[installer 1995] nmap-5.00

nmap-5.00 が出ました。

http://nmap.org/5/ より:
> Nmap 5.00 Released
> July 16, 2009 -- Insecure.Org is pleased to announce the immediate,
> free availability of the Nmap Security Scanner version 5.00 from
> http://nmap.org/. This is the first stable release since 4.76 (last

> September), and the first major release since the 4.50 release in
> 2007. Dozens of development releases led up to this.
> Considering all the changes, we consider this the most important
> Nmap release since 1997, and we recommend that all current users
> upgrade.

☆ nmap-5.00

Nmap 5.00

o Bumped up version number to 5.00!

o [NSE] http-open-proxy script fixed to avoid false positives from bad
pattern matching and to properly declare some formerly-global
variables as local. [Joao]

Nmap 4.90RC1 [2009-06-25]

o [Zenmap] Fixed a display hanging problem on Mac OS X reported by
Christopher Caldwell at
http://seclists.org/nmap-dev/2009/q2/0721.html. This was done by
adding gtk2 back to macports-1.8.0-universal.diff and removing the
dependency on shared-mime-info so it doesn't expect /usr/share/mime
files at runtime. Also included GDK pixbuf loaders statically rather
than as external loadable modules. [David]

o Fixed a memory bug (access of freed memory) when loading exclude
targets with --exclude. This was reported to occasionally cause a
crash. Will Cladek reported the bug and contributed an initial
patch. [David]

o Zenmap application icons were regenerated using the newer SVG
representation of the Nmap eye. [David]

Nmap 4.85BETA10 [2009-06-12]

o The host discovery (ping probe) defaults have been enhanced to
include twice as many probes. The default is now "-PE -PS443 -PA80
-PP". In exhaustive testing of 90 different probes, this emerged as
the best four-probe combination, finding 14% more Internet hosts
than the previous default, "-PE -PA80". The default for non-root
users is -PS80,443, replacing the previous default of -PS80. In
addition, ping probes are now sent in order of effectiveness (-PE
first) so that less effective probes may not have to be sent. ARP
ping is still the default on local ethernet networks. [David,

o Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol
used mostly for telephony related applications. This brings the
following new features:
o SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
chunk, closed ones an ABORT chunk. This is the SCTP equivalent
of a TCP SYN stealth scan.
o SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
closed ports return an ABORT chunk.
o SCTP INIT chunk ping probes (-PY): host discovery using SCTP
INIT chunk packets.
o SCTP-specific IP protocol scan (-sO -p sctp).
o SCTP-specific traceroute support (--traceroute).
o The ability to use the deprecated Adler32 algorithm as specified
in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
o 42 well-known SCTP ports were added to the nmap-services file.
o The server scanme.csnc.ch has been set up for your SCTP scan
testing pleasure. But note that SCTP doesn't pass through most
NAT devices. See http://seclists.org/nmap-dev/2009/q2/0669.html.
Part of the work on SCTP support was kindly sponsored by
Compass Security AG, Switzerland. [Daniel Roethlisberger]

o [NSE] Added http-iis-webdav-vuln.nse, which detects the recently
discovered WebDAV unicode bug in MS IIS 5.1/6.0 web server which can
allow arbitrary users to access password protected folders without
authentication. See
http://nmap.org/svn/scripts/http-iis-webdav-vuln.nse. [Ron]

o The Nmap Reference Guide has been translated to German by Open
Source Press and Indonesian by Tedi Heriyanto. You can now read it
in 16 languages at http://nmap.org/docs.html. We're always looking
for more translations of Nmap and it's documentation--if you'd like
to help, see http://seclists.org/nmap-dev/2009/q2/0667.html.

o Open Source Press completed and released the German translation of
the official Nmap book (Nmap Network Scanning). Learn more at

o [NSE] Added socks-open-proxy.nse for scanning networks for open
SOCKS proxy servers. See
http://nmap.org/nsedoc/scripts/socks-open-proxy.html. [Joao Correa]

o [NSE] http-open-proxy.nse has been updated to attempt HEAD and
CONNECT methods as well as previously supported GET method. It
still tries to reach http://www.google.com through the proxy by
default, but now also offers an argument for specifying a different
URL. [Joao Correa]

o [Ncat] There is a backwards-incompatible change in the way that
listen mode works. The new default behavior is to accept only one
connection, and quit when the connection ends. This was necessary to
prevent data loss in some situations; some programs require Ncat to
send an EOF before they flush their internal buffers and finish
processing the last bit of data. See
http://seclists.org/nmap-dev/2009/q2/0528.html for more information.
Use the new -k or --keep-open option to get the old behavior, in
which Ncat will accept multiple simultaneous connection, combine all
their input, and accept more connections after a disconnection.
[Daniel Roethlisberger, David]

o Ncat handling of newlines on Windows has been improved. CRLF is
automatically converted to a bare LF when input is from the console,
but left untouched when it is from a pipe or a file. No newline
translation is done on output (where it was being done before). This
makes it possible to transfer binary files with Ncat on Windows
without any corruption, while still being able to interactively ncat
into UNIX shells and other processes which require bare
newlines. Ncat clients now work the same way on UNIX and Windows in
that respect. For cases where you do want \r\n line endings (such
as connections to web and email servers or Windows cmd.exe shells),
specify -C whether your client is running on UNIX or
Windows. [David]

o Nmap RPM packages (x86 and x86-64) are now built with OpenSSL
support (statically linked in to avoid dependencies). They are also
now built on CentOS 5.3 for compatibility with RHEL, Fedora, and
other distributions. Please let us know if you discover any
compatibility problems (or other issues) with the new RPMs. [Fyodor]

o [Zenmap] The Topology tab now has a "Save Graphic" button that
allows saving the current topology display as a PNG, postscript,
PDF, and SVG image. [Joao Medeiros, David]

o Changed the default UDP ping (-PU) port from 31338 to 40125. This
appears to be a better port based on David's empirical testing.

o [NSE] Added the imap-capabilities script, which uses the CAPABILITY
command to determine the capabilities of a target IMAP mail server.
A simple supporting IMAP library was added as well. See
http://nmap.org/nsedoc/scripts/imap-capabilities.html. [Brandon]

o [NSE] Brandon Enright from UCSD reports that, thanks to all the NSE
fixes in this release, he no longer sees any Nmap crashes in his
large scale scans. See

o Zenmap now works on RHEL/CentOS since it no longer requires the
hashlib library (which was introduced in Python 2.5, but RHEL 5
still uses 2.4) and removing the pysqlite2 requirement (RHEL does
not offer that module). It is still desirable to have pysqlite2
when available, since it enables Zenmap searching and database
saving features. [David]

o Ncat can now send SSL certificates in connect mode for client
authentication by using the --ssl-cert and --ssl-key options. The
specified certificates are only sent when requested by the
server. [Venkat]

o Nmap can now handle -SP and -SA at the same time when running nmap
as non-root or using IPv6. It now combines the two port lists [Josh

