Defcon 18

Lisa Kachold lisakachold at obnosis.com
Sun Jul 18 06:32:03 MST 2010


Oops, I did it.  I read the list of presentations, so now I HAVE to go to
Defcon 18:

https://www.defcon.org/html/defcon-18/dc-18-news.html

Who else is going?

---------- Forwarded message ----------
From: Fyodor <fyodor at insecure.org>
Date: Fri, Jul 16, 2010 at 10:50 AM
Subject: Nmap Defcon Release: Version 5.35DC1
To: nmap-hackers at insecure.org


Hi folks.  It has been 3.5 months since the last Nmap release
(5.30BETA1 on March 29), and anyone following the nmap-dev list knows
that we've been very busy during that time.  So I'm pleased to release
Nmap version 5.35DC1 containing the fruits of that labor.  The Defcon
name is because that conference is awesome!  And also because David
Fifield and I have an exciting Nmap talk planned there and at Black
Hat in a couple weeks (see http://seclists.org/nmap-dev/2010/q3/108).

This release includes 131 NSE scripts (17 new), 6,622 version
detection signatures, 2,608 OS fingerprints, and more.  I'm
particularly excited about the new db2 and ms-sql scripts, and nfs-ls
really makes NFS discovery easy!  We also added Eugene Alexeev's
clever new dns-cache-snoop script.  Nping and Ncat were significantly
improved as well.

The Nmap 5.35DC1 source code and packages for Linux, Mac OS X, and
Windows are available for download at the usual place:

http://nmap.org/download.html

This is a BETA release, but we hope it works well for you. If not (or
if you have any suggestions for improvement), please let us know on
nmap-dev as described at http://nmap.org/book/man-bugs.html.

Here are the 83 most significant changes in this release:

o [NSE] Added 17 scripts, bringing the total to 131! They are
 described individually in the CHANGELOG, but here is the list of new
 ones:
  afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie,
  http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
  ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
  ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls, ntp-monlist
 Learn more about any of these at: http://nmap.org/nsedoc/

o Performed a major OS detection integration run. The database has
 grown to 2,608 fingerprints (an increase of 262) and many of the
 existing fingerprints were improved. These include the Apple iPad
 and Cisco IOS 15.X devices. We also received many fingerprints for
 ancient Microsoft systems including MS-DOS with MS Networking Client
 3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
 integration work at http://seclists.org/nmap-dev/2010/q2/283.

o Performed a large version detection integration run. The number of
 signatures has grown to 6,622 (an increase of 279). New signatures
 include a remote administrative backdoor that a school famously used
 to spy on its students, an open source digital currency scheme named
 Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
 Frozen Bubble. You can read David's highlights at
 http://seclists.org/nmap-dev/2010/q2/385.

o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
 attributes. The nfs-acls and nfs-dirlist scripts were deleted
 because all their features are supported by this script. [Djalal]

o [NSE] Add new DB2 library and two scripts
 - db2-brute.nse uses the unpwdb library to guess credentials for DB2
 - db2-info.nse re-write of Tom Sellers' script to use the new library
 [Patrik]

o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
 scripts are:
 - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
 - ms-sql-config retrieves various configuration details from the server
 - ms-sql-empty-password checks if the sa account has an empty password
 - ms-sql-hasdbaccess lists database access per user
 - ms-sql-query add support for running custom queries against the database
 - ms-sql-tables lists databases, tables, columns and datatypes with
   optional keyword filtering
 - ms-sql-xp-cmdshell adds support for OS command execution to privileged
   users
 [Patrik]

o [NSE] Added the afp-serverinfo script that gets a hostname, IP
 addresses, and other configuration information from an AFP server.
 The script, and a patch to the afp library, were contributed by
 Andrew Orr and subsequently enhanced by Patrik and David.

o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
 The Windows RAS RPC service vulnerability MS06-025
 (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
 and the Windows DNS Server RPC vuln MS07-029
 (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
 Note that these are only run if you specify the "unsafe" script arg
 because the implemented test crashes vulnerable services. [Drazen]

o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
 cache snooping by either sending non-recursive queries or by measuring
 response times.

o [Zenmap] Added the ability to print Nmap output to a
 printer. [David]

o [Nmap, Ncat, Nping] The default unit for time specifications is now
 seconds, not milliseconds, and times may have a decimal point. 1000
 now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
 Floating point values such as 1.5 are now allowed.  This affects the
 following options:
 Nmap:
   --host-timeout
   --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
   --scan-delay --max-scan-delay
   --stats-every
 Ncat:
   -d --delay
   -i --idle-timeout
   -w --wait
 Nping:
   --delay
   --host-timeout
   --icmp-orig-time --icmp-recv-time --icmp-trans-time
 Some sanity checks have been added to catch what looks like an
 attempt to use the old millisecond defaults. For example,
 --host-timeout 10000 yields
   Since April 2010, the default unit for --host-timeout is seconds,
   so your time of "10000" is 2.8 hours. If this is what you want,
   use "10000s".
   QUITTING!
 You can always disable the warning by giving an explicit unit.

o [NSE] Scripts which take an argument for a time duration can now
 have the duration be a number followed by a unit, like elsewhere in
 Nmap. An example is "10m" for 10 minutes. The units understood are
 "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
 hours.  Seconds are the default if no unit is specified. The new
 function stdnse.parse_timespec does the parsing of these
 formats. The qscan.delay script argument, which formerly interpreted
 its argument as being in milliseconds, now defaults to seconds;
 append "ms" to continue using the same numbers. [David]

o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
 that was in UnrealIRCd source code distributions between November
 2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
 [Vlatko Kosturjak, Ron, David]

o Ports are now considered open during a SYN scan if a SYN packet
 (without the ACK flag) is received in response. This can be due to
 an extremely rare TCP feature known as a simultaneous open or split
 handshake connection. See http://bit.ly/tcp-sh and
 http://seclists.org/nmap-dev/2010/q2/723. [Jah]

o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
 single connection and then exit, just like in normal listen mode.
 Use the --keep-open option to get the old default inetd-like
 behavior. This was suggested by David Millis. [David]

o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
 off-by-one stack overflow vulnerability in libopie by giving the FTP
 service an overly long name. See
 http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
 details.

o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
 client hosts associated with a scanned target by sending NTPv2
 Private Mode 'monitor' and 'peers' commands to the target. [Jah]

o [NSE] Added http-php-version.nse from Gutek. This script retrieves
 version-specific pages through a couple of magic PHP queries, which
 can identify the PHP version even when a server doesn't advertise
 it.

o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
 servers. Added a new category - fuzzer - for scripts like this.
 [Michael Pattrick]

o David made many improvements to the NSEDoc for individual scripts,
 including adding @output sections to scripts which didn't have them.
 He also improved the generated HTML with features like
 auto-generating usage strings if the scripts don't include their own
 and allowing the giant sidebar lists of scripts/libraries to expand
 and contract.  See http://nmap.org/nsedoc/.

o UDP payloads are now stored in an external data file, nmap-payloads,
 instead of being hard-coded in the executable. This makes it easier
 to add your own payloads or disable those you find problematic. [Jay
 Fink, David]

o The Windows executable installer now uses LZMA compression instead
 of zlib, making it about 15% smaller. See
 http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]

o Open XML elements are now closed in case of a fatal error, so the
 output should at least be well-formed. There are new attributes
 "exit" and "errormsg" in the finished element. "exit" is "success"
 or "error". When it is "error", the "errormsg" attribute contains
 the error message. Thanks to Grant Bartlett, who found a typo in the
 new output. [David]

o Fixed name resolution in environments where gethostbyname can return
 IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
 would wrongly use the first four bytes of the IPv6 address as an
 IPv4 address. You could force this, at least on Debian, by adding
 the line "options inet6" to /etc/resolv.conf or by running with
 RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
 Andersson, who also suggested the fix. [David]

o Fixed the assignment of interface aliases to directly connected
 routes on Linux, which was broken in 5.30BETA1 (it always assigned
 the base interface instead of the alias). This was visible in the
 host.interface variable passed to NSE scripts. The bug was reported
 by Victor Rudnev. [David]

o When Nmap is passed a hostname such as google.com which resolves to
 several IP addresses, Nmap now prints each IP address.  It still
 only scans the first one in the returned list. [David]

o Nmap now works if you specify several target host names which
 resolve to the same IP address.  This can be useful when you are
 scanning virtual-hosted web servers and want to see NSE results
 specific to each site name even though they reside on the same
 machine. [David]

o Made a list of current Nmap SVN committers:
 http://nmap.org/svn/docs/committers.txt

o Added a new library, libnetutil, which contains about 2,700 lines of
 networking related code which is now shared between Nmap and Nping
 (it was previously duplicated by each tool). [Luis, David]

o [NSE] http-passwd.nse now also checks for boot.ini to support
 Windows targets. [Gutek]

o Removed --interactive mode, a miniature shell whose primary purpose
 was to hide command line arguments from the process list. It had
 been broken (would segfault during the second scan) for at least 9
 months and was rarely used. The fact that it was broken was reported
 by Juan Carlos Castro. [David]

o Added a version probe, match line, and UDP payload for the
 serialnumberd service of Mac OS X Server. This service overrides
 firewall settings to make itself visible, so it's useful for host
 discovery. [Patrik]

o Improved service detection match lines for:
 o Oracle Enterprise Manager Agent and mupdate by Matt Selsky
 o Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
   Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
   Communications Server, and Comdasys, SIParator and Glassfish SIP
   by Patrik
 o PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
   HTTPd by Tom Sellers

o Improved our brute force password guessing list by mixing in some
 data sent in by Solar Designer of John the Ripper fame.

o [Zenmap] IP addresses are now sorted by octet rather than their
 string representation. For example, 10.1.1.2 is now sorted before
 10.1.1.10. This problem was reported by Norris Carden. [David]

o [NSE] Added UDP header parsing support to packet.lua. [jah]

o Fixed a bug in Libpcap which led to Nmap hanging forever in some
 cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3.  The fix was
 actually already available in upstream Libpcap, just not released.
 We also had to make Nmap build with its own Libpcap on 64-bit OS X
 if an already-installed system Libpcap has this bug. [David]

o Updated our Winpcap to the new 4.1.2 release [Rob Nicholls]

o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
 level of 0.9995 was used.  Thanks to Marcin Hoffmann for noticing
 the problem. [Kris]

o [libpcap] Added a --disable-packet-ring option to force the use of
 an older, slower packet capture mechanism on Linux. Before Linux
 2.6.27, the packet ring mechanism uses different-sized kernel
 structures on 32- and 64-bit architectures, so a 32-bit program will
 not run correctly on a 64-bit kernel. The older mechanism does not
 have this flaw.

o Fixed some errors in nmap-os-db, probably caused by incorrect string
 replacement during integration. This patch is from James Cook.

o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
 allows setting the SO_BROADCAST option on sockets. Ncat now sets
 this option unconditionally in connect mode to allow connections to
 broadcast addresses (useful in UDP mode). [Daniel Miller]

o Nmap now works with "teamed" network interfaces on Windows. In order
 to distinguish the interfaces, their textual descriptions are now
 compared in addition to their MAC addresses. Without this, Nmap
 would send on the wrong interface and not receive any replies. A
 symptom of this problem was all scans failing except when
 --unprivileged was used. Norris Carden reported this bug. [David]

o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
 prints the connecting source port along with the IP address (when
 verbosity is enabled). [Rebellis]

o Fixed a problem where the time variable used in some port scanning
 algorithms (for probe timeouts, etc) could vary based on the
 debugging level. [Kris]

o Moved the parse_long function from ncat to nbase for better reuse,
 and used it to simplify netmask parsing code. [William Pursell]

o Added EPROTO to the list of known error codes in service scan. Daniel
 Miller reported that an EPROTO was causing Nmap to exit after sending
 the Sqlping probe during service scan. The error message was
 "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
 error)". We suspect this was caused by a forged ICMP packet sent by an
 active firewall. [David]

o [NSE] Improved smtp-commands.nse to work against more mail servers,
 made it take an smtp-commands.domain script argument, and rewrote it
 in the style of other smtp scripts. [Jason DePriest]

o [NSE] Made smtp-commands run for the services smtp, smtps,
 submission rather than just smtp.  The other smtp scripts already do
 this. [David]

o [NSE] The dns-recursion script now marks the port as open when it
 gets a response. [Olivier M]

o [Nping] A big correctness and code cleanliness audit was performed
 which resulted in many bugs being fixed and much more code being
 shared with Nmap rather than duplicated. A structured testing
 script system was also created. [Luis, David]

o [Nping] Now allows a --count value of zero to run almost
 indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]

o [Nping] Fixed --data argument parsing. The value passed was not
 actually making it into outgoing packets. Reported by Tim
 Poth. [Luis]

o [Nping] When a RST packet is received in response to a connection
 attempt in TCP-Connect mode, Nping now properly prints "Connection
 refused" rather than "Operation now in progress". [Luis]

o [Nping] Fixed a bug which caused failure when the first supplied
 target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
 tcpdump.com). [Luis]

o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
 and printing of packets Nping sent or which are destined for another
 process. [Luis]

o [Nping] Fixed a bug which prevented ARP replies from being displayed
 properly. [Luis]

o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
 be set in host byte order rather than proper network byte
 order. [Luis]

o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]

o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
 1.8.2. Among other changes, this fixes a segmentation fault reported
 by some OS X 10.6.3 users.

o Nsock now supports an option to remove its Pcap support.  This
 allows the same Nsock to be shared with Nmap (which needs that
 support) and Ncrack (which doesn't). Pcap support can be disabled by
 specifying --disable-pcap at configure time on UNIX, or by selecting
 the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
 Windows.

o Sped up compilation by not building both shared and static libdnet
 libraries--we only use the static one. [David]

o [NSE] Improved error handling and reporting and re-designed communication
 class in RPC library with patch from Djalal Harouni. [Patrik]

o Upgraded the included libpcap to version 1.1.1. [David]

o [NSE] Add some special-use IPv4 addresses to isPrivate which are
 described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
 performance of isPrivate for IPv4 addresses by using ip_in_range
 less frequently. Add an extra return value to isPrivate - when the
 first return value is true, the second return value will now be a
 string representing the special use assignment in which the supplied
 address is located. [jah]

o Fix compilation on OpenSolaris.  We had to make the libdnet autoconf
 check for PF_PACKET Linux-specific.  Recent versions of OpenSolaris
 support PF_PACKET, but not in a way which is entirely compatible
 with the Linux approach. This problem was reported by Darren Reed. A
 few other minor compatibility changes were made as well. [David]

o [NSE] Added script arguments "username" and "password" to ftp-bounce
 to override the default anonymous:IEUser@ login combination. [Kris]

o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]

o [NSE] Added an snmpWalk() function to the SNMP library and updated
 scripts to use it.  [Patrik]

o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
 nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
 [Jah]

o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.

o Updated IANA IP address space assignment list for random IP (-iR)
 generation. [Kris]

o Created a new directory for storing todo lists for Nmap and related
 projects.  You can see what we're working on and planning by
 visiting http://nmap.org/svn/todo/.

o [NSE] Removed explicit time limit checking from ms-sql-brute,
 pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
 library does this automatically now. [David]

o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly
 [Patrik]

o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
 name in the MySQL library. [Kris]

o Cleaned up our Winpcap header file directory, and also updated to
 the latest files from the official developer pack
 (WpdPack_4_1_1.zip). [Fyodor]

o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
 results for RPC programs which could not be matched to a
 name. [Patrik]

o [NSE] The ftp-anon script is now much smarter about parsing server
 responses and detecting successful (or not) logins.  It now knows
 how to send the ACCT command where appropriate as well. [Rob
 Nicholls]

o Normalized a bunch of version detection entries with "webserver" in
 the description.  In most cases this was changed to "httpd".

o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
 case that one system read ends with \r and the next begins with \n
 (should be rare). [David]

o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles
 to be 32 octets when calling the ReadDir function. The bug was reported by
 Djalal Harouni. [Patrik]

Enjoy the new release, and I hope to see you at Defcon!
-Fyodor


_______________________________________________
Sent through the nmap-hackers mailing list
http://cgi.insecure.org/mailman/listinfo/nmap-hackers
Archived at http://seclists.org/nmap-hackers/



-- 
Office: (480)307-8712
AT&T: (503)754-4452
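The time-specification rules Fyodor describes above (seconds as the default unit, optional ms/s/m/h suffixes, decimal values, and the sanity check that quits on a bare number that looks like an old millisecond value) worked through as an added Python example. This is not Nmap's own code and not its stdnse.parse_timespec; the threshold at which a unit-less value is treated as suspicious is an assumption of this example, since the announcement does not state the cut-off Nmap uses, and the warning wording follows the --host-timeout 10000 sample in the notes.

```python
import re

# Multipliers in seconds. Seconds are the default unit when none is given,
# which is the post-April-2010 convention described in the release notes.
UNITS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}

# A non-negative number with an optional decimal part, then an optional unit.
# "ms" is listed before "m" so the alternation does not stop at the "m".
TIMESPEC_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*(ms|s|m|h)?\s*$", re.IGNORECASE)


def parse_timespec(text):
    """Return (seconds, had_explicit_unit) for strings like '1.5', '500ms', '10m', '2h'.

    Anything else raises ValueError: a time option should be rejected loudly,
    not silently defaulted.
    """
    match = TIMESPEC_RE.match(text)
    if not match:
        raise ValueError("invalid time specification: %r" % (text,))
    number, unit = match.group(1), match.group(2)
    explicit = unit is not None
    return float(number) * UNITS[(unit or "s").lower()], explicit


def humanize(seconds):
    """Describe a duration in the largest convenient unit: 10000 -> '2.8 hours'."""
    if seconds >= 3600:
        return "%.1f hours" % (seconds / 3600.0)
    if seconds >= 60:
        return "%.1f minutes" % (seconds / 60.0)
    return "%.1f seconds" % seconds


# Assumption for this example (not Nmap's real cut-off): a unit-less value
# of an hour or more is treated as a probable leftover from the old
# millisecond defaults.
LEGACY_SUSPECT_SECONDS = 3600.0


def legacy_unit_warning(option, text, threshold=LEGACY_SUSPECT_SECONDS):
    """Return the warning text for a suspicious bare number, or None if it is fine.

    The wording follows the --host-timeout 10000 sample in the release notes.
    An explicit unit always silences the check.
    """
    seconds, explicit = parse_timespec(text)
    if explicit or seconds < threshold:
        return None
    value = text.strip()
    return (
        'Since April 2010, the default unit for %s is seconds, so your time of '
        '"%s" is %s. If this is what you want, use "%ss".'
        % (option, value, humanize(seconds), value)
    )


def resolve_time_options(options):
    """Parse a {option: value} mapping into {option: seconds}.

    Raises ValueError carrying the warning for the first suspicious value,
    the way Nmap quits instead of silently running for hours.
    """
    resolved = {}
    for option, text in options.items():
        warning = legacy_unit_warning(option, text)
        if warning is not None:
            raise ValueError(warning + "\nQUITTING!")
        resolved[option] = parse_timespec(text)[0]
    return resolved


if __name__ == "__main__":
    # Constructed sample input: new-style values plus one old-style leftover.
    print(resolve_time_options({"--scan-delay": "1.5", "--stats-every": "10m"}))
    try:
        resolve_time_options({"--host-timeout": "10000"})
    except ValueError as err:
        print(err)
```

The check is deliberately keyed on whether a unit was written, not on the magnitude alone: "10000s" is accepted unchanged, while a bare "10000" is refused with a message that spells out what the new default would make it, so a script ported from a pre-5.35 command line fails at parse time rather than after a multi-hour wait.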