-
Notifications
You must be signed in to change notification settings - Fork 0
/
Copy pathCHANGELOG
12307 lines (9595 loc) · 549 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
# Nmap Changelog ($Id$); -*-text-*-
o [NSE] Added support to broadcast-listener for extracting address, native vlan
and management IP address from CDP packets. [Tom]
o [NSE] Added the script broadcast-networker-discover that discoverer EMC
Networker servers on the LAN. [Patrik]
o [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be
unconnected in order to support broadcast. [Patrik]
o Integrated latest IPv6 OS submissions and corrections.
o [NSE] Added a sslcert library that gets and caches SSL certificates in the
registry. Modified the scripts ssl-cert and ssl-google-cert-catalog to take
advantage of this change. [Patrik]
o [NSE] Added host based registry, which allows scripts to share data between
scripts scanning a specific host. [Patrik]
o [NSE] Applied patch from Andrew Orr that fixes the recent changes in the
BitCoin protocol. [Patrik]
o [NSE] Added a Network Data Management Protocol (ndmp) library and the
scripts:
+ ndmp-version - retrieves version information
+ ndmp-fs-info - retrieves information about remote filesystems
[Patrik]
o [NSE] Added the script http-vuln-cve2010-2861 to detect the Cold Fusion
CVE-2010-2861 directory traversal vulnerability. [Micah Hoffman]
o [NSE] Added support for edns-client-subnet requests to the DNS library and
the script dns-client-subnet-scan that scans for addresses resolved from
different subnets. [John Bond]
o [NSE] Added support for decoding EIGRP broadcasts from Cisco routers
to broadcast-listener. [Tom]
o [NSE] Added redirect support to the http library. All calls to http.get and
http.head now transparently handle any HTTP redirects. [Patrik]
o [NSE] Added asn-to-prefix.nse by John Bond, to convert AS numbers to
IP address ranges and optionally scan them.
o [NSE] Modified the sql-injection script to use the httpspider library.
[Lauri Kokkonen]
o [NSE] Added a rsync library and two new script:
+ rsync-list-modules - list available rsync modules
+ rsync-brute - attempts to brute force passwords against a rsync module
[Patrik]
o Added --with-apr and --with-subversion configuration options to
support systems where those libraries aren't in the usual places.
[David]
o [NSE] Added voldemort-info, that retrieves cluster and store information
from the Voldemort distributed key-value store. [Patrik]
o [NSE] Added http-qnap-nas-info, that retrieves the model, firware version,
and enabled services from a QNAP Network Attached Storage (NAS) device.
[Brendan Coles]
o [NSE] Fixed a bunch of global access errors in various libraries reported by
the nse_check_globals script. [Patrik]
o [NSE] Added url-snarf. The script sniffs the network for URLs in HTTP
traffic and prints the URL together with the originating IP. [Patrik]
o [NSE] Added http-auth-finder. The scripts spiders a site looking for URLs
requiring form- or HTTP-based authentication. [Patrik]
o Fixed an assertion failure which could occur when connecting to an
SSL server:
nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
Thanks to Ron for reporting the bug and testing. [Henri]
o [NSE] Added cccam-version.nse. It detects the CCcam TV card sharing
system. [David]
o [NSE] Added the scripts xdmcp-discover, broadcast-xdmcp-discover and the
X Display Manager Control Protocol (xdmcp) library. The scripts discover
hosts either using unicast or broadcast and try to detect supported
authentication and authorization mechanisms. [Patrik]
o Audited the nmap-service-probes database to remove all unused
captures, fixing dozens of bugs with captures either being ignored
or two fields erroneously using the same capture. This was done by
Lauri Kokkonen, David Fifield, and Rob Nicholls.
o [NSE] Added script iax2-brute and supporting IAX2 library that performs
brute-force password guessing against the Asterisk IAX2 protocol. [Patrik]
o Added service probe for the Erlang Port Mapper Daemon. [Patrik]
o [NSE] Added script broadcast-dhcp6-discover and supporting DHCPv6 library.
The script retrieves and prints an IPv6 address and some of the DHCP6
options. [Patrik]
o IPv6 OS detection now includes a novelty detection phase that avoids
printing a match when an observed fingerprint is too different from
fingerprints seen before. As the OS database is still small, this
will help not to make what is essentially a wild guess when seeing a
new operating system. [David]
o [NSE] Added script dns-srv-enum that enumerates DNS service records for a
given domain. [Patrik]
o [NSE] Added script nessus-xmlrpc-brute that performs brute force password
guessing against the Nessus web GUI. [Patrik]
o [NSE] Added script dns-nsid by John Bond, that retrieves name server ID and
version information.
o [NSE] Applied patch to DNS library by John Bond that adds support for the
CHAOS class and NSID requests.
o [NSE] Changed the dnsbl library to take a threaded approach into querying
DNSBL provides drastically improving performance. [Patrik]
o [NSE] Applied patch from Duarte Silva to dnsbl adding new services and the
ATTACK category. [Duarte Silva]
o [NSE] Added broadcast-ripng-discover that discovers IPv6 RIPng routers and
displays their routing information. [Patrik]
o [NSE] Made gathered CPE codes available to NSE. [Henri]
o [NSE] Fixed a memory leak in PortList::setServiceProbeResults() noticed and
reported by David. The leak was triggered by set_port_version calls from NSE.
