Nmap 7.91 [2020-10-09]
o [Zenmap] Fix a crash in the profile editor due to a missing import.
o [Nsock][Windows] Demote the IOCP Nsock engine because of some known
issues that will take longer to resolve. The previous default "poll" engine
will be used instead.
o [Nsock][Windows] Fix a crash in service scan due to a previously-unknown
error being returned from the IOCP Nsock engine. [Daniel Miller]
o [NSE] Fix several places where Lua's os.time was being used
to represent dates prior to January 1, 1970, which fails on Windows. Notably,
NSE refused to run in UTC+X timezones with the error "time result cannot be
represented in this installation" [Clément Notin, nnposter, Daniel Miller]
o [NSE] MySQL library was not properly parsing server responses,
resulting in script crashes. [nnposter]
o Silence the irrelevant warning, "Your ports include 'T:' but you
haven't specified any TCP scan type" when running nmap -sUV
Nmap 7.90 [2020-10-02]
o [Windows] Upgraded Npcap, our Windows packet capturing (and sending)
library to the milestone 1.00 release! It's the culmination of 7 years of
development with 170 public pre-releases. This includes dozens of
performance improvements, bug fixes, and feature enhancements described
at https://npcap.org/changelog.
o Integrated over 800 service/version detection fingerprints submitted since
August 2017. The signature count went up 1.8% to 11,878, including 17 new
softmatches. We now detect 1237 protocols from airmedia-audio, banner-ivu,
and control-m to insteon-plm, pi-hole-stats, and ums-webviewer. A
significant number of submissions remain to be integrated in the next
release.
o Integrated over 330 of the most-frequently-submitted IPv4 OS fingerprints
since August 2017. Added 26 fingerprints, bringing the new total to 5,678.
Additions include iOS 12 & 13, macOS Catalina & Mojave, Linux 5.4, FreeBSD
13, and more.
o Integrated all 67 of your IPv6 OS fingerprint submissions from August 2017 to
September 2020. Added new groups for FreeBSD 12, Linux 5.4, and Windows 10,
and consolidated several weak groups to improve classification accuracy.
o [NSE] Added 3 NSE scripts, from 2 authors, bringing the total up to 601!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:
+ dicom-brute attempts to brute force the called Application Entity Title
of DICOM servers. [Paulino Calderon]
+ dicom-ping discovers DICOM servers and determines if any Application
Entity Title is allowed to connect. [Paulino Calderon]
+ uptime-agent-info collects system information from an Idera Uptime
Infrastructure Monitor agent. [Daniel Miller]
o Addressed over 250 code quality issues identified by LGTM.com,
improving our code quality score from "C" to "A+"
o Released Npcap OEM Edition. For more than 20 years, the Nmap Project has
been funded by selling licenses for companies to distribute Nmap with
their products, along with commercial support. Hundreds of commercial
products now use Nmap for network discovery tasks like port scanning,
host discovery, OS detection, service/version detection, and of course
the Nmap Scripting Engine (NSE). Until now they have just used standard
Nmap, but this new OEM Edition is customized for use within other Windows
software. Nmap OEM contains the OEM version of our Npcap driver, which
allows for silent installation. It also removes the Zenmap GUI, which
cuts the installer size by more than half. And it reports itself as Nmap
OEM so customers know it's a properly licensed Nmap. See
https://nmap.org/oem for more details. We will be reaching out to all
existing licensees with Nmap OEM access credentials, but any licensees
who wants it quicker should see https://nmap.org/oem.
o Upgraded the Nmap license form a sort of hacked-up version of GPLv2 to a
cleaner and better organized version (still based on GPLv2) now called the
Nmap Public Source License to avoid confusion. See https://nmap.org/npsl/
for more details and annotated license text. This NPSL project was started
in 2006 (community discussion here:
https://seclists.org/nmap-dev/2006/q4/126) and then it lost momentum for 7
years until it was restarted in 2013
(https://seclists.org/nmap-dev/2013/q1/399) and then we got distracted by
development again. We still have some ideas for improving the NPSL, but
it's already much better than the current license, so we're applying NPSL
Version 0.92 to the code now and can make improvements later if
needed. This does not change the license of previous Nmap releases.
o Removed nmap-update. This program was intended to provide a way to update
data files and NSE scripts, but the infrastructure was never fielded. It
depended on Subversion version control and would have required maintaining
separate versions of NSE scripts for compatibility.
o Removed the silent-install command-line option (/S) from the Windows
installer. It causes several problems and there were no objections when we
proposed removing it in 2016 (https://seclists.org/nmap-dev/2016/q4/168).
It will remain in Nmap OEM since its main use was for customers who
redistribute Nmap with other software. If anyone else has a strong need
for an Nmap silent installer, please contact sales@nmap.com and we'll see
what we can do.
o 23 new UDP payloads and dozens more default ports for existing
payloads developed for Rapid7's InsightVM scan engine. These speed up and
ensure detection of open UDP services. [Paul Miseiko, Rapid7]
o Added a UDP payload for STUN (Session Traversal Utilities for NAT).
[David Fifield]
o [NSE] Fixed an off-by-one bug in the stun.lua library that prevented
parsing a server response. [David Fifield]
o Restrict Nmap's search path for scripts and data files.
NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
searched on Windows, where it was previously defined as C:\Nmap .
Additionally, the --script option will not interpret names as directory names
unless they are followed by a '/'. [Daniel Miller]
o Fix an assertion failure when unsolicited ARP response is received:
nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.
o [NSE] New outlib library consolidates functions related to NSE output,
both string formatting conventions and structured output. [Daniel Miller]
o [NSE] New dicom library implements the DICOM protocol used for
storing and transfering medical images. [Paulino Calderon]
o Fix a regression in ARP host discovery left over from the move from
massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in
missing ARP responses from targets near the end of a scan. Accuracy and speed
are both improved. [Daniel Miller]
o Restrict Nmap's search path for scripts and data files.
NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
searched on Windows, where it was previously defined as C:\Nmap .
Additionally, the --script option will not interpret names as directory names
unless they are followed by a '/'. [Daniel Miller]
o Fix the "iocp" Nsock engine for Windows to be able to correctly
handle PCAP read events. This engine is now the default for Windows, which
should greatly improve performance over the previous default, the "poll"
engine. [Daniel Miller]
o Reduced CPU usage of OS scan by 50% by avoiding string copy
operations and removing undocumented fingerprint syntax unused in nmap-os-db
('&' and '+' in expressions). [Daniel Miller]
o Allow multiple UDP payloads to be specified for a port in
nmap-payloads. If the first payload does not get a response, the remaining
payloads are tried round-robin. [Paul Miseiko, Rapid7]
o New option --discovery-ignore-rst tells Nmap to ignore TCP RST
responses when determining if a target is up. Useful when firewalls are
spoofing RST packets. [Tom Sellers, Rapid7]
o [Ncat] It is now possible to override
the value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]
o Fixed parsing of TCP options which would hang (infinite loop) if an
option had an explicit length of 0. Affects Nmap 7.80 only.
[Daniel Miller, Imed Mnif]
o [NSE] Script ssh2-enum-algos would fail if the server initiated
the key exchange before completing the protocol version exchange
[Scott Ellis, nnposter]
o [NSE] Fetching of SSH2 keys might fail because of key exchange
confusion [nnposter]
o [NSE] Performance of script afp-ls has been dramatically improved
[nnposter]
o [NSE] Parsing of AFP FPGetFileDirParms and
FPEnumerateExt2FPEnumerateExt2 responses was not working correctly [nnposter]
o [NSE] Eliminated false positives in script http-shellshock caused by
simple reflection of HTTP request data [Anders Kaseorg]
o [NSE] SNMP scripts are now enabled on non-standard ports where SNMP
has been detected [usd-markus, nnposter]
o [NSE] MQTT library was using incorrect position when parsing
received responses [tatulea]
o [NSE] IPMI library was using incorrect position when parsing
received responses [Star Salzman]
o [NSE] Scripts ipmi-brute and deluge-rpc-brute were not capturing
successfully brute-forced credentials [Star Salzman]
o Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4
addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses
will not be parsed as IP addresses when resuming from XML. [Daniel Miller]
o Fix reverse-DNS handling of PTR records that are not lowercase.
Nmap was failing to identify reverse-DNS names when the DNS server delivered
them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard Schütz, Daniel Miller]
o [NSE] IKE library was not properly populating the protocol
number in aggressive mode requests. [luc-x41]
o Added service fingerprinting for MySQL 8.x, Microsoft SQL
Server 2019, MariaDB, and Crate.io CrateDB. Updated PostreSQL coverage and
added specific detection of recent versions running in Docker. [Tom Sellers]
o New XML output "hosthint" tag emitted during host discovery when a target is
found to be up. This gives earlier notification than waiting for the
hostgroup to finish all scan phases. [Paul Miseiko]
o New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123,
2152, and 3386. [Guillaume Teissier]
o [NSE] SSH scripts now run on several ports likely to be SSH based on
empirical data from Shodan.io, as well as the netconf-ssh service.
