I'm indeed giving a trip to Vegas that weekend some serious thought =) BTW I bought Fyodor's Nmap book and love it.

Ben

On Sun, Jul 18, 2010 at 6:32 AM, Lisa Kachold wrote:
> Oops, I did it.  I read the list of presentations, so now I HAVE to go to
> Defcon 18:
>
> https://www.defcon.org/html/defcon-18/dc-18-news.html
>
> Who else is going?
>
> ---------- Forwarded message ----------
> From: Fyodor
> Date: Fri, Jul 16, 2010 at 10:50 AM
> Subject: Nmap Defcon Release: Version 5.35DC1
> To: nmap-hackers@insecure.org
>
> Hi folks.  It has been 3.5 months since the last Nmap release
> (5.30BETA1 on March 29), and anyone following the nmap-dev list knows
> that we've been very busy during that time.  So I'm pleased to release
> Nmap version 5.35DC1 containing the fruits of that labor.  The Defcon
> name is because that conference is awesome!  And also because David
> Fifield and I have an exciting Nmap talk planned there and at Black
> Hat in a couple weeks (see http://seclists.org/nmap-dev/2010/q3/108).
>
> This release includes 131 NSE scripts (17 new), 6,622 version
> detection signatures, 2,608 OS fingerprints, and more.  I'm
> particularly excited about the new db2 and ms-sql scripts, and nfs-ls
> really makes NFS discovery easy!  We also added Eugene Alexeev's
> clever new dns-cache-snoop script.  Nping and Ncat were significantly
> improved as well.
>
> The Nmap 5.35DC1 source code and packages for Linux, Mac OS X, and
> Windows are available for download at the usual place:
>
> http://nmap.org/download.html
>
> This is a BETA release, but we hope it works well for you. If not (or
> if you have any suggestions for improvement), please let us know on
> nmap-dev as described at http://nmap.org/book/man-bugs.html.
>
> Here are the 83 most significant changes in this release:
>
> o [NSE] Added 17 scripts, bringing the total to 131!
>  They are described individually in the CHANGELOG, but here is the list of new
>  ones:
>   afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie,
>   http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
>   ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
>   ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls, ntp-monlist
>  Learn more about any of these at: http://nmap.org/nsedoc/
>
> o Performed a major OS detection integration run. The database has
>  grown to 2,608 fingerprints (an increase of 262) and many of the
>  existing fingerprints were improved. These include the Apple iPad
>  and Cisco IOS 15.X devices. We also received many fingerprints for
>  ancient Microsoft systems including MS-DOS with MS Networking Client
>  3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
>  integration work at http://seclists.org/nmap-dev/2010/q2/283.
>
> o Performed a large version detection integration run. The number of
>  signatures has grown to 6,622 (an increase of 279). New signatures
>  include a remote administrative backdoor that a school famously used
>  to spy on its students, an open source digital currency scheme named
>  Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
>  Frozen Bubble. You can read David's highlights at
>  http://seclists.org/nmap-dev/2010/q2/385.
>
> o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
>  attributes. The nfs-acls and nfs-dirlist scripts were deleted
>  because all their features are supported by this script. [Djalal]
>
> o [NSE] Add new DB2 library and two scripts
>  - db2-brute.nse uses the unpwdb library to guess credentials for DB2
>  - db2-info.nse re-write of Tom Sellers' script to use the new library
>  [Patrik]
>
> o [NSE] Added a library for Microsoft SQL Server and 7 new scripts.
>  The new scripts are:
>  - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
>  - ms-sql-config retrieves various configuration details from the server
>  - ms-sql-empty-password checks if the sa account has an empty password
>  - ms-sql-hasdbaccess lists database access per user
>  - ms-sql-query adds support for running custom queries against the database
>  - ms-sql-tables lists databases, tables, columns and datatypes with optional
>    keyword filtering
>  - ms-sql-xp-cmdshell adds support for OS command execution to privileged
>    users
>  [Patrik]
>
> o [NSE] Added the afp-serverinfo script that gets a hostname, IP
>  addresses, and other configuration information from an AFP server.
>  The script, and a patch to the afp library, were contributed by
>  Andrew Orr and subsequently enhanced by Patrik and David.
>
> o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
>  The Windows RAS RPC service vulnerability MS06-025
>  (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
>  and the Windows DNS Server RPC vuln MS07-029
>  (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
>  Note that these are only run if you specify the "unsafe" script arg
>  because the implemented test crashes vulnerable services. [Drazen]
>
> o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
>  cache snooping by either sending non-recursive queries or by measuring
>  response times.
>
> o [Zenmap] Added the ability to print Nmap output to a
>  printer. [David]
>
> o [Nmap, Ncat, Nping] The default unit for time specifications is now
>  seconds, not milliseconds, and times may have a decimal point. 1000
>  now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
>  Floating point values such as 1.5 are now allowed.
>  This affects the following options:
>  Nmap:
>    --host-timeout
>    --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
>    --scan-delay --max-scan-delay
>    --stats-every
>  Ncat:
>    -d --delay
>    -i --idle-timeout
>    -w --wait
>  Nping:
>    --delay
>    --host-timeout
>    --icmp-orig-time --icmp-recv-time --icmp-trans-time
>  Some sanity checks have been added to catch what looks like an
>  attempt to use the old millisecond defaults. For example,
>  --host-timeout 10000 yields
>    Since April 2010, the default unit for --host-timeout is seconds,
>    so your time of "10000" is 2.8 hours. If this is what you want,
>    use "10000s".
>    QUITTING!
>  You can always disable the warning by giving an explicit unit.
>
> o [NSE] Scripts which take an argument for a time duration can now
>  have the duration be a number followed by a unit, like elsewhere in
>  Nmap. An example is "10m" for 10 minutes. The units understood are
>  "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
>  hours.  Seconds are the default if no unit is specified. The new
>  function stdnse.parse_timespec does the parsing of these
>  formats. The qscan.delay script argument, which formerly interpreted
>  its argument as being in milliseconds, now defaults to seconds;
>  append "ms" to continue using the same numbers. [David]
>
> o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
>  that was in UnrealIRCd source code distributions between November
>  2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
>  [Vlatko Kosturjak, Ron, David]
>
> o Ports are now considered open during a SYN scan if a SYN packet
>  (without the ACK flag) is received in response. This can be due to
>  an extremely rare TCP feature known as a simultaneous open or split
>  handshake connection. See http://bit.ly/tcp-sh and
>  http://seclists.org/nmap-dev/2010/q2/723.
>  [Jah]
>
> o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
>  single connection and then exit, just like in normal listen mode.
>  Use the --keep-open option to get the old default inetd-like
>  behavior. This was suggested by David Millis. [David]
>
> o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
>  off-by-one stack overflow vulnerability in libopie by giving the FTP
>  service an overly long name. See
>  http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
>  details.
>
> o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
>  client hosts associated with a scanned target by sending NTPv2
>  Private Mode 'monitor' and 'peers' commands to the target. [Jah]
>
> o [NSE] Added http-php-version.nse from Gutek. This script retrieves
>  version-specific pages through a couple of magic PHP queries, which
>  can identify the PHP version even when a server doesn't advertise
>  it.
>
> o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
>  servers. Added a new category - fuzzer - for scripts like this.
>  [Michael Pattrick]
>
> o David made many improvements to the NSEDoc for individual scripts,
>  including adding @output sections to scripts which didn't have them.
>  He also improved the generated HTML with features like
>  auto-generating usage strings if the scripts don't include their own
>  and allowing the giant sidebar lists of scripts/libraries to expand
>  and contract.  See http://nmap.org/nsedoc/.
>
> o UDP payloads are now stored in an external data file, nmap-payloads,
>  instead of being hard-coded in the executable. This makes it easier
>  to add your own payloads or disable those you find problematic. [Jay
>  Fink, David]
>
> o The Windows executable installer now uses LZMA compression instead
>  of zlib, making it about 15% smaller. See
>  http://seclists.org/nmap-dev/2010/q2/1011 for test results.
>  [David]
>
> o Open XML elements are now closed in case of a fatal error, so the
>  output should at least be well-formed. There are new attributes
>  "exit" and "errormsg" in the finished element. "exit" is "success"
>  or "error". When it is "error", the "errormsg" attribute contains
>  the error message. Thanks to Grant Bartlett, who found a typo in the
>  new output. [David]
>
> o Fixed name resolution in environments where gethostbyname can return
>  IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
>  would wrongly use the first four bytes of the IPv6 address as an
>  IPv4 address. You could force this, at least on Debian, by adding
>  the line "options inet6" to /etc/resolv.conf or by running with
>  RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
>  Andersson, who also suggested the fix. [David]
>
> o Fixed the assignment of interface aliases to directly connected
>  routes on Linux, which was broken in 5.30BETA1 (it always assigned
>  the base interface instead of the alias). This was visible in the
>  host.interface variable passed to NSE scripts. The bug was reported
>  by Victor Rudnev. [David]
>
> o When Nmap is passed a hostname such as google.com which resolves to
>  several IP addresses, Nmap now prints each IP address.  It still
>  only scans the first one in the returned list. [David]
>
> o Nmap now works if you specify several target host names which
>  resolve to the same IP address.  This can be useful when you are
>  scanning virtual-hosted web servers and want to see NSE results
>  specific to each site name even though they reside on the same
>  machine. [David]
>
> o Made a list of current Nmap SVN committers:
>  http://nmap.org/svn/docs/committers.txt
>
> o Added a new library, libnetutil, which contains about 2,700 lines of
>  networking related code which is now shared between Nmap and Nping
>  (it was previously duplicated by each tool).
>  [Luis, David]
>
> o [NSE] http-passwd.nse now also checks for boot.ini to support
>  Windows targets. [Gutek]
>
> o Removed --interactive mode, a miniature shell whose primary purpose
>  was to hide command line arguments from the process list. It had
>  been broken (would segfault during the second scan) for at least 9
>  months and was rarely used. The fact that it was broken was reported
>  by Juan Carlos Castro. [David]
>
> o Added a version probe, match line, and UDP payload for the
>  serialnumberd service of Mac OS X Server. This service overrides
>  firewall settings to make itself visible, so it's useful for host
>  discovery. [Patrik]
>
> o Improved service detection match lines for:
>  o Oracle Enterprise Manager Agent and mupdate by Matt Selsky
>  o Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
>    Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
>    Communications Server, and Comdasys, SIParator and Glassfish SIP
>    by Patrik
>  o PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
>    HTTPd by Tom Sellers
>
> o Improved our brute force password guessing list by mixing in some
>  data sent in by Solar Designer of John the Ripper fame.
>
> o [Zenmap] IP addresses are now sorted by octet rather than their
>  string representation. For example, 10.1.1.2 is now sorted before
>  10.1.1.10. This problem was reported by Norris Carden. [David]
>
> o [NSE] Added UDP header parsing support to packet.lua. [jah]
>
> o Fixed a bug in Libpcap which led to Nmap hanging forever in some
>  cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3.  The fix was
>  actually already available in upstream Libpcap, just not released.
>  We also had to make Nmap build with its own Libpcap on 64-bit OS X
>  if an already-installed system Libpcap has this bug. [David]
>
> o Updated our Winpcap to the new 4.1.2 release. [Rob Nicholls]
>
> o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
>  level of 0.9995 was used.
>  Thanks to Marcin Hoffmann for noticing the problem. [Kris]
>
> o [libpcap] Added a --disable-packet-ring option to force the use of
>  an older, slower packet capture mechanism on Linux. Before Linux
>  2.6.27, the packet ring mechanism uses different-sized kernel
>  structures on 32- and 64-bit architectures, so a 32-bit program will
>  not run correctly on a 64-bit kernel. The older mechanism does not
>  have this flaw.
>
> o Fixed some errors in nmap-os-db, probably caused by incorrect string
>  replacement during integration. This patch is from James Cook.
>
> o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
>  allows setting the SO_BROADCAST option on sockets. Ncat now sets
>  this option unconditionally in connect mode to allow connections to
>  broadcast addresses (useful in UDP mode). [Daniel Miller]
>
> o Nmap now works with "teamed" network interfaces on Windows. In order
>  to distinguish the interfaces, their textual descriptions are now
>  compared in addition to their MAC addresses. Without this, Nmap
>  would send on the wrong interface and not receive any replies. A
>  symptom of this problem was all scans failing except when
>  --unprivileged was used. Norris Carden reported this bug. [David]
>
> o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
>  prints the connecting source port along with the IP address (when
>  verbosity is enabled). [Rebellis]
>
> o Fixed a problem where the time variable used in some port scanning
>  algorithms (for probe timeouts, etc.) could vary based on the
>  debugging level. [Kris]
>
> o Moved the parse_long function from ncat to nbase for better reuse,
>  and used it to simplify netmask parsing code. [William Pursell]
>
> o Added EPROTO to the list of known error codes in service scan. Daniel
>  Miller reported that an EPROTO was causing Nmap to exit after sending
>  the Sqlping probe during service scan. The error message was
>  "Unexpected error in NSE_TYPE_READ callback.
>  Error code: 71 (Protocol error)". We suspect this was caused by a
>  forged ICMP packet sent by an active firewall. [David]
>
> o [NSE] Improved smtp-commands.nse to work against more mail servers,
>  made it take an smtp-commands.domain script argument, and rewrote it
>  in the style of other smtp scripts. [Jason DePriest]
>
> o [NSE] Made smtp-commands run for the services smtp, smtps,
>  submission rather than just smtp.  The other smtp scripts already do
>  this. [David]
>
> o [NSE] The dns-recursion script now marks the port as open when it
>  gets a response. [Olivier M]
>
> o [Nping] A big correctness and code cleanliness audit was performed
>  which resulted in many bugs being fixed and much more code being
>  shared with Nmap rather than duplicated. A structured testing
>  script system was also created. [Luis, David]
>
> o [Nping] Now allows a --count value of zero to run almost
>  indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]
>
> o [Nping] Fixed --data argument parsing. The value passed was not
>  actually making it into outgoing packets. Reported by Tim
>  Poth. [Luis]
>
> o [Nping] When a RST packet is received in response to a connection
>  attempt in TCP-Connect mode, Nping now properly prints "Connection
>  refused" rather than "Operation now in progress". [Luis]
>
> o [Nping] Fixed a bug which caused failure when the first supplied
>  target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
>  tcpdump.com). [Luis]
>
> o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
>  and printing of packets Nping sent or which are destined for another
>  process. [Luis]
>
> o [Nping] Fixed a bug which prevented ARP replies from being displayed
>  properly.
>  [Luis]
>
> o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
>  be set in host byte order rather than proper network byte
>  order. [Luis]
>
> o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]
>
> o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
>  1.8.2. Among other changes, this fixes a segmentation fault reported
>  by some OS X 10.6.3 users.
>
> o Nsock now supports an option to remove its Pcap support.  This
>  allows the same Nsock to be shared with Nmap (which needs that
>  support) and Ncrack (which doesn't). Pcap support can be disabled by
>  specifying --disable-pcap at configure time on UNIX, or by selecting
>  the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
>  Windows.
>
> o Sped up compilation by not building both shared and static libdnet
>  libraries; we only use the static one. [David]
>
> o [NSE] Improved error handling and reporting and re-designed communication
>  class in RPC library with patch from Djalal Harouni. [Patrik]
>
> o Upgraded the included libpcap to version 1.1.1. [David]
>
> o [NSE] Add some special-use IPv4 addresses to isPrivate which are
>  described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
>  performance of isPrivate for IPv4 addresses by using ip_in_range
>  less frequently. Add an extra return value to isPrivate: when the
>  first return value is true, the second return value will now be a
>  string representing the special use assignment in which the supplied
>  address is located. [jah]
>
> o Fix compilation on OpenSolaris.  We had to make the libdnet autoconf
>  check for PF_PACKET Linux-specific.  Recent versions of OpenSolaris
>  support PF_PACKET, but not in a way which is entirely compatible
>  with the Linux approach. This problem was reported by Darren Reed. A
>  few other minor compatibility changes were made as well.
>  [David]
>
> o [NSE] Added script arguments "username" and "password" to ftp-bounce
>  to override the default anonymous:IEUser@ login combination. [Kris]
>
> o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]
>
> o [NSE] Added an snmpWalk() function to the SNMP library and updated
>  scripts to use it.  [Patrik]
>
> o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
>  nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
>  [Jah]
>
> o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.
>
> o Updated IANA IP address space assignment list for random IP (-iR)
>  generation. [Kris]
>
> o Created a new directory for storing todo lists for Nmap and related
>  projects.  You can see what we're working on and planning by
>  visiting http://nmap.org/svn/todo/.
>
> o [NSE] Removed explicit time limit checking from ms-sql-brute,
>  pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
>  library does this automatically now. [David]
>
> o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly.
>  [Patrik]
>
> o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
>  name in the MySQL library. [Kris]
>
> o Cleaned up our Winpcap header file directory, and also updated to
>  the latest files from the official developer pack
>  (WpdPack_4_1_1.zip). [Fyodor]
>
> o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
>  results for RPC programs which could not be matched to a
>  name. [Patrik]
>
> o [NSE] The ftp-anon script is now much smarter about parsing server
>  responses and detecting successful (or not) logins.  It now knows
>  how to send the ACCT command where appropriate as well. [Rob
>  Nicholls]
>
> o Normalized a bunch of version detection entries with "webserver" in
>  the description.  In most cases this was changed to "httpd".
>
> o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
>  case that one system read ends with \r and the next begins with \n
>  (should be rare). [David]
>
> o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles
>  to be 32 octets when calling the ReadDir function. The bug was reported by
>  Djalal Harouni. [Patrik]
>
> Enjoy the new release, and I hope to see you at Defcon!
> -Fyodor
>
> _______________________________________________
> Sent through the nmap-hackers mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers
> Archived at http://seclists.org/nmap-hackers/
>
> --
> Office: (480)307-8712
> AT&T: (503)754-4452
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
> ---------------------------------------------------
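Added example, not part of the thread above and not code from the Nmap project: a small Python re-implementation of the time-specification rules the 5.35DC1 announcement describes (a bare number is seconds, "ms"/"s"/"m"/"h" rescale it, decimals such as 1.5 are accepted) together with the "looks like the old millisecond default" sanity check that turns --host-timeout 10000 into a 2.8-hour warning. The announcement only gives that one example, so the threshold at which a unitless value is treated as suspicious (1000 seconds) is an assumption of this example, as is the migrate_millisecond_arg helper that shows the "append ms to keep the same numbers" advice for qscan.delay.

```python
import re
from typing import Optional, Tuple

# Seconds per unit, as the announcement lists them: ms, s, m, h.
_UNIT_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}

# An integer or decimal number, optionally followed by one of the four units.
# "ms" is tried before "m" so that "500ms" is not read as 500 minutes + "s".
_TIMESPEC_RE = re.compile(r"^\s*(\d+(?:\.\d*)?|\.\d+)\s*(ms|s|m|h)?\s*$", re.IGNORECASE)


def parse_timespec(spec: str) -> float:
    """Convert an Nmap-style time specification to seconds.

    A bare number is seconds (the post-5.35DC1 default), a trailing unit
    rescales it, and fractional values such as "1.5" are accepted.
    Raises ValueError for anything else.
    """
    m = _TIMESPEC_RE.match(spec)
    if m is None:
        raise ValueError(f"invalid time specification: {spec!r}")
    value = float(m.group(1))
    unit = (m.group(2) or "s").lower()
    if unit == "ms":
        return value / 1000.0  # divide so that "200ms" comes out as exactly 0.2
    return value * _UNIT_SECONDS[unit]


# Assumption for this example (not a value taken from Nmap): a unitless value of
# at least this many seconds is treated as a probable leftover from the old
# millisecond default and triggers the warning.
SUSPICIOUS_UNITLESS_SECONDS = 1000.0


def parse_option_time(option: str, spec: str) -> Tuple[float, Optional[str]]:
    """Parse a command-line time option and reproduce the release's sanity check.

    Returns (seconds, warning).  The warning is None when the value carries an
    explicit unit or is too small to look like old millisecond usage; otherwise
    it is the message the announcement shows Nmap printing before it quits.
    """
    seconds = parse_timespec(spec)
    has_unit = _TIMESPEC_RE.match(spec).group(2) is not None
    if has_unit or seconds < SUSPICIOUS_UNITLESS_SECONDS:
        return seconds, None
    shown = spec.strip()
    hours = seconds / 3600.0
    warning = (
        f"Since April 2010, the default unit for {option} is seconds, "
        f'so your time of "{shown}" is {hours:.1f} hours. '
        f'If this is what you want, use "{shown}s".'
    )
    return seconds, warning


def migrate_millisecond_arg(old_value: str) -> str:
    """Rewrite a script argument that used to be milliseconds (e.g. qscan.delay)
    so it keeps its old meaning under the new seconds default: append "ms"."""
    float(old_value)  # raises ValueError if the old value was not a plain number
    return old_value.strip() + "ms"


if __name__ == "__main__":
    samples = [
        ("--host-timeout", "10000"),        # old-style value: warns and would quit
        ("--host-timeout", "10000s"),       # explicit unit disables the warning
        ("--scan-delay", "1.5"),            # decimals are now allowed
        ("--max-rtt-timeout", "500ms"),
        ("qscan.delay", migrate_millisecond_arg("200")),
    ]
    for option, spec in samples:
        secs, warn = parse_option_time(option, spec)
        print(f"{option} {spec}: {secs} s")
        if warn:
            print(f"  {warn}\n  QUITTING!")
```

The regex alternation order matters: if "m" were listed before "ms", a value like "500ms" would fail to match rather than be read as milliseconds. The threshold constant is the one knob you would tune against Nmap's real behaviour; the announcement only shows that 10000 trips the check.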