o [Ncat] SSL in listen mode now works on systems like BSD in which a
socket inherits its blocking or non-blocking status from the
listening socket. [David, Daniel Roethlisberger]

o The --packet-trace/--version-trace options now shows the names of
version detection probes as they are sent, making the version
detection process easier to understand and debug. [Tom Sellers]

o The GPG detached signatures for Nmap releases now use the more
standard .asc extension rather than .gpg.txt. They can still be
found at http://nmap.org/dist/sigs/ and the .gpg.txt versions for
previous releases are still available for compatibility reasons. For
instructions on verifying Nmap package integrity, see
http://nmap.org/book/install.html#inst-integrity. [Fyodor]

o [Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap
and aggregated, the first one was being modified in the process,
preventing you from doing diffs in the "compare scans" dialogue or
properly saving the first scan individually. 2) If you start two
scans, then the faster one finishes and you cancel and remove the
slower one while still in progress, much of the results from both
scans are lost. [Josh Marlow]

o [Ncat] When connecting to an SSL service in verbose mode, Ncat now
prints confirmation of the SSL connection, some certificate
information, and a cert fingerprint. For example:
SSL connection to Electronic Frontier Foundation
SHA-1 fingerprint: 28BE B476 2E49 7ED5 3A9B 4D79 AD1E 69A9 82DB C75A

o [NSE] Clean up output (generally reducing default verbosity) for the
p2p-conficker, smb-check-vulns, and http-iis-webdav-vuln scripts. In
general, we don't ask scripts to report that a host is clean unless
Nmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]

o [Zenmap] Added the -PS22,25,80 option found in the Quick Traceroute
profile to some of the Intense scan profiles for improved host
discovery. [Josh Marlow]

o Fixed a bug with the --defeat-rst-ratelimit option which prevented
it from working properly. See this thread:
http://seclists.org/nmap-dev/2009/q2/0476.html. [Josh]

o [Ndiff] Avoid printing a "Not shown:" line if there weren't any
ports in the non-shown (extraports) list. [David]

o [Ncat] Fixed Ncat compilation with versions of OpenSSL before 0.9.7.
Previously it would fail in ncat_openssl.c with the message
"structure has no member named `it'". The problem was reported by
Jaroslav Fojtik. [David]

o [NSE] Removed the packet.hextobin(str) and packet.bintohex(str)
functions. They are redundant since you get the same functionality
by calling bin.pack("H", str) and bin.unpack("H", str),
respectively. [Patrick]

o [NSE] Fixed the parsing of --script-args, which was only accepting
alphanumeric characters and underscores in values. Now a key, value,
or array value may be a sequence of any characters except '{', '}',
',', '=', and all space characters. You may overcome this
restriction by using quotes (single or double) to allow all
characters within the quotation marks. You may also use the quote
delimiter inside the sequence so long as it is escaped by a
backslash. See
http://seclists.org/nmap-dev/2009/q2/0211.html. [Patrick]

o [NSE] When a script ends for any reason, all of its mutexes are now
unlocked. This prevents a permanent (and painful to debug) deadlock
when a script crashes without unlocking a mutex. See
http://seclists.org/nmap-dev/2009/q2/0533.html. [Patrick]

o Fixed a bug wherein nmap would not display the post-scan count of
raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]

o Changed the ICMP ping probes to use a random non-zero ICMP id.
David's empirical testing found that some hosts drop probes when the
ICMP id is 0 [Josh Marlow]

o [NSE] Fixed a --script argument processing bug in which Nmap would
abort when an expression matches a set of scripts which were loaded
by other expressions first (a simple example is "--script
default,DEFAULT". [Patrick]

o [Zenmap] Operating system icons are now always loaded as PNGs, even on
platforms which support SVG images. That is much faster, and Zenmap
currently never scales the images anyway. [Josh]

o [Ncat] The Nmap Windows uninstaller now removes the Ncat CA list
(ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]

o Optimized some Nmap version detection match lines for slightly
better performance. See
http://seclists.org/nmap-dev/2009/q2/0328.html. [Brandon]

o [NSE] Upon connection failure, a socket now immediately unlocks its
"socket lock" to allow other pending socket connections to succeed
sooner. This slightly improves scan speeds by eliminating the wait
for garbage collection to free the resource. [Patrick]

o [NSE] Corrected a bug in nse_nsock.cc that could result in a crash
from the use of an invalid Lua state if a thread is collected due to
timeout or other rare reasons. Essentially, the callbacks from the
nsock library were returning to an already-collected Lua state. We
now maintain a reference to the Lua State Thread in the nsock
userdata environment table to prevent early collection. This is a
temporary patch for the stable release pending a more detailed
review of the NSE nsock library binding. [Patrick]

o [NSE] When an NSE script in the database (script.db) is requested
but not found on the filesystem, Nmap now prints a warning rather
than aborting. We accidentally shipped with such a phantom script
(smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]

o Fixed a bug where an ICMP echo, timestamp, or address mask reply
could be matched up with the wrong ICMP probe if more than one ICMP
probe type was being sent (as with the new default ping). This lead
to timing calculation problems. [David]

o Improved the host expression parser to better handle a few cases
where invalid target specifiers would case Nmap to scan unintended
hosts. See http://seclists.org/nmap-dev/2009/q2/0319.html. [Jah]

o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when
searching scan results by date. [David]
The error message was: File "zenmapGUI\SearchGUI.pyo", line 816, in
set_date TypeError: argument must be sequence of length 9, not 3

o Patched configure.ac to detect Lua include and library files in
"lua5.1" subdirectories of /usr/include and the like. Debian
apparently puts them there. We still check the likes of
/usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan
Christoph Nordholz]

o Improved nsock's fselect() to be a more complete replacement for
select() on the Windows platform. In particularly, any or all of the
FD sets can be null or empty descriptor sets. This fixes an error
("nsock_loop error 10022") which would occur when you ran ncat
--send-only on Windows. [David]

o The --with-openssl= directive now works for specifying the SSL
location to the nsock library. It was previously not passing the
proper include file path to the compiler. [Fyodor]

o The --traceroute feature is now properly disabled for IPv6 ping
scans (-6 -sP) since IPv6 traceroute is not currently
supported. [Jah]

o Fixed an assertion failure which could occur on at least SPARC Linux
The error looked like "nsock_core.c:294: handle_connect_result:
Assertion `0' failed. Aborted". [David Fifield, Fabio Pedretti]

o Nmap's make install target now uses $(INSTALL) rather than cp to
copy NSE scripts and libraries to ensure that file permissions are
set properly. [Fyodor]

o Improved the Oracle DB version detection signatures. [Tom Sellers]

o [NSE] Remove the old nse_macros.h header file. This involved
removing the SCRIPT_ENGINE_* status defines, moving the likes of
SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use
of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to
nse_fs.h. [Patrick]

o Cleaned up the libpcre build system a bit by removing Makefile.am
and modifying configure.ac to prevent unnecessary removal of
pcre_chartables.cc in some instances. [Fyodor]

o Fixed a bug which would cause Nmap to sometimes miscount the number
of hosts scanned and produce warnings such as "WARNING: No targets
were specified, so 0 hosts scanned" when --traceroute and -sP were
combined. [Jah]

