-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGELOG
14029 lines (10905 loc) · 626 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# Nmap Changelog ($Id$); -*-text-*-
o [Zenmap] Updated translations for German (de, Chris Leick), Italian (it, Jan
Reister), Polish (pl, Jacek Wielemborek), and French (fr, MaZ)
o [Zenmap] New Chinese-language (zh) translation from Jie Jiang.
o [NSE] Added snmp-info to get the enterprise number and other information from
the snmpEngineID in an SNMPv3 response packet. [Daniel Miller]
o [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix
published applications in the list are enforcing/requiring the level
of ICA/session data encryption shown in the script result.
[Tom Sellers]
o [NSE] Added targets-ipv6-wordlist to generate target IPv6 addresses
from a wordlist made of hexadecimal characters. [Raúl Fuentes]
o [NSE] Added targets-ipv6-map4to6 to generate target IPv6 addresses
which correspond to IPv4 addresses mapped within a particular IPv6 subnet.
[Raúl Fuentes]
o [NSE] Updated our Wordpress plugin list to improve the
http-wordpress-plugins NSE script. We can now detect 34,077 plugins,
up from 18,570. [Danila Poyarkov]
o [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
handshake, including certificate key size and DH parameters if applicable.
This is similar to Qualys's SSL Labs scanner, and means that we no longer
maintain a list of scores per ciphersuite. [Daniel Miller]
o [NSE] Add the signature algorithm that was used to sign the target port's
x509 certificate to the output of ssl-cert.nse [Tom Sellers]
o [NSE] Fixed a bug in the sslcert.lua library that was triggered against
certain services when version detection was used. [Tom Sellers]
o [NSE] Added ssl-poodle to detect CVE-2014-3566 [Daniel Miller]
o [NSE] vulns.Report:make_output() now generates XML structured output
reports automatically. [Paulino Calderon]
o [NSE] Added http-avaya-ipoffice-users script to enumerate users in Avaya
IP Office 7.x systems. [Paulino Calderon]
o [NSE] Added docker-version script for detecting Docker [Claudio Criscione]
o [NSE] Improved http-form-brute autodetection and behavior to handle more
unusual-but-valid HTML syntax, non-POST forms, success/failure testing on
HTTP headers, and more. [nnposter]
o [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts
[Jay Bosamiya]
o [NSE] If a version script is run by name, nmap.version_intensity() returns
the maximum value (9) for it [Jay Bosamiya]
o [NSE] shortport.version_port_or_service() takes an optional rarity parameter
now to run only when version intensity > rarity [Jay Bosamiya]
o [NSE] Added nmap.version_intensity() function so that NSE version scripts
can use the argument to --version-intensity (which can be overridden by the
script arg 'script-intensity') in order to decide whether to run or not
[Jay Bosamiya]
o Improve OS detection; If a port is detected to be 'tcpwrapped', then it will
not be used for OS detection. This helps in cases where a firewall might be
the port to be 'tcpwrapped' [Jay Bosamiya]
o [Zenmap] Reduce noise generated in Topology View due to anonymous
hops [Jay Bosamiya]
o --reason is enabled for verbosity > 2
o When --reason is asked for, show TTL information too in default output
mode [Jay Bosamiya]
o Added option --exclude-ports to Nmap so that some ports can be excluded from
scanning (for example, due to policy) [Jay Bosamiya]
o [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output,
and display a more helpful error message [Jay Bosamiya]
o Catch badly named output files (such as those unintentionally caused by
"-oX -sV logfile.xml") [Jay Bosamiya]
o [NSE] Added the script supermicro-ipmi-conf to exploit Supermicro IPMI/BMC
controllers. [Paulino Calderon]
o [NSE] Added mikrotik-routeros-brute script to perform password auditing
attacks against Mikrotik's RouterOS API. [Paulino Calderon]
o [NSE] Add s7-info script to get device information from Siemens PLCs via the
S7 service, tunnelled over ISO-TSAP on TCP port 102. [Stephen Hilt]
o Added options --data <hex string> and --data-string <string> to send custom
payloads in scan packet data. [Jay Bosamiya]
o [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans
now open in seconds instead of hours. [Jay Bosamiya]
o Modify the included libpcap configure script to disable certain unused
features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a
build problem on CentOS 6.5. [Daniel Miller]
o Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]
o Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP
stacks in currently popular operating systems use. [Jay Bosamiya]
o [NSE] Add bacnet-info script to get device information from SCADA/ICS devices
via BACnet (Building Automation and Control Networks) [Stephen Hilt, Michael
Toecker]
o [NSE] Add Cisco Anyconnect library and scripts http-cisco-anyconnect,
http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
http-vuln-cve2014-2129. [Patrik Karlsson]
o [NSE] Add enip-info script to get device information from SCADA/ICS devices
via EtherNet/IP [Stephen Hilt]
o Fixed a bug which caused Nmap to be unable to have any runtime interaction
when called from sudo or from a shell script. [Jay Bosamiya]
o Improvements to whois-ip.nse: fix an unhandled error when a referred-to
response could not be understood; add a new pattern to recognise a
LACNIC "record not found" type of response and update the way ARIN is
queried. [jah]
Nmap 6.47 [2014-08-23]
o Integrated all of your IPv4 OS fingerprint submissions since June 2013
(2700+ of them). Added 366 fingerprints, bringing the new total to 4485.
Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2,
OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
Highlights: http://seclists.org/nmap-dev/2014/q3/325 [Daniel Miller]
o (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i. [Daniel Miller]
o (Windows) Upgraded the included Python to version 2.7.8. [Daniel Miller]
o Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This
was added in 6.45, and resulted in trouble for Nmap XML parsers without
network access, as well as increased traffic to Nmap's servers. The doctype
is now:
<!DOCTYPE nmaprun>
o [Ndiff] Fixed the installation process on Windows, which was missing the
actual Ndiff Python module since we separated it from the driver script.
[Daniel Miller]
o [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution,
which was giving the error, "\Microsoft was unexpected at this time." See
https://support.microsoft.com/kb/2524009 [Daniel Miller]
o [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch,
producing this error:
Could not import the zenmapGUI.App module:
'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2):
Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n
Referenced from:
/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\n
Reason: image not found'.
o [Ncat] Fixed SOCKS5 username/password authentication. The password length was
being written in the wrong place, so authentication could not succeed.
Reported with patch by Pierluigi Vittori.
o Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts
this to the string "(null)", but it caused segfault on Solaris. [Daniel Miller]
o [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package
installed. Python tries to be nice and loads it when we import xml, but it
isn't compatible. Instead, we force Python to use the standard library xml
module. [Daniel Miller]
o Handle ICMP admin-prohibited messages when doing service version detection.
Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ
callback. Error code: 101 (Network is unreachable) [David Fifield]
o [NSE] Fix a bug causing http.head to not honor redirects. [Patrik Karlsson]
o [Zenmap] Fix a bug in DiffViewer causing this crash:
TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only
buffer, not NmapParserSAX
Crash happened when trying to compare two scans within Zenmap. [Daniel Miller]
Nmap 6.46 [2014-04-18]
o [NSE] Made numerous improvements to ssl-heartbleed to provide
more reliable detection of the vulnerability.
o [Zenmap] Fixed a bug which caused this crash message:
IOError: [Errno socket error] [Errno 10060] A connection attempt failed
because the connected party did not properly respond after a period of
time, or established connection failed because connected host has
failed to
respond
The bug was caused by us adding a DOCTYPE definition to Nmap's XML
output which caused Python's XML parser to try and fetch the DTD
every time it parses an XML file. We now override that DTD-fetching
behavior. [Daniel Miller]
o [NSE] Fix some bugs which could cause snmp-ios-config and
snmp-sysdescr scripts to crash
(http://seclists.org/nmap-dev/2014/q2/120) [Patrik Karlsson]
o [NSE] Improved performance of citrixlua library when handling large XML
responses containing application lists. [Tom Sellers]
Nmap 6.45 [2014-04-11]
o NOTE THAT THE CHANGELOG FOR THIS RELEASE IS INCOMPLETE. We plan to
finish it soon.
o [NSE] Add ssl-heartbleed script to detect the Heartbleed bug in OpenSSL
CVE-2014-0160 [Patrik Karlsson]
o [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail
when scanning a SOCKS4-only proxy. Reported on IRC by Husky. [Daniel Miller]
o [NSE] Improved ntp-info script to handle underscores in returned
data. [nnposter]
o [NSE] Add quake1-info script for retrieving server and player information
from Quake 1 game servers. Reports potential DoS amplification factor.
[Ulrik Haugen]
o [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and
other character sets to Unicode code points. Scripts that previously just
added or skipped nulls in UTF-16 data can use this to support non-ASCII
characters. [Daniel Miller]
o When doing a ping scan (-sn), the --open option will prevent down hosts from
being shown when -v is specified. This aligns with similar output for other
scan types. [Daniel Miller]
o [Ncat] Added support for socks5 and corresponding regression tests.
[Marek Lucaszuk, Petr Stodulka]
o [NSE] Add http-ntlm-info script for getting server information from Web
servers that require NTLM authentication. [Justin Cacak]
o Added TCP support to dns.lua. [John Bond]
o Added safe fd_set operations. This makes nmap fail gracefully instead of
crashing when the number of file descriptors grows over FD_SETSIZE. Jacek
Wielemborek reported the crash. [Henri Doreau]
o [NSE] Added tls library for functions related to SSLv3 and TLS messages.
Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were
updated to use this library. [Daniel Miller]
o [NSE] Add sstp-discover script to discover Microsoft's Secure Socket
Tunnelling Protocol (http://msdn.microsoft.com/en-us/library/cc247338.aspx)
[Niklaus Schiess]
o [NSE] Added unittest library and NSE script for adding unit tests to NSE
libraries. See unittest.lua for examples, and run `nmap --script=unittest
--script-args=unittest.run -d` to run the tests. [Daniel Miller]
o Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release) [Daniel Miller]
o Added version detection signatures and probes for a bunch of Android
remote mouse/keyboard servers, including AndroMouse, AirHID,
Wifi-mouse, and RemoteMouse. [Paul Hemberger]
o [NSE] Added allseeingeye-info for gathering information from games
using this query protocol. A version detection probe was also
added. [Marin Maržić]
o [NSE] Add freelancer-info to gather information about the Freelancer
game server. Also added a related version detection probe and UDP
protocol payload for detecting the service. [Marin Maržić]
o [Ncat] Fixed compilation when --without-liblua is specified in
configure (an #include needed an ifdef guard). [Quentin Glidic]
o [NSE] Add http-server-header script to grab the Server header as a last-ditch
effort to get a software version. This can't be done as a softmatch because
of the need to match non-HTTP services that obey some HTTP requests. [Daniel
Miller]
o [NSE] Add rfc868-time script to get the date and time from an RFC 868 Time
server. [Daniel Miller]
o [NSE] Add weblogic-t3-info script that detects the T3 RMI protocol used by
Oracle/BEA Weblogic. Extracts the Weblogic version, as well [Alessandro
Zanni, Daniel Miller]
o Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on
FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by
skipping these non-network addresses. [Daniel Miller]
o Fixed a bug with UDP checksum calculation. When the UDP checksum is zero
(0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid
ambiguity with +0, which indicates no checksum was calculated. This affected
UDP on IPv4 only. Reported by Michael Weber. [Daniel Miller]
o [NSE] Removed a fixed value (28428) which was being set for the Request ID in
the snmpWalk library function; a value based on nmap.clock_ms will now be set
instead. [jah]
o [NSE] Add http-iis-short-name-brute script that detects Microsoft IIS
servers vulnerable to a file/folder name disclosure and a denial of
service vulnerability. The script obtains the "shortnames" of the
files and folders in the webroot folder. [Paulino Calderon]
o Idle scan now supports IPv6. IPv6 packets don't usually come with
fragments identifiers like IPv4 packets do, so new techniques had to
be developed to make idle scan possible. The implementation is by
Mathias Morbitzer, who made it the subject of his master's thesis.
o [NSE] Add http-dlink-backdoor script that detects DLink routers with firmware
backdoor allowing admin access over HTTP interface. [Patrik Karlsson]
o The ICMP ID of ICMP probes is now matched against the sent ICMP ID,
to reduce the chance of false matches. Patch by Chris Johnson.
o [NSE] Made telnet-brute support multiple parallel guessing threads,
reuse connections, and support password-only logins. [nnposter]
o [NSE] Made the table returned by ssh1.fetch_host_key contain a "key"
element, like that of ssh2.fetch_host_key. This fixed a crash in the
ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The
"key" element of ssh2.fetch_host_key now is base64-encoded, to match
the format used by the known_hosts file. [David Fifield]
o [Nsock] Handle timers and timeouts via a priority queue (using a heap)
for improved performance. Nsock now only iterates over events which are
completed or expired instead of inspecting the entire event set at each
iteration. [Henri Doreau]
o [NSE] Update dns-cache-snoop script to use a new list of top 50
domains rather than a 2010 list. [Nicolle Neulist]
o [NSE] Added the qconn-exec script by Brendan Coles, which tests the
QNX QCONN service for remote command execution.
o [Zenmap] Fixed a crash that would happen when you entered a search
term starting with a colon: "AttributeError:
'FilteredNetworkInventory' object has no attribute 'match_'".
Reported by Kris Paernell. [David Fifield]
o [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR
and NCAT_LOCAL_PORT environment variables being set in all --*-exec child
processes.
Nmap 6.40 [2013-07-29]
o [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat
--sh-exec "lua <scriptname>"' and allows you to run Lua scripts with Ncat,
redirecting all stdin and stdout operations to the socket connection. See
http://nmap.org/book/ncat-man-command-options.html [Jacek Wielemborek]
o Integrated all of your IPv4 OS fingerprint submissions since January
(1,300 of them). Added 91 fingerprints, bringing the new total to 4,118.
Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more.
Many existing fingerprints were improved. Highlights:
http://seclists.org/nmap-dev/2013/q2/519. [David Fifield]
o Integrated all of your service/version detection fingerprints submitted
since January (737 of them)! Our signature count jumped by 273 to 8,979.
