Nmap Announce mailing list archives

Nmap 7.50 Released! 14 new NSE scripts, 300+ fingerprints, new Npcap, and more


From: Fyodor <fyodor () nmap org>
Date: Tue, 13 Jun 2017 13:42:19 -0700

Dear Nmap Community:

The Nmap project is delighted to announce the release of Nmap 7.50!  It is
our first big release since last December and has hundreds of improvements
that we hope you will enjoy.

One of the things we have worked the hardest on recently is our Npcap
packet capturing driver and library for Windows (https://nmap.org/npcap/).
It is a replacement for WinPcap, which served us well for many years, but
is no longer maintained. Npcap uses newer APIs for better performance and
compatibility, including Windows 10 support.  We also added loopback packet
capture and injection, raw wireless sniffing for beacon frames and such,
and extra security features such as requiring Administrator access. Nmap
7.50 ships with Npcap 0.92 (released yesterday) and you can read about all
the improvements since 0.78 (which shipped with Nmap 7.40) at
https://github.com/nmap/npcap/blob/master/CHANGELOG.md.

Another priority for Nmap 7.50 was improving our Nmap Scripting Engine.
For example, we were one of the first scanners to release a detection
script for the MS17-010 vulnerability exploited by the Wannacry ransomware
and we hope it helped many people prevent infection.  We also developed
scripts for the more recent SambaCry bug (CVE-2017-7494) and other vulns as
well as quite a few new information gathering scripts to support Nmap's
core network discovery mission.

This release also includes more than 300 new service detection
fingerprints, improvements to Nmap's family of related tools such as Ncat,
and dozens of other enhancements and bug fixes all listed below.  And we
plan to keep the good stuff coming this summer, as our team of 4 GSoC
students plus their mentors are already hard at work
(http://seclists.org/nmap-announce/2017/2).

Nmap 7.50 source code and binary packages for Linux, Windows, and Mac are
available for free download from the usual spot:

https://nmap.org/download.html

If you find any bugs in this release, please let us know on the Nmap Dev
list or bug tracker as described at https://nmap.org/book/man-bugs.html.

Here is the full list of significant changes since Nmap 7.40:

• [Windows] Updated the bundled Npcap from 0.78 to 0.92, with several
bugfixes for WiFi connectivity problems and stability issues. [Daniel
Miller, Yang Luo]

• Integrated all of your service/version detection fingerprints submitted
from September to March (855 of them). The signature count went up 2.9% to
11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to
jmon, slmp, and zookeeper. Highlights:
http://seclists.org/nmap-dev/2017/q2/140

• [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:

   - [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and
   neighbors. OSPFv2 authentication is supported. [Emiliano Ticci]
   - [GH#671] cics-info checks IBM TN3270 services for CICS transaction
   services and extracts useful information. [Soldier of Fortran]
   - [GH#671] cics-user-brute does brute-force enumeration of CICS
   usernames on IBM TN3270 services. [Soldier of Fortran]
   - [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly
   and Secure flags. [Steve Benson]
   - http-security-headers checks for the HTTP response headers related to
   security given in OWASP Secure Headers Project, giving a brief description
   of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
   - [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in
   Apache Struts2. [Seth Jackson]
   - [GH#876] http-vuln-cve2017-5689 detects a privilege escalation
   vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
   capable systems. [Andrew Orr]
   - http-vuln-cve2017-1001000 detects a privilege escalation vulnerability
   in WordPress 4.7.0 and 4.7.1 (CVE-2017-1001000). [Vinamra Bhatia]
   - [GH#713] impress-remote-discover attempts to pair with the LibreOffice
   Impress presentation remote service and extract version info.  Pairing is
   PIN-protected, and the script can optionally brute-force the PIN.  New
   service probe and match line also added. [Jeremy Hiebert]
   - [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked
   Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
   - smb-vuln-cve-2017-7494 detects the "SambaCry" remote code execution
   vulnerability affecting Samba versions 3.5.0 and greater with writable
   shares.  [Wong Wai Tuck]
   - smb-vuln-ms17-010 detects a critical remote code execution
   vulnerability affecting SMBv1 servers in Microsoft Windows systems
   (ms17-010).  The script also reports patched systems. [Paulino Calderon]
   - [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability
   (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
   - vmware-version queries the VMware SOAP API for version and product
   information. Submitted in 2011, this was mistakenly turned into a service
   probe that was unable to elicit any matches. [Aleksey Tyurin]

• [Ncat] A series of changes and fixes based on feedback from the Red Hat
community:

   - [GH#157] Ncat will now continue trying to connect to each resolved
   address for a hostname before declaring the connection refused, allowing it
   to fall back from IPv6 to IPv4 or to connect to names that use DNS failover.
   [Jaromir Koncicky, Michal Hlavinka]
   - The --no-shutdown option now also works in connect mode, not only in
   listen mode.
   - Made -i/--idle-timeout not cause Ncat in server mode to close while
   waiting for an initial connection. This was also causing -i to interfere
   with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
   - [GH#773] Ncat in server mode properly handles TLS renegotiations and
   other situations where SSL_read returns a non-fatal error. This was causing
   SSL-over-TCP connections to be dropped. [Daniel Miller]
   - Enable --ssl-ciphers to be used with Ncat in client mode, not only in
   server (listen) mode. [Daniel Miller]

• [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use
fully qualified paths. SMB scripts now work against all modern versions of
Microsoft Windows. [Paulino Calderon]

• [NSE] smb library's share_get_list now properly uses anonymous
connections first before falling back to authenticating as a known user.

• New service probes and matches for Apache HBase and Hadoop MapReduce.
[Paulino Calderon]

• Extended Memcached service probe and added match for Apache ZooKeeper.
[Paulino Calderon]

• [NSE] New script argument "vulns.short" will reduce vulns library script
output to a single line containing the target name or IP, the vulnerability
state, and the CVE ID or title of the vulnerability. [Daniel Miller]

• [NSE][GH#862] SNMP scripts will now take a community string provided like
`--script-args creds.snmp=private`, which previously did not work because
it was interpreted as a username. [Daniel Miller]

• [NSE] Resolved several issues in the default HTTP redirect rules:
   - [GH#826] A redirect is now cancelled if the original URL contains
   embedded credentials.
   - [GH#829] A redirect test is now more careful in determining whether a
   redirect destination is related to the original host.
   - [GH#830] A redirect is now more strict in avoiding possible redirect
   loops.
   [nnposter]

• [NSE][GH#766] The HTTP Host header will now include the port unless it is
the default one for a given scheme. [nnposter]

• [NSE] The HTTP response object has a new member, fragment, which contains
a partially received body (if any) when the overall request fails to
complete. [nnposter]

• [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
are silently ignored (in accordance with RFC 6265). Unrecognized attributes
were previously causing HTTP requests with such cookies to fail. [nnposter]

• [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has
unquoted whitespace in the cookie value (which is allowed per RFC 6265).
[nnposter]

• [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie
header that has an extraneous trailing semicolon. [nnposter]

• [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated
with option any_af. As an added benefit, option any_af is now available for
all connections via comm.lua, not just HTTP requests. [nnposter]

• [NSE][GH#781] There is a new common function, url.get_default_port(), to
obtain the default port number for a given scheme. [nnposter]

• [NSE][GH#833] Function url.parse() now returns the port part as a number,
not a string. [nnposter]

• No longer allow ICMP Time Exceeded messages to mark a host as down during
host discovery. Running traceroute at the same time as Nmap was causing
interference. [David Fifield]

• [NSE][GH#807] Fixed a JSON library issue that was causing long integers
to be expressed in the scientific/exponent notation. [nnposter]

• [NSE] Fixed several potential hangs in NSE scripts that used
receive_buf(pattern), which will not return if the service continues to
send data that does not match pattern. A new function in match.lua,
pattern_limit, is introduced to limit the number of bytes consumed while
searching for the pattern. [Daniel Miller, Jacek Wielemborek]

• [Nsock] Handle any and all socket connect errors the same: raise as an
Nsock error instead of fatal. This prevents Nmap and Ncat from quitting
with "Strange error from connect:" [Daniel Miller]

• [NSE] Added several commands to redis-info to extract listening
addresses, connected clients, active channels, and cluster nodes. [Vasiliy
Kulikov]

• [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting
changes at the source site (www.robtex.com). [aDoN]

• [NSE][GH#620][GH#715] Added 8 new http-enum fingerprints for Hadoop
infrastructure components. [Thomas Debize, Varunram Ganesh]

• [NSE][GH#629] Added two new fingerprints to http-default-accounts (APC
Management Card, older NetScreen ScreenOS). [Steve Benson, nnposter]

• [NSE][GH#716] Fix for oracle-tns-version, which was sending an invalid TNS
probe due to a string escaping mixup. [Alexandr Savca]

• [NSE][GH#694] ike-version now outputs information about supported
attributes and unknown vendor ids. Also, a new fingerprint for FortiGate
VPNs was submitted by Alexis La Goutte. [Daniel Miller]

• [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]

• [GH#649] New service probe and match lines for the JMON and RSE services
of IBM Explorer for z/OS. [Soldier of Fortran]

• Removed a duplicate service probe for Memcached added in 2011 (the
original probe was added in 2008) and reported as duplicate in 2013 by
Pavel Kankovsky.

• New service probe and match line for NoMachine NX Server remote desktop.
[Justin Cacak]

• [Zenmap] Fixed a recurring installation problem on OS X/macOS where
Zenmap was installed to /Applications/Applications/Zenmap.app instead of
/Applications/Zenmap.app.

• [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary
directory is found. Patches contributed by [Varunram Ganesh] and [Sai
Sundhar].

• [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option,
which was added in Nmap 7.10. Previously, this was treated the same as not
specifying -v at all. [lymanZerga11]

• [GH#630] Updated or removed some OpenSSL library calls that were
deprecated in OpenSSL 1.1. [eroen]

• [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys.
[nnposter]

• [NSE][GH#627] Fixed script hang in several brute scripts due to the
"threads" script-arg not being converted to a number. Error message was
"nselib/brute.lua:1188: attempt to compare number with string". [Arne Beer]

Enjoy this new release and please do let us know if you find any problems!
Download link: https://nmap.org/download.html

Cheers,
Fyodor
_______________________________________________
Sent through the announce mailing list
https://nmap.org/mailman/listinfo/announce
Archived at http://seclists.org/nmap-hackers/
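The HTTP redirect rules listed in the changelog (GH#826: no redirect when the original URL carries credentials; GH#829: the destination must be related to the original host; GH#830: no redirect loops) and the Host header rule (GH#766: include the port only when it is not the scheme's default) restated as a stand-alone Python example. This is added code, not NSE's http.lua or url.lua: the DEFAULT_PORTS table, the function names, the hop limit and the "same host or a subdomain of it" reading of "related host" are this example's own assumptions.

```python
"""Added example (not Nmap/NSE code): a stand-alone re-implementation of the
redirect-safety and Host-header rules described in the Nmap 7.50 changelog."""
from urllib.parse import urljoin, urlsplit

# Default ports per scheme.  NSE exposes this through url.get_default_port();
# this table is an assumption of the example, not NSE's own data.
DEFAULT_PORTS = {"http": 80, "https": 443}


def host_header(url):
    """Host header value: hostname, plus ':port' only when a port is
    present and is not the default for the scheme (GH#766)."""
    parts = urlsplit(url)
    if parts.hostname is None:
        raise ValueError("URL has no host: %r" % url)
    port = parts.port  # already an int, like url.parse() after GH#833
    if port is None or port == DEFAULT_PORTS.get(parts.scheme):
        return parts.hostname
    return "%s:%d" % (parts.hostname, port)


def _related_host(original, target):
    """Assumed notion of 'related': same host, or a subdomain of it.
    A suffix match without the leading dot would let example.com.evil.net
    through, so the dot is required."""
    original = original.lower()
    target = target.lower()
    return target == original or target.endswith("." + original)


def redirect_ok(original_url, location, visited, max_hops=5):
    """Decide whether a client should follow the Location value.

    visited: URLs already fetched in this chain (the original included).
    Returns (True, absolute_target_url) or (False, reason)."""
    orig = urlsplit(original_url)
    # GH#826: credentials in the original URL must not be carried to the
    # destination, so the redirect is cancelled outright.
    if orig.username is not None or orig.password is not None:
        return False, "original URL has embedded credentials"
    target = urljoin(original_url, location)  # relative Location resolved
    dest = urlsplit(target)
    if orig.hostname is None or dest.hostname is None:
        return False, "missing host"
    # GH#829: stay on a host related to the original one.
    if not _related_host(orig.hostname, dest.hostname):
        return False, "destination host %s is unrelated to %s" % (
            dest.hostname, orig.hostname)
    # GH#830: refuse loops and over-long chains.
    if target in visited:
        return False, "redirect loop"
    if len(visited) >= max_hops:
        return False, "too many redirects"
    return True, target


if __name__ == "__main__":
    # Constructed sample inputs.
    print(host_header("http://example.com:8080/"))
    print(redirect_ok("http://user:pw@example.com/", "/login", []))
    print(redirect_ok("http://example.com/a", "http://www.example.com/b",
                      ["http://example.com/a"]))
```

A caller would drive this in a loop, appending each followed target to `visited`, which is what makes the loop check meaningful; the credentials check deliberately refuses even same-host redirects, matching the "cancelled" wording of GH#826.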
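The Set-Cookie handling fixes in the changelog (GH#866: arbitrary attributes are ignored per RFC 6265; GH#844: unquoted whitespace in the cookie value; GH#731: an extraneous trailing semicolon) together with the Secure/HttpOnly check that the new http-cookie-flags script performs, as an added Python example. This is not NSE's http.lua or the script's code; the function names and the KNOWN_ATTRS set are this example's own.

```python
"""Added example (not Nmap/NSE code): a lenient Set-Cookie parser in the
spirit of the 7.50 fixes, plus a Secure/HttpOnly flag check."""

# Attribute names RFC 6265 section 5.2 defines; anything else is kept in the
# parsed result but never acted on.  This set is the example's assumption.
KNOWN_ATTRS = {"expires", "max-age", "domain", "path", "secure", "httponly"}


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into (name, value, attrs).

    attrs maps lower-cased attribute names to their (possibly empty) values.
    Lenient in the ways the changelog describes: unknown attributes are
    accepted (GH#866), unquoted whitespace inside the value is preserved
    (GH#844), and a trailing ';' produces an empty segment that is skipped
    (GH#731)."""
    segments = header.split(";")
    name, sep, value = segments[0].partition("=")
    name = name.strip()
    if not sep or not name:
        raise ValueError("Set-Cookie has no name=value pair: %r" % header)
    attrs = {}
    for raw in segments[1:]:
        raw = raw.strip()
        if not raw:  # empty segment from a trailing or doubled ';'
            continue
        key, _, val = raw.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value.strip(), attrs


def unknown_attrs(header):
    """Attributes a strict parser might have rejected; reported, not acted on."""
    return set(parse_set_cookie(header)[2]) - KNOWN_ATTRS


def missing_flags(header):
    """Flags http-cookie-flags looks for that this cookie lacks."""
    attrs = parse_set_cookie(header)[2]
    return {flag for flag in ("secure", "httponly") if flag not in attrs}


if __name__ == "__main__":
    # Constructed sample header: unquoted whitespace in the value, an unknown
    # attribute, and a trailing semicolon.
    sample = "SESSION=abc def; Path=/; Foo=bar; HttpOnly;"
    print(parse_set_cookie(sample))
    print("missing:", missing_flags(sample), "unknown:", unknown_attrs(sample))
```

Attribute names are compared case-insensitively because RFC 6265 treats them that way; a server sending `httponly` in lower case still counts as setting the flag.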

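The receive_buf(pattern) hang described in the changelog, where a script never returns because the peer keeps sending bytes that never match, and the byte limit introduced with match.pattern_limit, illustrated by an added Python example. This is not NSE's match.lua or nmap.receive_buf; the function names and the default limit are this example's own.

```python
"""Added example (not Nmap/NSE code): read from a stream until a delimiter
appears, but stop after a byte limit so an uncooperative peer cannot hang
the caller.  Mirrors the idea of match.pattern_limit, not its code."""
import io


def receive_until(stream, pattern, limit=4096, chunk=512):
    """Return (found, data).  data holds everything consumed; when found is
    True it ends with the first occurrence of pattern.  At most `limit`
    bytes are ever read, so the call terminates even if pattern never
    arrives."""
    buf = b""
    while len(buf) < limit:
        data = stream.read(min(chunk, limit - len(buf)))
        if not data:
            break  # peer closed without sending the pattern
        buf += data
        idx = buf.find(pattern)  # searching buf, not data, catches a split match
        if idx != -1:
            return True, buf[:idx + len(pattern)]
    return False, buf


def receive_from_bytes(data, pattern, limit=4096):
    """Convenience wrapper over an in-memory stream (constructed input)."""
    return receive_until(io.BytesIO(data), pattern, limit)


if __name__ == "__main__":
    # Constructed inputs: a normal banner, and a peer that never sends CRLF.
    print(receive_from_bytes(b"220 mail.example ESMTP\r\nrest", b"\r\n"))
    print(receive_from_bytes(b"x" * 100000, b"\r\n", limit=1024))
```

The unbounded version is the first loop without the `limit` check; against a service that streams endless non-matching data it never returns, which is exactly the hang the changelog entry fixes.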