[Henri]
o [NSE] Added http-generator.nse by Michael Kohl, which gets version
information for web applications that set the "generator" meta
element.
o [NSE] Added the script broadcast-pppoe-discover that discovers PPPoE servers
on the LAN using the PPPoE Discovery Protocol. [Patrik]
o [NSE] Added the script membase-brute that performs password brute force
password guessing against the Membase TAP protocol. [Patrik]
o [NSE] Added the script membase-http-info that retrieves information from the
Couchbase distributed key-value pair server. [Patrik]
o [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
could cause responses to be missed on fast networks. It was noticed
by Vasiliy Kulikov. [David]
o Added IPv6 support to firewalk.nse. [Henri]
o Fixed a bug in reverse name resolution: a name of "." would leave
the hostname unintialized, which would manifest as
Illegal character(s) in hostname -- replacing with '*'
errors. [Gisle Vanem]
o Merged nsock-engines from nmap-exp. This rewrite of the nsock library adds
support for system-specific scalable IO notification facilities without
breaking portability. This initial version comes with an epoll(7)-based engine
for Linux and a select(2)-based fallback engine for all other operating
systems. [Henri]
o Added probe and matchline for Couchbase Membase NoSQL database [Patrik]
o Added the new --script-args-file option which allows you to specify
the name of a file containing all of your desired NSE script
arguments. The arguments may be separated with commas or newlines
and may be overridden by arguments specified on the command-line
with --script-args. [Daniel Miller]
o [NSE] Added the script http-vuln-cve2009-3960 that detects and exploits the
CVE 2009-3960 XML injection vulnerability in Adobe products. [Hani
Benhabiles]
o Added two new probes for the Basho Riak PBC and Tarantool protocols.
[Patrik]
o [NSE] Added a natpmp library and the script nat-pmp-mapport that allows
NAT mapping of external TCP and UDP ports to internal addresses. [Patrik]
o [NSE] Added the script riak-http-info that lists version and statistics
information from the Basho Riak distributed database. [Patrik]
o [NSE] Added the script memcached-info that lists version and statistics
information from the distributed memory object caching service memcached
[Patrik]
o [NSE] Added the script redis-info that lists version and statistic
information gathered from the Redis network key-value store. [Patrik]
o [NSE] Added the redis library and the script redis-brute that performs brute
force password guessing against the Redis network key-value store. [Patrik]
o [NSE] Added the script http-proxy-brute that performs brute force password
guessing against HTTP proxy servers. [Patrik]
o [NSE] Added the script socks-auth-info that lists supported SOCKS 5
authentication mechanisms. [Patrik]
o [NSE] Added the script socks-brute that performs brute force password
guessing against SOCKS 5 servers. [Patrik]
o [NSE] Added the script vmauthd-brute that performs brute force password
guessing against the VMware authentication daemon. [Patrik]
Nmap 5.61TEST4 [2012-01-02]
o [NSE] Added a new httpspider library which is used for recursively
crawling web sites for information. New scripts using this
functionality include http-backup-finder, http-email-harvest,
http-grep, http-open-redirect, and http-unsafe-output-escaping. See
http://nmap.org/nsedoc/ or the list later in this file for details
on these. [Patrik]
o Our Mac OS X packages are now x86-only (rather than universal),
reducing the download size from 30 MB to about 17. If you still
need a PowerPC version (Apple stopped selling those machines in
2006), you can use Nmap 5.51 or 5.61TEST2 from
http://nmap.org/dist/?C=M&O=D.
o We set up a new SVN server for the Nmap codebase. This one uses SSL
for better security, WebDAV rather than svnserve for greater
functionality, is hosted on a faster (virtual) machine, provides
Nmap code history back to 1998 rather than 2005, and removes the
need for the special "guest" username. The new server is at
https://svn.nmap.org. More information:
http://seclists.org/nmap-dev/2011/q4/504.
o [NSE] Added a vulnerability management library (vulns.lua) to store and to
report discovered vulnerabilities. Modified these scripts to use
the new library:
- ftp-libopie.nse
- http-vuln-cve2011-3192.nse
- ftp-vuln-cve2010-4221.nse
- ftp-vsftpd-backdoor.nse
- smtp-vuln-cve2011-1720.nse
- smtp-vuln-cve2011-1764.nse
- afp-path-vuln.nse
[Djalal, Henri]
o [NSE] Added a new script force feature. You can force scripts to
run against target ports (even if the "wrong" service is detected)
by placing a plus in front of the script name passed to --script.
