Nmap 6.25 source code and binary packages for Linux, Windows, and Mac are available for free download from:
http://nmap.org/download.html
If you find any bugs, please let us know on nmap-dev as described at
http://nmap.org/book/man-bugs.
Here are the most important change since 6.01:
o Integrated all of your IPv4 OS fingerprint submissions since January
(more than 3,000 of them). Added 373 fingerprints, bringing the new
total to 3,946. Additions include Linux 3.6, Windows 8, Windows
Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
routers, and other devices--including our first IP-enabled doorbell!
Many existing fingerprints were improved. [David Fifield]
o Integrated all of your service/version detection fingerprints
submitted since January (more than 1,500)! Our signature
count jumped by more than 400 to 8,645. We now detect 897
protocols, from extremely popular ones like http, ssh, smtp and imap
to the more obscure airdroid, gopher-proxy, and
enemyterritory. [David Fifield]
o Integrated your latest IPv6 OS submissions and corrections. We're
still low on IPv6 fingerprints, so please scan any IPv6 systems you
own or administer and submit them to http://nmap.org/submit/. Both
new fingerprints (if Nmap doesn't find a good match) and corrections
(if Nmap guesses wrong) are useful.
o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
(Next Header) probes. [David Fifield]
o Scripts can now return a structured name-value table so that results
are query-able from XML output. Scripts can return a string as
before, or a table, or a table and a string. In this last case, the
table will go to XML output and the string will go to screen output.
See http://nmap.org/book/nse-api.
Miller, David Fifield, Patrick Donnelly]
o [Nsock] Added new poll and kqueue I/O engines for improved
performance on Windows and BSD-based systems including Mac OS X.
These are in addition to the epoll engine (used on Linux) and the
classic select engine fallback for other system. [Henri Doreau]
o [Ncat] Added support for Unix domain sockets. The new -U and
--unixsock options activate this mode. These provide compatibility
with Hobbit's original Netcat. [Tomas Hozza]
o Moved some Windows dependencies, including OpenSSL, libsvn, and the
vcredist files, into a new public Subversion directory
/nmap-mswin32-aux and moved it out of the source tarball. This
reduces the compressed tarball size from 22 MB to 8 MB and similarly
reduces the bandwidth and storage required for an svn checkout.
Folks who build Nmap on Windows will need to check out
/nmap-mswin32-aux along with /nmap as described at
http://nmap.org/book/inst-
o Many of the great features in this release were created by college
and grad students generously sponsored by Google's Summer of Code
program. Thanks, Google Open Source Department! This year's team
of five developers is introduced at
http://seclists.org/nmap-dev/
documented at http://seclists.org/nmap-dev/
o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part
of version detection when a port seems to run a SunRPC service) with
a faster and easier to maintain NSE-based implementation. This also
allowed us to remove the crufty old pos_scan scan engine. [Hani
Benhabiles]
o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1)
rather than 5.1. See http://seclists.org/nmap-dev/
details. [Patrick Donnelly]
o [NSE] Added 85(!) NSE scripts, bringing the total up to 433. They
are all listed at http://nmap.org/nsedoc/, and the summaries are
below (authors are listed in brackets):
+ ajp-auth retrieves the authentication scheme and realm of an AJP
service (Apache JServ Protocol) that requires authentication. The
Apache JServ Protocol is commonly used by web servers to
communicate with back-end Java application server
containers. [Patrik Karlsson]
+ ajp-brute performs brute force passwords auditing against the
Apache JServ protocol. [Patrik Karlsson]
+ ajp-headers performs a HEAD or GET request against either the root
directory or any optional directory of an Apache JServ Protocol
server and returns the server response headers. [Patrik Karlsson]
+ ajp-methods discovers which options are supported by the AJP
(Apache JServ Protocol) server by sending an OPTIONS request and
lists potentially risky methods. [Patrik Karlsson]
+ ajp-request requests a URI over the Apache JServ Protocol and
displays the result (or stores it in a file). Different AJP
methods such as; GET, HEAD, TRACE, PUT or DELETE may be
used. [Patrik Karlsson]
+ bjnp-discover retrieves printer or scanner information from a
remote device supporting the BJNP protocol. The protocol is known
to be supported by network based Canon devices. [Patrik Karlsson]