o Changed Nmap and Ncat's configure.ac files to check in more
situations whether -ldl is required for compilation and add it where
necessary. [Fyodor]

o When building Nmap RPMs using the spec file, you can now pass in an
openssl argument, the contents of which are passed to ./configure's
--with-openssl option. So you can pass rpmbuild an option such as
--define "openssl /usr/local/ssl". [Fyodor]

o Fixed the make distclean target to avoid a failure which could occur
when you ran it right after a make clean (it might have failed in
other situations as well). [David]

o Updated nmap-mac-prefixes with the latest MAC address prefix data
from http://standards.ieee.org/regauth/oui/oui.txt as of
5/20/09. [Fyodor]

o Ncat now makes sockets blocking before handing them off to another
program with --exec or --sh-exec. This is to resolve a failure where
the command "ncat --exec /usr/bin/yes localhost" would stop sending
because yes would send data so quickly that kernel send buffers
could not keep up and socket writes would start generating EAGAIN
errors. [Venkat]

o Ncat now ignores SIGPIPE in listen mode. This fixes the command
"yes | ncat -l --keep-open --send-only", which was failing after the
first client disconnected due to a broken pipe signal when Ncat
would try to write more date before realizing that the client had
closed the connection.

o Version detection can now detect Ncat's --chat mode. [David]

Nmap 4.85BETA9 [2009-05-12]

o Integrated all of your 1,156 of your OS detection submissions and
your 50 corrections since January 8. Please keep them coming! The
second generation OS detection DB has grown 14% to more than 2,000
fingerprints! That is more than we ever had with the first system.
The 243 new fingerprints include Microsoft Windows 7 beta, Linux
2.6.28, and much more. See
http://seclists.org/nmap-dev/2009/q2/0335.html. [David]

o [Ncat] A whole lot of work was done by David to improve SSL
security and functionality:
o Ncat now does certificate domain and trust validation against
trusted certificate lists if you specify --ssl-verify.
o [Ncat] To enable SSL certificate verification on systems whose
default trusted certificate stores aren't easily usable by
OpenSSL, we install a set of certificates extracted from Windows
in the file ca-bundle.crt. The trusted contents of this file are
added to whatever default trusted certificates the operating
system may provide. [David]
o Ncat now automatically generates a temporary keypair and
certificate in memory when you request it to act as an SSL server
but you don't specify your own key using --ssl-key and --ssl-cert
options. [David]
o [Ncat] In SSL mode, Ncat now always uses secure connections,
meaning that it uses only good ciphers and doesn't use
SSLv2. Certificates can optionally be verified with the
--ssl-verify and --ssl-trustfile options. Nsock provides the
option of making SSL connections that prioritize either speed or
security; Ncat uses security while version detection and NSE
continue to use speed. [David]

o [NSE] Added Boolean Operators for --script. You may now use ("and",
"or", or "not") combined with categories, filenames, and wildcarded filenames
to match a set files. Parenthetical subexpressions are allowed for
precedence too. For example, you can now run:

nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org

For more details, see
http://nmap.org/book/nse-usage.html#nse-args. [Patrick]

o [Ncat] The HTTP proxy server now works on Windows too. [David]

o [Zenmap] The command wizard has been removed. The profile editor has
the same capabilities with a better interface that doesn't require
clicking through many screens. The profile editor now has its own
"Scan" button that lets you run an edited command line immediately
without saving a new profile. The profile editor now comes up
showing the current command rather than being blank. [David]

o [Zenmap] Added an small animated throbber which indicates that a
scan is still running (similar in concept to the one on the
upper-right Firefox corner which animates while a page is
loading). [David]

o Regenerate script.db to remove references to non-existent
smb-check-vulns-2.nse. This caused the following error messages when
people used the --script=all option: "nse_main.lua:319:
smb-check-vulns-2.nse is not a file!" The script.db entries are now
sorted again to make diffs easier to read. [David,Patrick]

o Fixed --script-updatedb on Windows--it was adding bogus backslashes
preceding file names in the generated script.db. Reported by
Michael Patrick at http://seclists.org/nmap-dev/2009/q2/0192.html,
and fixed by Jah. The error message was also improved.

o The official Windows binaries are now compiled with MS Visual C++
2008 Express Edition SP1 rather than the RTM version. We also now
distribute the matching SP1 version of the MS runtime components
(vcredist_x86.exe). A number of compiler warnings were fixed
too. [Fyodor,David]

o Fixed a bug in the new NSE Lua core which caused it to round
fractional runlevel values to the next integer. This could cause
dependency problems for the smb-* scripts and others which rely on
floating point runlevel values (e.g. that smb-brute at runlevel 0.5
will run before smb-system-info at the default runlevel of 1).

o The SEQ.CI OS detection test introduced in 4.85BETA4 now has some
examples in nmap-os-db and has been assigned a MatchPoints value of
50. [David]

o [Ncat] When using --send-only, Ncat will now close the network
connection and terminate after receiving EOF on standard input.
This is useful for, say, piping a file to a remote ncat where you
don't care to wait for any response. [Daniel Roethlisberger]

o [Ncat] Fix hostname resolution on BSD systems where a recently
fixed libc bug caused getaddrinfo(3) to fail unless a socket type
hint is provided. Patch originally provided by Hajimu Umemoto of
FreeBSD. [Daniel Roethlisberger]

o [NSE] Fixed bug in the DNS library which caused the error message
"nselib/dns.lua:54: 'for' limit must be a number". [Jah]

o Fixed Solaris 10 compilation by renaming a yield structure which
conflicted with a yield function declared in unistd.h on that
platform. [Pieter Bowman, Patrick]

o [Ncat] Minor code cleanup of Ncat memory allocation and string
duplication calls. [Ithilgore]

o Fixed a bug which could cause -iR to only scan the first host group
and then terminate prematurely. The problem related to the way
hosts are counted by o.numhosts_scanned. [David]

o Fixed a bug in the su-to-zenmap.sh script so that, in the cases
where it calls su, it uses the proper -c option rather than
-C. [Michal Januszewski, Henry Gebhardt]

o Overhaul the NSE documentation "Usage and Examples" section and add
many more examples: http://nmap.org/book/nse-usage.html [David]

o [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work
around an assertion in Visual C++ in Debug mode. The isprint,
isalpha, etc. functions from ctype.h have an assertion that the
value of the character passed in is <= 255. If you pass a character
whose value is >= 128, it is cast to an unsigned int, making it a
large positive number and failing the assertion. This is the same
thing that was reported in
http://seclists.org/nmap-dev/2007/q2/0257.html, in regard to
non-ASCII characters in nmap-mac-prefixes. [David]

o [NSE] Fixed a segmentation fault which could occur in scripts which
use the NSE pcap library. The problem was reported by Lionel Cons
and fixed by Patrick.

o [NSE] Port script start/finish debug messages now show the target
port number as well as the host/IP. [Jah]

o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]

o [NSE] Fixed http.table_argument so that user-supplied HTTP headers
are now properly sent in HTTP requests. [Jah]

