Re: Nmap 5.10BETA1 released

[Walt Scrivens <walts () gate net>]

Thanks, everyone for all the hard work!

Preliminary results for Mac OS X 10.6.2

svn complained about several unversioned files in libpcap.  At first I ignored the error, but the make gave the 
following errors:
======================
output.cc: In function ‘void printportoutput(Target*, PortList*)’:
output.cc:811: error: ‘class Port’ has no member named ‘owner’
output.cc:814: error: ‘class Port’ has no member named ‘owner’
output.cc:842: error: ‘class Port’ has no member named ‘owner’
output.cc:842: error: ‘class Port’ has no member named ‘owner’
output.cc:843: error: ‘class Port’ has no member named ‘owner’
======================

Totally groping, I deleted the libpcap folder and ran svn up again.  With the updated files, the compile ran smoothly 
and a few test scans worked properly. 
Walt


On Nov 23, 2009, at 3:33 AM, Fyodor wrote:

> Hi folks.  I'm happy to announce our first post-5.00 release!  It
> contains the results of a full five months of work, since the 5.00
> release candidate was branched off in June.  Good work, everybody!
>
> Changes include:
> o 14 new NSE scripts, bringing the total to 72!
>
> o A brand new (much faster and more efficient) --traceroute system
>
> o The Zenmap host filter (Ctrl-L) for drilling down to the exact
>   systems you want to see in a big scan based on the criteria you
>   specify.  For example, type "apache" to see all the hosts running a
>   version of the Apache web server.
>
> o UDP protocol-specific payloads make UDP scanning and host discovery
>   much more effective.
>
> o And more than 100 other significant changes!
>
> With such a massive release, I wouldn't be surprised to find some bugs
> lurking about.  Please give this some serious testing, as I'd like to
> turn it into a stable release in December.  If you find any problems
> or have questions, see the instructions at
> http://nmap.org/book/man-bugs.html.  If the problems are serious, I'll
> build and release 5.10BETA2.
>
> You can download Nmap 5.10BETA1 from the normal location:
>
>  http://nmap.org/download.html
>
> Now here is the giant list of changes in this release (I've tried to
> put the most important ones near the top):
>
> Nmap 5.10BETA1 [2009-11-23]
>
> o Added 14 new NSE scripts for a grand total of 72! You can learn
>  about them all at http://nmap.org/nsedoc/. Here are the new ones:
>
>  o smb-psexec implements remote process execution similar to the
>    Sysinternals' psexec tool (or Metasploit's psexec "exploit"),
>    allowing a user to run a series of programs on a remote machine
>    and read the output. This is great for gathering information about
>    servers, running the same tool on a range of system, or even
>    installing a backdoor on a collection of computers. See
>    http://nmap.org/nsedoc/scripts/smb-psexec.html [Ron]
>
>  o dhcp-discover sends out DHCP probes on UDP/67 and displays all
>    interesting results (or, with verbosity, all results).
>    Optionally, multiple probes can be sent and the MAC address can be
>    randomized in an attempt to exhaust the DHCP server's address pool
>    and potentially create a denial of service condition. See
>    http://nmap.org/nsedoc/scripts/dhcp-discover.html. [Ron]
>
>  o http-enum enumerates URLs used by popular web applications and
>    servers and reports which ones exist on a target web server. See
>    http://nmap.org/nsedoc/scripts/http-enum.html. [Ron, Andrew Orr,
>    Rob Nicholls]
>
>  o ssl-cert retrieves and prints a target server's SSL
>    certificate. See
>    http://nmap.org/nsedoc/scripts/ssl-cert.html. [David]
>
>  o x11-access checks whether access to an X11 server is allowed (as
>    with "xhost +" for example). See
>    http://nmap.org/nsedoc/scripts/x11-access.html. [jlanthea]
>
>  o db2-info enhances DB2 database instance detection. It provides
>    detection when version probes fail, but will default to the
>    version detection probe value if that is more precise. It also
>    detects the server platform and database instance name. The DB2
>    version detection port ranges were broadened to 50000-50025 and
>    60000-60025 as well. See
>    http://nmap.org/nsedoc/scripts/db2-info.html. [Tom]
>
>  o smbv2-enabled checks if the smbv2 protocol is enabled on target
>    servers. SMBv2 has already suffered from at least one major
>    security vulnerability. See
>    http://nmap.org/nsedoc/scripts/smbv2-enabled.html. [Ron]
>
>  o http-favicon obtains the favicon file (/favicon.ico or whatever is
>    specified by the HTML link tag) and tries to identify its source
>    (such as a certain web application) using a database lookup. See
>    http://nmap.org/nsedoc/scripts/http-favicon.html. [Vladz]
>
>  o http-date obtains the Date: header field value from an HTTP server
>    then displays it along with how much it differs from local
>    time. See http://nmap.org/nsedoc/scripts/http-date.html. [David]
>
>  o http-userdir-enum attempts to enumerate users on a system by
>    trying URLs with common usernames in the Apache mod_userdir format
>    (e.g. http://target-server.com/~john). See
>    http://nmap.org/nsedoc/scripts/http-userdir-enum.html. [Jah]
>
>  o pjl-ready-message allows viewing and setting the status message on
>    printers which support the Printer Job Language (many HP printers
>    do). See http://nmap.org/nsedoc/scripts/pjl-ready-message.html.