We still detect 897 protocols, from extremely popular ones like http, ssh,
smtp and imap to the more obscure airdroid, gopher-proxy, and
enemyterritory. Highlights:
http://seclists.org/nmap-dev/2013/q3/80. [David Fifield]
o Integrated your latest IPv6 OS submissions and corrections. We're still
low on IPv6 fingerprints, so please scan any IPv6 systems you own or
administer and submit them to http://nmap.org/submit/. Both new
fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap
guesses wrong) are useful. [David Fifield]
o [Nsock] Added initial proxy support to Nsock. Nmap version detection
and NSE can now establish TCP connections through chains of one or
more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a
chain of one or more proxies as the argument (example:
http://localhost:8080,socks4://someproxy.example.com). Note that
only version detection and NSE are supported so far (no port
scanning or host discovery), and there are other limitations
described in the man page. [Henri Doreau]
o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446.
They are all listed at http://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):
+ hostmap-ip2hosts finds hostnames that resolve to the target's IP address
by querying the online database at http://www.ip2hosts.com (uses Bing
search results) [Paulino Calderon]
+ http-adobe-coldfusion-apsa1301 attempts to exploit an authentication
bypass vulnerability in Adobe Coldfusion servers (APSA13-01:
http://www.adobe.com/support/security/advisories/apsa13-01.html) to
retrieve a valid administrator's session cookie. [Paulino Calderon]
+ http-coldfusion-subzero attempts to retrieve version, absolute path of
administration panel and the file 'password.properties' from vulnerable
installations of ColdFusion 9 and 10. [Paulino Calderon]
+ http-comments-displayer extracts and outputs HTML and JavaScript
comments from HTTP responses. [George Chatzisofroniou]
+ http-fileupload-exploiter exploits insecure file upload forms in web
applications using various techniques like changing the Content-type
header or creating valid image files containing the payload in the
comment. [George Chatzisofroniou]
+ http-phpmyadmin-dir-traversal exploits a directory traversal
vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to
retrieve remote files on the web server. [Alexey Meshcheryakov]
+ http-stored-xss posts specially crafted strings to every form it
encounters and then searches through the website for those strings to
determine whether the payloads were successful. [George Chatzisofroniou]
+ http-vuln-cve2013-0156 detects Ruby on Rails servers vulnerable to
object injection, remote command executions and denial of service
attacks. (CVE-2013-0156) [Paulino Calderon]
+ ike-version obtains information (such as vendor and device type where
available) from an IKE service by sending four packets to the host.
This scripts tests with both Main and Aggressive Mode and sends multiple
transforms per request. [Jesper Kueckelhahn]
+ murmur-version detects the Murmur service (server for the Mumble voice
communication client) versions 1.2.X. [Marin Maržić]
+ mysql-enum performs valid-user enumeration against MySQL server using a
bug discovered and published by Kingcope
(http://seclists.org/fulldisclosure/2012/Dec/9). [Aleksandar Nikolic]
+ teamspeak2-version detects the TeamSpeak 2 voice communication server
and attempts to determine version and configuration information. [Marin
Maržić]
+ ventrilo-info detects the Ventrilo voice communication server service
versions 2.1.2 and above and tries to determine version and
configuration information. [Marin Maržić]
o Updated the Nmap license agreement to close some loopholes and stop some
abusers. It's particularly targeted at companies which distribute
malware-laden Nmap installers as we caught Download.com doing last
year--http://insecure.org/news/download-com-fiasco.html. The updated
license is in the all the normal places, including
https://svn.nmap.org/nmap/COPYING.
o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If
you ran the (fortunately non-default) http-domino-enum-passwords script
with the (fortunately also non-default) domino-enum-passwords.idpath
parameter against a malicious server, it could cause an arbitrarily named
file to to be written to the client system. Thanks to Trustwave researcher
Piotr Duszynski for discovering and reporting the problem. We've fixed
that script, and also updated several other scripts to use a new
stdnse.filename_escape function for extra safety. This breaks our record
of never having a vulnerability in the 16 years that Nmap has existed, but
that's still a fairly good run! [David, Fyodor]
o Unicast CIDR-style IPv6 range scanning is now supported, so you can
specify targets such as en.wikipedia.org/120. Obviously it will take ages
if you specify a huge space. For example, a /64 contains
18,446,744,073,709,551,616 addresses. [David Fifield]
o It's now possible to mix IPv4 range notation with CIDR netmasks in target
specifications. For example, 192.168-170.4-100,200.5/16 is effectively the
same as 192.168.168-170.0-255.0-255. [David Fifield]
o Timeout script-args are now standardized to use the timespec that Nmap's
command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that
previously took an integer number of milliseconds will now treat that as a
number of seconds if not explicitly denoted as ms. [Daniel Miller]
o Nmap may now partially rearrange its target list for more efficient
host groups. Previously, a single target with a different interface,
or with an IP address the same as a that of a target already in the
group, would cause the group to be broken off at whatever size it
was. Now, we buffer a small number of such targets, and keep looking
through the input for more targets to fill out the current group.
