Nmap Announce mailing list archives

By Date By Thread Nmap 6.25 holiday season release! 85 new scripts, better performance, Windows 8 enhancements, and more From: Fyodor <fyodor () nmap org>

Date: Thu, 29 Nov 2012 16:34:15 -0800

Hi folks. It has been more than five months since the Nmap 6.01 release, and I'm pleased to announce a new version for you to enjoy during the holidays! Nmap 6.25 contains hundreds of improvements, including 85 new NSE scripts, nearly 1,000 new OS and service detection fingerprints, performance enhancements such as the new kqueue and poll I/O engines, better IPv6 traceroute support, Windows 8 improvements, and much more! It also includes the work of five Google Summer of Code interns who worked full time with Nmap mentors during the summer. Nmap 6.25 source code and binary packages for Linux, Windows, and Mac are available for free download from: http://nmap.org/download.html If you find any bugs, please let us know on nmap-dev as described at http://nmap.org/book/man-bugs.html. Here are the most important change since 6.01: o Integrated all of your IPv4 OS fingerprint submissions since January (more than 3,000 of them). Added 373 fingerprints, bringing the new total to 3,946. Additions include Linux 3.6, Windows 8, Windows Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers, routers, and other devices--including our first IP-enabled doorbell! Many existing fingerprints were improved. [David Fifield] o Integrated all of your service/version detection fingerprints submitted since January (more than 1,500)! Our signature count jumped by more than 400 to 8,645. We now detect 897 protocols, from extremely popular ones like http, ssh, smtp and imap to the more obscure airdroid, gopher-proxy, and enemyterritory. [David Fifield] o Integrated your latest IPv6 OS submissions and corrections. We're still low on IPv6 fingerprints, so please scan any IPv6 systems you own or administer and submit them to http://nmap.org/submit/. Both new fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap guesses wrong) are useful. o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto (Next Header) probes. [David Fifield] o Scripts can now return a structured name-value table so that results are query-able from XML output. Scripts can return a string as before, or a table, or a table and a string. In this last case, the table will go to XML output and the string will go to screen output. See http://nmap.org/book/nse-api.html#nse-structured-output [Daniel Miller, David Fifield, Patrick Donnelly] o [Nsock] Added new poll and kqueue I/O engines for improved performance on Windows and BSD-based systems including Mac OS X. These are in addition to the epoll engine (used on Linux) and the classic select engine fallback for other system. [Henri Doreau] o [Ncat] Added support for Unix domain sockets. The new -U and --unixsock options activate this mode. These provide compatibility with Hobbit's original Netcat. [Tomas Hozza] o Moved some Windows dependencies, including OpenSSL, libsvn, and the vcredist files, into a new public Subversion directory /nmap-mswin32-aux and moved it out of the source tarball. This reduces the compressed tarball size from 22 MB to 8 MB and similarly reduces the bandwidth and storage required for an svn checkout. Folks who build Nmap on Windows will need to check out /nmap-mswin32-aux along with /nmap as described at http://nmap.org/book/inst-windows.html#inst-win-source. o Many of the great features in this release were created by college and grad students generously sponsored by Google's Summer of Code program. Thanks, Google Open Source Department! This year's team of five developers is introduced at http://seclists.org/nmap-dev/2012/q2/204 and their successes documented at http://seclists.org/nmap-dev/2012/q4/138 o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part of version detection when a port seems to run a SunRPC service) with a faster and easier to maintain NSE-based implementation. This also allowed us to remove the crufty old pos_scan scan engine. [Hani Benhabiles] o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1) rather than 5.1. See http://seclists.org/nmap-dev/2012/q2/34 for details. [Patrick Donnelly] o [NSE] Added 85(!) NSE scripts, bringing the total up to 433. They are all listed at http://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets): + ajp-auth retrieves the authentication scheme and realm of an AJP service (Apache JServ Protocol) that requires authentication. The Apache JServ Protocol is commonly used by web servers to communicate with back-end Java application server