>    [Aaron Leininger]
>
>  o http-headers performs a GET request for the root folder ("/") of a
>    web server and displays the HTTP headers returned. See
>    http://nmap.org/nsedoc/scripts/http-headers.html. [Ron]
>
>  o http-malware-host is designed to discover hosts that are serving
>    malware (perhaps because they were compromised), but so far it
>    only checks for one specific attack. See
>    http://nmap.org/nsedoc/scripts/http-malware-host.html. [Ron]
>
>  o smb-enum-groups displays a list of groups on the remote system
>    along with their membership (like enum.exe -G). See
>    http://nmap.org/nsedoc/scripts/smb-enum-users.html [Ron]
>
> o Nmap's --traceroute has been rewritten for better performance.
>  Probes are sent in parallel to individual hosts, not just across all
>  hosts as before. Trace consolidation is more sophisticated, allowing
>  common traces to be identified sooner and fewer probes to be sent.
>  The older traceroute could be very slow (taking minutes per target)
>  if the target did not respond to the trace probes, and this new
>  traceroute avoids that. In a trace of 110 hosts in a /24 over the
>  Internet, the number of probes sent dropped 50% from 1565 to 743,
>  and the time taken dropped 92% from 95 seconds to 7.6
>  seconds. Traceroute now uses an ICMP echo request probe if no
>  working probes against the target were discovered during
>  scanning. [David]
>
> o [Zenmap] After performing or loading a scan, you can now filter
>  results to just the hosts you are interested in by pressing Ctrl+L
>  (or the "Filter Hosts" button) to open the host filtering interface.
>  This makes it easy to select just Linux hosts, or those running a
>  certain version of Apache, or whatever interests you. You can easily
>  modify the filter or remove it to see the whole scan again. See
>  http://nmap.org/book/zenmap-filter.html. [Josh Marlow]
>
> o For some UDP ports, Nmap will now send a protocol-specific payload
>  that is more likely to get a response than an empty packet is. This
>  improves the effectiveness of probes to those ports for host
>  discovery, and also makes an open port more likely to be classified
>  open rather than open|filtered. The ports and payloads are defined
>  in payload.cc. The ports that have a payload are 7 (echo),
>  53 (domain), 111 (rpcbind), 123 (ntp), 137 (netbios-ns), 161 (snmp),
>  177 (xdmcp), 500 (isakmp), 520 (route), 1645 and 1812 (radius),
>  2049 (nfs), 5353 (zeroconf), and 10080 (amanda). [David]
>
> o Integrated 1,349 fingerprints (and 81 corrections) submitted by Nmap
>  users! They resulted in 342 new fingerprints (a 17% increase),
>  including Google's Android Linux system for smart phones, Mac OS X
>  10.6 (Snow Leopard), the Chumby, and a slew number of printers, broadband
>  routers, and other devices (40 new vendors). See
>  http://seclists.org/nmap-dev/2009/q4/416 [David]
>
> o [NSE] For all the services which are commonly tunneled over SSL
>  (pop3, http, imap, irc, smtp, etc.), we audited the scripts to
>  ensure they can support that tunneling. The com.tryssl function
>  was added for easy SSL detection. See
>  http://nmap.org/nsedoc/lib/comm.html [Joao]
>
> o Nmap now prefers to display the hostname supplied by the user instead
>  of the reverse-DNS name in most places. If a reverse DNS record
>  exists, and it differs from the user-supplied name, it is printed
>  like this:
>    Nmap scan report for www.google.com (74.125.53.103)
>    rDNS record for 74.125.53.103: pw-in-f103.1e100.net
>  And in XML it looks like:
>  <hostnames>
>    <hostname name="openbsd.org" type="user"/>
