Nmap Announce mailing list archives

By Date By Thread Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more From: Fyodor <fyodor () nmap org>

Date: Tue, 13 Jun 2017 13:42:19 -0700

Dear Nmap Community: The Nmap project is delighted to announce the release of Nmap 7.50! It is our first big release since last December and has hundreds of improvements that we hope you will enjoy. One of the things we have been worked the hardest on recently is our Npcap packet capturing driver and library for Windows (https://nmap.org/npcap/). It is a replacement for WinPcap, which served us well for many years, but is no longer maintained. Npcap uses newer APIs for better performance and compatibility, including Windows 10 support. We also added loopback packet capture and injection, raw wireless sniffing for beacon frames and such, and extra security features such as requiring Administrator access. Nmap 7.50 ships with Nmap 0.92 (released yesterday) and you can read about all the improvements since 0.78 (which shipped with Nmap 7.40) at https://github.com/nmap/npcap/blob/master/CHANGELOG.md. Another priority for Nmap 7.50 was improving our Nmap Scripting Engine. For example, we were one of the first scanners to release a detection script for the MS17-010 vulnerability exploited by the Wannacry ransomeware and we hope it helped many people prevent infection. We also developed scripts for the more recent Sambacry bug (CVE 2017-7494) and other vulns as well as quite a few new information gathering scripts to support Nmap's core network discovery mission. This release also includes more than 300 new service detection fingerprints, improvements to Nmap's family of related tools such as Ncat, and dozens of other enhancements and bug fixes all listed below. And we plan to keep the good stuff coming this summer, as our team of 4 GSoC students plus their mentors are already hard at work ( http://seclists.org/nmap-announce/2017/2). Nmap 7.50 source code and binary packages for Linux, Windows, and Mac are available for free download from the usual spot: https://nmap.org/download.html If you find any bugs in this release, please let us know on the Nmap Dev list or bug tracker as described at https://nmap.org/book/man-bugs.html. Here is the full list of significant changes since Nmap 7.40: • [Windows] Updated the bundled Npcap from 0.78 to 0.92, with several bugfixes for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo] • Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9% to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon, slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140 • [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566! They are all listed at https://nmap.org/nsedoc/, and the summaries are below: - [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported. [Emiliano Ticci] - [GH#671] cics-info checks IBM TN3270 services for CICS transaction services and extracts useful information. [Soldier of Fortran] - [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services. [Soldier of Fortran] - [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags. [Steve Benson] - http-security-headers checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres] - [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache Struts2. [Seth Jackson] - [GH#876] http-vuln-cve2017-5689 detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems. [Andrew Orr] - http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia] - [GH#713] impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added. [Jeremy Hiebert] - [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers. [Andrew Orr] - smb-vuln-cve-2017-7494 detects the "SambaCry" remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares. [Wong Wai Tuck] - smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems. [Paulino Calderon] - [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi] - vmware-version queries VMWare SOAP API for version and product information. Submitted in 2011, this was mistakenly turned into a service probe that was unable to elicit any matches. [Aleksey Tyurin] • [Ncat] A series of changes and fixes based on feedback from the Red Hat community: - [GH#157] Ncat will now continue trying to connect to each resolved address for a hostname before declaring the connection refused, allowing it to fallback from IPv6 to IPv4 or to connect to names that use DNS failover. [Jaromir Koncicky, Michal Hlavinka] - The --no-shutdown option now also works in connect mode, not only in listen mode. - Made -i/--idle-timeout not cause Ncat in server mode to close while waiting for an initial connection. This was also causing -i to interfere with the HTTP proxy server mode. [Carlos Manso, Daniel Miller] - [GH#773] Ncat in server mode properly handles TLS renegotiations and other situations where SSL_read returns a non-fatal error. This was causing SSL-over-TCP connections to be dropped. [Daniel Miller] - Enable --ssl-ciphers to be used with Ncat in client mode, not only in server (listen) mode. [Daniel Miller] • [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows. [Paulino Calderon] • [NSE] smb library's share_get_list now properly uses anonymous connections first before falling back authenticating as a known user. • New service probes and matches