[David Fifield]
o [Ncat] The -i option (idle timeout) now works in listen mode as well as
connect mode. [Tomas Hozza]
o [Ncat] Ncat now support chained certificates with the --ssl-cert
option. [Greg Bailey]
o [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid
receiving crosstalk from other ping programs running at the same
time. [David Fifield]
o [NSE] The ipOps.isPrivate library now considers the deprecated site-local
prefix fec0::/10 to be private. [Marek Majkowski]
o Nmap's routing table is now sorted first by netmask, then by metric.
Previously it was the other way around, which could cause a very general
route with a low metric to be preferred over a specific route with a
higher metric.
o Routes are now sorted to prefer those with a lower metric. Retrieval of
metrics is supported only on Linux and Windows. [David Fifield]
o Fixed a byte-ordering problem on little-endian architectures when doing
idle scan with a zombie that uses broken ID increments. [David Fifield]
o Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by
Gustavo Moreira. [Henri Doreau]
o [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a
network mask. Based on a patch by Indula Nayanamith.
o [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to
stay within platform limitations. Suggested by Andrey Olkhin.
o Fixed IPv6 routing table alignment on NetBSD.
o Fixed our NSEDoc system so the author field uses UTF-8 and we can spell
people's name properly, even if they use crazy non-ASCII characters like
Marin Maržić. [David Fifield]
o UDP protocol payloads were added for detecting the Murmer service (a
server for the Mumble voice communication client) and TeamSpeak 2 VoIP
software.
o [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
o Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This
was reported to break on -current as of May 2013. [Giovanni Bechis]
o Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
o Removed some non-ANSI-C strftime format strings ("%F") and
locale-dependent formats ("%c") from NSE scripts and libraries.
C99-specified %F was noticed by Alex Weber. [Daniel Miller]
o [Zenmap] Improved internationalization support:
+ Added Polish translation by Jacek Wielemborek.
+ Updated the Italian translation. [Giacomo]
o [Zenmap] Fixed internationalization files. Running in a language other
than the default English would result in the error "ValueError: too many
values to unpack". [David Fifield]
o [NSE] Updated the included Liblua from version 5.2.1 to 5.2.2. [Patrick
Donnelly]
o [Nsock] Added a minimal regression test suite for Nsock. [Henri Doreau]
o [NSE] Updated the redis-brute and redis-info scripts to work against the
latest versions of redis server. [Henri Doreau]
o [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
o [NSE] Updated hostmap-bfk to work with the latest version of their website
(bfk.de). [Paulino Calderon]
o [NSE] Added XML structured output support to:
+ xmpp-info, irc-info, sslv2, address-info [Daniel Miller]
+ hostmap-bfk, hostmap-robtex, hostmap-ip2hosts. [Paulino Calderon]
+ http-git.nse. [Alex Weber]
o Added new service probes for:
+ Erlang distribution nodes [Michael Schierl]
+ Minecraft servers. [Eric Davisson]
+ Hazelcast data grid. [Pavel Kankovsky]
o [NSE] Rewrote telnet-brute for better compatibility with a variety of
telnet servers. [nnposter]
o Fixed a regression that changed the number of delimiters in machine
output. [Daniel Miller]
o Fixed a regression in broadcast-dropbox-listener which prevented it from
producing output. [Daniel Miller]
o Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports
will be reported as "filtered", to be consistent with existing Connect
scan results, and will have a reason of time-exceeded. DiabloHorn
reported this issue via IRC. [Daniel Miller]
o Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and
changed output of some of the decoders slightly. [Patrik Karlsson]
o The list of name servers on Windows now ignores those from inactive
interfaces. [David Fifield]
o Namespace the pipes used to communicate with subprocesses by PID, to avoid
multiple instances of Ncat from interfering with each other. Patch by
Andrey Olkhin.
o [NSE] Changed ip-geolocation-geoplugin to use the web service's new output
format. Reported by Robin Wood.
o Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast
connect scans could write past the end of an fd_set and cause a variety of
crashes:
nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed.
select failed in do_one_select_round(): Bad file descriptor (9)
[David Fifield]
o Fixed a bug that prevented Nmap from finding any interfaces when one of
them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk
interfaces. However, This support is not complete since AppleTalk
interfaces use different size hardware addresses than Ethernet. Nmap IP
level scans should work without any problem, please refer to the
'--send-ip' switch and to the following thread:
http://seclists.org/nmap-dev/2013/q1/214. This bug was reported by Steven
Gregory Johnson. [Daniel Miller]
o [Nping] Nping on Windows now skips localhost targets for privileged pings
on (with an error message) because those generally don't work. [David
Fifield]
o [Ncat] Ncat now keeps running in connect mode after receiving EOF from the
remote socket, unless --recv-only is in effect. [Tomas Hozza]
o Packet trace of ICMP packets now include the ICMP ID and sequence number
by default. [David Fifield]
o [NSE] Fixed various NSEDoc bugs found by David Matousek.
o [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED
environment variables. [Tyler Wagner]
o Added an ncat_assert macro. This is similar to assert(), but remains even
if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved
operation with side effects outside of asserts as yet another layer of
bug-prevention [David Fifield].
o Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into
XSL-FO, which can be converted into PDF using tools suck as Apache FOP.
o Increased the number of slack file descriptors not used during connect
scan. Previously, the calculation did not consider the descriptors used by
various open log files. Connect scans using a lot of sockets could fail
with the message "Socket creation in sendConnectScanProbe: Too many open
files". [David Fifield]
o Changed the --webxml XSL stylesheet to point to the new location of
nmap.xsl in the new repository (https://svn.nmap.org/nmap/docs/nmap.xsl).
