Nmap Development mailing list archives
Nmap 5.61TEST2 released - IPv6 OS detection, CPE, 30 more scripts, and more!
From: Fyodor <fyodor () insecure org>
Date: Fri, 30 Sep 2011 11:45:18 -0700
Hi Folks! Thanks to your IPv6 OS detection submissions, we've been able to incorporate them into the new machine learning system and enable IPv6 OS detection. So if you scan your submitted machines again, they should now be properly identified in Nmap output. Of course the DB is still small, so if you get a fingerprint printed by Nmap, please do submit it. Also, if the reported OS version is wrong (even just by a minor version number), please submit a correction at http://insecure.org/cgi-bin/submit.cgi?corr-os. Corrections are particularly important for this new machine learning system.

Also, we spent some time working on Solaris 10 SPARC support. If anyone is able to test on that platform, please send a report to the list. David did a bunch of AIX 6.1 and 7.1 work too. So proprietary UNIX gets some love for this release.

Also, including the features from the informal 5.61TEST1 release a week and a half ago, this release includes 30 new NSE scripts, CPE output, IPv6 neighbor discovery ping, hundreds of new IPv4 OS fingerprints, and much more. You can download 5.61TEST2 at the normal place: http://nmap.org/download.html

Here are the CHANGELOG entries for 5.61TEST2 and 5.61TEST1 (which didn't have a comprehensive CHANGELOG when it was released):

Nmap 5.61TEST2 [2011-09-30]

o Added IPv6 OS detection system! The new system utilizes many tests similar to IPv4, and also some IPv6-specific ones that we found to be particularly effective. And it uses a machine learning approach rather than the static classifier we use for IPv4. We hope to move some of the IPv6 innovations back to our IPv4 system if they work out well. The database is still very small, so please submit any fingerprints that Nmap gives you to the specified URL (as long as you are certain that you know what the target system is running). Usage and results output are basically the same as with IPv4, but we will soon document the internal mechanisms at http://nmap.org/book/osdetect.html, just as we have for IPv4. For an example, try "nmap -6 -O scanme.nmap.org". [David, Luis]

o [NSE] Added 3 scripts, bringing the total to 246! You can learn more about them at http://nmap.org/nsedoc/. Here they are (authors listed in brackets):
  + lltd-discovery uses the Microsoft LLTD protocol to discover hosts on a local network. [Gorjan Petrovski]
  + ssl-google-cert-catalog queries Google's Certificate Catalog for the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]
  + quake3-info extracts information from a Quake3-like game server. [Toni Ruottu]

o Improved AIX support for raw scans. This includes some patches originally written by Peter O'Gorman and Florian Schmid. It also involved various build fixes found necessary on AIX 6.1 and 7.1. See http://nmap.org/book/inst-other-platforms.html. [David]

o Fixed Nmap so that it again compiles and runs on Solaris 10, including IPv6 support. [David]

o [NSE] Moved our brute force authentication cracking scripts (*-brute) from the "auth" category into a new "brute" category. Nmap's brute force capabilities have grown tremendously! You can see all 32 of them at http://nmap.org/nsedoc/categories/brute.html. It isn't clear whether dns-brute should be in the brute category, so for now it isn't. [Fyodor]

o Made the interface gathering loop work on Linux when an interface index is more than two digits in /proc/sys/if_inet6. Joe McEachern tracked down the problem and provided the fix.

o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always returns two values (status, response) and replaced the workaround in asn-query.nse by the proper use. [Henri]

o [NSE] Made irc-info.nse handle the case where the MOTD is missing. Patch by Sebastian Dragomir.

o Updated nmap-mac-prefixes to include the latest IEEE assignments as of 2011-09-29.

Nmap 5.61TEST1 [2011-09-19]

o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/) output for OS and service versions. This is a standard way of identifying operating systems and applications so that Nmap can better interoperate with other software. Nmap's own (generally more comprehensive) taxonomy/classification system is still supported as well. Some OS and version detection results don't have CPE entries yet. CPE entries show up in normal output with the headings "OS CPE:" and "Service Info:":
    OS CPE: cpe:/o:linux:kernel:2.6.39
    Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
  These also appear in XML output, which additionally has CPE entries for service versions. [David, Henri]

o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4 ARP scan. It is the default ping type for local IPv6 networks. [Weilin]

o Integrated your latest (IPv4) OS detection submissions and corrections until June 22. New fingerprints include Linux 3, FreeBSD 9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to 3,308 fingerprints. See http://seclists.org/nmap-dev/2011/q3/556. Please keep those fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as well as service fingerprints, plus corrections of all types if Nmap guesses wrong.

o [NSE] Added 27 scripts, bringing the total to 243! You can learn more about any of them at http://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
  + address-info shows extra information about IPv6 addresses, such as embedded MAC or IPv4 addresses when available. [David Fifield]
  + bittorrent-discovery discovers bittorrent peers sharing a file based on a user-supplied torrent file or magnet link. [Gorjan Petrovski]
  + broadcast-db2-discover attempts to discover DB2 servers on the network by sending a broadcast request to port 523/udp. [Patrik Karlsson]
  + broadcast-dhcp-discover sends a DHCP request to the broadcast address (255.255.255.255) and reports the results. [Patrik Karlsson]
  + broadcast-listener sniffs the network for incoming broadcast communication and attempts to decode the received packets. It supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and a few more. [Patrik Karlsson]
  + broadcast-ping sends broadcast pings on a selected interface using raw ethernet packets and outputs the responding hosts' IP and MAC addresses or (if requested) adds them as targets. [Gorjan Petrovski]
  + cvs-brute performs brute force password auditing against CVS pserver authentication. [Patrik Karlsson]
  + cvs-brute-repository attempts to guess the name of the CVS repositories hosted on the remote server. With knowledge of the correct repository name, usernames and passwords can be guessed. [Patrik Karlsson]
  + ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4 backdoor reported on 2011-07-04 (CVE-2011-2523). This script attempts to exploit the backdoor using the innocuous 'id' command by default, but that can be changed with the 'exploit.cmd' or 'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]
  + ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal Harouni]
  + http-awstatstotals-exec exploits a remote code execution vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other products based on it (CVE: 2008-3922). [Paulino Calderon]
  + http-axis2-dir-traversal exploits a directory traversal vulnerability in Apache Axis2 version 1.4.1 by sending a specially crafted request to the parameter 'xsd' (OSVDB-59001). By default it will try to retrieve the configuration file of the Axis2 service '/conf/axis2.xml' using the path '/axis2/services/' to return the username and password of the admin account. [Paulino Calderon]
  + http-default-accounts tests for access with default credentials used by a variety of web applications and devices. [Paulino Calderon]
  + http-google-malware checks if hosts are on Google's blacklist of suspected malware and phishing servers. These lists are constantly updated and are part of Google's Safe Browsing service. [Paulino Calderon]
  + http-joomla-brute performs brute force password auditing against Joomla web CMS installations. [Paulino Calderon]
  + http-litespeed-sourcecode-download exploits a null-byte poisoning vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to retrieve the target script's source code by sending an HTTP request with a null byte followed by a .txt file extension (CVE-2010-2333). [Paulino Calderon]
  + http-vuln-cve2011-3192 detects a denial of service vulnerability in the way the Apache web server handles requests for multiple overlapping/simple ranges of a page. [Duarte Silva]
  + http-waf-detect attempts to determine whether a web server is protected by an IPS (Intrusion Prevention System), IDS (Intrusion Detection System) or WAF (Web Application Firewall) by probing the web server with malicious payloads and detecting changes in the response code and body. [Paulino Calderon]
  + http-wordpress-brute performs brute force password auditing against Wordpress CMS/blog installations. [Paulino Calderon]
  + http-wordpress-enum enumerates usernames in Wordpress blog/CMS installations by exploiting an information disclosure vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and 3.2-beta2 and possibly others. [Paulino Calderon]
  + imap-brute performs brute force password auditing against IMAP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication. [Patrik Karlsson]
  + smtp-brute performs brute force password auditing against SMTP servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM authentication. [Patrik Karlsson]
  + smtp-vuln-cve2011-1764 checks for a format string vulnerability in the Exim SMTP server (version 4.70 through 4.75) with DomainKeys Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]
  + targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to the all-nodes link-local multicast address (ff02::1) to discover responsive hosts on a LAN without needing to individually ping each IPv6 address. [David Fifield, Xu Weilin]
  + targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an invalid extension header to the all-nodes link-local multicast address (ff02::1) to discover (some) available hosts on the LAN. This works because some hosts will respond to this probe with an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]
  + targets-ipv6-multicast-slaac performs IPv6 host discovery by triggering stateless address auto-configuration (SLAAC). [David Fifield, Xu Weilin]
  + xmpp-brute performs brute force password auditing against XMPP (Jabber) instant messaging servers. [Patrik Karlsson]

o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and Babak Farroki for researching fixes.

o [NSE] The script arguments which start with a script name (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the unqualified arguments as well (hostname, maxfiles). This lets you use the generic version ("hostname") when you want to affect multiple scripts, while using the qualified version to target individual scripts. If both are specified, the qualified version takes precedence for that particular script. This works for library script arguments too (e.g. you can specify 'timelimit' rather than unpwdb.timelimit). [Paulino]

o [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to remove the epic fail known as DigiNotar.

o Nmap now defers options parsing until it has read through all the command line arguments. This removes the few remaining cases where option order mattered (for example, IPv6 users previously had to specify -6 before -S). [Shinnok]

o [NSE] Added a new default credential list for Oracle databases and modified the oracle-brute script to make use of it. [Patrik]

o [NSE] Our Packet library (packet.lua) now handles IPv6. This is used by the new multicast IPv6 host discovery scripts (targets-ipv6-*). [Weilin]

o [NSE] Replaced xmpp.nse with an overhauled version named xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]

o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and removed redundant multiple listings of the NULL compressor. [Matt Selsky]

o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse. [Gabriel Lawrence]

o [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from displaying any output unless run in debug mode. [Patrik]

o [NSE] Added 4 more protocol libraries. You can learn more about any of them at http://nmap.org/nsedoc/. Here are the new ones (authors listed in brackets):
  + bittorrent supports the BitTorrent file sharing protocol [Gorjan Petrovski]
  + cvs includes support for the Concurrent Versions System (CVS) [Patrik Karlsson]
  + sasl provides common code for "Simple Authentication and Security Layer" to services supporting it. The algorithms supported by the library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal Harouni, Patrik Karlsson]
  + xmpp handles XMPP (Jabber) IM servers [Patrik Karlsson]

o [NSE] Removed the mac-geolocation script, which relied on a Google database to determine strikingly accurate GPS coordinates for anyone's wireless access points (based on their MAC address). It was very powerful. Perhaps Google decided it was too powerful, as they discontinued the service before our script was even 2 months old.

o [Ncat] Added an --append-output option which, when used along with -o and/or -x, prevents clobbering (truncating) an existing file. [Shinnok]

o Fixed RPC scan (part of -sV) to work on the 64-bit machines where "unsigned long" is 8 bytes rather than 4. We now use the more portable u32 in the code. [David]

o [NSE] Moved some scripts into the default category: giop-info, vnc-info, ncp-serverinfo, smb-security-mode, and afp-serverinfo. [Djalal]

o Relaxed the XML DTD to allow validation of files where the verbosity level changed during the scan. Also made a service confidence of 8 (used when tcpwrapped) or any other number between 0 and 10 legal. [Daniel Miller]

o [NSE] Fixed authentication problems in the TNS library that would prevent authentication from working against Oracle 11.2.0.2.0 XE. [Chris Woodbury]

o [NSE] Added basic query support to the Oracle TNS library so that scripts can now make SQL queries against database servers. Also improved support for 64-bit database servers and improved the documentation. [Patrik]

o Removed some restrictions on probe matching that, for example, prevented a RST/ACK reply from being recognized in a NULL scan. This was found and fixed by Matthew Stickney and Joe McEachern.

o Rearranged some character classes in service matches to avoid any that look like POSIX collating symbols ("[.xyz.]"). John Hutchison discovered this error caused by one of the match lines:
    InitMatch: illegal regexp: POSIX collating elements are not supported
  [Daniel Miller]

o [NSE] Added more than 100 new signatures to http-enum (many for known vulnerabilities). They are in the categories: general, attacks, cms, security, management and database. [Paulino]

o [NSE] Updated account status text in brute force password discovery scripts in an effort to make the reporting more consistent across all scripts. This will have an impact on any code that parses these values. [Tom Sellers]

o Nmap now includes the Liblinear library for large linear classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We are using it for the upcoming IPv6 OS detection system, and (if that works out well) may eventually use it for IPv4 too. It uses a three-clause BSD license.

o [NSE] Better error messages (including a traceback) are now provided when script loading fails. [Patrick]

o [Zenmap] Prevent Zenmap from deleting ports when merging scan results based on newer scans which did not actually scan the ports in question. Additionally Zenmap now only updates ports with new information if the new information uses the same protocol, not just the same port number. [Colin Rice]

o [Ncat] Fixed a crash which would occur when --ssl-verify is combined with -vvv on Windows. [Colin Rice]

o [Nping] Added new --safe-payloads option for echo mode which causes returned packet payloads to be zeroed to reduce privacy risks if the Nping echo server were to accidentally (or through malicious intent) return a packet which wasn't sent by the Nping echo client. We hope to soon make this behavior the default. [Luis]

o Fixed a bug that would make Nmap segfault if it failed to open an interface using pcap. The bug details and patch are posted at http://seclists.org/nmap-dev/2011/q3/365 [Patrik]

o Ncat SCTP mode now supports connection brokering (--sctp --broker). [Shinnok]

o Consolidated a bunch of duplicate code between Ncat's listen (ncat_listen.c) and broker (ncat_broker.c) modes to ease maintenance. [Shinnok]

o Added a 'nostore' nse argument to the brute force library which prevents the brute force authentication cracking scripts from storing found credentials in the creds library (they will still be printed in script output).

o [NSE] Fixed the nsedebug print_hex() function so it does not print an empty line if there are no remaining characters, and improved its NSEDoc. [Chris Woodbury]

o [Ncat] Ncat no longer blocks while an SSL handshake is taking place or waiting to complete. This could make listening Ncat instances unavailable to other clients because one client was taking too long to complete the SSL handshake. Our public Ncat chat server is now much more reliable (connect with: ncat --ssl -v chat.nmap.org). [Shinnok]

o [NSE] Updated SMTP and IMAP libraries to support authentication using both plain-text and the SASL library. [Patrik]

o [Zenmap] The Zenmap crash handler now instructs users to mail in crash information to nmap-dev rather than offering to create a Sourceforge bug tracker entry. [Colin Rice]

o [NSE] Applied patch from Chris Woodbury that adds the following additional information to the output of smb-os-discovery: NetBIOS computer name, NetBIOS domain name, FQDN, and forest name.

o [NSE] Updated smb-brute to add detection for valid credentials where the target account was expired or limited by time or login host constraints. [Tom Sellers]

o [Ncat] Ncat now supports IPv6 addresses by default without the -6 flag. Additionally ncat listens on both ::1 and localhost when passed -l, or any other listening mode unless a specific listening address is supplied. [Colin Rice]

o Fixed broken XML output in the case of timed-out hosts; the enclosing host element was missing. The fix was suggested by Rémi Mollon.

o [NSE] Multiple ldap-brute changes by Tom Sellers:
  + Added support for 2008 R2 functional level Active Directory instances
  + Added detection for valid credentials where the target account was expired or limited by time or login host constraints.
  + Added support for specifying a UPN suffix to be appended to usernames when brute forcing Microsoft Active Directory accounts.
  + Added support for saving discovered credentials to a CSV file.
  + Now reports valid credentials as they are discovered when the script is run with -vv or higher.

o [NSE] ldap-search.nse - Added support for saving search results to CSV. This is done by using the ldap.savesearch script argument to specify an output filename prefix. [Tom Sellers]

o Handle an unconventional IPv6 internal link-local address convention used by Mac OS X. See http://seclists.org/nmap-dev/2011/q3/906. [David]

o [NSE] Optimized stdnse.format_output (changing the data structures) to improve performance for scripts which produce a lot of output. See http://seclists.org/nmap-dev/2011/q3/623. [Djalal]

o [NSE] Fix nping-brute so that it again works on IPv6. [Toni Ruottu]

o [NSE] Added the make_array and make_object functions to our json library, allowing Lua tables to be treated as JSON arrays or objects. See http://seclists.org/nmap-dev/2011/q3/15 [Daniel Miller]

o [NSE] The ip-geolocation-ipinfodb now allows you to specify an IPInfoDB API key using the apikey NSE argument. [Gorjan]

o [NSE] Renamed http-wp-plugins to http-wordpress-plugins script for consistency with http-wordpress-brute and now http-wordpress-enum. [Fyodor]

Enjoy the release, and don't forget to report any bugs found.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
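The CHANGELOG above notes that CPE entries appear in normal output ("OS CPE:", "Service Info:") and in XML output, where services get CPEs too. As an added example (not part of the announcement or of Nmap's own code), the parser below pulls those entries out of an nmaprun document and splits each CPE 2.2 URI into its named fields; the XML document is constructed for illustration, using the cpe:/o:linux:kernel form quoted in the CHANGELOG, and the `unversioned_services` helper is an assumed name, not an Nmap API.

```python
"""Extract CPE entries from Nmap XML output and split CPE 2.2 URIs into fields.

Added example, not Nmap's own code. SAMPLE_XML is constructed; its layout
(<os>/<osmatch>/<osclass>/<cpe> and <port>/<service>/<cpe>) is what -O -sV -oX emits.
"""
import xml.etree.ElementTree as ET

# CPE 2.2 URI components, in order: cpe:/part:vendor:product:version:update:edition:language
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")

SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -O -sV -oX - 192.0.2.10">
<host><address addr="192.0.2.10" addrtype="ipv4"/>
<ports>
<port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
<service name="ssh" product="OpenSSH" version="5.3p1" method="probed" conf="10">
<cpe>cpe:/a:openbsd:openssh:5.3p1</cpe></service></port>
<port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
<service name="http" product="Apache httpd" method="probed" conf="10">
<cpe>cpe:/a:apache:http_server</cpe></service></port>
</ports>
<os><osmatch name="Linux 2.6.39" accuracy="100" line="0">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
<cpe>cpe:/o:linux:kernel:2.6.39</cpe></osclass></osmatch></os>
</host></nmaprun>"""


def parse_cpe(uri):
    """Split a CPE 2.2 URI into named fields; absent trailing fields become ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS):
        raise ValueError("too many components in %r" % uri)
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, parts))


def extract_cpes(xml_text):
    """Return {'os': [uri, ...], 'services': [(port, proto, uri), ...]} over all hosts."""
    root = ET.fromstring(xml_text)
    found = {"os": [], "services": []}
    for host in root.iter("host"):
        for os_el in host.iter("os"):          # OS CPEs sit under <osclass> (or <osmatch>)
            found["os"].extend(c.text for c in os_el.iter("cpe"))
        for port in host.iter("port"):         # service CPEs sit under <service>
            for svc in port.iter("service"):
                for c in svc.iter("cpe"):
                    found["services"].append((int(port.get("portid")), port.get("protocol"), c.text))
    return found


def unversioned_services(xml_text):
    """Service CPEs lacking a version: the product was identified but not its release,
    so the entry cannot be matched against a version-keyed vulnerability feed."""
    return [uri for _, _, uri in extract_cpes(xml_text)["services"]
            if parse_cpe(uri)["version"] == ""]
```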