Nmap 4.85BETA8 [2009-04-21]

o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
addition to the CONNECT tunneling method, so it can be used as a
proxy with an ordinary web browser.[David]

o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
--proxy-auth to provide a username and password that will be required
of proxy users. Only the insecure (not encrypted) Basic authentication
method is supported. [David]

o Ndiff's text output has been redone to look more like Nmap output
and be easier to read. See the Ndiff README file for an example. The
XML output is now based on Nmap's XML output as well. Zenmap's diff
viewer now shows the new output with syntax highlighting. [David]

o The new versions of the Conficker Internet worm ban infected systems
from visiting Insecure.Org and Nmap.Org. We take that as a
compliment to the effectiveness of our remote Conficker scanner.
They also ban DNS substrings "honey" (for the Honeynet Project),
"doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
Security, "coresecur" for Core Security Technologies, and
"iv.cs.uni" for those meddlesome (to the Conficker authors)
researchers at the University of Bonn. For people who can't reach
nmap.org due to infection, I've mirrored this release at
http://sectools.org/nmap/. [Fyodor]

o New Conficker versions eliminate the loophole we were using to
detect them with smb-check-vulns,nse, so we've added new methods
which work with the newest variants. Here are the Conficker-related
improvements since BETA7:
o Added new p2p-conficker script which detects Conficker using its
P2P update ports rather than MSRPC. This is based on some new
research by Symantec. See
http://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
o Since new Conficker variants prevent detection by our previous
MSRPC check in smb-check-vulns, we've added a new check which still
works. It involves calling netpathcanonicalize on "\" rather than
"\..\" and checking for a different return value. It was discovered
by Felix Leder and Tillmann Werner. [Ron]
o Improved smb-check-vulns Conficker error message text to be more
useful. [David]
o smb-check-vulns now defaults to using basic login rather than
extended logins as this seems to work better on some
machines. [Ron]
o Recommended command for a fast Conficker scan (combine into 1 line):
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns
--script-args checkconficker=1,safe=1 -T4 [target networks]
o Recommended command for a more comprehensive (but slower) scan:
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p-
--script-args checkall=1,safe=1 -T4 [target networks]

o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
code simplicity and extensibility. See
http://seclists.org/nmap-dev/2009/q2/0090.html and
http://seclists.org/nmap-dev/2009/q1/0047.html. [Patrick]

o [Zenmap] The "Cancel" button has been restored to the main screen.
It will cancel the scan that is currently being displayed. [David]

o Fixed an SMB library bug which could case a nil-pointer exception
when scanning broken SMB implementations. Reported by Steve
Horejsi. [Ron]

o [Ndiff] The setup.py installation script now suggests installing the
python-dev package in a certain error situation. Previously the
error message it printed was misleading:
error: invalid Python installation: unable to open
/usr/lib/python2.6/config/Makefile (No such file or directory)
The change was suggested by Aaron Leininger. [David]

o [Nbase] The checksum functions now have an nbase_ prefix. This
should prevent name collisions with internal but exported functions
in shared libraries Nmap links against (e.g. adler32() in zlib).
Such collisions seem to confuse the runtime linker on some platforms.
[Daniel Roethlisberger]

o Fixed banner.nse to remove surrounding whitespace from banners. For
example, this avoids a superfluous carriage return and newline at the
end of SSH greetings. [Patrick]

o Expanded and tweaked the product/version/info of service scans in an
attempt to reduce the number of warnings like "Warning: Servicescan
failed to fill info_template...". Parts of this change include:
o Improved the text of the warning to be less confusing
o Increased the internal version info buffer to 256 chars from 128
o Increased the final version string length to 160 from 128 chars
o Changed the behavior when constructing the final version string so
that if it runs out of space, rather than dropping the output of that
template it truncates the template with ...
o Fixed the printing of unneeded spaces between templates when one of the
templates isn't going to be printed at all.

o Improved the service scan DB to remove certain problematic regex
patterns which could lead to PCRE_MATCHLIMIT errors. For example,
instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
".*" as long as the DOTALL (/s) modifier was set. [Brandon]

o Changed some error() calls (which were more informational than error
messages) to use log_write() instead, and changed a few f?printf()
calls into error() or log_write(). [Brandon]

o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
to resolve names using the wrong address family (such as AF_INET
rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]

o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
It caused a crash when opening the Hosts Viewer on a host that had OS
information. A window appeared saying simply "Runtime Error!". [David]

o [Zenmap] Gracefully handle unrecognized port states in the hosts
viewer. Apparently old versions of Nmap can return a state of
"unknown". This prevents this crash:
File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
File "radialnet\gui\NodeNotebook.pyo", line 257, in __create_widgets
KeyError: u'unknown'

o Rewrote the debugging error message "Found whacked packet protocol
17 in get_ping_pcap_result" because we decided that receiving a UDP
packet during TCP ping scan is not egregious enough to qualify as
"whacked". [David]

Nmap 4.85BETA7 [2009-04-1]

o Improvements to the Conficker detection script (smb-check-vulns):
o Reduce false negative rate. We (and all the other scanners) used
to require the 0x57 return code as well as a canonicalized path
string including 0x5c450000. Tenable confirmed an infected system
which returned a 0x00000000 path, so we now treat any hosting
returning code 0x57 as likely infected. [Ron]
o Add workaround for crash in older versions of OpenSSL which would
occur when we received a blank authentication challenge string
from the server. The error looked like: evp_enc.c(282): OpenSSL
internal error, assertion failed: inl > 0". [Ron]
o Add helpful text for the two most common errors seen in the
Conficker check in smb-check-vulns.nse. So instead of saying
things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
| Conficker: Likely CLEAN; access was denied.
| | If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
| | (replace xxx and yyy with your username and password). Also try
| |_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
The other improved message is for

o The NSEDoc portal at http://nmap.org/nsedoc/ now provides download
links from the script and module pages to browse or download recent versions
of the code. It isn't quite as up-to-date as obtaining them from
svn directly, but may be more convenient. For an example, see
http://nmap.org/nsedoc/scripts/smb-check-vulns.html. [David, Fyodor]

o A copy of the Nmap public svn repository (/nmap, plus its zenmap,
nsock, nbase, and ncat externals) is now available at
http://nmap.org/svn/. We'll be updating this regularly, but it may
be slightly behind the SVN version. This is particularly useful
when you need to link to files in the tree, since browsers generally
don't handle svn:// repository links. [Fyodor]

o Declare a couple msrpc.lua variables as local to avoid a potential
deadlock between smb-server-stats.nse instances. [Ron]

Nmap 4.85BETA6 [2009-03-31]

o Fixed some bugs with the Conficker detection script
(smb-check-vulns) [Ron]:
o SMB response timeout raised to 20s from 5s to compensate for
slow/overloaded systems and networks.
o MSRPC now only signs messages if OpenSSL is available (avoids an
o Better error checking for MS08-067 patch
o Fixed forgotten endian-modifier (caused problems on big-endian
systems such as Solaris on SPARC).

