Re: Nmap 4.85BETA8 Released!
From: Ron <ron () skullsecurity net>
Date: Tue, 21 Apr 2009 22:07:17 -0500
Hopefully some of you have tried this out.. I haven't heard any
feedback, so I'll assume that's good news for the time being. I'd really
like to hear if this rooted out any infections, though!
If you want to read some more details, check out my blog post about it:
I tried to be pretty thorough with explaining how the script works and
how to use it.
Any questions or comments, feel free to ask!
Hi All. I'm happy to report the release of Nmap 4.85BETA8. It
includes many improvements from our last 20 days of work, including
much better Ncat http proxy server support (including authentication,
and the GET/HEAD/POST methods so you can use it with Firefox), redone
(much easier to read) text output for Ndiff, a whole bunch of
Conficker improvements (including a great new script by Ron based on
Symantec research and numerous improvements to the existing
smb-check-vulns), and much more. Our anti-Conficker efforts have
apparently pissed off the Conficker authors so much that the latest
variants ban nmap.* and insecure.* domains. No worries: I've mirrored
this release at http://sectools.org/nmap/.
And those of you who aren't infected by Conficker can download
4.85BETA8 at the normal location:
To scan your network quickly for Conficker infections before the next
variant breaks this new technique, we recommend this command:
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns --script-args checkconficker=1,safe=1 -T4
If you have time for a slower but more comprehensive scan, use this instead:
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- --script-args checkall=1,safe=1 -T4 [target networks]
And here is the full list of changes since BETA7:
Nmap 4.85BETA8 [2009-04-21]
o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
addition to the CONNECT tunneling method, so it can be used as a
proxy with an ordinary web browser.[David]
o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
--proxy-auth to provide a username and password that will be required
of proxy users. Only the insecure (not encrypted) Basic authentication
method is supported. [David]
o Ndiff's text output has been redone to look more like Nmap output
and be easier to read. See the Ndiff README file for an example. The
XML output is now based on Nmap's XML output as well. Zenmap's diff
viewer now shows the new output with syntax highlighting. [David]
o The new versions of the Conficker Internet worm ban infected systems
from visiting Insecure.Org and Nmap.Org. We take that as a
compliment to the effectiveness of our remote Conficker scanner.
They also ban DNS substrings "honey" (for the Honeynet Project),
"doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
Security, "coresecur" for Core Security Technologies, and
"iv.cs.uni" for those meddlesome (to the Conficker authors)
researchers at the University of Bonn. For people who can't reach
nmap.org due to infection, I've mirrored this release at
o New Conficker versions eliminate the loophole we were using to
detect them with smb-check-vulns.nse, so we've added new methods
which work with the newest variants. Here are the Conficker-related
improvements since BETA7:
o Added new p2p-conficker script which detects Conficker using its
P2P update ports rather than MSRPC. This is based on some new
research by Symantec. See
o Since new Conficker variants prevent detection by our previous
MSRPC check in smb-check-vulns, we've added a new check which still
works. It involves calling netpathcanonicalize on "\" rather than
"\..\" and checking for a different return value. It was discovered
by Felix Leder and Tillmann Werner.
o Improved smb-check-vulns Conficker error message text to be more
o smb-check-vulns now defaults to using basic login rather than
extended logins as this seems to work better on some machines.
o Recommended command for a fast Conficker scan:
nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns \
--script-args checkconficker=1,safe=1 -T4 [target networks]
o Recommended command for a more comprehensive (but slower) scan:
nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p- \
--script-args checkall=1,safe=1 -T4 [target networks]
o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
code simplicity and extensibility. See
o [Zenmap] The "Cancel" button has been restored to the main screen.
It will cancel the scan that is currently being displayed.
o Fixed an SMB library bug which could cause a nil-pointer exception
when scanning broken SMB implementations. Reported by Steve
o [Ndiff] The setup.py installation script now suggests installing the
python-dev package in a certain error situation. Previously the
error message it printed was misleading:
error: invalid Python installation: unable to open
/usr/lib/python2.6/config/Makefile (No such file or directory)
The change was suggested by Aaron Leininger. [David]
o [Nbase] The checksum functions now have an nbase_ prefix. This
should prevent name collisions with internal but exported functions
in shared libraries Nmap links against (e.g. adler32() in zlib).
Such collisions seem to confuse the runtime linker on some platforms.
o Fixed banner.nse to remove surrounding whitespace from banners. For
example, this avoids a superfluous carriage return and newline at the
end of SSH greetings. [Patrick]
o Expanded and tweaked the product/version/info of service scans in an
attempt to reduce the number of warnings like "Warning: Servicescan
failed to fill info_template...". Parts of this change include:
o Improved the text of the warning to be less confusing
o Increased the internal version info buffer to 256 chars from 128
o Increased the final version string length to 160 from 128 chars
o Changed the behavior when constructing the final version string so
that if it runs out of space, rather than dropping the output of that
template it truncates the template with ...
o Fixed the printing of unneeded spaces between templates when one of the
templates isn't going to be printed at all.
o Improved the service scan DB to remove certain problematic regex
patterns which could lead to PCRE_MATCHLIMIT errors. For example,
instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
".*" as long as the DOTALL (/s) modifier was set. [Brandon]
o Changed some error() calls (which were more informational than error
messages) to use log_write() instead, and changed a few f?printf()
calls into error() or log_write(). [Brandon]
o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
to resolve names using the wrong address family (such as AF_INET
rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]
o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
It caused a crash when opening the Hosts Viewer on a host that had OS
information. A window appeared saying simply "Runtime Error!". [David]
o [Zenmap] Gracefully handle unrecognized port states in the hosts
viewer. Apparently old versions of Nmap can return a state of
"unknown". This prevents this crash:
File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
File "radialnet\gui\NodeNotebook.pyo", line 257, in __create_widgets
o Rewrote the debugging error message "Found whacked packet protocol
17 in get_ping_pcap_result" because we decided that receiving a UDP
packet during TCP ping scan is not egregious enough to qualify as
Enjoy the new release! And let us know on nmap-dev if you encounter
any problems! See http://nmap.org/book/man-bugs.html.
Sent through the nmap-dev mailing list
Archived at http://SecLists.Org
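Added example for the scan commands recommended above (not code from this thread or from the Nmap project): a small Python triage script that parses the XML Nmap writes with -oX for the fast Conficker scan and lists the hosts where p2p-conficker or smb-check-vulns reported an infection, together with which check fired. The XML sample and the script output strings inside it are constructed for the example; the parser assumes Nmap's standard XML layout (host, address, hostscript and script elements) and assumes the NSE scripts put the words INFECTED or CLEAN in their output, which is an assumption about the exact wording rather than something stated in the announcement.

```python
"""Triage Nmap -oX output from a Conficker scan into a list of likely-infected hosts.

Added example, not part of the nmap-dev thread or the Nmap project. Assumes
Nmap's standard XML layout: <host> elements carrying <status>, <address>, and
<script id=... output=...> elements (under <hostscript> or <ports>/<port>),
and assumes the scripts' verdict text contains INFECTED or CLEAN.
"""
import re
import xml.etree.ElementTree as ET

# Only these two scripts from the recommended command give a Conficker verdict;
# smb-os-discovery is run for context and is deliberately ignored here.
CONFICKER_SCRIPTS = {"p2p-conficker", "smb-check-vulns"}

# Constructed sample of what Nmap writes with -oX for the fast scan. The
# script output strings are made up for the example, not real Nmap output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns -oX - 10.0.0.0/29">
  <host><status state="up"/><address addr="10.0.0.1" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-os-discovery" output="OS: Windows XP (Windows 2000 LAN Manager)"/>
      <script id="smb-check-vulns" output="Conficker: Likely INFECTED (by Conficker.C or lower)"/>
      <script id="p2p-conficker" output="Check 1 (port 44329/tcp): INFECTED. Check 2 (port 24503/udp): INFECTED"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.2" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="Conficker: Likely CLEAN"/>
      <script id="p2p-conficker" output="Check 1 (port 44329/tcp): CLEAN. Check 2 (port 24503/udp): CLEAN"/>
    </hostscript>
  </host>
  <host><status state="up"/><address addr="10.0.0.3" addrtype="ipv4"/>
    <hostscript>
      <script id="smb-check-vulns" output="Conficker: Likely CLEAN"/>
      <script id="p2p-conficker" output="Check 1 (port 44329/tcp): INFECTED. Check 2 (port 24503/udp): CLEAN"/>
    </hostscript>
  </host>
  <host><status state="down"/><address addr="10.0.0.4" addrtype="ipv4"/></host>
  <host><status state="up"/><address addr="10.0.0.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="filtered"/></port></ports>
  </host>
</nmaprun>
"""


def classify_output(output):
    """Return 'infected', 'clean', or None when a script gave no usable verdict.

    Whole-word matching so that a hypothetical "UNINFECTED" does not count as
    an infection. INFECTED is checked first because a mixed result (one check
    infected, one clean) should still be escalated.
    """
    text = output.upper()
    if re.search(r"\bINFECTED\b", text):
        return "infected"
    if re.search(r"\bCLEAN\b", text):
        return "clean"
    return None


def triage(xml_text):
    """Map each up host's IPv4 address to {script_id: verdict} for the Conficker scripts."""
    root = ET.fromstring(xml_text)
    results = {}
    for host in root.iter("host"):
        status = host.find("status")
        if status is not None and status.get("state") != "up":
            continue  # nothing was scanned on a down host
        addr = next((a.get("addr") for a in host.findall("address")
                     if a.get("addrtype") == "ipv4"), None)
        if addr is None:
            continue
        verdicts = {}
        # Scripts may sit under <hostscript> or under a <port>; iter() finds both.
        for script in host.iter("script"):
            sid = script.get("id")
            if sid in CONFICKER_SCRIPTS:
                verdict = classify_output(script.get("output", ""))
                if verdict is not None:
                    verdicts[sid] = verdict
        results[addr] = verdicts  # an empty dict means "no verdict" (e.g. port filtered)
    return results


def infected_hosts(xml_text):
    """Addresses where any Conficker check said INFECTED, with the checks that fired."""
    return {addr: sorted(s for s, v in verdicts.items() if v == "infected")
            for addr, verdicts in triage(xml_text).items()
            if any(v == "infected" for v in verdicts.values())}


if __name__ == "__main__":
    for addr, checks in sorted(infected_hosts(SAMPLE_XML).items()):
        print("%s: flagged by %s" % (addr, ", ".join(checks)))
    for addr, verdicts in sorted(triage(SAMPLE_XML).items()):
        if not verdicts:
            print("%s: no verdict (scripts did not run)" % addr)
```

Hosts with an empty verdict set deserve a second look rather than being treated as clean: on the sample they are the ones where 445/tcp was filtered, so neither script could run, which is exactly the case the slower -p- scan in the announcement is meant to cover.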