Tuesday, June 13, 2017

Nmap 7.50 released

Nmap ("Network Mapper") is a free and open source (license) utility for network discovery and security auditing. Many systems and network administrators also find it useful for tasks such as network inventory, managing service upgrade schedules, and monitoring host or service uptime. Nmap uses raw IP packets in novel ways to determine what hosts are available on the network, what services (application name and version) those hosts are offering, what operating systems (and OS versions) they are running, what type of packet filters/firewalls are in use, and dozens of other characteristics. It was designed to rapidly scan large networks, but works fine against single hosts. Nmap runs on all major computer operating systems, and official binary packages are available for Linux, Windows, and Mac OS X. In addition to the classic command-line Nmap executable, the Nmap suite includes an advanced GUI and results viewer (Zenmap), a flexible data transfer, redirection, and debugging tool (Ncat), a utility for comparing scan results (Ndiff), and a packet generation and response analysis tool (Nping).
Nmap was named “Security Product of the Year” by Linux Journal, Info World, LinuxQuestions.Org, and Codetalker Digest. It was even featured in twelve movies, including The Matrix Reloaded, Die Hard 4, Girl With the Dragon Tattoo, and The Bourne Ultimatum.
Nmap is ...
  • Flexible: Supports dozens of advanced techniques for mapping out networks filled with IP filters, firewalls, routers, and other obstacles. This includes many port scanning mechanisms (both TCP & UDP), OS detection, version detection, ping sweeps, and more. See the documentation page.
  • Powerful: Nmap has been used to scan huge networks of literally hundreds of thousands of machines.
  • Portable: Most operating systems are supported, including Linux, Microsoft Windows, FreeBSD, OpenBSD, Solaris, IRIX, Mac OS X, HP-UX, NetBSD, Sun OS, Amiga, and more.
  • Easy: While Nmap offers a rich set of advanced features for power users, you can start out as simply as "nmap -v -A targethost". Both traditional command line and graphical (GUI) versions are available to suit your preference. Binaries are available for those who do not wish to compile Nmap from source.
  • Free: The primary goals of the Nmap Project are to help make the Internet a little more secure and to provide administrators/auditors/hackers with an advanced tool for exploring their networks. Nmap is available for free download, and also comes with full source code that you may modify and redistribute under the terms of the license.
  • Well Documented: Significant effort has been put into comprehensive and up-to-date man pages, whitepapers, tutorials, and even a whole book! Find them in multiple languages here.
  • Supported: While Nmap comes with no warranty, it is well supported by a vibrant community of developers and users. Most of this interaction occurs on the Nmap mailing lists. Most bug reports and questions should be sent to the nmap-dev list, but only after you read the guidelines. We recommend that all users subscribe to the low-traffic nmap-hackers announcement list. You can also find Nmap on Facebook and Twitter. For real-time chat, join the #nmap channel on Freenode or EFNet.
  • Acclaimed: Nmap has won numerous awards, including "Information Security Product of the Year" by Linux Journal, Info World and Codetalker Digest. It has been featured in hundreds of magazine articles, several movies, dozens of books, and one comic book series. Visit the press page for further details.
  • Popular: Thousands of people download Nmap every day, and it is included with many operating systems (Redhat Linux, Debian Linux, Gentoo, FreeBSD, OpenBSD, etc). It is among the top ten (out of 30,000) programs at the Freshmeat.Net repository. This is important because it lends Nmap its vibrant development and user support communities.
Changelog

Nmap 7.50 [2017-06-13]

  • [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
  • Integrated all of your service/version detection fingerprints submitted from September to March (855 of them). The signature count went up 2.9% to 11,418. We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon, slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
  • [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566! They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
    • [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors. OSPFv2 authentication is supported. [Emiliano Ticci]
    • [GH#671] cics-info checks IBM TN3270 services for CICS transaction services and extracts useful information. [Soldier of Fortran]
    • [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on IBM TN3270 services. [Soldier of Fortran]
    • [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and Secure flags. [Steve Benson]
    • http-security-headers checks for the HTTP response headers related to security given in OWASP Secure Headers Project, giving a brief description of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
    • [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache Struts2. [Seth Jackson]
    • [GH#876] http-vuln-cve2017-5689 detects a privilege escalation vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT) capable systems. [Andrew Orr]
    • http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]
    • [GH#713] impress-remote-discover attempts to pair with the LibreOffice Impress presentation remote service and extract version info. Pairing is PIN-protected, and the script can optionally brute-force the PIN. New service probe and match line also added. [Jeremy Hiebert]
    • [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
    • smb-vuln-cve-2017-7494 detects a remote code execution vulnerability affecting Samba versions 3.5.0 and greater with writable shares. [Wong Wai Tuck]
    • smb-vuln-ms17-010 detects a critical remote code execution vulnerability affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The script also reports patched systems. [Paulino Calderon]
    • [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
    • vmware-version queries VMWare SOAP API for version and product information. Submitted in 2011, this was mistakenly turned into a service probe that was unable to elicit any matches. [Aleksey Tyurin]
  • [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
    • [GH#157] Ncat will now continue trying to connect to each resolved address for a hostname before declaring the connection refused, allowing it to fallback from IPv6 to IPv4 or to connect to names that use DNS failover. [Jaromir Koncicky, Michal Hlavinka]
    • The --no-shutdown option now also works in connect mode, not only in listen mode.
    • Made -i/--idle-timeout not cause Ncat in server mode to close while waiting for an initial connection. This was also causing -i to interfere with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
    • [GH#773] Ncat in server mode properly handles TLS renegotiations and other situations where SSL_read returns a non-fatal error. This was causing SSL-over-TCP connections to be dropped. [Daniel Miller]
    • Enable --ssl-ciphers to be used with Ncat in client mode, not only in server (listen) mode. [Daniel Miller]
  • [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use fully qualified paths. SMB scripts now work against all modern versions of Microsoft Windows. [Paulino Calderon]
  • [NSE] The smb library's share_get_list now properly tries anonymous connections first before falling back to authenticating as a known user.
  • New service probes and matches for Apache HBase and Hadoop MapReduce. [Paulino Calderon]
  • Extended Memcached service probe and added match for Apache ZooKeeper. [Paulino Calderon]
  • [NSE] New script argument "vulns.short" will reduce vulns library script output to a single line containing the target name or IP, the vulnerability state, and the CVE ID or title of the vulnerability. [Daniel Miller]
  • [NSE][GH#862] SNMP scripts will now take a community string provided like `--script-args creds.snmp=private`, which previously did not work because it was interpreted as a username. [Daniel Miller]
  • [NSE] Resolved several issues in the default HTTP redirect rules: [nnposter]
    • [GH#826] A redirect is now cancelled if the original URL contains embedded credentials
    • [GH#829] A redirect test is now more careful in determining whether a redirect destination is related to the original host
    • [GH#830] A redirect is now more strict in avoiding possible redirect loops
  • [NSE][GH#766] The HTTP Host header will now include the port unless it is the default one for a given scheme. [nnposter]
  • [NSE] The HTTP response object has a new member, fragment, which contains a partially received body (if any) when the overall request fails to complete. [nnposter]
  • [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which are silently ignored (in accordance with RFC 6265). Unrecognized attributes were previously causing HTTP requests with such cookies to fail. [nnposter]
  • [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
  • [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie header that has an extraneous trailing semicolon. [nnposter]
  • [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated with option any_af. As an added benefit, option any_af is now available for all connections via comm.lua, not just HTTP requests. [nnposter]
  • [NSE][GH#781] There is a new common function, url.get_default_port(), to obtain the default port number for a given scheme. [nnposter]
  • [NSE][GH#833] Function url.parse() now returns the port part as a number, not a string. [nnposter]
  • No longer allow ICMP Time Exceeded messages to mark a host as down during host discovery. Running traceroute at the same time as Nmap was causing interference. [David Fifield]
  • [NSE][GH#807] Fixed a JSON library issue that was causing long integers to be expressed in the scientific/exponent notation. [nnposter]
  • [NSE] Fixed several potential hangs in NSE scripts that used receive_buf(pattern), which will not return if the service continues to send data that does not match pattern. A new function in match.lua, pattern_limit, is introduced to limit the number of bytes consumed while searching for the pattern. [Daniel Miller, Jacek Wielemborek]
  • [Nsock] Handle any and all socket connect errors the same: raise as an Nsock error instead of fatal. This prevents Nmap and Ncat from quitting with "Strange error from connect:" [Daniel Miller]
  • [NSE] Added several commands to redis-info to extract listening addresses, connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
  • [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting changes at the source site (www.robtex.com). [aDoN]
  • [NSE][GH#620][GH#715] Added 8 new http-enum fingerprints for Hadoop infrastructure components. [Thomas Debize, Varunram Ganesh]
  • [NSE][GH#629] Added two new fingerprints to http-default-accounts (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
  • [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS probe due to a string escaping mixup. [Alexandr Savca]
  • [NSE][GH#694] ike-version now outputs information about supported attributes and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was submitted by Alexis La Goutte. [Daniel Miller]
  • [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
  • [GH#649] New service probe and match lines for the JMON and RSE services of IBM Explorer for z/OS. [Soldier of Fortran]
  • Removed a duplicate service probe for Memcached added in 2011 (the original probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
  • New service probe and match line for NoMachine NX Server remote desktop. [Justin Cacak]
  • [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap was installed to /Applications/Applications/Zenmap.app instead of /Applications/Zenmap.app.
  • [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
  • [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option, which was added in Nmap 7.10. Previously, this was treated the same as not specifying -v at all. [lymanZerga11]
  • [GH#630] Updated or removed some OpenSSL library calls that were deprecated in OpenSSL 1.1. [eroen]
  • [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]
  • [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads" script-arg not being converted to a number. Error message was "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
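The HTTP library items above (Host header carrying the port only when it is not the scheme's default, a url.get_default_port()-style lookup, url.parse() returning the port as a number, and the RFC 6265 Set-Cookie leniency for unquoted whitespace, trailing semicolons and unknown attributes) translate into a small amount of parsing logic. The following is an added, stand-alone Python illustration of that behaviour, not Nmap's Lua code; the function names host_header, parse_set_cookie and cookie_flags and the DEFAULT_PORTS table are assumptions for this example, and the cookie strings are constructed.

```python
from urllib.parse import urlsplit

# Role that url.get_default_port() plays in NSE (assumed table for this example).
DEFAULT_PORTS = {"http": 80, "https": 443}

def host_header(url):
    """Return the Host header value for url: host only when the port is the
    scheme's default, host:port otherwise. urlsplit().port is already an int,
    mirroring url.parse() now returning the port as a number."""
    parts = urlsplit(url)
    host = parts.hostname
    if ":" in host:                       # IPv6 literal must keep its brackets
        host = f"[{host}]"
    port = parts.port
    if port is None or port == DEFAULT_PORTS.get(parts.scheme):
        return host
    return f"{host}:{port}"

def parse_set_cookie(header):
    """Lenient Set-Cookie parser in the spirit of RFC 6265 section 5.2:
    - the value may contain unquoted interior whitespace ("abc def")
    - an extraneous trailing ';' (empty attribute) is skipped, not an error
    - attributes the parser does not know are kept and otherwise ignored
    Returns None only when there is no name=value pair at all."""
    name_value, _, rest = header.partition(";")
    if "=" not in name_value:
        return None
    name, _, value = name_value.partition("=")
    cookie = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for av in rest.split(";"):
        av = av.strip()
        if not av:                        # covers trailing ';' and ';;'
            continue
        key, _, val = av.partition("=")
        cookie["attrs"][key.strip().lower()] = val.strip()
    return cookie

def cookie_flags(cookie):
    """The check http-cookie-flags reports on: are HttpOnly and Secure set?"""
    attrs = cookie["attrs"]
    return {"httponly": "httponly" in attrs, "secure": "secure" in attrs}
```

A Set-Cookie line such as `SESSIONID=abc def; Path=/; Secure; HttpOnly; Priority=High;` would previously have made the whole request fail; here it parses, keeps the unknown Priority attribute, and reports both flags present.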