containers. [Patrik Karlsson] + ajp-brute performs brute force passwords auditing against the Apache JServ protocol. [Patrik Karlsson] + ajp-headers performs a HEAD or GET request against either the root directory or any optional directory of an Apache JServ Protocol server and returns the server response headers. [Patrik Karlsson] + ajp-methods discovers which options are supported by the AJP (Apache JServ Protocol) server by sending an OPTIONS request and lists potentially risky methods. [Patrik Karlsson] + ajp-request requests a URI over the Apache JServ Protocol and displays the result (or stores it in a file). Different AJP methods such as; GET, HEAD, TRACE, PUT or DELETE may be used. [Patrik Karlsson] + bjnp-discover retrieves printer or scanner information from a remote device supporting the BJNP protocol. The protocol is known to be supported by network based Canon devices. [Patrik Karlsson] + broadcast-ataoe-discover discovers servers supporting the ATA over Ethernet protocol. ATA over Ethernet is an ethernet protocol developed by the Brantley Coile Company and allows for simple, high-performance access to SATA drives over Ethernet. [Patrik Karlsson] + broadcast-bjnp-discover attempts to discover Canon devices (Printers/Scanners) supporting the BJNP protocol by sending BJNP Discover requests to the network broadcast address for both ports associated with the protocol. [Patrik Karlsson] + broadcast-eigrp-discovery performs network discovery and routing information gathering through Cisco's EIGRP protocol. [Hani Benhabiles] + broadcast-igmp-discovery discovers targets that have IGMP Multicast memberships and grabs interesting information. [Hani Benhabiles] + broadcast-pim-discovery discovers routers that are running PIM (Protocol Independent Multicast). [Hani Benhabiles] + broadcast-tellstick-discover discovers Telldus Technologies TellStickNet devices on the LAN. The Telldus TellStick is used to wirelessly control electric devices such as lights, dimmers and electric outlets. [Patrik Karlsson] + cassandra-brute performs brute force password auditing against the Cassandra database. [Vlatko Kosturjak] + cassandra-info attempts to get basic info and server status from a Cassandra database. [Vlatko Kosturjak] + cups-info lists printers managed by the CUPS printing service. [Patrik Karlsson] + cups-queue-info Lists currently queued print jobs of the remote CUPS service grouped by printer. [Patrik Karlsson] + dict-info Connects to a dictionary server using the DICT protocol, runs the SHOW SERVER command, and displays the result. [Patrik Karlsson] + distcc-cve2004-2687 detects and exploits a remote code execution vulnerability in the distributed compiler daemon distcc. [Patrik Karlsson] + dns-check-zone checks DNS zone configuration against best practices, including RFC 1912. The configuration checks are divided into categories which each have a number of different tests. [Patrik Karlsson] + dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6 network using a technique which analyzes DNS server response codes to dramatically reduce the number of queries needed to enumerate large networks. [Patrik Karlsson] + dns-nsec3-enum tries to enumerate domain names from the DNS server that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John Bond] + eppc-enum-processes attempts to enumerate process info over the Apple Remote Event protocol. When accessing an application over the Apple Remote Event protocol the service responds with the uid and pid of the application, if it is running, prior to requesting authentication. [Patrik Karlsson] + firewall-bypass detects a vulnerability in Netfilter and other firewalls that use helpers to dynamically open ports for protocols such as ftp and sip. [Hani Benhabiles] + flume-master-info retrieves information from Flume master HTTP pages. [John R. Bond] + gkrellm-info queries a GKRellM service for monitoring information. A single round of collection is made, showing a snapshot of information at the time of the request. [Patrik Karlsson] + gpsd-info retrieves GPS time, coordinates and speed from the GPSD network daemon. [Patrik Karlsson] + hostmap-robtex discovers hostnames that resolve to the target's IP address by querying the Robtex service at http://www.robtex.com/dns/. [Arturo Busleiman] + http-drupal-enum-users enumerates Drupal users by exploiting a an information disclosure vulnerability in Views, Drupal's most popular module. [Hani Benhabiles] + http-drupal-modules enumerates the installed Drupal modules by using a list of known modules. [Hani Benhabiles] + http-exif-spider spiders a site's images looking