>    <hostname name="cvs.openbsd.org" type="PTR"/>
>  </hostnames>
>  Host latency is now printed more often. See
>  http://seclists.org/nmap-dev/2009/q4/199 for a summary of other
>  output changes. [David]
>
> o Ndiff now shows changes in script (NSE) output for each target
>  host (in both text output format and XML). [David]
>
> o We now print output for down hosts, even when doing scanning beyond
>  just a ping scan.  This always prints to XML and grepable output,
>  and is printed to normal and interactive output in verbose mode. The
>  format for printing a down host has changed slightly: "Nmap scan
>  report for 1.1.1.1 [host down]" [David]
>
> o [NSE] Default socket parallelism has been doubled from 10 to 20,
>  which doubles speed in some situations. See
>  http://seclists.org/nmap-dev/2009/q3/161. [Patrick]
>
> o Version detection's maximum socket concurrency has been increased
>  from 10-20 based on timing level to 20-40. This can dramatically
>  speed up version detection when there are many open ports in a host
>  group being scanned. [Fyodor]
>
> o The Nmap source tarball (and RPMs) now included man page
>  translations (16 languages so far). Nmap always installs the English
>  man page, and installs the translations by default. If you only want
>  some of the translations, set the LINGUAS environmental variable to
>  the language codes you are interested in (e.g. "es de"). You can
>  specify the configure option --disable-nls or set LINGUAS to the
>  empty string to avoid installation of any man page translations. The
>  RPM always installs them. [David]
>
> o [NSE] Added a function for scripts to format their output in a
>  consistent way. See
>  http://nmap.org/nsedoc/lib/stdnse.html#format_output. [Ron]
>
> o [NSE] Now supports worker threads so that a single script can
>  perform multiple network operations concurrently. This patch also
>  includes condition variables for synchronization. See
>  http://nmap.org/nsedoc/lib/stdnse.html#new_thread,
>  http://nmap.org/nsedoc/lib/nmap.html#condvar, and
>  http://seclists.org/nmap-dev/2009/q4/294.
>
> o Fixed a problem in which the Nmap installer wrongly reported that
>  the Microsoft Visual C++ 2008 Redistributable Package (vcredist.exe)
>  failed to install. We had to update a registry key--see
>  http://seclists.org/nmap-dev/2009/q3/164. [Jah]
>
> o Added support for connecting to nameservers over IPv6. IPv6 addresses
>  can be used in /etc/resolv.conf or with the --dns-servers option. The
>  parallel reverse DNS resolver still only support IPv4 addresses, but
>  it can look them up over IPv6. [Ankur Nandwani]
>
> o Zenmap now includes ports in the services view whenever Nmap found
>  them "interesting," whatever their state. Previously they were only
>  included if the state was "open", "filtered", or "open|filtered",
>  which led to confusing behavior when a closed port showed up in the
>  Services column but clicking on the service showed no ports in the
>  display. [David]
>
> o [Ncat] Now has configure-time ASCII art just like Nmap does:
>            .       .
>            \`-"'"-'/
>             } 6 6 {
>            ==. Y ,==
>              /^^^\  .
>             /     \  )  Ncat: A modern interpretation of classic Netcat
>            (  )-(  )/
>            -""---""---   /
>           /   Ncat    \_/
>          (     ____
>           \_.=|____E
>
> o [NSE] Added HTTP pipelining support to the HTTP library and and to
>  the http-enum, http-userdir-enum, and sql-injection.nse
>  scripts. Pipelining can increase speed dramatically for scripts
>  which make many requests.