[Lim Shi Min Jonathan, Daniel Miller]
o [Zenmap] Stop creating a debugging output file 'tmp.txt' on the
desktop in macOS. [Roland Linder]
o [Nping] Address build failure under libc++ due to "using namespace std;" in
several headers, resulting in conflicting definitions of bind(). Reported by
StormBytePP and Rosen Penev. [Daniel Miller]
o [Ncat] Fix a fatal error when connecting to a Linux VM socket with
verbose output enabled. [Stefano Garzarella]
o [Ncat] Proxy credentials can be alternatively passed onto Ncat by
setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the
credentials getting captured in process logs. [nnposter]
o [NSE] Fixed a crash on Windows when processing a GZIP-encoded HTTP
body. [Daniel Miller]
o Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.
o Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.
o Processing of IP address CIDR blocks was not working
correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]
o [Windows] Add support for the new loopback behavior in Npcap 0.9983 and
later. This enables Nmap to scan localhost on Windows without needing the
Npcap Loopback Adapter to be installed, which was a source of problems for
some users. [Daniel Miller]
o [NSE] MS SQL library has improved version resolution, from service pack level
to individual cumulative updates [nnposter]
o [NSE] With increased verbosity, script http-default-accounts now
reports matched target fingerprints even if no default credentials were found
[nnposter]
o [NSE] IPP request object conversion to string was not working
correctly [nnposter]
o [NSE] IPP response parser was not correctly processing
end-of-attributes-tag [nnposter]
o [NSE] Script cups-info was failing due to erroneous double-decoding
of the IPP printer status [nnposter]
o [NSE] Oracle TNS parser was incorrectly unmarshalling DALC byte
arrays [nnposter]
o [NSE] The password hashing function for Oracle 10g was not working correctly
for non-alphanumeric characters [nnposter]
o [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous
entries present in vhosts-default.lst [nnposter]
o [NSE] Script http-grep was not correctly calculating Luhn
checksum [Colleen Li, nnposter]
o [NSE] Scripts dhcp-discover and broadcast-dhcp-discover now support
new argument "mac" to force a specific client MAC address [nnposter]
o [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts
[nnposter]
o [NSE] RPC code was using incorrect port range, which was causing some calls,
such as NFS mountd, to fail intermittently [nnposter]
o [NSE] XML output from script ssl-cert now includes RSA key modulus
and exponent [nnposter]
o [NSE] Nmap no longer crashes when SMB scripts, such as smb-ls, call
smb.find_files [nnposter]
o [NSE] The MongoDB library was causing errors when assembling protocol
payloads. [nnposter]
o [NSE] The RTSP library was not correctly generating request
strings. [nnposter]
o [NSE] VNC handshakes were failing with insert position out of bounds
error. [nnposter]
o [NSE] Function marshall_dom_sid2 in library msrpctypes was not
correctly populating ID Authority. [nnposter]
o [NSE] Unmarshalling functions in library msrpctypes were attempting
arithmetic on a nil argument. [Ivan Ivanov, nnposter]
o [NSE] Functions lsa_lookupnames2 and lsa_lookupsids2 in library
msrpc were incorrectly referencing function strjoin when called with debug
level 2 or higher. [Ivan Ivanov]
o [NSE] Added HTTP default account fingerprints for Tomcat
Host Manager and Dell iDRAC9. [Clément Notin]
o [NSE] A MS-SMB spec non-compliance in Samba was causing
protocol negotiation to fail with data string too short error.
[Clément Notin, nnposter]
o [NSE] A bug in SMB library was causing scripts to
fail with bad format argument error. [Ivan Ivanov]
o [NSE] The HTTP library no longer crashes when code requests digest
authentication but the server does not provide the necessary authentication
header. [nnposter]
o [NSE] Fixed a bug in http-wordpress-users.nse that could cause
extraneous output to be captured as part of a username. [Duarte Silva]
7.80:
Here is the full list of significant changes:
o [Windows] The Npcap Windows packet capturing library (https://npcap.org/)
is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap
from version 0.99-r2 to 0.9982, including all of these changes from the
last 15 Npcap releases: https://nmap.org/npcap/changelog
o [NSE] Added 11 NSE scripts, from 8 authors, bringing the total up to 598!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:
+ broadcast-hid-discoveryd discovers HID devices on a LAN by
sending a discoveryd network broadcast probe.
+ broadcast-jenkins-discover discovers Jenkins servers on a LAN
by sending a discovery broadcast probe.
+ http-hp-ilo-info extracts information from HP
Integrated Lights-Out (iLO) servers.
+ http-sap-netweaver-leak detects SAP Netweaver Portal with the
Knowledge Management Unit enabled with anonymous access.
+ https-redirect detects HTTP servers that redirect to the same port, but
with HTTPS. Some nginx servers do this, which made ssl-* scripts not run
properly.
+ lu-enum enumerates Logical Units (LU) of TN3270E servers.
+ rdp-ntlm-info extracts Windows domain information from RDP
services.
+ smb-vuln-webexec checks whether the WebExService is installed and allows
code execution.
+ smb-webexec-exploit exploits the WebExService to run arbitrary commands
with SYSTEM privileges.
+ ubiquiti-discovery extracts information from the Ubiquiti
Discovery service and assists version detection.
+ vulners queries the Vulners CVE database API using CPE
information from Nmap's service and application version detection.
o Use pcap_create instead of pcap_live_open in
Nmap, and set immediate mode on the pcap descriptor. This solves packet
loss problems on Linux and may improve performance on other platforms.
o [NSE] Collected utility functions for string processing into a new
library, stringaux.lua.
o [NSE] New rand.lua library uses the best sources of random available on
the system to generate random strings.
o [NSE] New library, oops.lua, makes reporting errors easy, with plenty of
debugging detail when needed, and no clutter when not.
o [NSE] Collected utility functions for manipulating and searching tables
into a new library, tableaux.lua.
o [NSE] New knx.lua library holds common functions and definitions for
communicating with KNX/Konnex devices.
o [NSE] The HTTP library now provides transparent support for gzip-
encoded response body. (See https://github.com/nmap/nmap/pull/1571 for an
overview.)
o [Nsock][Ncat] Add AF_VSOCK (Linux VM sockets) functionality to
Nsock and Ncat. VM sockets are used for communication between virtual
machines and the hypervisor.
o [Security][Windows] Address CVE-2019-1552 in OpenSSL by building with the
prefix "C:\Program Files (x86)\Nmap\OpenSSL". This should prevent
unauthorized users from modifying OpenSSL defaults by writing
configuration to this directory.
o [Security] Reduced LibPCRE resource limits so that
version detection can't use as much of the stack. Previously Nmap could
crash when run on low-memory systems against target services which are
intentionally or accidentally difficult to match. Someone assigned
CVE-2018-15173 for this issue.
o Deprecate and disable the -PR (ARP ping) host discovery
option. ARP ping is already used whenever possible, and the -PR option
would not force it to be used in any other case.
o [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap
7.25BETA2, has native support for binary data packing via string.pack and
string.unpack. All existing scripts and libraries have been updated.
o [NSE] Completely removed the bit.lua NSE library. All of its functions are
replaced by native Lua bitwise operations, except for `arshift`
(arithmetic shift) which has been moved to the bits.lua library. [Daniel
Miller]
o [NSE] The HTTP library is now enforcing a size limit on the
received response body. The default limit can be adjusted with a script
argument, which applies to all scripts, and can be overridden case-by-case
with an HTTP request option. (See https://github.com/nmap/nmap/pull/1571
for details.)
o [NSE] CR characters are no longer treated as illegal in script
XML output.
o Allow resuming nmap scan with lengthy command line [Clément
Notin]
o [NSE] Add TLS support to rdp-enum-encryption. Enables determining
protocol version against servers that require TLS and lays ground work for
some NLA/CredSSP information collection.
o [NSE] Address two protocol parsing issues in rdp-enum-encryption
and the RDP nse library which broke scanning of Windows XP. Clarify
protocol types
o [NSE] Script http-fileupload-exploiter failed to locate its
resource file unless executed from a specific working
directory.
o [NSE] Avoid clobbering the "severity" and "ignore_404" values of
fingerprints in http-enum. None of the standard fingerprints uses these
fields.
o [NSE] Fix a crash caused by a double-free of libssh2 session data
when running SSH NSE scripts against non-SSH services.
o [NSE] Updates the execution rule of the mongodb scripts to be
able to run on alternate ports.
o [Ncat] Allow Ncat to connect to servers on port 0, provided that
the socket implementation allows this.
o Update the included libpcap to 1.9.0.
o [NSE] Fix a logic error that resulted in scripts not honoring the
smbdomain script-arg when the target provided a domain in the NTLM
challenge.
o [Nsock] Avoid a crash (Protocol not supported) caused by trying
to reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel
Miller]
o [NSE] Removed OSVDB references from scripts and replaced them
with BID references where possible.
o [NSE] Updates TN3270.lua and adds argument to disable TN3270E
o RMI parser could crash when encountering invalid input [Clément
Notin]
o Avoid reporting negative latencies due to matching an ARP or ND
response to a probe sent after it was recieved.
o [Ncat] To avoid confusion and to support non-default proxy ports,
option --proxy now requires a literal IPv6 address to be specified using
square-bracket notation, such as --proxy
o [Ncat] New ncat option provides control over
whether proxy destinations are resolved by the remote proxy server or
locally, by Ncat itself. See option --proxy-dns.
o [NSE] Updated script ftp-syst to prevent potential endless
looping.
o New service probes and match lines for v1 and v2 of the Ubiquiti
Discovery protocol. Devices often leave the related service open and it
exposes significant amounts of information as well as the risk of being
used as part of a DDoS. New nmap-payload entry for v1 of the
protocol.
o [NSE] Removed hostmap-ip2hosts.nse as the API has been broken for a while
and the service was completely shutdown on Feb 17th, 2019. [Paulino
Calderon]
o [NSE] Adds TN3270E support and additional improvements to
tn3270.lua and updates tn3270-screen.nse to display the new
setting.
o [NSE] Updates product codes and adds a check for response length
in enip-info.nse. The script now uses string.unpack.
o [Ncat] Temporary RSA keys are now 2048-bit to resolve a
compatibility issue with OpenSSL library configured with security level 2,
as seen on current Debian or Kali.
o [NSE] Fix a crash (double-free) when using SSH scripts against
non-SSH services.
o [Zenmap] Fix a crash when Nmap executable cannot be found and the system
PATH contains non-UTF-8 bytes, such as on Windows.
o [Zenmap] Fix a crash in results search when using the dir: operator:
AttributeError: 'SearchDB' object has no attribute 'match_dir' [Daniel
Miller]
o [Ncat] Fixed an issue with Ncat -e on Windows that caused early
termination of connections.
o [NSE] Fix a false-positive in http-phpmyadmin-dir-traversal when
the server responds with 200 status to a POST request to any
URI.
o [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate
that testing could not rule out vulnerability.
o When searching for Lua header files, actually use them where
they are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel
Miller]
o [NSE] Script traceroute-geolocation no longer crashes when
www.GeoPlugin.net returns null coordinates
o Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not
use higher levels internally.
o [NSE] tls.lua when creating a client_hello message will now only use a
SSLv3 record layer if the protocol version is SSLv3. Some TLS
implementations will not handshake with a client offering less than
TLSv1.0. Scripts will have to manually fall back to SSLv3 to talk to
SSLv3-only servers.
