nmap to use the correct brute-forced string for each host. [Gioacchino Mazzurco]
    Several improvements to TLS/SSL detection in nmap-service-probes. A new probe, TLSSessionReq, and improvements to default SSL ports should help speed up -sV scans. http://seclists.org/nmap-dev/2015/q2/17 [Daniel Miller]
    [Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_* are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the library instead of associated with a nspool. [Henri Doreau]
    [GH#181] The configure script now prints a summary of configured options. Most importantly, it warns if OpenSSL was not found, since most users will want this library compiled in. [Gioacchino Mazzurco]
    Define TCP Options for SYN scan in nmap.h instead of literally throughout. This string is used by p0f and other IDS to detect Nmap scans, so having it a compile-time option is a step towards better evasion. [Daniel Miller]
    [GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This should result in faster -6 scans. The old behavior is available with --system-dns. [Gioacchino Mazzurco]
    [NSE] Fix a couple odd bugs in NSE command-line parsing. Most notably, --script broadcast-* will now work (generally, wildcards with scripts whose name begins with a category name were not working properly). [Daniel Miller]
    [NSE] [GH#113] http-form-fuzzer will now stop increasing the size of a request when an HTTP 413 or 414 error indicates the web server will not accept a larger request. [Gioacchino Mazzurco]
    [NSE] [GH#159] Add the ability to tag credentials in the creds library with freeform text for easy retrieval. This gives necessary granularity to track credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]

http://nmap.org/
Title: Nmap 7.00
Post by: SiLæncer on 20 November 2015, 06:00
Changelog
This is the most important release since Nmap 6.00 back in May 2012! For a list of the most significant improvements and new features, see the announcement at: https://nmap.org/7

[NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):

targets-xml extracts target addresses from previous Nmap XML results files. [Daniel Miller]
[GH#232] ssl-dh-params checks for problems with weak, non-safe, and export-grade Diffie-Hellman parameters in TLS handshakes. This includes the LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]
nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names. [Soldier of Fortran]
ip-https-discover detects support for Microsoft's IP over HTTPS tunneling protocol. [Niklaus Schiess]
[GH#165] broadcast-sonicwall-discover detects and extracts information from SonicWall firewalls. [Raphael Hoegger]
[GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]
[Ncat] [GH#151] [GH#142] New option --no-shutdown prevents Ncat from shutting down when it reads EOF on stdin. This is the same as traditional netcat's "-d" option. [Adam Saponara]
[NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in a single response. [nnposter]

http://nmap.org/
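
The ssl-dh-params entry above distinguishes weak, non-safe and export-grade Diffie-Hellman parameters. The following is an added example (not part of this post and not Nmap's own code) of how a defender can classify a server's DH modulus: it checks the bit length against assumed thresholds (512 bits for export-grade, 1024 bits for weak) and tests whether the modulus is a safe prime, p = 2q + 1 with q prime. The thresholds and the Miller-Rabin implementation are this example's assumptions, not ssl-dh-params' rules.

```python
import random

# Thresholds used by this illustration (assumptions, not ssl-dh-params' own rules):
EXPORT_GRADE_BITS = 512   # the group size that Logjam (CVE-2015-4000) downgrades to
WEAK_BITS = 1024          # moduli below this are treated as weak


def is_probable_prime(n: int, rounds: int = 20) -> bool:
    """Miller-Rabin test with a fixed witness seed so results are reproducible."""
    if n < 2:
        return False
    for sp in (2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37):
        if n == sp:
            return True
        if n % sp == 0:
            return False
    # Write n - 1 = d * 2**s with d odd.
    d, s = n - 1, 0
    while d % 2 == 0:
        d //= 2
        s += 1
    rng = random.Random(0)
    for _ in range(rounds):
        a = rng.randrange(2, n - 1)
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False  # a is a witness that n is composite
    return True


def is_safe_prime(p: int) -> bool:
    """p is a safe prime when p = 2q + 1 with q also prime."""
    return is_probable_prime(p) and is_probable_prime((p - 1) // 2)


def assess_dh_modulus(p: int) -> dict:
    """Report the issues a reviewer would raise about a server's DH modulus p."""
    bits = p.bit_length()
    issues = []
    if bits <= EXPORT_GRADE_BITS:
        issues.append("export-grade")
    if bits < WEAK_BITS:
        issues.append("weak")
    safe = is_safe_prime(p)
    if not safe:
        issues.append("non-safe prime")
    return {"bits": bits, "safe_prime": safe, "issues": issues}


if __name__ == "__main__":
    # Constructed inputs: a tiny safe prime, a Mersenne prime whose (p-1)/2 is
    # composite, and a 2048-bit value that is not prime at all.
    for p in (23, 2**89 - 1, 2**2047 + 1):
        print(assess_dh_modulus(p))
```

In a real review the modulus comes from the ServerKeyExchange message of a DHE handshake; the classification logic is the same regardless of how p was obtained.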
Title: Nmap 7.01
Post by: SiLæncer on 10 December 2015, 09:16
Changelog
The Windows installer is now built with NSIS 2.47 which features LoadLibrary security hardening to prevent DLL hijacking and other unsafe use of temporary directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to us and the many other projects that use it.
[NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to match the one in nmap-service-probes, which was fixed previously to correct a length calculation error.
[NSE] [GH#251] Correct false positives and unexpected behavior in http-* scripts which used http.identify_404 to determine when a file was not found on the target. The function was following redirects, which could be an indication of a soft-404 response.
[NSE] [GH#241] Fix a false-positive in hnap-info when the target responds with 200 OK to any request.
[NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a non-HTTP service. The expected behavior is no output.
[NSE] Fix SSN validation function in http-grep

http://nmap.org/
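
The GH#251 and GH#241 fixes above both come down to the same false-positive source: a scanner that follows redirects, or that trusts a 200 OK, cannot tell a real page from a server's "not found" behaviour. The following is an added example (not from this post and not Nmap's http.identify_404 code) of the baseline approach that avoids both problems: learn how the server answers a path that cannot exist, without following redirects, then treat any response matching that baseline as "not found". The fake servers and their responses are constructed for the example.

```python
import hashlib
import random
import string
from dataclasses import dataclass, field
from typing import Callable, Dict, Optional


@dataclass
class Response:
    status: int
    body: str = ""
    headers: Dict[str, str] = field(default_factory=dict)


# One HTTP request for a path; the caller must NOT follow redirects, because a
# redirect is itself part of how many servers say "not found".
Fetch = Callable[[str], Response]


@dataclass
class NotFoundBaseline:
    kind: str                          # "hard-404", "redirect" or "soft-404"
    status: int
    location: Optional[str] = None     # where a redirect-style 404 sends you
    fingerprint: Optional[str] = None  # hash of the soft-404 body


def random_path(seed: int = 0, length: int = 12) -> str:
    rng = random.Random(seed)
    return "/" + "".join(rng.choice(string.ascii_lowercase) for _ in range(length))


def body_fingerprint(body: str) -> str:
    return hashlib.sha256(body.encode("utf-8")).hexdigest()


def learn_not_found(fetch: Fetch) -> NotFoundBaseline:
    """Request a path that cannot exist and record how this server denies it."""
    r = fetch(random_path())
    if r.status == 404:
        return NotFoundBaseline("hard-404", 404)
    if 300 <= r.status < 400:
        return NotFoundBaseline("redirect", r.status, location=r.headers.get("Location"))
    return NotFoundBaseline("soft-404", r.status, fingerprint=body_fingerprint(r.body))


def path_exists(fetch: Fetch, path: str, baseline: NotFoundBaseline) -> bool:
    """True only when the response differs from the learned not-found behaviour."""
    r = fetch(path)
    if r.status == 404:
        return False
    if baseline.kind == "redirect" and 300 <= r.status < 400 \
            and r.headers.get("Location") == baseline.location:
        return False
    if baseline.kind == "soft-404" and r.status == baseline.status \
            and body_fingerprint(r.body) == baseline.fingerprint:
        return False
    return True


# Constructed stand-ins for real servers (no network needed to run this).
def fake_server(known: Dict[str, str], missing: Response) -> Fetch:
    def fetch(path: str) -> Response:
        return Response(200, known[path]) if path in known else missing
    return fetch


SOFT_404_SERVER = fake_server({"/index.html": "<h1>Welcome</h1>"},
                              Response(200, "<h1>Sorry, page not found</h1>"))
REDIRECT_SERVER = fake_server({"/index.html": "<h1>Welcome</h1>"},
                              Response(302, headers={"Location": "/error"}))


if __name__ == "__main__":
    for name, srv in (("soft-404", SOFT_404_SERVER), ("redirect", REDIRECT_SERVER)):
        base = learn_not_found(srv)
        print(name, base.kind,
              path_exists(srv, "/index.html", base), path_exists(srv, "/admin", base))
```

The body fingerprint is deliberately an exact hash; a production check would normalise dynamic content (timestamps, the requested path echoed back) before hashing, otherwise every soft-404 page looks unique.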
Title: Nmap 7.10
Post by: SiLæncer on 18 March 2016, 05:30
Changelog

[NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):

    [GH#322] http-apache-server-status parses the server status page of Apache's mod_status. [Eric Gershman]
    http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in Allegro RomPager web server. Also added a fingerprint for detecting CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]
    [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon" pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]
    imap-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled IMAP services. [Justin Cacak]
    ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes. The discovery is the same as targets-ipv6-multicast-mld, but the subscribed addresses are decoded and listed. [Alexandru Geana, Daniel Miller]
    ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL Server instances via the NTLM challenge message. [Justin Cacak]
    nntp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled NNTP services. [Justin Cacak]
    pop3-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled POP3 services. [Justin Cacak]
    rusers retrieves information about logged-on users from the rusersd RPC service. [Daniel Miller]
    [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and retrieves open port and service info from their Internet-wide scan data. [Glenn Wilkinson]
    smtp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled SMTP and submission services. [Justin Cacak]
    telnet-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled Telnet services. [Justin Cacak]

Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux RPM) to 1.0.2g with SSLv2 enabled.
Integrated all of your IPv4 OS fingerprint submissions from October to January (536 of them). Added 104 fingerprints, bringing the new total to 5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more. Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]
Integrated all of your service/version detection fingerprints submitted from October to January (508 of them). The signature count went up 2.2% to 10532. We now detect 1108 protocols, from icy, finger, and rtsp to ipfs, basestation, and minecraft-pe. Highlights: http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]
Integrated all 12 of your IPv6 OS fingerprint submissions from October to January. The classifier added 3 new groups, including new and expanded groups for OS X, bringing the new total to 96. Highlights: http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]
[NSE] Upgrade to http-form-brute allowing correct handling of token-based CSRF protections and cookies. Also, a simple database of common login forms supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]
[Zenmap] [GH#247] Remember window geometry (position and size) from the previous time Zenmap was run. [isjing]
New service probe for CORBA GIOP (General Inter-ORB Protocol) detection should elicit a not-found exception from GIOP services that do not respond to non-GIOP probes. [Quentin Hardy]
[GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given /32 netmasks regardless of actual netmask configured, resulting in failed routing. Reported by Martin Gysi. [Daniel Miller]
[GH#272][GH#269] Give option parsing errors after the usage statement, or avoid printing the usage statement in some cases. The options summary has grown quite large, requiring users to scroll to the top to see the error message. [Abhishek Singh]
[GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors, ERR_reason_error_string would return NULL, which could not be printed with the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
[GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to not work in Zenmap on Windows.
Changed Nmap's idea of reserved and private IP addresses to include 169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in libnetutil's isipprivate function, is used to filter -iR randomly generated targets. The newly-valid address ranges belong to the U.S. Department of Defense, so users wanting to avoid those ranges should use their own exclusion lists with --exclude or --exclude-file. [Bill Parker, Daniel Miller]
Allow the -4 option for Nmap to indicate IPv4 address family. This is the default, and using the option doesn't change anything, but does make it more explicit which address family you want to scan. Using -4 with -6 is an error. [Daniel Miller]
[GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the screen. This happens at the time of argument parsing, so the usual meaning of "verbosity 0" is preserved. [isjing]
[NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]
[NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection against services that are not TLS encrypted by default but that support post connection upgrade. This will enable more comprehensive detection of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
[NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and BeEF to http-default-accounts. [nnposter]
Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation Required messages when tracing packets or in Nping output. Improper offset meant we were printing the total IP length. [Sławomir Demeszko]
[NSE] Added support for DHCP options "TFTP server name" and "Bootfile name" to dhcp.lua and enabled checking for options with a code above 61 by default. [Mike Rykowski]
[NSE] whois-ip: Don't request a remote IANA assignments data file when the local filesystem will not permit the file to cached in a local file. [jah]
[NSE] Updated http-php-version hash database to cover all versions from PHP 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled from Shodan API (https://www.shodan.io/) [Daniel Miller]
Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan types, allowing periodic status updates with --stats-every or keypress events. [Daniel Miller]
[GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]
Print service info in grepable output for ports which are not listed in nmap-services when a service tunnel (SSL) is detected. Previously, the service info ("ssl|unknown") was not printed unless the service inside the tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260 [Daniel Miller]
[NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent. [Tom Sellers]


http://nmap.org/
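
The changelog entry on isipprivate above changes which addresses a random-target run (-iR) filters out: 169.254/16 is now excluded, while 6/8, 7/8 and 55/8 are no longer excluded and must be kept out with --exclude or --exclude-file if unwanted. The following is an added example (not Nmap's libnetutil code) of that two-layer scope control in Python: a reserved-range filter plus a parser for an exclude-file style list. The reserved list is this example's assumption modelled on the entry's description, not a copy of Nmap's table, and the exclusion file contents are constructed.

```python
import ipaddress
from typing import Iterable, List, Union

Network = Union[ipaddress.IPv4Network, ipaddress.IPv6Network]

# Ranges treated as reserved/non-routable here. Assumption: this list follows the
# changelog's description (169.254/16 in; 6/8, 7/8, 55/8 out); it is not a copy of
# libnetutil's isipprivate table.
RESERVED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "224.0.0.0/4", "240.0.0.0/4",
)]


def is_reserved(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in RESERVED)


def parse_exclude_file(lines: Iterable[str]) -> List[Network]:
    """Parse an --exclude-file style list: one host or CIDR per line, '#' comments."""
    nets = []
    for raw in lines:
        entry = raw.split("#", 1)[0].strip()
        if entry:
            nets.append(ipaddress.ip_network(entry, strict=False))
    return nets


def in_scope(addr: str, exclusions: List[Network]) -> bool:
    """A candidate target is in scope if it is neither reserved nor excluded."""
    ip = ipaddress.ip_address(addr)
    return not is_reserved(addr) and not any(ip in net for net in exclusions)


def filter_targets(candidates: Iterable[str], exclusions: List[Network]) -> List[str]:
    return [a for a in candidates if in_scope(a, exclusions)]


# Constructed exclusion file mirroring the changelog's advice for the ranges that
# Nmap no longer filters on its own.
EXCLUDE_FILE = """
# ranges we never want in a random-target sample
6.0.0.0/8
7.0.0.0/8
55.0.0.0/8
""".splitlines()

if __name__ == "__main__":
    excl = parse_exclude_file(EXCLUDE_FILE)
    sample = ["169.254.10.1", "6.1.2.3", "8.8.8.8", "10.1.1.1", "55.4.4.4", "203.0.113.9"]
    print(filter_targets(sample, excl))   # ['8.8.8.8', '203.0.113.9']
```

Keeping the reserved list and the organisational exclusion list separate mirrors the change itself: the tool's built-in notion of "unroutable" is not a policy about which networks you are allowed to touch.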
Title: Nmap 7.11
Post by: SiLæncer on 24 March 2016, 12:00
Changelog

[NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that only support custom Diffie-Hellman groups. [Sergey Khegay]

[NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol, so you can now grab certs with ssl-cert or check ciphers with ssl-enum-ciphers. [Daniel Miller]
[Zenmap] Fix a crash when setting default window geometry:

    TypeError: argument of type 'int' is not iterable

[Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an empty or unknown locale:

    File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
      locale.getpreferredencoding())
    LookupError: unknown encoding:


[Zenmap] Fix a crash due to incorrect file paths when installing to /usr/local prefix. Example:

    Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!


http://nmap.org/
Title: Nmap 7.12
Post by: SiLæncer on 30 March 2016, 09:06
Changelog

[NSE] VNC updates including vnc-brute support for TLS security type and negotiating a lower RFB version if the server sends an unknown higher version. [Daniel Miller]
[NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]
Added new service probes and match lines for OpenVPN on UDP and TCP.


http://nmap.org/
Title: nmap 7.25 BETA1
Post by: SiLæncer on 16 July 2016, 09:01
Changelog

[NSE][GH#365] Added sslv2-drown for detecting vulnerability to the DROWN attack, including CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL. [Bertrand Bonnefoy-Claudet]
[NSE] Added http-mcmp for detecting mod_cluster Management Protocol (MCMP) and dumping its configuration. [Frank Spierings]
[Nping] Nping is now fully compatible with Npcap. [Daniel Miller]
[GH#279][Zenmap] Added a legend for the Topography window. [Suraj Hande]
[NSE] Added clamav-exec to detect ClamAV servers vulnerable to unauthorized clamav command execution. [Paulino Calderon]
[NSE] Added http-aspnet-debug to detect ASP.NET applications with debugging enabled. Script submitted by Josh Amishav-Zlatin. [Paulino Calderon]
Nmap can now make full use of Npcap, the Nmap Project's packet sniffing library for Windows. Most notably, this enables SYN scan and OS detection against localhost. [Yang Luo]
[NSE] Fix a crash that happened when trying to print the percent done of 0 NSE script threads:

    timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.

This would happen if no scripts were scheduled in a scan phase and the user pressed a key or specified a short --stats-every interval. Reported by Richard Petrie. [Daniel Miller]
[NSE] ssl-enum-ciphers will give a failing score to any server with an RSA certificate whose public key uses an exponent of 1. [Daniel Miller]
Update oldest supported Windows version to Vista (Windows 6.0). This enables the use of the poll Nsock engine. [Daniel Miller]
[GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of next to the zenmap.exe executable. This avoids a warning message when closing Zenmap if it produced any stderr output. [Daniel Miller]
[GH#379][NSE] Fix http-iis-short-name-brute to report non vulnerable hosts. Reported by alias1. [Paulino Calderon]
[GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown address family 0" crash on Windows and other platforms that do not set the src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
[NSE][GH#371] Fix mysql-audit by adding needed library requires to the mysql-cis.audit file. The script would fail with "Failed to load rulebase" message. [Paolo Perego]
Retrieve the correct network prefix length for an adapter on Windows. If more than one address was configured on an adapter, the same prefix length would be used for both. This incorrect behavior is still used on Windows XP and earlier. Reported by Niels Bohr. [Daniel Miller]
[NSE] ssl-enum-ciphers will cap the score of an RC4-ciphersuite handshake at C and output a warning referencing RFC 7465.
Changed libdnet-stripped to avoid bailing completely when an interface is encountered with an unsupported hardware address type. Caused "INTERFACES: NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address types. [Daniel Miller]
[NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse. Also added version detection and information extraction to match the new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
[GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The Probes will elicit responses from target services that allow better fingerprinting and information extraction. Also added nmap-payload entry for detecting LDAP on udp. [Tom Sellers]
[NSE] Added vnc-title for logging in to VNC servers and grabbing the desktop title, geometry, and color depth. [Daniel Miller]
[NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of authentication sub-types in vnc-info, and all zero-authentication types are recognized and reported. [Daniel Miller]
[NSE] Update to enable smb-os-discovery to augment version detection for certain SMB related services using data that the script discovers. [Tom Sellers]
Improved version detection and descriptions for Microsoft and Samba SMB services. Also addresses certain issues with OS identification. [Tom Sellers]


http://nmap.org/
Title: nmap 7.25 BETA 2
Post by: SiLæncer on 02 September 2016, 20:00
Changelog

[GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC" SHA256 certificate. This should give our users extra peace-of-mind and avoid triggering Microsoft's ever-increasing security warnings.
[NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a utf8 library, and native binary packing and unpacking functions. Removed bit library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick Donnelly]
[NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed at https://nmap.org/nsedoc/, and the summaries are below:

    oracle-tns-version decodes the version number from Oracle Database Server's TNS listener. [Daniel Miller]
    clock-skew analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. [Daniel Miller]

Integrated all of your service/version detection fingerprints submitted from January to April (578 of them). The signature count went up 2.2% to 10760. We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
[Nsock][GH#148] New, very fast IOCP Nsock engine uses "Overlapped I/O" to improve performance of version scan and NSE against many targets on Windows. [Tudor Emil Coman]
[Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only zenmap.conf. User will be warned that config cannot be saved and that they should fix the file permissions. [Daniel Miller]
[NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support, like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers will label the ciphersuite strength as "unknown." Reported by Bertrand Bonnefoy-Claudet. [Daniel Miller]
[NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages. [Daniel Miller]
[NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations against LDAP services when version detection or STARTTLS were used. [Tom Sellers]
[Zenmap] Long-overdue Spanish language translation has been added! Muy bien! [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
[GH#426] Remove a workaround for lack of selectable pcap file descriptors on Windows, which required including pcap-int.h and locking us to a single version of libpcap. The new method, using WaitForSingleObject should work with all versions of both WinPcap and Npcap. [Daniel Miller]
[NSE][GH#234] Added a --script-timeout option for limiting run time for every individual NSE script. [Abhishek Singh]
[Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in traditional netcat, it can be used to quickly check the status of a port. Port ranges are not supported. [Abhishek Singh]
Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and "nmap" with no options result in the same behaviors as on Linux (and no crashes) [Daniel Miller]
[NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode, which are vulnerable to the SWEET32 attack.
[NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when the wordlist contains "{cisco}". Previously, custom wordlists would still end up sending these extra 256 requests. [Sriram Raghunathan]
[GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated completion time. Instead, we'll output a diagnostic error message:

    Timing error: localtime(n) is NULL

where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
[NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
[NSE] Added 9 new fingerprints for script http-default-accounts. (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix, Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor) [nnposter]
[NSE] Completed a refresh and validation of almost all fingerprints for script http-default-accounts. Also improved the script speed. [nnposter]
[GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in IPv4. [Abhishek Singh]
Various performance improvements for large-scale high-rate scanning, including increased ping host groups, faster probe matching, and ensuring data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
[GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
[GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
[Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl and --max-conns, due to improper accounting of file descriptors. [Daniel Miller]
FTP Bounce scan: improved some edge cases like anonymous login without password, 500 errors used to indicate port closed, and timeouts for LIST command. Also fixed a 1-byte array overrun (read) when checking for privileged ports. [Daniel Miller]
[GH#140] Allow target DNS names up to 254 bytes. We previously imposed an incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
[NSE] The hard limit on number of concurrently running scripts can now increase above 1000 to match a high user-set --min-parallelism value. [Tudor Emil Coman]
[NSE] Solved a memory corruption issue that would happen if a socket connect operation produced an error immediately, such as Network Unreachable. The event handler was throwing a Lua error, preventing Nsock from cleaning up properly, leaking events. [Abhishek Singh, Daniel Miller]
[NSE] Added the datetime library for performing date and time calculations, and as a helper to the clock-skew script.
[GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully handling truncated replies. If a response is too long, we now fall back to using the system resolver to answer it. [Abhishek Singh]
[Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]


http://nmap.org/
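
The 7.25 BETA1 and BETA2 posts above list several ssl-enum-ciphers grading rules: a failing score for an RSA certificate with public exponent 1, a cap at C plus an RFC 7465 warning for RC4 handshakes, a SWEET32 warning for 64-bit block ciphers in CBC mode, and an "unknown" strength when the certificate cannot be parsed. The following is an added example (not the script's Lua code) that applies exactly those rules to IANA-style cipher suite names, so a reader can see how the letter grade and warnings are derived. The A-to-F scale, the list of 64-bit block cipher tokens and the worst_grade roll-up are this example's assumptions; the real script also factors key sizes into its scores, which is omitted here.

```python
from typing import List, Optional, Sequence, Tuple

GRADES = ("A", "B", "C", "D", "E", "F")
# Cipher name tokens with a 64-bit block size (assumed list for this illustration).
BLOCK64_TOKENS = {"3DES", "DES", "IDEA", "RC2", "CAST"}


def cap_grade(grade: str, cap: str) -> str:
    """Return the worse of the two letter grades."""
    return GRADES[max(GRADES.index(grade), GRADES.index(cap))]


def grade_handshake(suite: str, rsa_exponent: Optional[int] = None,
                    cert_parsed: bool = True) -> Tuple[str, List[str]]:
    """Grade one negotiated suite using the rules quoted in the changelog.

    suite: IANA-style name, e.g. TLS_RSA_WITH_RC4_128_SHA
    rsa_exponent: public exponent of the server's RSA certificate, if any
    cert_parsed: False when the certificate could not be parsed (DH certs etc.)
    """
    if not cert_parsed:
        return "unknown", ["certificate could not be parsed; strength unknown"]
    if rsa_exponent == 1:
        return "F", ["RSA public exponent is 1: the certificate key gives no protection"]
    parts = suite.upper().split("_")
    grade, warnings = "A", []
    if "RC4" in parts:
        warnings.append("RC4 is prohibited by RFC 7465")
        grade = cap_grade(grade, "C")
    if "CBC" in parts and BLOCK64_TOKENS & set(parts):
        warnings.append("64-bit block cipher in CBC mode (SWEET32)")
    return grade, warnings


def worst_grade(results: Sequence[Tuple[str, List[str]]]) -> str:
    """Roll a server's per-suite results up to its least favourable letter grade."""
    letters = [g for g, _ in results if g in GRADES]
    if not letters:
        return "unknown"
    return GRADES[max(GRADES.index(g) for g in letters)]


if __name__ == "__main__":
    # Constructed handshake results for one hypothetical server.
    offered = [
        "TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
        "TLS_RSA_WITH_RC4_128_SHA",
        "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
    ]
    results = [grade_handshake(s, rsa_exponent=65537) for s in offered]
    for suite, (grade, warns) in zip(offered, results):
        print(f"{grade}  {suite}  {'; '.join(warns)}")
    print("least favourable:", worst_grade(results))
```

Note that the SWEET32 rule only warns, as the changelog states; whether to also lower the grade for such suites is a policy decision left to the reader.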
Title: Nmap 7.30
Post by: SiLæncer on 30 September 2016, 12:19
Changelog

Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X.
Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.09 to 0.10r2. This includes many bug fixes, with a particular emphasis on concurrency issues discovered by running hundreds of Nmap instances at a time. More details are available from https://github.com/nmap/npcap/releases.
New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox
Improved some output filtering to remove or escape carriage returns ('\r') that could allow output spoofing by overwriting portions of the screen. Issue reported by Adam Rutherford.
[NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking. [Adam Rutherford, Daniel Miller]
Fixed a discrepancy between the number of targets selected with -iR and the number of hosts scanned, resulting in output like "Nmap done: 1033 IP addresses" when the user specified -iR 1000.
Fixed a bug in port specification parsing that could cause extraneous 'T', 'U', 'S', and 'P' characters to be ignored when they should have caused an error. [David Fifield]
[GH#543] Restored compatibility with LibreSSL, which was lost in adding library version checks for OpenSSL 1.1.
[Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting in this message instead of Ndiff output:
    ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find:
    /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
Reported by Kyle Gustafson.
[NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages.
[NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now shows the Subject Alternative Name extension; all extensions are shown in the XML output.
[NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
[GH#369] coap-resources grabs the list of available resources from CoAP endpoints. [Mak Kolybabi]
fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services.
ipmi-brute performs authentication brute-forcing on IPMI services. [Claudiu Perta]
ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows connection without a password.
ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services.
a MQTT broker, subscribes to topics, and lists the messages received.
pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs.
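The carriage-return filtering entry above is easiest to appreciate by seeing what a terminal does with an unescaped banner. The following is an added example, not Nmap's own output code; the hostile banner and the line layout are constructed.

```python
# Added example (not Nmap's own code). It shows why unescaped carriage returns
# in service banners are a problem and one way to neutralise them before printing.
# The banner below is constructed; a hostile service could send it in reply to a probe.

# Printable replacements for the control characters most likely to be abused.
_NAMED_ESCAPES = {"\r": "\\r", "\n": "\\n", "\t": "\\t", "\x1b": "\\x1b"}


def escape_banner(text: str) -> str:
    """Replace every control character with a visible escape sequence.

    Anything below 0x20 (and DEL, 0x7f) is rewritten, so neither a bare '\\r' nor
    an ANSI escape sequence introduced by ESC can reach the terminal unchanged.
    """
    out = []
    for ch in text:
        if ch in _NAMED_ESCAPES:
            out.append(_NAMED_ESCAPES[ch])
        elif ord(ch) < 0x20 or ord(ch) == 0x7F:
            out.append("\\x%02x" % ord(ch))
        else:
            out.append(ch)
    return "".join(out)


def port_line(port: int, proto: str, state: str, service: str,
              banner: str, escape: bool = True) -> str:
    """Build one scanner-style result line, optionally escaping the banner."""
    shown = escape_banner(banner) if escape else banner
    return f"{port}/{proto} {state:<6} {service:<4} {shown}"


def render_line(raw: str) -> str:
    """Simulate what a terminal displays for one line of raw output.

    '\\r' moves the cursor back to column 0 without clearing the line, so the
    characters that follow overwrite whatever was printed earlier on that line.
    """
    screen = []
    col = 0
    for ch in raw:
        if ch == "\r":
            col = 0
            continue
        if col < len(screen):
            screen[col] = ch
        else:
            screen.append(ch)
        col += 1
    return "".join(screen)


# Constructed hostile banner: a real-looking version string followed by a
# carriage return and text that mimics a "closed" result line.
SPOOF_BANNER = "SSH-2.0-OpenSSH_7.4\r22/tcp closed ssh"


def demo() -> tuple:
    """Return (what the terminal shows unescaped, what it shows escaped)."""
    unsafe = render_line(port_line(22, "tcp", "open", "ssh", SPOOF_BANNER, escape=False))
    safe = render_line(port_line(22, "tcp", "open", "ssh", SPOOF_BANNER, escape=True))
    return unsafe, safe


if __name__ == "__main__":
    unsafe, safe = demo()
    print("unescaped:", unsafe)
    print("escaped:  ", safe)
```

Run unescaped, the "open" result is visually replaced by "closed"; with escaping, the reader sees the literal `\r` and the real state.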


http://nmap.org/
Title: Nmap 7.31
Post by: SiLæncer on 23 October, 2016, 12:00
Changelog

[Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing increased stability, bug fixes, and raw 802.11 WiFi capture (unused by Nmap). Further details on these changes can be found at https://github.com/nmap/npcap/releases. [Yang Luo]
Fixed the way Nmap handles scanning names that resolve to the same IP. Due to changes in 7.30, the IP was only being scanned once, with bogus results displayed for the other names. The previous behavior is now restored. [Tudor Emil Coman]
[Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege check was performed too late, so the Npcap loading code assumed the user had no rights. [Yang Luo, Daniel Miller]
[GH#350] Fix an assertion failure due to floating point error in equality comparison, which triggered mainly on OpenBSD:

    assertion "diff <= interval" failed: file "timing.cc", line 440

This was reported earlier as [GH#472] but the assertion fixed there was a different one. [David Carlier]
[Zenmap] Fix a crash in the About page in the Spanish translation due to a missing format specifier:

    File "zenmapGUI\About.pyo", line 217, in __init__
    TypeError: not all arguments converted during string formatting

[Daniel Miller]
[Zenmap][GH#556] Better visual indication that display of hostname is tied to address in the Topology page. You can show numeric addresses with hostnames or without, but you can't show hostnames without numeric addresses when they are not available. [Daniel Miller]
To increase the number of IPv6 fingerprint submissions, a prompt for submission will be shown with some random chance for successful matches of OS classes that are based on only a few submissions. Previously, only unsuccessful matches produced such a prompt. [Daniel Miller]


http://nmap.org/
Title: Nmap 7.40
Post by: SiLæncer on 21 December, 2016, 09:09
Changelog

[Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an improved installer experience, driver signing updates to work with Windows 10 build 1607, and bugfixes for WiFi connectivity problems. [Yang Luo, Daniel Miller]
Integrated all of your IPv4 OS fingerprint submissions from April to September (568 of them). Added 149 fingerprints, bringing the new total to 5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more. Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]
Integrated all of your service/version detection fingerprints submitted from April to September (779 of them). The signature count went up 3.1% to 11,095. We now detect 1161 protocols, from airserv-ng, domaintime, and mep to nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115 [Daniel Miller]
Fix reverse DNS on Windows which was failing with the message "mass_dns: warning: Unable to determine any DNS servers." This was because the interface GUID comparison needed to be case-insensitive. [Robert Croteau]

[NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270 services. [Soldier of Fortran]
cics-user-enum brute-forces usernames for CICS users on TN3270 services. [Soldier of Fortran]
fingerprint-strings will print the ASCII strings it finds in the service fingerprints that Nmap shows for unidentified services. [Daniel Miller]
[GH#606] ip-geolocation-map-bing renders IP geolocation data as an image via Bing Maps API. [Mak Kolybabi]
[GH#606] ip-geolocation-map-google renders IP geolocation data as an image via Google Maps API. [Mak Kolybabi]
[GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file for import into other mapping software [Mak Kolybabi]
nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST and OHOST. Helpfully, nje-node-brute can now brute force both of those values. [Soldier of Fortran]
[GH#557] ssl-cert-intaddr will search for private IP addresses in TLS certificate fields and extensions. [Steve Benson]
tn3270-screen shows the login screen from mainframe TN3270 Telnet services, including any hidden fields. The script is accompanied by the new tn3270 library. [Soldier of Fortran]
tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
vtam-enum brute-forces VTAM application IDs for TN3270 services. [Soldier of Fortran]
[NSE][GH#518] Brute scripts are faster and more accurate. New feedback and adaptivity mechanisms in brute.lua help brute scripts use resources more efficiently, dynamically changing number of threads based on protocol messages like FTP 421 errors, network errors like timeouts, etc. [Sergey Khegay]
[GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan times in exchange for labeling unresponsive (and possibly open) ports as "closed|filtered". Ports which give a UDP protocol response to one of Nmap's scanning payloads will be marked "open". [Sergey Khegay]
[NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that service at some point. Reported by Brian Morin.
[NSE][GH#606] New NSE library, geoip.lua, provides a common framework for storing and retrieving IP geolocation results. [Mak Kolybabi]
[Ncat] Restore the connection success message that Ncat prints with -v. This was accidentally suppressed when not using -z.
[GH#316] Added scan resume from Nmap's XML output. Now you can --resume a canceled scan from all 3 major output formats: -oN, -oG, and -oX. [Tudor Emil Coman]
[Ndiff][GH#591] Fix a bug where hosts with the same IP but different hostnames were shown as changing hostnames between scans. Made sort stable with regard to hostnames. [Daniel Miller]
[NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for TLS Server Name Indication extension. The argument overrides the default use of the host's targetname. [Bertrand Bonnefoy-Claudet]
[GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
[NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a floating-point number being passed to os.time ("bad argument"). [Dallas Winger]
[NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in mysql-brute and other scripts due to including a null terminator in the salt value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
The --open option now implies --defeat-rst-ratelimit. This may result in inaccuracies in the numbers of "Not shown:" closed and filtered ports, but only in situations where it also speeds up scan times. [Daniel Miller]
[NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and IronPort to ssl-dh-params. [Frank Bergmann]
Added service probe for ClamAV servers (clam), an open source antivirus engine used in mail scanning. [Paulino Calderon]
Added service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
[NSE] Enabled resolveall to run against any target provided as a hostname, so the resolveall.hosts script-arg is no longer required. [Daniel Miller]

[NSE] Revised script http-default-accounts in several ways [nnposter]:

Added 21 new fingerprints, plus broadened 5 to cover more variants.
[GH#577] It can now test systems that return status 200 for non-existent pages.
[GH#604] Implemented XML output. Layout of the classic text output has also changed, including reporting blank usernames or passwords as "", instead of just empty strings.
Added CPE entries to individual fingerprints (where known). They are reported only in the XML output.
[NSE][GH#573] Updated http.lua to allow processing of HTTP responses with malformed header names. Such header lines are still captured in the rawheader list but skipped otherwise. [nnposter]
[GH#416] New service probe and match line for iperf3. [Eric Gershman]
[NSE][GH#555] Add Drupal to the set of web apps brute forced by http-form-brute. [Nima Ghotbi]


http://nmap.org/
Title: Nmap 7.50
Post by: SiLæncer on 14 June, 2017, 05:45
Changelog

[Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9% to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon, slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
[NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

    [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported. [Emiliano Ticci]
    [GH#671] cics-info checks IBM TN3270 services for CICS transaction services and extracts useful information. [Soldier of Fortran]
    [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services. [Soldier of Fortran]
    [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags. [Steve Benson]
    http-security-headers checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
    [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache Struts2. [Seth Jackson]
    [GH#876] http-vuln-cve2017-5689 detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems. [Andrew Orr]
    http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]
    [GH#713] impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added. [Jeremy Hiebert]
    [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
    smb-vuln-cve-2017-7494 detects a remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares. [Wong Wai Tuck]
    smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems. [Paulino Calderon]
    [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
    vmware-version queries VMWare SOAP API for version and product information. Submitted in 2011, this was mistakenly turned into a service probe that was unable to elicit any matches. [Aleksey Tyurin]

[Ncat] A series of changes and fixes based on feedback from the Red Hat community:

    [GH#157] Ncat will now continue trying to connect to each resolved address for a hostname before declaring the connection refused, allowing it to fallback from IPv6 to IPv4 or to connect to names that use DNS failover. [Jaromir Koncicky, Michal Hlavinka]
    The --no-shutdown option now also works in connect mode, not only in listen mode.
    Made -i/--idle-timeout not cause Ncat in server mode to close while waiting for an initial connection. This was also causing -i to interfere with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
    [GH#773] Ncat in server mode properly handles TLS renegotiations and other situations where SSL_read returns a non-fatal error. This was causing SSL-over-TCP connections to be dropped. [Daniel Miller]
    Enable --ssl-ciphers to be used with Ncat in client mode, not only in server (listen) mode. [Daniel Miller]

[NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows. [Paulino Calderon]
[NSE] smb library's share_get_list now properly uses anonymous connections first before falling back to authenticating as a known user.
New service probes and matches for Apache HBase and Hadoop MapReduce. [Paulino Calderon]
Extended Memcached service probe and added match for Apache ZooKeeper. [Paulino Calderon]
[NSE] New script argument "vulns.short" will reduce vulns library script output to a single line containing the target name or IP, the vulnerability state, and the CVE ID or title of the vulnerability. [Daniel Miller]
[NSE][GH#862] SNMP scripts will now take a community string provided like `--script-args creds.snmp=private`, which previously did not work because it was interpreted as a username. [Daniel Miller]
[NSE] Resolved several issues in the default HTTP redirect rules:

    [GH#826] A redirect is now cancelled if the original URL contains embedded credentials
    [GH#829] A redirect test is now more careful in determining whether a redirect destination is related to the original host
    [GH#830] A redirect is now more strict in avoiding possible redirect loops

[nnposter]
[NSE][GH#766] The HTTP Host header will now include the port unless it is the default one for a given scheme. [nnposter]
[NSE] The HTTP response object has a new member, fragment, which contains a partially received body (if any) when the overall request fails to complete. [nnposter]
[NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which are silently ignored (in accordance with RFC 6265). Unrecognized attributes were previously causing HTTP requests with such cookies to fail. [nnposter]
[NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
[NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie header that has an extraneous trailing semicolon. [nnposter]
[NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated with option any_af. As an added benefit, option any_af is now available for all connections via comm.lua, not just HTTP requests. [nnposter]
[NSE][GH#781] There is a new common function, url.get_default_port(), to obtain the default port number for a given scheme. [nnposter]
[NSE][GH#833] Function url.parse() now returns the port part as a number, not a string. [nnposter]
No longer allow ICMP Time Exceeded messages to mark a host as down during host discovery. Running traceroute at the same time as Nmap was causing interference. [David Fifield]
[NSE][GH#807] Fixed a JSON library issue that was causing long integers to be expressed in the scientific/exponent notation. [nnposter]
[NSE] Fixed several potential hangs in NSE scripts that used receive_buf(pattern), which will not return if the service continues to send data that does not match pattern. A new function in match.lua, pattern_limit, is introduced to limit the number of bytes consumed while searching for the pattern. [Daniel Miller, Jacek Wielemborek]
[Nsock] Handle any and all socket connect errors the same: raise as an Nsock error instead of fatal. This prevents Nmap and Ncat from quitting with "Strange error from connect:" [Daniel Miller]
[NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
[NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting changes at the source site (www.robtex.com). [aDoN]
[NSE][GH#620][GH#715] Added 8 new http-enum fingerprints for Hadoop infrastructure components. [Thomas Debize, Varunram Ganesh]
[NSE][GH#629] Added two new fingerprints to http-default-accounts (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
[NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS probe due to a string escaping mixup. [Alexandr Savca]
[NSE][GH#694] ike-version now outputs information about supported attributes and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was submitted by Alexis La Goutte. [Daniel Miller]
[GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
[GH#649] New service probe and match lines for the JMON and RSE services of IBM Explorer for z/OS. [Soldier of Fortran]
Removed a duplicate service probe for Memcached added in 2011 (the original probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
New service probe and match line for NoMachine NX Server remote desktop. [Justin Cacak]
[Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap was installed to /Applications/Applications/Zenmap.app instead of /Applications/Zenmap.app.
[Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
[Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option, which was added in Nmap 7.10. Previously, this was treated the same as not specifying -v at all. [lymanZerga11]
[GH#630] Updated or removed some OpenSSL library calls that were deprecated in OpenSSL 1.1. [eroen]
[NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]
[NSE][GH#627] Fixed script hang in several brute scripts due to the "threads" script-arg not being converted to a number. Error message was "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
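The cookie fixes in this release (arbitrary attributes, unquoted whitespace in values, a trailing semicolon) and the http-cookie-flags script from the script list are two sides of the same RFC 6265 parsing task. As an added example, not code from Nmap or its NSE library, here is a tolerant Set-Cookie parser followed by the HttpOnly/Secure audit; the header values are constructed.

```python
# Added example (not Nmap's NSE code): a tolerant Set-Cookie parser following the
# RFC 6265 section 5.2 algorithm, plus the HttpOnly/Secure audit that the
# http-cookie-flags entry describes. The header values below are constructed.
from dataclasses import dataclass, field
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    # lower-cased attribute name -> value (None for flag attributes such as HttpOnly)
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)

    def has_flag(self, flag: str) -> bool:
        return flag.lower() in self.attrs


def parse_set_cookie(header: str) -> Optional[Cookie]:
    """Parse one Set-Cookie header value; return None if it must be ignored."""
    pieces = header.split(";")
    name_value = pieces[0]
    if "=" not in name_value:
        return None                      # RFC 6265 5.2: no '=' -> ignore the header
    name, value = name_value.split("=", 1)
    name, value = name.strip(), value.strip()
    if not name:
        return None
    cookie = Cookie(name, value)         # inner whitespace in the value is kept
    for piece in pieces[1:]:
        piece = piece.strip()
        if not piece:
            continue                     # tolerates an extraneous trailing ';'
        if "=" in piece:
            attr_name, attr_value = piece.split("=", 1)
            cookie.attrs[attr_name.strip().lower()] = attr_value.strip()
        else:
            cookie.attrs[piece.lower()] = None
        # Unknown attributes are recorded but never interpreted, as RFC 6265 directs
    return cookie


def missing_flags(cookie: Cookie, over_tls: bool = True) -> List[str]:
    """List the protective flags a cookie lacks (Secure only matters over TLS)."""
    missing = []
    if not cookie.has_flag("httponly"):
        missing.append("HttpOnly")
    if over_tls and not cookie.has_flag("secure"):
        missing.append("Secure")
    return missing


def audit_cookies(headers: List[str], over_tls: bool = True) -> Dict[str, List[str]]:
    """Map each parseable cookie name to the flags it is missing."""
    report = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        if cookie is not None:
            report[cookie.name] = missing_flags(cookie, over_tls)
    return report


# Constructed response headers exercising the edge cases named in the changelog.
SAMPLE_HEADERS = [
    "JSESSIONID=abc 123; Path=/; HttpOnly; Secure;",          # whitespace + trailing ';'
    "PHPSESSID=deadbeef; Path=/; SameSite=Lax; X-Custom=1",   # unknown attribute
    "track=1; Domain=example.test; Expires=Wed, 21 Oct 2026 07:28:00 GMT",
    "not-a-cookie",                                           # no '=' -> ignored
]

if __name__ == "__main__":
    for name, missing in audit_cookies(SAMPLE_HEADERS).items():
        print(f"{name}: {'OK' if not missing else 'missing ' + ', '.join(missing)}")
```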


http://nmap.org/
Title: Nmap 7.60
Post by: SiLæncer on 02 August, 2017, 13:30
Changelog


    [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues with installation and compatibility with the Windows 10 Creators Update.
    [NSE][GH#910] NSE scripts now have complete SSH support via libssh2, including password brute-forcing and running remote commands, thanks to the combined efforts of three Summer of Code students: [Devin Bjelland, Sergey Khegay, Evangelos Deirmentzoglou]
    [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
        ftp-syst sends SYST and STAT commands to FTP servers to get system version and connection information. [Daniel Miller]
        [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
        iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr Timorin, Daniel Miller]
        [GH#915] openwebnet-discovery retrieves device identifying information and number of connected devices running on openwebnet protocol. [Rewanth Cool]
        puppet-naivesigning checks for a misconfiguration in the Puppet CA where naive signing is enabled, allowing for any CSR to be automatically signed. [Wong Wai Tuck]
        [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old smbv2-enabled script. [Paulino Calderon]
        [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3 servers. [Paulino Calderon]
        [GH#943] smb2-time determines the current date and boot date of SMB2 servers. [Paulino Calderon]
        [GH#943] smb2-security-mode determines the message signing configuration of SMB2/SMB3 servers. [Paulino Calderon]
        [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
        ssh-auth-methods lists the authentication methods offered by an SSH server. [Devin Bjelland]
        ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
        ssh-publickey-acceptance checks public or private keys to see if they could be used to log in to a target. A list of known-compromised key pairs is included and checked by default. [Devin Bjelland]
        ssh-run uses user-provided credentials to run commands on targets via SSH. [Devin Bjelland]
    [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3 improvements. It was fully replaced by the smb-protocols script.
    [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client) mode with --udp --ssl. Also added Application Layer Protocol Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
    Updated the default ciphers list for Ncat and the secure ciphers list for Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
    [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16. [Andrew Orr]
    [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
    [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that resolve to unique addresses will be listed. [Aaron Heesakkers]
    [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
    [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved" characters, including hyphen, period, underscore, and tilde, as per RFC 3986. [nnposter]
    [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP 1.0 target (unless the target explicitly declares otherwise), as per RFC 7230. [nnposter]
    [NSE][GH#934] The HTTP response object has a new member, version, which contains the HTTP protocol version string returned by the server, e.g. "1.0". [nnposter]
    [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by ldap.lua. [Tom Sellers]
    [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute. Carriage Return characters were being sent in the connection packets, likely resulting in failure of the script. [Anant Shrivastava]
    [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to indicate forbidden User Agents. [Gyanendra Mishra]


http://nmap.org/
Title: Nmap 7.70
Post by: SiLæncer on 21 March, 2018, 09:02
Changelog

[Windows] Updated the bundled Npcap from 0.93 to 0.99-r2, with many stability fixes and installation improvements, as well as fixes to raw 802.11 frame capture. See https://nmap.org/npcap/changelog
Integrated all of your service/version detection fingerprints submitted from March 2017 to August 2017 (728 of them). The signature count went up 1.02% to 11,672, including 26 new softmatches. We now detect 1224 protocols from filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and watchguard. We will try to integrate the remaining submissions in the next release.
Integrated all of your IPv4 OS fingerprint submissions from September 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and more.
Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X.
Added the --resolve-all option to resolve and scan all IP addresses of a host. This essentially replaces the resolveall NSE script. [Daniel Miller]
[NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manually ran this NSE script against a malicious web server, the server could potentially (depending on NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn't be overwritten. We fixed http-fetch, audited our other scripts to ensure they didn't make this mistake, and we updated the httpspider library API to protect against this by default. [nnposter, Daniel Miller]
[NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
deluge-rpc-brute performs brute-force credential testing against Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
hostmap-crtsh lists subdomains by querying Google's Certificate Transparency logs. [Paulino Calderon]
[GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and reports back the IP address and port of the actual server behind the load-balancer. [Seth Jackson]
http-jsonp-detection Attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers. [Vinamra Bhatia]
http-trane-info obtains information from Trane Tracer SC controllers and connected HVAC devices. [Pedro Joaquin]
[GH#609] nbd-info uses the new nbd.lua library to query Network Block Devices for protocol and file export information. [Mak Kolybabi]
rsa-vuln-roca checks for RSA keys generated by Infineon TPMs vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks SSH and TLS services. [Daniel Miller]
[GH#987] smb-enum-services retrieves the list of services running on a remote Windows machine. Modern Windows systems require a privileged domain account in order to list the services. [Rewanth Cool]
tls-alpn checks TLS servers for Application Layer Protocol Negotiation (ALPN) support and reports supported protocols. ALPN largely replaces NPN, which tls-nextprotoneg was written for. [Daniel Miller]
[GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This was causing Ncat 7.60 in connect mode to quit with error: libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket. [nnposter]
[Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on renegotiation, the same issue that was partially fixed for server mode in [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel Miller]
[NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle misbehaving or rate-limiting services. Most significantly, brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for reporting infinite loops and proposing changes.
[NSE] VNC scripts now support Apple Remote Desktop authentication (auth type 30) [Daniel Miller]
[NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out. [Aniket Pandey]
[NSE][GH#1114] Update bitcoin-getaddr to receive more than one response message, since the first message usually only has one address in it. [h43z]
[Ncat][GH#1139] Ncat now selects the correct default port for a given proxy type. [Pavel Zhukov]
[NSE] memcached-info can now gather information from the UDP memcached service in addition to the TCP service. The UDP service is frequently used as a DDoS reflector and amplifier. [Daniel Miller]
[NSE][GH#1129] Changed url.absolute() behavior with respect to dot and dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
Removed deprecated and undocumented aliases for several long options that used underscores instead of hyphens, such as --max_retries. [Daniel Miller]
Improved service scan's treatment of soft matches in two ways. First of all, any probes that could result in a full match with the soft matched service will now be sent, regardless of rarity. This improves the chances of matching unusual services on non-standard ports. Second, probes are now skipped if they don't contain any signatures for the soft matched service. Previously the probes would still be run as long as the target port number matched the probe's specification. Together, these changes should make service/version detection faster and more accurate. For more details on how it works, see https://nmap.org/book/vscan.html. [Daniel Miller]
--version-all now turns off the soft match optimization, ensuring that all probes really are sent, even if there aren't any existing match lines for the softmatched service. This is slower, but gives the most comprehensive results and produces better fingerprints for submission. [Daniel Miller]
[NSE][GH#1083] New set of Telnet softmatches for version detection based on Telnet DO/DON'T options offered, covering a wide variety of devices and operating systems. [D Roberson]
[GH#1112] Resolved crash opportunities caused by unexpected libpcap version string format. [Gisle Vanem, nnposter]
[NSE][GH#1090] Fix false positives in rexec-brute by checking responses for indications of login failure. [Daniel Miller]
[NSE][GH#1099] Fix http-fetch to keep downloaded files in separate destination directories. [Aniket Pandey]
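The http-bigip-cookie entry in the script list above decodes F5 BIG-IP persistence cookies. As an added example, not the NSE script itself, the following decoder covers the three plaintext layouts F5 documents (IPv4, IPv6, and the route-domain form) and explains why a plaintext cookie leaks the pool member's address; all cookie values are constructed.

```python
# Added example (not the http-bigip-cookie NSE script itself): decode the three
# documented plaintext layouts of an F5 BIG-IP persistence cookie and recover the
# pool member behind the load balancer. Cookie values below are constructed.
import ipaddress
import re
import struct
from typing import NamedTuple, Optional

# Default cookie name prefix is "BIGipServer<pool name>"; the value layouts are:
#   IPv4:               "1677787402.36895.0000"          ip and port as little-endian decimals
#   IPv6:               "vi<32 hex chars>.<port>"         port still a little-endian decimal
#   with route domain:  "rd<id>o<32 hex chars>o<port>"   port in natural order
_IPV4 = re.compile(r"^(\d{1,10})\.(\d{1,5})\.0000$")
_IPV6 = re.compile(r"^vi([0-9a-fA-F]{32})\.(\d{1,5})$")
_RD = re.compile(r"^rd(\d+)o([0-9a-fA-F]{32})o(\d{1,5})$")


class Backend(NamedTuple):
    address: str
    port: int
    route_domain: Optional[int]


def _swap16(n: int) -> int:
    """Interpret a decimal port as a little-endian 16-bit value (36895 -> 8080)."""
    if not 0 <= n <= 0xFFFF:
        raise ValueError("port out of range")
    return ((n & 0xFF) << 8) | (n >> 8)


def _addr_from_hex(hex32: str) -> str:
    """Turn 32 hex digits into an address, unmapping ::ffff:a.b.c.d to IPv4."""
    addr = ipaddress.IPv6Address(bytes.fromhex(hex32))
    mapped = addr.ipv4_mapped
    return str(mapped) if mapped is not None else str(addr)


def decode_bigip_cookie(value: str) -> Optional[Backend]:
    """Return the backend encoded in a cookie value, or None if it is not plaintext."""
    m = _IPV4.match(value)
    if m:
        ip_le, port_le = int(m.group(1)), int(m.group(2))
        if ip_le > 0xFFFFFFFF:
            return None
        # the 32-bit decimal is the address in little-endian byte order
        address = ipaddress.IPv4Address(struct.pack("<I", ip_le))
        return Backend(str(address), _swap16(port_le), None)
    m = _IPV6.match(value)
    if m:
        return Backend(_addr_from_hex(m.group(1)), _swap16(int(m.group(2))), None)
    m = _RD.match(value)
    if m:
        port = int(m.group(3))
        if port > 0xFFFF:
            return None
        return Backend(_addr_from_hex(m.group(2)), port, int(m.group(1)))
    return None   # encrypted ("!...") or unrelated cookie value


def find_bigip_backends(set_cookie_headers) -> dict:
    """Scan Set-Cookie headers for BIGipServer* cookies and decode each one."""
    found = {}
    for header in set_cookie_headers:
        name_value = header.split(";", 1)[0]
        if "=" not in name_value:
            continue
        name, value = (s.strip() for s in name_value.split("=", 1))
        if name.startswith("BIGipServer"):
            backend = decode_bigip_cookie(value)
            if backend is not None:
                found[name] = backend
    return found


# Constructed headers: one plaintext IPv4 cookie and one (fake) encrypted cookie.
SAMPLE_HEADERS = [
    "BIGipServerweb_pool=1677787402.36895.0000; path=/",
    "BIGipServerapi_pool=!ENCRYPTEDEXAMPLE; path=/",
]

if __name__ == "__main__":
    for name, backend in find_bigip_backends(SAMPLE_HEADERS).items():
        print(f"{name}: {backend.address}:{backend.port} (route domain {backend.route_domain})")
```

A decoder returning a result on your own load balancer's cookies means internal addresses are exposed to every client; F5's cookie encryption option removes the plaintext layout entirely.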
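The http-fetch traversal fix above and the per-host destination directories in the GH#1099 entry both come down to one question: where may a fetched URL be written? As an added example, not the script's own code, the following computes that location and rejects anything that would escape the download tree; the URLs and the `downloads` directory are constructed.

```python
# Added example (not the http-fetch script's own code): compute where a fetched
# URL may be written so that nothing escapes the destination directory, keeping a
# separate subdirectory per host. Paths and URLs below are constructed.
import os
from typing import List
from urllib.parse import unquote, urlsplit


def _clean_segments(path: str) -> List[str]:
    """Split a URL path into segments, rejecting anything that could traverse."""
    segments = []
    for raw in unquote(path).split("/"):     # decode first so %2e%2e cannot hide
        seg = raw.strip()
        if seg in ("", "."):
            continue                         # empty and current-dir segments are dropped
        if seg == ".." or "\\" in seg or "\x00" in seg:
            raise ValueError(f"refusing path segment {raw!r}")
        segments.append(seg)
    return segments


def safe_destination(dest_dir: str, url: str) -> str:
    """Return an absolute file path under dest_dir/<host>/ for the given URL.

    Raises ValueError when the URL's host or path would land outside that tree.
    """
    parts = urlsplit(url)
    host = parts.hostname or ""
    if not host or host in (".", "..") or any(c in host for c in "/\\\x00"):
        raise ValueError(f"unusable host {host!r}")
    segments = _clean_segments(parts.path) or ["index.html"]
    root = os.path.realpath(os.path.join(dest_dir, host))
    candidate = os.path.realpath(os.path.join(root, *segments))
    # Second line of defence: even after segment filtering, verify containment on
    # the normalised path so symlinks or platform quirks cannot redirect the write.
    if os.path.commonpath([root, candidate]) != root:
        raise ValueError("destination escapes the download directory")
    return candidate


def plan_downloads(dest_dir: str, urls: List[str]) -> dict:
    """Map each URL to its destination, or to the rejection reason."""
    plan = {}
    for url in urls:
        try:
            plan[url] = safe_destination(dest_dir, url)
        except ValueError as exc:
            plan[url] = f"REJECTED: {exc}"
    return plan


# Constructed URLs: two benign, three that try to leave the download tree.
SAMPLE_URLS = [
    "http://example.test/docs/report.pdf",
    "http://example.test/",
    "http://example.test/../../etc/passwd",
    "http://example.test/%2e%2e/%2e%2e/etc/passwd",
    "http://other.test/a/b\\..\\..\\c",
]

if __name__ == "__main__":
    for url, where in plan_downloads("downloads", SAMPLE_URLS).items():
        print(f"{url} -> {where}")
```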

[NSE] Added new fingerprints to http-default-accounts:

Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
[GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
Added a new service detection match for WatchGuard Authentication Gateway. [Paulino Calderon]
[NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays (parameter qscan.delay). [nnposter]
[NSE][GH#1046] Script http-headers now fails properly if the target does not return a valid HTTP response. [spacewander]
[Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by default, in accordance with RFC 7465. [Codarren Velvindron]
[NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by not checking the error code in responses. Implementations which return an error are not vulnerable. [Juho Jokelainen]
[NSE][GH#958] Two new libraries for NSE.
idna - Support for internationalized domain names in applications (IDNA)
punycode (a transfer encoding syntax used in IDNA)
[Rewanth Cool]

[NSE] New fingerprints for http-enum:

[GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
[GH#767] Many WordPress version detections [Rewanth Cool]

[GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:

Usernames and/or passwords could not be empty
Passwords could not contain colons
SOCKS5 authentication was not properly documented
SOCKS5 authentication had a memory leak
[nnposter]
[GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be run. [Lukas Schwaighofer]
[GH#977] Improved DNS service version detection coverage and consistency by using data from a Project Sonar Internet wide survey. Numerous false positives were removed and reliable softmatches added. Match lines for version.bind responses were also consolidated using the technique below. [Tom Sellers]
[GH#977] Changed version probe fallbacks so as to work cross protocol (TCP/UDP). This enables consolidating match lines for services where the responses on TCP and UDP are similar. [Tom Sellers]
[NSE][GH#532] Added the zlib library for NSE so scripts can easily handle compression. This work started during GSOC 2014, so we're particularly pleased to finally integrate it! [Claudiu Perta, Daniel Miller]
[NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated as the number of tries, not retries, and a value of 0 would result in infinite retries. Instead, it is now the number of retries, defaulting to 2 (3 total tries), with no option for infinite retries.
[NSE] http-devframework-fingerprints.lua supports Jenkins server detection and returns extra information when Jenkins is detected [Vinamra Bhatia]
[GH#926] The rarity level of MS SQL's service detection probe was decreased. Now we can find MS SQL in odd ports without increasing version intensity. [Paulino Calderon]
[GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We were always reporting the version number of the included source, even when a different version was actually linked. [Pavel Zhukov]
Add a new helper function for nmap-service-probes match lines: $I(1,">") will unpack an unsigned big-endian integer value up to 8 bytes wide from capture 1. The second option can be "<" for little-endian. [Daniel Miller]
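As an added illustration of the $I(capture, endian) semantics described above (this is not Nmap's own implementation), the Python below decodes a regex capture as an unsigned integer of up to 8 bytes, big-endian by default and little-endian with "<". The banner and the match pattern are constructed for the demo and do not correspond to a real service.

```python
import re


def unpack_capture_int(capture: bytes, endian: str = ">") -> int:
    """Decode a regex capture as an unsigned integer, like $I(n, endian).

    endian is ">" (big-endian, the default) or "<" (little-endian).
    The capture may be 1 to 8 bytes wide, matching the documented limit.
    """
    if endian not in (">", "<"):
        raise ValueError("endian must be '>' or '<'")
    if not 1 <= len(capture) <= 8:
        raise ValueError("capture must be 1 to 8 bytes wide")
    order = "big" if endian == ">" else "little"
    return int.from_bytes(capture, byteorder=order, signed=False)


def apply_match_line(pattern: bytes, banner: bytes, endian: str = ">") -> dict:
    """Run a match regex against a banner and decode capture 1 as $I(1, endian).

    Returns an empty dict when the pattern does not match, so a caller can
    fall through to the next match line the way version detection does.
    """
    m = re.match(pattern, banner, re.DOTALL)
    if not m:
        return {}
    return {"build": unpack_capture_int(m.group(1), endian)}


# Constructed sample (not a real service): a 4-byte tag, then a big-endian
# 32-bit build number 0x00010203 (= 66051), then CRLF.
SAMPLE_BANNER = b"SVC\x00" + (0x00010203).to_bytes(4, "big") + b"\r\n"
# Equivalent of a match line that captures those four bytes as group 1.
SAMPLE_PATTERN = rb"^SVC\x00(.{4})\r\n"

if __name__ == "__main__":
    print(apply_match_line(SAMPLE_PATTERN, SAMPLE_BANNER))       # {'build': 66051}
    print(apply_match_line(SAMPLE_PATTERN, SAMPLE_BANNER, "<"))  # {'build': 50462976}
```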

http://nmap.org/
Title: Nmap 7.80
Post by: SiLæncer on 11 August, 2019, 12:00
Changelog


    [Windows] The Npcap Windows packet capturing library (https://npcap.org/) is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap from version 0.99-r2 to 0.9982, including all of these changes from the last 15 Npcap releases: https://nmap.org/npcap/changelog
    [NSE] Added 11 NSE scripts, from 8 authors, bringing the total up to 598! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
        [GH#1232] broadcast-hid-discoveryd discovers HID devices on a LAN by sending a discoveryd network broadcast probe. [Brendan Coles]
        [GH#1236] broadcast-jenkins-discover discovers Jenkins servers on a LAN by sending a discovery broadcast probe. [Brendan Coles]
        [GH#1016][GH#1082] http-hp-ilo-info extracts information from HP Integrated Lights-Out (iLO) servers. [rajeevrmenon97]
        [GH#1243] http-sap-netweaver-leak detects SAP Netweaver Portal with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]
        https-redirect detects HTTP servers that redirect to the same port, but with HTTPS. Some nginx servers do this, which made ssl-* scripts not run properly. [Daniel Miller]
        [GH#1504] lu-enum enumerates Logical Units (LU) of TN3270E servers. [Soldier of Fortran]
        [GH#1633] rdp-ntlm-info extracts Windows domain information from RDP services. [Tom Sellers]
        smb-vuln-webexec checks whether the WebExService is installed and allows code execution. [Ron Bowes]
        smb-webexec-exploit exploits the WebExService to run arbitrary commands with SYSTEM privileges. [Ron Bowes]
        [GH#1457] ubiquiti-discovery extracts information from the Ubiquiti Discovery service and assists version detection. [Tom Sellers]
        [GH#1126] vulners queries the Vulners CVE database API using CPE information from Nmap's service and application version detection. [GMedian, Daniel Miller]
    [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in Nmap, and set immediate mode on the pcap descriptor. This solves packet loss problems on Linux and may improve performance on other platforms. [Daniel Cater, Mike Pontillo, Daniel Miller]
    [NSE] Collected utility functions for string processing into a new library, stringaux.lua. [Daniel Miller]
    [NSE] New rand.lua library uses the best sources of random available on the system to generate random strings. [Daniel Miller]
    [NSE] New library, oops.lua, makes reporting errors easy, with plenty of debugging detail when needed, and no clutter when not. [Daniel Miller]
    [NSE] Collected utility functions for manipulating and searching tables into a new library, tableaux.lua. [Daniel Miller]
    [NSE] New knx.lua library holds common functions and definitions for communicating with KNX/Konnex devices. [Daniel Miller]
    [NSE][GH#1571] The HTTP library now provides transparent support for gzip-encoded response body. (See https://github.com/nmap/nmap/pull/1571 for an overview.) [nnposter]
    [Nsock][Ncat][GH#1075] Add AF_VSOCK (Linux VM sockets) functionality to Nsock and Ncat. VM sockets are used for communication between virtual machines and the hypervisor. [Stefan Hajnoczi]
    [Security][Windows] Address CVE-2019-1552 in OpenSSL by building with the prefix "C:\Program Files (x86)\Nmap\OpenSSL". This should prevent unauthorized users from modifying OpenSSL defaults by writing configuration to this directory.
    [Security][GH#1147][GH#1108] Reduced LibPCRE resource limits so that version detection can't use as much of the stack. Previously Nmap could crash when run on low-memory systems against target services which are intentionally or accidentally difficult to match. Someone assigned CVE-2018-15173 for this issue. [Daniel Miller]
    [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP ping is already used whenever possible, and the -PR option would not force it to be used in any other case. [Daniel Miller]
    [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap 7.25BETA2, has native support for binary data packing via string.pack and string.unpack. All existing scripts and libraries have been updated. [Daniel Miller]
    [NSE] Completely removed the bit.lua NSE library. All of its functions are replaced by native Lua bitwise operations, except for `arshift` (arithmetic shift) which has been moved to the bits.lua library. [Daniel Miller]
    [NSE][GH#1571] The HTTP library is now enforcing a size limit on the received response body. The default limit can be adjusted with a script argument, which applies to all scripts, and can be overridden case-by-case with an HTTP request option. (See https://github.com/nmap/nmap/pull/1571 for details.) [nnposter]
    [NSE][GH#1648] CR characters are no longer treated as illegal in script XML output. [nnposter]
    [GH#1659] Allow resuming nmap scan with lengthy command line [Clément Notin]
    [NSE][GH#1614] Add TLS support to rdp-enum-encryption. Enables determining protocol version against servers that require TLS and lays ground work for some NLA/CredSSP information collection. [Tom Sellers]
    [NSE][GH#1611] Address two protocol parsing issues in rdp-enum-encryption and the RDP nse library which broke scanning of Windows XP. Clarify protocol types [Tom Sellers]
    [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its resource file unless executed from a specific working directory. [nnposter]
    [NSE][GH#1467] Avoid clobbering the "severity" and "ignore_404" values of fingerprints in http-enum. None of the standard fingerprints uses these fields. [Kostas Milonas]
    [NSE][GH#1077] Fix a crash caused by a double-free of libssh2 session data when running SSH NSE scripts against non-SSH services. [Seth Randall]
    [NSE][GH#1565] Updates the execution rule of the mongodb scripts to be able to run on alternate ports. [Paulino Calderon]
    [Ncat][GH#1560] Allow Ncat to connect to servers on port 0, provided that the socket implementation allows this. [Daniel Miller]
    Update the included libpcap to 1.9.0. [Daniel Miller]
    [NSE][GH#1544] Fix a logic error that resulted in scripts not honoring the smbdomain script-arg when the target provided a domain in the NTLM challenge. [Daniel Miller]
    [Nsock][GH#1543] Avoid a crash (Protocol not supported) caused by trying to reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel Miller]
    [NSE][GH#1534] Removed OSVDB references from scripts and replaced them with BID references where possible. [nnposter]
    [NSE][GH#1504] Updates TN3270.lua and adds argument to disable TN3270E [Soldier of Fortran]
    [GH#1504] RMI parser could crash when encountering invalid input [Clément Notin]
    [GH#863] Avoid reporting negative latencies due to matching an ARP or ND response to a probe sent after it was received. [Daniel Miller]
    [Ncat][GH#1441] To avoid confusion and to support non-default proxy ports, option --proxy now requires a literal IPv6 address to be specified using square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]
    [Ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over whether proxy destinations are resolved by the remote proxy server or locally, by Ncat itself. See option --proxy-dns. [nnposter]
    [NSE][GH#1478] Updated script ftp-syst to prevent potential endless looping. [nnposter]
    [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti Discovery protocol. Devices often leave the related service open and it exposes significant amounts of information as well as the risk of being used as part of a DDoS. New nmap-payload entry for v1 of the protocol. [Tom Sellers]
    [NSE] Removed hostmap-ip2hosts.nse as the API has been broken for a while and the service was completely shutdown on Feb 17th, 2019. [Paulino Calderon]
    [NSE][GH#1318] Adds TN3270E support and additional improvements to tn3270.lua and updates tn3270-screen.nse to display the new setting. [mainframed]
    [NSE][GH#1346] Updates product codes and adds a check for response length in enip-info.nse. The script now uses string.unpack. [NothinRandom]
    [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve a compatibility issue with OpenSSL library configured with security level 2, as seen on current Debian or Kali. [Adrian Vollmer, nnposter]
    [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against non-SSH services. [Daniel Miller]
    [Zenmap] Fix a crash when Nmap executable cannot be found and the system PATH contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]
    [Zenmap] Fix a crash in results search when using the dir: operator:

        AttributeError: 'SearchDB' object has no attribute 'match_dir'

    [Daniel Miller]

    [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early termination of connections. [Alberto Garcia Illera]
    [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when the server responds with 200 status to a POST request to any URI. [Francesco Soncina]
    [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate that testing could not rule out vulnerability. [Daniel Miller]
    [GH#1355] When searching for Lua header files, actually use them where they are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel Miller]
    [NSE][GH#1331] Script traceroute-geolocation no longer crashes when www.GeoPlugin.net returns null coordinates [Michal Kubenka, nnposter]
    Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not use higher levels internally. [Daniel Miller]
    [NSE] tls.lua when creating a client_hello message will now only use a SSLv3 record layer if the protocol version is SSLv3. Some TLS implementations will not handshake with a client offering less than TLSv1.0. Scripts will have to manually fall back to SSLv3 to talk to SSLv3-only servers. [Daniel Miller]
    [NSE][GH#1322] Fix a few false-positive conditions in ssl-ccs-injection. TLS implementations that responded with fatal alerts other than "unexpected message" had been falsely marked as vulnerable. [Daniel Miller]
    Emergency fix to Nmap's birthday announcement so Nmap wishes itself a "Happy 21st Birthday" rather than "Happy 21th" in verbose mode (-v) on September 1, 2018. [Daniel Miller]
    [GH#1150] Start host timeout clocks when the first probe is sent to a host, not when the hostgroup is started. Sometimes a host doesn't get probes until late in the hostgroup, increasing the chance it will time out. [jsiembida]
    [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
        [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
        Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
        Fixing a bug that prevented using the same ECS option table more than once [nnposter]
    [Ncat][GH#1267] Fixed communication with commands launched with -e or -c on Windows, especially when --ssl is used. [Daniel Miller]
    [NSE] Script http-default-accounts can now select more than one fingerprint category. It now also possible to select fingerprints by name to support very specific scanning. [nnposter]
    [NSE] Script http-default-accounts was not able to run against more than one target host/port. [nnposter]
    [NSE][GH#1251] New script-arg `http.host` allows users to force a particular value for the Host header in all HTTP requests.
    [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead of "example.com" in EHLO command used for STARTTLS. [gwire]
    [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing Nmap with an assertion failure due to socket mixup [Daniel Miller]: nmap: nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext): Assertion `lua_gettop(L) == 7' failed.
    [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by IPS closing the connection. [Clément Notin]
    [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through HTTP proxies. [Phil Dibowitz]
    [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]
    [NSE][GH#1191] Add two common error strings that improve MySQL detection by the script http-sql-injection. [Robert Taylor, Paulino Calderon]
    [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script to generate the vulnerability report correctly. [rewardone]
    [NSE][GH#1218] Fix bug related to screen rendering in NSE library tn3270. This patch also improves the brute force script tso-brute. [mainframed]
    [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when the algorithm contains lowercase characters. [Jeswin Mathai]
    [GH#1204] Nmap could be fooled into ignoring TCP response packets if they used an unknown TCP Option, which would misalign the validation, causing it to fail. [Clément Notin, Daniel Miller]
    [NSE] The HTTP response parser now tolerates status lines without a reason phrase, which improves compatibility with some HTTP servers. [nnposter]
    [NSE][GH#1169][GH#1170][GH#1171][GH#1198] Parser for HTTP Set-Cookie header is now more compliant with RFC 6265:
        empty attributes are tolerated
        double quotes in cookie and/or attribute values are treated literally
        attributes with empty values and value-less attributes are parsed equally
        attributes named "name" or "value" are ignored
    [nnposter]
    [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den Bogert]
    [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written to. [Daniel Miller]
    Fixed --resume when the path to Nmap contains spaces. Reported on Windows by Adriel Desautels. [Daniel Miller]
    New service probe and match lines for adb, the Android Debug Bridge, which allows remote code execution and is left enabled by default on many devices. [Daniel Miller]
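The --proxy item above requires literal IPv6 addresses in square brackets because a bare "addr:port" is ambiguous once the address itself contains colons. As an added example that is not Ncat's code, this Python splits such a spec into host and port and rejects the ambiguous form; the function name is my own.

```python
import ipaddress
from typing import Optional, Tuple


def _parse_port(text: str) -> int:
    """Accept a decimal port in 0..65535 (port 0 is left to the socket layer)."""
    if not text.isdigit():
        raise ValueError(f"bad port: {text!r}")
    port = int(text)
    if port > 65535:
        raise ValueError(f"port out of range: {port}")
    return port


def split_proxy_spec(spec: str) -> Tuple[str, Optional[int]]:
    """Split a --proxy style HOST[:PORT] spec into (host, port).

    A literal IPv6 address must be written as [addr] or [addr]:port. A bare
    IPv6 literal is rejected, because its last colon could be either part of
    the address or the port separator. port is None when no port is given.
    """
    if spec.startswith("["):
        close = spec.find("]")
        if close < 0:
            raise ValueError("unterminated '[' in IPv6 literal")
        host = spec[1:close]
        ipaddress.IPv6Address(host)  # raises ValueError unless a valid IPv6 literal
        rest = spec[close + 1:]
        if rest == "":
            return host, None
        if not rest.startswith(":"):
            raise ValueError("unexpected text after ']'")
        return host, _parse_port(rest[1:])

    # More than one colon outside brackets can only be a bare IPv6 literal.
    if spec.count(":") > 1:
        raise ValueError("bare IPv6 literal is ambiguous; use [addr]:port")
    host, sep, port = spec.partition(":")
    if not host:
        raise ValueError("empty host")
    return host, (_parse_port(port) if sep else None)


if __name__ == "__main__":
    # Constructed inputs, including the form quoted in the changelog entry.
    for spec in ("[2001:db8::123]:456", "[2001:db8::123]", "proxy.example.test:1080"):
        print(spec, "->", split_proxy_spec(spec))
```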
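The four Set-Cookie parsing rules listed above (empty attributes tolerated, double quotes kept literally, empty-valued and value-less attributes treated alike, attributes named "name" or "value" ignored) are easiest to see in code. This Python parser is an added example, not the NSE http library; storing attributes under lowercased keys and marking value-less attributes as True are my own choices.

```python
from typing import Optional


def parse_set_cookie(header: str) -> Optional[dict]:
    """Parse one Set-Cookie header value into a dict.

    The cookie-pair is stored under the keys "name" and "value"; each
    attribute is stored under its lowercased name. Returns None when the
    header carries no cookie-pair at all.
    """
    pieces = header.split(";")
    # The first piece is the cookie-pair; everything after it is attributes.
    name, sep, value = pieces[0].partition("=")
    name = name.strip()
    if not sep or not name:
        return None
    # Double quotes are part of the value and are not stripped.
    cookie = {"name": name, "value": value.strip()}

    for raw in pieces[1:]:
        raw = raw.strip()
        if not raw:
            continue  # empty attribute from ";;" or a trailing ";" is tolerated
        aname, _, avalue = raw.partition("=")
        aname = aname.strip().lower()
        avalue = avalue.strip()
        if not aname:
            continue
        # An attribute literally named "name" or "value" would overwrite the
        # cookie-pair keys above, so it is ignored.
        if aname in ("name", "value"):
            continue
        # "Secure" and "Secure=" end up identical: present, with no value.
        cookie[aname] = avalue or True
    return cookie


# Constructed sample headers exercising each rule.
SAMPLE_HEADERS = [
    "sid=abc123; Path=/; HttpOnly;; Secure=",
    'tok="q=1"; name=evil; value=bad; Max-Age=60;',
    "junk",
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(repr(h), "->", parse_set_cookie(h))
```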

http://nmap.org/
Title: Nmap 7.90
Post by: SiLæncer on 03 October, 2020, 11:00
Changelog

    [GH#2126] Fix the "iocp" Nsock engine for Windows to be able to correctly handle PCAP read events. This engine is now the default for Windows, which should greatly improve performance over the previous default, the "poll" engine. [Daniel Miller]
    [GH#2051] Restrict Nmap's search path for scripts and data files. NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be searched on Windows, where it was previously defined as C:\Nmap . Additionally, the --script option will not interpret names as directory names unless they are followed by a '/'. [Daniel Miller]
    Removed nmap-update. This program was intended to provide a way to update data files and NSE scripts, but the infrastructure was never fielded. It depended on Subversion version control and would have required maintaining separate versions of NSE scripts for compatibility.
    [GH#2050] Reduced CPU usage of OS scan by 50% by avoiding string copy operations and removing undocumented fingerprint syntax unused in nmap-os-db ('&' and '+' in expressions). [Daniel Miller]
    [GH#92] Fix a regression in ARP host discovery left over from the move from massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in missing ARP responses from targets near the end of a scan. Accuracy and speed are both improved. [Daniel Miller]
    [GH#1834] Addressed over 250 code quality issues identified by LGTM.com, improving our code quality score from "C" to "A+"
    [GH#1764] Fix an assertion failure when unsolicited ARP response is received:

        nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.

    [GH#1859] Allow multiple UDP payloads to be specified for a port in nmap-payloads. If the first payload does not get a response, the remaining payloads are tried round-robin. [Paul Miseiko, Rapid7]
    [GH#1860] 23 new UDP payloads and dozens more default ports for existing payloads developed for Rapid7's InsightVM scan engine. These speed up and ensure detection of open UDP services. [Paul Miseiko, Rapid7]
    [GH#1616] New option --discovery-ignore-rst tells Nmap to ignore TCP RST responses when determining if a target is up. Useful when firewalls are spoofing RST packets. [Tom Sellers, Rapid7]
    [Ncat][GH#2087][GH#1927][GH#1928][GH#1974] It is now possible to override the value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]
    [GH#2104] Fixed parsing of TCP options which would hang (infinite loop) if an option had an explicit length of 0. Affects Nmap 7.80 only. [Daniel Miller, Imed Mnif]
    [NSE][GH#1460] Script ssh2-enum-algos would fail if the server initiated the key exchange before completing the protocol version exchange [Scott Ellis, nnposter]
    [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange confusion [nnposter]
    [NSE][GH#2098] Performance of script afp-ls has been dramatically improved [nnposter]
    [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and FPEnumerateExt2 responses was not working correctly [nnposter]
    [NSE][GH#2089] Eliminated false positives in script http-shellshock caused by simple reflection of HTTP request data [Anders Kaseorg]
    [NSE][GH#1473] SNMP scripts are now enabled on non-standard ports where SNMP has been detected [usd-markus, nnposter]
    [NSE][GH#2084] MQTT library was using incorrect position when parsing received responses [tatulea]
    [NSE][GH#2086] IPMI library was using incorrect position when parsing received responses [Star Salzman]
    [NSE][GH#2086] Scripts ipmi-brute and deluge-rpc-brute were not capturing successfully brute-forced credentials [Star Salzman]
    Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4 addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses will not be parsed as IP addresses when resuming from XML. [Daniel Miller]
    [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not lowercase. Nmap was failing to identify reverse-DNS names when the DNS server delivered them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard Schütz, Daniel Miller]
    [NSE][GH#1999][GH#2005] IKE library was not properly populating the protocol number in aggressive mode requests. [luc-x41]
    [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL Server 2019, MariaDB, and Crate.io CrateDB. Updated PostgreSQL coverage and added specific detection of recent versions running in Docker. [Tom Sellers]
    [NSE] New script uptime-agent-info collects system information from an Idera Uptime Infrastructure Monitor agent. [Daniel Miller]
    [NSE] New outlib library will consolidate functions related to NSE output, both string formatting conventions and structured output. [Daniel Miller]
    New XML output "hosthint" tag emitted during host discovery when a target is found to be up. This gives earlier notification than waiting for the hostgroup to finish all scan phases. [Paul Miseiko]
    [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123, 2152, and 3386. [Guillaume Teissier]
    [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on empirical data from Shodan.io, as well as the netconf-ssh service. [Lim Shi Min Jonathan, Daniel Miller]
    [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the desktop in macOS. [Roland Linder]
    [Nping] Address build failure under libc++ due to "using namespace std;" in several headers, resulting in conflicting definitions of bind(). Reported by StormBytePP and Rosen Penev. [Daniel Miller]
    [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket with verbose output enabled. [Stefano Garzarella]
    [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat by setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the credentials getting captured in process logs. [nnposter]
    [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded HTTP body. [Daniel Miller]
    Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.
    Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.
    [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]
    [Windows] Add support for the new loopback behavior in Npcap 0.9983. This enables Nmap to scan localhost on Windows without needing the Npcap Loopback Adapter to be installed, which was a source of problems for some users. [Daniel Miller]
    [NSE] MS SQL library has improved version resolution, from service pack level to individual cumulative updates [nnposter]
    [NSE][GH#2077] With increased verbosity, script http-default-accounts now reports matched target fingerprints even if no default credentials were found [nnposter]
    [NSE][GH#2063] IPP request object conversion to string was not working correctly [nnposter]
    [NSE][GH#2063] IPP response parser was not correctly processing end-of-attributes-tag [nnposter]
    [NSE] Script cups-info was failing due to erroneous double-decoding of the IPP printer status [nnposter]
    [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte arrays [nnposter]
    [NSE] The password hashing function for Oracle 10g was not working correctly for non-alphanumeric characters [nnposter]
    [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous entries present in vhosts-default.lst [nnposter]
    [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating Luhn checksum [Colleen Li, nnposter]
    [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now support new argument "mac" to force a specific client MAC address [nnposter]
    [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts [nnposter]
    [NSE] RPC code was using incorrect port range, which was causing some calls, such as NFS mountd, to fail intermittently [nnposter]
    [NSE][GH#1876] XML output from script ssl-cert now includes RSA key modulus and exponent [nnposter]
    [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls, call smb.find_files [nnposter]
    [NSE][GH#1802] The MongoDB library was causing errors when assembling protocol payloads. [nnposter]
    [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating request strings. [nnposter]
    [NSE][GH#1706] VNC handshakes were failing with insert position out of bounds error. [nnposter]
    [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not correctly populating ID Authority. [nnposter]
    [NSE][GH#1720] Unmarshalling functions in library msrpctypes were attempting arithmetic on a nil argument. [Ivan Ivanov, nnposter]
    [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library msrpc were incorrectly referencing function strjoin when called with debug level 2 or higher. [Ivan Ivanov]
    [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat Host Manager and Dell iDRAC9. [Clément Notin]
    [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing protocol negotiation to fail with data string too short error. [Clément Notin, nnposter]
    [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts to fail with bad format argument error. [Ivan Ivanov]
    [NSE] New script, dicom-brute.nse, attempts to brute force the called Application Entity Title of DICOM servers. [Paulino Calderon]
    [NSE] New script, dicom-ping.nse, discovers DICOM servers and determines if any Application Entity Title is allowed to connect. [Paulino Calderon]
    [NSE] New library, dicom.lua, implements the DICOM protocol used for storing and transferring medical images. [Paulino Calderon]
    [NSE][GH#1665] The HTTP library no longer crashes when code requests digest authentication but the server does not provide the necessary authentication header. [nnposter]
    [NSE] Fixed a bug in http-wordpress-users.nse that could cause extraneous output to be captured as part of a username. [Duarte Silva]
    Added a UDP payload for STUN (Session Traversal Utilities for NAT). [David Fifield]
    [NSE] Fixed an off-by-one bug in the stun.lua library that prevented parsing a server response. [David Fifield]

http://nmap.org/
Title: Nmap 7.91
Post by: SiLæncer on 11 October, 2020, 11:30
What's new:

    [NSE][GH#2136][GH#2137] Rectify error "time result cannot be represented..." in the AFP library. [Clément Notin]
    [NSE][GH#1473] It is now possible to control whether the SNMP library uses v1 (default) or v2c by setting script argument snmp.version. [nnposter]
    [NSE][GH#2128] MySQL library was not properly parsing server responses, resulting in script crashes. [nnposter]
    [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for the audit rule base. [nnposter]

http://nmap.org/
Title: Nmap / Zenmap 7.92
Post by: SiLæncer on 08 August, 2021, 11:00
Changelog

    [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.00 to the latest version 1.50. You can read about the dozens of performance improvements, bug fixes and feature enhancements at https://npcap.org/changelog.
    [Windows] Thanks to the Npcap 1.50 upgrade, Nmap now works on the Windows ARM architecture so you can run it on lightweight and power-efficient tablets like the Microsoft Surface Pro X and Samsung Galaxy Book Go. More ARM devices are on the way along with the upcoming Windows 11 release. See the Npcap on ARM announcement at https://seclists.org/nmap-announce/2021/2.
    [Windows] Updated our Windows builds to Visual Studio 2019, Windows 10 SDK, and the UCRT. This prevents Nmap from working on Windows Vista and earlier, but they can still use older versions of Nmap on their ancient operating system.
    New Nmap option --unique will prevent Nmap from scanning the same IP address twice, which can happen when different names resolve to the same address. [Daniel Miller]
    [NSE][GH#1691] TLS 1.3 now supported by most scripts for which it is relevant, such as ssl-enum-ciphers. Some functions like ssl tunnel connections and certificate parsing will require OpenSSL 1.1.1 or later to fully support TLS 1.3. [Daniel Miller]

    [NSE] Added 3 NSE scripts, from 4 authors, bringing the total up to 604! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:

        [GH#2201] nbns-interfaces queries NetBIOS name service (NBNS) to gather IP addresses of the target's network interfaces [Andrey Zhukov]
        [GH#711] openflow-info gathers preferred and supported protocol versions from OpenFlow devices [Jay Smith, Mak Kolybabi]
        port-states prints a list of ports that were found in each state, including states that were summarized as "Not shown: X closed ports" [Daniel Miller]

    Several changes to UDP payloads to improve accuracy:

        [GH#2269] Fix an issue with -sU where payload data went out-of-scope before it was used, causing corrupted payloads to be sent. [Mariusz Ziulek]
        Nmap's retransmission limits were preventing some UDP payloads from being tried with -sU and -PU. Now, Nmap sends each payload for a particular port at the same time without delay. [Daniel Miller]

        New UDP payloads:

            [GH#1279] TS3INIT1 for UDP 3389 [colcrunch]
            [GH#1895] DTLS for UDP 3391 (RD Gateway) [Arnim Rupp]

    [NSE][GH#2208][GH#2203] SMB2 dialect handling has been redesigned. Visible changes include:

        Notable improvement in speed of script smb-protocols and others
        Some SMB scripts are no longer using a hardcoded dialect, improving target interoperability
        Dialect names are aligned with Microsoft, such as 3.0.2, instead of 3.02 [nnposter]
    [GH#2350] Upgraded OpenSSL to version 1.1.1k. This addresses some CVEs which don't affect Nmap in a material way. Details: https://github.com/nmap/nmap/issues/2350
    Removed support for the ancient WinPcap library since we already include our own Npcap library (https://npcap.org) supporting the same API. WinPcap was abandoned years ago and its official download page says that "WE RECOMMEND USING Npcap INSTEAD" for security, stability, compatibility, and support reasons.
    [GH#2257] Fix an issue in addrset matching that was causing all targets to be excluded if the --excludefile listed a CIDR range that contains an earlier, smaller CIDR range. [Daniel Miller]
    Upgrade the Windows NSIS installer to use the latest NSIS 3 (version 3.07) instead of the previous NSIS 2 generation.
    Setting --host-timeout=0 will disable the host timeout, which is set by -T5 to 15 minutes. Earlier versions of Nmap require the user to specify a very long timeout instead.

    Improvements to Nmap's XML output:

        If a host times out, the XML <host> element will have the attribute timedout="true" and the host's timing info (srtt etc.) will still be printed.
        The "extrareasons" element now includes a list of port numbers for each "ignored" state. The "All X ports" and "Not shown:" lines in normal output have been changed slightly to provide more detail. [Daniel Miller]
    [NSE][GH#2237] Prevent the ssl-* NSE scripts from probing ports that were excluded from version scan, usually 9100-9107, since JetDirect will print anything sent to these ports. [Daniel Miller]
    [GH#2206] Nmap no longer produces the cryptic message "Failed to convert source address to presentation format" when unable to find a usable route to the target. [nnposter]
    [Ncat][GH#2202] Use safety-checked versions of FD_* macros to abort early if the number of connections exceeds FD_SETSIZE. [Pavel Zhukov]
    [Ncat] Connections proxied via SOCKS4/SOCKS5 were intermittently dropping server data sent right after the connection got established, such as port banners. [Sami Pönkänen]
    [Ncat][GH#2149] Fixed a bug in proxy connect mode which would close the connection as soon as it was opened in Nmap 7.90 and 7.91.
    [NSE][GH#2175] Fixed NSE so it will not consolidate all port script output for targets which share an IP (e.g. HTTP vhosts) under one target. [Daniel Miller]
    [Zenmap][GH#2157] Fixed an issue where a failure to execute Nmap would result in a Zenmap crash with "TypeError: coercing to Unicode" exception.
    Nmap no longer considers an ICMP Host Unreachable as confirmation that a target is down, in accordance with RFC 1122 which says these errors may be transient. Instead, the probe will be destroyed and other probes used to determine aliveness. [Daniel Miller]
    [Ncat][GH#2154] Ncat no longer crashes when used with Unix domain sockets.
    [Ncat][GH#2167][GH#2168] Ncat is now again generating certificates with the duration of one year. Due to a bug, recent versions of Ncat were using only one minute. [Tobias Girstmair]
    [NSE][GH#2281] URL/percent-encoding is now using uppercase hex digits to align with RFC 3986, section 2.1, and to improve compatibility with some real-world web servers. [nnposter]
    [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most visible are that certificate SANs are properly split apart and that identities that are syntactically invalid as hostnames are now ignored. [Michel Le Bihan, nnposter]
    [NSE] Loading of a Nikto database failed if the file was referenced relative to the Nmap directory. [nnposter]
    [GH#2199] Updated Nmap's NPSL license to rewrite a poorly-worded clause about "proprietary software companies". The new license version 0.93 is still available from https://nmap.org/npsl/. As described on that page, we are also still offering Nmap 7.90, 7.91, and 7.92 under the previous Nmap 7.80 license. Finally, we still offer the Nmap OEM program for companies who want a non-copyleft license allowing them to redistribute Nmap with their products at https://nmap.org/oem/.
    [NSE] Script smb2-vuln-uptime no longer reports false positives when the target does not provide its boot time. [nnposter]
    [NSE][GH#2197] Client packets composed by the DHCP library will now contain option 51 (IP address lease time) only when requested. [nnposter]
    [NSE][GH#2192] XML decoding in library citrixxml no longer crashes when encountering a character reference with codepoint greater than 255. (These references are now left unmodified.) [nnposter]
    [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for the audit rule base. [nnposter]
    [NSE][GH#1473] It is now possible to control whether the SNMP library uses v1 (default) or v2c by setting script argument snmp.version. [nnposter]
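The GH#2257 entry above describes an exclude-list bug: a --excludefile whose larger CIDR range was listed after a smaller range it contains caused every target to be dropped. The following is an added example (not Nmap's addrset code) of what a correct exclude check looks like, so a reader can verify a scan plan against an exclude list before running it. The exclude file contents and target addresses are constructed for illustration; the file format (one address or CIDR per line, `#` comments) follows Nmap's --excludefile syntax.

```python
"""Reference check for --excludefile semantics: a target is excluded if it falls
inside ANY listed range, regardless of the order in which overlapping ranges appear."""
import ipaddress

# Constructed exclude list. Note that 10.0.0.0/8 is listed AFTER the smaller
# 10.1.2.0/24 it contains; this ordering is exactly what triggered GH#2257.
EXCLUDE_FILE = """
# management networks, never scan
10.1.2.0/24
10.0.0.0/8
192.0.2.10
2001:db8::/32
"""


def load_excludes(text):
    """Parse --excludefile-style text into a list of ip_network objects."""
    nets = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()   # strip comments and whitespace
        if not line:
            continue
        # strict=False accepts host bits set in a CIDR (e.g. 10.1.2.5/24)
        nets.append(ipaddress.ip_network(line, strict=False))
    return nets


def is_excluded(addr, nets):
    """True if addr is inside any excluded network of the same IP version."""
    ip = ipaddress.ip_address(addr)
    return any(ip in n for n in nets if n.version == ip.version)


def filter_targets(targets, nets):
    """Split a target list into (kept, dropped) according to the exclude set."""
    kept, dropped = [], []
    for t in targets:
        (dropped if is_excluded(t, nets) else kept).append(t)
    return kept, dropped


if __name__ == "__main__":
    excludes = load_excludes(EXCLUDE_FILE)
    targets = ["10.1.2.5", "10.200.1.1", "172.16.0.1",
               "192.0.2.10", "192.0.2.11", "2001:db8::1", "2001:db9::1"]
    kept, dropped = filter_targets(targets, excludes)
    print("scan:", kept)
    print("skip:", dropped)
```

The property worth checking is the one the bug violated: overlapping ranges must only ever widen the excluded set, never empty the target list.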
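The GH#2281 entry switches NSE's URL encoding to uppercase hex digits, as RFC 3986 section 2.1 specifies. The NSE url library is Lua; the block below is an added Python illustration of the same rule, not the library's code, showing an encoder that emits uppercase triplets and a normaliser that uppercases existing triplets so that two encodings of the same path compare equal (RFC 3986 section 6.2.2.1). The sample strings are constructed.

```python
"""RFC 3986 percent-encoding with uppercase hex digits, plus case normalisation."""
import re

# Unreserved characters (RFC 3986 section 2.3) are never encoded.
UNRESERVED = set("ABCDEFGHIJKLMNOPQRSTUVWXYZ"
                 "abcdefghijklmnopqrstuvwxyz"
                 "0123456789-._~")

_PCT_TRIPLET = re.compile(r"%[0-9a-fA-F]{2}")


def percent_encode(text, safe=""):
    """Encode text as UTF-8 and percent-encode every byte that is not
    unreserved (or listed in `safe`), using uppercase hex as RFC 3986 requires."""
    keep = UNRESERVED | set(safe)
    out = []
    for byte in text.encode("utf-8"):
        if byte < 128 and chr(byte) in keep:
            out.append(chr(byte))
        else:
            out.append("%%%02X" % byte)   # %02X -> uppercase hex digits
    return "".join(out)


def normalize_percent_case(encoded):
    """Uppercase the hex digits of every existing %XX triplet without
    touching anything else, so comparisons are not broken by letter case."""
    return _PCT_TRIPLET.sub(lambda m: m.group(0).upper(), encoded)


def same_encoding(a, b):
    """True if two percent-encoded strings differ only in triplet case."""
    return normalize_percent_case(a) == normalize_percent_case(b)


if __name__ == "__main__":
    print(percent_encode("a b/ü"))            # a%20b%2F%C3%BC
    print(percent_encode("a b/ü", safe="/"))  # a%20b/%C3%BC
    print(same_encoding("/p%2fq%c3%bc", "/p%2F%C3%BC"))
```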
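Two of the XML output changes above matter to anyone post-processing scan results: a host that hits the host timeout is now marked with `timedout="true"` on its `<host>` element while its timing data is still written, and `extrareasons` now carries the list of port numbers behind each ignored state. The parser below is an added example, not Nmap's code or a library it ships, that reads both. The XML document is constructed to resemble Nmap output; the `proto` and `ports` attribute names on `extrareasons` are my assumption about how the port list is expressed, since the changelog only says that a list of port numbers is included.

```python
"""Read timed-out hosts and ignored-port lists from Nmap-style XML output."""
import xml.etree.ElementTree as ET

# Constructed sample resembling Nmap 7.92 XML output for "-p 1-100" against two hosts.
# The second host timed out (e.g. under the -T5 15-minute default) but still has <times>.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sS -T5 -p 1-100 -oX - 192.0.2.1-2" version="7.92">
  <host starttime="1" endtime="2">
    <status state="up" reason="syn-ack"/>
    <address addr="192.0.2.1" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="97">
        <extrareasons reason="no-responses" count="97" proto="tcp" ports="1-21,23-24,26-79,81-100"/>
      </extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/><service name="ssh"/></port>
      <port protocol="tcp" portid="25"><state state="closed" reason="reset"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/><service name="http"/></port>
    </ports>
    <times srtt="1200" rttvar="500" to="100000"/>
  </host>
  <host starttime="1" endtime="3" timedout="true">
    <status state="up" reason="echo-reply"/>
    <address addr="192.0.2.2" addrtype="ipv4"/>
    <times srtt="900000" rttvar="300000" to="1000000"/>
  </host>
</nmaprun>
"""


def expand_ports(spec):
    """Expand an Nmap port-list string such as "1-21,23-24,80" into a list of ints."""
    ports = []
    for part in spec.split(","):
        part = part.strip()
        if not part:
            continue
        if "-" in part:
            lo, hi = part.split("-", 1)
            ports.extend(range(int(lo), int(hi) + 1))
        else:
            ports.append(int(part))
    return ports


def parse_hosts(xml_text):
    """Return one dict per <host>: address, timed-out flag, SRTT, open ports,
    and the ignored ports grouped by state ("filtered", "closed", ...)."""
    root = ET.fromstring(xml_text)
    hosts = []
    for h in root.findall("host"):
        addr_el = h.find("address[@addrtype='ipv4']")
        times = h.find("times")
        info = {
            "addr": addr_el.get("addr") if addr_el is not None else None,
            "timedout": h.get("timedout") == "true",      # attribute added in 7.92
            "srtt_us": int(times.get("srtt")) if times is not None else None,
            "open_ports": [],
            "ignored": {},
        }
        for p in h.findall("ports/port"):
            st = p.find("state")
            if st is not None and st.get("state") == "open":
                info["open_ports"].append(int(p.get("portid")))
        for ep in h.findall("ports/extraports"):
            for er in ep.findall("extrareasons"):
                spec = er.get("ports")   # assumed attribute name for the port list
                if spec:
                    info["ignored"].setdefault(ep.get("state"), []).extend(expand_ports(spec))
        hosts.append(info)
    return hosts


def timed_out_addrs(hosts):
    """Addresses whose results are incomplete and should be rescanned or flagged."""
    return [h["addr"] for h in hosts if h["timedout"]]


if __name__ == "__main__":
    for h in parse_hosts(SAMPLE_XML):
        print(h["addr"], "timedout" if h["timedout"] else "complete",
              "open:", h["open_ports"],
              "ignored:", {k: len(v) for k, v in h["ignored"].items()})
```

A timed-out host's port table is partial, so a report that counts "filtered" ports or asserts a port is closed should treat such hosts separately rather than trusting the incomplete data.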


http://nmap.org/