Home page logo
/

Nmap Announce mailing list archives

Nmap 5.59BETA1 Released!
From: Fyodor <fyodor () insecure org>
Date: Thu, 30 Jun 2011 16:05:01 -0700

Hi Folks.  Other than the recent informal IPv6 commemorative edition,
we haven't had a real Nmap release in more than four months since
5.51.  That is in part because we've been so busy with seven (!)
full-time Google Summer of Code students cranking out tons of
excellent code!  But I think we've pulled this together into a release
we can be proud of, and I'm happy to announce Nmap 5.59BETA1!

This version includes:
 o 40 new NSE scripts (plus improvements to many others)
 o even more IPv6 goodness than our informal World IPv6 Day release
 o 7 new NSE protocol libraries
 o hundreds of bug fixes
 o and much more (see below)!

Nmap 5.59BETA1 source code as well as binary packages for Linux, Mac,
and Windows are now available at:

http://nmap.org/download.html

If you find any bugs, please let us know on nmap-dev as described at
http://nmap.org/book/man-bugs.html.

Here are the most significant changes since version 5.51:

o [NSE] Added 40 scripts, bringing the total to 217!  You can learn
  more about any of them at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + afp-ls: Lists files and their attributes from Apple Filing
    Protocol (AFP) volumes. [Patrik Karlsson]

  + backorifice-brute: Performs brute force password auditing against
    the BackOrifice remote administration (trojan) service. [Gorjan
    Petrovski]

  + backorifice-info: Connects to a BackOrifice service and gathers
    information about the host and the BackOrifice service
    itself. [Gorjan Petrovski]

  + broadcast-avahi-dos: Attempts to discover hosts in the local
    network using the DNS Service Discovery protocol, then tests
    whether each host is vulnerable to the Avahi NULL UDP packet
    denial of service bug (CVE-2011-1002). [Djalal Harouni]

  + broadcast-netbios-master-browser: Attempts to discover master
    browsers and the Windows domains they manage. [Patrik Karlsson]

  + broadcast-novell-locate: Attempts to use the Service Location
    Protocol to discover Novell NetWare Core Protocol (NCP)
    servers. [Patrik Karlsson]

  + creds-summary: Lists all discovered credentials (e.g. from brute
    force and default password checking scripts) at end of scan.
    [Patrik Karlsson]

  + dns-brute: Attempts to enumerate DNS hostnames by brute force
    guessing of common subdomains. [Cirrus]

  + dns-nsec-enum: Attempts to discover target hosts' services using
    the DNS Service Discovery protocol. [Patrik Karlsson]

  + dpap-brute: Performs brute force password auditing against an
    iPhoto Library. [Patrik Karlsson]

  + epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and
    retrieves a list of nodes with their respective port
    numbers. [Toni Ruottu]

  + http-affiliate-id: Grabs affiliate network IDs (e.g. Google
    AdSense or Analytics, Amazon Associates, etc.) from a web
    page. These can be used to identify pages with the same
    owner. [Hani Benhabiles, Daniel Miller]

  + http-barracuda-dir-traversal: Attempts to retrieve the
    configuration settings from a Barracuda Networks Spam & Virus
    Firewall device using the directory traversal vulnerability
    described at
    http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]

  + http-cakephp-version: Obtains the CakePHP version of a web
    application built with the CakePHP framework by fingerprinting
    default files shipped with the CakePHP framework. [Paulino
    Calderon]

  + http-majordomo2-dir-traversal: Exploits a directory traversal
    vulnerability existing in the Majordomo2 mailing list manager to
    retrieve remote files. (CVE-2011-0049). [Paulino Calderon]

  + http-wp-plugins: Tries to obtain a list of installed WordPress
    plugins by brute force testing for known plugins. [Ange Gutek]

  + ip-geolocation-geobytes: Tries to identify the physical location
    of an IP address using the Geobytes geolocation web service
    (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]

  + ip-geolocation-geoplugin: Tries to identify the physical location
    of an IP address using the Geoplugin geolocation web service
    (http://www.geoplugin.com/). [Gorjan Petrovski]

  + ip-geolocation-ipinfodb: Tries to identify the physical location
    of an IP address using the IPInfoDB geolocation web service
    (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]

  + ip-geolocation-maxmind: Tries to identify the physical location of
    an IP address using a Geolocation Maxmind database file (available
    from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]