for interesting exif data embedded in .jpg files. Displays the make and model of the camera, the date the photo was taken, and the embedded geotag information. [Ron Bowes] + http-form-fuzzer performs a simple form fuzzing against forms found on websites. Tries strings and numbers of increasing length and attempts to determine if the fuzzing was successful. [Piotr Olma] + http-frontpage-login checks whether target machines are vulnerable to anonymous Frontpage login. [Aleksandar Nikolic] + http-git checks for a Git repository found in a website's document root (/.git/<something>) then retrieves as much repo information as possible, including language/framework, Github username, last commit message, and repository description. [Alex Weber] + http-gitweb-projects-enum retrieves a list of Git projects, owners and descriptions from a gitweb (web interface to the Git revision control system). [riemann] + http-huawei-hg5xx-vuln detects Huawei modems models HG530x, HG520x, HG510x (and possibly others...) vulnerable to a remote credential and information disclosure vulnerability. It also extracts the PPPoE credentials and other interesting configuration values. [Paulino Calderon] + http-icloud-findmyiphone retrieves the locations of all "Find my iPhone" enabled iOS devices by querying the MobileMe web service (authentication required). [Patrik Karlsson] + http-icloud-sendmsg sends a message to a iOS device through the Apple MobileMe web service. The device has to be registered with an Apple ID using the Find My iPhone application. [Patrik Karlsson] + http-phpself-xss crawls a web server and attempts to find PHP files vulnerable to reflected cross site scripting via the variable $_SERVER["PHP_SELF"]. [Paulino Calderon] + http-rfi-spider crawls webservers in search of RFI (remote file inclusion) vulnerabilities. It tests every form field it finds and every parameter of a URL containing a query. [Piotr Olma] + http-robtex-shared-ns Finds up to 100 domain names which use the same name server as the target by querying the Robtex service at http://www.robtex.com/dns/. [Arturo Busleiman] + http-sitemap-generator spiders a web server and displays its directory structure along with number and types of files in each folder. Note that files listed as having an 'Other' extension are ones that have no extension or that are a root document. [Piotr Olma] + http-slowloris-check tests a web server for vulnerability to the Slowloris DoS attack without actually launching a DoS attack. [Aleksandar Nikolic] + http-slowloris tests a web server for vulnerability to the Slowloris DoS attack by launching a Slowloris attack. [Aleksandar Nikolic, Ange Gutek] + http-tplink-dir-traversal exploits a directory traversal vulnerability existing in several TP-Link wireless routers. Attackers may exploit this vulnerability to read any of the configuration and password files remotely and without authentication. [Paulino Calderon] + http-traceroute exploits the Max-Forwards HTTP header to detect the presence of reverse proxies. [Hani Benhabiles] + http-virustotal checks whether a file has been determined as malware by virustotal. Virustotal is a service that provides the capability to scan a file or check a checksum against a number of the major antivirus vendors. [Patrik Karlsson] + http-vlcstreamer-ls connects to a VLC Streamer helper service and lists directory contents. The VLC Streamer helper service is used by the iOS VLC Streamer application to enable streaming of multimedia content from the remote server to the device. [Patrik Karlsson] + http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable to jmx console authentication bypass (CVE-2010-0738). [Hani Benhabiles] + http-waf-fingerprint Tries to detect the presence of a web application firewall and its type and version. [Hani Benhabiles] + icap-info tests a list of known ICAP service names and prints information about any it detects. The Internet Content Adaptation Protocol (ICAP) is used to extend transparent proxy servers and is generally used for content filtering and antivirus scanning. [Patrik Karlsson] + ip-forwarding detects whether the remote device has ip forwarding or "Internet connection sharing" enabled, by sending an ICMP echo request to a given target using the scanned host as default gateway. [Patrik Karlsson] + ipv6-ra-flood generates a flood of Router Advertisements (RA) with random source MAC addresses and IPv6 prefixes. Computers, which have stateless autoconfiguration enabled by default (every major OS), will start to compute IPv6 suffix and update their routing table to reflect the accepted announcement. This