>
> o [NSE] The HTTP library now caches responses from http.get or
>  http.head so that resources aren't requested multiple times during
>  the same Nmap run even if several scripts request them. See
>  http://seclists.org/nmap-dev/2009/q3/733. [Patrick]
>
> o [Ncat, Ndiff] The exit codes of these programs now reflect whether
>  they succeeded. For Ncat, 0 means the connection was successful, 1
>  indicates a network error, and 2 indicates any other error. For
>  Ndiff, 0 means the scans were equal, 1 means they were different,
>  and 2 indicates a runtime error. [David]
>
> o [Ncat] In verbose mode, Ncat now prints the number of bytes read and
>  written after the client connection is terminated. Ncat also now
>  prints elapsed time. For example, "Ncat finished: 16 bytes sent, 566
>  bytes received in 8.05 seconds." [Venkat]
>
> o [NSE] telnet-brute.nse now uses the unpw database instead of a
>  hard coded list. [Ron]
>
> o [NSE] ssl-cert.nse now supports TLS negotiation against SMTP ports
>  that support it. [Tom Sellers, David]
>
> o [NSE] Scripts that are listed by name with the --script option now
>  have their verbosity level automatically increased by one. Many
>  will print negative results ("no infection found") at a higher
>  verbosity level. The idea is that if you ask for a script
>  specifically, you are more interested in such results.
>  [David, Patrick]
>
> o Upgraded our Winpcap installer to use the new WinPcap version 4.1.1.
>  A bug which could prevent proper uninstallation of previous versions
>  was fixed at the same time. Later we made it set some registry keys
>  for compatibility with the official Winpcap project installer (see
>  http://seclists.org/nmap-dev/2009/q4/237). [Rob Nicholls]
>
> o [Ncat] Ncat now prints a message like "Connection refused." by
>  default when a socket error occurs. This used to require -v, but
>  printing no message at all could make a failed connection look like
>  success in a case like
>    ncat remote < short-file
>
> o Zenmap no longer displays down hosts in the GUI. [Josh]
>
> o The Ndiff man page was dramatically improved with examples and
>  sample output. See http://nmap.org/ndiff/man.html.
>  [David]
>
> o [NSE] At debug level 2 or higher (-d2), Nmap now prints all active
>  scripts (running & waiting) and a backtrace whenever a key is
>  pressed. This can be quite helpful in debugging deadlocks and other
>  script/NSE problems. [Patrick]
>
> o Nmap now allows you to specify --data-length 0, and that is now the
>  documented way to disable the new UDP protocol-specific probe
>  payload feature. [David]
>
> o Fixed compilation of our libdnet on Debian GNU/kFreeBSD (patch from
>  Petr Salinger).
>
> o Our Windows packages are now built on Windows 7, though they are
>  32-bit binaries and should continue to work on Win2K and later.
>
> o Fixed a bug that could cause an infinite loop ("Unable to find
>  listening socket in get_rpc_results") in RPC scan. The loop would
>  happen when scanning a port that sent no responses, and there was at
>  least one other port to scan. Thanks to Lionel Cons for reporting
>  the problem. [David]
>
> o [NSE] The dns-zone-transfer and whois script argument table syntax has been
>  improved so you don't need curly braces.
>
> o [NSE] smb-enum-shares.nse now checks whether or not a share is
>  writable by attempting to write a file (and deleting it if it's
>  successful).  Significantly cleaned up the code, as well. [Ron]
>
> o The nselib/data directory is now installed. It was not installed
>  before because of an error in the Makefile. The scripts that would
>  not have worked after installation because they were missing data
>  files are http-enum.nse, http-favicon.nse, http-iis-webdav-vuln.nse,
>  http-userdir-enum.nse, smb-pwdump.nse, pop3-brute.nse,
>  smb-brute.nse, and snmp-brute.nse. [David]
>
> o Upgraded the included libpcap to 1.0.0. [David]
>
> o Optimize MAC address prefix lookup by using an std::map rather than
>  a custom hash table. This increases performance and code simplicity
>  at the cost of some extra memory consumption. In one test, this
>  reduced the time of a single target ARP ping scan from 0.59 seconds
>  to 0.13. [David]
>
> o Added -Pn and -sn as aliases for -PN and -sP, respectively. They
>  will eventually become the recommended and documented way to disable
>  host discovery (ping scanning) and port scanning. They are more
>  consistent and also match the existing -n option for disabling
>  reverse DNS resolution. [David]
>
> o Fixed an error in the handling of exclude groups that used IPv4
>  ranges. Si Stransky reported the problem and provided a number of
>  useful test cases in http://seclists.org/nmap-dev/2009/q4/276. The
>  error caused various assertion failures along the lines of
>    TargetGroup.cc:465: int
>    TargetGroup::get_next_host(sockaddr_storage*, size_t*):
>    Assertion `ipsleft > 1' failed.