It still may not work in web browsers due to same origin policy (see
http://seclists.org/nmap-dev/2013/q1/58). [David Fifield, Simon John]
o [NSE] The vulnerability library can now preserve vulnerability information
across multiple ports of the same host. The bug was reported by
iphelix. [Djalal Harouni]
o Removed the undocumented -q option, which renamed the nmap process to
something like "pine".
o Moved the Japanese man page from man1/jp to man1/ja. JP is a country code
while JA is a language code. Reported by Christian Neukirchen.
o [Nsock] Reworked the logging infrastructure to make it more flexible and
consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can
now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David
Fifield]
o [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by
Dhiru Kholia at http://seclists.org/nmap-dev/2012/q4/422. [David Fifield]
o Made some changes to Ndiff to reduce parsing time when dealing with large
Nmap XML output files. [Henri Doreau]
o Clean up the source code a bit to resolve some false positive issues
identified by the Parfait static code analysis program. Oracle apparently
runs this on programs (including Nmap) that they ship with Solaris. See
http://seclists.org/nmap-dev/2012/q4/504. [David Fifield]
o [Zenmap] Fixed a crash that could be caused by opening the About dialog,
using the window manager to close it, and opening it again. This was
reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]
o [Ncat] Made test-addrset.sh exit with nonzero status if any tests
fail. This in turn causes "make check" to fail if any tests fail.
[Andreas Stieger]
o Fixed compilation with --without-liblua. The bug was reported by Rick
Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]
o Fixed CRC32c calculation (as used in SCTP scans) on 64-bit
platforms. [Pontus Andersson]
o [NSE] Added multicast group name output to
broadcast-igmp-discovery.nse. [Vasily Kulikov]
o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
SquirrelMail, RoundCube. [Jesper Kückelhahn]
Nmap 6.25 [2012-11-29]
o [NSE] Added CPE to smb-os-discovery output.
o [Ncat] Fixed the printing of warning messages for large arguments to
the -i and -w options. [Michal Hlavinka]
o [Ncat] Shut down the write part of connected sockets in listen mode
when stdin hits EOF, just as was already done in connect mode.
[Michal Hlavinka]
o [Zenmap] Removed a crashing error that could happen when canceling a
"Print to File" on Windows:
Traceback (most recent call last):
File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
File "zenmapGUI\Print.pyo", line 156, in run_print_operation
GError: Error from StartDoc
This bug was reported by Imre Adácsi. [David Fifield]
o Added some new checks for failed library calls. [Bill Parker]
Nmap 6.20BETA1 [2012-11-16]
o Integrated all of your IPv4 OS fingerprint submissions since January
(more than 3,000 of them). Added 373 fingerprints, bringing the new
total to 3,946. Additions include Linux 3.6, Windows 8, Windows
Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
routers, and other devices--including our first IP-enabled doorbell!
Many existing fingerprints were improved. [David Fifield]
o Integrated all of your service/version detection fingerprints
submitted since January (more than 1,500)! Our signature
count jumped by more than 400 to 8,645. We now detect 897
protocols, from extremely popular ones like http, ssh, smtp and imap
to the more obscure airdroid, gopher-proxy, and
enemyterritory. [David Fifield]
o Integrated your latest IPv6 OS submissions and corrections. We're
still low on IPv6 fingerprints, so please scan any IPv6 systems you
own or administer and submit them to http://nmap.org/submit/. Both
new fingerprints (if Nmap doesn't find a good match) and corrections
(if Nmap guesses wrong) are useful.
o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
(Next Header) probes. Previously, only TCP and ICMP were
supported. [David Fifield]
o Scripts can now return a structured name-value table so that results
are query-able from XML output. Scripts can return a string as
before, or a table, or a table and a string. In this last case, the
table will go to XML output and the string will go to screen output.
See http://nmap.org/book/nse-api.html#nse-structured-output [Daniel
Miller, David Fifield, Patrick Donnelly]
o [Nsock] Added new poll and kqueue I/O engines for improved
performance on Windows and BSD-based systems including Mac OS X.
These are in addition to the epoll engine (used on Linux) and the
classic select engine fallback for other system. [Henri Doreau]
o [Ncat] Added support for Unix domain sockets. The new -U and
--unixsock options activate this mode. These provide compatibility
with Hobbit's original Netcat. [Tomas Hozza]
o Moved some Windows dependencies, including OpenSSL, libsvn, and the
vcredist files, into a new public Subversion directory
/nmap-mswin32-aux and moved it out of the source tarball. This
reduces the compressed tarball size from 22 MB to 8 MB and similarly
reduces the bandwidth and storage required for an svn checkout.