o Host status messages (up/down) are now uniform between ping scanning
and port scanning and include more information. They used to vary
slightly, but now all look like
Host <host> is up (Xs latency).
Host <host> is down.
The new latency information is Nmap's estimate of the round trip
time. In addition, the reason for a host being up is now printed for
port scans just as for ping scans, with the --reason option. [David]

o Version detection now has a generic match line for SSLv3 servers,
which matches more servers than the already-existing set of specific
match lines. The match line found 13% more SSL servers in a test.
Note that Nmap will not be able to do SSL scan-through against a
small fraction of these servers, those that are SSLv3-only or
TLSv1-only, because that ability is not yet built into Nsock. There
is also a new version detection probe that works against SSLv2-only
servers. These have shown themselves to be very rare, so that probe
is not sent by default. Kristof Boeynaems provided the patch and did
the testing.

o [Zenmap] A typo that led to a crash if the ndiff subprocess
terminated with an error was fixed. [David] The message was
File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
UnboundLocalError: local variable 'error_test' referenced before assignment

o [Zenmap] A crash was fixed:
File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
KeyError: "Syst\xc3\xa8me d'Exploitation"
The text could be different, because the error was caused by
translating a string that was also being used as an index into an
internal data structure. The string will be untranslated until that
part of the code can be rewritten. [David]

o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
or target: search over hosts that had a MAC address. [David]
The crash output was
File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
File "zenmapCore\SearchResult.pyo", line 183, in match_target
TypeError: argument of type 'NoneType' is not iterable

o Fixed a bug which prevented all comma-separated --script arguments
from being shown in Nmap normal and XML output files where they show
the original Nmap command. [David]

o Fixed ping scanner's runtime statistics system so that instead of
saying "0 undergoing Ping Scan" it gives the actual number of hosts in
the group (e.g. 4096). [David]

o [Zenmap] A crash was fixed in displaying the "Error creating the
per-user configuration directory" dialog:
File "zenmap", line 104, in <module>
File "zenmapGUI\App.pyo", line 129, in run
UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
invalid data
The crash would only happen to users with paths containing
multibyte characters in a non-UTF-8 locale, who also had some error
preventing the creation of the directory. [David]

Nmap 4.85BETA5 [2009-03-30]

o Ron (in just a few hours of furious coding) added remote detection
of the Conficker worm to smb-check-vulns. It is based on new
research by Tillmann Werner and Felix Leder. You can scan your
network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
-v --script=smb-check-vulns --script-args safe=1 [targetnetworks]

o Ndiff now includes service (version detection) and OS detection
differences. [David]

o [Ncat] The --exec and --sh-exec options now work in UDP mode like
they do in TCP mode: the server handles multiple concurrent clients
and doesn't have to be restarted after each one. Marius Sturm
provided the patch.

o [Ncat] The -v option (used alone) no longer floods the screen with
debugging messages. With just -v, we now only print the most
important status messages such as "Connected to ...", a startup
banner, and error messages. At -vv, minor debugging messages are
enabled, such as what command is being executed by --sh-exec. With
-vvv you get detailed debugging messages. [David]

o [Ncat] Chat mode now lets other participants know when someone
connects or disconnects, and it also broadcasts a current list of
participants at such times. [David]

o [Ncat] Fixed a socket handling bug which could occur when you
redirect Ncat stdin, such as "ncat -l --chat < /dev/null". The next
user to connect would end up with file descriptor 0 (which is
normally stdin) and thus confuse Ncat. [David]

o [Zenmap] The "Scan Output" expanders in the diff window now behave
more naturally. Some strange behavior on Windows was noted by Jah.

o The following OS detection tests are no longer included in OS
fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
and SI were found not be helpful in distinguishing operating systems
because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
but now they are not included in prints at all. [David]

o The compile-time Nmap ASCII dragon is now more ferocious thanks to
better teeth alignment. [David]

o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
test that could cause a closed-port IP ID to be written into the
array for the SEQ.TI test and cause erroneous results. The bug was
found and fixed by Guillaume Prigent.

o Nbase has grown routines for calculating Adler32 and CRC32C
checksums. This is needed for future SCTP support. [Daniel

o [Zenmap] Zenmap no longer shows an error message when running Nmap
with options that cause a zero-length XML file to be produced (like
--iflist). [David]

o Fixed an off-by-one error in printableSize() which could cause Nmap
to crash while reporting NSE results. Also, NmapOutputTable's memory
allocation strategy was improved to conserve memory. [Brandon,

o [Zenmap] We now give the --force option to setup.py for installation
to ensure that it replaces all files. [David]

o Nmap's --packet-trace, --version-trace, and --script-trace now use
an Nsock trace level of 2 rather than 5. This removes some
superfluous lines which can flood the screen. [David]

o [Zenmap] Fixed a crash which could occur when loading the help URL
if the path contains multibyte characters. [David]

o [Ncat] The version number is now matched to the Nmap release it came
with rather than always being 0.2. [David]

o Fixed a strtok issue between load_exclude and
TargetGroup::parse_expr that caused only the first exclude on
a line to be loaded as well as an invalid read into free()'d
memory in load_exclude(). [Brandon, David]

o NSE's garbage collection system (for cleaning up sockets from
completed threads, etc.) has been improved. [Patrick]

Nmap 4.85BETA4 [2009-3-15]

o Added two new SMB/MSRPC NSE scripts by Ron Bowes:
smb-brute.nse: Bruteforce to discover SMB accounts. Has advanced
features, such as lockout detection, username validation, username
enumeration, and optimized case detection.
smb-pwdump.nse: Uses executables from the Pwdump6 project to dump
password hashes from a remote machine (and optionally crack them
with Rainbow Crack). Pwdump6 files have to be downloaded

o [Ncat] The --exec and --sh-exec options now work on Windows. This
was a big job, considering that Windows doesn't even have a fork()
call and has all sorts of socket idiosyncrasies. [David]

o Doug performed one of the largest version detection integration runs
ever, processing 1,746 submissions and 18 corrections. We are now
current with all submissions up to February 3. Keep them coming.
The version detection database has grown to 5,476 signatures for 510
application protocols. Doug posted his notes on the integration at
http://hcsw.org/blog.pl/37. We now have 1,868 http server
signatures, and the number of gopher signatures has bumped up from 5
to 6.