See
http://nmap.org/book/nse-usage.html#nse-script-selection. [Martin
Swende]
o [NSE] Added 51(!) NSE scripts, bringing the total up to 297. They
are all listed at http://nmap.org/nsedoc/, and the summaries are
below (authors listed in brackets):
+ amqp-info gathers information (a list of all server properties)
from an AMQP (advanced message queuing protocol)
server. [Sebastian Dragomir]
+ bitcoin-getaddr queries a Bitcoin server for a list of known
Bitcoin nodes. [Patrik Karlsson]
+ bitcoin-info extracts version and node information from a Bitcoin
server [Patrik Karlsson]
+ bitcoinrpc-info obtains information from a Bitcoin server by
calling <code>getinfo</code> on its JSON-RPC interface. [Toni
Ruottu]
+ broadcast-pc-anywhere sends a special broadcast probe to discover
PC-Anywhere hosts running on a LAN. [Patrik Karlsson]
+ broadcast-pc-duo discovers PC-DUO remote control hosts and
gateways running on the LAN. [Patrik Karlsson]
+ broadcast-rip-discover discovers hosts and routing information
from devices running RIPv2 on the LAN. It does so by sending a
RIPv2 Request command and collects the responses from all devices
responding to the request. [Patrik Karlsson]
+ broadcast-sybase-asa-discover discovers Sybase Anywhere servers on
the LAN by sending broadcast discovery messages. [Patrik Karlsson]
+ broadcast-wake-on-lan wakes a remote system up from sleep by
sending a Wake-On-Lan packet. [Patrik Karlsson]
+ broadcast-wpad-discover Retrieves a list of proxy servers on the
LAN using the Web Proxy Autodiscovery Protocol (WPAD). [Patrik
Karlsson]
+ dns-blacklist checks target IP addresses against multiple DNS
anti-spam and open proxy blacklists and returns a list of services
where the IP has been blacklisted. [Patrik Karlsson]
+ dns-zeustracker checks if the target IP range is part of a Zeus
botnet by querying ZTDNS @ abuse.ch. [Mikael Keri]
+ ganglia-info retrieves system information (OS version, available
memory, etc.) from a listening Ganglia Monitoring Daemon or
Ganglia Meta Daemon. [Brendan Coles]
+ hadoop-datanode-info discovers information such as log directories
from an Apache Hadoop DataNode HTTP status page. [John R. Bond]
+ hadoop-jobtracker-info retrieves information from an Apache Hadoop
JobTracker HTTP status page. [John R. Bond]
+ hadoop-namenode-info retrieves information from an Apache Hadoop
NameNode HTTP status page. [John R. Bond]
+ hadoop-secondary-namenode-info retrieves information from an
Apache Hadoop secondary NameNode HTTP status page. [John R. Bond]
+ hadoop-tasktracker-info retrieves information from an Apache
Hadoop TaskTracker HTTP status page. [John R. Bond]
+ hbase-master-info retrieves information from an Apache HBase
(Hadoop database) master HTTP status page. [John R. Bond]
+ hbase-region-info retrieves information from an Apache HBase
(Hadoop database) region server HTTP status page. [John R. Bond]
+ http-apache-negotiation checks if the target http server has
mod_negotiation enabled. This feature can be leveraged to find
hidden resources and spider a web site using fewer requests. [Hani
Benhabiles]
+ http-backup-finder Spiders a website and attempts to identify
backup copies of discovered files. It does so by requesting a
number of different combinations of the filename (e.g. index.bak,
index.html~, copy of index.html). [Patrik Karlsson]
+ http-cors tests an http server for Cross-Origin Resource Sharing
(CORS), a way for domains to explicitly opt in to having certain
methods invoked by another domain. [Toni Ruottu]
+ http-email-harvest spiders a web site and collects e-mail
addresses. [Patrik Karlsson]
+ http-grep spiders a website and attempts to match all pages and
urls against a given string. Matches are counted and grouped per
url under which they were discovered. [Patrik Karlsson]
+ http-method-tamper tests whether a JBoss target is vulnerable to
jmx console authentication bypass (CVE-2010-0738). [Hani
Benhabiles]
+ http-open-redirect spiders a website and attempts to identify open
redirects. Open redirects are handlers which commonly take a URL
as a parameter and responds with a http redirect (3XX) to the
target. [Martin Holst Swende]
+ http-put uploads a local file to a remote web server using the
HTTP PUT method. You must specify the filename and URL path with
NSE arguments. [Patrik Karlsson]
+ http-robtex-reverse-ip Obtains up to 100 forward DNS names for a
target IP address by querying the Robtex service
(http://www.robtex.com/ip/). [riemann]
+ http-unsafe-output-escaping spiders a website and attempts to
identify output escaping problems where content is reflected back
to the user. [Martin Holst Swende]
