75d36712bf
o Updated the bundled Npcap from 0.91 to 0.93, fixing several issues with installation and compatibility with the Windows 10 Creators Update.
o NSE scripts now have complete SSH support via libssh2, including password brute-forcing and running remote commands, thanks to the combined efforts of three Summer of Code students.
o Added 14 NSE scripts from 6 authors, bringing the total up to 579! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  + ftp-syst sends SYST and STAT commands to FTP servers to get system version and connection information.
  + http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting Joomla! 3.7.x before 3.7.1.
  + iec-identify probes for the IEC 60870-5-104 SCADA protocol.
  + openwebnet-discovery retrieves device identifying information and number of connected devices running on openwebnet protocol.
  + puppet-naivesigning checks for a misconfiguration in the Puppet CA where naive signing is enabled, allowing for any CSR to be automatically signed.
  + smb-protocols discovers if a server supports dialects NT LM 0.12 (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old smbv2-enabled script.
  + smb2-capabilities lists the supported capabilities of SMB2/SMB3 servers.
  + smb2-time determines the current date and boot date of SMB2 servers.
  + smb2-security-mode determines the message signing configuration of SMB2/SMB3 servers.
  + smb2-vuln-uptime attempts to discover missing critical patches in Microsoft Windows systems based on the SMB2 server uptime.
  + ssh-auth-methods lists the authentication methods offered by an SSH server.
  + ssh-brute performs brute-forcing of SSH password credentials.
  + ssh-publickey-acceptance checks public or private keys to see if they could be used to log in to a target. A list of known-compromised key pairs is included and checked by default.
  + ssh-run uses user-provided credentials to run commands on targets via SSH.
o Removed smbv2-enabled, which was incompatible with the new SMBv2/3 improvements. It was fully replaced by the smb-protocols script.
o Added Datagram TLS (DTLS) support to Ncat in connect (client) mode with --udp --ssl. Also added Application Layer Protocol Negotiation (ALPN) support with the --ssl-alpn option.
o Updated the default ciphers list for Ncat and the secure ciphers list for Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH ciphersuites, anonymous ECDH suites were being allowed.
o Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup Exec Agent 15 or 16.
o Added wildcard detection to dns-brute. Only hostnames that resolve to unique addresses will be listed.
o FTP scripts like ftp-anon and ftp-brute now correctly handle TLS-protected FTP services and use STARTTLS when necessary.
o Function url.escape no longer encodes so-called "unreserved" characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
o Function http.pipeline_go no longer assumes that persistent connections are supported on HTTP 1.0 target (unless the target explicitly declares otherwise), as per RFC 7230.
o The HTTP response object has a new member, version, which contains the HTTP protocol version string returned by the server, e.g. "1.0".
o Fix handling of the objectSID Active Directory attribute by ldap.lua.
o Fix line endings in the list of Oracle SIDs used by oracle-sid-brute. Carriage Return characters were being sent in the connection packets, likely resulting in failure of the script.
o http-useragent-checker now checks for changes in HTTP status (usually 403 Forbidden) in addition to redirects to indicate forbidden User Agents.