[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index][Old Index]
CVS commit: wip/nmap
Module name: wip
Committed by: pettai
Date: Thu Jan 12 22:48:36 UTC 2012
wip/nmap: Makefile PLIST PLIST.zenmap distinfo options.mk
Nmap 5.61TEST4 [2012-01-02]
o [NSE] Added a new httpspider library which is used for recursively
crawling web sites for information. New scripts using this
functionality include http-backup-finder, http-email-harvest,
http-grep, http-open-redirect, and http-unsafe-output-escaping. See
http://nmap.org/nsedoc/ or the list later in this file for details
o We set up a new SVN server for the Nmap codebase. This one uses SSL
for better security, WebDAV rather than svnserve for greater
functionality, is hosted on a faster (virtual) machine, provides
Nmap code history back to 1998 rather than 2005, and removes the
need for the special "guest" username. The new server is at
https://svn.nmap.org. More information:
o [NSE] Added a vulnerability management library (vulns.lua) to store and to
report discovered vulnerabilities. Modified these scripts to use
the new library:
o [NSE] Added a new script force feature. You can force scripts to
run against target ports (even if the "wrong" service is detected)
by placing a plus in front of the script name passed to --script. See
o [NSE] Added 51(!) NSE scripts, bringing the total up to 297. They
are all listed at http://nmap.org/nsedoc/, and the summaries are
below (authors listed in brackets):
o [NSE] Added some new protocol libraries
+ amqp (advanced message queuing protocol)
+ bitcoin crypto currency [Patrik Karlsson
+ dnsbl for DNS-based blacklists [Patrik Karlsson
+ rtsp (real time streaming protocol) [Patrik Karlsson]
+ httpspider and vulns have separate entries in this CHANGELOG
o Nmap now includes a nmap-update program for obtaining the latest
updates (new scripts, OS fingerprints, etc.) The system is
currently only available to a few developers for testing, but we
hope to enable a larger set of beta testers soon.
o Improved OS detection performance by scaling congestion control
increments by the response rate during OS scan, just as was done
for port scan before.
o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all
interfaces by default. They show the MAC address and interface name
o Added some new version detection probes:
+ MongoDB service
+ Metasploit XMLRPC service
+ Vuze filesharing system
+ Redis key-value store
+ Sybase SQL Anywhere
+ VMware ESX Server
+ TCP Kerberos
+ PC Anywhere
o Targets requiring different source addresses now go into different
hostgroups, not only for host discovery but also for port scanning.
Before, only responses to one of the source addresses would be
processed, and the others would be ignored.
o Tidied up the version detection DB (nmap-service-probes) with a new
cleanup/canonicalization program sv-tidy. In particular, this:
- Removes excess whitespace
- Sorts templates in the order m p v i d o h cpe:
- Canonicalizes template delimiters in the order: / | % = @ #.
o The --exclude and --excludefile options for excluding targets can
now be used together.
o [NSE] Added support for detecting whether a http connection was established
using SSL or not to the http.lua library
o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request
to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code
from dhcp-discover and placed the script into the discovery and safe
categories. Added support for adding options to DHCP requests and
cleaned up some code in the dhcp library.
o [NSE] Applied patch to snmp-brute that solves problems with handling
errors that occur during community list file parsing.
o [NSE] Added new fingerprints to http-enum for:
- Subversion, CVS and Apache Archiva
- DVCS systems Git, Mercurial and Bazaar
o [NSE] Applied some code cleanup to the snmp library.
o [NSE] Add additional version information to Mongodb scripts
o [NSE] Added path argument to the http-auth script and update the
script to use stdnse.format_output.
o Made a syntax change in the zenmap.desktop file for compliance with
the XDG standard.
o [NSE] Replaced a number of GET requests to HEAD in http-
fingerprints.lua. HEAD is quicker and sufficient when no matching
is performed on the returned contents.
o [NSE] Added support for retrieving SSL certificates from FTP servers.
o [Nping] The --safe-payloads option is now the default. Added
--include-payloads for the special situations where payloads are
o [NSE] Added new functionality and fixed some bugs in the brute library:
- Added support for restricting the number of guesses performed by the
brute library against users, to prevent account lockouts.
