Nmap 5.61TEST5 released with 43 new scripts, improved OS & version detection, and more!

[Fyodor <fyodor () insecure org>]

Hi folks!  We've been working hard for the last 2 months since
5.61TEST4, and I'm pleased to announce the results: Nmap 5.61TEST5.
This release has 43 new scripts, including new brute forcers for http
proxies, SOCKS proxies, Asterisk IAX2, Membase, MongoDB, Nessus
XMLRPC, Redis, the WinPcap remote capture daemon, the VMWare auth
daemon, and old-school rsync.  Better check that your passwords are
strong!  Some other fun scripts are nat-pmp-mapport, asn-to-prefix,
url-snarf, and http-auth-finder.  See the changelog entries below for
a full list with descriptions.

For this release, we also incorporated thousands of your OS detection
and service detection submissions, dramatically improving the
databases.  Our IPv6 OS detection system became smarter as well.  And
we've incorporated a new "nsock engines" system which improves
performance by using advanced I/O APIs (such as epoll on Linux) rather
than always using select.

You can download 5.61TEST5 source code and binaries for Linux,
Windows, and Mac OS X at the normal place:

http://nmap.org/download.html

Please give this some good testing, as we're hoping to use it as the
base for a new stable version of Nmap!  That will be the first stable
version since 5.51 more than a year ago.  If you encounter any
problems, please report them to nmap-dev as described at:

http://nmap.org/book/man-bugs.html

Here are the most significant changes since 5.61TEST4:

o Integrated all of your IPv4 OS fingerprint submissions since June
  2011 (about 1,900 of them).  Added about 256 new fingerprints (and
  deleted some bogus ones), bringing the new total to 3,572.
  Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
  through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
  devices. Many existing fingerprints were improved. For more details,
  see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]

o Integrated all of your service/version detection fingerprints
  submitted since November 2010--more than 2,500 of them!  Our
  signature count increased more than 10% to 7,423 covering 862
  protocols. Some amusing and bizarre new services are described at
  http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]

o Integrated your latest IPv6 OS submissions and corrections. We're
  still low on IPv6 fingerprints, so please scan any IPv6 systems you
  own or administer and submit them to http://nmap.org/submit/.  Both
  new fingerprints (if Nmap doesn't find a good match) and corrections
  (if Nmap guesses wrong) are useful.

o [NSE] Added a host-based registry which only persists (for the given
  host) until all scripts have finished scanning that host. The normal
  registry saves information until it is deleted or the Nmap scan
  ends. That is a waste of memory for information which doesn't need
  to persist that long. Use the host based registry instead if you
  can. See http://nmap.org/book/nse-api.html#nse-api-registry. [Patrik
  Karlsson]

o IPv6 OS detection now includes a novelty detection system which
  avoids printing a match when an observed fingerprint is too
  different from fingerprints seen before. As the OS database is still
  small, this helps to avoid making (essentially) wild guesses when
  seeing a new operating system. [David Fifield]

o Refactored the nsock library to add the nsock-engines system. This
  allows system-specific scalable IO notification facilities to be
  used while maintaining the portable Nsock API. This initial version
  comes with an epoll-based engine for Linux and a select-based
  fallback engine for all other operating systems. Also added the
  --nsock-engine option to Nmap, Nping and Ncat to enforce use of a
  specific Nsock IO engine. [Henri Doreau]

o [NSE] Added 43(!) NSE scripts, bringing the total up to 340.  They
  are all listed at http://nmap.org/nsedoc/, and the summaries are
  below (authors are listed in brackets):

  + acarsd-info retrieves information from a listening acarsd
    daemon. Acarsd decodes ACARS (Aircraft Communication Addressing
    and Reporting System) data in real time. [Brendan Coles]

  + asn-to-prefix produces a list of IP prefixes for a given AS number
    (ASN). It uses the external Shadowserver API (with their
    permission). [John Bond]

  + broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
    DHCPv6 multicast address, parses the response, then extracts and
    prints the address along with any options returned by the
    server. [Patrik Karlsson]