+ broadcast-ataoe-discover discovers servers supporting the ATA over
Ethernet protocol. ATA over Ethernet is an ethernet protocol
developed by the Brantley Coile Company and allows for simple,
high-performance access to SATA drives over Ethernet. [Patrik
Karlsson]
+ broadcast-bjnp-discover attempts to discover Canon devices
(Printers/Scanners) supporting the BJNP protocol by sending BJNP
Discover requests to the network broadcast address for both ports
associated with the protocol. [Patrik Karlsson]
+ broadcast-eigrp-discovery performs network discovery and routing
information gathering through Cisco's EIGRP protocol. [Hani
Benhabiles]
+ broadcast-igmp-discovery discovers targets that have IGMP
Multicast memberships and grabs interesting information. [Hani
Benhabiles]
+ broadcast-pim-discovery discovers routers that are running PIM
(Protocol Independent Multicast). [Hani Benhabiles]
+ broadcast-tellstick-discover discovers Telldus Technologies
TellStickNet devices on the LAN. The Telldus TellStick is used to
wirelessly control electric devices such as lights, dimmers and
electric outlets. [Patrik Karlsson]
+ cassandra-brute performs brute force password auditing against the
Cassandra database. [Vlatko Kosturjak]
+ cassandra-info attempts to get basic info and server status from a
Cassandra database. [Vlatko Kosturjak]
+ cups-info lists printers managed by the CUPS printing
service. [Patrik Karlsson]
+ cups-queue-info Lists currently queued print jobs of the remote
CUPS service grouped by printer. [Patrik Karlsson]
+ dict-info Connects to a dictionary server using the DICT protocol,
runs the SHOW SERVER command, and displays the result. [Patrik
Karlsson]
+ distcc-cve2004-2687 detects and exploits a remote code execution
vulnerability in the distributed compiler daemon distcc. [Patrik
Karlsson]
+ dns-check-zone checks DNS zone configuration against best
practices, including RFC 1912. The configuration checks are
divided into categories which each have a number of different
tests. [Patrik Karlsson]
+ dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
network using a technique which analyzes DNS server response codes
to dramatically reduce the number of queries needed to enumerate
large networks. [Patrik Karlsson]
+ dns-nsec3-enum tries to enumerate domain names from the DNS server
that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John
Bond]
+ eppc-enum-processes attempts to enumerate process info over the
Apple Remote Event protocol. When accessing an application over
the Apple Remote Event protocol the service responds with the uid
and pid of the application, if it is running, prior to requesting
authentication. [Patrik Karlsson]
+ firewall-bypass detects a vulnerability in Netfilter and other
firewalls that use helpers to dynamically open ports for protocols
such as ftp and sip. [Hani Benhabiles]
+ flume-master-info retrieves information from Flume master HTTP
pages. [John R. Bond]
+ gkrellm-info queries a GKRellM service for monitoring
information. A single round of collection is made, showing a
snapshot of information at the time of the request. [Patrik
Karlsson]
+ gpsd-info retrieves GPS time, coordinates and speed from the GPSD
network daemon. [Patrik Karlsson]
+ hostmap-robtex discovers hostnames that resolve to the target's IP
address by querying the Robtex service at
http://www.robtex.com/dns/. [Arturo Busleiman]
+ http-drupal-enum-users enumerates Drupal users by exploiting a an
information disclosure vulnerability in Views, Drupal's most
popular module. [Hani Benhabiles]
+ http-drupal-modules enumerates the installed Drupal modules by
using a list of known modules. [Hani Benhabiles]
+ http-exif-spider spiders a site's images looking for interesting
exif data embedded in .jpg files. Displays the make and model of
the camera, the date the photo was taken, and the embedded geotag
information. [Ron Bowes]
+ http-form-fuzzer performs a simple form fuzzing against forms
found on websites. Tries strings and numbers of increasing length
and attempts to determine if the fuzzing was successful. [Piotr
Olma]
+ http-frontpage-login checks whether target machines are vulnerable
to anonymous Frontpage login. [Aleksandar Nikolic]
+ http-git checks for a Git repository found in a website's document
root (/.git/<something>) then retrieves as much repo
information as possible, including language/framework, Github
username, last commit message, and repository description. [Alex
Weber]
+ http-gitweb-projects-enum retrieves a list of Git projects, owners
and descriptions from a gitweb (web interface to the Git revision
control system). [riemann]
+ http-huawei-hg5xx-vuln detects Huawei modems models HG530x,
