Defcon 18

Ben Trussell azlobo73 at gmail.com
Fri Jul 23 11:59:32 MST 2010


I'm indeed giving a trip to Vegas that weekend some serious thought =)

BTW I bought Fyodor's Nmap book and love it.

Ben

On Sun, Jul 18, 2010 at 6:32 AM, Lisa Kachold <lisakachold at obnosis.com> wrote:
> Oops, I did it.  I read the list of presentations, so now I HAVE to go to
> Defcon 18:
>
> https://www.defcon.org/html/defcon-18/dc-18-news.html
>
> Who else is going?
>
> ---------- Forwarded message ----------
> From: Fyodor <fyodor at insecure.org>
> Date: Fri, Jul 16, 2010 at 10:50 AM
> Subject: Nmap Defcon Release: Version 5.35DC1
> To: nmap-hackers at insecure.org
>
>
> Hi folks.  It has been 3.5 months since the last Nmap release
> (5.30BETA1 on March 29), and anyone following the nmap-dev list knows
> that we've been very busy during that time.  So I'm pleased to release
> Nmap version 5.35DC1 containing the fruits of that labor.  The Defcon
> name is because that conference is awesome!  And also because David
> Fifield and I have an exciting Nmap talk planned there and at Black
> Hat in a couple weeks (see http://seclists.org/nmap-dev/2010/q3/108).
>
> This release includes 131 NSE scripts (17 new), 6,622 version
> detection signatures, 2,608 OS fingerprints, and more.  I'm
> particularly excited about the new db2 and ms-sql scripts, and nfs-ls
> really makes NFS discovery easy!  We also added Eugene Alexeev's
> clever new dns-cache-snoop script.  Nping and Ncat were significantly
> improved as well.
>
> The Nmap 5.35DC1 source code and packages for Linux, Mac OS X, and
> Windows are available for download at the usual place:
>
> http://nmap.org/download.html
>
> This is a BETA release, but we hope it works well for you. If not (or
> if you have any suggestions for improvement), please let us know on
> nmap-dev as described at http://nmap.org/book/man-bugs.html.
>
> Here are the 83 most significant changes in this release:
>
> o [NSE] Added 17 scripts, bringing the total to 131! They are
>  described individually in the CHANGELOG, but here is the list of new
>  ones:
>   afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie
>   http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
>   ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
>   ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls, ntp-monlist
>  Learn more about any of these at: http://nmap.org/nsedoc/
>
> o Performed a major OS detection integration run. The database has
>  grown to 2,608 fingerprints (an increase of 262) and many of the
>  existing fingerprints were improved. These include the Apple iPad
>  and Cisco IOS 15.X devices. We also received many fingerprints for
>  ancient Microsoft systems including MS-DOS with MS Networking Client
>  3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
>  integration work at http://seclists.org/nmap-dev/2010/q2/283.
>
> o Performed a large version detection integration run. The number of
>  signatures has grown to 6,622 (an increase of 279). New signatures
>  include a remote administrative backdoor that a school famously used
>  to spy on its students, an open source digital currency scheme named
>  Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
>  Frozen Bubble. You can read David's highlights at
>  http://seclists.org/nmap-dev/2010/q2/385.
>
> o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
>  attributes. The nfs-acls and nfs-dirlist scripts were deleted
>  because all their features are supported by this script. [Djalal]
>
> o [NSE] Add new DB2 library and two scripts
>  - db2-brute.nse uses the unpwdb library to guess credentials for DB2
>  - db2-info.nse re-write of Tom Sellers' script to use the new library
>  [Patrik]
>
> o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
>  scripts are:
>  - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
>  - ms-sql-config retrieves various configuration details from the server
>  - ms-sql-empty-password checks if the sa account has an empty password
>  - ms-sql-hasdbaccess lists database access per user
>  - ms-sql-query adds support for running custom queries against the database
>  - ms-sql-tables lists databases, tables, columns and datatypes with
>    optional keyword filtering
>  - ms-sql-xp-cmdshell adds support for OS command execution to privileged
>    users
>  [Patrik]
>
> o [NSE] Added the afp-serverinfo script that gets a hostname, IP
>  addresses, and other configuration information from an AFP server.
>  The script, and a patch to the afp library, were contributed by
>  Andrew Orr and subsequently enhanced by Patrik and David.
>
> o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
>  The Windows RAS RPC service vulnerability MS06-025
>  (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
>  and the Windows DNS Server RPC vuln MS07-029
>  (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
>  Note that these are only run if you specify the "unsafe" script arg
>  because the implemented test crashes vulnerable services. [Drazen]
>
> o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
>  cache snooping by either sending non-recursive queries or by measuring
>  response times.
>
> o [Zenmap] Added the ability to print Nmap output to a
>  printer. [David]
>
> o [Nmap, Ncat, Nping] The default unit for time specifications is now
>  seconds, not milliseconds, and times may have a decimal point. 1000
>  now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
>  Floating point values such as 1.5 are now allowed.  This affects the
>  following options:
>  Nmap:
>    --host-timeout
>    --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
>    --scan-delay --max-scan-delay
>    --stats-every
>  Ncat:
>    -d --delay
>    -i --idle-timeout
>    -w --wait
>  Nping:
>    --delay
>    --host-timeout
>    --icmp-orig-time --icmp-recv-time --icmp-trans-time
>  Some sanity checks have been added to catch what looks like an
>  attempt to use the old millisecond defaults. For example,
>  --host-timeout 10000 yields
>    Since April 2010, the default unit for --host-timeout is seconds,
>    so your time of "10000" is 2.8 hours. If this is what you want,
>    use "10000s".
>    QUITTING!
>  You can always disable the warning by giving an explicit unit.
>
> o [NSE] Scripts which take an argument for a time duration can now
>  have the duration be a number followed by a unit, like elsewhere in
>  Nmap. An example is "10m" for 10 minutes. The units understood are
>  "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
>  hours.  Seconds are the default if no unit is specified. The new
>  function stdnse.parse_timespec does the parsing of these
>  formats. The qscan.delay script argument, which formerly interpreted
>  its argument as being in milliseconds, now defaults to seconds;
>  append "ms" to continue using the same numbers. [David]
>
> o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
>  that was in UnrealIRCd source code distributions between November
>  2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
>  [Vlatko Kosturjak, Ron, David]
>
> o Ports are now considered open during a SYN scan if a SYN packet
>  (without the ACK flag) is received in response. This can be due to
>  an extremely rare TCP feature known as a simultaneous open or split
>  handshake connection. See http://bit.ly/tcp-sh and
>  http://seclists.org/nmap-dev/2010/q2/723. [Jah]
>
> o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
>  single connection and then exit, just like in normal listen mode.
>  Use the --keep-open option to get the old default inetd-like
>  behavior. This was suggested by David Millis. [David]
>
> o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
>  off-by-one stack overflow vulnerability in libopie by giving the FTP
>  service an overly long name. See
>  http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
>  details.
>
> o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
>  client hosts associated with a scanned target by sending NTPv2
>  Private Mode 'monitor' and 'peers' commands to the target. [Jah]
>
> o [NSE] Added http-php-version.nse from Gutek. This script retrieves
>  version-specific pages through a couple of magic PHP queries, which
>  can identify the PHP version even when a server doesn't advertise
>  it.
>
> o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
>  servers. Added a new category - fuzzer - for scripts like this.
>  [Michael Pattrick]
>
> o David made many improvements to the NSEDoc for individual scripts,
>  including adding @output sections to scripts which didn't have them.
>  He also improved the generated HTML with features like
>  auto-generating usage strings if the scripts don't include their own
>  and allowing the giant sidebar lists of scripts/libraries to expand
>  and contract.  See http://nmap.org/nsedoc/.
>
> o UDP payloads are now stored in an external data file, nmap-payloads,
>  instead of being hard-coded in the executable. This makes it easier
>  to add your own payloads or disable those you find problematic. [Jay
>  Fink, David]
>
> o The Windows executable installer now uses LZMA compression instead
>  of zlib, making it about 15% smaller. See
>  http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]
>
> o Open XML elements are now closed in case of a fatal error, so the
>  output should at least be well-formed. There are new attributes
>  "exit" and "errormsg" in the finished element. "exit" is "success"
>  or "error". When it is "error", the "errormsg" attribute contains
>  the error message. Thanks to Grant Bartlett, who found a typo in the
>  new output. [David]
>
> o Fixed name resolution in environments where gethostbyname can return
>  IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
>  would wrongly use the first four bytes of the IPv6 address as an
>  IPv4 address. You could force this, at least on Debian, by adding
>  the line "options inet6" to /etc/resolv.conf or by running with
>  RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
>  Andersson, who also suggested the fix. [David]
>
> o Fixed the assignment of interface aliases to directly connected
>  routes on Linux, which was broken in 5.30BETA1 (it always assigned
>  the base interface instead of the alias). This was visible in the
>  host.interface variable passed to NSE scripts. The bug was reported by
>  Victor Rudnev. [David]
>
> o When Nmap is passed a hostname such as google.com which resolves to
>  several IP addresses, Nmap now prints each IP address.  It still
>  only scans the first one in the returned list. [David]
>
> o Nmap now works if you specify several target host names which
>  resolve to the same IP address.  This can be useful when you are
>  scanning virtual-hosted web servers and want to see NSE results
>  specific to each site name even though they reside on the same
>  machine. [David]
>
> o Made a list of current Nmap SVN committers:
>  http://nmap.org/svn/docs/committers.txt
>
> o Added a new library, libnetutil, which contains about 2,700 lines of
>  networking related code which is now shared between Nmap and Nping
>  (it was previously duplicated by each tool). [Luis, David]
>
> o [NSE] http-passwd.nse now also checks for boot.ini to support
>  Windows targets. [Gutek]
>
> o Removed --interactive mode, a miniature shell whose primary purpose
>  was to hide command line arguments from the process list. It had
>  been broken (would segfault during the second scan) for at least 9
>  months and was rarely used. The fact that it was broken was reported
>  by Juan Carlos Castro. [David]
>
> o Added a version probe, match line, and UDP payload for the
>  serialnumberd service of Mac OS X Server. This service overrides
>  firewall settings to make itself visible, so it's useful for host
>  discovery. [Patrik]
>
> o Improved service detection match lines for:
>  o Oracle Enterprise Manager Agent and mupdate by Matt Selsky
>  o Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
>    Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
>    Communications Server, and Comdasys, SIParator and Glassfish SIP
>    by Patrik
>  o PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
>    HTTPd by Tom Sellers
>
> o Improved our brute force password guessing list by mixing in some
>  data sent in by Solar Designer of John the Ripper fame.
>
> o [Zenmap] IP addresses are now sorted by octet rather than their
>  string representation. For example, 10.1.1.2 is now sorted before
>  10.1.1.10. This problem was reported by Norris Carden. [David]
>
> o [NSE] Added UDP header parsing support to packet.lua. [jah]
>
> o Fixed a bug in Libpcap which led to Nmap hanging forever in some
>  cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3.  The fix was
>  actually already available in upstream Libpcap, just not released.
>  We also had to make Nmap build with its own Libpcap on 64-bit OS X
>  if an already-installed system Libpcap has this bug. [David]
>
> o Updated our Winpcap to the new 4.1.2 release [Rob Nicholls]
>
> o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
>  level of 0.9995 was used.  Thanks to Marcin Hoffmann for noticing
>  the problem. [Kris]
>
> o [libpcap] Added a --disable-packet-ring option to force the use of
>  an older, slower packet capture mechanism on Linux. Before Linux
>  2.6.27, the packet ring mechanism uses different-sized kernel
>  structures on 32- and 64-bit architectures, so a 32-bit program will
>  not run correctly on a 64-bit kernel. The older mechanism does not
>  have this flaw.
>
> o Fixed some errors in nmap-os-db, probably caused by incorrect string
>  replacement during integration. This patch is from James Cook.
>
> o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
>  allows setting the SO_BROADCAST option on sockets. Ncat now sets
>  this option unconditionally in connect mode to allow connections to
>  broadcast addresses (useful in UDP mode). [Daniel Miller]
>
> o Nmap now works with "teamed" network interfaces on Windows. In order
>  to distinguish the interfaces, their textual descriptions are now
>  compared in addition to their MAC addresses. Without this, Nmap
>  would send on the wrong interface and not receive any replies. A
>  symptom of this problem was all scans failing except when
>  --unprivileged was used. Norris Carden reported this bug. [David]
>
> o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
>  prints the connecting source port along with the IP address (when
>  verbosity is enabled). [Rebellis]
>
> o Fixed a problem where the time variable used in some port scanning
>  algorithms (for probe timeouts, etc) could vary based on the
>  debugging level. [Kris]
>
> o Moved the parse_long function from ncat to nbase for better reuse,
>  and used it to simplify netmask parsing code. [William Pursell]
>
> o Added EPROTO to the list of known error codes in service scan. Daniel
>  Miller reported that an EPROTO was causing Nmap to exit after sending
>  the Sqlping probe during service scan. The error message was
>  "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
>  error)". We suspect this was caused by a forged ICMP packet sent by an
>  active firewall. [David]
>
> o [NSE] Improved smtp-commands.nse to work against more mail servers,
>  made it take an smtp-commands.domain script argument, and rewrote it
>  in the style of other smtp scripts. [Jason DePriest]
>
> o [NSE] Made smtp-commands run for the services smtp, smtps,
>  submission rather than just smtp.  The other smtp scripts already do
>  this. [David]
>
> o [NSE] The dns-recursion script now marks the port as open when it
>  gets a response. [Olivier M]
>
> o [Nping] A big correctness and code cleanliness audit was performed
>  which resulted in many bugs being fixed and much more code being
>  shared with Nmap rather than duplicated. A structured testing
>  script system was also created. [Luis, David]
>
> o [Nping] Now allows a --count value of zero to run almost
>  indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]
>
> o [Nping] Fixed --data argument parsing. The value passed was not
>  actually making it into outgoing packets. Reported by Tim
>  Poth. [Luis]
>
> o [Nping] When a RST packet is received in response to a connection
>  attempt in TCP-Connect mode, Nping now properly prints "Connection
>  refused" rather than "Operation now in progress". [Luis]
>
> o [Nping] Fixed a bug which caused failure when the first supplied
>  target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
>  tcpdump.com). [Luis]
>
> o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
>  and printing of packets Nping sent or which are destined for another
>  process. [Luis]
>
> o [Nping] Fixed a bug which prevented ARP replies from being displayed
>  properly. [Luis]
>
> o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
>  be set in host byte order rather than proper network byte
>  order. [Luis]
>
> o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]
>
> o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
>  1.8.2. Among other changes, this fixes a segmentation fault reported
>  by some OS X 10.6.3 users.
>
> o Nsock now supports an option to remove its Pcap support.  This
>  allows the same Nsock to be shared with Nmap (which needs that
>  support) and Ncrack (which doesn't). Pcap support can be disabled by
>  specifying --disable-pcap at configure time on UNIX, or by selecting
>  the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
>  Windows.
>
> o Sped up compilation by not building both shared and static libdnet
>  libraries--we only use the static one. [David]
>
> o [NSE] Improved error handling and reporting and re-designed communication
>  class in RPC library with patch from Djalal Harouni. [Patrik]
>
> o Upgraded the included libpcap to version 1.1.1. [David]
>
> o [NSE] Add some special-use IPv4 addresses to isPrivate which are
>  described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
>  performance of isPrivate for IPv4 addresses by using ip_in_range
>  less frequently. Add an extra return value to isPrivate - when the
>  first return value is true, the second return value will now be a
>  string representing the special use assignment in which the supplied
>  address is located. [jah]
>
> o Fix compilation on OpenSolaris.  We had to make the libdnet autoconf
>  check for PF_PACKET Linux-specific.  Recent versions of OpenSolaris
>  support PF_PACKET, but not in a way which is entirely compatible
>  with the Linux approach. This problem was reported by Darren Reed. A
>  few other minor compatibility changes were made as well. [David]
>
> o [NSE] Added script arguments "username" and "password" to ftp-bounce
>  to override the default anonymous:IEUser@ login combination. [Kris]
>
> o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]
>
> o [NSE] Added an snmpWalk() function to the SNMP library and updated
>  scripts to use it.  [Patrik]
>
> o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
>  nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
>  [Jah]
>
> o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.
>
> o Updated IANA IP address space assignment list for random IP (-iR)
>  generation. [Kris]
>
> o Created a new directory for storing todo lists for Nmap and related
>  projects.  You can see what we're working on and planning by
>  visiting http://nmap.org/svn/todo/.
>
> o [NSE] Removed explicit time limit checking from ms-sql-brute,
>  pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
>  library does this automatically now. [David]
>
> o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly
>  [Patrik]
>
> o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
>  name in the MySQL library. [Kris]
>
> o Cleaned up our Winpcap header file directory, and also updated to
>  the latest files from the official developer pack
>  (WpdPack_4_1_1.zip). [Fyodor]
>
> o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
>  results for RPC programs which could not be matched to a
>  name. [Patrik]
>
> o [NSE] The ftp-anon script is now much smarter about parsing server
>  responses and detecting successful (or not) logins.  It now knows
>  how to send the ACCT command where appropriate as well. [Rob
>  Nicholls]
>
> o Normalized a bunch of version detection entries with "webserver" in
>  the description.  In most cases this was changed to "httpd".
>
> o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
>  case that one system read ends with \r and the next begins with \n
>  (should be rare). [David]
>
> o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles
>  to be 32 octets when calling the ReadDir function. The bug was reported by
>  Djalal Harouni. [Patrik]
>
> Enjoy the new release, and I hope to see you at Defcon!
> -Fyodor
>
>
> _______________________________________________
> Sent through the nmap-hackers mailing list
> http://cgi.insecure.org/mailman/listinfo/nmap-hackers
> Archived at http://seclists.org/nmap-hackers/
>
>
>
> --
> Office: (480)307-8712
> AT&T: (503)754-4452
>
> ---------------------------------------------------
> PLUG-discuss mailing list - PLUG-discuss at lists.plug.phoenix.az.us
> To subscribe, unsubscribe, or to change your mail settings:
> http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
>
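The time-specification change in the forwarded release notes (seconds as the default unit, "ms"/"s"/"m"/"h" suffixes, decimal values, and the sanity check that rejects a bare number which looks like an old millisecond value) as a worked example. This is added code, not Nmap's stdnse.parse_timespec or its C++ option parser; the function names, the SUSPICIOUS_BARE_SECONDS threshold, and the exact message wording are assumptions modelled on the text above.

```python
import re

# Units named in the release notes; a missing unit means seconds.
_UNIT_TO_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}
_TIMESPEC_RE = re.compile(r"^\s*(\d+(?:\.\d+)?|\.\d+)\s*(ms|s|m|h)?\s*$")

# Assumed threshold (not Nmap's): a unit-less value this large, read as
# seconds, is more likely a leftover millisecond-era number than intended.
SUSPICIOUS_BARE_SECONDS = 3600.0


class TimespecError(ValueError):
    """Raised for a malformed time specification."""


def split_timespec(text):
    """Return (numeric value, unit or None) for strings like '10m' or '1.5'."""
    m = _TIMESPEC_RE.match(text)
    if not m:
        raise TimespecError("invalid time specification: %r" % (text,))
    return float(m.group(1)), m.group(2)


def parse_timespec(text):
    """Convert a time specification to seconds (float)."""
    value, unit = split_timespec(text)
    if unit == "ms":
        return value / 1000.0          # divide so that '250ms' is exactly 0.25
    return value * _UNIT_TO_SECONDS[unit or "s"]


def format_duration(seconds):
    """Human-readable duration, e.g. 10000 s -> '2.8 hours'."""
    if seconds >= 3600.0:
        return "%.1f hours" % (seconds / 3600.0)
    if seconds >= 60.0:
        return "%.1f minutes" % (seconds / 60.0)
    return "%.1f seconds" % seconds


def check_option(name, text, threshold=SUSPICIOUS_BARE_SECONDS):
    """Parse an option value; return (seconds, None) when accepted, or
    (None, message) when a bare value trips the old-millisecond check."""
    value, unit = split_timespec(text)
    seconds = parse_timespec(text)
    if unit is None and seconds > threshold:
        shown = text.strip()
        return None, (
            'Since April 2010, the default unit for %s is seconds, so your '
            'time of "%s" is %s. If this is what you want, use "%ss".'
            % (name, shown, format_duration(seconds), shown))
    return seconds, None


if __name__ == "__main__":
    for opt, val in [("--host-timeout", "10000"), ("--host-timeout", "10000s"),
                     ("--scan-delay", "250ms"), ("--stats-every", "10m")]:
        secs, warning = check_option(opt, val)
        print(opt, val, "->", secs if warning is None else warning)
```

Giving an explicit unit always bypasses the check, exactly as the notes describe; the parser rejects anything it cannot read rather than guessing, which is the safer default for a scanner whose timeouts gate how long it hammers a host.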

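An added example, not Zenmap's or the Nmap NSE library's own code, covering two items from the forwarded notes: sorting IP addresses by octet rather than as strings, and an isPrivate-style lookup that returns the special-use assignment (RFC 5736, RFC 5737 and the usual private/loopback/link-local ranges) as a second value. The range selection, the labels, the function names and the SAMPLE_HOSTS list are assumptions constructed for this example.

```python
import ipaddress

# Special-use IPv4 ranges with the RFC that assigns them (assumed selection).
SPECIAL_USE_IPV4 = [
    (ipaddress.ip_network("0.0.0.0/8"),       "RFC 1122 this network"),
    (ipaddress.ip_network("10.0.0.0/8"),      "RFC 1918 private-use"),
    (ipaddress.ip_network("127.0.0.0/8"),     "RFC 1122 loopback"),
    (ipaddress.ip_network("169.254.0.0/16"),  "RFC 3927 link-local"),
    (ipaddress.ip_network("172.16.0.0/12"),   "RFC 1918 private-use"),
    (ipaddress.ip_network("192.0.0.0/24"),    "RFC 5736 IANA special-purpose"),
    (ipaddress.ip_network("192.0.2.0/24"),    "RFC 5737 TEST-NET-1"),
    (ipaddress.ip_network("192.168.0.0/16"),  "RFC 1918 private-use"),
    (ipaddress.ip_network("198.51.100.0/24"), "RFC 5737 TEST-NET-2"),
    (ipaddress.ip_network("203.0.113.0/24"),  "RFC 5737 TEST-NET-3"),
    (ipaddress.ip_network("224.0.0.0/4"),     "RFC 5771 multicast"),
    (ipaddress.ip_network("240.0.0.0/4"),     "RFC 1112 reserved"),
]


def is_private(addr):
    """Return (True, label) for a special-use IPv4 address, else (False, None)."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("IPv4 address expected, got %r" % (addr,))
    # One containment test per range; no string munging per lookup.
    for net, label in SPECIAL_USE_IPV4:
        if ip in net:
            return True, label
    return False, None


def sort_ips(addrs):
    """Sort dotted-quad strings numerically by octet, so 10.1.1.2 < 10.1.1.10."""
    return sorted(addrs, key=lambda a: tuple(int(o) for o in a.split(".")))


# Constructed list of hosts as they might come out of a scan report.
SAMPLE_HOSTS = ["10.1.1.10", "203.0.113.9", "10.1.1.2", "192.0.0.5",
                "198.51.100.7", "8.8.8.8", "10.1.1.1"]


def triage(addrs):
    """Sorted (address, special-use label or None) pairs for a host list."""
    return [(a, is_private(a)[1]) for a in sort_ips(addrs)]


if __name__ == "__main__":
    print("string order:", sorted(SAMPLE_HOSTS))
    print("octet order: ", sort_ips(SAMPLE_HOSTS))
    for addr, label in triage(SAMPLE_HOSTS):
        print("%-15s %s" % (addr, label or "public"))
```

Documentation-range (TEST-NET) or IANA special-purpose addresses turning up in a result set usually point at a typo in the target list or a misconfigured device rather than a real host, which is why returning the assigning RFC alongside the boolean is more useful than the boolean alone.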