Folks who build Nmap on Windows will need to check out
/nmap-mswin32-aux along with /nmap as described at
http://nmap.org/book/inst-windows.html#inst-win-source.
o Many of the great features in this release were created by college
and grad students generously sponsored by Google's Summer of Code
program. Thanks, Google Open Source Department! This year's team
of five developers is introduced at
http://seclists.org/nmap-dev/2012/q2/204 and their successes
documented at http://seclists.org/nmap-dev/2012/q4/138
o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part
of version detection when a port seems to run a SunRPC service) with
a faster and easier to maintain NSE-based implementation. This also
allowed us to remove the crufty old pos_scan scan engine. [Hani
Benhabiles]
o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1)
rather than 5.1. See http://seclists.org/nmap-dev/2012/q2/34 for
details. [Patrick Donnelly]
o [NSE] Added 85(!) NSE scripts, bringing the total up to 433. They
are all listed at http://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):
+ ajp-auth retrieves the authentication scheme and realm of an AJP
service (Apache JServ Protocol) that requires authentication. The
Apache JServ Protocol is commonly used by web servers to
communicate with back-end Java application server
containers. [Patrik Karlsson]
+ ajp-brute performs brute force passwords auditing against the
Apache JServ protocol. [Patrik Karlsson]
+ ajp-headers performs a HEAD or GET request against either the root
directory or any optional directory of an Apache JServ Protocol
server and returns the server response headers. [Patrik Karlsson]
+ ajp-methods discovers which options are supported by the AJP
(Apache JServ Protocol) server by sending an OPTIONS request and
lists potentially risky methods. [Patrik Karlsson]
+ ajp-request requests a URI over the Apache JServ Protocol and
displays the result (or stores it in a file). Different AJP
methods such as; GET, HEAD, TRACE, PUT or DELETE may be
used. [Patrik Karlsson]
+ bjnp-discover retrieves printer or scanner information from a
remote device supporting the BJNP protocol. The protocol is known
to be supported by network based Canon devices. [Patrik Karlsson]
+ broadcast-ataoe-discover discovers servers supporting the ATA over
Ethernet protocol. ATA over Ethernet is an ethernet protocol
developed by the Brantley Coile Company and allows for simple,
high-performance access to SATA drives over Ethernet. [Patrik
Karlsson]
+ broadcast-bjnp-discover attempts to discover Canon devices
(Printers/Scanners) supporting the BJNP protocol by sending BJNP
Discover requests to the network broadcast address for both ports
associated with the protocol. [Patrik Karlsson]
+ broadcast-eigrp-discovery performs network discovery and routing
information gathering through Cisco's EIGRP protocol. [Hani
Benhabiles]
+ broadcast-igmp-discovery discovers targets that have IGMP
Multicast memberships and grabs interesting information. [Hani
Benhabiles]
+ broadcast-pim-discovery discovers routers that are running PIM
(Protocol Independent Multicast). [Hani Benhabiles]
+ broadcast-tellstick-discover discovers Telldus Technologies
TellStickNet devices on the LAN. The Telldus TellStick is used to
wirelessly control electric devices such as lights, dimmers and
electric outlets. [Patrik Karlsson]
+ cassandra-brute performs brute force password auditing against the
Cassandra database. [Vlatko Kosturjak]
+ cassandra-info attempts to get basic info and server status from a
Cassandra database. [Vlatko Kosturjak]
+ cups-info lists printers managed by the CUPS printing
service. [Patrik Karlsson]
+ cups-queue-info Lists currently queued print jobs of the remote
CUPS service grouped by printer. [Patrik Karlsson]
+ dict-info Connects to a dictionary server using the DICT protocol,
runs the SHOW SERVER command, and displays the result. [Patrik
Karlsson]
+ distcc-cve2004-2687 detects and exploits a remote code execution
vulnerability in the distributed compiler daemon distcc. [Patrik
Karlsson]
+ dns-check-zone checks DNS zone configuration against best
practices, including RFC 1912. The configuration checks are
divided into categories which each have a number of different
tests. [Patrik Karlsson]
+ dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
network using a technique which analyzes DNS server response codes
to dramatically reduce the number of queries needed to enumerate
large networks. [Patrik Karlsson]
+ dns-nsec3-enum tries to enumerate domain names from the DNS server
that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John
Bond]
+ eppc-enum-processes attempts to enumerate process info over the
Apple Remote Event protocol. When accessing an application over
the Apple Remote Event protocol the service responds with the uid
and pid of the application, if it is running, prior to requesting
authentication. [Patrik Karlsson]
+ firewall-bypass detects a vulnerability in Netfilter and other
firewalls that use helpers to dynamically open ports for protocols
such as ftp and sip. [Hani Benhabiles]