o [NSE] Fix a few false-positive conditions in
ssl-ccs-injection. TLS implementations that responded with fatal alerts
other than "unexpected message" had been falsely marked as
vulnerable.
o Emergency fix to Nmap's birthday announcement so Nmap wishes itself a
"Happy 21st Birthday" rather than "Happy 21th" in verbose mode (-v) on
September 1, 2018.
o Start host timeout clocks when the first probe is sent to a
host, not when the hostgroup is started. Sometimes a host doesn't get
probes until late in the hostgroup, increasing the chance it will time
out.
o [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved
by:
-
- Properly trimming ECS address, as mandated by RFC 7871
- Fixing a bug that prevented using the same ECS option table more than
once
o [Ncat] Fixed communication with commands launched with -e or -c
on Windows, especially when --ssl is used.
o [NSE] Script http-default-accounts can now select more than one
fingerprint category. It now also possible to select fingerprints by name
to support very specific scanning.
o [NSE] Script http-default-accounts was not able to run against more than
one target host/port.
o [NSE] New script-arg `http.host` allows users to force a
particular value for the Host header in all HTTP requests.
o [NSE] Use smtp.domain script arg or target's domain name instead
of "example.com" in EHLO command used for STARTTLS.
o [NSE] Fix brute.lua's BruteSocket wrapper, which was crashing
Nmap with an assertion failure due to socket mixup [Daniel Miller]: nmap:
nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext):
Assertion `lua_gettop(L) == 7' failed.
o [NSE] Handle an error condition in smb-vuln-ms17-010 caused by
IPS closing the connection.
o [Ncat] Fixed literal IPv6 URL format for connecting through HTTP
proxies.
o [NSE] Updates vendors from ODVA list for enip-info.
[NothinRandom]
o [NSE] Add two common error strings that improve MySQL detection
by the script http-sql-injection.
o [NSE] Fix bug in http-vuln-cve2006-3392 that prevented the script
to generate the vulnerability report correctly.
o [NSE] Fix bug related to screen rendering in NSE library
tn3270. This patch also improves the brute force script
tso-brute.
o [NSE] Fix SIP, SASL, and HTTP Digest authentication when the
algorithm contains lowercase characters.
o Nmap could be fooled into ignoring TCP response packets if they
used an unknown TCP Option, which would misalign the validation, causing
it to fail.
o [NSE]The HTTP response parser now tolerates status lines without a reason
phrase, which improves compatibility with some HTTP servers.
o [NSE]] Parser for HTTP Set-Cookie header
is now more compliant with RFC 6265:
- empty attributes are tolerated
- double quotes in cookie and/or attribute values are treated literally
- attributes with empty values and value-less attributes are parsed
equally
- attributes named "name" or "value" are ignored
o [NSE] Fix parsing http-grep.match script-arg. [Hans van den
Bogert]
o [Zenmap] Avoid a crash when recent_scans.txt cannot be written
to.
o Fixed --resume when the path to Nmap contains spaces.
o New service probe and match lines for adb, the Android Debug Bridge, which
allows remote code execution and is left enabled by default on many
devices.
7.70:
We're excited to make our first Nmap release of 2018--version 7.70! It
includes hundreds of new OS and service fingerprints, 9 new NSE scripts
(for a total of 588), a much-improved version of our Npcap windows packet
capturing library/driver, and service detection improvements to make -sV
faster and more accurate.
o Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
with installation and compatibility with the Windows 10 Creators Update.
o NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students.
o Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+ ftp-syst sends SYST and STAT commands to FTP servers to get system version
and connection information.
+ http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting
Joomla! 3.7.x before 3.7.1.
+ iec-identify probes for the IEC 60870-5-104 SCADA protocol.
+ openwebnet-discovery retrieves device identifying information and
number of connected devices running on openwebnet protocol.
+ puppet-naivesigning checks for a misconfiguration in the Puppet CA where
naive signing is enabled, allowing for any CSR to be automatically signed.
+ smb-protocols discovers if a server supports dialects NT LM 0.12
(SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
smbv2-enabled script.
+ smb2-capabilities lists the supported capabilities of SMB2/SMB3
servers.
+ smb2-time determines the current date and boot date of SMB2
servers.
+ smb2-security-mode determines the message signing configuration of
SMB2/SMB3 servers.
+ smb2-vuln-uptime attempts to discover missing critical patches in
Microsoft Windows systems based on the SMB2 server uptime.
+ ssh-auth-methods lists the authentication methods offered by an SSH server.
+ ssh-brute performs brute-forcing of SSH password credentials.
+ ssh-publickey-acceptance checks public or private keys to see if they could
be used to log in to a target. A list of known-compromised key pairs is
included and checked by default.
+ ssh-run uses user-provided credentials to run commands on targets via SSH.
o Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.
o Added Datagram TLS (DTLS) support to Ncat in connect (client)
mode with --udp --ssl. Also added Application Layer Protocol Negotiation
(ALPN) support with the --ssl-alpn option.
o Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed.
o Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
Exec Agent 15 or 16.
o Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed.
o FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary.
o Function url.escape no longer encodes so-called "unreserved"
characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
o Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230.
o The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g. "1.0".
o Fix handling of the objectSID Active Directory attribute
by ldap.lua.
o Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
Carriage Return characters were being sent in the connection packets, likely
resulting in failure of the script.
o http-useragent-checker now checks for changes in HTTP status
(usually 403 Forbidden) in addition to redirects to indicate forbidden User
Agents.
o [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
o Integrated all of your service/version detection fingerprints submitted from
September to March (855 of them). The signature count went up 2.9% to 11,418.
We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
o [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
o [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
o [NSE][GH-266][GH-704][GH-238][GH-883] NSE libraries smb and msrpc now use
fully qualified paths. SMB scripts now work against all modern versions
of Microsoft Windows. [Paulino Calderon]
o [NSE] smb library's share_get_list now properly uses anonymous connections
first before falling back authenticating as a known user.
o New service probes and matches for Apache HBase and Hadoop MapReduce.
[Paulino Calderon]
o Extended Memcached service probe and added match for Apache ZooKeeper.
[Paulino Calderon]
o [NSE] New script argument "vulns.short" will reduce vulns library script
output to a single line containing the target name or IP, the vulnerability
state, and the CVE ID or title of the vulnerability. [Daniel Miller]
o [NSE][GH-862] SNMP scripts will now take a community string provided like
`--script-args creds.snmp=private`, which previously did not work because it
was interpreted as a username. [Daniel Miller]
o [NSE] Resolved several issues in the default HTTP redirect rules:
- [GH-826] A redirect is now cancelled if the original URL contains
embedded credentials
- [GH-829] A redirect test is now more careful in determining whether
a redirect destination is related to the original host
- [GH-830] A redirect is now more strict in avoiding possible redirect
loops
[nnposter]
o [NSE][GH-766] The HTTP Host header will now include the port unless it is
the default one for a given scheme. [nnposter]
o [NSE] The HTTP response object has a new member, fragment, which contains
a partially received body (if any) when the overall request fails to
complete. [nnposter]
o [NSE][GH-866] NSE now allows cookies to have arbitrary attributes, which
are silently ignored (in accordance with RFC 6265). Unrecognized attributes
were previously causing HTTP requests with such cookies to fail. [nnposter]
o [NSE][GH-844] NSE now correctly parses a Set-Cookie header that has unquoted
whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
o [NSE][GH-731] NSE is now able to process HTTP responses with a Set-Cookie
header that has an extraneous trailing semicolon. [nnposter]
o [NSE][GH-708] TLS SNI now works correctly for NSE HTTP requests initiated
with option any_af. As an added benefit, option any_af is now available for
all connections via comm.lua, not just HTTP requests. [nnposter]
o [NSE][GH-781] There is a new common function, url.get_default_port(),
to obtain the default port number for a given scheme. [nnposter]
o [NSE][GH-833] Function url.parse() now returns the port part as a number,
not a string. [nnposter]
o No longer allow ICMP Time Exceeded messages to mark a host as down during
host discovery. Running traceroute at the same time as Nmap was causing
interference. [David Fifield]
o [NSE][GH-807] Fixed a JSON library issue that was causing long integers
to be expressed in the scientific/exponent notation. [nnposter]
o [NSE] Fixed several potential hangs in NSE scripts that used
receive_buf(pattern), which will not return if the service continues to send
data that does not match pattern. A new function in match.lua, pattern_limit,
is introduced to limit the number of bytes consumed while searching for the
pattern. [Daniel Miller, Jacek Wielemborek]
o [Nsock] Handle any and all socket connect errors the same: raise as an Nsock
error instead of fatal. This prevents Nmap and Ncat from quitting with
"Strange error from connect:" [Daniel Miller]
o [NSE] Added several commands to redis-info to extract listening addresses,
connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
o [NSE][GH-679][GH-681] Refreshed script http-robtex-reverse-ip, reflecting
changes at the source site (www.robtex.com). [aDoN]
o [NSE][GH-620][GH-715] Added 8 new http-enum fingerprints for Hadoop
infrastructure components. [Thomas Debize, Varunram Ganesh]
o [NSE][GH-629] Added two new fingerprints to http-default-accounts
(APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
o [NSE][GH-716] Fix for oracle-tns-version which was sending an invalid TNS
probe due to a string escaping mixup. [Alexandr Savca]
o [NSE][GH-694] ike-version now outputs information about supported attributes
and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was
submitted by Alexis La Goutte. [Daniel Miller]
o [GH-700] Enabled support for TLS SNI on the Windows platform. [nnposter]
o [GH-649] New service probe and match lines for the JMON and RSE services of
IBM Explorer for z/OS. [Soldier of Fortran]
o Removed a duplicate service probe for Memcached added in 2011 (the original
probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
o New service probe and match line for NoMachine NX Server remote desktop.