  + ldap-novell-getpass: Attempts to retrieve the Novell Universal
    Password for a user. You must already have (and include in script
    arguments) the username and password for an eDirectory server
    administrative account. [Patrik Karlsson]

  + mac-geolocation: Looks up geolocation information for BSSID (MAC)
    addresses of WiFi access points in the Google geolocation
    database. [Gorjan Petrovski]

  + mysql-audit: Audit MySQL database server security configuration
    against parts of the CIS MySQL v1.0.2 benchmark (the engine can
    also be used for other MySQL audits by creating appropriate audit
    files).  [Patrik Karlsson]

  + ncp-enum-users: Retrieves a list of all eDirectory users from the
    Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]

  + ncp-serverinfo: Retrieves eDirectory server information (OS
    version, server name, mounts, etc.) from the Novell NetWare Core
    Protocol (NCP) service. [Patrik Karlsson]

  + nping-brute: Performs brute force password auditing against an
    Nping Echo service. [Toni Ruottu]

  + omp2-brute: Performs brute force password auditing against the
    OpenVAS manager using OMPv2. [Henri Doreau]

  + omp2-enum-targets: Attempts to retrieve the list of target systems
    and networks from an OpenVAS Manager server. [Henri Doreau]

  + ovs-agent-version: Detects the version of an Oracle OVSAgentServer
    by fingerprinting responses to an HTTP GET request and an XML-RPC
    method call. [David Fifield]

  + quake3-master-getservers: Queries Quake3-style master servers for
    game servers (many games other than Quake 3 use this same
    protocol). [Toni Ruottu]

  + servicetags: Attempts to extract system information (OS, hardware,
    etc.) from the Sun Service Tags service agent (UDP port
    6481). [Matthew Flanagan]

  + sip-brute: Performs brute force password auditing against Session
    Initiation Protocol (SIP -
    http://en.wikipedia.org/wiki/Session_Initiation_Protocol)
    accounts.  This protocol is most commonly associated with VoIP
    sessions. [Patrik Karlsson]

  + sip-enum-users: Attempts to enumerate valid SIP user accounts.
    Currently only the SIP server Asterisk is supported. [Patrik
    Karlsson]

  + smb-mbenum: Queries information managed by the Windows Master
    Browser. [Patrik Karlsson]

  + smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
    within versions of Exim prior to version 4.69 (CVE-2010-4344) and
    a privilege escalation vulnerability in Exim 4.72 and prior
    (CVE-2010-4345). [Djalal Harouni]

  + smtp-vuln-cve2011-1720: Checks for a memory corruption in the
    Postfix SMTP server when it uses Cyrus SASL library authentication
    mechanisms (CVE-2011-1720).  This vulnerability can allow denial
    of service and possibly remote code execution. [Djalal Harouni]

  + snmp-ios-config: Attempts to downloads Cisco router IOS
    configuration files using SNMP RW (v1) and display or save
    them. [Vikas Singhal, Patrik Karlsson]

  + ssl-known-key: Checks whether the SSL certificate used by a host
    has a fingerprint that matches an included database of problematic
    keys. [Mak Kolybabi]

  + targets-sniffer: Sniffs the local network for a configurable
    amount of time (10 seconds by default) and prints discovered
    addresses. If the newtargets script argument is set, discovered
    addresses are added to the scan queue. [Nick Nikolaou]

  + xmpp: Connects to an XMPP server (port 5222) and collects server
    information such as supported auth mechanisms, compression methods
    and whether TLS is supported and mandatory. [Vasiliy Kulikov]

o Nmap has long supported IPv6 for basic (connect) port scans, basic
  host discovery, version detection, Nmap Scripting Engine.  This
  release dramatically expands and improves IPv6 support:
  + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
    etc.) are now supported. [David, Weilin]
  + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
    discovery packets, etc.) is now supported. [David, Weilin]
  + IPv6 traceroute is now supported [David]
  + IPv6 protocol scan (-sO) is now supported, including creating
    realistic headers for many protocols. [David]
  + IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel
    Miller, Patrik]
  + The --exclude and --excludefile now support IPV6 addresses with
    netmasks.  [Colin]

o Scanme.Nmap.Org (the system anyone is allowed to scan for testing
  purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
  so you can scan it during IPv6 testing.  We also added a DNS record
  for ScanmeV6.nmap.org which is IPv6-only. See
  http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]

o The Nmap.Org website as well as sister sites Insecure.Org,
  SecLists.Org, and SecTools.Org all have working IPv6 addresses now
  (dual stacked). [Fyodor]

o Nmap now determines the filesystem location it is being run from and
  that path is now included early in the search path for data files
  (such as nmap-services).  This reduces the likelihood of needing to
  specify --datadir or getting data files from a different version of
  Nmap installed on the system.  For full details, see
  http://nmap.org/book/data-files-replacing-data-files.html.  Thanks
  to Solar Designer for implementation advice. [David]

o Created a page on our SecWiki for collecting Nmap script ideas! If
  you have a good idea, post it to the incoming section of the page.
  Or if you're in a script writing mood but don't know what to write,
  come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.

