Nmap Changelog

What's new in Nmap 7.95

Apr 24, 2024
  • [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.75 to the latest version 1.79. It includes many performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
  • Integrated over 4000 IPv4 OS fingerprints submitted since June 2020. Added 336 fingerprints, bringing the new total to 6036. Additions include iOS 15 & 16, macOS Ventura & Monterey, Linux 6.1, OpenBSD 7.1, and lwIP 2.2.
  • Integrated over 2500 service/version detection fingerprints submitted since June 2020. The signature count went up 1.4% to 12089, including 9 new softmatches. We now detect 1246 protocols, including new additions of grpc, mysqlx, essnet, remotemouse, and tuya.
  • [NSE] Four new scripts from the DINA community (https://github.com/DINA-community) for querying industrial control systems:
      • hartip-info reads device information from devices using the Highway Addressable Remote Transducer protocol
      • iec61850-mms queries devices using Manufacturing Message Specification requests. [Dennis Rösch, Max Helbig]
      • multicast-profinet-discovery sends a multicast PROFINET DCP Identify All message and prints the responses. [Stefan Eiwanger, DINA-community]
      • profinet-cm-lookup queries the DCERPC endpoint mapper exposed via the PNIO-CM service.
  • Upgraded included libraries: Lua 5.4.6, libpcre2 10.43, zlib 1.3.1, libssh2 1.11.0, liblinear 2.47
  • [GH#2639] Upgraded OpenSSL binaries (for the Windows builds and for RPMs) to version 3.0.13. CVEs resolved in this update include only 2 moderate-severity issues which we do not believe affect Nmap: CVE-2023-5363 and CVE-2023-2650
  • [Zenmap][Ndiff][GH#2649] Zenmap and Ndiff now use setuptools, not distutils, for packaging.
  • [Ncat][GH#2685] Fixed Ncat UDP server mode to not quit after EOF on stdin. Reported as Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1039613
  • [GH#2672] Fixed an issue where TCP Connect scan (-sT) on Windows would fail to open any sockets, leading to scans that never finish. [Daniel Miller]
  • [NSE] ssh-auth-methods will now print the pre-authentication banner text when available. Requires libssh2 1.11.0 or later. [Daniel Miller]
  • [Zenmap][GH#2739] Fix a crash in Zenmap when changing a host comment.
  • [NSE][GH#2766] Fix TLS 1.2 signature algorithms for EdDSA. [Daniel Roethlisberger]
  • [Zenmap][GH#2706] RPM spec files now correctly require the python3 package, not python>=3
  • Improvements to OS detection fingerprint matching, including a syntax change for nmap-os-db that allows ranges within the TCP Options string. This leads to more concise and maintainable fingerprints. [Daniel Miller]
  • Improved the OS detection engine by using a new source port for each retry. Scans from systems such as Windows that do not send RST for unsolicited SYN|ACK responses were previously unable to get a response in subsequent tries. [Daniel Miller]
  • Several profile-guided optimizations of the port scan engine. [Daniel Miller]
  • [GH#2731] Fix an out-of-bounds read which led to out-of-memory errors when duplicate addresses were used with --exclude
  • [GH#2609] Fixed a memory leak in Nsock: compiled pcap filters were not freed.
  • [GH#2658] Fixed a crash when using service name wildcards with -p, as in -p "http*"
  • [NSE] Fixed DNS TXT record parsing which caused asn-query to fail in Nmap 7.80 and later. [David Fifield, Mike Pattrick]
  • [NSE][GH#2727][GH#2728] Fixed packet size testing in KNX scripts [f0rw4rd]

New in Nmap 7.94 (May 21, 2023)

  • Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made this effort possible:
      • [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
      • [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
      • Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks to those who opened Python 3-related issues and pull requests: Eli Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa, Hasan Aliyev, and others.
  • [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.71 to the latest version 1.75. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
  • Nmap now prints vendor names based on MAC address for MA-L (24-bit), MA-M (28-bit), and MA-S (36-bit) registrations instead of the fixed 3-byte MAC prefix used previously for lookups. The longest matching registration wins, so a device in a 36-bit MA-S block is attributed to the licensee rather than to the holder of the enclosing 24-bit block.
  • Added partial silent-install support to the Nmap Windows installer. It previously didn't offer silent mode (/S) because the free/demo version of the Npcap Windows packet capturing driver that it needs and ships with doesn't include a silent installer. Now with the /S option, Nmap checks whether Npcap is already installed (either the free version or OEM) and will silently install itself if so. This is similar to how the Wireshark installer works and is particularly helpful for organizations that want to fully automate their Nmap (and Npcap) deployments. See https://nmap.org/nmap-silent-install for more details.
  • Lots of profile-guided memory and processing improvements for Nmap, including OS fingerprint matching, probe matching and retransmission lookups for large hostgroups, and service name lookups. Overhauled Nmap's string interning and several other startup-related procedures to speed up start times, especially for scans using OS detection. [Daniel Miller]
  • Integrated many of the most-submitted IPv4 OS fingerprints for recent versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints, bringing the new total to 5700!
  • [NSE][GH#548] Added the tftp-version script which requests a nonexistent file from a TFTP server and matches the error message to a database of known software. [Mak Kolybabi]
  • [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in listen mode with the --keep-open option. This also enables --broker and --chat via UDP. [Daniel Miller]
  • [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for RPMs) to version 3.0.8. This resolves some CVEs (CVE-2022-3602; CVE-2022-3786) which don't impact Nmap proper since it doesn't do certificate validation, but could possibly impact Ncat when the --ssl-verify option is used.
  • Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
  • [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL legacy provider failed to load." We actually already have the legacy provider built in to our OpenSSL builds, and that's why loading the external one fails.
  • [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same data source, nmap-service-probes, for data payloads. Previously, the nmap-payloads file was used for port scan. Port scan responses will be used to kick-start the version matching process. [Daniel Miller]
  • Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel, the same as it already does for TCP services with SSL/TLS encryption. The DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent sooner in the scan. [Daniel Miller]
  • [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming connections. [Daniel Miller]
  • [GH#1023] Handle Internationalized Domain Names (IDN), that is, names containing non-ASCII characters, on platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
  • [Ncat] Addressed an issue from the Debian bug tracker (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data received immediately after a SOCKS CONNECT response. Ncat can now be correctly used in the ProxyCommand option of OpenSSH.
  • Improved DNS domain name parsing to avoid recursion and enforce name length limits, avoiding a theoretical stack overflow issue with certain crafted DNS server responses (chains of compression pointers), reported by Philippe Antoine.
  • [GH#2338][NSE] Fix mpint packing in the ssh2 library, which was causing OpenSSH errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
  • [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
  • [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on Windows by avoiding a 125ms wait for every read from STDIN. [scriptjunkie]
  • [GH#1192][Windows] Periodically reset the system idle timer to keep the system from going to sleep while scans are in progress. This only affects port scans and OS detection scans, since NSE and version scan do not rely on timing data to adjust speed.
  • Updated the Nmap Public Source License (NPSL) to Version 0.95. This just clarifies that the derivative works definition and all other license clauses only apply to parties who choose to accept the license in return for the special rights granted (such as Nmap redistribution rights). If a party can do everything they need to using copyright provisions outside of this license such as fair use, we support that and aren't trying to claim any control over their work. Versions of Nmap released under previous versions of the NPSL may also be used under the NPSL 0.95 terms.
  • Avoid storing many small strings from IPv4 OS detection results in the global string_pool. These were effectively leaked after a host is done being scanned, since string_pool allocations are not freed until Nmap quits.
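The MAC vendor item above (MA-L, MA-M and MA-S registrations) boils down to a longest-prefix match across three prefix widths. The Python below is an added example written for this page, not Nmap's own code (Nmap does the lookup in C against nmap-mac-prefixes): it parses a constructed prefix table in the one-prefix-per-line "HEXPREFIX Vendor" layout that file uses (the layout and every entry here are assumptions for illustration; the vendor names are made up) and resolves a MAC to the most specific registration that matches.

```python
# Added example, not Nmap code: longest-prefix vendor lookup across the IEEE
# registration sizes MA-L (24-bit, 6 hex digits), MA-M (28-bit, 7 hex digits)
# and MA-S (36-bit, 9 hex digits).

# Constructed sample in the assumed "HEXPREFIX Vendor name" layout of
# nmap-mac-prefixes. Entries and vendor names are made up for illustration.
SAMPLE_PREFIX_FILE = """\
# hex prefix, then vendor name
001122 Example OUI Vendor
70B3D5 IEEE Registration Authority
70B3D5A Example MA-M Licensee
70B3D5A12 Example MA-S Licensee
"""

# Prefix length in hex digits for each registration size.
REGISTRATION_SIZES = {6: "MA-L", 7: "MA-M", 9: "MA-S"}
HEX = set("0123456789ABCDEF")


def load_prefixes(text):
    """Parse prefix-file text into {hex_prefix: vendor}. Blank lines, comments
    and prefixes that are not a valid MA-L/MA-M/MA-S length are skipped."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        prefix, _, vendor = line.partition(" ")
        prefix = prefix.upper()
        if len(prefix) in REGISTRATION_SIZES and set(prefix) <= HEX:
            table[prefix] = vendor.strip()
    return table


def normalize_mac(mac):
    """Accept 00:11:22:33:44:55, 00-11-22-33-44-55 or 0011.2233.4455 and
    return 12 upper-case hex digits; raise ValueError for anything else."""
    digits = "".join(c for c in mac.upper() if c not in ":-.")
    if len(digits) != 12 or not set(digits) <= HEX:
        raise ValueError("not a MAC address: %r" % (mac,))
    return digits


def lookup_vendor(mac, table):
    """Return (vendor, registration) for the most specific matching
    registration, or (None, None). A 36-bit MA-S entry wins over the 28-bit
    MA-M and 24-bit MA-L entries sharing its leading digits: looking only at
    the first 3 bytes (the pre-7.94 behaviour) would credit every MA-S device
    to the block holder instead of the licensee."""
    digits = normalize_mac(mac)
    for ndigits in sorted(REGISTRATION_SIZES, reverse=True):   # 9, then 7, then 6
        prefix = digits[:ndigits]
        if prefix in table:
            return table[prefix], REGISTRATION_SIZES[ndigits]
    return None, None


SAMPLE_TABLE = load_prefixes(SAMPLE_PREFIX_FILE)

if __name__ == "__main__":
    for mac in ("70:B3:D5:A1:23:45", "70-b3-d5-a1-ff-00", "70b3.d5ff.0000",
                "00:11:22:33:44:55", "de:ad:be:ef:00:01"):
        print(mac, "->", lookup_vendor(mac, SAMPLE_TABLE))
```

The three 70:B3:D5 addresses share a 24-bit prefix but resolve to three different registrations, which is exactly the distinction the old 3-byte lookup could not make.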
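The DNS name parsing item above names the two properties a decoder of compressed DNS names needs: no recursion on compression pointers, and enforcement of the 255-byte name limit. The Python decoder below is an added example written for this page, not Nmap's implementation; it additionally requires pointers to point strictly backwards (RFC 1035 says they reference "a prior occurrence"), which rules out self-referencing and mutually-referencing pointer loops outright. The packets it is run against are constructed here, with 12 zero bytes standing in for a DNS header.

```python
import struct

MAX_NAME_LEN = 255     # RFC 1035 section 2.3.4: whole name, wire form
MAX_POINTER_HOPS = 32  # defence in depth; backwards-only pointers already bound the walk


class DNSNameError(ValueError):
    """Raised for names that are malformed or deliberately hostile."""


def read_name(packet, offset):
    """Decode the domain name at `offset`; return (name, next_offset).

    `next_offset` is the byte after the name as written at `offset`, i.e. after
    the first compression pointer if the name ends in one. The walk is a loop,
    not a recursion, so pointer depth never becomes stack depth; pointers must
    point strictly backwards, so a pointer can never revisit itself; and the
    accumulated length is checked against the 255-byte limit, so a long chain
    of 63-byte labels is rejected as well.
    """
    labels = []
    total = 0          # bytes of the expanded name so far, counting length octets
    pos = offset
    end = None         # position just after the name as written at `offset`
    hops = 0
    while True:
        if pos >= len(packet):
            raise DNSNameError("name runs past end of packet")
        length = packet[pos]
        if length & 0xC0 == 0xC0:                        # compression pointer
            if pos + 1 >= len(packet):
                raise DNSNameError("truncated compression pointer")
            target = struct.unpack("!H", packet[pos:pos + 2])[0] & 0x3FFF
            if target >= pos:
                raise DNSNameError("pointer at %d does not point backwards (-> %d)" % (pos, target))
            hops += 1
            if hops > MAX_POINTER_HOPS:
                raise DNSNameError("too many compression pointers")
            if end is None:
                end = pos + 2
            pos = target
            continue
        if length & 0xC0:                                # 0x40 / 0x80: reserved label types
            raise DNSNameError("reserved label type 0x%02x" % length)
        # plain label: top two bits clear, so 0 <= length <= 63 by construction
        total += length + 1
        if total > MAX_NAME_LEN:
            raise DNSNameError("name longer than %d bytes" % MAX_NAME_LEN)
        pos += 1
        if length == 0:                                  # root label ends the name
            break
        label = packet[pos:pos + length]
        if len(label) != length:
            raise DNSNameError("truncated label")
        labels.append(label.decode("ascii", "replace"))
        pos += length
    if end is None:
        end = pos
    return ".".join(labels) + ".", end


def is_rejected(packet, offset):
    """True when read_name refuses the name at `offset`; the caller should then
    drop the whole response rather than parse any further."""
    try:
        read_name(packet, offset)
    except DNSNameError:
        return True
    return False


# Constructed packets: 12 zero bytes stand in for the DNS header, names start at 12.
HEADER = bytes(12)
BENIGN = HEADER + b"\x03www\x07example\x03com\x00" + b"\x04mail\xc0\x10"  # 2nd name -> "example.com" at 16
SELF_LOOP = HEADER + b"\xc0\x0c"                                        # pointer to itself
MUTUAL_LOOP = HEADER + b"\xc0\x0e" + b"\xc0\x0c"                        # 12 -> 14 -> 12
TOO_LONG = HEADER + b"".join(b"\x3f" + b"a" * 63 for _ in range(5)) + b"\x00"  # 5 x 64 bytes > 255

if __name__ == "__main__":
    print(read_name(BENIGN, 12), read_name(BENIGN, 29))
    for name, pkt in (("self loop", SELF_LOOP), ("mutual loop", MUTUAL_LOOP), ("too long", TOO_LONG)):
        print(name, "rejected:", is_rejected(pkt, 12))
```

A recursive decoder without the backwards check would follow SELF_LOOP forever (or until the stack ran out); here it is refused on the first pointer.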

New in Nmap 7.93 (Sep 2, 2022)

  • This release commemorates Nmap's 25th anniversary! It all started with this September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
  • [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.50 to the latest version 1.71. It includes dozens of performance improvements, bug fixes and feature enhancements described at https://npcap.com/changelog.
  • Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions. Binaries for this release include OpenSSL 3.0.5.
  • Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
  • [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux when no IPv4 addresses were configured. [Daniel Miller, nnposter]
  • [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer result in a stack traceback in debug output nor an "ERROR: script execution failed" message in script output, since the intended behavior has always been to end the script immediately without output. [Daniel Miller]
  • [GH#2494] Update the Nmap output DTD to match actual output since the `<hosthint>` element was added in Nmap 7.90.
  • [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add targets in the script pre-scanning phase. [Daniel Miller]
  • [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support setting a client identifier. [nnposter]
  • [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version correctly for Oracle 19c or newer. [linholmes]
  • [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate information about client connections and/or cluster nodes. [nnposter]
  • [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD. [benpratt, nnposter]
  • [GH#2464] Script ipidseq was broken due to calling an unreachable library function. [nnposter]
  • [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap was compiled with OpenSSL in a custom location. [nnposter]
  • [NSE] Improvements to event handling and pcap socket garbage collection, fixing potential hangs and crashes. [Daniel Miller]
  • We ceased creating the Nmap win32 binary zipfile. It was useful back when you could just unzip it and run Nmap from there, but that hasn't worked well for many years. The win32 self-installer handles Npcap installation and many other dependencies and complexities. Anyone who needs the binaries for some reason can still install Nmap on any system and retrieve them from there. For now we're keeping the Win32 zipfile in the Nmap OEM Edition (https://nmap.org/oem) for companies building Nmap into their own products. But even in that case we believe that running the Nmap OEM self-installer in silent mode is a better approach.
  • [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming ASCII input even though other parts of the library had been passing it Unicode.
  • [GH#2402] Replace deprecated CPEs for IIS with their updated identifier, cpe:/a:microsoft:internet_information_services [Esa Jokinen]
  • [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are encountered. Added parsers for most standard data types. [Daniel Miller]
  • [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1 strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
  • [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]

New in Nmap 7.92 (Aug 8, 2021)

  • [Windows] Upgraded Npcap (our Windows raw packet capturing and transmission driver) from version 1.00 to the latest version 1.50. You can read about the dozens of performance improvements, bug fixes and feature enhancements at https://npcap.org/changelog.
  • [Windows] Thanks to the Npcap 1.50 upgrade, Nmap now works on the Windows ARM architecture so you can run it on lightweight and power-efficient tablets like the Microsoft Surface Pro X and Samsung Galaxy Book Go. More ARM devices are on the way along with the upcoming Windows 11 release. See the Npcap on ARM announcement at https://seclists.org/nmap-announce/2021/2.
  • [Windows] Updated our Windows builds to Visual Studio 2019, Windows 10 SDK, and the UCRT. This prevents Nmap from working on Windows Vista and earlier, but they can still use older versions of Nmap on their ancient operating system.
  • New Nmap option --unique will prevent Nmap from scanning the same IP address twice, which can happen when different names resolve to the same address. [Daniel Miller]
  • [NSE][GH#1691] TLS 1.3 now supported by most scripts for which it is relevant, such as ssl-enum-ciphers. Some functions like ssl tunnel connections and certificate parsing will require OpenSSL 1.1.1 or later to fully support TLS 1.3. [Daniel Miller]
  • [NSE] Added 3 NSE scripts, from 4 authors, bringing the total up to 604! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
      • [GH#2201] nbns-interfaces queries NetBIOS name service (NBNS) to gather IP addresses of the target's network interfaces [Andrey Zhukov]
      • [GH#711] openflow-info gathers preferred and supported protocol versions from OpenFlow devices [Jay Smith, Mak Kolybabi]
      • port-states prints a list of ports that were found in each state, including states that were summarized as "Not shown: X closed ports" [Daniel Miller]
  • Several changes to UDP payloads to improve accuracy:
      • [GH#2269] Fix an issue with -sU where payload data went out-of-scope before it was used, causing corrupted payloads to be sent. [Mariusz Ziulek]
      • Nmap's retransmission limits were preventing some UDP payloads from being tried with -sU and -PU. Now, Nmap sends each payload for a particular port at the same time without delay. [Daniel Miller]
      • New UDP payloads:
          • [GH#1279] TS3INIT1 for UDP 3389 [colcrunch]
          • [GH#1895] DTLS for UDP 3391 (RD Gateway) [Arnim Rupp]
  • [NSE][GH#2208][GH#2203] SMB2 dialect handling has been redesigned. Visible changes include:
      • Notable improvement in speed of script smb-protocols and others
      • Some SMB scripts are no longer using a hardcoded dialect, improving target interoperability
      • Dialect names are aligned with Microsoft, such as 3.0.2, instead of 3.02 [nnposter]
  • [GH#2350] Upgraded OpenSSL to version 1.1.1k. This addresses some CVE's which don't affect Nmap in a material way. Details: https://github.com/nmap/nmap/issues/2350
  • Removed support for the ancient WinPcap library since we already include our own Npcap library (https://npcap.org) supporting the same API. WinPcap was abandoned years ago and its official download page says that "WE RECOMMEND USING Npcap INSTEAD" for security, stability, compatibility, and support reasons.
  • [GH#2257] Fix an issue in addrset matching that was causing all targets to be excluded if the --excludefile listed a CIDR range that contains an earlier, smaller CIDR range. [Daniel Miller]
  • Upgrade the Windows NSIS installer to use the latest NSIS 3 (version 3.07) instead of the previous NSIS 2 generation.
  • Setting --host-timeout=0 will disable the host timeout, which is set by -T5 to 15 minutes. Earlier versions of Nmap require the user to specify a very long timeout instead.
  • Improvements to Nmap's XML output:
      • If a host times out, the XML <host> element will have the attribute timedout="true" and the host's timing info (srtt etc.) will still be printed.
      • The "extrareasons" element now includes a list of port numbers for each "ignored" state. The "All X ports" and "Not shown:" lines in normal output have been changed slightly to provide more detail. [Daniel Miller]
  • [NSE][GH#2237] Prevent the ssl-* NSE scripts from probing ports that were excluded from version scan, usually 9100-9107, since JetDirect will print anything sent to these ports. [Daniel Miller]
  • [GH#2206] Nmap no longer produces cryptic message "Failed to convert source address to presentation format" when unable to find useable route to the target. [nnposter]
  • [Ncat][GH#2202] Use safety-checked versions of FD_* macros to abort early if number of connections exceeds FD_SETSIZE. [Pavel Zhukov]
  • [Ncat] Connections proxied via SOCKS4/SOCKS5 were intermittently dropping server data sent right after the connection got established, such as port banners. [Sami Pönkänen]
  • [Ncat][GH#2149] Fixed a bug in proxy connect mode which would close the connection as soon as it was opened in Nmap 7.90 and 7.91.
  • [NSE][GH#2175] Fixed NSE so it will not consolidate all port script output for targets which share an IP (e.g. HTTP vhosts) under one target. [Daniel Miller]
  • [Zenmap][GH#2157] Fixed an issue where a failure to execute Nmap would result in a Zenmap crash with "TypeError: coercing to Unicode" exception.
  • Nmap no longer considers an ICMP Host Unreachable as confirmation that a target is down, in accordance with RFC 1122 which says these errors may be transient. Instead, the probe will be destroyed and other probes used to determine aliveness. [Daniel Miller]
  • [Ncat][GH#2154] Ncat no longer crashes when used with Unix domain sockets.
  • [Ncat][GH#2167][GH#2168] Ncat is now again generating certificates with the duration of one year. Due to a bug, recent versions of Ncat were using only one minute. [Tobias Girstmair]
  • [NSE][GH#2281] URL/percent-encoding is now using uppercase hex digits to align with RFC 3986, section 2.1, and to improve compatibility with some real-world web servers. [nnposter]
  • [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most visible are that certificate SANs are properly split apart and that identities that are syntactically incorrect to be hostnames are now ignored. [Michel Le Bihan, nnposter]
  • [NSE] Loading of a Nikto database failed if the file was referenced relative to the Nmap directory [nnposter]
  • [GH#2199] Updated Nmap's NPSL license to rewrite a poorly-worded clause about "proprietary software companies". The new license version 0.93 is still available from https://nmap.org/npsl/. As described on that page, we are also still offering Nmap 7.90, 7.91, and 7.92 under the previous Nmap 7.80 license. Finally, we still offer the Nmap OEM program for companies who want a non-copyleft license allowing them to redistribute Nmap with their products at https://nmap.org/oem/.
  • [NSE] Script smb2-vuln-uptime no longer reports false positives when the target does not provide its boot time. [nnposter]
  • [NSE][GH#2197] Client packets composed by the DHCP library will now contain option 51 (IP address lease time) only when requested. [nnposter]
  • [NSE][GH#2192] XML decoding in library citrixxml no longer crashes when encountering a character reference with codepoint greater than 255. (These references are now left unmodified.) [nnposter]
  • [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for the audit rule base. [nnposter]
  • [NSE][GH#1473] It is now possible to control whether the SNMP library uses v1 (default) or v2c by setting script argument snmp.version. [nnposter]
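The XML output items above add a timedout attribute on <host> and a port list on <extrareasons>. The Python below is an added example, not part of Nmap or its DTD: it reads a constructed document in that shape, flags the hosts Nmap gave up on, collects ports per explicit state, and cross-checks the extrareasons port list against its count attribute. The attribute name ports is taken from my reading of the Nmap DTD and should be treated as an assumption; the code also copes with its absence, as in pre-7.92 output.

```python
import xml.etree.ElementTree as ET

# Constructed sample in the shape of Nmap 7.92+ XML output (not a real scan):
# the first host hit --host-timeout, the second completed normally.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="7.92">
  <host starttime="1628000000" endtime="1628000900" timedout="true">
    <status state="up" reason="syn-ack" reason_ttl="0"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <times srtt="21000" rttvar="1500" to="100000"/>
  </host>
  <host starttime="1628000000" endtime="1628000042">
    <status state="up" reason="echo-reply" reason_ttl="64"/>
    <address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="65532">
        <extrareasons reason="no-response" count="65532" proto="tcp" ports="1-21,23-79,81-442,444-65535"/>
      </extraports>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack" reason_ttl="64"/><service name="http"/></port>
      <port protocol="tcp" portid="443"><state state="closed" reason="reset" reason_ttl="64"/></port>
    </ports>
    <times srtt="380" rttvar="120" to="100000"/>
  </host>
</nmaprun>
"""


def parse_port_list(spec):
    """Expand an Nmap port list such as "1-21,23-79" into a sorted list of ints.
    Port 0 is allowed because Nmap can scan it (-p0)."""
    ports = []
    for part in spec.split(","):
        if not part:
            continue
        lo, _, hi = part.partition("-")
        lo = int(lo)
        hi = int(hi) if hi else lo
        if not (0 <= lo <= hi <= 65535):
            raise ValueError("bad port range %r" % (part,))
        ports.extend(range(lo, hi + 1))
    return ports


def summarize_hosts(xml_text):
    """One dict per <host>: address, whether Nmap gave up on it (timedout="true"),
    its smoothed RTT in microseconds, ports grouped by explicit state, and the
    summarized extraports states with the port list checked against `count`.
    The `ports` attribute is optional (absent before 7.92), so a missing list
    is reported as consistent rather than as an error."""
    root = ET.fromstring(xml_text)
    hosts = []
    for host in root.iter("host"):
        addr = host.find("address")
        times = host.find("times")
        entry = {
            "addr": addr.get("addr") if addr is not None else None,
            "timed_out": host.get("timedout") == "true",
            "srtt_us": int(times.get("srtt")) if times is not None else None,
            "ports": {},
            "extra": [],
        }
        for port in host.iter("port"):
            state = port.find("state").get("state")
            entry["ports"].setdefault(state, []).append(int(port.get("portid")))
        for extra in host.iter("extraports"):
            for reason in extra.iter("extrareasons"):
                count = int(reason.get("count"))
                listed = reason.get("ports")
                entry["extra"].append({
                    "state": extra.get("state"),
                    "reason": reason.get("reason"),
                    "proto": reason.get("proto"),
                    "count": count,
                    "consistent": listed is None or len(parse_port_list(listed)) == count,
                })
        hosts.append(entry)
    return hosts


def timed_out_addresses(hosts):
    """Addresses whose results are partial and deserve a re-scan."""
    return [h["addr"] for h in hosts if h["timed_out"]]


if __name__ == "__main__":
    for h in summarize_hosts(SAMPLE_XML):
        print(h)
```

A host with timedout="true" still carries a <times> element, so its srtt survives into the summary; that is the point of the first item above, and why the summary keeps the two facts side by side.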

New in Nmap 7.91 (Oct 11, 2020)

  • [NSE][GH#2136][GH#2137] Rectify error "time result cannot be represented..." in the AFP library. [Clément Notin]
  • [NSE][GH#1473] It is now possible to control whether the SNMP library uses v1 (default) or v2c by setting script argument snmp.version. [nnposter]
  • [NSE][GH#2128] MySQL library was not properly parsing server responses, resulting in script crashes. [nnposter]
  • [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for the audit rule base. [nnposter]

New in Nmap 7.80 (Aug 11, 2019)

  • [Windows] The Npcap Windows packet capturing library (https://npcap.org/) is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap from version 0.99-r2 to 0.9982, including all of these changes from the last 15 Npcap releases: https://nmap.org/npcap/changelog
  • [NSE] Added 11 NSE scripts, from 8 authors, bringing the total up to 598! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
      • [GH#1232] broadcast-hid-discoveryd discovers HID devices on a LAN by sending a discoveryd network broadcast probe. [Brendan Coles]
      • [GH#1236] broadcast-jenkins-discover discovers Jenkins servers on a LAN by sending a discovery broadcast probe. [Brendan Coles]
      • [GH#1016][GH#1082] http-hp-ilo-info extracts information from HP Integrated Lights-Out (iLO) servers. [rajeevrmenon97]
      • [GH#1243] http-sap-netweaver-leak detects SAP Netweaver Portal with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]
      • https-redirect detects HTTP servers that redirect to the same port, but with HTTPS. Some nginx servers do this, which made ssl-* scripts not run properly. [Daniel Miller]
      • [GH#1504] lu-enum enumerates Logical Units (LU) of TN3270E servers. [Soldier of Fortran]
      • [GH#1633] rdp-ntlm-info extracts Windows domain information from RDP services. [Tom Sellers]
      • smb-vuln-webexec checks whether the WebExService is installed and allows code execution. [Ron Bowes]
      • smb-webexec-exploit exploits the WebExService to run arbitrary commands with SYSTEM privileges. [Ron Bowes]
      • [GH#1457] ubiquiti-discovery extracts information from the Ubiquiti Discovery service and assists version detection. [Tom Sellers]
      • [GH#1126] vulners queries the Vulners CVE database API using CPE information from Nmap's service and application version detection. [GMedian, Daniel Miller]
  • [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in Nmap, and set immediate mode on the pcap descriptor. This solves packet loss problems on Linux and may improve performance on other platforms. [Daniel Cater, Mike Pontillo, Daniel Miller]
  • [NSE] Collected utility functions for string processing into a new library, stringaux.lua. [Daniel Miller]
  • [NSE] New rand.lua library uses the best sources of random available on the system to generate random strings. [Daniel Miller]
  • [NSE] New library, oops.lua, makes reporting errors easy, with plenty of debugging detail when needed, and no clutter when not. [Daniel Miller]
  • [NSE] Collected utility functions for manipulating and searching tables into a new library, tableaux.lua. [Daniel Miller]
  • [NSE] New knx.lua library holds common functions and definitions for communicating with KNX/Konnex devices. [Daniel Miller]
  • [NSE][GH#1571] The HTTP library now provides transparent support for gzip- encoded response body. (See https://github.com/nmap/nmap/pull/1571 for an overview.) [nnposter]
  • [Nsock][Ncat][GH#1075] Add AF_VSOCK (Linux VM sockets) functionality to Nsock and Ncat. VM sockets are used for communication between virtual machines and the hypervisor. [Stefan Hajnoczi]
  • [Security][Windows] Address CVE-2019-1552 in OpenSSL by building with the prefix "C:\Program Files (x86)\Nmap\OpenSSL". This should prevent unauthorized users from modifying OpenSSL defaults by writing configuration to this directory.
  • [Security][GH#1147][GH#1108] Reduced LibPCRE resource limits so that version detection can't use as much of the stack. Previously Nmap could crash when run on low-memory systems against target services which are intentionally or accidentally difficult to match. Someone assigned CVE-2018-15173 for this issue. [Daniel Miller]
  • [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP ping is already used whenever possible, and the -PR option would not force it to be used in any other case. [Daniel Miller]
  • [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap 7.25BETA2, has native support for binary data packing via string.pack and string.unpack. All existing scripts and libraries have been updated. [Daniel Miller]
  • [NSE] Completely removed the bit.lua NSE library. All of its functions are replaced by native Lua bitwise operations, except for `arshift` (arithmetic shift) which has been moved to the bits.lua library. [Daniel Miller]
  • [NSE][GH#1571] The HTTP library is now enforcing a size limit on the received response body. The default limit can be adjusted with a script argument, which applies to all scripts, and can be overridden case-by-case with an HTTP request option. (See https://github.com/nmap/nmap/pull/1571 for details.) [nnposter]
  • [NSE][GH#1648] CR characters are no longer treated as illegal in script XML output. [nnposter]
  • [GH#1659] Allow resuming nmap scan with lengthy command line [Clément Notin]
  • [NSE][GH#1614] Add TLS support to rdp-enum-encryption. Enables determining protocol version against servers that require TLS and lays ground work for some NLA/CredSSP information collection. [Tom Sellers]
  • [NSE][GH#1611] Address two protocol parsing issues in rdp-enum-encryption and the RDP nse library which broke scanning of Windows XP. Clarify protocol types [Tom Sellers]
  • [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its resource file unless executed from a specific working directory. [nnposter]
  • [NSE][GH#1467] Avoid clobbering the "severity" and "ignore_404" values of fingerprints in http-enum. None of the standard fingerprints uses these fields. [Kostas Milonas]
  • [NSE][GH#1077] Fix a crash caused by a double-free of libssh2 session data when running SSH NSE scripts against non-SSH services. [Seth Randall]
  • [NSE][GH#1565] Updates the execution rule of the mongodb scripts to be able to run on alternate ports. [Paulino Calderon]
  • [Ncat][GH#1560] Allow Ncat to connect to servers on port 0, provided that the socket implementation allows this. [Daniel Miller]
  • Update the included libpcap to 1.9.0. [Daniel Miller]
  • [NSE][GH#1544] Fix a logic error that resulted in scripts not honoring the smbdomain script-arg when the target provided a domain in the NTLM challenge. [Daniel Miller]
  • [Nsock][GH#1543] Avoid a crash (Protocol not supported) caused by trying to reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel Miller]
  • [NSE][GH#1534] Removed OSVDB references from scripts and replaced them with BID references where possible. [nnposter]
  • [NSE][GH#1504] Updates TN3270.lua and adds argument to disable TN3270E [Soldier of Fortran]
  • [GH#1504] RMI parser could crash when encountering invalid input [Clément Notin]
  • [GH#863] Avoid reporting negative latencies due to matching an ARP or ND response to a probe sent after it was received. [Daniel Miller]
  • [Ncat][GH#1441] To avoid confusion and to support non-default proxy ports, option --proxy now requires a literal IPv6 address to be specified using square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]
  • [Ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over whether proxy destinations are resolved by the remote proxy server or locally, by Ncat itself. See option --proxy-dns. [nnposter]
  • [NSE][GH#1478] Updated script ftp-syst to prevent potential endless looping. [nnposter]
  • [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti Discovery protocol. Devices often leave the related service open and it exposes significant amounts of information as well as the risk of being used as part of a DDoS. New nmap-payload entry for v1 of the protocol. [Tom Sellers]
  • [NSE] Removed hostmap-ip2hosts.nse as the API has been broken for a while and the service was completely shutdown on Feb 17th, 2019. [Paulino Calderon]
  • [NSE][GH#1318] Adds TN3270E support and additional improvements to tn3270.lua and updates tn3270-screen.nse to display the new setting. [mainframed]
  • [NSE][GH#1346] Updates product codes and adds a check for response length in enip-info.nse. The script now uses string.unpack. [NothinRandom]
  • [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve a compatibility issue with OpenSSL library configured with security level 2, as seen on current Debian or Kali. [Adrian Vollmer, nnposter]
  • [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against non-SSH services. [Daniel Miller]
  • [Zenmap] Fix a crash when Nmap executable cannot be found and the system PATH contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]
  • [Zenmap] Fix a crash in results search when using the dir: operator: "AttributeError: 'SearchDB' object has no attribute 'match_dir'" [Daniel Miller]
  • [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early termination of connections. [Alberto Garcia Illera]
  • [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when the server responds with 200 status to a POST request to any URI. [Francesco Soncina]
  • [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate that testing could not rule out vulnerability. [Daniel Miller]
  • [GH#1355] When searching for Lua header files, actually use them where they are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel Miller]
  • [NSE][GH#1331] Script traceroute-geolocation no longer crashes when www.GeoPlugin.net returns null coordinates [Michal Kubenka, nnposter]
  • Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not use higher levels internally. [Daniel Miller]
  • [NSE] tls.lua when creating a client_hello message will now only use a SSLv3 record layer if the protocol version is SSLv3. Some TLS implementations will not handshake with a client offering less than TLSv1.0. Scripts will have to manually fall back to SSLv3 to talk to SSLv3-only servers. [Daniel Miller]
  • [NSE][GH#1322] Fix a few false-positive conditions in ssl-ccs-injection. TLS implementations that responded with fatal alerts other than "unexpected message" had been falsely marked as vulnerable. [Daniel Miller]
  • Emergency fix to Nmap's birthday announcement so Nmap wishes itself a "Happy 21st Birthday" rather than "Happy 21th" in verbose mode (-v) on September 1, 2018. [Daniel Miller]
  • [GH#1150] Start host timeout clocks when the first probe is sent to a host, not when the hostgroup is started. Sometimes a host doesn't get probes until late in the hostgroup, increasing the chance it will time out. [jsiembida]
  • [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
      • [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
      • Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
      • Fixing a bug that prevented using the same ECS option table more than once [nnposter]
  • [Ncat][GH#1267] Fixed communication with commands launched with -e or -c on Windows, especially when --ssl is used. [Daniel Miller]
  • [NSE] Script http-default-accounts can now select more than one fingerprint category. It is now also possible to select fingerprints by name to support very specific scanning. [nnposter]
  • [NSE] Script http-default-accounts was not able to run against more than one target host/port. [nnposter]
  • [NSE][GH#1251] New script-arg `http.host` allows users to force a particular value for the Host header in all HTTP requests.
  • [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead of "example.com" in EHLO command used for STARTTLS. [gwire]
  • [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing Nmap with an assertion failure due to socket mixup [Daniel Miller]: nmap: nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext): Assertion `lua_gettop(L) == 7' failed.
  • [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by IPS closing the connection. [Clément Notin]
  • [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through HTTP proxies. [Phil Dibowitz]
  • [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]
  • [NSE][GH#1191] Add two common error strings that improve MySQL detection by the script http-sql-injection. [Robert Taylor, Paulino Calderon]
  • [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script from generating the vulnerability report correctly. [rewardone]
  • [NSE][GH#1218] Fix bug related to screen rendering in NSE library tn3270. This patch also improves the brute force script tso-brute. [mainframed]
  • [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when the algorithm contains lowercase characters. [Jeswin Mathai]
  • [GH#1204] Nmap could be fooled into ignoring TCP response packets if they used an unknown TCP Option, which would misalign the validation, causing it to fail. [Clément Notin, Daniel Miller]
  • [NSE]The HTTP response parser now tolerates status lines without a reason phrase, which improves compatibility with some HTTP servers. [nnposter]
  • [NSE][GH#1169][GH#1170][GH#1171][GH#1198] Parser for HTTP Set-Cookie header is now more compliant with RFC 6265 [nnposter]:
      • empty attributes are tolerated
      • double quotes in cookie and/or attribute values are treated literally
      • attributes with empty values and value-less attributes are parsed equally
      • attributes named "name" or "value" are ignored
  • [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den Bogert]
  • [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written to. [Daniel Miller]
  • Fixed --resume when the path to Nmap contains spaces. Reported on Windows by Adriel Desautels. [Daniel Miller]
  • New service probe and match lines for adb, the Android Debug Bridge, which allows remote code execution and is left enabled by default on many devices. [Daniel Miller]
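
The [GH#1204] item above describes response packets being discarded because an unknown TCP option threw the option walker out of alignment. As an added illustration (example code, not Nmap's own parser), here is a small Python walker for the TCP options field: every kind other than EOL and NOP carries a length byte, so an unknown kind such as the experimental kind 253 from RFC 6994 is stepped over by its declared length instead of corrupting the options after it. The option bytes are constructed for the example.

```python
# Added example (not Nmap's code): walk the TCP options field so that an
# unknown option kind does not misalign the options that follow it.
from typing import Dict, List, Tuple

END_OF_OPTIONS = 0
NO_OPERATION = 1


def parse_tcp_options(raw: bytes) -> List[Tuple[int, bytes]]:
    """Return (kind, data) pairs for every option in `raw`.

    Unknown kinds are kept, with their data, by honouring the length byte.
    Malformed lengths raise ValueError rather than being silently accepted.
    """
    options: List[Tuple[int, bytes]] = []
    i = 0
    while i < len(raw):
        kind = raw[i]
        if kind == END_OF_OPTIONS:
            options.append((kind, b""))
            break
        if kind == NO_OPERATION:
            options.append((kind, b""))
            i += 1
            continue
        if i + 1 >= len(raw):
            raise ValueError("option kind %d has no length byte" % kind)
        length = raw[i + 1]
        if length < 2 or i + length > len(raw):
            raise ValueError("option kind %d has bad length %d" % (kind, length))
        options.append((kind, raw[i + 2:i + length]))
        i += length
    return options


def summarize_options(raw: bytes) -> Dict[str, int]:
    """Pull the well-known values (MSS, window scale, SACK-ok, timestamps) out of the list."""
    summary: Dict[str, int] = {}
    for kind, data in parse_tcp_options(raw):
        if kind == 2 and len(data) == 2:       # Maximum Segment Size
            summary["mss"] = int.from_bytes(data, "big")
        elif kind == 3 and len(data) == 1:     # Window scale
            summary["wscale"] = data[0]
        elif kind == 4:                        # SACK permitted
            summary["sack_ok"] = 1
        elif kind == 8 and len(data) == 8:     # Timestamps: TSval, TSecr
            summary["tsval"] = int.from_bytes(data[:4], "big")
            summary["tsecr"] = int.from_bytes(data[4:], "big")
    return summary


# Constructed sample (values made up for the example): MSS 1460, NOP,
# window scale 7, an experimental option of kind 253 that most parsers do
# not know, SACK-permitted, and a timestamp option after the unknown one.
SAMPLE_OPTIONS = bytes.fromhex(
    "020405b4"               # kind 2, len 4: MSS = 1460
    "01"                     # kind 1: NOP
    "030307"                 # kind 3, len 3: window scale 7
    "fd04beef"               # kind 253, len 4: two bytes of unknown data
    "0402"                   # kind 4, len 2: SACK permitted
    "080a0000002a00000000"   # kind 8, len 10: TSval = 42, TSecr = 0
)

if __name__ == "__main__":
    for kind, data in parse_tcp_options(SAMPLE_OPTIONS):
        print(kind, data.hex())
    print(summarize_options(SAMPLE_OPTIONS))
```

A parser that instead assumed a fixed layout, or stopped at the first kind it did not recognise, would never reach the timestamp option here and would reject a perfectly valid response.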

New in Nmap 7.70 (Mar 21, 2018)

  • [Windows] Updated the bundled Npcap from 0.93 to 0.99-r2, with many stability fixes and installation improvements, as well as fixes to raw 802.11 frame capture. See https://nmap.org/npcap/changelog
  • Integrated all of your service/version detection fingerprints submitted from March 2017 to August 2017 (728 of them). The signature count went up 1.02% to 11,672, including 26 new softmatches. We now detect 1224 protocols from filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and watchguard. We will try to integrate the remaining submissions in the next release.
  • Integrated all of your IPv4 OS fingerprint submissions from September 2016 to August 2017 (667 of them). Added 298 fingerprints, bringing the new total to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and more.
  • Integrated all 33 of your IPv6 OS fingerprint submissions from September 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added, as well as strengthened groups for Linux and OS X.
  • Added the --resolve-all option to resolve and scan all IP addresses of a host. This essentially replaces the resolveall NSE script. [Daniel Miller]
  • [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory traversal vulnerability) in the way the non-default http-fetch script sanitized URLs. If a user manually ran this NSE script against a malicious web server, the server could potentially (depending on NSE arguments used) cause files to be saved outside the intended destination directory. Existing files couldn't be overwritten. We fixed http-fetch, audited our other scripts to ensure they didn't make this mistake, and we updated the httpspider library API to protect against this by default. [nnposter, Daniel Miller]
  • [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
      • deluge-rpc-brute performs brute-force credential testing against Deluge BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
      • hostmap-crtsh lists subdomains by querying Google's Certificate Transparency logs. [Paulino Calderon]
      • [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and reports back the IP address and port of the actual server behind the load-balancer. [Seth Jackson]
      • http-jsonp-detection attempts to discover JSONP endpoints in web servers. JSONP endpoints can be used to bypass Same-origin Policy restrictions in web browsers. [Vinamra Bhatia]
      • http-trane-info obtains information from Trane Tracer SC controllers and connected HVAC devices. [Pedro Joaquin]
      • [GH#609] nbd-info uses the new nbd.lua library to query Network Block Devices for protocol and file export information. [Mak Kolybabi]
      • rsa-vuln-roca checks for RSA keys generated by Infineon TPMs vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks SSH and TLS services. [Daniel Miller]
      • [GH#987] smb-enum-services retrieves the list of services running on a remote Windows machine. Modern Windows systems require a privileged domain account in order to list the services. [Rewanth Cool]
      • tls-alpn checks TLS servers for Application Layer Protocol Negotiation (ALPN) support and reports supported protocols. ALPN largely replaces NPN, which tls-nextprotoneg was written for. [Daniel Miller]
  • [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This was causing Ncat 7.60 in connect mode to quit with error: libnsock select_loop(): nsock_loop error 10038: An operation was attempted on something that is not a socket. [nnposter]
  • [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on renegotiation, the same issue that was partially fixed for server mode in [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel Miller]
  • [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle misbehaving or rate-limiting services. Most significantly, brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for reporting infinite loops and proposing changes.
  • [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type 30). [Daniel Miller]
  • [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out. [Aniket Pandey]
  • [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response message, since the first message usually only has one address in it. [h43z]
  • [Ncat][GH#1139] Ncat now selects the correct default port for a given proxy type. [Pavel Zhukov]
  • [NSE] memcached-info can now gather information from the UDP memcached service in addition to the TCP service. The UDP service is frequently used as a DDoS reflector and amplifier. [Daniel Miller]
  • [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
  • Removed deprecated and undocumented aliases for several long options that used underscores instead of hyphens, such as --max_retries. [Daniel Miller]
  • Improved service scan's treatment of soft matches in two ways. First of all, any probes that could result in a full match with the soft matched service will now be sent, regardless of rarity. This improves the chances of matching unusual services on non-standard ports. Second, probes are now skipped if they don't contain any signatures for the soft matched service. Previously the probes would still be run as long as the target port number matched the probe's specification. Together, these changes should make service/version detection faster and more accurate. For more details on how it works, see https://nmap.org/book/vscan.html. [Daniel Miller]
  • --version-all now turns off the soft match optimization, ensuring that all probes really are sent, even if there aren't any existing match lines for the softmatched service. This is slower, but gives the most comprehensive results and produces better fingerprints for submission. [Daniel Miller]
  • [NSE][GH#1083] New set of Telnet softmatches for version detection based on Telnet DO/DON'T options offered, covering a wide variety of devices and operating systems. [D Roberson]
  • [GH#1112] Resolved crash opportunities caused by unexpected libpcap version string format. [Gisle Vanem, nnposter]
  • [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for indications of login failure. [Daniel Miller]
  • [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate destination directories. [Aniket Pandey]
  • [NSE] Added new fingerprints to http-default-accounts:
      • Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
      • [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
  • Added a new service detection match for WatchGuard Authentication Gateway. [Paulino Calderon]
  • [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays (parameter qscan.delay). [nnposter]
  • [NSE][GH#1046] Script http-headers now fails properly if the target does not return a valid HTTP response. [spacewander]
  • [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by default, in accordance with RFC 7465. [Codarren Velvindron]
  • [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by not checking the error code in responses. Implementations which return an error are not vulnerable. [Juho Jokelainen]
  • [NSE][GH#958] Two new libraries for NSE [Rewanth Cool]:
      • idna - Support for internationalized domain names in applications (IDNA)
      • punycode (a transfer encoding syntax used in IDNA)
  • [NSE] New fingerprints for http-enum:
      • [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
      • [GH#767] Many WordPress version detections [Rewanth Cool]
  • [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues [nnposter]:
      • Usernames and/or passwords could not be empty
      • Passwords could not contain colons
      • SOCKS5 authentication was not properly documented
      • SOCKS5 authentication had a memory leak
  • [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be run. [Lukas Schwaighofer]
  • [GH#977] Improved DNS service version detection coverage and consistency by using data from a Project Sonar Internet wide survey. Numerous false positives were removed and reliable softmatches added. Match lines for version.bind responses were also consolidated using the technique below. [Tom Sellers]
  • [GH#977] Changed version probe fallbacks so as to work cross protocol (TCP/UDP). This enables consolidating match lines for services where the responses on TCP and UDP are similar. [Tom Sellers]
  • [NSE][GH#532] Added the zlib library for NSE so scripts can easily handle compression. This work started during GSOC 2014, so we're particularly pleased to finally integrate it! [Claudiu Perta, Daniel Miller]
  • [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated as the number of tries, not retries, and a value of 0 would result in infinite retries. Instead, it is now the number of retries, defaulting to 2 (3 total tries), with no option for infinite retries.
  • [NSE] http-devframework-fingerprints.lua supports Jenkins server detection and returns extra information when Jenkins is detected. [Vinamra Bhatia]
  • [GH#926] The rarity level of MS SQL's service detection probe was decreased. Now we can find MS SQL in odd ports without increasing version intensity. [Paulino Calderon]
  • [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We were always reporting the version number of the included source, even when a different version was actually linked. [Pavel Zhukov]
  • Add a new helper function for nmap-service-probes match lines: $I(1,">") will unpack an unsigned big-endian integer value up to 8 bytes wide from capture 1. The second option can be "<" for little-endian. [Daniel Miller]
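
The url.absolute() change in [GH#1129] above refers to the reference-resolution procedure in RFC 3986 section 5.2. As an added example (Python, not the NSE url.lua code), here are the merge step from 5.2.3 and the remove_dot_segments algorithm from 5.2.4 written out in full, resolved against the base URL and relative references that the RFC itself uses in its section 5.4 examples:

```python
# Added example (not NSE's url.lua): RFC 3986 section 5.2 reference resolution,
# with remove_dot_segments (5.2.4) implemented step by step.
from urllib.parse import urlsplit, urlunsplit


def remove_dot_segments(path: str) -> str:
    """RFC 3986 5.2.4: resolve '.' and '..' segments using an output buffer."""
    output = []
    while path:
        if path.startswith("../"):           # A: leading "../"
            path = path[3:]
        elif path.startswith("./"):          # A: leading "./"
            path = path[2:]
        elif path.startswith("/./"):         # B: "/./" becomes "/"
            path = path[2:]
        elif path == "/.":                   # B: trailing "/."
            path = "/"
        elif path.startswith("/../"):        # C: "/../" pops the last segment
            path = path[3:]
            if output:
                output.pop()
        elif path == "/..":                  # C: trailing "/.."
            path = "/"
            if output:
                output.pop()
        elif path in (".", ".."):            # D: lone dot segments vanish
            path = ""
        else:                                # E: move one segment to the output
            cut = path.find("/", 1 if path.startswith("/") else 0)
            if cut == -1:
                output.append(path)
                path = ""
            else:
                output.append(path[:cut])
                path = path[cut:]
    return "".join(output)


def merge_paths(base_netloc: str, base_path: str, ref_path: str) -> str:
    """RFC 3986 5.2.3: prepend the directory part of the base path to a relative path."""
    if base_netloc and not base_path:
        return "/" + ref_path
    return base_path[:base_path.rfind("/") + 1] + ref_path


def absolute(base: str, ref: str) -> str:
    """RFC 3986 5.2.2: turn `ref` into an absolute URL relative to `base`."""
    b = urlsplit(base)
    r = urlsplit(ref)
    if r.scheme:                               # already absolute
        scheme, netloc, path, query = r.scheme, r.netloc, remove_dot_segments(r.path), r.query
    elif r.netloc:                             # network-path reference ("//host/x")
        scheme, netloc, path, query = b.scheme, r.netloc, remove_dot_segments(r.path), r.query
    elif not r.path:                           # only a query and/or fragment
        scheme, netloc, path = b.scheme, b.netloc, b.path
        query = r.query if r.query else b.query
    else:
        scheme, netloc = b.scheme, b.netloc
        if r.path.startswith("/"):
            path = remove_dot_segments(r.path)
        else:
            path = remove_dot_segments(merge_paths(b.netloc, b.path, r.path))
        query = r.query
    return urlunsplit((scheme, netloc, path, query, r.fragment))


if __name__ == "__main__":
    base = "http://a/b/c/d;p?q"
    for ref in ("g", "../../g", "../../../g", "/./g", "g;x=1/../y", "?y"):
        print("%-12s -> %s" % (ref, absolute(base, ref)))
```

The point of the RFC's "abnormal" cases (more `..` segments than the base has directories, or a leading `/./`) is that they must not be able to climb above the root: the output buffer is simply left empty rather than producing a path outside the authority, which is what a spider library relies on when it builds absolute links from relative ones.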

New in Nmap 7.60 (Aug 2, 2017)

  • [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues with installation and compatibility with the Windows 10 Creators Update.
  • [NSE][GH#910] NSE scripts now have complete SSH support via libssh2, including password brute-forcing and running remote commands, thanks to the combined efforts of three Summer of Code students: [Devin Bjelland, Sergey Khegay, Evangelos Deirmentzoglou]
  • [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
      • ftp-syst sends SYST and STAT commands to FTP servers to get system version and connection information. [Daniel Miller]
      • [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
      • iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr Timorin, Daniel Miller]
      • [GH#915] openwebnet-discovery retrieves device identifying information and number of connected devices running on openwebnet protocol. [Rewanth Cool]
      • puppet-naivesigning checks for a misconfiguration in the Puppet CA where naive signing is enabled, allowing for any CSR to be automatically signed. [Wong Wai Tuck]
      • [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old smbv2-enabled script. [Paulino Calderon]
      • [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3 servers. [Paulino Calderon]
      • [GH#943] smb2-time determines the current date and boot date of SMB2 servers. [Paulino Calderon]
      • [GH#943] smb2-security-mode determines the message signing configuration of SMB2/SMB3 servers. [Paulino Calderon]
      • [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
      • ssh-auth-methods lists the authentication methods offered by an SSH server. [Devin Bjelland]
      • ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
      • ssh-publickey-acceptance checks public or private keys to see if they could be used to log in to a target. A list of known-compromised key pairs is included and checked by default. [Devin Bjelland]
      • ssh-run uses user-provided credentials to run commands on targets via SSH. [Devin Bjelland]
  • [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3 improvements. It was fully replaced by the smb-protocols script.
  • [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client) mode with --udp --ssl. Also added Application Layer Protocol Negotiation (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
  • Updated the default ciphers list for Ncat and the secure ciphers list for Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
  • [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16. [Andrew Orr]
  • [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
  • [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that resolve to unique addresses will be listed. [Aaron Heesakkers]
  • [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
  • [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved" characters, including hyphen, period, underscore, and tilde, as per RFC 3986. [nnposter]
  • [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP 1.0 target (unless the target explicitly declares otherwise), as per RFC 7230. [nnposter]
  • [NSE][GH#934] The HTTP response object has a new member, version, which contains the HTTP protocol version string returned by the server, e.g. "1.0". [nnposter]
  • [NSE][GH#938] Fix handling of the objectSID Active Directory attribute by ldap.lua. [Tom Sellers]
  • [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute. Carriage Return characters were being sent in the connection packets, likely resulting in failure of the script. [Anant Shrivastava]
  • [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to indicate forbidden User Agents. [Gyanendra Mishra]
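
The cipher-list change above (excluding "!aNULL:!eNULL" rather than "!ADH") can be checked against whatever OpenSSL is installed locally: "!ADH" removes only the anonymous finite-field DH suites, while "!aNULL" removes every suite with no peer authentication, including the anonymous ECDH (AECDH-*) suites that ECDH support had let in, and "!eNULL" removes the suites with no encryption at all. Added example using Python's ssl module, not Ncat or Nsock code; the two cipher strings are built on "ALL" for the illustration and are not Ncat's full default list:

```python
# Added example (not Ncat/Nsock code): expand an OpenSSL cipher string with the
# local OpenSSL build and report any suites that authenticate nobody or encrypt nothing.
import ssl
from typing import List


def cipher_names(spec: str) -> List[str]:
    """Suites the local OpenSSL selects for `spec`, in preference order."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.set_ciphers(spec)
    return [c["name"] for c in ctx.get_ciphers()]


def unauthenticated_or_unencrypted(names: List[str]) -> List[str]:
    """Anonymous DH (ADH-*), anonymous ECDH (AECDH-*) and NULL-encryption suites."""
    return [n for n in names if n.startswith(("ADH-", "AECDH-")) or "NULL" in n]


def leftover(spec: str) -> List[str]:
    """Suites a defender would want gone that `spec` still admits."""
    return unauthenticated_or_unencrypted(cipher_names(spec))


OLD_EXCLUSION = "ALL:!ADH"            # removes anonymous DH only (illustrative, not Ncat's list)
NEW_EXCLUSION = "ALL:!aNULL:!eNULL"   # removes every anonymous-auth and null-encryption suite

if __name__ == "__main__":
    # The first list contains AECDH-* suites only if the local build still ships them.
    print("left by !ADH only:      ", leftover(OLD_EXCLUSION))
    print("left by !aNULL:!eNULL: ", leftover(NEW_EXCLUSION))
```

On a build that no longer compiles the anonymous ECDH suites both lists come out empty, which is exactly why a cipher policy should be expressed by key-exchange and authentication class (aNULL, eNULL) rather than by the name of one suite family.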

New in Nmap 7.50 (Jun 15, 2017)

  • [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
  • Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9% to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon, slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
  • [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
      • [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported. [Emiliano Ticci]
      • [GH#671] cics-info checks IBM TN3270 services for CICS transaction services and extracts useful information. [Soldier of Fortran]
      • [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services. [Soldier of Fortran]
      • [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags. [Steve Benson]
      • http-security-headers checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
      • [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache Struts2. [Seth Jackson]
      • [GH#876] http-vuln-cve2017-5689 detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems. [Andrew Orr]
      • http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]
      • [GH#713] impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added. [Jeremy Hiebert]
      • [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
      • smb-vuln-cve-2017-7494 detects a remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares. [Wong Wai Tuck]
      • smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems. [Paulino Calderon]
      • [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
      • vmware-version queries VMWare SOAP API for version and product information. Submitted in 2011, this was mistakenly turned into a service probe that was unable to elicit any matches. [Aleksey Tyurin]
  • [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
      • [GH#157] Ncat will now continue trying to connect to each resolved address for a hostname before declaring the connection refused, allowing it to fallback from IPv6 to IPv4 or to connect to names that use DNS failover. [Jaromir Koncicky, Michal Hlavinka]
      • The --no-shutdown option now also works in connect mode, not only in listen mode.
      • Made -i/--idle-timeout not cause Ncat in server mode to close while waiting for an initial connection. This was also causing -i to interfere with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
      • [GH#773] Ncat in server mode properly handles TLS renegotiations and other situations where SSL_read returns a non-fatal error. This was causing SSL-over-TCP connections to be dropped. [Daniel Miller]
      • Enable --ssl-ciphers to be used with Ncat in client mode, not only in server (listen) mode. [Daniel Miller]
  • [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows. [Paulino Calderon]
  • [NSE] smb library's share_get_list now properly uses anonymous connections first before falling back to authenticating as a known user.
  • New service probes and matches for Apache HBase and Hadoop MapReduce. [Paulino Calderon]
  • Extended Memcached service probe and added match for Apache ZooKeeper. [Paulino Calderon]
  • [NSE] New script argument "vulns.short" will reduce vulns library script output to a single line containing the target name or IP, the vulnerability state, and the CVE ID or title of the vulnerability. [Daniel Miller]
  • [NSE][GH#862] SNMP scripts will now take a community string provided like `--script-args creds.snmp=private`, which previously did not work because it was interpreted as a username. [Daniel Miller]
  • [NSE] Resolved several issues in the default HTTP redirect rules [nnposter]:
      • [GH#826] A redirect is now cancelled if the original URL contains embedded credentials
      • [GH#829] A redirect test is now more careful in determining whether a redirect destination is related to the original host
      • [GH#830] A redirect is now more strict in avoiding possible redirect loops
  • [NSE][GH#766] The HTTP Host header will now include the port unless it is the default one for a given scheme. [nnposter]
  • [NSE] The HTTP response object has a new member, fragment, which contains a partially received body (if any) when the overall request fails to complete. [nnposter]
  • [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which are silently ignored (in accordance with RFC 6265). Unrecognized attributes were previously causing HTTP requests with such cookies to fail. [nnposter]
  • [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
  • [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie header that has an extraneous trailing semicolon. [nnposter]
  • [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated with option any_af. As an added benefit, option any_af is now available for all connections via comm.lua, not just HTTP requests. [nnposter]
  • [NSE][GH#781] There is a new common function, url.get_default_port(), to obtain the default port number for a given scheme. [nnposter]
  • [NSE][GH#833] Function url.parse() now returns the port part as a number, not a string. [nnposter]
  • No longer allow ICMP Time Exceeded messages to mark a host as down during host discovery. Running traceroute at the same time as Nmap was causing interference. [David Fifield]
  • [NSE][GH#807] Fixed a JSON library issue that was causing long integers to be expressed in the scientific/exponent notation. [nnposter]
  • [NSE] Fixed several potential hangs in NSE scripts that used receive_buf(pattern), which will not return if the service continues to send data that does not match pattern. A new function in match.lua, pattern_limit, is introduced to limit the number of bytes consumed while searching for the pattern. [Daniel Miller, Jacek Wielemborek]
  • [Nsock] Handle any and all socket connect errors the same: raise as an Nsock error instead of fatal. This prevents Nmap and Ncat from quitting with "Strange error from connect:" [Daniel Miller]
  • [NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
  • [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting changes at the source site (www.robtex.com). [aDoN]
  • [NSE][GH#620][GH#715] Added 8 new http-enum fingerprints for Hadoop infrastructure components. [Thomas Debize, Varunram Ganesh]
  • [NSE][GH#629] Added two new fingerprints to http-default-accounts (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
  • [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS probe due to a string escaping mixup. [Alexandr Savca]
  • [NSE][GH#694] ike-version now outputs information about supported attributes and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was submitted by Alexis La Goutte. [Daniel Miller]
  • [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
  • [GH#649] New service probe and match lines for the JMON and RSE services of IBM Explorer for z/OS. [Soldier of Fortran]
  • Removed a duplicate service probe for Memcached added in 2011 (the original probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
  • New service probe and match line for NoMachine NX Server remote desktop. [Justin Cacak]
  • [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap was installed to /Applications/Applications/Zenmap.app instead of /Applications/Zenmap.app.
  • [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
  • [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option, which was added in Nmap 7.10. Previously, this was treated the same as not specifying -v at all. [lymanZerga11]
  • [GH#630] Updated or removed some OpenSSL library calls that were deprecated in OpenSSL 1.1. [eroen]
  • [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys. [nnposter]
  • [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads" script-arg not being converted to a number. Error message was "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
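
The Set-Cookie handling in [GH#866], [GH#844] and [GH#731] above (arbitrary attributes tolerated, unquoted whitespace kept in the value, a trailing semicolon accepted), the further RFC 6265 rules from the [GH#1169]/[GH#1198] item earlier on this page (empty attributes tolerated, double quotes kept literally, "Secure=" and "Secure" treated alike, attributes named "name" or "value" ignored), and the HttpOnly/Secure check that http-cookie-flags reports on can all be shown on one small parser. This is an added example in Python, not the NSE http.lua parser, and the header values it parses are constructed for the example:

```python
# Added example (not NSE's http.lua): a Set-Cookie parser following the
# RFC 6265 rules listed in this changelog, plus the HttpOnly/Secure check.
from typing import Any, Dict, List


def parse_set_cookie(header: str) -> Dict[str, Any]:
    """Parse one Set-Cookie header value into name, value and attributes.

    - empty attributes (doubled or trailing ';') are tolerated
    - double quotes in values are kept literally, never stripped
    - unquoted whitespace inside a value is kept; only the ends are trimmed
    - "Secure=" and "Secure" both become attribute "secure" with value ""
    - attributes named "name" or "value" are ignored
    - unknown attributes are kept and never cause a failure
    """
    pieces = header.split(";")
    pair = pieces[0].strip()
    if "=" not in pair:
        raise ValueError("cookie pair %r has no '='" % pair)
    name, _, value = pair.partition("=")
    name = name.strip()
    if not name:
        raise ValueError("cookie name is empty")
    cookie: Dict[str, Any] = {"name": name, "value": value.strip(), "attributes": {}}
    for piece in pieces[1:]:
        piece = piece.strip()
        if not piece:                         # empty attribute, e.g. trailing ';'
            continue
        attr, _, attr_value = piece.partition("=")
        attr = attr.strip().lower()           # attribute names are case-insensitive
        if not attr or attr in ("name", "value"):
            continue                          # would clobber the cookie's own fields
        cookie["attributes"][attr] = attr_value.strip()
    return cookie


def missing_session_flags(header: str) -> List[str]:
    """Names of the Secure/HttpOnly flags that the cookie does not set."""
    attrs = parse_set_cookie(header)["attributes"]
    return [flag for flag in ("secure", "httponly") if flag not in attrs]


# Constructed header values (not captured from any real server).
HARDENED = 'SESSIONID="abc 123"; Path=/; Secure=; HttpOnly; name=evil; ; X-Custom=1;'
WEAK = 'token=x y z; Path=/; SameSite=Lax'

if __name__ == "__main__":
    print(parse_set_cookie(HARDENED))
    print("flags missing on WEAK:", missing_session_flags(WEAK))
```

The HARDENED sample exercises every tolerance rule at once (a quoted value with a space, an empty attribute value, a value-less attribute, an attribute called "name", a doubled and a trailing semicolon, an unknown attribute), and still yields a clean attribute table; the WEAK sample is the shape http-cookie-flags would flag.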

New in Nmap 7.40 (Dec 21, 2016)

  • [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an improved installer experience, driver signing updates to work with Windows 10 build 1607, and bugfixes for WiFi connectivity problems. [Yang Luo, Daniel Miller]
  • Integrated all of your IPv4 OS fingerprint submissions from April to September (568 of them). Added 149 fingerprints, bringing the new total to 5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more. Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]
  • Integrated all of your service/version detection fingerprints submitted from April to September (779 of them). The signature count went up 3.1% to 11,095. We now detect 1161 protocols, from airserv-ng, domaintime, and mep to nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115 [Daniel Miller]
  • Fix reverse DNS on Windows which was failing with the message "mass_dns: warning: Unable to determine any DNS servers." This was because the interface GUID comparison needed to be case-insensitive. [Robert Croteau]
  • [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
      • cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270 services. [Soldier of Fortran]
      • cics-user-enum brute-forces usernames for CICS users on TN3270 services. [Soldier of Fortran]
      • fingerprint-strings will print the ASCII strings it finds in the service fingerprints that Nmap shows for unidentified services. [Daniel Miller]
      • [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image via Bing Maps API. [Mak Kolybabi]
      • [GH#606] ip-geolocation-map-google renders IP geolocation data as an image via Google Maps API. [Mak Kolybabi]
      • [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file for import into other mapping software [Mak Kolybabi]
      • nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST and OHOST. Helpfully, nje-node-brute can now brute force both of those values. [Soldier of Fortran]
      • [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS certificate fields and extensions. [Steve Benson]
      • tn3270-screen shows the login screen from mainframe TN3270 Telnet services, including any hidden fields. The script is accompanied by the new tn3270 library. [Soldier of Fortran]
      • tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
      • tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
      • vtam-enum brute-forces VTAM application IDs for TN3270 services. [Soldier of Fortran]
  • [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and adaptivity mechanisms in brute.lua help brute scripts use resources more efficiently, dynamically changing number of threads based on protocol messages like FTP 421 errors, network errors like timeouts, etc. [Sergey Khegay]
  • [GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan times in exchange for labeling unresponsive (and possibly open) ports as "closed|filtered". Ports which give a UDP protocol response to one of Nmap's scanning payloads will be marked "open". [Sergey Khegay]
  • [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that service at some point. Reported by Brian Morin.
  • [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for storing and retrieving IP geolocation results. [Mak Kolybabi]
  • [Ncat] Restore the connection success message that Ncat prints with -v. This was accidentally suppressed when not using -z.
  • [GH#316] Added scan resume from Nmap's XML output. Now you can --resume a canceled scan from all 3 major output formats: -oN, -oG, and -oX. [Tudor Emil Coman]
  • [Ndiff][GH#591] Fix a bug where hosts with the same IP but different hostnames were shown as changing hostnames between scans. Made sort stable with regard to hostnames. [Daniel Miller]
  • [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for TLS Server Name Indication extension. The argument overrides the default use of the host's targetname. [Bertrand Bonnefoy-Claudet]
  • [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
  • [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a floating-point number being passed to os.time ("bad argument"). [Dallas Winger]
  • [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in mysql-brute and other scripts due to including a null terminator in the salt value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
  • The --open option now implies --defeat-rst-ratelimit. This may result in inaccuracies in the numbers of "Not shown:" closed and filtered ports, but only in situations where it also speeds up scan times. [Daniel Miller]
  • [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and IronPort to ssl-dh-params. [Frank Bergmann]
  • Added service probe for ClamAV servers (clam), an open source antivirus engine used in mail scanning. [Paulino Calderon]
  • Added service probe and UDP payload for Quick UDP Internet Connection (QUIC), a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
  • [NSE] Enabled resolveall to run against any target provided as a hostname, so the resolveall.hosts script-arg is no longer required. [Daniel Miller]
  • [NSE] Revised script http-default-accounts in several ways [nnposter]:
  • Added 21 new fingerprints, plus broadened 5 to cover more variants.
  • [GH#577] It can now test systems that return status 200 for non-existent pages.
  • [GH#604] Implemented XML output. Layout of the classic text output has also changed, including reporting blank usernames or passwords as "", instead of just empty strings.
  • Added CPE entries to individual fingerprints (where known). They are reported only in the XML output.
  • [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with malformed header names. Such header lines are still captured in the rawheader list but skipped otherwise. [nnposter]
  • [GH#416] New service probe and match line for iperf3. [Eric Gershman]
  • [NSE][GH#555] Add Drupal to the set of web apps brute forced by http-form-brute. [Nima Ghotbi]

New in Nmap 7.31 (Oct 24, 2016)

  • [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing increased stability, bug fixes, and raw 802.11 WiFi capture (unused by Nmap). Further details on these changes can be found at https://github.com/nmap/npcap/releases. [Yang Luo]
  • Fixed the way Nmap handles scanning names that resolve to the same IP. Due to changes in 7.30, the IP was only being scanned once, with bogus results displayed for the other names. The previous behavior is now restored. [Tudor Emil Coman]
  • [Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege check was performed too late, so the Npcap loading code assumed the user had no rights. [Yang Luo, Daniel Miller]
  • [GH#350] Fix an assertion failure due to floating point error in equality comparison, which triggered mainly on OpenBSD:
  • assertion "diff

New in Nmap 7.30 (Sep 30, 2016)

  • Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X.
  • Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.09 to 0.10r2. This includes many bug fixes, with a particular emphasis on concurrency issues discovered by running hundreds of Nmap instances at a time. More details are available from https://github.com/nmap/npcap/releases.
  • New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox
  • Improved some output filtering to remove or escape carriage returns ('\r') that could allow output spoofing by overwriting portions of the screen. Issue reported by Adam Rutherford.
  • [NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking. [Adam Rutherford, Daniel Miller]
  • Fixed a discrepancy between the number of targets selected with -iR and the number of hosts scanned, resulting in output like "Nmap done: 1033 IP addresses" when the user specified -iR 1000.
  • Fixed a bug in port specification parsing that could cause extraneous 'T', 'U', 'S', and 'P' characters to be ignored when they should have caused an error. [David Fifield]
  • [GH#543] Restored compatibility with LibreSSL, which was lost in adding library version checks for OpenSSL 1.1.
  • [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting in this message instead of Ndiff output:
  • ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find:
  • /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
  • Reported by Kyle Gustafson.
  • [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages.
  • [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now shows the Subject Alternative Name extension; all extensions are shown in the XML output.
  • [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  • [GH#369] coap-resources grabs the list of available resources from CoAP endpoints. [Mak Kolybabi]
  • fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services.
  • ipmi-brute performs authentication brute-forcing on IPMI services. [Claudiu Perta]
  • ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows connection without a password.
  • ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services.
  • a MQTT broker, subscribes to topics, and lists the messages received.
  • pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs.
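The output-filtering entry in this release is a small but real defensive point: anything copied from a remote host into terminal output (banners, hostnames, script results) can carry control bytes that move the cursor back over lines already printed. The following C routine is an added example, not Nmap's own filtering code: it escapes carriage returns and, going beyond the entry, also backspace, ESC and the remaining C0 control bytes. The function names and the treatment of those extra bytes are this example's own assumptions; the sample banner is constructed.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/*
 * Escape bytes that a terminal interprets as cursor or screen control, so
 * that text copied verbatim from a remote host cannot overwrite earlier
 * lines of output. Carriage return is the case from the Nmap 7.30 entry;
 * backspace, ESC and the other C0 control bytes are escaped here as well
 * (an assumption of this example, not a description of Nmap's filter).
 * Newline and tab pass through because they only move forward on screen.
 *
 * Returns the number of bytes written (excluding the NUL terminator), or
 * -1 if 'out' is too small. On success 'out' is always NUL-terminated.
 */
int escape_control_chars(const char *in, char *out, size_t outlen)
{
    size_t o = 0;

    if (out == NULL || outlen == 0)
        return -1;

    for (const unsigned char *p = (const unsigned char *)in; *p != '\0'; p++) {
        char tmp[8];
        const char *rep = NULL;

        switch (*p) {
        case '\r': rep = "\\r"; break;          /* cursor back to column 0 */
        case '\b': rep = "\\b"; break;          /* cursor back one column */
        case 0x1b: rep = "\\e"; break;          /* ESC: start of ANSI sequences */
        case '\n': case '\t': break;            /* harmless, pass through */
        default:
            if (*p < 0x20 || *p == 0x7f) {      /* any other control byte */
                snprintf(tmp, sizeof tmp, "\\x%02x", (unsigned)*p);
                rep = tmp;
            }
        }

        if (rep == NULL) {
            if (o + 1 >= outlen) return -1;
            out[o++] = (char)*p;
        } else {
            size_t n = strlen(rep);
            if (o + n >= outlen) return -1;
            memcpy(out + o, rep, n);
            o += n;
        }
    }
    out[o] = '\0';
    return (int)o;
}

/* Convenience wrapper for short demos: escapes into a static buffer
 * (not reentrant). Returns NULL if the result would not fit. */
const char *escape_to_static(const char *in)
{
    static char buf[256];
    return escape_control_chars(in, buf, sizeof buf) < 0 ? NULL : buf;
}

int main(void)
{
    /* Constructed sample banner: printed raw, the '\r' would rewind the
     * cursor and let the second half overwrite the start of the line. */
    const char *banner = "220 mail ready\r22/tcp  closed  ssh";
    printf("raw length %zu, escaped: %s\n", strlen(banner), escape_to_static(banner));
    return 0;
}
```

Escaping rather than deleting keeps the evidence visible in the scan output, which matters when the control bytes themselves are the finding.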

New in Nmap 7.25 Beta 2 (Sep 2, 2016)

  • [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC" SHA256 certificate. This should give our users extra peace-of-mind and avoid triggering Microsoft's ever-increasing security warnings.
  • [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a utf8 library, and native binary packing and unpacking functions. Removed bit library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick Donnelly]
  • [NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed at https://nmap.org/nsedoc/, and the summaries are below:
  • oracle-tns-version decodes the version number from Oracle Database Server's TNS listener. [Daniel Miller]
  • clock-skew analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. [Daniel Miller]
  • Integrated all of your service/version detection fingerprints submitted from January to April (578 of them). The signature count went up 2.2% to 10760. We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
  • [Nsock][GH#148] New, very fast IOCP Nsock engine uses "Overlapped I/O" to improve performance of version scan and NSE against many targets on Windows. [Tudor Emil Coman]
  • [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only zenmap.conf. User will be warned that config cannot be saved and that they should fix the file permissions. [Daniel Miller]
  • [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support, like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers will label the ciphersuite strength as "unknown." Reported by Bertrand Bonnefoy-Claudet. [Daniel Miller]
  • [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages. [Daniel Miller]
  • [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations against LDAP services when version detection or STARTTLS were used. [Tom Sellers]
  • [Zenmap] Long-overdue Spanish language translation has been added! Muy bien! [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
  • [GH#426] Remove a workaround for lack of selectable pcap file descriptors on Windows, which required including pcap-int.h and locking us to a single version of libpcap. The new method, using WaitForSingleObject should work with all versions of both WinPcap and Npcap. [Daniel Miller]
  • [NSE][GH#234] Added a --script-timeout option for limiting run time for every individual NSE script. [Abhishek Singh]
  • [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in traditional netcat, it can be used to quickly check the status of a port. Port ranges are not supported. [Abhishek Singh]
  • Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and "nmap" with no options result in the same behaviors as on Linux (and no crashes) [Daniel Miller]
  • [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode, which are vulnerable to the SWEET32 attack.
  • [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when the wordlist contains "{cisco}". Previously, custom wordlists would still end up sending these extra 256 requests. [Sriram Raghunathan]
  • [GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated completion time. Instead, we'll output a diagnostic error message:
  • Timing error: localtime(n) is NULL
  • where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
  • [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
  • [NSE] Added 9 new fingerprints for script http-default-accounts. (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix, Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor) [nnposter]
  • [NSE] Completed a refresh and validation of almost all fingerprints for script http-default-accounts. Also improved the script speed. [nnposter]
  • [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in IPv4. [Abhishek Singh]
  • Various performance improvements for large-scale high-rate scanning, including increased ping host groups, faster probe matching, and ensuring data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
  • [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
  • [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
  • [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl and --max-conns, due to improper accounting of file descriptors. [Daniel Miller]
  • FTP Bounce scan: improved some edge cases like anonymous login without password, 500 errors used to indicate port closed, and timeouts for LIST command. Also fixed a 1-byte array overrun (read) when checking for privileged ports. [Daniel Miller]
  • [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
  • [NSE] The hard limit on number of concurrently running scripts can now increase above 1000 to match a high user-set --min-parallelism value. [Tudor Emil Coman]
  • [NSE] Solved a memory corruption issue that would happen if a socket connect operation produced an error immediately, such as Network Unreachable. The event handler was throwing a Lua error, preventing Nsock from cleaning up properly, leaking events. [Abhishek Singh, Daniel Miller]
  • [NSE] Added the datetime library for performing date and time calculations, and as a helper to the clock-skew script.
  • [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully handling truncated replies. If a response is too long, we now fall back to using the system resolver to answer it. [Abhishek Singh]
  • [Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]
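The reverse-DNS entry in this release concerns replies that were truncated. Added here as an example of the check a parallel resolver needs, and not Nmap's nmap_mass_rdns code: parse the 12-byte DNS header (RFC 1035), and treat a reply with the TC bit set as one whose answer section must not be parsed, handing the name to the system resolver instead. The two sample headers are constructed for this example, and the verdict names are its own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define DNS_HEADER_LEN 12

/* What the resolver should do with a datagram it received. */
enum dns_verdict { DNS_DROP = 0, DNS_USE = 1, DNS_FALLBACK = 2 };

struct dns_header {
    uint16_t id;
    int qr, opcode, aa, tc, rd, ra, rcode;
    uint16_t qdcount, ancount, nscount, arcount;
};

static uint16_t be16(const uint8_t *p)
{
    return (uint16_t)((p[0] << 8) | p[1]);
}

/* Decode the fixed header. Returns 0 on success, -1 if the datagram is
 * shorter than a header (a reply that short must never be parsed). */
int dns_parse_header(const uint8_t *msg, size_t len, struct dns_header *h)
{
    if (msg == NULL || len < DNS_HEADER_LEN) return -1;
    uint16_t flags = be16(msg + 2);
    h->id      = be16(msg);
    h->qr      = (flags >> 15) & 1;
    h->opcode  = (flags >> 11) & 0xF;
    h->aa      = (flags >> 10) & 1;
    h->tc      = (flags >> 9) & 1;     /* truncated: answer section incomplete */
    h->rd      = (flags >> 8) & 1;
    h->ra      = (flags >> 7) & 1;
    h->rcode   = flags & 0xF;
    h->qdcount = be16(msg + 4);
    h->ancount = be16(msg + 6);
    h->nscount = be16(msg + 8);
    h->arcount = be16(msg + 10);
    return 0;
}

/* 1 if the TC bit is set, 0 if clear, -1 if there is no full header. */
int dns_reply_tc(const uint8_t *msg, size_t len)
{
    struct dns_header h;
    if (dns_parse_header(msg, len, &h) != 0) return -1;
    return h.tc;
}

/* Decide how to treat a datagram that arrived on the resolver socket.
 * A non-zero RCODE (e.g. NXDOMAIN) is still a complete, usable answer. */
enum dns_verdict dns_classify_reply(const uint8_t *msg, size_t len, uint16_t expected_id)
{
    struct dns_header h;
    if (dns_parse_header(msg, len, &h) != 0) return DNS_DROP;
    if (!h.qr || h.id != expected_id) return DNS_DROP;   /* not a reply, or not ours */
    if (h.tc) return DNS_FALLBACK;   /* too long for UDP: re-ask via system resolver */
    return DNS_USE;
}

/* Constructed sample: id 0x1234, flags 0x8380 = QR|TC|RD|RA, one question. */
static const uint8_t SAMPLE_TRUNCATED[DNS_HEADER_LEN] = {
    0x12, 0x34, 0x83, 0x80, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00 };
/* Constructed sample: id 0x1234, flags 0x8180 = QR|RD|RA, one answer. */
static const uint8_t SAMPLE_COMPLETE[DNS_HEADER_LEN] = {
    0x12, 0x34, 0x81, 0x80, 0x00, 0x01, 0x00, 0x01, 0x00, 0x00, 0x00, 0x00 };

int main(void)
{
    printf("truncated sample -> verdict %d\n",
           (int)dns_classify_reply(SAMPLE_TRUNCATED, DNS_HEADER_LEN, 0x1234));
    printf("complete sample  -> verdict %d\n",
           (int)dns_classify_reply(SAMPLE_COMPLETE, DNS_HEADER_LEN, 0x1234));
    return 0;
}
```

The ID check alongside the TC check is deliberate: a resolver that accepts any datagram on its socket as the answer to its outstanding query is trusting whoever can reach that port.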

New in Nmap 7.25 Beta 1 (Sep 2, 2016)

  • Nmap now ships with and uses Npcap, our new packet sniffing library for Windows. It's based on WinPcap (unmaintained for years), but uses modern Windows APIs for better performance. It also includes security improvements and many bug fixes. See http://npcap.org. And it enables Nmap to perform SYN scans and OS detection against localhost, which we haven't been able to do on Windows since Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel Miller, Fyodor]
  • [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  • clamav-exec detects ClamAV servers vulnerable to unauthorized clamav command execution. [Paulino Calderon]
  • http-aspnet-debug detects ASP.NET applications with debugging enabled. [Josh Amishav-Zlatin]
  • http-internal-ip-disclosure determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header. [Josh Amishav-Zlatin]
  • [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps its configuration. [Frank Spierings]
  • [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL. [Bertrand Bonnefoy-Claudet]
  • vnc-title logs in to VNC servers and grabs the desktop title, geometry, and color depth. [Daniel Miller]
  • Integrated all of your IPv4 OS fingerprint submissions from January to April (539 of them). Added 98 fingerprints, bringing the new total to 5187. Additions include Linux 4.4, Android 6.0, Windows Server 2016, and more. [Daniel Miller]
  • Integrated all 31 of your IPv6 OS fingerprint submissions from January to June. The classifier added 2 groups and expanded several others. Several Apple OS X groups were consolidated, reducing the total number of groups to 93. [Daniel Miller]
  • Update oldest supported Windows version to Vista (Windows 6.0). This enables the use of the poll Nsock engine, which has significant performance and accuracy advantages. Windows XP users can still use Nmap 7.12, available from https://nmap.org/dist/?C=M&O=D [Daniel Miller]
  • [NSE] Fix a crash that happened when trying to print the percent done of 0 NSE script threads:
  • timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
  • This would happen if no scripts were scheduled in a scan phase and the user pressed a key or specified a short --stats-every interval. Reported by Richard Petrie. [Daniel Miller]
  • [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown address family 0" crash on Windows and other platforms that do not set the src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
  • Retrieve the correct network prefix length for an adapter on Windows. If more than one address was configured on an adapter, the same prefix length would be used for both. This incorrect behavior is still used on Windows XP and earlier. Reported by Niels Bohr. [Daniel Miller]
  • Changed libdnet-stripped to avoid bailing completely when an interface is encountered with an unsupported hardware address type. Caused "INTERFACES: NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address types. [Daniel Miller]
  • Improved service detection of Docker and fixed a bug in the output of docker-version script. [Tom Sellers]
  • Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service probes were matching on port 3389 before our specific Terminal Services probe, causing the port to be labeled as "ssl/unknown". Reported by Josh Amishav-Zlatin.
  • [NSE] Update to enable smb-os-discovery to augment version detection for certain SMB related services using data that the script discovers. [Tom Sellers]
  • Improved version detection and descriptions for Microsoft and Samba SMB services. Also addresses certain issues with OS identification. [Tom Sellers]
  • [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA certificate whose public key uses an exponent of 1. It will also cap the score of an RC4-ciphersuite handshake at C and output a warning referencing RFC 7465. [Daniel Miller]
  • [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua. [Daniel Miller]
  • [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for privilege escalation on OS X, avoiding the deprecated AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]
  • [GH#454] The OS X binary package is distributed in a .dmg disk image that now features an instructive background image. [Vincent Dumont]
  • [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to provide all dependencies. We no longer use Macports for this purpose. [Vincent Dumont]
  • [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of next to the zenmap.exe executable. This avoids a warning message when closing Zenmap if it produced any stderr output. [Daniel Miller]
  • [GH#379][NSE] Fix http-iis-short-name-brute to report non-vulnerable hosts. Reported by alias1. [Paulino Calderon]
  • [NSE][GH#371] Fix mysql-audit by adding needed library requires to the mysql-cis.audit file. The script would fail with "Failed to load rulebase" message. [Paolo Perego]
  • [NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse. Also added version detection and information extraction to match the new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
  • [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The Probes will elicit responses from target services that allow better fingerprinting and information extraction. Also added nmap-payload entry for detecting LDAP on udp. [Tom Sellers]
  • [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of authentication sub-types in vnc-info, and all zero-authentication types are recognized and reported. [Daniel Miller]

New in Nmap 7.12 (Mar 30, 2016)

  • [NSE] VNC updates including vnc-brute support for TLS security type and negotiating a lower RFB version if the server sends an unknown higher version. [Daniel Miller]
  • [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]
  • Added new service probes and match lines for OpenVPN on UDP and TCP.

New in Nmap 7.11 (Mar 25, 2016)

  • [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that only support custom Diffie-Hellman groups. [Sergey Khegay]
  • [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol, so you can now grab certs with ssl-cert or check ciphers with ssl-enum-ciphers. [Daniel Miller]
  • [Zenmap] Fix a crash when setting default window geometry:
  • TypeError: argument of type 'int' is not iterable
  • [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an empty or unknown locale:
  • File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
  • locale.getpreferredencoding())
  • LookupError: unknown encoding:
  • [Zenmap] Fix a crash due to incorrect file paths when installing to /usr/local prefix. Example:
  • Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!

New in Nmap 7.10 (Mar 17, 2016)

  • [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  • [GH#322] http-apache-server-status parses the server status page of Apache's mod_status. [Eric Gershman]
  • http-vuln-cve2013-6786 detects an XSS and URL redirection vulnerability in Allegro RomPager web server. Also added a fingerprint for detecting CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]
  • [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon" pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]
  • imap-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled IMAP services. [Justin Cacak]
  • ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes. The discovery is the same as targets-ipv6-multicast-mld, but the subscribed addresses are decoded and listed. [Alexandru Geana, Daniel Miller]
  • ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL Server instances via the NTLM challenge message. [Justin Cacak]
  • nntp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled NNTP services. [Justin Cacak]
  • pop3-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled POP3 services. [Justin Cacak]
  • rusers retrieves information about logged-on users from the rusersd RPC service. [Daniel Miller]
  • [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and retrieves open port and service info from their Internet-wide scan data. [Glenn Wilkinson]
  • smtp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled SMTP and submission services. [Justin Cacak]
  • telnet-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled Telnet services. [Justin Cacak]
  • Integrated all of your IPv4 OS fingerprint submissions from October to January (536 of them). Added 104 fingerprints, bringing the new total to 5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more. Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]
  • Integrated all of your service/version detection fingerprints submitted from October to January (508 of them). The signature count went up 2.2% to 10532. We now detect 1108 protocols, from icy, finger, and rtsp to ipfs, basestation, and minecraft-pe. Highlights: http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]
  • Integrated all 12 of your IPv6 OS fingerprint submissions from October to January. The classifier added 3 new groups, including new and expanded groups for OS X, bringing the new total to 96. Highlights: http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]
  • [NSE] Upgrade to http-form-brute allowing correct handling of token-based CSRF protections and cookies. Also, a simple database of common login forms supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]
  • [Zenmap] [GH#247] Remember window geometry (position and size) from the previous time Zenmap was run. [isjing]
  • New service probe for CORBA GIOP (General Inter-ORB Protocol) detection should elicit a not-found exception from GIOP services that do not respond to non-GIOP probes. [Quentin Hardy]
  • [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given /32 netmasks regardless of actual netmask configured, resulting in failed routing. Reported by Martin Gysi. [Daniel Miller]
  • [GH#272][GH#269] Give option parsing errors after the usage statement, or avoid printing the usage statement in some cases. The options summary has grown quite large, requiring users to scroll to the top to see the error message. [Abhishek Singh]
  • [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors, ERR_reason_error_string would return NULL, which could not be printed with the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
  • [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to not work in Zenmap on Windows.
  • Changed Nmap's idea of reserved and private IP addresses to include 169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in libnetutil's isipprivate function, is used to filter -iR randomly generated targets. The newly-valid address ranges belong to the U.S. Department of Defense, so users wanting to avoid those ranges should use their own exclusion lists with --exclude or --exclude-file. [Bill Parker, Daniel Miller]
  • Allow the -4 option for Nmap to indicate IPv4 address family. This is the default, and using the option doesn't change anything, but does make it more explicit which address family you want to scan. Using -4 with -6 is an error. [Daniel Miller]
  • [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the screen. This happens at the time of argument parsing, so the usual meaning of "verbosity 0" is preserved. [isjing]
  • [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]
  • [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection against services that are not TLS encrypted by default but that support post connection upgrade. This will enable more comprehensive detection of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
  • [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and BeEF to http-default-accounts. [nnposter]
  • Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation Required messages when tracing packets or in Nping output. Improper offset meant we were printing the total IP length. [Sławomir Demeszko]
  • [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name" to dhcp.lua and enabled checking for options with a code above 61 by default. [Mike Rykowski]
  • [NSE] whois-ip: Don't request a remote IANA assignments data file when the local filesystem will not permit the file to be cached in a local file. [jah]
  • [NSE] Updated http-php-version hash database to cover all versions from PHP 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled from Shodan API (https://www.shodan.io/) [Daniel Miller]
  • Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan types, allowing periodic status updates with --stats-every or keypress events. [Daniel Miller]
  • [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]
  • Print service info in grepable output for ports which are not listed in nmap-services when a service tunnel (SSL) is detected. Previously, the service info ("ssl|unknown") was not printed unless the service inside the tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260 [Daniel Miller]
  • [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent. [Tom Sellers]
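The entry in this release about reserved and private addresses changes which ranges the -iR random-target generator filters out, and points users who want other ranges skipped at --exclude. As an added illustration, not Nmap's libnetutil isipprivate code, the C program below implements the same kind of prefix-table check with an illustrative reserved list (169.254/16 included; 6/8, 7/8 and 55/8 left out, as in the entry) plus an operator-supplied exclusion table standing in for --exclude. The range table, the exclusion sample and the helper names are this example's own assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

struct ipv4_range {
    uint32_t network;     /* host-order integer, e.g. 0x0A000000 = 10.0.0.0 */
    int prefix_len;
    const char *note;
};

/* Ranges a random-target generator should never emit. Illustrative list for
 * this example, not Nmap's table: 169.254/16 is in, 6/8, 7/8, 55/8 are not. */
static const struct ipv4_range RESERVED_V4[] = {
    { 0x00000000u,  8, "0/8 'this' network (RFC 1122)" },
    { 0x0A000000u,  8, "10/8 private (RFC 1918)" },
    { 0x7F000000u,  8, "127/8 loopback" },
    { 0xA9FE0000u, 16, "169.254/16 link-local (RFC 3927)" },
    { 0xAC100000u, 12, "172.16/12 private (RFC 1918)" },
    { 0xC0A80000u, 16, "192.168/16 private (RFC 1918)" },
    { 0xE0000000u,  4, "224/4 multicast" },
    { 0xF0000000u,  4, "240/4 reserved, incl. broadcast" },
};

/* Constructed stand-in for an operator's --exclude list. */
static const struct ipv4_range DEMO_EXCLUDES[] = {
    { 0x06000000u, 8, "6/8 (operator exclusion)" },
    { 0x07000000u, 8, "7/8 (operator exclusion)" },
    { 0x37000000u, 8, "55/8 (operator exclusion)" },
};

static uint32_t prefix_mask(int prefix_len)
{
    if (prefix_len <= 0) return 0;
    if (prefix_len >= 32) return 0xFFFFFFFFu;
    return 0xFFFFFFFFu << (32 - prefix_len);
}

/* Returns the first range containing addr, or NULL. */
const struct ipv4_range *in_ranges(uint32_t addr, const struct ipv4_range *ranges, size_t n)
{
    for (size_t i = 0; i < n; i++) {
        uint32_t m = prefix_mask(ranges[i].prefix_len);
        if ((addr & m) == (ranges[i].network & m))
            return &ranges[i];
    }
    return NULL;
}

int is_reserved_ipv4(uint32_t addr)
{
    return in_ranges(addr, RESERVED_V4, sizeof RESERVED_V4 / sizeof RESERVED_V4[0]) != NULL;
}

/* Strict dotted-quad parser: rejects out-of-range octets and trailing text.
 * Returns 0 on success, -1 on malformed input. */
int parse_ipv4(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char extra;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &extra) != 4) return -1;
    if (a > 255 || b > 255 || c > 255 || d > 255) return -1;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 0;
}

/* 1 = skip the address (reserved or excluded), 0 = eligible, -1 = unparsable. */
int is_reserved_ipv4_str(const char *s)
{
    uint32_t a;
    if (parse_ipv4(s, &a) != 0) return -1;
    return is_reserved_ipv4(a);
}

int demo_skip(const char *s)
{
    uint32_t a;
    if (parse_ipv4(s, &a) != 0) return -1;
    return is_reserved_ipv4(a) ||
           in_ranges(a, DEMO_EXCLUDES, sizeof DEMO_EXCLUDES / sizeof DEMO_EXCLUDES[0]) != NULL;
}

int main(void)
{
    const char *samples[] = { "169.254.10.1", "6.1.2.3", "8.8.8.8", "172.31.255.255" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-16s reserved=%d skip=%d\n", samples[i],
               is_reserved_ipv4_str(samples[i]), demo_skip(samples[i]));
    return 0;
}
```

Keeping the built-in list and the operator's list as two tables with one matcher is the point: the built-in filter only covers addresses that can never be valid targets, and policy about where a scan may go belongs in the operator-controlled table.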

New in Nmap 7.01 (Dec 10, 2015)

  • The Windows installer is now built with NSIS 2.47 which features LoadLibrary security hardening to prevent DLL hijacking and other unsafe use of temporary directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to us and the many other projects that use it.
  • [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to match the one in nmap-service-probes, which was fixed previously to correct a length calculation error.
  • [NSE] [GH#251] Correct false positives and unexpected behavior in http-* scripts which used http.identify_404 to determine when a file was not found on the target. The function was following redirects, which could be an indication of a soft-404 response.
  • [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds with 200 OK to any request.
  • [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a non-HTTP service. The expected behavior is no output.
  • [NSE] Fix SSN validation function in http-grep

New in Nmap 7.00 (Nov 19, 2015)

  • This is the most important release since Nmap 6.00 back in May 2012! For a list of the most significant improvements and new features, see the announcement at: https://nmap.org/7
  • [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  • targets-xml extracts target addresses from previous Nmap XML results files. [Daniel Miller]
  • [GH#232] ssl-dh-params checks for problems with weak, non-safe, and export-grade Diffie-Hellman parameters in TLS handshakes. This includes the LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]
  • nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names. [Soldier of Fortran]
  • ip-https-discover detects support for Microsoft's IP over HTTPS tunneling protocol. [Niklaus Schiess]
  • [GH#165] broadcast-sonicwall-discover detects and extracts information from SonicWall firewalls. [Raphael Hoegger]
  • [GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]
  • [Ncat] [GH#151] [GH#142] New option --no-shutdown prevents Ncat from shutting down when it reads EOF on stdin. This is the same as traditional netcat's "-d" option. [Adam Saponara]
  • [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in a single response. [nnposter]

New in Nmap 6.49 Beta 5 (Sep 25, 2015)

  • Fix a crash in Zenmap when using Compare Results: AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
  • [NSE] Fix http.get_url function when used with https scheme. Previously plaintext http to port 443 was attempted first.
  • Use a mutex on Windows to avoid a hang when accessing the WinPCAP driver. Reported by multiple users on Windows 8.1 and Windows Server 2012 R2: Nmap hangs when the WinPCAP driver is accessed via OpenServiceA by multiple processes at once. Users report that this change, which uses a mutex to avoid concurrent access, fixes the hang.
  • [NSE] Enhanced reporting of elliptic curve names and strengths in ssl-enum-ciphers. The name of the curve is now reported instead of just "ec"
  • [NSE] Added knx-gateway-discover and knx-gateway-info scripts for gathering information from multicast and unicast KNX gateways, which connect home automation systems to IP networks.
  • Disable TPACKET_V3 in our included libpcap. This version of the Linux kernel packet ring API has problems that result in lots of lost packets. This patch falls back to TPACKET_V2 or earlier versions if available. [nnposter]
  • Output a warning when deprecated options are used, and suggest the preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM -sR. The warning is only visible with -v.
  • [NSE] Added script http-ls. Parses web server directory index pages with optional recursion.
  • [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls scripts have been converted to use this module.
  • Fix Nmap's DTD, which did not recognize that the script element could contain character data when a script returns a number or a boolean
  • [GH#75] Normalize check targets to standard format check-*
  • [GH#75] Normalize clean and distclean targets to standard format clean-* and distclean-*.
  • [GH#75] Normalize build targets to standard format build-*
  • [NSE] Added script xmlrpc-methods. This script performs introspection of xmlrpc services and lists methods and their description.
  • [NSE] Removed http-email-harvest as the new http-grep does email address scraping by default.
  • [NSE] Added script http-fetch. This script can be used to fetch all files from the target, specific files from the target or files that match a given pattern.
  • [NSE] http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate both themes and modules of Drupal installations.
  • [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD changed byte order of the IPv4 stack, so SYN scan and other raw packet functions were broken.
  • [NSE] Added script http-svn-enum. Enumerates users of a Subversion repository by examining commit logs.
  • [NSE] Added script http-svn-info. Requests information from a Subversion repository.
  • [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache and refactored DNS code to improve readability and extensibility
  • [NSE] Added NTLM brute support to http-brute.
  • [NSE] Added NTLM authentication support to http.lua and a related function to create an ntlm v2 session response in smbauth.lua.
  • [NSE] ssl-enum-ciphers now marks cipher scores as unknown for ciphers requiring the use of openssl when openssl is missing. [jrchamp]
  • [NSE] Added builtin pattern and multiple pattern search to http-grep.
  • [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client access policies and uses the new SLAXML parser. [Gyanendra Mishra]
  • [NSE] Added a patch for the vulns library that allows a list of tables to be submitted to fields in the vulns report.
  • [NSE] Added additional checks for successful PUT request in http-put
  • [NSE] Added an update for http-methods that checks all possible methods not in Allow or Public header of OPTIONS response.
  • [NSE] Added SLAXML, an XML parser in Lua
  • [NSE] Added hnap-info, detects and outputs info for Home Network Administration Protocol devices.
  • [NSE] Added http-webdav-scan, which detects WebDAV servers.
  • [NSE] Added tor-consensus-checker, which checks if a target is a known Tor node.

New in Nmap 6.49 Beta 3 (Jun 26, 2015)

  • Fix Ncat listen mode on Solaris and other platforms where struct sockaddr does not have a sa_len member. This also affected use of the -p and -s options. Brandon Haberfeld reported the crash.
  • Fix a Zenmap failure to open on OS X with the error: "dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib" We had to remove the DYLD_LIBRARY_PATH environment variable from zenmap_wrapper.py.
  • Report our https URL (https://nmap.org) in more places rather than our non-SSL one.

New in Nmap 6.49 Beta 2 (Jun 26, 2015)

  • Fix a crash (assertion error) when Nmap receives an ICMP Host Unreachable message.
  • Fix a configure failure when Python is not present, but no Python projects were requested.
  • [Zenmap] Fix Zenmap on OS X which was failing with zipimport.ZipImportError due to architecture mismatch.
  • [NSE] Remove ahbl.org checks from dnsbl.lua, since the service was shut down.

New in Nmap 6.49 Beta 1 (Jun 17, 2015)

  • Integrated all of your IPv4 OS fingerprint submissions from May 2014 to February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total to 4766. Additions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0, FreeBSD 10.1, OpenBSD 5.6, and more. Highlights: http://seclists.org/nmap-dev/2015/q2/169 [Daniel Miller]
  • Integrated all of your service/version detection fingerprints submitted from June 2013 to February 2015 (2500+ of them). The signature count soared over the 10000 mark, a 12% increase. We now detect 1062 protocols, from http, telnet, and ftp to jute, bgp, and slurm. Highlights: http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]
  • Integrated all of your IPv6 OS fingerprint submissions from June 2013 to April 2015 (only 97 of them!). We are steadily improving the IPv6 database, but we need your submissions. The classifier added 9 new groups, bringing the new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel Miller]
  • Nmap now has an official bug tracker! We are using Github Issues, which you can reach from http://issues.nmap.org/. We welcome your bug reports, enhancement requests, and code submissions via the Issues and Pull Request features of Github (https://github.com/nmap/nmap), though the repository itself is just a mirror of our authoritative Subversion repository.
  • [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi) translation by Gyanendra Mishra, and updated translations for German (de, Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and French (fr, MaZ)
  • Added options --data and --data-string to send custom payloads in scan packet data. [Jay Bosamiya]
  • --reason is enabled for verbosity > 2, and now includes the TTL of received packets in Normal output (this was already present in XML) [Jay Bosamiya]
  • Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]
  • Our OS X installer is now built for a minimum supported version of 10.8 (Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally, OpenSSL is now statically linked, allowing us to distribute the latest from Macports instead of being subjected to the 0.9.8 branch still in use as of 10.9. [Daniel Miller]
  • New features for the IPv6 OS detection engine allow for better classification of systems: IPv6 guessed initial hop limit (TTL) and ratio of TCP initial window size to maximum segment size. [Alexandru Geana]
  • [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS handshake, including certificate key size and DH parameters if applicable. This is similar to Qualys's SSL Labs scanner, and means that we no longer maintain a list of scores per ciphersuite. [Daniel Miller]
  • All nmap.org pages are now available SSL-secured to improve privacy and ensure your binaries can't be tampered with in transit. So be sure to download from https://nmap.org/download.html. We will soon remove the non-SSL version of the site. We still offer GPG-signed binaries as well: https://nmap.org/book/install.html#inst-integrity
  • Enhance Nmap's tcpwrapped service detection by using a shorter timeout for the tcpwrapped designation. This prevents falsely labeling services as tcpwrapped which merely have a read timeout shorter than 6 seconds. Full discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]
  • Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by failing to set the ICMP ID for outgoing packets which is used to match incoming responses. [Andrew Waters]
  • Add 2 more ASCII-art configure splash images to be rotated randomly with the traditional dragon image. New ideas for other images to use here may be sent to the nmap-dev mailing list. [Jay Bosamiya, Daniel Miller]
  • Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by passing a NULL pointer to a WinPcap function that then tries to write an error message to it. [Peter Malecka]
  • Fix compilation and several bugs on AIX. [Daniel Miller]
  • Fix a bug in libdnet-stripped on Solaris that resulted in the wrong MAC address being detected for all interfaces. http://seclists.org/nmap-dev/2015/q2/1 [Daniel Miller]
  • [NSE] Improved http-form-brute autodetection and behavior to handle more unusual-but-valid HTML syntax, non-POST forms, success/failure testing on HTTP headers, and more. [nnposter]
  • [NSE] Reduce many NSE default timeouts and base them on Nmap's detected timeouts for those hosts from the port scan phase. Scripts which take timeout script-args can now handle 's' and 'ms' suffixes, just like Nmap's own options. [Daniel Miller]
  • [NSE] Remove db2-discover, as its functionality was performed by service version detection since the broadcast portion was separated into broadcast-db2-discover. http://seclists.org/nmap-dev/2014/q3/415 [Daniel Miller]
  • Cache dnet names not found on Windows when enumerating interfaces in the Windows Registry. Reduces startup times. [Elon Natovich]
  • [NSE] Make smb-ls able to leverage results from smb-enum-shares or list of shares specified on command line. [Pierre Lalet]
  • [NSE] Fix X509 cert date parsing for dates after 2049. Reported by Teppo Turtiainen. [Daniel Miller]
  • Handle a bunch of socket errors that can result from odd ICMP Type 3 Destination Unreachable messages received during service scanning. The crash reported was "Unexpected error in NSE_TYPE_READ callback. Error code: 92 (Protocol not available)" [Daniel Miller]
  • Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using -sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]
  • Fixed a benign TOCTOU race between stat() and open() in mmapfile(). Reported by Camille Mougey. [Henri Doreau]
  • Reduce CPU consumption when using nsock poll engine with no registered FD, by actually calling Poll() for the time until timeout, instead of directly returning zero and entering the loop again. [Henri Doreau]
  • Change the URI for the fingerprint submitter to its new location at https://nmap.org/cgi-bin/submit.cgi
  • [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to http-enum in the 'security' category [Daniel Miller]
  • Fixed a bug that caused Nmap to fail to find any network interface when a Prism interface is in monitor mode. The fix was to define the ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code. [Brad Johnson]
  • Added a version probe for Tor. [David Fifield]
  • [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix published applications in the list are enforcing/requiring the level of ICA/session data encryption shown in the script result. [Tom Sellers]
  • [NSE] Updated our Wordpress plugin list to improve the http-wordpress-enum NSE script. We can now detect 34,077 plugins, up from 18,570. [Danila Poyarkov]
  • [NSE] Add the signature algorithm that was used to sign the target port's x509 certificate to the output of ssl-cert.nse [Tom Sellers]
  • [NSE] Fixed a bug in the sslcert.lua library that was triggered against certain services when version detection was used. [Tom Sellers]
  • [NSE] vulns.Report:make_output() now generates XML structured output reports automatically. [Paulino Calderon]
  • [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts [Jay Bosamiya]
  • [NSE] If a version script is run by name, nmap.version_intensity() returns the maximum value (9) for it [Jay Bosamiya]
  • [NSE] shortport.version_port_or_service() takes an optional rarity parameter now to run only when version intensity > rarity [Jay Bosamiya]
  • [NSE] Added nmap.version_intensity() function so that NSE version scripts can use the argument to --version-intensity (which can be overridden by the script arg 'script-intensity') in order to decide whether to run or not [Jay Bosamiya]
  • Improve OS detection: if a port is detected to be 'tcpwrapped', then it will not be used for OS detection. This helps in cases where a firewall, rather than the target host, is what makes the port appear 'tcpwrapped'. [Jay Bosamiya]
  • [Zenmap] Reduce noise generated in Topology View due to anonymous hops [Jay Bosamiya]
  • Added option --exclude-ports to Nmap so that some ports can be excluded from scanning (for example, due to policy) [Jay Bosamiya]
  • [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output, and display a more helpful error message [Jay Bosamiya]
  • Catch badly named output files (such as those unintentionally caused by "-oX -sV logfile.xml") [Jay Bosamiya]
  • [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans now open in seconds instead of hours. [Jay Bosamiya]
  • Modify the included libpcap configure script to disable certain unused features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a build problem on CentOS 6.5. [Daniel Miller]
  • Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]
  • Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP stacks in currently popular operating systems use. [Jay Bosamiya]
  • Fixed a bug which caused Nmap to be unable to have any runtime interaction when called from sudo or from a shell script. [Jay Bosamiya]
  • Improvements to whois-ip.nse: fix an unhandled error when a referred-to response could not be understood; add a new pattern to recognise a LACNIC "record not found" type of response and update the way ARIN is queried. [jah]
  • [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
  • bacnet-info gets device information from SCADA/ICS devices via BACnet (Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]
  • docker-version detects and fingerprints Docker [Claudio Criscione]
  • enip-info gets device information from SCADA/ICS devices via EtherNet/IP [Stephen Hilt]
  • fcrdns performs a Forward-confirmed Reverse DNS lookup and reports anomalous results. [Daniel Miller]
  • http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems. [Paulino Calderon]
  • http-cisco-anyconnect gets version and tunnel information from Cisco SSL VPNs. [Patrik Karlsson]
  • http-crossdomainxml detects overly permissive crossdomain policies and finds trusted domain names available for purchase. [Paulino Calderon]
  • http-shellshock detects web applications vulnerable to Shellshock (CVE-2014-6271). [Paulino Calderon]
  • http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin. [Paul AMAR]
  • http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect SSL VPNs. [Patrik Karlsson]
  • http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote code execution. [Gyanendra Mishra]
  • http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to MS15-034. [Paulino Calderon]
  • http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access. [Andrew Orr]
  • http-wordpress-plugins was renamed http-wordpress-enum and extended to enumerate both plugins and themes of Wordpress installations and their versions. http-wordpress-enum is now http-wordpress-users. [Paulino Calderon]
  • mikrotik-routeros-brute performs password auditing attacks against Mikrotik's RouterOS API. [Paulino Calderon]
  • omron-info gets device information from Omron PLCs via the FINS service. [Stephen Hilt]
  • s7-info gets device information from Siemens PLCs via the S7 service, tunneled over ISO-TSAP on TCP port 102. [Stephen Hilt]
  • snmp-info gets the enterprise number and other information from the snmpEngineID in an SNMPv3 response packet. [Daniel Miller]
  • ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS CCS Injection vulnerability (CVE-2014-0224) [Claudiu Perta]
  • ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566) [Daniel Miller]
  • supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers. [Paulino Calderon]
  • targets-ipv6-map4to6 generates target IPv6 addresses which correspond to IPv4 addresses mapped within a particular IPv6 subnet. [Raúl Fuentes]
  • targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made of hexadecimal characters. [Raúl Fuentes]
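The snmp-info entry in the list above only says that the enterprise number is read out of the snmpEngineID; the encoding that makes that possible is the SnmpEngineID layout from RFC 3411. The parser below is an added example written for this page, not code from Nmap's snmp-info script: when the top bit of the first octet is set, the first four octets carry the IANA enterprise number (top bit masked off) and the fifth octet says how to read the remainder (1 IPv4 address, 2 IPv6 address, 3 MAC address, 4 text, 5 octets, 128-255 enterprise-specific); with the top bit clear it is the fixed 12-octet pre-standard form. The engine IDs it is run on are constructed, and the vendor table is a tiny hand-picked subset of the IANA registry, not the full list.

```python
import struct

# Hand-picked subset of the IANA enterprise-number registry, for illustration only.
ENTERPRISE_NAMES = {9: "Cisco Systems", 311: "Microsoft", 2021: "UCD-SNMP", 8072: "net-snmp"}

FORMATS = {1: "ipv4", 2: "ipv6", 3: "mac", 4: "text", 5: "octets"}


def parse_engine_id(engine_id: bytes) -> dict:
    """Decode an RFC 3411 SnmpEngineID into enterprise number, format and value.

    Top bit of octet 1 set: octets 1-4 = enterprise number (top bit masked off),
    octet 5 = format indicator, remaining octets = the address/name itself.
    Top bit clear: the 12-octet pre-standard form, enterprise number + 8 opaque octets.
    """
    if not 5 <= len(engine_id) <= 32:
        raise ValueError("SnmpEngineID must be 5..32 octets, got %d" % len(engine_id))
    first = struct.unpack("!I", engine_id[:4])[0]
    enterprise = first & 0x7FFFFFFF
    info = {"enterprise": enterprise, "vendor": ENTERPRISE_NAMES.get(enterprise, "unknown")}

    if not first & 0x80000000:
        if len(engine_id) != 12:
            raise ValueError("legacy-format engine ID must be exactly 12 octets")
        info.update(format="legacy", value=engine_id[4:].hex())
        return info

    fmt, rest = engine_id[4], engine_id[5:]
    if fmt == 1 and len(rest) == 4:
        value = ".".join(str(b) for b in rest)                       # IPv4, dotted quad
    elif fmt == 2 and len(rest) == 16:
        value = ":".join("%04x" % w for (w,) in struct.iter_unpack("!H", rest))  # IPv6, 8 groups
    elif fmt == 3 and len(rest) == 6:
        value = ":".join("%02x" % b for b in rest)                   # MAC address
    elif fmt == 4:
        value = rest.decode("ascii", errors="replace")               # administratively assigned text
    elif fmt == 5:
        value = rest.hex()                                           # administratively assigned octets
    elif fmt >= 128:
        info.update(format="enterprise-specific(%d)" % fmt, value=rest.hex())
        return info
    else:
        raise ValueError("format %d with %d trailing octets is not valid" % (fmt, len(rest)))
    info.update(format=FORMATS[fmt], value=value)
    return info


if __name__ == "__main__":
    # Constructed engine IDs, not captured from real devices.
    samples = [
        bytes.fromhex("80001f8801c0a80101"),            # net-snmp agent identified by IPv4 192.168.1.1
        bytes.fromhex("8000000903001122334455"),        # Cisco, identified by MAC address
        bytes.fromhex("80001f8804") + b"scanner-host",  # net-snmp, text name
        bytes.fromhex("000000090102030405060708"),      # pre-standard 12-octet form, enterprise 9
    ]
    for eid in samples:
        print(eid.hex(), "->", parse_engine_id(eid))
```

An engine ID therefore tells a scanner the SNMP implementation's vendor, and frequently the agent's IP or MAC address, before any community string or USM credential has been checked, which is why it is worth reporting even when authentication fails.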

New in Nmap 6.47 (Sep 4, 2014)

  • Integrated all of your IPv4 OS fingerprint submissions since June 2013 (2700+ of them). Added 366 fingerprints, bringing the new total to 4485. Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2, OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
  • Upgraded the included OpenSSL to version 1.0.1i.
  • Upgraded the included Python to version 2.7.8.
  • Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This was added in 6.45, and resulted in trouble for Nmap XML parsers without network access, as well as increased traffic to Nmap's servers. The doctype is now:
  • [Ndiff] Fixed the installation process on Windows, which was missing the actual Ndiff Python module since we separated it from the driver script.
  • [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution, which was giving the error, "\Microsoft was unexpected at this time."
  • [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch, producing this error: Could not import the zenmapGUI.App module: 'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2): Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n Referenced from: /Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\n Reason: image not found'.
  • [Ncat] Fixed SOCKS5 username/password authentication. The password length was being written in the wrong place, so authentication could not succeed.
  • Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts this to the string "(null)", but it caused segfault on Solaris. [Daniel Miller]
  • [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package installed. Python tries to be nice and loads it when we import xml, but it isn't compatible. Instead, we force Python to use the standard library xml module.
  • Handle ICMP admin-prohibited messages when doing service version detection. Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ callback. Error code: 101 (Network is unreachable)
  • [NSE] Fix a bug causing http.head to not honor redirects.
  • [Zenmap] Fix a bug in DiffViewer causing this crash: TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only buffer, not NmapParserSAX. Crash happened when trying to compare two scans within Zenmap.

New in Nmap 6.46 (Apr 22, 2014)

  • [NSE] Made numerous improvements to ssl-heartbleed to provide more reliable detection of the vulnerability.
  • [Zenmap] Fixed a bug which caused this crash message: IOError: [Errno socket error] [Errno 10060] A connection attempt failed because the connected party did not properly respond after a period of time, or established connection failed because connected host has failed to respond
  • The bug was caused by us adding a DOCTYPE definition to Nmap's XML output which caused Python's XML parser to try and fetch the DTD every time it parses an XML file. We now override that DTD-fetching behavior.
  • [NSE] Fix some bugs which could cause snmp-ios-config and snmp-sysdescr scripts to crash
  • [NSE] Improved performance of the citrixlua library when handling large XML responses containing application lists.

New in Nmap 6.45 (Apr 14, 2014)

  • [NSE] Add ssl-heartbleed script to detect the Heartbleed bug in OpenSSL CVE-2014-0160
  • [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail when scanning a SOCKS4-only proxy. Reported on IRC by Husky.
  • [NSE] Improved ntp-info script to handle underscores in returned data.
  • [NSE] Add quake1-info script for retrieving server and player information from Quake 1 game servers. Reports potential DoS amplification factor
  • [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and other character sets to Unicode code points. Scripts that previously just added or skipped nulls in UTF-16 data can use this to support non-ASCII characters.
  • When doing a ping scan (-sn), the --open option will prevent down hosts from being shown when -v is specified. This aligns with similar output for other scan types.
  • [Ncat] Added support for socks5 and corresponding regression tests
  • [NSE] Add http-ntlm-info script for getting server information from Web servers that require NTLM authentication.
  • Added TCP support to dns.lua.
  • Added safe fd_set operations. This makes nmap fail gracefully instead of crashing when the number of file descriptors grows over FD_SETSIZE.
  • [NSE] Added tls library for functions related to SSLv3 and TLS messages Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were updated to use this library.
  • [NSE] Add sstp-discover script to discover Microsoft's Secure Socket Tunnelling Protocol
  • [NSE] Added unittest library and NSE script for adding unit tests to NSE libraries. See unittest.lua for examples, and run `nmap --script=unittest --script-args=unittest.run -d` to run the tests.
  • Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release) [Daniel Miller]
  • Added version detection signatures and probes for a bunch of Android remote mouse/keyboard servers, including AndroMouse, AirHID Wifi-mouse, and RemoteMouse. [Paul Hemberger]
  • [NSE] Added allseeingeye-info for gathering information from games using this query protocol. A version detection probe was also added.
  • [NSE] Add freelancer-info to gather information about the Freelancer game server. Also added a related version detection probe and UDP protocol payload for detecting the service.
  • [Ncat] Fixed compilation when --without-liblua is specified in configure (an #include needed an ifdef guard).
  • [NSE] Add http-server-header script to grab the Server header as a last-ditch effort to get a software version. This can't be done as a softmatch because of the need to match non-HTTP services that obey some HTTP requests.
  • [NSE] Add rfc868-time script to get the date and time from an RFC 868 Time server.
  • [NSE] Add weblogic-t3-info script that detects the T3 RMI protocol used by Oracle/BEA Weblogic. Extracts the Weblogic version, as well
  • Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by skipping these non-network addresses. [Daniel Miller]
  • Fixed a bug with UDP checksum calculation. When the computed UDP checksum is zero (0x0000), it must be transmitted as one's-complement negative zero (0xffff) to avoid ambiguity with +0, which indicates that no checksum was calculated. This affected UDP on IPv4 only. Reported by Michael Weber.
  • [NSE] Removed a fixed value (28428) which was being set for the Request ID in the snmpWalk library function; a value based on nmap.clock_ms will now be set instead. [jah]
  • [NSE] Add http-iis-short-name-brute script that detects Microsoft IIS servers vulnerable to a file/folder name disclosure and a denial of service vulnerability. The script obtains the "shortnames" of the files and folders in the webroot folder.
  • Idle scan now supports IPv6. IPv6 packets don't usually come with fragments identifiers like IPv4 packets do, so new techniques had to be developed to make idle scan possible.
  • [NSE] Add http-dlink-backdoor script that detects DLink routers with firmware backdoor allowing admin access over HTTP interface.
  • The ICMP ID of ICMP probes is now matched against the sent ICMP ID to reduce the chance of false matches.
  • [NSE] Made telnet-brute support multiple parallel guessing threads reuse connections, and support password-only logins.
  • [NSE] Made the table returned by ssh1.fetch_host_key contain a "key" element, like that of ssh2.fetch_host_key. This fixed a crash in the ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The "key" element of ssh2.fetch_host_key now is base64-encoded, to match the format used by the known_hosts file.
  • [Nsock] Handle timers and timeouts via a priority queue (using a heap) for improved performance. Nsock now only iterates over events which are completed or expired instead of inspecting the entire event set at each iteration.
  • [NSE] Update dns-cache-snoop script to use a new list of top 50 domains rather than a 2010 list. [Nicolle Neulist]
  • [NSE] Added the qconn-exec script by Brendan Coles, which tests the QNX QCONN service for remote command execution
  • [Zenmap] Fixed a crash that would happen when you entered a search term starting with a colon: "AttributeError FilteredNetworkInventory' object has no attribute 'match_'"
  • [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR and NCAT_LOCAL_PORT environment variables being set in all --*-exec child processes
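The UDP checksum fix in the 6.45 list above is an edge case worth seeing end to end: a computed checksum of 0 must leave the sender as 0xffff, because a literal 0 in the field tells the receiver that no checksum was computed at all. The code below is an added example written for this page, not Nmap's own C code. It computes the UDP checksum over the IPv4 pseudo-header, applies the 0 to 0xffff substitution, and shows what a receiver concludes for a correct datagram, for one that (like Nmap before 6.45) put the raw 0 on the wire, and for a corrupted one. The addresses, ports and payload are constructed; `payload_forcing_zero_checksum` deliberately chooses two trailing bytes so that the raw checksum comes out as exactly 0.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """16-bit one's-complement sum of data with carries folded back in (RFC 1071).
    An odd trailing byte is padded with a zero byte, as the UDP checksum requires."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(word for (word,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def _pseudo_header(src: str, dst: str, udp_length: int) -> bytes:
    # IPv4 pseudo-header: source, destination, zero byte, protocol 17 (UDP), UDP length
    return socket.inet_aton(src) + socket.inet_aton(dst) + struct.pack("!BBH", 0, 17, udp_length)


def udp_checksum_ipv4(src: str, dst: str, sport: int, dport: int, payload: bytes) -> int:
    """Value to put in the UDP checksum field of an IPv4 datagram.
    The sum is taken with the field zeroed; a raw result of 0 is sent as 0xFFFF
    (negative zero in one's complement) because 0 on the wire means 'no checksum'."""
    length = 8 + len(payload)
    header = struct.pack("!HHHH", sport, dport, length, 0)
    raw = (~ones_complement_sum(_pseudo_header(src, dst, length) + header + payload)) & 0xFFFF
    return 0xFFFF if raw == 0 else raw


def build_udp_ipv4(src: str, dst: str, sport: int, dport: int, payload: bytes) -> bytes:
    """UDP header + payload with the checksum field filled in."""
    csum = udp_checksum_ipv4(src, dst, sport, dport, payload)
    return struct.pack("!HHHH", sport, dport, 8 + len(payload), csum) + payload


def udp_checksum_status(src: str, dst: str, datagram: bytes) -> str:
    """What a receiver concludes: 'absent' (field is 0, nothing to verify),
    'ok' (sum over pseudo-header and datagram folds to 0xFFFF) or 'bad'."""
    field = struct.unpack("!H", datagram[6:8])[0]
    if field == 0:
        return "absent"
    total = ones_complement_sum(_pseudo_header(src, dst, len(datagram)) + datagram)
    return "ok" if total == 0xFFFF else "bad"


def payload_forcing_zero_checksum(src: str, dst: str, sport: int, dport: int, prefix: bytes) -> bytes:
    """Constructed test input: append two bytes to prefix so that the raw checksum
    over the finished datagram is exactly 0, the edge case the fix is about."""
    if len(prefix) % 2:
        raise ValueError("prefix must have even length so the fix-up word is aligned")
    length = 8 + len(prefix) + 2
    header = struct.pack("!HHHH", sport, dport, length, 0)
    total = ones_complement_sum(_pseudo_header(src, dst, length) + header + prefix + b"\x00\x00")
    fix = 0 if total == 0xFFFF else 0xFFFF - total  # folded sum becomes 0xFFFF, whose complement is 0
    return prefix + struct.pack("!H", fix)


if __name__ == "__main__":
    src, dst, sport, dport = "10.0.0.1", "10.0.0.2", 53, 1024   # constructed endpoints
    tricky = payload_forcing_zero_checksum(src, dst, sport, dport, b"ab")
    dgram = build_udp_ipv4(src, dst, sport, dport, tricky)
    print("wire checksum: 0x%04x" % udp_checksum_ipv4(src, dst, sport, dport, tricky))
    print("receiver sees:", udp_checksum_status(src, dst, dgram))
    # pre-6.45 behaviour: the raw 0 goes out and the receiver silently skips verification
    broken = dgram[:6] + b"\x00\x00" + dgram[8:]
    print("with raw 0 on the wire:", udp_checksum_status(src, dst, broken))
```

The practical consequence of the bug was not a rejected packet but an unchecked one: a receiver that sees 0 in the field skips verification, so a corrupted probe or response would have been accepted rather than dropped.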

New in Nmap 6.40 (Jul 29, 2013)

  • [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR and NCAT_LOCAL_PORT environment variables being set in all --*-exec child processes.
  • [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid receiving crosstalk from other ping programs running at the same time. [David Fifield]
  • [NSE] Added http-adobe-coldfusion-apsa1301.nse. It exploits an authentication bypass vulnerability in Adobe Coldfusion servers. [Paulino Calderon]
  • [NSE] The ipOps.isPrivate library now considers the deprecated site-local prefix fec0::/10 to be private. [Marek Majkowski]
  • [Ncat] Added --lua-exec. This feature is basically an equivalent of ncat --sh-exec "lua " and allows you to run Lua scripts with Ncat, redirecting all stdin and stdout operations to the socket connection. [Jacek Wielemborek]
  • [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If you ran the (fortunately non-default) http-domino-enum-passwords script with the (fortunately also non-default) domino-enum-passwords.idpath parameter against a malicious server, it could cause an arbitrarily named file to be written to the client system. Thanks to Trustwave researcher Piotr Duszynski for discovering and reporting the problem. We've fixed that script, and also updated several other scripts to use a new stdnse.filename_escape function for extra safety. This breaks our record of never having a vulnerability in the 16 years that Nmap has existed, but that's still a fairly good run. [David, Fyodor]
  • [NSE] Added teamspeak2-version.nse by Marin Maržić.
  • Nmap's routing table is now sorted first by netmask, then by metric. Previously it was the other way around, which could cause a very general route with a low metric to be preferred over a specific route with a higher metric.
  • [Ncat] The -i option (idle timeout) now works in listen mode as well as connect mode. [Tomas Hozza]
  • Fixed a byte-ordering problem on little-endian architectures when doing idle scan with a zombie that uses broken ID increments. [David Fifield]
  • [Ncat] Ncat now supports chained certificates with the --ssl-cert option. [Greg Bailey]
  • Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by Gustavo Moreira. [Henri Doreau]
  • [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a network mask. Based on a patch by Indula Nayanamith.
  • [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to stay within platform limitations. Suggested by Andrey Olkhin.
  • Fixed IPv6 routing table alignment on NetBSD.
  • [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
  • Added a service probe for Erlang distribution nodes. [Michael Schierl]
  • Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This was reported to break on -current as of May 2013. [Giovanni Bechis]
  • Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
  • Removed some non-ANSI-C strftime format strings ("%F") and locale-dependent formats ("%c") from NSE scripts and libraries. C99-specified %F was noticed by Alex Weber. [Daniel Miller]
  • [Zenmap] Added Polish translation by Jacek Wielemborek.
  • [NSE] Added http-coldfusion-subzero. It detects Coldfusion 9 and 10 vulnerable to a local file inclusion vulnerability and grabs the version, install path and the administrator credentials. [Paulino Calderon]
  • [Nsock] Added a minimal regression test suite for nsock. [Henri Doreau]
  • [NSE] Updated redis-brute.nse and redis-info.nse to work against the latest versions of redis server. [Henri Doreau]
  • [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
  • Added a service probe for Minecraft servers. [Eric Davisson]
  • [NSE] Updated hostmap-bfk to work with the latest version of their website. [Paulino Calderon]
  • [NSE] Added XML structured output support to hostmap-bfk, hostmap-robtex, and hostmap-ip2hosts. [Paulino Calderon]
  • [NSE] Added hostmap-ip2hosts. It uses the service provider ip2hosts.com to list domain names pointing to the same IP address. [Paulino Calderon]
  • [NSE] Added http-vuln-cve2013-0156. It detects Ruby on Rails servers vulnerable to remote command execution (CVE-2013-0156). [Paulino Calderon]
  • Added a service probe for the Hazelcast data grid. [Pavel Kankovsky]
  • [NSE] Rewrote telnet-brute for better compatibility with a variety of telnet servers. [nnposter]
  • [Nsock] Added initial proxy support to nsock. Nsock based modules (version scan, nse) of nmap can now establish TCP connections through chains of proxies. HTTP CONNECT and SOCKS4 protocols are supported, with some limitations. [Henri Doreau]
  • Fixed a regression that changed the number of delimiters in machine output. [Daniel Miller]
  • [Zenmap] Updated the Italian translation. [Giacomo]
  • Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports will be reported as "filtered", to be consistent with existing Connect scan results, and will have a reason of time-exceeded. DiabloHorn reported this issue via IRC. [Daniel Miller]
  • Added new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and changed the output of some of the decoders slightly. [Patrik Karlsson]
  • Timeout script-args are now standardized to use the timespec that Nmap's command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that previously took an integer number of milliseconds will now treat that as a number of seconds if not explicitly denoted as ms. [Daniel Miller]
  • The list of nameservers on Windows now ignores nameservers from inactive interfaces. [David Fifield]
  • Namespace the pipes used to communicate with subprocesses by PID, to avoid multiple instances of Ncat from interfering with each other. Patch by Andrey Olkhin.
  • Nmap may now partially rearrange its target list for more efficient host groups. Previously, a single target with a different interface, or with an IP address the same as that of a target already in the group, would cause the group to be broken off at whatever size it was. Now, we buffer a small number of such targets, and keep looking through the input for more targets to fill out the current group. [David Fifield]
  • [NSE] Changed ip-geolocation-geoplugin to use the web service's new output format. Reported by Robin Wood.
  • Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast connect scans could write past the end of an fd_set and cause a variety of crashes: nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed. select failed in do_one_select_round(): Bad file descriptor (9) [David Fifield]
  • Fixed a bug that prevented Nmap from finding any interfaces when one of them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk interfaces. However, this support is not complete since AppleTalk interfaces use different size hardware addresses than Ethernet. Nmap IP level scans should work without any problem; please refer to the '--send-ip' switch and to the following thread: http://seclists.org/nmap-dev/2013/q1/214 This bug was reported by Steven Gregory Johnson. [Daniel Miller]
  • [Nping] Nping now skips localhost targets for privileged pings (with an error message) because those generally don't work. [David Fifield]
  • [Ncat] Ncat now keeps running in connect mode after receiving EOF from the remote socket, unless --recv-only is in effect. [Tomas Hozza]
  • Routes are now sorted to prefer those with a lower metric. Retrieval of metrics is supported only on Linux and Windows. [David Fifield]
  • Packet trace of ICMP packets now include the ICMP ID and sequence number by default. [David Fifield]
  • [NSE] Added ike-version and a new ike library by Jesper Kückelhahn. Thanks also go to Roy Hills, who allowed the use of the signature database from the ike-scan tool.
  • [NSE] Fixed various NSEDoc bugs found by David Matousek.
  • [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED environment variables. [Tyler Wagner]
  • It's now possible to mix IPv4 range notation with CIDR netmasks in target specifications. For example, 192.168-170.4-100,200.5/16 is effectively the same as 192.168-170.0-255.0-255, because the /16 masks off the last two octets of every address the ranges generate. [David Fifield]
  • Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into XSL-FO, which can be converted into PDF using Apache FOP.
  • Increased the number of slack file descriptors not used during connect scan. Previously, the calculation did not consider the descriptors used by various open log files. Connect scans using a lot of sockets could fail with the message "Socket creation in sendConnectScanProbe: Too many open files". [David Fifield]
  • [Zenmap] Fixed internationalization files. Running in a language other than the default English would result in the error "ValueError: too many values to unpack". [David Fifield]
  • Changed the --webxml XSL stylesheet to point to the new location of nmap.xsl in the new repository, https://svn.nmap.org/nmap/docs/nmap.xsl. This was noticed by Simon John.
  • [NSE] Made the vulnerability library able to preserve vulnerability information across multiple ports of the same host. The bug was reported by iphelix. [Djalal Harouni]
  • [NSE] Added ventrilo-info by Marin Maržić. This gets information from a Ventrilo VoIP server.
  • Removed the undocumented -q option, which renamed the nmap process to something like "pine".
  • Moved the Japanese man page from man1/jp to man1/ja. jp is a country code while ja is a language code. Reported by Christian Neukirchen.
  • [NSE] Added mysql-enum script which enumerates valid mysql server usernames. [Aleksandar Nikolic]
  • [Nsock] Reworked the logging infrastructure to make it more flexible and consistent. Updated nmap, nping and ncat accordingly. Nsock log level can now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David Fifield]
  • [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by Dhiru Kholia. [David Fifield]
  • [NSE] Added structured output to http-git.nse. [Alex Weber]
  • [NSE] Added murmur-version by Marin Maržić. This gets the server version and other information for Murmur, the server for the Mumble VoIP system.
  • Added a corresponding UDP payload for Murmur. [Marin Maržić]
  • [Zenmap] Fixed a crash that could be caused by opening the About dialog, using the window manager to close it, and opening it again. This was reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]
  • [Ncat] Made test-addrset.sh exit with nonzero status if any tests fail. This in turn causes "make check" to fail if any tests fail. [Andreas Stieger]
  • Fixed compilation with --without-liblua. The bug was reported by Rick Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]
  • Fixed CRC32c calculation (as used in SCTP scans) on 64-bit platforms. [Pontus Andersson]
  • [NSE] Added multicast group name output to broadcast-igmp-discovery.nse. [Vasily Kulikov]
  • [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3, SquirrelMail, RoundCube. [Jesper Kückelhahn]

New in Nmap 6.25 (Dec 4, 2012)

  • [NSE] Added CPE to smb-os-discovery output.
  • [Ncat] Fixed the printing of warning messages for large arguments to the -i and -w options.
  • [Ncat] Shut down the write part of connected sockets in listen mode when stdin hits EOF, just as was already done in connect mode.
  • [Zenmap] Removed a crashing error that could happen when canceling a "Print to File" on Windows:
      Traceback (most recent call last):
        File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
        File "zenmapGUI\Print.pyo", line 156, in run_print_operation
      GError: Error from StartDoc
  • Added some new checks for failed library calls.

New in Nmap 6.01 (Jun 18, 2012)

  • [NSE] Added http-rfi-spider script that spiders webservers in search of remote file inclusion vulnerabilities. [Piotr Olma]
  • [NSE] Added mysql-vuln-cve2012-2122 script which exploits an authentication bypass vulnerability in MySQL/MariaDB to dump usernames and password hashes (CVE-2012-2122). [Paulino Calderon]
  • [NSE] Added http-frontpage-login script which tries to detect an anonymous login vulnerability in Frontpage Extensions. [Aleksandar Nikolic]
  • [NSE] Added dns-nsec3-enum script which abuses NSEC3 to enumerate all domains on a DNS server. [Aleksandar Nikolic]
  • [NSE] Added the script http-waf-fingerprint which tries to detect the presence of a web application firewall and its type and version. [Hani Benhabiles]
  • [NSE] More Windows 7 and Windows 2008 fixes for the smb library and smb-ls scripts. [Patrik Karlsson]
  • [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008 to the smb library. [Patrik Karlsson]
  • [NSE] Changed http-brute so that it works against the root path ("/") by default rather than always requiring the http-brute.path script argument. [Fyodor]
  • [NSE] Applied patch from Daniel Miller that fixes bugs in several scripts and libraries: http://seclists.org/nmap-dev/2012/q2/593 [Daniel Miller]
  • [NSE] Added the script smb-ls that lists files on SMB shares and produces output similar to the dir command on Windows. [Patrik Karlsson]
  • [Zenmap] Added Italian translation by Francesco Tombolini.
  • [NSE] Added the script eppc-enum-processes that enumerates active applications, their PID and the UID under which they run through the Apple Remote Event protocol. [Patrik Karlsson]
  • [NSE] Added the Internet Storage Name Service (iSNS) library and the isns-info script that lists information about portals and iSCSI devices. [Patrik Karlsson]
  • [NSE] Added rmi-vuln-classloader which scans for machines vulnerable to remote class loading. [Aleksandar Nikolic]
  • [NSE] Rewrote mysql-brute to use the brute library. [Aleksandar Nikolic]
  • [Zenmap] Added Japanese translation by Yuji Tounai.
  • [NSE] Added the script icap-info, which tries to identify common ICAP service names and list service and tag information. [Patrik Karlsson]

New in Nmap 6.00 (May 22, 2012)

  • [NSE] Added the script http-traceroute, which exploits the Max-Forwards HTTP header to detect reverse proxies.
  • Added the script distcc-CVE-2004-2687 that checks and exploits a remote command execution vulnerability in distcc.
  • Added two new scripts mysql-query and mysql-dump-hashes, which add support for performing custom MySQL queries and dump MySQL password hashes.
  • Improved the mysql library to handle multiple columns with the same name, added a formatResultset function to format a query response to a table suitable for script output.
  • The message "nexthost: failed to determine route to ..." is now a warning rather than a fatal error. Addresses that are skipped in this way are recorded in the XML output as elements.
  • [NSE] Added the script http-drupal-modules, which enumerates the installed Drupal modules using drupal-modules.lst.
  • [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI installations with a remote code execution vulnerability.
  • [NSE] Added the script dict-info, which retrieves information from a DICT server, by issuing the SHOW SERVER command.
  • [NSE] Added the script gkrellm-info, which displays information retrieved from the GKRellm monitoring service.
  • [NSE] Added the script ajp-request, which adds support for creating custom Apache JServer Protocol requests.
  • [NSE] Added the script ajp-brute, which enables password brute force auditing against the Apache JServ Protocol service.
  • [NSE] Added the script broadcast-tellstick-discover, which discovers Telldus Technologies TellStickNet devices on the LAN.
  • [NSE] Added the Apache JServer Protocol (AJP) library and the scripts ajp-methods, ajp-headers and ajp-auth.
  • In XML output, elements are now child elements of the they belong to. Old output was thus:
      ......
    New output is:
      ......
    The option --deprecated-xml-osclass restores the old output, in case you use an Nmap XML parser that doesn't understand the new structure. The xmloutputversion has been increased to 1.04.
  • Added a new element to XML output that indicates when a target specification was ignored, perhaps because of a syntax error or DNS failure. It looks like this: [David Fifield]
  • Nmap's development pace has increased because Google (again) sponsored 5 full-time college and graduate student programmer interns this summer as part of their Summer of Code program!
  • [NSE] Added the script mmouse-exec that connects to a Mobile Mouse server, starts an application, and sends a sequence of keystrokes to it.
  • [NSE] Added the script mmouse-brute that performs brute force password auditing against the Mobile Mouse service.
  • [NSE] Added the script cups-queue-info that lists the contents of a remote CUPS printer queue.
  • [NSE] Added the script ip-forwarding that detects devices that have IP forwarding enabled (acting as routers).
  • [NSE] Added the script samba-vuln-cve-2012-1182 which detects the SAMBA CVE 2012-1182 vulnerability.
  • [NSE] Added the script dns-check-zone that checks DNS configuration against best practices including RFC 1912.
  • [NSE] Added the http-gitweb-projects-enum that queries a gitweb for a list of Git projects, their authors and descriptions.
  • [NSE] targets-sniffer now is capable of sniffing IPv6 addresses.
  • [NSE] Added the script traceroute-geolocation that queries the geographic location of each traceroute hop and allows exporting the results to KML, so the hops can be plotted on a map.
  • [NSE] Added the ipp library and the script cups-info that lists available printers by querying the cups network daemon.
  • [NSE] Added the mobilme library and the scripts http-icloud-findmyiphone and http-icloud-sendmsg, which find the location of iOS devices and provide functionality to send them messages.
  • [NSE] Added gps library and the gpsd-info script that collects GPS data from the gpsd daemon.
  • [NSE] Ported the pop3-brute script to use the brute library.
  • Fixed a compilation problem on Solaris 9 caused by a missing definition of IPV6_V6ONLY.
  • Upgraded included libpcap to version 1.2.1.
  • [NSE] Added hostmap-robtex.nse by Arturo Busleiman, which finds other domain names sharing the IP address of the target.
  • [NSE] Renamed hostmap.nse to hostmap-bfk.nse.
  • [NSE] Added http-robtex-shared-ns by Arturo Busleiman, finding domain names that share the same name server as the target.
  • [NSE] Added the script http-vlcstreamer-ls which queries the VLC Streamer helper service for a list of files in a given directory.
  • [NSE] Added the script targets-ipv6-mld that sends a malformed ICMP6 MLD Query to discover IPv6 enabled hosts on the LAN.
  • [NSE] Added script http-virustotal that allows checking files, or hashes of previously scanned files, against the major antivirus engines.
  • Setting --min-parallelism by itself no longer forces the maximum parallelism to the same value.
  • [NSE] Added an error message indicating script failure when Nmap is being run in non-verbose/debug mode.
  • Service-scan information is now included in XML and grepable output even if -sV wasn't used. This information can be set by scripts in the absence of -sV.
  • [NSE] Added the script dns-ip6-arpa-scan which uses a very efficient technique to scan the ip6.arpa zone for PTR records.
  • Changed XML output to show the "service" element whenever a tunnel is discovered for a port, even if the service behind it was unknown.
  • [Zenmap] Fixed a crash that would happen in the profile editor when the script.db file doesn't exist.
  • [Zenmap] It is now possible to compare scans having the same name or command line.
  • [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests for two Remote Desktop vulnerabilities, including one allowing remote code execution, that were fixed in the MS12-020 advisory.
  • Fixed an error that could occur with ICMPv6 probes and -d4 debugging: "Unexpected probespec2ascii type encountered"
  • Fixed the routing table loop on OS X so that on-link routes appear. Previously, they were ignored so that things like ARP scan didn't work.
  • [NSE] Added new script http-chrono, which measures min, max and average response times of web servers.
  • Applied a workaround to make pcap captures work better on Solaris 10. This involves peeking at the pcap buffer to ensure that captures are not being lost. A symptom of behavior before this fix was that, when doing ARP host discovery against two targets, only one would be reported up.
  • Added ciphers from RFC 5932 and Fortezza-based ciphers to ssl-enum-ciphers.nse.
  • [NSE] Added new script http-drupal-users-enum, which enumerates all available Drupal user accounts by exploiting a vulnerability in the Views module.
  • [NSE] Added new script broadcast-ataoe-discover, which discovers ATA over Ethernet capable devices through LAN ethernet broadcasts.
  • Fixed a bug that could cause Nsock timers to fire too early. This could happen for the timed probes in IPv6 OS detection, causing an incorrect measurement of the TCP_ISR feature.
  • [NSE] Added a stun library and the scripts stun-version and stun-info, which extract version information and the external NAT:ed address.
  • [NSE] Added the script duplicates which attempts to determine duplicate hosts by analyzing information collected by other scripts.
  • Changed the way timeout calculations are made in the IPv6 OS engine. In rare cases a certain interleaving of probes and responses would result in an assertion failure.

New in Nmap 5.61 Test 4 (Jan 4, 2012)

  • [NSE] Added a new httpspider library which is used for recursively crawling web sites for information. New scripts using this functionality include http-backup-finder, http-email-harvest, http-grep, http-open-redirect, and http-unsafe-output-escaping.
  • We set up a new SVN server for the Nmap codebase. This one uses SSL for better security, WebDAV rather than svnserve for greater functionality, is hosted on a faster (virtual) machine, provides Nmap code history back to 1998 rather than 2005, and removes the need for the special "guest" username. The new server is at https://svn.nmap.org.
  • [NSE] Added a vulnerability management library (vulns.lua) to store and to report discovered vulnerabilities. Modified these scripts to use the new library: ftp-libopie.nse, http-vuln-cve2011-3192.nse, ftp-vuln-cve2010-4221.nse, ftp-vsftpd-backdoor.nse, smtp-vuln-cve2011-1720.nse, smtp-vuln-cve2011-1764.nse, afp-path-vuln.nse. [Djalal, Henri]
  • [NSE] Added a new script force feature. You can force scripts to run against target ports (even if the "wrong" service is detected) by placing a plus in front of the script name passed to --script.
  • [NSE] Added 51(!) NSE scripts, bringing the total up to 297.
  • Nmap now includes a nmap-update program for obtaining the latest updates (new scripts, OS fingerprints, etc.) The system is currently only available to a few developers for testing, but we hope to enable a larger set of beta testers soon.
  • On Windows, the directory \AppData\Roaming\nmap is now searched for data files. This is the equivalent of $HOME/.nmap on POSIX.
  • Improved OS detection performance by scaling congestion control increments by the response rate during OS scan, just as was done for port scan before.
  • [NSE] The targets-ipv6-multicast-*.nse scripts now scan all interfaces by default. They show the MAC address and interface name now too.
  • Added some new version detection probes: MongoDB service [Martin Holst Swende], Metasploit XMLRPC service [Vlatko Kosturjak], Vuze filesharing system [Patrik], Redis key-value store [Patrik], memcached [Patrik], Sybase SQL Anywhere [Patrik], VMware ESX Server [Aleksey Tyurin], TCP Kerberos [Patrik], PC-Duo [Patrik], PC Anywhere [Patrik]
  • Targets requiring different source addresses now go into different hostgroups, not only for host discovery but also for port scanning. Before, only responses to one of the source addresses would be processed, and the others would be ignored.
  • Tidied up the version detection DB (nmap-service-probes) with a new cleanup/canonicalization program sv-tidy.
  • The --exclude and --excludefile options for excluding targets can now be used together.
  • [NSE] Added support for detecting whether an HTTP connection was established using SSL or not to the http.lua library.
  • [NSE] Added local port to BPF filter in snmp-brute to fix bug that would prevent multiple scripts from receiving the correct responses. The bug was discovered by Brendan Bird.
  • [NSE] Changed the dhcp-discover script to use the DHCPINFORM request to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code from dhcp-discover and placed the script into the discovery and safe categories. Added support for adding options to DHCP requests and cleaned up some code in the dhcp library.
  • [NSE] Applied patch to snmp-brute that solves problems with handling errors that occur during community list file parsing.
  • [NSE] Added new fingerprints to http-enum for: Subversion, CVS and Apache Archiva [Duarte Silva]; the DVCS systems Git, Mercurial and Bazaar.
  • [NSE] Applied some code cleanup to the snmp library.
  • [NSE] Fixed an undeclared variable bug in snmp-ios-config.
  • [NSE] Added additional version information to the MongoDB scripts.
  • [NSE] Added a path argument to the http-auth script and updated the script to use stdnse.format_output.
  • [NSE] Fixed a bug in the http library that would fail to parse authentication headers if no parameters were present.
  • Made a syntax change in the zenmap.desktop file for compliance with the XDG standard.
  • [NSE] Replaced a number of GET requests with HEAD in http-fingerprints.lua. HEAD is quicker and sufficient when no matching is performed on the returned contents.
  • [NSE] Added support for retrieving SSL certificates from FTP servers.
  • [Nping] The --safe-payloads option is now the default. Added --include-payloads for the special situations where payloads are needed.
  • [NSE] Added new functionality and fixed some bugs in the brute library:
  • Added support for restricting the number of guesses performed by the brute library against users, to prevent account lockouts.
  • Added support to guess the username as password. The documentation previously suggested (wrongly) that this was the default behavior.
  • Added support to guess an empty string as password if not present in the dictionary.
  • [NSE] Re-enabled support for guessing the username in addition to password that was incorrectly removed from the metasploit-xmlrpc-brute in previous commit.
  • [NSE] Fixed a bug that would prevent brute scripts from running if no service field was present in the port table.
  • [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it finds packets not only from or to the scanning host.
  • The Zenmap topology display feature is now disabled when there are more than 1,000 target hosts. Those topology maps slow down the interface and are generally too crowded to be of much use.
  • [NSE] Modified the http library to support servers that don't return valid chunked encoded data, such as the Citrix XML service.
  • [NSE] Fixed a bug where the brute library would not abort even after all retries were exhausted.
  • Fixed a bug in the IPv6 OS probe called NI. The Node Information Query didn't include the target address as the payload, so at least OS X didn't respond. This differed from the probe sent by the ipv6fp.py program from which some of our fingerprints were derived.
  • [NSE] Fixed an error in the mssql library that was causing the broadcast-ms-sql-discover script to fail when trying to update port version information.
  • [NSE] Added the missing broadcast category to the broadcast-listener script.
  • [NSE] Made changes to the categories of the following scripts (new categories shown):
  • http-userdir-enum.nse (auth,intrusive)
  • mysql-users.nse (auth,intrusive)
  • http-wordpress-enum.nse (auth,intrusive,vuln)
  • krb5-enum-users.nse (auth,intrusive)
  • snmp-win32-users.nse (default,auth,safe)
  • smtp-enum-users.nse (auth,external,intrusive)
  • ncp-enum-users.nse (auth,safe)
  • smb-enum-users.nse (auth,intrusive)
  • Made nbase compile with the clang compiler that is a part of Xcode 4.2.
  • [NSE] Fixed a nil table index bug discovered in the mongodb library.
  • [NSE] Added XMPP support to ssl-cert.nse.
  • [NSE] Made http-wordpress-enum.nse able to get names of users who have no posts.
  • Increased hop distance estimates from OS detection by one. The distance now counts the number of hops including the final one to the target, not just the number of intermediate nodes. The IPv6 distance calculation already worked this way.

New in Nmap 5.61 Test 2 (Dec 6, 2011)

  • Added IPv6 OS detection system! The new system utilizes many tests similar to IPv4, and also some IPv6-specific ones that we found to be particularly effective. And it uses a machine learning approach rather than the static classifier we use for IPv4. We hope to move some of the IPv6 innovations back to our IPv4 system if they work out well. The database is still very small, so please submit any fingerprints that Nmap gives you to the specified URL (as long as you are certain that you know what the target system is running). Usage and results output are basically the same as with IPv4, but we will soon document the internal mechanisms at http://nmap.org/book/osdetect.html, just as we have for IPv4. For an example, try "nmap -6 -O scanme.nmap.org". [David, Luis]
  • [NSE] Added 3 scripts, bringing the total to 246! You can learn more about them at http://nmap.org/nsedoc/. Here they are (authors listed in brackets):
    • lltd-discovery uses the Microsoft LLTD protocol to discover hosts on a local network. [Gorjan Petrovski]
    • ssl-google-cert-catalog queries Google's Certificate Catalog for the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]
    • quake3-info extracts information from a Quake3-like game server. [Toni Ruottu]
  • Improved AIX support for raw scans. This includes some patches originally written by Peter O'Gorman and Florian Schmid. It also involved various build fixes found necessary on AIX 6.1 and 7.1. See http://nmap.org/book/inst-other-platforms.html. [David]
  • Fixed Nmap so that it again compiles and runs on Solaris 10, including IPv6 support. [David]
  • [NSE] Moved our brute force authentication cracking scripts (*-brute) from the "auth" category into a new "brute" category. Nmap's brute force capabilities have grown tremendously. You can see all 32 of them at http://nmap.org/nsedoc/categories/brute.html. It isn't clear whether dns-brute should be in the brute category, so for now it isn't. [Fyodor]
  • Made the interface gathering loop work on Linux when an interface index is more than two digits in /proc/sys/if_inet6. Joe McEachern tracked down the problem and provided the fix.
  • [NSE] Fixed a bug in dns.lua: ensure that dns.query() always returns two values (status, response) and replaced the workaround in asn-query.nse by the proper use. [Henri]
  • [NSE] Made irc-info.nse handle the case where the MOTD is missing. Patch by Sebastian Dragomir.
  • Updated nmap-mac-prefixes to include the latest IEEE assignments as of 2011-09-29.

New in Nmap 5.61 Test 1 (Dec 6, 2011)

  • o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
  • output for OS and service versions. This is a standard way to
  • identify operating systems and applications so that Nmap can
  • better interoperate with other software. Nmap's own (generally more
  • comprehensive) taxonomy/classification system is still supported as
  • well. Some OS and version detection results don't have CPE entries
  • yet. CPE entries show up in normal output with the headings "OS
  • CPE:" and "Service Info:"
  • OS CPE: cpe:/o:linux:kernel:2.6.39
  • Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
  • These also appear in XML output, which additionally has CPE entries
  • for service versions. [David, Henri]
  • o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
  • ARP scan. It is the default ping type for local IPv6 networks
  • Weilin]
  • o Integrated your latest (IPv4) OS detection submissions and
  • corrections until June 22. New fingerprints include Linux 3, FreeBSD
  • 9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
  • 3,308 fingerprints. See
  • http://seclists.org/nmap-dev/2011/q3/556. Please keep those
  • fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
  • well as service fingerprints, plus corrections of all types if Nmap
  • guess wrong
  • o [NSE] Added 27 scripts, bringing the total to 243! You can learn
  • more about any of them at http://nmap.org/nsedoc/. Here are the new
  • ones (authors listed in brackets)
  • address-info shows extra information about IPv6 addresses, such as
  • embedded MAC or IPv4 addresses when available. [David Fifield]
  • bittorrent-discovery discovers bittorrent peers sharing a file
  • based on a user-supplied torrent file or magnet link. [Gorjan
  • Petrovski]
  • broadcast-db2-discover attempts to discover DB2 servers on the
  • network by sending a broadcast request to port 523/udp. [Patrik
  • Karlsson]
  • broadcast-dhcp-discover sends a DHCP request to the broadcast
  • address (255.255.255.255) and reports the results. [Patrik
  • Karlsson]
  • broadcast-listener sniffs the network for incoming broadcast
  • communication and attempts to decode the received packets. It
  • supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and
  • a few more. [Patrik Karlsson]
  • broadcast-ping sends broadcast pings on a selected interface using
  • raw ethernet packets and outputs the responding hosts' IP and MAC
  • addresses or (if requested) adds them as targets. [Gorjan
  • Petrovski]
  • cvs-brute performs brute force password auditing against CVS
  • pserver authentication. [Patrik Karlsson]
  • cvs-brute-repository attempts to guess the name of the CVS
  • repositories hosted on the remote server. With knowledge of the
  • correct repository name, usernames and passwords can be
  • guessed. [Patrik Karlsson]
  • ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4
  • backdoor reported on 2011-07-04 (CVE-2011-2523). This script
  • attempts to exploit the backdoor using the innocuous 'id' command
  • by default, but that can be changed with the 'exploit.cmd' or
  • ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]
  • ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in
  • the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal
  • Harouni]
  • http-awstatstotals-exec exploits a remote code execution
  • vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other
  • products based on it (CVE: 2008-3922). [Paulino Calderon]
  • http-axis2-dir-traversal Exploits a directory traversal
  • vulnerability in Apache Axis2 version 1.4.1 by sending a specially
  • crafted request to the parameter 'xsd' (OSVDB-59001). By default
  • it will try to retrieve the configuration file of the Axis2
  • service '/conf/axis2.xml' using the path '/axis2/services/' to
  • return the username and password of the admin account. [Paulino
  • Calderon]
  • http-default-accounts tests for access with default credentials
  • used by a variety of web applications and devices. [Paulino
  • Calderon]
  • http-google-malware checks if hosts are on Google's blacklist of
  • suspected malware and phishing servers. These lists are constantly
  • updated and are part of Google's Safe Browsing service. [Paulino
  • Calderon]
  • http-joomla-brute performs brute force password auditing against
  • Joomla web CMS installations. [Paulino Calderon]
  • http-litespeed-sourcecode-download exploits a null-byte poisoning
  • vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to
  • retrieve the target script's source code by sending a HTTP request
  • with a null byte followed by a .txt file extension
  • CVE-2010-2333). [Paulino Calderon]
  • http-vuln-cve2011-3192 detects a denial of service vulnerability
  • in the way the Apache web server handles requests for multiple
  • overlapping/simple ranges of a page. [Duarte Silva]
  • http-waf-detect attempts to determine whether a web server is
  • protected by an IPS (Intrusion Prevention System), IDS (Intrusion
  • Detection System) or WAF (Web Application Firewall) by probing the
  • web server with malicious payloads and detecting changes in the
  • response code and body. [Paulino Calderon]
  • http-wordpress-brute performs brute force password auditing
  • against Wordpress CMS/blog installations. [Paulino Calderon]
  • http-wordpress-enum enumerates usernames in Wordpress blog/CMS
  • installations by exploiting an information disclosure
  • vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and
  • 3.2-beta2 and possibly others. [Paulino Calderon]
  • imap-brute performs brute force password auditing against IMAP
  • servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
  • authentication. [Patrik Karlsson]
  • smtp-brute performs brute force password auditing against SMTP
  • servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
  • authentication. [Patrik Karlsson]
  • smtp-vuln-cve2011-1764 checks for a format string vulnerability in
  • the Exim SMTP server (version 4.70 through 4.75) with DomainKeys
  • Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]
  • targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to
  • the all-nodes link-local multicast address (ff02::1) to discover
  • responsive hosts on a LAN without needing to individually ping
  • each IPv6 address. [David Fifield, Xu Weilin]
  • targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an
  • invalid extension header to the all-nodes link-local multicast
  • address (ff02::1) to discover (some) available hosts on the
  • LAN. This works because some hosts will respond to this probe with
  • an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]
  • targets-ipv6-multicast-slaac performs IPv6 host discovery by
  • triggering stateless address auto-configuration (SLAAC). [David
  • Fifield, Xu Weilin]
  • xmpp-brute Performs brute force password auditing against XMPP
  • Jabber) instant messaging servers. [Patrik Karlsson]
  • o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and
  • Babak Farroki for researching fixes
  • o [NSE] The script arguments which start with a script name
  • e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
    unqualified arguments as well (hostname, maxfiles). This lets you use the generic version ("hostname") when you want to affect multiple scripts, while using the qualified version to target individual scripts. If both are specified, the qualified version takes precedence for that particular script. This works for library script arguments too (e.g. you can specify 'timelimit' rather than unpwdb.timelimit). [Paulino]
  • [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to remove the epic fail known as DigiNotar.
  • Nmap now defers options parsing until it has read through all the command line arguments. This removes the few remaining cases where option order mattered (for example, IPv6 users previously had to specify -6 before -S). [Shinnok]
  • [NSE] Added a new default credential list for Oracle databases and modified the oracle-brute script to make use of it. [Patrik]
  • [NSE] Our Packet library (packet.lua) now handles IPv6. This is used by the new multicast IPv6 host discovery scripts (targets-ipv6-*). [Weilin]
  • [NSE] Replaced xmpp.nse with an overhauled version named xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]
  • [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and removed redundant multiple listings of the NULL compressor. [Matt Selsky]
  • [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse. [Gabriel Lawrence]
  • [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from displaying any output unless run in debug mode. [Patrik]
  • [NSE] Added 4 more protocol libraries. You can learn more about any of them at http://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
  • bittorrent supports the BitTorrent file sharing protocol. [Gorjan Petrovski]
  • cvs includes support for the Concurrent Versions System (CVS). [Patrik Karlsson]
  • sasl provides common code for "Simple Authentication and Security Layer" to services supporting it. The algorithms supported by the library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal Harouni, Patrik Karlsson]
  • xmpp handles XMPP (Jabber) IM servers. [Patrik Karlsson]
  • [NSE] Removed the mac-geolocation script, which relied on a Google database to determine strikingly accurate GPS coordinates for anyone's wireless access points (based on their MAC address). It was very powerful. Perhaps Google decided it was too powerful, as they discontinued the service before our script was even 2 months old.
  • [Ncat] Added an --append-output option which, when used along with -o and/or -x, prevents clobbering (truncating) an existing file. [Shinnok]
  • Fixed RPC scan (part of -sV) to work on the 64-bit machines where "unsigned long" is 8 bytes rather than 4. We now use the more portable u32 in the code. [David]
  • [NSE] Moved some scripts into the default category: giop-info, vnc-info, ncp-serverinfo, smb-security-mode, and afp-serverinfo. [Djalal]
  • Relaxed the XML DTD to allow validation of files where the verbosity level changed during the scan. Also made a service confidence of 8 (used when tcpwrapped) or any other number between 0 and 10 legal. [Daniel Miller]
  • [NSE] Fixed authentication problems in the TNS library that would prevent authentication from working against Oracle 11.2.0.2.0 XE. [Chris Woodbury]
  • [NSE] Added basic query support to the Oracle TNS library so that scripts can now make SQL queries against database servers. Also improved support for 64-bit database servers and improved the documentation. [Patrik]
  • Removed some restrictions on probe matching that, for example, prevented a RST/ACK reply from being recognized in a NULL scan. This was found and fixed by Matthew Stickney and Joe McEachern.
  • Rearranged some character classes in service matches to avoid any that look like POSIX collating symbols ("[.xyz.]"). John Hutchison discovered this error caused by one of the match lines: "InitMatch: illegal regexp: POSIX collating elements are not supported". [Daniel Miller]
  • [NSE] Added more than 100 new signatures to http-enum (many for known vulnerabilities). They are in the categories: general, attacks, cms, security, management and database. [Paulino]
  • [NSE] Updated account status text in brute force password discovery scripts in an effort to make the reporting more consistent across all scripts. This will have an impact on any code that parses these values. [Tom Sellers]
  • Nmap now includes the Liblinear library for large linear classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We are using it for the upcoming IPv6 OS detection system, and (if that works out well) may eventually use it for IPv4 too. It uses a three-clause BSD license.
  • [NSE] Better error messages (including a traceback) are now provided when script loading fails. [Patrick]
  • [Zenmap] Prevent Zenmap from deleting ports when merging scan results based on newer scans which did not actually scan the ports in question. Additionally, Zenmap now only updates ports with new information if the new information uses the same protocol--not just the same port number. [Colin Rice]
  • [Ncat] Fixed a crash which would occur when --ssl-verify is combined with -vvv on Windows. [Colin Rice]
  • [Nping] Added new --safe-payloads option for echo mode which causes returned packet payloads to be zeroed to reduce privacy risks if an Nping echo server was to accidentally (or through malicious intent) return a packet which wasn't sent by the Nping echo client. We hope to soon make this behavior the default. [Luis]
  • Fixed a bug that would make Nmap segfault if it failed to open an interface using pcap. The bug details and patch are posted at http://seclists.org/nmap-dev/2011/q3/365. [Patrik]
  • Ncat SCTP mode now supports connection brokering (--sctp --broker). [Shinnok]
  • Consolidated a bunch of duplicate code between Ncat's listen (ncat_listen.c) and broker (ncat_broker.c) modes to ease maintenance. [Shinnok]
  • Added a 'nostore' nse argument to the brute force library which prevents the brute force authentication cracking scripts from storing found credentials in the creds library (they will still be printed in script output).
  • [NSE] Fixed the nsedebug print_hex() function so it does not print an empty line if there are no remaining characters, and improved its NSEDoc. [Chris Woodbury]
  • [Ncat] Ncat no longer blocks while an ssl handshake is taking place or waiting to complete. This could make listening Ncat instances unavailable to other clients because one client was taking too long to complete the SSL handshake. Our public Ncat chat server is now much more reliable (connect with: ncat --ssl -v chat.nmap.org). [Shinnok]
  • [NSE] Updated SMTP and IMAP libraries to support authentication using both plain-text and the SASL library. [Patrik]
  • [Zenmap] The Zenmap crash handler now instructs users to mail in crash information to nmap-dev rather than offering to create a Sourceforge bug tracker entry. [Colin Rice]
  • [NSE] Applied patch from Chris Woodbury that adds the following additional information to the output of smb-os-discovery: NetBIOS computer name, NetBIOS domain name, FQDN, and forest name.
  • [NSE] Updated smb-brute to add detection for valid credentials where the target account was expired or limited by time or login host constraints. [Tom Sellers]
  • [Ncat] Ncat now supports IPv6 addresses by default without the -6 flag. Additionally, ncat listens on both ::1 and localhost when passed -l, or any other listening mode, unless a specific listening address is supplied. [Colin Rice]
  • Fixed broken XML output in the case of timed-out hosts; the enclosing host element was missing. The fix was suggested by Rémi Mollon.
  • [NSE] Multiple ldap-brute changes by Tom Sellers:
  • Added support for 2008 R2 functional level Active Directory instances.
  • Added detection for valid credentials where the target account was expired or limited by time or login host constraints.
  • Added support for specifying a UPN suffix to be appended to usernames when brute forcing Microsoft Active Directory accounts.
  • Added support for saving discovered credentials to a CSV file.
  • Now reports valid credentials as they are discovered when the script is run with -vv or higher.
  • [NSE] ldap-search.nse - Added support for saving search results to CSV. This is done by using the ldap.savesearch script argument to specify an output filename prefix. [Tom Sellers]
  • Handle an unconventional IPv6 internal link-local address convention used by Mac OS X. See http://seclists.org/nmap-dev/2011/q3/906. [David]
  • [NSE] Optimized stdnse.format_output (changing the data structures) to improve performance for scripts which produce a lot of output. See http://seclists.org/nmap-dev/2011/q3/623. [Djalal]
  • [NSE] Fix nping-brute so that it again works on IPv6. [Toni Ruottu]
  • [NSE] Added the make_array and make_object functions to our json library, allowing Lua tables to be treated as JSON arrays or objects. See http://seclists.org/nmap-dev/2011/q3/15. [Daniel Miller]
  • [NSE] The ip-geolocation-ipinfodb script now allows you to specify an IPInfoDB API key using the apikey NSE argument. [Gorjan]
  • [NSE] Renamed http-wp-plugins to http-wordpress-plugins script for consistency with http-wordpress-brute and now http-wordpress-enum. [Fyodor]

New in Nmap 5.59 Beta 1 (Jul 9, 2011)

  • [NSE] Added 40 scripts, bringing the total to 217! Here are the new ones (authors listed in brackets):
  • afp-ls: Lists files and their attributes from Apple Filing Protocol (AFP) volumes. [Patrik Karlsson]
  • backorifice-brute: Performs brute force password auditing against the BackOrifice remote administration (trojan) service. [Gorjan Petrovski]
  • backorifice-info: Connects to a BackOrifice service and gathers information about the host and the BackOrifice service itself. [Gorjan Petrovski]
  • broadcast-avahi-dos: Attempts to discover hosts in the local network using the DNS Service Discovery protocol, then tests whether each host is vulnerable to the Avahi NULL UDP packet denial of service bug (CVE-2011-1002). [Djalal Harouni]
  • broadcast-netbios-master-browser: Attempts to discover master browsers and the Windows domains they manage. [Patrik Karlsson]
  • broadcast-novell-locate: Attempts to use the Service Location Protocol to discover Novell NetWare Core Protocol (NCP) servers. [Patrik Karlsson]
  • creds-summary: Lists all discovered credentials (e.g. from brute force and default password checking scripts) at end of scan. [Patrik Karlsson]
  • dns-brute: Attempts to enumerate DNS hostnames by brute force guessing of common subdomains. [Cirrus]
  • dns-nsec-enum: Attempts to discover target hosts' services using the DNS Service Discovery protocol. [Patrik Karlsson]
  • dpap-brute: Performs brute force password auditing against an iPhoto Library. [Patrik Karlsson]
  • epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and retrieves a list of nodes with their respective port numbers. [Toni Ruottu]
  • http-affiliate-id: Grabs affiliate network IDs (e.g. Google AdSense or Analytics, Amazon Associates, etc.) from a web page. These can be used to identify pages with the same owner. [Hani Benhabiles, Daniel Miller]
  • http-barracuda-dir-traversal: Attempts to retrieve the configuration settings from a Barracuda Networks Spam & Virus Firewall device using the directory traversal vulnerability. [Brendan Coles]
  • http-cakephp-version: Obtains the CakePHP version of a web application built with the CakePHP framework by fingerprinting default files shipped with the CakePHP framework. [Paulino Calderon]
  • http-majordomo2-dir-traversal: Exploits a directory traversal vulnerability existing in the Majordomo2 mailing list manager to retrieve remote files. (CVE-2011-0049). [Paulino Calderon]
  • http-wp-plugins: Tries to obtain a list of installed WordPress plugins by brute force testing for known plugins. [Ange Gutek]
  • ip-geolocation-geobytes: Tries to identify the physical location of an IP address using the Geobytes geolocation web service. [Gorjan Petrovski]
  • ip-geolocation-geoplugin: Tries to identify the physical location of an IP address using the Geoplugin geolocation web service. [Gorjan Petrovski]
  • ip-geolocation-ipinfodb: Tries to identify the physical location of an IP address using the IPInfoDB geolocation web service. [Gorjan Petrovski]
  • ip-geolocation-maxmind: Tries to identify the physical location of an IP address using a Geolocation Maxmind database file. [Gorjan Petrovski]
  • ldap-novell-getpass: Attempts to retrieve the Novell Universal Password for a user. You must already have (and include in script arguments) the username and password for an eDirectory server administrative account. [Patrik Karlsson]
  • mac-geolocation: Looks up geolocation information for BSSID (MAC) addresses of WiFi access points in the Google geolocation database. [Gorjan Petrovski]
  • mysql-audit: Audit MySQL database server security configuration against parts of the CIS MySQL v1.0.2 benchmark (the engine can also be used for other MySQL audits by creating appropriate audit files). [Patrik Karlsson]
  • ncp-enum-users: Retrieves a list of all eDirectory users from the Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
  • ncp-serverinfo: Retrieves eDirectory server information (OS version, server name, mounts, etc.) from the Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
  • nping-brute: Performs brute force password auditing against an Nping Echo service. [Toni Ruottu]
  • omp2-brute: Performs brute force password auditing against the OpenVAS manager using OMPv2. [Henri Doreau]
  • omp2-enum-targets: Attempts to retrieve the list of target systems and networks from an OpenVAS Manager server. [Henri Doreau]
  • ovs-agent-version: Detects the version of an Oracle OVSAgentServer by fingerprinting responses to an HTTP GET request and an XML-RPC method call. [David Fifield]
  • quake3-master-getservers: Queries Quake3-style master servers for game servers (many games other than Quake 3 use this same protocol). [Toni Ruottu]
  • servicetags: Attempts to extract system information (OS, hardware, etc.) from the Sun Service Tags service agent (UDP port 6481). [Matthew Flanagan]
  • sip-brute: Performs brute force password auditing against Session Initiation Protocol accounts. This protocol is most commonly associated with VoIP sessions. [Patrik Karlsson]
  • sip-enum-users: Attempts to enumerate valid SIP user accounts. Currently only the SIP server Asterisk is supported. [Patrik Karlsson]
  • smb-mbenum: Queries information managed by the Windows Master Browser. [Patrik Karlsson]
  • smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow within versions of Exim prior to version 4.69 (CVE-2010-4344) and a privilege escalation vulnerability in Exim 4.72 and prior (CVE-2010-4345). [Djalal Harouni]
  • smtp-vuln-cve2011-1720: Checks for a memory corruption in the Postfix SMTP server when it uses Cyrus SASL library authentication mechanisms (CVE-2011-1720). This vulnerability can allow denial of service and possibly remote code execution. [Djalal Harouni]
  • snmp-ios-config: Attempts to download Cisco router IOS configuration files using SNMP RW (v1) and display or save them. [Vikas Singhal, Patrik Karlsson]
  • ssl-known-key: Checks whether the SSL certificate used by a host has a fingerprint that matches an included database of problematic keys. [Mak Kolybabi]
  • targets-sniffer: Sniffs the local network for a configurable amount of time (10 seconds by default) and prints discovered addresses. If the newtargets script argument is set, discovered addresses are added to the scan queue. [Nick Nikolaou]
  • xmpp: Connects to an XMPP server (port 5222) and collects server information such as supported auth mechanisms, compression methods and whether TLS is supported and mandatory. [Vasiliy Kulikov]
  • Nmap has long supported IPv6 for basic (connect) port scans, basic host discovery, version detection, and the Nmap Scripting Engine. This release dramatically expands and improves IPv6 support:
  • IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan, etc.) are now supported. [David, Weilin]
  • IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP discovery packets, etc.) is now supported. [David, Weilin]
  • IPv6 traceroute is now supported. [David]
  • IPv6 protocol scan (-sO) is now supported, including creating realistic headers for many protocols. [David]
  • IPv6 support added to the wsdd, dnssd and upnp NSE libraries. [Daniel Miller, Patrik]
  • The --exclude and --excludefile options now support IPv6 addresses with netmasks. [Colin]
  • Scanme.Nmap.Org (the system anyone is allowed to scan for testing purposes) is now dual-stacked (has an IPv6 address as well as IPv4) so you can scan it during IPv6 testing. We also added a DNS record for ScanmeV6.nmap.org which is IPv6-only. [Fyodor]
  • The Nmap.Org website as well as sister sites Insecure.Org, SecLists.Org, and SecTools.Org all have working IPv6 addresses now (dual stacked). [Fyodor]
  • Nmap now determines the filesystem location it is being run from and that path is now included early in the search path for data files (such as nmap-services). This reduces the likelihood of needing to specify --datadir or getting data files from a different version of Nmap installed on the system. Thanks to Solar Designer for implementation advice. [David]
  • Created a page on our SecWiki for collecting Nmap script ideas! If you have a good idea, post it to the incoming section of the page. Or if you're in a script writing mood but don't know what to write, come here for inspiration.
  • The development pace has greatly increased because Google (again) sponsored 7 full-time college and graduate student programmer interns this summer as part of their Summer of Code program! Thanks, Google Open Source Department!
  • [NSE] Added 7 new protocol libraries, bringing the total to 66. Here are the new ones (authors listed in brackets):
  • creds: Handles storage and retrieval of discovered credentials (such as passwords discovered by brute force scripts). [Patrik Karlsson]
  • ncp: A tiny implementation of Novell Netware Core Protocol (NCP). [Patrik Karlsson]
  • omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri Doreau]
  • sip: Supports a limited subset of SIP commands and methods. [Patrik Karlsson]
  • smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal Harouni]
  • srvloc: A relatively small implementation of the Service Location Protocol. [Patrik Karlsson]
  • tftp: Implements a minimal TFTP server. It is used in snmp-ios-config to obtain router config files. [Patrik Karlsson]
  • Improved Nmap's service/version detection database by adding:
  • Apple iPhoto (DPAP) protocol probe [Patrik]
  • Zend Java Bridge probe [Michael Schierl]
  • BackOrifice probe [Gorjan Petrovski]
  • GKrellM probe [Toni Ruottu]
  • Signature improvements for a wide variety of services (we now have 7,375 signatures)
  • [NSE] ssh-hostkey now additionally has a postrule that prints hosts found during the scan which share the same hostkey. [Henri Doreau]
  • [NSE] Added 300+ new signatures to http-enum which look for admin directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress, and more. [Paulino]
  • Made the final IP address space assignment update as all available IPv4 address blocks have now been allocated to the regional registries. Our random IP generation (-iR) logic now only excludes the various reserved blocks. Thanks to Kris for years of regular updates to this function!
  • [NSE] Replaced http-trace with a new more effective version. [Paulino]
  • Performed some output cleanup work to remove unimportant status lines so that it is easier to find the good stuff! [David]
  • [Zenmap] now properly kills Nmap scan subprocess when you cancel a scan or quit Zenmap on Windows. [Shinnok]
  • [NSE] Banned scripts from being in both the "default" and "intrusive" categories. We did this by removing dhcp-discover and dns-zone-transfer from the set of scripts run by default (leaving them "intrusive"), and reclassifying dns-recursion, ftp-bounce, http-open-proxy, and socks-open-proxy as "safe" rather than "intrusive" (keeping them in the "default" set).
  • [NSE] Added a credential storage library (creds.lua) and modified the brute library and scripts to make use of it. [Patrik]
  • [Ncat] Created a portable version of ncat.exe that you can just drop onto Microsoft Windows systems without having to run any installer or copy over extra library files. See the Ncat page for binary downloads and a link to build instructions. [Shinnok]
  • Fix a segmentation fault which could occur when running Nmap on various Android-based phones. The problem related to NULL being passed to freeaddrinfo(). [David, Vlatko Kosturjak]
  • [NSE] The host.bin_ip and host.bin_ip_src entries now also work with 16-byte IPv6 addresses. [David]
  • [Ncat] Updated the ca-bundle.crt list of trusted certificate authority certificates. [David]
  • [NSE] Fixed a bug in the SMB Authentication library which could prevent concurrently running scripts with valid credentials from logging in. [Chris Woodbury]
  • [NSE] Re-worked http-form-brute.nse to better autodetect form fields, allow brute force attempts where only the password (no username) is needed, follow HTTP redirects, and better detect incorrect login attempts. [Patrik, Daniel Miller]
  • [Zenmap] Changed the "slow comprehensive scan" profile's NSE script selection from "all" to "default or (discovery and safe)" categories. Except for testing and debugging, "--script all" is rarely desirable.
  • [NSE] Added the stdnse.silent_require method which is used for library requires that you know might fail (e.g. "openssl" fails if Nmap was compiled without that library). If these libraries are called with silent_require and fail to load, the script will cease running but the user won't be presented with ugly failure messages as would happen with a normal require. [Patrick Donnelly]
  • [Zenmap] Fixed a bug in topology mapper which caused endpoints behind firewalls to sometimes show up in the wrong place. [Colin Rice]
  • [Zenmap] If you scan a system twice, any open ports from the first scan which are closed in the 2nd will be properly marked as closed. [Colin Rice]
  • [Zenmap] Fixed an error that could cause a crash ("TypeError: an integer is required") if a sort column in the ports table was unset. [David]
  • [Ndiff] Added nmaprun element information (Nmap version, scan date, etc.) to the diff. Also, the Nmap banner with version number and data is now only printed if there were other differences in the scan. [Daniel Miller, David, Dr. Jesus]
  • [NSE] Added nmap.get_interface and nmap.get_interface_info functions so scripts can access characteristics of the scanning interface. Removed nmap.get_interface_link. [Djalal]
  • Fixed an overflow in scan elapsed time display that caused negative times to be printed after about 25 days. [Daniel Miller]
  • Updated nmap-rpc from the master list, now maintained by IANA. [Daniel Miller, David]
  • [Zenmap] Fixed a bug in the option parser: -sN (null scan) was interpreted as -sn (no port scan). This was reported by Shitaneddine. [David]
  • Removed the -sR (RPC scan) option--it is now an alias for -sV (version scan), which always does RPC scan when an rpcinfo service is detected.
  • [NSE] Improved the ms-sql scripts and library in several ways: [Patrik Karlsson, Chris Woodbury]
  • Improved version detection and server discovery
  • Added support for named pipes, integrated authentication, and connecting to instances by name or port
  • Improved script and library stability and documentation
  • [NSE] Fixed http.validate_options when handling a cookie table. [Sebastian Prengel]
  • Added a Service Tags UDP probe for port 6481/udp. [David]
  • [NSE] Enabled firewalk.nse to automatically find the gateways at which probes are dropped and fixed various bugs. [Henri Doreau]
  • [Zenmap] Worked around a pycairo bug that prevented saving the topology graphic as PNG on Windows: "Error Saving Snapshot: Surface.write_to_png takes one argument which must be a filename (str), file object, or a file-like object which has a 'write' method (like StringIO)". The problem was reported by Alex Kah. [David]
  • The -V and --version options now show the platform Nmap was compiled on, which features are compiled in, the version numbers of libraries it is linked against, and whether the libraries are the ones that come with Nmap or the operating system. [Ambarisha B., David]
  • Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre from netVigilance.
  • The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]
  • [NSE] Added a shortport.ssl function which can be used as a script portrule to match SSL services. It is similar in concept to our existing shortport.http. [David]
  • Set up the RPM build to use the compat-glibc and compat-gcc-34-c++ packages (on CentOS 5.3) to resolve a report of Nmap failing to run on old versions of Glibc. [David]
  • We no longer support Nmap on versions of Windows earlier than XP SP2. Even Microsoft no longer supports Windows versions that old.
  • There were hundreds of other little bug fixes and improvements (especially to NSE scripts). See the SVN logs for revisions 22,274 through 24,460 for details.

New in Nmap 5.51 (Feb 14, 2011)

  • [Ndiff] Added support for prerule and postrule scripts. [David]
  • [NSE] Fixed a bug which caused some NSE scripts to fail due to the absence of the NSE SCRIPT_NAME environment variable when loaded.
  • [Zenmap] Selecting one of the scan targets in the left pane is supposed to jump to that host in the Nmap Output in the right pane (but it wasn't).
  • Fixed an obscure bug in Windows interface matching. If the MAC address of an interface couldn't be retrieved, it might have been used instead of the correct interface. Alexander Khodyrev reported the problem.
  • [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor that used shortport functions incorrectly and always returned true. [Jost Krieger]
  • [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed: status and address.
  • [Ndiff] Fixed the ordering of hostscript-related elements in XML output.
  • [NSE] Fixed a bug in the nrpe-enum script that would make it run for every port (when it was selected--it isn't by default).
  • [NSE] When an NSE script sets a negative socket timeout, it now causes a controlled Lua stack trace instead of a fatal error.
  • [Zenmap] Worked around an error that caused the py2app bootstrap executable to be non-universal even when the rest of the application was universal. This prevented the binary .dmg from working on PowerPC. Yxynaxen reported the problem.
  • [Ndiff] Fixed an output line that wasn't being redirected to a file when all other output was.

New in Nmap 5.50 (Jan 29, 2011)

  • [Zenmap] Added a new script selection interface, allowing you to choose scripts and arguments from a list which includes descriptions of every available script. Just click the "Scripting" tab in the profile editor. [Kirubakaran]
  • [Nping] Added echo mode, a novel technique for discovering how your packets are changed (or dropped) in transit between the host they originated and a target machine. It can detect network address translation, packet filtering, routing anomalies, and more. You can try it out against our public Nping echo server using this command: nping --echo-client "public" echo.nmap.org. Or learn more about echo mode at http://nmap.org/book/nping-man-echo-mode.html. [Luis]
  • [NSE] Added an amazing 46 scripts, bringing the total to 177! You can learn more about any of them at http://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
  • broadcast-dns-service-discovery: Attempts to discover hosts' services using the DNS Service Discovery protocol. It sends a multicast DNS-SD query and collects all the responses. [Patrik Karlsson]
  • broadcast-dropbox-listener: Listens for the LAN sync information broadcasts that the Dropbox.com client broadcasts every 20 seconds, then prints all the discovered client IP addresses, port numbers, version numbers, display names, and more. [Ron Bowes, Mak Kolybabi, Andrew Orr, Russ Tait Milne]
  • broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the same broadcast domain. [Patrik Karlsson]
  • broadcast-upnp-info: Attempts to extract system information from the UPnP service by sending a multicast query, then collecting, parsing, and displaying all responses. [Patrik Karlsson]
  • broadcast-wsdd-discover: Uses a multicast query to discover devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]
  • db2-discover: Attempts to discover DB2 servers on the network by querying open ibm-db2 UDP ports (normally port 523). [Patrik Karlsson]
  • dns-update.nse: Attempts to perform an unauthenticated dynamic DNS update. [Patrik Karlsson]
  • domcon-brute: Performs brute force password auditing against the Lotus Domino Console. [Patrik Karlsson]
  • domcon-cmd: Runs a console command on the Lotus Domino Console with the given authentication credentials (see also: domcon-brute). [Patrik Karlsson]
  • domino-enum-users: Attempts to discover valid IBM Lotus Domino users and download their ID files by exploiting the CVE-2006-5835 vulnerability. [Patrik Karlsson]
  • firewalk: Tries to discover firewall rules using an IP TTL expiration technique known as firewalking. [Henri Doreau]
  • ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c backdoor reported as OSVDB-ID 69562. This script attempts to exploit the backdoor using the innocuous id command by default, but that can be changed with a script argument. [Mak Kolybabi]
  • giop-info: Queries a CORBA naming server for a list of objects. [Patrik Karlsson]
  • gopher-ls: Lists files and directories at the root of a gopher service. Remember those? [Toni Ruottu]
  • hddtemp-info: Reads hard disk information (such as brand, model, and sometimes temperature) from a listening hddtemp service. [Toni Ruottu]
  • hostmap: Tries to find hostnames that resolve to the target's IP address by querying the online database at http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]
  • http-brute: Performs brute force password auditing against http basic authentication. [Patrik Karlsson]
  • http-domino-enum-passwords: Attempts to enumerate the hashed Domino Internet Passwords that are (by default) accessible by all authenticated users. This script can also download any Domino ID Files attached to the Person document. [Patrik Karlsson]
  • http-form-brute: Performs brute force password auditing against http form-based authentication. [Patrik Karlsson]
  • http-vhosts: Searches for web virtual hostnames by making a large number of HEAD requests against http servers using common hostnames. [Carlos Pantelides]
  • informix-brute: Performs brute force password auditing against IBM Informix Dynamic Server. [Patrik Karlsson]
  • informix-query: Runs a query against IBM Informix Dynamic Server using the given authentication credentials (see also: informix-brute). [Patrik Karlsson]
  • informix-tables: Retrieves a list of tables and column definitions for each database on an Informix server. [Patrik Karlsson]
  • iscsi-brute: Performs brute force password auditing against iSCSI targets. [Patrik Karlsson]
  • iscsi-info: Collects and displays information from remote iSCSI targets. [Patrik Karlsson]
  • modbus-discover: Enumerates SCADA Modbus slave ids (sids) and collects their device information. [Alexander Rudakov]
  • nat-pmp-info: Queries a NAT-PMP service for its external address. [Patrik Karlsson]
  • netbus-auth-bypass: Checks if a NetBus server is vulnerable to an authentication bypass vulnerability which allows full access without knowing the password. [Toni Ruottu]
  • netbus-brute: Performs brute force password auditing against the Netbus backdoor ("remote administration") service. [Toni Ruottu]
  • netbus-info: Opens a connection to a NetBus server and extracts information about the host and the NetBus service itself. [Toni Ruottu]
  • netbus-version: Extends version detection to detect NetBuster, a honeypot service that mimics NetBus. [Toni Ruottu]
  • nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to obtain information such as load averages, process counts, logged in user information, etc. [Mak Kolybabi]
  • oracle-brute: Performs brute force password auditing against Oracle servers. [Patrik Karlsson]
  • oracle-enum-users: Attempts to enumerate valid Oracle user names against unpatched Oracle 11g servers (this bug was fixed in Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]
  • path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris Katterjohn]
  • resolveall: Resolves hostnames and adds every address (IPv4 or IPv6, depending on Nmap mode) to Nmap's target list. This differs from Nmap's normal host resolution process, which only scans the first address (A or AAAA record) returned for each host name. [Kris Katterjohn]
  • rmi-dumpregistry: Connects to a remote RMI registry and attempts to dump all of its objects. [Martin Holst Swende]
  • smb-flood: Exhausts a remote SMB server's connection limit by opening as many connections as we can. Most implementations of SMB have a hard global limit of 11 connections for user accounts and 10 connections for anonymous. Once that limit is reached, further connections are denied. This script exploits that limit by taking up all the connections and holding them. [Ron Bowes]
  • ssh2-enum-algos: Reports the number of algorithms (for encryption, compression, etc.) that the target SSH2 server offers. If verbosity is set, the offered algorithms are each listed by type. [Kris Katterjohn]
  • stuxnet-detect: Detects whether a host is infected with the Stuxnet worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]
  • svn-brute: Performs brute force password auditing against Subversion source code control servers. [Patrik Karlsson]
  • targets-traceroute: Inserts traceroute hops into the Nmap scanning queue. It only functions if Nmap's --traceroute option is used and the newtargets script argument is given. [Henri Doreau]
  • vnc-brute: Performs brute force password auditing against VNC servers. [Patrik Karlsson]
  • vnc-info: Queries a VNC server for its protocol version and supported security types. [Patrik Karlsson]
  • wdb-version: Detects vulnerabilities and gathers information (such as version numbers and hardware support) from VxWorks Wind DeBug agents. [Daniel Miller]
  • wsdd-discover: Retrieves and displays information from devices supporting the Web Services Dynamic Discovery (WS-Discovery) protocol. It also attempts to locate any published Windows Communication Framework (WCF) web services (.NET 4.0 or later). [Patrik Karlsson]
  • [NSE] Added 12 new protocol libraries:
  • dhcp.lua by Ron
  • dnssd.lua (DNS Service Discovery) by Patrik
  • ftp.lua by David
  • giop.lua (CORBA naming service) by Patrik
  • informix.lua (Informix database) by Patrik
  • iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
  • nrpc.lua (Lotus Domino RPC) by Patrik
  • rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
  • tns.lua (Oracle) by Patrik
  • upnp.lua (UPnP support) by Thomas Buchanan and Patrik
  • vnc.lua (Virtual Network Computing) by Patrik
  • wsdd.lua (Web Service Dynamic Discovery) by Patrik
  • [NSE] Added a new brute library that provides a basic framework and logic for brute force password auditing scripts. [Patrik]
  • [Zenmap] Greatly improved performance for large scans by benchmarking intensively and then recoding dozens of slow parts. Time taken to load our benchmark file (a scan of just over a million IPs belonging to Microsoft corporation, with 74,293 hosts up) was reduced from hours to less than two minutes. Memory consumption decreased dramatically as well. [David]
  • Performed a major OS detection integration run. The database has grown more than 14% to 2,982 fingerprints and many of the existing fingerprints were improved. Highlights include Linux 2.6.37, iPhone OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4. David posted highlights of his integration work at http://seclists.org/nmap-dev/2010/q4/651
  • Performed a huge version detection integration run. The number of signatures has grown by more than 11% to 7,355. More than a third of our signatures are for http, but we also detect 743 other service protocols, from abc, acap, access-remote-pc, and achat to zenworks, zeo, and zmodem. David posted highlights at http://seclists.org/nmap-dev/2010/q4/761.
  • [NSE] Added the target NSE library which allows scripts to add newly discovered targets to Nmap's scanning queue. This allows Nmap to support a wide range of target acquisition techniques. Scripts which can now use this feature include dns-zone-transfer, hostmap, ms-sql-info, snmp-interfaces, targets-traceroute, and several more. [Djalal]
  • [NSE] Nmap has two new NSE script scanning phases. The new pre-scan occurs before Nmap starts scanning. Some of the initial pre-scan scripts use techniques like broadcast DNS service discovery or DNS zone transfers to enumerate hosts which can optionally be treated as targets. The other phase (post scan) runs after all of Nmap's scanning is complete. We don't have any of these scripts yet, but they could compile scan statistics or present the results in a different way. One idea is a reverse index which provides a list of services discovered during a network scan, along with a list of IPs found to be running each service. See http://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]
  • [NSE] A new --script-help option describes all scripts matching a given specification. It accepts the same specification format as --script does. For example, try 'nmap --script-help "default or http-*"'. [David, Martin Holst Swende]
  • Dramatically improved nmap.xsl (used for converting Nmap XML output to HTML). In particular:
  • Put verbose details behind expander buttons so you can see them if you want, but they don't distract from the main output. In particular, offline hosts and traceroute results are collapsed by default.
  • Improved the color scheme to be less garish.
  • Added support for the new NSE pre-scan and post-scan phases.
  • Changed script output to use 'pre' tags to keep even lengthy output readable.
  • Added a floating menu to the lower-right for toggling whether closed/filtered ports are shown or not (they are now hidden by default if Javascript is enabled).
  • Many smaller improvements were made as well. You can find the new file at http://nmap.org/svn/docs/nmap.xsl, and here is an example scan processed through it: http://nmap.org/tmp/newxsl.html. [Tom]
  • [NSE] Created a new "broadcast" script category for the broadcast-* scripts. These perform network discovery by broadcasting on the local network and listening for responses. Since they don't directly relate to targets specified on the command line, these are kept out of the default category (nor do they go in "discovery").
  • Integrated cracked passwords from the Gawker.com compromise (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000 password database. A team of Nmap developers led by Brandon Enright has cracked 635,546 out of 748,081 password hashes so far (85%). Gawker doesn't exactly have the most sophisticated users on the Internet--their top passwords are "123456", "password", "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey", "111111", "consumer", and "letmein".
  • XML output now excludes output for down hosts when only doing host discovery, unless verbosity (-v) was requested. This is how it already worked for normal scans, but the ping-only case was overlooked. [David]
  • Updated the Windows build process to work with (and require) Visual C++ 2010 rather than 2008. If you want to build Zenmap too, you now need Python 2.7 (rather than 2.6) and GTK+ 2.22. See http://nmap.org/book/inst-windows.html#inst-win-source [David, Rob Nicholls, KX]
  • Merged port names in the nmap-services file with allocated names from the IANA (http://www.iana.org/assignments/port-numbers). We only added IANA names which were "unknown" in our file--we didn't deal with conflicting names. [David]
  • Enabled the ASLR and DEP security technologies for Nmap.exe, Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will set the /DYNAMICBASE and /NXCOMPAT flags in the PE header. Executables generated using py2exe or NSIS and third party binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support for DEP on XP SP3, using SetProcessDEPPolicy(), could still be implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]
  • Investigated using the CPE (Common Platform Enumeration) standard for describing operating systems, devices, and service names for Nmap OS and service detection. You can read David's reports at http://seclists.org/nmap-dev/2010/q3/278 and http://seclists.org/nmap-dev/2010/q3/303.
  • [Zenmap] Improved the output viewer to show new output in constant time. Previously it would get slower and slower as the output grew longer, eventually making Zenmap appear to freeze with 100% CPU. Rob Nicholls and Ray Middleton helped with testing. [David]
  • The Linux RPM builds of Nmap and related tools (ncat, nping, etc.) now link to system libraries dynamically rather than statically. They still link statically to dependency libraries such as OpenSSL, Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so the RPMs will work on distributions with older software (like RHEL, Debian stable) as well as more bleeding edge ones like Fedora. [David]
  • [NSE] Added the ability to send and receive on unconnected sockets. This can be used, for example, to receive UDP broadcasts without having to use Libpcap. A number of scripts (ms-sql-info, upnp-info, and dns-service-discovery) have been changed so that they can work as prerule scripts to discover services by UDP broadcasting, and optionally add the discovered targets to the scanning queue. The nmap.new_socket function can now optionally take a default protocol and address family, which will be used if the socket is not connected. There is a new nmap.sendto function to be used with unconnected UDP sockets. [David, Patrik]
  • [Nping] Substantially improved the Nping man page. You can read it online at http://nmap.org/book/nping-man.html. [Luis, David]
  • Documented the licenses of the third-party software used by Nmap and its sibling tools: http://nmap.org/svn/docs/3rd-party-licenses.txt. [David]
  • [NSE] Improved the SMB scripts so that they can run in parallel rather than using a mutex to force serialization. This quadrupled the SMB scan speed in one large scale test. See http://seclists.org/nmap-dev/2010/q3/819. [Ron]
  • Added a simple Nmap NSE script template to make writing new scripts easier: http://nmap.org/svn/docs/sample-script.nse. [Ron]
  • [Zenmap] Made the topology node radiuses grow logarithmically instead of linearly, so that hosts with thousands of open ports don't overwhelm the diagram. Also only open ports (not open|filtered) are considered when calculating node sizes. Henri Doreau found and fixed a bug in the implementation. [Daniel Miller]
  • [NSE] Added the get_script_args NSE function for parsing script arguments in a clean and standardized way (http://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]
  • Increased the initial RTT timeout for ARP scans from 100 ms to 200 ms. Some wireless and VPN links were taking around 300 ms to respond. The default of one retransmission gives them 400 ms to be detected.
  • Added new version detection probes and signatures from Patrik for:
  • Lotus Domino Console running on tcp/2050 (shows OS and hostname)
  • IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
  • Database servers running the DRDA protocol
  • IBM Websphere MQ (shows name of queue-manager and channel)
  • Fix Nmap compilation on OpenSolaris (see http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on) [David]
  • [NSE] The http library's request functions now accept an additional "auth" table within the option table, which causes Basic authentication credentials to be sent. [David]
  • Improved IPv6 host output in that we now remember and report the forward DNS name (given by the user) and any non-scanned addresses (usually because of round robin DNS). We already did this for IPv4. [David]
  • [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation messages about gtk.Tooltip. [Rob Nicholls]
  • [NSE] Made dns-zone-transfer script able to add new discovered DNS records to the Nmap scanning queue. [Djalal]
  • [NSE] Enhanced ssl-cert to also report the type and bit size of SSL certificate public keys. [Matt Selsky]
  • [Ncat] Make --exec and --idle-timeout work when connecting with --proxy. Florian Roth reported the bug. [David]
  • [Nping] Fixed a bug which caused Nping to fail when targeting broadcast addresses (see http://seclists.org/nmap-dev/2010/q3/752). [Luis]
  • [Nping] Nping now limits concurrent open file descriptors properly based on the resources available on the host (see http://seclists.org/nmap-dev/2010/q4/2). [Luis]
  • [NSE] Improved ssh2's kex_init() parameters: all of the algorithm and language lists can be set using new keys in the "options" table argument. These all default to the same value used before. Also, the required "cookie" argument is now replaced by an optional "cookie" key in the "options" table, defaulting to random bytes as suggested by the RFC. [Kris]
  • Ncat now logs Nsock debug output to stderr instead of stdout for consistency with its other debug messages. [David]
  • [NSE] Added a new function, shortport.http, for HTTP script portrules and changed 14 scripts to use it. [David]
  • Updated to the latest config.guess and config.sub. Thanks to Ty Miller for a reminder. [David]
  • [NSE] Added prerule support to snmp-interfaces and the ability to add the remote host's interface addresses to the scanning queue. The new script arguments used for this functionality are "host" (required) and "port" (optional). [Kris]
  • Fixed some inconsistencies in nmap-os-db and a small memory leak that would happen where there was more than one round of OS detection. These were reported by Xavier Sudre from netVigilance. [David]
  • [NSE] Fixed a bug with worker threads calling the wrong destructors. Fixing this allows better parallelism in http-brute.nse. The problem was reported by Patrik Karlsson. [David, Patrick]
  • Upgraded the OpenSSL binaries shipped in our Windows installer to version 1.0.0a. [David]
  • [NSE] Added prerule support to the dns-zone-transfer script, allowing it to run early to discover IPs from DNS records and optionally add those IPs to Nmap's target queue. You must specify the DNS server and domain name to use with script arguments. [Djalal]
  • Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with a struct of the same name in . This caused a compilation error when Nmap was compiled with an OpenSSL that had SCTP support. [Olli Hauer, Daniel Roethlisberger]
  • [NSE] Implemented a big cleanup of the Nmap NSE Nsock library binding code. [Patrick]
  • Added a bunch of Apple and Netatalk AFP service detection signatures. These often provide extra details such as whether the target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]
  • [NSE] Host tables now have a host.traceroute member available when --traceroute is used. This array contains the IP address, reverse DNS name, and RTT for each traceroute hop. [Henri Doreau]
  • [NSE] Made the ftp-anon script return a directory listing when anonymous login is allowed. [Gutek, David]
  • [NSE] Added the nmap.resolve() function. It takes a host name and optionally an address family (such as "inet") and returns a table containing all of its matching addresses. If no address family is specified, all addresses for the name are returned. [Kris]
  • [NSE] Added the nmap.address_family() function which returns the address family Nmap is using as a string (e.g., "inet6" is returned if Nmap is called with the -6 option). [Kris]
  • [NSE] Scripts can now access the MTU of the host.interface device using host.interface_mtu. [Kris]
  • Restrict the default Windows DLL search path by removing the current directory. This adds extra protection against DLL hijacking attacks, especially if we were to add file type associations to Nmap in the future. We implement this with the SetDllDirectory function when available (Windows XP SP1 and later). Otherwise, we call SetCurrentDirectory with the directory containing the executable. [David]
  • Nmap now prints the MTU for interfaces in --iflist output. [Kris]
  • [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x no longer supports. [Alexandru]
  • [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and Nmap NSE, allowing them to connect to servers which run multiple SSL websites on one IP address. To enable this for NSE, the nmap.connect function has been changed to accept host and port tables (like those provided to the action function) in place of a string and a number. [David]
  • [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added support for other DRDA based databases such as IBM Informix Dynamic Server and Apache Derby. [Patrik]
  • [Nsock] Added a new function, nsi_set_hostname, to set the intended hostname of the target. This allows the use of Server Name Indication in SSL connections. [David]
  • [NSE] Limits the number of ports that qscan will scan (now up to 8 open ports and up to 1 closed port by default). These limits can be controlled with the qscan.numopen and qscan.numclosed script arguments. [David]
  • [NSE] Made sslv2.nse give special output when SSLv2 is supported, but no SSLv2 ciphers are offered. This happened with a specific Sendmail configuration. [Matt Selsky]
  • [NSE] Added a "times" table to the host table passed to scripts. This table contains Nmap's timing data (srtt, the smoothed round trip time; rttvar, the rtt variance; and timeout), all represented as floating-point seconds. The ipidseq and qscan scripts were updated to utilize the host's timeout value rather than using a conservative guess of 3 seconds for read timeouts. [Kris]
  • Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping), which were improperly sending whole packets in version 5.35DC1. [Kris]
  • [NSE] When receiving raw packets from Pcap, the packet capture time is now available to scripts as an additional return value from pcap_receive(). It is returned as the floating point number of seconds since the epoch. Also added the nmap.clock() function which returns the current time (and convenience functions clock_ms() and clock_us()). Qscan.nse was updated to use this more accurate timing data. [Kris]
  • [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch source code analyzer (http://smatch.sourceforge.net/). [David]
  • [Zenmap] Fixed a crash that would happen after opening the search window, entering a relative date criterion such as "after:-7", and then clicking the "Expressions" button. The error message was AttributeError: 'tuple' object has no attribute 'strftime' [David]
  • Added a new packet payload--a NAT-PMP external address request for port 5351/udp. Payloads help us elicit responses from listening UDP services to better distinguish them from filtered ports. This payload goes well with our new nat-pmp-info script. [David, Patrik]
  • Updated IANA IP address space assignment list for random IP (-iR) generation. [Kris]
  • [Ncat] Ncat now uses case-insensitive string comparison when checking authentication schemes and parameters. Florian Roth found a server offering "BASIC" instead of "Basic", and the HTTP RFC requires case-insensitive comparisons in most places. [David]
  • [NSE] There is now a limit of 1,000 concurrent running scripts, instituted to keep memory under control when there are many open ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE crash) for one host with tens of thousands of open ports. This limit can be controlled with the variable CONCURRENCY_LIMIT in nse_main.lua. [David]
  • The command line in XML output (/nmaprun/@args attribute) now does quoting of whitespace using double quotes and backslashes. This allows recovering the original command line array even when arguments contain whitespace. [David]
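The quoted form described here only helps a consumer that can undo it, so here is a parser for the /nmaprun/@args attribute, as an added example rather than Nmap's own code. The exact rule (an argument is wrapped in double quotes when it contains whitespace, a double quote or a backslash, and those two characters are backslash-escaped inside the quotes) is an assumption, and the sample XML is constructed.

```python
"""Round-trip an argv array through the whitespace-quoted /nmaprun/@args form."""
import re
import xml.etree.ElementTree as ET

# Assumed quoting rule: quote when the argument contains whitespace, '"' or '\'.
_NEEDS_QUOTE = re.compile(r'[\s"\\]')


def quote_arg(arg: str) -> str:
    """Quote one argument so that it survives a whitespace split."""
    if arg == "" or _NEEDS_QUOTE.search(arg):
        return '"' + arg.replace("\\", "\\\\").replace('"', '\\"') + '"'
    return arg


def join_args(argv) -> str:
    """Produce the args attribute value from an argv array."""
    return " ".join(quote_arg(a) for a in argv)


def split_args(s: str):
    """Inverse of join_args: recover the original argv array."""
    argv, cur, in_quotes, have_arg, i = [], [], False, False, 0
    while i < len(s):
        c = s[i]
        if in_quotes:
            if c == "\\" and i + 1 < len(s):      # escaped '"' or '\'
                cur.append(s[i + 1])
                i += 2
                continue
            if c == '"':
                in_quotes = False
            else:
                cur.append(c)
        elif c == '"':
            in_quotes, have_arg = True, True       # "" is a valid empty argument
        elif c.isspace():
            if have_arg:                           # unquoted whitespace ends an argument
                argv.append("".join(cur))
                cur, have_arg = [], False
        else:
            cur.append(c)
            have_arg = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated quote in args attribute")
    if have_arg:
        argv.append("".join(cur))
    return argv


def nmaprun_argv(xml_text: str):
    """Extract the scan's argv from an Nmap XML document (XML escaping handled by ET)."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("root element is not <nmaprun>")
    return split_args(root.get("args", ""))


# Constructed sample: an output path containing a space, as stored in the attribute.
SAMPLE_XML = ('<nmaprun scanner="nmap" args="nmap -sV -oX &quot;out dir/scan.xml&quot; '
              'scanme.nmap.org" start="0"></nmaprun>')
```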
  • Added a service detection probe for master servers of Quake 3 and related games. [Toni Ruottu]
  • [Zenmap] Updated French translation. [Henri Doreau]
  • [Zenmap] Fixed a crash when printing a scan that had no output (like a scan made by command-line Nmap). Henri Doreau noticed the error. [David]

New in Nmap 5.21 (Jan 28, 2010)

  • [Zenmap] Added a workaround for a Ubuntu Python packaging idiosyncrasy. As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies self.prefix, a variable we use in the setup.py script. This would cause Zenmap to look in the wrong place for its configuration files, and show the dialog "Error creating the per-user configuration directory" with the specific error "[Errno 2] No such file or directory: '/usr/share/zenmap/config'".
  • Fixed an error that occurred when UDP scan was combined with version scan. UDP ports would appear in the state "unknown" at the end of the scan, and in some cases an assertion failure would be raised. This was an unintended side effect of the memory use reduction changes in 5.20.
  • [NSE] Did some simple bit-flipping on the nmap_service.exe program used by the smb-psexec script, to avoid its being falsely detected as malware. [Ron]
  • [NSE] Fixed a bug in http.lua that could lead to an assertion failure. It happened when there was an error getting a response at the beginning of a batch in http.pipeline. The symptoms of the bug were:
    NSE: Received only 0 of 1 expected reponses.
    Decreasing max pipelined requests to 0.
    NSOCK (0.1870s) Write request for 0 bytes...
    nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
  • [NSE] Restored the ability of http.head to return a body if the server returns one. This was lost in the http.lua overhaul from

New in Nmap 5.20 (Jan 23, 2010)

  • Dramatically improved the version detection database, integrating 2,596 submissions that users contributed since February 3, 2009. More than a thousand signatures were added, bringing the total to 8,501. Many existing signatures were improved as well. Please keep those submissions and corrections coming! Nmap prints a submission URL and fingerprint when it receives responses it can't yet interpret.
  • [NSE] Added a new script, oracle-sid-brute, which queries the Oracle TNS-listener for default instance/sid names. The SID enumeration list was prepared by Red Database security.
  • [Ncat] The --ssl, --output, and --hex-dump options now work with exec and --sh-exec. Among other things, this allows you to make a program's I/O available over the network wrapped in SSL encryption for security. It is implemented by forking a separate process to handle network communications and relay the data to the sub-process. [Venkat, David]
  • Nmap now tries to start the WinPcap NPF service on Windows if it is not already running. This is rare, since our WinPcap installer starts NPF running at system boot time by default. Because starting NPF requires administrator privileges, a UAC dialog for net.exe may appear on Windows Vista and Windows 7 before NPF is loaded. Once NPF is loaded, it generally stays loaded until you reboot or run "net stop npf". [David, Michael Pattrick]
  • The Nmap Windows installer and our WinPcap installer now have an option /NPFSTARTUP=NO, which inhibits the installer from setting the WinPcap NPF service to start at system startup and at install-time. This option only affects silent mode (/S) because existing GUI checkboxes allow you to configure this behavior during interactive installation. [David]
  • [NSE] Replaced our runlevel system for managing the order of script execution with a much more powerful dependency system. This allows scripts to specify which other scripts they depend on (e.g. a brute force authentication script might depend on username enumeration scripts) and NSE manages the order. Dependencies only enforce ordering, they cannot pull in scripts which the user didn't specify.
  • [Ncat] For compatibility with Hobbit's original Netcat, the -p option now works to set the listening port number in listen mode. So "ncat -l 123" can now be expressed as "ncat -l -p 123" too. [David]
  • A new script argument, http.useragent, lets you modify the User-Agent header sent by NSE from its default of "Mozilla/5.0 (compatible; Nmap Scripting Engine; http://nmap.org/book/nse.html)". Set it to the empty string to disable the User-Agent entirely. [David, Tom Sellers, Jah]
  • [Zenmap] The locale setting had been taken from the Windows locale which inadvertently made setting the locale with the LANG environment variable stop working. Now the LANG variable is examined first, and if that is not present, the system-wide setting is used. This change allows users to keep Zenmap in its original English (or any of Zenmap's other languages) even if their system is set to use a different locale. [David]
  • [NSE] The http-favicon script is now better at finding "link rel=icon" tags in pages, and uses that icon in preference to favicon.ico if found. If the favicon.uri script arg is given, only that is tried. Meanwhile, a giant (10 million web servers) favicon scan by Brandon allowed us to add about 40 more of the most popular icons to the DB. [David, Brandon]
  • [NSE] smb-psexec now works against Windows XP (as well as already-supported Win2K and Windows 2003). The solution involved changing the seemingly irrelevant PID field in the SMB packet.
  • [NSE] Fixed a bug which kept the nselib/data/psexec subdirectory out of the Windows packages. We needed to add the /s and /e options to xcopy in our Visual C++ project file. [David]
  • [NSE] Overhauled our http library to centralize HTTP parsing and make it more robust. The biggest user-visible change is that http.request goes back to returning a parsed result table rather than raw HTTP data. Also the http.pipeline function no longer accepts the no-longer-used "raw" option. [David]
  • Fixed a bug in traceroute that could lead to a crash: "terminate called after throwing an instance of 'std::out_of_range' what(): bitset::test". It happened when the preliminary distance guess for a target was greater than 30, the size of an internal data structure. David and Brandon tracked down the problem.
  • Fixed compilation of libdnet-stripped on platforms that don't have socklen_t. [Michael Pattrick]
  • Added a service probe and match lines for the Logitech/SlimDevices SqueezeCenter music server. [Patrik Karlsson]
  • Fixed the RTSPRequest version probe, which was accidentally modified to say "RTSP/2.0" rather than "RTSP/1.0" in 5.10BETA2. [Matt Selsky]
  • [NSE] Our http library no longer allows cached responses from a GET request to be returned for a HEAD request. This could cause problems with at least the http-enum script. [David]
  • Fixed a bug in the WinPcap installer: If the "Start the WinPcap service 'NPF' at startup" box was unchecked and the "Start the WinPcap service 'NPF' now" box was checked, the second checkbox would be ignored (the service would not be started now). [Rob Nicholls]

New in Nmap 5.00 (Jul 31, 2009)

  • [Zenmap] Merged the changes in the zenmap-filter branch to the main zenmap branch. Pressing Ctrl+L now brings up the filter interface for filtering out uninteresting hosts. Alternatively, the interface is accessible via the 'Filter Hosts' button. [Josh]
  • [Ncat] In verbose mode Ncat now prints the IN and OUT traffic in bytes once the client connection is terminated, in this way: "Finished. 29 bytes sent, 24 bytes received." For this, a few lines of code were added to Nsock so that other Nsock-dependent applications can also use this traffic count. [Venkat]
  • The ARP host discovery scan now filters ARP packets based on their target address field, not the destination address in the enclosing ethernet frame. Some operating systems, including Windows 7 and Solaris 10, are known to at least sometimes send their ARP replies to the broadcast address and Nmap wouldn't notice them. The symptom of this was that root scans wouldn't work ("Host seems down") but non-root scans would work. Thanks to Mike Calmus and Vijay Sankar for reporting the problem, and Marcus Haebler for suggesting the fix.
  • The -fno-strict-aliasing option is now used unconditionally when using GCC. It was already this way, in effect, because a test against the GCC version number was reversed: = 4. Solar Designer reported the problem.
  • Nmap now prints a warning instead of a fatal error when the hardware address of an interface can't be found. This is the case for FireWire interfaces, which have a hardware address format not supported by libdnet. Thanks to Julian Berdych for the bug report. [David]
  • Added the pjl-ready-message.nse script from Aaron Leininger. This script allows viewing and setting the message displayed by printers that support the Printer Job Language.
  • The Ndiff man page was expanded with examples and sample output. [David]
  • Made RPC grinding work from service detection again by changing the looked-for service name from "rpc" to "rpcbind", the name it has in nmap-service-probes. [David]
  • Fixed a log_write call and a pfatal call to use a syntax which is safer from format strings bugs. This allows Nmap to build with the gcc -Wformat -Werror=format-security options. [Guillaume Rousse, Dmitry Levin]
  • [Ndiff] Ndiff now shows changes in script output. [David]
  • A bug in Nsock was fixed: On systems where a nonblocking connect could succeed immediately, connections that were requested to be tunnelled through SSL would actually be plain text. This could be verified with an Ncat client and server running on localhost. This was observed to happen with localhost connections on FreeBSD 7.2. Non-localhost connections were likely not affected. The bug was reported by Daniel Roethlisberger. [David]
  • [NSE] Scripts that are listed by name with the --script option now have their verbosity level automatically increased by one. Many will print negative results ("no infection found") at a higher verbosity level. The idea is that if you ask for a script specifically, you are more interested in such results. [David, Patrick]
  • [Ncat] The Ncat proxy now hides the proxy's response ("HTTP/1.0 200 OK" or whatever it may be). Before, if you retrieved a file through a proxy, it would have the "HTTP/1.0 200 OK" stuck to the top of it. For this, Ncat uses blocking sockets until the proxy negotiation is done, and once it is successful, Nsock takes over for the rest of the connection. [Venkat]
  • [Ncat] Fixed an error that would cause Ncat to use 100% CPU in broker mode after a client disconnected or a read error happened. [Kris, David]
  • [Ncat] Ncat now prints a message like "Connection refused." by default when a socket error occurs. This used to require -v, but printing no message at all could make a failed connection look like success in a case like ncat remote < short-file
  • [Ncat] Using --send-only in conjunction with the plain listen or broker modes now behaves as it should: nothing will be read from the network end. Ncat was simply discarding any data received. [Kris]
  • [Ncat] Added additional test cases to the ncat/test/test-cmdline-split program and rewrote the cmdline_split function in ncat_posix.c [Josh Marlow]
  • [Ncat] The --broker option now automatically implies --listen. [David]
  • Added Apache JServe protocol version detection probe and signature from Tom Sellers. He submitted some other version detection patches as well.
  • Added a test program, test/test-cmdline-split to test the cmdline_split function in test/test-cmdline-split in preparation for an eventual rewrite of cmdline_split [Josh Marlow].
  • For some UDP ports, Nmap will now send a protocol-specific payload that is more likely to get a response than an empty packet is. This improves the effectiveness of probes to those ports for host discovery, and also makes an open port more likely to be classified open rather than open|filtered. The ports and payloads are defined in payload.cc. [David]
  • Fixed two memory leaks in ncat_posix.c and a bug where an open file was not being closed in libdnet-stripped/src/intf.c [Josh Marlow]
  • Added a convenience top-level BSD makefile redirecting BSD make to GNU make on BSD systems. This should help prevent bogus error reports when users run "make" instead of "gmake" on BSD systems. [Daniel Roethlisberger]
  • [Zenmap] Added support to zenmap for the SCTP options: -PY, -sY and -sZ, as well as making a comment in zenmapCore/NmapOptions.py on how to add new options. [Josh Marlow]
  • The configure script now allows cross-compiling by assuming that libpcap is recent enough. Previously it would quit because a test program could not be run. libpcap will always be recent enough when the included copy is used. The patch was contributed by Mike Frysinger.

New in Nmap 4.90 RC1 (Jun 25, 2009)

  • [Zenmap] Fixed a display hanging problem on Mac OS X. This was done by adding gtk2 back to macports-1.8.0-universal.diff and removing the dependency on shared-mime-info so it doesn't expect /usr/share/mime files at runtime. Also included GDK pixbuf loaders statically rather than as external loadable modules. [David]
  • Fixed a memory bug (access of freed memory) when loading exclude targets with --exclude. This was reported to occasionally cause a crash. Will Cladek reported the bug and contributed an initial patch. [David]
  • Zenmap application icons were regenerated using the newer SVG representation of the Nmap eye. [David]

New in Nmap 4.85 Beta 9 (May 14, 2009)

  • Integrated all 1,156 of your OS detection submissions and your 50 corrections since January 8. Please keep them coming! The second generation OS detection DB has grown 14% to more than 2,000 fingerprints! That is more than we ever had with the first system. The 243 new fingerprints include Microsoft Windows 7 beta, Linux 2.6.28, and much more.
  • [Ncat] A whole lot of work was done by David to improve SSL security and functionality:
  • Ncat now does certificate domain and trust validation against trusted certificate lists if you specify --ssl-verify.
  • [Ncat] To enable SSL certificate verification on systems whose default trusted certificate stores aren't easily usable by OpenSSL, we install a set of certificates extracted from Windows in the file ca-bundle.crt. The trusted contents of this file are added to whatever default trusted certificates the operating system may provide. [David]
  • Ncat now automatically generates a temporary keypair and certificate in memory when you request it to act as an SSL server but you don't specify your own key using --ssl-key and --ssl-cert options. [David]
  • [Ncat] In SSL mode, Ncat now always uses secure connections, meaning that it uses only good ciphers and doesn't use SSLv2. Certificates can optionally be verified with the --ssl-verify and --ssl-trustfile options. Nsock provides the option of making SSL connections that prioritize either speed or security; Ncat uses security while version detection and NSE continue to use speed. [David]
  • [NSE] Added Boolean operators for --script. You may now use "and", "or", and "not" combined with categories, filenames, and wildcarded filenames to match a set of files. Parenthetical subexpressions are allowed for precedence too. For example, you can now run: nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org
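The boolean --script selection described above, as an added example in Python (not Nmap's own Lua implementation): a small evaluator applies an expression of categories, script names and wildcards to a constructed script table. The exact rules for matching a term (category name, ".nse" optional, "all" matches everything) are an assumption simplified from Nmap's behaviour.

```python
import fnmatch
import re

# Constructed sample of script metadata (script name -> categories); it is
# a stand-in for Nmap's script.db, not real data taken from it.
SAMPLE_SCRIPT_DB = {
    "http-title": {"default", "discovery", "safe"},
    "http-brute": {"intrusive", "brute"},
    "smb-enumshares": {"discovery", "intrusive"},
    "dns-brute": {"intrusive", "discovery"},
    "banner": {"discovery", "safe"},
}


def term_matches(term, name, categories):
    """A term is a category, a script file name (".nse" optional) or a
    wildcarded file name; "all" matches every script.  These rules are an
    assumption of this example, simplified from Nmap's own matching."""
    term = term.lower()
    if term == "all" or term in categories:
        return True
    pattern = term[:-4] if term.endswith(".nse") else term
    return fnmatch.fnmatchcase(name, pattern)


class _ScriptExpr:
    """Recursive-descent evaluator with the usual precedence: "not" binds
    tightest, then "and", then "or"; parentheses group subexpressions."""

    def __init__(self, tokens, name, categories):
        self.tokens = tokens
        self.pos = 0
        self.name = name
        self.categories = categories

    def peek(self):
        return self.tokens[self.pos] if self.pos < len(self.tokens) else None

    def take(self):
        tok = self.peek()
        self.pos += 1
        return tok

    def parse_or(self):
        value = self.parse_and()
        while self.peek() == "or":
            self.take()
            # Always evaluate the right side so its tokens are consumed.
            value = self.parse_and() or value
        return value

    def parse_and(self):
        value = self.parse_not()
        while self.peek() == "and":
            self.take()
            value = self.parse_not() and value
        return value

    def parse_not(self):
        if self.peek() == "not":
            self.take()
            return not self.parse_not()
        return self.parse_atom()

    def parse_atom(self):
        tok = self.take()
        if tok is None:
            raise ValueError("unexpected end of --script expression")
        if tok == "(":
            value = self.parse_or()
            if self.take() != ")":
                raise ValueError("missing ')' in --script expression")
            return value
        if tok in (")", "and", "or", "not"):
            raise ValueError("unexpected %r in --script expression" % tok)
        return term_matches(tok, self.name, self.categories)


def select_scripts(expression, db=SAMPLE_SCRIPT_DB):
    """Return the sorted names of the scripts in db selected by expression."""
    tokens = re.findall(r"\(|\)|[^\s()]+", expression)
    selected = []
    for name, categories in sorted(db.items()):
        evaluator = _ScriptExpr(tokens, name, {c.lower() for c in categories})
        matched = evaluator.parse_or()
        if evaluator.peek() is not None:
            raise ValueError("trailing tokens in --script expression")
        if matched:
            selected.append(name)
    return selected


if __name__ == "__main__":
    print(select_scripts("(default or safe or intrusive) and not http-*"))
```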
  • [Ncat] The HTTP proxy server now works on Windows too. [David]
  • [Zenmap] The command wizard has been removed. The profile editor has the same capabilities with a better interface that doesn't require clicking through many screens. The profile editor now has its own "Scan" button that lets you run an edited command line immediately without saving a new profile. The profile editor now comes up showing the current command rather than being blank. [David]
  • [Zenmap] Added a small animated throbber which indicates that a scan is still running (similar in concept to the one in the upper-right Firefox corner which animates while a page is loading). [David]
  • Regenerate script.db to remove references to non-existent smb-check-vulns-2.nse. This caused the following error messages when people used the --script=all option: "nse_main.lua:319: smb-check-vulns-2.nse is not a file!" The script.db entries are now sorted again to make diffs easier to read. [David,Patrick]
  • Fixed --script-update on Windows--it was adding bogus backslashes preceding file names in the generated script.db. The error message was also improved.
  • The official Windows binaries are now compiled with MS Visual C++ 2008 Express Edition SP1 rather than the RTM version. We also now distribute the matching SP1 version of the MS runtime components (vcredist_x86.exe). A number of compiler warnings were fixed too. [Fyodor,David]
  • Fixed a bug in the new NSE Lua core which caused it to round fractional runlevel values to the next integer. This could cause dependency problems for the smb-* scripts and others which rely on floating point runlevel values (e.g. that smb-brute at runlevel 0.5 will run before smb-system-info at the default runlevel of 1).
  • The SEQ.CI OS detection test introduced in 4.85BETA4 now has some examples in nmap-os-db and has been assigned a MatchPoints value of 50. [David]
  • [Ncat] When using --send-only, Ncat will now close the network connection and terminate after receiving EOF on standard input. This is useful for, say, piping a file to a remote ncat where you don't care to wait for any response. [Daniel Roethlisberger]
  • [Ncat] Fix hostname resolution on BSD systems where a recently fixed libc bug caused getaddrinfo(3) to fail unless a socket type hint is provided. Patch originally provided by Hajimu Umemoto of FreeBSD. [Daniel Roethlisberger]
  • [NSE] Fixed bug in the DNS library which caused the error message "nselib/dns.lua:54: 'for' limit must be a number". [Jah]
  • Fixed Solaris 10 compilation by renaming a yield structure which conflicted with a yield function declared in unistd.h on that platform. [Pieter Bowman, Patrick]
  • [Ncat] Minor code cleanup of Ncat memory allocation and string duplication calls. [Ithilgore]
  • Fixed a bug which could cause -iR to only scan the first host group and then terminate prematurely. The problem related to the way hosts are counted by o.numhosts_scanned. [David]
  • Fixed a bug in the su-to-zenmap.sh script so that, in the cases where it calls su, it uses the proper -c option rather than -C.
  • Overhaul the NSE documentation "Usage and Examples" section and add many more examples: http://nmap.org/book/nse-usage.html [David]
  • [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work around an assertion in Visual C++ in Debug mode. The isprint, isalpha, etc. functions from ctype.h have an assertion on the value of the character passed in: if it is >= 128, it is cast to an unsigned int, making it a large positive number and failing the assertion.
  • [NSE] Fixed a segmentation fault which could occur in scripts which use the NSE pcap library. The problem was reported by Lionel Cons and fixed by Patrick.
  • [NSE] Port script start/finish debug messages now show the target port number as well as the host/IP. [Jah]
  • Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
  • [NSE] Fixed http.table_argument so that user-supplied HTTP headers are now properly sent in HTTP requests.

New in Nmap 4.76 (Dec 30, 2008)

  • A problem that caused OS detection to fail for most hosts in a certain situation was fixed. It happened when sending raw Ethernet frames (by default on Windows or on other platforms with --send-eth) to hosts on a switched LAN. The destination MAC address was wrong for most targets. The symptom was that only one out of each scan group of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go to Michael Head for running tests and especially Trent Snyder for testing and finding the cause of the problem. [David]
  • Fixed a division by zero error in the packet rate measuring code that could cause a display of infinity packets per second near the start of a scan. [Jah]
  • Complete re-write of the marshalling logic for Microsoft RPC calls. [Ron Bowes]
  • Added vulnerability checks for MS08-067 as well as an unfixed denial of service in the Windows 2000 registry service. [Ron Bowes]
  • Zenmap now runs ndiff to do its "Compare Results" function. This completely replaces the old diff view. ndiff is now required to do comparisons in Zenmap. [David]
  • Fixed a bug in the IP validation code which would have let a specially crafted reply sent from a host on the same LAN slip through and cause Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for the very detailed bug report. [Kris]
  • [Zenmap] The crash reporter is more respectful of user privacy. It shows all the information that will be submitted so you can edit it to remove identifying information such as the name of your home directory. If you provide an email address the report will be marked private so it will not appear on the public bug tracker. [David]
  • [Zenmap] Internationalization has been fixed [David]. Currently there are two partial translations:
  • Brazilian Portuguese by Adriano Monteiro Marques
  • German by Chris Leick
  • [NSE] host.os table is now properly a 1 based array (was 0). [Patrick]
  • [Zenmap] Zenmap now parses and records XSL stylesheet information from Nmap XML files, so files saved by Zenmap will be viewable in a web browser just like those produced by Nmap. [David]
  • A possible Lua stack overflow in dns.lua was fixed. [David]
  • The NSE registry now persists across host groups. [David]
  • Added a script that checks for ms08-067-vulnerable hosts (smb-check-vulns.nse) using the smb nselib. [Ron Bowes]
  • Added a Russian translation of the Nmap Reference Guide by Guz Alexander. We now have translations in 15 languages available from http://nmap.org/docs.html. More volunteer translators are welcome, as we are still missing some important languages (particularly German!). Translation instructions are available from that docs.html page.
  • [Zenmap] Added a workaround for a crash "GtkWarning: could not open display" on Mac OS X 10.5. The problem is caused by setting the DISPLAY environment variable in one of your shell startup files; that shouldn't be done under 10.5 and removing it will make other X11-using applications work better. Zenmap will now handle the situation automatically. [David]
  • http-auth.nse now properly checks for default authentication credentials. A bug prevented it from working before. [Vlatko Kosturjak]
  • Renamed irc-zombie.nse to auth-spoof and improved its description and output a bit. [Fyodor]
  • Most script names were changed to make them more consistent. [Fyodor, David]
  • Removed ripeQuery.nse because we now have the much more robust whois.nse which handles all the major registries. [Fyodor]
  • Removed showSSHVersion.nse. Its only real claim to fame was the ability to trick some SSH servers (including at least OpenSSH .3p2-9etch3) into not logging the connection. This trick doesn't seem to work with newer versions of OpenSSH, as my openssh-server-4.7p1-4.fc8 does log the connection. Without the stealth advantage, the script has no real benefit over version detection or the upcoming banner grabbing script. [Fyodor]
  • NSE scripts that require a list of DNS servers (currently only ASN.nse) now work when IPv6 scanning. Previously it gave an error message: "Failed to send dns query. Response from dns.query(): 9". [Jah, David]
  • [Zenmap] Added a simple workaround for a bug in PyXML (an add-on Python XML library) that caused a crash. The crash would happen when loading an XML file and looked like "KeyError: 0". [David]
  • Removed some unnecessary "demo" category NSE scripts: echoTest, chargenTest, showHTTPVersion, and showSMTPVersion.nse. Moved daytimeTest from the "demo" category to "discovery". Removed showHTMLTitle from the "demo" category, but it remains in the "default" and "safe" categories. This leaves just showSSHVersion and SMTP_openrelay in the undocumented "demo" category. [Fyodor]
  • A crash caused by an incorrect test condition was fixed. It would happen when running a ping scan other than a protocol ping, without debugging enabled, if an ICMP packet was received referring to a packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and Matt Castelein for reporting the problem. [David]
  • [Zenmap] The keyboard shortcut for "Save to Directory" has been changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the usual paste shortcut [Jah, Michael].
  • Nmap quits if you give a "backwards" port or protocol range like -p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]
  • Fixed a bug which caused Nmap to infer an improper distance against some hosts when performing OS detection against a group whose distance varies between members. [David, Fyodor]
  • Added a new NSE OpenSSL library with functions for multiprecision integer arithmetic, hashing, HMAC, symmetric encryption and symmetric decryption. [Sven]
  • [Zenmap] Host information windows are now like any other windows, and will not become unclosable by having their controls offscreen. Thanks to Robert Mead for the bug report.
  • showHTMLTitle.nse can now follow (non-standard) relative redirects, and may do a DNS lookup to find if the redirected-to host has the same IP address as the scanned host. [Jah]
  • Enhanced the tohex() function in the NSE stdnse library to support strings and added options to control the formatting. [Sven]
  • The http NSE module tries to deal with non-standards-compliant HTTP traffic, particularly responses in which the header fields are separated by plain LF rather than CRLF. [Jah, Sven]
  • [Zenmap] The help function now properly converts the pathname of the local help file to a URL, for better compatibility with different web browsers. [David] This should fix the crash "WindowsError: [Error 2] The system cannot find the file specified: 'file://C:\Program Files\Nmap\zenmap\share\zenmap\docs\help.html'".
  • The HTTP_open_proxy.nse script is updated to match Google Web Server's changed header field: "Server: gws" instead of "Server: GWS/". [Vlatko Kosturjak]
  • Enhanced the ssh service detection signatures to properly detect protocol version 2 services. [Matt Selsky]
  • [Zenmap] Nmap output is automatically scrolled. [David]
  • Reduced memory consumption for some longer running scans by removing completed hosts from the lists after two minutes. These hosts are kept around in case there is a late response, but this draws the line on how long we wait and hence keep this information in memory. See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]
  • XML output now contains the full path to nmap.xml on Windows. The path is converted to a file:// URL to provide better compatibility across browsers. [Jah]
  • Zenmap no longer outputs XML elements and attributes that are not in the Nmap XML DTD. This was done mostly by removing things from Zenmap's output, and adding a few new optional things to the Nmap DTD. A scan's profile name, host comments, and interactive text output are what were added to nmap.dtd. The .usr filename extension for saved Zenmap files is deprecated in favor of the .xml extension commonly used with Nmap. Because of these changes the xmloutputversion has been increased to 1.03. [David]
  • Added the Ndiff utility, which compares the results of Nmap scans. See ndiff/README and http://nmap.org/ndiff/ for more information. [David]
  • Fixed an integer overflow that could cause the scan delay to grow large for no reason in some circumstances. [David]
  • Enhanced the AS Numbers script (ASN.nse) to better consolidate results and bail out if the DNS server doesn't support the ASN queries. [Jah]
  • Made DNS timeouts in NSE dependent on the timing template [Jah]
  • Added three new nselib modules: msrpc, netbios, and smb. As the names suggest, they contain common code for scripts using MSRPC, NetBIOS, and SMB. These modules allow scripts to extract a great deal of information from hosts running Windows, particularly Windows . New or updated scripts using the modules are:
  • nbstat.nse: get NetBIOS names and MAC address.
  • smb-enumdomains.nse: enumerate domains and policies.
  • smb-enumsessions.nse: enumerate logins and SMB sessions.
  • smb-enumshares.nse: enumerate network shares.
  • smb-enumusers.nse: enumerate users and information about them.
  • smb-os-discovery.nse: get operating system over SMB (replaces netbios-smb-os-discovery.nse).
  • smb-security-mode.nse: determine if a host uses user-level or share-level security, and what other security features it supports.
  • smb-serverstats.nse: grab statistics such as network traffic counts.
  • smb-systeminfo.nse: get lots of information from the registry. [Ron Bowes]
  • A script could be executed twice if it was given with the --script option, was also in the "version" category, and version detection (-sV) was requested. This has been fixed. [David]
  • Fixed port number representation in some of Nmap's and all of Nsock's output. Incorrect conversion modifiers were being used which caused high ports to wrap around and be shown as negative values. [Kris]
  • Upgraded the shipped libdnet to 1.12. [Kris]
  • Upgraded the OpenSSL shipped for Windows to 0.9.8i. [Kris]
  • The SSLv2-support NSE script no longer prints duplicate cyphers if they exist in the server's supported cypher list. [Kris]
  • Updated IANA assignment IP list for random IP (-iR) generation. [Kris]

New in Nmap 4.75 (Sep 11, 2008)

  • [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that referred to them. They are not needed with the new search interface. Also removed an unused search progress bar. And some broken fingerprint submission code.
  • [Zenmap] Added "%F" to the Exec link in the new Zenmap desktop file. We expect (hope) that this will allow dragging and dropping XML files onto the icon.
  • [Zenmap] The -o[XGASN] options can now be specified, just as you can at the console.
  • [Zenmap] You can now shrink the scan window below its default size thanks to NmapOutputViewer code enhancements.
  • [Zenmap] Removed optional use of the Psyco Python optimizer since Zenmap is not the kind of CPU-bound application which benefits from Psyco.
  • [Zenmap] You can now select more than one host in the "Ports / Hosts" view by control-clicking them in the column at left.
  • [Zenmap] The profile editor now offers the --traceroute option.
  • Zenmap now uses Unicode objects pervasively when dealing with Nmap text output, though the only internationalized text Nmap currently outputs is the user's time zone.
  • Unprintable characters in NSE script output (which really shouldn't happen anyway) are now printed like xHH, where HH is the hexadecimal representation of the character.
  • Nmap sometimes sent packets with incorrect IP checksums, particularly when sending the UDP probes in OS detection. This has been fixed. Thanks to Gisle Vanem for reporting and investigating the bug.
  • Fixed the --without-liblua configure option so that it works again.
  • In the interest of forward compatibility, the xmloutputversion attribute in Nmap XML output is no longer constrained to be a certain string ("1.02"). The xmloutputversion should be taken as merely advisory by authors of parsers.
  • Zenmap no longer leaves any temporary files lying around. Nmap only prints an uptime guess in verbose mode now, because in some situations it can be very inaccurate.

New in Nmap 4.68 (Jul 23, 2008)

  • Doug integrated all of your version detection submissions and corrections for the year up to May 31. There were more than 1,000 new submissions and 18 corrections. Please keep them coming! And don't forget that corrections are very important, so do submit them if you ever catch Nmap making a version detection or OS detection mistake. The version detection DB has grown to 5,054 signatures representing 486 service protocols. Protocols span the gamut from abc, acap, access-remote-pc, activefax, and activemq, to zebedee, zebra, zenimaging, and zenworks. The most popular protocols are http (1,672 signatures), telnet (519), ftp (459), smtp (344), and pop3 (201).
  • Nmap compilation on Windows is now done with Visual C Express 2008 rather than 2005. Windows compilation instructions have been updated at http://nmap.org/book/inst-windows.html#inst-win-source . [Kris]
  • The Nmap Windows self-installer now automatically installs the MS Visual C 2008 runtime components if they aren't already installed on a system. These are some reasonably small DLLs that are generally necessary for applications compiled with Visual C (with dynamic linking). Many or most systems already have these installed from other software packages. The lack of these components led to the error message "The Application failed to initialize properly (0xc0150002)." with Nmap 4.65. A related change is that Nmap on Windows is now compiled with /MD rather than /MT so that it consistently uses these runtime libraries. The patch was created by Rob Nicholls.
  • Added advanced search functionality to Zenmap so that you can locate previous scans using criteria such as which ports were open, keywords in the target names, OS detection results, etc. Try it out with Ctrl-F or "Tools->Search Scan Results". [Vladimir]
  • Nmap's special WinPcap installer now handles 64-bit Windows machines by installing the proper 64-bit npf.sys. [Rob Nicholls]
  • Added a new NSE Comm (common communication) library for common network discovery tasks such as banner-grabbing (get_banner()) and making a quick exchange of data (exchange()). 16 scripts were updated to use this library. [Kris]
  • The Nmap Scripting Engine now supports mutexes for gracefully handling concurrency issues. Mutexes are documented at http://nmap.org/book/nse-api.html#nse-mutex . [Patrick]
  • Added a UDP SNMPv3 probe to version detection, along with 9 vendor match lines. The patch was from Tom Sellers, who contributed other probes and match lines to this release as well.
  • Added a new timing_level() function to NSE which reports the Nmap timing level from 0 to 5, as set by the Nmap -T option. The default is 3. [Thomas Buchanan]
  • Updated the HTTP library to use the new timing_level functionality to set connection and response timeouts. An error preventing the new timing_level feature from working was also fixed. [Jah]
  • Optimized the doAnyOutstandingProbes() function to make Nmap a bit faster and more efficient. This makes a particularly big difference in cases where --min-rate is being used to specify a very high packet sending rate. [David]
  • Fixed an integer overflow which prevented a target specification of "*.*.*.*" from working. Support for the CIDR /0 is now also available for those times you wish to scan the entire Internet. [Kris]
  • The robots.nse has been improved to print output more compactly and limit the number of entries of large robots.txt files based on Nmap verbosity and debugging levels. [Eddie Bell]
  • The Nmap NSE scripts have been re-categorized in a more logical fashion. The new categories are described at http://nmap.org/book/nse-usage.html#nse-categories . [Kris]
  • Improve AIX support by linking against -lodm and -lcfg on that platform. [David]
  • Updated showHTMLTitle NSE script to follow one HTTP redirect if necessary as long as it is on the same server. [Jah]
  • Michael Pattrick and David created a new OSassist application which streamlines the OS fingerprint submission integration process and prevents certain previously common errors. OSassist isn't part of Nmap, but the system was used to integrate some submissions for this release. 13 fingerprints were added during OSassist testing, and some existing fingerprints were improved as well. Expect many more fingerprints coming soon.
  • Improved the mapping from dnet device names (like eth0) and WinPcap names (like \Device\NPF_{28700713...}). You can see this mapping with --iflist, and the change should make Nmap more likely to work on Windows machines with unusual networking configurations. [David]
  • Service fingerprints in XML output are no longer truncated to 2kb. [Michael]
  • Some laptops report the IP Family as NULL for disabled WiFi cards. This could lead to a crash with the "sin->sin_family == AF_INET6" assertion failure. Nmap no longer quits when this is encountered. [Michael]
  • On systems without the GNU getopt_long_only() function, Nmap has its own replacement. That replacement used to call the system's getopt() function if it exists. But the AIX and Solaris getopt() functions proved insufficient/buggy, so Nmap now always calls its own internal getopt() from its getopt_long_only() replacement. [David]
  • Integrated several service match lines from Tom Sellers.
  • An error was fixed where Zenmap would crash when trying to load from the recent scans database a file containing non-ASCII characters. The error looked like "pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column 'nmap_xml_output' with text '
  • TargetName() from Nmap proper and host.targetname from NSE scripts. The NSE HTTP library now uses this for the Host header. Thanks to Sven Klemm for adding this useful feature.
  • Added NSE HTTP library which allows scripts to easily fetch URLs with http.get_url() or create more complex requests with http.request(). There is also an http.get() function which takes components (hostname, port, and path) rather than a URL. The HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to use this library. Sven Klemm wrote all of this code.
  • Fixed an integer overflow in the DNS caching code that caused nmap to loop infinitely once it had begun expunging the cache of older entries. Thanks to David Moore for the report, and Eddie Bell for the fix.
  • Fixed another integer overflow in the DNS caching code which caused infinite loops. [David]
  • Added IPv6 host support to the RPC scan. Attempting this before (via -sV) caused a segmentation fault. Thanks to Will Cladek for the report. [Kris]
  • Fixed an event handling bug in NSE that could cause execution of some in-progress scripts to be excessively delayed. [Marek]
  • A new NSE table library (tab.lua) allows scripts to deliver better formatted output. The Zone transfer script (zoneTrans.nse) has been updated to use this new facility. [Eddie]
  • Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to do some much-needed cleaning up. [Kris]
  • Added a new MsSQL version detection probe and a bunch of match lines developed by Tom Sellers.
  • Added a new service detection probe and signatures for the memcached service [Doug]
  • Added new service detection probes and signatures for the Beast Trojan and Firebird RDBMS. [Brandon Enright]
  • Fixed a crash in Zenmap which occurred when attempting to edit or create a new profile based on an existing one when there wasn't one selected. The error message was: "'NoneType' object has no attribute 'toolbar'". Now a new Profile Editor is opened. Thanks to D1N ([email protected]) for the report. [Kris]
  • Fixed another crash in Zenmap which occurred when exiting the Profile Editor (while editing an existing profile) by clicking the "X", then going to edit the same profile again. The error message was: "No option named '' found!". Now the same window that appears when clicking Cancel comes up when clicking "X". Thanks to David for reporting this bug. [Kris]
  • Another Zenmap bug was fixed: ports consolidated into "extra ports" groups are now counted and shown in the "Host Details" tab. The closed, filtered and scanned port counts in this tab didn't contain this information before, so they were usually very inaccurate. [Kris]
  • Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay buttons ("amount of time between probes") under the Advanced tab in the Profile Editor were backwards. [Kris]
  • Added the UDP Scan (-sU) and IPProtPing (-PO) to Zenmap's Profile Editor and Command Wizard. [Kris]
  • Reordered the UDP port selection for Traceroute: a closed port is now chosen before an open one. This is because an open UDP port is usually due to running version detection (-sV), so a Traceroute probe wouldn't elicit a response. [Kris]
  • Add Famtech Radmin remote control software probe and signatures to the Nmap version detection DB. [Tom Sellers, Fyodor]
  • Add "Connection: Close" header to requests from HTTP NSE scripts so that they finish faster. [Sven Klemm]
  • Update SSLv2-support NSE script to run against more services which are likely SSL. [Sven Klemm]
  • A bunch of service name canonicalization was done in the Nmap version detection file by Brandon Enright (e.g. capitalizing D-Link and Netgear consistently).
  • Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
  • Updated to latest (as of 3/15) autoconf config.sub/config.guess files from http://cvs.savannah.gnu.org/viewvc/config/?root=config .
  • We now escape newlines, carriage returns, and tabs in XML output. While those are allowed in XML attributes, they get normalized, which can make formatting the output difficult for applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
  • The Zenmap man page is now installed on Unix when "make install" is run. This was supposed to work before, but didn't. [Kris]
  • Fixed a man page bug related to our DocBook to Nroff translation software producing incorrect Nroff output. The man page no longer uses the ".nse" string which was being confused with the Nroff no-space mode command. [Fyodor]
  • Fixed a bug in which some NSE error messages were improperly escaped so that a message including "c:\nmap" would end up with a newline between "c:" and "map".
  • Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
  • The DocBook XML source code to the Nmap Scripting Engine docs (http://nmap.org/nse/) is now in SVN under docs/scripting.xml .