[Justin Cacak]
o [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap
was installed to /Applications/Applications/Zenmap.app instead of
/Applications/Zenmap.app.
o [Zenmap][GH-639] Zenmap will no longer crash when no suitable temporary
directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
o [Zenmap][GH-626] Zenmap now properly handles the -v0 (no output) option,
which was added in Nmap 7.10. Previously, this was treated the same as not
specifying -v at all. [lymanZerga11]
o [GH-630] Updated or removed some OpenSSL library calls that were deprecated
in OpenSSL 1.1. [eroen]
o [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]
o [NSE][GH-627] Fixed script hang in several brute scripts due to the "threads"
script-arg not being converted to a number. Error message was
"nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
ok pettai@
Changes:
Nmap 7.30 [2016-09-29]
Integrated all 12 of your IPv6 OS fingerprint submissions from June to September. No new groups, but several classifications were strengthened, especially Windows localhost and OS X. [Daniel Miller]
[NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
[GH#369] coap-resources grabs the list of available resources from CoAP endpoints. [Mak Kolybabi]
fox-info retrieves detailed version and configuration info from Tridium Niagara Fox services. [Stephen Hilt]
ipmi-brute performs authentication brute-forcing on IPMI services. [Claudiu Perta]
ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows connection without a password. [Claudiu Perta]
ipmi-version retrieves protocol version and authentication options from ASF-RMCP (IPMI) services. [Claudiu Perta]
[GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics, and lists the messages received. [Mak Kolybabi]
pcworx-info retrieves PLC model, firmware version, and date from Phoenix Contact PLCs. [Stephen Hilt]
Upgraded Npcap, our new Windows packet capturing driver/library, from version to 0.09 to 0.10r2. This includes many bug fixes, with a particular on emphasis on concurrency issues discovered by running hundreds of Nmap instances at a time. More details are available from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel Miller, Fyodor]
New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx, ProConOS, and Tridium Fox, [Stephen Hilt, Mak Kolybabi, Daniel Miller]
Improved some output filtering to remove or escape carriage returns ('\r') that could allow output spoofing by overwriting portions of the screen. Issue reported by Adam Rutherford. [Daniel Miller]
[NSE] Fixed a few bad Lua patterns that could result in denial of service due to excessive backtracking. [Adam Rutherford, Daniel Miller]
Fixed a discrepancy between the number of targets selected with -iR and the number of hosts scanned, resulting in output like "Nmap done: 1033 IP addresses" when the user specified -iR 1000. [Daniel Miller]
Fixed a bug in port specification parsing that could cause extraneous 'T', 'U', 'S', and 'P' characters to be ignored when they should have caused an error. [David Fifield]
[GH#543] Restored compatibility with LibreSSL, which was lost in adding library version checks for OpenSSL 1.1. [Wonko7]
[Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting in this message instead of Ndiff output:
ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find:
/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
Reported by Kyle Gustafson. [Daniel Miller]
[NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to not output TLSv1.2 info with DHE ciphersuites or others involving ServerKeyExchange messages. [Daniel Miller]
[NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now shows the Subject Alternative Name extension; all extensions are shown in the XML output. [Daniel Miller]
Nmap 7.25BETA2 [2016-09-01]
[GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC" SHA256 certificate. This should give our users extra peace-of-mind and avoid triggering Microsoft's ever-increasing security warnings.
[NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a utf8 library, and native binary packing and unpacking functions. Removed bit library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick Donnelly]
[NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed at https://nmap.org/nsedoc/, and the summaries are below:
oracle-tns-version decodes the version number from Oracle Database Server's TNS listener. [Daniel Miller]
clock-skew analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. [Daniel Miller]
Integrated all of your service/version detection fingerprints submitted from January to April (578 of them). The signature count went up 2.2% to 10760. We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
Upgraded Npcap, our new Windows packet capturing driver/library, from version 0.07-r17 to 0.09. This includes many improvements you can read about at https://github.com/nmap/npcap/releases.
[Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows Overlapped I/O API to improve performance of version scan and NSE against many targets on Windows. [Tudor Emil Coman]
[GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC" SHA256 certificate. This should give our users extra peace-of-mind and avoid triggering Microsoft's ever-increasing security warnings.
Various performance improvements for large-scale high-rate scanning, including increased ping host groups, faster probe matching, and ensuring data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
[NSE] Added the oracle-tns-version NSE script which decodes the version number from Oracle Database Server's TNS listener. https://nmap.org/nsedoc/scripts/oracle-tns-version.html [Daniel Miller]
[NSE] Added the clock-skew NSE script which analyzes and reports clock skew between Nmap and services that report timestamps, grouping hosts with similar skews. https://nmap.org/nsedoc/scripts/clock-skew.html [Daniel Miller]
[Zenmap] Long-overdue Spanish language translation has been added! Muy bien! [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
[Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only zenmap.conf. User will be warned that config cannot be saved and that they should fix the file permissions. [Daniel Miller]
[NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support, like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers will label the ciphersuite strength as "unknown." Reported by Bertrand Bonnefoy-Claudet. [Daniel Miller]
[NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations against LDAP services when version detection or STARTTLS were used. [Tom Sellers]
[Zenmap] Long-overdue Spanish language translation has been added! Muy bien! [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
[GH#426] Remove a workaround for lack of selectable pcap file descriptors on Windows, which required including pcap-int.h and locking us to a single version of libpcap. The new method, using WaitForSingleObject should work with all versions of both WinPcap and Npcap. [Daniel Miller]
[NSE][GH#234] Added a --script-timeout option for limiting run time for every individual NSE script. [Abhishek Singh]
[Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in traditional netcat, it can be used to quickly check the status of a port. Port ranges are not supported since we recommend a certain other tool for port scanning. [Abhishek Singh]
Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and "nmap" with no options result in the same behaviors as on Linux (and no crashes) [Daniel Miller]
[NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode, which are vulnerable to the SWEET32 attack.
[NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when the wordlist contains "{cisco}". Previously, custom wordlists would still end up sending these extra 256 requests. [Sriram Raghunathan]
[GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated completion time. Instead, we'll output a diagnostic error message:
Timing error: localtime(n) is NULL
where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
[NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
[NSE] Added 9 new fingerprints for script http-default-accounts. (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix, Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor) [nnposter]
[NSE] Completed a refresh and validation of almost all fingerprints for script http-default-accounts. Also improved the script speed. [nnposter]
[GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in IPv4. [Abhishek Singh]
Various performance improvements for large-scale high-rate scanning, including increased ping host groups, faster probe matching, and ensuring data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
[GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
[GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
[Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl and --max-conns, due to improper accounting of file descriptors. [Daniel Miller]
FTP Bounce scan: improved some edge cases like anonymous login without password, 500 errors used to indicate port closed, and timeouts for LIST command. Also fixed a 1-byte array overrun (read) when checking for privileged ports. [Daniel Miller]
[GH#140] Allow target DNS names up to 254 bytes. We previously imposed an incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
[NSE] The hard limit on number of concurrently running scripts can now increase above 1000 to match a high user-set --min-parallelism value. [Tudor Emil Coman]
[NSE] Solved a memory corruption issue that would happen if a socket connect operation produced an error immediately, such as Network Unreachable. The event handler was throwing a Lua error, preventing Nsock from cleaning up properly, leaking events. [Abhishek Singh, Daniel Miller]
[NSE] Added the datetime library for performing date and time calculations, and as a helper to the clock-skew script.
[GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully handling truncated replies. If a response is too long, we now fall back to using the system resolver to answer it. [Abhishek Singh]
[Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]
Nmap 7.25BETA1 [2016-07-15]
Nmap now ships with and uses Npcap, our new packet sniffing library for Windows. It's based on WinPcap (unmaintained for years), but uses modern Windows APIs for better performance. It also includes security improvements and many bug fixes. See http://npcap.org. And it enables Nmap to perform SYN scans and OS detection against localhost, which we haven't been able to do on Windows since Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel Miller, Fyodor]
[NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets):
clamav-exec detects ClamAV servers vulnerable to unauthorized clamav command execution. [Paulino Calderon]
http-aspnet-debug detects ASP.NET applications with debugging enabled. [Josh Amishav-Zlatin]
http-internal-ip-disclosure determines if the web server leaks its internal IP address when sending an HTTP/1.0 request without a Host header. [Josh Amishav-Zlatin]
[GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps its configuration. [Frank Spierings]
[GH#365] sslv2-drown detects vulnerability to the DROWN attack, including CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL. [Bertrand Bonnefoy-Claudet]
vnc-title logs in to VNC servers and grabs the desktop title, geometry, and color depth. [Daniel Miller]
Integrated all of your IPv4 OS fingerprint submissions from January to April (539 of them). Added 98 fingerprints, bringing the new total to 5187. Additions include Linux 4.4, Android 6.0, Windows Server 2016, and more. [Daniel Miller]
Integrated all 31 of your IPv6 OS fingerprint submissions from January to June. The classifier added 2 groups and expanded several others. Several Apple OS X groups were consolidated, reducing the total number of groups to 93. [Daniel Miller]
Update oldest supported Windows version to Vista (Windows 6.0). This enables the use of the poll Nsock engine, which has significant performance and accuracy advantages. Windows XP users can still use Nmap 7.12, available from https://nmap.org/dist/?C=M&O=D [Daniel Miller]
[NSE] Fix a crash that happened when trying to print the percent done of 0 NSE script threads:
timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
This would happen if no scripts were scheduled in a scan phase and the user pressed a key or specified a short --stats-every interval. Reported by Richard Petrie. [Daniel Miller]
[GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown address family 0" crash on Windows and other platforms that do not set the src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
Retrieve the correct network prefix length for an adapter on Windows. If more than one address was configured on an adapter, the same prefix length would be used for both. This incorrect behavior is still used on Windows XP and earlier. Reported by Niels Bohr. [Daniel Miller]
Changed libdnet-stripped to avoid bailing completely when an interface is encountered with an unsupported hardware address type. Caused "INTERFACES: NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address types. [Daniel Miller]
Improved service detection of Docker and fixed a bug in the output of docker-version script. [Tom Sellers]
Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service probes were matching on port 3389 before our specific Terminal Services probe, causing the port to be labeled as "ssl/unknown". Reported by Josh Amishav-Zlatin.