will cause 100% CPU usage on Windows and platforms, preventing to process other application requests. [Adam Stevko] + irc-sasl-brute performs brute force password auditing against IRC (Internet Relay Chat) servers supporting SASL authentication. [Piotr Olma] + isns-info lists portals and iSCSI nodes registered with the Internet Storage Name Service (iSNS). [Patrik Karlsson] + jdwp-exec attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script abuses this to inject and execute a Java class file that executes the supplied shell command and returns its output. [Aleksandar Nikolic] + jdwp-info attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script injects and execute a Java class file that returns remote system information. [Aleksandar Nikolic] + jdwp-inject attempts to exploit java's remote debugging port. When remote debugging port is left open, it is possible to inject java bytecode and achieve remote code execution. This script allows injection of arbitrary class files. [Aleksandar Nikolic] + llmnr-resolve resolves a hostname by using the LLMNR (Link-Local Multicast Name Resolution) protocol. [Hani Benhabiles] + mcafee-epo-agent check if ePO agent is running on port 8081 or port identified as ePO Agent port. [Didier Stevens and Daniel Miller] + metasploit-info gathers info from the Metasploit RPC service. It requires a valid login pair. After authentication it tries to determine Metasploit version and deduce the OS type. Then it creates a new console and executes few commands to get additional info. [Aleksandar Nikolic] + metasploit-msgrpc-brute performs brute force username and password auditing against Metasploit msgrpc interface. [Aleksandar Nikolic] + mmouse-brute performs brute force password auditing against the RPA Tech Mobile Mouse servers. [Patrik Karlsson] + mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an application and sends a sequence of keys to it. Any application that the user has access to can be started and the key sequence is sent to the application after it has been started. [Patrik Karlsson] + mrinfo queries targets for multicast routing information. [Hani Benhabiles] + msrpc-enum queries an MSRPC endpoint mapper for a list of mapped services and displays the gathered information. [Aleksandar Nikolic] + ms-sql-dac queries the Microsoft SQL Browser service for the DAC (Dedicated Admin Connection) port of a given (or all) SQL Server instance. The DAC port is used to connect to the database instance when normal connection attempts fail, for example, when server is hanging, out of memory or in other bad states. [Patrik Karlsson] + mtrace queries for the multicast path from a source to a destination host. [Hani Benhabiles] + mysql-dump-hashes dumps the password hashes from an MySQL server in a format suitable for cracking by tools such as John the Ripper. Appropriate DB privileges (root) are required. [Patrik Karlsson] + mysql-query runs a query against a MySQL database and returns the results as a table. [Patrik Karlsson] + mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL and MariaDB servers by exploiting CVE2012-2122. If its vulnerable, it will also attempt to dump the MySQL usernames and password hashes. [Paulino Calderon] + oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a weakness in Oracle's O5LOGIN authentication scheme. The vulnerability exists in Oracle 11g R1/R2 and allows linking the session key to a password hash. [Dhiru Kholia] + pcanywhere-brute performs brute force password auditing against the pcAnywhere remote access protocol. [Aleksandar Nikolic] + rdp-enum-encryption determines which Security layer and Encryption level is supported by the RDP service. It does so by cycling through all existing protocols and ciphers. [Patrik Karlsson] + rmi-vuln-classloader tests whether Java rmiregistry allows class loading. The default configuration of rmiregistry allows loading classes from remote URLs, which can lead to remote code execution. The vendor (Oracle/Sun) classifies this as a design feature. [Aleksandar Nikolic] + rpc-grind fingerprints the target RPC port to extract the target service, RPC number and version. [Hani Benhabiles] + sip-call-spoof spoofs a call to a SIP phone and detects the action taken by the target (busy, declined, hung up, etc.) [Hani Benhabiles] + sip-methods enumerates a SIP Server's allowed methods (INVITE, OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles] + smb-ls attempts to retrieve useful information about files shared on SMB volumes. The output is intended to resemble the output of the UNIX <code>ls</code> command. [Patrik Karlsson] + smb-print-text