o Released the new Ncat guide which contains practical real-life Ncat
usage examples for Ncat's major features. It complements the more
option-centric man page. Read it here: http://nmap.org/ncat/guide/
[David, Fyodor]

o Ndiff is now included in the Windows zip distribution. For space
reasons, it is not an executable compiled with py2exe as in the
executable installer, rather it is the Ndiff source code (ndiff.py)
and a batch file wrapper (ndiff.bat). Because it's not precompiled,
it's necessary to have a Python interpreter installed. [David]

o The new --stats-every option takes a time interval that controls how
often timing status updates are printed. It's intended to be used
when Nmap is run by another program as a subprocess. Thanks to
Aleksandar Petrinic for the initial implementation. [David]

o [NSE] A new function stdnse.sleep allows a script to sleep for a
given time (and yield control to other scripts). [David]

o [Ncat] In --chat mode (formerly --talk), the server now announces to
everyone when someone connects or disconnects. Besides letting you
know who's connected, this also informs you of your "user name" as
soon as you connect. [David]

o [Ncat] Ncat now works interactively on Windows. Before,
peculiarities in the way Windows handles reading from the keyboard
meant that typing interactively into Ncat would cause it to quit
with a write timeout. [David]

o Refactored SMB and MSRPC NSE scripts significantly, moving much of
the code into the smb.lua and msrpc.lua modules where it can be
leveraged by other scripts. For example, the user enumeration
functions are used by smb-brute.nse. [Ron Bowes]

o [Ncat] The syntax accepted by the --allow, --deny, --allowfile, and
--denyfile options is now the same as Nmap's target specifications.
Additionally any errors in the allow or deny specifications are
reported when the program starts, not deferred until a connection is
received. [David]

o You can now use '-' by itself in a target IP specification to mean
0-255, so you could scan 192.168.-.-. An asterisk can also still be
used as an octet wildcard, but then you have to deal with shell
escaping on many platforms. [David]

o Nmap was discovered in another movie! In the Russian film
Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack
Microsoft. In response, MS sends a pretty female hacker to flush
him out. More details and screenshots: http://nmap.org/movies.html.

o Improved operating system support for the smb-enum-sessions NSE
script; previous revisions worked on Windows 2003 or Windows 2000,
but never both. Currently, it is tested and working on both
versions. [Ron Bowes]

o Implemented file-management functions in SMB, including file upload,
file download, and file delete. Only leverages by smb-pwdump.nse at
the moment, these functions give scripts the ability to perform
checks against the filesystem of a server. [Ron Bowes]

o [Zenmap] A crash was fixed that occurred when you ran a scan
that didn't produce any host output (like "nmap --iflist") and then
tried to remove it from the inventory. [David]
The crash looked like
ValueError: list.remove(x): x not in list

o [Ncat] In --chat mode, the server escapes potentially dangerous
control characters (in octal) before sending them to
clients. [David]

o [Ndiff] Added a workaround for a bug in PyXML. The bug would cause a
crash that looked like "KeyError: 0". [David]

o [Zenmap] Fixed a crash when something that looked like a format
specifier (like %y) appeared in a profile. The error message was
ValueError: unsupported format character 'y' (0x79)

o A bug was fixed in route finding on BSD Unix. The libdnet function
addr_stob didn't handle the special case of the sa_len member of
struct sockaddr being equal to 0 and accessed unrelated memory past
the end of the sockaddr. A symptom of this was the fatal error
nexthost: failed to determine route to ...
which was caused by the default route being assigned a netmask other
than [David]

o Added bindings for the service control (SVCCTL) and at service (ATSVC)
services. These are both related to running processes on the remote
system (identical to how PsExec-style scripts work). These bindings
are used by smb-pwdump.nse. [Ron Bowes]

o Refactored SMB authentication code into its own module, smbauth.lua.
Improved scripts' ability to store and retrieve login information
discovered by modules such as smb-brute.nse. [Ron Bowes]

o Added message signing to SMB. Connections will no longer fail if the
server requires message signatures. This is a rare case, but comes up
on occasion. If a server allows but doesn't require message signing,
smb.lua will negotiate signing. This improves security by preventing
man in the middle attacks. [Ron Bowes]

o Fixed the daytime.nse script to work for UDP again (it was checking
a "proto" field when the field name is actually "protocol"). [Jah]

o Implemented extended security negotiations in the NSE SMB
module. Creates no noticeable change from the user's perspective,
but it's a more modern protocol. [Ron Bowes]

o Nmap wins LinuxQuestions.Org Network Security Application of the
Year for the sixth year in a row! See

o [Zenmap] Removed some unnecessary (mostly GTK+-related) files from
the Windows installer--nmap-4.85BETA4-setup.exe is now smaller than
it has ever been since Nmap 4.22SOC6, which was released in August
2007! [David]

o Fixed the install-zenmap make target for Solaris portability.
Solaris /bin/sh does not have test(1) -e. [Daniel Roethlisberger]

o Version detection used to omit the "ssl/" service name prefix if an
SSL-tunneled port didn't respond to any version probes. Now it keeps
"ssl/" as an indication that SSL was discovered, even if the service
behind it wasn't identified. Kristof Boeynaems reported the problem
and contributed a patch. [David]

o [Ncat] The --talk option has been renamed --chat. --talk remains as an
undocumented alias.

o There is a new OS detection test named SEQ.CI. Like TI and II, CI
classifies the target's IP ID sequence generation algorithm. CI is
based on the responses received to the probes sent to a closed port.
The algorithm for closed ports has been observed to differ from that
for open ports on some operating systems (though we don't yet know
which ones). The new test won't have an effect until new
fingerprints containing it are added to nmap-os-db. We got the idea
from some notes sent in by Dario Ciccarone. [David,Fyodor]

o OS fingerprints now include the SEQ.II test (ICMP IP ID sequence
generation) even if there are no other SEQ test results. The
previous omission of SEQ.II in that case was a bug. [David]

o [Ncat] The --send-only and --recv-only options now work in listen
mode as well as connect mode. [David]

o [Ncat] An error in formatting bytes with the high bit set in hex
dump output was fixed. [David]

o [Zenmap] New translation: Croatian (contributed by Vlatko Kosturjak).

o Fixed a DNS decoding bug in dns-zone-transfer.nse that created
garbage output and could crash Zenmap by including 0x0C bytes in XML
files. The Zenmap crash looked like
SAXParseException: .../zenmap-XXXXXX.xml:39:290: not well-formed
(invalid token)
Thanks to Anino Belan and Eric Nickel for sending in affected log
files. [David]

o [NSEDoc] Scripts that use modules automatically have the script
arguments defined by those modules included in their documentation.
It's no longer necessary to manually supply @args for the arguments
in the modules you use. For those who haven't seen the NSEDoc portal
yet, check out http://nmap.org/nsedoc/. [David]

o An integer overflow in the scan progress meter was fixed. It caused
nonsense output like
UDP Scan Timing: About 11.34% done; ETC: 03:21 (-688:-41:-48 remaining)
during very long scans. [Henri Doreau]

o [Zenmap] A better method of detecting the system locale is used, so
it should not be necessary to set the LANG environment variable on
Windows to get internationalized text. Thanks to Dirk Loss for the
suggestion. [David]

o [Ncat] Added a number of automated tests for ensuring that Ncat is
working correctly. They are in /ncat/test in SVN. [David]

o [Ncat] Now builds again when using the --without-openssl
option. [David]

o [Zenmap] Fix auto-scroll behavior while Nmap is producing output, as
that previously failed in some cases involving wide lines in
output. [David]

o [Zenmap] The network topology feature (Radialnet) has been
internationalized so its strings will be localized as well (as soon
as the relevant language's translation files are updated. To help
out, see http://nmap.org/book/zenmap-lang.html. Some remaining search
interface elements were internationalized as well. [David]