>  [David]
>
> o [NSE] Improved the authentication used by the smb-* scripts. Instead of 
>  looking in a bunch of places (registry, command-line, etc) for the
>  usernames/passwords, a table is kept. This lets us store any number
>  of accounts for later use, and remove them if they stop working. This
>  also fixes a bug where typing in a password incorrectly would lock
>  out an account (since it wouldn't stop trying the account in question). 
>  [Ron]
>
> o Removed IP ID matching in packet headers returned in ICMP errors.
>  This was already the case for some operating systems that are known
>  to mangle the IDs of sent IP packets. Requiring such a match could
>  occasionally cause valid replies to be ignored. See
>  http://seclists.org/nmap-dev/2009/q2/580 for an example of host
>  order affecting scan results due to this phenomenon. [David]
>
> o [NSE] The HTTP library now handles chunked transfer decoding more
>  robustly. See http://seclists.org/nmap-dev/2009/q3/13 [David]
>
> o [NSE] Unexpected error messages from scripts now include the target
>  host and port number. [David]
>
> o [NSE] Fixed many libraries which were inappropriately using global
>  variables, meaning that multiple scripts running concurrently could
>  overwrite each others values. NSE now automatically checks for this
>  problem at runtime, and we have a static code checker
>  (check_globals) available as well. See this whole thread
>  http://seclists.org/nmap-dev/2009/q3/70. [Patrick]
>
> o Added some additional matching rules to keep a reply to a SYN probe
>  from matching an ACK probe to the same port, or vice versa, in ping
>  scans that include both scan types. Such a mismatch could cause an
>  ineffective timing ping or traceroute probe to be selected. [David]
>
> o [Zenmap] There is a new command-line option, --confdir, which sets
>  the per-user configuration directory. Its value defaults to
>  $HOME/.zenmap. This was suggested by Jesse McCoppin. [David]
>
> o Open bpf devices in read/write mode, not read-only, in libdnet on
>  BSD. This is to work around a bug in Mac OS X 10.6 that causes
>  incoming traffic to become invisible. [David]
>
> o "make install" now removes from the Nmap script directory some
>  scripts which only existed in previous versions of Nmap but weren't
>  deleted during upgrades. [David]
>
> o [NSE] Added the reconnect_ssl method for sockets. We sometimes need
>  to reconnect a socket with SSL because the initial communication on
>  the socket is done without SSL. See this thread for more details:
>  http://seclists.org/nmap-dev/2009/q4/3 [Patrick, Tom Sellers]
>
> o [Zenmap] Fixed a crash that could occur when entering certain
>  characters in the target entry (those whose UTF-8 encoding contains
>  a byte that counts as whitespace in the Windows locale):
>    File "zenmapGUI\ScanNotebook.pyo", line 184, in _target_entry_changed
>    File "zenmapCore\NmapOptions.pyo", line 719, in render_string
>    UnicodeDecodeError: 'utf8' codec can't decode byte 0xc3 in position 1:
>      unexpected end of data
>  For more details on this curious problem, see
>  http://seclists.org/nmap-dev/2009/q4/82 [David]
>
> o [NSE] There is a new function, nmap.bind, to set the source address
>  of a socket. [David]
>
> o [Nsock] Made it a fatal error instead of silent memory corruption
>  when an attempt is made to use a file descriptor whose number is not
>  less than FD_SETSIZE. This applies only on non-Windows platforms
>  where FD_SETSIZE is a limit on the value of file descriptors as well
>  as a limit on the number of descriptors in the set. The error will
>  look like
>    nsock_core.c:186: Attempt to FD_SET fd 1024, which is not less
>    than FD_SETSIZE (1024). Try using a lower parallelism.
>  Thanks to Brandon Enright for discovering the problem and much help
>  debugging it, and to Jay Fink for submitting an initial patch. [David]
>
> o [Ncat] Fixed proxy connections in connect mode on Windows. Because
>  the dup function does not work on Windows, an assertion failure
>  would be raised reading
>    (fh >= 0 && (unsigned)fd < (unsigned)_nhandle)
>  [David]
>
> o [Ncat] Fixed the combination of --max-conns and --exec on Windows.