attempts to print text on a shared printer by calling Print Spooler Service RPC functions. [Aleksandar Nikolic] + smb-vuln-ms10-054 tests whether target machines are vulnerable to the ms10-054 SMB remote memory corruption vulnerability. [Aleksandar Nikolic] + smb-vuln-ms10-061 tests whether target machines are vulnerable to ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar Nikolic] + snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally Defined Users through the hh3c-user.mib OID [Kurt Grutzmacher] + ssl-date retrieves a target host's time and date from its TLS ServerHello response. [Aleksandar Nikolic] + tls-nextprotoneg enumerates a TLS server's supported protocols by using the next protocol negotiation extension. [Hani Benhabiles] + traceroute-geolocation lists the geographic locations of each hop in a traceroute and optionally saves the results to a KML file, plottable on Google earth and maps. [Patrik Karlsson] o [NSE] Added 12 new protocol libraries, bring our total to 105! Here they are, with authors enclosed in brackets: + ajp (Apache JServ Protocol) [Patrik Karlsson] + base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering] + bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson] + cassandra (Cassandra database protocol) [Vlatko Kosturjak] + eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani Benhabiles] + gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik Karlsson] + ipp (CUPS Internet Printing Protocol) [Patrik Karlsson] + isns (Internet Storage Name Service) [Patrik Karlsson] + jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic] + mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson] + ospf (Open Shortest Path First routing protocol) [Patrik Karlsson] + rdp (Remote Desktop Protocol) [Patrik Karlsson] o Added Common Platform Enumeration (CPE) identifiers to nearly 1,000 more OS detection signatures. Nmap 6.01 had them for 2,608 of 3,572 fingerprints (73%) and now we have them for 3,558 out of 3,946 (90%). [David Fifield] o Scans that use OS sockets (including TCP connect scan, version detection, and script scan) now use the SO_BINDTODEVICE sockopt on Linux, so that the -e (select network device) option is honored. [David Fifield] o [Zenmap] Host filters can now do negative matching, for example you can use "os:!linux" to match hosts NOT detected as Linux. [Daniel Miller] o Fixed a bug that caused an incorrect source address to be set when scanning certain addresses (apparently those ending in .0) on Windows XP. The symptom of this bug was the messages get_srcaddr: can't connect socket: The requested address is not valid in its context. Failed to convert source address to presentation format!?! Error: Unknown error Thanks to Robert Washam and Jorge Hernandez for reports and help debugging. [David Fifield] o Upgraded the included OpenSSL to version 1.0.1c. [David Fifield] o [NSE] Added changes to brute and unpwdb libraries to allow more flexible iterator specification and control. [Aleksandar Nikolic] o Tested that our WinPcap installer works on Windows 8 and Windows Server 2012 build 8400. Updated to installer text to recommend that users select the option to start 'NPF' at startup. [Rob Nicholls] o [NSE] Added CPE to smb-os-discovery output. o [Ncat] Fixed the printing of warning messages for large arguments to the -i and -w options. [Michal Hlavinka] o [Ncat] Shut down the write part of connected sockets in listen mode when stdin hits EOF, just as was already done in connect mode. [Michal Hlavinka] o [Zenmap] Removed a crashing error that could happen when canceling a "Print to File" on Windows: Traceback (most recent call last): File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb File "zenmapGUI\Print.pyo", line 156, in run_print_operation GError: Error from StartDoc This bug was reported by Imre Adácsi. [David Fifield] o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3, SquirrelMail, RoundCube. [Jesper Kückelhahn] o Changed libdnet's routing interface to return an interface name for each route on the most common operating systems. This is used to improve the quality of Nmap's matching of routes to interfaces, which was previously done by matching routes to interface addresses. [Djalal Harouni, David Fifield] o Fixed a bug that prevented Nmap from finding any interfaces when one of them had the type ARPHDR_INFINIBAND; this was the case for IP-over-InfiniBand interfaces. However, This support is not complete since IPoIB interfaces use 20 bytes for the hardware address, and currently we only report and handle 6 bytes. Nmap IP level scans should work without any problem, please