From: <b class="gmail_sendername">Fyodor</b> <span dir="ltr">&lt;<a href="mailto:fyodor@nmap.org">fyodor@nmap.org</a>&gt;</span><br><div class="gmail_quote">Date: Mon, Aug 19, 2013 at 2:50 PM<br>Subject: Nmap 6.40 Released! New scripts, new signatures, better performance!<br>
To: Nmap Project Announcements &lt;<a href="mailto:announce@nmap.org">announce@nmap.org</a>&gt;<br><br><br>Hi Folks. It has been a while since the last stable Nmap release, but<br>
I'm pleased to release Nmap 6.40 and I think you'll consider it worth<br>
the wait! It includes 14 new NSE scripts, hundreds of new OS and<br>
service detection signatures, a new --lua-exec feature for scripting<br>
Ncat, initial support for NSE and version scanning through a chain of<br>
proxies, improved target specification, many performance enhancements<br>
and bug fixes, and much more! So many improvements, in fact, that our<br>
source code repository recently reached revision number 31337! In<br>
addition to our normal developers, this release showcases the efforts<br>
of our 3 Google Summer of Code students who have all been doing great<br>
work since June. Congratulations George, Jacek, and Yang!<br>
<br>
Nmap 6.40 source code and binary packages for Linux, Windows, and Mac<br>
are available for free download from:<br>
<br>
<a href="http://nmap.org/download.html" target="_blank">http://nmap.org/download.html</a><br>
<br>
If you find any bugs, please let us know on the Nmap dev list as<br>
described at <a href="http://nmap.org/book/man-bugs.html" target="_blank">http://nmap.org/book/man-bugs.html</a>. Here are the most<br>
important changes since 6.25:<br>
<br>
o [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat<br>
--sh-exec "lua &lt;scriptname&gt;"' and allows you to run Lua scripts with Ncat,<br>
redirecting all stdin and stdout operations to the socket connection. See<br>
<a href="http://nmap.org/book/ncat-man-command-options.html" target="_blank">http://nmap.org/book/ncat-man-command-options.html</a> [Jacek Wielemborek]<br>
<br>
o Integrated all of your IPv4 OS fingerprint submissions since January<br>
(1,300 of them). Added 91 fingerprints, bringing the new total to 4,118.<br>
Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more.<br>
Many existing fingerprints were improved. Highlights:<br>
<a href="http://seclists.org/nmap-dev/2013/q2/519" target="_blank">http://seclists.org/nmap-dev/2013/q2/519</a>. [David Fifield]<br>
<br>
o Integrated all of your service/version detection fingerprints submitted<br>
since January (737 of them)! Our signature count jumped by 273 to 8,979.<br>
We still detect 897 protocols, from extremely popular ones like http, ssh,<br>
smtp and imap to the more obscure airdroid, gopher-proxy, and<br>
enemyterritory. Highlights:<br>
<a href="http://seclists.org/nmap-dev/2013/q3/80" target="_blank">http://seclists.org/nmap-dev/2013/q3/80</a>. [David Fifield]<br>
<br>
o Integrated your latest IPv6 OS submissions and corrections. We're still<br>
low on IPv6 fingerprints, so please scan any IPv6 systems you own or<br>
administer and submit them to <a href="http://nmap.org/submit/" target="_blank">http://nmap.org/submit/</a>. Both new<br>
fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap<br>
guesses wrong) are useful. [David Fifield]<br>
<br>
o [Nsock] Added initial proxy support to Nsock. Nmap version detection<br>
and NSE can now establish TCP connections through chains of one or<br>
more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a<br>
chain of one or more proxies as the argument (example:<br>
http://localhost:8080,socks4://someproxy.example.com). Note that<br>
only version detection and NSE are supported so far (no port<br>
scanning or host discovery), and there are other limitations<br>
described in the man page. [Henri Doreau]<br>
<br>
o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446.<br>
They are all listed at <a href="http://nmap.org/nsedoc/" target="_blank">http://nmap.org/nsedoc/</a>, and the summaries are<br>
below (authors are listed in brackets):<br>
<br>
+ hostmap-ip2hosts finds hostnames that resolve to the target's IP address<br>
by querying the online database at <a href="http://www.ip2hosts.com" target="_blank">http://www.ip2hosts.com</a> (uses Bing<br>
search results) [Paulino Calderon]<br>
<br>
+ http-adobe-coldfusion-apsa1301 attempts to exploit an authentication<br>
bypass vulnerability in Adobe Coldfusion servers (APSA13-01:<br>
<a href="http://www.adobe.com/support/security/advisories/apsa13-01.html" target="_blank">http://www.adobe.com/support/security/advisories/apsa13-01.html</a>) to<br>
retrieve a valid administrator's session cookie. [Paulino Calderon]<br>
<br>
+ http-coldfusion-subzero attempts to retrieve version, absolute path of<br>
administration panel and the file 'password.properties' from vulnerable<br>
installations of ColdFusion 9 and 10. [Paulino Calderon]<br>
<br>
+ http-comments-displayer extracts and outputs HTML and JavaScript<br>
comments from HTTP responses. [George Chatzisofroniou]<br>
<br>
+ http-fileupload-exploiter exploits insecure file upload forms in web<br>
applications using various techniques like changing the Content-type<br>
header or creating valid image files containing the payload in the<br>
comment. [George Chatzisofroniou]<br>
<br>
+ http-phpmyadmin-dir-traversal exploits a directory traversal<br>
vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to<br>
retrieve remote files on the web server. [Alexey Meshcheryakov]<br>
<br>
+ http-stored-xss posts specially crafted strings to every form it<br>
encounters and then searches through the website for those strings to<br>
determine whether the payloads were successful. [George Chatzisofroniou]<br>
<br>
+ http-vuln-cve2013-0156 detects Ruby on Rails servers vulnerable to<br>
object injection, remote command executions and denial of service<br>
attacks. (CVE-2013-0156) [Paulino Calderon]<br>
<br>
+ ike-version obtains information (such as vendor and device type where<br>
available) from an IKE service by sending four packets to the host.<br>
This script tests with both Main and Aggressive Mode and sends multiple<br>
transforms per request. [Jesper Kueckelhahn]<br>
<br>
+ murmur-version detects the Murmur service (server for the Mumble voice<br>
communication client) versions 1.2.X. [Marin Maržić]<br>
<br>
+ mysql-enum performs valid-user enumeration against MySQL server using a<br>
bug discovered and published by Kingcope<br>
(<a href="http://seclists.org/fulldisclosure/2012/Dec/9" target="_blank">http://seclists.org/fulldisclosure/2012/Dec/9</a>). [Aleksandar Nikolic]<br>
<br>
+ teamspeak2-version detects the TeamSpeak 2 voice communication server<br>
and attempts to determine version and configuration information. [Marin<br>
Maržić]<br>
<br>
+ ventrilo-info detects the Ventrilo voice communication server service<br>
versions 2.1.2 and above and tries to determine version and<br>
configuration information. [Marin Maržić]<br>
<br>
o Updated the Nmap license agreement to close some loopholes and stop some<br>
abusers. It's particularly targeted at companies which distribute<br>
malware-laden Nmap installers as we caught Download.com doing last<br>
year--<a href="http://insecure.org/news/download-com-fiasco.html" target="_blank">http://insecure.org/news/download-com-fiasco.html</a>. The updated<br>
license is in all the normal places, including<br>
<a href="https://svn.nmap.org/nmap/COPYING" target="_blank">https://svn.nmap.org/nmap/COPYING</a>.<br>
<br>
o [NSE] Oops, there was a vulnerability in one of our 437 NSE scripts. If<br>
you ran the (fortunately non-default) http-domino-enum-passwords script<br>
with the (fortunately also non-default) domino-enum-passwords.idpath<br>
parameter against a malicious server, it could cause an arbitrarily named<br>
file to be written to the client system. Thanks to Trustwave researcher<br>
Piotr Duszynski for discovering and reporting the problem. We've fixed<br>
that script, and also updated several other scripts to use a new<br>
stdnse.filename_escape function for extra safety. This breaks our record<br>
of never having a vulnerability in the 16 years that Nmap has existed, but<br>
that's still a fairly good run! [David, Fyodor]<br>
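<br>
Added example (not part of Fyodor's announcement and not Nmap's own stdnse.filename_escape): the defensive pattern behind the fix above. A filename that a script takes from a remote server is untrusted data; before it is used on the client filesystem it is reduced to a single path component by percent-encoding every byte outside a small safe set, and the final path is checked to still sit inside the intended output directory. The safe character set and the base directory /tmp/nmap-out are choices made for this example.<br>

```python
import os
import re

# Bytes allowed through unchanged: ASCII letters, digits, '.', '_' and '-'.
# Everything else, including '/', '\\', NUL, other control bytes, spaces and
# non-ASCII bytes, is percent-encoded so the result is one path component.
_SAFE_BYTE = re.compile(rb"[A-Za-z0-9._-]")


def filename_escape(name):
    """Turn an untrusted string into a single, safe filename component.

    Written for this example; it is not Nmap's stdnse.filename_escape.
    """
    raw = name.encode("utf-8") if isinstance(name, str) else bytes(name)
    if not raw:
        raise ValueError("empty filename")
    out = []
    for b in raw:
        ch = bytes([b])
        out.append(ch.decode("ascii") if _SAFE_BYTE.match(ch) else "%%%02X" % b)
    escaped = "".join(out)
    # '.' and '..' pass the byte filter but name directories, not files.
    if escaped.strip(".") == "":
        escaped = escaped.replace(".", "%2E")
    return escaped


def safe_output_path(base_dir, untrusted_name):
    """Join the escaped name onto base_dir and verify the result stays inside it."""
    base = os.path.realpath(base_dir)
    candidate = os.path.realpath(os.path.join(base, filename_escape(untrusted_name)))
    # The escape already guarantees a single component; this is the second check
    # a script should keep regardless of how the name was produced.
    if os.path.dirname(candidate) != base:
        raise ValueError("refusing to write outside %s" % base)
    return candidate


if __name__ == "__main__":
    # Constructed sample: a server-supplied name carrying a traversal attempt.
    print(filename_escape("../../etc/passwd"))
    print(safe_output_path("/tmp/nmap-out", "../../etc/passwd"))
```

With the traversal string above the escaped component is ..%2F..%2Fetc%2Fpasswd, an ordinary file name inside the output directory rather than a path that climbs out of it.<br>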
<br>
o Unicast CIDR-style IPv6 range scanning is now supported, so you can<br>
specify targets such as en.wikipedia.org/120. Obviously it will take ages<br>
if you specify a huge space. For example, a /64 contains<br>
18,446,744,073,709,551,616 addresses. [David Fifield]<br>
<br>
o It's now possible to mix IPv4 range notation with CIDR netmasks in target<br>
specifications. For example, 192.168-170.4-100,200.5/16 is effectively the<br>
same as 192.168.168-170.0-255.0-255. [David Fifield]<br>
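<br>
Added example (not from the announcement or from Nmap's own target parser): an IPv4 expansion of Nmap-style target specifications that mixes octet ranges and lists with a CIDR suffix, covering the two items above. Each address produced by the range octets is expanded first and the mask is then applied to it, so 192.168-170.4-100,200.5/16 collapses to the three /16 networks 192.168.0.0/16, 192.169.0.0/16 and 192.170.0.0/16. It also gives a count without materialising the set, which is the check to run before pointing a scan at a huge space; IPv6 and hostnames are not handled here.<br>

```python
import ipaddress
import itertools


def _octet_values(spec):
    """Expand one octet of a target spec: '4-100,200' -> {4..100, 200}, '*' -> 0..255."""
    values = set()
    for part in spec.split(","):
        if part == "*":
            values.update(range(256))
        elif "-" in part:
            lo, hi = part.split("-", 1)
            values.update(range(int(lo) if lo else 0, (int(hi) if hi else 255) + 1))
        else:
            values.add(int(part))
    if not values or min(values) < 0 or max(values) > 255:
        raise ValueError("octet values must be in 0..255: %r" % spec)
    return values


def expand_networks(spec):
    """Return the set of (network_int, prefixlen) pairs a spec covers.

    Every address produced by the range/list octets is expanded first; the
    CIDR mask is then applied to each one, which collapses duplicates.
    """
    base, _, prefix = spec.partition("/")
    prefixlen = int(prefix) if prefix else 32
    if not 0 <= prefixlen <= 32:
        raise ValueError("bad prefix length in %r" % spec)
    octets = base.split(".")
    if len(octets) != 4:
        raise ValueError("expected four octets in %r" % spec)
    host_bits = 32 - prefixlen
    networks = set()
    for o1, o2, o3, o4 in itertools.product(*(sorted(_octet_values(o)) for o in octets)):
        addr = (o1 << 24) | (o2 << 16) | (o3 << 8) | o4
        networks.add(((addr >> host_bits) << host_bits, prefixlen))
    return networks


def networks_as_cidr(spec):
    """Human-readable summary of expand_networks(), sorted by address."""
    return [str(ipaddress.IPv4Network(n)) for n in sorted(expand_networks(spec))]


def target_count(spec):
    """Number of addresses named by spec, without materialising them."""
    return sum(1 << (32 - p) for _, p in expand_networks(spec))


def expand_targets(spec):
    """Every IPv4 address (as an int) named by spec; check target_count() first."""
    addrs = set()
    for net, prefixlen in expand_networks(spec):
        addrs.update(range(net, net + (1 << (32 - prefixlen))))
    return addrs


if __name__ == "__main__":
    spec = "192.168-170.4-100,200.5/16"
    print(networks_as_cidr(spec), target_count(spec))
    # The mixed form names exactly the addresses of the plain range form.
    print(expand_targets(spec) == expand_targets("192.168-170.0-255.0-255"))
```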
<br>
o Timeout script-args are now standardized to use the timespec that Nmap's<br>
command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that<br>
previously took an integer number of milliseconds will now treat that as a<br>
number of seconds if not explicitly denoted as ms. [Daniel Miller]<br>
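<br>
Added example (not from the announcement or from Nmap's stdnse library): a timespec parser in the style of Nmap's command-line arguments, plus the check a script author wants after this change. The unit set ms, s, m and h, and the bare-number-means-seconds default, follow the announcement; treating a unit-less argument as worth a warning is this example's own choice, since an old script-arg like timeout=5000 that meant milliseconds now means 5000 seconds.<br>

```python
import re

# Unit suffixes and their value in milliseconds. A bare number, with no
# suffix, is read as seconds (the 6.40 rule for script timeout arguments).
_UNITS = {"ms": 1, "s": 1000, "m": 60_000, "h": 3_600_000}
_TIMESPEC = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([a-zA-Z]*)\s*$")


def parse_timespec(text, default_unit="s"):
    """Parse '5s', '5000ms', '1h', '1.5m' or a bare number into milliseconds."""
    m = _TIMESPEC.match(str(text))
    if not m:
        raise ValueError("bad timespec: %r" % (text,))
    value, unit = m.group(1), m.group(2).lower() or default_unit
    if unit not in _UNITS:
        raise ValueError("unknown unit %r in %r" % (unit, text))
    return int(round(float(value) * _UNITS[unit]))


def script_timeout_ms(arg, default_ms):
    """Resolve a script's timeout argument; returns (milliseconds, warning).

    The warning flags the migration pitfall: an integer with no unit, which
    older scripts accepted as milliseconds, is now interpreted as seconds.
    """
    if arg is None:
        return default_ms, None
    ms = parse_timespec(arg)
    warning = None
    if re.fullmatch(r"\s*\d+(?:\.\d+)?\s*", str(arg)):
        warning = ("timeout %r has no unit and is read as %d s (%d ms); "
                   "append 'ms' if milliseconds were meant" % (arg, ms // 1000, ms))
    return ms, warning


if __name__ == "__main__":
    for arg in ("5s", "5000ms", "1h", "5000"):
        print(arg, script_timeout_ms(arg, 7000))
```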
<br>
o Nmap may now partially rearrange its target list for more efficient<br>
host groups. Previously, a single target with a different interface,<br>
or with an IP address the same as that of a target already in the<br>
group, would cause the group to be broken off at whatever size it<br>
was. Now, we buffer a small number of such targets, and keep looking<br>
through the input for more targets to fill out the current group.<br>
[David Fifield]<br>
<br>
o [Ncat] The -i option (idle timeout) now works in listen mode as well as<br>
connect mode. [Tomas Hozza]<br>
<br>
o [Ncat] Ncat now supports chained certificates with the --ssl-cert<br>
option. [Greg Bailey]<br>
<br>
o [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid<br>
receiving crosstalk from other ping programs running at the same<br>
time. [David Fifield]<br>
<br>
o [NSE] The ipOps.isPrivate library now considers the deprecated site-local<br>
prefix fec0::/10 to be private. [Marek Majkowski]<br>
<br>
o Nmap's routing table is now sorted first by netmask, then by metric.<br>
Previously it was the other way around, which could cause a very general<br>
route with a low metric to be preferred over a specific route with a<br>
higher metric.<br>
<br>
o Routes are now sorted to prefer those with a lower metric. Retrieval of<br>
metrics is supported only on Linux and Windows. [David Fifield]<br>
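<br>
Added example (not from the announcement or from Nmap's routing code): the two orderings of the two items above, applied to a constructed routing table by a first-match lookup. With metric-first ordering the low-metric default route shadows the more specific 10.1.0.0/16 entry; with netmask-first ordering the specific route wins and metric only decides between routes of equal length. The table and interface names are made up for this example.<br>

```python
import ipaddress

# Constructed routing table: (destination, metric, interface). The default
# route has the lowest metric; the more specific routes carry higher ones.
ROUTES = [
    ("0.0.0.0/0", 10, "eth0"),
    ("10.0.0.0/8", 100, "tun0"),
    ("10.1.0.0/16", 200, "tun1"),
    ("192.168.1.0/24", 50, "wlan0"),
]


def order_metric_first(routes):
    """Pre-6.40 ordering: lowest metric wins, netmask length only breaks ties."""
    return sorted(routes, key=lambda r: (r[1], -ipaddress.ip_network(r[0]).prefixlen))


def order_netmask_first(routes):
    """6.40 ordering: most specific netmask first, lowest metric among equals."""
    return sorted(routes, key=lambda r: (-ipaddress.ip_network(r[0]).prefixlen, r[1]))


def select_route(dst, routes, order=order_netmask_first):
    """First matching entry of the ordered table, as a linear route scan does."""
    addr = ipaddress.ip_address(dst)
    for dest, _metric, iface in order(routes):
        if addr in ipaddress.ip_network(dest):
            return iface
    return None


if __name__ == "__main__":
    for dst in ("10.1.2.3", "10.9.9.9", "8.8.8.8"):
        print(dst, select_route(dst, ROUTES, order_metric_first), select_route(dst, ROUTES))
```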
<br>
o Fixed a byte-ordering problem on little-endian architectures when doing<br>
idle scan with a zombie that uses broken ID increments. [David Fifield]<br>
<br>
o Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by<br>
Gustavo Moreira. [Henri Doreau]<br>
<br>
o [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a<br>
network mask. Based on a patch by Indula Nayanamith.<br>
<br>
o [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to<br>
stay within platform limitations. Suggested by Andrey Olkhin.<br>
<br>
o Fixed IPv6 routing table alignment on NetBSD.<br>
<br>
o Fixed our NSEDoc system so the author field uses UTF-8 and we can spell<br>
people's names properly, even if they use crazy non-ASCII characters like<br>
Marin Maržić. [David Fifield]<br>
<br>
o UDP protocol payloads were added for detecting the Murmur service (a<br>
server for the Mumble voice communication client) and TeamSpeak 2 VoIP<br>
software.<br>
<br>
o [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.<br>
<br>
o Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This<br>
was reported to break on -current as of May 2013. [Giovanni Bechis]<br>
<br>
o Fixed address matching for SCTP (-PY) ping. [Marin Maržić]<br>
<br>
o Removed some non-ANSI-C strftime format strings ("%F") and<br>
locale-dependent formats ("%c") from NSE scripts and libraries.<br>
C99-specified %F was noticed by Alex Weber. [Daniel Miller]<br>
<br>
o [Zenmap] Improved internationalization support:<br>
+ Added Polish translation by Jacek Wielemborek.<br>
+ Updated the Italian translation. [Giacomo]<br>
<br>
o [Zenmap] Fixed internationalization files. Running in a language other<br>
than the default English would result in the error "ValueError: too many<br>
values to unpack". [David Fifield]<br>
<br>
o [NSE] Updated the included Liblua from version 5.2.1 to 5.2.2. [Patrick<br>
Donnelly]<br>
<br>
o [Nsock] Added a minimal regression test suite for Nsock. [Henri Doreau]<br>
<br>
o [NSE] Updated the redis-brute and redis-info scripts to work against the<br>
latest versions of redis server. [Henri Doreau]<br>
<br>
o [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]<br>
<br>
o [NSE] Updated hostmap-bfk to work with the latest version of their website<br>
(<a href="http://bfk.de" target="_blank">bfk.de</a>). [Paulino Calderon]<br>
<br>
o [NSE] Added XML structured output support to:<br>
+ xmpp-info, irc-info, sslv2, address-info [Daniel Miller]<br>
+ hostmap-bfk, hostmap-robtex, hostmap-ip2hosts. [Paulino Calderon]<br>
+ http-git.nse. [Alex Weber]<br>
<br>
o Added new service probes for:<br>
+ Erlang distribution nodes [Michael Schierl]<br>
+ Minecraft servers. [Eric Davisson]<br>
+ Hazelcast data grid. [Pavel Kankovsky]<br>
<br>
o [NSE] Rewrote telnet-brute for better compatibility with a variety of<br>
telnet servers. [nnposter]<br>
<br>
o Fixed a regression that changed the number of delimiters in machine<br>
output. [Daniel Miller]<br>
<br>
o Fixed a regression in broadcast-dropbox-listener which prevented it from<br>
producing output. [Daniel Miller]<br>
<br>
o Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports<br>
will be reported as "filtered", to be consistent with existing Connect<br>
scan results, and will have a reason of time-exceeded. DiabloHorn<br>
reported this issue via IRC. [Daniel Miller]<br>
<br>
o Added new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and<br>
changed output of some of the decoders slightly. [Patrik Karlsson]<br>
<br>
o The list of name servers on Windows now ignores those from inactive<br>
interfaces. [David Fifield]<br>
<br>
o Namespace the pipes used to communicate with subprocesses by PID, to avoid<br>
multiple instances of Ncat from interfering with each other. Patch by<br>
Andrey Olkhin.<br>
<br>
o [NSE] Changed ip-geolocation-geoplugin to use the web service's new output<br>
format. Reported by Robin Wood.<br>
<br>
o Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast<br>
connect scans could write past the end of an fd_set and cause a variety of<br>
crashes:<br>
nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int):<br>
Assertion `numSDs > 0' failed.<br>
select failed in do_one_select_round(): Bad file descriptor (9)<br>
[David Fifield]<br>
<br>
o Fixed a bug that prevented Nmap from finding any interfaces when one of<br>
them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk<br>
interfaces. However, this support is not complete since AppleTalk<br>
interfaces use different size hardware addresses than Ethernet. Nmap IP<br>
level scans should work without any problem, please refer to the<br>
'--send-ip' switch and to the following thread:<br>
<a href="http://seclists.org/nmap-dev/2013/q1/214" target="_blank">http://seclists.org/nmap-dev/2013/q1/214</a>. This bug was reported by Steven<br>
Gregory Johnson. [Daniel Miller]<br>
<br>
o [Nping] Nping on Windows now skips localhost targets for privileged pings<br>
(with an error message) because those generally don't work. [David<br>
Fifield]<br>
<br>
o [Ncat] Ncat now keeps running in connect mode after receiving EOF from the<br>
remote socket, unless --recv-only is in effect. [Tomas Hozza]<br>
<br>
o Packet trace of ICMP packets now includes the ICMP ID and sequence number<br>
by default. [David Fifield]<br>
<br>
o [NSE] Fixed various NSEDoc bugs found by David Matousek.<br>
<br>
o [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED<br>
environment variables. [Tyler Wagner]<br>
<br>
o Added an ncat_assert macro. This is similar to assert(), but remains even<br>
if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved<br>
operation with side effects outside of asserts as yet another layer of<br>
bug-prevention [David Fifield].<br>
<br>
o Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into<br>
XSL-FO, which can be converted into PDF using tools such as Apache FOP.<br>
<br>
o Increased the number of slack file descriptors not used during connect<br>
scan. Previously, the calculation did not consider the descriptors used by<br>
various open log files. Connect scans using a lot of sockets could fail<br>
with the message "Socket creation in sendConnectScanProbe: Too many open<br>
files". [David Fifield]<br>
<br>
o Changed the --webxml XSL stylesheet to point to the new location of<br>
nmap.xsl in the new repository (<a href="https://svn.nmap.org/nmap/docs/nmap.xsl" target="_blank">https://svn.nmap.org/nmap/docs/nmap.xsl</a>).<br>
It still may not work in web browsers due to same origin policy (see<br>
<a href="http://seclists.org/nmap-dev/2013/q1/58" target="_blank">http://seclists.org/nmap-dev/2013/q1/58</a>). [David Fifield, Simon John]<br>
<br>
o [NSE] The vulnerability library can now preserve vulnerability information<br>
across multiple ports of the same host. The bug was reported by<br>
iphelix. [Djalal Harouni]<br>
<br>
o Removed the undocumented -q option, which renamed the nmap process to<br>
something like "pine".<br>
<br>
o Moved the Japanese man page from man1/jp to man1/ja. JP is a country code<br>
while JA is a language code. Reported by Christian Neukirchen.<br>
<br>
o [Nsock] Reworked the logging infrastructure to make it more flexible and<br>
consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can<br>
now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David<br>
Fifield]<br>
<br>
o [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by<br>
Dhiru Kholia at <a href="http://seclists.org/nmap-dev/2012/q4/422" target="_blank">http://seclists.org/nmap-dev/2012/q4/422</a>. [David Fifield]<br>
<br>
o Made some changes to Ndiff to reduce parsing time when dealing with large<br>
Nmap XML output files. [Henri Doreau]<br>
<br>
o Clean up the source code a bit to resolve some false positive issues<br>
identified by the Parfait static code analysis program. Oracle apparently<br>
runs this on programs (including Nmap) that they ship with Solaris. See<br>
<a href="http://seclists.org/nmap-dev/2012/q4/504" target="_blank">http://seclists.org/nmap-dev/2012/q4/504</a>. [David Fifield]<br>
<br>
o [Zenmap] Fixed a crash that could be caused by opening the About dialog,<br>
using the window manager to close it, and opening it again. This was<br>
reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]<br>
<br>
o [Ncat] Made test-addrset.sh exit with nonzero status if any tests<br>
fail. This in turn causes "make check" to fail if any tests fail.<br>
[Andreas Stieger]<br>
<br>
o Fixed compilation with --without-liblua. The bug was reported by Rick<br>
Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]<br>
<br>
o Fixed CRC32c calculation (as used in SCTP scans) on 64-bit<br>
platforms. [Pontus Andersson]<br>
<br>
o [NSE] Added multicast group name output to<br>
broadcast-igmp-discovery.nse. [Vasily Kulikov]<br>
<br>
o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,<br>
SquirrelMail, RoundCube. [Jesper Kückelhahn]<br>
<br>
<br>
Enjoy the new release!<br>
<span class="HOEnZb"><font color="#888888">-Fyodor<br></font></span></div><div><br></div>-- <br><div><br></div>(503) 754-4452 Android<br>(623) 239-3392 Skype<br>(623) 688-3392 Google Voice<br>**<br><a href="http://it-clowns.com/c/" target="_blank">it-clowns.com</a><br>
Chief Clown<br>