>  The count of connected clients was not decreased when the program
>  spawned by --exec finished. With --max-conns 5, for example, no more
>  connections would be allowed after the fifth, even if some of the
>  earlier ones had ended. Jon Greaves reported the problem and Venkat
>  contributed a patch.
>
> o [Ncat] The code that manages the count of connected clients has been
>  made robust with respect to signals. The code was contributed by
>  Solar Designer.
>
> o The files read by the -iL (input from file) and --excludefile
>  options now support comments that start with # and go to the end of
>  the line. [Tom Sellers]
>
> o [Zenmap] On Windows, Zenmap no longer uses the cmd.exe shell to run
>  Nmap sub-processes. This means that canceling a scan will kill the
>  Nmap process as it does on other platforms (previously it would just
>  kill the shell). It also means that that scanning will work as a
>  user whose name contains characters like '&' that are significant to
>  the shell.  Mike Crawford and Nick Marsh reported bugs related to
>  this. [David]
>
> o [NSE] All scripts (except for those in "version" or "demo"
>  categories) are now classified in either the "safe" or "intrusive"
>  categories, based on how likely they are to cause problems when run
>  against other machines on the network. Those classifications already
>  existed, but weren't used consistently. [Fyodor]
>
> o Added a check for a SMBv2 vulnerability (CVE-2009-3103) to
>  smb-check-vulns. Due to its nature (it performs a DoS, then checks
>  if the system is still online), the script isn't run by default and
>  requires a special script-arg to work. See
>  http://nmap.org/nsedoc/scripts/smb-check-vulns.html. [Ron]
>
> o Fixed an integer overflow in uptime calculation which could occur
>  when a target with a low TCP timestamp clock frequency uses large
>  timestamp values, such that a naive uptime calculation shows a boot
>  time before the epoch. Also fixed a printf format specifier mismatch
>  that was revealed by the bug. Toby Simmons reported the problem and
>  helped with the fix.  [David]
>
> o [NSE] The HTTP library now supports HTTP cookies. [Joao Correa]
>
> o Fixed a compile error on NetBSD. It was
>    tcpip.cc:2948: error: pointer of type 'void *' used in arithmetic
>  Thanks to Jay Fink for reporting the problem and submitting a patch.
>
> o [Zenmap] If you have any hosts or services selected, they will
>  remain selected after aggregating another scan or running a filter
>  (as long as they are still up and visible). Previously the selection
>  was lost whenever the scan inventory was changed. This is
>  particularly important due to the new host filter system. [David]
>
> o [Zenmap] New translation: Russian (contributed by Alexander Khodyrev).
>  Updated translations: French and German.
>
> o Nmap now generates IP addresses without duplicates (until you cycle
>  through all the allowed IPs) thanks to a new collision-free 32-bit
>  number generator in nbase_rnd.c. See
>  http://seclists.org/nmap-dev/2009/q3/695 [Brandon]
>
> o There is a new OS detection pseudo-test, SCAN.DC, which records how
>  the network distance in SCAN.DS was calculated. Its value can be "L"
>  for localhost, "D" for a direct connection, "I" for an ICMP TTL
>  calculation, and "T" for a traceroute hop count. This is mainly for
>  the benefit of OS integration, when it is sometimes important to
>  distinguish between DS=1%DC=I (probably the result of forged TTLs)
>  and DS=1%DC=D (a true one-hop connection.) [David]
>
> o Canonicalized the list of OS detection device types to a smaller set
>  with descriptions: http://nmap.org/svn/docs/device-types.txt.
>  [David, Fyodor, Doug]
>
> o [Ncat] The --idle-timeout option now exits when *both* stdin and the
>  socket have been idle for the given time. Previously it would exit
>  when *either* of them had been idle, meaning that the program would
>  quit contrary to your expectation when downloading a large file
>  without sending anything, for example. [David]
>
> o [Ncat] Ncat now always prefixes its own output messages with "Ncat: "
>  or "NCAT DEBUG: " to make it clear that they are not coming from the
>  remote host. This only matters when output goes to a terminal, where
>  the standard output and standard error streams are mixed. [David]
>
> o Nmap's Nbase library now has a new hexdump() function which produces
>  output similar to Wireshark. nmap_hexdump() is a wrapper which
>  prints the output using Nmap's log_write facility. The old hdump()
>  and lamont_dump() functions have been removed. [Luis]
>
> o Added explicit casts to (int)(unsigned char) for arguments to ctype function
>  calls in nmap, ncat and nbase.  Thanks to Solar Designer for pointing out
>  the need and fix for this. [Josh]
>
> o Ncat now supports wildcard SSL certificates.  The wildcard character
>  (*) can be in commonname field or in DNS field of Subject
>  Alternative Name(SAN) Extension of SSL certificate.  Matching Rules:
>  -'*' should be only on the leftmost component of FQDN.(*.example.com
>     but not www.*.com or www.example*.com).
