May 22nd, 2012

o [NSE] Added the script http-traceroute, which exploits the Max-Forwards HTTP header to detect reverse proxies.
o Added the script distcc-CVE-2004-2687 that checks and exploits a remote command execution vulnerability in distcc.
o Added two new scripts, mysql-query and mysql-dump-hashes, which add support for performing custom MySQL queries and dumping MySQL password hashes.
o Improved the mysql library to handle multiple columns with the same name, and added a formatResultset function to format a query response as a table suitable for script output.
o The message "nexthost: failed to determine route to ..." is now a warning rather than a fatal error. Addresses that are skipped in this way are recorded in the XML output as elements.
o [NSE] Added the script http-drupal-modules, which enumerates the installed Drupal modules using drupal-modules.lst.
o [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI installations with a remote code execution vulnerability.
o [NSE] Added the script dict-info, which retrieves information from a DICT server by issuing the SHOW SERVER command.
o [NSE] Added the script gkrellm-info, which displays information retrieved from the GKrellM monitoring service.
o [NSE] Added the script ajp-request, which adds support for creating custom Apache JServ Protocol requests.
o [NSE] Added the script ajp-brute, which enables password brute force auditing against the Apache JServ Protocol service.
o [NSE] Added the script broadcast-tellstick-discover, which discovers Telldus Technologies TellStickNet devices on the LAN.
o [NSE] Added the Apache JServ Protocol (AJP) library and the scripts ajp-methods, ajp-headers and ajp-auth.
o In XML output, elements are now child elements of the they belong to. Old output was thus:
  ......
  New output is:
  ......
  The option --deprecated-xml-osclass restores the old output, in case you use an Nmap XML parser that doesn't understand the new structure. The xmloutputversion has been increased to 1.04.
o Added a new element to XML output that indicates when a target specification was ignored, perhaps because of a syntax error or DNS failure. It looks like this:
  [David Fifield]
o Nmap's development pace has increased because Google (again) sponsored 5 full-time college and graduate student programmer interns this summer as part of their Summer of Code program!
o [NSE] Added the script mmouse-exec that connects to a Mobile Mouse server, starts an application, and sends a sequence of keystrokes to it.
o [NSE] Added the script mmouse-brute that performs brute force password auditing against the Mobile Mouse service.
o [NSE] Added the script cups-queue-info that lists the contents of a remote CUPS printer queue.
o [NSE] Added the script ip-forwarding that detects devices that have IP forwarding enabled (acting as routers).
o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the Samba CVE-2012-1182 vulnerability.
o [NSE] Added the script dns-check-zone that checks DNS configuration against best practices including RFC 1912.
o [NSE] Added the script http-gitweb-projects-enum, which queries a gitweb for a list of Git projects, their authors and descriptions.
o [NSE] targets-sniffer is now capable of sniffing IPv6 addresses.
o [NSE] Added the script traceroute-geolocation that queries the geographic location of each traceroute hop and allows the results to be exported to KML, so the hops can be plotted on a map.
o [NSE] Added the ipp library and the script cups-info that lists available printers by querying the CUPS network daemon.
o [NSE] Added the mobileme library and the scripts http-icloud-findmyiphone and http-icloud-sendmsg, which find the location of iOS devices and provide functionality to send them messages.
o [NSE] Added the gps library and the gpsd-info script that collects GPS data from the gpsd daemon.
o [NSE] Ported the pop3-brute script to use the brute library.
o Fixed a compilation problem on Solaris 9 caused by a missing definition of IPV6_V6ONLY.
o Upgraded the included libpcap to version 1.2.1.
o [NSE] Added hostmap-robtex.nse by Arturo Busleiman, which finds other domain names sharing the IP address of the target.
o [NSE] Renamed hostmap.nse to hostmap-bfk.nse.
o [NSE] Added http-robtex-shared-ns by Arturo Busleiman, which finds domain names that share the same name server as the target.
o [NSE] Added the script http-vlcstreamer-ls which queries the VLC Streamer helper service for a list of files in a given directory.
o [NSE] Added the script targets-ipv6-mld that sends a malformed ICMPv6 MLD Query to discover IPv6-enabled hosts on the LAN.
o [NSE] Added the script http-virustotal that allows checking files, or hashes of previously scanned files, against the major antivirus engines.
o Setting --min-parallelism by itself no longer forces the maximum parallelism to the same value.
o [NSE] Added an error message indicating script failure when Nmap is being run in non-verbose/non-debug mode.
o Service-scan information is now included in XML and grepable output even if -sV wasn't used. This information can be set by scripts in the absence of -sV.
o [NSE] Added the script dns-ip6-arpa-scan which uses a very efficient technique to scan the ip6.arpa zone for PTR records.
o Changed XML output to show the "service" element whenever a tunnel is discovered for a port, even if the service behind it was unknown.
o [Zenmap] Fixed a crash that would happen in the profile editor when the script.db file doesn't exist.
o [Zenmap] It is now possible to compare scans having the same name or command line.
o [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests for two Remote Desktop vulnerabilities, including one allowing remote code execution, that were fixed in the MS12-020 advisory.
o Fixed an error that could occur with ICMPv6 probes and -d4 debugging: "Unexpected probespec2ascii type encountered".
o Fixed the routing table loop on OS X so that on-link routes appear. Previously, they were ignored, so things like ARP scan didn't work.
o [NSE] Added the new script http-chrono, which measures the min, max and average response times of web servers.
o Applied a workaround to make pcap captures work better on Solaris 10. This involves peeking at the pcap buffer to ensure that captures are not being lost. A symptom of the behavior before this fix was that, when doing ARP host discovery against two targets, only one would be reported up.
o Added ciphers from RFC 5932 and Fortezza-based ciphers to ssl-enum-ciphers.nse.
o [NSE] Added the new script http-drupal-users-enum, which enumerates all available Drupal user accounts by exploiting a vulnerability in the Views module.
o [NSE] Added the new script broadcast-ataoe-discover, which discovers ATA over Ethernet capable devices through LAN Ethernet broadcasts.
o Fixed a bug that could cause Nsock timers to fire too early. This could happen for the timed probes in IPv6 OS detection, causing an incorrect measurement of the TCP_ISR feature.
o [NSE] Added a stun library and the scripts stun-version and stun-info, which extract version information and the external NATed address.
o [NSE] Added the script duplicates which attempts to determine duplicate hosts by analyzing information collected by other scripts.
o Changed the way timeout calculations are made in the IPv6 OS engine. In rare cases a certain interleaving of probes and responses would result in an assertion failure.
January 4th, 2012

o [NSE] Added a new httpspider library which is used for recursively crawling web sites for information. New scripts using this functionality include http-backup-finder, http-email-harvest, http-grep, http-open-redirect, and http-unsafe-output-escaping.
o We set up a new SVN server for the Nmap codebase. This one uses SSL for better security, WebDAV rather than svnserve for greater functionality, is hosted on a faster (virtual) machine, provides Nmap code history back to 1998 rather than 2005, and removes the need for the special "guest" username. The new server is at https://svn.nmap.org.
o [NSE] Added a vulnerability management library (vulns.lua) to store and report discovered vulnerabilities. Modified these scripts to use the new library:
  - ftp-libopie.nse
  - http-vuln-cve2011-3192.nse
  - ftp-vuln-cve2010-4221.nse
  - ftp-vsftpd-backdoor.nse
  - smtp-vuln-cve2011-1720.nse
  - smtp-vuln-cve2011-1764.nse
  - afp-path-vuln.nse
  [Djalal, Henri]
o [NSE] Added a new script force feature. You can force scripts to run against target ports (even if the "wrong" service is detected) by placing a plus in front of the script name passed to --script.
o [NSE] Added 51(!) NSE scripts, bringing the total up to 297.
o Nmap now includes an nmap-update program for obtaining the latest updates (new scripts, OS fingerprints, etc.). The system is currently only available to a few developers for testing, but we hope to enable a larger set of beta testers soon.
o On Windows, the directory \AppData\Roaming\nmap is now searched for data files. This is the equivalent of $HOME/.nmap on POSIX.
o Improved OS detection performance by scaling congestion control increments by the response rate during OS scan, just as was done for port scan before.
o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all interfaces by default. They show the MAC address and interface name now too.
o Added some new version detection probes: MongoDB service [Martin Holst Swende], Metasploit XMLRPC service [Vlatko Kosturjak], Vuze filesharing system [Patrik], Redis key-value store [Patrik], memcached [Patrik], Sybase SQL Anywhere [Patrik], VMware ESX Server [Aleksey Tyurin], TCP Kerberos [Patrik], PC-Duo [Patrik], PC Anywhere [Patrik].
o Targets requiring different source addresses now go into different hostgroups, not only for host discovery but also for port scanning. Before, only responses to one of the source addresses would be processed, and the others would be ignored.
o Tidied up the version detection DB (nmap-service-probes) with a new cleanup/canonicalization program, sv-tidy.
o The --exclude and --excludefile options for excluding targets can now be used together.
o [NSE] Added support to the http.lua library for detecting whether an HTTP connection was established using SSL or not.
o [NSE] Added the local port to the BPF filter in snmp-brute to fix a bug that would prevent multiple scripts from receiving the correct responses. The bug was discovered by Brendan Bird.
o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request to query DHCP servers instead of DHCPDISCOVER. Also removed DoS code from dhcp-discover and placed the script into the discovery and safe categories. Added support for adding options to DHCP requests and cleaned up some code in the dhcp library.
o [NSE] Applied a patch to snmp-brute that solves problems with handling errors that occur during community list file parsing.
o [NSE] Added new fingerprints to http-enum for:
  - Subversion, CVS and Apache Archiva [Duarte Silva]
  - DVCS systems Git, Mercurial and Bazaar
o [NSE] Applied some code cleanup to the snmp library.
o [NSE] Fixed an undeclared variable bug in snmp-ios-config.
o [NSE] Added additional version information to the MongoDB scripts.
o [NSE] Added a path argument to the http-auth script and updated the script to use stdnse.format_output.
o [NSE] Fixed a bug in the http library that would fail to parse authentication headers if no parameters were present.
o Made a syntax change in the zenmap.desktop file for compliance with the XDG standard.
o [NSE] Replaced a number of GET requests with HEAD in http-fingerprints.lua. HEAD is quicker and sufficient when no matching is performed on the returned contents.
o [NSE] Added support for retrieving SSL certificates from FTP servers.
o [Nping] The --safe-payloads option is now the default. Added --include-payloads for the special situations where payloads are needed.
o [NSE] Added new functionality and fixed some bugs in the brute library:
  - Added support for restricting the number of guesses performed by the brute library against users, to prevent account lockouts.
  - Added support to guess the username as password. The documentation previously suggested (wrongly) that this was the default behavior.
  - Added support to guess an empty string as password if not present in the dictionary.
o [NSE] Re-enabled support for guessing the username in addition to the password, which was incorrectly removed from metasploit-xmlrpc-brute in a previous commit.
o [NSE] Fixed a bug that would prevent brute scripts from running if no service field was present in the port table.
o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it finds packets not only from or to the scanning host.
o The Zenmap topology display feature is now disabled when there are more than 1,000 target hosts. Those topology maps slow down the interface and are generally too crowded to be of much use.
o [NSE] Modified the http library to support servers that don't return valid chunked encoded data, such as the Citrix XML service.
o [NSE] Fixed a bug where the brute library would not abort even after all retries were exhausted.
o Fixed a bug in the IPv6 OS probe called NI. The Node Information Query didn't include the target address as the payload, so at least OS X didn't respond. This differed from the probe sent by the ipv6fp.py program from which some of our fingerprints were derived.
o [NSE] Fixed an error in the mssql library that was causing the broadcast-ms-sql-discover script to fail when trying to update port version information.
o [NSE] Added the missing broadcast category to the broadcast-listener script.
o [NSE] Made changes to the categories of the following scripts (new categories shown):
  - http-userdir-enum.nse (auth,intrusive)
  - mysql-users.nse (auth,intrusive)
  - http-wordpress-enum.nse (auth,intrusive,vuln)
  - krb5-enum-users.nse (auth,intrusive)
  - snmp-win32-users.nse (default,auth,safe)
  - smtp-enum-users.nse (auth,external,intrusive)
  - ncp-enum-users.nse (auth,safe)
  - smb-enum-users.nse (auth,intrusive)
o Made nbase compile with the clang compiler that is a part of Xcode 4.2.
o [NSE] Fixed a nil table index bug discovered in the mongodb library.
o [NSE] Added XMPP support to ssl-cert.nse.
o [NSE] Made http-wordpress-enum.nse able to get the names of users who have no posts.
o Increased hop distance estimates from OS detection by one. The distance now counts the number of hops including the final one to the target, not just the number of intermediate nodes. The IPv6 distance calculation already worked this way.
December 6th, 2011

o Added IPv6 OS detection system! The new system utilizes many tests
  similar to IPv4, and also some IPv6-specific ones that we found to
  be particularly effective. And it uses a machine learning approach
  rather than the static classifier we use for IPv4. We hope to move
  some of the IPv6 innovations back to our IPv4 system if they work
  out well. The database is still very small, so please submit any
  fingerprints that Nmap gives you to the specified URL (as long as
  you are certain that you know what the target system is
  running). Usage and results output are basically the same as with
  IPv4, but we will soon document the internal mechanisms at
  http://nmap.org/book/osdetect.html, just as we have for IPv4. For an
  example, try "nmap -6 -O scanme.nmap.org". [David, Luis]
o [NSE] Added 3 scripts, bringing the total to 246! You can learn
  more about them at http://nmap.org/nsedoc/. Here they are (authors
  listed in brackets):
  lltd-discovery uses the Microsoft LLTD protocol to discover hosts
    on a local network. [Gorjan Petrovski]
  ssl-google-cert-catalog queries Google's Certificate Catalog for
    the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]
  quake3-info extracts information from a Quake3-like game
    server. [Toni Ruottu]
o Improved AIX support for raw scans. This includes some patches
  originally written by Peter O'Gorman and Florian Schmid. It also
  involved various build fixes found necessary on AIX 6.1 and 7.1. See
  http://nmap.org/book/inst-other-platforms.html. [David]
o Fixed Nmap so that it again compiles and runs on Solaris 10,
  including IPv6 support. [David]
o [NSE] Moved our brute force authentication cracking scripts
  (*-brute) from the "auth" category into a new "brute"
  category. Nmap's brute force capabilities have grown tremendously.
  You can see all 32 of them at
  http://nmap.org/nsedoc/categories/brute.html. It isn't clear
  whether dns-brute should be in the brute category, so for now it
  isn't. [Fyodor]
o Made the interface gathering loop work on Linux when an interface
  index is more than two digits in /proc/sys/if_inet6. Joe McEachern
  tracked down the problem and provided the fix.
o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always returns two values
  (status, response), and replaced the workaround in asn-query.nse by the proper
  use. [Henri]
o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
  Patch by Sebastian Dragomir.
o Updated nmap-mac-prefixes to include the latest IEEE assignments
  as of 2011-09-29.
December 6th, 2011

o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
  output for OS and service versions. This is a standard way to
  identify operating systems and applications so that Nmap can
  better interoperate with other software. Nmap's own (generally more
  comprehensive) taxonomy/classification system is still supported as
  well. Some OS and version detection results don't have CPE entries
  yet. CPE entries show up in normal output with the headings "OS
  CPE:" and "Service Info:":
    OS CPE: cpe:/o:linux:kernel:2.6.39
    Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
  These also appear in XML output, which additionally has CPE entries
  for service versions. [David, Henri]
o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
  ARP scan. It is the default ping type for local IPv6 networks.
  [Weilin]
o Integrated your latest (IPv4) OS detection submissions and
  corrections until June 22. New fingerprints include Linux 3, FreeBSD
  9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
  3,308 fingerprints. See
  http://seclists.org/nmap-dev/2011/q3/556. Please keep those
  fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
  well as service fingerprints, plus corrections of all types if Nmap
  guesses wrong.
o [NSE] Added 27 scripts, bringing the total to 243! You can learn
  more about any of them at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):
  address-info shows extra information about IPv6 addresses, such as
    embedded MAC or IPv4 addresses when available. [David Fifield]
  bittorrent-discovery discovers BitTorrent peers sharing a file
    based on a user-supplied torrent file or magnet link. [Gorjan
    Petrovski]
  broadcast-db2-discover attempts to discover DB2 servers on the
    network by sending a broadcast request to port 523/udp. [Patrik
    Karlsson]
  broadcast-dhcp-discover sends a DHCP request to the broadcast
    address (255.255.255.255) and reports the results. [Patrik
    Karlsson]
  broadcast-listener sniffs the network for incoming broadcast
    communication and attempts to decode the received packets. It
    supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and
    a few more. [Patrik Karlsson]
  broadcast-ping sends broadcast pings on a selected interface using
    raw Ethernet packets and outputs the responding hosts' IP and MAC
    addresses or (if requested) adds them as targets. [Gorjan
    Petrovski]
  cvs-brute performs brute force password auditing against CVS
    pserver authentication. [Patrik Karlsson]
  cvs-brute-repository attempts to guess the name of the CVS
    repositories hosted on the remote server. With knowledge of the
    correct repository name, usernames and passwords can be
    guessed. [Patrik Karlsson]
  ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4
    backdoor reported on 2011-07-04 (CVE-2011-2523). This script
    attempts to exploit the backdoor using the innocuous 'id' command
    by default, but that can be changed with the 'exploit.cmd' or
    'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]
  ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in
    the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal
    Harouni]
  http-awstatstotals-exec exploits a remote code execution
    vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other
    products based on it (CVE-2008-3922). [Paulino Calderon]
  http-axis2-dir-traversal exploits a directory traversal
    vulnerability in Apache Axis2 version 1.4.1 by sending a specially
    crafted request to the parameter 'xsd' (OSVDB-59001). By default
    it will try to retrieve the configuration file of the Axis2
    service '/conf/axis2.xml' using the path '/axis2/services/' to
    return the username and password of the admin account. [Paulino
    Calderon]
  http-default-accounts tests for access with default credentials
    used by a variety of web applications and devices. [Paulino
    Calderon]
  http-google-malware checks if hosts are on Google's blacklist of
    suspected malware and phishing servers. These lists are constantly
    updated and are part of Google's Safe Browsing service. [Paulino
    Calderon]
  http-joomla-brute performs brute force password auditing against
    Joomla web CMS installations. [Paulino Calderon]
  http-litespeed-sourcecode-download exploits a null-byte poisoning
    vulnerability in LiteSpeed Web Servers 4.0.x before 4.0.15 to
    retrieve the target script's source code by sending an HTTP request
    with a null byte followed by a .txt file extension
    (CVE-2010-2333). [Paulino Calderon]
  http-vuln-cve2011-3192 detects a denial of service vulnerability
    in the way the Apache web server handles requests for multiple
    overlapping/simple ranges of a page. [Duarte Silva]
  http-waf-detect attempts to determine whether a web server is
    protected by an IPS (Intrusion Prevention System), IDS (Intrusion
    Detection System) or WAF (Web Application Firewall) by probing the
    web server with malicious payloads and detecting changes in the
    response code and body. [Paulino Calderon]
  http-wordpress-brute performs brute force password auditing
    against WordPress CMS/blog installations. [Paulino Calderon]
  http-wordpress-enum enumerates usernames in WordPress blog/CMS
    installations by exploiting an information disclosure
    vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and
    3.2-beta2 and possibly others. [Paulino Calderon]
  imap-brute performs brute force password auditing against IMAP
    servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
    authentication. [Patrik Karlsson]
  smtp-brute performs brute force password auditing against SMTP
    servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
    authentication. [Patrik Karlsson]
  smtp-vuln-cve2011-1764 checks for a format string vulnerability in
    the Exim SMTP server (version 4.70 through 4.75) with DomainKeys
    Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]
  targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to
    the all-nodes link-local multicast address (ff02::1) to discover
    responsive hosts on a LAN without needing to individually ping
    each IPv6 address. [David Fifield, Xu Weilin]
  targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an
    invalid extension header to the all-nodes link-local multicast
    address (ff02::1) to discover (some) available hosts on the
    LAN. This works because some hosts will respond to this probe with
    an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]
  targets-ipv6-multicast-slaac performs IPv6 host discovery by
    triggering stateless address auto-configuration (SLAAC). [David
    Fifield, Xu Weilin]
  xmpp-brute performs brute force password auditing against XMPP
    (Jabber) instant messaging servers. [Patrik Karlsson]
o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and
  Babak Farroki for researching fixes.
o [NSE] The script arguments which start with a script name
  (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
  unqualified arguments as well (hostname, maxfiles). This lets you
  use the generic version ("hostname") when you want to affect
  multiple scripts, while using the qualified version to target
  individual scripts. If both are specified, the qualified version
  takes precedence for that particular script. This works for library
  script arguments too (e.g. you can specify 'timelimit' rather than
  unpwdb.timelimit). [Paulino]
o [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to
  remove the epic fail known as DigiNotar.
o Nmap now defers options parsing until it has read through all the
  command line arguments. This removes the few remaining cases where
  option order mattered (for example, IPv6 users previously had to
  specify -6 before -S). [Shinnok]
o [NSE] Added a new default credential list for Oracle databases and
  modified the oracle-brute script to make use of it. [Patrik]
o [NSE] Our Packet library (packet.lua) now handles IPv6. This is used
  by the new multicast IPv6 host discovery scripts
  (targets-ipv6-*). [Weilin]
o [NSE] Replaced xmpp.nse with an overhauled version named
  xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]
o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and
  removed redundant multiple listings of the NULL compressor.
  [Matt Selsky]
o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse.
  [Gabriel Lawrence]
o [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from
  displaying any output unless run in debug mode. [Patrik]
o [NSE] Added 4 more protocol libraries. You can learn more about any
  of them at http://nmap.org/nsedoc/. Here are the new ones (authors
  listed in brackets):
  bittorrent supports the BitTorrent file sharing protocol. [Gorjan
    Petrovski]
  cvs includes support for the Concurrent Versions System (CVS).
    [Patrik Karlsson]
  sasl provides common code for "Simple Authentication and Security
    Layer" to services supporting it. The algorithms supported by the
    library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal
    Harouni, Patrik Karlsson]
  xmpp handles XMPP (Jabber) IM servers. [Patrik Karlsson]
o [NSE] Removed the mac-geolocation script, which relied on a Google
  database to determine strikingly accurate GPS coordinates for
  anyone's wireless access points (based on their MAC address). It
  was very powerful. Perhaps Google decided it was too powerful, as
  they discontinued the service before our script was even 2 months
  old.
o [Ncat] Added an --append-output option which, when used along with
  -o and/or -x, prevents clobbering (truncating) an existing
  file. [Shinnok]
o Fixed RPC scan (part of -sV) to work on the 64-bit machines where
  "unsigned long" is 8 bytes rather than 4. We now use the more
  portable u32 in the code. [David]
o [NSE] Moved some scripts into the default category: giop-info,
  vnc-info, ncp-serverinfo, smb-security-mode, and
  afp-serverinfo. [Djalal]
o Relaxed the XML DTD to allow validation of files where the verbosity
  level changed during the scan. Also made a service confidence of 8
  (used when tcpwrapped) or any other number between 0 and 10
  legal. [Daniel Miller]
o [NSE] Fixed authentication problems in the TNS library that would prevent
  authentication from working against Oracle 11.2.0.2.0 XE. [Chris Woodbury]
o [NSE] Added basic query support to the Oracle TNS library so that scripts
  can now make SQL queries against database servers. Also improved
  support for 64-bit database servers and improved the documentation. [Patrik]
o Removed some restrictions on probe matching that, for example,
  prevented a RST/ACK reply from being recognized in a NULL scan. This
  was found and fixed by Matthew Stickney and Joe McEachern.
o Rearranged some character classes in service matches to avoid any
  that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
  discovered this error caused by one of the match lines:
    InitMatch: illegal regexp: POSIX collating elements are not supported
  [Daniel Miller]
o [NSE] Added more than 100 new signatures to http-enum (many for
  known vulnerabilities). They are in the categories: general,
  attacks, cms, security, management and database. [Paulino]
o [NSE] Updated account status text in brute force password discovery
  scripts in an effort to make the reporting more consistent across
  all scripts. This will have an impact on any code that parses these
  values. [Tom Sellers]
o Nmap now includes the Liblinear library for large linear
  classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We
  are using it for the upcoming IPv6 OS detection system, and (if that
  works out well) may eventually use it for IPv4 too. It uses a
  three-clause BSD license.
o [NSE] Better error messages (including a traceback) are now provided
  when script loading fails. [Patrick]
o [Zenmap] Prevent Zenmap from deleting ports when merging scan
  results based on newer scans which did not actually scan the ports
  in question. Additionally Zenmap now only updates ports with new
  information if the new information uses the same protocol--not just
  the same port number. [Colin Rice]
o [Ncat] Fixed a crash which would occur when --ssl-verify is combined
  with -vvv on Windows. [Colin Rice]
o [Nping] Added a new --safe-payloads option for echo mode which causes
  returned packet payloads to be zeroed to reduce privacy risks if
  the Nping echo server were to accidentally (or through malicious intent)
  return a packet which wasn't sent by the Nping echo client. We hope
  to soon make this behavior the default. [Luis]
o Fixed a bug that would make Nmap segfault if it failed to open an
  interface using pcap. The bug details and patch are posted at
  http://seclists.org/nmap-dev/2011/q3/365. [Patrik]
o Ncat SCTP mode now supports connection brokering
  (--sctp --broker). [Shinnok]
o Consolidated a bunch of duplicate code between Ncat's listen
  (ncat_listen.c) and broker (ncat_broker.c) modes to ease
  maintenance. [Shinnok]
o Added a 'nostore' NSE argument to the brute force library which
  prevents the brute force authentication cracking scripts from
  storing found credentials in the creds library (they will still be
  printed in script output).
o [NSE] Fixed the nsedebug print_hex() function so it does not print an
  empty line if there are no remaining characters, and improved its NSEDoc.
  [Chris Woodbury]
o [Ncat] Ncat no longer blocks while an SSL handshake is taking place
  or waiting to complete. This could make listening Ncat instances
  unavailable to other clients because one client was taking too long
  to complete the SSL handshake. Our public Ncat chat server is now
  much more reliable (connect with: ncat --ssl -v chat.nmap.org).
  [Shinnok]
o [NSE] Updated SMTP and IMAP libraries to support authentication
  using both plain-text and the SASL library. [Patrik]
o [Zenmap] The Zenmap crash handler now instructs users to mail in
  crash information to nmap-dev rather than offering to create a
  Sourceforge bug tracker entry. [Colin Rice]
o [NSE] Applied a patch from Chris Woodbury that adds the following
  additional information to the output of smb-os-discovery: NetBIOS
  computer name, NetBIOS domain name, FQDN, and forest name.
o [NSE] Updated smb-brute to add detection for valid credentials where the
  target account was expired or limited by time or login host constraints.
  [Tom Sellers]
o [Ncat] Ncat now supports IPv6 addresses by default without the -6 flag.
  Additionally Ncat listens on both ::1 and localhost when passed
  -l, or any other listening mode, unless a specific listening address is
  supplied. [Colin Rice]
o Fixed broken XML output in the case of timed-out hosts; the
  enclosing host element was missing. The fix was suggested by Rémi
  Mollon.
o [NSE] Multiple ldap-brute changes by Tom Sellers:
  - Added support for 2008 R2 functional level Active Directory instances.
  - Added detection for valid credentials where the target account was
    expired or limited by time or login host constraints.
  - Added support for specifying a UPN suffix to be appended to usernames
    when brute forcing Microsoft Active Directory accounts.
  - Added support for saving discovered credentials to a CSV file.
  - Now reports valid credentials as they are discovered when the script
    is run with -vv or higher.
o [NSE] ldap-search.nse - Added support for saving search results to
  CSV. This is done by using the ldap.savesearch script argument to
  specify an output filename prefix. [Tom Sellers]
o Handle an unconventional IPv6 internal link-local address convention
  used by Mac OS X. See
  http://seclists.org/nmap-dev/2011/q3/906. [David]
o [NSE] Optimized stdnse.format_output (changing the data structures)
  to improve performance for scripts which produce a lot of output. See
  http://seclists.org/nmap-dev/2011/q3/623. [Djalal]
o [NSE] Fixed nping-brute so that it again works on IPv6. [Toni Ruottu]
o [NSE] Added the make_array and make_object functions to our json
  library, allowing Lua tables to be treated as JSON arrays or
  objects. See http://seclists.org/nmap-dev/2011/q3/15. [Daniel Miller]
o [NSE] The ip-geolocation-ipinfodb script now allows you to specify an
  IPInfoDB API key using the apikey NSE argument. [Gorjan]
o [NSE] Renamed http-wp-plugins to http-wordpress-plugins for
  consistency with http-wordpress-brute and now
  http-wordpress-enum. [Fyodor]
July 9th, 2011
· [NSE] Added 40 scripts, bringing the total to 217! Here are the new ones (authors listed in brackets):
· afp-ls: Lists files and their attributes from Apple Filing Protocol (AFP) volumes. [Patrik Karlsson]
· backorifice-brute: Performs brute force password auditing against the BackOrifice remote administration (trojan) service. [Gorjan Petrovski]
· backorifice-info: Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself. [Gorjan Petrovski]
· broadcast-avahi-dos: Attempts to discover hosts in the local network using the DNS Service Discovery protocol, then tests whether each host is vulnerable to the Avahi NULL UDP packet denial of service bug (CVE-2011-1002). [Djalal Harouni]
· broadcast-netbios-master-browser: Attempts to discover master browsers and the Windows domains they manage. [Patrik Karlsson]
· broadcast-novell-locate: Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers. [Patrik Karlsson]
· creds-summary: Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan. [Patrik Karlsson]
· dns-brute: Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. [Cirrus]
· dns-nsec-enum: Attempts to discover target hosts' services using the DNS Service Discovery protocol. [Patrik Karlsson]
· dpap-brute: Performs brute force password auditing against an iPhoto Library. [Patrik Karlsson]
· epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers. [Toni Ruottu]
· http-affiliate-id: Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner. [Hani Benhabiles, Daniel Miller]
· http-barracuda-dir-traversal: Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability. [Brendan Coles]
· http-cakephp-version: Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework. [Paulino Calderon]
· http-majordomo2-dir-traversal: Exploits a directory traversal vulnerability existing in the Majordomo2 mailing list manager to retrieve remote files. (CVE-2011-0049). [Paulino Calderon]
· http-wp-plugins: Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins. [Ange Gutek]
· ip-geolocation-geobytes: Tries to identify the physical location of an IP address using the Geobytes geolocation web service. [Gorjan Petrovski]
· ip-geolocation-geoplugin: Tries to identify the physical location of an IP address using the Geoplugin geolocation web service. [Gorjan Petrovski]
· ip-geolocation-ipinfodb: Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service. [Gorjan Petrovski]
· ip-geolocation-maxmind: Tries to identify the physical location of an IP address using a Geolocation Maxmind database file. [Gorjan Petrovski]
· ldap-novell-getpass: Attempts to retrieve the Novell Universal Password for a user. You must already have (and include in script arguments) the username and password for an eDirectory server administrative account. [Patrik Karlsson]
· mac-geolocation: Looks up geolocation information for BSSID (MAC) addresses of WiFi access points in the Google geolocation database. [Gorjan Petrovski]
· mysql-audit: Audit MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can also be used for other MySQL audits by creating appropriate audit files). [Patrik Karlsson]
· ncp-enum-users: Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
· ncp-serverinfo: Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
· nping-brute: Performs brute force password auditing against an Nping Echo service. [Toni Ruottu]
· omp2-brute: Performs brute force password auditing against the OpenVAS manager using OMPv2. [Henri Doreau]
· omp2-enum-targets: Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. [Henri Doreau]
· ovs-agent-version: Detects the version of an Oracle OVSAgentServer by fingerprinting responses to an HTTP GET request and an XML-RPC method call. [David Fifield]
· quake3-master-getservers: Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol). [Toni Ruottu]
· servicetags: Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481). [Matthew Flanagan]
· sip-brute: Performs brute force password auditing against Session Initiation Protocol accounts. This protocol is most commonly associated with VoIP sessions. [Patrik Karlsson]
· sip-enum-users: Attempts to enumerate valid SIP user accounts. Currently only the SIP server Asterisk is supported. [Patrik Karlsson]
· smb-mbenum: Queries information managed by the Windows Master Browser. [Patrik Karlsson]
· smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345). [Djalal Harouni]
· smtp-vuln-cve2011-1720: Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution. [Djalal Harouni]
· snmp-ios-config: Attempts to download Cisco router IOS configuration files using SNMP RW (v1) and display or save them. [Vikas Singhal, Patrik Karlsson]
· ssl-known-key: Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys. [Mak Kolybabi]
· targets-sniffer: Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue. [Nick Nikolaou]
· xmpp: Connects to an XMPP server (port 5222) and collects server information such as supported auth mechanisms, compression methods and whether TLS is supported and mandatory. [Vasiliy Kulikov]
· Nmap has long supported IPv6 for basic (connect) port scans, basic host discovery, version detection, and the Nmap Scripting Engine. This release dramatically expands and improves IPv6 support:
  + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan, etc.) are now supported. [David, Weilin]
  + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP discovery packets, etc.) is now supported. [David, Weilin]
  + IPv6 traceroute is now supported. [David]
  + IPv6 protocol scan (-sO) is now supported, including creating realistic headers for many protocols. [David]
  + IPv6 support in the wsdd, dnssd and upnp NSE libraries. [Daniel Miller, Patrik]
  + The --exclude and --excludefile options now support IPv6 addresses with netmasks. [Colin]
· Scanme.Nmap.Org (the system anyone is allowed to scan for testing purposes) is now dual-stacked (has an IPv6 address as well as IPv4) so you can scan it during IPv6 testing. We also added a DNS record for ScanmeV6.nmap.org which is IPv6-only. [Fyodor]
· The Nmap.Org website as well as sister sites Insecure.Org, SecLists.Org, and SecTools.Org all have working IPv6 addresses now (dual stacked). [Fyodor]
· Nmap now determines the filesystem location it is being run from and that path is now included early in the search path for data files (such as nmap-services). This reduces the likelihood of needing to specify --datadir or getting data files from a different version of Nmap installed on the system. Thanks to Solar Designer for implementation advice. [David]
· Created a page on our SecWiki for collecting Nmap script ideas! If you have a good idea, post it to the incoming section of the page. Or if you're in a script writing mood but don't know what to write, come here for inspiration.
· The development pace has greatly increased because Google (again) sponsored 7 full-time college and graduate student programmer interns this summer as part of their Summer of Code program! Thanks, Google Open Source Department!
[NSE] Added 7 new protocol libraries, bringing the total to 66. Here are the new ones (authors listed in brackets):
· creds: Handles storage and retrieval of discovered credentials (such as passwords discovered by brute force scripts). [Patrik Karlsson]
· ncp: A tiny implementation of Novell Netware Core Protocol (NCP). [Patrik Karlsson]
· omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri Doreau]
· sip: Supports a limited subset of SIP commands and methods. [Patrik Karlsson]
· smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal Harouni]
· srvloc: A relatively small implementation of the Service Location Protocol. [Patrik Karlsson]
· tftp: Implements a minimal TFTP server. It is used in snmp-ios-config to obtain router config files. [Patrik Karlsson]
· Improved Nmap's service/version detection database by adding:
  + Apple iPhoto (DPAP) protocol probe [Patrik]
  + Zend Java Bridge probe [Michael Schierl]
  + BackOrifice probe [Gorjan Petrovski]
  + GKrellM probe [Toni Ruottu]
  + Signature improvements for a wide variety of services (we now have 7,375 signatures)
· [NSE] ssh-hostkey now additionally has a postrule that prints hosts found during the scan which share the same hostkey. [Henri Doreau]
· [NSE] Added 300+ new signatures to http-enum which look for admin directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress, and more. [Paulino]
· Made the final IP address space assignment update as all available IPv4 address blocks have now been allocated to the regional registries. Our random IP generation (-iR) logic now only excludes the various reserved blocks. Thanks to Kris for years of regular updates to this function!
· [NSE] Replaced http-trace with a new more effective version. [Paulino]
· Performed some output cleanup work to remove unimportant status lines so that it is easier to find the good stuff! [David]
· [Zenmap] now properly kills Nmap scan subprocess when you cancel a scan or quit Zenmap on Windows. [Shinnok]
· [NSE] Banned scripts from being in both the "default" and "intrusive" categories. We did this by removing dhcp-discover and dns-zone-transfer from the set of scripts run by default (leaving them "intrusive"), and reclassifying dns-recursion, ftp-bounce, http-open-proxy, and socks-open-proxy as "safe" rather than "intrusive" (keeping them in the "default" set).
· [NSE] Added a credential storage library (creds.lua) and modified the brute library and scripts to make use of it. [Patrik]
· [Ncat] Created a portable version of ncat.exe that you can just drop onto Microsoft Windows systems without having to run any installer or copy over extra library files. See the Ncat page for binary downloads and a link to build instructions. [Shinnok]
· Fix a segmentation fault which could occur when running Nmap on various Android-based phones. The problem related to NULL being passed to freeaddrinfo(). [David, Vlatko Kosturjak]
· [NSE] The host.bin_ip and host.bin_ip_src entries now also work with 16-byte IPv6 addresses. [David]
· [Ncat] Updated the ca-bundle.crt list of trusted certificate authority certificates. [David]
· [NSE] Fixed a bug in the SMB Authentication library which could prevent concurrently running scripts with valid credentials from logging in. [Chris Woodbury]
· [NSE] Re-worked http-form-brute.nse to better autodetect form fields, allow brute force attempts where only the password (no username) is needed, follow HTTP redirects, and better detect incorrect login attempts. [Patrik, Daniel Miller]
· [Zenmap] Changed the "slow comprehensive scan" profile's NSE script selection from "all" to "default or (discovery and safe)" categories. Except for testing and debugging, "--script all" is rarely desirable.
· [NSE] Added the stdnse.silent_require method which is used for library requires that you know might fail (e.g. "openssl" fails if Nmap was compiled without that library). If these libraries are called with silent_require and fail to load, the script will cease running but the user won't be presented with ugly failure messages as would happen with a normal require. [Patrick Donnelly]
· [Zenmap] Fixed a bug in topology mapper which caused endpoints behind firewalls to sometimes show up in the wrong place. [Colin Rice]
· [Zenmap] If you scan a system twice, any open ports from the first scan which are closed in the 2nd will be properly marked as closed. [Colin Rice].
· [Zenmap] Fixed an error that could cause a crash ("TypeError: an integer is required") if a sort column in the ports table was unset. [David]
· [Ndiff] Added nmaprun element information (Nmap version, scan date, etc.) to the diff. Also, the Nmap banner with version number and data is now only printed if there were other differences in the scan. [Daniel Miller, David, Dr. Jesus]
· [NSE] Added nmap.get_interface and nmap.get_interface_info functions so scripts can access characteristics of the scanning interface. Removed nmap.get_interface_link. [Djalal]
· Fixed an overflow in scan elapsed time display that caused negative times to be printed after about 25 days. [Daniel Miller]
· Updated nmap-rpc from the master list, now maintained by IANA. [Daniel Miller, David]
· [Zenmap] Fixed a bug in the option parser: -sN (null scan) was interpreted as -sn (no port scan). This was reported by Shitaneddine. [David]
· Removed the -sR (RPC scan) option--it is now an alias for -sV (version scan), which always does RPC scan when an rpcinfo service is detected.
· [NSE] Improved the ms-sql scripts and library in several ways:
  - Improved version detection and server discovery
  - Added support for named pipes, integrated authentication, and connecting to instances by name or port
  - Improved script and library stability and documentation. [Patrik Karlsson, Chris Woodbury]
· [NSE] Fixed http.validate_options when handling a cookie table. [Sebastian Prengel]
· Added a Service Tags UDP probe for port 6481/udp. [David]
· [NSE] Enabled firewalk.nse to automatically find the gateways at which probes are dropped and fixed various bugs. [Henri Doreau]
· [Zenmap] Worked around a pycairo bug that prevented saving the topology graphic as PNG on Windows: "Error Saving Snapshot: Surface.write_to_png takes one argument which must be a filename (str), file object, or a file-like object which has a 'write' method (like StringIO)". The problem was reported by Alex Kah. [David]
· The -V and --version options now show the platform Nmap was compiled on, which features are compiled in, the version numbers of libraries it is linked against, and whether the libraries are the ones that come with Nmap or the operating system. [Ambarisha B., David]
· Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre from netVigilance.
· The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]
· [NSE] Added a shortport.ssl function which can be used as a script portrule to match SSL services. It is similar in concept to our existing shortport.http. [David]
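As an added example (not code from the Nmap project), here is a minimal NSE script that combines the two helpers described above: stdnse.silent_require guards the OpenSSL dependency so the script stops quietly on an Nmap built without OpenSSL, and shortport.ssl serves as the portrule. It assumes the certificate object returned by socket:get_ssl_certificate() offers a digest method, as Nmap's own ssl-cert script relies on; the script name, description and output format are made up for this illustration.

```lua
-- Added example, not part of the Nmap source tree. Assumes an Nmap build with
-- OpenSSL; on a build without it, silent_require ends this script quietly
-- instead of printing a library load error.
local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

-- Guard: the SSL connect and certificate parsing below need OpenSSL support.
-- A plain require "openssl" would abort with an error message; silent_require
-- just stops the script without output when the library is unavailable.
stdnse.silent_require "openssl"

description = [[
Prints the SHA-1 fingerprint and subject of the certificate offered by an
SSL/TLS service, so it can be compared against an expected value during a
host inventory (hypothetical example script).
]]
author = "added example"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"
categories = {"safe", "discovery"}

-- shortport.ssl matches ports identified (or conventionally used) as SSL/TLS,
-- the same idea as shortport.http for web servers.
portrule = shortport.ssl

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  -- "ssl" asks NSE to perform the TLS handshake for us.
  local status, err = socket:connect(host, port, "ssl")
  if not status then
    stdnse.print_debug(1, "ssl connect to %s:%d failed: %s", host.ip, port.number, err)
    return nil
  end

  local cert = socket:get_ssl_certificate()
  socket:close()
  if not cert then
    return nil
  end

  -- cert:digest() hashes the DER-encoded certificate, so the value matches
  -- what "openssl x509 -fingerprint -sha1" prints for the same certificate.
  local fingerprint = stdnse.tohex(cert:digest("sha1"), {separator = ":"})
  local subject = cert.subject and cert.subject.commonName or "(no commonName)"

  return string.format("subject: %s\nSHA-1 fingerprint: %s", subject, fingerprint)
end
```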
· Set up the RPM build to use the compat-glibc and compat-gcc-34-c++ packages (on CentOS 5.3) to resolve a report of Nmap failing to run on old versions of Glibc. [David]
· We no longer support Nmap on versions of Windows earlier than XP SP2. Even Microsoft no longer supports Windows versions that old.
· There were hundreds of other little bug fixes and improvements (especially to NSE scripts). See the SVN logs for revisions 22,274 through 24,460 for details.
February 14th, 2011
· [Ndiff] Added support for prerule and postrule scripts. [David]
· [NSE] Fixed a bug which caused some NSE scripts to fail due to the absence of the NSE SCRIPT_NAME environment variable when loaded.
· [Zenmap] Selecting one of the scan targets in the left pane is supposed to jump to that host in the Nmap Output in the right pane (but it wasn't).
· Fixed an obscure bug in Windows interface matching. If the MAC address of an interface couldn't be retrieved, it might have been used instead of the correct interface. Alexander Khodyrev reported the problem.
· [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor that used shortport functions incorrectly and always returned true. [Jost Krieger]
· [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed: status and address.
· [Ndiff] Fixed the ordering of hostscript-related elements in XML output.
· [NSE] Fixed a bug in the nrpe-enum script that would make it run for every port (when it was selected--it isn't by default).
· [NSE] When an NSE script sets a negative socket timeout, it now causes a controlled Lua stack trace instead of a fatal error.
· [Zenmap] Worked around an error that caused the py2app bootstrap executable to be non-universal even when the rest of the application was universal. This prevented the binary .dmg from working on PowerPC. Yxynaxen reported the problem.
· [Ndiff] Fixed an output line that wasn't being redirected to a file when all other output was.
January 29th, 2011
· [Zenmap] Added a new script selection interface, allowing you to choose scripts and arguments from a list which includes descriptions of every available script. Just click the "Scripting" tab in the profile editor. [Kirubakaran]
· [Nping] Added echo mode, a novel technique for discovering how your packets are changed (or dropped) in transit between the host they originated from and a target machine. It can detect network address translation, packet filtering, routing anomalies, and more. You can try it out against our public Nping echo server using this command: nping --echo-client "public" echo.nmap.org. Or learn more about echo mode at http://nmap.org/book/nping-man-echo-mode.html. [Luis]
[NSE] Added an amazing 46 scripts, bringing the total to 177! You can learn more about any of them at http://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
· broadcast-dns-service-discovery: Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses. [Patrik Karlsson]
· broadcast-dropbox-listener: Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more. [Ron Bowes, Mak Kolybabi, Andrew Orr, Russ Tait Milne]
· broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the same broadcast domain. [Patrik Karlsson]
· broadcast-upnp-info: Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses. [Patrik Karlsson]
· broadcast-wsdd-discover: Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]
· db2-discover: Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523). [Patrik Karlsson]
· dns-update.nse: Attempts to perform an unauthenticated dynamic DNS update. [Patrik Karlsson]
· domcon-brute: Performs brute force password auditing against the Lotus Domino Console. [Patrik Karlsson]
· domcon-cmd: Runs a console command on the Lotus Domino Console with the given authentication credentials (see also: domcon-brute). [Patrik Karlsson]
· domino-enum-users: Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. [Patrik Karlsson]
· firewalk: Tries to discover firewall rules using an IP TTL expiration technique known as firewalking. [Henri Doreau]
· ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with a script argument. [Mak Kolybabi]
· giop-info: Queries a CORBA naming server for a list of objects. [Patrik Karlsson]
· gopher-ls: Lists files and directories at the root of a gopher service. Remember those? [Toni Ruottu]
· hddtemp-info: Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service. [Toni Ruottu]
· hostmap: Tries to find hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]
· http-brute: Performs brute force password auditing against http basic authentication. [Patrik Karlsson]
· http-domino-enum-passwords: Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. [Patrik Karlsson]
· http-form-brute: Performs brute force password auditing against http form-based authentication. [Patrik Karlsson]
· http-vhosts: Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. [Carlos Pantelides]
· informix-brute: Performs brute force password auditing against IBM Informix Dynamic Server. [Patrik Karlsson]
· informix-query: Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute). [Patrik Karlsson]
· informix-tables: Retrieves a list of tables and column definitions for each database on an Informix server. [Patrik Karlsson]
· iscsi-brute: Performs brute force password auditing against iSCSI targets. [Patrik Karlsson]
· iscsi-info: Collects and displays information from remote iSCSI targets. [Patrik Karlsson]
· modbus-discover: Enumerates SCADA Modbus slave ids (sids) and collects their device information. [Alexander Rudakov]
· nat-pmp-info: Queries a NAT-PMP service for its external address. [Patrik Karlsson]
· netbus-auth-bypass: Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password. [Toni Ruottu]
· netbus-brute: Performs brute force password auditing against the Netbus backdoor ("remote administration") service. [Toni Ruottu]
· netbus-info: Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself. [Toni Ruottu]
· netbus-version: Extends version detection to detect NetBuster, a honeypot service that mimes NetBus. [Toni Ruottu]
· nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. [Mak Kolybabi]
· oracle-brute: Performs brute force password auditing against Oracle servers. [Patrik Karlsson]
· oracle-enum-users: Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]
· path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris Katterjohn]
· resolveall: Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name. [Kris Katterjohn]
· rmi-dumpregistry: Connects to a remote RMI registry and attempts to dump all of its objects. [Martin Holst Swende]
· smb-flood: Exhausts a remote SMB server's connection limit by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This script exploits that limit by taking up all the connections and holding them. [Ron Bowes]
· ssh2-enum-algos: Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type. [Kris Katterjohn]
· stuxnet-detect: Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]
· svn-brute: Performs brute force password auditing against Subversion source code control servers. [Patrik Karlsson]
· targets-traceroute: Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given. [Henri Doreau]
· vnc-brute: Performs brute force password auditing against VNC servers. [Patrik Karlsson]
· vnc-info: Queries a VNC server for its protocol version and supported security types. [Patrik Karlsson]
· wdb-version: Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents. [Daniel Miller]
· wsdd-discover: Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]
· [NSE] Added 12 new protocol libraries:
  - dhcp.lua by Ron
  - dnssd.lua (DNS Service Discovery) by Patrik
  - ftp.lua by David
  - giop.lua (CORBA naming service) by Patrik
  - informix.lua (Informix database) by Patrik
  - iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
  - nrpc.lua (Lotus Domino RPC) by Patrik
  - rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
  - tns.lua (Oracle) by Patrik
  - upnp.lua (UPnP support) by Thomas Buchanan and Patrik
  - vnc.lua (Virtual Network Computing) by Patrik
  - wsdd.lua (Web Service Dynamic Discovery) by Patrik
· [NSE] Added a new brute library that provides a basic framework and logic for brute force password auditing scripts. [Patrik]
· [Zenmap] Greatly improved performance for large scans by benchmarking intensively and then recoding dozens of slow parts. Time taken to load our benchmark file (a scan of just over a million IPs belonging to Microsoft corporation, with 74,293 hosts up) was reduced from hours to less than two minutes. Memory consumption decreased dramatically as well. [David]
· Performed a major OS detection integration run. The database has grown more than 14% to 2,982 fingerprints and many of the existing fingerprints were improved. Highlights include Linux 2.6.37, iPhone OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4. David posted highlights of his integration work at http://seclists.org/nmap-dev/2010/q4/651
· Performed a huge version detection integration run. The number of signatures has grown by more than 11% to 7,355. More than a third of our signatures are for http, but we also detect 743 other service protocols, from abc, acap, access-remote-pc, and achat to zenworks, zeo, and zmodem. David posted highlights at http://seclists.org/nmap-dev/2010/q4/761.
· [NSE] Added the target NSE library which allows scripts to add newly discovered targets to Nmap's scanning queue. This allows Nmap to support a wide range of target acquisition techniques. Scripts which can now use this feature include dns-zone-transfer, hostmap, ms-sql-info, snmp-interfaces, targets-traceroute, and several more. [Djalal]
· [NSE] Nmap has two new NSE script scanning phases. The new pre-scan occurs before Nmap starts scanning. Some of the initial pre-scan scripts use techniques like broadcast DNS service discovery or DNS zone transfers to enumerate hosts which can optionally be treated as targets. The other phase (post scan) runs after all of Nmap's scanning is complete. We don't have any of these scripts yet, but they could compile scan statistics or present the results in a different way. One idea is a reverse index which provides a list of services discovered during a network scan, along with a list of IPs found to be running each service. See http://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]
· [NSE] A new --script-help option describes all scripts matching a given specification. It accepts the same specification format as --script does. For example, try 'nmap --script-help "default or http-*"'. [David, Martin Holst Swende]
· Dramatically improved nmap.xsl (used for converting Nmap XML output to HTML). In particular:
  - Put verbose details behind expander buttons so you can see them if you want, but they don't distract from the main output. In particular, offline hosts and traceroute results are collapsed by default.
  - Improved the color scheme to be less garish.
  - Added support for the new NSE pre-scan and post-scan phases.
  - Changed script output to use 'pre' tags to keep even lengthy output readable.
  - Added a floating menu to the lower-right for toggling whether closed/filtered ports are shown or not (they are now hidden by default if Javascript is enabled).
  Many smaller improvements were made as well. You can find the new file at http://nmap.org/svn/docs/nmap.xsl, and here is an example scan processed through it: http://nmap.org/tmp/newxsl.html. [Tom]
· [NSE] Created a new "broadcast" script category for the broadcast-* scripts. These perform network discovery by broadcasting on the local network and listening for responses. Since they don't directly relate to targets specified on the command line, these are kept out of the default category (nor do they go in "discovery").
· Integrated cracked passwords from the Gawker.com compromise (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000 password database. A team of Nmap developers led by Brandon Enright has cracked 635,546 out of 748,081 password hashes so far (85%). Gawker doesn't exactly have the most sophisticated users on the Internet--their top passwords are "123456", "password", "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey", "111111", "consumer", and "letmein".
· XML output now excludes output for down hosts when only doing host discovery, unless verbosity (-v) was requested. This is how it already worked for normal scans, but the ping-only case was overlooked. [David]
· Updated the Windows build process to work with (and require) Visual C++ 2010 rather than 2008. If you want to build Zenmap too, you now need Python 2.7 (rather than 2.6) and GTK+ 2.22. See http://nmap.org/book/inst-windows.html#inst-win-source [David, Rob Nicholls, KX]
· Merged port names in the nmap-services file with allocated names from the IANA (http://www.iana.org/assignments/port-numbers). We only added IANA names which were "unknown" in our file--we didn't deal with conflicting names. [David]
· Enabled the ASLR and DEP security technologies for Nmap.exe, Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will set the /DYNAMICBASE and /NXCOMPAT flags in the PE header. Executables generated using py2exe or NSIS and third party binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support for DEP on XP SP3, using SetProcessDEPPolicy(), could still be implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]
· Investigated using the CPE (Common Platform Enumeration) standard for describing operating systems, devices, and service names for Nmap OS and service detection. You can read David's reports at http://seclists.org/nmap-dev/2010/q3/278 and http://seclists.org/nmap-dev/2010/q3/303.
· [Zenmap] Improved the output viewer to show new output in constant time. Previously it would get slower and slower as the output grew longer, eventually making Zenmap appear to freeze with 100% CPU. Rob Nicholls and Ray Middleton helped with testing. [David]
· The Linux RPM builds of Nmap and related tools (ncat, nping, etc.) now link to system libraries dynamically rather than statically. They still link statically to dependency libraries such as OpenSSL, Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so the RPMs will work on distributions with older software (like RHEL, Debian stable) as well as more bleeding edge ones like Fedora. [David]
· [NSE] Added the ability to send and receive on unconnected sockets. This can be used, for example, to receive UDP broadcasts without having to use Libpcap. A number of scripts have been changed so that they can work as prerule scripts to discover services by UDP broadcasting, and optionally add the discovered targets to the scanning queue:
  - ms-sql-info
  - upnp-info
  - dns-service-discovery
  The nmap.new_socket function can now optionally take a default protocol and address family, which will be used if the socket is not connected. There is a new nmap.sendto function to be used with unconnected UDP sockets. [David, Patrik]
· [Nping] Substantially improved the Nping man page. You can read it online at http://nmap.org/book/nping-man.html. [Luis, David]
· Documented the licenses of the third-party software used by Nmap and its sibling tools: http://nmap.org/svn/docs/3rd-party-licenses.txt. [David]
· [NSE] Improved the SMB scripts so that they can run in parallel rather than using a mutex to force serialization. This quadrupled the SMB scan speed in one large scale test. See http://seclists.org/nmap-dev/2010/q3/819. [Ron]
· Added a simple Nmap NSE script template to make writing new scripts easier: http://nmap.org/svn/docs/sample-script.nse. [Ron]
· [Zenmap] Made the topology node radiuses grow logarithmically instead of linearly, so that hosts with thousands of open ports don't overwhelm the diagram. Also only open ports (not open|filtered) are considered when calculating node sizes. Henri Doreau found and fixed a bug in the implementation. [Daniel Miller]
· [NSE] Added the get_script_args NSE function for parsing script arguments in a clean and standardized way (http://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]
· Increased the initial RTT timeout for ARP scans from 100 ms to 200 ms. Some wireless and VPN links were taking around 300 ms to respond. The default of one retransmission gives them 400 ms to be detected.
· Added new version detection probes and signatures from Patrik for:
  - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
  - IBM Informix Dynamic Server running the native protocol (shows hostname and file path)
  - Database servers running the DRDA protocol
  - IBM WebSphere MQ (shows name of queue-manager and channel)
· Fix Nmap compilation on OpenSolaris (see http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on) [David]
· [NSE] The http library's request functions now accept an additional "auth" table within the option table, which causes Basic authentication credentials to be sent. [David]
· Improved IPv6 host output in that we now remember and report the forward DNS name (given by the user) and any non-scanned addresses (usually because of round robin DNS). We already did this for IPv4. [David]
· [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation messages about gtk.Tooltip. [Rob Nicholls]
· [NSE] Made dns-zone-transfer script able to add new discovered DNS records to the Nmap scanning queue. [Djalal]
· [NSE] Enhanced ssl-cert to also report the type and bit size of SSL certificate public keys. [Matt Selsky]
· [Ncat] Make --exec and --idle-timeout work when connecting with --proxy. Florian Roth reported the bug. [David]
· [Nping] Fixed a bug which caused Nping to fail when targeting broadcast addresses (see http://seclists.org/nmap-dev/2010/q3/752). [Luis]
· [Nping] Nping now limits concurrent open file descriptors properly based on the resources available on the host (see http://seclists.org/nmap-dev/2010/q4/2). [Luis]
· [NSE] Improved ssh2's kex_init() parameters: all of the algorithm and language lists can be set using new keys in the "options" table argument. These all default to the same value used before. Also, the required "cookie" argument is now replaced by an optional "cookie" key in the "options" table, defaulting to random bytes as suggested by the RFC. [Kris]
· Ncat now logs Nsock debug output to stderr instead of stdout for consistency with its other debug messages. [David]
· [NSE] Added a new function, shortport.http, for HTTP script portrules and changed 14 scripts to use it. [David]
· Updated to the latest config.guess and config.sub. Thanks to Ty Miller for a reminder. [David]
· [NSE] Added prerule support to snmp-interfaces and the ability to add the remote host's interface addresses to the scanning queue. The new script arguments used for this functionality are "host" (required) and "port" (optional). [Kris]
· Fixed some inconsistencies in nmap-os-db and a small memory leak that would happen where there was more than one round of OS detection. These were reported by Xavier Sudre from netVigilance. [David]
· [NSE] Fixed a bug with worker threads calling the wrong destructors. Fixing this allows better parallelism in http-brute.nse. The problem was reported by Patrik Karlsson. [David, Patrick]
· Upgraded the OpenSSL binaries shipped in our Windows installer to version 1.0.0a. [David]
· [NSE] Added prerule support to the dns-zone-transfer script, allowing it to run early to discover IPs from DNS records and optionally add those IPs to Nmap's target queue. You must specify the DNS server and domain name to use with script arguments. [Djalal]
· Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with a struct of the same name in . This caused a compilation error when Nmap was compiled with an OpenSSL that had SCTP support. [Olli Hauer, Daniel Roethlisberger]
· [NSE] Implemented a big cleanup of the Nmap NSE Nsock library binding code. [Patrick]
· Added a bunch of Apple and Netatalk AFP service detection signatures. These often provide extra details such as whether the target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]
· [NSE] Host tables now have a host.traceroute member available when --traceroute is used. This array contains the IP address, reverse DNS name, and RTT for each traceroute hop. [Henri Doreau]
· [NSE] Made the ftp-anon script return a directory listing when anonymous login is allowed. [Gutek, David]
· [NSE] Added the nmap.resolve() function. It takes a host name and optionally an address family (such as "inet") and returns a table containing all of its matching addresses. If no address family is specified, all addresses for the name are returned. [Kris]
· [NSE] Added the nmap.address_family() function which returns the address family Nmap is using as a string (e.g., "inet6" is returned if Nmap is called with the -6 option). [Kris]
· [NSE] Scripts can now access the MTU of the host.interface device using host.interface_mtu. [Kris]
· Restrict the default Windows DLL search path by removing the current directory. This adds extra protection against DLL hijacking attacks, especially if we were to add file type associations to Nmap in the future. We implement this with the SetDllDirectory function when available (Windows XP SP1 and later). Otherwise, we call SetCurrentDirectory with the directory containing the executable. [David]
· Nmap now prints the MTU for interfaces in --iflist output. [Kris]
· [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x no longer supports. [Alexandru]
· [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and Nmap NSE, allowing them to connect to servers which run multiple SSL websites on one IP address. To enable this for NSE, the nmap.connect function has been changed to accept host and port tables (like those provided to the action function) in place of a string and a number. [David]
· [NSE] Renamed the db2-info and db2-brute scripts to drda-*. Added support for other DRDA-based databases such as IBM Informix Dynamic Server and Apache Derby. [Patrik]
· [Nsock] Added a new function, nsi_set_hostname, to set the intended hostname of the target. This allows the use of Server Name Indication in SSL connections. [David]
· [NSE] Limited the number of ports that qscan will scan (now up to 8 open ports and up to 1 closed port by default). These limits can be controlled with the qscan.numopen and qscan.numclosed script arguments. [David]
· [NSE] Made sslv2.nse give special output when SSLv2 is supported, but no SSLv2 ciphers are offered. This happened with a specific Sendmail configuration. [Matt Selsky]
· [NSE] Added a "times" table to the host table passed to scripts. This table contains Nmap's timing data (srtt, the smoothed round trip time; rttvar, the rtt variance; and timeout), all represented as floating-point seconds. The ipidseq and qscan scripts were updated to utilize the host's timeout value rather than using a conservative guess of 3 seconds for read timeouts. [Kris]
· Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping), which were improperly sending whole packets in version 5.35DC1. [Kris]
· [NSE] When receiving raw packets from Pcap, the packet capture time is now available to scripts as an additional return value from pcap_receive(). It is returned as the floating point number of seconds since the epoch. Also added the nmap.clock() function which returns the current time (and convenience functions clock_ms() and clock_us()). Qscan.nse was updated to use this more accurate timing data. [Kris]
· [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch source code analyzer (http://smatch.sourceforge.net/). [David]
· [Zenmap] Fixed a crash that would happen after opening the search window, entering a relative date criterion such as "after:-7", and then clicking the "Expressions" button. The error message was AttributeError: 'tuple' object has no attribute 'strftime' [David]
· Added a new packet payload--a NAT-PMP external address request for port 5351/udp. Payloads help us elicit responses from listening UDP services to better distinguish them from filtered ports. This payload goes well with our new nat-pmp-info script. [David, Patrik]
· Updated IANA IP address space assignment list for random IP (-iR) generation. [Kris]
· [Ncat] Ncat now uses case-insensitive string comparison when checking authentication schemes and parameters. Florian Roth found a server offering "BASIC" instead of "Basic", and the HTTP RFC requires case-insensitive comparisons in most places. [David]
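The following Python is an added example (not Ncat's code) of the comparison the entry above describes: it parses Proxy-Authenticate/WWW-Authenticate challenge values into a scheme and its parameters and selects a supported scheme by case-insensitive match, so a server that offers "BASIC" is handled the same as one that offers "Basic". The challenge strings used below are constructed.

```python
"""Parse HTTP auth challenges and pick a scheme case-insensitively (added example)."""
import re

# RFC 2616 token characters; scheme names and parameter names are tokens.
_TOKEN = r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+"
# name=value, where value is a quoted-string (with backslash escapes) or a token.
_PARAM = re.compile(r'(%s)\s*=\s*(?:"((?:[^"\\]|\\.)*)"|(%s))' % (_TOKEN, _TOKEN))


def parse_challenge(value):
    """Split one challenge such as 'Basic realm="x"' into (scheme, {name: value}).

    Parameter names are lower-cased because they, too, are case-insensitive.
    """
    m = re.match(r"\s*(%s)\s*" % _TOKEN, value)
    if not m:
        raise ValueError("no auth scheme in %r" % value)
    scheme = m.group(1)
    params = {}
    for name, quoted, bare in _PARAM.findall(value[m.end():]):
        # A quoted-string may be empty; a token never is.
        params[name.lower()] = bare if bare else re.sub(r"\\(.)", r"\1", quoted)
    return scheme, params


def choose_scheme(header_values, supported=("Basic", "Digest")):
    """Return (canonical scheme name, params) for the first challenge we support.

    'BASIC', 'basic' and 'Basic' all select 'Basic'. None means nothing usable.
    """
    wanted = {s.lower(): s for s in supported}
    for value in header_values:
        scheme, params = parse_challenge(value)
        if scheme.lower() in wanted:
            return wanted[scheme.lower()], params
    return None


# Constructed sample: one Proxy-Authenticate header per challenge, as a proxy
# might send them, with the scheme spelled in upper case.
SAMPLE_HEADERS = ['NTLM', 'BASIC realm="Squid proxy-caching web server"']
```

With a case-sensitive check (scheme == "Basic"), the second sample header would be rejected and the client would report that no supported scheme was offered, which is exactly the failure Florian Roth observed.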
· [NSE] There is now a limit of 1,000 concurrent running scripts, instituted to keep memory under control when there are many open ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE crash) for one host with tens of thousands of open ports. This limit can be controlled with the variable CONCURRENCY_LIMIT in nse_main.lua. [David]
· The command line in XML output (/nmaprun/@args attribute) now does quoting of whitespace using double quotes and backslashes. This allows recovering the original command line array even when arguments contain whitespace. [David]
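As an added example (not Nmap's own code), the following Python recovers the original argument vector from the args attribute of the nmaprun element. It assumes the convention the entry describes: an argument containing whitespace is wrapped in double quotes and, inside the quotes, a literal double quote or backslash is preceded by a backslash; everything outside quotes is literal. The inverse routine is included so the round trip can be checked. The sample nmaprun element is constructed.

```python
"""Recover argv from the /nmaprun/@args attribute (added example, assumed quoting)."""
import xml.etree.ElementTree as ET

# Constructed sample. &quot; is XML attribute escaping; the backslashes inside the
# attribute value are the args-quoting layer this example decodes.
SAMPLE_XML = (
    '<nmaprun scanner="nmap" args="nmap -sV --script &quot;default or http-*&quot; '
    '--script-args &quot;http.useragent=\\&quot;NSE 1.0\\&quot;&quot; '
    '-oX &quot;C:\\\\scan results\\\\out.xml&quot; scanme.nmap.org" />'
)


def split_xml_args(args):
    """Split an args string back into a list of arguments.

    Assumed rules: whitespace separates arguments outside double quotes; inside
    quotes a backslash escapes the next character (only " and \\ are expected).
    """
    argv, cur = [], []
    in_quote = escaped = have_token = False
    for ch in args:
        if escaped:                          # character after a backslash inside quotes
            cur.append(ch)
            escaped = False
        elif in_quote and ch == "\\":
            escaped = True
        elif ch == '"':
            in_quote = not in_quote
            have_token = True                # "" is a valid, empty argument
        elif ch.isspace() and not in_quote:
            if have_token:
                argv.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(ch)
            have_token = True
    if in_quote or escaped:
        raise ValueError("unterminated quoted argument in args attribute")
    if have_token:
        argv.append("".join(cur))
    return argv


def quote_argv(argv):
    """Inverse of split_xml_args under the same assumed convention."""
    out = []
    for a in argv:
        if a and not any(c.isspace() or c in '"\\' for c in a):
            out.append(a)
        else:
            out.append('"' + a.replace("\\", "\\\\").replace('"', '\\"') + '"')
    return " ".join(out)


def argv_from_nmaprun(xml_text):
    """Parse an Nmap XML document and return the recovered command line."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmaprun document")
    return split_xml_args(root.get("args", ""))
```

Note the two escaping layers: the XML parser turns &quot; back into a double quote first, and only then does the args-level unquoting run. A parser that applied the backslash rule outside quotes would corrupt unquoted Windows paths, which is why the example treats backslashes as literal there.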
· Added a service detection probe for master servers of Quake 3 and related games. [Toni Ruottu]
· [Zenmap] Updated French translation. [Henri Doreau]
· [Zenmap] Fixed a crash when printing a scan that had no output (like a scan made by command-line Nmap). Henri Doreau noticed the error. [David]
January 28th, 2010· [Zenmap] Added a workaround for a Ubuntu Python packaging idiosyncrasy. As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies self.prefix, a variable we use in the setup.py script. This would cause Zenmap to look in the wrong place for its configuration files, and show the dialog "Error creating the per-user configuration directory" with the specific error "[Errno 2] No such file or directory: '/usr/share/zenmap/config'".
· Fixed an error that occurred when UDP scan was combined with version scan. UDP ports would appear in the state "unknown" at the end of the scan, and in some cases an assertion failure would be raised. This was an unintended side effect of the memory use reduction changes in 5.20.
· [NSE] Did some simple bit-flipping on the nmap_service.exe program used by the smb-psexec script, to avoid its being falsely detected as malware. [Ron]
· [NSE] Fixed a bug in http.lua that could lead to an assertion failure. It happened when there was an error getting a response at the beginning of a batch in http.pipeline. The symptoms of the bug were:
    NSE: Received only 0 of 1 expected reponses.
    Decreasing max pipelined requests to 0.
    NSOCK (0.1870s) Write request for 0 bytes...
    nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
· [NSE] Restored the ability of http.head to return a body if the server returns one. This was lost in the http.lua overhaul from
January 23rd, 2010· Dramatically improved the version detection database, integrating 2,596 submissions that users contributed since February 3, 2009. More than a thousand signatures were added, bringing the total to 8,501. Many existing signatures were improved as well. Please keep those submissions and corrections coming! Nmap prints a submission URL and fingerprint when it receives responses it can't yet interpret.
· [NSE] Added a new script, oracle-sid-brute, which queries the Oracle TNS-listener for default instance/sid names. The SID enumeration list was prepared by Red Database security.
· [Ncat] The --ssl, --output, and --hex-dump options now work with exec and --sh-exec. Among other things, this allows you to make a program's I/O available over the network wrapped in SSL encryption for security. It is implemented by forking a separate process to handle network communications and relay the data to the sub-process. [Venkat, David]
· Nmap now tries to start the WinPcap NPF service on Windows if it is not already running. This is rare, since our WinPcap installer starts NPF running at system boot time by default. Because starting NPF requires administrator privileges, a UAC dialog for net.exe may appear on Windows Vista and Windows 7 before NPF is loaded. Once NPF is loaded, it generally stays loaded until you reboot or run "net stop npf". [David, Michael Pattrick]
· The Nmap Windows installer and our WinPcap installer now have an option /NPFSTARTUP=NO, which inhibits the installer from setting the WinPcap NPF service to start at system startup and at install time. This option only affects silent mode (/S) because existing GUI checkboxes allow you to configure this behavior during interactive installation. [David]
· [NSE] Replaced our runlevel system for managing the order of script execution with a much more powerful dependency system. This allows scripts to specify which other scripts they depend on (e.g. a brute force authentication script might depend on username enumeration scripts) and NSE manages the order. Dependencies only enforce ordering, they cannot pull in scripts which the user didn't specify.
· [Ncat] For compatibility with Hobbit's original Netcat, the -p option now works to set the listening port number in listen mode, so "ncat -l 123" can now be expressed as "ncat -l -p 123" too. [David]
· A new script argument, http.useragent, lets you modify the User-Agent header sent by NSE from its default of "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)". Set it to the empty string to disable the User-Agent entirely. [David, Tom Sellers, Jah]
· [Zenmap] The locale setting had been taken from the Windows locale which inadvertently made setting the locale with the LANG environment variable stop working. Now the LANG variable is examined first, and if that is not present, the system-wide setting is used. This change allows users to keep Zenmap in its original English (or any of Zenmap's other languages) even if their system is set to use a different locale. [David]
· [NSE] The http-favicon script is now better at finding "link rel=icon" tags in pages, and uses that icon in preference to favicon.ico if found. If the favicon.uri script arg is given, only that is tried. Meanwhile, a giant (10 million web servers) favicon scan by Brandon allowed us to add about 40 more of the most popular icons to the DB. [David, Brandon]
· [NSE] smb-psexec now works against Windows XP (as well as already-supported Win2K and Windows 2003). The solution involved changing the seemingly irrelevant PID field in the SMB packet.
· [NSE] Fixed a bug which kept the nselib/data/psexec subdirectory out of the Windows packages. We needed to add the /s and /e options to xcopy in our Visual C++ project file. [David]
· [NSE] Overhauled our http library to centralize HTTP parsing and make it more robust. The biggest user-visible change is that http.request goes back to returning a parsed result table rather than raw HTTP data. Also the http.pipeline function no longer accepts the no-longer-used "raw" option. [David]
· Fixed a bug in traceroute that could lead to a crash with the message "terminate called after throwing an instance of 'std::out_of_range' what(): bitset::test". It happened when the preliminary distance guess for a target was greater than 30, the size of an internal data structure. David and Brandon tracked down the problem.
· Fixed compilation of libdnet-stripped on platforms that don't have socklen_t. [Michael Pattrick]
· Added a service probe and match lines for the Logitech/SlimDevices SqueezeCenter music server. [Patrik Karlsson]
· Fixed the RTSPRequest version probe, which was accidentally modified to say "RTSP/2.0" rather than "RTSP/1.0" in 5.10BETA2. [Matt Selsky]
· [NSE] Our http library no longer allows cached responses from a GET request to be returned for a HEAD request. This could cause problems with at least the http-enum script. [David]
· Fixed a bug in the WinPcap installer: If the "Start the WinPcap service 'NPF' at startup" box was unchecked and the "Start the WinPcap service 'NPF' now" box was checked, the second checkbox would be ignored (the service would not be started now). [Rob Nicholls]
July 31st, 2009· [Zenmap] Merged the changes in the zenmap-filter branch to the main zenmap branch. Pressing Ctrl+L now brings up the filter interface for filtering out uninteresting hosts. Alternatively, the interface is accessible via the 'Filter Hosts' button. [Josh]
· [Ncat] In verbose mode, Ncat now prints the amount of traffic sent and received once the client connection is terminated, e.g. "Finished. 29 bytes sent, 24 bytes received." A few lines of code were added to Nsock for this, so that other Nsock-dependent applications can also use the traffic count. [Venkat]
· The ARP host discovery scan now filters ARP packets based on their target address field, not the destination address in the enclosing Ethernet frame. Some operating systems, including Windows 7 and Solaris 10, are known to at least sometimes send their ARP replies to the broadcast address, and Nmap wouldn't notice them. The symptom of this was that root scans wouldn't work ("Host seems down") but non-root scans would work. Thanks to Mike Calmus and Vijay Sankar for reporting the problem, and Marcus Haebler for suggesting the fix.
· The -fno-strict-aliasing option is now used unconditionally when using GCC. It was already this way, in effect, because a test against the GCC version number had its comparison reversed. Solar Designer reported the problem.
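The ARP filtering change two entries above, as an added example that is not Nmap's code: it builds two ARP replies, one delivered to our unicast MAC and one delivered to the Ethernet broadcast address the way Windows 7 and Solaris 10 sometimes do, then shows that a filter keyed on the Ethernet destination drops the second while a filter keyed on the ARP target hardware address accepts both. The assumption that the field compared is the ARP target hardware address, and the sample frames and addresses, are mine.

```python
"""Ethernet-destination vs. ARP-target-address filtering (added example)."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = "ff:ff:ff:ff:ff:ff"


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.split(":"))


def mac_str(b):
    return ":".join("%02x" % x for x in b)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(b):
    return ".".join(str(x) for x in b)


def build_arp_reply(eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP reply. eth_dst need not equal target_mac."""
    eth = struct.pack("!6s6sH", mac_bytes(eth_dst), mac_bytes(sender_mac), ETH_P_ARP)
    arp = struct.pack("!HHBBH6s4s6s4s", 1, 0x0800, 6, 4, ARP_REPLY,
                      mac_bytes(sender_mac), ip_bytes(sender_ip),
                      mac_bytes(target_mac), ip_bytes(target_ip))
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields as a dict, or None if this is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42:
        return None
    eth_dst, eth_src, etype = struct.unpack("!6s6sH", frame[:14])
    if etype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op, sha, spa, tha, tpa = struct.unpack(
        "!HHBBH6s4s6s4s", frame[14:42])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"eth_dst": mac_str(eth_dst), "eth_src": mac_str(eth_src), "op": op,
            "sender_mac": mac_str(sha), "sender_ip": ip_str(spa),
            "target_mac": mac_str(tha), "target_ip": ip_str(tpa)}


def old_filter(frame, our_mac):
    """Pre-fix behaviour: only frames whose Ethernet destination is our MAC."""
    p = parse_arp(frame)
    return p is not None and p["op"] == ARP_REPLY and p["eth_dst"] == our_mac


def new_filter(frame, our_mac):
    """Post-fix behaviour: replies whose ARP target hardware address is our MAC."""
    p = parse_arp(frame)
    return p is not None and p["op"] == ARP_REPLY and p["target_mac"] == our_mac


def hosts_up(frames, our_mac, flt):
    """Sender IPs of the replies a given filter lets through."""
    return sorted({parse_arp(f)["sender_ip"] for f in frames if flt(f, our_mac)})


OUR_MAC, OUR_IP = "00:11:22:33:44:55", "192.168.1.10"
# Constructed frames: a normal unicast reply, and a reply sent to the broadcast MAC.
UNICAST_REPLY = build_arp_reply(OUR_MAC, "aa:bb:cc:dd:ee:01", "192.168.1.20", OUR_MAC, OUR_IP)
BROADCAST_REPLY = build_arp_reply(BROADCAST, "aa:bb:cc:dd:ee:02", "192.168.1.30", OUR_MAC, OUR_IP)
```

In BPF terms the post-fix check is "arp and arp[18:4] = 0x00112233 and arp[22:2] = 0x4455" for the MAC above: the target hardware address occupies ARP bytes 18 to 23, so the Ethernet header is not consulted at all.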
· Nmap now prints a warning instead of a fatal error when the hardware address of an interface can't be found. This is the case for FireWire interfaces, which have a hardware address format not supported by libdnet. Thanks to Julian Berdych for the bug report. [David]
· Added the pjl-ready-message.nse script from Aaron Leininger. This script allows viewing and setting the message displayed by printers that support the Printer Job Language.
· The Ndiff man page was expanded with examples and sample output. [David]
· Made RPC grinding work from service detection again by changing the looked-for service name from "rpc" to "rpcbind", the name it has in nmap-service-probes. [David]
· Fixed a log_write call and a pfatal call to use a syntax which is safer from format strings bugs. This allows Nmap to build with the gcc -Wformat -Werror=format-security options. [Guillaume Rousse, Dmitry Levin]
· [Ndiff] Ndiff now shows changes in script output. [David]
· A bug in Nsock was fixed: On systems where a nonblocking connect could succeed immediately, connections that were requested to be tunnelled through SSL would actually be plain text. This could be verified with an Ncat client and server running on localhost. This was observed to happen with localhost connections on FreeBSD 7.2. Non-localhost connections were likely not affected. The bug was reported by Daniel Roethlisberger. [David]
· [NSE] Scripts that are listed by name with the --script option now have their verbosity level automatically increased by one. Many will print negative results ("no infection found") at a higher verbosity level. The idea is that if you ask for a script specifically, you are more interested in such results. [David, Patrick]
· [Ncat] When connecting through an HTTP proxy, Ncat now hides the proxy's response ("HTTP/1.0 200 OK" or whatever it may be). Before, if you retrieved a file through a proxy, it would have the "HTTP/1.0 200 OK" stuck to the top of it. To do this Ncat uses blocking sockets until the proxy negotiation is done; once it is successful, Nsock takes over for the rest of the connection. [Venkat]
· [Ncat] Fixed an error that would cause Ncat to use 100% CPU in broker mode after a client disconnected or a read error happened. [Kris, David]
· [Ncat] Ncat now prints a message like "Connection refused." by default when a socket error occurs. This used to require -v, but printing no message at all could make a failed connection look like success in a case like "ncat remote < short-file".
· [Ncat] Using --send-only in conjunction with the plain listen or broker modes now behaves as it should: nothing will be read from the network end. Ncat was simply discarding any data received. [Kris]
· [Ncat] Added additional test cases to the ncat/test/test-cmdline-split program and rewrote the cmdline_split function in ncat_posix.c [Josh Marlow]
· [Ncat] The --broker option now automatically implies --listen. [David]
· Added Apache JServe protocol version detection probe and signature from Tom Sellers. He submitted some other version detection patches as well.
· Added a test program, test/test-cmdline-split to test the cmdline_split function in test/test-cmdline-split in preparation for an eventual rewrite of cmdline_split [Josh Marlow].
· For some UDP ports, Nmap will now send a protocol-specific payload that is more likely to get a response than an empty packet is. This improves the effectiveness of probes to those ports for host discovery, and also makes an open port more likely to be classified open rather than open|filtered. The ports and payloads are defined in payload.cc. [David]
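The NAT-PMP payload entry above and this entry describe the same mechanism: a protocol-correct datagram that a listening service must answer, so that a reply proves the port open. As an added example that is not Nmap's code, the following Python builds the NAT-PMP external address request (RFC 6886: two bytes, version 0 and opcode 0) and decodes the 12-byte response. The sample response bytes are constructed; the probe() helper and its timeout are mine.

```python
"""NAT-PMP external-address request/response, the UDP payload for 5351/udp (added example)."""
import socket
import struct

NATPMP_PORT = 5351
NATPMP_VERSION = 0
OP_EXTERNAL_ADDRESS = 0
OP_RESPONSE_FLAG = 128           # responses set the high bit of the request opcode
RESULT_CODES = {0: "success", 1: "unsupported version", 2: "not authorized/refused",
                3: "network failure", 4: "out of resources", 5: "unsupported opcode"}


def external_address_request():
    """The whole payload: version 0, opcode 0."""
    return struct.pack("!BB", NATPMP_VERSION, OP_EXTERNAL_ADDRESS)


def parse_external_address_response(data):
    """Decode version, opcode, result code, seconds-since-epoch and external IPv4."""
    if len(data) < 12:
        raise ValueError("short NAT-PMP response (%d bytes)" % len(data))
    version, opcode, result, epoch, ext_ip = struct.unpack("!BBHI4s", data[:12])
    if version != NATPMP_VERSION:
        raise ValueError("unexpected NAT-PMP version %d" % version)
    if opcode != OP_RESPONSE_FLAG | OP_EXTERNAL_ADDRESS:
        raise ValueError("opcode %d is not an external-address response" % opcode)
    return {"result": result,
            "result_text": RESULT_CODES.get(result, "unknown"),
            "seconds_since_epoch": epoch,
            "external_ip": socket.inet_ntoa(ext_ip)}


def probe(host, timeout=2.0):
    """Send the request to a gateway; None means no answer (open|filtered, not open)."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(external_address_request(), (host, NATPMP_PORT))
        try:
            data, _ = s.recvfrom(64)
        except socket.timeout:
            return None
    return parse_external_address_response(data)


# Constructed sample response: success, gateway up 3600 s, external address 203.0.113.7.
SAMPLE_RESPONSE = bytes([0, 128, 0, 0]) + struct.pack("!I", 3600) + bytes([203, 0, 113, 7])
```

An empty datagram to 5351/udp gets no reply from a conforming gateway, so the port stays open|filtered; the two-byte request elicits the response above, which both marks the port open and yields the external address.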
· Fixed two memory leaks in ncat_posix.c and a bug where an open file was not being closed in libdnet-stripped/src/intf.c [Josh Marlow]
· Added a convenience top-level BSD makefile redirecting BSD make to GNU make on BSD systems. This should help prevent bogus error reports when users run "make" instead of "gmake" on BSD systems. [Daniel Roethlisberger]
· [Zenmap] Added support to zenmap for the SCTP options: -PY, -sY and -sZ, as well as making a comment in zenmapCore/NmapOptions.py on how to add new options. [Josh Marlow]
· The configure script now allows cross-compiling by assuming that libpcap is recent enough. Previously it would quit because a test program could not be run. libpcap will always be recent enough when the included copy is used. The patch was contributed by Mike Frysinger.
June 25th, 2009· [Zenmap] Fixed a display hanging problem on Mac OS X. This was done by adding gtk2 back to macports-1.8.0-universal.diff and removing the dependency on shared-mime-info so it doesn't expect /usr/share/mime files at runtime. Also included GDK pixbuf loaders statically rather than as external loadable modules. [David]
· Fixed a memory bug (access of freed memory) when loading exclude targets with --exclude. This was reported to occasionally cause a crash. Will Cladek reported the bug and contributed an initial patch. [David]
· Zenmap application icons were regenerated using the newer SVG representation of the Nmap eye. [David]
May 14th, 2009· Integrated all 1,156 of your OS detection submissions and your 50 corrections since January 8. Please keep them coming! The second generation OS detection DB has grown 14% to more than 2,000 fingerprints! That is more than we ever had with the first system. The 243 new fingerprints include Microsoft Windows 7 beta, Linux 2.6.28, and much more.
[Ncat] A whole lot of work was done by David to improve SSL security and functionality:
· Ncat now does certificate domain and trust validation against trusted certificate lists if you specify --ssl-verify.
· [Ncat] To enable SSL certificate verification on systems whose default trusted certificate stores aren't easily usable by OpenSSL, we install a set of certificates extracted from Windows in the file ca-bundle.crt. The trusted contents of this file are added to whatever default trusted certificates the operating system may provide. [David]
· Ncat now automatically generates a temporary keypair and certificate in memory when you request it to act as an SSL server but you don't specify your own key using --ssl-key and --ssl-cert options. [David]
· [Ncat] In SSL mode, Ncat now always uses secure connections, meaning that it uses only good ciphers and doesn't use SSLv2. Certificates can optionally be verified with the --ssl-verify and --ssl-trustfile options. Nsock provides the option of making SSL connections that prioritize either speed or security; Ncat uses security while version detection and NSE continue to use speed. [David]
· [NSE] Added Boolean operators for --script. You may now use "and", "or", and "not" combined with categories, filenames, and wildcarded filenames to match a set of files. Parenthetical subexpressions are allowed for precedence too. For example, you can now run: nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org
· [Ncat] The HTTP proxy server now works on Windows too. [David]
· [Zenmap] The command wizard has been removed. The profile editor has the same capabilities with a better interface that doesn't require clicking through many screens. The profile editor now has its own "Scan" button that lets you run an edited command line immediately without saving a new profile. The profile editor now comes up showing the current command rather than being blank. [David]
· [Zenmap] Added a small animated throbber which indicates that a scan is still running (similar in concept to the one in the upper-right corner of Firefox which animates while a page is loading). [David]
· Regenerate script.db to remove references to non-existent smb-check-vulns-2.nse. This caused the following error messages when people used the --script=all option: "nse_main.lua:319: smb-check-vulns-2.nse is not a file!" The script.db entries are now sorted again to make diffs easier to read. [David,Patrick]
· Fixed --script-update on Windows--it was adding bogus backslashes preceding file names in the generated script.db. The error message was also improved.
· The official Windows binaries are now compiled with MS Visual C++ 2008 Express Edition SP1 rather than the RTM version. We also now distribute the matching SP1 version of the MS runtime components (vcredist_x86.exe). A number of compiler warnings were fixed too. [Fyodor,David]
· Fixed a bug in the new NSE Lua core which caused it to round fractional runlevel values to the next integer. This could cause dependency problems for the smb-* scripts and others which rely on floating point runlevel values (e.g. that smb-brute at runlevel 0.5 will run before smb-system-info at the default runlevel of 1).
· The SEQ.CI OS detection test introduced in 4.85BETA4 now has some examples in nmap-os-db and has been assigned a MatchPoints value of 50. [David]
· [Ncat] When using --send-only, Ncat will now close the network connection and terminate after receiving EOF on standard input. This is useful for, say, piping a file to a remote ncat where you don't care to wait for any response. [Daniel Roethlisberger]
· [Ncat] Fix hostname resolution on BSD systems where a recently fixed libc bug caused getaddrinfo(3) to fail unless a socket type hint is provided. Patch originally provided by Hajimu Umemoto of FreeBSD. [Daniel Roethlisberger]
· [NSE] Fixed bug in the DNS library which caused the error message "nselib/dns.lua:54: 'for' limit must be a number". [Jah]
· Fixed Solaris 10 compilation by renaming a yield structure which conflicted with a yield function declared in unistd.h on that platform. [Pieter Bowman, Patrick]
· [Ncat] Minor code cleanup of Ncat memory allocation and string duplication calls. [Ithilgore]
· Fixed a bug which could cause -iR to only scan the first host group and then terminate prematurely. The problem related to the way hosts are counted by o.numhosts_scanned. [David]
· Fixed a bug in the su-to-zenmap.sh script so that, in the cases where it calls su, it uses the proper -c option rather than -C.
· Overhaul the NSE documentation "Usage and Examples" section and add many more examples: http://nmap.org/book/nse-usage.html [David]
· [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work around an assertion in Visual C++ in Debug mode. The isprint, isalpha, etc. functions from ctype.h assert that the value passed in lies within the range of unsigned char (or is EOF). When a signed char with a value of 128 or more (that is, a negative char) is passed in, it is sign-extended and cast to an unsigned int, making it a large positive number and failing the assertion.
· [NSE] Fixed a segmentation fault which could occur in scripts which use the NSE pcap library. The problem was reported by Lionel Cons and fixed by Patrick.
· [NSE] Port script start/finish debug messages now show the target port number as well as the host/IP. [Jah]
· Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
· [NSE] Fixed http.table_argument so that user-supplied HTTP headers are now properly sent in HTTP requests.
December 30th, 2008· A problem that caused OS detection to fail for most hosts in certain situations was fixed. It happened when sending raw Ethernet frames (by default on Windows or on other platforms with --send-eth) to hosts on a switched LAN. The destination MAC address was wrong for most targets. The symptom was that only one out of each scan group of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go to Michael Head for running tests and especially Trent Snyder for testing and finding the cause of the problem. [David]
· Fixed a division by zero error in the packet rate measuring code that could cause a display of infinity packets per second near the start of a scan. [Jah]
· Complete re-write of the marshalling logic for Microsoft RPC calls. [Ron Bowes]
· Added vulnerability checks for MS08-067 as well as an unfixed denial of service in the Windows 2000 registry service. [Ron Bowes]
· Zenmap now runs ndiff to do its "Compare Results" function. This completely replaces the old diff view. ndiff is now required to do comparisons in Zenmap. [David]
· Fixed a bug in the IP validation code which would have let a specially crafted reply sent from a host on the same LAN slip through and cause Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for the very detailed bug report. [Kris]
· [Zenmap] The crash reporter is more respectful of user privacy. It shows all the information that will be submitted so you can edit it to remove identifying information such as the name of your home directory. If you provide an email address the report will be marked private so it will not appear on the public bug tracker. [David]
· [Zenmap] Internationalization has been fixed [David]. Currently there are two partial translations:
· Brazilian Portuguese by Adriano Monteiro Marques
· German by Chris Leick
· [NSE] host.os table is now properly a 1 based array (was 0). [Patrick]
· [Zenmap] Zenmap now parses and records XSL stylesheet information from Nmap XML files, so files saved by Zenmap will be viewable in a web browser just like those produced by Nmap. [David]
· A possible Lua stack overflow in dns.lua was fixed. [David]
· The NSE registry now persists across host groups. [David]
· Added a script that checks for ms08-067-vulnerable hosts (smb-check-vulns.nse) using the smb nselib. [Ron Bowes]
· Added a Russian translation of the Nmap Reference Guide by Guz Alexander. We now have translations in 15 languages available from http://nmap.org/docs.html. More volunteer translators are welcome, as we are still missing some important languages (particularly German!). Translation instructions are available from that docs.html page.
· [Zenmap] Added a workaround for a crash
· GtkWarning: could not open display
· on Mac OS X 10.5. The problem is caused by setting the DISPLAY environment variable in one of your shell startup files; that shouldn't be done under 10.5 and removing it will make other X11-using applications work better. Zenmap will now handle the situation automatically. [David]
· http-auth.nse now properly checks for default authentication credentials. A bug prevented it from working before. [Vlatko Kosturjak]
· Renamed irc-zombie.nse to auth-spoof and improved its description and output a bit. [Fyodor]
· Most script names were changed to make them more consistent. [Fyodor, David]
· Removed ripeQuery.nse because we now have the much more robust whois.nse which handles all the major registries. [Fyodor]
· Removed showSSHVersion.nse. Its only real claim to fame was the ability to trick some SSH servers (including at least OpenSSH .3p2-9etch3) into not logging the connection. This trick doesn't seem to work with newer versions of OpenSSH, as my openssh-server-4.7p1-4.fc8 does log the connection. Without the stealth advantage, the script has no real benefit over version detection or the upcoming banner grabbing script. [Fyodor]
· NSE scripts that require a list of DNS servers (currently only ASN.nse) now work when IPv6 scanning. Previously it gave an error message: "Failed to send dns query. Response from dns.query(): 9". [Jah, David]
· [Zenmap] Added a simple workaround for a bug in PyXML (an add-on Python XML library) that caused a crash. The crash would happen when loading an XML file and looked like "KeyError: 0". [David]
· Removed some unnecessary "demo" category NSE scripts: echoTest, chargenTest, showHTTPVersion, and showSMTPVersion.nse. Moved daytimeTest from the "demo" category to "discovery". Removed showHTMLTitle from the "demo" category, but it remains in the "default" and "safe" categories. This leaves just showSSHVersion and SMTP_openrelay in the undocumented "demo" category. [Fyodor]
· A crash caused by an incorrect test condition was fixed. It would happen when running a ping scan other than a protocol ping, without debugging enabled, if an ICMP packet was received referring to a packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and Matt Castelein for reporting the problem. [David]
· [Zenmap] The keyboard shortcut for "Save to Directory" has been changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the usual paste shortcut [Jah, Michael].
· Nmap quits if you give a "backwards" port or protocol range like -p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]
· Fixed a bug which caused Nmap to infer an improper distance against some hosts when performing OS detection against a group whose distance varies between members. [David, Fyodor]
· Added a new NSE OpenSSL library with functions for multiprecision integer arithmetic, hashing, HMAC, symmetric encryption and symmetric decryption. [Sven]
· [Zenmap] Host information windows are now like any other windows, and will not become unclosable by having their controls offscreen. Thanks to Robert Mead for the bug report.
· showHTMLTitle.nse can now follow (non-standard) relative redirects, and may do a DNS lookup to find if the redirected-to host has the same IP address as the scanned host. [Jah]
· Enhanced the tohex() function in the NSE stdnse library to support strings and added options to control the formatting. [Sven]
· The http NSE module tries to deal with non-standards-compliant HTTP traffic, particularly responses in which the header fields are separated by plain LF rather than CRLF. [Jah, Sven]
· [Zenmap] The help function now properly converts the pathname of the local help file to a URL, for better compatibility with different web browsers. [David] This should fix the crash
· WindowsError: [Error 2] The system cannot find the file specified: 'file://C:\Program Files\Nmap\zenmap\share\zenmap\docs\help.html'
· The HTTP_open_proxy.nse script is updated to match Google Web Server's changed header field: "Server: gws" instead of "Server: GWS/". [Vlatko Kosturjak]
· Enhanced the ssh service detection signatures to properly detect protocol version 2 services. [Matt Selsky]
· [Zenmap] Nmap output is automatically scrolled. [David]
· Reduced memory consumption for some longer running scans by removing completed hosts from the lists after two minutes. These hosts are kept around in case there is a late response, but this draws the line on how long we wait and hence keep this information in memory. See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]
· XML output now contains the full path to nmap.xsl on Windows. The path is converted to a file:// URL to provide better compatibility across browsers. [Jah]
· Zenmap no longer outputs XML elements and attributes that are not in the Nmap XML DTD. This was done mostly by removing things from Zenmap's output, and adding a few new optional things to the Nmap DTD. A scan's profile name, host comments, and interactive text output are what were added to nmap.dtd. The .usr filename extension for saved Zenmap files is deprecated in favor of the .xml extension commonly used with Nmap. Because of these changes the xmloutputversion has been increased to 1.03. [David]
· Added the Ndiff utility, which compares the results of Nmap scans. See ndiff/README and http://nmap.org/ndiff/ for more information. [David]
· Fixed an integer overflow that could cause the scan delay to grow large for no reason in some circumstances. [David]
· Enhanced the AS Numbers script (ASN.nse) to better consolidate results and bail out if the DNS server doesn't support the ASN queries. [Jah]
· Made DNS timeouts in NSE dependent on the timing template [Jah]
· Added three new nselib modules: msrpc, netbios, and smb. As the names suggest, they contain common code for scripts using MSRPC, NetBIOS, and SMB. These modules allow scripts to extract a great deal of information from hosts running Windows, particularly Windows. New or updated scripts using the modules are:
· nbstat.nse: get NetBIOS names and MAC address.
· smb-enumdomains.nse: enumerate domains and policies.
· smb-enumsessions.nse: enumerate logins and SMB sessions.
· smb-enumshares.nse: enumerate network shares.
· smb-enumusers.nse: enumerate users and information about them.
· smb-os-discovery.nse: get operating system over SMB (replaces netbios-smb-os-discovery.nse).
· smb-security-mode.nse: determine if a host uses user-level or share-level security, and what other security features it supports.
· smb-serverstats.nse: grab statistics such as network traffic counts.
· smb-systeminfo.nse: get lots of information from the registry.
· [Ron Bowes]
· A script could be executed twice if it was given with the --script option, was also in the "version" category, and version detection (-sV) was requested. This has been fixed. [David]
· Fixed port number representation in some of Nmap's and all of Nsock's output. Incorrect conversion modifiers were being used which caused high ports to wrap around and be shown as negative values. [Kris]
· Upgraded the shipped libdnet to 1.12. [Kris]
· Upgraded the OpenSSL shipped for Windows to 0.9.8i. [Kris]
· The SSLv2-support NSE script no longer prints duplicate ciphers if they exist in the server's supported cipher list. [Kris]
· Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
September 11th, 2008· [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that referred to them. They are not needed with the new search interface. Also removed an unused search progress bar. And some broken fingerprint submission code.
· [Zenmap] Added "%F" to the Exec link in the new Zenmap desktop file. We expect (hope) that this will allow dragging and dropping XML files onto the icon.
· [Zenmap] The -o[XGASN] options can now be specified, just as you can at the console.
· [Zenmap] You can now shrink the scan window below its default size thanks to NmapOutputViewer code enhancements.
· [Zenmap] Removed optional use of the Psyco Python optimizer since Zenmap is not the kind of CPU-bound application which benefits from Psyco.
· [Zenmap] You can now select more than one host in the "Ports / Hosts" view by control-clicking them in the column at left.
· [Zenmap] The profile editor now offers the --traceroute option.
· Zenmap now uses Unicode objects pervasively when dealing with Nmap text output, though the only internationalized text Nmap currently outputs is the user's time zone.
· Unprintable characters in NSE script output (which really shouldn't happen anyway) are now printed like \xHH, where HH is the hexadecimal representation of the character.
· Nmap sometimes sent packets with incorrect IP checksums, particularly when sending the UDP probes in OS detection. This has been fixed. Thanks to Gisle Vanem for reporting and investigating the bug.
· Fixed the --without-liblua configure option so that it works again.
· In the interest of forward compatibility, the xmloutputversion attribute in Nmap XML output is no longer constrained to be a certain string ("1.02"). The xmloutputversion should be taken as merely advisory by authors of parsers.
· Zenmap no longer leaves any temporary files lying around.
· Nmap only prints an uptime guess in verbose mode now, because in some situations it can be very inaccurate.
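Two entries in this changelog touch the same piece of code: NSE output now prints unprintable bytes as \xHH, and hexify() in nse_nsock.cc was changed to take an unsigned char * so that the ctype functions are never handed a negative value. The block below is an added example written for this page; it is not Nmap's hexify() (its exact signature and output format are assumed here). It renders a byte buffer for display, escaping every byte outside printable ASCII as \xHH, and the comments explain why the buffer must be handled as unsigned char.

```c
#include <ctype.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Nmap's code.  Escape a byte buffer for display the
 * way the changelog describes: printable ASCII is copied through, any
 * other byte becomes \xHH.
 *
 * The buffer is handled as unsigned char.  With a plain (signed) char, a
 * byte such as 0x80 would reach isprint() as -128; the C standard only
 * defines the ctype functions for EOF and 0..UCHAR_MAX, and the Visual
 * C++ debug CRT asserts on anything else.  Promoting an unsigned value
 * keeps the argument in 0..255.
 *
 * Returns the number of characters written (excluding the NUL).  Output
 * is truncated, never overflowed, when outlen is too small.
 */
size_t hexify(const unsigned char *buf, size_t len, char *out, size_t outlen)
{
    size_t pos = 0;

    if (outlen == 0)
        return 0;

    for (size_t i = 0; i < len; i++) {
        unsigned char c = buf[i];

        /* isprint() is locale dependent; the explicit < 0x80 keeps the
           output pure ASCII even if a locale calls 0xE9 printable. */
        if (c < 0x80 && isprint(c)) {
            if (pos + 1 >= outlen)
                break;
            out[pos++] = (char)c;
        } else {
            if (pos + 4 >= outlen)          /* "\xHH" is 4 characters */
                break;
            snprintf(out + pos, outlen - pos, "\\x%02x", c);
            pos += 4;
        }
    }
    out[pos] = '\0';
    return pos;
}

/* Check helper: 1 if hexify() of buf produces exactly `expected`. */
int hexify_matches(const void *buf, size_t len, const char *expected)
{
    char out[256];

    hexify(buf, len, out, sizeof out);
    return strcmp(out, expected) == 0;
}

/* Check helper for truncation: the length hexify() reports when it is
   given only `outlen` bytes of output space. */
size_t hexify_len_with(const void *buf, size_t len, size_t outlen)
{
    char out[256];

    return hexify(buf, len, out, outlen < sizeof out ? outlen : sizeof out);
}

int main(void)
{
    /* Constructed sample: a banner fragment with a high-bit byte, a
       newline and a 0xff byte mixed in. */
    const unsigned char sample[] = { 'S', 'S', 'H', 0x80, '\n', 'z', 0xff };
    char out[64];

    hexify(sample, sizeof sample, out, sizeof out);
    puts(out);
    return 0;
}
```

The same rule applies to any code that passes bytes from the network into isprint(), isspace(), toupper() and friends: cast to unsigned char first, or the high-bit bytes an attacker controls become out-of-range negative arguments.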
July 23rd, 2008· Doug integrated all of your version detection submissions and corrections for the year up to May 31. There were more than 1,000 new submissions and 18 corrections. Please keep them coming! And don't forget that corrections are very important, so do submit them if you ever catch Nmap making a version detection or OS detection mistake. The version detection DB has grown to 5,054 signatures representing 486 service protocols. Protocols span the gamut from abc, acap, access-remote-pc, activefax, and activemq, to zebedee, zebra, zenimaging, and zenworks. The most popular protocols are http (1,672 signatures), telnet (519), ftp (459), smtp (344), and pop3 (201).
· Nmap compilation on Windows is now done with Visual C++ Express 2008 rather than 2005. Windows compilation instructions have been updated at http://nmap.org/book/inst-windows.html#inst-win-source . [Kris]
· The Nmap Windows self-installer now automatically installs the MS Visual C++ 2008 runtime components if they aren't already installed on a system. These are some reasonably small DLLs that are generally necessary for applications compiled with Visual C++ (with dynamic linking). Many or most systems already have these installed from other software packages. The lack of these components led to the error message "The Application failed to initialize properly (0xc0150002)." with Nmap 4.65. A related change is that Nmap on Windows is now compiled with /MD rather than /MT so that it consistently uses these runtime libraries. The patch was created by Rob Nicholls.
· Added advanced search functionality to Zenmap so that you can locate previous scans using criteria such as which ports were open, keywords in the target names, OS detection results, etc. Try it out with Ctrl-F or "Tools->Search Scan Results". [Vladimir]
· Nmap's special WinPcap installer now handles 64-bit Windows machines by installing the proper 64-bit npf.sys. [Rob Nicholls]
· Added a new NSE Comm (common communication) library for common network discovery tasks such as banner-grabbing (get_banner()) and making a quick exchange of data (exchange()). 16 scripts were updated to use this library. [Kris]
· The Nmap Scripting Engine now supports mutexes for gracefully handling concurrency issues. Mutexes are documented at http://nmap.org/book/nse-api.html#nse-mutex . [Patrick]
· Added a UDP SNMPv3 probe to version detection, along with 9 vendor match lines. The patch was from Tom Sellers, who contributed other probes and match lines to this release as well.
· Added a new timing_level() function to NSE which reports the Nmap timing level from 0 to 5, as set by the Nmap -T option. The default is 3. [Thomas Buchanan]
· Update the HTTP library to use the new timing_level functionality to set connection and response timeouts. An error preventing the new timing_level feature from working was also fixed. [Jah]
· Optimized the doAnyOutstandingProbes() function to make Nmap a bit faster and more efficient. This makes a particularly big difference in cases where --min-rate is being used to specify a very high packet sending rate. [David]
· Fixed an integer overflow which prevented a target specification of "*.*.*.*" from working. Support for the CIDR /0 is now also available for those times you wish to scan the entire Internet. [Kris]
· The robots.nse has been improved to print output more compactly and limit the number of entries of large robots.txt files based on Nmap verbosity and debugging levels. [Eddie Bell]
· The Nmap NSE scripts have been re-categorized in a more logical fashion. The new categories are described at http://nmap.org/book/nse-usage.html#nse-categories . [Kris]
· Improve AIX support by linking against -lodm and -lcfg on that platform. [David]
· Updated showHTMLTitle NSE script to follow one HTTP redirect if necessary as long as it is on the same server. [Jah]
· Michael Pattrick and David created a new OSassist application which streamlines the OS fingerprint submission integration process and prevents certain previously common errors. OSassist isn't part of Nmap, but the system was used to integrate some submissions for this release. 13 fingerprints were added during OSassist testing, and some existing fingerprints were improved as well. Expect many more fingerprints coming soon.
· Improved the mapping from dnet device names (like eth0) and WinPcap names (like \Device\NPF_{28700713...}). You can see this mapping with --iflist, and the change should make Nmap more likely to work on Windows machines with unusual networking configurations. [David]
· Service fingerprints in XML output are no longer truncated to 2kb. [Michael]
· Some laptops report the IP Family as NULL for disabled WiFi cards. This could lead to a crash with the "sin->sin_family == AF_INET6" assertion failure. Nmap no longer quits when this is encountered. [Michael]
· On systems without the GNU getopt_long_only() function, Nmap has its own replacement. That replacement used to call the system's getopt() function if it exists. But the AIX and Solaris getopt() functions proved insufficient/buggy, so Nmap now always calls its own internal getopt() from its getopt_long_only() replacement. [David]
· Integrated several service match lines from Tom Sellers.
· An error was fixed where Zenmap would crash when trying to load from the recent scans database a file containing non-ASCII characters. The error looked like
· pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column 'nmap_xml_output' with text '
· TargetName() from Nmap proper and host.targetname from NSE scripts. The NSE HTTP library now uses this for the Host header. Thanks to Sven Klemm for adding this useful feature.
· Added NSE HTTP library which allows scripts to easily fetch URLs with http.get_url() or create more complex requests with http.request(). There is also an http.get() function which takes components (hostname, port, and path) rather than a URL. The HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to use this library. Sven Klemm wrote all of this code.
· Fixed an integer overflow in the DNS caching code that caused nmap to loop infinitely once it began expunging the cache of older entries. Thanks to David Moore for the report, and Eddie Bell for the fix.
· Fixed another integer overflow in the DNS caching code which caused infinite loops. [David]
· Added IPv6 host support to the RPC scan. Attempting this before (via -sV) caused a segmentation fault. Thanks to Will Cladek for the report. [Kris]
· Fixed an event handling bug in NSE that could cause execution of some in-progress scripts to be excessively delayed. [Marek]
· A new NSE table library (tab.lua) allows scripts to deliver better formatted output. The Zone transfer script (zoneTrans.nse) has been updated to use this new facility. [Eddie]
· Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to do some much-needed cleaning up. [Kris]
· Added a new MsSQL version detection probe and a bunch of match lines developed by Tom Sellers.
· Added a new service detection probe and signatures for the memcached service [Doug]
· Added new service detection probes and signatures for the Beast Trojan and Firebird RDBMS. [Brandon Enright]
· Fixed a crash in Zenmap which occurred when attempting to edit or create a new profile based on an existing one when there wasn't one selected. The error message was:
· 'NoneType' object has no attribute 'toolbar'
· Now a new Profile Editor is opened. Thanks to D1N (d1n@inbox.com) for the report. [Kris]
· Fixed another crash in Zenmap which occurred when exiting the Profile Editor (while editing an existing profile) by clicking the "X", then going to edit the same profile again. The error message was: "No option named '' found!". Now the same window that appears when clicking Cancel comes up when clicking "X". Thanks to David for reporting this bug. [Kris]
· Another Zenmap bug was fixed: ports consolidated into "extra ports" groups are now counted and shown in the "Host Details" tab. The closed, filtered and scanned port counts in this tab didn't contain this information before so they were usually very inaccurate. [Kris]
· Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay buttons ("amount of time between probes") under the Advanced tab in the Profile Editor were backwards. [Kris]
· Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile Editor and Command Wizard. [Kris]
· Reordered the UDP port selection for Traceroute: a closed port is now chosen before an open one. This is because an open UDP port is usually due to running version detection (-sV), so a Traceroute probe wouldn't elicit a response. [Kris]
· Add Famtech Radmin remote control software probe and signatures to the Nmap version detection DB. [Tom Sellers, Fyodor]
· Add "Connection: Close" header to requests from HTTP NSE scripts so that they finish faster. [Sven Klemm]
· Update SSLv2-support NSE script to run against more services which are likely SSL. [Sven Klemm]
· A bunch of service name canonicalization was done in the Nmap version detection file by Brandon Enright (e.g. capitalizing D-Link and Netgear consistently).
· Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
· Updated to latest (as of 3/15) autoconf config.sub/config.guess files from http://cvs.savannah.gnu.org/viewvc/config/?root=config .
· We now escape newlines, carriage returns, and tabs (&#xa;, &#xd;, and &#x9;) in XML output. While those are allowed in XML attributes, they get normalized, which can make formatting the output difficult for applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
· The Zenmap man page is now installed on Unix when "make install" is run. This was supposed to work before, but didn't. [Kris]
· Fixed a man page bug related to our DocBook to Nroff translation software producing incorrect Nroff output. The man page no longer uses the ".nse" string which was being confused with the Nroff no-space mode command. [Fyodor]
· Fixed a bug in which some NSE error messages were improperly escaped so that a message including "c:\nmap" would end up with a newline between "c:" and "map".
· Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
· The DocBook XML source code to the Nmap Scripting Engine docs (http://nmap.org/nse/) is now in SVN under docs/scripting.xml .
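The "*.*.*.*" / CIDR /0 entry above is a textbook 32-bit overflow: a /0 contains 2^32 addresses, one more than a uint32_t can hold, and the shift 1u << 32 is undefined behaviour in C. The block below is an added example written for this page, not Nmap's target-parsing code. It parses an IPv4 address with an optional /prefix (wildcard octets are not handled) and computes the network base and host count in 64-bit arithmetic so that /0 works. The function names and the choice to treat a bare address as /32 are assumptions of the example.

```c
#include <stdint.h>
#include <stdio.h>

/*
 * Added example, not Nmap's code.  Parse "a.b.c.d" or "a.b.c.d/bits"
 * and return the first address of the block and the number of hosts
 * in it.  The host count is a 64-bit value: a /0 holds 2^32 addresses,
 * which does not fit in uint32_t, and 1u << 32 is undefined behaviour
 * in C (on x86 it typically evaluates to 1, so the block looks like a
 * single host and the scan silently does nothing useful).
 *
 * Returns 0 on success, -1 on a malformed spec.
 */
int parse_ipv4_cidr(const char *spec, uint32_t *first, uint64_t *count)
{
    unsigned a, b, c, d, bits = 32;
    int consumed = 0;

    if (sscanf(spec, "%u.%u.%u.%u%n", &a, &b, &c, &d, &consumed) != 4)
        return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return -1;

    const char *rest = spec + consumed;
    if (*rest == '/') {
        char trailing;
        /* "%u%c" returning 2 means junk after the prefix length. */
        if (sscanf(rest + 1, "%u%c", &bits, &trailing) != 1 || bits > 32)
            return -1;
    } else if (*rest != '\0') {
        return -1;
    }

    uint32_t addr = ((uint32_t)a << 24) | ((uint32_t)b << 16) |
                    ((uint32_t)c << 8) | (uint32_t)d;

    /* Both operations are on 64-bit operands, so /0 is well defined:
       hosts = 2^32 and mask = 0. */
    uint64_t hosts = (uint64_t)1 << (32 - bits);
    uint64_t mask  = (hosts - 1) ^ 0xFFFFFFFFull;

    *first = addr & (uint32_t)mask;
    *count = hosts;
    return 0;
}

/* Check helpers: host count (0 on parse failure) and network base
   (0xFFFFFFFF on parse failure). */
uint64_t cidr_host_count(const char *spec)
{
    uint32_t first;
    uint64_t count;

    return parse_ipv4_cidr(spec, &first, &count) == 0 ? count : 0;
}

uint32_t cidr_first_addr(const char *spec)
{
    uint32_t first;
    uint64_t count;

    return parse_ipv4_cidr(spec, &first, &count) == 0 ? first : 0xFFFFFFFFu;
}

int main(void)
{
    /* Constructed sample target specifications. */
    const char *specs[] = { "192.168.1.77/24", "10.0.0.0/8", "0.0.0.0/0",
                            "1.2.3.4", "1.2.3.4/33" };
    int i;

    for (i = 0; i < 5; i++) {
        uint32_t first;
        uint64_t count;

        if (parse_ipv4_cidr(specs[i], &first, &count) == 0)
            printf("%-16s base %08x hosts %llu\n", specs[i],
                   (unsigned)first, (unsigned long long)count);
        else
            printf("%-16s rejected\n", specs[i]);
    }
    return 0;
}
```

The same width problem bites the loop that walks the block: for (uint32_t ip = first; ip <= last; ip++) never terminates when last is 255.255.255.255, because ip wraps to 0 after the last iteration. Iterating on the 64-bit count, or on first + i for i below count, avoids that.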
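The XML escaping entry above (newlines, carriage returns and tabs written as character references) is worth a concrete illustration, because the same code path is where output injection into Nmap XML would happen: a service banner or reverse-DNS name containing a quote or an angle bracket that reaches an attribute unescaped can break, or rewrite, the document that a downstream parser consumes. The block below is an added example written for this page, not Nmap's own XML output code (the function name is an assumption). It escapes a string for a double-quoted attribute value: the predefined entities stop injection, and the numeric references keep whitespace from being collapsed by attribute-value normalization.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Added example, not Nmap's code.  Escape `in` for use inside a
 * double-quoted XML attribute.
 *
 *  - & < > " become the predefined entities, so attacker-controlled
 *    text cannot close the attribute or inject elements.
 *  - \n \r \t become &#xa; &#xd; &#x9;.  Literal whitespace in an
 *    attribute is subject to attribute-value normalization: a
 *    conforming parser turns each of them into a space before the
 *    application sees the value.  A character reference is exempt,
 *    so the original character survives a round trip.
 *  - Other C0 control bytes (0x00-0x1f except the three above) are
 *    not legal in XML 1.0 at all, not even as references, so they
 *    are dropped.  Apostrophes are fine inside double quotes.
 *
 * Returns the number of bytes written (excluding the NUL); output is
 * truncated rather than overflowed if outlen is too small.
 */
size_t xml_escape_attr(const char *in, char *out, size_t outlen)
{
    size_t pos = 0;

    if (outlen == 0)
        return 0;

    for (const unsigned char *p = (const unsigned char *)in; *p; p++) {
        const char *rep = NULL;

        switch (*p) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\n': rep = "&#xa;";  break;
        case '\r': rep = "&#xd;";  break;
        case '\t': rep = "&#x9;";  break;
        default:
            if (*p < 0x20)
                continue;           /* not representable in XML 1.0 */
            break;
        }

        size_t need = rep ? strlen(rep) : 1;
        if (pos + need >= outlen)   /* keep room for the NUL */
            break;
        if (rep)
            memcpy(out + pos, rep, need);
        else
            out[pos] = (char)*p;
        pos += need;
    }
    out[pos] = '\0';
    return pos;
}

/* Check helper: 1 if escaping `in` yields exactly `expected`. */
int xml_escape_matches(const char *in, const char *expected)
{
    char out[512];

    xml_escape_attr(in, out, sizeof out);
    return strcmp(out, expected) == 0;
}

int main(void)
{
    /* Constructed sample banner, the kind a hostile service might send
       to try to break out of the attribute. */
    const char *banner = "220 mail\n\"><script>x&y\t";
    char out[256];

    xml_escape_attr(banner, out, sizeof out);
    printf("<service banner=\"%s\"/>\n", out);
    return 0;
}
```

Text content between tags needs only the & < > escapes, but reusing the attribute escaper there is harmless; the dangerous direction is the other one, using a text escaper for an attribute and leaving the quote unescaped.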