HG520x, HG510x (and possibly others...) vulnerable to a remote
credential and information disclosure vulnerability. It also
extracts the PPPoE credentials and other interesting configuration
values. [Paulino Calderon]
+ http-icloud-findmyiphone retrieves the locations of all "Find my
iPhone" enabled iOS devices by querying the MobileMe web service
(authentication required). [Patrik Karlsson]
+ http-icloud-sendmsg sends a message to a iOS device through the
Apple MobileMe web service. The device has to be registered with
an Apple ID using the Find My iPhone application. [Patrik
Karlsson]
+ http-phpself-xss crawls a web server and attempts to find PHP
files vulnerable to reflected cross site scripting via the
variable $_SERVER["PHP_SELF"]. [Paulino Calderon]
+ http-rfi-spider crawls webservers in search of RFI (remote file
inclusion) vulnerabilities. It tests every form field it finds and
every parameter of a URL containing a query. [Piotr Olma]
+ http-robtex-shared-ns Finds up to 100 domain names which use the
same name server as the target by querying the Robtex service at
http://www.robtex.com/dns/. [Arturo Busleiman]
+ http-sitemap-generator spiders a web server and displays its
directory structure along with number and types of files in each
folder. Note that files listed as having an 'Other' extension are
ones that have no extension or that are a root document. [Piotr
Olma]
+ http-slowloris-check tests a web server for vulnerability to the
Slowloris DoS attack without actually launching a DoS
attack. [Aleksandar Nikolic]
+ http-slowloris tests a web server for vulnerability to the
Slowloris DoS attack by launching a Slowloris attack. [Aleksandar
Nikolic, Ange Gutek]
+ http-tplink-dir-traversal exploits a directory traversal
vulnerability existing in several TP-Link wireless
routers. Attackers may exploit this vulnerability to read any of
the configuration and password files remotely and without
authentication. [Paulino Calderon]
+ http-traceroute exploits the Max-Forwards HTTP header to detect
the presence of reverse proxies. [Hani Benhabiles]
+ http-virustotal checks whether a file has been determined as
malware by virustotal. Virustotal is a service that provides the
capability to scan a file or check a checksum against a number of
the major antivirus vendors. [Patrik Karlsson]
+ http-vlcstreamer-ls connects to a VLC Streamer helper service and
lists directory contents. The VLC Streamer helper service is used
by the iOS VLC Streamer application to enable streaming of
multimedia content from the remote server to the device. [Patrik
Karlsson]
+ http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
to jmx console authentication bypass (CVE-2010-0738). [Hani
Benhabiles]
+ http-waf-fingerprint Tries to detect the presence of a web
application firewall and its type and version. [Hani Benhabiles]
+ icap-info tests a list of known ICAP service names and prints
information about any it detects. The Internet Content Adaptation
Protocol (ICAP) is used to extend transparent proxy servers and is
generally used for content filtering and antivirus
scanning. [Patrik Karlsson]
+ ip-forwarding detects whether the remote device has ip forwarding
or "Internet connection sharing" enabled, by sending an ICMP echo
request to a given target using the scanned host as default
gateway. [Patrik Karlsson]
+ ipv6-ra-flood generates a flood of Router Advertisements (RA) with
random source MAC addresses and IPv6 prefixes. Computers, which
have stateless autoconfiguration enabled by default (every major
OS), will start to compute IPv6 suffix and update their routing
table to reflect the accepted announcement. This will cause 100%
CPU usage on Windows and platforms, preventing to process other
application requests. [Adam Stevko]
+ irc-sasl-brute performs brute force password auditing against IRC
(Internet Relay Chat) servers supporting SASL
authentication. [Piotr Olma]
+ isns-info lists portals and iSCSI nodes registered with the
Internet Storage Name Service (iSNS). [Patrik Karlsson]
+ jdwp-exec attempts to exploit java's remote debugging port. When
remote debugging port is left open, it is possible to inject java
bytecode and achieve remote code execution. This script abuses
this to inject and execute a Java class file that executes the
supplied shell command and returns its output. [Aleksandar
Nikolic]
+ jdwp-info attempts to exploit java's remote debugging port. When
remote debugging port is left open, it is possible to inject java
bytecode and achieve remote code execution. This script injects
and execute a Java class file that returns remote system
information. [Aleksandar Nikolic]
+ jdwp-inject attempts to exploit java's remote debugging port.
