Nmap Development mailing list archives

Nmap 5.61TEST2 released - IPv6 OS detection, CPE, 30 more scripts, and more!


From: Fyodor <fyodor () insecure org>
Date: Fri, 30 Sep 2011 11:45:18 -0700

Hi Folks!  Thanks to your IPv6 OS detection submissions, we've been
able to incorporate them into the new machine learning system and
enable IPv6 OS detection.  So if you scan your submitted machines
again, they should now be properly identified in Nmap output.

Of course the DB is still small, so if you get a fingerprint printed
by Nmap, please do submit it.  Also, if the reported OS version is
wrong (even just by a minor version number), please submit a
correction at http://insecure.org/cgi-bin/submit.cgi?corr-os.
Corrections are particularly important for this new machine learning
system.

Also, we spent some time working on Solaris 10 SPARC support.  If
anyone is able to test on that platform, please send a report to the
list.  David did a bunch of AIX 6.1 and 7.1 work too.  So proprietary
UNIX gets some love for this release.

Also, including the features from the informal 5.61TEST1 release a
week and a half ago, this release includes 30 new NSE scripts, CPE
output, IPv6 neighbor discovery ping, hundreds of new IPv4 OS
fingerprints, and much more.

You can download 5.61TEST2 at the normal place:

http://nmap.org/download.html

Here are the CHANGELOG entries for 5.61TEST2 and 5.61TEST1 (which
didn't have a comprehensive CHANGELOG when it was released):

Nmap 5.61TEST2 [2011-09-30]

o Added IPv6 OS detection system! The new system utilizes many tests
  similar to IPv4, and also some IPv6-specific ones that we found to
  be particularly effective. And it uses a machine learning approach
  rather than the static classifier we use for IPv4. We hope to move
  some of the IPv6 innovations back to our IPv4 system if they work
  out well. The database is still very small, so please submit any
  fingerprints that Nmap gives you to the specified URL (as long as
  you are certain that you know what the target system is
  running). Usage and results output are basically the same as with
  IPv4, but we will soon document the internal mechanisms at
  http://nmap.org/book/osdetect.html, just as we have for IPv4. For an
  example, try "nmap -6 -O scanme.nmap.org". [David, Luis]

o [NSE] Added 3 scripts, bringing the total to 246!  You can learn
  more about them at http://nmap.org/nsedoc/. Here they are (authors
  listed in brackets):

  + lltd-discovery uses the Microsoft LLTD protocol to discover hosts
    on a local network. [Gorjan Petrovski]

  + ssl-google-cert-catalog queries Google's Certificate Catalog for
    the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]

  + quake3-info extracts information from a Quake3-like game
    server. [Toni Ruottu]

o Improved AIX support for raw scans. This includes some patches
  originally written by Peter O'Gorman and Florian Schmid. It also
  involved various build fixes found necessary on AIX 6.1 and 7.1. See
  http://nmap.org/book/inst-other-platforms.html. [David]

o Fixed Nmap so that it again compiles and runs on Solaris 10,
  including IPv6 support. [David]

o [NSE] Moved our brute force authentication cracking scripts
  (*-brute) from the "auth" category into a new "brute"
  category. Nmap's brute force capabilities have grown tremendously!
  You can see all 32 of them at
  http://nmap.org/nsedoc/categories/brute.html.  It isn't clear
  whether dns-brute should be in the brute category, so for now it
  isn't. [Fyodor]

o Made the interface gathering loop work on Linux when an interface
  index is more than two digits in /proc/sys/if_inet6. Joe McEachern
  tracked down the problem and provided the fix.

o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always returns two values
  (status, response) and replaced the workaround in asn-query.nse by the proper
  use. [Henri]

o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
  Patch by Sebastian Dragomir.

o Updated nmap-mac-prefixes to include the latest IEEE assignments
  as of 2011-09-29.

Nmap 5.61TEST1 [2011-09-19]

o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
  output for OS and service versions. This is a standard way of
  identifying operating systems and applications so that Nmap can
  better interoperate with other software. Nmap's own (generally more
  comprehensive) taxonomy/classification system is still supported as
  well. Some OS and version detection results don't have CPE entries
  yet. CPE entries show up in normal output with the headings "OS
  CPE:" and "Service Info:":
    OS CPE: cpe:/o:linux:kernel:2.6.39
    Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
  These also appear in XML output, which additionally has CPE entries
  for service versions. [David, Henri]
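As an added example (not part of this release or of Nmap's own code), here is a Python script that pulls the CPE entries out of Nmap XML output and splits each one into its components, which is the step needed before a scan can be matched against an advisory's CPE names. The XML fragment is constructed in the shape Nmap emits, not a real scan.

```python
import xml.etree.ElementTree as ET

# Constructed fragment in the shape of Nmap's XML output (not a real scan):
# <cpe> elements sit under <osclass> (OS detection) and <service> (version
# detection).
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" version="5.61TEST2">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <service name="ssh" product="OpenSSH" version="5.8p1" ostype="Linux">
          <cpe>cpe:/a:openbsd:openssh:5.8p1</cpe>
          <cpe>cpe:/o:linux:kernel</cpe>
        </service>
      </port>
    </ports>
    <os>
      <osmatch name="Linux 2.6.39" accuracy="100">
        <osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X">
          <cpe>cpe:/o:linux:kernel:2.6.39</cpe>
        </osclass>
      </osmatch>
    </os>
  </host>
</nmaprun>
"""

# Component order of a CPE 2.2 URI: cpe:/part:vendor:product:version:update:edition:language
CPE_FIELDS = ("part", "vendor", "product", "version", "update", "edition", "language")


def parse_cpe(uri):
    """Split a CPE 2.2 URI such as 'cpe:/o:linux:kernel:2.6.39' into a dict.
    Components Nmap leaves off the end (update, edition, ...) become ''."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    parts = uri[len("cpe:/"):].split(":")
    if len(parts) > len(CPE_FIELDS) or parts[0] not in ("o", "a", "h"):
        raise ValueError("malformed CPE: %r" % uri)
    parts += [""] * (len(CPE_FIELDS) - len(parts))
    return dict(zip(CPE_FIELDS, parts))


def extract_cpes(xml_text):
    """Return (host address, origin, cpe dict) triples for every <cpe> in the
    scan; origin is 'os' for OS matches or 'tcp/22'-style for services."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for cpe in host.findall("./os/osmatch/osclass/cpe"):
            found.append((addr, "os", parse_cpe(cpe.text)))
        for port in host.findall("./ports/port"):
            origin = "%s/%s" % (port.get("protocol"), port.get("portid"))
            for cpe in port.findall("./service/cpe"):
                found.append((addr, origin, parse_cpe(cpe.text)))
    return found


def hosts_running(found, vendor, product):
    """Addresses whose OS or a service matches a vendor/product pair, e.g. to
    cross-reference a scan against the CPE names in a vulnerability advisory."""
    return sorted({addr for addr, _, c in found
                   if c["vendor"] == vendor and c["product"] == product})
```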

o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
  ARP scan. It is the default ping type for local IPv6 networks.
  [Weilin]

o Integrated your latest (IPv4) OS detection submissions and
  corrections until June 22. New fingerprints include Linux 3, FreeBSD
  9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
  3,308 fingerprints. See
  http://seclists.org/nmap-dev/2011/q3/556. Please keep those
  fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
  well as service fingerprints, plus corrections of all types if Nmap
  guesses wrong.

o [NSE] Added 27 scripts, bringing the total to 243!  You can learn
  more about any of them at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + address-info shows extra information about IPv6 addresses, such as
    embedded MAC or IPv4 addresses when available. [David Fifield]

  + bittorrent-discovery discovers bittorrent peers sharing a file
    based on a user-supplied torrent file or magnet link. [Gorjan
    Petrovski]

  + broadcast-db2-discover attempts to discover DB2 servers on the
    network by sending a broadcast request to port 523/udp. [Patrik
    Karlsson]

  + broadcast-dhcp-discover sends a DHCP request to the broadcast
    address (255.255.255.255) and reports the results. [Patrik
    Karlsson]

  + broadcast-listener sniffs the network for incoming broadcast
    communication and attempts to decode the received packets. It
    supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and
    a few more. [Patrik Karlsson]

  + broadcast-ping sends broadcast pings on a selected interface using
    raw ethernet packets and outputs the responding hosts' IP and MAC
    addresses or (if requested) adds them as targets. [Gorjan
    Petrovski]

  + cvs-brute performs brute force password auditing against CVS
    pserver authentication. [Patrik Karlsson]

  + cvs-brute-repository attempts to guess the name of the CVS
    repositories hosted on the remote server.  With knowledge of the
    correct repository name, usernames and passwords can be
    guessed. [Patrik Karlsson]

  + ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4
    backdoor reported on 2011-07-04 (CVE-2011-2523). This script
    attempts to exploit the backdoor using the innocuous 'id' command
    by default, but that can be changed with the 'exploit.cmd' or
    'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]

  + ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in
    the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal
    Harouni]

  + http-awstatstotals-exec exploits a remote code execution
    vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other
    products based on it (CVE: 2008-3922). [Paulino Calderon]

  + http-axis2-dir-traversal exploits a directory traversal
    vulnerability in Apache Axis2 version 1.4.1 by sending a specially
    crafted request to the parameter 'xsd' (OSVDB-59001). By default
    it will try to retrieve the configuration file of the Axis2
    service '/conf/axis2.xml' using the path '/axis2/services/' to
    return the username and password of the admin account. [Paulino
    Calderon]

  + http-default-accounts tests for access with default credentials
    used by a variety of web applications and devices. [Paulino
    Calderon]

  + http-google-malware checks if hosts are on Google's blacklist of
    suspected malware and phishing servers. These lists are constantly
    updated and are part of Google's Safe Browsing service. [Paulino
    Calderon]

  + http-joomla-brute performs brute force password auditing against
    Joomla web CMS installations. [Paulino Calderon]

  + http-litespeed-sourcecode-download exploits a null-byte poisoning
    vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to
    retrieve the target script's source code by sending a HTTP request
    with a null byte followed by a .txt file extension
    (CVE-2010-2333). [Paulino Calderon]

  + http-vuln-cve2011-3192 detects a denial of service vulnerability
    in the way the Apache web server handles requests for multiple
    overlapping/simple ranges of a page. [Duarte Silva]

  + http-waf-detect attempts to determine whether a web server is
    protected by an IPS (Intrusion Prevention System), IDS (Intrusion
    Detection System) or WAF (Web Application Firewall) by probing the
    web server with malicious payloads and detecting changes in the
    response code and body. [Paulino Calderon]

  + http-wordpress-brute performs brute force password auditing
    against Wordpress CMS/blog installations. [Paulino Calderon]

  + http-wordpress-enum enumerates usernames in Wordpress blog/CMS
    installations by exploiting an information disclosure
    vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and
    3.2-beta2 and possibly others. [Paulino Calderon]

  + imap-brute performs brute force password auditing against IMAP
    servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
    authentication. [Patrik Karlsson]

  + smtp-brute performs brute force password auditing against SMTP
    servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
    authentication. [Patrik Karlsson]

  + smtp-vuln-cve2011-1764 checks for a format string vulnerability in
    the Exim SMTP server (version 4.70 through 4.75) with DomainKeys
    Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]

  + targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to
    the all-nodes link-local multicast address (ff02::1) to discover
    responsive hosts on a LAN without needing to individually ping
    each IPv6 address. [David Fifield, Xu Weilin]

  + targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an
    invalid extension header to the all-nodes link-local multicast
    address (ff02::1) to discover (some) available hosts on the
    LAN. This works because some hosts will respond to this probe with
    an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]

  + targets-ipv6-multicast-slaac performs IPv6 host discovery by
    triggering stateless address auto-configuration (SLAAC). [David
    Fifield, Xu Weilin]

  + xmpp-brute performs brute force password auditing against XMPP
    (Jabber) instant messaging servers. [Patrik Karlsson]
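An added example, my own Python and not the address-info script or any other code from this release: it decodes the two things address-info reports that the targets-ipv6-multicast-slaac entry also depends on, the modified EUI-64 interface identifier that SLAAC derives from a MAC address (so an address can reveal the hardware behind it), and the IPv4 addresses embedded in IPv4-mapped, 6to4 and Teredo addresses. The sample addresses are constructed from documentation ranges and the Teredo example in RFC 4380; the 6to4 and Teredo decoders are the standard library's.

```python
import ipaddress

# Constructed sample addresses (documentation ranges, not real hosts).
SAMPLES = {
    "fe80::211:22ff:fe33:4455": "SLAAC link-local with EUI-64 IID",
    "::ffff:192.0.2.1": "IPv4-mapped",
    "2002:c000:201::1": "6to4",
    "2001:0:4136:e378:8000:63bf:3fff:fdd2": "Teredo (RFC 4380 example)",
    "2001:db8::1": "nothing embedded",
}


def mac_from_eui64(addr):
    """Recover the MAC embedded in a modified EUI-64 interface identifier,
    the form SLAAC uses without privacy extensions (RFC 4291, Appendix A).
    Returns None when the 0xfffe marker is absent from the low 64 bits."""
    iid = ipaddress.IPv6Address(addr).packed[8:]
    if iid[3:5] != b"\xff\xfe":
        return None
    mac = bytearray(iid[0:3] + iid[5:8])
    mac[0] ^= 0x02  # undo the universal/local bit flip
    return ":".join("%02x" % octet for octet in mac)


def embedded_ipv4(addr):
    """Return (encoding, IPv4Address) for transition-mechanism addresses that
    carry an IPv4 address, else None. Decoding is done by the stdlib."""
    a = ipaddress.IPv6Address(addr)
    if a.ipv4_mapped is not None:
        return ("ipv4-mapped", a.ipv4_mapped)
    if a.sixtofour is not None:
        return ("6to4", a.sixtofour)
    if a.teredo is not None:
        server, client = a.teredo  # client bits are XORed with 0xffffffff on the wire
        return ("teredo", client)
    return None


def address_info(addr):
    """Dict of what the address reveals: a hardware MAC and/or an embedded
    IPv4 address. An empty dict means nothing was recoverable."""
    info = {}
    mac = mac_from_eui64(addr)
    if mac:
        info["mac"] = mac
    v4 = embedded_ipv4(addr)
    if v4:
        info["ipv4_encoding"], info["ipv4"] = v4[0], str(v4[1])
    return info


if __name__ == "__main__":
    for addr, what in SAMPLES.items():
        print("%-38s %-34s %s" % (addr, what, address_info(addr) or "-"))
```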

o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and
  Babak Farroki for researching fixes.

o [NSE] The script arguments which start with a script name
  (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
  unqualified arguments as well (hostname, maxfiles). This lets you
  use the generic version ("hostname") when you want to affect
  multiple scripts, while using the qualified version to target
  individual scripts. If both are specified, the qualified version
  takes precedence for that particular script. This works for library
  script arguments too (e.g. you can specify 'timelimit' rather than
  unpwdb.timelimit). [Paulino]

o [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to
  remove the epic fail known as DigiNotar.

o Nmap now defers options parsing until it has read through all the
  command line arguments.  This removes the few remaining cases where
  option order mattered (for example, IPv6 users previously had to
  specify -6 before -S). [Shinnok]

o [NSE] Added a new default credential list for Oracle databases and
  modified the oracle-brute script to make use of it. [Patrik]

o [NSE] Our Packet library (packet.lua) now handles IPv6. This is used
  by the new multicast IPv6 host discovery scripts
  (targets-ipv6-*). [Weilin]

o [NSE] Replaced xmpp.nse with an overhauled version named
  xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]

o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and
  removed redundant multiple listings of the NULL compressor.
  [Matt Selsky]

o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse.
  [Gabriel Lawrence]

o [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from
  displaying any output unless run in debug mode. [Patrik]

o [NSE] Added 4 more protocol libraries. You can learn more about any
  of them at http://nmap.org/nsedoc/. Here are the new ones (authors
  listed in brackets):

  + bittorrent supports the BitTorrent file sharing protocol [Gorjan
    Petrovski]

  + cvs includes support for the Concurrent Versions System (CVS)
    [Patrik Karlsson]

  + sasl provides common code for "Simple Authentication and Security
    Layer" to services supporting it. The algorithms supported by the
    library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal
    Harouni, Patrik Karlsson]

  + xmpp handles XMPP (Jabber) IM servers [Patrik Karlsson]

o [NSE] Removed the mac-geolocation script, which relied on a Google
  database to determine strikingly accurate GPS coordinates for
  anyone's wireless access points (based on their MAC address).  It
  was very powerful.  Perhaps Google decided it was too powerful, as
  they discontinued the service before our script was even 2 months
  old.

o [Ncat] Added an --append-output option which, when used along with
  -o and/or -x, prevents clobbering (truncating) an existing
  file. [Shinnok]

o Fixed RPC scan (part of -sV) to work on the 64-bit machines where
  "unsigned long" is 8 bytes rather than 4.  We now use the more
  portable u32 in the code. [David]

o [NSE] Moved some scripts into the default category: giop-info,
  vnc-info, ncp-serverinfo, smb-security-mode, and
  afp-serverinfo. [Djalal]

o Relaxed the XML DTD to allow validation of files where the verbosity
  level changed during the scan.  Also made a service confidence of 8
  (used when tcpwrapped) or any other number between 0 and 10
  legal. [Daniel Miller]

o [NSE] Fixed authentication problems in the TNS library that would prevent
  authentication from working against Oracle 11.2.0.2.0 XE [Chris Woodbury]

o [NSE] Added basic query support to the Oracle TNS library so that scripts
  can now make SQL queries against database servers.  Also improved
  support for 64-bit database servers and improved the documentation. [Patrik]

o Removed some restrictions on probe matching that, for example,
  prevented a RST/ACK reply from being recognized in a NULL scan. This
  was found and fixed by Matthew Stickney and Joe McEachern.

o Rearranged some character classes in service matches to avoid any
  that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
  discovered this error caused by one of the match lines:
    InitMatch: illegal regexp: POSIX collating elements are not supported
  [Daniel Miller]

o [NSE] Added more than 100 new signatures to http-enum (many for
  known vulnerabilities). They are in the categories: general,
  attacks, cms, security, management and database [Paulino]

o [NSE] Updated account status text in brute force password discovery 
  scripts in an effort to make the reporting more consistent across
  all scripts.  This will have an impact on any code that parses these
  values.  [Tom Sellers]

o Nmap now includes the Liblinear library for large linear
  classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We
  are using it for the upcoming IPv6 OS detection system, and (if that
  works out well) may eventually use it for IPv4 too.  It uses a
  three-clause BSD license.

o [NSE] Better error messages (including a traceback) are now provided
  when script loading fails. [Patrick]

o [Zenmap] Prevent Zenmap from deleting ports when merging scans
  results based on newer scans which did not actually scan the ports
  in question. Additionally Zenmap now only updates ports with new
  information if the new information uses the same protocol--not just
  the same port number. [Colin Rice]

o [Ncat] Fixed a crash which would occur when --ssl-verify is combined
  with -vvv on windows. [Colin Rice]

o [Nping] Added new --safe-payloads option for echo mode which causes
  returned packet payloads to be zeroed to reduce privacy risks if
  Nping echo server was to accidentally (or through malicious intent)
  return a packet which wasn't sent by the Nping echo client.  We hope
  to soon make this behavior the default. [Luis]

o Fixed a bug that would make Nmap segfault if it failed to open an
  interface using pcap. The bug details and patch are posted at
  http://seclists.org/nmap-dev/2011/q3/365 [Patrik]

o Ncat SCTP mode now supports connection brokering 
  (--sctp --broker). [Shinnok]

o Consolidated a bunch of duplicate code between Ncat's listen
  (ncat_listen.c) and broker (ncat_broker.c) modes to ease
  maintenance. [Shinnok]

o Added a 'nostore' nse argument to the brute force library which
  prevents the brute force authentication cracking scripts from
  storing found credentials in the creds library (they will still be
  printed in script output).

o [NSE] Fixed the nsedebug print_hex() function so it does not print an
  empty line if there are no remaining characters, and improved its NSEDoc.
  [Chris Woodbury].

o [Ncat] Ncat no longer blocks while an ssl handshake is taking place
  or waiting to complete.  This could make listening Ncat instances
  unavailable to other clients because one client was taking too long
  to complete the SSL handshake.  Our public Ncat chat server is now
  much more reliable (connect with: ncat --ssl -v chat.nmap.org).
  [Shinnok]

o [NSE] Updated SMTP and IMAP libraries to support authentication
  using both plain-text and the SASL library. [Patrik]

o [Zenmap] The Zenmap crash handler now instructs users to mail in
  crash information to nmap-dev rather than offering to create a
  Sourceforge bug tracker entry. [Colin Rice]

o [NSE] Applied patch from Chris Woodbury that adds the following
  additional information to the output of smb-os-discovery: NetBIOS
  computer name, NetBIOS domain name, FQDN, and forest name.

o [NSE] Updated smb-brute to add detection for valid credentials where the 
  target account was expired or limited by time or login host constraints.
  [Tom Sellers]

o [Ncat] Ncat now supports IPv6 addresses by default without the -6 flag.
  Additionally ncat listens on both ::1 and localhost when passed
  -l, or any other listening mode unless a specific listening address is
  supplied. [Colin Rice]

o Fixed broken XML output in the case of timed-out hosts; the
  enclosing host element was missing. The fix was suggested by Rémi
  Mollon.

o [NSE] Multiple ldap-brute changes by Tom Sellers:
  + Added support for 2008 R2 functional level Active Directory instances
  + Added detection for valid credentials where the target account was 
    expired or limited by time or login host constraints.
  + Added support for specifying a UPN suffix to be appended to usernames
    when brute forcing Microsoft Active Directory accounts.
  + Added support for saving discovered credentials to a CSV file.
  + Now reports valid credentials as they are discovered when the script
    is run with -vv or higher.

o [NSE] ldap-search.nse - Added support for saving search results to
  CSV.  This is done by using the ldap.savesearch script argument to
  specify an output filename prefix.  [Tom Sellers]  

o Handle an unconventional IPv6 internal link-local address convention
  used by Mac OS X. See
  http://seclists.org/nmap-dev/2011/q3/906. [David]
  
o [NSE] Optimized stdnse.format_output (changing the data structures)
  to improve performance for scripts which produce a lot of output. See
  http://seclists.org/nmap-dev/2011/q3/623. [Djalal]

o [NSE] Fixed nping-brute so that it again works on IPv6. [Toni Ruottu]

o [NSE] Added the make_array and make_object functions to our json
  library, allowing Lua tables to be treated as JSON arrays or
  objects. See http://seclists.org/nmap-dev/2011/q3/15 [Daniel Miller]

o [NSE] The ip-geolocation-ipinfodb script now allows you to specify an
  IPInfoDB API key using the apikey NSE argument. [Gorjan]

o [NSE] Renamed http-wp-plugins to http-wordpress-plugins script for
  consistency with http-wordpress-brute and now
  http-wordpress-enum. [Fyodor]


Enjoy the release, and don't forget to report any bugs found.

Cheers,
Fyodor

_______________________________________________
Sent through the nmap-dev mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-dev
Archived at http://seclists.org/nmap-dev/