for Apache HBase and Hadoop MapReduce. [Paulino Calderon] • Extended Memcached service probe and added match for Apache ZooKeeper. [Paulino Calderon] • [NSE] New script argument "vulns.short" will reduce vulns library script output to a single line containing the target name or IP, the vulnerability state, and the CVE ID or title of the vulnerability. [Daniel Miller] • [NSE][GH#862] SNMP scripts will now take a community string provided like `--script-args creds.snmp=private`, which previously did not work because it was interpreted as a username. [Daniel Miller] • [NSE] Resolved several issues in the default HTTP redirect rules: - [GH#826] A redirect is now cancelled if the original URL contains embedded credentials - [GH#829] A redirect test is now more careful in determining whether a redirect destination is related to the original host - [GH#830] A redirect is now more strict in avoiding possible redirect loops [nnposter] • [NSE][GH#766] The HTTP Host header will now include the port unless it is the default one for a given scheme. [nnposter] • [NSE] The HTTP response object has a new member, fragment, which contains a partially received body (if any) when the overall request fails to complete. [nnposter] • [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which are silently ignored (in accordance with RFC 6265). Unrecognized attributes were previously causing HTTP requests with such cookies to fail. [nnposter] • [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted whitespace in the cookie value (which is allowed per RFC 6265). [nnposter] • [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie header that has an extraneous trailing semicolon. [nnposter] • [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated with option any_af. As an added benefit, option any_af is now available for all connections via comm.lua, not just HTTP requests. [nnposter] • [NSE][GH#781] There is a new common function, url.get_default_port(), to obtain the default port number for a given scheme. [nnposter] • [NSE][GH#833] Function url.parse() now returns the port part as a number, not a string. [nnposter] • No longer allow ICMP Time Exceeded messages to mark a host as down during host discovery. Running traceroute at the same time as Nmap was causing interference. [David Fifield] • [NSE][GH#807] Fixed a JSON library issue that was causing long integers to be expressed in the scientific/exponent notation. [nnposter] • [NSE] Fixed several potential hangs in NSE scripts that used receive_buf(pattern), which will not return if the service continues to send data that does not match pattern. A new function in match.lua, pattern_limit, is introduced to limit the number of bytes consumed while searching for the pattern. [Daniel Miller, Jacek Wielemborek] • [Nsock] Handle any and all socket connect errors the same: raise as an Nsock error instead of fatal. This prevents Nmap and Ncat from quitting with "Strange error from connect:" [Daniel Miller] • [NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes. [Vasiliy Kulikov] • [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting changes at the source site (www.robtex.com). [aDoN] • [NSE][GH#620][GH#715] Added 8 new http-enum fingerprints for Hadoop infrastructure components. [Thomas Debize, Varunram Ganesh] • [NSE][GH#629] Added two new fingerprints to http-default-accounts (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter] • [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS probe due to a string escaping mixup. [Alexandr Savca] • [NSE][GH#694] ike-version now outputs information about supported attributes and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was submitted by Alexis La Goutte. [Daniel Miller] • [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter] • [GH#649] New service probe and match lines for the JMON and RSE services of IBM Explorer for z/OS. [Soldier of Fortran] • Removed a duplicate service probe for Memcached added in 2011 (the original probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky. • New service probe and match line for NoMachine NX Server remote desktop. [Justin Cacak] • [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap was installed to /Applications/Applications/Zenmap.app instead of /Applications/Zenmap.app. • [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar] • [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option, which was added in Nmap 7.10. Previously, this was treated the same as not specifying -v at all. [lymanZerga11] • [GH#630] Updated or removed some OpenSSL library calls that were deprecated in OpenSSL 1.1. [eroen] • [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter] • [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads" script-arg not being converted to a number. Error message was "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer] Enjoy this new release and please do let us know if you find any problems! Download link: https://nmap.org/download.html Cheers, Fyodor _______________________________________________ Sent through the announce mailing list https://nmap.org/mailman/listinfo/announce Archived at http://seclists.org/nmap-hackers/ By Date By Thread Current thread: Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more Fyodor (Jun 13)