>  -The leftmost component should contain only '*' and it should be
>     followed by '.'(*.example.com but not *w.example.com or
>     w*.example.com).
>  -There should be at least three components in FQDN.(*.exmaple.com but
>     not *.com or *.com.).[venkat]
>
> o Nmap now handles the case when a primary network interface (venet0)
>  does not have an address assigned but its aliases do (venet0:1
>  etc.). This could result in the error messages
>    Failed to find device venet0 which was referenced in /proc/net/route
>    Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned
>  This was observed under OpenVZ. [Dmitry Levin]
>
> o [Ncat] The --ssl-cert, --ssl-key, and --ssl-trustfile options now
>  automatically turn on SSL mode. Previously they were ignored if
>  --ssl was not also used. [David]
>
> o [Nsock] Now Nsock supports pure TLSv1 and SSLv3 servers in addition
>  to the (already supported and far more common) SSLv2 and SSLv23
>  servers.  Ncat currently never uses SSLv2 for security reasons, so
>  it is unaffected by this change.
>
> o [Ncat] Implemented basic SCTP client functionality (server already
>  exists).  Only the default SCTP stream is used.  This is also called
>  TCP compatible mode.  While it allows Ncat to be used for manually
>  probing open SCTP ports, more complicated services making use of
>  multiple streams or depending on specific message boundaries cannot
>  be talked to successfully.  [Daniel Roethlisberger]
>
> o [Ncat] Implemented SSL over SCTP in both client (connect) and server
>  (listen) modes. [Daniel Roethlisberger]
>
> o Nmap now filters received ARP packets based on their target address
>  address field, not the destination address in the enclosing ethernet
>  frame. Some operating systems, including Windows 7 and Solaris 10,
>  are known to at least sometimes send their ARP replies to the
>  broadcast address and Nmap wouldn't notice them. The symptom of this
>  was that root scans wouldn't work ("Host seems down") but non-root
>  scans would work. Thanks to Mike Calmus and Vijay Sankar for
>  reporting the problem, and Marcus Haebler for suggesting the
>  fix. [David]
>
> o The -fno-strict-aliasing option is now used unconditionally when
>  using GCC. It was already this way, in effect, because a test
>  against the GCC version number was reversed: <= 4 rather than >= 4.
>  Solar Designer reported the problem.
>
> o Nmap now prints a warning instead of a fatal error when the hardware
>  address of an interface can't be found. This is the case for
>  FireWire interfaces, which have a hardware address format not
>  supported by libdnet. Thanks to Julian Berdych for the bug report.
>  [David]
>
> o Zenmap's UI performance has improved significantly thanks to
>  optimization of the update_ui() function. In particular, this speeds
>  up the new host filter system. [Josh]
>
> o Add a service probe for DNS-based service discovery (DNS-SD). See
>  http://seclists.org/nmap-dev/2009/q3/0610.html. [David]
>
> o Made RPC grinding work from service detection again by changing the
>  looked-for service name from "rpc" to "rpcbind", the name it has in
>  nmap-service-probes. Also removed some dead code. [David]
>
> o Fixed a log_write call and a pfatal call to use a syntax which is
>  safer from format strings bugs.  This allows Nmap to build with the
>  gcc -Wformat -Werror=format-security options. [Guillaume Rousse,
>  Dmitry Levin]
>
> o A bug in Nsock was fixed: On systems where a non-blocking connect
>  could succeed immediately, connections that were requested to be
>  tunneled through SSL would actually be plain text. This could be
>  verified with an Ncat client and server running on localhost. This
>  was observed to happen with localhost connections on FreeBSD 7.2.