- Added support to guess the username as password. The documentation
previously suggested (wrongly) that this was the default behavior.
- Added support to guess an empty string as password if not
present in the dictionary.
o [NSE] Re-enabled support for guessing the username in addition to password
that was incorrectly removed from the metasploit-xmlrpc-brute in previous
o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
finds packets not only from or to the scanning host.
o The Zenmap topology display feature is now disabled when there are
more than 1,000 target hosts. Those topology maps slow down the
interface and are generally too crowded to be of much use.
o [NSE] Modified the http library to support servers that don't return valid
chunked encoded data, such as the Citrix XML service. [Patrik]
o Fixed a bug in the IPv6 OS probe called NI. The Node Information
Query didn't include the target address as the payload, so at least
OS X didn't respond. This differed from the probe sent by the
ipv6fp.py program from which some of our fingerprints were derived.
o [NSE] Fixed an error in the mssql library that was causing the
broadcast-ms-sql-discover script to fail when trying to update port version
o [NSE] Added the missing broadcast category to the broadcast-listener script.
o [NSE] Made changes to the categories of the following scripts (new
- http-userdir-enum.nse (auth,intrusive)
- mysql-users.nse (auth,intrusive)
- http-wordpress-enum.nse (auth,intrusive,vuln)
- krb5-enum-users.nse (auth,intrusive)
- snmp-win32-users.nse (default,auth,safe)
- smtp-enum-users.nse (auth,external,intrusive)
- ncp-enum-users.nse (auth,safe)
- smb-enum-users.nse (auth,intrusive)
o Made nbase compile with the clang compiler that is a part of Xcode 4.2.
o [NSE] Added XMPP support to ssl-cert.nse.
o [NSE] Made http-wordpress-enum.nse able to get names of users who
have no posts.
o Increased hop distance estimates from OS detection by one. The
distance now counts the number of hops including the final one to
the target, not just the number of intermediate nodes. The IPv6
distance calculation already worked this way.
o Added IPv6 OS detection system! The new system utilizes many tests
similar to IPv4, and also some IPv6-specific ones that we found to
be particularly effective. And it uses a machine learning approach
rather than the static classifier we use for IPv4. We hope to move
some of the IPv6 innovations back to our IPv4 system if they work
out well. The database is still very small, so please submit any
fingerprints that Nmap gives you to the specified URL (as long as
you are certain that you know what the target system is
running). Usage and results output are basically the same as with
IPv4, but we will soon document the internal mechanisms at
http://nmap.org/book/osdetect.html, just as we have for IPv4. For an
example, try "nmap -6 -O scanme.nmap.org".
o [NSE] Added 3 scripts, bringing the total to 246! You can learn
more about them at http://nmap.org/nsedoc/. Here they are (authors
listed in brackets)
o Improved AIX support for raw scans. This includes some patches
originally written by Peter O'Gorman and Florian Schmid. It also
involved various build fixes found necessary on AIX 6.1 and 7.1. See
o Fixed Nmap so that it again compiles and runs on Solaris 10,
including IPv6 support.
o [NSE] Moved our brute force authentication cracking scripts
(*-brute) from the "auth" category into a new "brute"
category. Nmap's brute force capabilities have grown tremendously!
You can see all 32 of them at
http://nmap.org/nsedoc/categories/brute.html. It isn't clear
whether dns-brute should be in the brute category, so for now it isn't.
o Made the interface gathering loop work on Linux when an interface
index is more than two digits in /proc/sys/if_inet6.
o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
o Updated nmap-mac-prefixes to include the latest IEEE assignments
as of 2011-09-29.
o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
output for OS and service versions. This is a standard way to
identify operating systems and applications so that Nmap can
better interoperate with other software. Nmap's own (generally more
comprehensive) taxonomy/classification system is still supported as
well. Some OS and version detection results don't have CPE entries
yet. CPE entries show up in normal output with the headings "OS
CPE:" and "Service Info:":
OS CPE: cpe:/o:linux:kernel:2.6.39
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
These also appear in XML output, which additionally has CPE entries
for service versions.