[NSE] Update to enable smb-os-discovery to augment version detection for certain SMB related services using data that the script discovers. [Tom Sellers]
Improved version detection and descriptions for Microsoft and Samba SMB services. Also addresses certain issues with OS identification. [Tom Sellers]
[NSE] ssl-enum-ciphers will give a failing score to any server with an RSA certificate whose public key uses an exponent of 1. It will also cap the score of an RC4-ciphersuite handshake at C and output a warning referencing RFC 7465. [Daniel Miller]
[NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua . [Daniel Miller]
[GH#399] Zenmap's authorization wrapper now uses an AppleScript method for privilege escalation on OS X, avoiding the deprecated AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]
[GH#454] The OS X binary package is distributed in a .dmg disk image that now features an instructive background image. [Vincent Dumont]
[GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to provide all dependencies. We no longer use Macports for this purpose. [Vincent Dumont]
[GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of next to the zenmap.exe executable. This avoids a warning message when closing Zenmap if it produced any stderr output. [Daniel Miller]
[GH#379][NSE] Fix http-iis-short-name-brute to report non vulnerable hosts. Reported by alias1. [Paulino Calderon]
[NSE][GH#371] Fix mysql-audit by adding needed library requires to the mysql-cis.audit file. The script would fail with "Failed to load rulebase" message. [Paolo Perego]
[NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse. Also added version detection and information extraction to match the new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
[GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The Probes will elicit responses from target services that allow better finger -printing and information extraction. Also added nmap-payload entry for detecting LDAP on udp. [Tom Sellers]
[NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of authentication sub-types in vnc-info, and all zero-authentication types are recognized and reported. [Daniel Miller]
o [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing
many null ("\x00") characters. Example exception:
ValueError: unable to parse colour specification
o [NSE] VNC updates including vnc-brute support for TLS security type and
negotiating a lower RFB version if the server sends an unknown higher
version.
o [NSE] Added STARTTLS support for VNC, NNTP, and LMTP
o Added new service probes and match lines for OpenVPN on UDP and TCP.
o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
This promises to reduce a lot of the problems we've had with local paths and
dependencies using the py2app and macports build system. [Daniel Miller]
o The Windows installer is now built with NSIS 2.47 which features LoadLibrary
security hardening to prevent DLL hijacking and other unsafe use of temporary
directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
us and the many other projects that use it.
o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM)
to 1.0.2e.
o [Zenmap] [GH-235] Fix several failures to launch Zenmap on OS X. The new
build process eliminates these errors:
IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.
o [NSE] [GH-254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
match the one in nmap-service-probes, which was fixed previously to correct a
length calculation error. [Daniel Miller]
o [NSE] [GH-251] Correct false positives and unexpected behavior in http-*
scripts which used http.identify_404 to determine when a file was not found
on the target. The function was following redirects, which could be an
indication of a soft-404 response. [Tom Sellers]
o [NSE] [GH-241] Fix a false-positive in hnap-info when the target responds
with 200 OK to any request. [Tom Sellers]
o [NSE] [GH-244] Fix an error response in xmlrpc-methods when run against a
non-HTTP service. The expected behavior is no output. [Niklaus Schiess]
o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.
o Integrated all of your IPv4 OS fingerprint submissions since June 2013
(2700+ of them). Added 366 fingerprints, bringing the new total to 4485.
Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2,
OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
Highlights: http://seclists.org/nmap-dev/2014/q3/325
o (Windows) Upgraded the included OpenSSL to version 1.0.1i.
o (Windows) Upgraded the included Python to version 2.7.8.
o Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This
was added in 6.45, and resulted in trouble for Nmap XML parsers without
network access, as well as increased traffic to Nmap's servers. The doctype
is now:
<!DOCTYPE nmaprun>
o [Ndiff] Fixed the installation process on Windows, which was missing the
actual Ndiff Python module since we separated it from the driver script.
o [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution,
which was giving the error, "\Microsoft was unexpected at this time." See
https://support.microsoft.com/kb/2524009
o [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch,
producing this error:
Could not import the zenmapGUI.App module:
'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2):
Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n
Referenced from:
/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\n
Reason: image not found'.
o [Ncat] Fixed SOCKS5 username/password authentication. The password length was
being written in the wrong place, so authentication could not succeed.
o Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts
this to the string "(null)", but it caused segfault on Solaris.
o [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package
installed. Python tries to be nice and loads it when we import xml, but it
isn't compatible. Instead, we force Python to use the standard library xml
module.
o Handle ICMP admin-prohibited messages when doing service version detection.
Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ
callback. Error code: 101 (Network is unreachable)
o [NSE] Fix a bug causing http.head to not honor redirects.
o [Zenmap] Fix a bug in DiffViewer causing this crash:
TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only
buffer, not NmapParserSAX
Crash happened when trying to compare two scans within Zenmap.
changes:
-scripting improvements
-added lua scripting support to ncat
-hundreds of new OS and service detection signatures
-version scanning through a chain of proxies
-improved target specification
-performance enhancements and bug fixes
pkgsrc note: added "lua" option
approved by The Maintainer
o [NSE] Added CPE to smb-os-discovery output.
o [Ncat] Fixed the printing of warning messages for large arguments to
the -i and -w options.
o [Ncat] Shut down the write part of connected sockets in listen mode
when stdin hits EOF, just as was already done in connect mode.
o [Zenmap] Removed a crashing error that could happen when canceling a
"Print to File" on Windows:
Traceback (most recent call last):
File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
File "zenmapGUI\Print.pyo", line 156, in run_print_operation
GError: Error from StartDoc
o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
SquirrelMail, RoundCube.
o Added some new checks for failed library calls.
"The Nmap Project is pleased to announce the immediate, free availability
of the Nmap Security Scanner version 6.00 from http://nmap.org/.
It is the product of almost three years of work, 3,924 code commits,
and more than a dozen point releases since the big Nmap 5 release in July
2009. Nmap 6 includes a more powerful Nmap Scripting Engine, 289 new scripts,
better web scanning, full IPv6 support, the Nping packet prober, faster scans, and much more! We recommend that all current users upgrade."
Here is a condensed Changelog:
Nmap 6.01 [2012-06-13]
o [Zenmap] Fixed a hang that would occur on Mac OS X 10.7.
o [Zenmap] Fixed a crash that happened when activating the host filter.
o Fixed a bug that caused Nmap to fail to find any network interface when
at least one of them is in the monitor mode.
http://seclists.org/nmap-dev/2012/q2/449http://seclists.org/nmap-dev/2012/q2/478
o Fixed the greppable output of hosts that time-out.
Nmap 6.00 [2012-05-21]
o Most important release since Nmap 5.00 in July 2009! For a list of
the most significant improvements and new features, see the
announcement at: http://nmap.org/6
o Some XML output improvements...
o Lots of NSE scripts added and updated...
o Fixed the routing table loop on OS X so that on-link routes appear.
o Upgraded included libpcap to version 1.2.1.
o Fixed a compilation problem on Solaris 9 caused by a missing
definition of IPV6_V6ONLY.
o Setting --min-parallelism by itself no longer forces the maximum
parallelism to the same value.
o [Zenmap] Fixed a crash that would happen in the profile editor when
the script.db file doesn't exist.
o [Zenmap] It is now possible to compare scans having the same name or
command line parameters.
o Fixed an error that could occur with ICMPv6 probes and -d4 debugging:
"Unexpected probespec2ascii type encountered"
o Applied a workaround to make pcap captures work better on Solaris 10.
o Fixed a bug that could cause Nsock timers to fire too early.
o Changed the way timeout calculations are made in the IPv6 OS engine.
Nmap 5.61TEST5 [2012-03-09]
o Integrated all of your IPv4 OS fingerprint submissions since June
2011 (about 1,900 of them). Added about 256 new fingerprints (and
deleted some bogus ones), bringing the new total to 3,572.
Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
devices. Many existing fingerprints were improved. For more details,
see http://seclists.org/nmap-dev/2012/q1/431
o Integrated all of your service/version detection fingerprints
submitted since November 2010--more than 2,500 of them! Our
signature count increased more than 10% to 7,423 covering 862
protocols. Some amusing and bizarre new services are described at
http://seclists.org/nmap-dev/2012/q1/359
o Integrated your latest IPv6 OS submissions and corrections. We're
still low on IPv6 fingerprints, so please scan any IPv6 systems you
own or administer and submit them to http://nmap.org/submit/. Both
new fingerprints (if Nmap doesn't find a good match) and corrections
(if Nmap guesses wrong) are useful.
o IPv6 OS detection now includes a novelty detection system which
avoids printing a match when an observed fingerprint is too
different from fingerprints seen before. As the OS database is still
small, this helps to avoid making (essentially) wild guesses when
seeing a new operating system.
o Refactored the nsock library to add the nsock-engines system.
o [NSE] Added 43(!) NSE scripts, bringing the total up to 340.
o CPE (Common Platform Enumeration) OS classification is now supported
for IPv6 OS detection.
[...]
Nmap 5.61TEST4 [2012-01-02] -> Nmap 5.61TEST1
[...]
Lots of Bugfixes!
Thanks to jschauma@ for analysing a NetBSD related problem,
and to David Fifield for providing the (upstream) patch.
o [Ndiff] Added support for prerule and postrule scripts.
o [NSE] Fixed a bug which caused some NSE scripts to fail due to the
absence of the NSE SCRIPT_NAME environment variable when loaded.
o [Zenmap] Selecting one of the scan targets in the left pane is
supposed to jump to that host in the Nmap Output in the right pane
(but it wasn't).
o Fixed an obscure bug in Windows interface matching. If the MAC
address of an interface couldn't be retrieved, it might have been
used instead of the correct interface.
o [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor
that used shortport functions incorrectly and always returned
true.
o [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed:
status and address.
o [Ndiff] Fixed the ordering of hostscript-related elements in XML
output.
o [NSE] Fixed a bug in the nrpe-enum script that would make it run for
every port (when it was selected--it isn't by default).
o [NSE] When an NSE script sets a negative socket timeout, it now
causes a controlled Lua stack trace instead of a fatal error.
o [Zenmap] Worked around an error that caused the py2app bootstrap
executable to be non-universal even when the rest of the application
was universal. This prevented the binary .dmg from working on
PowerPC.
o [Ndiff] Fixed an output line that wasn't being redirected to a file
when all other output was.