+ http-vuln-cve2011-3368 tests for the CVE-2011-3368 (Reverse Proxy
Bypass) vulnerability in Apache HTTP server's reverse proxy
mode. [Ange Gutek, Patrik Karlsson"]
+ ipv6-node-info obtains hostnames, IPv4 and IPv6 addresses through
IPv6 Node Information Queries. [David Fifield]
+ irc-botnet-channels checks an IRC server for channels that are
commonly used by malicious botnets. [David Fifield, Ange Gutek]
+ irc-brute performs brute force password auditing against IRC
(Internet Relay Chat) servers. [Patrik Karlsson]
+ krb5-enum-users discovers valid usernames by brute force querying
likely usernames against a Kerberos service. [Patrik Karlsson]
+ maxdb-info retrieves version and database information from a SAP
Max DB database. [Patrik Karlsson]
+ metasploit-xmlrpc-brute performs brute force password auditing
against a Metasploit RPC server using the XMLRPC protocol. [Vlatko
Kosturjak]
+ ms-sql-dump-hashes Dumps the password hashes from an MS-SQL server
in a format suitable for cracking by tools such as
John-the-ripper. In order to do so the user needs to have the
appropriate DB privileges. [Patrik Karlsson]
+ nessus-brute performs brute force password auditing against a
Nessus vulnerability scanning daemon using the NTP 1.2
protocol. [Patrik Karlsson]
+ nexpose-brute performs brute force password auditing against a
Nexpose vulnerability scanner using the API 1.1. [Vlatko
Kosturjak]
+ openlookup-info parses and displays the banner information of an
OpenLookup (network key-value store) server. [Toni Ruottu]
+ openvas-otp-brute performs brute force password auditing against a
OpenVAS vulnerability scanner daemon using the OTP 1.0
protocol. [Vlatko Kosturjak]
+ reverse-index creates a reverse index at the end of scan output
showing which hosts run a particular service. [Patrik Karlsson]
+ rexec-brute performs brute force password auditing against the
classic UNIX rexec (remote exec) service. [Patrik Karlsson]
+ rlogin-brute performs brute force password auditing against the
classic UNIX rlogin (remote login) service. [Patrik Karlsson]
+ rtsp-methods determines which methods are supported by the RTSP
(real time streaming protocol) server. [Patrik Karlsson]
+ rtsp-url-brute attempts to enumerate RTSP media URLS by testing
for common paths on devices such as surveillance IP
cameras. [Patrik Karlsson]
+ telnet-encryption determines whether the encryption option is
supported on a remote telnet server. Some systems (including
FreeBSD and the krb5 telnetd available in many Linux
distributions) implement this option incorrectly, leading to a
remote root vulnerability. [Patrik Karlsson, David Fifield,
Fyodor]
+ tftp-enum enumerates TFTP (trivial file transfer protocol) filenames by testing
for a list of common ones. [Alexander Rudakov]
+ unusual-port compares the detected service on a port against the
expected service for that port number (e.g. ssh on 22, http on 80)
and reports deviations. An early version of this same idea was
written by Daniel Miller. [Patrik Karlsson]
+ vuze-dht-info retrieves some basic information, including protocol
version from a Vuze filesharing node. [Patrik Karlsson]
o [NSE] Added some new protocol libraries
+ amqp (advanced message queuing protocol) [Sebastian Dragomir]
+ bitcoin crypto currency [Patrik Karlsson
+ dnsbl for DNS-based blacklists [Patrik Karlsson
+ rtsp (real time streaming protocol) [Patrik Karlsson]
+ httpspider and vulns have separate entries in this CHANGELOG
o Nmap now includes a nmap-update program for obtaining the latest
updates (new scripts, OS fingerprints, etc.) The system is
currently only available to a few developers for testing, but we
hope to enable a larger set of beta testers soon. [David]
o On Windows, the directory <HOME>\AppData\Roaming\nmap is now
searched for data files. This is the equivalent of $HOME/.nmap on
POSIX. [David]
o Improved OS detection performance by scaling congestion control
increments by the response rate during OS scan, just as was done
for port scan before. [David]
o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all
interfaces by default. They show the MAC address and interface name
now too. [David, Daniel Miller]
o Added some new version detection probes:
+ MongoDB service [Martin Holst Swende]
+ Metasploit XMLRPC service [Vlatko Kosturjak]
+ Vuze filesharing system [Patrik]
+ Redis key-value store [Patrik]
+ memcached [Patrik]
+ Sybase SQL Anywhere [Patrik]
+ VMware ESX Server [Aleksey Tyurin]
+ TCP Kerberos [Patrik]
+ PC-Duo [Patrik]
+ PC Anywhere [Patrik]
o Targets requiring different source addresses now go into different
hostgroups, not only for host discovery but also for port scanning.