>  Non-localhost connections were likely not affected. The bug was
>  reported by Daniel Roethlisberger. [David]
>
> o Ncat proxy now hides the proxy's response ("HTTP/1.0 200 OK" or
>  whatever it may be). Before, if you retrieved a file through a
>  proxy, it would have the "HTTP/1.0 200 OK" stuck to the top of
>  it. For this Ncat uses blocking sockets until the proxy negotiation
>  is done and once it is successful, Nsock takes over for rest of the
>  connection.[Venkat]
>
> o [NSE] socket garbage collection was rewritten for better performance
>  and to ensure that socket slots are immediately available to others
>  after a socket is closed.  See
>  http://seclists.org/nmap-dev/2009/q2/0624.html. [Patrick]
>
> o [NSE] Fixed a rare but possible segfault which could occur if the
>  nsock binding attempted to push values on the stack of a thread
>  which had already ended due to an error, and if that internal Lua
>  stack was already completely full. This bug is very hard to
>  reproduce with a SEGFAULT but is usually visible when Lua assertion
>  checks are turned on. A socket handler routine must be called AFTER
>  a thread has ended in error. [Patrick]
>
> o [Ncat] Fixed an error that would cause Ncat to use 100% CPU in
>  broker mode after a client disconnected or a read error happened.
>  [Kris, David]
>
> o [NSE] --script-args may now have whitespace in unquoted strings (but
>  surrounding whitespace is ignored). For example,
>  --script-args 'greeting = This is a greeting' Becomes: 
>  { ["greeting"] = "This is a greeting" } [Patrick]
>
> o [Ncat] Using --send-only in conjunction with the plain listen or
>  broker modes now behaves as it should: nothing will be read from the
>  network end.  Ncat previously read and discarded any data
>  received. [Kris]
>
> o [Nsock] Added a socket_count abstraction that counts the number of
>  read or write events pending on a socket, for the purpose of
>  maintaining an fd_set. The bit is set in the fd_set whenever the
>  count is positive, and cleared when it is zero. The reason for doing
>  this was that write bits were not being properly cleared when using
>  Ncat with SSL in connect mode, such that a client send would cause
>  Ncat to use 100% CPU until it received something from the
>  server. See the thread at
>  http://seclists.org/nmap-dev/2009/q2/0413.html. This change will
>  also make it easier to use a different back end than select in the
>  future. [David]
>
> o [Nsock] Added compilation dependency generation (makefile.dep)
>  [David]
>
> o [Ncat] The --broker option now automatically implies --listen. [David]
>
> o Fixed a logic error in getinterfaces_siocgifconf. The check for
>  increasing the capacity of the list of interfaces was off by
>  one. This caused a crash on initialization for systems with more
>  than 16 network interfaces. [David]
>
> o Added Apache JServe protocol version detection probe and signatures
>  and some some other nmap-service-probes patches. [Tom Sellers]
>
> o Fixed two memory leaks in ncat_posix.c and a bug where an open file was not
>  being closed in libdnet-stripped/src/intf.c [Josh Marlow]
>
> o [Zenmap] Added profile editor support for the Nmap SCTP options:
>  -PY, -sY and -sZ. [Josh Marlow]
>
> o Fixed a bug in --data-length parsing which in some cases could
>  result in useless buffer allocations and unpredictable payload
>  lengths. See http://seclists.org/nmap-dev/2009/q2/0763.html [Luis]
>
> o The configure script now allows cross-compiling by assuming that
>  libpcap is recent enough to use rather than trying to compile and
>  run a test program. Libpcap will always be recent enough when Nmap's
>  included copy is used. [Mike Frysinger]
>
> o Updated the IANA assignment IP list for random IP (-iR)
>  generation. The Mac OS prefix file was updated as
>  well. [Kris, Fyodor]
>
> o [Zenmap] Fix a bug which could cause a crash in the (very rare) case
>  where Nmap would produce port tags in XML output without a state
>  attribute. [David]
>
> o Added a convenience top-level BSDmakefile which automatically
>  redirects BSD make to GNU make on BSD systems. The Nmap Makefile
>  relies on numerous GNU Make extensions. [Daniel Roethlisberger]
>
>
> Enjoy the new release!
> -Fyodor
> _______________________________________________
> Sent through the nmap-dev mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-dev
> Archived at http://seclists.org/nmap-dev/

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/