Nmap Announce mailing list archives

By Date By Thread Nmap GSoC 2015 Success Report From: Fyodor <fyodor () nmap org>

Date: Mon, 19 Oct 2015 15:38:09 -0700

Nmap hackers: I'm pleased to report the successful completion of our 11th Google Summer of Code. And this year all five of our students passed! They added many great features and improvements which Nmap users are sure to enjoy. Much of their work has already been integrated in the Nmap 6.49BETA5 release last month, and we're working to integrate even more in the upcoming stable version. Let's look at their accomplishments individually: *Andrew Farabee* spent most of the summer working on proxy-related tasks. We're talking socks4a, socks5, proxy authentication, name-based proxy scanning, etc. One of the most exciting points was creating an experimental system for scanning Tor hidden services ( http://seclists.org/nmap-dev/2015/q2/317). Most of this work hasn't been merged yet, but he created a road map for doing so ( http://seclists.org/nmap-dev/2015/q3/236). He was expertly mentored by Jacek Wielemborek who has experience working in the same code areas from his own two summers as a GSoC student. *Gioacchino Mazzurco* was a feature creeper, so he worked on a wide variety of tasks all over the Nmap code base. Perhaps his biggest change was adding IPv6 support to our parallel reverse DNS query system, making it much faster. To understand why we've been working so hard on IPv6 in recent years, just take a look at Google's IPv6 adoption stats ( https://www.google.com/intl/en/ipv6/statistics.html). It roughly doubles every year. Gio also cleaned up our build system and made some NSE enhancements such as improving the creds (credentials) library and upgrading the SNMP library and scripts to support creds. Gio gave a talk about his Nmap work at the BattleMesh ad-hoc networking event in Slovenia. He worked on all this with mentor Dan Miller, and most of his code has already been integrated into Nmap. *Gyanendra Mishra* spent the summer improving our Nmap Scripting Engine. In the process he wrote or improved dozens of scripts, and you can find a full list at http://seclists.org/nmap-dev/2015/q3/237. His slaxml library provides a long-awaited XML parsing library for Nmap and his improvements to the HTTP library include NTLM auth support which makes scripts such as http-brute more powerful. Gyani was also mentored by Dan Miller. *Jiayi Ye* was also developing NSE scripts this summer, but her focus was on vulnerability detection. She wrote scripts for specific bug checks (e.g. http-vuln-cve2015-1635, smtp-vuln-cve2015-0235) and also one which uses the Tor consensus protocol to determine whether a target is listed as a Tor node. She also hugely improved Marc Ruef's general purpose vuln detection script (vulnscan.nse). You can read about more of her work at http://seclists.org/nmap-dev/2015/q3/249. She was mentored by Paulino Calderon who literally wrote the book on NSE ( https://www.packtpub.com/networking-and-servers/mastering-nmap-scripting-engine). Paulino also has previous experience as an Nmap GSoC student (2011). *Yang Luo* is a second time Nmap GSoC student who returned this year to work with me (Fyodor) on an awesome project to improve the WinPcap library that Nmap uses for packet capture on Windows. Our new version replaces the deprecated NDIS5 API with the newer and superior Windows Filtering Platform. We also added a security feature to prevent unprivileged users from packet sniffing. And Yang found a way to enable packets sending to localhost. Our experimental version of Nmap with Npcap can do SYN scans against localhost for the first time since Microsoft disabled raw sockets in 2003. We've received a lot of interest in Npcap from Wireshark users as well. We're hoping to either incorporate Npcap into official Nmap releases, or work with the WinPcap folks to get our improvements ported over. Both students and mentors deserve a round of applause for their great work this year! And so does Google for making all of this possible! They have spent tens of millions of dollars sponsoring thousands of students to work on hundreds of open source projects. Nmap by itself has now mentored 73 SoC students in the last 11 years and some of those students are now top Nmap developers and GSoC mentors. If you enjoy Zenmap, the Nmap Scripting Engine, Ncat, Nping, or Ndiff, you're using features developed in a large part by previous Summer of Code students! Cheers, Fyodor PS: For those who are interested, here are our previous success (pass) rates and wrap-up reports: 2015 (5/5 - 100%) [this report] 2014 (4/6 - 67%): http://seclists.org/nmap-dev/2014/q4/108 2013 (3/3 - 100%): http://seclists.org/nmap-dev/2013/q4/108 2012 (4/5 - 80%): http://seclists.org/nmap-dev/2012/q4/138 2011 (7/7 - 100%): http://seclists.org/nmap-dev/2012/q1/542 2010 (8/8 - 100%): http://seclists.org/nmap-dev/2011/q1/708 2009 (6/6 - 100%): http://seclists.org/nmap-dev/2009/q4/148 2008 (6/7 - 86%): http://bit.ly/googleblognmap 2007 (5/6 - 83%): http://seclists.org/nmap-dev/2007/q4/24 2006 (8/10 - 80%): http://seclists.org/nmap-dev/2007/q1/235 2005 (7/10 - 70%): http://slashdot.org/comments.pl?sid=183143&cid=15133184 _______________________________________________ Sent through the announce mailing list https://nmap.org/mailman/listinfo/announce Archived at http://seclists.org/nmap-hackers/ By Date By Thread Current thread: Nmap GSoC 2015 Success Report Fyodor (Oct 19)