When remote debugging port is left open, it is possible to inject
java bytecode and achieve remote code execution. This script
allows injection of arbitrary class files. [Aleksandar Nikolic]
+ llmnr-resolve resolves a hostname by using the LLMNR (Link-Local
Multicast Name Resolution) protocol. [Hani Benhabiles]
+ mcafee-epo-agent check if ePO agent is running on port 8081 or
port identified as ePO Agent port. [Didier Stevens and Daniel
Miller]
+ metasploit-info gathers info from the Metasploit RPC service. It
requires a valid login pair. After authentication it tries to
determine Metasploit version and deduce the OS type. Then it
creates a new console and executes few commands to get additional
info. [Aleksandar Nikolic]
+ metasploit-msgrpc-brute performs brute force username and password
auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]
+ mmouse-brute performs brute force password auditing against the
RPA Tech Mobile Mouse servers. [Patrik Karlsson]
+ mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
application and sends a sequence of keys to it. Any application
that the user has access to can be started and the key sequence is
sent to the application after it has been started. [Patrik
Karlsson]
+ mrinfo queries targets for multicast routing information. [Hani
Benhabiles]
+ msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
services and displays the gathered information. [Aleksandar
Nikolic]
+ ms-sql-dac queries the Microsoft SQL Browser service for the DAC
(Dedicated Admin Connection) port of a given (or all) SQL Server
instance. The DAC port is used to connect to the database instance
when normal connection attempts fail, for example, when server is
hanging, out of memory or in other bad states. [Patrik Karlsson]
+ mtrace queries for the multicast path from a source to a
destination host. [Hani Benhabiles]
+ mysql-dump-hashes dumps the password hashes from an MySQL server
in a format suitable for cracking by tools such as John the
Ripper. Appropriate DB privileges (root) are required. [Patrik
Karlsson]
+ mysql-query runs a query against a MySQL database and returns the
results as a table. [Patrik Karlsson]
+ mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
and MariaDB servers by exploiting CVE2012-2122. If its vulnerable,
it will also attempt to dump the MySQL usernames and password
hashes. [Paulino Calderon]
+ oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a
weakness in Oracle's O5LOGIN authentication scheme. The
vulnerability exists in Oracle 11g R1/R2 and allows linking the
session key to a password hash. [Dhiru Kholia]
+ pcanywhere-brute performs brute force password auditing against
the pcAnywhere remote access protocol. [Aleksandar Nikolic]
+ rdp-enum-encryption determines which Security layer and Encryption
level is supported by the RDP service. It does so by cycling
through all existing protocols and ciphers. [Patrik Karlsson]
+ rmi-vuln-classloader tests whether Java rmiregistry allows class
loading. The default configuration of rmiregistry allows loading
classes from remote URLs, which can lead to remote code
execution. The vendor (Oracle/Sun) classifies this as a design
feature. [Aleksandar Nikolic]
+ rpc-grind fingerprints the target RPC port to extract the target
service, RPC number and version. [Hani Benhabiles]
+ sip-call-spoof spoofs a call to a SIP phone and detects the action
taken by the target (busy, declined, hung up, etc.) [Hani
Benhabiles]
+ sip-methods enumerates a SIP Server's allowed methods (INVITE,
OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]
+ smb-ls attempts to retrieve useful information about files shared
on SMB volumes. The output is intended to resemble the output of
the UNIX <code>ls</code> command. [Patrik Karlsson]
+ smb-print-text attempts to print text on a shared printer by
calling Print Spooler Service RPC functions. [Aleksandar Nikolic]
+ smb-vuln-ms10-054 tests whether target machines are vulnerable to
the ms10-054 SMB remote memory corruption
vulnerability. [Aleksandar Nikolic]
+ smb-vuln-ms10-061 tests whether target machines are vulnerable to
ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar
Nikolic]
+ snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally
Defined Users through the hh3c-user.mib OID [Kurt Grutzmacher]
+ ssl-date retrieves a target host's time and date from its TLS
ServerHello response. [Aleksandar Nikolic]
+ tls-nextprotoneg enumerates a TLS server's supported protocols by
using the next protocol negotiation extension. [Hani Benhabiles]
+ traceroute-geolocation lists the geographic locations of each hop
in a traceroute and optionally saves the results to a KML file,
plottable on Google earth and maps. [Patrik Karlsson]
o [NSE] Added 12 new protocol libraries, bring our total to 105! Here
they are, with authors enclosed in brackets:
+ ajp (Apache JServ Protocol) [Patrik Karlsson]
+ base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering]
+ bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson]
+ cassandra (Cassandra database protocol) [Vlatko Kosturjak]
+ eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani Benhabiles]
+ gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik Karlsson]
+ ipp (CUPS Internet Printing Protocol) [Patrik Karlsson]
+ isns (Internet Storage Name Service) [Patrik Karlsson]
+ jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic]
+ mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson]
+ ospf (Open Shortest Path First routing protocol) [Patrik Karlsson]
+ rdp (Remote Desktop Protocol) [Patrik Karlsson]
o Added Common Platform Enumeration (CPE) identifiers to nearly 1,000
more OS detection signatures. Nmap 6.01 had them for 2,608 of 3,572
fingerprints (73%) and now we have them for 3,558 out of 3,946
(90%). [David Fifield]
o Scans that use OS sockets (including TCP connect scan, version
detection, and script scan) now use the SO_BINDTODEVICE sockopt on
Linux, so that the -e (select network device) option is
honored. [David Fifield]
o [Zenmap] Host filters can now do negative matching, for example you
can use "os:!linux" to match hosts NOT detected as Linux. [Daniel
Miller]
o Fixed a bug that caused an incorrect source address to be set when
scanning certain addresses (apparently those ending in .0) on
Windows XP. The symptom of this bug was the messages
get_srcaddr: can't connect socket: The requested address is not
valid in its context.
Failed to convert source address to presentation format!?! Error:
Unknown error
Thanks to Robert Washam and Jorge Hernandez for reports and help
debugging. [David Fifield]
o Upgraded the included OpenSSL to version 1.0.1c. [David Fifield]
o [NSE] Added changes to brute and unpwdb libraries to allow more
flexible iterator specification and control. [Aleksandar Nikolic]
o Tested that our WinPcap installer works on Windows 8 and Windows
Server 2012 build 8400. Updated to installer text to recommend that
users select the option to start 'NPF' at startup. [Rob Nicholls]
o [NSE] Added CPE to smb-os-discovery output.
o [Ncat] Fixed the printing of warning messages for large arguments to
the -i and -w options. [Michal Hlavinka]
o [Ncat] Shut down the write part of connected sockets in listen mode
when stdin hits EOF, just as was already done in connect mode.
[Michal Hlavinka]
o [Zenmap] Removed a crashing error that could happen when canceling a
"Print to File" on Windows:
Traceback (most recent call last):
File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
File "zenmapGUI\Print.pyo", line 156, in run_print_operation
GError: Error from StartDoc
This bug was reported by Imre Adácsi. [David Fifield]
o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
SquirrelMail, RoundCube. [Jesper Kückelhahn]
o Changed libdnet's routing interface to return an interface name for
each route on the most common operating systems. This is used to
improve the quality of Nmap's matching of routes to interfaces,
which was previously done by matching routes to interface addresses.
[Djalal Harouni, David Fifield]
o Fixed a bug that prevented Nmap from finding any interfaces when one
of them had the type ARPHDR_INFINIBAND; this was the case for
IP-over-InfiniBand interfaces. However, This support is not complete
since IPoIB interfaces use 20 bytes for the hardware address, and
currently we only report and handle 6 bytes.