o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
ARP scan. It is the default ping type for local IPv6 networks.
o Integrated your latest (IPv4) OS detection submissions and
corrections until June 22. New fingerprints include Linux 3, FreeBSD
9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
3,308 fingerprints. See
http://seclists.org/nmap-dev/2011/q3/556. Please keep those
fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
well as service fingerprints, plus corrections of all types if Nmap
o [NSE] Added 27 scripts, bringing the total to 243! You can learn
more about any of them at http://nmap.org/nsedoc/. Here are the new
ones (authors listed in brackets)
o [NSE] The script arguments which start with a script name
(e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
unqualified arguments as well (hostname, maxfiles). This lets you
use the generic version ("hostname") when you want to affect
multiple scripts, while using the qualified version to target
individual scripts. If both are specified, the qualified version
takes precedence for that particular script. This works for library
script arguments too (e.g. you can specify 'timelimit' rather than
o [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to
remove the epic fail known as DigiNotar.
o Nmap now defers options parsing until it has read through all the
command line arguments. This removes the few remaining cases where
option order mattered (for example, IPv6 users previously had to
specify -6 before -S). [Shinnok]
o [NSE] Added a new default credential list for Oracle databases and
modified the oracle-brute script to make use of it. [Patrik]
o [NSE] Our Packet library (packet.lua) now handles IPv6. This is used
by the new multicast IPv6 host discovery scripts
o [NSE] Replaced xmpp.nse with an an overhauled version named
xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]
o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and
removed redundant multiple listings of the NULL compressor.
o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse.
o [NSE] Added 4 more protocol libraries. You can learn more about any
of them at http://nmap.org/nsedoc/. Here are the new ones (authors
listed in brackets)
+ bittorrent supports the BitTorrent file sharing protocol
+ cvs includes support for the Concurrent Versions System (CVS)
+ sasl provides common code for "Simple Authentication and Security
Layer" to services supporting it. The algorithms supported by the
library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM.
+ xmpp handles XMPP (Jabber) IM servers
o [NSE] Removed the mac-geolocation script, which relied on a Google
database to determine strikingly accurate GPS coordinates for
anyone's wireless access points (based on their MAC address). It
was very powerful. Perhaps Google decided it was too powerful, as
they discontinued the service before our script was even 2 months
o [Ncat] Added an --append-output option which, when used along with
-o and/or -x, prevents clobbering (truncating) an existing file.
o Fixed RPC scan (part of -sV) to work on the 64-bit machines where
"unsigned long" is 8 bytes rather than 4. We now use the more
portable u32 in the code.
o [NSE] Moved some scripts into the default category: giop-info,
vnc-info, ncp-serverinfo, smb-security-mode, and and
o Relaxed the XML DTD to allow validation of files where the verbosity
level changed during the scan. Also made a service confidence of 8
(used when tcpwrapped) or any other number between 0 and 10 legal.
o [NSE] Fixed authentication problems in the TNS library that would prevent
authentication from working against Oracle 22.214.171.124.0 XE
o [NSE] Added basic query support to the Oracle TNS library so that scripts
can now make SQL queries against database servers. Also improved
support for 64-bit database servers and improved the documentation.
o Removed some restrictions on probe matching that, for example,
prevented a RST/ACK reply from being recognized in a NULL scan.
o Rearranged some characters classes in service matches to avoid any
that look like POSIX collating symbols ("[.xyz.]").
InitMatch: illegal regexp: POSIX collating elements are not supported
o [NSE] Added more than 100 new signatures to http-enum (many for
known vulnerabilities). They are in the categories: general,
attacks, cms, security, management and database [Paulino]
o [NSE] Updated account status text in brute force password discovery
scripts in an effort to make the reporting more consistent across
all scripts. This will have an impact on any code that parses these
o Nmap now includes the Liblinear library for large linear
classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We
are using it for the upcoming IPv6 OS detection system, and (if that
works out well) may eventually use it for IPv4 too. It uses a
three-clause BSD license.
