Nmap 7.25BETA1 Released with our new Npcap driver, 6 new NSE scripts, and more!

[Fyodor <fyodor () nmap org>]

Hi folks!  As you may know, we've been working for the last 3 years on an
improved Windows packet capturing library named Npcap. It's based on the
original WinPcap (which hasn't been maintained in years), but we rewrote
the driver to use modern APIs (NDIS 6) for better performance. It also
improves security and enables new features.  For example, Npcap allows Nmap
to do raw scans (including SYN scans and OS detection) of localhost on
Windows for the first time since Microsoft disabled the raw sockets API in
2003!  Most of the work on this project was done by Yang Luo, and you can
learn more about Npcap at http://npcap.org.

It has been a long road (low-level Windows driver development isn't exactly
easy), but we're finally ready to include Npcap in a beta version of Nmap!
We've just released Nmap 7.25BETA1 which includes Npcap as well as dozens
of other features and fixes which benefit users on all platforms (see list
below).  This includes some of the work already done by our five excellent
Google Summer of Code students.

Nmap 7.25BETA1 source code and binary packages for Linux, Windows, and Mac
are available for free download from the usual spot:

https://nmap.org/download.html

If you find any bugs in this release, please let us know on the Nmap Dev
list or bug tracker as described at https://nmap.org/book/man-bugs.html.

Here are the changes since the current stable release (7.12):

• Nmap now ships with and uses Npcap, our new packet sniffing library for
Windows. It's based on WinPcap (unmaintained for years), but uses modern
Windows APIs for better performance. It also includes security improvements
and many bug fixes. See http://npcap.org. And it enables Nmap to perform
SYN scans and OS detection against localhost, which we haven't been able to
do on Windows since Microsoft removed the raw sockets API in 2003. [Yang
Luo, Dan Miller, Fyodor]

• [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):

   - clamav-exec detects ClamAV servers vulnerable to unauthorized clamav
   command execution. [Paulino Calderon]
   - http-aspnet-debug detects ASP.NET applications with debugging enabled.
   [Josh Amishav-Zlatin]
   - http-internal-ip-disclosure determines if the web server leaks its
   internal IP address when sending an HTTP/1.0 request without a Host header.
   [Josh Amishav-Zlatin]
   - [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and
   dumps its configuration. [Frank Spierings]
   - [GH#365] sslv2-drown detects vulnerability to the DROWN attack,
   including CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on
   OpenSSL. [Bertrand Bonnefoy-Claudet]
   - vnc-title logs in to VNC servers and grabs the desktop title,
   geometry, and color depth. [Daniel Miller]


• Integrated all of your IPv4 OS fingerprint submissions from January to
April (539 of them). Added 98 fingerprints, bringing the new total to 5187.
Additions include Linux 4.4, Android 6.0, Windows Server 2016, and more.
[Daniel Miller]

• Integrated all 31 of your IPv6 OS fingerprint submissions from January to
June. The classifier added 2 groups and expanded several others. Several
Apple OS X groups were consolidated, reducing the total number of groups to
93. [Daniel Miller]

• Update oldest supported Windows version to Vista (Windows 6.0). This
enables the use of the poll Nsock engine, which has significant performance
and accuracy advantages. Windows XP users can still use Nmap 7.12,
available from https://nmap.org/dist/?C=M&O=D [Daniel Miller]

• [NSE] Fix a crash that happened when trying to print the percent done of
0 NSE script threads:
    timing.cc:710 bool ScanProgressMeter::printStats(double, const
timeval*): Assertion 'ltime' failed.
  This would happen if no scripts were scheduled in a scan phase and the
user pressed a key or specified a short --stats-every interval. Reported by
Richard Petrie. [Daniel Miller]

• [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown
address family 0" crash on Windows and other platforms that do not set the
src_addr argument to recvfrom for TCP sockets. [Daniel Miller]

• Retrieve the correct network prefix length for an adapter on Windows. If
more than one address was configured on an adapter, the same prefix length
would be used for both. This incorrect behavior is still used on Windows XP
and earlier. Reported by Niels Bohr. [Daniel Miller]

• Changed libdnet-stripped to avoid bailing completely when an interface is
encountered with an unsupported hardware address type. Caused "INTERFACES:
NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address
types. [Daniel Miller]

• Improved service detection of Docker and fixed a bug in the output of
docker-version script. [Tom Sellers]

• Fix detection of Microsoft Terminal Services (RDP). Our improved TLS
service probes were matching on port 3389 before our specific Terminal
Services probe, causing the port to be labeled as "ssl/unknown". Reported
by Josh Amishav-Zlatin.

• [NSE] Update to enable smb-os-discovery to augment version detection for
certain SMB related services using data that the script discovers. [Tom
Sellers]

• Improved version detection and descriptions for Microsoft and Samba SMB
services. Also addresses certain issues with OS identification. [Tom
Sellers]

• [NSE] ssl-enum-ciphers will give a failing score to any server with an
RSA certificate whose public key uses an exponent of 1. It will also cap
the score of an RC4-ciphersuite handshake at C and output a warning
referencing RFC 7465. [Daniel Miller]

• [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua .
[Daniel Miller]

• [GH#399] Zenmap's authorization wrapper now uses an AppleScript method
for privilege escalation on OS X, avoiding the deprecated
AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]

• [GH#454] The OS X binary package is distributed in a .dmg disk image that
now features an instructive background image. [Vincent Dumont]

• [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to
provide all dependencies. We no longer use Macports for this purpose.
[Vincent Dumont]

• [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable
location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead
of next to the zenmap.exe executable. This avoids a warning message when
closing Zenmap if it produced any stderr output. [Daniel Miller]

• [GH#379][NSE] Fix http-iis-short-name-brute to report non vulnerable
hosts. Reported by alias1. [Paulino Calderon]

• [NSE][GH#371] Fix mysql-audit by adding needed library requires to the
mysql-cis.audit file. The script would fail with "Failed to load rulebase"
message. [Paolo Perego]

• [NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse.  Also
added version detection and information extraction to match the new LDAP
LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]

• [GH#354] Added new version detection Probes for LDAP services,
LDAPSearchReq and LDAPSearchReqUDP. The second is Microsoft Active
Directory specific. The Probes will elicit responses from target services
that allow better finger -printing and information extraction. Also added
nmap-payload entry for detecting LDAP on udp. [Tom Sellers]

• [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output
of authentication sub-types in vnc-info, and all zero-authentication types
are recognized and reported. [Daniel Miller]

Enjoy the new release!
-Fyodor
_______________________________________________
Sent through the announce mailing list
https://nmap.org/mailman/listinfo/announce
Archived at http://seclists.org/nmap-hackers/