Before, only responses to one of the source addresses would be
processed, and the others would be ignored. [David]
o Tidied up the version detection DB (nmap-service-probes) with a new
cleanup/canonicalization program sv-tidy. In particular, this:
- Removes excess whitespace
- Sorts templates in the order m p v i d o h cpe:
- Canonicalizes template delimiters in the order: / | % = @ #.
[David]
o The --exclude and --excludefile options for excluding targets can
now be used together. [David]
o [NSE] Added support for detecting whether a http connection was established
using SSL or not to the http.lua library [Patrik]
o [NSE] Added local port to BPF filter in snmp-brute to fix bug that would
prevent multiple scripts from receiving the correct responses. The bug was
discovered by Brendan Bird. [Patrik]
o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request
to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code
from dhcp-discover and placed the script into the discovery and safe
categories. Added support for adding options to DHCP requests and
cleaned up some code in the dhcp library. [Patrik]
o [NSE] Applied patch to snmp-brute that solves problems with handling
errors that occur during community list file parsing. [Duarte
Silva]
o [NSE] Added new fingerprints to http-enum for:
- Subversion, CVS and Apache Archiva [Duarte Silva]
- DVCS systems Git, Mercurial and Bazaar [Hani Benhabiles].
o [NSE] Applied some code cleanup to the snmp library. [Brendan Byrd]
o [NSE] Fixed an undeclared variable bug in snmp-ios-config [Patrik]
o [NSE] Add additional version information to Mongodb scripts [Martin
Swende]
o [NSE] Added path argument to the http-auth script and update the
script to use stdnse.format_output. [Duarte Silva, Patrik]
o [NSE] Fixed bug in the http library that would fail to parse
authentication headers if no parameters were present. [Patrik]
o Made a syntax change in the zenmap.desktop file for compliance with
the XDG standard. [Frederik Schwarzer]
o [NSE] Replaced a number of GET requests to HEAD in http-
fingerprints.lua. HEAD is quicker and sufficient when no matching
is performed on the returned contents. [Hani Benhabiles]
o [NSE] Added support for retrieving SSL certificates from FTP
servers. [Matt Selsky]
o [Nping] The --safe-payloads option is now the default. Added
--include-payloads for the special situations where payloads are
needed. [Colin Rice]
o [NSE] Added new functionality and fixed some bugs in the brute library:
- Added support for restricting the number of guesses performed by the
brute library against users, to prevent account lockouts.
- Added support to guess the username as password. The documentation
previously suggested (wrongly) that this was the default behavior.
- Added support to guess an empty string as password if not
present in the dictionary. [Patrik]
o [NSE] Re-enabled support for guessing the username in addition to password
that was incorrectly removed from the metasploit-xmlrpc-brute in previous
commit. [Patrik]
o [NSE] Fixed bug that would prevent brute scripts from running if no service
field was present in the port table. [Patrik]
o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
finds packets not only from or to the scanning host. [David]
o The Zenmap topology display feature is now disabled when there are
more than 1,000 target hosts. Those topology maps slow down the
interface and are generally too crowded to be of much use.
o [NSE] Modified the http library to support servers that don't return valid
chunked encoded data, such as the Citrix XML service. [Patrik]
o [NSE] Fixed a bug where the brute library would not abort even after all
retries were exhausted [Patrik]
o Fixed a bug in the IPv6 OS probe called NI. The Node Information
Query didn't include the target address as the payload, so at least
OS X didn't respond. This differed from the probe sent by the
ipv6fp.py program from which some of our fingerprints were derived.
[David]
o [NSE] Fixed an error in the mssql library that was causing the
broadcast-ms-sql-discover script to fail when trying to update port version
information. [Patrik]
o [NSE] Added the missing broadcast category to the broadcast-listener script.
[Jason DePriest]
o [NSE] Made changes to the categories of the following scripts (new
categories shown) [Duarte Silva]:
- http-userdir-enum.nse (auth,intrusive)
- mysql-users.nse (auth,intrusive)
- http-wordpress-enum.nse (auth,intrusive,vuln)
- krb5-enum-users.nse (auth,intrusive)
- snmp-win32-users.nse (default,auth,safe)
- smtp-enum-users.nse (auth,external,intrusive)
- ncp-enum-users.nse (auth,safe)
- smb-enum-users.nse (auth,intrusive)
o Made nbase compile with the clang compiler that is a part of Xcode
4.2. [Daniel J. Luke]
o [NSE] Fix a nil table index bug discovered in the mongodb
library. [Thomas Buchanan]
o [NSE] Added XMPP support to ssl-cert.nse.