Some of the highlights are:
o [Zenmap] Added a new script selection interface, allowing you to
choose scripts and arguments from a list.
o [Nping] Added echo mode, learn more about echo mode at
http://nmap.org/book/nping-man-echo-mode.html.
o [NSE] Added an amazing 46 scripts, bringing the total to 177!
You can learn more about any of them at http://nmap.org/nsedoc/
o [NSE] Added 12 new protocol libraries.
o [NSE] Added a new brute library that provides a basic framework and logic
for brute force password auditing scripts.
o [Zenmap] Greatly improved performance for large scans by
benchmarking intensively and then recoding dozens of slow parts.
o Performed a major OS detection integration run. The database has
grown more than 14% to 2,982 fingerprints and many of the existing
fingerprints were improved. David posted highlights of his integration work at
http://seclists.org/nmap-dev/2010/q4/651
o Performed a huge version detection integration run. The number of
signatures has grown by more than 11% to 7,355. David posted highlights at
http://seclists.org/nmap-dev/2010/q4/761
o [NSE] Nmap has two new NSE script scanning phases. See
http://nmap.org/book/nse-usage.html#nse-script-types
o Dramatically improved nmap.xsl (used for converting Nmap XML output
to HTML).
o Integrated cracked passwords from the Gawker.com compromise
(http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
password database.
o Merged port names in the nmap-services file with allocated names
from the IANA (http://www.iana.org/assignments/port-numbers).
o [Zenmap] Made the topology node radiuses grow logarithmically
instead of linearly, so that hosts with thousands of open ports
don't overwhelm the diagram.
o Improved IPv6 host output in that we now remember and report the
forward DNS name (given by the user) and any non-scanned addresses
(usually because of round robin DNS).
o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
messages about gtk.Tooltip.
o [NSE] Enhance ssl-cert to also report the type and bit size of SSL
certificate public keys.
o [Nping] Nping now limits concurrent open file descriptors properly
based on the resources available on the host.
o Ncat now logs Nsock debug output to stderr instead of stdout for
consistency with its other debug messages.
o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
a struct of the same name in <netinet/sctp.h>.
o [NSE] Host tables now have a host.traceroute member available when
--traceroute is used.
o Nmap now prints the MTU for interfaces in --iflist output.
o [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
Nmap NSE, allowing them to connect to servers which run multiple SSL
websites on one IP address.
o [Nsock] Added a new function, nsi_set_hostname, to set the intended
hostname of the target.
o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
but no SSLv2 ciphers are offered.
o Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
which were improperly sending whole packets in version 5.35DC1.
o [NSE] When receiving raw packets from Pcap, the packet capture time
is now available to scripts as an additional return value from
pcap_receive().
o Updated IANA IP address space assignment list for random IP (-iR)
generation.
o [Ncat] Ncat now uses case-insensitive string comparison when
checking authentication schemes and parameters.
o [NSE] There is now a limit of 1,000 concurrent running scripts,
instituted to keep memory under control when there are many open
ports.
Plus many bugfixes and improvements.
For full changelog, see http://nmap.org/changelog.html
Some of the highlights are:
o [NSE] Added more scripts, bringing the total to 131!
o Performed a major OS detection integration run.
o Performed a large version detection integration run.
o [Zenmap] Added the ability to print Nmap output to a printer.
o [Nmap, Ncat, Nping] The default unit for time specifications is now
seconds, not milliseconds, and times may have a decimal point.
o Ports are now considered open during a SYN scan if a SYN packet
(without the ACK flag) is received in response.
o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
single connection and then exit, just like in normal listen mode.
o UDP payloads are now stored in an external data file, nmap-payloads,
instead of being hard-coded in the executable.
o Added a new library, libnetutil, which contains about 2,700 lines of
networking related code which is now shared between Nmap and Nping
o Improved service detection match lines.
o Improved our brute force password guessing list by mixing in some
data sent in by Solar Designer of John the Ripper fame.
o [Zenmap] IP addresses are now sorted by octet rather than their
string representation.
o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
prints the connecting source port along with the IP address.
o Added EPROTO to the list of known error codes in service scan.
o Updated IANA IP address space assignment list for random IP (-iR)
generation.
o Zenmap's "slow comprehensive scan profile" has been modified to use
the best 7-probe host discovery combination we were able to find in
extensive empirical testing
o Zenmap now lets you save scan results in normal Nmap text output
format or (as before) as XML.
o [NSE] Raw packet sending at the IP layer is now supported, in
addition to the existing Ethernet sending functionality.
o Nmap now honors routing table entries that override interface
addresses and netmasks.
o [Ncat] The HTTP proxy server now accepts client connections over
SSL, and added support for HTTP digest authentication of proxies, as
both client and server.
o Improved the MIT Kerberos version detection signatures.
Plus many bugfixes and improvements.
For full changelog, see http://nmap.org/changelog.html
Some of highlights are:
o Dramatically improved the version detection database, integrating
2,596 submissions that users contributed since February 3, 2009!
o Added 7 new NSE scripts for a grand total of 79!
o Performed a memory consumption audit and made changes to
dramatically reduce Nmap's footprint.
o A major service detection submission integration.
o Added some new service detection probes
o Added 14 new NSE scripts for a grand total of 72! You can learn
about them all at http://nmap.org/nsedoc/. Here are the new ones:
o Nmap's --traceroute has been rewritten for better performance.
o Integrated 1,349 fingerprints (and 81 corrections).
o [NSE] Default socket parallelism has been doubled from 10 to 20.
o [NSE] Now supports worker threads
o Zenmap now includes ports in the services view whenever Nmap found
them "interesting," whatever their state.
o [Ncat, Ndiff] The exit codes of these programs now reflect whether
they succeeded.
o Optimize MAC address prefix lookup by using an std::map
o Canonicalized the list of OS detection device types to a smaller set.
o Zenmap's UI performance has improved significantly.
o [NSE] socket garbage collection was rewritten for better performance.
Many many bugfixes!
For full changelog, see http://nmap.org/changelog.html
Ok'ed during freeze by wiz@
Fix for PR#41506
Fix missing @dirrm entries from PLIST*
Before we go into the detailed changes, here are the top 5 improvements in Nmap 5:
1. The new Ncat tool aims to be your Swiss Army Knife for data transfer, redirection, and debugging. We released a whole users' guide detailing security testing and network administration tasks made easy with Ncat.
2. The addition of the Ndiff scan comparison tool completes Nmap's growth into a whole suite of applications which work together to serve network administrators and security practitioners. Ndiff makes it easy to automatically scan your network daily and report on any changes (systems coming up or going down or changes to the software services they are running). The other two tools now packaged with Nmap itself are Ncat and the much improved Zenmap GUI and results viewer.
3. Nmap performance has improved dramatically. We spent last summer scanning much of the Internet and merging that data with internal enterprise scan logs to determine the most commonly open ports. This allows Nmap to scan fewer ports by default while finding more open ports. We also added a fixed-rate scan engine so you can bypass Nmap's congestion control algorithms and scan at exactly the rate (packets per second) you specify.
4. We released Nmap Network Scanning, the official Nmap guide to network discovery and security scanning. From explaining port scanning basics for novices to detailing low-level packet crafting methods used by advanced hackers, this book suits all levels of security and networking professionals. A 42-page reference guide documents every Nmap feature and option, while the rest of the book demonstrates how to apply those features to quickly solve real-world tasks. More than half the book is available in the free online edition.
5. The Nmap Scripting Engine (NSE) is one of Nmap's most powerful and flexible features. It allows users to write (and share) simple scripts to automate a wide variety of networking tasks. Those scripts are then executed in parallel with the speed and efficiency you expect from Nmap. All existing scripts have been improved, and 32 new ones added. New scripts include a whole bunch of MSRPC/NetBIOS attacks, queries, and vulnerability probes; open proxy detection; whois and AS number lookup queries; brute force attack scripts against the SNMP and POP3 protocols; and many more. All NSE scripts and modules are described in the new NSE documentation portal.
Details are here: http://nmap.org/changelog.html
actual length of each item is never less than sizeof(struct ifreq), but
may be more than that. If the platform's struct sockaddr has an sa_len
field, and if the length in sa_len is larger then the space available in
ifr_ifru, then the data extends beyond the end of the ifr_ifru field by
the difference in sizes.
Fixed the --script-updatedb command
Fixed several byte-order bugs in Traceroute
Service fingerprints in XML output are no longer be truncated
Added a UDP SNMPv3 probe to version detection
Zenmap no longer leaves any temporary files lying around.
*Lots* of Zenmap fixes
See CHANGELOG for all the details
Take MAINTAINER (agreed with salo@)
o Updated to include the latest MAC Address prefixes from the IEEE in
nmap-mac-prefixes [Fyodor]
o NSE engine was cleaned up significantly.
o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]
o NmapFE is now gone. (zenmap is the replacement)
o Added the NSE library (NSELib) which is a library of useful
functions (which can be implemented in LUA or as loadable C/C++
modules) for use by NSE scripts.
o Integrated the Nmap Scripting Engine (NSE) into mainline Nmap.
Changes:
4.20
o Integrated the latest OS fingerprint submissions. The 2nd
generation DB size has grown to 231 fingerprints. Please keep them
coming! New fingerprints include Mac OS X Server 10.5 pre-release,
NetBSD 4.99.4, Windows NT, and much more.
o Fixed a segmentation fault in the new OS detection system
which was reported by Craig Humphrey and Sebastian Garcia.
o Fixed a TCP sequence prediction difficulty indicator bug. The index
is supposed to go from 0 ("trivial joke") to about 260 (OpenBSD).
But some systems generated ISNs so insecurely that Nmap went
berserk and reported a negative difficulty index. This generally
only affects some printers, crappy cable modems, and Microsoft
Windows (old versions). Thanks to Sebastian Garcia for helping me
track down the problem.
4.20RC2
o Integrated all of your OS detection submissions since RC1. The DB
has increased 13% to 214 fingerprints. Please keep them coming!