  + broadcast-networker-discover discovers the EMC Networker backup
    software server on a LAN by using network broadcasts. [Patrik Karlsson]

  + broadcast-pppoe-discover discovers PPPoE servers using the PPPoE
    Discovery protocol (PPPoED). [Patrik Karlsson]

  + broadcast-ripng-discover discovers hosts and routing information
    from devices running RIPng on the LAN by sending a RIPng Request
    command and collecting the responses from all responsive
    devices. [Patrik Karlsson]

  + broadcast-versant-locate discovers Versant object databases using
    the srvloc protocol. [Patrik Karlsson]

  + broadcast-xdmcp-discover discovers servers running the X Display
    Manager Control Protocol (XDMCP) by sending a XDMCP broadcast
    request to the LAN. [Patrik Karlsson]

  + cccam-version detects the CCcam service (software for sharing
    subscription TV among multiple receivers). [David Fifield]

  + dns-client-subnet-scan performs a domain lookup using the
    edns-client-subnet option that adds support for adding subnet
    information to the query describing where the query is
    originating. The script uses this option to supply a number of
    geographically distributed locations in an attempt to enumerate as
    many different address records as possible. [John Bond]

  + dns-nsid retrieves information from a DNS nameserver by requesting
    its nameserver ID (nsid) and asking for its id.server and
    version.bind values. [John Bond]

  + dns-srv-enum enumerates various common service (SRV) records for a
    given domain name.  The service records contain the hostname, port
    and priority of servers for a given service. [Patrik Karlsson]

  + eap-info enumerates the authentication methods offered by an EAP
    authenticator for a given identity or for the anonymous identity
    if no argument is passed. [Riccardo Cecolin]

  + http-auth-finder spiders a web site to find web pages requiring
    form-based or HTTP-based authentication. [Patrik Karlsson]

  + http-config-backup checks for backups and swap files of common
    content management system and web server configuration
    files. [Riccardo Cecolin]

  + http-generator displays the contents of the "generator" meta tag
    of a web page (default: /) if there is one. [Michael Kohl]

  + http-proxy-brute performs brute force password guessing against a
    HTTP proxy server. [Patrik Karlsson]

  + http-qnap-nas-info attempts to retrieve the model, firmware
    version, and enabled services from a QNAP Network Attached Storage
    (NAS) device. [Brendan Coles]

  + http-vuln-cve2009-3960 exploits cve-2009-3960 also known as Adobe
    XML External Entity Injection. [Hani Benhabiles]

  + http-vuln-cve2010-2861 executes a directory traversal attack
    against a ColdFusion server and tries to grab the password hash
    for the administrator user. It then uses the salt value (hidden in
    the web page) to create the SHA1 HMAC hash that the web server
    needs for authentication as admin. [Micah Hoffman]

  + iax2-brute performs brute force password auditing against the
    Asterisk IAX2 protocol. [Patrik Karlsson]

  + membase-brute performs brute force password auditing against
    Couchbase Membase servers. [Patrik Karlsson]

  + membase-http-info retrieves information (hostname, OS, uptime,
    etc.) from the CouchBase Web Administration port. [Patrik
    Karlsson]

  + memcached-info retrieves information (including system
    architecture, process ID, and server time) from distributed memory
    object caching system memcached. [Patrik Karlsson]

  + mongodb-brute performs brute force password auditing against the
    MongoDB database. [Patrik Karlsson]

  + nat-pmp-mapport maps a WAN port on the router to a local port on
    the client using the NAT Port Mapping Protocol (NAT-PMP). [Patrik
    Karlsson]

  + ndmp-fs-info lists remote file systems by querying the remote
    device using the Network Data Management Protocol (ndmp). [Patrik
    Karlsson]

  + ndmp-version retrieves version information from the remote Network
    Data Management Protocol (NDMP) service. [Patrik Karlsson]

  + nessus-xmlrpc-brute performs brute force password auditing against
    a Nessus vulnerability scanning daemon using the XMLRPC
    protocol. [Patrik Karlsson]