Nmap IP level scans should work without any problem, please refer to
the '--send-ip' switch and to the following thread:
http://seclists.org/nmap-dev/
This bug was reported by starlight.2012q3. [Djalal Harouni]
o Fixed a bug that prevented Nmap from finding any interfaces when one
of them had the type ARPHDR_IEEE80211; this was the case for wireless
interfaces operating in access point mode. This bug was reported by
Sebastiaan Vileijn. [Djalal Harouni]
o Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher
resolution ones. [Sean Rivera, David Fifield]
o [NSE] Script results for a host or service are now sorted
alphabetically by script name. [Sean Rivera]
o Fixed a bug that prevented Nmap from finding any interfaces when any
interface had the type ARPHRD_VOID; this was the case for OpenVZ
venet interfaces. [Djalal Harouni, David Fifield]
o Linux unreachable routes are now properly ignored. [David Fifield]
o Added Dan Miller as an Nmap committer. He has done a ton of great
work on Nmap, as you can see by searching for him in this CHANGELOG
or reading the Nmap committers list at
https://svn.nmap.org/nmap/
o Added a new --disable-arp-ping option. This option prevents Nmap
from implicitly using ARP or ND host discovery for discovering
directly connected Ethernet targets. This is useful in networks
using proxy ARP, which make all addresses appear to be up using ARP
scan. The previously recommended workaround for this situation,
--send-ip, didn't work on Windows because that lame excuse for an
operating system is still missing raw socket support. [David
Fifield (editorializing added by Fyodor)]
o Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports
80, 40125, and 80 respectively, instead of being randomly generated
or going to the same port as the source port. [David Fifield]
o The Nmap --log-errors functionality (including errors and warnings
in the normal-format output file) is now always true, whether you
pass that option or not. [Sean Rivera]
o [NSE] Rewrote ftp-brute script to use the brute library for
performing password auditing. [Aleksandar Nikolic]
o Reduced the size of Port structures by about two thirds (from 176 to
64 bytes on x86_64). They had accidentally grown during the IPv6
code merge. [David Fifield]
o Made source port numbers (used to encode probe metadata) increment
so as not to overlap between different scanning phases. Previously
it was possible for an RST response to an ACK probe from host
discovery to be misinterpreted as a reply to a SYN probe from port
scanning. [Sean Rivera, David Fifield]
o [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Å tevko]
o Changed the CPE for Linux from cpe:/o:linux:kernel to
cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE
dictionary.
o Added some additional CPE entries to nmap-service-probes.
[Dillon Graham]
o Fixed an assertion failure with IPv6 traceroute trying to use an
unsupported protocol:
nmap: traceroute.cc:749: virtual unsigned char*
UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion
`source->ss_family == 2' failed.
This was reported by Pierre Emeriaud. [David Fifield]
o Added version detection signatures for half a dozen new or changed
products. [Tom Sellers]
o Fixed protocol number-to-name mapping. A patch was contributed by
hejianet.
o [NSE] The nmap.ip_send function now takes a second argument, the
destination to send to. Previously the destination address was taken
from the packet buffer, but this failed for IPv6 link-local
addresses, because the scope ID is not part of the packet. Calling
ip_send without a destination address will continue to use the old
behavior, but this practice is deprecated.
o Increased portability of configure scripts on systems using a libc
other than Glibc. Several problems were reported by John Spencer.
o [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP
ports to be wrongly marked open. This was reported by Christopher
Clements. [David Fifield]
o [Ncat] Close connection endpoint when receiving EOF on
stdin. [Michal Hlavinka].
o Fixed interface listing on NetBSD. The bug was first noticed by
Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield]
o [Ncat] Applied a blocking-socket workaround for a bug that could
prevent some sends from working in listen mode. The problem was
reported by Jonas Wielicki. [Alex Weber, David Fifield]
o [NSE] Updated mssql.lua library to support additional data types,
enhanced some of the existing data types, added the DoneProc
response token, and reordered code for maintainability. [Tom
Sellers]
o [Nping] Nping now prints out an error and exists when the user tries to use
the -p flag for a scan option where that is meaningless. [Sean Rivera]
o [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar Nikolic]
o [NSE] Reduced the number of names tried by http-vhosts by default.
[Vlatko Kosturjak]
o [Zenmap] Fixed a crash when using the en_NG locale: "ValueError:
unknown locale: en_NG" [David Fifield]
o [NSE] Fixed some bugs in snmp-interfaces which prevented the script from
outputting discovered interface info and caused it to abort in the
pre-scanning phase. [jah]
o [NSE] lltd-discovery scripts now parses for hostnames and outputs network
card manufacturer. [Hani Benhabiles]
o Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b),
fragment (0x2c), and destination (0x3c). [Sean Rivera]
o [NSE] Added support for decoding OSPF Hello packets to broadcast-listener.
[Hani Benhabiles]
o [NSE] Fixed a false positive in http-vuln-cve2011-3192.nse, which detected
Apache 2.2.22 as vulnerable. [Michael Meyer]
o [NSE] Modified multiple scripts that operated against HTTP based services
so as to remove false positives that were generated when the target service
answers with a 200 response to all requests. [Tom Sellers]
o [NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognized FDs
that were internally closed and replaced by other ones. This happened during
reconnect attempts. Also, the IOD flags were not properly cleared.
[Henri Doreau, Daniel Miller]
o Added support for log type bitmasks in log_vwrite(). Also replaced a fatal()
statement by an assert(0) to get rid of a possible infinite call loop when
passed an invalid log type. [Henri Doreau]
o Added handling for the unexpected error WSAENETRESET (10052). This error is
currently wrapped in the ifdef for WIN32 as there error appears to be unique
to windows [Sean Rivera]
o [NSE] Added default values for Expires, Call-ID, Allow and Content-Length
headers in SIP requests and removed redundant code in sip library.
[Hani Benhabiles]
o [NSE] Calling methods of unconnected sockets now causes the usual
error code return value, instead of raising a Lua error. The problem
was noticed by Daniel Miller. [David Fifield]
o [NSE] Added AUTH_UNIX support to the rpc library and NFS scripts.
[Daniel Miller]
o [Zenmap] Fixed a crash in the profile editor that would happen when
the nmap binary couldn't be found. [David Fifield]
o Made the various Makefiles' treatment of makefile.dep uniform:
"make clean" keeps the file and "make distclean" deletes it.
[Michael McTernan]
o [NSE] Fixed dozens of scripts and libraries to work better on
system which don't have OpenSSL available. [Patrik Karlsson]
o [Ncat] --output logging now works in UDP mode. Thanks to Michal
Hlavinka for reporting the bug. [David Fifield]
o [NSE] More Windows 7 and Windows 2008 fixes for the smb library and smb-ls
scripts. [Patrik Karlsson]
o [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008 to
the smb library. [Patrik Karlsson]
o [NSE] Changed http-brute so that it works against the root path
("/") by default rather than always requiring the http-brute.path
script argument. [Fyodor]
o [NSE] Applied patch from Daniel Miller that fixes bug in several scripts and
libraries http://seclists.org/nmap-dev/
o [Zenmap] Added Italian translation by Francesco Tombolini and
Japanese translation by Yujiy Tounai. Some typos in the Japanese
translation were corrected by OKANO Takayoshi.
o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic]
o Improved the mysql library to handle multiple columns with the same name,
added a formatResultset function to format a query response to a table
suitable for script output. [Patrik Karlsson]
o The message "nexthost: failed to determine route to ..." is now a
warning rather than a fatal error. Addresses that are skipped in
this way are recorded in the XML output as "target" elements. [David
Fifield]
o [NSE] targets-sniffer now is capable of sniffing IPv6 addresses.
[Daniel Miller]
o [NSE] Ported the pop3-brute script to use the brute library.
[Piotr Olma]
o [NSE] Added an error message indicating script failure, when Nmap is being
run in non verbose/debug mode. [Patrik Karlsson]
o Service-scan information is now included in XML and grepable output
even if -sV wasn't used. This information can be set by scripts in the
absence of -sV. [Daniel Miller]
Enjoy the new release!
Download Nmap 6.25:
Nmap 6.25 – nmap-6.25-setup.exe /nmap-6.25.tgz
source-
http://seclists.org/nmap-hackers/2012/4
0 comments:
Post a Comment