o Improved the efficiency of the xml_convert() routine which handles
XML escaping. It was so inefficient that this stupid little routine
was noticeably slowing Nmap down in some cases. [David]

o Removed 9 OS detection device types which only had one or two
instances in our whole database (ATM, TV, oscilloscope, etc.) and
made some other cleanups as well. We plan to enhance this even
further for the next release. [Fyodor,David,Doug]

o [Zenmap] Removed some unnecessary GTK+ files from the files
installed by the Windows executable installer. [David]

o [Zenmap] Tweaked the file format of the topology icons
(firewall.png, padlock.png, etc.) in an attempt to improve
compatibility with some versions of GTK+. This may fix a crash like
File "radialnet/gui/Image.py", line 53, in get_pixbuf
self.__cache[icon + image_type] = gtk.gdk.pixbuf_new_from_file(file)
GError: Couldn't recognize the image file format for file 'radialnet/padlock.png'
Thanks to Trevor Bain for a report and help debugging. [David]

o Removed a bunch of unnecessary files (mostly GTK related) from the
Win32 exe installer to reduce its size. [David]

o Fixed an NSE crash (assertion error) which looked like
"nsock_core.c:293: handle_connect_result: Assertion `0'
failed". Brandon reported the bug, which was fixed by Doug and
David. See http://seclists.org/nmap-dev/2009/q1/0546.html.

Nmap 4.85BETA3 [2009-2-2]

o Revert the temporary GTK DLL workaround (r11899) which added
duplicate DLL files to the distribution. David found that using a
different GTK download fixed the problem (see
docs/win32-installer-zenmap-buildguide.txt) and Fyodor was able to
reproduce and implement.

o The conditions for printing OS fingerprints to XML output are now
the same as are used to decide whether to print them in the other
formats. So they will be printed if submission is desirable,
otherwise they are only printed if debugging is enabled or verbosity
is 2 or higher. [Tom Sellers]

o Removed some Brazilian poetry/lyrics from Zenmap source code
(NmapOutputViewer.py). We've seen enough of it in the debug logs. "E
nao se entrega, nao".

o Fix Ncat compilation with the MingW windows compiler. [Gisle Vanem]

o Corrected some NSE libraries (datafiles, tab) which were using the
old arg table interface. [Patrick]

o [Zenmap] Fixed a crash that happened when running a scan directly
from the command wizard without saving a profile [David]:
NmapParser.py", line 417, in set_target
self.ops.target_specs = target.split()
AttributeError: 'NoneType' object has no attribute 'split'

o Fixed an NSE pop3 library error which gave a message such as:
SCRIPT ENGINE (506.424s): ./scripts/pop3-capabilities.nse against
a.b.1.47:995 ended with error: ./scripts/pop3-capabilities.nse:32:
bad argument #1 to 'pairs' (table expected, got string) [Jah]

o Upgraded the OpenSSL binaries shipped in our Windows installer to
version 0.9.8j. [Kris]

o Updated IANA assignment IP list for random IP (-iR)
generation. [Kris]

Nmap 4.85BETA2 [2009-1-29]

o Added some duplicate GTK DLLs to Windows installer, as a temporary
fix for this issue: http://seclists.org/nmap-dev/2009/q1/0207.html.
The problem caused a warning message complaining of problems finding
librsvg-2-2.dll to pop up 32 times before Zenmap would start. We're
still looking for a better fix. [Fyodor, Rob, Jah]

o Made a few improvements to nmap.xsl (details:
http://seclists.org/nmap-dev/2009/q1/0210.html) [Tom Sellers]

o [Zenmap] New translation: French (contributed by Gutek)

o Updated the mswin32 installer build guide and posted it to
http://nmap.org/data/win32-installer-zenmap-buildguide.txt [Fyodor]

o The xampp-default-auth.nse script was renamed to ftp-brute.nse since
it has become more general.

Nmap 4.85BETA1 [2009-1-23]

o Added Ncat, a much-improved reimplementation of the venerable Netcat
tool which adds modern features and makes use of Nmap's efficient
networking libraries. Features include SSL support, proxy
connections (client or server, socks4 or connect-based, with or
without authentication, optionally chained), TCP and UDP connection
redirection, connection brokering (facilitating connections between
machines which are behind NAT gateways), and much more. It is
cross-platform (Linux, Windows, Mac, etc.) and supports IPv6 as well
as standard IPv4. See http://nmap.org/ncat/ for details. It is now
included in our binary packages (Windows, Linux, and Mac OS X), and
built by default. You can skip it with the --without-ncat configure
option. Thanks to Kris and David for their great work on this!

o Added the Ndiff utility, which compares the results of two Nmap
scans and describes the new/removed hosts, newly open/cosed ports,
changed operating systems, etc. This makes it trivial to scan your
networks on a regular basis and create a report (XML or text format)
on all the changes. See http://nmap.org/ndiff/ and ndiff/README for
more information. Ndiff is included in our binary packages and built
by default, though you can prevent it from being built by specifying
the --without-ndiff configure flag. Thanks to David and Michael
Pattrick for their great work on this.

o Released Nmap Network Scanning: The Official Nmap Project Guide to
Network Discovery and Security Scanning. From explaining port
scanning basics for novices to detailing low-level packet crafting
methods used by advanced hackers, this book suits all levels of
security and networking professionals. A 42-page reference guide
documents every Nmap feature and option, while the rest of the book
demonstrates how to apply those features to quickly solve real-world
tasks. It was briefly the #1 selling computer book on Amazon.
Translations to the German, Korean, and Brazilian Portuguese
languages are forthcoming. More than half of the book is already
free online. For more, see http://nmap.org/book/.

o David spent more than a month working on algorithms to improve port
scan performance while retaining or improving accuracy. The changes
are described at http://seclists.org/nmap-dev/2009/q1/0054.html. He
was able to reduce our "benchmark scan time" (which involves many
different scan types from many source networks to many targets) from
1879 seconds to 1321 without harming accuracy. That is a 30% time

o Introduced the NSE documentation portal, which documents every NSE
script and library included with Nmap. See http://nmap.org/nsedoc/.
Script documentation was improved substantially in the process.
Scripts and libraries must use the new NSEDoc format, which is
described at http://nmap.org/book/nsedoc.html. Thanks to Patrick
and David for their great work on this.

o The 2nd Generation OS Detection System was dramatically improved for
improved accuracy. After substantial testing, David and Fyodor made
the following changes:
o The "T" (TTL test) result ranges were widened to prevent minor
routing (and device hardware inconsistency) variations from causing
so many matches to fail.
o The TG (TTL guess) results were canonicalized. Nmap is only
capable of assigning the values 0x20, 0x40, 0x80, and 0xFF for
these tests, yet many fingerprints had different values. This was
due to bugs in our fingerprint integration tools.
o The U1.TOS and IE.TOSI tests (both having to do with the IP Type
of Service field) have been effectively eliminated (MatchPoints
set to 0). These proved particularly susceptible to false results
due to networking hardware along the packet route manipulating the
TOS header field.
o An important bug in OS detection's congestion control algorithms
was fixed. It could lead to Nmap sending packets much too quickly
in some cases, which hurt accuracy.