New fingerprints include versions of z/OS, OpenBSD, Linux, AIX,
FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and
misc. devices. We also got our first Windows 95 fingerprint,
submitted anonymously of course :).
o Fixed (I hope) the "getinterfaces: intf_loop() failed" error which
was seen on Windows Vista. The problem was apparently in
intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to
MAX_IF_TYPE rather than 32). Thanks to Dan Griffin
(dan(a)jwsecure.com) for tracking this down!
o Applied a couple minor bug fixes for IP options
support and packet tracing. Thanks to Michal Luczaj
(regenrecht(a)o2.pl) for reporting them.
o Incorporated SLNP (Simple Library Network Protocol) version
detection support. Thanks to Tibor Csogor (tibi(a)tiborius.net) for
the patch.
4.20RC1
o Fixed (I hope) a bug related to Pcap capture on Mac OS X. Thanks to
Christophe Thil for reporting the problem and to Kurt Grutzmacher
and Diman Todorov for helping to track it down.
o Integrated all of your OS detection submissions since ALPHA11. The
DB has increased 27% to 189 signatures. Notable additions include
the Apple Airport Express, Windows Vista RC1, OpenBSD 4.0, a Sony
TiVo device, and tons of broadband routers, printers, switches, and
Linux kernels. Keep those submissions coming!
o Upgraded the included LibPCRE from version 6.4 to 6.7. Thanks to
Jochen Voss (voss(a)seehuhn.de) for the suggestion (he found some bugs
in 6.4)
4.20ALPHA11
o Integrated all of your OS detection submissions, bringing the
database up to 149 fingerprints. This is an increase of 28% from
ALPHA10. Notable additions include FreeBSD 6.1, a bunch of HP
LaserJet printers, and HP-UX 11.11. We also got a bunch of more
obscure submissions like Minix 3.1.2a and "Ember InSight Adapter for
programming EM2XX-family embedded devices". Who doesn't have a few
of those laying around? I'm hoping that all the obscure submissions
mean that more of the mainstream systems are being detected out of
the box! Please keep those submissions (obscure or otherwise)
coming!
4.20ALPHA10
o Integrated tons of new OS fingerprints. The DB now contains 116
fingerprints, which is up 63% since the previous version. Please keep
the submissions coming!
4.20ALPHA9
o Integrated the newly submitted OS fingerprints. The DB now contains
71 fingerprints, up 27% from 56 in ALPHA8. Please keep them coming!
We still only have 4.2% as many fingerprints as the gen1 database.
o Added the --open option, which causes Nmap to show only open ports.
Ports in the states "open|closed" and "unfiltered" might be open, so
those are shown unless the host has an overwhelming number of them.
o Nmap gen2 OS detection used to always do 2 retries if it fails to
find a match. Now it normally does just 1 retry, but does 4 retries
if conditions are good enough to warrant fingerprint submission.
This should speed things up on average. A new --max-os-tries option
lets you specify a higher lower maximum number of tries.
o Added --unprivileged option, which is the opposite of --privileged.
It tells Nmap to treat the user as lacking network raw socket and
sniffing privileges. This is useful for testing, debugging, or when
the raw network functionality of your operating system is somehow
broken.
o Fixed a confusing error message which occured when you specified a
ping scan or list scan, but also specified -p (which is only used for
port scans). Thanks to Thomas Buchanan for the patch.
o Applied some small cleanup patches from Kris Katterjohn
4.20ALPHA8
o Integrated the newly submitted OS fingerprints. The DB now contains
56, up 33% from 42 in ALPHA7. Please keep them coming! We still only
have 3.33% as many signatures as the gen1 database.
o Nmap 2nd generation OS detection now has a more sophisticated
mechanism for guessing a target OS when there is no exact match in the
database (see http://insecure.org/nmap/osdetect/osdetect-guess.html )
o Rewrote mswin32/nmap.rc to remove cruft and hopefully reduce some
MFC-related compilation problems we've seen. Thanks to KX
(kxmail(a)gmail.com) for doing this.
o NmapFE now uses a spin button for verbosity and debugging options so
that you can specify whatever verbosity (-v) or debugging (-d) level
you desire. The --randomize-hosts option was also added to NmapFE.
Thanks to Kris Katterjohn for the patches.
o A dozen or so small patches to Nmap and NmapFE by Kris Katterjohn.
o Removed libpcap/Win32 and libpcap/msdos as Nmap doesn't use them.
This reduces the Nmap tar.bz2 by about 50K. Thanks to Kris Katterjohn
for the suggestion.
4.20ALPHA7
o Did a bunch of Nmap 2nd generation fingerprint integration work.
Thanks to everyone who sent some in, though we still need a lot more.
Also thanks to Zhao for a bunch of help with the integration tools.
4.20ALPHA6 had 12 fingerprints, this new version has 42. The old DB
(still included) has 1,684.
o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of September 6, 2006.
Also added the unregistered PearPC virtual NIC prefix, as suggested
by Robert Millan (rmh(a)aybabtu.com).
o Applied some small internal cleanup patches by Kris Katterjohn.
4.20ALPHA6
o Fixed a bug in 2nd generation OS detection which would (usually) prevent
fingerprints from being printed when systems don't respond to the 1st
ICMP echo probe (the one with bogus code value of 9). Thanks to
Brandon Enright for reporting and helping me debug the problem.
o Fixed some problematic Nmap version detection signatures which could
cause warning messages. Thanks to Brandon Enright for the initial patch.
4.20ALPHA5
o Worked with Zhao to improve the new OS detection system with
better algorithms, probe changes, and bug fixes. We're
now ready to start growing the new database! If Nmap gives you
fingerprints, please submit them at the given URL. The DB is still
extremely small. The new system is extensively documented at
http://insecure.org/nmap/osdetect/ .
o Nmap now supports IP options with the new --ip-options flag. You
can specify any options in hex, or use "R" (record route), "T"
(record timestamp), "U") (record route & timestamp), "S [route]"
(strict source route), or "L [route]" (loose source route). Specify
--packet-trace to display IP options of responses. For further
information and examples, see http://insecure.org/nmap/man/ and
http://seclists.org/nmap-dev/2006/q3/0052.html . Thanks to Marek
Majkowski for writing and sending the patch.
o Integrated all 2nd quarter service detection fingerprint
submissions. Please keep them coming! We now have 3,671 signatures
representing 415 protocols. Thanks to version detection czar Doug
Hoyte for doing this.
o Nmap now uses the (relatively) new libpcap pcap_get_selectable_fd
API on systems which support it. This means that we no longer need
to hack the included Pcap to better support Linux. So Nmap will now
link with an existing system libpcap by default on that platform if
one is detected. Thanks to Doug Hoyte for the patch.
o Updated the included libpcap from 0.9.3 to 0.9.4. The changes I
made are in libpcap/NMAP_MODIFICATIONS . By default, Nmap will now
use the included libpcap unless version 0.9.4 or greater is already
installed on the system.
o Applied some nsock bugfixes from Diman Todorov. These don't affect
the current version of Nmap, but are important for his Nmap
Scripting Engine, which I hope to integrate into mainline Nmap in
September.
o Fixed a bug which would occasionally cause Nmap to crash with the
message "log_vwrite: write buffer not large enough". I thought I
conquered it in a previous release -- thanks to Doug Hoyte for finding a
corner case which proved me wrong.
o Fixed a bug in the rDNS system which prevented us from querying
certain authoritative DNS servers which have recursion explicitly
disabled. Thanks to Doug Hoyte for the patch.
o --packet-trace now reports TCP options (thanks to Zhao Lei for the
patch). Thanks to the --ip-options addition also found in this
release, IP options are printed too.
o Cleaned up Nmap DNS reporting to be a little more useful and
concise. Thanks to Doug Hoyte for the patch.
o Applied a bunch of small internal cleanup patches by Kris Katterjohn
(kjak(a)ispwest.com).
o Fixed the 'distclean' make target to be more comprehensive. Thanks
to Thomas Buchanan (Thomas.Buchanan(a)thecompassgrp.net) for the
patch.
Nmap 4.20ALPHA4
o Nmap now provides progress statistics in the XML output in verbose
mode. Here are some examples of the format (etc is "estimated time
until completion) and times are in UNIX time_t (seconds since 1970)
format. Angle braces have been replaced by square braces:
[taskbegin task="SYN Stealth Scan" time="1151384685" /]
[taskprogress task="SYN Stealth Scan" time="1151384715"
percent="13.85" remaining="187" etc="1151384902" /]
[taskend task="SYN Stealth Scan" time="1151384776" /]
[taskbegin task="Service scan" time="1151384776" /]
[taskend task="Service scan" time="1151384788" /]
Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
o Updated the Windows installer to give an option checkbox for
performing the Nmap performance registry changes. The default is to
do so. Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
o Applied several code cleanup patches from Marek Majkowski.
o Added --release-memory option, which causes Nmap to release all
accessible memory buffers before quitting (rather than let the OS do
it). This is only useful for debugging memory leaks.
o Fixed a bug related to bogus completion time estimates when you
request an estimate (through runtime interaction) right when Nmap is
starting.a subsystem (such as a port scan or version detection).
Thanks to Diman Todorov for reporting the problem and Doug Hoyte for
writing a fix.
o Nmap no longer gets random numbers from OpenSSL when it is available
because that turned out to be slower than Nmap's other methods
(e.g. /dev/urandom on Linux, /dev/arandom on OpenBSD, etc.). Thanks
to Marek Majkowski for reporting the problem.
o Updated the Windows binary distributions (self-installer and .zip)
to include the new 2nd generation OS detection DB (nmap-os-db).
Thanks to Sina Bahram for reporting the problem.
o Fixed the --max-retries option, which wasn't being honored. Thanks
to Jon Passki (jon.passki(a)hursk.com) for the patch.
Nmap 4.20ALPHA3
o Added back Win32 support thanks to a patch by kx
o Fixed the English translation of TCP sequence difficulty reported by
Brandon Enright, and also removed fingerprint printing for 1st
generation fingerprints (I don't really want to deal with those
anymore). Thanks to Zhao Lei for writing this patch.
o Fix a problem which caused OS detection to be done in some cases
even if the user didn't request it. Thanks to Diman Todorov for the
fix.
Nmap 4.20ALPHA2
o Included nmap-os-db (the new OS detection DB) within the release.