o The development pace has greatly increased because Google (again)
  sponsored a 7 full-time college and graduate student programmer
  interns this summer as part of their Summer of Code program!
  Thanks, Google Open Source Department!  We're delighted to introduce
  the team: http://seclists.org/nmap-dev/2011/q2/312

o [NSE] Added 7 new protocol libraries, bringing the total to 66.  You
  can read about them all at http://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + creds: Handles storage and retrieval of discovered credentials
    (such as passwords discovered by brute force scripts). [Patrik
    Karlsson]

  + ncp: A tiny implementation of Novell Netware Core Protocol
    (NCP). [Patrik Karlsson]

  + omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri
    Doreau]

  + sip: Supports a limited subset of SIP commands and
    methods. [Patrik Karlsson]

  + smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal
    Harouni]

  + srvloc: A relatively small implementation of the Service Location
    Protocol. [Patrik Karlsson]

  + tftp: Implements a minimal TFTP server. It is used in
    snmp-ios-config to obtain router config files.[Patrik Karlsson]

o Improved Nmap's service/version detection database by adding:
  + Apple iPhoto (DPAP) protocol probe [Patrik]
  + Zend Java Bridge probe [Michael Schierl]
  + BackOrifice probe [Gorjan Petrovski]
  + GKrellM probe [Toni Ruotto]
  + Signature improvements for a wide variety of services (we now have
    7,375 signatures)

o [NSE] ssh-hostkey now additionally has a postrule that prints hosts
  found during the scan which share the same hostkey. [Henri Doreau]

o [NSE] Added 300+ new signatures to http-enum which look for admin
  directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress,
  and more. [Paulino]

o Made the final IP address space assignment update as all available
  IPv4 address blocks have now been allocated to the regional
  registries.  Our random IP generation (-iR) logic now only excludes
  the various reserved blocks.  Thanks to Kris for years of regular
  updates to this function!

o [NSE] Replaced http-trace with a new more effective version. [Paulino]

o Performed some output cleanup work to remove unimportant status
  lines so that it is easier to find the good stuff! [David]

o [Zenmap] now properly kills Nmap scan subprocess when you cancel a
  scan or quit Zenmap on Windows. [Shinnok]

o [NSE] Banned scripts from being in both the "default" and
  "intrusive" categories.  We did this by removing dhcp-discover and
  dns-zone-transfer from the set of scripts run by default (leaving
  them "intrusive"), and reclassifying dns-recursion, ftp-bounce,
  http-open-proxy, and socks-open-proxy as "safe" rather than
  "intrusive" (keeping them in the "default" set).

o [NSE] Added a credential storage library (creds.lua) and modified
  the brute library and scripts to make use of it. [Patrik]

o [Ncat] Created a portable version of ncat.exe that you can just drop
  onto Microsoft Windows systems without having to run any installer
  or copy over extra library files. See the Ncat page
  (http://nmap.org/ncat/) for binary downloads and a link to build
  instructions. [Shinnok]

o Fix a segmentation fault which could occur when running Nmap on
  various Android-based phones.  The problem related to NULL being
  passed to freeaddrinfo(). [David, Vlatko Kosturjak]

o [NSE] The host.bin_ip and host.bin_ip_src entries now also work with
  16-byte IPv6 addresses. [David]

o [Ncat] Updated the ca-bundle.crt list of trusted certificate
  authority certificates. [David]

o [NSE] Fixed a bug in the SMB Authentication library which could
  prevent concurrently running scripts with valid credentials from
  logging in. [Chris Woodbury]

o [NSE] Re-worked http-form-brute.nse to better autodetect form
  fields, allow brute force attempts where only the password (no
  username) is needed, follow HTTP redirects, and better detect
  incorrect login attempts. [Patrik, Daniel Miller]

o [Zenmap] Changed the "slow comprehensive scan" profile's NSE script
  selection from "all" to "default or (discovery and safe)"
  categories.  Except for testing and debugging, "--script all" is
  rarely desirable.

