February 2, 2011

[installer 2665] nmap-5.50

nmap-5.50 is out.

The main point of this release seems to be the Nmap Scripting Engine (NSE) implementation.

From http://seclists.org/nmap-hackers/2011/0:
BEGIN-----------------------------------------------------
Hi folks! It has been a year since the last Nmap stable release
(5.21) and six months since development version 5.35DC1, so I'm
pleased to release Nmap 5.50! I'm sure you'll find that it was worth
the wait!

A primary focus of this release is the Nmap Scripting Engine, which
has allowed Nmap to expand up the protocol stack and take network
discovery to the next level. Nmap can now query all sorts of
application protocols, including web servers, databases, DNS servers,
FTP, and now even Gopher servers! Remember those? These capabilities
are in self-contained libraries and scripts to avoid bloating Nmap's
core engine.

I'm so excited about NSE that I made it the topic of my presentation
with David Fifield last summer at Defcon and the Black Hat Briefings.
You can watch the video at http://nmap.org/presentations/.

Since Nmap 5.21, we've more than doubled the number of NSE scripts to
177 and NSE libraries jumped from 30 to 54. They're all detailed at
http://nmap.org/nsedoc/.

The actual NSE engine became more powerful as well. Newtargets
support allows scripts like dns-zone-xfer and dns-service-discovery to
add discovered hosts to Nmap's scan queue. We also added a brute
forcing engine, network broadcast script support, and two new script
scanning phases known as prerule and postrule.

This release isn't just about NSE. We also added the Nping packet
probing and analysis tool (http://nmap.org/nping/) in 5.35DC1.
Version 5.50 improves Nping further with an innovative new echo mode
(http://bit.ly/nping-echo).

Meanwhile, we added 636 OS fingerprints and 1,037 version detection
signatures to Nmap since 5.21, bringing the totals to 2,982 and 7,319,
respectively. No other tool comes close.

Some people complained that our Zenmap GUI was too slow to handle
giant enterprise networks, so we put a lot of effort into performance.
Time taken to load our benchmark file (a scan of just over a million
IPs belonging to Microsoft corporation) was reduced from hours to less
than two minutes. We also gave Zenmap some new features, including a
script selection interface and printing support.
- snip -
END-------------------------------------------------------

☆ nmap-5.50
http://nmap.org/
http://nmap.org/dist/nmap-5.50.tgz

o [Zenmap] Added a new script selection interface, allowing you to
choose scripts and arguments from a list which includes descriptions
of every available script. Just click the "Scripting" tab in the
profile editor. [Kirubakaran]

o [Nping] Added echo mode, a novel technique for discovering how your
packets are changed (or dropped) in transit between the host they
originated and a target machine. It can detect network address
translation, packet filtering, routing anomalies, and more. You can
try it out against our public Nping echo server using this command:
nping --echo-client "public" echo.nmap.org
Or learn more about echo mode at
http://nmap.org/book/nping-man-echo-mode.html. [Luis]

o [NSE] Added an amazing 46 scripts, bringing the total to 177! You
can learn more about any of them at http://nmap.org/nsedoc/. Here
are the new ones (authors listed in brackets):

broadcast-dns-service-discovery: Attempts to discover hosts'
services using the DNS Service Discovery protocol. It sends a
multicast DNS-SD query and collects all the responses. [Patrik
Karlsson]

broadcast-dropbox-listener: Listens for the LAN sync information
broadcasts that the Dropbox.com client broadcasts every 20
seconds, then prints all the discovered client IP addresses, port
numbers, version numbers, display names, and more. [Ron Bowes,
Mak Kolybabi, Andrew Orr, Russ Tait Milne]

broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the
same broadcast domain. [Patrik Karlsson]

broadcast-upnp-info: Attempts to extract system information from the
UPnP service by sending a multicast query, then collecting,
parsing, and displaying all responses. [Patrik Karlsson]

broadcast-wsdd-discover: Uses a multicast query to discover devices
supporting the Web Services Dynamic Discovery (WS-Discovery)
protocol. It also attempts to locate any published Windows
Communication Framework (WCF) web services (.NET 4.0 or
later). [Patrik Karlsson]

db2-discover: Attempts to discover DB2 servers on the network by
querying open ibm-db2 UDP ports (normally port 523). [Patrik
Karlsson]

dns-update.nse: Attempts to perform an unauthenticated dynamic DNS
update. [Patrik Karlsson]

domcon-brute: Performs brute force password auditing against the
Lotus Domino Console. [Patrik Karlsson]

domcon-cmd: Runs a console command on the Lotus Domino Console with
the given authentication credentials (see also: domcon-brute).
[Patrik Karlsson]

domino-enum-users: Attempts to discover valid IBM Lotus Domino users
and download their ID files by exploiting the CVE-2006-5835
vulnerability. [Patrik Karlsson]

firewalk: Tries to discover firewall rules using an IP TTL
expiration technique known as firewalking. [Henri Doreau]

ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c
backdoor reported as OSVDB-ID 69562. This script attempts to
exploit the backdoor using the innocuous id command by default,
but that can be changed with a script argument. [Mak Kolybabi]

giop-info: Queries a CORBA naming server for a list of
objects. [Patrik Karlsson]

gopher-ls: Lists files and directories at the root of a gopher
service. Remember those? [Toni Ruottu]

hddtemp-info: Reads hard disk information (such as brand, model, and
sometimes temperature) from a listening hddtemp service. [Toni
Ruottu]

hostmap: Tries to find hostnames that resolve to the target's IP
address by querying the online database at
http://www.bfk.de/bfk_dnslogger.html. [Ange Gutek]

http-brute: Performs brute force password auditing against http
basic authentication. [Patrik Karlsson]

http-domino-enum-passwords: Attempts to enumerate the hashed Domino
Internet Passwords that are (by default) accessible by all
authenticated users. This script can also download any Domino ID
Files attached to the Person document. [Patrik Karlsson]

http-form-brute: Performs brute force password auditing against http
form-based authentication. [Patrik Karlsson]

http-vhosts: Searches for web virtual hostnames by making a large
number of HEAD requests against http servers using common
hostnames. [Carlos Pantelides]

informix-brute: Performs brute force password auditing against
IBM Informix Dynamic Server. [Patrik Karlsson]

informix-query: Runs a query against IBM Informix Dynamic Server
using the given authentication credentials (see also:
informix-brute). [Patrik Karlsson]

informix-tables: Retrieves a list of tables and column definitions
for each database on an Informix server. [Patrik Karlsson]

iscsi-brute: Performs brute force password auditing against iSCSI
targets. [Patrik Karlsson]

iscsi-info: Collects and displays information from remote iSCSI
targets. [Patrik Karlsson]

modbus-discover: Enumerates SCADA Modbus slave ids (sids) and
collects their device information. [Alexander Rudakov]

nat-pmp-info: Queries a NAT-PMP service for its external
address. [Patrik Karlsson]

netbus-auth-bypass: Checks if a NetBus server is vulnerable to an
authentication bypass vulnerability which allows full access
without knowing the password. [Toni Ruottu]

netbus-brute: Performs brute force password auditing against the
Netbus backdoor ("remote administration") service. [Toni Ruottu]

netbus-info: Opens a connection to a NetBus server and extracts
information about the host and the NetBus service itself. [Toni
Ruottu]

netbus-version: Extends version detection to detect NetBuster, a
honeypot service that mimes NetBus. [Toni Ruottu]

nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to
obtain information such as load averages, process counts, logged in
user information, etc. [Mak Kolybabi]

oracle-brute: Performs brute force password auditing against Oracle
servers. [Patrik Karlsson]

oracle-enum-users: Attempts to enumerate valid Oracle user names
against unpatched Oracle 11g servers (this bug was fixed in
Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]

path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris
Katterjohn]

resolveall: Resolves hostnames and adds every address (IPv4 or IPv6,
depending on Nmap mode) to Nmap's target list. This differs from
Nmap's normal host resolution process, which only scans the first
address (A or AAAA record) returned for each host name. [Kris
Katterjohn]

rmi-dumpregistry: Connects to a remote RMI registry and attempts to
dump all of its objects. [Martin Holst Swende]

smb-flood: Exhausts a remote SMB server's connection limit by
opening as many connections as we can. Most implementations of
SMB have a hard global limit of 11 connections for user accounts
and 10 connections for anonymous. Once that limit is reached,
further connections are denied. This script exploits that limit by
taking up all the connections and holding them. [Ron Bowes]

ssh2-enum-algos: Reports the number of algorithms (for encryption,
compression, etc.) that the target SSH2 server offers. If
verbosity is set, the offered algorithms are each listed by
type. [Kris Katterjohn]

stuxnet-detect: Detects whether a host is infected with the Stuxnet
worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]

svn-brute: Performs brute force password auditing against Subversion
source code control servers. [Patrik Karlsson]

targets-traceroute: Inserts traceroute hops into the Nmap scanning
queue. It only functions if Nmap's --traceroute option is used and
the newtargets script argument is given. [Henri Doreau]

vnc-brute: Performs brute force password auditing against VNC
servers. [Patrik Karlsson]

vnc-info: Queries a VNC server for its protocol version and
supported security types. [Patrik Karlsson]

wdb-version: Detects vulnerabilities and gathers information (such
as version numbers and hardware support) from VxWorks Wind DeBug
agents. [Daniel Miller]

wsdd-discover: Retrieves and displays information from devices
supporting the Web Services Dynamic Discovery (WS-Discovery)
protocol. It also attempts to locate any published Windows
Communication Framework (WCF) web services (.NET 4.0 or
later). [Patrik Karlsson]

o [NSE] Added 12 new protocol libraries:
- dhcp.lua by Ron
- dnssd.lua (DNS Service Discovery) by Patrik
- ftp.lua by David
- giop.lua (CORBA naming service) by Patrik
- informix.lua (Informix database) by Patrik
- iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
- nrpc.lua (Lotus Domino RPC) by Patrik
- rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
- tns.lua (Oracle) by Patrik
- upnp.lua (UPnP support) by Thomas Buchanan and Patrik
- vnc.lua (Virtual Network Computing) by Patrik
- wsdd.lua (Web Service Dynamic Discovery) by Patrik

o [NSE] Added a new brute library that provides a basic framework and logic
for brute force password auditing scripts. [Patrik]

o [Zenmap] Greatly improved performance for large scans by
benchmarking intensively and then recoding dozens of slow parts.
Time taken to load our benchmark file (a scan of just over a million
IPs belonging to Microsoft corporation, with 74,293 hosts up) was
reduced from hours to less than two minutes. Memory consumption
decreased dramatically as well. [David]

o Performed a major OS detection integration run. The database has
grown more than 14% to 2,982 fingerprints and many of the existing
fingerprints were improved. Highlights include Linux 2.6.37, iPhone
OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4.
David posted highlights of his integration work at
http://seclists.org/nmap-dev/2010/q4/651

o Performed a huge version detection integration run. The number of
signatures has grown by more than 11% to 7,355. More than a third
of our signatures are for http, but we also detect 743 other service
protocols, from abc, acap, access-remote-pc, and achat to zenworks,
zeo, and zmodem. David posted highlights at
http://seclists.org/nmap-dev/2010/q4/761.

o [NSE] Added the target NSE library which allows scripts to add newly
discovered targets to Nmap's scanning queue. This allows Nmap to
support a wide range of target acquisition techniques. Scripts which
can now use this feature include dns-zone-transfer, hostmap,
ms-sql-info, snmp-interfaces, targets-traceroute, and several
more. [Djalal]

o [NSE] Nmap has two new NSE script scanning phases. The new pre-scan
occurs before Nmap starts scanning. Some of the initial pre-scan
scripts use techniques like broadcast DNS service discovery or DNS
zone transfers to enumerate hosts which can optionally be treated as
targets. The other phase (post scan) runs after all of Nmap's
scanning is complete. We don't have any of these scripts yet, but
they could compile scan statistics or present the results in a
different way. One idea is a reverse index which provides a list of
services discovered during a network scan, along with a list of IPs
found to be running each service. See
http://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]

o [NSE] A new --script-help option describes all scripts matching a
given specification. It accepts the same specification format as
--script does. For example, try 'nmap --script-help "default or
http-*"'. [David, Martin Holst Swende]

o Dramatically improved nmap.xsl (used for converting Nmap XML output
to HTML). In particular:
- Put verbose details behind expander buttons so you can see them if
you want, but they don't distract from the main output. In
particular, offline hosts and traceroute results are collapsed by
default.
- Improved the color scheme to be less garish.
- Added support for the new NSE pre-scan and post-scan phases.
- Changed script output to use 'pre' tags to keep even lengthy
output readable.
- Added a floating menu to the lower-right for toggling whether
closed/filtered ports are shown or not (they are now hidden by
default if Javascript is enabled).
Many smaller improvements were made as well. You can find the new
file at http://nmap.org/svn/docs/nmap.xsl, and here is an example
scan processed through it: http://nmap.org/tmp/newxsl.html. [Tom]

o [NSE] Created a new "broadcast" script category for the broadcast-*
scripts. These perform network discovery by broadcasting on the
local network and listening for responses. Since they don't
directly relate to targets specified on the command line, these are
kept out of the default category (nor do they go in "discovery").

o Integrated cracked passwords from the Gawker.com compromise
(http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
password database. A team of Nmap developers led by Brandon Enright
has cracked 635,546 out of 748,081 password hashes so far
(85%). Gawker doesn't exactly have the most sophisticated users on
the Internet--their top passwords are "123456", "password",
"12345678", "lifehack", "qwerty", "abc123", "12345", "monkey",
"111111", "consumer", and "letmein".

o XML output now excludes output for down hosts when only doing host
discovery, unless verbosity (-v) was requested. This is how it
already worked for normal scans, but the ping-only case was
overlooked. [David]

o Updated the Windows build process to work with (and require) Visual
C++ 2010 rather than 2008. If you want to build Zenmap too, you now
need Python 2.7 (rather than 2.6) and GTK+ 2.22. See
http://nmap.org/book/inst-windows.html#inst-win-source [David, Rob
Nicholls, KX]

o Merged port names in the nmap-services file with allocated names
from the IANA (http://www.iana.org/assignments/port-numbers). We
only added IANA names which were "unknown" in our file--we didn't
deal with conflicting names. [David]

o Enabled the ASLR and DEP security technologies for Nmap.exe,
Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will
set the /DYNAMICBASE and /NXCOMPAT flags in the PE
header. Executables generated using py2exe or NSIS and third party
binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support
for DEP on XP SP3, using SetProcessDEPPolicy(), could still be
implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]
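As an added example (not code from the Nmap project or from the post), here is a small Python checker for the two PE header flags the entry above refers to: /DYNAMICBASE sets IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE (0x0040) and /NXCOMPAT sets IMAGE_DLLCHARACTERISTICS_NX_COMPAT (0x0100) in the DllCharacteristics field of the optional header. It lets you verify each binary shipped in an installer, including the py2exe and NSIS executables and the third-party DLLs the entry says still lack the flags. The build_stub_pe helper produces a constructed, headers-only image for offline testing; it is not a real executable. DEP turned on at runtime through SetProcessDEPPolicy() does not appear in the header, so a header check can only report the link-time flag.

```python
# Added example (not Nmap project code): report whether a Windows PE image was
# linked with /DYNAMICBASE (ASLR) and /NXCOMPAT (DEP) by reading the
# DllCharacteristics field of the optional header.
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040  # /DYNAMICBASE -> ASLR
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100     # /NXCOMPAT    -> DEP
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(data: bytes) -> dict:
    """Return {'aslr': bool, 'dep': bool, 'pe32plus': bool} for the PE image in data."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]   # offset of the PE header
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    # The COFF file header is 20 bytes; the optional header follows it.
    opt = e_lfanew + 4 + 20
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at offset 70 of the optional header in both the
    # PE32 and PE32+ layouts (the 8-byte ImageBase of PE32+ replaces BaseOfData).
    dllchar = struct.unpack_from("<H", data, opt + 70)[0]
    return {
        "aslr": bool(dllchar & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dllchar & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "pe32plus": magic == PE32PLUS_MAGIC,
    }


def build_stub_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed headers-only PE image for offline testing (not a runnable binary)."""
    e_lfanew = 0x40
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics (20 bytes)
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dll_characteristics)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def check_file(path: str) -> dict:
    """Read a binary from disk and report its link-time mitigation flags."""
    with open(path, "rb") as f:
        return pe_mitigations(f.read())


if __name__ == "__main__":
    import sys
    # Usage: python pe_mitigations.py nmap.exe ncat.exe nping.exe libeay32.dll
    for p in sys.argv[1:]:
        print(p, check_file(p))
```

Run it over every .exe and .dll in the installed directory; a binary that reports aslr=False can still be loaded into an ASLR-enabled process, but it then provides a fixed address that defeats the randomization of the rest of the image.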

o Investigated using the CPE (Common Platform Enumeration) standard
for describing operating systems, devices, and service names for
Nmap OS and service detection. You can read David's reports at
http://seclists.org/nmap-dev/2010/q3/278 and
http://seclists.org/nmap-dev/2010/q3/303.

o [Zenmap] Improved the output viewer to show new output in constant
time. Previously it would get slower and slower as the output grew
longer, eventually making Zenmap appear to freeze with 100% CPU. Rob
Nicholls and Ray Middleton helped with testing. [David]

o The Linux RPM builds of Nmap and related tools (ncat, nping, etc.)
now link to system libraries dynamically rather than statically.
They still link statically to dependency libraries such as OpenSSL,
Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so
the RPMs will work on distributions with older software (like RHEL,
Debian stable) as well as more bleeding edge ones like
Fedora. [David]

o [NSE] Added the ability to send and receive on unconnected sockets.
This can be used, for example, to receive UDP broadcasts without
having to use Libpcap. A number of scripts have been changed so that
they can work as prerule scripts to discover services by UDP
broadcasting, and optionally add the discovered targets to the
scanning queue:
- ms-sql-info
- upnp-info
- dns-service-discovery
The nmap.new_socket function can now optionally take a default
protocol and address family, which will be used if the socket is not
connected. There is a new nmap.sendto function to be used with
unconnected UDP sockets. [David, Patrik]

o [Nping] Substantially improved the Nping man page. You can read it
online at http://nmap.org/book/nping-man.html. [Luis, David]

o Documented the licenses of the third-party software used by Nmap and
its sibling tools:
http://nmap.org/svn/docs/3rd-party-licenses.txt. [David]

o [NSE] Improved the SMB scripts so that they can run in parallel
rather than using a mutex to force serialization. This quadrupled
the SMB scan speed in one large scale test. See
http://seclists.org/nmap-dev/2010/q3/819. [Ron]

o Added a simple Nmap NSE script template to make writing new scripts
easier: http://nmap.org/svn/docs/sample-script.nse. [Ron]

o [Zenmap] Made the topology node radiuses grow logarithmically
instead of linearly, so that hosts with thousands of open ports
don't overwhelm the diagram. Also only open ports (not
open|filtered) are considered when calculating node sizes. Henri
Doreau found and fixed a bug in the implementation. [Daniel Miller]

o [NSE] Added the get_script_args NSE function for parsing script
arguments in a clean and standardized way
(http://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]

o Increased the initial RTT timeout for ARP scans from 100 ms to 200
ms. Some wireless and VPN links were taking around 300 ms to
respond. The default of one retransmission gives them 400 ms to be
detected.

o Added new version detection probes and signatures from Patrik for:
- Lotus Domino Console running on tcp/2050 (shows OS and hostname)
- IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
- Database servers running the DRDA protocol
- IBM Websphere MQ (shows name of queue-manager and channel)

o Fix Nmap compilation on OpenSolaris (see
http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on) [David]

o [NSE] The http library's request functions now accept an additional
"auth" table within the option table, which causes Basic
authentication credentials to be sent. [David]

o Improved IPv6 host output in that we now remember and report the
forward DNS name (given by the user) and any non-scanned addresses
(usually because of round robin DNS). We already did this for
IPv4. [David]

o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
messages about gtk.Tooltip. [Rob Nicholls]

o [NSE] Made dns-zone-transfer script able to add new discovered DNS
records to the Nmap scanning queue. [Djalal]

o [NSE] Enhance ssl-cert to also report the type and bit size of SSL
certificate public keys [Matt Selsky]

o [Ncat] Make --exec and --idle-timeout work when connecting with
--proxy. Florian Roth reported the bug. [David]

o [Nping] Fixed a bug which caused Nping to fail when targeting
broadcast addresses (see
http://seclists.org/nmap-dev/2010/q3/752). [Luis]

o [Nping] Nping now limits concurrent open file descriptors properly
based on the resources available on the host (see
http://seclists.org/nmap-dev/2010/q4/2). [Luis]

o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
and language lists can be set using new keys in the "options" table
argument. These all default to the same value used before. Also, the
required "cookie" argument is now replaced by an optional "cookie"
key in the "options" table, defaulting to random bytes as suggested
by the RFC. [Kris]

o Ncat now logs Nsock debug output to stderr instead of stdout for
consistency with its other debug messages. [David]

o [NSE] Added a new function, shortport.http, for HTTP script
portrules and changed 14 scripts to use it. [David]

o Updated to the latest config.guess and config.sub. Thanks to Ty
Miller for a reminder. [David]

o [NSE] Added prerule support to snmp-interfaces and the ability to
add the remote host's interface addresses to the scanning queue.
The new script arguments used for this functionality are "host"
(required) and "port" (optional). [Kris]

o Fixed some inconsistencies in nmap-os-db and a small memory leak
that would happen when there was more than one round of OS
detection. These were reported by Xavier Sudre from
netVigilance. [David]

o [NSE] Fixed a bug with worker threads calling the wrong destructors.
Fixing this allows better parallelism in http-brute.nse. The problem
was reported by Patrik Karlsson. [David, Patrick]

o Upgraded the OpenSSL binaries shipped in our Windows installer to
version 1.0.0a. [David]

o [NSE] Added prerule support to the dns-zone-transfer script,
allowing it to run early to discover IPs from DNS records and
optionally add those IPs to Nmap's target queue. You must specify
the DNS server and domain name to use with script
arguments. [Djalal]

o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
a struct of the same name in <netinet/sctp.h>. This caused a
compilation error when Nmap was compiled with an OpenSSL that had
SCTP support. [Olli Hauer, Daniel Roethlisberger]

o [NSE] Implemented a big cleanup of the Nmap NSE Nsock library
binding code. [Patrick]

o Added a bunch of Apple and Netatalk AFP service detection
signatures. These often provide extra details such as whether the
target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]

o [NSE] Host tables now have a host.traceroute member available when
--traceroute is used. This array contains the IP address, reverse
DNS name, and RTT for each traceroute hop. [Henri Doreau]

o [NSE] Made the ftp-anon script return a directory listing when
anonymous login is allowed. [Gutek, David]

o [NSE] Added the nmap.resolve() function. It takes a host name and
optionally an address family (such as "inet") and returns a table
containing all of its matching addresses. If no address family is
specified, all addresses for the name are returned. [Kris]

o [NSE] Added the nmap.address_family() function which returns the address
family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
called with the -6 option). [Kris]

o [NSE] Scripts can now access the MTU of the host.interface device using
host.interface_mtu. [Kris]

o Restrict the default Windows DLL search path by removing the current
directory. This adds extra protection against DLL hijacking attacks,
especially if we were to add file type associations to Nmap in the
future. We implement this with the SetDllDirectory function when
available (Windows XP SP1 and later). Otherwise, we call
SetCurrentDirectory with the directory containing the
executable. [David]

o Nmap now prints the MTU for interfaces in --iflist output. [Kris]

o [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x
no longer supports. [Alexandru]

o [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
Nmap NSE, allowing them to connect to servers which run multiple SSL
websites on one IP address. To enable this for NSE, the nmap.connect
function has been changed to accept host and port tables (like those
provided to the action function) in place of a string and a
number. [David]

o [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added
support for other DRDA-based databases such as IBM Informix Dynamic
Server and Apache Derby. [Patrik]

o [Nsock] Added a new function, nsi_set_hostname, to set the intended
hostname of the target. This allows the use of Server Name
Indication in SSL connections. [David]

o [NSE] Limits the number of ports that qscan will scan (now up to 8
open ports and up to 1 closed port by default). These limits can be
controlled with the qscan.numopen and qscan.numclosed script
arguments. [David]

o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
but no SSLv2 ciphers are offered. This happened with a specific
Sendmail configuration. [Matt Selsky]

o [NSE] Added a "times" table to the host table passed to scripts.
This table contains Nmap's timing data (srtt, the smoothed round
trip time; rttvar, the rtt variance; and timeout), all represented
as floating-point seconds. The ipidseq and qscan scripts were
updated to utilize the host's timeout value rather than using a
conservative guess of 3 seconds for read timeouts. [Kris]

o Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
which were improperly sending whole packets in version
5.35DC1. [Kris]

o [NSE] When receiving raw packets from Pcap, the packet capture time
is now available to scripts as an additional return value from
pcap_receive(). It is returned as the floating point number of
seconds since the epoch. Also added the nmap.clock() function which
returns the current time (and convenience functions clock_ms() and
clock_us()). Qscan.nse was updated to use this more accurate timing
data. [Kris]

o [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch
source code analyzer (http://smatch.sourceforge.net/). [David]

o [Zenmap] Fixed a crash that would happen after opening the search
window, entering a relative date criterion such as "after:-7", and
then clicking the "Expressions" button. The error message was
AttributeError: 'tuple' object has no attribute 'strftime'
[David]

o Added a new packet payload--a NAT-PMP external address request for
port 5351/udp. Payloads help us elicit responses from listening UDP
services to better distinguish them from filtered ports. This
payload goes well with our new nat-pmp-info script. [David, Patrik]

o Updated IANA IP address space assignment list for random IP (-iR)
generation. [Kris]

o [Ncat] Ncat now uses case-insensitive string comparison when
checking authentication schemes and parameters. Florian Roth found a
server offering "BASIC" instead of "Basic", and the HTTP RFC
requires case-insensitive comparisons in most places. [David]

o [NSE] There is now a limit of 1,000 concurrent running scripts,
instituted to keep memory under control when there are many open
ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
crash) for one host with tens of thousands of open ports. This limit
can be controlled with the variable CONCURRENCY_LIMIT in
nse_main.lua. [David]

o The command line in XML output (/nmaprun/@args attribute) now does
quoting of whitespace using double quotes and backslashes. This
allows recovering the original command line array even when
arguments contain whitespace. [David]
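Added example, not Nmap's code: the entry says only that whitespace is quoted with double quotes and backslashes, so the exact rule used below (backslash-escape `"` and `\` in every argument, wrap any argument containing whitespace in double quotes) is an assumption about that scheme. The point it shows is the round trip a log parser needs: because the value lives in an XML attribute, XML entity decoding has to happen first (an XML parser does it), and only then is the shell-like splitting applied to recover the argv array. The nmaprun document is constructed inline.

```python
# Added example (not Nmap project code): quote an argv into a single string the
# way the changelog entry describes for /nmaprun/@args, split it back into the
# original argument list, and read the attribute out of an nmaprun document.
import xml.etree.ElementTree as ET


def quote_args(argv):
    """Join argv into one string. Assumed rule: backslash-escape '"' and '\\'
    in every argument; wrap arguments containing whitespace (or empty ones)
    in double quotes."""
    out = []
    for arg in argv:
        escaped = arg.replace("\\", "\\\\").replace('"', '\\"')
        if arg == "" or any(c.isspace() for c in arg):
            escaped = '"' + escaped + '"'
        out.append(escaped)
    return " ".join(out)


def split_args(s: str) -> list:
    """Inverse of quote_args: recover the argv list from the joined string."""
    argv, cur, in_quotes, have_token = [], [], False, False
    i = 0
    while i < len(s):
        c = s[i]
        if c == "\\" and i + 1 < len(s):
            cur.append(s[i + 1])        # escaped character, taken literally
            have_token = True
            i += 2
            continue
        if c == '"':
            in_quotes = not in_quotes   # quotes delimit; they are not part of the value
            have_token = True
        elif c.isspace() and not in_quotes:
            if have_token:
                argv.append("".join(cur))
                cur, have_token = [], False
        else:
            cur.append(c)
            have_token = True
        i += 1
    if in_quotes:
        raise ValueError("unterminated double quote in args")
    if have_token:
        argv.append("".join(cur))
    return argv


def argv_from_nmaprun(xml_text: str) -> list:
    """Read /nmaprun/@args (entities already decoded by the XML parser) and split it."""
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("not an nmaprun document")
    return split_args(root.get("args", ""))


# Constructed sample: one argument with a space, one with embedded double quotes.
SAMPLE_ARGV = ["nmap", "-oX", "out file.xml", "--script-args", 'user=a "b"', "10.0.0.1"]
SAMPLE_XML = '<?xml version="1.0"?><nmaprun scanner="nmap" args="%s"></nmaprun>' % (
    quote_args(SAMPLE_ARGV).replace("&", "&amp;").replace('"', "&quot;").replace("<", "&lt;")
)
```

The attribute for SAMPLE_ARGV reads `nmap -oX "out file.xml" --script-args "user=a \"b\"" 10.0.0.1` after entity decoding; a parser that splits the value on spaces alone would turn the third argument into two tokens.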

o Added a service detection probe for master servers of Quake 3 and
related games. [Toni Ruottu]

Nmap 5.35DC1 [2010-07-16]

o [NSE] Added 17 scripts, bringing the total to 131! They are
described individually in the CHANGELOG, but here is the list of new
ones:
afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie,
http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls,
ntp-monlist
Learn more about any of these at: http://nmap.org/nsedoc/

o Performed a major OS detection integration run. The database has
grown to 2,608 fingerprints (an increase of 262) and many of the
existing fingerprints were improved. These include the Apple iPad
and Cisco IOS 15.X devices. We also received many fingerprints for
ancient Microsoft systems including MS-DOS with MS Networking Client
3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
integration work at http://seclists.org/nmap-dev/2010/q2/283.

o Performed a large version detection integration run. The number of
signatures has grown to 6,622 (an increase of 279). New signatures
include a remote administrative backdoor that a school famously used
to spy on its students, an open source digital currency scheme named
Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
Frozen Bubble. You can read David's highlights at
http://seclists.org/nmap-dev/2010/q2/385.

o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
attributes. The nfs-acls and nfs-dirlist scripts were deleted
because all their features are supported by this script. [Djalal]

o [NSE] Add new DB2 library and two scripts
- db2-brute.nse uses the unpwdb library to guess credentials for DB2
- db2-info.nse re-write of Tom Sellers script to use the new library
[Patrik]

o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
scripts are:
- ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
- ms-sql-config retrieves various configuration details from the server
- ms-sql-empty-password checks if the sa account has an empty password
- ms-sql-hasdbaccess lists database access per user
- ms-sql-query add support for running custom queries against the database
- ms-sql-tables lists databases, tables, columns and datatypes with optional
keyword filtering
- ms-sql-xp-cmdshell adds support for OS command execution to privileged
users
[Patrik]

o [NSE] Added the afp-serverinfo script that gets a hostname, IP
addresses, and other configuration information from an AFP server.
The script, and a patch to the afp library, were contributed by
Andrew Orr and subsequently enhanced by Patrik and David.

o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
The Windows RAS RPC service vulnerability MS06-025
(http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
and the Windows DNS Server RPC vuln MS07-029
(http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
Note that these are only run if you specify the "unsafe" script arg
because the implemented test crashes vulnerable services. [Drazen]

o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
cache snooping by either sending non-recursive queries or by measuring
response times.

o [Zenmap] Added the ability to print Nmap output to a
printer. [David]

o [Nmap, Ncat, Nping] The default unit for time specifications is now
seconds, not milliseconds, and times may have a decimal point. 1000
now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
Floating point values such as 1.5 are now allowed. This affects the
following options:
  Nmap:
    --host-timeout
    --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
    --scan-delay --max-scan-delay
    --stats-every
  Ncat:
    -d --delay
    -i --idle-timeout
    -w --wait
  Nping:
    --delay
    --host-timeout
    --icmp-orig-time --icmp-recv-time --icmp-trans-time
Some sanity checks have been added to catch what looks like an
attempt to use the old millisecond defaults. For example,
--host-timeout 10000 yields
  Since April 2010, the default unit for --host-timeout is seconds,
  so your time of "10000" is 2.8 hours. If this is what you want,
  use "10000s".
  QUITTING!
You can always disable the warning by giving an explicit unit.

o [NSE] Scripts which take an argument for a time duration can now
have the duration be a number followed by a unit, like elsewhere in
Nmap. An example is "10m" for 10 minutes. The units understood are
"ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
hours. Seconds are the default if no unit is specified. The new
function stdnse.parse_timespec does the parsing of these
formats. The qscan.delay script argument, which formerly interpreted
its argument as being in milliseconds, now defaults to seconds;
append "ms" to continue using the same numbers. [David]
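The two entries above describe the unit handling (seconds by default, "ms", "s", "m" and "h" suffixes, decimal values allowed) and the sanity check that catches values which look like the old millisecond defaults. The following is an added example written in Python for this page; it is not Nmap's or nselib's code (Nmap's own parser is stdnse.parse_timespec, in Lua). The function names, the regular expression and the one-hour threshold for the warning are assumptions of the example.

```python
import re

# Units accepted by an Nmap-style time specification.  A bare number is
# taken as seconds, which is the behaviour described in the changelog.
_UNIT_SECONDS = {"s": 1.0, "m": 60.0, "h": 3600.0}

# number (integer or decimal) followed by an optional alphabetic unit
_SPEC_RE = re.compile(r"^\s*(\d+(?:\.\d+)?|\.\d+)\s*([A-Za-z]*)\s*$")


def parse_timespec(spec):
    """Return the number of seconds denoted by spec ("10m", "1.5", "500ms").

    Raises ValueError for a malformed value or an unknown unit.
    """
    m = _SPEC_RE.match(spec)
    if m is None:
        raise ValueError("bad time specification: %r" % spec)
    number, unit = m.group(1), m.group(2).lower()
    if unit == "":
        unit = "s"
    if unit == "ms":
        # divide rather than multiply by 0.001 so 500ms is exactly 0.5
        return float(number) / 1000.0
    if unit not in _UNIT_SECONDS:
        raise ValueError("unknown time unit %r in %r" % (unit, spec))
    return float(number) * _UNIT_SECONDS[unit]


def check_legacy_milliseconds(option, spec, threshold=3600.0):
    """Sanity check in the spirit of Nmap's --host-timeout warning.

    A large bare number (no unit) probably dates from when the default unit
    was milliseconds.  Returns None when the value looks fine, otherwise the
    message a user would see.  An explicit unit always silences the check.
    The one-hour threshold is an assumption of this example.
    """
    m = _SPEC_RE.match(spec)
    if m is None or m.group(2):        # unparseable, or a unit was given
        return None
    seconds = parse_timespec(spec)
    if seconds < threshold:
        return None
    return ('Since April 2010, the default unit for %s is seconds, '
            'so your time of "%s" is %.1f hours. If this is what you want, '
            'use "%ss".' % (option, spec, seconds / 3600.0, spec))


if __name__ == "__main__":
    for s in ("10m", "1.5", "500ms", "2h"):
        print("%-6s -> %g s" % (s, parse_timespec(s)))
    print(check_legacy_milliseconds("--host-timeout", "10000"))
    print(check_legacy_milliseconds("--host-timeout", "10000s"))
```

The check only fires for a bare number, so appending a unit (as the changelog recommends) disables it without changing the parsed value.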

o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
that was in UnrealIRCd source code distributions between November
2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
[Vlatko Kosturjak, Ron, David]

o Ports are now considered open during a SYN scan if a SYN packet
(without the ACK flag) is received in response. This can be due to
an extremely rare TCP feature known as a simultaneous open or split
handshake connection. See http://bit.ly/tcp-sh and
http://seclists.org/nmap-dev/2010/q2/723. [Jah]

o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
single connection and then exit, just like in normal listen mode.
Use the --keep-open option to get the old default inetd-like
behavior. This was suggested by David Millis. [David]

o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
off-by-one stack overflow vulnerability in libopie by giving the FTP
service an overly long name. See
http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
details.

o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
client hosts associated with a scanned target by sending NTPv2
Private Mode 'monitor' and 'peers' commands to the target. [Jah]

o [NSE] Added http-php-version.nse from Gutek. This script retrieves
version-specific pages through a couple of magic PHP queries, which
can identify the PHP version even when a server doesn't advertise
it.

o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
servers. Added a new category - fuzzer - for scripts like this.
[Michael Pattrick]

o David made many improvements to the NSEDoc for individual scripts,
including adding @output sections to scripts which didn't have them.
He also improved the generated HTML with features like
auto-generating usage strings if the scripts don't include their own
and allowing the giant sidebar lists of scripts/libraries to expand
and contract. See http://nmap.org/nsedoc/.

o UDP payloads are now stored in an external data file, nmap-payloads,
instead of being hard-coded in the executable. This makes it easier
to add your own payloads or disable those you find problematic. [Jay
Fink, David]

o The Windows executable installer now uses LZMA compression instead
of zlib, making it about 15% smaller. See
http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]

o Open XML elements are now closed in case of a fatal error, so the
output should at least be well-formed. There are new attributes
"exit" and "errormsg" in the finished element. "exit" is "success"
or "error". When it is "error", the "errormsg" attribute contains
the error message. Thanks to Grant Bartlett, who found a typo in the
new output. [David]
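The entry above describes closing still-open elements on a fatal error and recording the outcome in the finished element's "exit" and "errormsg" attributes. The following is an added Python example for this page, not Nmap's output code: it keeps a stack of open elements so a fatal error can unwind it and still emit a well-formed document. The class and function names, and the exact nesting of elements, are assumptions of the example.

```python
from xml.sax.saxutils import quoteattr
import xml.etree.ElementTree as ET


class XmlOutput:
    """Buffer an XML document and track the open-element stack so that a
    fatal error can still close every element and leave the output
    well-formed."""

    def __init__(self, root="nmaprun", **attrs):
        self.parts = ['<?xml version="1.0"?>\n']
        self.open = []
        self.start(root, **attrs)

    @staticmethod
    def _attrs(attrs):
        # quoteattr escapes <, & and quotes, so an arbitrary error message
        # cannot break the markup it is embedded in.
        return "".join(" %s=%s" % (k, quoteattr(str(v)))
                       for k, v in attrs.items())

    def start(self, name, **attrs):
        self.parts.append("<%s%s>" % (name, self._attrs(attrs)))
        self.open.append(name)

    def empty(self, name, **attrs):
        self.parts.append("<%s%s/>" % (name, self._attrs(attrs)))

    def end(self, name):
        top = self.open.pop()
        if top != name:
            raise ValueError("closing %s while %s is open" % (name, top))
        self.parts.append("</%s>" % name)

    def finish(self, exit="success", errormsg=None):
        """Close whatever is still open, write the finished element with the
        exit/errormsg attributes, close the root and return the document."""
        while len(self.open) > 1:
            self.end(self.open[-1])
        attrs = {"exit": exit}
        if exit == "error":
            attrs["errormsg"] = errormsg or "unknown error"
        self.empty("finished", **attrs)
        self.end(self.open[-1])
        return "".join(self.parts)


def scan_with_fatal_error():
    """Constructed scenario: three elements are open when the error hits."""
    out = XmlOutput(scanner="nmap")
    out.start("host")
    out.start("ports")
    out.empty("port", portid=80)
    # the error text is the one quoted elsewhere in this changelog
    return out.finish(exit="error",
                      errormsg="Unexpected error in NSE_TYPE_READ callback. "
                               "Error code: 71 (Protocol error)")


def finished_attrs(doc):
    """Parse doc (raising ParseError if it is not well-formed) and return
    the attributes of its finished element."""
    root = ET.fromstring(doc)
    return dict(root.find("finished").attrib)


if __name__ == "__main__":
    print(scan_with_fatal_error())
```

Because the document is only ever closed through finish(), a consumer such as Zenmap or an XML-based reporting pipeline can parse the output even when the scan died halfway, and can tell the two cases apart from the "exit" attribute instead of guessing from a truncated file.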

o Fixed name resolution in environments where gethostbyname can return
IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
would wrongly use the first four bytes of the IPv6 address as an
IPv4 address. You could force this, at least on Debian, by adding
the line "options inet6" to /etc/resolv.conf or by running with
RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
Andersson, who also suggested the fix. [David]
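The bug above is a type-confusion of address families: the first four bytes of a 16-byte IPv6 address were read as an IPv4 address. The following is an added Python example for this page, not Nmap's resolver code; it shows the wrong interpretation next to a version that checks the family before interpreting the bytes. The function names and the constructed resolver results are assumptions of the example.

```python
import socket


def ipv4_from_first_four_bytes(raw):
    """The buggy interpretation: whatever the resolver returned, read its
    first four bytes as an IPv4 address."""
    return socket.inet_ntoa(raw[:4])


def ipv4_from_address(family, raw):
    """The fixed interpretation: only an AF_INET result of exactly four
    bytes is an IPv4 address; anything else is rejected, not mangled."""
    if family != socket.AF_INET or len(raw) != 4:
        raise ValueError("not an IPv4 address (family %r, %d bytes)"
                         % (family, len(raw)))
    return socket.inet_ntoa(raw)


def pick_ipv4(results):
    """Given (family, raw_bytes) pairs in the order a resolver returned
    them, return the first IPv4 address, skipping IPv6 entries."""
    for family, raw in results:
        if family == socket.AF_INET and len(raw) == 4:
            return socket.inet_ntoa(raw)
    return None


# Constructed resolver results, as an inet6-preferring resolver might
# return them: an IPv6 answer first, then an IPv4 one.  The addresses are
# documentation ranges (RFC 3849 and RFC 5737), not real hosts.
CONSTRUCTED_RESULTS = [
    (socket.AF_INET6, socket.inet_pton(socket.AF_INET6, "2001:db8::1")),
    (socket.AF_INET, socket.inet_pton(socket.AF_INET, "192.0.2.10")),
]


if __name__ == "__main__":
    fam, raw = CONSTRUCTED_RESULTS[0]
    print("buggy :", ipv4_from_first_four_bytes(raw))   # 32.1.13.184
    print("fixed :", pick_ipv4(CONSTRUCTED_RESULTS))    # 192.0.2.10
```

With the buggy path, 2001:db8::1 silently becomes 32.1.13.184 and the scan goes to an unrelated host; the fixed path either skips to the IPv4 answer or fails loudly.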

o Fixed the assignment of interface aliases to directly connected
routes on Linux, which was broken in 5.30BETA1 (it always assigned
the base interface instead of the alias). This was visible in the
host.interface variable passed to NSE scripts. The bug was reported by
Victor Rudnev. [David]

o When Nmap is passed a hostname such as google.com which resolves to
several IP addresses, Nmap now prints each IP address. It still
only scans the first one in the returned list. [David]

o Nmap now works if you specify several target host names which
resolve to the same IP address. This can be useful when you are
scanning virtual-hosted web servers and want to see NSE results
specific to each site name even though they reside on the same
machine. [David]

o Made a list of current Nmap SVN committers:
http://nmap.org/svn/docs/committers.txt

o Added a new library, libnetutil, which contains about 2,700 lines of
networking related code which is now shared between Nmap and Nping
(it was previously duplicated by each tool). [Luis, David]

o [NSE] http-passwd.nse now also checks for boot.ini to support
Windows targets. [Gutek]

o Removed --interactive mode, a miniature shell whose primary purpose
was to hide command line arguments from the process list. It had
been broken (would segfault during the second scan) for at least 9
months and was rarely used. The fact that it was broken was reported
by Juan Carlos Castro. [David]

o Added a version probe, match line, and UDP payload for the
serialnumberd service of Mac OS X Server. This service overrides
firewall settings to make itself visible, so it's useful for host
discovery. [Patrik]

o Improved service detection match lines for:
o Oracle Enterprise Manager Agent and mupdate by Matt Selsky
o Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
Communications Server, and Comdasys, SIParator and Glassfish SIP
by Patrik
o PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
HTTPd by Tom Sellers

o Improved our brute force password guessing list by mixing in some
data sent in by Solar Designer of John the Ripper fame.

o [Zenmap] IP addresses are now sorted by octet rather than their
string representation. For example, 10.1.1.2 is now sorted before
10.1.1.10. This problem was reported by Norris Carden. [David]

o [NSE] Added UDP header parsing support to packet.lua. [jah]

o Fixed a bug in Libpcap which led to Nmap hanging forever in some
cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3. The fix was
actually already available in upstream Libpcap, just not released.
We also had to make Nmap build with its own Libpcap on 64-bit OS X
if an already-installed system Libpcap has this bug. [David]

o Updated our WinPcap to the new 4.1.2 release. [Rob Nicholls]

o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
level of 0.9995 was used. Thanks to Marcin Hoffmann for noticing
the problem. [Kris]

o [libpcap] Added a --disable-packet-ring option to force the use of
an older, slower packet capture mechanism on Linux. Before Linux
2.6.27, the packet ring mechanism uses different-sized kernel
structures on 32- and 64-bit architectures, so a 32-bit program will
not run correctly on a 64-bit kernel. The older mechanism does not
have this flaw.

o Fixed some errors in nmap-os-db, probably caused by incorrect string
replacement during integration. This patch is from James Cook.

o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
allows setting the SO_BROADCAST option on sockets. Ncat now sets
this option unconditionally in connect mode to allow connections to
broadcast addresses (useful in UDP mode). [Daniel Miller]

o Nmap now works with "teamed" network interfaces on Windows. In order
to distinguish the interfaces, their textual descriptions are now
compared in addition to their MAC addresses. Without this, Nmap
would send on the wrong interface and not receive any replies. A
symptom of this problem was all scans failing except when
--unprivileged was used. Norris Carden reported this bug. [David]

o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
prints the connecting source port along with the IP address (when
verbosity is enabled). [Rebellis]

o Fixed a problem where the time variable used in some port scanning
algorithms (for probe timeouts, etc) could vary based on the
debugging level. [Kris]

o Moved the parse_long function from ncat to nbase for better reuse,
and used it to simplify netmask parsing code. [William Pursell]

o Added EPROTO to the list of known error codes in service scan. Daniel
Miller reported that an EPROTO was causing Nmap to exit after sending
the Sqlping probe during service scan. The error message was
"Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
error)". We suspect this was caused by a forged ICMP packet sent by an
active firewall. [David]

o [NSE] Improved smtp-commands.nse to work against more mail servers,
made it take an smtp-commands.domain script argument, and rewrote it
in the style of other smtp scripts. [Jason DePriest]

o [NSE] Made smtp-commands run for the services smtp, smtps,
submission rather than just smtp. The other smtp scripts already do
this. [David]

o [NSE] The dns-recursion script now marks the port as open when it
gets a response. [Olivier M]

o [Nping] A big correctness and code cleanliness audit was performed
which resulted in many bugs being fixed and much more code being
shared with Nmap rather than duplicated. A structured testing
script system was also created. [Luis, David]

o [Nping] Now allows a --count value of zero to run almost
indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]

o [Nping] Fixed --data argument parsing. The value passed was not
actually making it into outgoing packets. Reported by Tim
Poth. [Luis]

o [Nping] When a RST packet is received in response to a connection
attempt in TCP-Connect mode, Nping now properly prints "Connection
refused" rather than "Operation now in progress". [Luis]

o [Nping] Fixed a bug which caused failure when the first supplied
target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
tcpdump.com). [Luis]

o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
and printing of packets Nping sent or which are destined for another
process. [Luis]

o [Nping] Fixed a bug which prevented ARP replies from being displayed
properly. [Luis]

o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
be set in host byte order rather than proper network byte
order. [Luis]

o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]

o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
1.8.2. Among other changes, this fixes a segmentation fault reported
by some OS X 10.6.3 users.

o Nsock now supports an option to remove its Pcap support. This
allows the same Nsock to be shared with Nmap (which needs that
support) and Ncrack (which doesn't.) Pcap support can be disabled by
specifying --disable-pcap at configure time on UNIX, or by selecting
the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
Windows.

o Sped up compilation by not building both shared and static libdnet
libraries--we only use the static one. [David]

o [NSE] Improved error handling and reporting and re-designed communication
class in RPC library with patch from Djalal Harouni. [Patrik]

o Upgraded the included libpcap to version 1.1.1. [David]

o [NSE] Add some special-use IPv4 addresses to isPrivate which are
described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
performance of isPrivate for IPv4 addresses by using ip_in_range
less frequently. Add an extra return value to isPrivate - when the
first return value is true, the second return value will now be a
string representing the special use assignment in which the supplied
address is located. [jah]
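The isPrivate entry above (special-use ranges from RFC 5736 and RFC 5737, a cheaper range check, and a second return value naming the assignment) and the earlier Zenmap entry about sorting addresses by octet rather than as strings both come down to treating an IPv4 address as a 32-bit integer. The following is an added Python example for this page covering both; it is not nselib's ipOps code, the range table is illustrative rather than a copy of nselib's, and the function names are assumptions of the example.

```python
import socket
import struct

# Special-use IPv4 assignments: the RFC 1918 private ranges plus the ones
# the changelog names (RFC 5736, RFC 5737) and two other common ones.
SPECIAL_USE = [
    ("10.0.0.0",     8,  "private-use (RFC 1918)"),
    ("172.16.0.0",   12, "private-use (RFC 1918)"),
    ("192.168.0.0",  16, "private-use (RFC 1918)"),
    ("127.0.0.0",    8,  "loopback (RFC 1122)"),
    ("169.254.0.0",  16, "link-local (RFC 3927)"),
    ("192.0.0.0",    24, "IETF protocol assignments (RFC 5736)"),
    ("192.0.2.0",    24, "TEST-NET-1 (RFC 5737)"),
    ("198.51.100.0", 24, "TEST-NET-2 (RFC 5737)"),
    ("203.0.113.0",  24, "TEST-NET-3 (RFC 5737)"),
]


def ip_to_int(ip):
    """Dotted quad -> 32-bit integer in network byte order."""
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def prefix_mask(bits):
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


# Convert the table to (network, mask, description) once, so each lookup
# is a handful of integer operations instead of repeated range parsing;
# this is the kind of saving the changelog's "ip_in_range less frequently"
# refers to.
_TABLE = [(ip_to_int(net), prefix_mask(bits), desc)
          for net, bits, desc in SPECIAL_USE]


def is_private(ip):
    """Return (True, description) for a special-use address, otherwise
    (False, None), mirroring the two-value return described above."""
    addr = ip_to_int(ip)
    for net, mask, desc in _TABLE:
        if addr & mask == net:
            return True, desc
    return False, None


def sort_by_octet(addresses):
    """Sort dotted quads numerically, so 10.1.1.2 precedes 10.1.1.10; a
    plain string sort would put 10.1.1.10 first."""
    return sorted(addresses, key=ip_to_int)


if __name__ == "__main__":
    for ip in ("192.0.2.5", "192.0.0.9", "172.31.255.255", "8.8.8.8"):
        print(ip, is_private(ip))
    print(sort_by_octet(["10.1.1.10", "10.1.1.2", "10.1.1.1"]))
```

Knowing which special-use block an address falls in matters when reading scan results: a TEST-NET or link-local address showing up in output usually points at a misconfiguration or a spoofed source rather than a reachable host.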

o Fix compilation on OpenSolaris. We had to make the libdnet autoconf
check for PF_PACKET Linux-specific. Recent versions of OpenSolaris
support PF_PACKET, but not in a way which is entirely compatible
with the Linux approach. This problem was reported by Darren Reed. A
few other minor compatibility changes were made as well. [David]

o [NSE] Added script arguments "username" and "password" to ftp-bounce
to override the default anonymous:IEUser@ login combination. [Kris]

o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]

o [NSE] Added an snmpWalk() function to the SNMP library and updated
scripts to use it. [Patrik]

o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
[Jah]

o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.

o Updated IANA IP address space assignment list for random IP (-iR)
generation. [Kris]

o Created a new directory for storing todo lists for Nmap and related
projects. You can see what we're working on and planning by
visiting http://nmap.org/svn/todo/.

o [NSE] Removed explicit time limit checking from ms-sql-brute,
pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
library does this automatically now. [David]

o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly.
[Patrik]

o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
name in the MySQL library. [Kris]

o Cleaned up our Winpcap header file directory, and also updated to
the latest files from the official developer pack
(WpdPack_4_1_1.zip). [Fyodor]

o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
results for RPC programs which could not be matched to a
name. [Patrik]

o [NSE] The ftp-anon script is now much smarter about parsing server
responses and detecting successful (or not) logins. It now knows
how to send the ACCT command where appropriate as well. [Rob
Nicholls]

o Normalized a bunch of version detection entries with "webserver" in
the description. In most cases this was changed to "httpd".

o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
case that one system read ends with \r and the next begins with \n
(should be rare). [David]
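The --crlf fix above is a chunk-boundary problem: a converter that works one read at a time cannot tell whether the "\n" at the start of this read was already preceded by a "\r" at the end of the last one. The following is an added Python example for this page, not Ncat's code; it shows the stateless per-read conversion that produces the stray byte beside a converter that carries one bit of state across reads. The class and function names are assumptions of the example.

```python
class CrlfConverter:
    """Turn bare LF into CRLF on a byte stream, in the spirit of Ncat --crlf,
    without inserting an extra CR when a CR at the end of one read is
    followed by an LF at the start of the next."""

    def __init__(self):
        self._pending_cr = False   # did the previous chunk end with CR?

    def feed(self, chunk):
        out = bytearray()
        prev_cr = self._pending_cr
        for b in chunk:            # iterating bytes yields ints
            if b == 0x0A and not prev_cr:
                out.append(0x0D)   # bare LF: supply the missing CR
            out.append(b)
            prev_cr = (b == 0x0D)
        self._pending_cr = prev_cr # remember state for the next read
        return bytes(out)


def convert_naive(chunk):
    """Stateless per-read conversion: the behaviour the changelog fixed."""
    return chunk.replace(b"\r\n", b"\n").replace(b"\n", b"\r\n")


def convert_stream(chunks, naive=False):
    """Run a sequence of reads through one converter and join the output."""
    if naive:
        return b"".join(convert_naive(c) for c in chunks)
    conv = CrlfConverter()
    return b"".join(conv.feed(c) for c in chunks)


if __name__ == "__main__":
    # Constructed reads: the first ends with CR, the second starts with LF.
    reads = [b"HELO example\r", b"\nMAIL FROM:<a@example>\r\n"]
    print(convert_stream(reads, naive=True))   # stray \r after HELO line
    print(convert_stream(reads))               # correct
```

Any filter that rewrites a multi-byte sequence has to keep the unmatched prefix of that sequence across reads; the same bug pattern shows up in escape-sequence stripping, UTF-8 validation and signature matching on streamed data.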

o [NSE] Fixed a bug in rpc.lua library that incorrectly required file handles
to be 32 octets when calling the ReadDir function. The bug was reported by
Djalal Harouni. [Patrik]

Nmap 5.30BETA1 [2010-03-29]

o [NSE] Added 37 scripts, bringing the total to 117! They are
described individually in the CHANGELOG, but here is the list of new
ones:
afp-brute afp-path-vuln afp-showmount couchdb-databases
couchdb-stats daap-get-library db2-das-info dns-service-discovery
http-methods http-vmware-path-vuln ipidseq jdwp-version ldap-brute
ldap-rootdse ldap-search lexmark-config mongodb-databases
mongodb-info mysql-brute mysql-databases mysql-empty-password
mysql-users mysql-variables nfs-acls nfs-dirlist nfs-statfs
pgsql-brute qscan smtp-enum-users snmp-interfaces snmp-netstat
snmp-processes snmp-win32-services snmp-win32-shares
snmp-win32-software snmp-win32-users ssl-enum-ciphers
Learn more about any of these at: http://nmap.org/nsedoc/

o [NSE] New script afp-path-vuln detects and can exploit a major Mac
OS X AFP directory traversal vulnerability (CVE-2010-0533)
discovered by Nmap developer Patrik Karlsson. See
http://nmap.org/nsedoc/scripts/afp-path-vuln.html and
http://bit.ly/nmapafp.

o An ALPHA TEST VERSION of Nping, a packet generator written by Luis
MartinGarcia and Fyodor last summer, is now included in the Nmap
distribution. While it works, we consider the application unfinished
and we hope to improve it greatly as a Summer of Code project this
summer and then do an official release. See http://nmap.org/nping/.

o [NSE] Added RPC library and three new NFS scripts. Modified the
rpcinfo and nfs-showmount scripts to use the new library. The new
scripts are:
- nfs-acls shows the owner and directory mode of NFS exports
(http://nmap.org/nsedoc/scripts/nfs-acls.html).
- nfs-dirlist lists the contents of NFS exports
(http://nmap.org/nsedoc/scripts/nfs-dirlist.html).
- nfs-statfs shows file system statistics for NFS exports
(http://nmap.org/nsedoc/scripts/nfs-statfs.html).
[Patrik]

o [NSE] Added the new dns-service-discovery script which uses DNS-SD
to identify services. DNS-SD is one part of automatic configuration
technologies known by names such as Bonjour, Rendezvous, and
Zeroconf. This one script can provide as much information as a full
port scan in some cases. See
http://nmap.org/nsedoc/scripts/dns-service-discovery.html. [Patrik
Karlsson]

o [NSE] New script afp-brute for brute force authentication attempts
against the Apple AFP filesharing protocol. See
http://nmap.org/nsedoc/scripts/afp-brute.html. [Patrik]

o [NSE] Added a new script afp-showmount which displays Apple AFP
shares and their permissions. See
http://nmap.org/nsedoc/scripts/afp-showmount.html. [Patrik]

o [NSE] Added the qscan script to repeatedly probe ports on a host to
gather round-trip times for each port. The script then uses these
times to group together ports with statistically equivalent round
trip times. Ports in different groups could be the result of things
such as port forwarding to hosts behind a NAT. It is based on work
by Doug Hoyte. This script also utilizes the new NSE raw IP sending
functionality. See http://nmap.org/nsedoc/scripts/qscan.html. [Kris]

o [NSE] Added a new script, db2-das-info.nse, that connects to the IBM
DB2 Administration Server (DAS) and exports the server profile. No
authentication is required for this request. The script will also
set the port product and version if a version scan is requested. See
http://nmap.org/nsedoc/scripts/db2-das-info.html. [Patrik Karlsson,
Tom Sellers]

o [NSE] Added a new library for ASN.1 parsing and adapted the SNMP
library to make use of it. Added 5 SNMP scripts that use the new
libraries:
- snmp-netstat shows listening and connected
sockets (http://nmap.org/nsedoc/scripts/snmp-netstat.html).
- snmp-processes shows process information including name, pid, path
& parameters (http://nmap.org/nsedoc/scripts/snmp-processes.html).
- snmp-win32-services shows the names of running Windows services
(http://nmap.org/nsedoc/scripts/snmp-win32-services.html).
- snmp-win32-shares shows the names and path of Windows shares
(http://nmap.org/nsedoc/scripts/snmp-win32-shares.html).
- snmp-win32-software shows a list of installed Windows software
(http://nmap.org/nsedoc/scripts/snmp-win32-software.html).
- snmp-win32-users shows a list of local Windows users
(http://nmap.org/nsedoc/scripts/snmp-win32-users.html).
[Patrik]

o [NSE] Added the snmp-interfaces script by Thomas Buchanan, which
enumerates network interfaces over SNMP. See
http://nmap.org/nsedoc/scripts/snmp-interfaces.html.

o [NSE] Added http-vmware-path-vuln.nse, which checks for a critical
and easy to exploit path-traversal vulnerability in VMWare
(CVE-2009-3733). See
http://nmap.org/nsedoc/scripts/http-vmware-path-vuln.html. [Ron]

o [NSE] Added a new library for LDAP and three new scripts by Patrik:
- ldap-brute uses the unpwdb library to guess credentials for LDAP
(http://nmap.org/nsedoc/scripts/ldap-brute.html).
- ldap-rootdse retrieves the LDAP root DSA-specific Entry (DSE)
(http://nmap.org/nsedoc/scripts/ldap-rootdse.html).
- ldap-search queries an LDAP directory for either
all, or a number of pre-defined object types
(http://nmap.org/nsedoc/scripts/ldap-search.html).

o [NSE] Added a new library for PostgreSQL and the script pgsql-brute
that uses it to guess credentials. See
http://nmap.org/nsedoc/scripts/pgsql-brute.html. [Patrik]

o [NSE] Added 5 new MySQL NSE scripts and a MySQL library by Patrik Karlsson:
- mysql-brute uses the unpwdb library to guess credentials for MySQL
(http://nmap.org/nsedoc/scripts/mysql-brute.html).
- mysql-databases queries MySQL for a list of databases
(http://nmap.org/nsedoc/scripts/mysql-databases.html).
- mysql-empty-password attempts to authenticate anonymously or as
root with an empty password
(http://nmap.org/nsedoc/scripts/mysql-empty-password.html).
- mysql-users queries MySQL for a list of database users
(http://nmap.org/nsedoc/scripts/mysql-users.html).
- mysql-variables queries MySQL for its variables and their
settings (http://nmap.org/nsedoc/scripts/mysql-variables.html).

o Improved the passwords.lst database used by NSE by combining several
leaked password databases collected by Ron Bowes. The size of the
database has been increased from 200 to 5000.

o Zenmap's "slow comprehensive scan profile" has been modified to use
the best 7-probe host discovery combination we were able to find in
extensive empirical testing
(http://www.bamsoftware.com/wiki/nmap/EffectivenessOfPingProbes).
That combination is "-PE -PP -PS21,22,23,25,80,113,31339
-PA80,113,443,10042 -PO". [David]

o Switched to -Pn and -sn as the preferred syntax for skipping
ping scan and skipping port scan, respectively. Previously the -PN
and -sP options were recommended. This establishes a more regular
syntax for some options that disable phases of a scan:
  -n   no reverse DNS
  -Pn  no host discovery
  -sn  no port scan
We also felt that the old -sP ("ping scan") option was a bit
misleading because current versions of Nmap can go much further
(including -sC and --traceroute) even with port scans disabled. We
will retain support for the previous option names for the foreseeable
future.

o [NSE] Added the ipidseq script to classify a host's IP ID sequence
numbers in the same way Nmap does. This can be used to test hosts'
suitability for Nmap's Idle Scan (-sI), i.e. check if a host is an
idle zombie. This is the first script to use the new raw IP sending
functionality in NSE. See
http://nmap.org/nsedoc/scripts/ipidseq.html. [Kris]

o [NSE] Added the ssl-enum-ciphers script by Mak Kolybabi. It lists
the ciphers and compressors supported by SSL/TLS servers. See
http://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html.

o [NSE] Added two new scripts for the MongoDB database from Martin
Holst Swende. mongodb-info
(http://nmap.org/nsedoc/scripts/mongodb-info.html) gets information
like the version number, memory use, and operating system, while
mongodb-databases
(http://nmap.org/nsedoc/scripts/mongodb-databases.html) lists the
databases and their size on disk.

o [NSE] Added the scripts couchdb-databases and couchdb-stats, which
list CouchDB databases and show access statistics, and a new
json.lua library they depend on. See
http://nmap.org/nsedoc/scripts/couchdb-databases.html and
http://nmap.org/nsedoc/scripts/couchdb-stats.html [Martin Holst
Swende]

o [NSE] Added the new lexmark-config script that lists product
information and configuration for Lexmark printers. See
http://nmap.org/nsedoc/scripts/lexmark-config.html. [Patrik
Karlsson]

o [NSE] Added the new daap-get-library script which uses the Digital
Audio Access Protocol to enumerate the contents of a library. The
contents contain the name of the artist, album and song. See
http://nmap.org/nsedoc/scripts/daap-get-library.html. [Patrik]

o [NSE] Added jdwp-version.nse, a script by Michael Schierl that finds
the version of a Java Debug Wire Protocol server. This is a
dangerous service to find running as it does not provide any
security against malicious attackers who can inject their own
bytecode into the debugged process. See
http://nmap.org/nsedoc/scripts/jdwp-version.html.

o [NSE] Added the smtp-enum-users script from Duarte Silva, which
attempts to find user account names over SMTP by brute force testing
using RCPT, VRFY, and EXPN tests.

o [NSE] The unpwdb library now has a default time limit on the
usernames and passwords iterators. This will prevent brute force
scripts from running for a long time when a service is slow. These
new script arguments control the limits:
  unpwdb.userlimit  Limit on number of usernames.
  unpwdb.passlimit  Limit on number of passwords.
  unpwdb.timelimit  Time limit in seconds.
Pass 0 for any of these limits to disable it. For more details, see
http://nmap.org/nsedoc/lib/unpwdb.html. [David]

o When --open is used, Nmap no longer prints output for hosts which
don't have any open ports. All output formats are treated the same
way, so if a host isn't shown in normal output, it won't be shown in
XML output either.

o [NSE] Added the script http-methods from Bernd Stroessenreuther.
This script sends an HTTP OPTIONS request to get the methods
supported by the server, highlights potentially risky methods, and
optionally tests each method to see if they are restricted by IP
address or something similar. See
http://nmap.org/nsedoc/scripts/http-methods.html.

o The -v and -d options are now handled in the same way. These three
forms are equivalent:
  -v -v -v    -vvv    -v3
  -d -d -d    -ddd    -d3
Formerly, the -ddd and -v3 forms didn't work. Mak Kolybabi submitted
a patch.

o Fixed a libpcap compilation error on Solaris. This was actually
fixed in libpcap's source control back in 2008, but they haven't made
a release since then :(. They still seem to be actively developing
though, so let's hope for a release soon. Solaris compilation fixes
were made to Ncat and Nping as well.

o Zenmap now lets you save scan results in normal Nmap text output
format or (as before) as XML. The XML format still has the text
version embedded inside it, and is still the only format Zenmap can
load again. The "Save to Directory" mode for saving multiple
aggregated scans at once still always saves XML results. [David]

o Fixed the packaging of x64 versions of WinPcap drivers in the
winpcap-nmap installer to ensure that 64-bit applications (such as
64-bit Wireshark) work properly. [Rob Nicholls]

o Fixed the Idle Scan (-sI) so that scanning multiple hosts doesn't
retest the zombie proxy and reinitialize all of the associated data
at the beginning of each run. [Kris]

o [NSE] Raw packet sending at the IP layer is now supported, in
addition to the existing Ethernet sending functionality. Packets to
send start with an IPv4 header and can be sent to arbitrary
hosts. For details, see
http://nmap.org/book/nse-api.html#nse-api-networkio-raw [Kris]

o Added version detection match line for the Arucer backdoor, which was
found packaged with drivers for the Energizer USB recharger product
(see http://www.kb.cert.org/vuls/id/154421). [Ron]

o Fixed --resume to work again despite our recent changes to the Nmap
output format. [jlanthea]

o [Zenmap] Localized most of the remaining strings in the GUI
interface which were English-only. The actual textual Nmap results
are still in English, since they come from Nmap itself, but the GUI
is now almost fully localized. [David]

o [Zenmap] Updated the localization files for the French
translation. [Gutek]

o [Zenmap] Fixed an interface bug which could cause hostnames with
underscores like "host_a" to be rendered like "hosta" with the "a"
underlined. Thanks to Toralf F. for the report, and David for the
fix.

o Nmap now honors routing table entries that override interface
addresses and netmasks. For example, with this configuration:

************************INTERFACES************************
DEV  (SHORT) IP/MASK          TYPE     UP MAC
eth0 (eth0)  192.168.0.21/24  ethernet up 00:00:00:00:00:00

**************************ROUTES**************************
DST/MASK        DEV  GATEWAY
192.168.0.3/32  eth0 192.168.0.1
192.168.0.0/24  eth0

Nmap will not consider 192.168.0.3 directly connected through eth0,
even though it matches the interface's netmask. It won't try to ARP
ping 192.168.0.3, but will route traffic through 192.168.0.1.
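The decision described above is a longest-prefix match over the routing table rather than a check against the interface netmask alone: the /32 host route wins over the interface's /24, so the next hop for 192.168.0.3 is the gateway, not the host itself. The following is an added Python example for this page, not Nmap's routing code; the routes and interface are taken from the --iflist output quoted in the entry, and the function names are assumptions of the example.

```python
import socket
import struct


def ip_to_int(ip):
    return struct.unpack("!I", socket.inet_aton(ip))[0]


def prefix_mask(bits):
    return (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF


# From the --iflist output in the changelog entry: one interface and two
# routes, a /32 host route via a gateway and the directly connected /24.
INTERFACES = {"eth0": ("192.168.0.21", 24)}
ROUTES = [
    ("192.168.0.3", 32, "eth0", "192.168.0.1"),   # host route via gateway
    ("192.168.0.0", 24, "eth0", None),            # directly connected
]


def lookup_route(dst, routes=ROUTES):
    """Longest-prefix match.  Returns (dev, gateway), with gateway None for
    a directly connected destination, or None if nothing matches."""
    d = ip_to_int(dst)
    best = None
    for net, bits, dev, gw in routes:
        mask = prefix_mask(bits)
        if d & mask == ip_to_int(net) & mask:
            if best is None or bits > best[0]:
                best = (bits, dev, gw)
    return None if best is None else (best[1], best[2])


def next_hop(dst, routes=ROUTES):
    """The address that will actually be ARPed for on the chosen device:
    the gateway when the route has one, otherwise the destination."""
    route = lookup_route(dst, routes)
    if route is None:
        return None
    dev, gw = route
    return (dev, gw if gw is not None else dst)


def netmask_says_directly_connected(dst, iface="eth0"):
    """The old, wrong logic: trust only the interface address and netmask.
    For 192.168.0.3 this says 'directly connected', contradicting the
    routing table."""
    addr, bits = INTERFACES[iface]
    mask = prefix_mask(bits)
    return ip_to_int(dst) & mask == ip_to_int(addr) & mask


if __name__ == "__main__":
    for dst in ("192.168.0.3", "192.168.0.5", "10.0.0.1"):
        print(dst, "route:", lookup_route(dst), "next hop:", next_hop(dst),
              "netmask-only:", netmask_says_directly_connected(dst)
              if dst.startswith("192.168.0.") else "n/a")
```

Getting this wrong is not just a reachability bug: a host route through a gateway is often how a firewall, IDS tap or policy router is inserted in front of a single machine, and a scanner that ARPs for the destination directly would bypass it.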

o [Ncat] The HTTP proxy server now accepts client connections over
SSL. That means connections to the proxy can be encrypted and
authenticated. We haven't found any HTTP clients that directly
support SSL connections to proxies, but you can use Ncat as a tunnel
to an SSL-supporting Ncat proxy. This new feature was implemented by
Markus Klinik.

o Updated our Mac OS X build system so that our binary packages are
built on Mac OS X 10.6 rather than 10.5. [David]

o Fixed reading of the interface table on NetBSD. Running nmap
--iflist would report "INTERFACES: NONE FOUND(!)" and any scan done
as root would fail with "WARNING: Unable to find appropriate
interface for system route to...". This was first reported by Jay
Fink, and had already been patched in the NetBSD pkgsrc
tree. [David]

o Fixed a bug in traceroute that could happen when directly connected
and routed targets were in the same hostgroup. If the first target
was directly connected, the traceroute for all targets in the group
would have a trace of one hop.

o ARP requests now work with libpcap Linux "cooked" encapsulation.
According to http://wiki.wireshark.org/SLL, this encapsulation is
used on devices "where the native link layer header isn't available
or can't be used." Before this, attempting any ARP operation on such
an interface would fail with the error
read_arp_reply_pcap called on interfaces that is datatype 113
rather than DLT_EN10MB (1)
[David]

o Fixed the display of route netmask bits in --iflist on little-endian
architectures. Formerly, any mask less than /24 was shown as /0, and
other masks were also wrong. [David]

o Fixed an assertion failure which could occur when connecting to an
SSL server:
nsock_core.c:199: socket_count_write_dec: Assertion `(iod->writesd_count)
> 0' failed.
This was observed when running the http-enum script but could
possibly have happened in other situations. Thanks to Brandon for
reporting the bug and testing. [David]

o Added the function bignum_add to the nse_openssl library to support
BIGNUM addition. [Patrik]

o The redistributable Visual C++ runtime components installer
(vcredist_x86.exe) has been upgraded to version 9.0.30729.4148. Axel
Pettinger reported that the previous version 9.0.30729.17, caused a
Windows Update on Windows 7 because of Microsoft security advisory
MS09-035.

o [Ncat] Fixed an error that could make programs run with --exec exit
prematurely on Windows. The problem was related to a program writing
too quickly into a non-blocking socket. A symptom was the message:
NCAT DEBUG: Subprocess ended with exit code 259.
Reported by David Millis. [David]

o [Ncat] Fixed a bug that prevented detection of EOF from stdin on
Windows. Reported by Adrian Crenshaw and Andy Zwirko. [David]

o [Nsock] WSAEACCES was added to the list of known connect error
codes. This error can happen on Windows when a port is blocked by
Windows Firewall. Thanks to Taemun for reporting this and
investigating.

o XML output now only includes host elements for down hosts in verbose
mode. This makes it consistent with the other output formats.

o [NSE] Fixed http-enum so it uses the full path name for the
fingerprints file. This prevents it from quitting with an error like
this:
NSE: http-enum: Attempting to parse fingerprint file
nselib/data/http-fingerprints NSE: http-enum against
10.99.24.140:443 threw an error! C:\Program
Files\Nmap\scripts\http-enum.nse:198: bad argument #1 to 'lines'
(nselib/data/http-fingerprints: No such file or directory) stack
traceback:
[Kris, Brandon, Ron Meldau]

o [NSE] Added a missing dirname function to http-favicon. Its absence
was causing this error message when a web page specified a relative
icon URL in a link element:
http-favicon.nse:141: variable 'dirname' is not declared
[David, Ron Meldau]

o Fixed the parsing of libdnet DLPI interface names that contain more
than one string of digits. Joe Dietz reported that an interface with
the name e1000g0 was causing this error message on Solaris 9:
Warning: Unable to open interface e1000g0 -- skipping it.
[David]

o [NS

Posted by xml-rpc: February 2, 2011, 18:10