Nmap Announce mailing list archives

Nmap 5.59BETA1 Released!


From: Fyodor <fyodor () insecure org>
Date: Thu, 30 Jun 2011 16:05:01 -0700

Hi Folks.  Other than the recent informal IPv6 commemorative edition,
we haven't had a real Nmap release in more than four months since
5.51.  That is in part because we've been so busy with seven (!)
full-time Google Summer of Code students cranking out tons of
excellent code!  But I think we've pulled this together into a release
we can be proud of, and I'm happy to announce Nmap 5.59BETA1!

This version includes:
 o 40 new NSE scripts (plus improvements to many others)
 o even more IPv6 goodness than our informal World IPv6 Day release
 o 7 new NSE protocol libraries
 o hundreds of bug fixes
 o and much more (see below)!

Nmap 5.59BETA1 source code as well as binary packages for Linux, Mac,
and Windows are now available at:

http://nmap.org/download.html

If you find any bugs, please let us know on nmap-dev as described at
http://nmap.org/book/man-bugs.html.

Here are the most significant changes since version 5.51:

o [NSE] Added 40 scripts, bringing the total to 217!  You can learn
  more about any of them at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + afp-ls: Lists files and their attributes from Apple Filing
    Protocol (AFP) volumes. [Patrik Karlsson]

  + backorifice-brute: Performs brute force password auditing against
    the BackOrifice remote administration (trojan) service. [Gorjan
    Petrovski]

  + backorifice-info: Connects to a BackOrifice service and gathers
    information about the host and the BackOrifice service
    itself. [Gorjan Petrovski]

  + broadcast-avahi-dos: Attempts to discover hosts in the local
    network using the DNS Service Discovery protocol, then tests
    whether each host is vulnerable to the Avahi NULL UDP packet
    denial of service bug (CVE-2011-1002). [Djalal Harouni]

  + broadcast-netbios-master-browser: Attempts to discover master
    browsers and the Windows domains they manage. [Patrik Karlsson]

  + broadcast-novell-locate: Attempts to use the Service Location
    Protocol to discover Novell NetWare Core Protocol (NCP)
    servers. [Patrik Karlsson]

  + creds-summary: Lists all discovered credentials (e.g. from brute
    force and default password checking scripts) at end of scan.
    [Patrik Karlsson]

  + dns-brute: Attempts to enumerate DNS hostnames by brute force
    guessing of common subdomains. [Cirrus]

  + dns-nsec-enum: Attempts to discover target hosts' services using
    the DNS Service Discovery protocol. [Patrik Karlsson]

  + dpap-brute: Performs brute force password auditing against an
    iPhoto Library. [Patrik Karlsson]

  + epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and
    retrieves a list of nodes with their respective port
    numbers. [Toni Ruottu]

  + http-affiliate-id: Grabs affiliate network IDs (e.g. Google
    AdSense or Analytics, Amazon Associates, etc.) from a web
    page. These can be used to identify pages with the same
    owner. [Hani Benhabiles, Daniel Miller]

  + http-barracuda-dir-traversal: Attempts to retrieve the
    configuration settings from a Barracuda Networks Spam & Virus
    Firewall device using the directory traversal vulnerability
    described at
    http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]

  + http-cakephp-version: Obtains the CakePHP version of a web
    application built with the CakePHP framework by fingerprinting
    default files shipped with the CakePHP framework. [Paulino
    Calderon]

  + http-majordomo2-dir-traversal: Exploits a directory traversal
    vulnerability existing in the Majordomo2 mailing list manager to
    retrieve remote files. (CVE-2011-0049). [Paulino Calderon]

  + http-wp-plugins: Tries to obtain a list of installed WordPress
    plugins by brute force testing for known plugins. [Ange Gutek]

  + ip-geolocation-geobytes: Tries to identify the physical location
    of an IP address using the Geobytes geolocation web service
    (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]

  + ip-geolocation-geoplugin: Tries to identify the physical location
    of an IP address using the Geoplugin geolocation web service
    (http://www.geoplugin.com/). [Gorjan Petrovski]

  + ip-geolocation-ipinfodb: Tries to identify the physical location
    of an IP address using the IPInfoDB geolocation web service
    (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]

  + ip-geolocation-maxmind: Tries to identify the physical location of
    an IP address using a Geolocation Maxmind database file (available
    from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]

  + ldap-novell-getpass: Attempts to retrieve the Novell Universal
    Password for a user. You must already have (and include in script
    arguments) the username and password for an eDirectory server
    administrative account. [Patrik Karlsson]

  + mac-geolocation: Looks up geolocation information for BSSID (MAC)
    addresses of WiFi access points in the Google geolocation
    database. [Gorjan Petrovski]

  + mysql-audit: Audit MySQL database server security configuration
    against parts of the CIS MySQL v1.0.2 benchmark (the engine can
    also be used for other MySQL audits by creating appropriate audit
    files).  [Patrik Karlsson]

  + ncp-enum-users: Retrieves a list of all eDirectory users from the
    Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]

  + ncp-serverinfo: Retrieves eDirectory server information (OS
    version, server name, mounts, etc.) from the Novell NetWare Core
    Protocol (NCP) service. [Patrik Karlsson]

  + nping-brute: Performs brute force password auditing against an
    Nping Echo service. [Toni Ruottu]

  + omp2-brute: Performs brute force password auditing against the
    OpenVAS manager using OMPv2. [Henri Doreau]

  + omp2-enum-targets: Attempts to retrieve the list of target systems
    and networks from an OpenVAS Manager server. [Henri Doreau]

  + ovs-agent-version: Detects the version of an Oracle OVSAgentServer
    by fingerprinting responses to an HTTP GET request and an XML-RPC
    method call. [David Fifield]

  + quake3-master-getservers: Queries Quake3-style master servers for
    game servers (many games other than Quake 3 use this same
    protocol). [Toni Ruottu]

  + servicetags: Attempts to extract system information (OS, hardware,
    etc.) from the Sun Service Tags service agent (UDP port
    6481). [Matthew Flanagan]

  + sip-brute: Performs brute force password auditing against Session
    Initiation Protocol (SIP -
    http://en.wikipedia.org/wiki/Session_Initiation_Protocol)
    accounts.  This protocol is most commonly associated with VoIP
    sessions. [Patrik Karlsson]

  + sip-enum-users: Attempts to enumerate valid SIP user accounts.
    Currently only the SIP server Asterisk is supported. [Patrik
    Karlsson]

  + smb-mbenum: Queries information managed by the Windows Master
    Browser. [Patrik Karlsson]

  + smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
    within versions of Exim prior to version 4.69 (CVE-2010-4344) and
    a privilege escalation vulnerability in Exim 4.72 and prior
    (CVE-2010-4345). [Djalal Harouni]

  + smtp-vuln-cve2011-1720: Checks for a memory corruption in the
    Postfix SMTP server when it uses Cyrus SASL library authentication
    mechanisms (CVE-2011-1720).  This vulnerability can allow denial
    of service and possibly remote code execution. [Djalal Harouni]

  + snmp-ios-config: Attempts to download Cisco router IOS
    configuration files using SNMP RW (v1) and display or save
    them. [Vikas Singhal, Patrik Karlsson]

  + ssl-known-key: Checks whether the SSL certificate used by a host
    has a fingerprint that matches an included database of problematic
    keys. [Mak Kolybabi]

  + targets-sniffer: Sniffs the local network for a configurable
    amount of time (10 seconds by default) and prints discovered
    addresses. If the newtargets script argument is set, discovered
    addresses are added to the scan queue. [Nick Nikolaou]

  + xmpp: Connects to an XMPP server (port 5222) and collects server
    information such as supported auth mechanisms, compression methods
    and whether TLS is supported and mandatory. [Vasiliy Kulikov]

o Nmap has long supported IPv6 for basic (connect) port scans, basic
  host discovery, version detection, and the Nmap Scripting Engine.
  This release dramatically expands and improves IPv6 support:
  + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
    etc.) are now supported. [David, Weilin]
  + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
    discovery packets, etc.) is now supported. [David, Weilin]
  + IPv6 traceroute is now supported. [David]
  + IPv6 protocol scan (-sO) is now supported, including creating
    realistic headers for many protocols. [David]
  + Added IPv6 support to the wsdd, dnssd and upnp NSE
    libraries. [Daniel Miller, Patrik]
  + The --exclude and --excludefile options now support IPv6 addresses
    with netmasks.  [Colin]

o Scanme.Nmap.Org (the system anyone is allowed to scan for testing
  purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
  so you can scan it during IPv6 testing.  We also added a DNS record
  for ScanmeV6.nmap.org which is IPv6-only. See
  http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]

o The Nmap.Org website as well as sister sites Insecure.Org,
  SecLists.Org, and SecTools.Org all have working IPv6 addresses now
  (dual stacked). [Fyodor]

o Nmap now determines the filesystem location it is being run from and
  that path is now included early in the search path for data files
  (such as nmap-services).  This reduces the likelihood of needing to
  specify --datadir or getting data files from a different version of
  Nmap installed on the system.  For full details, see
  http://nmap.org/book/data-files-replacing-data-files.html.  Thanks
  to Solar Designer for implementation advice. [David]

o Created a page on our SecWiki for collecting Nmap script ideas! If
  you have a good idea, post it to the incoming section of the page.
  Or if you're in a script writing mood but don't know what to write,
  come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.

o The development pace has greatly increased because Google (again)
  sponsored 7 full-time college and graduate student programmer
  interns this summer as part of their Summer of Code program!
  Thanks, Google Open Source Department!  We're delighted to introduce
  the team: http://seclists.org/nmap-dev/2011/q2/312

o [NSE] Added 7 new protocol libraries, bringing the total to 66.  You
  can read about them all at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + creds: Handles storage and retrieval of discovered credentials
    (such as passwords discovered by brute force scripts). [Patrik
    Karlsson]

  + ncp: A tiny implementation of Novell Netware Core Protocol
    (NCP). [Patrik Karlsson]

  + omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri
    Doreau]

  + sip: Supports a limited subset of SIP commands and
    methods. [Patrik Karlsson]

  + smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal
    Harouni]

  + srvloc: A relatively small implementation of the Service Location
    Protocol. [Patrik Karlsson]

  + tftp: Implements a minimal TFTP server. It is used in
    snmp-ios-config to obtain router config files. [Patrik Karlsson]

o Improved Nmap's service/version detection database by adding:
  + Apple iPhoto (DPAP) protocol probe [Patrik]
  + Zend Java Bridge probe [Michael Schierl]
  + BackOrifice probe [Gorjan Petrovski]
  + GKrellM probe [Toni Ruottu]
  + Signature improvements for a wide variety of services (we now have
    7,375 signatures)

o [NSE] ssh-hostkey now additionally has a postrule that prints hosts
  found during the scan which share the same hostkey. [Henri Doreau]

o [NSE] Added 300+ new signatures to http-enum which look for admin
  directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress,
  and more. [Paulino]

o Made the final IP address space assignment update as all available
  IPv4 address blocks have now been allocated to the regional
  registries.  Our random IP generation (-iR) logic now only excludes
  the various reserved blocks.  Thanks to Kris for years of regular
  updates to this function!

o [NSE] Replaced http-trace with a new more effective version. [Paulino]

o Performed some output cleanup work to remove unimportant status
  lines so that it is easier to find the good stuff! [David]

o [Zenmap] now properly kills Nmap scan subprocess when you cancel a
  scan or quit Zenmap on Windows. [Shinnok]

o [NSE] Banned scripts from being in both the "default" and
  "intrusive" categories.  We did this by removing dhcp-discover and
  dns-zone-transfer from the set of scripts run by default (leaving
  them "intrusive"), and reclassifying dns-recursion, ftp-bounce,
  http-open-proxy, and socks-open-proxy as "safe" rather than
  "intrusive" (keeping them in the "default" set).

o [NSE] Added a credential storage library (creds.lua) and modified
  the brute library and scripts to make use of it. [Patrik]

o [Ncat] Created a portable version of ncat.exe that you can just drop
  onto Microsoft Windows systems without having to run any installer
  or copy over extra library files. See the Ncat page
  (http://nmap.org/ncat/) for binary downloads and a link to build
  instructions. [Shinnok]

o Fix a segmentation fault which could occur when running Nmap on
  various Android-based phones.  The problem related to NULL being
  passed to freeaddrinfo(). [David, Vlatko Kosturjak]

o [NSE] The host.bin_ip and host.bin_ip_src entries now also work with
  16-byte IPv6 addresses. [David]

o [Ncat] Updated the ca-bundle.crt list of trusted certificate
  authority certificates. [David]

o [NSE] Fixed a bug in the SMB Authentication library which could
  prevent concurrently running scripts with valid credentials from
  logging in. [Chris Woodbury]

o [NSE] Re-worked http-form-brute.nse to better autodetect form
  fields, allow brute force attempts where only the password (no
  username) is needed, follow HTTP redirects, and better detect
  incorrect login attempts. [Patrik, Daniel Miller]

o [Zenmap] Changed the "slow comprehensive scan" profile's NSE script
  selection from "all" to "default or (discovery and safe)"
  categories.  Except for testing and debugging, "--script all" is
  rarely desirable.

o [NSE] Added the stdnse.silent_require method which is used for
  library requires that you know might fail (e.g. "openssl" fails if
  Nmap was compiled without that library).  If these libraries are
  called with silent_require and fail to load, the script will cease
  running but the user won't be presented with ugly failure messages
  as would happen with a normal require. [Patrick Donnelly]

o [Ncat] ncat now listens on both localhost and ::1 when you run ncat
  -l. It works as before if you specify -4 or -6 or a specific
  address. [Colin Rice]

o [Zenmap] Fixed a bug in topology mapper which caused endpoints
  behind firewalls to sometimes show up in the wrong place (see
  http://seclists.org/nmap-dev/2011/q2/733).  [Colin Rice]

o [Zenmap] If you scan a system twice, any open ports from the first
  scan which are closed in the 2nd will be properly marked as
  closed. [Colin Rice]

o [Zenmap] Fixed an error that could cause a crash ("TypeError: an
  integer is required") if a sort column in the ports table was unset.
  [David]

o [Ndiff] Added nmaprun element information (Nmap version, scan date,
  etc.) to the diff.  Also, the Nmap banner with version number and
  data is now only printed if there were other differences in the
  scan. [Daniel Miller, David, Dr. Jesus]

o [NSE] Added nmap.get_interface and nmap.get_interface_info functions
  so scripts can access characteristics of the scanning interface.
  Removed nmap.get_interface_link. [Djalal]

o Fixed an overflow in scan elapsed time display that caused negative
  times to be printed after about 25 days. [Daniel Miller]

o Updated nmap-rpc from the master list, now maintained by IANA.
  [Daniel Miller, David]

o [Zenmap] Fixed a bug in the option parser: -sN (null scan) was
  interpreted as -sn (no port scan). This was reported by
  Shitaneddine. [David]

o [Ndiff] Fixed the Mac OS X packages to use the correct path for
  Python: /usr/bin/python instead of /opt/local/bin/python. The bug
  was reported by Wellington Castello. [David]

o Removed the -sR (RPC scan) option--it is now an alias for -sV
  (version scan), which always does RPC scan when an rpcinfo service
  is detected.

o [NSE] Improved the ms-sql scripts and library in several ways:
  - Improved version detection and server discovery
  - Added support for named pipes, integrated authentication, and
    connecting to instances by name or port
  - Improved script and library stability and documentation.
  [Patrik Karlsson, Chris Woodbury]

o [NSE] Fixed http.validate_options when handling a cookie table.
  [Sebastian Prengel]

o Added a Service Tags UDP probe for port 6481/udp. [David]

o [NSE] Enabled firewalk.nse to automatically find the gateways at
  which probes are dropped and fixed various bugs. [Henri Doreau]

o [Zenmap] Worked around a pycairo bug that prevented saving the
  topology graphic as PNG on Windows: "Error Saving Snapshot:
  Surface.write_to_png takes one argument which must be a filename
  (str), file object, or a file-like object which has a 'write' method
  (like StringIO)". The problem was reported by Alex Kah. [David]

o The -V and --version options now show the platform Nmap was compiled
  on, which features are compiled in, the version numbers of libraries
  it is linked against, and whether the libraries are the ones that
  come with Nmap or the operating system.  [Ambarisha B., David]

o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
  from netVigilance.

o The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]

o [NSE] Added a shortport.ssl function which can be used as a script
  portrule to match SSL services.  It is similar in concept to our
  existing shortport.http. [David]
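The three NSE conventions mentioned in this announcement (the rule that
a script is never both "default" and "intrusive", stdnse.silent_require
for libraries that may be absent, and shortport.ssl as a portrule)
fit together in one small script. The following is an added
illustration written for this archive page; it is not one of the 217
scripts shipped with Nmap 5.59BETA1. It is written in the later
`local x = require "x"` module style rather than the global-require
style of 2011-era scripts, and it assumes the socket method
get_ssl_certificate() and the certificate object's digest() method
behave as they do in the current NSE API; the script name and its
output format are hypothetical.

```lua
-- Added example, not part of the Nmap 5.59BETA1 script collection.
-- Reports the subject CN and SHA-1 fingerprint of the certificate an
-- SSL service presents, as a defender-side inventory check.

description = [[
Reports the subject common name and SHA-1 fingerprint of the X.509
certificate presented by an SSL/TLS service (added example script).
]]

author = "Added example"
license = "Same as Nmap--See http://nmap.org/book/man-legal.html"

-- "discovery" and "safe", never "intrusive": this is exactly the
-- combination Zenmap's "slow comprehensive scan" profile now selects
-- with "default or (discovery and safe)".
categories = {"discovery", "safe"}

local nmap = require "nmap"
local shortport = require "shortport"
local stdnse = require "stdnse"

-- openssl is optional: if Nmap was built without it, silent_require
-- stops this script quietly instead of aborting with a require() error.
local openssl = stdnse.silent_require "openssl"

-- shortport.ssl matches ports that version detection (or the port's
-- service name) identified as SSL-wrapped, the same idea as
-- shortport.http for web servers.
portrule = shortport.ssl

action = function(host, port)
  local socket = nmap.new_socket()
  socket:set_timeout(5000)

  -- Open the connection with the "ssl" protocol so NSE performs the
  -- handshake for us and exposes the peer certificate.
  local status, err = socket:connect(host, port, "ssl")
  if not status then
    stdnse.print_debug(1, "%s: connect failed: %s", SCRIPT_NAME, err)
    return nil
  end

  local cert = socket:get_ssl_certificate()
  socket:close()
  if not cert then
    return nil
  end

  -- Assumption: cert.subject is a table keyed by attribute name and
  -- cert:digest("sha1") returns the raw fingerprint bytes.
  local cn = cert.subject and cert.subject.commonName or "<no CN>"
  local fingerprint = stdnse.tohex(cert:digest("sha1"), { separator = ":" })

  return ("Subject CN: %s\nSHA-1: %s"):format(cn, fingerprint)
end
```

Dropping the script into the scripts/ directory and running
`nmap --script-updatedb` registers it; because it is tagged "safe" and
"discovery" rather than "default", it only runs when selected
explicitly or through a category expression such as the Zenmap profile
above. If Nmap was compiled without OpenSSL, silent_require makes the
script exit before portrule is ever evaluated, so no error reaches the
user.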

o Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
  packages (on CentOS 5.3) to resolve a report of Nmap failing to run
  on old versions of Glibc. [David]

o We no longer support Nmap on versions of Windows earlier than XP
  SP2.  Even Microsoft no longer supports Windows versions that old.
  But if you must use Nmap on such systems anyway, please see
  https://secwiki.org/w/Nmap_On_Old_Windows_Releases.

o There were hundreds of other little bug fixes and improvements
  (especially to NSE scripts).  See the SVN logs for revisions 22,274
  through 24,460 for details.

Enjoy the new release!
-Fyodor
_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
Archived at http://seclists.org/nmap-hackers/