refer to the '--send-ip' switch and to the following thread: http://seclists.org/nmap-dev/2012/q3/642 This bug was reported by starlight.2012q3. [Djalal Harouni] o Fixed a bug that prevented Nmap from finding any interfaces when one of them had the type ARPHDR_IEEE80211; this was the case for wireless interfaces operating in access point mode. This bug was reported by Sebastiaan Vileijn. [Djalal Harouni] o Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher resolution ones. [Sean Rivera, David Fifield] o [NSE] Script results for a host or service are now sorted alphabetically by script name. [Sean Rivera] o Fixed a bug that prevented Nmap from finding any interfaces when any interface had the type ARPHRD_VOID; this was the case for OpenVZ venet interfaces. [Djalal Harouni, David Fifield] o Linux unreachable routes are now properly ignored. [David Fifield] o Added Dan Miller as an Nmap committer. He has done a ton of great work on Nmap, as you can see by searching for him in this CHANGELOG or reading the Nmap committers list at https://svn.nmap.org/nmap/docs/committers.txt. o Added a new --disable-arp-ping option. This option prevents Nmap from implicitly using ARP or ND host discovery for discovering directly connected Ethernet targets. This is useful in networks using proxy ARP, which make all addresses appear to be up using ARP scan. The previously recommended workaround for this situation, --send-ip, didn't work on Windows because that lame excuse for an operating system is still missing raw socket support. [David Fifield (editorializing added by Fyodor)] o Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports 80, 40125, and 80 respectively, instead of being randomly generated or going to the same port as the source port. [David Fifield] o The Nmap --log-errors functionality (including errors and warnings in the normal-format output file) is now always true, whether you pass that option or not. [Sean Rivera] o [NSE] Rewrote ftp-brute script to use the brute library for performing password auditing. [Aleksandar Nikolic] o Reduced the size of Port structures by about two thirds (from 176 to 64 bytes on x86_64). They had accidentally grown during the IPv6 code merge. [David Fifield] o Made source port numbers (used to encode probe metadata) increment so as not to overlap between different scanning phases. Previously it was possible for an RST response to an ACK probe from host discovery to be misinterpreted as a reply to a SYN probe from port scanning. [Sean Rivera, David Fifield] o [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Števko] o Changed the CPE for Linux from cpe:/o:linux:kernel to cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE dictionary. o Added some additional CPE entries to nmap-service-probes. [Dillon Graham] o Fixed an assertion failure with IPv6 traceroute trying to use an unsupported protocol: nmap: traceroute.cc:749: virtual unsigned char* UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion `source->ss_family == 2' failed. This was reported by Pierre Emeriaud. [David Fifield] o Added version detection signatures for half a dozen new or changed products. [Tom Sellers] o Fixed protocol number-to-name mapping. A patch was contributed by hejianet. o [NSE] The nmap.ip_send function now takes a second argument, the destination to send to. Previously the destination address was taken from the packet buffer, but this failed for IPv6 link-local addresses, because the scope ID is not part of the packet. Calling ip_send without a destination address will continue to use the old behavior, but this practice is deprecated. o Increased portability of configure scripts on systems using a libc other than Glibc. Several problems were reported by John Spencer. o [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP ports to be wrongly marked open. This was reported by Christopher Clements. [David Fifield] o [Ncat] Close connection endpoint when receiving EOF on stdin. [Michal Hlavinka]. o Fixed interface listing on NetBSD. The bug was first noticed by Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield] o [Ncat] Applied a blocking-socket workaround for a bug that could prevent some sends from working in listen mode. The problem was reported by Jonas Wielicki. [Alex Weber, David Fifield] o [NSE] Updated mssql.lua library to support additional data types, enhanced some of the existing data types, added the DoneProc response token, and reordered code for maintainability. [Tom Sellers] o [Nping] Nping now prints out an error and exists when the user tries to use the -p flag for a scan option where that is