o Integrated all of your OS detection fingerprint submissions and
corrections up to January 8. The DB has grown more than 17% to
1,761 fingerprints. Newly detected services include Mac OS X
10.5.6, Linux 2.6.28, iPhone 2.1, and all manner of WAPs, VoIP
phones, routers, oscilloscopes, employee timeclocks, etc. Keep those
submissions coming!

o Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap
to interrogate Windows machines much more completely. He added
three new nselib modules: msrpc, netbios, and smb. As the names
suggest, they contain common code for scripts using MSRPC, NetBIOS,
and SMB. These modules allow scripts to extract a great deal of
information from hosts running Windows, particularly Windows
2000. New or updated scripts using the modules are:
nbstat.nse: get NetBIOS names and MAC address.
smb-enum-domains.nse: enumerate domains and policies.
smb-enum-processes.nse: allows a user with administrator
credentials to view a tree of the processes running on the
remote system (uses HKEY_PERFORMANCE_DATA hive).
smb-enum-sessions.nse: enumerate logins and SMB sessions.
smb-enum-shares.nse: enumerate network shares.
smb-enum-users.nse: enumerate users and information about them.
smb-os-discovery.nse: get operating system over SMB (replaces
smb-security-mode.nse: determine if a host uses user-level or
share-level security, and what other security features it
smb-server-stats.nse: grab statistics such as network traffic
smb-system-info.nse: get lots of information from the registry.

o A problem that caused OS detection to fail for most hosts in a
certain case was fixed. It happened when sending raw Ethernet frames
(by default on Windows or on other platforms with --send-eth) to
hosts on a switched LAN. The destination MAC address was wrong for
most targets. The symptom was that only one out of each scan group
of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go
to Michael Head for running tests and especially Trent Snyder for
testing and finding the cause of the problem. [David]

o Zenmap now runs ndiff to for its "Compare Results" function. This
completely replaces the old diff view. The diff window size is now
more flexible for user resizing as well. [David]

o Added a Russian translation of the Nmap Reference Guide by Guz
Alexander. We now have translations in 15 languages available from
http://nmap.org/docs.html. More volunteer translators are welcome,
as we are still missing some important languages. Translation
instructions are available from that docs.html page.

o Update Windows installer to handle Windows 7 (tested with the Beta
build 7000) [Rob Nicholls]

o Improved port scan performance by changing the list of high priority
ports which Nmap shifts closer to the beginning of scans because
they are more likely to be responsive. We based the change on
empirical data from large-scale scanning. The new port list is:
21, 22, 23, 25, 53, 80, 110, 111, 113, 135, 139, 143, 199, 256,
443, 445, 554, 587, 993, 995, 1025, 1720, 1723, 3306, 3389, 5900,
8080, 8888 [Fyodor, David]

o [NSE] Almost all scripts were renamed to be more consistent. They
are now all lowercase and most of them start with the name of the
service name they query. Words are separated by hyphens. [David,

o [NSE] Now that scripts are better named, the "Id" field has been
removed and the script name (sans the .nse or directory path
information) is used in script output instead. [David]

o [NSE] Added banner.nse, a simple script which connects to open TCP
ports and prints out anything sent in the first five seconds by the
listening service. [Jah]

o [NSE] Added a new OpenSSL library with functions for multiprecision
integer arithmetic, hashing, HMAC, symmetric encryption and
symmetric decryption. [Sven]

o [Zenmap] Internationalization has been fixed [David]. Currently
Zenmap has two translations:
o German by Chris Leick
o Brazilian Portuguese by Adriano Monteiro Marques (partial)
For details on using an existing translation or localizing Zenmap
into your own native language, see
http://nmap.org/book/zenmap-lang.html. [David]

o Zenmap no longer outputs XML elements and attributes that are not in
the Nmap XML DTD. This was done mostly by removing things from
Zenmap's output, and adding a few new optional things to the Nmap
DTD. A scan's profile name, host comments, and interactive text
output are what were added to nmap.dtd. The .usr filename extension
for saved Zenmap files is deprecated in favor of the .xml extension
commonly used with Nmap. Because of these changes the
xmloutputversion has been increased to 1.03. [David]

o The NSE registry now persists across host groups so that values
stored in it will remain until they are explicitly removed or Nmap
execution ends. [David]

o Enhanced the AS Numbers script (ASN.nse) to better consolidate
results and bail out if the DNS server doesn't support the ASN
queries. [Jah]

o Complete re-write of the marshaling logic for Microsoft RPC calls.
[Ron Bowes]

o Added a script that checks for ms08-067-vulnerable hosts
(smb-check-vulns.nse) using the smb nselib. It also checks for an
unfixed denial of service vulnerability Ron discovered in the
Windows 2000 registry service. [Ron Bowes]

o [Zenmap] Text size is larger on Mac OS X thanks to a new included
gtkrc file. [David]

o Reduced memory consumption for some longer-running scans by removing
completed hosts from the lists after two minutes. These hosts are
kept around in case there is a late response, but this draws the
line on how long we wait and hence keep this information in memory.
See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]

o The Windows installer now uses Zenmap binaries built using Python
2.6.1 rather than 2.5.1 [Fyodor]

o When a system route can't be matched up directly with an interface
by comparing addresses, Nmap now tries to match the route through
another route. This helps for instance with a PPP connection where
the default route's gateway address is routed through a different
route, the one associated with the address of the PPP device. The
problem would show itself as an inability to scan through the
default route and the error message
WARNING: Unable to find appropriate interface for system route to ...

o Removed a code comment which simply declared /* WANKER ALERT! */ for
no good reason. [Fyodor]

o NSE prints messages in debugging mode whenever a script starts or
finishes. [Patrick, David]

o [Ncat] The -l option can now be specified w/o a port number to
listen on Ncat's default port number (31337).

o [Zenmap] The Nmap output window now scrolls automatically as a scan
progresses. [David]

o [NSE] We now have a canonical way for scripts to check for
dependency libraries such as OpenSSL. This allows them to handle
the issue gracefully (by exiting or doing some of their work if
possible) rather than flooding the console with error messages as
before. See http://nmap.org/nsedoc/modules/openssl.html. [Pattrick,
David, Fyodor]

o Nmap now reports a proper error message when you combine an IPv6
scan (-6) with random IPv4 address selection (-iR). [Henri Doreau]

o Nmap now builds with the _FORTIFY_SOURCE=2 define. With modern
versions of GCC, this adds extra buffer overflow protection and
other security checks. It is described at
http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html. [David,

o The --excludefile option correctly handles files with no terminating
newline instead of claiming "Exclude file line 0 was too long to
read." [Henri D

投稿者 xml-rpc : 2009年7月17日 12:12
過去のフィードバック 平均:(0) 総合:(0) 投票回数:(0)
本記事へのTrackback: http://hoop.euqset.org/blog/mt-tb2006.cgi/86773