  + redis-brute performs brute force passwords auditing against a
    Redis key-value store. [Patrik Karlsson]

  + redis-info retrieves information (such as version number and
    architecture) from a Redis key-value store. [Patrik Karlsson]

  + riak-http-info retrieves information (such as node name and
    architecture) from a Basho Riak distributed database using the
    HTTP protocol. [Patrik Karlsson]

  + rpcap-brute performs brute force password auditing against the
    WinPcap Remote Capture Daemon (rpcap). [Patrik Karlsson]

  + rpcap-info connects to the rpcap service (provides remote sniffing
    capabilities through WinPcap) and retrieves interface
    information. [Patrik Karlsson]

  + rsync-brute performs brute force password auditing against the
    rsync remote file syncing protocol. [Patrik Karlsson]

  + rsync-list-modules lists modules available for rsync (remote file
    sync) synchronization. [Patrik Karlsson]

  + socks-auth-info determines the supported authentication mechanisms
    of a remote SOCKS 5 proxy server. [Patrik Karlsson]

  + socks-brute performs brute force password auditing against SOCKS 5
    proxy servers. [Patrik Karlsson]

  + url-snarf sniffs an interface for HTTP traffic and dumps any URLs, and their
    originating IP address. [Patrik Karlsson]

  + versant-info extracts information, including file paths, version
    and database names from a Versant object database. [Patrik
    Karlsson]

  + vmauthd-brute performs brute force password auditing against the
    VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]

  + voldemort-info retrieves cluster and store information from the
    Voldemort distributed key-value store using the Voldemort Native
    Protocol. [Patrik Karlsson]

  + xdmcp-discover requests an XDMCP (X display manager control
    protocol) session and lists supported authentication and
    authorization mechanisms. [Patrik Karlsson]

o [NSE] Added 14 new protocol libraries! They were all written by
  Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
  + dhcp6 (Dynamic Host Configuration Protocol for IPv6)
  + eap (Extensible Authentication Protocol)
  + iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
  + membase (Couchbase Membase TAP protocol)
  + natpmp (NAT Port Mapping Protocol)
  + ndmp (Network Data Management Protocol)
  + pppoe (Point-to-point protocol over Ethernet)
  + redis (in-memory key-value data store)
  + rpcap (WinPcap Remote Capture Deamon)
  + rsync (remote file sync)
  + socks (SOCKS 5 proxy protocol)
  + sslcert (for collecting SSL certificates and storing them in the
    host-based registry)
  + versant (an object database)
  + xdmcp (X Display Manager Control Protocol)

o CPE (Common Platform Enumeration) OS classification is now supported
  for IPv6 OS detection. Previously it was only available for
  IPv4. [David Fifield]

o [NSE] The host.os table is now a structured array of table that
  include OS class information and CPE. See
  http://nmap.org/book/nse-api.html for documentation of the new
  structure. [Henri Doreau, David]

o [NSE] Service matches can now access CPE through the
  port.version.cpe array. [Henri Doreau]

o Added a new --script-args-file option which allows you to specify
  the name of a file containing all of your desired NSE script
  arguments. The arguments may be separated with commas or newlines
  and may be overridden by arguments specified on the command-line
  with --script-args. [Daniel Miller]

o Audited the nmap-service-probes database to remove all unused
  captures, fixing dozens of bugs with captures either being ignored
  or two fields erroneously using the same capture. [Lauri Kokkonen,
  David Fifield, and Rob Nicholls]

o Added new version detection probes and match lines for:
 + Erlang Port Mapper Daemon
 + Couchbase Membase NoSQL database
 + Basho Riak distributed database protocol buffers client (PBC)
 + Tarantool in-memory data store
 [Patrik Karlsson]

o Split the nmap-update client into its own binary RPM to avoid the
  Nmap RPM having a dependency on the Subversion and APR libraries.
  We're not yet distributing this binary nmap-update RPM since the
  system isn't complete, but the source code is available in the Nmap
  tarball and source RPM. [David]

o [NSE] Added authentication support to the MongoDB library and
  modified existing scripts to support it. [Patrik Karlsson]

o [NSE] Added support to broadcast-listener for extracting address, native VLAN
  and management IP address from CDP packets. [Tom Sellers]
        
o [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be
  unconnected in order to support broadcast. [Patrik Karlsson]

o [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to
  take advantage of the new sslcert library which retrieves and caches
  SSL certificates in the registry.