Oops! Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for catching
this problem with 4.20ALPHA1.
o Added a fix for the crash in the new OS detection which would come
with the message "Probe doesn't exist! Probe type: 1. Probe subid: 1"
Nmap 4.20ALPHA1
o Integrated initial 2nd generation OS detection patch! The system is
documented at http://insecure.org/nmap/osdetect/ . Thanks to Zhao Lei
for helping with the coding and design.
o portlist.cc was refactored to remove some code duplication. Thanks
to Diman Todorov for the patch.
- bite the bullet and use GNU make, it's increasingly annoying to try
avoiding it
Changes:
- Added a dozens of more detailed SSH version detection signatures,
thanks to a SSH huge survey and integration effort by Doug Hoyte.
The results of his large-scale SSH scan are posted at
http://seclists.org/nmap-dev/2006/Apr-Jun/0393.html .
- Fixed the Nmap Makefile (actually Makefile.in) to correctly handle
include file dependencies. So if a .h file is changed, all of the
.cc files which depend on it will be recompiled. Thanks to Diman
Todorov (diman(a)xover.mud.at) for the patch.
- Fixed a compilation problem on solaris and possibly other platforms.
The error message looked like "No rule to make target `inet_aton.o',
needed by `libnbase.a'". Thanks to Matt Selsky
(selsky(a)columbia.edu) for the patch.
Fixes PR pkg/33806 from Gilles Dauphin.
- Applied a patch which helps with HP-UX compilation by linking in the
nm library (-lnm). Thanks to Zakharov Mikhail (zmey20000(a)yahoo.com)
for the patch.
- Added version detection probes for detecting the Nessus daemon.
Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch.
Changes:
4.10:
=====
- Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
(http://standards.ieee.org/regauth/oui/oui.txt) as of May 31, 2006.
Also added a couple unregistered OUI's (for QEMU and Bochs)
suggested by Robert Millan (rmh(a)aybabtu.com).
- Fixed a bug which could cause false öpen" ports when doing a UDP
scan of localhost. This usually only happened when you scan tens of
thousands of ports (e.g. -p- option).
- Fixed a bug in service detection which could lead to a crash when
"--version-intensity 0" was used with a UDP scan. Thanks to Makoto
Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug
Hoyte for producing a patch.
- Made some AIX and HP-UX portability fixes to Libdnet and NmapFE.
These were sent in by Peter O'Gorman
(nmap-dev(a)mlists.thewrittenword.com).
- When you do a UDP«CP scan, the TCP ports are now shown first (in
numerical order), followed by the UDP ports (also in order). This
contrasts with the old format which showed all ports together in
numerical order, regardless of protocol. This was at first a "bug",
but then I started thinking this behavior may be better. If you
have a preference for one format or the other, please post your
reasons to nmap-dev.
- Changed mass_dns system to print a warning if it can't find any
available DNS servers, but not quit like it used to. Thanks to Doug
Hoyte for the patch.
4.04BETA1:
==========
- Integrated all of your submissions (about a thousand) from the first
quarter of this year! Please keep 'em coming! The DB has increased
from 3,153 signatures representing 381 protocols in 4.03 to 3,441
signatures representing 401 protocols. No other tool comes close!
Many of the already existing match lines were improved too. Thanks
to Version Detection Czar Doug Hoyte for doing this.
- Nmap now allows multiple ingored port states. If a 65K-port scan
had, 64K filtered ports, 1K closed ports, and a few dozen open
ports, Nmap used to list the dozen open ones among a thousand lines
of closed ports. Now Nmap will give reports like "Not shown: 64330
filtered ports, 1000 closed ports" or "All 2051 scanned ports on
192.168.0.69 are closed (1051) or filtered (1000)", and omit all of
those ports from the table. Open ports are never ignored. XML
output can now have multiple <extraports> directive (one for each
ignored state). The number of ports in a single state before it is
consolidated defaults to 26 or more, though that number increases as
you add -v or -d options. With -d3 or higher, no ports will be
consolidated. The XML output should probably be augmented to give
the extraports directive 'ip', 'tcp', and 'udp' attributes which
specify the corresponding port numbers in the given state in the
same listing format as the nmaprun.scaninfo.services attribute, but
that part hasn't yet been implemented. If you absoultely need the
exact port numbers for each state in the XML, use -d3 for now.
- Nmap now ignores certain ICMP error message rate limiting (rather
than slowing down to accomidate it) in cases such as SYN scan where
an ICMP message and no response mean the same thing (port filtered).
This is currently only done at timing level Aggressive (-T4) or
higher, though we may make it the default if we don't hear problems
with it. In addition, the --defeat-rst-ratelimit option has been
added, which causes Nmap not to slow down to accomidate RST rate
limits when encountered. For a SYN scan, this may cause closed
ports to be labeled 'filtered' becuase Nmap refused to slow down
enough to correspond to the rate limiting. Learn more about this
new option at http://www.insecure.org/nmap/man/ . Thanks to Martin
Macok (martin.macok(a)underground.cz) for writing the patch that
these changes were based on.
- Moved my Nmap development environment to Visual C++ 2005 Express
edition. In typical "MS Upgrade Treadmill" fashion, Visual Studio
2003 users will no longer be able to compile Nmap using the new
solution files. The compilation, installation, and execution
instructions at
http://www.insecure.org/nmap/install/inst-windows.html have been
upgraded.
- Automated my Windows build system so that I just have to type a
single make command in the mswin32 directory. Thanks to Scott
Worley (smw(a)pobox.com>, Shane & Jenny Walters
(yfisaqt(a)waltersinamerica.com), and Alex Prinsier
(aphexer(a)mailhaven.com) for reading my appeal in the 4.03
CHANGELOG and assisting.
- Changed the PortList class to use much more efficient data
structures and algorithms which take advantage of Nmap-specific
behavior patterns. Thanks to Marek Majkowski
(majek(a)forest.one.pl) for the patch.
- Fixed a bug which prevented certain TCPÙDP scan commands, such as
"nmap -sSU -p1-65535 localhost" from scanning both TCP and UDP.
Instead they gave the error message "WARNING: UDP scan was requested,
but no udp ports were specified. Skipping this scan type". Thanks to
Doug Hoyte for the patch.
- Nmap has traditionally required you to specify -T* timing options
before any more granular options like --max-rtt-timeout, otherwise the
general timing option would overwrite the value from your more
specific request. This has now been fixed so that the more specific
options always have precendence. Thanks to Doug Hoyte for this patch.
- Fixed a couple possible memory leaks reported by Ted Kremenek
(kremenek(a)cs.stanford.edu) from the Stanford University sofware
static analysis lab ("Checker" project).
- Nmap now prints a warning when you specify a target name which
resolves to multiple IP addresses. Nmap proceeds to scan only the
first of those addresses (as it always has done). Thanks to Doug
Hoyte for the patch. The warning looks like this:
Warning: Hostname google.com resolves to 3 IPs. Using 66.102.7.99.
- Disallow --host-timeout values of less than 1500ms, print a warning
for values less than 15s.
- Changed all instances of inet_aton() into calls to inet_pton()
instead. This allowed us to remove inet_aton.c from nbase. Thanks to
KX (kxmail(a)gmail.com) for the patch.
- When debugging (-d) is specified, Nmap now prints a report on the
timing variables in use. Thanks to Doug Hoyte for the patch. The
report loos like this:
---------- Timing report ----------
hostgroups: min 1, max 100000
rtt-timeouts: init 250, min 50, max 300
scan-delay: TCP 5, UDP 1000
parallelism: min 0, max 0
max-retries: 2, host-timeout 900000
-----------------------------------
- Modified the WinPcap installer file to explicitly uninstall an
existing WinPcap (if you select that you wish to replace it) rather
than just overwriting the old version. Thanks to Doug Hoyte for
making this change.
- Added some P2P application ports to the nmap-services file. Thanks
to Martin Macok for the patch.
- The write buffer length increased in 4.03 was increased even further
when the debugging or verbosity levels are more than 2 (e.g. -d3).
Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for the patch. The
goal is to prevent you from ever seeing the fatal error:
"log_vwrite: write buffer not large enough -- need to increase"
- Added a note to the Nmap configure dragon that people sick of him
can submit their own ASCII art to nmap-dev@insecure.org . If you
are wondering WTF I am talking about, it is probably because only
most elite Nmap users -- the ones who compile from source on UNIX --
get to see the 'l33t ASCII Art.
Changes:
- Updated the LibPCRE build system to add the -fno-thread-jumps option
to gcc when compiling on the new Intel-based Apple Mac OS X systems.
Hopefully this resolves the version detection crashes that several
people have reported on such systems. Thanks to Kurt Grutzmacher
(grutz(a)jingojango.net) for sending the configure.ac patch.
- Increased a write buffer length to avoid Nmap from quitting with the
message "log_vwrite: write buffer not large enough -- need to
increase". Thanks to Dave (dmarcher(a)pobox.com) for reporting the
issue.
- Made some portability fixes to keep Nmap compiling with the newest
Visual Studio 2005. Thanks to KX (kxmail(a)gmail.com) for
suggesting them.
- Service fingerprints are now provided in the XML output whenever
they would appear in the interactive output (i.e. when a service
respons with data but is unrecognized). They are shown in a new
'servicefp' attribute to the 'service' tag. Thanks to Brandon Enright
(bmenrigh(a)ucsd.edu) for sending the patch.
- Improved the Windows build system -- mswin32/Makefile now takes care
of packaging Nmap and creating the installers once Visual Studio (GUI)
is done building the Release version of mswin32/nmap.sln. If someone
knows how to do this (build) step on the command line (using the
Makefile), please let me know. Or if you know how to at least make
'Release' (rather than Debug) the default configuration, that would be
valuable.
- WinPcap 3.1 binaries are now shipped in the Nmap tarball, along with
a customized (for Nmap) installer written by Doug Hoyte. That new
WinPcap installer is now used in the Nmap self-installer.
- Fixed (I hope) a problem where aggresive --min-parallelization
option values could cause Nmap to quit with the message "box(300, 100,
15) called (min,max,num)". Thanks to Richard van den Berg
(richard.vandenberg(a)ins.com) for reporting the problem.
- Fixed a rare crash bug thanks to a report and patch from Ganga
Bhavani (GBhavani(a)everdreamcorp.com)
adam
joerg
jklos
maya
richard
agc
rodent
drochner
pettai
dholland
wiz
markd
obache
adrianp
apb
rillig
salo