Nmap Announce mailing list archives

By Date By Thread Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more! From: Fyodor <fyodor () nmap org>

Date: Thu, 17 Mar 2016 12:25:02 -0700

Hi Folks! Before I tell you about today's new Nmap release, I wanted to share some Summer of Code news: Google posted a fantastic story by one of our Summer of Code alumni about how the program helped take him from rural China to a full-ride scholarship at the University of Virginia graduate school! His mentor David and I had the chance to meet him in San Francisco: http://google-opensource.blogspot.com/2016/02/coming-to-america-how-google-summer-of.html Way to go, Weilin! Also, applications are now open for GSoC 2016. But only until next Friday. We've also added several new project ideas. So if you know any college/grad students (or are one!) interested in earning $5,500 writing open source Nmap code this summer, please point them here: https://nmap.org/soc/ And now for the main news: I'm pleased to announce the release of Nmap 7.10 with many great improvements! It's got 12 new NSE scripts, hundreds of new OS/version fingerprints, and dozens if smaller improvements and bug fixes. And that's not even counting the changes in Nmap 7.01, which we released in December but I never got around to announcing because I suck at marketing. Nmap 7.10 source code and binary packages for Linux, Windows, and Mac are available for free download from the usual spot: https://nmap.org/download.html If you find any bugs in this release, please let us know on the Nmap Dev list or bug tracker as described at https://nmap.org/book/man-bugs.html. Here is the full list of material changes in 7.10 and 7.01: o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527! They are all listed at https://nmap.org/nsedoc/, and the summaries are below (authors are listed in brackets): + [GH#322] http-apache-server-status parses the server status page of Apache's mod_status. [Eric Gershman] + http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in Allegro RomPager web server. Also added a fingerprint for detecting CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak] + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon" pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek] + imap-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled IMAP services. [Justin Cacak] + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes. The discovery is the same as targets-ipv6-multicast-mld, but the subscribed addresses are decoded and listed. [Alexandru Geana, Daniel Miller] + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL Server instances via the NTLM challenge message. [Justin Cacak] + nntp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled NNTP services. [Justin Cacak] + pop3-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled POP3 services. [Justin Cacak] + rusers retrieves information about logged-on users from the rusersd RPC service. [Daniel Miller] + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and retrieves open port and service info from their Internet-wide scan data. [Glenn Wilkinson] + smtp-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled SMTP and submission services. [Justin Cacak] + telnet-ntlm-info extracts hostname and sometimes OS version from NTLM-auth-enabled Telnet services. [Justin Cacak] o Integrated all of your IPv4 OS fingerprint submissions from October to January (536 of them). Added 104 fingerprints, bringing the new total to 5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more. Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller] o Integrated all of your service/version detection fingerprints submitted from October to January (508 of them). The signature count went up 2.2% to 10532. We now detect 1108 protocols, from icy, finger, and rtsp to ipfs, basestation, and minecraft-pe. Highlights: http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller] o Integrated all 12 of your IPv6 OS fingerprint submissions from October to January. The classifier added 3 new groups, including new and expanded groups for OS X, bringing the new total to 96. Highlights: http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller] o [NSE] Upgrade to http-form-brute allowing correct handling of token-based CSRF protections and cookies. Also, a simple database of common login forms supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller] o [Zenmap] [GH#247] Remember window geometry (position and size) from the previous time Zenmap was run. [isjing] o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection should elicit a not-found exception from GIOP services that do not respond to non-GIOP probes. [Quentin Hardy] o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given /32 netmasks regardless of actual netmask configured, resulting in failed routing. Reported by Martin Gysi. [Daniel Miller] o [GH#272][GH#269] Give option parsing errors after the usage statement, or avoid printing the usage statement in some cases. The options summary has grown quite large, requiring users to scroll to the top to see the error message. [Abhishek Singh] o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors, ERR_reason_error_string would return NULL, which could not be printed with the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller] o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to not work in Zenmap on Windows. o Changed Nmap's idea of reserved and private IP addresses to include 169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in libnetutil's isipprivate function, is used to filter -iR randomly generated targets. The newly-valid address ranges belong to the U.S. Department of Defense, so users wanting to avoid those ranges should use their own exclusion lists with --exclude or --exclude-file. [Bill Parker, Daniel Miller] o Allow the -4 option for Nmap to indicate IPv4 address family. This is the default, and using the option doesn't change anything, but does make it more explicit which address family you want to scan. Using -4 with -6 is an error. [Daniel Miller] o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the screen. This happens at the time of argument parsing, so the usual meaning of "verbosity 0" is preserved. [isjing] o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match thedraft specification from Mozilla. [Bertrand Bonnefoy-Claudet] o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection against services that are not TLS encrypted by default but that support post connection upgrade. This will enable more comprehensive detection of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers] o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and BeEF to http-default-accounts. [nnposter] o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation Required messages when tracing packets or in Nping output. Improper offset meant we were printing the total IP length. [Sławomir Demeszko] o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name" to dhcp.lua and enabled checking for options with a code above 61 by default. [Mike Rykowski] o [NSE] whois-ip: Don't request a remote IANA assignments data file when the local filesystem will not permit the file to cached in a local file. [jah] o [NSE] Updated http-php-version hash database to cover all versions from PHP 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled from Shodan API (https://www.shodan.io/) [Daniel Miller] o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan types, allowing periodic status updates with --stats-every or keypress events. [Daniel Miller] o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have properly select-able fds. Fix by OpenBSD port maintainer [David Carlier] o Print service info in grepable output for ports which are not listed in nmap-services when a service tunnel (SSL) is detected. Previously, the service info ("ssl|unknown") was not printed unless the service inside the tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260 [Daniel Miller] o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent. [Tom Sellers] Nmap 7.01 [2015-12-09] o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer. This promises to reduce a lot of the problems we've had with local paths and dependencies using the py2app and macports build system. [Daniel Miller] o The Windows installer is now built with NSIS 2.47 which features LoadLibrary security hardening to prevent DLL hijacking and other unsafe use of temporary directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to us and the many other projects that use it. o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM) to 1.0.2e. o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new build process eliminates these errors: IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in' LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810. o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to match the one in nmap-service-probes, which was fixed previously to correct a length calculation error. [Daniel Miller] o [NSE] [GH#251] Correct false positives and unexpected behavior in http-* scripts which used http.identify_404 to determine when a file was not found on the target. The function was following redirects, which could be an indication of a soft-404 response. [Tom Sellers] o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds with 200 OK to any request. [Tom Sellers] o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a non-HTTP service. The expected behavior is no output. [Niklaus Schiess] o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett. Enjoy the new release! -Fyodor _______________________________________________ Sent through the announce mailing list https://nmap.org/mailman/listinfo/announce Archived at http://seclists.org/nmap-hackers/ By Date By Thread Current thread: Nmap 7.10 released: 12 new scripts, hundreds of OS/version fingerprints, bug fixes, and more! Fyodor (Mar 17)