+ flume-master-info retrieves information from Flume master HTTP
pages. [John R. Bond]
+ gkrellm-info queries a GKRellM service for monitoring
information. A single round of collection is made, showing a
snapshot of information at the time of the request. [Patrik
Karlsson]
+ gpsd-info retrieves GPS time, coordinates and speed from the GPSD
network daemon. [Patrik Karlsson]
+ hostmap-robtex discovers hostnames that resolve to the target's IP
address by querying the Robtex service at
http://www.robtex.com/dns/. [Arturo Busleiman]
+ http-drupal-enum-users enumerates Drupal users by exploiting a an
information disclosure vulnerability in Views, Drupal's most
popular module. [Hani Benhabiles]
+ http-drupal-modules enumerates the installed Drupal modules by
using a list of known modules. [Hani Benhabiles]
+ http-exif-spider spiders a site's images looking for interesting
exif data embedded in .jpg files. Displays the make and model of
the camera, the date the photo was taken, and the embedded geotag
information. [Ron Bowes]
+ http-form-fuzzer performs a simple form fuzzing against forms
found on websites. Tries strings and numbers of increasing length
and attempts to determine if the fuzzing was successful. [Piotr
Olma]
+ http-frontpage-login checks whether target machines are vulnerable
to anonymous Frontpage login. [Aleksandar Nikolic]
+ http-git checks for a Git repository found in a website's document
root (/.git/<something>) then retrieves as much repo
information as possible, including language/framework, Github
username, last commit message, and repository description. [Alex
Weber]
+ http-gitweb-projects-enum retrieves a list of Git projects, owners
and descriptions from a gitweb (web interface to the Git revision
control system). [riemann]
+ http-huawei-hg5xx-vuln detects Huawei modems models HG530x,
HG520x, HG510x (and possibly others...) vulnerable to a remote
credential and information disclosure vulnerability. It also
extracts the PPPoE credentials and other interesting configuration
values. [Paulino Calderon]
+ http-icloud-findmyiphone retrieves the locations of all "Find my
iPhone" enabled iOS devices by querying the MobileMe web service
(authentication required). [Patrik Karlsson]
+ http-icloud-sendmsg sends a message to a iOS device through the
Apple MobileMe web service. The device has to be registered with
an Apple ID using the Find My iPhone application. [Patrik
Karlsson]
+ http-phpself-xss crawls a web server and attempts to find PHP
files vulnerable to reflected cross site scripting via the
variable $_SERVER["PHP_SELF"]. [Paulino Calderon]
+ http-rfi-spider crawls webservers in search of RFI (remote file
inclusion) vulnerabilities. It tests every form field it finds and
every parameter of a URL containing a query. [Piotr Olma]
+ http-robtex-shared-ns Finds up to 100 domain names which use the
same name server as the target by querying the Robtex service at
http://www.robtex.com/dns/. [Arturo Busleiman]
+ http-sitemap-generator spiders a web server and displays its
directory structure along with number and types of files in each
folder. Note that files listed as having an 'Other' extension are
ones that have no extension or that are a root document. [Piotr
Olma]
+ http-slowloris-check tests a web server for vulnerability to the
Slowloris DoS attack without actually launching a DoS
attack. [Aleksandar Nikolic]
+ http-slowloris tests a web server for vulnerability to the
Slowloris DoS attack by launching a Slowloris attack. [Aleksandar
Nikolic, Ange Gutek]
+ http-tplink-dir-traversal exploits a directory traversal
vulnerability existing in several TP-Link wireless
routers. Attackers may exploit this vulnerability to read any of
the configuration and password files remotely and without
authentication. [Paulino Calderon]
+ http-traceroute exploits the Max-Forwards HTTP header to detect
the presence of reverse proxies. [Hani Benhabiles]
+ http-virustotal checks whether a file has been determined as
malware by virustotal. Virustotal is a service that provides the
capability to scan a file or check a checksum against a number of
the major antivirus vendors. [Patrik Karlsson]
+ http-vlcstreamer-ls connects to a VLC Streamer helper service and
lists directory contents. The VLC Streamer helper service is used
by the iOS VLC Streamer application to enable streaming of
multimedia content from the remote server to the device. [Patrik
Karlsson]
+ http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
to jmx console authentication bypass (CVE-2010-0738). [Hani
Benhabiles]
+ http-waf-fingerprint Tries to detect the presence of a web
application firewall and its type and version. [Hani Benhabiles]
+ icap-info tests a list of known ICAP service names and prints
information about any it detects. The Internet Content Adaptation
Protocol (ICAP) is used to extend transparent proxy servers and is
generally used for content filtering and antivirus
scanning. [Patrik Karlsson]
+ ip-forwarding detects whether the remote device has ip forwarding
or "Internet connection sharing" enabled, by sending an ICMP echo
request to a given target using the scanned host as default