o [NSE] Added the stdnse.silent_require method which is used for
  library requires that you know might fail (e.g. "openssl" fails if
  Nmap was compiled without that library).  If these libraries are
  called with silent_require and fail to load, the script will cease
  running but the user won't be presented with ugly failure messages
  as would happen with a normal require. [Patrick Donnelly]

o [Ncat] ncat now listens on both localhost and ::1 when you run ncat
  -l. It works as before if you specify -4 or -6 or a specific
  address. [Colin Rice]

o [Zenmap] Fixed a bug in topology mapper which caused endpoints
  behind firewalls to sometimes show up in the wrong place (see
  http://seclists.org/nmap-dev/2011/q2/733).  [Colin Rice]

o [Zenmap] If you scan a system twice, any open ports from the first
  scan which are closed in the 2nd will be properly marked as
  closed. [Colin Rice].

o [Zenmap] Fixed an error that could cause a crash ("TypeError: an
  integer is required") if a sort column in the ports table was unset.
  [David]

o [Ndiff] Added nmaprun element information (Nmap version, scan date,
  etc.) to the diff.  Also, the Nmap banner with version number and
  data is now only printed if there were other differences in the
  scan. [Daniel Miller, David, Dr. Jesus]

o [NSE] Added nmap.get_interface and nmap.get_interface_info functions
  so scripts can access characteristics of the scanning interface.
  Removed nmap.get_interface_link. [Djalal]

o Fixed an overflow in scan elapsed time display that caused negative
  times to be printed after about 25 days. [Daniel Miller]

o Updated nmap-rpc from the master list, now maintained by IANA.
  [Daniel Miller, David]

o [Zenmap] Fixed a bug in the option parser: -sN (null scan) was
  interpreted as -sn (no port scan). This was reported by
  Shitaneddine. [David]

o [Ndiff] Fixed the Mac OS X packages to use the correct path for
  Python: /usr/bin/python instead of /opt/local/bin/python. The bug
  was reported by Wellington Castello. [David]

o Removed the -sR (RPC scan) option--it is now an alias for -sV
  (version scan), which always does RPC scan when an rpcinfo service
  is detected.

o [NSE] Improved the ms-sql scripts and library in several ways:
  - Improved version detection and server discovery
  - Added support for named pipes, integrated authentication, and
    connecting to instances by name or port
  - Improved script and library stability and documentation.
  [Patrik Karlsson, Chris Woodbury]

o [NSE] Fixed http.validate_options when handling a cookie table.
  [Sebastian Prengel]

o Added a Service Tags UDP probe for port 6481/udp. [David]

o [NSE] Enabled firewalk.nse to automatically find the gateways at
  which probes are dropped and fixed various bugs. [Henri Doreau]

o [Zenmap] Worked around a pycairo bug that prevented saving the
  topology graphic as PNG on Windows: "Error Saving Snapshot:
  Surface.write_to_png takes one argument which must be a filename
  (str), file object, or a file-like object which has a 'write' method
  (like StringIO)". The problem was reported by Alex Kah. [David]

o The -V and --version options now show the platform Nmap was compiled
  on, which features are compiled in, the version numbers of libraries
  it is linked against, and whether the libraries are the ones that
  come with Nmap or the operating system.  [Ambarisha B., David]

o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
  from netVigilance.

o The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]

o [NSE] Added a shortport.ssl function which can be used as a script
  portrule to match SSL services.  It is similar in concept to our
  existing shortport.http. [David]

o Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
  packages (on CentOS 5.3) to resolve a report of Nmap failing to run
  on old versions of Glibc. [David]

o We no longer support Nmap on versions of Windows earlier than XP
  SP2.  Even Microsoft no longer supports Windows versions that old.
  But if you must use Nmap on such systems anyway, please see
  https://secwiki.org/w/Nmap_On_Old_Windows_Releases.

o There were hundreds of other little bug fixes and improvements
  (especially to NSE scripts).  See the SVN logs for revisions 22,274
  through 24,460 for details.

Enjoy the new release!
-Fyodor
_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
Archived at http://seclists.org/nmap-hackers/


  By Date           By Thread  

Current thread:
  • Nmap 5.59BETA1 Released! Fyodor (Jun 30)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]