meaningless. [Sean Rivera] o [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar Nikolic] o [NSE] Reduced the number of names tried by http-vhosts by default. [Vlatko Kosturjak] o [Zenmap] Fixed a crash when using the en_NG locale: "ValueError: unknown locale: en_NG" [David Fifield] o [NSE] Fixed some bugs in snmp-interfaces which prevented the script from outputting discovered interface info and caused it to abort in the pre-scanning phase. [jah] o [NSE] lltd-discovery scripts now parses for hostnames and outputs network card manufacturer. [Hani Benhabiles] o Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b), fragment (0x2c), and destination (0x3c). [Sean Rivera] o [NSE] Added support for decoding OSPF Hello packets to broadcast-listener. [Hani Benhabiles] o [NSE] Fixed a false positive in http-vuln-cve2011-3192.nse, which detected Apache 2.2.22 as vulnerable. [Michael Meyer] o [NSE] Modified multiple scripts that operated against HTTP based services so as to remove false positives that were generated when the target service answers with a 200 response to all requests. [Tom Sellers] o [NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognized FDs that were internally closed and replaced by other ones. This happened during reconnect attempts. Also, the IOD flags were not properly cleared. [Henri Doreau, Daniel Miller] o Added support for log type bitmasks in log_vwrite(). Also replaced a fatal() statement by an assert(0) to get rid of a possible infinite call loop when passed an invalid log type. [Henri Doreau] o Added handling for the unexpected error WSAENETRESET (10052). This error is currently wrapped in the ifdef for WIN32 as there error appears to be unique to windows [Sean Rivera] o [NSE] Added default values for Expires, Call-ID, Allow and Content-Length headers in SIP requests and removed redundant code in sip library. [Hani Benhabiles] o [NSE] Calling methods of unconnected sockets now causes the usual error code return value, instead of raising a Lua error. The problem was noticed by Daniel Miller. [David Fifield] o [NSE] Added AUTH_UNIX support to the rpc library and NFS scripts. [Daniel Miller] o [Zenmap] Fixed a crash in the profile editor that would happen when the nmap binary couldn't be found. [David Fifield] o Made the various Makefiles' treatment of makefile.dep uniform: "make clean" keeps the file and "make distclean" deletes it. [Michael McTernan] o [NSE] Fixed dozens of scripts and libraries to work better on system which don't have OpenSSL available. [Patrik Karlsson] o [Ncat] --output logging now works in UDP mode. Thanks to Michal Hlavinka for reporting the bug. [David Fifield] o [NSE] More Windows 7 and Windows 2008 fixes for the smb library and smb-ls scripts. [Patrik Karlsson] o [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008 to the smb library. [Patrik Karlsson] o [NSE] Changed http-brute so that it works against the root path ("/") by default rather than always requiring the http-brute.path script argument. [Fyodor] o [NSE] Applied patch from Daniel Miller that fixes bug in several scripts and libraries http://seclists.org/nmap-dev/2012/q2/593 [Daniel Miller] o [Zenmap] Added Italian translation by Francesco Tombolini and Japanese translation by Yujiy Tounai. Some typos in the Japanese translation were corrected by OKANO Takayoshi. o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic] o Improved the mysql library to handle multiple columns with the same name, added a formatResultset function to format a query response to a table suitable for script output. [Patrik Karlsson] o The message "nexthost: failed to determine route to ..." is now a warning rather than a fatal error. Addresses that are skipped in this way are recorded in the XML output as "target" elements. [David Fifield] o [NSE] targets-sniffer now is capable of sniffing IPv6 addresses. [Daniel Miller] o [NSE] Ported the pop3-brute script to use the brute library. [Piotr Olma] o [NSE] Added an error message indicating script failure, when Nmap is being run in non verbose/debug mode. [Patrik Karlsson] o Service-scan information is now included in XML and grepable output even if -sV wasn't used. This information can be set by scripts in the absence of -sV. [Daniel Miller] Enjoy the new release! -Fyodor _______________________________________________ Sent through the nmap-hackers mailing list http://cgi.insecure.org/mailman/listinfo/nmap-hackers Archived at http://seclists.org/nmap-hackers/ By Date By Thread Current thread: Nmap 6.25 holiday season release! 85 new scripts, better performance, Windows 8 enhancements, and more Fyodor (Nov 29)