o [NSE] Better error messages (including a traceback) are now provided
when script loading fails.
o [Zenmap] Prevent Zenmap from deleting ports when merging scans
results based on newer scans which did not actually scan the ports
in question. Additionally Zenmap now only updates ports with new
information if the new information uses the same protocol--not just
the same port number.
o [Nping] Added new --safe-payloads option for echo mode which causes
returned packet payloads to be zeroed to reduce privacy risks if
Nping echo server was to accidentally (or through malicious intent)
return a packet which wasn't sent by the Nping echo client. We hope
to soon make this behavior the default.
o Ncat SCTP mode now supports connection brokering (--sctp --broker).
o Consolidated a bunch of duplicate code between Ncat's listen
(ncat_listen.c) and broker (ncat_broker.c) modes to ease
o Added a 'nostore' nse argument to the brute force library which
prevents the brute force authentication cracking scripts from
storing found credentials in the creds library (they will still be
printed in script output).
o [Ncat] Ncat no longer blocks while an ssl handshake is taking place
or waiting to complete. This could make listening Ncat instances
unavailable to other clients because one client was taking too long
to complete the SSL handshake. Our public Ncat chat server is now
much more reliable (connect with: ncat --ssl -v chat.nmap.org).
o [NSE] Updated SMTP and IMAP libraries to support authentication
using both plain-text and the SASL library.
o [Zenmap] The Zenmap crash handler now instructs users to mail in
crash information to nmap-dev rather than offering to create a
Sourceforge bug tracker entry.
o [NSE] Applied patch from Chris Woodbury that adds the following
additional information to the output of smb-os-discovery: NetBIOS
computer name, NetBIOS domain name, FQDN, and forest name.
o [NSE] Updated smb-brute to add detection for valid credentials where the
target account was expired or limited by time or login host constraints.
o [Ncat] Ncat now supports IPV6 addresses by default without the -6 flag.
Additionally ncat listens on both ::1 and localhost when passed
-l, or any other listening mode unless a specific listening address is
o Fixed broken XML output in the case of timed-out hosts; the
enclosing host element was missing.
o [NSE] Multiple ldap-brute changes by Tom Sellers:
+ Added support for 2008 R2 functional level Active Directory instances
+ Added detection for valid credentials where the target account was
expired or limited by time or login host constraints.
+ Added support for specifying a UPN suffix to be appended to usernames
when brute forcing Microsoft Active Directory accounts.
+ Added support for saving discovered credentials to a CSV file.
+ Now reports valid credentials as they are discovered when the script
is run with -vv or higher.
o [NSE] ldap-search.nse - Added support for saving search results to
CSV. This is done by using the ldap.savesearch script argument to
specify an output filename prefix.
o Handle an unconventional IPv6 internal link-local address convention
used by Mac OS X. See http://seclists.org/nmap-dev/2011/q3/906.
o [NSE] Optimized stdnse.format_output (changing the data structures)
to improve performance for scripts which produce a lot of output. See
o [NSE] Fix nping-brute so that it again works on IPv6. [Toni Ruottu]
o [NSE] Added the make_array and make_object functions to our json
library, allowing LUA tables to be treated as JSON arrays or
objects. See http://seclists.org/nmap-dev/2011/q3/15
o [NSE] The ip-geolocation-ipinfodb now allows you to specify an
IPInfoDB API key using the apikey NSE argument.
o [NSE] Renamed http-wp-plugins to http-wordpress-plugins script for
consistency with http-wordpress-brute and now
Plus many bugfixes and improvements.
For full changelog, see http://nmap.org/changelog.html
To generate a diff of this commit:
cvs -z3 rdiff -u -r1.2 -r1.3 wip/nmap/Makefile wip/nmap/PLIST \
wip/nmap/PLIST.zenmap wip/nmap/distinfo wip/nmap/options.mk
To view a diff of this commit:
Please note that diffs are not public domain; they are subject to the
copyright notices on the relevant files.
RSA(R) Conference 2012
Mar 27 - Feb 2
Save $400 by Jan. 27
pkgsrc-wip-cvs mailing list
Main Index |
Thread Index |