o [NSE] Made http-wordpress-enum.nse able to get names of users who
have no posts. [Duarte Silva]
o Increased hop distance estimates from OS detection by one. The
distance now counts the number of hops including the final one to
the target, not just the number of intermediate nodes. The IPv6
distance calculation already worked this way. [David]
Nmap 5.61TEST2 [2011-09-30]
o Added IPv6 OS detection system! The new system utilizes many tests
similar to IPv4, and also some IPv6-specific ones that we found to
be particularly effective. And it uses a machine learning approach
rather than the static classifier we use for IPv4. We hope to move
some of the IPv6 innovations back to our IPv4 system if they work
out well. The database is still very small, so please submit any
fingerprints that Nmap gives you to the specified URL (as long as
you are certain that you know what the target system is
running). Usage and results output are basically the same as with
IPv4, but we will soon document the internal mechanisms at
http://nmap.org/book/osdetect.html, just as we have for IPv4. For an
example, try "nmap -6 -O scanme.nmap.org". [David, Luis]
o [NSE] Added 3 scripts, bringing the total to 246! You can learn
more about them at http://nmap.org/nsedoc/. Here they are (authors
listed in brackets):
+ lltd-discovery uses the Microsoft LLTD protocol to discover hosts
on a local network. [Gorjan Petrovski]
+ ssl-google-cert-catalog queries Google's Certificate Catalog for
the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]
+ quake3-info extracts information from a Quake3-like game
server. [Toni Ruottu]
o Improved AIX support for raw scans. This includes some patches
originally written by Peter O'Gorman and Florian Schmid. It also
involved various build fixes found necessary on AIX 6.1 and 7.1. See
http://nmap.org/book/inst-other-platforms.html. [David]
o Fixed Nmap so that it again compiles and runs on Solaris 10,
including IPv6 support. [David]
o [NSE] Moved our brute force authentication cracking scripts
(*-brute) from the "auth" category into a new "brute"
category. Nmap's brute force capabilities have grown tremendously!
You can see all 32 of them at
http://nmap.org/nsedoc/categories/brute.html. It isn't clear
whether dns-brute should be in the brute category, so for now it
isn't. [Fyodor]
o Made the interface gathering loop work on Linux when an interface
index is more than two digits in /proc/sys/if_inet6. Joe McEachern
tracked down the problem and provided the fix.
o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always return two values
(status, response) and replaced the workaround in asn-query.nse by the proper
use. [Henri]
o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
Patch by Sebastian Dragomir.
o Updated nmap-mac-prefixes to include the latest IEEE assignments
as of 2011-09-29.
Nmap 5.61TEST1 [2011-09-19]
o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
output for OS and service versions. This is a standard way to
identify operating systems and applications so that Nmap can
better interoperate with other software. Nmap's own (generally more
comprehensive) taxonomy/classification system is still supported as
well. Some OS and version detection results don't have CPE entries
yet. CPE entries show up in normal output with the headings "OS
CPE:" and "Service Info:":
OS CPE: cpe:/o:linux:kernel:2.6.39
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
These also appear in XML output, which additionally has CPE entries
for service versions. [David, Henri]
o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
ARP scan. It is the default ping type for local IPv6 networks.
[Weilin]
o Integrated your latest (IPv4) OS detection submissions and
corrections until June 22. New fingerprints include Linux 3, FreeBSD
9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
3,308 fingerprints. See
http://seclists.org/nmap-dev/2011/q3/556. Please keep those
fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
well as service fingerprints, plus corrections of all types if Nmap
guess wrong.
o [NSE] Added 27 scripts, bringing the total to 243! You can learn
more about any of them at http://nmap.org/nsedoc/. Here are the new
ones (authors listed in brackets):
+ address-info shows extra information about IPv6 addresses, such as
embedded MAC or IPv4 addresses when available. [David Fifield]
+ bittorrent-discovery discovers bittorrent peers sharing a file
based on a user-supplied torrent file or magnet link. [Gorjan
Petrovski]
+ broadcast-db2-discover attempts to discover DB2 servers on the
network by sending a broadcast request to port 523/udp. [Patrik
Karlsson]
+ broadcast-dhcp-discover sends a DHCP request to the broadcast
address (255.255.255.255) and reports the results. [Patrik
Karlsson]
+ broadcast-listener sniffs the network for incoming broadcast
communication and attempts to decode the received packets. It
supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and
a few more. [Patrik Karlsson]
+ broadcast-ping sends broadcast pings on a selected interface using
raw ethernet packets and outputs the responding hosts' IP and MAC
addresses or (if requested) adds them as targets. [Gorjan
Petrovski]
+ cvs-brute performs brute force password auditing against CVS
pserver authentication. [Patrik Karlsson]
+ cvs-brute-repository attempts to guess the name of the CVS
repositories hosted on the remote server. With knowledge of the
correct repository name, usernames and passwords can be
guessed. [Patrik Karlsson]
+ ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4
backdoor reported on 2011-07-04 (CVE-2011-2523). This script
attempts to exploit the backdoor using the innocuous 'id' command
by default, but that can be changed with the 'exploit.cmd' or
'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]
+ ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in
the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal
Harouni]
+ http-awstatstotals-exec exploits a remote code execution
vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other
products based on it (CVE: 2008-3922). [Paulino Calderon]
+ http-axis2-dir-traversal Exploits a directory traversal
vulnerability in Apache Axis2 version 1.4.1 by sending a specially
crafted request to the parameter 'xsd' (OSVDB-59001). By default
it will try to retrieve the configuration file of the Axis2
service '/conf/axis2.xml' using the path '/axis2/services/' to
return the username and password of the admin account. [Paulino
Calderon]
+ http-default-accounts tests for access with default credentials
used by a variety of web applications and devices. [Paulino
Calderon]
+ http-google-malware checks if hosts are on Google's blacklist of
suspected malware and phishing servers. These lists are constantly
updated and are part of Google's Safe Browsing service. [Paulino
Calderon]
+ http-joomla-brute performs brute force password auditing against
Joomla web CMS installations. [Paulino Calderon]
+ http-litespeed-sourcecode-download exploits a null-byte poisoning
vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to
retrieve the target script's source code by sending a HTTP request
with a null byte followed by a .txt file extension
(CVE-2010-2333). [Paulino Calderon]
+ http-vuln-cve2011-3192 detects a denial of service vulnerability
in the way the Apache web server handles requests for multiple
overlapping/simple ranges of a page. [Duarte Silva]
+ http-waf-detect attempts to determine whether a web server is
protected by an IPS (Intrusion Prevention System), IDS (Intrusion
Detection System) or WAF (Web Application Firewall) by probing the
web server with malicious payloads and detecting changes in the
response code and body. [Paulino Calderon]
+ http-wordpress-brute performs brute force password auditing
against Wordpress CMS/blog installations. [Paulino Calderon]
+ http-wordpress-enum enumerates usernames in Wordpress blog/CMS
installations by exploiting an information disclosure
vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and
3.2-beta2 and possibly others. [Paulino Calderon]
+ imap-brute performs brute force password auditing against IMAP
servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
authentication. [Patrik Karlsson]
+ smtp-brute performs brute force password auditing against SMTP
servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
authentication. [Patrik Karlsson]
+ smtp-vuln-cve2011-1764 checks for a format string vulnerability in
the Exim SMTP server (version 4.70 through 4.75) with DomainKeys
Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]
+ targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to
the all-nodes link-local multicast address (ff02::1) to discover
responsive hosts on a LAN without needing to individually ping
each IPv6 address. [David Fifield, Xu Weilin]
+ targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an
invalid extension header to the all-nodes link-local multicast
address (ff02::1) to discover (some) available hosts on the
LAN. This works because some hosts will respond to this probe with
an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]
+ targets-ipv6-multicast-slaac performs IPv6 host discovery by
triggering stateless address auto-configuration (SLAAC). [David
Fifield, Xu Weilin]
+ xmpp-brute Performs brute force password auditing against XMPP
(Jabber) instant messaging servers. [Patrik Karlsson]
o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and
Babak Farroki for researching fixes.
o [NSE] The script arguments which start with a script name
(e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
unqualified arguments as well (hostname, maxfiles). This lets you
use the generic version ("hostname") when you want to affect
multiple scripts, while using the qualified version to target
individual scripts. If both are specified, the qualified version
takes precedence for that particular script. This works for library
script arguments too (e.g. you can specify 'timelimit' rather than
unpwdb.timelimit). [Paulino]
o [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to
remove the epic fail known as DigiNotar.
o Nmap now defers options parsing until it has read through all the
command line arguments. This removes the few remaining cases where
option order mattered (for example, IPv6 users previously had to
specify -6 before -S). [Shinnok]
o [NSE] Added a new default credential list for Oracle databases and
modified the oracle-brute script to make use of it. [Patrik]
o [NSE] Our Packet library (packet.lua) now handles IPv6. This is used
by the new multicast IPv6 host discovery scripts
(targets-ipv6-*). [Weilin]
o [NSE] Replaced xmpp.nse with an an overhauled version named
xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]
o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and
removed redundant multiple listings of the NULL compressor.
[Matt Selsky]
o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse.
[Gabriel Lawrence]
o [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from
displaying any output unless run in debug mode. [Patrik]
o [NSE] Added 4 more protocol libraries. You can learn more about any
of them at http://nmap.org/nsedoc/. Here are the new ones (authors
listed in brackets):
+ bittorrent supports the BitTorrent file sharing protocol [Gorjan
Petrovski]
+ cvs includes support for the Concurrent Versions System (CVS)
[Patrik Karlsson]
+ sasl provides common code for "Simple Authentication and Security
Layer" to services supporting it. The algorithms supported by the
library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal
Harouni, Patrik Karlsson]
+ xmpp handles XMPP (Jabber) IM servers [Patrik Karlsson]
o [NSE] Removed the mac-geolocation script, which relied on a Google
database to determine strikingly accurate GPS coordinates for
anyone's wireless access points (based on their MAC address). It
was very powerful. Perhaps Google decided it was too powerful, as
they discontinued the service before our script was even 2 months
old.