o [NSE] Patch our bitcoin library to support recent changes in the
  BitCoin protocol. [Andrew Orr, Patrik Karlsson]

o Fixed an error where very long messages could cause an
  assertion failure: "log_vwrite: vsnprintf failed.  Even after
  increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)."
  This was reported by David Hingos.

o Fixed an assertion failure that was printed when a fatal error
  occurred while an XML tag was incomplete: "!xml.tag_open, file
  ..\xml.cc, line 401". This was reported by David Hingos. [David
  Fifield]

o [NSE] Added support for decoding EIGRP broadcasts from Cisco routers
  to broadcast-listener. [Tom Sellers]

o [NSE] Added redirect support to the http library. All calls to
  http.get and http.head now transparently handle any HTTP
  redirects. The number and destination of redirects are limited by
  default to avoid endless loops or unwanted follows of redirects to
  different servers, but they can be configured. [Patrik Karlsson]

o [NSE] Modified the sql-injection script to use the httpspider library.
  [Lauri Kokkonen]

o Added --with-apr and --with-subversion configuration options to
  support systems where those libraries aren't in the usual places.
  [David Fifield]

o [NSE] Fixed a bunch of global access errors in various libraries reported by
  the nse_check_globals script. [Patrik Karlsson]

o Fixed an assertion failure which could occur when connecting to an
  SSL server:
  nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
  Thanks to Ron for reporting the bug and testing. [Henri Doreau]

o [NSE] Added support to the DNS library for the CHAOS class and NSID
  requests. [John Bond]

o [NSE] Changed the dnsbl library to take a much faster threaded
  approach to querying DNS blacklists. [Patrik Karlsson]

o [NSE] Added new services and the ATTACK category to the dnsbl
  script. [Duarte Silva]

o [NSE] Fixed a memory leak in PortList::setServiceProbeResults()
  which was noticed and reported by David Fifield. The leak was
  triggered by set_port_version calls from NSE.  [Henri Doreau]

o [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
  could cause responses to be missed on fast networks. It was noticed
  by Vasiliy Kulikov. [David Fifield]

o Fixed a bug in reverse name resolution: a name of "." would leave
  the hostname unintialized and cause "Illegal character(s) in
  hostname" warnings. [Gisle Vanem]

o Allow overriding the AR variable to use a different version of the
  ar library creation tool when creating the liblinear library. [Nuno
  Gonçalves]

o Added vcredist2008_x86.exe to the Windows zip file. This installer
  from MS must be run on new Windows 2008 systems (those which don't
  already have it) before running Nmap.  The Nmap Windows installer
  already takes care of this. [David Fifield]

o Removed about 5MB of unnecessary DocBook XSL from the Nping docs
  directory. [David Fifield]

o The packet library now uses consistent naming of the address fields
  for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and
  ip_dst). [Henri Doreau]

o Update to the latest MAC address prefix assignments from IEEE as of
  March 8, 2012. [Fyodor]

o Fixed a problem in the ippackethdrinfo function which was leading to
  warning messages like: "BOGUS!  Can't parse supposed IP packet" during
  certain IPv6 scans. [David Fifield]

o Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be
  modified to ensure that -lnl was passed on the build line. See the
  r28202 svn log for further information. [David Fifield]

o Include net/if.h before net/if_arp.h in netutil.cc and tcpip.cc to
  hopefully fix some build problems on AIX 5.3.

o [NSE] Added IPv6 support to firewalk.nse. [Henri Doreau]

And here is the download link again:

http://nmap.org/download.html

And the bug reporting link again:

http://nmap.org/book/man-bugs.html

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
Archived at http://seclists.org/nmap-hackers/