o [Ncat] Added an --append-output option which, when used along with
-o and/or -x, prevents clobbering (truncating) an existing
file. [Shinnok]
o Fixed RPC scan (part of -sV) to work on the 64-bit machines where
"unsigned long" is 8 bytes rather than 4. We now use the more
portable u32 in the code. [David]
o [NSE] Moved some scripts into the default category: giop-info,
vnc-info, ncp-serverinfo, smb-security-mode, and and
afp-serverinfo. [Djalal]
o Relaxed the XML DTD to allow validation of files where the verbosity
level changed during the scan. Also made a service confidence of 8
(used when tcpwrapped) or any other number between 0 and 10
legal. [Daniel Miller]
o [NSE] Fixed authentication problems in the TNS library that would prevent
authentication from working against Oracle 11.2.0.2.0 XE [Chris Woodbury]
o [NSE] Added basic query support to the Oracle TNS library so that scripts
can now make SQL queries against database servers. Also improved
support for 64-bit database servers and improved the documentation. [Patrik]
o Removed some restrictions on probe matching that, for example,
prevented a RST/ACK reply from being recognized in a NULL scan. This
was found and fixed by Matthew Stickney and Joe McEachern.
o Rearranged some characters classes in service matches to avoid any
that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
discovered this error caused by one of the match lines:
InitMatch: illegal regexp: POSIX collating elements are not supported
[Daniel Miller]
o [NSE] Added more than 100 new signatures to http-enum (many for
known vulnerabilities). They are in the categories: general,
attacks, cms, security, management and database [Paulino]
o [NSE] Updated account status text in brute force password discovery
scripts in an effort to make the reporting more consistent across
all scripts. This will have an impact on any code that parses these
values. [Tom Sellers]
o Nmap now includes the Liblinear library for large linear
classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We
are using it for the upcoming IPv6 OS detection system, and (if that
works out well) may eventually use it for IPv4 too. It uses a
three-clause BSD license.
o [NSE] Better error messages (including a traceback) are now provided
when script loading fails. [Patrick]
o [Zenmap] Prevent Zenmap from deleting ports when merging scans
results based on newer scans which did not actually scan the ports
in question. Additionally Zenmap now only updates ports with new
information if the new information uses the same protocol--not just
the same port number. [Colin Rice]
o [Ncat] Fixed a crash which would occur when --ssl-verify is combined
with -vvv on windows. [Colin Rice]
o [Nping] Added new --safe-payloads option for echo mode which causes
returned packet payloads to be zeroed to reduce privacy risks if
Nping echo server was to accidentally (or through malicious intent)
return a packet which wasn't sent by the Nping echo client. We hope
to soon make this behavior the default. [Luis]
o Fixed a bug that would make Nmap segfault if it failed to open an
interface using pcap. The bug details and patch are posted at
http://seclists.org/nmap-dev/2011/q3/365 [Patrik]
o Ncat SCTP mode now supports connection brokering
(--sctp --broker). [Shinnok]
o Consolidated a bunch of duplicate code between Ncat's listen
(ncat_listen.c) and broker (ncat_broker.c) modes to ease
maintenance. [Shinnok]
o Added a 'nostore' nse argument to the brute force library which
prevents the brute force authentication cracking scripts from
storing found credentials in the creds library (they will still be
printed in script output).
o [NSE] Fixed the nsedebug print_hex() function so it does not print an
empty line if there are no remaining characters, and improved its NSEDoc.
[Chris Woodbury].
o [Ncat] Ncat no longer blocks while an ssl handshake is taking place
or waiting to complete. This could make listening Ncat instances
unavailable to other clients because one client was taking too long
to complete the SSL handshake. Our public Ncat chat server is now
much more reliable (connect with: ncat --ssl -v chat.nmap.org).
[Shinnok]
o [NSE] Updated SMTP and IMAP libraries to support authentication
using both plain-text and the SASL library. [Patrik]
o [Zenmap] The Zenmap crash handler now instructs users to mail in
crash information to nmap-dev rather than offering to create a
Sourceforge bug tracker entry. [Colin Rice]
o [NSE] Applied patch from Chris Woodbury that adds the following
additional information to the output of smb-os-discovery: NetBIOS
computer name, NetBIOS domain name, FQDN, and forest name.
o [NSE] Updated smb-brute to add detection for valid credentials where the
target account was expired or limited by time or login host constraints.
[Tom Sellers]
o [Ncat] Ncat now supports IPV6 addresses by default without the -6 flag.
Additionally ncat listens on both ::1 and localhost when passed
-l, or any other listening mode unless a specific listening address is
supplied. [Colin Rice]
o Fixed broken XML output in the case of timed-out hosts; the
enclosing host element was missing. The fix was suggested by Rémi
Mollon.
o [NSE] Multiple ldap-brute changes by Tom Sellers: