Diffstat (limited to '')
-rw-r--r--  CHANGELOG  16842
1 files changed, 16842 insertions, 0 deletions
diff --git a/CHANGELOG b/CHANGELOG
new file mode 100644
index 0000000..ee9ab92
--- /dev/null
+++ b/CHANGELOG
@@ -0,0 +1,16842 @@
+#Nmap Changelog ($Id$); -*-text-*-
+
+o [NSE] Fixed DNS TXT record parsing which caused asn-query to fail in Nmap
+ 7.80 and later. [David Fifield, Mike Pattrick]
+
+Nmap 7.94 [2023-05-19]
+
+o Zenmap and Ndiff now use Python 3! Thanks to the many contributors who made
+ this effort possible:
+ + [GH#2088][GH#1176][Zenmap] Updated Zenmap to Python 3 and PyGObject. [Jakub Kulík]
+
+ + [GH#1807][GH#1176][Ndiff] Updated Ndiff to Python 3. [Brian Quigley]
+
+ + Additional Python 3 update fixes by Sam James, Daniel Miller. Special thanks
+ to those who opened Python 3-related issues and pull requests: Eli
+ Schwartz, Romain Leonard, Varunram Ganesh, Pavel Zhukov, Carey Balboa,
+ Hasan Aliyev, and others.
+
+o [Windows] Upgraded Npcap (our Windows raw packet capturing and
+ transmission driver) from version 1.71 to the latest version 1.75. It
+ includes dozens of performance improvements, bug fixes and feature
+ enhancements described at https://npcap.com/changelog.
+
+o Nmap now prints vendor names based on MAC address for MA-S (24-bit), MA-M
+ (28-bit), and MA-L (36-bit) registrations instead of the fixed 3-byte MAC
+ prefix used previously for lookups.
+
+o Added partial silent-install support to the Nmap Windows
+ installer. It previously didn't offer silent mode (/S) because the
+ free/demo version of Npcap Windoes packet capturing driver that it
+ needs and ships with doesn't include a silent installer. Now with
+ the /S option, Nmap checks whether Npcap is already installed
+ (either the free version or OEM) and will silently install itself if
+ so. This is similar to how the Wireshark installer works and is
+ particularly helpful for organizations that want to fully automate
+ their Nmap (and Npcap) deployments. See
+ https://nmap.org/nmap-silent-install for more details.
+
+o Lots of profile-guided memory and processing improvements for Nmap, including
+ OS fingerprint matching, probe matching and retransmission lookups for large
+ hostgroups, and service name lookups. Overhauled Nmap's string interning and
+ several other startup-related procedures to speed up start times, especially
+ for scans using OS detection. [Daniel Miller]
+
+o Integrated many of the most-submitted IPv4 OS fingerprints for recent
+ versions of Windows, iOS, macOS, Linux, and BSD. Added 22 fingerprints,
+ bringing the new total to 5700!
+
+o [NSE][GH#548] Added the tftp-version script which requests a
+ nonexistent file from a TFTP server and matches the error message
+ to a database of known software. [Mak Kolybabi]
+
+o [Ncat][GH#1223] Ncat can now accept "connections" from multiple UDP hosts in
+ listen mode with the --keep-open option. This also enables --broker and
+ --chat via UDP. [Daniel Miller]
+
+o [GH#2575] Upgraded OpenSSL binaries (for the Windows builds and for
+ RPM's) to version 3.0.8. This resolves some CVE's (CVE-2022-3602;
+ CVE-2022-3786) which don't impact Nmap proper since it doesn't do
+ certificate validation, but could possibly impact Ncat when the
+ --ssl-verify option is used.
+
+o Upgrade included libraries: zlib 1.2.13, Lua 5.4.4, libpcap 1.10.4
+
+o [GH#2532] Removed the bogus OpenSSL message from the Windows Nmap
+ executable which looked like "NSOCK ERROR ssl_init_helper(): OpenSSL
+ legacy provider failed to load." We actually already have the legacy
+ provider built-in to our OpenSSL builds, and that's why loading the
+ external one fails.
+
+o [GH#2541] UDP port scan (-sU) and version scan (-sV) now both use the same
+ data source, nmap-service-probes, for data payloads. Previously, the
+ nmap-payloads file was used for port scan. Port scan responses will be used
+ to kick-start the version matching process. [Daniel Miller]
+
+o Nmap's service scan (-sV) can now probe the UDP service behind a DTLS tunnel,
+ the same as it already does for TCP services with SSL/TLS encryption. The
+ DTLSSessionReq probe has had its rarity lowered to 2 to allow it to be sent
+ sooner in the scan. [Daniel Miller]
+
+o [Ncat] Ncat in listen mode with --udp --ssl will use DTLS to secure incoming
+ connections. [Daniel Miller]
+
+o [GH#1023] Handle Internationalized Domain Names (IDN) like Яндекс.рф on
+ platforms where getaddrinfo supports the AI_IDN flag. [Daniel Miller]
+
+o [Ncat] Addressed an issue from the Debian bug tracker
+ (https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=969314) regarding data
+ received immediately after a SOCKS CONNECT response. Ncat can now be
+ correctly used in the ProxyCommand option of OpenSSH.
+
+o Improved DNS domain name parsing to avoid recursion and enforce name length
+ limits, avoiding a theoretical stack overflow issue with certain crafted DNS
+ server responses, reported by Philippe Antoine.
+
+o [GH#2338][NSE] Fix mpint packing in ssh2 library, which was causing OpenSSH
+ errors like "ssh_dispatch_run_fatal: bignum is negative" [Sami Loone]
+
+o [GH#2507] Updates to the Japanese manpage translation by Taichi Kotake.
+
+o [Ncat][GH#1026][GH#2426] Dramatically speed up Ncat transfers on
+ Windows by avoiding a 125ms wait for every read from
+ STDIN. [scriptjunkie]
+
+o [GH#1192][Windows] Periodically reset the system idle timer to keep the
+ system from going to sleep while scans are in process. This only affects port
+ scans and OS detection scans, since NSE and version scan do not rely on
+ timing data to adjust speed.
+
+o Updated the Nmap Public Source License (NPSL) to Version 0.95. This
+ just clarifies that the derivative works definition and all other
+ license clauses only apply to parties who choose to accept the
+ license in return for the special rights granted (such as Nmap
+ redistribution rights). If a party can do everything they need to
+ using copyright provisions outside of this license such as fair use,
+ we support that and aren't trying to claim any control over their
+ work. Versions of Nmap released under previous versions of the NPSL
+ may also be used under the NPSL 0.95 terms.
+
+o Avoid storing many small strings from IPv4 OS detection results in the global
+ string_pool. These were effectively leaked after a host is done being
+ scanned, since string_pool allocations are not freed until Nmap quits.
+
+Nmap 7.93 [2022-09-01]
+
+o This release commemorates Nmap's 25th anniversary! It all started with this
+ September 1, 1997 Phrack article by Fyodor: https://nmap.org/p51-11.html.
+
+o [Windows] Upgraded Npcap (our Windows raw packet capturing and
+ transmission driver) from version 1.50 to the latest version 1.71. It
+ includes dozens of performance improvements, bug fixes and feature
+ enhancements described at https://npcap.com/changelog.
+
+o Ensure Nmap builds with OpenSSL 3.0 using no deprecated API functions.
+ Binaries for this release include OpenSSL 3.0.5.
+
+o Upgrade included libraries: libssh2 1.10.0, zlib 1.2.12, Lua 5.3.6, libpcap 1.10.1
+
+o [GH#2416] Fix a bug that prevented Nmap from discovering interfaces on Linux
+ when no IPv4 addresses were configured. [Daniel Miller, nnposter]
+
+o [NSE][GH#2463] NSE "exception handling" with nmap.new_try() will no longer
+ result in a stack traceback in debug output nor a "ERROR: script execution
+ failed" message in script output, since the intended behavior has always been
+ to end the script immediately without output. [Daniel Miller]
+
+o [GH#2494] Update the Nmap output DTD to match actual output since the
+ `<hosthint>` element was added in Nmap 7.90.
+
+o [NSE][GH#2496] Fix newtargets support: since Nmap 7.92, scripts could not add
+ targets in script pre-scanning phase. [Daniel Miller]
+
+o [GH#2468] Scripts dhcp-discover and broadcast-dhcp-discover now support
+ setting a client identifier. [nnposter]
+
+o [GH#2331][GH#2471] Script oracle-tns-version was not reporting the version
+ correctly for Oracle 19c or newer [linholmes]
+
+o [GH#2296][GH#2342] Script redis-info was crashing or producing inaccurate
+ information about client connections and/or cluster nodes. [nnposter]
+
+o [GH#2379] Nmap and Nping were unable to obtain system routes on FreeBSD
+ [benpratt, nnposter]
+
+o [GH#2464] Script ipidseq was broken due to calling an unreachable library
+ function. [nnposter]
+
+o [GH#2420][GH#2436] Support for EC crypto was not properly enabled if Nmap
+ was compiled with OpenSSL in a custom location. [nnposter]
+
+o [NSE] Improvements to event handling and pcap socket garbage collection,
+ fixing potential hangs and crashes. [Daniel Miller]
+
+o We ceased creating the Nmap win32 binary zipfile. It was useful back when
+ you could just unzip it and run Nmap from there, but that hasn't worked well
+ for many years. The win32 self-installer handles Npcap installation and many
+ other dependencies and complexities. Anyone who needs the binaries for some
+ reason can still install Nmap on any system and retrieve them from there.
+ For now we're keeping the Win32 zipfile in the Nmap OEM Edition
+ (https://nmap.org/oem) for companies building Nmap into their own
+ products. But even in that case we believe that running the Nmap OEM
+ self-installer in silent mode is a better approach.
+
+o [GH#2388] Fix TDS7 password encoding for mssql.lua, which had been assuming
+ ASCII input even though other parts of the library had been passing it Unicode.
+
+o [GH#2402] Replace deprecated CPEs for IIS with their updated identifier,
+ cpe:/a:microsoft:internet_information_services [Esa Jokinen]
+
+o [NSE][GH#2393] Fix script-terminating error when unknown BSON data types are
+ encountered. Added parsers for most standard data types. [Daniel Miller]
+
+o [Ncat] Fix hostname/certificate comparison and matching to handle ASN.1
+ strings without null terminators, a similar bug to OpenSSL's CVE-2021-3712.
+
+o [Ncat][GH#2365] Added support for SOCKS5 proxies that return bind addresses
+ as hostnames, instead of IPv4/IPv6 addresses. [pomu0325]
+
+Nmap 7.92 [2021-08-07]
+
+o [Windows] Upgraded Npcap (our Windows raw packet capturing and
+ transmission driver) from version 1.00 to the latest version 1.50. You can
+ read about the dozens of performance improvements, bug fixes and feature
+ enhancements at https://npcap.com/changelog.
+
+o [Windows] Thanks to the Npcap 1.50 upgrade, Nmap now works on the Windows
+ ARM architecture so you can run it on lightweight and power-efficient
+ tablets like the Microsoft Surface Pro X and Samsung Galaxy Book Go. More
+ ARM devices are on the way along with the upcoming Windows 11 release. See
+ the Npcap on ARM announcement at
+ https://seclists.org/nmap-announce/2021/2.
+
+o [Windows] Updated our Windows builds to Visual Studio 2019, Windows 10
+ SDK, and the UCRT. This prevents Nmap from working on Windows Vista and
+ earlier, but they can still use older versions of Nmap on their ancient
+ operating system.
+
+o New Nmap option --unique will prevent Nmap from scanning the same IP
+ address twice, which can happen when different names resolve to the same
+ address. [Daniel Miller]
+
+o [NSE][GH#1691] TLS 1.3 now supported by most scripts for which it is
+ relevant, such as ssl-enum-ciphers. Some functions like ssl tunnel
+ connections and certificate parsing will require OpenSSL 1.1.1 or later to
+ fully support TLS 1.3. [Daniel Miller]
+
+o [NSE] Added 3 NSE scripts, from 4 authors, bringing the total up to 604!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below:
+ + [GH#2201] nbns-interfaces queries NetBIOS name service (NBNS) to gather
+ IP addresses of the target's network interfaces [Andrey Zhukov]
+
+ + [GH#711] openflow-info gathers preferred and supported protocol versions
+ from OpenFlow devices [Jay Smith, Mak Kolybabi]
+
+ + port-states prints a list of ports that were found in each state,
+ including states that were summarized as "Not shown: X closed ports"
+ [Daniel Miller]
+
+o Several changes to UDP payloads to improve accuracy:
+ + [GH#2269] Fix an issue with -sU where payload data went out-of-scope
+ before it was used, causing corrupted payloads to be sent. [Mariusz
+ Ziulek]
+
+ + Nmap's retransmission limits were preventing some UDP payloads from
+ being tried with -sU and -PU. Now, Nmap sends each payload for a
+ particular port at the same time without delay. [Daniel Miller]
+
+ + New UDP payloads:
+ - [GH#1279] TS3INIT1 for UDP 3389 [colcrunch]
+ - [GH#1895] DTLS for UDP 3391 (RD Gateway) [Arnim Rupp]
+
+o [NSE][GH#2208][GH#2203] SMB2 dialect handling has been
+ redesigned. Visible changes include:
+ * Notable improvement in speed of script smb-protocols and others
+ * Some SMB scripts are no longer using a hardcoded dialect, improving
+ target interoperability
+ * Dialect names are aligned with Microsoft, such as 3.0.2, instead of
+ 3.02 [nnposter]
+
+o [GH#2350] Upgraded OpenSSL to version 1.1.1k. This addresses some
+ CVE's which don't affect Nmap in a material way. Details:
+ https://github.com/nmap/nmap/issues/2350
+
+o Removed support for the ancient WinPcap library since we already include
+ our own Npcap library (https://npcap.com) supporting the same API. WinPcap
+ was abandoned years ago and it's official download page says that "WE
+ RECOMMEND USING Npcap INSTEAD" for security, stability, compatibility, and
+ support reasons.
+
+o [GH#2257] Fix an issue in addrset matching that was causing all targets to
+ be excluded if the --excludefile listed a CIDR range that contains an
+ earlier, smaller CIDR range. [Daniel Miller]
+
+o [GH#1922] Fix an issue that would cause Nmap to hang during scans
+ with a host timeout, such as -T5. Any active probes when a target timed out
+ were counting towards the global congestion window.
+
+o [GH#2153] Do not count host discovery phase time against the host timeout,
+ since Nmap may wait a long time between sending probes to a target while it
+ processes other targets instead.
+
+o [GH#2153] Fix issues with matching ICMP Time Exceeded messages that led to
+ ignored responses and long scan times when scanning distant targets.
+
+o Upgrade the Windows NSIS installer to use the latest NSIS 3 (version
+ 3.07) instead of the previous NSIS 2 generation.
+
+o Setting --host-timeout=0 will disable the host timeout, which is set by
+ -T5 to 15 minutes. Earlier versions of Nmap require the user to specify a
+ very long timeout instead.
+
+o Improvements to Nmap's XML output:
+ + If a host times out, the XML <host> element will have the attribute
+ timedout="true" and the host's timing info (srtt etc.) will still be
+ printed.
+
+ + The "extrareasons" element now includes a list of port numbers for each
+ "ignored" state. The "All X ports" and "Not shown:" lines in normal
+ output have been changed slightly to provide more detail. [Daniel
+ Miller]
+
+o [NSE][GH#2237] Prevent the ssl-* NSE scripts from probing ports that were
+ excluded from version scan, usually 9100-9107, since JetDirect will print
+ anything sent to these ports. [Daniel Miller]
+
+o [GH#2206] Nmap no longer produces cryptic message "Failed to convert
+ source address to presentation format" when unable to find useable route
+ to the target. [nnposter]
+
+o [Ncat][GH#2202] Use safety-checked versions of FD_* macros to abort early
+ if number of connections exceeds FD_SETSIZE. [Pavel Zhukov]
+
+o [Ncat] Connections proxied via SOCKS4/SOCKS5 were intermittently dropping
+ server data sent right after the connection got established, such as port
+ banners. [Sami Pönkänen]
+
+o [Ncat][GH#2149] Fixed a bug in proxy connect mode which would close the
+ connection as soon as it was opened in Nmap 7.90 and 7.91.
+
+o [NSE][GH#2175] Fixed NSE so it will not consolidate all port script output
+ for targets which share an IP (e.g. HTTP vhosts) under one target. [Daniel
+ Miller]
+
+o [Zenmap][GH#2157] Fixed an issue where a failure to execute Nmap would
+ result in a Zenmap crash with "TypeError: coercing to Unicode" exception.
+
+o Nmap no longer considers an ICMP Host Unreachable as confirmation that a
+ target is down, in accordance with RFC 1122 which says these errors may be
+ transient. Instead, the probe will be destroyed and other probes used to
+ determine aliveness. [Daniel Miller]
+
+o [Ncat][GH#2154] Ncat no longer crashes when used with Unix domain sockets.
+
+o [Ncat][GH#2167][GH#2168] Ncat is now again generating certificates with
+ the duration of one year. Due to a bug, recent versions of Ncat were using
+ only one minute. [Tobias Girstmair]
+
+o [NSE][GH#2281] URL/percent-encoding is now using uppercase hex digits to
+ align with RFC 3986, section 2.1, and to improve compatibility with some
+ real-world web servers. [nnposter]
+
+o [NSE][GH#2174] Script hostmap-crtsh got improved in several ways. The most
+ visible are that certificate SANs are properly split apart and that
+ identities that are syntactically incorrect to be hostnames are now
+ ignored. [Michel Le Bihan, nnposter]
+
+o [NSE] Loading of a Nikto database failed if the file was referenced
+ relative to the Nmap directory [nnposter]
+
+o We're no longer building and distributing 32-bit Linux binary RPMs since
+ the vast majority of users are on x64 systems now. Nmap still works on
+ 32-bit systems and so users can build it themselves from the source
+ RPMs or tarball, or obtain it from their distribution's repository.
+
+o [GH#2199] Updated Nmap's NPSL license to rewrite a poorly-worded clause
+ about "proprietary software companies". The new license version 0.93 is
+ still available from https://nmap.org/npsl/. As described on that page, we
+ are also still offering Nmap 7.90, 7.91, and 7.92 under the previous Nmap
+ 7.80 license. Finally, we still offer the Nmap OEM program for companies
+ who want a non-copyleft license allowing them to redistribute Nmap with
+ their products at https://nmap.org/oem/.
+
+o [NSE] Script smb2-vuln-uptime no longer reports false positives when the
+ target does not provide its boot time. [nnposter]
+
+o [NSE][GH#2197] Client packets composed by the DHCP library will now
+ contain option 51 (IP address lease time) only when requested. [nnposter]
+
+o [NSE][GH#2192] XML decoding in library citrixxml no longer crashes when
+ encountering a character reference with codepoint greater than 255. (These
+ references are now left unmodified.) [nnposter]
+
+o [NSE] Script mysql-audit now defaults to the bundled mysql-cis.audit for
+ the audit rule base. [nnposter]
+
+o [NSE][GH#1473] It is now possible to control whether the SNMP library uses
+ v1 (default) or v2c by setting script argument snmp.version. [nnposter]
+
+Nmap 7.91 [2020-10-09]
+
+o [NSE][GH#2136][GH#2137] Fix several places where Lua's os.time was being used
+ to represent dates prior to January 1, 1970, which fails on Windows. Notably,
+ NSE refused to run in UTC+X timezones with the error "time result cannot be
+ represented in this installation" [Clément Notin, nnposter, Daniel Miller]
+
+o [GH#2148][Zenmap] Fix a crash in the profile editor due to a missing import.
+
+o [GH#2139][Nsock][Windows] Demote the IOCP Nsock engine because of some known
+ issues that will take longer to resolve. The previous default "poll" engine
+ will be used instead.
+
+o [GH#2140][Nsock][Windows] Fix a crash in service scan due to a previously-unknown
+ error being returned from the IOCP Nsock engine. [Daniel Miller]
+
+o [NSE][GH#2128] MySQL library was not properly parsing server responses,
+ resulting in script crashes. [nnposter]
+
+o [GH#2135] Silence the irrelevant warning, "Your ports include 'T:' but you
+ haven't specified any TCP scan type" when running nmap -sUV
+
+Nmap 7.90 [2020-10-03]
+
+o [Windows] Upgraded Npcap, our Windows packet capturing (and sending)
+ library to the milestone 1.00 release! It's the culmination of 7 years of
+ development with 170 public pre-releases. This includes dozens of
+ performance improvements, bug fixes, and feature enhancements described
+ at https://npcap.com/changelog.
+
+o Integrated over 800 service/version detection fingerprints submitted since
+ August 2017. The signature count went up 1.8% to 11,878, including 17 new
+ softmatches. We now detect 1237 protocols from airmedia-audio, banner-ivu,
+ and control-m to insteon-plm, pi-hole-stats, and ums-webviewer. A
+ significant number of submissions remain to be integrated in the next
+ release.
+
+o Integrated over 330 of the most-frequently-submitted IPv4 OS fingerprints
+ since August 2017. Added 26 fingerprints, bringing the new total to 5,678.
+ Additions include iOS 12 & 13, macOS Catalina & Mojave, Linux 5.4, FreeBSD
+ 13, and more.
+
+o Integrated all 67 of your IPv6 OS fingerprint submissions from August 2017 to
+ September 2020. Added new groups for FreeBSD 12, Linux 5.4, and Windows 10,
+ and consolidated several weak groups to improve classification accuracy.
+
+o [NSE] Added 3 NSE scripts, from 2 authors, bringing the total up to 601!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below:
+
+ + dicom-brute attempts to brute force the called Application Entity Title
+ of DICOM servers. [Paulino Calderon]
+
+ + dicom-ping discovers DICOM servers and determines if any Application
+ Entity Title is allowed to connect. [Paulino Calderon]
+
+ + uptime-agent-info collects system information from an Idera Uptime
+ Infrastructure Monitor agent. [Daniel Miller]
+
+o [GH#1834] Addressed over 250 code quality issues identified by LGTM.com,
+ improving our code quality score from "C" to "A+"
+
+o Released Npcap OEM Edition. For more than 20 years, the Nmap Project has
+ been funded by selling licenses for companies to distribute Nmap with
+ their products, along with commercial support. Hundreds of commercial
+ products now use Nmap for network discovery tasks like port scanning,
+ host discovery, OS detection, service/version detection, and of course
+ the Nmap Scripting Engine (NSE). Until now they have just used standard
+ Nmap, but this new OEM Edition is customized for use within other Windows
+ software. Nmap OEM contains the OEM version of our Npcap driver, which
+ allows for silent installation. It also removes the Zenmap GUI, which
+ cuts the installer size by more than half. And it reports itself as Nmap
+ OEM so customers know it's a properly licensed Nmap. See
+ https://nmap.org/oem for more details. We will be reaching out to all
+ existing licensees with Nmap OEM access credentials, but any licensees
+ who wants it quicker should see https://nmap.org/oem.
+
+o Upgraded the Nmap license form a sort of hacked-up version of GPLv2 to a
+ cleaner and better organized version (still based on GPLv2) now called the
+ Nmap Public Source License to avoid confusion. See https://nmap.org/npsl/
+ for more details and annotated license text. This NPSL project was started
+ in 2006 (community discussion here:
+ https://seclists.org/nmap-dev/2006/q4/126) and then it lost momentum for 7
+ years until it was restarted in 2013
+ (https://seclists.org/nmap-dev/2013/q1/399) and then we got distracted by
+ development again. We still have some ideas for improving the NPSL, but
+ it's already much better than the current license, so we're applying NPSL
+ Version 0.92 to the code now and can make improvements later if
+ needed. This does not change the license of previous Nmap releases.
+
+o Removed nmap-update. This program was intended to provide a way to update
+ data files and NSE scripts, but the infrastructure was never fielded. It
+ depended on Subversion version control and would have required maintaining
+ separate versions of NSE scripts for compatibility.
+
+o Removed the silent-install command-line option (/S) from the Windows
+ installer. It causes several problems and there were no objections when we
+ proposed removing it in 2016 (https://seclists.org/nmap-dev/2016/q4/168).
+ It will remain in Nmap OEM since its main use was for customers who
+ redistribute Nmap with other software. If anyone else has a strong need
+ for an Nmap silent installer, please contact sales@nmap.com and we'll see
+ what we can do.
+
+o [GH#1860] 23 new UDP payloads and dozens more default ports for existing
+ payloads developed for Rapid7's InsightVM scan engine. These speed up and
+ ensure detection of open UDP services. [Paul Miseiko, Rapid7]
+
+o [GH#2051] Restrict Nmap's search path for scripts and data files.
+ NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
+ searched on Windows, where it was previously defined as C:\Nmap .
+ Additionally, the --script option will not interpret names as directory names
+ unless they are followed by a '/'. [Daniel Miller]
+
+o [GH#1764] Fix an assertion failure when unsolicited ARP response is received:
+ nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.
+
+o [NSE] New outlib library consolidates functions related to NSE output,
+ both string formatting conventions and structured output. [Daniel Miller]
+
+o [NSE] New dicom library implements the DICOM protocol used for
+ storing and transfering medical images. [Paulino Calderon]
+
+o [GH#92] Fix a regression in ARP host discovery left over from the move from
+ massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in
+ missing ARP responses from targets near the end of a scan. Accuracy and speed
+ are both improved. [Daniel Miller]
+
+o [GH#2126] Fix the "iocp" Nsock engine for Windows to be able to correctly
+ handle PCAP read events. This engine is now the default for Windows, which
+ should greatly improve performance over the previous default, the "poll"
+ engine. [Daniel Miller]
+
+o [GH#2050] Reduced CPU usage of OS scan by 50% by avoiding string copy
+ operations and removing undocumented fingerprint syntax unused in nmap-os-db
+ ('&' and '+' in expressions). [Daniel Miller]
+
+o [GH#1859] Allow multiple UDP payloads to be specified for a port in
+ nmap-payloads. If the first payload does not get a response, the remaining
+ payloads are tried round-robin. [Paul Miseiko, Rapid7]
+
+o [GH#1616] New option --discovery-ignore-rst tells Nmap to ignore TCP RST
+ responses when determining if a target is up. Useful when firewalls are
+ spoofing RST packets. [Tom Sellers, Rapid7]
+
+o [Ncat][GH#2087][GH#1927][GH#1928][GH#1974] It is now possible to override
+ the value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]
+
+o [GH#2104] Fixed parsing of TCP options which would hang (infinite loop) if an
+ option had an explicit length of 0. Affects Nmap 7.80 only.
+ [Daniel Miller, Imed Mnif]
+
+o Added a UDP payload for STUN (Session Traversal Utilities for NAT).
+ [David Fifield]
+
+o [NSE] Fixed an off-by-one bug in the stun.lua library that prevented
+ parsing a server response. [David Fifield]
+
+o [NSE][GH#1460] Script ssh2-enum-algos would fail if the server initiated
+ the key exchange before completing the protocol version exchange
+ [Scott Ellis, nnposter]
+
+o [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange
+ confusion [nnposter]
+
+o [NSE][GH#2098] Performance of script afp-ls has been dramatically improved
+ [nnposter]
+
+o [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and
+ FPEnumerateExt2FPEnumerateExt2 responses was not working correctly [nnposter]
+
+o [NSE][GH#2089] Eliminated false positives in script http-shellshock caused by
+ simple reflection of HTTP request data [Anders Kaseorg]
+
+o [NSE][GH#1473] SNMP scripts are now enabled on non-standard ports where SNMP
+ has been detected [usd-markus, nnposter]
+
+o [NSE][GH#2084] MQTT library was using incorrect position when parsing
+ received responses [tatulea]
+
+o [NSE][GH#2086] IPMI library was using incorrect position when parsing
+ received responses [Star Salzman]
+
+o [NSE][GH#2086] Scripts ipmi-brute and deluge-rpc-brute were not capturing
+ successfully brute-forced credentials [Star Salzman]
+
+o Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4
+ addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses
+ will not be parsed as IP addresses when resuming from XML. [Daniel Miller]
+
+o [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not lowercase.
+ Nmap was failing to identify reverse-DNS names when the DNS server delivered
+ them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard Schütz, Daniel Miller]
+
+o [NSE][GH#1999][GH#2005] IKE library was not properly populating the protocol
+ number in aggressive mode requests. [luc-x41]
+
+o [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL
+ Server 2019, MariaDB, and Crate.io CrateDB. Updated PostreSQL coverage and
+ added specific detection of recent versions running in Docker. [Tom Sellers]
+
+o New XML output "hosthint" tag emitted during host discovery when a target is
+ found to be up. This gives earlier notification than waiting for the
+ hostgroup to finish all scan phases. [Paul Miseiko]
+
+o [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123,
+ 2152, and 3386. [Guillaume Teissier]
+
+o [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on
+ empirical data from Shodan.io, as well as the netconf-ssh service.
+ [Lim Shi Min Jonathan, Daniel Miller]
+
+o [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the
+ desktop in macOS. [Roland Linder]
+
+o [Nping] Address build failure under libc++ due to "using namespace std;" in
+ several headers, resulting in conflicting definitions of bind(). Reported by
+ StormBytePP and Rosen Penev. [Daniel Miller]
+
+o [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket with
+ verbose output enabled. [Stefano Garzarella]
+
+o [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat by
+ setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the
+ credentials getting captured in process logs. [nnposter]
+
+o [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded HTTP
+ body. [Daniel Miller]
+
+o Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.
+
+o Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.
+
+o [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working
+ correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]
+
+o [Windows] Add support for the new loopback behavior in Npcap 0.9983 and
+ later. This enables Nmap to scan localhost on Windows without needing the
+ Npcap Loopback Adapter to be installed, which was a source of problems for
+ some users. [Daniel Miller]
+
+o [NSE] MS SQL library has improved version resolution, from service pack level
+ to individual cumulative updates [nnposter]
+
+o [NSE][GH#2077] With increased verbosity, script http-default-accounts now
+ reports matched target fingerprints even if no default credentials were found
+ [nnposter]
+
+o [NSE][GH#2063] IPP request object conversion to string was not working
+ correctly [nnposter]
+
+o [NSE][GH#2063] IPP response parser was not correctly processing
+ end-of-attributes-tag [nnposter]
+
+o [NSE] Script cups-info was failing due to erroneous double-decoding
+ of the IPP printer status [nnposter]
+
+o [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte
+ arrays [nnposter]
+
+o [NSE] The password hashing function for Oracle 10g was not working correctly
+ for non-alphanumeric characters [nnposter]
+
+o [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous
+ entries present in vhosts-default.lst [nnposter]
+
+o [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating Luhn
+ checksum [Colleen Li, nnposter]
+
+o [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now support
+ new argument "mac" to force a specific client MAC address [nnposter]
+
+o [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts
+ [nnposter]
+
+o [NSE] RPC code was using incorrect port range, which was causing some calls,
+ such as NFS mountd, to fail intermittently [nnposter]
+
+o [NSE][GH#1876] XML output from script ssl-cert now includes RSA key modulus
+ and exponent [nnposter]
+
+o [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls, call
+ smb.find_files [nnposter]
+
+o [NSE][GH#1802] The MongoDB library was causing errors when assembling protocol
+ payloads. [nnposter]
+
+o [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating request
+ strings. [nnposter]
+
+o [NSE][GH#1706] VNC handshakes were failing with insert position out of bounds
+ error. [nnposter]
+
+o [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not
+ correctly populating ID Authority. [nnposter]
+
+o [NSE][GH#1720] Unmarshalling functions in library msrpctypes were attempting
+ arithmetic on a nil argument. [Ivan Ivanov, nnposter]
+
+o [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library
+ msrpc were incorrectly referencing function strjoin when called with debug
+ level 2 or higher. [Ivan Ivanov]
+
+o [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat
+ Host Manager and Dell iDRAC9. [Clément Notin]
+
+o [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing
+ protocol negotiation to fail with data string too short error.
+ [Clément Notin, nnposter]
+
+o [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts to
+ fail with bad format argument error. [Ivan Ivanov]
+
+o [NSE][GH#1665] The HTTP library no longer crashes when code requests digest
+ authentication but the server does not provide the necessary authentication
+ header. [nnposter]
+
+o [NSE] Fixed a bug in http-wordpress-users.nse that could cause
+ extraneous output to be captured as part of a username. [Duarte Silva]
+
+Nmap 7.80 [2019-08-10]
+
+o [Windows] The Npcap Windows packet capturing library (https://npcap.com/)
+ is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap
+ from version 0.99-r2 to 0.9982, including all of these changes from the
+ last 15 Npcap releases: https://npcap.com/changelog
+
+o [NSE] Added 11 NSE scripts, from 8 authors, bringing the total up to 598!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below:
+
+ + [GH#1232] broadcast-hid-discoveryd discovers HID devices on a LAN by
+ sending a discoveryd network broadcast probe. [Brendan Coles]
+
+ + [GH#1236] broadcast-jenkins-discover discovers Jenkins servers on a LAN
+ by sending a discovery broadcast probe. [Brendan Coles]
+
+ + [GH#1016][GH#1082] http-hp-ilo-info extracts information from HP
+ Integrated Lights-Out (iLO) servers. [rajeevrmenon97]
+
+ + [GH#1243] http-sap-netweaver-leak detects SAP Netweaver Portal with the
+ Knowledge Management Unit enabled with anonymous access. [ArphanetX]
+
+ + https-redirect detects HTTP servers that redirect to the same port, but
+ with HTTPS. Some nginx servers do this, which made ssl-* scripts not run
+ properly. [Daniel Miller]
+
+ + [GH#1504] lu-enum enumerates Logical Units (LU) of TN3270E servers.
+ [Soldier of Fortran]
+
+ + [GH#1633] rdp-ntlm-info extracts Windows domain information from RDP
+ services. [Tom Sellers]
+
+ + smb-vuln-webexec checks whether the WebExService is installed and allows
+ code execution. [Ron Bowes]
+
+ + smb-webexec-exploit exploits the WebExService to run arbitrary commands
+ with SYSTEM privileges. [Ron Bowes]
+
+ + [GH#1457] ubiquiti-discovery extracts information from the Ubiquiti
+ Discovery service and assists version detection. [Tom Sellers]
+
+ + [GH#1126] vulners queries the Vulners CVE database API using CPE
+ information from Nmap's service and application version detection.
+ [GMedian, Daniel Miller]
+
+o [GH#1371] The macOS installer is now built for x86_64 architecture, not i386.
+
+o [GH#1396] Fixed the Windows installer, which would replace the entire PATH
+ system variable with the path for Nmap if it exceeded 1024 bytes. This was
+ fixed by using the "large strings" build of NSIS to build the new installer.
+ [Daniel Miller]
+
+o Replaced the addrset matching code that is used by --exclude and
+ --excludefile with a much faster implementation using a radix tree (trie).
+ https://seclists.org/nmap-dev/2018/q4/13
+
+o [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in
+ Nmap, and set immediate mode on the pcap descriptor. This solves packet
+ loss problems on Linux and may improve performance on other platforms.
+ [Daniel Cater, Mike Pontillo, Daniel Miller]
+
+o [NSE][GH#1330] Fixed an infinite loop in tls-alpn when the server forces a
+ particular protocol. [Daniel Miller]
+
+o [NSE] Collected utility functions for string processing into a new
+ library, stringaux.lua. [Daniel Miller]
+
+o [NSE] New rand.lua library uses the best sources of random available on
+ the system to generate random strings. [Daniel Miller]
+
+o [NSE] New library, oops.lua, makes reporting errors easy, with plenty of
+ debugging detail when needed, and no clutter when not. [Daniel Miller]
+
+o [NSE] Collected utility functions for manipulating and searching tables
+ into a new library, tableaux.lua. [Daniel Miller]
+
+o [NSE] New knx.lua library holds common functions and definitions for
+ communicating with KNX/Konnex devices. [Daniel Miller]
+
+o [NSE][GH#1571] The HTTP library now provides transparent support for gzip-
+ encoded response body. (See https://github.com/nmap/nmap/pull/1571 for an
+ overview.) [nnposter]
+
+o [Nsock][Ncat][GH#1075] Add AF_VSOCK (Linux VM sockets) functionality to
+ Nsock and Ncat. VM sockets are used for communication between virtual
+ machines and the hypervisor. [Stefan Hajnoczi]
+
+o [Security][Windows] Address CVE-2019-1552 in OpenSSL by building with the
+ prefix "C:\Program Files (x86)\Nmap\OpenSSL". This should prevent
+ unauthorized users from modifying OpenSSL defaults by writing
+ configuration to this directory.
+
+o [Security][GH#1147][GH#1108] Reduced LibPCRE resource limits so that
+ version detection can't use as much of the stack. Previously Nmap could
+ crash when run on low-memory systems against target services which are
+ intentionally or accidentally difficult to match. Someone assigned
+ CVE-2018-15173 for this issue. [Daniel Miller]
+
+o [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery
+ option. ARP ping is already used whenever possible, and the -PR option
+ would not force it to be used in any other case. [Daniel Miller]
+
+o [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap
+ 7.25BETA2, has native support for binary data packing via string.pack and
+ string.unpack. All existing scripts and libraries have been updated.
+ [Daniel Miller]
+
+o [NSE] Completely removed the bit.lua NSE library. All of its functions are
+ replaced by native Lua bitwise operations, except for `arshift`
+ (arithmetic shift) which has been moved to the bits.lua library. [Daniel
+ Miller]
+
+o [NSE][GH#1571] The HTTP library is now enforcing a size limit on the
+ received response body. The default limit can be adjusted with a script
+ argument, which applies to all scripts, and can be overridden case-by-case
+ with an HTTP request option. (See https://github.com/nmap/nmap/pull/1571
+ for details.) [nnposter]
+
+o [NSE][GH#1648] CR characters are no longer treated as illegal in script
+ XML output. [nnposter]
+
+o [GH#1659] Allow resuming nmap scan with lengthy command line [Clément
+ Notin]
+
+o [NSE][GH#1614] Add TLS support to rdp-enum-encryption. Enables determining
+ protocol version against servers that require TLS and lays ground work for
+ some NLA/CredSSP information collection. [Tom Sellers]
+
+o [NSE][GH#1611] Address two protocol parsing issues in rdp-enum-encryption
+ and the RDP nse library which broke scanning of Windows XP. Clarify
+ protocol types [Tom Sellers]
+
+o [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its
+ resource file unless executed from a specific working
+ directory. [nnposter]
+
+o [NSE][GH#1467] Avoid clobbering the "severity" and "ignore_404" values of
+ fingerprints in http-enum. None of the standard fingerprints uses these
+ fields. [Kostas Milonas]
+
+o [NSE][GH#1077] Fix a crash caused by a double-free of libssh2 session data
+ when running SSH NSE scripts against non-SSH services. [Seth Randall]
+
+o [NSE][GH#1565] Updates the execution rule of the mongodb scripts to be
+ able to run on alternate ports. [Paulino Calderon]
+
+o [Ncat][GH#1560] Allow Ncat to connect to servers on port 0, provided that
+ the socket implementation allows this. [Daniel Miller]
+
+o Update the included libpcap to 1.9.0. [Daniel Miller]
+
+o [NSE][GH#1544] Fix a logic error that resulted in scripts not honoring the
+ smbdomain script-arg when the target provided a domain in the NTLM
+ challenge. [Daniel Miller]
+
+o [Nsock][GH#1543] Avoid a crash (Protocol not supported) caused by trying
+ to reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel
+ Miller]
+
+o [NSE][GH#1534] Removed OSVDB references from scripts and replaced them
+ with BID references where possible. [nnposter]
+
+o [NSE][GH#1504] Updates TN3270.lua and adds argument to disable TN3270E
+ [Soldier of Fortran]
+
+o [GH#1504] RMI parser could crash when encountering invalid input [Clément
+ Notin]
+
+o [GH#863] Avoid reporting negative latencies due to matching an ARP or ND
+ response to a probe sent after it was recieved. [Daniel Miller]
+
+o [Ncat][GH#1441] To avoid confusion and to support non-default proxy ports,
+ option --proxy now requires a literal IPv6 address to be specified using
+ square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]
+
+o [Ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over
+ whether proxy destinations are resolved by the remote proxy server or
+ locally, by Ncat itself. See option --proxy-dns. [nnposter]
+
+o [NSE][GH#1478] Updated script ftp-syst to prevent potential endless
+ looping. [nnposter]
+
+o [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti
+ Discovery protocol. Devices often leave the related service open and it
+ exposes significant amounts of information as well as the risk of being
+ used as part of a DDoS. New nmap-payload entry for v1 of the
+ protocol. [Tom Sellers]
+
+o [NSE] Removed hostmap-ip2hosts.nse as the API has been broken for a while
+ and the service was completely shutdown on Feb 17th, 2019. [Paulino
+ Calderon]
+
+o [NSE][GH#1318] Adds TN3270E support and additional improvements to
+ tn3270.lua and updates tn3270-screen.nse to display the new
+ setting. [mainframed]
+
+o [NSE][GH#1346] Updates product codes and adds a check for response length
+ in enip-info.nse. The script now uses string.unpack. [NothinRandom]
+
+o [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve a
+ compatibility issue with OpenSSL library configured with security level 2,
+ as seen on current Debian or Kali. [Adrian Vollmer, nnposter]
+
+o [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against
+ non-SSH services. [Daniel Miller]
+
+o [Zenmap] Fix a crash when Nmap executable cannot be found and the system
+ PATH contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]
+
+o [Zenmap] Fix a crash in results search when using the dir: operator:
+ AttributeError: 'SearchDB' object has no attribute 'match_dir'
+ [Daniel Miller]
+
+o [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early
+ termination of connections. [Alberto Garcia Illera]
+
+o [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when
+ the server responds with 200 status to a POST request to any
+ URI. [Francesco Soncina]
+
+o [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate
+ that testing could not rule out vulnerability. [Daniel Miller]
+
+o [GH#1355] When searching for Lua header files, actually use them where
+ they are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel
+ Miller]
+
+o [NSE][GH#1331] Script traceroute-geolocation no longer crashes when
+ www.GeoPlugin.net returns null coordinates [Michal Kubenka, nnposter]
+
+o Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not
+ use higher levels internally. [Daniel Miller]
+
+o [NSE] tls.lua when creating a client_hello message will now only use a
+ SSLv3 record layer if the protocol version is SSLv3. Some TLS
+ implementations will not handshake with a client offering less than
+ TLSv1.0. Scripts will have to manually fall back to SSLv3 to talk to
+ SSLv3-only servers. [Daniel Miller]
+
+o [NSE][GH#1322] Fix a few false-positive conditions in
+ ssl-ccs-injection. TLS implementations that responded with fatal alerts
+ other than "unexpected message" had been falsely marked as
+ vulnerable. [Daniel Miller]
+
+o Emergency fix to Nmap's birthday announcement so Nmap wishes itself a
+ "Happy 21st Birthday" rather than "Happy 21th" in verbose mode (-v) on
+ September 1, 2018. [Daniel Miller]
+
+o [GH#1150] Start host timeout clocks when the first probe is sent to a
+ host, not when the hostgroup is started. Sometimes a host doesn't get
+ probes until late in the hostgroup, increasing the chance it will time
+ out. [jsiembida]
+
+o [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
+ - [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
+ - Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
+ - Fixing a bug that prevented using the same ECS option table more than
+ once [nnposter]
+
+o [Ncat][GH#1267] Fixed communication with commands launched with -e or -c
+ on Windows, especially when --ssl is used. [Daniel Miller]
+
+o [NSE] Script http-default-accounts can now select more than one
+ fingerprint category. It now also possible to select fingerprints by name
+ to support very specific scanning. [nnposter]
+
+o [NSE] Script http-default-accounts was not able to run against more than
+ one target host/port. [nnposter]
+
+o [NSE][GH#1251] New script-arg `http.host` allows users to force a
+ particular value for the Host header in all HTTP requests.
+
+o [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead
+ of "example.com" in EHLO command used for STARTTLS. [gwire]
+
+o [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing
+ Nmap with an assertion failure due to socket mixup [Daniel Miller]: nmap:
+ nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext):
+ Assertion `lua_gettop(L) == 7' failed.
+
+o [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by
+ IPS closing the connection. [Clément Notin]
+
+o [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through HTTP
+ proxies. [Phil Dibowitz]
+
+o [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]
+
+o [NSE][GH#1191] Add two common error strings that improve MySQL detection
+ by the script http-sql-injection. [Robert Taylor, Paulino Calderon]
+
+o [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script
+ to generate the vulnerability report correctly. [rewardone]
+
+o [NSE][GH#1218] Fix bug related to screen rendering in NSE library
+ tn3270. This patch also improves the brute force script
+ tso-brute. [mainframed]
+
+o [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when the
+ algorithm contains lowercase characters. [Jeswin Mathai]
+
+o [GH#1204] Nmap could be fooled into ignoring TCP response packets if they
+ used an unknown TCP Option, which would misalign the validation, causing
+ it to fail. [Clément Notin, Daniel Miller]
+
+o [NSE]The HTTP response parser now tolerates status lines without a reason
+ phrase, which improves compatibility with some HTTP servers. [nnposter]
+
+o [NSE][GH#1169][GH#1170][GH#1171]][GH#1198] Parser for HTTP Set-Cookie header
+ is now more compliant with RFC 6265:
+ - empty attributes are tolerated
+ - double quotes in cookie and/or attribute values are treated literally
+ - attributes with empty values and value-less attributes are parsed equally
+ - attributes named "name" or "value" are ignored
+ [nnposter]
+
+o [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den
+ Bogert]
+
+o [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written
+ to. [Daniel Miller]
+
+o Fixed --resume when the path to Nmap contains spaces. Reported on Windows
+ by Adriel Desautels. [Daniel Miller]
+
+o New service probe and match lines for adb, the Android Debug Bridge, which
+ allows remote code execution and is left enabled by default on many
+ devices. [Daniel Miller]
+
+Nmap 7.70 [2018-03-20]
+
+o [Windows] We made a ton of improvements to our Npcap Windows packet
+ capturing library (https://npcap.com/) for greater performance and
+ stability, as well as smoother installer and better 802.11 raw frame
+ capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to
+ 0.99-r2, including all these changes from the last seven Npcap releases:
+ https://npcap.com/changelog
+
+o Integrated all of your service/version detection fingerprints submitted from
+ March 2017 to August 2017 (728 of them). The signature count went up 1.02%
+ to 11,672, including 26 new softmatches. We now detect 1224 protocols from
+ filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and
+ watchguard. We will try to integrate the remaining submissions in the next
+ release.
+
+o Integrated all of your IPv4 OS fingerprint submissions from September 2016
+ to August 2017 (667 of them). Added 298 fingerprints, bringing the new total
+ to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and
+ more.
+
+o Integrated all 33 of your IPv6 OS fingerprint submissions from September
+ 2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added,
+ as well as strengthened groups for Linux and OS X.
+
+o Added the --resolve-all option to resolve and scan all IP addresses of a
+ host. This essentially replaces the resolveall NSE script. [Daniel Miller]
+
+o [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
+ traversal vulnerability) in the way the non-default http-fetch script
+ sanitized URLs. If a user manualy ran this NSE script against a malicious
+ web server, the server could potentially (depending on NSE arguments used)
+ cause files to be saved outside the intended destination directory. Existing
+ files couldn't be overwritten. We fixed http-fetch, audited our other
+ scripts to ensure they didn't make this mistake, and updated the httpspider
+ library API to protect against this by default. [nnposter, Daniel Miller]
+
+o [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below:
+
+ + deluge-rpc-brute performs brute-force credential testing against Deluge
+ BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
+
+ + hostmap-crtsh lists subdomains by querying Google's Certificate
+ Transparency logs. [Paulino Calderon]
+
+ + [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
+ reports back the IP address and port of the actual server behind the
+ load-balancer. [Seth Jackson]
+
+ + http-jsonp-detection Attempts to discover JSONP endpoints in web servers.
+ JSONP endpoints can be used to bypass Same-origin Policy restrictions in
+ web browsers. [Vinamra Bhatia]
+
+ + http-trane-info obtains information from Trane Tracer SC controllers and
+ connected HVAC devices. [Pedro Joaquin]
+
+ + [GH#609] nbd-info uses the new nbd.lua library to query Network Block
+ Devices for protocol and file export information. [Mak Kolybabi]
+
+ + rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
+ vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
+ SSH and TLS services. [Daniel Miller]
+
+ + [GH#987] smb-enum-services retrieves the list of services running on a
+ remote Windows machine. Modern Windows systems requires a privileged domain
+ account in order to list the services. [Rewanth Cool]
+
+ + tls-alpn checks TLS servers for Application Layer Protocol Negotiation
+ (ALPN) support and reports supported protocols. ALPN largely replaces NPN,
+ which tls-nextprotoneg was written for. [Daniel Miller]
+
+o [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This
+ was causing Ncat 7.60 in connect mode to quit with error: libnsock
+ select_loop(): nsock_loop error 10038: An operation was attempted on
+ something that is not a socket. [nnposter]
+
+o [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
+ renegotiation, the same issue that was partially fixed for server mode in
+ [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
+ Miller]
+
+o [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
+ misbehaving or rate-limiting services. Most significantly,
+ brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
+ reporing infinite loops and proposing changes.
+
+o [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type
+ 30) [Daniel Miller]
+
+o [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out.
+ [Aniket Pandey]
+
+o [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response
+ message, since the first message usually only has one address in it. [h43z]
+
+o [Ncat][GH#1139] Ncat now selects the correct default port for a given proxy
+ type. [Pavel Zhukov]
+
+o [NSE] memcached-info can now gather information from the UDP memcached
+ service in addition to the TCP service. The UDP service is frequently used as
+ a DDoS reflector and amplifier. [Daniel Miller]
+
+o [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
+ dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
+
+o Removed deprecated and undocumented aliases for several long options that
+ used underscores instead of hyphens, such as --max_retries. [Daniel Miller]
+
+o Improved service scan's treatment of soft matches in two ways. First of all,
+ any probes that could result in a full match with the soft matched service
+ will now be sent, regardless of rarity. This improves the chances of
+ matching unusual services on non-standard ports. Second, probes are now
+ skipped if they don't contain any signatures for the soft matched service.
+ Previously the probes would still be run as long as the target port number
+ matched the probe's specification. Together, these changes should make
+ service/version detection faster and more accurate. For more details on how
+ it works, see https://nmap.org/book/vscan.html. [Daniel Miller]
+
+o --version-all now turns off the soft match optimization, ensuring that all
+ probes really are sent, even if there aren't any existing match lines for
+ the softmatched service. This is slower, but gives the most comprehensive
+ results and produces better fingerprints for submission. [Daniel Miller]
+
+o [NSE][GH#1083] New set of Telnet softmatches for version detection based on
+ Telnet DO/DON'T options offered, covering a wide variety of devices and
+ operating systems. [D Roberson]
+
+o [GH#1112] Resolved crash opportunities caused by unexpected libpcap version
+ string format. [Gisle Vanem, nnposter]
+
+o [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for
+ indications of login failure. [Daniel Miller]
+
+o [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
+ destination directories. [Aniket Pandey]
+
+o [NSE] Added new fingerprints to http-default-accounts:
+ - Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
+ - [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
+
+o Added a new service detection match for WatchGuard Authentication Gateway.
+ [Paulino Calderon]
+
+o [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
+ (parameter qscan.delay). [nnposter]
+
+o [NSE][GH#1046] Script http-headers now fails properly if the target does not
+ return a valid HTTP response. [spacewander]
+
+o [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
+ default, in accordance with RFC 7465. [Codarren Velvindron]
+
+o [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by
+ not checking the error code in responses. Implementations which return an
+ error are not vulnerable. [Juho Jokelainen]
+
+o [NSE][GH#958] Two new libraries for NSE.
+ - idna - Support for internationalized domain names in applications (IDNA)
+ - punycode (a transfer encoding syntax used in IDNA)
+ [Rewanth Cool]
+
+o [NSE] New fingerprints for http-enum:
+ - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
+ - [GH#767] Many WordPress version detections [Rewanth Cool]
+
+o [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:
+ - Usernames and/or passwords could not be empty
+ - Passwords could not contain colons
+ - SOCKS5 authentication was not properly documented
+ - SOCKS5 authentication had a memory leak
+ [nnposter]
+
+o [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be
+ run. [Lukas Schwaighofer]
+
+o [GH#977] Improved DNS service version detection coverage and consistency
+ by using data from a Project Sonar Internet wide survey. Numerouse false
+ positives were removed and reliable softmatches added. Match lines for
+ version.bind responses were also conslidated using the technique below.
+ [Tom Sellers]
+
+o [GH#977] Changed version probe fallbacks so as to work cross protocol
+ (TCP/UDP). This enables consolidating match lines for services where the
+ responses on TCP and UDP are similar. [Tom Sellers]
+
+o [NSE][GH#532] Added the zlib library for NSE so scripts can easily
+ handle compression. This work started during GSOC 2014, so we're
+ particularly pleased to finally integrate it! [Claudiu Perta, Daniel
+ Miller]
+
+o [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated
+ as the number of tries, not retries, and a value of 0 would result in
+ infinite retries. Instead, it is now the number of retries, defaulting to 2
+ (3 total tries), with no option for infinite retries.
+
+o [NSE] http-devframework-fingerprints.lua supports Jenkins server detection
+ and returns extra information when Jenkins is detected [Vinamra Bhatia]
+
+o [GH#926] The rarity level of MS SQL's service detection probe was decreased.
+ Now we can find MS SQL in odd ports without increasing version intensity.
+ [Paulino Calderon]
+
+o [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We
+ were always reporting the version number of the included source, even when a
+ different version was actually linked. [Pavel Zhukov]
+
+o Add a new helper function for nmap-service-probes match lines: $I(1,">") will
+ unpack an unsigned big-endian integer value up to 8 bytes wide from capture
+ 1. The second option can be "<" for little-endian. [Daniel Miller]
+
+Nmap 7.60 [2017-07-31]
+
+o [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
+ with installation and compatibility with the Windows 10 Creators Update.
+
+o [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
+ including password brute-forcing and running remote commands, thanks to the
+ combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
+ Khegay, Evangelos Deirmentzoglou]
+
+o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+
+ + ftp-syst sends SYST and STAT commands to FTP servers to get system version
+ and connection information. [Daniel Miller]
+
+ + [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting
+ Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
+
+ + iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
+ Timorin, Daniel Miller]
+
+ + [GH#915] openwebnet-discovery retrieves device identifying information and
+ number of connected devices running on openwebnet protocol. [Rewanth Cool]
+
+ + puppet-naivesigning checks for a misconfiguration in the Puppet CA where
+ naive signing is enabled, allowing for any CSR to be automatically signed.
+ [Wong Wai Tuck]
+
+ + [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12
+ (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
+ smbv2-enabled script. [Paulino Calderon]
+
+ + [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3
+ servers. [Paulino Calderon]
+
+ + [GH#943] smb2-time determines the current date and boot date of SMB2
+ servers. [Paulino Calderon]
+
+ + [GH#943] smb2-security-mode determines the message signing configuration of
+ SMB2/SMB3 servers. [Paulino Calderon]
+
+ + [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in
+ Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
+
+ + ssh-auth-methods lists the authentication methods offered by an SSH server.
+ [Devin Bjelland]
+
+ + ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
+
+ + ssh-publickey-acceptance checks public or private keys to see if they could
+ be used to log in to a target. A list of known-compromised key pairs is
+ included and checked by default. [Devin Bjelland]
+
+ + ssh-run uses user-provided credentials to run commands on targets via SSH.
+ [Devin Bjelland]
+
+o [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
+ improvements. It was fully replaced by the smb-protocols script.
+
+o [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client)
+ mode with --udp --ssl. Also added Application Layer Protocol Negotiation
+ (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
+
+o Updated the default ciphers list for Ncat and the secure ciphers list for
+ Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
+ ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
+
+o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
+ Exec Agent 15 or 16. [Andrew Orr]
+
+o [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
+
+o [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
+ resolve to unique addresses will be listed. [Aaron Heesakkers]
+
+o [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
+ TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
+
+o [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved"
+ characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
+ [nnposter]
+
+o [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
+ connections are supported on HTTP 1.0 target (unless the target explicitly
+ declares otherwise), as per RFC 7230. [nnposter]
+
+o [NSE][GH#934] The HTTP response object has a new member, version, which
+ contains the HTTP protocol version string returned by the server, e.g. "1.0".
+ [nnposter]
+
+o [NSE][GH#938] Fix handling of the objectSID Active Directory attribute
+ by ldap.lua. [Tom Sellers]
+
+o [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
+ Carriage Return characters were being sent in the connection packets, likely
+ resulting in failure of the script. [Anant Shrivastava]
+
+o [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status
+ (usually 403 Forbidden) in addition to redirects to indicate forbidden User
+ Agents. [Gyanendra Mishra]
+
+Nmap 7.50 [2017-06-13]
+
+o [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
+ for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
+
+o Integrated all of your service/version detection fingerprints submitted from
+ September to March (855 of them). The signature count went up 2.9% to 11,418.
+ We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
+ slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
+
+o [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+
+ + [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors.
+ OSPFv2 authentication is supported. [Emiliano Ticci]
+
+ + [GH#671] cics-info checks IBM TN3270 services for CICS transaction services
+ and extracts useful information. [Soldier of Fortran]
+
+ + [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on
+ IBM TN3270 services. [Soldier of Fortran]
+
+ + [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and
+ Secure flags. [Steve Benson]
+
+ + http-security-headers checks for the HTTP response headers related to
+ security given in OWASP Secure Headers Project, giving a brief description
+ of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
+
+ + [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache
+ Struts2. [Seth Jackson]
+
+ + [GH#876] http-vuln-cve2017-5689 detects a privilege escalation
+ vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
+ capable systems. [Andrew Orr]
+
+ + http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in
+ Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]
+
+ + [GH#713] impress-remote-discover attempts to pair with the LibreOffice
+ Impress presentation remote service and extract version info. Pairing is
+ PIN-protected, and the script can optionally brute-force the PIN. New
+ service probe and match line also added. [Jeremy Hiebert]
+
+ + [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked
+ Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
+
+ + smb-vuln-cve-2017-7494 detects a remote code execution vulnerability
+ affecting Samba versions 3.5.0 and greater with writable shares.
+ [Wong Wai Tuck]
+
+ + smb-vuln-ms17-010 detects a critical remote code execution vulnerability
+ affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The
+ script also reports patched systems. [Paulino Calderon]
+
+ + [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability
+ (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
+
+ + vmware-version queries VMWare SOAP API for version and product information.
+ Submitted in 2011, this was mistakenly turned into a service probe that was
+ unable to elicit any matches. [Aleksey Tyurin]
+
+o [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
+
+ + [GH#157] Ncat will now continue trying to connect to each resolved address
+ for a hostname before declaring the connection refused, allowing it to
+ fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
+ [Jaromir Koncicky, Michal Hlavinka]
+
+ + The --no-shutdown option now also works in connect mode, not only in listen mode.
+
+ + Made -i/--idle-timeout not cause Ncat in server mode to close while
+ waiting for an initial connection. This was also causing -i to interfere
+ with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
+
+ + [GH#773] Ncat in server mode properly handles TLS renegotiations and other
+ situations where SSL_read returns a non-fatal error. This was causing
+ SSL-over-TCP connections to be dropped. [Daniel Miller]
+
+ + Enable --ssl-ciphers to be used with Ncat in client mode, not only in
+ server (listen) mode. [Daniel Miller]
+
+o [NSE] New fingerprints for http-enum:
+ - Endpoints for Spring MVC and Boot Actuator [Paulino Calderon]
+ - [GH#620][GH#715] 8 fingerprints for Hadoop infrastructure components
+ [Thomas Debize, Varunram Ganesh]
+
+o [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use
+ fully qualified paths. SMB scripts now work against all modern versions
+ of Microsoft Windows. [Paulino Calderon]
+
+o [NSE] smb library's share_get_list now properly uses anonymous connections
+ first before falling back authenticating as a known user.
+
+o New service probes and matches for Apache HBase and Hadoop MapReduce.
+ [Paulino Calderon]
+
+o Extended Memcached service probe and added match for Apache ZooKeeper.
+ [Paulino Calderon]
+
+o [NSE] New script argument "vulns.short" will reduce vulns library script
+ output to a single line containing the target name or IP, the vulnerability
+ state, and the CVE ID or title of the vulnerability. [Daniel Miller]
+
+o [NSE][GH#862] SNMP scripts will now take a community string provided like
+ `--script-args creds.snmp=private`, which previously did not work because it
+ was interpreted as a username. [Daniel Miller]
+
+o [NSE] Resolved several issues in the default HTTP redirect rules:
+ - [GH#826] A redirect is now cancelled if the original URL contains
+ embedded credentials
+ - [GH#829] A redirect test is now more careful in determining whether
+ a redirect destination is related to the original host
+ - [GH#830] A redirect is now more strict in avoiding possible redirect
+ loops
+ [nnposter]
+
+o [NSE][GH#766] The HTTP Host header will now include the port unless it is
+ the default one for a given scheme. [nnposter]
+
+o [NSE] The HTTP response object has a new member, fragment, which contains
+ a partially received body (if any) when the overall request fails to
+ complete. [nnposter]
+
+o [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
+ are silently ignored (in accordance with RFC 6265). Unrecognized attributes
+ were previously causing HTTP requests with such cookies to fail. [nnposter]
+
+o [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
+ whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
+
+o [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie
+ header that has an extraneous trailing semicolon. [nnposter]
+
+o [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated
+ with option any_af. As an added benefit, option any_af is now available for
+ all connections via comm.lua, not just HTTP requests. [nnposter]
+
+o [NSE][GH#781] There is a new common function, url.get_default_port(),
+ to obtain the default port number for a given scheme. [nnposter]
+
+o [NSE][GH#833] Function url.parse() now returns the port part as a number,
+ not a string. [nnposter]
+
+o No longer allow ICMP Time Exceeded messages to mark a host as down during
+ host discovery. Running traceroute at the same time as Nmap was causing
+ interference. [David Fifield]
+
+o [NSE][GH#807] Fixed a JSON library issue that was causing long integers
+ to be expressed in the scientific/exponent notation. [nnposter]
+
+o [NSE] Fixed several potential hangs in NSE scripts that used
+ receive_buf(pattern), which will not return if the service continues to send
+ data that does not match pattern. A new function in match.lua, pattern_limit,
+ is introduced to limit the number of bytes consumed while searching for the
+ pattern. [Daniel Miller, Jacek Wielemborek]
+
+o [Nsock] Handle any and all socket connect errors the same: raise as an Nsock
+ error instead of fatal. This prevents Nmap and Ncat from quitting with
+ "Strange error from connect:" [Daniel Miller]
+
+o [NSE] Added several commands to redis-info to extract listening addresses,
+ connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
+
+o [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting
+ changes at the source site (www.robtex.com). [aDoN]
+
+o [NSE][GH#629] Added two new fingerprints to http-default-accounts
+ (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
+
+o [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS
+ probe due to a string escaping mixup. [Alexandr Savca]
+
+o [NSE][GH#694] ike-version now outputs information about supported attributes
+ and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was
+ submitted by Alexis La Goutte. [Daniel Miller]
+
+o [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
+
+o [GH#649] New service probe and match lines for the JMON and RSE services of
+ IBM Explorer for z/OS. [Soldier of Fortran]
+
+o Removed a duplicate service probe for Memcached added in 2011 (the original
+ probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
+
+o New service probe and match line for NoMachine NX Server remote desktop.
+ [Justin Cacak]
+
+o [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap
+ was installed to /Applications/Applications/Zenmap.app instead of
+ /Applications/Zenmap.app.
+
+o [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary
+ directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
+
+o [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option,
+ which was added in Nmap 7.10. Previously, this was treated the same as not
+ specifying -v at all. [lymanZerga11]
+
+o [GH#630] Updated or removed some OpenSSL library calls that were deprecated
+ in OpenSSL 1.1. [eroen]
+
+o [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]
+
+o [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads"
+ script-arg not being converted to a number. Error message was
+ "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
+
+Nmap 7.40 [2016-12-20]
+
+o [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an
+ improved installer experience, driver signing updates to work with
+ Windows 10 build 1607, and bugfixes for WiFi connectivity
+ problems. [Yang Luo, Daniel Miller]
+
+o Integrated all of your IPv4 OS fingerprint submissions from April to
+ September (568 of them). Added 149 fingerprints, bringing the new total to
+ 5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more.
+ Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]
+
+o Integrated all of your service/version detection fingerprints submitted from
+ April to September (779 of them). The signature count went up 3.1% to 11,095.
+ We now detect 1161 protocols, from airserv-ng, domaintime, and mep to
+ nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115
+ [Daniel Miller]
+
+o Fix reverse DNS on Windows which was failing with the message "mass_dns:
+ warning: Unable to determine any DNS servers." This was because the interface
+ GUID comparison needed to be case-insensitive. [Robert Croteau]
+
+o [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+
+ + cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270
+ services. [Soldier of Fortran]
+
+ + cics-user-enum brute-forces usernames for CICS users on TN3270 services.
+ [Soldier of Fortran]
+
+ + fingerprint-strings will print the ASCII strings it finds in the service
+ fingerprints that Nmap shows for unidentified services. [Daniel Miller]
+
+ + [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image
+ via Bing Maps API. [Mak Kolybabi]
+
+ + [GH#606] ip-geolocation-map-google renders IP geolocation data as an image
+ via Google Maps API. [Mak Kolybabi]
+
+ + [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file
+ for import into other mapping software [Mak Kolybabi]
+
+ + nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST
+ and OHOST. Helpfully, nje-node-brute can now brute force both of those
+ values. [Soldier of Fortran]
+
+ + [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS
+ certificate fields and extensions. [Steve Benson]
+
+ + tn3270-screen shows the login screen from mainframe TN3270 Telnet services,
+ including any hidden fields. The script is accompanied by the new tn3270
+ library. [Soldier of Fortran]
+
+ + tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
+
+ + tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
+
+ + vtam-enum brute-forces VTAM application IDs for TN3270 services.
+ [Soldier of Fortran]
+
+o [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and
+ adaptivity mechanisms in brute.lua help brute scripts use resources more
+ efficiently, dynamically changing number of threads based on protocol
+ messages like FTP 421 errors, network errors like timeouts, etc.
+ [Sergey Khegay]
+
+o [GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan
+ times in exchange for labeling unresponsive (and possibly open) ports as
+ "closed|filtered". Ports which give a UDP protocol response to one of Nmap's
+ scanning payloads will be marked "open". [Sergey Khegay]
+
+o [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that
+ service at some point. Reported by Brian Morin.
+
+o [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for
+ storing and retrieving IP geolocation results. [Mak Kolybabi]
+
+o [Ncat] Restore the connection success message that Ncat prints with -v. This
+ was accidentally suppressed when not using -z.
+
+o [GH#316] Added scan resume from Nmap's XML output. Now you can --resume a
+ canceled scan from all 3 major output formats: -oN, -oG, and -oX.
+ [Tudor Emil Coman]
+
+o [Ndiff][GH#591] Fix a bug where hosts with the same IP but different
+ hostnames were shown as changing hostnames between scans. Made sort stable
+ with regard to hostnames. [Daniel Miller]
+
+o [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for
+ TLS Server Name Indication extension. The argument overrides the default use
+ of the host's targetname. [Bertrand Bonnefoy-Claudet]
+
+o [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
+
+o [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a
+ floating-point number being passed to os.time ("bad argument").
+ [Dallas Winger]
+
+o [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
+ mysql-brute and other scripts due to including a null terminator in the salt
+ value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
+
+o The --open option now implies --defeat-rst-ratelimit. This may result in
+ inaccuracies in the numbers of "Not shown:" closed and filtered ports, but
+ only in situations where it also speeds up scan times. [Daniel Miller]
+
+o [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and
+ IronPort to ssl-dh-params. [Frank Bergmann]
+
+o Added service probe for ClamAV servers (clam),
+ an open source antivirus engine used in mail scanning. [Paulino Calderon]
+
+o Added service probe and UDP payload for Quick UDP Internet Connection (QUIC),
+ a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
+
+o [NSE] Enabled resolveall to run against any target provided as a hostname, so
+ the resolveall.hosts script-arg is no longer required. [Daniel Miller]
+
+o [NSE] Revised script http-default-accounts in several ways [nnposter]:
+ - Added 21 new fingerprints, plus broadened 5 to cover more variants.
+ - [GH#577] It can now can test systems that return status 200 for
+ non-existent pages.
+ - [GH#604] Implemented XML output. Layout of the classic text output has also
+ changed, including reporting blank usernames or passwords as "<blank>",
+ instead of just empty strings.
+ - Added CPE entries to individual fingerprints (where known). They are
+ reported only in the XML output.
+
+o [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with
+ malformed header names. Such header lines are still captured in the rawheader
+ list but skipped otherwise. [nnposter]
+
+o [GH#416] New service probe and match line for iperf3. [Eric Gershman]
+
+o [NSE][GH#555] Add Drupal to the set of web apps brute forced by
+ http-form-brute. [Nima Ghotbi]
+
+Nmap 7.31 [2016-10-20]
+
+o [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing
+ increased stability, bug fixes, and raw 802.11 WiFi capture (unused
+ by Nmap). Further details on these changes can be found at
+ https://github.com/nmap/npcap/releases. [Yang Luo]
+
+o Fixed the way Nmap handles scanning names that resolve to the same IP. Due to
+ changes in 7.30, the IP was only being scanned once, with bogus results
+ displayed for the other names. The previous behavior is now restored.
+ [Tudor Emil Coman]
+
+o [Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege
+ check was performed too late, so the Npcap loading code assumed the user had no
+ rights. [Yang Luo, Daniel Miller]
+
+o [GH#350] Fix an assertion failure due to floating point error in equality
+ comparison, which triggered mainly on OpenBSD:
+ assertion "diff <= interval" failed: file "timing.cc", line 440
+ This was reported earlier as [GH#472] but the assertion fixed there was a
+ different one. [David Carlier]
+
+o [Zenmap] Fix a crash in the About page in the Spanish translation due to a
+ missing format specifier:
+ File "zenmapGUI\About.pyo", line 217, in __init__
+ TypeError: not all arguments converted during string formatting
+ [Daniel Miller]
+
+o [Zenmap][GH#556] Better visual indication that display of hostname is tied to
+ address in the Topology page. You can show numeric addresses with hostnames
+ or without, but you can't show hostnames without numeric addresses when they
+ are not available. [Daniel Miller]
+
+o To increase the number of IPv6 fingerprint submissions, a prompt for
+ submission will be shown with some random chance for successful matches of OS
+ classes that are based on only a few submissions. Previously, only
+ unsuccessful matches produced such a prompt. [Daniel Miller]
+
+Nmap 7.30 [2016-09-29]
+
+o Integrated all 12 of your IPv6 OS fingerprint submissions from June to
+ September. No new groups, but several classifications were strengthened,
+ especially Windows localhost and OS X. [Daniel Miller]
+
+o [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below
+ (authors are listed in brackets):
+
+ + [GH#369] coap-resources grabs the list of available resources from CoAP
+ endpoints. [Mak Kolybabi]
+
+ + fox-info retrieves detailed version and configuration info from Tridium
+ Niagara Fox services. [Stephen Hilt]
+
+ + ipmi-brute performs authentication brute-forcing on IPMI services.
+ [Claudiu Perta]
+
+ + ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows
+ connection without a password. [Claudiu Perta]
+
+ + ipmi-version retrieves protocol version and authentication options from
+ ASF-RMCP (IPMI) services. [Claudiu Perta]
+
+ + [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics,
+ and lists the messages received. [Mak Kolybabi]
+
+ + pcworx-info retrieves PLC model, firmware version, and date from Phoenix
+ Contact PLCs. [Stephen Hilt]
+
+o Upgraded Npcap, our new Windows packet capturing driver/library,
+ from version to 0.09 to 0.10r2. This includes many bug fixes, with a
+ particular on emphasis on concurrency issues discovered by running
+ hundreds of Nmap instances at a time. More details are available
+ from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel
+ Miller, Fyodor]
+
+o New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx,
+ ProConOS, and Tridium Fox, [Stephen Hilt, Mak Kolybabi, Daniel Miller]
+
+o Improved some output filtering to remove or escape carriage returns ('\r')
+ that could allow output spoofing by overwriting portions of the screen. Issue
+ reported by Adam Rutherford. [Daniel Miller]
+
+o [NSE] Fixed a few bad Lua patterns that could result in denial of service due
+ to excessive backtracking. [Adam Rutherford, Daniel Miller]
+
+o Fixed a discrepancy between the number of targets selected with -iR and the
+ number of hosts scanned, resulting in output like "Nmap done: 1033 IP
+ addresses" when the user specified -iR 1000. [Daniel Miller]
+
+o Fixed a bug in port specification parsing that could cause extraneous
+ 'T', 'U', 'S', and 'P' characters to be ignored when they should have
+ caused an error. [David Fifield]
+
+o [GH#543] Restored compatibility with LibreSSL, which was lost in adding
+ library version checks for OpenSSL 1.1. [Wonko7]
+
+o [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting
+ in this message instead of Ndiff output:
+ ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find:
+ /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
+ Reported by Kyle Gustafson. [Daniel Miller]
+
+o [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to
+ not output TLSv1.2 info with DHE ciphersuites or others involving
+ ServerKeyExchange messages. [Daniel Miller]
+
+o [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now
+ shows the Subject Alternative Name extension; all extensions are shown in the
+ XML output. [Daniel Miller]
+
+Nmap 7.25BETA2 [2016-09-01]
+
+o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
+ SHA256 certificate. This should give our users extra peace-of-mind and avoid
+ triggering Microsoft's ever-increasing security warnings.
+
+o [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a
+ utf8 library, and native binary packing and unpacking functions. Removed bit
+ library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick
+ Donnelly]
+
+o [NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed
+ at https://nmap.org/nsedoc/, and the summaries are below:
+
+ + oracle-tns-version decodes the version number from Oracle Database Server's
+ TNS listener. [Daniel Miller]
+
+ + clock-skew analyzes and reports clock skew between Nmap and services that
+ report timestamps, grouping hosts with similar skews. [Daniel Miller]
+
+o Integrated all of your service/version detection fingerprints submitted from
+ January to April (578 of them). The signature count went up 2.2% to 10760.
+ We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to
+ ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
+
+o Upgraded Npcap, our new Windows packet capturing driver/library,
+ from version 0.07-r17 to 0.09. This includes many improvements you can
+ read about at https://github.com/nmap/npcap/releases.
+
+o [Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows
+ Overlapped I/O API to improve performance of version scan and NSE against
+ many targets on Windows. [Tudor Emil Coman]
+
+o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
+ SHA256 certificate. This should give our users extra peace-of-mind and avoid
+ triggering Microsoft's ever-increasing security warnings.
+
+o Various performance improvements for large-scale high-rate scanning,
+ including increased ping host groups, faster probe matching, and ensuring
+ data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
+
+o [Zenmap] Long-overdue Spanish language translation has been added! Muy bien!
+ [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
+
+o [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only
+ zenmap.conf. User will be warned that config cannot be saved and that they
+ should fix the file permissions. [Daniel Miller]
+
+o [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support,
+ like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers
+ will label the ciphersuite strength as "unknown." Reported by Bertrand
+ Bonnefoy-Claudet. [Daniel Miller]
+
+o [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations
+ against LDAP services when version detection or STARTTLS were used.
+ [Tom Sellers]
+
+o [GH#426] Remove a workaround for lack of selectable pcap file descriptors on
+ Windows, which required including pcap-int.h and locking us to a single
+ version of libpcap. The new method, using WaitForSingleObject should work
+ with all versions of both WinPcap and Npcap. [Daniel Miller]
+
+o [NSE][GH#234] Added a --script-timeout option for limiting run time for
+ every individual NSE script. [Abhishek Singh]
+
+o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
+ traditional netcat, it can be used to quickly check the status of a
+ port. Port ranges are not supported since we recommend a certain other tool
+ for port scanning. [Abhishek Singh]
+
+o Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and
+ "nmap" with no options result in the same behaviors as on Linux (and no
+ crashes) [Daniel Miller]
+
+o [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode,
+ which are vulnerable to the SWEET32 attack.
+
+o [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when
+ the wordlist contains "{cisco}". Previously, custom wordlists would still end
+ up sending these extra 256 requests. [Sriram Raghunathan]
+
+o [GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated
+ completion time. Instead, we'll output a diagnostic error message:
+ Timing error: localtime(n) is NULL
+ where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
+
+o [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
+
+o [NSE] Added 9 new fingerprints for script http-default-accounts.
+ (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix,
+ Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor)
+ [nnposter]
+
+o [NSE] Completed a refresh and validation of almost all fingerprints for
+ script http-default-accounts. Also improved the script speed. [nnposter]
+
+o [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in
+ IPv4. [Abhishek Singh]
+
+o Various performance improvements for large-scale high-rate scanning,
+ including increased ping host groups, faster probe matching, and ensuring
+ data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
+
+o [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC
+ crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
+
+o [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
+
+o [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl
+ and --max-conns, due to improper accounting of file descriptors. [Daniel
+ Miller]
+
+o FTP Bounce scan: improved some edge cases like anonymous login without
+ password, 500 errors used to indicate port closed, and timeouts for LIST
+ command. Also fixed a 1-byte array overrun (read) when checking for
+ privileged ports. [Daniel Miller]
+
+o [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an
+ incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
+
+o [NSE] The hard limit on number of concurrently running scripts can now
+ increase above 1000 to match a high user-set --min-parallelism value. [Tudor
+ Emil Coman]
+
+o [NSE] Solved a memory corruption issue that would happen if a socket connect
+ operation produced an error immediately, such as Network Unreachable. The
+ event handler was throwing a Lua error, preventing Nsock from cleaning up
+ properly, leaking events. [Abhishek Singh, Daniel Miller]
+
+o [NSE] Added the datetime library for performing date and time calculations,
+ and as a helper to the clock-skew script.
+
+o [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully
+ handling truncated replies. If a response is too long, we now fall back to
+ using the system resolver to answer it. [Abhishek Singh]
+
+o [Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]
+
+Nmap 7.25BETA1 [2016-07-15]
+
+o Nmap now ships with and uses Npcap, our new packet sniffing library
+ for Windows. It's based on WinPcap (unmaintained for years), but
+ uses modern Windows APIs for better performance. It also includes
+ security improvements and many bug fixes. See https://npcap.com. And
+ it enables Nmap to perform SYN scans and OS detection against
+ localhost, which we haven't been able to do on Windows since
+ Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel
+ Miller, Fyodor]
+
+o [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below
+ (authors are listed in brackets):
+
+ + clamav-exec detects ClamAV servers vulnerable to unauthorized clamav
+ command execution. [Paulino Calderon]
+
+ + http-aspnet-debug detects ASP.NET applications with debugging enabled.
+ [Josh Amishav-Zlatin]
+
+ + http-internal-ip-disclosure determines if the web server leaks its internal
+ IP address when sending an HTTP/1.0 request without a Host header. [Josh
+ Amishav-Zlatin]
+
+ + [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps
+ its configuration. [Frank Spierings]
+
+ + [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including
+ CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL.
+ [Bertrand Bonnefoy-Claudet]
+
+ + vnc-title logs in to VNC servers and grabs the desktop title, geometry, and
+ color depth. [Daniel Miller]
+
+o Integrated all of your IPv4 OS fingerprint submissions from January
+ to April (539 of them). Added 98 fingerprints, bringing the new total
+ to 5187. Additions include Linux 4.4, Android 6.0, Windows Server
+ 2016, and more. [Daniel Miller]
+
+o Integrated all 31 of your IPv6 OS fingerprint submissions from January to
+ June. The classifier added 2 groups and expanded several others. Several
+ Apple OS X groups were consolidated, reducing the total number of groups to
+ 93. [Daniel Miller]
+
+o Update oldest supported Windows version to Vista (Windows 6.0). This enables
+ the use of the poll Nsock engine, which has significant performance and
+ accuracy advantages. Windows XP users can still use Nmap 7.12, available from
+ https://nmap.org/dist/?C=M&O=D [Daniel Miller]
+
+o [NSE] Fix a crash that happened when trying to print the percent done of 0
+ NSE script threads:
+ timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
+ This would happen if no scripts were scheduled in a scan phase and the user
+ pressed a key or specified a short --stats-every interval. Reported by
+ Richard Petrie. [Daniel Miller]
+
+o [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown
+ address family 0" crash on Windows and other platforms that do not set the
+ src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
+
+o Retrieve the correct network prefix length for an adapter on Windows. If more
+ than one address was configured on an adapter, the same prefix length would
+ be used for both. This incorrect behavior is still used on Windows XP and
+ earlier. Reported by Niels Bohr. [Daniel Miller]
+
+o Changed libdnet-stripped to avoid bailing completely when an interface is
+ encountered with an unsupported hardware address type. Caused "INTERFACES:
+ NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address
+ types. [Daniel Miller]
+
+o Improved service detection of Docker and fixed a bug in the output of
+ docker-version script. [Tom Sellers]
+
+o Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service
+ probes were matching on port 3389 before our specific Terminal Services
+ probe, causing the port to be labeled as "ssl/unknown". Reported by Josh
+ Amishav-Zlatin.
+
+o [NSE] Update to enable smb-os-discovery to augment version detection
+ for certain SMB related services using data that the script discovers.
+ [Tom Sellers]
+
+o Improved version detection and descriptions for Microsoft and Samba
+ SMB services. Also addresses certain issues with OS identification.
+ [Tom Sellers]
+
+o [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA
+ certificate whose public key uses an exponent of 1. It will also cap the
+ score of an RC4-ciphersuite handshake at C and output a warning referencing
+ RFC 7465. [Daniel Miller]
+
+o [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua .
+ [Daniel Miller]
+
+o [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for
+ privilege escalation on OS X, avoiding the deprecated
+ AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]
+
+o [GH#454] The OS X binary package is distributed in a .dmg disk image that now
+ features an instructive background image. [Vincent Dumont]
+
+o [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to
+ provide all dependencies. We no longer use Macports for this purpose.
+ [Vincent Dumont]
+
+o [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable
+ location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of
+ next to the zenmap.exe executable. This avoids a warning message when closing
+ Zenmap if it produced any stderr output. [Daniel Miller]
+
+o [GH#379][NSE] Fix http-iis-short-name-brute to report non vulnerable hosts.
+ Reported by alias1. [Paulino Calderon]
+
+o [NSE][GH#371] Fix mysql-audit by adding needed library requires to the
+ mysql-cis.audit file. The script would fail with "Failed to load rulebase"
+ message. [Paolo Perego]
+
+o [NSE][GH#362] Added support for LDAP over udp to ldap-rootdse.nse.
+ Also added version detection and information extraction to match the
+ new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
+
+o [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq
+ and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
+ Probes will elicit responses from target services that allow better finger
+ -printing and information extraction. Also added nmap-payload entry for
+ detecting LDAP on udp. [Tom Sellers]
+
+o [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of
+ authentication sub-types in vnc-info, and all zero-authentication types are
+ recognized and reported. [Daniel Miller]
+
+Nmap 7.12 [2016-03-29]
+
+o [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing
+ many null ("\x00") characters. Example exceptions:
+ TypeError: int() argument must be a string or a number, not 'list'
+ ValueError: unable to parse colour specification
+
+o [NSE] VNC updates including vnc-brute support for TLS security type and
+ negotiating a lower RFB version if the server sends an unknown higher
+ version. [Daniel Miller]
+
+o [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]
+
+o Added new service probes and match lines for OpenVPN on UDP and TCP.
+
+Nmap 7.11 [2016-03-22]
+
+o [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key
+ exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that
+ only support custom Diffie-Hellman groups. [Sergey Khegay]
+
+o [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol,
+ so you can now grab certs with ssl-cert or check ciphers with
+ ssl-enum-ciphers. [Daniel Miller]
+
+o [Zenmap] Fix a crash when setting default window geometry:
+ TypeError: argument of type 'int' is not iterable
+
+o [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an
+ empty or unknown locale:
+ File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
+ locale.getpreferredencoding())
+ LookupError: unknown encoding:
+
+o [Zenmap] Fix a crash due to incorrect file paths when installing to
+ /usr/local prefix. Example:
+ Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!
+
+Nmap 7.10 [2016-03-17]
+
+o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below
+ (authors are listed in brackets):
+
+ + [GH#322] http-apache-server-status parses the server status page of
+ Apache's mod_status. [Eric Gershman]
+
+ + http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in
+ Allegro RomPager web server. Also added a fingerprint for detecting
+ CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]
+
+ + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon"
+ pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]
+
+ + imap-ntlm-info extracts hostname and sometimes OS version from
+ NTLM-auth-enabled IMAP services. [Justin Cacak]
+
+ + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes.
+ The discovery is the same as targets-ipv6-multicast-mld, but the subscribed
+ addresses are decoded and listed. [Alexandru Geana, Daniel Miller]
+
+ + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL
+ Server instances via the NTLM challenge message. [Justin Cacak]
+
+ + nntp-ntlm-info extracts hostname and sometimes OS version from
+ NTLM-auth-enabled NNTP services. [Justin Cacak]
+
+ + pop3-ntlm-info extracts hostname and sometimes OS version from
+ NTLM-auth-enabled POP3 services. [Justin Cacak]
+
+ + rusers retrieves information about logged-on users from the rusersd RPC
+ service. [Daniel Miller]
+
+ + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and
+ retrieves open port and service info from their Internet-wide scan data.
+ [Glenn Wilkinson]
+
+ + smtp-ntlm-info extracts hostname and sometimes OS version from
+ NTLM-auth-enabled SMTP and submission services. [Justin Cacak]
+
+ + telnet-ntlm-info extracts hostname and sometimes OS version from
+ NTLM-auth-enabled Telnet services. [Justin Cacak]
+
+o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux
+ RPM) to 1.0.2g with SSLv2 enabled.
+
+o Integrated all of your IPv4 OS fingerprint submissions from October to
+ January (536 of them). Added 104 fingerprints, bringing the new total to
+ 5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
+ Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]
+
+o Integrated all of your service/version detection fingerprints submitted from
+ October to January (508 of them). The signature count went up 2.2% to 10532.
+ We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
+ basestation, and minecraft-pe. Highlights:
+ http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]
+
+o Integrated all 12 of your IPv6 OS fingerprint submissions from October to
+ January. The classifier added 3 new groups, including new and expanded groups
+ for OS X, bringing the new total to 96. Highlights:
+ http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]
+
+o [NSE] Upgrade to http-form-brute allowing correct handling of token-based
+ CSRF protections and cookies. Also, a simple database of common login forms
+ supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]
+
+o [Zenmap] [GH#247] Remember window geometry (position and size) from the
+ previous time Zenmap was run. [isjing]
+
+o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection
+ should elicit a not-found exception from GIOP services that do not respond to
+ non-GIOP probes. [Quentin Hardy]
+
+o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given
+ /32 netmasks regardless of actual netmask configured, resulting in failed
+ routing. Reported by Martin Gysi. [Daniel Miller]
+
+o [GH#272][GH#269] Give option parsing errors after the usage statement, or
+ avoid printing the usage statement in some cases. The options summary has
+ grown quite large, requiring users to scroll to the top to see the error
+ message. [Abhishek Singh]
+
+o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
+ Slow Comprehensive Scan profile. In the case of unknown OpenSSL errors,
+ ERR_reason_error_string would return NULL, which could not be printed with
+ the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
+
+o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to
+ not work in Zenmap on Windows.
+
+o Changed Nmap's idea of reserved and private IP addresses to include
+ 169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
+ libnetutil's isipprivate function, is used to filter -iR randomly generated
+ targets. The newly-valid address ranges belong to the U.S. Department of
+ Defense, so users wanting to avoid those ranges should use their own
+ exclusion lists with --exclude or --exclude-file. [Bill Parker, Daniel
+ Miller]
+
+o Allow the -4 option for Nmap to indicate IPv4 address family. This is the
+ default, and using the option doesn't change anything, but does make it more
+ explicit which address family you want to scan. Using -4 with -6 is an error.
+ [Daniel Miller]
+
+o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the
+ screen. This happens at the time of argument parsing, so the usual meaning of
+ "verbosity 0" is preserved. [isjing]
+
+o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
+ SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the
+ draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]
+
+o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
+ against services that are not TLS encrypted by default but that support
+ post connection upgrade. This will enable more comprehensive detection
+ of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
+
+o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
+ BeEF to http-default-accounts. [nnposter]
+
+o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
+ Required messages when tracing packets or in Nping output. Improper offset
+ meant we were printing the total IP length. [Sławomir Demeszko]
+
+o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name"
+ to dhcp.lua and enabled checking for options with a code above 61 by default.
+ [Mike Rykowski]
+
+o [NSE] whois-ip: Don't request a remote IANA assignments data file when the
+ local filesystem will not permit the file to cached in a local file. [jah]
+
+o [NSE] Updated http-php-version hash database to cover all versions from PHP
+ 4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled
+ from Shodan API (https://www.shodan.io/) [Daniel Miller]
+
+o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan
+ types, allowing periodic status updates with --stats-every or keypress
+ events. [Daniel Miller]
+
+o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS
+ X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have
+ properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]
+
+o Print service info in grepable output for ports which are not listed in
+ nmap-services when a service tunnel (SSL) is detected. Previously, the
+ service info ("ssl|unknown") was not printed unless the service inside the
+ tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260
+ [Daniel Miller]
+
+o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent.
+ [Tom Sellers]
+
+Nmap 7.01 [2015-12-09]
+
+o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
+ This promises to reduce a lot of the problems we've had with local paths and
+ dependencies using the py2app and macports build system. [Daniel Miller]
+
+o The Windows installer is now built with NSIS 2.47 which features LoadLibrary
+ security hardening to prevent DLL hijacking and other unsafe use of temporary
+ directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
+ us and the many other projects that use it.
+
+o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM)
+ to 1.0.2e.
+
+o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new
+ build process eliminates these errors:
+ IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
+ LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.
+
+o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
+ match the one in nmap-service-probes, which was fixed previously to correct a
+ length calculation error. [Daniel Miller]
+
+o [NSE] [GH#251] Correct false positives and unexpected behavior in http-*
+ scripts which used http.identify_404 to determine when a file was not found
+ on the target. The function was following redirects, which could be an
+ indication of a soft-404 response. [Tom Sellers]
+
+o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds
+ with 200 OK to any request. [Tom Sellers]
+
+o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a
+ non-HTTP service. The expected behavior is no output. [Niklaus Schiess]
+
+o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.
+
+Nmap 7.00 [2015-11-19]
+
+o This is the most important release since Nmap 6.00 back in May 2012!
+ For a list of the most significant improvements and new features,
+ see the announcement at: https://nmap.org/7/
+
+o [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below
+ (authors are listed in brackets):
+
+ + targets-xml extracts target addresses from previous Nmap XML results files.
+ [Daniel Miller]
+
+ + [GH#232] ssl-dh-params checks for problems with weak, non-safe, and
+ export-grade Diffie-Hellman parameters in TLS handshakes. This includes the
+ LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]
+
+ + nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names.
+ [Soldier of Fortran]
+
+ + ip-https-discover detectings support for Microsoft's IP over HTTPS
+ tunneling protocol. [Niklaus Schiess]
+
+ + [GH#165] broadcast-sonicwall-discover detects and extracts information from
+ SonicWall firewalls. [Raphael Hoegger]
+
+ + [GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a
+ vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]
+
+o [Ncat] [GH#151] [GH#142] New option --no-shutdown prevents Ncat from shutting
+ down when it reads EOF on stdin. This is the same as traditional netcat's
+ "-d" option. [Adam Saponara]
+
+o [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in
+ a single response. [nnposter]
+
+Nmap 6.49BETA6 [2015-11-03]
+
+o Integrated all of your IPv6 OS fingerprint submissions from April to October
+ (only 9 of them!). We are steadily improving the IPv6 database, but we need
+ your submissions. The classifier added 3 new groups, bringing the new total
+ to 93. Highlights: http://seclists.org/nmap-dev/2015/q4/61 [Daniel Miller]
+
+o Integrated all of your IPv4 OS fingerprint submissions from February to
+ October (1065 of them). Added 219 fingerprints, bringing the new total to
+ 4985. Additions include Linux 4.1, Windows 10, OS X 10.11, iOS 9, FreeBSD
+ 11.0, Android 5.1, and more. Highlights:
+ http://seclists.org/nmap-dev/2015/q4/60 [Daniel Miller]
+
+o Integrated all of your service/version detection fingerprints submitted from
+ February to October (800+ of them). The signature count went up 2.5% to
+ 10293. We now detect 1089 protocols, from afp, bitcoin, and caldav to
+ xml-rpc, yiff, and zebra. Highlights: http://seclists.org/nmap-dev/2015/q4/62
+ [Daniel Miller]
+
+o [NSE] Added 10 NSE scripts from 5 authors, bringing the total up to 509!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below
+ (authors are listed in brackets):
+
+ + knx-gateway-discover and knx-gateway-info scripts gather information from
+ multicast and unicast KNX gateways, which connect home automation systems
+ to IP networks. [Niklaus Schiess, Dominik Schneider]
+
+ + http-ls parses web server directory index pages with optional recursion.
+ [Pierre Lalet]
+
+ + xmlrpc-methods perfoms introspection of xmlrpc services and lists methods
+ and their descriptions. [Gyanendra Mishra]
+
+ + http-fetch can be used like wget or curl to fetch all files, specific
+ filenames, or files that match a given pattern. [Gyanendra Mishra]
+
+ + http-svn-enum enumerates users of a Subversion repository by examining
+ commit logs. [Gyanendra Mishra]
+
+ + http-svn-info requests information from a Subversion repository, similar to
+ the "svn info" command. [Gyanendra Mishra]
+
+ + hnap-info detects and outputs info for Home Network Administration Protocol
+ devices. [Gyanendra Mishra]
+
+ + http-webdav-scan detects WebDAV servers and reports allowed methods and
+ directory listing. [Gyanendra Mishra]
+
+ + tor-consensus-checker checks the target's address with the Tor directory
+ authorities to determine if a target is a known Tor node. [Jiayi Ye]
+
+o [NSE] Several scripts have been split, combined, or renamed:
+
+ + [GH#171] smb-check-vulns has been split into:
+ * smb-vuln-conficker
+ * smb-vuln-cve2009-3103
+ * smb-vuln-ms06-025
+ * smb-vuln-ms07-029
+ * smb-vuln-regsvc-dos
+ * smb-vuln-ms08-067
+ The scripts now use the vulns library, and the "unsafe" script-arg has been
+ replaced by putting the scripts into the "dos" category. [Paulino Calderon]
+
+ + http-email-harvest was removed, as the new http-grep does email address
+ scraping by default. [Gyanendra Mishra]
+
+ + http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate
+ both themes and modules of Drupal installaions. [Gyanendra Mishra]
+
+o [Ncat] [GH#193] Fix Ncat listen mode over Unix sockets (named pipes) on OS X.
+ This was crashing with the error:
+ Ncat: getnameinfo failed: Undefined error: 0 QUITTING.
+ Fixed by forcing the name to "localhost" [Michael Wallner]
+
+o [Zenmap] Fix a crash in Zenmap when using Compare Results:
+ AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
+ [Daniel Miller]
+
+o [NSE] [GH#194] Add support for reading fragmented TLS messages to
+ ssl-enum-ciphers. [Jacob Gajek]
+
+o [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache,
+ and refactored DNS code to improve readability and
+ extensibility. All in all, this makes the rDNS portion of IPv6 scans
+ much faster. [Gioacchino Mazzurco]
+
+o [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]
+
+o [NSE] Added NTLM authentication support to http.lua and a related function to create
+ an ntlm v2 session response in smbauth.lua. [Gyanendra Mishra]
+
+o [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and
+ outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls
+ scripts have been converted to use this module. [Pierre Lalet]
+
+o [NSE] bacnet-info.nse and s7-info.nse were added to the version category.
+ [Paulino Calderon]
+
+o [NSE] Added 124 new identifiers to bacnet-info.nse vendor database.
+ [Paulino Calderon]
+
+o [NSE] Fixed bacnet-info.nse to bind to the service port detected
+ during scan instead of fixed port. [Paulino Calderon]
+
+o [NSE] Enhanced reporting of elliptic curve names and strengths in
+ ssl-enum-ciphers. The name of the curve is now reported instead of just "ec"
+ [Brandon Paulsen]
+
+o [GH#75] Normalize Makefile targets to use the same verb-project format, e.g.
+ build-ncat, check-zenmap, install-nping, clean-nsock [Gioacchino Mazzurco]
+
+o [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]
+
+o [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client
+ access policies and uses the new SLAXML parser. [Gyanendra Mishra]
+
+o [NSE] Added a patch for vulns lib that allows list of tables to be submitted
+ to fields in the vulns report. [Jacob Gajek]
+
+o [NSE] Added additional checks for successful PUT request in http-put.
+ [Oleg Mitrofanov]
+
+o [NSE] Added an update for http-methods that checks all possible methods not in
+ Allow or Public header of OPTIONS response. [Gyanendra Mishra]
+
+o [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner
+ (a.k.a. Phrogz). [Gyanendra Mishra]
+
+o [NSE] [GH#122] Update the snmp-brute and other snmp-* scripts to use the
+ creds library to store brute-forced snmp community strings. This allows Nmap
+ to use the correct brute-forced string for each host. [Gioacchino Mazzurco]
+
+o Several improvements to TLS/SSL detection in nmap-service-probes. A new
+ probe, TLSSessionReq, and improvements to default SSL ports should help speed
+ up -sV scans. http://seclists.org/nmap-dev/2015/q2/17 [Daniel Miller]
+
+o [Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_*
+ are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the
+ library instead of associated with a nspool. [Henri Doreau]
+
+o [GH#181] The configure script now prints a summary of configured options.
+ Most importantly, it warns if OpenSSL was not found, since most users will
+ want this library compiled in. [Gioacchino Mazzurco]
+
+o Define TCP Options for SYN scan in nmap.h instead of literally throughout.
+ This string is used by p0f and other IDS to detect Nmap scans, so having it a
+ compile-time option is a step towards better evasion. [Daniel Miller]
+
+o [GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This
+ should result in faster -6 scans. The old behavior is available with
+ --system-dns. [Gioacchino Mazzurco]
+
+o [NSE] Fix a couple odd bugs in NSE command-line parsing. Most notably,
+ --script broadcast-* will now work (generally, wildcards with scripts whose
+ name begins with a category name were not working properly). [Daniel Miller]
+
+o [NSE] [GH#113] http-form-fuzzer will now stop increasing the size of a
+ request when an HTTP 413 or 414 error indicates the web server will not
+ accept a larger request. [Gioacchino Mazzurco]
+
+o [NSE] [GH#159] Add the ability to tag credentials in the creds library with
+ freeform text for easy retrieval. This gives necessary granularity to track
+ credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]
+
+Nmap 6.49BETA5 [2015-09-25]
+
+o Work around a bug which could cause Nmap to hang when running
+ multiple instances at once on Windows. The actual bug appears to be
+ in the WinPCAP driver in that it hanges when accessed via
+ OpenServiceA by multiple processes at once. So for now we have added
+ a mutex to prevent even multiple Nmap processes from making
+ concurrent calls to this part of WinPcap. We've received the reports
+ from multiple users on Windows 8.1 and Windows Server 2012 R2 and
+ this fix seems to resolve the hang for them. [Daniel Miller]
+
+o [GH#212][NSE] Fix http.get_url function which was wrongly attempting
+ non-SSL HTTP requests first when passed https URLs. [jah]
+
+o [GH#201] Fix Ndiff interpreter path problems in the OS X .dmg
+ installer which could prevent Ndiff (and the related Zenmap "compare
+ results" window) from working on OS X in some cases. [Daniel Miller]
+
+o Fix Nmap's DTD, which did not recognize that the script element
+ could contain character data when a script returns a number or a
+ boolean. [Jonathan Daugherty]
+
+o [GH#172][NSE] Fix reporting of DH parameter sizes by
+ ssl-enum-ciphers. The number shown was the length in bytes, not bits
+ as it should have been. Reported by Michael Staruch. [Brandon
+ Paulsen]
+
+o Our Windows Nmap packages are now compiled with the older platform
+ toolset (v120_xp rather than v120) and so they may work with Windows
+ XP again for the dwindling number of users still on that operating
+ system.
+
+o [GH#34] Disable TPACKET_V3 in our included libpcap. This version of
+ the Linux kernel packet ring API has problems that result in lots of
+ lost packets. This patch falls back to TPACKET_V2 or earlier
+ versions if available. [nnposter]
+
+o [NSE] Check for socket errors in iscsi.lua. This was causing the
+ iscsi-info script to crash against some services. [Daniel Miller]
+
+o [NSE] Fix http-useragent-tester, which was using cached HTTP
+ responses instead of testing new User-Agent strings. [Daniel Miller]
+
+o Output a warning when deprecated options are used, and suggest the
+ preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM
+ -sR. The warning is only visible with -v. [Daniel Miller]
+
+o Add a fatal error for options like -oG- which is interpreted as the
+ deprecated -o option, outputting to a file named "G-", instead of
+ the expected behavior of -oG - (Grepable output to stdout). [Daniel
+ Miller]
+
+o [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD
+ changed byte order of the IPv4 stack, so SYN scan and other raw
+ packet functions were broken. [Edward Napierała] Also reported in
+ [GH#50] by Olli Hauer.
+
+o [GH#183] Fix compilation on Visual Studio 2010, which failed with
+ error: "service_scan.cc(2559): error C2065: 'EOPNOTSUPP' :
+ undeclared identifier" [Daniel Miller]
+
+o [GH#115][NSE] ssl-enum-ciphers will still produce output if OpenSSL
+ (required for certificate parsing) is not available. In cases where
+ handshake strength depends on the certificate, it will be reported
+ as "unknown". [jrchamp]
+
+Nmap 6.49BETA4 [2015-07-06]
+
+o Fix a hang on OS X in Zenmap's Topology page with error
+ zenmap_wrapper.py[857]: GError: Couldn't recognize the image file format for file
+ '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'
+ http://seclists.org/nmap-dev/2015/q3/8 [Daniel Miller]
+
+o Fix a small memory leak for each target specified as a hostname which fails
+ to resolve. [Daniel Miller]
+
+o Allow 'make check' to succeed when Nmap is configured without OpenSSL
+ support. This was broken due to our NSE unittest library expecting to be able
+ to load every library without error. [Daniel Miller]
+
+o [NSE] Enable ssl-enum-ciphers to safely scan servers with a long handshake
+ intolerance issue which resulted in incomplete results when the handshake was
+ greater than 255 bytes. [Jacob Gajek, Daniel Miller]
+
+o [Ncat] Fix a write overrun in Ncat that could cause a segfault if the -g
+ (source route) option was given too many times. [Daniel Miller]
+
+o [NSE] [GH#168] Allow ssl-enum-ciphers to run on non-typical ports when it is
+ selected by name. It will now send a service detection probe if the port is
+ not a typical SSL port and version scan (-sV) was not used. [Daniel Miller]
+
+Nmap 6.49BETA3 [2015-06-25]
+
+o [GH#166] Fix Ncat listen mode on Solaris and other platforms where struct sockaddr
+ does not have a sa_len member. This also affected use of the -p and -s
+ options. Brandon Haberfeld reported the crash. [Daniel Miller]
+
+o [GH#164] Fix a Zenmap failure ot open on OS X with the error:
+ "dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib"
+ We had to remove the DYLD_LIBRARY_PATH environment variable from
+ zenmap_wrapper.py. Reported by Robert Strom. [Daniel Miller]
+
+o Report our https URL (https://nmap.org) in more places rather than
+ our non-SSL one. [David Fifield]
+
+o [NSE] Fix Diffie-Hellman parameter extraction in tls.lua. [Jacob Gajek]
+
+Nmap 6.49BETA2 [2015-06-16]
+
+o [GH#154] Fix a crash (assertion error) when Nmap receives an ICMP Host
+ Unreachable message.
+
+o [GH#158] Fix a configure failure when Python is not present, but no Python
+ projects were requested. [Gioacchino Mazzurco]
+
+o [GH#161] [Zenmap] Fix Zenmap on OS X which was failing with
+ zipimport.ZipImportError due to architecture mismatch.
+
+o [NSE] Remove ahbl.org checks from dnsbl.lua, since the service was shut down.
+ [Forrest B.]
+
+Nmap 6.49BETA1 [2015-06-03]
+
+o Integrated all of your IPv4 OS fingerprint submissions from May 2014 to
+ February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total
+ to 4766. Addtions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0,
+ FreeBSD 10.1, OpenBSD 5.6, and more. Highlights:
+ http://seclists.org/nmap-dev/2015/q2/169 [Daniel Miller]
+
+o Integrated all of your service/version detection fingerprints submitted from
+ June 2013 to February 2015 (2500+ of them). The signature count soared over
+ the 10000 mark, a 12% increase. We now detect 1062 protocols, from http,
+ telnet, and ftp to jute, bgp, and slurm. Highlights:
+ http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]
+
+o Integrated all of your IPv6 OS fingerprint submissions from June 2013 to
+ April 2015 (only 97 of them!). We are steadily improving the IPv6 database,
+ but we need your submissions. The classifier added 9 new groups, bringing the
+ new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel
+ Miller]
+
+o Nmap now has an official bug tracker! We are using Github Issues, which you
+ can reach from http://issues.nmap.org/. We welcome your bug reports,
+ enhancement requests, and code submissions via the Issues and Pull Request
+ features of Github (https://github.com/nmap/nmap), though the repository
+ itself is just a mirror of our authoritative Subversion repository.
+
+o [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi)
+ translation by Gyanendra Mishra, and updated translations for German (de,
+ Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and
+ French (fr, MaZ)
+
+o Added options --data <hex string> and --data-string <string> to send custom
+ payloads in scan packet data. [Jay Bosamiya]
+
+o --reason is enabled for verbosity > 2, and now includes the TTL of received
+ packets in Normal output (this was already present in XML) [Jay Bosamiya]
+
+o Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by
+ failing to set the ICMP ID for outgoing packets which is used to match
+ incoming responses. [Andrew Waters]
+
+o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
+ passing a NULL pointer to a WinPcap function that then tries to write an
+ error message to it. [Peter Malecka]
+
+o Enhance Nmap's tcpwrapped service detection by using a shorter timeout for
+ the tcpwrapped designation. This prevents falsely labeling services as
+ tcpwrapped which merely have a read timeout shorter than 6 seconds. Full
+ discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]
+
+o All nmap.org pages are now available SSL-secured to improve privacy
+ and ensure your binaries can't be tampered with in transit. So be
+ sure to download from https://nmap.org/download.html . We will soon
+ remove the non-SSL version of the site. We still offer GPG-signed
+ binaries as well: https://nmap.org/book/install.html#inst-integrity
+
+o [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494!
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are below
+ (authors are listed in brackets):
+
+ + bacnet-info gets device information from SCADA/ICS devices via BACnet
+ (Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]
+
+ + docker-version detects and fingerprints Docker [Claudio Criscione]
+
+ + enip-info gets device information from SCADA/ICS devices via EtherNet/IP
+ [Stephen Hilt]
+
+ + fcrdns performs a Forward-confirmed Reverse DNS lookup and reports
+ anomalous results. [Daniel Miller]
+
+ + http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems.
+ [Paulino Calderon]
+
+ + http-cisco-anyconnect gets version and tunnel information from Cisco SSL
+ VPNs. [Patrik Karlsson]
+
+ + http-crossdomainxml detects overly permissive crossdomain policies and
+ finds trusted domain names available for purchase. [Paulino Calderon]
+
+ + http-shellshock detects web applications vulnerable to Shellshock
+ (CVE-2014-6271). [Paulino Calderon]
+
+ + http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin.
+ [Paul AMAR]
+
+ + http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
+ http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect
+ SSL VPNs. [Patrik Karlsson]
+
+ + http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote
+ code execution. [Gyanendra Mishra]
+
+ + http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to
+ MS15-034. [Paulino Calderon]
+
+ + http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability
+ in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access.
+ [Andrew Orr]
+
+ + http-wordpress-plugins was renamed http-wordpress-enum and extended to
+ enumerate both plugins and themes of Wordpress installations and their
+ versions. http-wordpress-enum is now http-wordpress-users. [Paulino Calderon]
+
+ + mikrotik-routeros-brute performs password auditing attacks against
+ Mikrotik's RouterOS API. [Paulino Calderon]
+
+ + omron-info gets device information from Omron PLCs via the FINS service.
+ [Stephen Hilt]
+
+ + s7-info gets device information from Siemens PLCs via the S7 service,
+ tunneled over ISO-TSAP on TCP port 102. [Stephen Hilt]
+
+ + snmp-info gets the enterprise number and other information from the
+ snmpEngineID in an SNMPv3 response packet. [Daniel Miller]
+
+ + ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS
+ CCS Injection vulnerability (CVE-2014-0224) [Claudiu Perta]
+
+ + ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566) [Daniel Miller]
+
+ + supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers. [Paulino
+ Calderon]
+
+ + targets-ipv6-map4to6 generates target IPv6 addresses which correspond to
+ IPv4 addresses mapped within a particular IPv6 subnet. [Raúl Fuentes]
+
+ + targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made
+ of hexadecimal characters. [Raúl Fuentes]
+
+o Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build
+ our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]
+
+o Our OS X installer is now built for a minimum supported version of 10.8
+ (Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally,
+ OpenSSL is now statically linked, allowing us to distribute the latest from
+ Macports instead of being subjected to the 0.9.8 branch still in use as of
+ 10.9. [Daniel Miller]
+
+o Add 2 more ASCII-art configure splash images to be rotated randomly with the
+ traditional dragon image. New ideas for other images to use here may be sent
+ to dev@nmap.org. [Jay Bosamiya, Daniel Miller]
+
+o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
+ passing a NULL pointer to a WinPcap function that then tries to write an
+ error message to it. [Peter Malecka]
+
+o Fix compilation and several bugs on AIX. [Daniel Miller]
+
+o Fix a bug in libdnet-stripped on Solaris that resulted in the wrong MAC
+ address being detected for all interfaces.
+ http://seclists.org/nmap-dev/2015/q2/1 [Daniel Miller]
+
+o New features for the IPv6 OS detection engine allow for better classification
+ of systems: IPv6 guessed initial hop limit (TTL) and ratio of TCP initial
+ window size to maximum segment size. [Alexandru Geana]
+
+o [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
+ handshake, including certificate key size and DH parameters if applicable.
+ This is similar to Qualys's SSL Labs scanner, and means that we no longer
+ maintain a list of scores per ciphersuite. [Daniel Miller]
+
+o [NSE] Improved http-form-brute autodetection and behavior to handle more
+ unusual-but-valid HTML syntax, non-POST forms, success/failure testing on
+ HTTP headers, and more. [nnposter]
+
+o [NSE] Reduce many NSE default timeouts and base them on Nmap's detected
+ timeouts for those hosts from the port scan phase. Scripts which take timeout
+ script-args can now handle 's' and 'ms' suffixes, just like Nmap's own
+ options. [Daniel Miller]
+
+o [NSE] Remove db2-discover, as its functionality was performed by service
+ version detection since the broadcast portion was separated into
+ broadcast-db2-discover. http://seclists.org/nmap-dev/2014/q3/415 [Daniel
+ Miller]
+
+o Cache dnet names not found on Windows when enumerating interfaces in the
+ Windows Registry. Reduces startup times. [Elon Natovich]
+
+o [NSE] Make smb-ls able to leverage results from smb-enum-shares or list of
+ shares specified on command line. [Pierre Lalet]
+
+o [NSE] Fix X509 cert date parsing for dates after 2049. Reported by Teppo
+ Turtiainen. [Daniel Miller]
+
+o Handle a bunch of socket errors that can result from odd ICMP Type 3
+ Destination Unreachable messages received during service scanning. The crash
+ reported was "Unexpected error in NSE_TYPE_READ callback. Error code: 92
+ (Protocol not available)" [Daniel Miller]
+
+o Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using
+ -sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]
+
+o Fixed a benign TOCTOU race between stat() and open() in mmapfile().
+ Reported by Camille Mougey. [Henri Doreau]
+
+o Reduce CPU consumption when using nsock poll engine with no registered FD,
+ by actually calling Poll() for the time until timeout, instead of directly
+ returning zero and entering the loop again. [Henri Doreau]
+
+o Change the URI for the fingerprint submitter to its new location at
+ https://nmap.org/cgi-bin/submit.cgi
+
+o [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to
+ http-enum in the 'security' category [Daniel Miller]
+
+o Fixed a bug that caused Nmap to fail to find any network interface when a
+ Prism interface is in monitor mode. The fix was to define the
+ ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code.
+ [Brad Johnson]
+
+o Added a version probe for Tor. [David Fifield]
+
+o [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix
+ published applications in the list are enforcing/requiring the level
+ of ICA/session data encryption shown in the script result.
+ [Tom Sellers]
+
+o [NSE] Updated our Wordpress plugin list to improve the
+ http-wordpress-enum NSE script. We can now detect 34,077 plugins,
+ up from 18,570. [Danila Poyarkov]
+
+o [NSE] Add the signature algorithm that was used to sign the target port's
+ x509 certificate to the output of ssl-cert.nse [Tom Sellers]
+
+o [NSE] Fixed a bug in the sslcert.lua library that was triggered against
+ certain services when version detection was used. [Tom Sellers]
+
+o [NSE] vulns.Report:make_output() now generates XML structured output
+ reports automatically. [Paulino Calderon]
+
+o [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts
+ [Jay Bosamiya]
+
+o [NSE] If a version script is run by name, nmap.version_intensity() returns
+ the maximum value (9) for it [Jay Bosamiya]
+
+o [NSE] shortport.version_port_or_service() takes an optional rarity parameter
+ now to run only when version intensity > rarity [Jay Bosamiya]
+
+o [NSE] Added nmap.version_intensity() function so that NSE version scripts
+ can use the argument to --version-intensity (which can be overridden by the
+ script arg 'script-intensity') in order to decide whether to run or not
+ [Jay Bosamiya]
+
+o Improve OS detection; If a port is detected to be 'tcpwrapped', then it will
+ not be used for OS detection. This helps in cases where a firewall might be
+ the port to be 'tcpwrapped' [Jay Bosamiya]
+
+o [Zenmap] Reduce noise generated in Topology View due to anonymous
+ hops [Jay Bosamiya]
+
+o Added option --exclude-ports to Nmap so that some ports can be excluded from
+ scanning (for example, due to policy) [Jay Bosamiya]
+
+o [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output,
+ and display a more helpful error message [Jay Bosamiya]
+
+o Catch badly named output files (such as those unintentionally caused by
+ "-oX -sV logfile.xml") [Jay Bosamiya]
+
+o [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans
+ now open in seconds instead of hours. [Jay Bosamiya]
+
+o Modify the included libpcap configure script to disable certain unused
+ features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a
+ build problem on CentOS 6.5. [Daniel Miller]
+
+o Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]
+
+o Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP
+ stacks in currently popular operating systems use. [Jay Bosamiya]
+
+o Fixed a bug which caused Nmap to be unable to have any runtime interaction
+ when called from sudo or from a shell script. [Jay Bosamiya]
+
+o Improvements to whois-ip.nse: fix an unhandled error when a referred-to
+ response could not be understood; add a new pattern to recognise a
+ LACNIC "record not found" type of response and update the way ARIN is
+ queried. [jah]
+
+Nmap 6.47 [2014-08-23]
+
+o Integrated all of your IPv4 OS fingerprint submissions since June 2013
+ (2700+ of them). Added 366 fingerprints, bringing the new total to 4485.
+ Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2,
+ OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
+ Highlights: http://seclists.org/nmap-dev/2014/q3/325 [Daniel Miller]
+
+o (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i. [Daniel Miller]
+
+o (Windows) Upgraded the included Python to version 2.7.8. [Daniel Miller]
+
+o Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This
+ was added in 6.45, and resulted in trouble for Nmap XML parsers without
+ network access, as well as increased traffic to Nmap's servers. The doctype
+ is now:
+ <!DOCTYPE nmaprun>
+
+o [Ndiff] Fixed the installation process on Windows, which was missing the
+ actual Ndiff Python module since we separated it from the driver script.
+ [Daniel Miller]
+
+o [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution,
+ which was giving the error, "\Microsoft was unexpected at this time." See
+ https://support.microsoft.com/kb/2524009 [Daniel Miller]
+
+o [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch,
+ producing this error:
+ Could not import the zenmapGUI.App module:
+ 'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2):
+ Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n
+ Referenced from:
+ /Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\n
+ Reason: image not found'.
+
+o [Ncat] Fixed SOCKS5 username/password authentication. The password length was
+ being written in the wrong place, so authentication could not succeed.
+ Reported with patch by Pierluigi Vittori.
+
+o Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts
+ this to the string "(null)", but it caused segfault on Solaris. [Daniel Miller]
+
+o [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package
+ installed. Python tries to be nice and loads it when we import xml, but it
+ isn't compatible. Instead, we force Python to use the standard library xml
+ module. [Daniel Miller]
+
+o Handle ICMP admin-prohibited messages when doing service version detection.
+ Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ
+ callback. Error code: 101 (Network is unreachable) [David Fifield]
+
+o [NSE] Fix a bug causing http.head to not honor redirects. [Patrik Karlsson]
+
+o [Zenmap] Fix a bug in DiffViewer causing this crash:
+ TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only
+ buffer, not NmapParserSAX
+ Crash happened when trying to compare two scans within Zenmap. [Daniel Miller]
+
+Nmap 6.46 [2014-04-18]
+
+o [NSE] Made numerous improvements to ssl-heartbleed to provide
+ more reliable detection of the vulnerability.
+
+o [Zenmap] Fixed a bug which caused this crash message:
+ IOError: [Errno socket error] [Errno 10060] A connection attempt failed
+ because the connected party did not properly respond after a period of
+ time, or established connection failed because connected host has
+ failed to
+ respond
+ The bug was caused by us adding a DOCTYPE definition to Nmap's XML
+ output which caused Python's XML parser to try and fetch the DTD
+ every time it parses an XML file. We now override that DTD-fetching
+ behavior. [Daniel Miller]
+
+o [NSE] Fix some bugs which could cause snmp-ios-config and
+ snmp-sysdescr scripts to crash
+ (http://seclists.org/nmap-dev/2014/q2/120) [Patrik Karlsson]
+
+o [NSE] Improved performance of citrix.lua library when handling large XML
+ responses containing application lists. [Tom Sellers]
+
+Nmap 6.45 [2014-04-11]
+
+o Idle scan now supports IPv6. IPv6 packets don't usually come with
+ fragments identifiers like IPv4 packets do, so new techniques had to
+ be developed to make idle scan possible. The implementation is by
+ Mathias Morbitzer, who made it the subject of his master's thesis.
+
+o When doing a ping scan (-sn), the --open option will prevent down hosts from
+ being shown when -v is specified. This aligns with similar output for other
+ scan types. [Daniel Miller]
+
+o Fixed some syntax problems in nmap-os-db that were caused by some automated
+ merging of fingerprints (http://seclists.org/nmap-dev/2013/q4/68) [Daniel
+ Miller]
+
+o New service probes and fingerprints for Quake1, TeamSpeak3, xmlsysd,
+ Freelancer game server, All-Seeing Eye, AndroMouse, and AirHD.
+
+o Update included WinPcap to version 4.1.3 [Rob Nicholls]
+
+o [NSE] Convert many more scripts to emit structured XML output
+ (https://nmap.org/book/nse-api.html#nse-structured-output) [Daniel Miller]
+
+o [NSE] Added 24 NSE scripts from 12 authors, bringing the total up to 470.
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below (authors are listed in brackets):
+
+ + allseeingeye-info gathers information from games using this query protocol.
+ A version detection probe was also added. [Marin Maržić]
+
+ + freelancer-info gathers information about the Freelancer game server. Also
+ added a related version detection probe and UDP protocol payload for
+ detecting the service. [Marin Maržić]
+
+ + http-csrf detects Cross Site Request Forgeries (CSRF) vulnerabilities by
+ searching for CSRF tokens in HTML forms. [George Chatzisofroniou]
+
+ + http-devframework finds out the technology behind the target website based
+ on HTTP headers, static URLs, and other content and resources. [George
+ Chatzisofroniou]
+
+ + http-dlink-backdoor detects DLink routers with firmware backdoor allowing
+ admin access over HTTP interface. [Patrik Karlsson]
+
+ + http-dombased-xss finds potential DOM-based Cross-site Scripting (XSS)
+ vulnerabilities by searching for specific patterns in JavaScript resources.
+ [George Chatzisofroniou]
+
+ + http-errors crawls for URIs that return error status codes (HTTP 400 and
+ above). [George Chatzisofroniou]
+
+ + http-feed crawls a web site for Atom and RSS feeds. [George Chatzisofroniou]
+
+ + http-iis-short-name-brute detects Microsoft IIS servers vulnerable to a
+ file/folder name disclosure and a denial of service vulnerability. The
+ script obtains the "shortnames" of the files and folders in the webroot
+ folder. [Paulino Calderon]
+
+ + http-mobileversion-checker checks for mobile versions of web pages by
+ setting an Android User-Agent header and checking for HTTP redirects.
+ [George Chatzisofroniou]
+
+ + http-ntlm-info gets server information from Web servers that require NTLM
+ authentication. [Justin Cacak]
+
+ + http-referer-checker finds JavaScript resources that are included from other
+ domains, increasing a website's attack surface. [George Chatzisofroniou]
+
+ + http-server-header grabs the Server header as a last-ditch effort to get a
+ software version. This can't be done as a softmatch because of the need to
+ match non-HTTP services that obey some HTTP requests. [Daniel Miller]
+
+ + http-useragent-tester checks for sites that redirect common Web spider
+ User-Agents to a different page than browsers get. [George Chatzisofroniou]
+
+ + http-vuln-cve2013-7091 (released as http-vuln-zimbra-lfi) looks for
+ CVE-2013-7091, a LFI vulnerability in Zimbra. [Paul AMAR, Ron Bowes]
+
+ + http-xssed searches the xssed.com database of Cross-site Scripting
+ vulnerabilities for previously-reported XSS vulnerabilities in the target.
+ [George Chatzisofroniou]
+
+ + qconn-exec tests the QNX QCONN service for remote command execution.
+ [Brendan Coles]
+
+ + quake1-info retrieves server and player information from Quake 1 game
+ servers. Reports potential DoS amplification factor. [Ulrik Haugen]
+
+ + rfc868-time gets the date and time from an RFC 868 Time server. [Daniel
+ Miller]
+
+ + ssl-heartbleed detects the Heartbleed bug in OpenSSL CVE-2014-0160 [Patrik
+ Karlsson]
+
+ + sstp-discover discovers Microsoft's Secure Socket Tunnelling Protocol
+ (http://msdn.microsoft.com/en-us/library/cc247338.aspx) [Niklaus Schiess]
+
+ + unittest runs unit tests found in NSE libraries. The corresponding
+ unittest.lua library has examples. Run `nmap --script=unittest
+ --script-args=unittest.run -d` to run the tests. [Daniel Miller]
+
+ + weblogic-t3-info detects the T3 RMI protocol used by Oracle/BEA Weblogic
+ and extracts the Weblogic version. [Alessandro Zanni, Daniel Miller]
+
+ + whois-ip and whois-domain replace the whois script, which previously could
+ only collect whois info for IP addresses. [George Chatzisofroniou]
+
+o [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail
+ when scanning a SOCKS4-only proxy. Reported on IRC by Husky. [Daniel Miller]
+
+o [NSE] Improved ntp-info script to handle underscores in returned
+ data. [nnposter]
+
+o [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and
+ other character sets to Unicode code points. Scripts that previously just
+ added or skipped nulls in UTF-16 data can use this to support non-ASCII
+ characters. [Daniel Miller]
+
+o Significant code and documentation cleanup effort, fixing file encodings,
+ trailing whitespace, indentation, spelling mistakes, NSEdoc formatting
+ issues, PEP 8 compliance for Python, deprecation cleanup under python -3,
+ cleanup of warnings from LLVM's AddressSanitizer. [Daniel Miller]
+
+o [Ncat] Added support for socks5 and corresponding regression tests.
+ [Marek Lukaszuk, Petr Stodulka]
+
+o Added TCP support to dns.lua. [John Bond]
+
+o Added safe fd_set operations. This makes nmap fail gracefully instead of
+ crashing when the number of file descriptors grows over FD_SETSIZE. Jacek
+ Wielemborek reported the crash. [Henri Doreau]
+
+o [NSE] Added tls library for functions related to SSLv3 and TLS messages.
+ Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were
+ updated to use this library. [Daniel Miller]
+
+o Added NSE and Zenmap unit tests to "make check" [Daniel Miller]
+
+o [NSE] Enable http-enum to use the large Nikto fingerprint database at runtime
+ if provided by the user. For licensing reasons, we do not distribute this
+ database, but the integration effort has the blessing of the Nikto folks.
+ [George Chatzisofroniou]
+
+o Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release) [Daniel Miller]
+
+o Added version detection signatures and probes for a bunch of Android
+ remote mouse/keyboard servers, including AndroMouse, AirHID,
+ Wifi-mouse, and RemoteMouse. [Paul Hemberger]
+
+o [Ncat] Fixed compilation when --without-liblua is specified in
+ configure (an #include needed an ifdef guard). [Quentin Glidic]
+
+o Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on
+ FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by
+ skipping these non-network addresses. [Daniel Miller]
+
+o Fixed a bug with UDP checksum calculation. When the UDP checksum is zero
+ (0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid
+ ambiguity with +0, which indicates no checksum was calculated. This affected
+ UDP on IPv4 only. Reported by Michael Weber. [Daniel Miller]
+
+o [NSE] Removed a fixed value (28428) which was being set for the Request ID in
+ the snmpWalk library function; a value based on nmap.clock_ms will now be set
+ instead. [jah]
+
+o The ICMP ID of ICMP probes is now matched against the sent ICMP ID,
+ to reduce the chance of false matches. Patch by Chris Johnson.
+
+o [NSE] Made telnet-brute support multiple parallel guessing threads,
+ reuse connections, and support password-only logins. [nnposter]
+
+o [NSE] Made the table returned by ssh1.fetch_host_key contain a "key"
+ element, like that of ssh2.fetch_host_key. This fixed a crash in the
+ ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The
+ "key" element of ssh2.fetch_host_key now is base64-encoded, to match
+ the format used by the known_hosts file. [David Fifield]
+
+o [Nsock] Handle timers and timeouts via a priority queue (using a heap)
+ for improved performance. Nsock now only iterates over events which are
+ completed or expired instead of inspecting the entire event set at each
+ iteration. [Henri Doreau]
+
+o [NSE] Update dns-cache-snoop script to use a new list of top 50
+ domains rather than a 2010 list. [Nicolle Neulist]
+
+o [Zenmap] Fixed a crash that would happen when you entered a search
+ term starting with a colon: "AttributeError:
+ 'FilteredNetworkInventory' object has no attribute 'match_'".
+ Reported by Kris Paernell. [David Fifield]
+
+o [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR
+ and NCAT_LOCAL_PORT environment variables being set in all --*-exec child
+ processes.
+
+Nmap 6.40 [2013-07-29]
+
+o [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat
+ --sh-exec "lua <scriptname>"' and allows you to run Lua scripts with Ncat,
+ redirecting all stdin and stdout operations to the socket connection. See
+ https://nmap.org/book/ncat-man-command-options.html [Jacek Wielemborek]
+
+o Integrated all of your IPv4 OS fingerprint submissions since January
+ (1,300 of them). Added 91 fingerprints, bringing the new total to 4,118.
+ Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more.
+ Many existing fingerprints were improved. Highlights:
+ http://seclists.org/nmap-dev/2013/q2/518. [David Fifield]
+
+o Integrated all of your service/version detection fingerprints submitted
+ since January (737 of them)! Our signature count jumped by 273 to 8,979.
+ We still detect 897 protocols, from extremely popular ones like http, ssh,
+ smtp and imap to the more obscure airdroid, gopher-proxy, and
+ enemyterritory. Highlights:
+ http://seclists.org/nmap-dev/2013/q3/80. [David Fifield]
+
+o Integrated your latest IPv6 OS submissions and corrections. We're still
+ low on IPv6 fingerprints, so please scan any IPv6 systems you own or
+ administer and submit them to https://nmap.org/submit/. Both new
+ fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap
+ guesses wrong) are useful. [David Fifield]
+
+o [Nsock] Added initial proxy support to Nsock. Nmap version detection
+ and NSE can now establish TCP connections through chains of one or
+ more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a
+ chain of one or more proxies as the argument (example:
+ http://localhost:8080,socks4://someproxy.example.com). Note that
+ only version detection and NSE are supported so far (no port
+ scanning or host discovery), and there are other limitations
+ described in the man page. [Henri Doreau]
+
+o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446.
+ They are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below (authors are listed in brackets):
+
+ + hostmap-ip2hosts finds hostnames that resolve to the target's IP address
+ by querying the online database at http://www.ip2hosts.com (uses Bing
+ search results) [Paulino Calderon]
+
+ + http-adobe-coldfusion-apsa1301 attempts to exploit an authentication
+ bypass vulnerability in Adobe Coldfusion servers (APSA13-01:
+ http://www.adobe.com/support/security/advisories/apsa13-01.html) to
+ retrieve a valid administrator's session cookie. [Paulino Calderon]
+
+ + http-coldfusion-subzero attempts to retrieve version, absolute path of
+ administration panel and the file 'password.properties' from vulnerable
+ installations of ColdFusion 9 and 10. [Paulino Calderon]
+
+ + http-comments-displayer extracts and outputs HTML and JavaScript
+ comments from HTTP responses. [George Chatzisofroniou]
+
+ + http-fileupload-exploiter exploits insecure file upload forms in web
+ applications using various techniques like changing the Content-type
+ header or creating valid image files containing the payload in the
+ comment. [George Chatzisofroniou]
+
+ + http-phpmyadmin-dir-traversal exploits a directory traversal
+ vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to
+ retrieve remote files on the web server. [Alexey Meshcheryakov]
+
+ + http-stored-xss posts specially crafted strings to every form it
+ encounters and then searches through the website for those strings to
+ determine whether the payloads were successful. [George Chatzisofroniou]
+
+ + http-vuln-cve2013-0156 detects Ruby on Rails servers vulnerable to
+ object injection, remote command executions and denial of service
+ attacks. (CVE-2013-0156) [Paulino Calderon]
+
+ + ike-version obtains information (such as vendor and device type where
+ available) from an IKE service by sending four packets to the host.
+ This scripts tests with both Main and Aggressive Mode and sends multiple
+ transforms per request. [Jesper Kueckelhahn]
+
+ + murmur-version detects the Murmur service (server for the Mumble voice
+ communication client) versions 1.2.X. [Marin Maržić]
+
+ + mysql-enum performs valid-user enumeration against MySQL server using a
+ bug discovered and published by Kingcope
+ (http://seclists.org/fulldisclosure/2012/Dec/9). [Aleksandar Nikolic]
+
+ + teamspeak2-version detects the TeamSpeak 2 voice communication server
+ and attempts to determine version and configuration information. [Marin
+ Maržić]
+
+ + ventrilo-info detects the Ventrilo voice communication server service
+ versions 2.1.2 and above and tries to determine version and
+ configuration information. [Marin Maržić]
+
+o Updated the Nmap license agreement to close some loopholes and stop some
+ abusers. It's particularly targeted at companies which distribute
+ malware-laden Nmap installers as we caught Download.com doing last
+ year--http://insecure.org/news/download-com-fiasco.html . The updated
+ license is in the all the normal places, including
+ https://svn.nmap.org/nmap/COPYING.
+
+o [NSE][SECURITY] Oops, there was a vulnerability in one of our 437 NSE scripts. If
+ you ran the (fortunately non-default) http-domino-enum-passwords script
+ with the (fortunately also non-default) domino-enum-passwords.idpath
+ parameter against a malicious server, it could cause an arbitrarily named
+ file to to be written to the client system. Thanks to Trustwave researcher
+ Piotr Duszynski for discovering and reporting the problem. We've fixed
+ that script, and also updated several other scripts to use a new
+ stdnse.filename_escape function for extra safety. This breaks our record
+ of never having a vulnerability in the 16 years that Nmap has existed, but
+ that's still a fairly good run! [David, Fyodor]
+
+o Unicast CIDR-style IPv6 range scanning is now supported, so you can
+ specify targets such as en.wikipedia.org/120. Obviously it will take ages
+ if you specify a huge space. For example, a /64 contains
+ 18,446,744,073,709,551,616 addresses. [David Fifield]
+
+o It's now possible to mix IPv4 range notation with CIDR netmasks in target
+ specifications. For example, 192.168-170.4-100,200.5/16 is effectively the
+ same as 192.168.168-170.0-255.0-255. [David Fifield]
+
+o Timeout script-args are now standardized to use the timespec that Nmap's
+ command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that
+ previously took an integer number of milliseconds will now treat that as a
+ number of seconds if not explicitly denoted as ms. [Daniel Miller]
+
+o Nmap may now partially rearrange its target list for more efficient
+ host groups. Previously, a single target with a different interface,
+ or with an IP address the same as a that of a target already in the
+ group, would cause the group to be broken off at whatever size it
+ was. Now, we buffer a small number of such targets, and keep looking
+ through the input for more targets to fill out the current group.
+ [David Fifield]
+
+o [Ncat] The -i option (idle timeout) now works in listen mode as well as
+ connect mode. [Tomas Hozza]
+
+o [Ncat] Ncat now support chained certificates with the --ssl-cert
+ option. [Greg Bailey]
+
+o [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid
+ receiving crosstalk from other ping programs running at the same
+ time. [David Fifield]
+
+o [NSE] The ipOps.isPrivate library now considers the deprecated site-local
+ prefix fec0::/10 to be private. [Marek Majkowski]
+
+o Nmap's routing table is now sorted first by netmask, then by metric.
+ Previously it was the other way around, which could cause a very general
+ route with a low metric to be preferred over a specific route with a
+ higher metric.
+
+o Routes are now sorted to prefer those with a lower metric. Retrieval of
+ metrics is supported only on Linux and Windows. [David Fifield]
+
+o Fixed a byte-ordering problem on little-endian architectures when doing
+ idle scan with a zombie that uses broken ID increments. [David Fifield]
+
+o Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by
+ Gustavo Moreira. [Henri Doreau]
+
+o [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a
+ network mask. Based on a patch by Indula Nayanamith.
+
+o [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to
+ stay within platform limitations. Suggested by Andrey Olkhin.
+
+o Fixed IPv6 routing table alignment on NetBSD.
+
+o Fixed our NSEDoc system so the author field uses UTF-8 and we can spell
+ people's name properly, even if they use crazy non-ASCII characters like
+ Marin Maržić. [David Fifield]
+
+o UDP protocol payloads were added for detecting the Murmer service (a
+ server for the Mumble voice communication client) and TeamSpeak 2 VoIP
+ software.
+
+o [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
+
+o Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This
+ was reported to break on -current as of May 2013. [Giovanni Bechis]
+
+o Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
+
+o Removed some non-ANSI-C strftime format strings ("%F") and
+ locale-dependent formats ("%c") from NSE scripts and libraries.
+ C99-specified %F was noticed by Alex Weber. [Daniel Miller]
+
+o [Zenmap] Improved internationalization support:
+ + Added Polish translation by Jacek Wielemborek.
+ + Updated the Italian translation. [Giacomo]
+
+o [Zenmap] Fixed internationalization files. Running in a language other
+ than the default English would result in the error "ValueError: too many
+ values to unpack". [David Fifield]
+
+o [NSE] Updated the included Liblua from version 5.2.1 to 5.2.2. [Patrick
+ Donnelly]
+
+o [Nsock] Added a minimal regression test suite for Nsock. [Henri Doreau]
+
+o [NSE] Updated the redis-brute and redis-info scripts to work against the
+ latest versions of redis server. [Henri Doreau]
+
+o [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
+
+o [NSE] Updated hostmap-bfk to work with the latest version of their website
+ (bfk.de). [Paulino Calderon]
+
+o [NSE] Added XML structured output support to:
+ + xmpp-info, irc-info, sslv2, address-info [Daniel Miller]
+ + hostmap-bfk, hostmap-robtex, hostmap-ip2hosts. [Paulino Calderon]
+ + http-git.nse. [Alex Weber]
+
+o Added new service probes for:
+ + Erlang distribution nodes [Michael Schierl]
+ + Minecraft servers. [Eric Davisson]
+ + Hazelcast data grid. [Pavel Kankovsky]
+
+o [NSE] Rewrote telnet-brute for better compatibility with a variety of
+ telnet servers. [nnposter]
+
+o Fixed a regression that changed the number of delimiters in machine
+ output. [Daniel Miller]
+
+o Fixed a regression in broadcast-dropbox-listener which prevented it from
+ producing output. [Daniel Miller]
+
+o Handle ICMP type 11 (Time Exceeded) responses to port scan probes. Ports
+ will be reported as "filtered", to be consistent with existing Connect
+ scan results, and will have a reason of time-exceeded. DiabloHorn
+ reported this issue via IRC. [Daniel Miller]
+
+o Add new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and
+ changed output of some of the decoders slightly. [Patrik Karlsson]
+
+o The list of name servers on Windows now ignores those from inactive
+ interfaces. [David Fifield]
+
+o Namespace the pipes used to communicate with subprocesses by PID, to avoid
+ multiple instances of Ncat from interfering with each other. Patch by
+ Andrey Olkhin.
+
+o [NSE] Changed ip-geolocation-geoplugin to use the web service's new output
+ format. Reported by Robin Wood.
+
+o Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast
+ connect scans could write past the end of an fd_set and cause a variety of
+ crashes:
+ nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed.
+ select failed in do_one_select_round(): Bad file descriptor (9)
+ [David Fifield]
+
+o Fixed a bug that prevented Nmap from finding any interfaces when one of
+ them had the type ARP_HDR_APPLETALK; this was the case for AppleTalk
+ interfaces. However, This support is not complete since AppleTalk
+ interfaces use different size hardware addresses than Ethernet. Nmap IP
+ level scans should work without any problem, please refer to the
+ '--send-ip' switch and to the following thread:
+ http://seclists.org/nmap-dev/2013/q1/214. This bug was reported by Steven
+ Gregory Johnson. [Daniel Miller]
+
+o [Nping] Nping on Windows now skips localhost targets for privileged pings
+ on (with an error message) because those generally don't work. [David
+ Fifield]
+
+o [Ncat] Ncat now keeps running in connect mode after receiving EOF from the
+ remote socket, unless --recv-only is in effect. [Tomas Hozza]
+
+o Packet trace of ICMP packets now include the ICMP ID and sequence number
+ by default. [David Fifield]
+
+o [NSE] Fixed various NSEDoc bugs found by David Matousek.
+
+o [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED
+ environment variables. [Tyler Wagner]
+
+o Added an ncat_assert macro. This is similar to assert(), but remains even
+ if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved
+ operation with side effects outside of asserts as yet another layer of
+ bug-prevention [David Fifield].
+
+o Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into
+ XSL-FO, which can be converted into PDF using tools suck as Apache FOP.
+
+o Increased the number of slack file descriptors not used during connect
+ scan. Previously, the calculation did not consider the descriptors used by
+ various open log files. Connect scans using a lot of sockets could fail
+ with the message "Socket creation in sendConnectScanProbe: Too many open
+ files". [David Fifield]
+
+o Changed the --webxml XSL stylesheet to point to the new location of
+ nmap.xsl in the new repository (https://svn.nmap.org/nmap/docs/nmap.xsl).
+ It still may not work in web browsers due to same origin policy (see
+ http://seclists.org/nmap-dev/2013/q1/58). [David Fifield, Simon John]
+
+o [NSE] The vulnerability library can now preserve vulnerability information
+ across multiple ports of the same host. The bug was reported by
+ iphelix. [Djalal Harouni]
+
+o Removed the undocumented -q option, which renamed the nmap process to
+ something like "pine".
+
+o Moved the Japanese man page from man1/jp to man1/ja. JP is a country code
+ while JA is a language code. Reported by Christian Neukirchen.
+
+o [Nsock] Reworked the logging infrastructure to make it more flexible and
+ consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can
+ now be adjusted at runtime by pressing d/D in nmap. [Henri Doreau, David
+ Fifield]
+
+o [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by
+ Dhiru Kholia at http://seclists.org/nmap-dev/2012/q4/422. [David Fifield]
+
+o Made some changes to Ndiff to reduce parsing time when dealing with large
+ Nmap XML output files. [Henri Doreau]
+
+o Clean up the source code a bit to resolve some false positive issues
+ identified by the Parfait static code analysis program. Oracle apparently
+ runs this on programs (including Nmap) that they ship with Solaris. See
+ http://seclists.org/nmap-dev/2012/q4/504. [David Fifield]
+
+o [Zenmap] Fixed a crash that could be caused by opening the About dialog,
+ using the window manager to close it, and opening it again. This was
+ reported by Yashartha Chaturvedi and Jordan Schroeder. [David Fifield]
+
+o [Ncat] Made test-addrset.sh exit with nonzero status if any tests
+ fail. This in turn causes "make check" to fail if any tests fail.
+ [Andreas Stieger]
+
+o Fixed compilation with --without-liblua. The bug was reported by Rick
+ Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]
+
+o Fixed CRC32c calculation (as used in SCTP scans) on 64-bit
+ platforms. [Pontus Andersson]
+
+o [NSE] Added multicast group name output to
+ broadcast-igmp-discovery.nse. [Vasily Kulikov]
+
+o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
+ SquirrelMail, RoundCube. [Jesper Kückelhahn]
+
+Nmap 6.25 [2012-11-29]
+
+o [NSE] Added CPE to smb-os-discovery output.
+
+o [Ncat] Fixed the printing of warning messages for large arguments to
+ the -i and -w options. [Michal Hlavinka]
+
+o [Ncat] Shut down the write part of connected sockets in listen mode
+ when stdin hits EOF, just as was already done in connect mode.
+ [Michal Hlavinka]
+
+o [Zenmap] Removed a crashing error that could happen when canceling a
+ "Print to File" on Windows:
+ Traceback (most recent call last):
+ File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
+ File "zenmapGUI\Print.pyo", line 156, in run_print_operation
+ GError: Error from StartDoc
+ This bug was reported by Imre Adácsi. [David Fifield]
+
+o Added some new checks for failed library calls. [Bill Parker]
+
+Nmap 6.20BETA1 [2012-11-16]
+
+o Integrated all of your IPv4 OS fingerprint submissions since January
+ (more than 3,000 of them). Added 373 fingerprints, bringing the new
+ total to 3,946. Additions include Linux 3.6, Windows 8, Windows
+ Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
+ routers, and other devices--including our first IP-enabled doorbell!
+ Many existing fingerprints were improved. [David Fifield]
+
+o Integrated all of your service/version detection fingerprints
+ submitted since January (more than 1,500)! Our signature
+ count jumped by more than 400 to 8,645. We now detect 897
+ protocols, from extremely popular ones like http, ssh, smtp and imap
+ to the more obscure airdroid, gopher-proxy, and
+ enemyterritory. [David Fifield]
+
+o Integrated your latest IPv6 OS submissions and corrections. We're
+ still low on IPv6 fingerprints, so please scan any IPv6 systems you
+ own or administer and submit them to https://nmap.org/submit/. Both
+ new fingerprints (if Nmap doesn't find a good match) and corrections
+ (if Nmap guesses wrong) are useful.
+
+o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
+ (Next Header) probes. Previously, only TCP and ICMP were
+ supported. [David Fifield]
+
+o Scripts can now return a structured name-value table so that results
+ are query-able from XML output. Scripts can return a string as
+ before, or a table, or a table and a string. In this last case, the
+ table will go to XML output and the string will go to screen output.
+ See https://nmap.org/book/nse-api.html#nse-structured-output [Daniel
+ Miller, David Fifield, Patrick Donnelly]
+
+o [Nsock] Added new poll and kqueue I/O engines for improved
+ performance on Windows and BSD-based systems including Mac OS X.
+ These are in addition to the epoll engine (used on Linux) and the
+ classic select engine fallback for other system. [Henri Doreau]
+
+o [Ncat] Added support for Unix domain sockets. The new -U and
+ --unixsock options activate this mode. These provide compatibility
+ with Hobbit's original Netcat. [Tomas Hozza]
+
+o Moved some Windows dependencies, including OpenSSL, libsvn, and the
+ vcredist files, into a new public Subversion directory
+ /nmap-mswin32-aux and moved it out of the source tarball. This
+ reduces the compressed tarball size from 22 MB to 8 MB and similarly
+ reduces the bandwidth and storage required for an svn checkout.
+ Folks who build Nmap on Windows will need to check out
+ /nmap-mswin32-aux along with /nmap as described at
+ https://nmap.org/book/inst-windows.html#inst-win-source.
+
+o Many of the great features in this release were created by college
+ and grad students generously sponsored by Google's Summer of Code
+ program. Thanks, Google Open Source Department! This year's team
+ of five developers is introduced at
+ http://seclists.org/nmap-dev/2012/q2/204 and their successes
+ documented at http://seclists.org/nmap-dev/2012/q4/138
+
+o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part
+ of version detection when a port seems to run a SunRPC service) with
+ a faster and easier to maintain NSE-based implementation. This also
+ allowed us to remove the crufty old pos_scan scan engine. [Hani
+ Benhabiles]
+
+o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1)
+ rather than 5.1. See http://seclists.org/nmap-dev/2012/q2/34 for
+ details. [Patrick Donnelly]
+
+o [NSE] Added 85(!) NSE scripts, bringing the total up to 433. They
+ are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below (authors are listed in brackets):
+
+ + ajp-auth retrieves the authentication scheme and realm of an AJP
+ service (Apache JServ Protocol) that requires authentication. The
+ Apache JServ Protocol is commonly used by web servers to
+ communicate with back-end Java application server
+ containers. [Patrik Karlsson]
+
+ + ajp-brute performs brute force passwords auditing against the
+ Apache JServ protocol. [Patrik Karlsson]
+
+ + ajp-headers performs a HEAD or GET request against either the root
+ directory or any optional directory of an Apache JServ Protocol
+ server and returns the server response headers. [Patrik Karlsson]
+
+ + ajp-methods discovers which options are supported by the AJP
+ (Apache JServ Protocol) server by sending an OPTIONS request and
+ lists potentially risky methods. [Patrik Karlsson]
+
+ + ajp-request requests a URI over the Apache JServ Protocol and
+ displays the result (or stores it in a file). Different AJP
+ methods such as; GET, HEAD, TRACE, PUT or DELETE may be
+ used. [Patrik Karlsson]
+
+ + bjnp-discover retrieves printer or scanner information from a
+ remote device supporting the BJNP protocol. The protocol is known
+ to be supported by network based Canon devices. [Patrik Karlsson]
+
+ + broadcast-ataoe-discover discovers servers supporting the ATA over
+ Ethernet protocol. ATA over Ethernet is an ethernet protocol
+ developed by the Brantley Coile Company and allows for simple,
+ high-performance access to SATA drives over Ethernet. [Patrik
+ Karlsson]
+
+ + broadcast-bjnp-discover attempts to discover Canon devices
+ (Printers/Scanners) supporting the BJNP protocol by sending BJNP
+ Discover requests to the network broadcast address for both ports
+ associated with the protocol. [Patrik Karlsson]
+
+ + broadcast-eigrp-discovery performs network discovery and routing
+ information gathering through Cisco's EIGRP protocol. [Hani
+ Benhabiles]
+
+ + broadcast-igmp-discovery discovers targets that have IGMP
+ Multicast memberships and grabs interesting information. [Hani
+ Benhabiles]
+
+ + broadcast-pim-discovery discovers routers that are running PIM
+ (Protocol Independent Multicast). [Hani Benhabiles]
+
+ + broadcast-tellstick-discover discovers Telldus Technologies
+ TellStickNet devices on the LAN. The Telldus TellStick is used to
+ wirelessly control electric devices such as lights, dimmers and
+ electric outlets. [Patrik Karlsson]
+
+ + cassandra-brute performs brute force password auditing against the
+ Cassandra database. [Vlatko Kosturjak]
+
+ + cassandra-info attempts to get basic info and server status from a
+ Cassandra database. [Vlatko Kosturjak]
+
+ + cups-info lists printers managed by the CUPS printing
+ service. [Patrik Karlsson]
+
+ + cups-queue-info Lists currently queued print jobs of the remote
+ CUPS service grouped by printer. [Patrik Karlsson]
+
+ + dict-info Connects to a dictionary server using the DICT protocol,
+ runs the SHOW SERVER command, and displays the result. [Patrik
+ Karlsson]
+
+ + distcc-cve2004-2687 detects and exploits a remote code execution
+ vulnerability in the distributed compiler daemon distcc. [Patrik
+ Karlsson]
+
+ + dns-check-zone checks DNS zone configuration against best
+ practices, including RFC 1912. The configuration checks are
+ divided into categories which each have a number of different
+ tests. [Patrik Karlsson]
+
+ + dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
+ network using a technique which analyzes DNS server response codes
+ to dramatically reduce the number of queries needed to enumerate
+ large networks. [Patrik Karlsson]
+
+ + dns-nsec3-enum tries to enumerate domain names from the DNS server
+ that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John
+ Bond]
+
+ + eppc-enum-processes attempts to enumerate process info over the
+ Apple Remote Event protocol. When accessing an application over
+ the Apple Remote Event protocol the service responds with the uid
+ and pid of the application, if it is running, prior to requesting
+ authentication. [Patrik Karlsson]
+
+ + firewall-bypass detects a vulnerability in Netfilter and other
+ firewalls that use helpers to dynamically open ports for protocols
+ such as ftp and sip. [Hani Benhabiles]
+
+ + flume-master-info retrieves information from Flume master HTTP
+ pages. [John R. Bond]
+
+ + gkrellm-info queries a GKRellM service for monitoring
+ information. A single round of collection is made, showing a
+ snapshot of information at the time of the request. [Patrik
+ Karlsson]
+
+ + gpsd-info retrieves GPS time, coordinates and speed from the GPSD
+ network daemon. [Patrik Karlsson]
+
+ + hostmap-robtex discovers hostnames that resolve to the target's IP
+ address by querying the Robtex service at
+ http://www.robtex.com/dns/. [Arturo Busleiman]
+
+ + http-drupal-enum-users enumerates Drupal users by exploiting a an
+ information disclosure vulnerability in Views, Drupal's most
+ popular module. [Hani Benhabiles]
+
+ + http-drupal-modules enumerates the installed Drupal modules by
+ using a list of known modules. [Hani Benhabiles]
+
+ + http-exif-spider spiders a site's images looking for interesting
+ exif data embedded in .jpg files. Displays the make and model of
+ the camera, the date the photo was taken, and the embedded geotag
+ information. [Ron Bowes]
+
+ + http-form-fuzzer performs a simple form fuzzing against forms
+ found on websites. Tries strings and numbers of increasing length
+ and attempts to determine if the fuzzing was successful. [Piotr
+ Olma]
+
+ + http-frontpage-login checks whether target machines are vulnerable
+ to anonymous Frontpage login. [Aleksandar Nikolic]
+
+ + http-git checks for a Git repository found in a website's document
+ root (/.git/<something>) then retrieves as much repo
+ information as possible, including language/framework, Github
+ username, last commit message, and repository description. [Alex
+ Weber]
+
+ + http-gitweb-projects-enum retrieves a list of Git projects, owners
+ and descriptions from a gitweb (web interface to the Git revision
+ control system). [riemann]
+
+ + http-huawei-hg5xx-vuln detects Huawei modems models HG530x,
+ HG520x, HG510x (and possibly others...) vulnerable to a remote
+ credential and information disclosure vulnerability. It also
+ extracts the PPPoE credentials and other interesting configuration
+ values. [Paulino Calderon]
+
+ + http-icloud-findmyiphone retrieves the locations of all "Find my
+ iPhone" enabled iOS devices by querying the MobileMe web service
+ (authentication required). [Patrik Karlsson]
+
+ + http-icloud-sendmsg sends a message to a iOS device through the
+ Apple MobileMe web service. The device has to be registered with
+ an Apple ID using the Find My iPhone application. [Patrik
+ Karlsson]
+
+ + http-phpself-xss crawls a web server and attempts to find PHP
+ files vulnerable to reflected cross site scripting via the
+ variable $_SERVER["PHP_SELF"]. [Paulino Calderon]
+
+ + http-rfi-spider crawls webservers in search of RFI (remote file
+ inclusion) vulnerabilities. It tests every form field it finds and
+ every parameter of a URL containing a query. [Piotr Olma]
+
+ + http-robtex-shared-ns Finds up to 100 domain names which use the
+ same name server as the target by querying the Robtex service at
+ http://www.robtex.com/dns/. [Arturo Busleiman]
+
+ + http-sitemap-generator spiders a web server and displays its
+ directory structure along with number and types of files in each
+ folder. Note that files listed as having an 'Other' extension are
+ ones that have no extension or that are a root document. [Piotr
+ Olma]
+
+ + http-slowloris-check tests a web server for vulnerability to the
+ Slowloris DoS attack without actually launching a DoS
+ attack. [Aleksandar Nikolic]
+
+ + http-slowloris tests a web server for vulnerability to the
+ Slowloris DoS attack by launching a Slowloris attack. [Aleksandar
+ Nikolic, Ange Gutek]
+
+ + http-tplink-dir-traversal exploits a directory traversal
+ vulnerability existing in several TP-Link wireless
+ routers. Attackers may exploit this vulnerability to read any of
+ the configuration and password files remotely and without
+ authentication. [Paulino Calderon]
+
+ + http-traceroute exploits the Max-Forwards HTTP header to detect
+ the presence of reverse proxies. [Hani Benhabiles]
+
+ + http-virustotal checks whether a file has been determined as
+ malware by virustotal. Virustotal is a service that provides the
+ capability to scan a file or check a checksum against a number of
+ the major antivirus vendors. [Patrik Karlsson]
+
+ + http-vlcstreamer-ls connects to a VLC Streamer helper service and
+ lists directory contents. The VLC Streamer helper service is used
+ by the iOS VLC Streamer application to enable streaming of
+ multimedia content from the remote server to the device. [Patrik
+ Karlsson]
+
+ + http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
+ to jmx console authentication bypass (CVE-2010-0738). [Hani
+ Benhabiles]
+
+ + http-waf-fingerprint Tries to detect the presence of a web
+ application firewall and its type and version. [Hani Benhabiles]
+
+ + icap-info tests a list of known ICAP service names and prints
+ information about any it detects. The Internet Content Adaptation
+ Protocol (ICAP) is used to extend transparent proxy servers and is
+ generally used for content filtering and antivirus
+ scanning. [Patrik Karlsson]
+
+ + ip-forwarding detects whether the remote device has ip forwarding
+ or "Internet connection sharing" enabled, by sending an ICMP echo
+ request to a given target using the scanned host as default
+ gateway. [Patrik Karlsson]
+
+ + ipv6-ra-flood generates a flood of Router Advertisements (RA) with
+ random source MAC addresses and IPv6 prefixes. Computers, which
+ have stateless autoconfiguration enabled by default (every major
+ OS), will start to compute IPv6 suffix and update their routing
+ table to reflect the accepted announcement. This will cause 100%
+ CPU usage on Windows and platforms, preventing to process other
+ application requests. [Adam Stevko]
+
+ + irc-sasl-brute performs brute force password auditing against IRC
+ (Internet Relay Chat) servers supporting SASL
+ authentication. [Piotr Olma]
+
+ + isns-info lists portals and iSCSI nodes registered with the
+ Internet Storage Name Service (iSNS). [Patrik Karlsson]
+
+ + jdwp-exec attempts to exploit java's remote debugging port. When
+ remote debugging port is left open, it is possible to inject java
+ bytecode and achieve remote code execution. This script abuses
+ this to inject and execute a Java class file that executes the
+ supplied shell command and returns its output. [Aleksandar
+ Nikolic]
+
+ + jdwp-info attempts to exploit java's remote debugging port. When
+ remote debugging port is left open, it is possible to inject java
+ bytecode and achieve remote code execution. This script injects
+ and execute a Java class file that returns remote system
+ information. [Aleksandar Nikolic]
+
+ + jdwp-inject attempts to exploit java's remote debugging port.
+ When remote debugging port is left open, it is possible to inject
+ java bytecode and achieve remote code execution. This script
+ allows injection of arbitrary class files. [Aleksandar Nikolic]
+
+ + llmnr-resolve resolves a hostname by using the LLMNR (Link-Local
+ Multicast Name Resolution) protocol. [Hani Benhabiles]
+
+ + mcafee-epo-agent check if ePO agent is running on port 8081 or
+ port identified as ePO Agent port. [Didier Stevens and Daniel
+ Miller]
+
+ + metasploit-info gathers info from the Metasploit RPC service. It
+ requires a valid login pair. After authentication it tries to
+ determine Metasploit version and deduce the OS type. Then it
+ creates a new console and executes few commands to get additional
+ info. [Aleksandar Nikolic]
+
+ + metasploit-msgrpc-brute performs brute force username and password
+ auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]
+
+ + mmouse-brute performs brute force password auditing against the
+ RPA Tech Mobile Mouse servers. [Patrik Karlsson]
+
+ + mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
+ application and sends a sequence of keys to it. Any application
+ that the user has access to can be started and the key sequence is
+ sent to the application after it has been started. [Patrik
+ Karlsson]
+
+ + mrinfo queries targets for multicast routing information. [Hani
+ Benhabiles]
+
+ + msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
+ services and displays the gathered information. [Aleksandar
+ Nikolic]
+
+ + ms-sql-dac queries the Microsoft SQL Browser service for the DAC
+ (Dedicated Admin Connection) port of a given (or all) SQL Server
+ instance. The DAC port is used to connect to the database instance
+ when normal connection attempts fail, for example, when server is
+ hanging, out of memory or in other bad states. [Patrik Karlsson]
+
+ + mtrace queries for the multicast path from a source to a
+ destination host. [Hani Benhabiles]
+
+ + mysql-dump-hashes dumps the password hashes from an MySQL server
+ in a format suitable for cracking by tools such as John the
+ Ripper. Appropriate DB privileges (root) are required. [Patrik
+ Karlsson]
+
+ + mysql-query runs a query against a MySQL database and returns the
+ results as a table. [Patrik Karlsson]
+
+ + mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
+ and MariaDB servers by exploiting CVE2012-2122. If its vulnerable,
+ it will also attempt to dump the MySQL usernames and password
+ hashes. [Paulino Calderon]
+
+ + oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a
+ weakness in Oracle's O5LOGIN authentication scheme. The
+ vulnerability exists in Oracle 11g R1/R2 and allows linking the
+ session key to a password hash. [Dhiru Kholia]
+
+ + pcanywhere-brute performs brute force password auditing against
+ the pcAnywhere remote access protocol. [Aleksandar Nikolic]
+
+ + rdp-enum-encryption determines which Security layer and Encryption
+ level is supported by the RDP service. It does so by cycling
+ through all existing protocols and ciphers. [Patrik Karlsson]
+
+ + rmi-vuln-classloader tests whether Java rmiregistry allows class
+ loading. The default configuration of rmiregistry allows loading
+ classes from remote URLs, which can lead to remote code
+ execution. The vendor (Oracle/Sun) classifies this as a design
+ feature. [Aleksandar Nikolic]
+
+ + rpc-grind fingerprints the target RPC port to extract the target
+ service, RPC number and version. [Hani Benhabiles]
+
+ + sip-call-spoof spoofs a call to a SIP phone and detects the action
+ taken by the target (busy, declined, hung up, etc.) [Hani
+ Benhabiles]
+
+ + sip-methods enumerates a SIP Server's allowed methods (INVITE,
+ OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]
+
+ + smb-ls attempts to retrieve useful information about files shared
+ on SMB volumes. The output is intended to resemble the output of
+ the UNIX <code>ls</code> command. [Patrik Karlsson]
+
+ + smb-print-text attempts to print text on a shared printer by
+ calling Print Spooler Service RPC functions. [Aleksandar Nikolic]
+
+ + smb-vuln-ms10-054 tests whether target machines are vulnerable to
+ the ms10-054 SMB remote memory corruption
+ vulnerability. [Aleksandar Nikolic]
+
+ + smb-vuln-ms10-061 tests whether target machines are vulnerable to
+ ms10-061 Printer Spooler impersonation vulnerability. [Aleksandar
+ Nikolic]
+
+ + snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally
+ Defined Users through the hh3c-user.mib OID [Kurt Grutzmacher]
+
+ + ssl-date retrieves a target host's time and date from its TLS
+ ServerHello response. [Aleksandar Nikolic]
+
+ + tls-nextprotoneg enumerates a TLS server's supported protocols by
+ using the next protocol negotiation extension. [Hani Benhabiles]
+
+ + traceroute-geolocation lists the geographic locations of each hop
+ in a traceroute and optionally saves the results to a KML file,
+ plottable on Google earth and maps. [Patrik Karlsson]
+
+o [NSE] Added 12 new protocol libraries, bring our total to 105! Here
+ they are, with authors enclosed in brackets:
+ + ajp (Apache JServ Protocol) [Patrik Karlsson]
+ + base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering]
+ + bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson]
+ + cassandra (Cassandra database protocol) [Vlatko Kosturjak]
+ + eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani Benhabiles]
+ + gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik Karlsson]
+ + ipp (CUPS Internet Printing Protocol) [Patrik Karlsson]
+ + isns (Internet Storage Name Service) [Patrik Karlsson]
+ + jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic]
+ + mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson]
+ + ospf (Open Shortest Path First routing protocol) [Patrik Karlsson]
+ + rdp (Remote Desktop Protocol) [Patrik Karlsson]
+
+o Added Common Platform Enumeration (CPE) identifiers to nearly 1,000
+ more OS detection signatures. Nmap 6.01 had them for 2,608 of 3,572
+ fingerprints (73%) and now we have them for 3,558 out of 3,946
+ (90%). [David Fifield]
+
+o Scans that use OS sockets (including TCP connect scan, version
+ detection, and script scan) now use the SO_BINDTODEVICE sockopt on
+ Linux, so that the -e (select network device) option is
+ honored. [David Fifield]
+
+o [Zenmap] Host filters can now do negative matching, for example you
+ can use "os:!linux" to match hosts NOT detected as Linux. [Daniel
+ Miller]
+
+o Fixed a bug that caused an incorrect source address to be set when
+ scanning certain addresses (apparently those ending in .0) on
+ Windows XP. The symptom of this bug was the messages
+ get_srcaddr: can't connect socket: The requested address is not valid in its context.
+ Failed to convert source address to presentation format!?! Error: Unknown error
+ Thanks to Robert Washam and Jorge Hernandez for reports and help
+ debugging. [David Fifield]
+
+o Upgraded the included OpenSSL to version 1.0.1c. [David Fifield]
+
+o [NSE] Added changes to brute and unpwdb libraries to allow more
+ flexible iterator specification and control. [Aleksandar Nikolic]
+
+o Tested that our WinPcap installer works on Windows 8 and Windows
+ Server 2012 build 8400. Updated to installer text to recommend that
+ users select the option to start 'NPF' at startup. [Rob Nicholls]
+
+o Changed libdnet's routing interface to return an interface name for
+ each route on the most common operating systems. This is used to
+ improve the quality of Nmap's matching of routes to interfaces,
+ which was previously done by matching routes to interface addresses.
+ [Djalal Harouni, David Fifield]
+
+o Fixed a bug that prevented Nmap from finding any interfaces when one
+ of them had the type ARPHDR_INFINIBAND; this was the case for
+ IP-over-InfiniBand interfaces. However, This support is not complete
+ since IPoIB interfaces use 20 bytes for the hardware address, and
+ currently we only report and handle 6 bytes.
+ Nmap IP level scans should work without any problem, please refer to
+ the '--send-ip' switch and to the following thread:
+ http://seclists.org/nmap-dev/2012/q3/642
+ This bug was reported by starlight.2012q3. [Djalal Harouni]
+
+o Fixed a bug that prevented Nmap from finding any interfaces when one
+ of them had the type ARPHDR_IEEE80211; this was the case for wireless
+ interfaces operating in access point mode. This bug was reported by
+ Sebastiaan Vileijn. [Djalal Harouni]
+
+o Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher
+ resolution ones. [Sean Rivera, David Fifield]
+
+o [NSE] Script results for a host or service are now sorted
+ alphabetically by script name. [Sean Rivera]
+
+o Fixed a bug that prevented Nmap from finding any interfaces when any
+ interface had the type ARPHRD_VOID; this was the case for OpenVZ
+ venet interfaces. [Djalal Harouni, David Fifield]
+
+o Linux unreachable routes are now properly ignored. [David Fifield]
+
+o Added Dan Miller as an Nmap committer. He has done a ton of great
+ work on Nmap, as you can see by searching for him in this CHANGELOG
+ or reading the Nmap committers list at
+ https://svn.nmap.org/nmap/docs/committers.txt .
+
+o Added a new --disable-arp-ping option. This option prevents Nmap
+ from implicitly using ARP or ND host discovery for discovering
+ directly connected Ethernet targets. This is useful in networks
+ using proxy ARP, which make all addresses appear to be up using ARP
+ scan. The previously recommended workaround for this situation,
+ --send-ip, didn't work on Windows because that lame excuse for an
+ operating system is still missing raw socket support. [David
+ Fifield (editorializing added by Fyodor)]
+
+o Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports
+ 80, 40125, and 80 respectively, instead of being randomly generated
+ or going to the same port as the source port. [David Fifield]
+
+o The Nmap --log-errors functionality (including errors and warnings
+ in the normal-format output file) is now always true, whether you
+ pass that option or not. [Sean Rivera]
+
+o [NSE] Rewrote ftp-brute script to use the brute library for
+ performing password auditing. [Aleksandar Nikolic]
+
+o Reduced the size of Port structures by about two thirds (from 176 to
+ 64 bytes on x86_64). They had accidentally grown during the IPv6
+ code merge. [David Fifield]
+
+o Made source port numbers (used to encode probe metadata) increment
+ so as not to overlap between different scanning phases. Previously
+ it was possible for an RST response to an ACK probe from host
+ discovery to be misinterpreted as a reply to a SYN probe from port
+ scanning. [Sean Rivera, David Fifield]
+
+o [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Števko]
+
+o Changed the CPE for Linux from cpe:/o:linux:kernel to
+ cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE
+ dictionary.
+
+o Added some additional CPE entries to nmap-service-probes.
+ [Dillon Graham]
+
+o Fixed an assertion failure with IPv6 traceroute trying to use an
+ unsupported protocol:
+ nmap: traceroute.cc:749: virtual unsigned char*
+ UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion
+ `source->ss_family == 2' failed.
+ This was reported by Pierre Emeriaud. [David Fifield]
+
+o Added version detection signatures for half a dozen new or changed
+ products. [Tom Sellers]
+
+o Fixed protocol number-to-name mapping. A patch was contributed by
+ hejianet.
+
+o [NSE] The nmap.ip_send function now takes a second argument, the
+ destination to send to. Previously the destination address was taken
+ from the packet buffer, but this failed for IPv6 link-local
+ addresses, because the scope ID is not part of the packet. Calling
+ ip_send without a destination address will continue to use the old
+ behavior, but this practice is deprecated.
+
+o Increased portability of configure scripts on systems using a libc
+ other than Glibc. Several problems were reported by John Spencer.
+
+o [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP
+ ports to be wrongly marked open. This was reported by Christopher
+ Clements. [David Fifield]
+
+o [Ncat] Close connection endpoint when receiving EOF on
+ stdin. [Michal Hlavinka].
+
+o Fixed interface listing on NetBSD. The bug was first noticed by
+ Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield]
+
+o [Ncat] Applied a blocking-socket workaround for a bug that could
+ prevent some sends from working in listen mode. The problem was
+ reported by Jonas Wielicki. [Alex Weber, David Fifield]
+
+o [NSE] Updated mssql.lua library to support additional data types,
+ enhanced some of the existing data types, added the DoneProc
+ response token, and reordered code for maintainability. [Tom
+ Sellers]
+
+o [Nping] Nping now prints out an error and exists when the user tries to use
+ the -p flag for a scan option where that is meaningless. [Sean Rivera]
+
+o [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar Nikolic]
+
+o [NSE] Reduced the number of names tried by http-vhosts by default.
+ [Vlatko Kosturjak]
+
+o [Zenmap] Fixed a crash when using the en_NG locale: "ValueError:
+ unknown locale: en_NG" [David Fifield]
+
+o [NSE] Fixed some bugs in snmp-interfaces which prevented the script from
+ outputting discovered interface info and caused it to abort in the
+ pre-scanning phase. [jah]
+
+o [NSE] Do a connect on rpc-grind (rpc.lua) UDP sockets so that socket_lock
+ is invoked. This is necessary to avoid "Too many open files" errors if
+ RPC grind creates an excessive number of sockets. We should have a
+ cleaner general solution for this, and not require scripts to "connect"
+ their unconnected UDP sockets. But there may be a good reason for
+ enforcing socket locking only on connect, not on creation. [David Fifield]
+
+o [NSE] lltd-discovery scripts now parses for hostnames and outputs network
+ card manufacturer. [Hani Benhabiles]
+
+o Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b),
+ fragment (0x2c), and destination (0x3c). [Sean Rivera]
+
+o [NSE] Added support for decoding OSPF Hello packets to broadcast-listener.
+ [Hani Benhabiles]
+
+o [NSE] Fixed a false positive in http-vuln-cve2011-3192.nse, which detected
+ Apache 2.2.22 as vulnerable. [Michael Meyer]
+
+o [NSE] Modified multiple scripts that operated against HTTP based services
+ so as to remove false positives that were generated when the target service
+ answers with a 200 response to all requests. [Tom Sellers]
+
+o [NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognized FDs
+ that were internally closed and replaced by other ones. This happened during
+ reconnect attempts. Also, the IOD flags were not properly cleared.
+ [Henri Doreau, Daniel Miller]
+
+o Added support for log type bitmasks in log_vwrite(). Also replaced a fatal()
+ statement by an assert(0) to get rid of a possible infinite call loop when
+ passed an invalid log type. [Henri Doreau]
+
+o Added handling for the unexpected error WSAENETRESET (10052). This error is
+ currently wrapped in the ifdef for WIN32 as there error appears to be unique
+ to windows [Sean Rivera]
+
+o [NSE] Added default values for Expires, Call-ID, Allow and Content-Length
+ headers in SIP requests and removed redundant code in sip library.
+ [Hani Benhabiles]
+
+o [NSE] Calling methods of unconnected sockets now causes the usual
+ error code return value, instead of raising a Lua error. The problem
+ was noticed by Daniel Miller. [David Fifield]
+
+o [NSE] Added AUTH_UNIX support to the rpc library and NFS scripts.
+ [Daniel Miller]
+
+o [Zenmap] Fixed a crash in the profile editor that would happen when
+ the nmap binary couldn't be found. [David Fifield]
+
+o Made the various Makefiles' treatment of makefile.dep uniform:
+ "make clean" keeps the file and "make distclean" deletes it.
+ [Michael McTernan]
+
+o [NSE] Fixed dozens of scripts and libraries to work better on
+ system which don't have OpenSSL available. [Patrik Karlsson]
+
+o [Ncat] --output logging now works in UDP mode. Thanks to Michal
+ Hlavinka for reporting the bug. [David Fifield]
+
+o [NSE] More Windows 7 and Windows 2008 fixes for the smb library and smb-ls
+ scripts. [Patrik Karlsson]
+
+o [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008 to
+ the smb library. [Patrik Karlsson]
+
+o [NSE] Changed http-brute so that it works against the root path
+ ("/") by default rather than always requiring the http-brute.path
+ script argument. [Fyodor]
+
+o [NSE] Applied patch from Daniel Miller that fixes bug in several scripts and
+ libraries http://seclists.org/nmap-dev/2012/q2/593 [Daniel Miller]
+
+o [Zenmap] Added Italian translation by Francesco Tombolini and
+ Japanese translation by Yujiy Tounai. Some typos in the Japanese
+ translation were corrected by OKANO Takayoshi.
+
+o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic]
+
+o Improved the mysql library to handle multiple columns with the same name,
+ added a formatResultset function to format a query response to a table
+ suitable for script output. [Patrik Karlsson]
+
+o The message "nexthost: failed to determine route to ..." is now a
+ warning rather than a fatal error. Addresses that are skipped in
+ this way are recorded in the XML output as "target" elements. [David
+ Fifield]
+
+o [NSE] targets-sniffer now is capable of sniffing IPv6 addresses.
+ [Daniel Miller]
+
+o [NSE] Ported the pop3-brute script to use the brute library.
+ [Piotr Olma]
+
+o [NSE] Added an error message indicating script failure, when Nmap is being
+ run in non verbose/debug mode. [Patrik Karlsson]
+
+o Service-scan information is now included in XML and grepable output
+ even if -sV wasn't used. This information can be set by scripts in the
+ absence of -sV. [Daniel Miller]
+
+Nmap 6.01 [2012-06-16]
+
+o [Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom
+ of the hang was this message in the system console:
+ Couldn't recognize the image file format for file
+ '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'
+ [David Fifield]
+
+o [Zenmap] Fixed a crash that happened when activating the host filter.
+ File "zenmapCore\SearchResult.pyo", line 155, in match_os
+ KeyError: 'osmatches'
+ [jah]
+
+o Fixed an error that occurred when scanning certain addresses like
+ 192.168.0.0 on Windows XP:
+ get_srcaddr: can't connect socket: The requested address is not valid in its context.
+ nexthost: failed to determine route to 10.80.0.0
+ [David Fifield]
+
+o Fixed a bug that caused Nmap to fail to find any network interface when
+ at least one of them is in the monitor mode. The fix was to define the
+ ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the
+ libdnet-stripped code. Network interfaces that are in this mode are used
+ by radiotap for 802.11 frame injection and reception. The bug was
+ reported by Tom Eichstaedt and Henri Doreau.
+ http://seclists.org/nmap-dev/2012/q2/449
+ http://seclists.org/nmap-dev/2012/q2/478
+ [Djalal Harouni, Henri Doreau]
+
+o Fixed the greppable output of hosts that time-out (when --host-timeout was
+ used and the host timed-out after something was received from that host).
+ This issue was reported by Matthew Morgan. [jah]
+
+o [Zenmap] Updated the version of Python used to build the Windows
+ release from 2.7.1 to 2.7.3 to remove a false-positive security
+ alarm flagged by tools such as Secunia PSI. There was a minor
+ vulnerability in certain Python27.dll web functionality (which Nmap
+ doesn't use anyway) and Secunia was flagging all software which
+ includes that version of Python27.dll. This update should prevent
+ the false alarm.
+
+Nmap 6.00 [2012-05-21]
+
+o Most important release since Nmap 5.00 in July 2009! For a list of
+ the most significant improvements and new features, see the
+ announcement at: https://nmap.org/6/
+
+o In XML output, "osclass" elements are now child elements of the
+ "osmatch" they belong to. Old output was thus:
+ <os><osclass/><osclass/>...<osmatch/><osmatch/>...</os>
+ New output is:
+ <os><osmatch><osclass/><osclass/>...</osmatch>...</os>
+ The option --deprecated-xml-osclass restores the old output, in case
+ you use an Nmap XML parser that doesn't understand the new
+ structure. The xmloutputversion has been increased to 1.04.
+
+o Added a new "target" element to XML output that indicates when a
+ target specification was ignored, perhaps because of a syntax error
+ or DNS failure. It looks like this:
+ <target specification="1.2.3.4.5" status="skipped" reason="invalid"/>
+ [David Fifield]
+
+o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the
+ SAMBA pre-auth remote root vulnerability (CVE-2012-1182).
+ [Aleksandar Nikolic]
+
+o [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI
+ installations with a remote code execution vulnerability. [Paulino
+ Calderon]
+
+o [NSE] Added script targets-ipv6-mld that sends a malformed ICMP6 MLD Query
+ to discover IPv6 enabled hosts on the LAN. [Niteesh Kumar]
+
+o [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests
+ for two Remote Desktop vulnerabilities, including one allowing
+ remote code execution, that were fixed in the MS12-020 advisory.
+
+o [NSE] Added a stun library and the scripts stun-version and stun-info, which
+ extract version information and the external NAT:ed address.
+ [Patrik Karlsson]
+
+o [NSE] Added the script duplicates which attempts to determine duplicate
+ hosts by analyzing information collected by other scripts. [Patrik Karlsson]
+
+o Fixed the routing table loop on OS X so that on-link routes appear.
+ Previously, they were ignored so that things like ARP scan didn't
+ work. [Patrik Karlsson, David Fifield]
+
+o Upgraded included libpcap to version 1.2.1.
+
+o [NSE] Added ciphers from RFC 5932 and Fortezza-based ciphers to
+ ssl-enum-ciphers.nse. The patch was submitted by Darren McDonald.
+
+o [NSE] Renamed hostmap.nse to hostmap-bfk.nse.
+
+o Fixed a compilation problem on Solaris 9 caused by a missing
+ definition of IPV6_V6ONLY. Reported by Dagobert Michelsen.
+
+o Setting --min-parallelism by itself no longer forces the maximum
+ parallelism to the same value. [Chris Woodbury, David Fifield]
+
+o Changed XML output to show the "service" element whenever a tunnel
+ is discovered for a port, even if the service behind it was unknown.
+ [Matt Foster]
+
+o [Zenmap] Fixed a crash that would happen in the profile editor when
+ the script.db file doesn't exist. The bug was reported by Daniel
+ Miller.
+
+o [Zenmap] It is now possible to compare scans having the same name or
+ command line parameters. [Jah, David Fifield]
+
+o Fixed an error that could occur with ICMPv6 probes and -d4 debugging:
+ "Unexpected probespec2ascii type encountered" [David Fifield]
+
+o [NSE] Added new script http-chrono, which measures min, max and average
+ response times of web servers. [Ange Gutek]
+
+o Applied a workaround to make pcap captures work better on Solaris
+ 10. This involves peeking at the pcap buffer to ensure that captures
+ are not being lost. A symptom of the previous behavior was that,
+ when doing ARP host discovery against two targets, only one would be
+ reported as up. [David Fifield]
+
+o Fixed a bug that could cause Nsock timers to fire too early. This
+ could happen for the timed probes in IPv6 OS detection, causing an
+ incorrect measurement of the TCP_ISR feature. [David Fifield]
+
+o [Zenmap] We now build on Windows with a newer version of PyGTK, so
+ copy and paste should work again.
+
+o Changed the way timeout calculations are made in the IPv6 OS engine.
+ In rare cases a certain interleaving of probes and responses would
+ result in an assertion failure.
+
+Nmap 5.61TEST5 [2012-03-09]
+
+o Integrated all of your IPv4 OS fingerprint submissions since June
+ 2011 (about 1,900 of them). Added about 256 new fingerprints (and
+ deleted some bogus ones), bringing the new total to 3,572.
+ Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
+ through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
+ devices. Many existing fingerprints were improved. For more details,
+ see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]
+
+o Integrated all of your service/version detection fingerprints
+ submitted since November 2010--more than 2,500 of them! Our
+ signature count increased more than 10% to 7,423 covering 862
+ protocols. Some amusing and bizarre new services are described at
+ http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]
+
+o Integrated your latest IPv6 OS submissions and corrections. We're
+ still low on IPv6 fingerprints, so please scan any IPv6 systems you
+ own or administer and submit them to https://nmap.org/submit/. Both
+ new fingerprints (if Nmap doesn't find a good match) and corrections
+ (if Nmap guesses wrong) are useful.
+
+o [NSE] Added a host-based registry which only persists (for the given
+ host) until all scripts have finished scanning that host. The normal
+ registry saves information until it is deleted or the Nmap scan
+ ends. That is a waste of memory for information which doesn't need
+ to persist that long. Use the host based registry instead if you
+ can. See https://nmap.org/book/nse-api.html#nse-api-registry. [Patrik
+ Karlsson]
+
+o IPv6 OS detection now includes a novelty detection system which
+ avoids printing a match when an observed fingerprint is too
+ different from fingerprints seen before. As the OS database is still
+ small, this helps to avoid making (essentially) wild guesses when
+ seeing a new operating system. [David Fifield]
+
+o Refactored the nsock library to add the nsock-engines system. This
+ allows system-specific scalable IO notification facilities to be
+ used while maintaining the portable Nsock API. This initial version
+ comes with an epoll-based engine for Linux and a select-based
+ fallback engine for all other operating systems. Also added the
+ --nsock-engine option to Nmap, Nping and Ncat to enforce use of a
+ specific Nsock IO engine. [Henri Doreau]
+
+o [NSE] Added 43(!) NSE scripts, bringing the total up to 340. They
+ are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below (authors are listed in brackets):
+
+ + acarsd-info retrieves information from a listening acarsd
+ daemon. Acarsd decodes ACARS (Aircraft Communication Addressing
+ and Reporting System) data in real time. [Brendan Coles]
+
+ + asn-to-prefix produces a list of IP prefixes for a given AS number
+ (ASN). It uses the external Shadowserver API (with their
+ permission). [John Bond]
+
+ + broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
+ DHCPv6 multicast address, parses the response, then extracts and
+ prints the address along with any options returned by the
+ server. [Patrik Karlsson]
+
+ + broadcast-networker-discover discovers the EMC Networker backup
+ software server on a LAN by using network broadcasts. [Patrik Karlsson]
+
+ + broadcast-pppoe-discover discovers PPPoE servers using the PPPoE
+ Discovery protocol (PPPoED). [Patrik Karlsson]
+
+ + broadcast-ripng-discover discovers hosts and routing information
+ from devices running RIPng on the LAN by sending a RIPng Request
+ command and collecting the responses from all responsive
+ devices. [Patrik Karlsson]
+
+ + broadcast-versant-locate discovers Versant object databases using
+ the srvloc protocol. [Patrik Karlsson]
+
+ + broadcast-xdmcp-discover discovers servers running the X Display
+ Manager Control Protocol (XDMCP) by sending a XDMCP broadcast
+ request to the LAN. [Patrik Karlsson]
+
+ + cccam-version detects the CCcam service (software for sharing
+ subscription TV among multiple receivers). [David Fifield]
+
+ + dns-client-subnet-scan performs a domain lookup using the
+ edns-client-subnet option that adds support for adding subnet
+ information to the query describing where the query is
+ originating. The script uses this option to supply a number of
+ geographically distributed locations in an attempt to enumerate as
+ many different address records as possible. [John Bond]
+
+ + dns-nsid retrieves information from a DNS nameserver by requesting
+ its nameserver ID (nsid) and asking for its id.server and
+ version.bind values. [John Bond]
+
+ + dns-srv-enum enumerates various common service (SRV) records for a
+ given domain name. The service records contain the hostname, port
+ and priority of servers for a given service. [Patrik Karlsson]
+
+ + eap-info enumerates the authentication methods offered by an EAP
+ authenticator for a given identity or for the anonymous identity
+ if no argument is passed. [Riccardo Cecolin]
+
+ + http-auth-finder spiders a web site to find web pages requiring
+ form-based or HTTP-based authentication. [Patrik Karlsson]
+
+ + http-config-backup checks for backups and swap files of common
+ content management system and web server configuration
+ files. [Riccardo Cecolin]
+
+ + http-generator displays the contents of the "generator" meta tag
+ of a web page (default: /) if there is one. [Michael Kohl]
+
+ + http-proxy-brute performs brute force password guessing against a
+ HTTP proxy server. [Patrik Karlsson]
+
+ + http-qnap-nas-info attempts to retrieve the model, firmware
+ version, and enabled services from a QNAP Network Attached Storage
+ (NAS) device. [Brendan Coles]
+
+ + http-vuln-cve2009-3960 exploits cve-2009-3960 also known as Adobe
+ XML External Entity Injection. [Hani Benhabiles]
+
+ + http-vuln-cve2010-2861 executes a directory traversal attack
+ against a ColdFusion server and tries to grab the password hash
+ for the administrator user. It then uses the salt value (hidden in
+ the web page) to create the SHA1 HMAC hash that the web server
+ needs for authentication as admin. [Micah Hoffman]
+
+ + iax2-brute performs brute force password auditing against the
+ Asterisk IAX2 protocol. [Patrik Karlsson]
+
+ + membase-brute performs brute force password auditing against
+ Couchbase Membase servers. [Patrik Karlsson]
+
+ + membase-http-info retrieves information (hostname, OS, uptime,
+ etc.) from the CouchBase Web Administration port. [Patrik
+ Karlsson]
+
+ + memcached-info retrieves information (including system
+ architecture, process ID, and server time) from distributed memory
+ object caching system memcached. [Patrik Karlsson]
+
+ + mongodb-brute performs brute force password auditing against the
+ MongoDB database. [Patrik Karlsson]
+
+ + nat-pmp-mapport maps a WAN port on the router to a local port on
+ the client using the NAT Port Mapping Protocol (NAT-PMP). [Patrik
+ Karlsson]
+
+ + ndmp-fs-info lists remote file systems by querying the remote
+ device using the Network Data Management Protocol (ndmp). [Patrik
+ Karlsson]
+
+ + ndmp-version retrieves version information from the remote Network
+ Data Management Protocol (NDMP) service. [Patrik Karlsson]
+
+ + nessus-xmlrpc-brute performs brute force password auditing against
+ a Nessus vulnerability scanning daemon using the XMLRPC
+ protocol. [Patrik Karlsson]
+
+ + redis-brute performs brute force passwords auditing against a
+ Redis key-value store. [Patrik Karlsson]
+
+ + redis-info retrieves information (such as version number and
+ architecture) from a Redis key-value store. [Patrik Karlsson]
+
+ + riak-http-info retrieves information (such as node name and
+ architecture) from a Basho Riak distributed database using the
+ HTTP protocol. [Patrik Karlsson]
+
+ + rpcap-brute performs brute force password auditing against the
+ WinPcap Remote Capture Daemon (rpcap). [Patrik Karlsson]
+
+ + rpcap-info connects to the rpcap service (provides remote sniffing
+ capabilities through WinPcap) and retrieves interface
+ information. [Patrik Karlsson]
+
+ + rsync-brute performs brute force password auditing against the
+ rsync remote file syncing protocol. [Patrik Karlsson]
+
+ + rsync-list-modules lists modules available for rsync (remote file
+ sync) synchronization. [Patrik Karlsson]
+
+ + socks-auth-info determines the supported authentication mechanisms
+ of a remote SOCKS 5 proxy server. [Patrik Karlsson]
+
+ + socks-brute performs brute force password auditing against SOCKS 5
+ proxy servers. [Patrik Karlsson]
+
+ + url-snarf sniffs an interface for HTTP traffic and dumps any URLs, and their
+ originating IP address. [Patrik Karlsson]
+
+ + versant-info extracts information, including file paths, version
+ and database names from a Versant object database. [Patrik
+ Karlsson]
+
+ + vmauthd-brute performs brute force password auditing against the
+ VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]
+
+ + voldemort-info retrieves cluster and store information from the
+ Voldemort distributed key-value store using the Voldemort Native
+ Protocol. [Patrik Karlsson]
+
+ + xdmcp-discover requests an XDMCP (X display manager control
+ protocol) session and lists supported authentication and
+ authorization mechanisms. [Patrik Karlsson]
+
+o [NSE] Added 14 new protocol libraries! They were all written by
+ Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
+ + dhcp6 (Dynamic Host Configuration Protocol for IPv6)
+ + eap (Extensible Authentication Protocol)
+ + iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
+ + membase (Couchbase Membase TAP protocol)
+ + natpmp (NAT Port Mapping Protocol)
+ + ndmp (Network Data Management Protocol)
+ + pppoe (Point-to-point protocol over Ethernet)
+ + redis (in-memory key-value data store)
+ + rpcap (WinPcap Remote Capture Deamon)
+ + rsync (remote file sync)
+ + socks (SOCKS 5 proxy protocol)
+ + sslcert (for collecting SSL certificates and storing them in the
+ host-based registry)
+ + versant (an object database)
+ + xdmcp (X Display Manager Control Protocol)
+
+o CPE (Common Platform Enumeration) OS classification is now supported
+ for IPv6 OS detection. Previously it was only available for
+ IPv4. [David Fifield]
+
+o [NSE] The host.os table is now a structured array of table that
+ include OS class information and CPE. See
+ https://nmap.org/book/nse-api.html for documentation of the new
+ structure. [Henri Doreau, David]
+
+o [NSE] Service matches can now access CPE through the
+ port.version.cpe array. [Henri Doreau]
+
+o Added a new --script-args-file option which allows you to specify
+ the name of a file containing all of your desired NSE script
+ arguments. The arguments may be separated with commas or newlines
+ and may be overridden by arguments specified on the command-line
+ with --script-args. [Daniel Miller]
+
+o Audited the nmap-service-probes database to remove all unused
+ captures, fixing dozens of bugs with captures either being ignored
+ or two fields erroneously using the same capture. [Lauri Kokkonen,
+ David Fifield, and Rob Nicholls]
+
+o Added new version detection probes and match lines for:
+ + Erlang Port Mapper Daemon
+ + Couchbase Membase NoSQL database
+ + Basho Riak distributed database protocol buffers client (PBC)
+ + Tarantool in-memory data store
+ [Patrik Karlsson]
+
+o Split the nmap-update client into its own binary RPM to avoid the
+ Nmap RPM having a dependency on the Subversion and APR libraries.
+ We're not yet distributing this binary nmap-update RPM since the
+ system isn't complete, but the source code is available in the Nmap
+ tarball and source RPM. [David]
+
+o [NSE] Added authentication support to the MongoDB library and
+ modified existing scripts to support it. [Patrik Karlsson]
+
+o [NSE] Added support to broadcast-listener for extracting address, native VLAN
+ and management IP address from CDP packets. [Tom Sellers]
+
+o [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be
+ unconnected in order to support broadcast. [Patrik Karlsson]
+
+o [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to
+ take advantage of the new sslcert library which retrieves and caches
+ SSL certificates in the registry.
+
+o [NSE] Patch our bitcoin library to support recent changes in the
+ BitCoin protocol. [Andrew Orr, Patrik Karlsson]
+
+o Fixed an error where very long messages could cause an
+ assertion failure: "log_vwrite: vsnprintf failed. Even after
+ increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)."
+ This was reported by David Hingos.
+
+o Fixed an assertion failure that was printed when a fatal error
+ occurred while an XML tag was incomplete: "!xml.tag_open, file
+ ..\xml.cc, line 401". This was reported by David Hingos. [David
+ Fifield]
+
+o [NSE] Added support for decoding EIGRP broadcasts from Cisco routers
+ to broadcast-listener. [Tom Sellers]
+
+o [NSE] Added redirect support to the http library. All calls to
+ http.get and http.head now transparently handle any HTTP
+ redirects. The number and destination of redirects are limited by
+ default to avoid endless loops or unwanted follows of redirects to
+ different servers, but they can be configured. [Patrik Karlsson]
+
+o [NSE] Modified the sql-injection script to use the httpspider library.
+ [Lauri Kokkonen]
+
+o Added --with-apr and --with-subversion configuration options to
+ support systems where those libraries aren't in the usual places.
+ [David Fifield]
+
+o [NSE] Fixed a bunch of global access errors in various libraries reported by
+ the nse_check_globals script. [Patrik Karlsson]
+
+o Fixed an assertion failure which could occur when connecting to an
+ SSL server:
+ nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
+ Thanks to Ron for reporting the bug and testing. [Henri Doreau]
+
+o [NSE] Added support to the DNS library for the CHAOS class and NSID
+ requests. [John Bond]
+
+o [NSE] Changed the dnsbl library to take a much faster threaded
+ approach to querying DNS blacklists. [Patrik Karlsson]
+
+o [NSE] Added new services and the ATTACK category to the dnsbl
+ script. [Duarte Silva]
+
+o [NSE] Fixed a memory leak in PortList::setServiceProbeResults()
+ which was noticed and reported by David Fifield. The leak was
+ triggered by set_port_version calls from NSE. [Henri Doreau]
+
+o [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
+ could cause responses to be missed on fast networks. It was noticed
+ by Vasiliy Kulikov. [David Fifield]
+
+o Fixed a bug in reverse name resolution: a name of "." would leave
+ the hostname unintialized and cause "Illegal character(s) in
+ hostname" warnings. [Gisle Vanem]
+
+o Allow overriding the AR variable to use a different version of the
+ ar library creation tool when creating the liblinear library. [Nuno
+ Gonçalves]
+
+o Added vcredist2008_x86.exe to the Windows zip file. This installer
+ from MS must be run on new Windows 2008 systems (those which don't
+ already have it) before running Nmap. The Nmap Windows installer
+ already takes care of this. [David Fifield]
+
+o Removed about 5MB of unnecessary DocBook XSL from the Nping docs
+ directory. [David Fifield]
+
+o The packet library now uses consistent naming of the address fields
+ for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and
+ ip_dst). [Henri Doreau]
+
+o Update to the latest MAC address prefix assignments from IEEE as of
+ March 8, 2012. [Fyodor]
+
+o Fixed a problem in the ippackethdrinfo function which was leading to
+ warning messages like: "BOGUS! Can't parse supposed IP packet" during
+ certain IPv6 scans. [David Fifield]
+
+o Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be
+ modified to ensure that -lnl was passed on the build line. See the
+ r28202 svn log for further information. [David Fifield]
+
+o Include net/if.h before net/if_arp.h in netutil.cc and tcpip.cc to
+ hopefully fix some build problems on AIX 5.3.
+
+o [NSE] Added IPv6 support to firewalk.nse. [Henri Doreau]
+
+Nmap 5.61TEST4 [2012-01-02]
+
+o [NSE] Added a new httpspider library which is used for recursively
+ crawling web sites for information. New scripts using this
+ functionality include http-backup-finder, http-email-harvest,
+ http-grep, http-open-redirect, and http-unsafe-output-escaping. See
+ https://nmap.org/nsedoc/ or the list later in this file for details
+ on these. [Patrik]
+
+o Our Mac OS X packages are now x86-only (rather than universal),
+ reducing the download size from 30 MB to about 17. If you still
+ need a PowerPC version (Apple stopped selling those machines in
+ 2006), you can use Nmap 5.51 or 5.61TEST2 from
+ https://nmap.org/dist/?C=M&O=D.
+
+o We set up a new SVN server for the Nmap codebase. This one uses SSL
+ for better security, WebDAV rather than svnserve for greater
+ functionality, is hosted on a faster (virtual) machine, provides
+ Nmap code history back to 1998 rather than 2005, and removes the
+ need for the special "guest" username. The new server is at
+ https://svn.nmap.org. More information:
+ http://seclists.org/nmap-dev/2011/q4/504.
+
+o [NSE] Added a vulnerability management library (vulns.lua) to store and to
+ report discovered vulnerabilities. Modified these scripts to use
+ the new library:
+ - ftp-libopie.nse
+ - http-vuln-cve2011-3192.nse
+ - ftp-vuln-cve2010-4221.nse
+ - ftp-vsftpd-backdoor.nse
+ - smtp-vuln-cve2011-1720.nse
+ - smtp-vuln-cve2011-1764.nse
+ - afp-path-vuln.nse
+ [Djalal, Henri]
+
+o [NSE] Added a new script force feature. You can force scripts to
+ run against target ports (even if the "wrong" service is detected)
+ by placing a plus in front of the script name passed to --script.
+ See
+ https://nmap.org/book/nse-usage.html#nse-script-selection. [Martin
+ Swende]
+
+o [NSE] Added 51(!) NSE scripts, bringing the total up to 297. They
+ are all listed at https://nmap.org/nsedoc/, and the summaries are
+ below (authors listed in brackets):
+
+ + amqp-info gathers information (a list of all server properties)
+ from an AMQP (advanced message queuing protocol)
+ server. [Sebastian Dragomir]
+
+ + bitcoin-getaddr queries a Bitcoin server for a list of known
+ Bitcoin nodes. [Patrik Karlsson]
+
+ + bitcoin-info extracts version and node information from a Bitcoin
+ server [Patrik Karlsson]
+
+ + bitcoinrpc-info obtains information from a Bitcoin server by
+ calling getinfo on its JSON-RPC interface. [Toni
+ Ruottu]
+
+ + broadcast-pc-anywhere sends a special broadcast probe to discover
+ PC-Anywhere hosts running on a LAN. [Patrik Karlsson]
+
+ + broadcast-pc-duo discovers PC-DUO remote control hosts and
+ gateways running on the LAN. [Patrik Karlsson]
+
+ + broadcast-rip-discover discovers hosts and routing information
+ from devices running RIPv2 on the LAN. It does so by sending a
+ RIPv2 Request command and collects the responses from all devices
+ responding to the request. [Patrik Karlsson]
+
+ + broadcast-sybase-asa-discover discovers Sybase Anywhere servers on
+ the LAN by sending broadcast discovery messages. [Patrik Karlsson]
+
+ + broadcast-wake-on-lan wakes a remote system up from sleep by
+ sending a Wake-On-Lan packet. [Patrik Karlsson]
+
+ + broadcast-wpad-discover Retrieves a list of proxy servers on the
+ LAN using the Web Proxy Autodiscovery Protocol (WPAD). [Patrik
+ Karlsson]
+
+ + dns-blacklist checks target IP addresses against multiple DNS
+ anti-spam and open proxy blacklists and returns a list of services
+ where the IP has been blacklisted. [Patrik Karlsson]
+
+ + dns-zeustracker checks if the target IP range is part of a Zeus
+ botnet by querying ZTDNS @ abuse.ch. [Mikael Keri]
+
+ + ganglia-info retrieves system information (OS version, available
+ memory, etc.) from a listening Ganglia Monitoring Daemon or
+ Ganglia Meta Daemon. [Brendan Coles]
+
+ + hadoop-datanode-info discovers information such as log directories
+ from an Apache Hadoop DataNode HTTP status page. [John R. Bond]
+
+ + hadoop-jobtracker-info retrieves information from an Apache Hadoop
+ JobTracker HTTP status page. [John R. Bond]
+
+ + hadoop-namenode-info retrieves information from an Apache Hadoop
+ NameNode HTTP status page. [John R. Bond]
+
+ + hadoop-secondary-namenode-info retrieves information from an
+ Apache Hadoop secondary NameNode HTTP status page. [John R. Bond]
+
+ + hadoop-tasktracker-info retrieves information from an Apache
+ Hadoop TaskTracker HTTP status page. [John R. Bond]
+
+ + hbase-master-info retrieves information from an Apache HBase
+ (Hadoop database) master HTTP status page. [John R. Bond]
+
+ + hbase-region-info retrieves information from an Apache HBase
+ (Hadoop database) region server HTTP status page. [John R. Bond]
+
+ + http-apache-negotiation checks if the target http server has
+ mod_negotiation enabled. This feature can be leveraged to find
+ hidden resources and spider a web site using fewer requests. [Hani
+ Benhabiles]
+
+ + http-backup-finder Spiders a website and attempts to identify
+ backup copies of discovered files. It does so by requesting a
+ number of different combinations of the filename (e.g. index.bak,
+ index.html~, copy of index.html). [Patrik Karlsson]
+
+ + http-cors tests an http server for Cross-Origin Resource Sharing
+ (CORS), a way for domains to explicitly opt in to having certain
+ methods invoked by another domain. [Toni Ruottu]
+
+ + http-email-harvest spiders a web site and collects e-mail
+ addresses. [Patrik Karlsson]
+
+ + http-grep spiders a website and attempts to match all pages and
+ urls against a given string. Matches are counted and grouped per
+ url under which they were discovered. [Patrik Karlsson]
+
+ + http-method-tamper tests whether a JBoss target is vulnerable to
+ jmx console authentication bypass (CVE-2010-0738). [Hani
+ Benhabiles]
+
+ + http-open-redirect spiders a website and attempts to identify open
+ redirects. Open redirects are handlers which commonly take a URL
+ as a parameter and responds with a http redirect (3XX) to the
+ target. [Martin Holst Swende]
+
+ + http-put uploads a local file to a remote web server using the
+ HTTP PUT method. You must specify the filename and URL path with
+ NSE arguments. [Patrik Karlsson]
+
+ + http-robtex-reverse-ip Obtains up to 100 forward DNS names for a
+ target IP address by querying the Robtex service
+ (http://www.robtex.com/ip/). [riemann]
+
+ + http-unsafe-output-escaping spiders a website and attempts to
+ identify output escaping problems where content is reflected back
+ to the user. [Martin Holst Swende]
+
+ + http-vuln-cve2011-3368 tests for the CVE-2011-3368 (Reverse Proxy
+ Bypass) vulnerability in Apache HTTP server's reverse proxy
+ mode. [Ange Gutek, Patrik Karlsson]
+
+ + ipv6-node-info obtains hostnames, IPv4 and IPv6 addresses through
+ IPv6 Node Information Queries. [David Fifield]
+
+ + irc-botnet-channels checks an IRC server for channels that are
+ commonly used by malicious botnets. [David Fifield, Ange Gutek]
+
+ + irc-brute performs brute force password auditing against IRC
+ (Internet Relay Chat) servers. [Patrik Karlsson]
+
+ + krb5-enum-users discovers valid usernames by brute force querying
+ likely usernames against a Kerberos service. [Patrik Karlsson]
+
+ + maxdb-info retrieves version and database information from a SAP
+ Max DB database. [Patrik Karlsson]
+
+ + metasploit-xmlrpc-brute performs brute force password auditing
+ against a Metasploit RPC server using the XMLRPC protocol. [Vlatko
+ Kosturjak]
+
+ + ms-sql-dump-hashes Dumps the password hashes from an MS-SQL server
+ in a format suitable for cracking by tools such as
+ John-the-ripper. In order to do so the user needs to have the
+ appropriate DB privileges. [Patrik Karlsson]
+
+ + nessus-brute performs brute force password auditing against a
+ Nessus vulnerability scanning daemon using the NTP 1.2
+ protocol. [Patrik Karlsson]
+
+ + nexpose-brute performs brute force password auditing against a
+ Nexpose vulnerability scanner using the API 1.1. [Vlatko
+ Kosturjak]
+
+ + openlookup-info parses and displays the banner information of an
+ OpenLookup (network key-value store) server. [Toni Ruottu]
+
+ + openvas-otp-brute performs brute force password auditing against a
+ OpenVAS vulnerability scanner daemon using the OTP 1.0
+ protocol. [Vlatko Kosturjak]
+
+ + reverse-index creates a reverse index at the end of scan output
+ showing which hosts run a particular service. [Patrik Karlsson]
+
+ + rexec-brute performs brute force password auditing against the
+ classic UNIX rexec (remote exec) service. [Patrik Karlsson]
+
+ + rlogin-brute performs brute force password auditing against the
+ classic UNIX rlogin (remote login) service. [Patrik Karlsson]
+
+ + rtsp-methods determines which methods are supported by the RTSP
+ (real time streaming protocol) server. [Patrik Karlsson]
+
+ + rtsp-url-brute attempts to enumerate RTSP media URLS by testing
+ for common paths on devices such as surveillance IP
+ cameras. [Patrik Karlsson]
+
+ + telnet-encryption determines whether the encryption option is
+ supported on a remote telnet server. Some systems (including
+ FreeBSD and the krb5 telnetd available in many Linux
+ distributions) implement this option incorrectly, leading to a
+ remote root vulnerability. [Patrik Karlsson, David Fifield,
+ Fyodor]
+
+ + tftp-enum enumerates TFTP (trivial file transfer protocol) filenames by testing
+ for a list of common ones. [Alexander Rudakov]
+
+ + unusual-port compares the detected service on a port against the
+ expected service for that port number (e.g. ssh on 22, http on 80)
+ and reports deviations. An early version of this same idea was
+ written by Daniel Miller. [Patrik Karlsson]
+
+ + vuze-dht-info retrieves some basic information, including protocol
+ version from a Vuze filesharing node. [Patrik Karlsson]
+
+o [NSE] Added some new protocol libraries
+ + amqp (advanced message queuing protocol) [Sebastian Dragomir]
+ + bitcoin crypto currency [Patrik Karlsson
+ + dnsbl for DNS-based blacklists [Patrik Karlsson
+ + rtsp (real time streaming protocol) [Patrik Karlsson]
+ + httpspider and vulns have separate entries in this CHANGELOG
+
+o Nmap now includes a nmap-update program for obtaining the latest
+ updates (new scripts, OS fingerprints, etc.) The system is
+ currently only available to a few developers for testing, but we
+ hope to enable a larger set of beta testers soon. [David]
+
+o On Windows, the directory [HOME]\AppData\Roaming\nmap is now
+ searched for data files. This is the equivalent of $HOME/.nmap on
+ POSIX. [David]
+
+o Improved OS detection performance by scaling congestion control
+ increments by the response rate during OS scan, just as was done
+ for port scan before. [David]
+
+o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all
+ interfaces by default. They show the MAC address and interface name
+ now too. [David, Daniel Miller]
+
+o Added some new version detection probes:
+ + MongoDB service [Martin Holst Swende]
+ + Metasploit XMLRPC service [Vlatko Kosturjak]
+ + Vuze filesharing system [Patrik]
+ + Redis key-value store [Patrik]
+ + memcached [Patrik]
+ + Sybase SQL Anywhere [Patrik]
+ + VMware ESX Server [Aleksey Tyurin]
+ + TCP Kerberos [Patrik]
+ + PC-Duo [Patrik]
+ + PC Anywhere [Patrik]
+
+o Targets requiring different source addresses now go into different
+ hostgroups, not only for host discovery but also for port scanning.
+ Before, only responses to one of the source addresses would be
+ processed, and the others would be ignored. [David]
+
+o Tidied up the version detection DB (nmap-service-probes) with a new
+ cleanup/canonicalization program sv-tidy. In particular, this:
+ - Removes excess whitespace
+ - Sorts templates in the order m p v i d o h cpe:
+ - Canonicalizes template delimiters in the order: / | % = @ #.
+ [David]
+
+o The --exclude and --excludefile options for excluding targets can
+ now be used together. [David]
+
+o [NSE] Added support for detecting whether a http connection was established
+ using SSL or not to the http.lua library [Patrik]
+
+o [NSE] Added local port to BPF filter in snmp-brute to fix bug that would
+ prevent multiple scripts from receiving the correct responses. The bug was
+ discovered by Brendan Bird. [Patrik]
+
+o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request
+ to query dhcp servers instead of DHCPDISCOVER. Also removed DoS code
+ from dhcp-discover and placed the script into the discovery and safe
+ categories. Added support for adding options to DHCP requests and
+ cleaned up some code in the dhcp library. [Patrik]
+
+o [NSE] Applied patch to snmp-brute that solves problems with handling
+ errors that occur during community list file parsing. [Duarte
+ Silva]
+
+o [NSE] Added new fingerprints to http-enum for:
+ - Subversion, CVS and Apache Archiva [Duarte Silva]
+ - DVCS systems Git, Mercurial and Bazaar [Hani Benhabiles].
+
+o [NSE] Applied some code cleanup to the snmp library. [Brendan Byrd]
+
+o [NSE] Fixed an undeclared variable bug in snmp-ios-config [Patrik]
+
+o [NSE] Add additional version information to Mongodb scripts [Martin
+ Swende]
+
+o [NSE] Added path argument to the http-auth script and update the
+ script to use stdnse.format_output. [Duarte Silva, Patrik]
+
+o [NSE] Fixed bug in the http library that would fail to parse
+ authentication headers if no parameters were present. [Patrik]
+
+o Made a syntax change in the zenmap.desktop file for compliance with
+ the XDG standard. [Frederik Schwarzer]
+
+o [NSE] Replaced a number of GET requests to HEAD in http-
+ fingerprints.lua. HEAD is quicker and sufficient when no matching
+ is performed on the returned contents. [Hani Benhabiles]
+
+o [NSE] Added support for retrieving SSL certificates from FTP
+ servers. [Matt Selsky]
+
+o [Nping] The --safe-payloads option is now the default. Added
+ --include-payloads for the special situations where payloads are
+ needed. [Colin Rice]
+
+o [NSE] Added new functionality and fixed some bugs in the brute library:
+ - Added support for restricting the number of guesses performed by the
+ brute library against users, to prevent account lockouts.
+ - Added support to guess the username as password. The documentation
+ previously suggested (wrongly) that this was the default behavior.
+ - Added support to guess an empty string as password if not
+ present in the dictionary. [Patrik]
+
+o [NSE] Re-enabled support for guessing the username in addition to password
+ that was incorrectly removed from the metasploit-xmlrpc-brute in previous
+ commit. [Patrik]
+
+o [NSE] Fixed bug that would prevent brute scripts from running if no service
+ field was present in the port table. [Patrik]
+
+o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
+ finds packets not only from or to the scanning host. [David]
+
+o The Zenmap topology display feature is now disabled when there are
+ more than 1,000 target hosts. Those topology maps slow down the
+ interface and are generally too crowded to be of much use.
+
+o [NSE] Modified the http library to support servers that don't return valid
+ chunked encoded data, such as the Citrix XML service. [Patrik]
+
+o [NSE] Fixed a bug where the brute library would not abort even after all
+ retries were exhausted [Patrik]
+
+o Fixed a bug in the IPv6 OS probe called NI. The Node Information
+ Query didn't include the target address as the payload, so at least
+ OS X didn't respond. This differed from the probe sent by the
+ ipv6fp.py program from which some of our fingerprints were derived.
+ [David]
+
+o [NSE] Fixed an error in the mssql library that was causing the
+ broadcast-ms-sql-discover script to fail when trying to update port version
+ information. [Patrik]
+
+o [NSE] Added the missing broadcast category to the broadcast-listener script.
+ [Jasey DePriest]
+
+o [NSE] Made changes to the categories of the following scripts (new
+ categories shown) [Duarte Silva]:
+ - http-userdir-enum.nse (auth,intrusive)
+ - mysql-users.nse (auth,intrusive)
+ - http-wordpress-enum.nse (auth,intrusive,vuln)
+ - krb5-enum-users.nse (auth,intrusive)
+ - snmp-win32-users.nse (default,auth,safe)
+ - smtp-enum-users.nse (auth,external,intrusive)
+ - ncp-enum-users.nse (auth,safe)
+ - smb-enum-users.nse (auth,intrusive)
+
+o Made nbase compile with the clang compiler that is a part of Xcode
+ 4.2. [Daniel J. Luke]
+
+o [NSE] Fix a nil table index bug discovered in the mongodb
+ library. [Thomas Buchanan]
+
+o [NSE] Added XMPP support to ssl-cert.nse.
+
+o [NSE] Made http-wordpress-enum.nse able to get names of users who
+ have no posts. [Duarte Silva]
+
+o Increased hop distance estimates from OS detection by one. The
+ distance now counts the number of hops including the final one to
+ the target, not just the number of intermediate nodes. The IPv6
+ distance calculation already worked this way. [David]
+
+Nmap 5.61TEST2 [2011-09-30]
+
+o Added IPv6 OS detection system! The new system utilizes many tests
+ similar to IPv4, and also some IPv6-specific ones that we found to
+ be particularly effective. And it uses a machine learning approach
+ rather than the static classifier we use for IPv4. We hope to move
+ some of the IPv6 innovations back to our IPv4 system if they work
+ out well. The database is still very small, so please submit any
+ fingerprints that Nmap gives you to the specified URL (as long as
+ you are certain that you know what the target system is
+ running). Usage and results output are basically the same as with
+ IPv4, but we will soon document the internal mechanisms at
+ https://nmap.org/book/osdetect.html, just as we have for IPv4. For an
+ example, try "nmap -6 -O scanme.nmap.org". [David, Luis]
+
+o [NSE] Added 3 scripts, bringing the total to 246! You can learn
+ more about them at https://nmap.org/nsedoc/. Here they are (authors
+ listed in brackets):
+
+ + lltd-discovery uses the Microsoft LLTD protocol to discover hosts
+ on a local network. [Gorjan Petrovski]
+
+ + ssl-google-cert-catalog queries Google's Certificate Catalog for
+ the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]
+
+ + quake3-info extracts information from a Quake3-like game
+ server. [Toni Ruottu]
+
+o Improved AIX support for raw scans. This includes some patches
+ originally written by Peter O'Gorman and Florian Schmid. It also
+ involved various build fixes found necessary on AIX 6.1 and 7.1. See
+ https://nmap.org/book/inst-other-platforms.html . [David]
+
+o Fixed Nmap so that it again compiles and runs on Solaris 10,
+ including IPv6 support. [David]
+
+o [NSE] Moved our brute force authentication cracking scripts
+ (*-brute) from the "auth" category into a new "brute"
+ category. Nmap's brute force capabilities have grown tremendously!
+ You can see all 32 of them at
+ https://nmap.org/nsedoc/categories/brute.html . It isn't clear
+ whether dns-brute should be in the brute category, so for now it
+ isn't. [Fyodor]
+
+o Made the interface gathering loop work on Linux when an interface
+ index is more than two digits in /proc/sys/if_inet6. Joe McEachern
+ tracked down the problem and provided the fix.
+
+o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always return two values
+ (status, response) and replaced the workaround in asn-query.nse by the proper
+ use. [Henri]
+
+o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
+ Patch by Sebastian Dragomir.
+
+o Updated nmap-mac-prefixes to include the latest IEEE assignments
+ as of 2011-09-29.
+
+Nmap 5.61TEST1 [2011-09-19]
+
+o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
+ output for OS and service versions. This is a standard way to
+ identify operating systems and applications so that Nmap can
+ better interoperate with other software. Nmap's own (generally more
+ comprehensive) taxonomy/classification system is still supported as
+ well. Some OS and version detection results don't have CPE entries
+ yet. CPE entries show up in normal output with the headings "OS
+ CPE:" and "Service Info:":
+ OS CPE: cpe:/o:linux:kernel:2.6.39
+ Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
+ These also appear in XML output, which additionally has CPE entries
+ for service versions. [David, Henri]
+
+o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
+ ARP scan. It is the default ping type for local IPv6 networks.
+ [Weilin]
+
+o Integrated your latest (IPv4) OS detection submissions and
+ corrections until June 22. New fingerprints include Linux 3, FreeBSD
+ 9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
+ 3,308 fingerprints. See
+ http://seclists.org/nmap-dev/2011/q3/556. Please keep those
+ fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
+ well as service fingerprints, plus corrections of all types if Nmap
+ guess wrong.
+
+o [NSE] Added 27 scripts, bringing the total to 243! You can learn
+ more about any of them at https://nmap.org/nsedoc/. Here are the new
+ ones (authors listed in brackets):
+
+ + address-info shows extra information about IPv6 addresses, such as
+ embedded MAC or IPv4 addresses when available. [David Fifield]
+
+ + bittorrent-discovery discovers bittorrent peers sharing a file
+ based on a user-supplied torrent file or magnet link. [Gorjan
+ Petrovski]
+
+ + broadcast-db2-discover attempts to discover DB2 servers on the
+ network by sending a broadcast request to port 523/udp. [Patrik
+ Karlsson]
+
+ + broadcast-dhcp-discover sends a DHCP request to the broadcast
+ address (255.255.255.255) and reports the results. [Patrik
+ Karlsson]
+
+ + broadcast-listener sniffs the network for incoming broadcast
+ communication and attempts to decode the received packets. It
+ supports protocols like CDP, HSRP, Spotify, DropBox, DHCP, ARP and
+ a few more. [Patrik Karlsson]
+
+ + broadcast-ping sends broadcast pings on a selected interface using
+ raw ethernet packets and outputs the responding hosts' IP and MAC
+ addresses or (if requested) adds them as targets. [Gorjan
+ Petrovski]
+
+ + cvs-brute performs brute force password auditing against CVS
+ pserver authentication. [Patrik Karlsson]
+
+ + cvs-brute-repository attempts to guess the name of the CVS
+ repositories hosted on the remote server. With knowledge of the
+ correct repository name, usernames and passwords can be
+ guessed. [Patrik Karlsson]
+
+ + ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4
+ backdoor reported on 2011-07-04 (CVE-2011-2523). This script
+ attempts to exploit the backdoor using the innocuous 'id' command
+ by default, but that can be changed with the 'exploit.cmd' or
+ 'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]
+
+ + ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in
+ the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal
+ Harouni]
+
+ + http-awstatstotals-exec exploits a remote code execution
+ vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other
+ products based on it (CVE: 2008-3922). [Paulino Calderon]
+
+ + http-axis2-dir-traversal Exploits a directory traversal
+ vulnerability in Apache Axis2 version 1.4.1 by sending a specially
+ crafted request to the parameter 'xsd' (OSVDB-59001). By default
+ it will try to retrieve the configuration file of the Axis2
+ service '/conf/axis2.xml' using the path '/axis2/services/' to
+ return the username and password of the admin account. [Paulino
+ Calderon]
+
+ + http-default-accounts tests for access with default credentials
+ used by a variety of web applications and devices. [Paulino
+ Calderon]
+
+ + http-google-malware checks if hosts are on Google's blacklist of
+ suspected malware and phishing servers. These lists are constantly
+ updated and are part of Google's Safe Browsing service. [Paulino
+ Calderon]
+
+ + http-joomla-brute performs brute force password auditing against
+ Joomla web CMS installations. [Paulino Calderon]
+
+ + http-litespeed-sourcecode-download exploits a null-byte poisoning
+ vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to
+ retrieve the target script's source code by sending a HTTP request
+ with a null byte followed by a .txt file extension
+ (CVE-2010-2333). [Paulino Calderon]
+
+ + http-vuln-cve2011-3192 detects a denial of service vulnerability
+ in the way the Apache web server handles requests for multiple
+ overlapping/simple ranges of a page. [Duarte Silva]
+
+ + http-waf-detect attempts to determine whether a web server is
+ protected by an IPS (Intrusion Prevention System), IDS (Intrusion
+ Detection System) or WAF (Web Application Firewall) by probing the
+ web server with malicious payloads and detecting changes in the
+ response code and body. [Paulino Calderon]
+
+ + http-wordpress-brute performs brute force password auditing
+ against Wordpress CMS/blog installations. [Paulino Calderon]
+
+ + http-wordpress-enum enumerates usernames in Wordpress blog/CMS
+ installations by exploiting an information disclosure
+ vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and
+ 3.2-beta2 and possibly others. [Paulino Calderon]
+
+ + imap-brute performs brute force password auditing against IMAP
+ servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
+ authentication. [Patrik Karlsson]
+
+ + smtp-brute performs brute force password auditing against SMTP
+ servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
+ authentication. [Patrik Karlsson]
+
+ + smtp-vuln-cve2011-1764 checks for a format string vulnerability in
+ the Exim SMTP server (version 4.70 through 4.75) with DomainKeys
+ Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]
+
+ + targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to
+ the all-nodes link-local multicast address (ff02::1) to discover
+ responsive hosts on a LAN without needing to individually ping
+ each IPv6 address. [David Fifield, Xu Weilin]
+
+ + targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an
+ invalid extension header to the all-nodes link-local multicast
+ address (ff02::1) to discover (some) available hosts on the
+ LAN. This works because some hosts will respond to this probe with
+ an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]
+
+ + targets-ipv6-multicast-slaac performs IPv6 host discovery by
+ triggering stateless address auto-configuration (SLAAC). [David
+ Fifield, Xu Weilin]
+
+ + xmpp-brute Performs brute force password auditing against XMPP
+ (Jabber) instant messaging servers. [Patrik Karlsson]
+
+o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and
+ Babak Farroki for researching fixes.
+
+o [NSE] The script arguments which start with a script name
+ (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
+ unqualified arguments as well (hostname, maxfiles). This lets you
+ use the generic version ("hostname") when you want to affect
+ multiple scripts, while using the qualified version to target
+ individual scripts. If both are specified, the qualified version
+ takes precedence for that particular script. This works for library
+ script arguments too (e.g. you can specify 'timelimit' rather than
+ unpwdb.timelimit). [Paulino]
+
+o [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to
+ remove the epic fail known as DigiNotar.
+
+o Nmap now defers options parsing until it has read through all the
+ command line arguments. This removes the few remaining cases where
+ option order mattered (for example, IPv6 users previously had to
+ specify -6 before -S). [Shinnok]
+
+o [NSE] Added a new default credential list for Oracle databases and
+ modified the oracle-brute script to make use of it. [Patrik]
+
+o [NSE] Our Packet library (packet.lua) now handles IPv6. This is used
+ by the new multicast IPv6 host discovery scripts
+ (targets-ipv6-*). [Weilin]
+
+o [NSE] Replaced xmpp.nse with an an overhauled version named
+ xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]
+
+o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and
+ removed redundant multiple listings of the NULL compressor.
+ [Matt Selsky]
+
+o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse.
+ [Gabriel Lawrence]
+
+o [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from
+ displaying any output unless run in debug mode. [Patrik]
+
+o [NSE] Added 4 more protocol libraries. You can learn more about any
+ of them at https://nmap.org/nsedoc/. Here are the new ones (authors
+ listed in brackets):
+
+ + bittorrent supports the BitTorrent file sharing protocol [Gorjan
+ Petrovski]
+
+ + cvs includes support for the Concurrent Versions System (CVS)
+ [Patrik Karlsson]
+
+ + sasl provides common code for "Simple Authentication and Security
+ Layer" to services supporting it. The algorithms supported by the
+ library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal
+ Harouni, Patrik Karlsson]
+
+ + xmpp handles XMPP (Jabber) IM servers [Patrik Karlsson]
+
+o [NSE] Removed the mac-geolocation script, which relied on a Google
+ database to determine strikingly accurate GPS coordinates for
+ anyone's wireless access points (based on their MAC address). It
+ was very powerful. Perhaps Google decided it was too powerful, as
+ they discontinued the service before our script was even 2 months
+ old.
+
+o [Ncat] Added an --append-output option which, when used along with
+ -o and/or -x, prevents clobbering (truncating) an existing
+ file. [Shinnok]
+
+o Fixed RPC scan (part of -sV) to work on the 64-bit machines where
+ "unsigned long" is 8 bytes rather than 4. We now use the more
+ portable u32 in the code. [David]
+
+o [NSE] Moved some scripts into the default category: giop-info,
+ vnc-info, ncp-serverinfo, smb-security-mode, and and
+ afp-serverinfo. [Djalal]
+
+o Relaxed the XML DTD to allow validation of files where the verbosity
+ level changed during the scan. Also made a service confidence of 8
+ (used when tcpwrapped) or any other number between 0 and 10
+ legal. [Daniel Miller]
+
+o [NSE] Fixed authentication problems in the TNS library that would prevent
+ authentication from working against Oracle 11.2.0.2.0 XE [Chris Woodbury]
+
+o [NSE] Added basic query support to the Oracle TNS library so that scripts
+ can now make SQL queries against database servers. Also improved
+ support for 64-bit database servers and improved the documentation. [Patrik]
+
+o Removed some restrictions on probe matching that, for example,
+ prevented a RST/ACK reply from being recognized in a NULL scan. This
+ was found and fixed by Matthew Stickney and Joe McEachern.
+
+o Rearranged some characters classes in service matches to avoid any
+ that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
+ discovered this error caused by one of the match lines:
+ InitMatch: illegal regexp: POSIX collating elements are not supported
+ [Daniel Miller]
+
+o [NSE] Added more than 100 new signatures to http-enum (many for
+ known vulnerabilities). They are in the categories: general,
+ attacks, cms, security, management and database [Paulino]
+
+o [NSE] Updated account status text in brute force password discovery
+ scripts in an effort to make the reporting more consistent across
+ all scripts. This will have an impact on any code that parses these
+ values. [Tom Sellers]
+
+o Nmap now includes the Liblinear library for large linear
+ classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We
+ are using it for the upcoming IPv6 OS detection system, and (if that
+ works out well) may eventually use it for IPv4 too. It uses a
+ three-clause BSD license.
+
+o [NSE] Better error messages (including a traceback) are now provided
+ when script loading fails. [Patrick]
+
+o [Zenmap] Prevent Zenmap from deleting ports when merging scans
+ results based on newer scans which did not actually scan the ports
+ in question. Additionally Zenmap now only updates ports with new
+ information if the new information uses the same protocol--not just
+ the same port number. [Colin Rice]
+
+o [Ncat] Fixed a crash which would occur when --ssl-verify is combined
+ with -vvv on windows. [Colin Rice]
+
+o [Nping] Added new --safe-payloads option for echo mode which causes
+ returned packet payloads to be zeroed to reduce privacy risks if
+ Nping echo server was to accidentally (or through malicious intent)
+ return a packet which wasn't sent by the Nping echo client. We hope
+ to soon make this behavior the default. [Luis]
+
+o Fixed a bug that would make Nmap segfault if it failed to open an
+ interface using pcap. The bug details and patch are posted at
+ http://seclists.org/nmap-dev/2011/q3/365 [Patrik]
+
+o Ncat SCTP mode now supports connection brokering
+ (--sctp --broker). [Shinnok]
+
+o Consolidated a bunch of duplicate code between Ncat's listen
+ (ncat_listen.c) and broker (ncat_broker.c) modes to ease
+ maintenance. [Shinnok]
+
+o Added a 'nostore' nse argument to the brute force library which
+ prevents the brute force authentication cracking scripts from
+ storing found credentials in the creds library (they will still be
+ printed in script output).
+
+o [NSE] Fixed the nsedebug print_hex() function so it does not print an
+ empty line if there are no remaining characters, and improved its NSEDoc.
+ [Chris Woodbury].
+
+o [Ncat] Ncat no longer blocks while an ssl handshake is taking place
+ or waiting to complete. This could make listening Ncat instances
+ unavailable to other clients because one client was taking too long
+ to complete the SSL handshake. Our public Ncat chat server is now
+ much more reliable (connect with: ncat --ssl -v chat.nmap.org).
+ [Shinnok]
+
+o [NSE] Updated SMTP and IMAP libraries to support authentication
+ using both plain-text and the SASL library. [Patrik]
+
+o [Zenmap] The Zenmap crash handler now instructs users to mail in
+ crash information to nmap-dev rather than offering to create a
+ Sourceforge bug tracker entry. [Colin Rice]
+
+o [NSE] Applied patch from Chris Woodbury that adds the following
+ additional information to the output of smb-os-discovery: NetBIOS
+ computer name, NetBIOS domain name, FQDN, and forest name.
+
+o [NSE] Updated smb-brute to add detection for valid credentials where the
+ target account was expired or limited by time or login host constraints.
+ [Tom Sellers]
+
+o [Ncat] Ncat now supports IPV6 addresses by default without the -6 flag.
+ Additionally ncat listens on both ::1 and localhost when passed
+ -l, or any other listening mode unless a specific listening address is
+ supplied. [Colin Rice]
+
+o Fixed broken XML output in the case of timed-out hosts; the
+ enclosing host element was missing. The fix was suggested by Rémi
+ Mollon.
+
+o [NSE] Multiple ldap-brute changes by Tom Sellers:
+ + Added support for 2008 R2 functional level Active Directory instances
+ + Added detection for valid credentials where the target account was
+ expired or limited by time or login host constraints.
+ + Added support for specifying a UPN suffix to be appended to usernames
+ when brute forcing Microsoft Active Directory accounts.
+ + Added support for saving discovered credentials to a CSV file.
+ + Now reports valid credentials as they are discovered when the script
+ is run with -vv or higher.
+
+o [NSE] ldap-search.nse - Added support for saving search results to
+ CSV. This is done by using the ldap.savesearch script argument to
+ specify an output filename prefix. [Tom Sellers]
+
+o Handle an unconventional IPv6 internal link-local address convention
+ used by Mac OS X. See
+ http://seclists.org/nmap-dev/2011/q3/906. [David]
+
+o [NSE] Optimized stdnse.format_output (changing the data structures)
+ to improve performance for scripts which produce a lot of output. See
+ http://seclists.org/nmap-dev/2011/q3/623. [Djalal]
+
+o [NSE] Fix nping-brute so that it again works on IPv6. [Toni Ruottu]
+
+o [NSE] Added the make_array and make_object functions to our json
+ library, allowing LUA tables to be treated as JSON arrays or
+ objects. See http://seclists.org/nmap-dev/2011/q3/15 [Daniel Miller]
+
+o [NSE] The ip-geolocation-ipinfodb now allows you to specify an
+ IPInfoDB API key using the apikey NSE argument. [Gorjan]
+
+o [NSE] Renamed http-wp-plugins to http-wordpress-plugins script for
+ consistency with http-wordpress-brute and now
+ http-wordpress-enum. [Fyodor]
+
+Nmap 5.59BETA1 [2011-06-30]
+
+o [NSE] Added 40 scripts, bringing the total to 217! You can learn
+ more about any of them at https://nmap.org/nsedoc/. Here are the new
+ ones (authors listed in brackets):
+
+ + afp-ls: Lists files and their attributes from Apple Filing
+ Protocol (AFP) volumes. [Patrik Karlsson]
+
+ + backorifice-brute: Performs brute force password auditing against
+ the BackOrifice remote administration (trojan) service. [Gorjan
+ Petrovski]
+
+ + backorifice-info: Connects to a BackOrifice service and gathers
+ information about the host and the BackOrifice service
+ itself. [Gorjan Petrovski]
+
+ + broadcast-avahi-dos: Attempts to discover hosts in the local
+ network using the DNS Service Discovery protocol, then tests
+ whether each host is vulnerable to the Avahi NULL UDP packet
+ denial of service bug (CVE-2011-1002). [Djalal Harouni]
+
+ + broadcast-netbios-master-browser: Attempts to discover master
+ browsers and the Windows domains they manage. [Patrik Karlsson]
+
+ + broadcast-novell-locate: Attempts to use the Service Location
+ Protocol to discover Novell NetWare Core Protocol (NCP)
+ servers. [Patrik Karlsson]
+
+ + creds-summary: Lists all discovered credentials (e.g. from brute
+ force and default password checking scripts) at end of scan.
+ [Patrik Karlsson]
+
+ + dns-brute: Attempts to enumerate DNS hostnames by brute force
+ guessing of common subdomains. [Cirrus]
+
+ + dns-nsec-enum: Attempts to discover target hosts' services using
+ the DNS Service Discovery protocol. [Patrik Karlsson]
+
+ + dpap-brute: Performs brute force password auditing against an
+ iPhoto Library. [Patrik Karlsson]
+
+ + epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and
+ retrieves a list of nodes with their respective port
+ numbers. [Toni Ruottu]
+
+ + http-affiliate-id: Grabs affiliate network IDs (e.g. Google
+ AdSense or Analytics, Amazon Associates, etc.) from a web
+ page. These can be used to identify pages with the same
+ owner. [Hani Benhabiles, Daniel Miller]
+
+ + http-barracuda-dir-traversal: Attempts to retrieve the
+ configuration settings from a Barracuda Networks Spam & Virus
+ Firewall device using the directory traversal vulnerability
+ described at
+ http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]
+
+ + http-cakephp-version: Obtains the CakePHP version of a web
+ application built with the CakePHP framework by fingerprinting
+ default files shipped with the CakePHP framework. [Paulino
+ Calderon]
+
+ + http-majordomo2-dir-traversal: Exploits a directory traversal
+ vulnerability existing in the Majordomo2 mailing list manager to
+ retrieve remote files. (CVE-2011-0049). [Paulino Calderon]
+
+ + http-wp-plugins: Tries to obtain a list of installed WordPress
+ plugins by brute force testing for known plugins. [Ange Gutek]
+
+ + ip-geolocation-geobytes: Tries to identify the physical location
+ of an IP address using the Geobytes geolocation web service
+ (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]
+
+ + ip-geolocation-geoplugin: Tries to identify the physical location
+ of an IP address using the Geoplugin geolocation web service
+ (http://www.geoplugin.com/). [Gorjan Petrovski]
+
+ + ip-geolocation-ipinfodb: Tries to identify the physical location
+ of an IP address using the IPInfoDB geolocation web service
+ (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]
+
+ + ip-geolocation-maxmind: Tries to identify the physical location of
+ an IP address using a Geolocation Maxmind database file (available
+ from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]
+
+ + ldap-novell-getpass: Attempts to retrieve the Novell Universal
+ Password for a user. You must already have (and include in script
+ arguments) the username and password for an eDirectory server
+ administrative account. [Patrik Karlsson]
+
+ + mac-geolocation: Looks up geolocation information for BSSID (MAC)
+ addresses of WiFi access points in the Google geolocation
+ database. [Gorjan Petrovski]
+
+ + mysql-audit: Audit MySQL database server security configuration
+ against parts of the CIS MySQL v1.0.2 benchmark (the engine can
+ also be used for other MySQL audits by creating appropriate audit
+ files). [Patrik Karlsson]
+
+ + ncp-enum-users: Retrieves a list of all eDirectory users from the
+ Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]
+
+ + ncp-serverinfo: Retrieves eDirectory server information (OS
+ version, server name, mounts, etc.) from the Novell NetWare Core
+ Protocol (NCP) service. [Patrik Karlsson]
+
+ + nping-brute: Performs brute force password auditing against an
+ Nping Echo service. [Toni Ruottu]
+
+ + omp2-brute: Performs brute force password auditing against the
+ OpenVAS manager using OMPv2. [Henri Doreau]
+
+ + omp2-enum-targets: Attempts to retrieve the list of target systems
+ and networks from an OpenVAS Manager server. [Henri Doreau]
+
+ + ovs-agent-version: Detects the version of an Oracle OVSAgentServer
+ by fingerprinting responses to an HTTP GET request and an XML-RPC
+ method call. [David Fifield]
+
+ + quake3-master-getservers: Queries Quake3-style master servers for
+ game servers (many games other than Quake 3 use this same
+ protocol). [Toni Ruottu]
+
+ + servicetags: Attempts to extract system information (OS, hardware,
+ etc.) from the Sun Service Tags service agent (UDP port
+ 6481). [Matthew Flanagan]
+
+ + sip-brute: Performs brute force password auditing against Session
+ Initiation Protocol (SIP -
+ http://en.wikipedia.org/wiki/Session_Initiation_Protocol)
+ accounts. This protocol is most commonly associated with VoIP
+ sessions. [Patrik Karlsson]
+
+ + sip-enum-users: Attempts to enumerate valid SIP user accounts.
+ Currently only the SIP server Asterisk is supported. [Patrik
+ Karlsson]
+
+ + smb-mbenum: Queries information managed by the Windows Master
+ Browser. [Patrik Karlsson]
+
+ + smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
+ within versions of Exim prior to version 4.69 (CVE-2010-4344) and
+ a privilege escalation vulnerability in Exim 4.72 and prior
+ (CVE-2010-4345). [Djalal Harouni]
+
+ + smtp-vuln-cve2011-1720: Checks for a memory corruption in the
+ Postfix SMTP server when it uses Cyrus SASL library authentication
+ mechanisms (CVE-2011-1720). This vulnerability can allow denial
+ of service and possibly remote code execution. [Djalal Harouni]
+
+ + snmp-ios-config: Attempts to downloads Cisco router IOS
+ configuration files using SNMP RW (v1) and display or save
+ them. [Vikas Singhal, Patrik Karlsson]
+
+ + ssl-known-key: Checks whether the SSL certificate used by a host
+ has a fingerprint that matches an included database of problematic
+ keys. [Mak Kolybabi]
+
+ + targets-sniffer: Sniffs the local network for a configurable
+ amount of time (10 seconds by default) and prints discovered
+ addresses. If the newtargets script argument is set, discovered
+ addresses are added to the scan queue. [Nick Nikolaou]
+
+ + xmpp: Connects to an XMPP server (port 5222) and collects server
+ information such as supported auth mechanisms, compression methods
+ and whether TLS is supported and mandatory. [Vasiliy Kulikov]
+
+o Nmap has long supported IPv6 for basic (connect) port scans, basic
+ host discovery, version detection, Nmap Scripting Engine. This
+ release dramatically expands and improves IPv6 support:
+ + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
+ etc.) are now supported. [David, Weilin]
+ + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
+ discovery packets, etc.) is now supported. [David, Weilin]
+ + IPv6 traceroute is now supported [David]
+ + IPv6 protocol scan (-sO) is now supported, including creating
+ realistic headers for many protocols. [David]
+ + IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel
+ Miller, Patrik]
+ + The --exclude and --excludefile now support IPV6 addresses with
+ netmasks. [Colin]
+
+o Scanme.Nmap.Org (the system anyone is allowed to scan for testing
+ purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
+ so you can scan it during IPv6 testing. We also added a DNS record
+ for ScanmeV6.nmap.org which is IPv6-only. See
+ http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]
+
+o The Nmap.Org website as well as sister sites Insecure.Org,
+ SecLists.Org, and SecTools.Org all have working IPv6 addresses now
+ (dual stacked). [Fyodor]
+
+o Nmap now determines the filesystem location it is being run from and
+ that path is now included early in the search path for data files
+ (such as nmap-services). This reduces the likelihood of needing to
+ specify --datadir or getting data files from a different version of
+ Nmap installed on the system. For full details, see
+ https://nmap.org/book/data-files-replacing-data-files.html . Thanks
+ to Solar Designer for implementation advice. [David]
+
+o Created a page on our SecWiki for collecting Nmap script ideas! If
+ you have a good idea, post it to the incoming section of the page.
+ Or if you're in a script writing mood but don't know what to write,
+ come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.
+
+o The development pace has greatly increased because Google (again)
+ sponsored a 7 full-time college and graduate student programmer
+ interns this summer as part of their Summer of Code program!
+ Thanks, Google Open Source Department! We're delighted to introduce
+ the team: http://seclists.org/nmap-dev/2011/q2/312
+
+o [NSE] Added 7 new protocol libraries, bringing the total to 66. You
+ can read about them all at https://nmap.org/nsedoc/. Here are the new
+ ones (authors listed in brackets):
+
+ + creds: Handles storage and retrieval of discovered credentials
+ (such as passwords discovered by brute force scripts). [Patrik
+ Karlsson]
+
+ + ncp: A tiny implementation of Novell Netware Core Protocol
+ (NCP). [Patrik Karlsson]
+
+ + omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri
+ Doreau]
+
+ + sip: Supports a limited subset of SIP commands and
+ methods. [Patrik Karlsson]
+
+ + smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal
+ Harouni]
+
+ + srvloc: A relatively small implementation of the Service Location
+ Protocol. [Patrik Karlsson]
+
+ + tftp: Implements a minimal TFTP server. It is used in
+ snmp-ios-config to obtain router config files.[Patrik Karlsson]
+
+o Improved Nmap's service/version detection database by adding:
+ + Apple iPhoto (DPAP) protocol probe [Patrik]
+ + Zend Java Bridge probe [Michael Schierl]
+ + BackOrifice probe [Gorjan Petrovski]
+ + GKrellM probe [Toni Ruottu]
+ + Signature improvements for a wide variety of services (we now have
+ 7,375 signatures)
+
+o [NSE] ssh-hostkey now additionally has a postrule that prints hosts
+ found during the scan which share the same hostkey. [Henri Doreau]
+
+o [NSE] Added 300+ new signatures to http-enum which look for admin
+ directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress,
+ and more. [Paulino]
+
+o Made the final IP address space assignment update as all available
+ IPv4 address blocks have now been allocated to the regional
+ registries. Our random IP generation (-iR) logic now only excludes
+ the various reserved blocks. Thanks to Kris for years of regular
+ updates to this function!
+
+o [NSE] Replaced http-trace with a new more effective version. [Paulino]
+
+o Performed some output cleanup work to remove unimportant status
+ lines so that it is easier to find the good stuff! [David]
+
+o [Zenmap] now properly kills Nmap scan subprocess when you cancel a
+ scan or quit Zenmap on Windows. [Shinnok]
+
+o [NSE] Banned scripts from being in both the "default" and
+ "intrusive" categories. We did this by removing dhcp-discover and
+ dns-zone-transfer from the set of scripts run by default (leaving
+ them "intrusive"), and reclassifying dns-recursion, ftp-bounce,
+ http-open-proxy, and socks-open-proxy as "safe" rather than
+ "intrusive" (keeping them in the "default" set).
+
+o [NSE] Added a credential storage library (creds.lua) and modified
+ the brute library and scripts to make use of it. [Patrik]
+
+o [Ncat] Created a portable version of ncat.exe that you can just drop
+ onto Microsoft Windows systems without having to run any installer
+ or copy over extra library files. See the Ncat page
+ (https://nmap.org/ncat/) for binary downloads and a link to build
+ instructions. [Shinnok]
+
+o Fix a segmentation fault which could occur when running Nmap on
+ various Android-based phones. The problem related to NULL being
+ passed to freeaddrinfo(). [David, Vlatko Kosturjak]
+
+o [NSE] The host.bin_ip and host.bin_ip_src entries now also work with
+ 16-byte IPv6 addresses. [David]
+
+o [Ncat] Updated the ca-bundle.crt list of trusted certificate
+ authority certificates. [David]
+
+o [NSE] Fixed a bug in the SMB Authentication library which could
+ prevent concurrently running scripts with valid credentials from
+ logging in. [Chris Woodbury]
+
+o [NSE] Re-worked http-form-brute.nse to better autodetect form
+ fields, allow brute force attempts where only the password (no
+ username) is needed, follow HTTP redirects, and better detect
+ incorrect login attempts. [Patrik, Daniel Miller]
+
+o [Zenmap] Changed the "slow comprehensive scan" profile's NSE script
+ selection from "all" to "default or (discovery and safe)"
+ categories. Except for testing and debugging, "--script all" is
+ rarely desirable.
+
+o [NSE] Added the stdnse.silent_require method which is used for
+ library requires that you know might fail (e.g. "openssl" fails if
+ Nmap was compiled without that library). If these libraries are
+ called with silent_require and fail to load, the script will cease
+ running but the user won't be presented with ugly failure messages
+ as would happen with a normal require. [Patrick Donnelly]
+
+o [Zenmap] Fixed a bug in topology mapper which caused endpoints
+ behind firewalls to sometimes show up in the wrong place (see
+ http://seclists.org/nmap-dev/2011/q2/733). [Colin Rice]
+
+o [Zenmap] If you scan a system twice, any open ports from the first
+ scan which are closed in the 2nd will be properly marked as
+ closed. [Colin Rice].
+
+o [Zenmap] Fixed an error that could cause a crash ("TypeError: an
+ integer is required") if a sort column in the ports table was unset.
+ [David]
+
+o [Ndiff] Added nmaprun element information (Nmap version, scan date,
+ etc.) to the diff. Also, the Nmap banner with version number and
+ data is now only printed if there were other differences in the
+ scan. [Daniel Miller, David, Dr. Jesus]
+
+o [NSE] Added nmap.get_interface and nmap.get_interface_info functions
+ so scripts can access characteristics of the scanning interface.
+ Removed nmap.get_interface_link. [Djalal]
+
+o Fixed an overflow in scan elapsed time display that caused negative
+ times to be printed after about 25 days. [Daniel Miller]
+
+o Updated nmap-rpc from the master list, now maintained by IANA.
+ [Daniel Miller, David]
+
+o [Zenmap] Fixed a bug in the option parser: -sN (null scan) was
+ interpreted as -sn (no port scan). This was reported by
+ Shitaneddine. [David]
+
+o [Ndiff] Fixed the Mac OS X packages to use the correct path for
+ Python: /usr/bin/python instead of /opt/local/bin/python. The bug
+ was reported by Wellington Castello. [David]
+
+o Removed the -sR (RPC scan) option--it is now an alias for -sV
+ (version scan), which always does RPC scan when an rpcinfo service
+ is detected.
+
+o [NSE] Improved the ms-sql scripts and library in several ways:
+ - Improved version detection and server discovery
+ - Added support for named pipes, integrated authentication, and
+ connecting to instances by name or port
+ - Improved script and library stability and documentation.
+ [Patrik Karlsson, Chris Woodbury]
+
+o [NSE] Fixed http.validate_options when handling a cookie table.
+ [Sebastian Prengel]
+
+o Added a Service Tags UDP probe for port 6481/udp. [David]
+
+o [NSE] Enabled firewalk.nse to automatically find the gateways at
+ which probes are dropped and fixed various bugs. [Henri Doreau]
+
+o [Zenmap] Worked around a pycairo bug that prevented saving the
+ topology graphic as PNG on Windows: "Error Saving Snapshot:
+ Surface.write_to_png takes one argument which must be a filename
+ (str), file object, or a file-like object which has a 'write' method
+ (like StringIO)". The problem was reported by Alex Kah. [David]
+
+o The -V and --version options now show the platform Nmap was compiled
+ on, which features are compiled in, the version numbers of libraries
+ it is linked against, and whether the libraries are the ones that
+ come with Nmap or the operating system. [Ambarisha B., David]
+
+o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
+ from netVigilance.
+
+o The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]
+
+o [NSE] Added a shortport.ssl function which can be used as a script
+ portrule to match SSL services. It is similar in concept to our
+ existing shortport.http. [David]
+
+o Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
+ packages (on CentOS 5.3) to resolve a report of Nmap failing to run
+ on old versions of Glibc. [David]
+
+o We no longer support Nmap on versions of Windows earlier than XP
+ SP2. Even Microsoft no longer supports Windows versions that old.
+ But if you must use Nmap on such systems anyway, please see
+ https://secwiki.org/w/Nmap_On_Old_Windows_Releases.
+
+o There were hundreds of other little bug fixes and improvements
+ (especially to NSE scripts). See the SVN logs for revisions 22,274
+ through 24,460 for details.
+
+Nmap 5.51 [2011-02-11]
+
+o [Ndiff] Added support for prerule and postrule scripts. [David]
+
+o [NSE] Fixed a bug which caused some NSE scripts to fail due to the
+ absence of the NSE SCRIPT_NAME environment variable when loaded.
+ Michael Pattrick reported the problem. [Djalal]
+
+o [Zenmap] Selecting one of the scan targets in the left pane is
+ supposed to jump to that host in the Nmap Output in the right pane
+ (but it wasn't). Brian Krebs reported this bug. [David]
+
+o Fixed an obscure bug in Windows interface matching. If the MAC
+ address of an interface couldn't be retrieved, it might have been
+ used instead of the correct interface. Alexander Khodyrev reported
+ the problem. [David]
+
+o [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor
+ that used shortport functions incorrectly and always returned
+ true. [Jost Krieger]
+
+o [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed:
+ status and address. [Daniel Miller]
+
+o [Ndiff] Fixed the ordering of hostscript-related elements in XML
+ output. [Daniel Miller]
+
+o [NSE] Fixed a bug in the nrpe-enum script that would make it run for
+ every port (when it was selected--it isn't by default). Daniel
+ Miller reported the bug. [Patrick]
+
+o [NSE] When an NSE script sets a negative socket timeout, it now
+ causes a controlled Lua stack trace instead of a fatal error.
+ Vlatko Kosturjak reported the bug. [David]
+
+o [Zenmap] Worked around an error that caused the py2app bootstrap
+ executable to be non-universal even when the rest of the application
+ was universal. This prevented the binary .dmg from working on
+ PowerPC. Yxynaxen reported the problem. [David]
+
+o [Ndiff] Fixed an output line that wasn't being redirected to a file
+ when all other output was. [Daniel Miller]
+
+Nmap 5.50 [2011-01-28]
+
+o [Zenmap] Added a new script selection interface, allowing you to
+ choose scripts and arguments from a list which includes descriptions
+ of every available script. Just click the "Scripting" tab in the
+ profile editor. [Kirubakaran]
+
+o [Nping] Added echo mode, a novel technique for discovering how your
+ packets are changed (or dropped) in transit between the host they
+ originated and a target machine. It can detect network address
+ translation, packet filtering, routing anomalies, and more. You can
+ try it out against our public Nping echo server using this command:
+ nping --echo-client "public" echo.nmap.org'
+ Or learn more about echo mode at
+ https://nmap.org/book/nping-man-echo-mode.html . [Luis]
+
+o [NSE] Added an amazing 46 scripts, bringing the total to 177! You
+ can learn more about any of them at https://nmap.org/nsedoc/. Here
+ are the new ones (authors listed in brackets):
+
+ + broadcast-dns-service-discovery: Attempts to discover hosts'
+ services using the DNS Service Discovery protocol. It sends a
+ multicast DNS-SD query and collects all the responses. [Patrik
+ Karlsson]
+
+ + broadcast-dropbox-listener: Listens for the LAN sync information
+ broadcasts that the Dropbox.com client broadcasts every 20
+ seconds, then prints all the discovered client IP addresses, port
+ numbers, version numbers, display names, and more. [Ron Bowes,
+ Mak Kolybabi, Andrew Orr, Russ Tait Milne]
+
+ + broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the
+ same broadcast domain. [Patrik Karlsson]
+
+ + broadcast-upnp-info: Attempts to extract system information from the
+ UPnP service by sending a multicast query, then collecting,
+ parsing, and displaying all responses. [Patrik Karlsson]
+
+ + broadcast-wsdd-discover: Uses a multicast query to discover devices
+ supporting the Web Services Dynamic Discovery (WS-Discovery)
+ protocol. It also attempts to locate any published Windows
+ Communication Framework (WCF) web services (.NET 4.0 or
+ later). [Patrik Karlsson]
+
+ + db2-discover: Attempts to discover DB2 servers on the network by
+ querying open ibm-db2 UDP ports (normally port 523). [Patrik
+ Karlsson]
+
+ + dns-update.nse: Attempts to perform an unauthenticated dynamic DNS
+ update. [Patrik Karlsson]
+
+ + domcon-brute: Performs brute force password auditing against the
+ Lotus Domino Console. [Patrik Karlsson]
+
+ + domcon-cmd: Runs a console command on the Lotus Domino Console with
+ the given authentication credentials (see also: domcon-brute).
+ [Patrik Karlsson]
+
+ + domino-enum-users: Attempts to discover valid IBM Lotus Domino users
+ and download their ID files by exploiting the CVE-2006-5835
+ vulnerability. [Patrik Karlsson]
+
+ + firewalk: Tries to discover firewall rules using an IP TTL
+ expiration technique known as firewalking. [Henri Doreau]
+
+ + ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c
+ backdoor reported as OSVDB-ID 69562. This script attempts to
+ exploit the backdoor using the innocuous id command by default,
+ but that can be changed with a script argument. [Mak Kolybabi]
+
+ + giop-info: Queries a CORBA naming server for a list of
+ objects. [Patrik Karlsson]
+
+ + gopher-ls: Lists files and directories at the root of a gopher
+ service. Remember those? [Toni Ruottu]
+
+ + hddtemp-info: Reads hard disk information (such as brand, model, and
+ sometimes temperature) from a listening hddtemp service. [Toni
+ Ruottu]
+
+ + hostmap: Tries to find hostnames that resolve to the target's IP
+ address by querying the online database at
+ http://www.bfk.de/bfk_dnslogger.html . [Ange Gutek]
+
+ + http-brute: Performs brute force password auditing against http
+ basic authentication. [Patrik Karlsson]
+
+ + http-domino-enum-passwords: Attempts to enumerate the hashed Domino
+ Internet Passwords that are (by default) accessible by all
+ authenticated users. This script can also download any Domino ID
+ Files attached to the Person document. [Patrik Karlsson]
+
+ + http-form-brute: Performs brute force password auditing against http
+ form-based authentication. [Patrik Karlsson]
+
+ + http-vhosts: Searches for web virtual hostnames by making a large
+ number of HEAD requests against http servers using common
+ hostnames. [Carlos Pantelides]
+
+ + informix-brute: Performs brute force password auditing against
+ IBM Informix Dynamic Server. [Patrik Karlsson]
+
+ + informix-query: Runs a query against IBM Informix Dynamic Server
+ using the given authentication credentials (see also:
+ informix-brute). [Patrik Karlsson]
+
+ + informix-tables: Retrieves a list of tables and column definitions
+ for each database on an Informix server. [Patrik Karlsson]
+
+ + iscsi-brute: Performs brute force password auditing against iSCSI
+ targets. [Patrik Karlsson]
+
+ + iscsi-info: Collects and displays information from remote iSCSI
+ targets. [Patrik Karlsson]
+
+ + modbus-discover: Enumerates SCADA Modbus slave ids (sids) and
+ collects their device information. [Alexander Rudakov]
+
+ + nat-pmp-info: Queries a NAT-PMP service for its external
+ address. [Patrik Karlsson]
+
+ + netbus-auth-bypass: Checks if a NetBus server is vulnerable to an
+ authentication bypass vulnerability which allows full access
+ without knowing the password. [Toni Ruottu]
+
+ + netbus-brute: Performs brute force password auditing against the
+ Netbus backdoor ("remote administration") service. [Toni Ruottu]
+
+ + netbus-info: Opens a connection to a NetBus server and extracts
+ information about the host and the NetBus service itself. [Toni
+ Ruottu]
+
+ + netbus-version: Extends version detection to detect NetBuster, a
+ honeypot service that mimes NetBus. [Toni Ruottu]
+
+ + nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to
+ obtain information such as load averages, process counts, logged in
+ user information, etc. [Mak Kolybabi]
+
+ + oracle-brute: Performs brute force password auditing against Oracle
+ servers. [Patrik Karlsson]
+
+ + oracle-enum-users: Attempts to enumerate valid Oracle user names
+ against unpatched Oracle 11g servers (this bug was fixed in
+ Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]
+
+ + path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris
+ Katterjohn]
+
+ + resolveall: Resolves hostnames and adds every address (IPv4 or IPv6,
+ depending on Nmap mode) to Nmap's target list. This differs from
+ Nmap's normal host resolution process, which only scans the first
+ address (A or AAAA record) returned for each host name. [Kris
+ Katterjohn]
+
+ + rmi-dumpregistry: Connects to a remote RMI registry and attempts to
+ dump all of its objects. [Martin Holst Swende]
+
+ + smb-flood: Exhausts a remote SMB server's connection limit by by
+ opening as many connections as we can. Most implementations of
+ SMB have a hard global limit of 11 connections for user accounts
+ and 10 connections for anonymous. Once that limit is reached,
+ further connections are denied. This script exploits that limit by
+ taking up all the connections and holding them. [Ron Bowes]
+
+ + ssh2-enum-algos: Reports the number of algorithms (for encryption,
+ compression, etc.) that the target SSH2 server offers. If
+ verbosity is set, the offered algorithms are each listed by
+ type. [Kris Katterjohn]
+
+ + stuxnet-detect: Detects whether a host is infected with the Stuxnet
+ worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]
+
+ + svn-brute: Performs brute force password auditing against Subversion
+ source code control servers. [Patrik Karlsson]
+
+ + targets-traceroute: Inserts traceroute hops into the Nmap scanning
+ queue. It only functions if Nmap's --traceroute option is used and
+ the newtargets script argument is given. [Henri Doreau]
+
+ + vnc-brute: Performs brute force password auditing against VNC
+ servers. [Patrik Karlsson]
+
+ + vnc-info: Queries a VNC server for its protocol version and
+ supported security types. [Patrik Karlsson]
+
+ + wdb-version: Detects vulnerabilities and gathers information (such
+ as version numbers and hardware support) from VxWorks Wind DeBug
+ agents. [Daniel Miller]
+
+ + wsdd-discover: Retrieves and displays information from devices
+ supporting the Web Services Dynamic Discovery (WS-Discovery)
+ protocol. It also attempts to locate any published Windows
+ Communication Framework (WCF) web services (.NET 4.0 or
+ later). [Patrik Karlsson]
+
+o [NSE] Added 12 new protocol libraries:
+ - dhcp.lua by Ron
+ - dnssd.lua (DNS Service Discovery) by Patrik
+ - ftp.lua by David
+ - giop.lua (CORBA naming service) by Patrik
+ - informix.lua (Informix database) by Patrik
+ - iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
+ - nrpc.lua (Lotus Domino RPC) by Patrik
+ - rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
+ - tns.lua (Oracle) by Patrik
+ - upnp.lua (UPnP support) by Thomas Buchanan and Patrik
+ - vnc.lua (Virtual Network Computing) by Patrik
+ - wsdd.lua (Web Service Dynamic Discovery) by Patrik
+
+o [NSE] Added a new brute library that provides a basic framework and logic
+ for brute force password auditing scripts. [Patrik]
+
+o [Zenmap] Greatly improved performance for large scans by
+ benchmarking intensively and then recoding dozens of slow parts.
+ Time taken to load our benchmark file (a scan of just over a million
+ IPs belonging to Microsoft corporation, with 74,293 hosts up) was
+ reduced from hours to less than two minutes. Memory consumption
+ decreased dramatically as well. [David]
+
+o Performed a major OS detection integration run. The database has
+ grown more than 14% to 2,982 fingerprints and many of the existing
+ fingerprints were improved. Highlights include Linux 2.6.37, iPhone
+ OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4.
+ David posted highlights of his integration work at
+ http://seclists.org/nmap-dev/2010/q4/651
+
+o Performed a huge version detection integration run. The number of
+ signatures has grown by more than 11% to 7,355. More than a third
+ of our signatures are for http, but we also detect 743 other service
+ protocols, from abc, acap, access-remote-pc, and achat to zenworks,
+ zeo, and zmodem. David posted highlights at
+ http://seclists.org/nmap-dev/2010/q4/761.
+
+o [NSE] Added the target NSE library which allows scripts to add newly
+ discovered targets to Nmap's scanning queue. This allows Nmap to
+ support a wide range of target acquisition techniques. Scripts which
+ can now use this feature include dns-zone-transfer, hostmap,
+ ms-sql-info, snmp-interfaces, targets-traceroute, and several
+ more. [Djalal]
+
+o [NSE] Nmap has two new NSE script scanning phases. The new pre-scan
+ occurs before Nmap starts scanning. Some of the initial pre-scan
+ scripts use techniques like broadcast DNS service discovery or DNS
+ zone transfers to enumerate hosts which can optionally be treated as
+ targets. The other phase (post scan) runs after all of Nmap's
+ scanning is complete. We don't have any of these scripts yet, but
+ they could compile scan statistics or present the results in a
+ different way. One idea is a reverse index which provides a list of
+ services discovered during a network scan, along with a list of IPs
+ found to be running each service. See
+ https://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]
+
+o [NSE] A new --script-help option describes all scripts matching a
+ given specification. It accepts the same specification format as
+ --script does. For example, try 'nmap --script-help "default or
+ http-*"'. [David, Martin Holst Swende]
+
+o Dramatically improved nmap.xsl (used for converting Nmap XML output
+ to HTML). In particular:
+ - Put verbose details behind expander buttons so you can see them if
+ you want, but they don't distract from the main output. In
+ particular, offline hosts and traceroute results are collapsed by
+ default.
+ - Improved the color scheme to be less garish.
+ - Added support for the new NSE pre-scan and post-scan phases.
+ - Changed script output to use 'pre' tags to keep even lengthy
+ output readable.
+ - Added a floating menu to the lower-right for toggling whether
+ closed/filtered ports are shown or not (they are now hidden by
+ default if Javascript is enabled).
+ Many smaller improvements were made as well. You can find the new
+ file at https://nmap.org/svn/docs/nmap.xsl, and here is an example
+ scan processed through it: https://nmap.org/book/output-formats-output-to-html.html . [Tom]
+
+o [NSE] Created a new "broadcast" script category for the broadcast-*
+ scripts. These perform network discovery by broadcasting on the
+ local network and listening for responses. Since they don't
+ directly relate to targets specified on the command line, these are
+ kept out of the default category (nor do they go in "discovery").
+
+o Integrated cracked passwords from the Gawker.com compromise
+ (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
+ password database. A team of Nmap developers lead by Brandon Enright
+ has cracked 635,546 out of 748,081 password hashes so far
+ (85%). Gawker doesn't exactly have the most sophisticated users on
+ the Internet--their top passwords are "123456", "password",
+ "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey",
+ "111111", "consumer", and "letmein".
+
+o XML output now excludes output for down hosts when only doing host
+ discovery, unless verbosity (-v) was requested. This is how it
+ already worked for normal scans, but the ping-only case was
+ overlooked. [David]
+
+o Updated the Windows build process to work with (and require) Visual
+ C++ 2010 rather than 2008. If you want to build Zenmap too, you now
+ need Python 2.7 (rather than 2.6) and GTK+ 2.22. See
+ https://nmap.org/book/inst-windows.html#inst-win-source [David, Rob
+ Nicholls, KX]
+
+o Merged port names in the nmap-services file with allocated names
+ from the IANA (http://www.iana.org/assignments/port-numbers). We
+ only added IANA names which were "unknown" in our file--we didn't
+ deal with conflicting names. [David]
+
+o Enabled the ASLR and DEP security technologies for Nmap.exe,
+ Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will
+ set the /DYNAMICBASE and /NXCOMPAT flags in the PE
+ header. Executables generated using py2exe or NSIS and third party
+ binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support
+ for DEP on XP SP3, using SetProcessDEPPolicy(), could still be
+ implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]
+
+o Investigated using the CPE (Common Platform Enumeration) standard
+ for describing operating systems, devices, and service names for
+ Nmap OS and service detection. You can read David's reports at
+ http://seclists.org/nmap-dev/2010/q3/278 and
+ http://seclists.org/nmap-dev/2010/q3/303.
+
+o [Zenmap] Improved the output viewer to show new output in constant
+ time. Previously it would get slower and slower as the output grew
+ longer, eventually making Zenmap appear to freeze with 100% CPU. Rob
+ Nicholls and Ray Middleton helped with testing. [David]
+
+o The Linux RPM builds of Nmap and related tools (ncat, nping, etc.)
+ now link to system libraries dynamically rather than statically.
+ They still link statically to dependency libraries such as OpenSSL,
+ Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so
+ the RPMs will work on distributions with older software (like RHEL,
+ Debian stable) as well as more bleeding edge ones like
+ Fedora. [David]
+
+o [NSE] Added the ability to send and receive on unconnected sockets.
+ This can be used, for example, to receive UDP broadcasts without
+ having to use Libpcap. A number of scripts have been changed so that
+ they can work as prerule scripts to discover services by UDP
+ broadcasting, and optionally add the discovered targets to the
+ scanning queue:
+ - ms-sql-info
+ - upnp-info
+ - dns-service-discovery
+ The nmap.new_socket function can now optionally take a default
+ protocol and address family, which will be used if the socket is not
+ connected. There is a new nmap.sendto function to be used with
+ unconnected UDP sockets. [David, Patrik]
+
+o [Nping] Substantially improved the Nping man page. You can read it
+ online at https://nmap.org/book/nping-man.html . [Luis, David]
+
+o Documented the licenses of the third-party software used by Nmap and
+ its sibling tools:
+ https://svn.nmap.org/nmap/docs/3rd-party-licenses.txt . [David]
+
+o [NSE] Improved the SMB scripts so that they can run in parallel
+ rather than using a mutex to force serialization. This quadrupled
+ the SMB scan speed in one large scale test. See
+ http://seclists.org/nmap-dev/2010/q3/819. [Ron]
+
+o Added a simple Nmap NSE script template to make writing new scripts
+ easier: https://nmap.org/svn/docs/sample-script.nse. [Ron]
+
+o [Zenmap] Made the topology node radiuses grow logarithmically
+ instead of linearly, so that hosts with thousands of open ports
+ don't overwhelm the diagram. Also only open ports (not
+ open|filtered) are considered when calculating node sizes. Henri
+ Doreau found and fixed a bug in the implementation. [Daniel Miller]
+
+o [NSE] Added the get_script_args NSE function for parsing script
+ arguments in a clean and standardized way
+ (https://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]
+
+o Increased the initial RTT timeout for ARP scans from 100 ms to 200
+ ms. Some wireless and VPN links were taking around 300 ms to
+ respond. The default of one retransmission gives them 400 ms to be
+ detected.
+
+o Added new version detection probes and signatures from Patrik for:
+ - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
+ - IBM Informix Dynamic Server running native protocol (shows hostname, and file path)
+ - Database servers running the DRDA protocol
+ - IBM Websphere MQ (shows name of queue-manager and channel)
+
+o Fix Nmap compilation on OpenSolaris (see
+ http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on) [David]
+
+o [NSE] The http library's request functions now accept an additional
+ "auth" table within the option table, which causes Basic
+ authentication credentials to be sent. [David]
+
+o Improved IPv6 host output in that we now remember and report the
+ forward DNS name (given by the user) and any non-scanned addresses
+ (usually because of round robin DNS). We already did this for
+ IPv4. [David]
+
+o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
+ messages about gtk.Tooltip. [Rob Nicholls]
+
+o [NSE] Made dns-zone-transfer script able to add new discovered DNS
+ records to the Nmap scanning queue. [Djalal]
+
+o [NSE] Enhance ssl-cert to also report the type and bit size of SSL
+ certificate public keys [Matt Selsky]
+
+o [Ncat] Make --exec and --idle-timeout work when connecting with
+ --proxy. Florian Roth reported the bug. [David]
+
+o [Nping] Fixed a bug which caused Nping to fail when targeting
+ broadcast addresses (see
+ http://seclists.org/nmap-dev/2010/q3/752). [Luis]
+
+o [Nping] Nping now limits concurrent open file descriptors properly
+ based on the resources available on the host (see
+ http://seclists.org/nmap-dev/2010/q4/2). [Luis]
+
+o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
+ and language lists can be set using new keys in the "options" table
+ argument. These all default to the same value used before. Also, the
+ required "cookie" argument is now replaced by an optional "cookie"
+ key in the "options" table, defaulting to random bytes as suggested
+ by the RFC. [Kris]
+
+o Ncat now logs Nsock debug output to stderr instead of stdout for
+ consistency with its other debug messages. [David]
+
+o [NSE] Added a new function, shortport.http, for HTTP script
+ portrules and changed 14 scripts to use it. [David]
+
+o Updated to the latest config.guess and config.sub. Thanks to Ty
+ Miller for a reminder. [David]
+
+o [NSE] Added prerule support to snmp-interfaces and the ability to
+ add the remote host's interface addresses to the scanning queue.
+ The new script arguments used for this functionality are "host"
+ (required) and "port" (optional). [Kris]
+
+o Fixed some inconsistencies in nmap-os-db and a small memory leak
+ that would happen where there was more than one round of OS
+ detection. These were reported by Xavier Sudre from
+ netVigilance. [David]
+
+o [NSE] Fixed a bug with worker threads calling the wrong destructors.
+ Fixing this allows better parallelism in http-brute.nse. The problem
+ was reported by Patrik Karlsson. [David, Patrick]
+
+o Upgraded the OpenSSL binaries shipped in our Windows installer to
+ version 1.0.0a. [David]
+
+o [NSE] Added prerule support to the dns-zone-transfer script,
+ allowing it to run early to discover IPs from DNS records and
+ optionally add those IPs to Nmap's target queue. You must specify
+ the DNS server and domain name to use with script
+ arguments. [Djalal]
+
+o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
+ a struct of the same name in netinet/sctp.h. This caused a
+ compilation error when Nmap was compiled with an OpenSSL that had
+ SCTP support. [Olli Hauer, Daniel Roethlisberger]
+
+o [NSE] Implemented a big cleanup of the Nmap NSE Nsock library
+ binding code. [Patrick]
+
+o Added a bunch of Apple and Netatalk AFP service detection
+ signatures. These often provide extra details such as whether the
+ target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]
+
+o [NSE] Host tables now have a host.traceroute member available when
+ --traceroute is used. This array contains the IP address, reverse
+ DNS name, and RTT for each traceroute hop. [Henri Doreau]
+
+o [NSE] Made the ftp-anon script return a directory listing when
+ anonymous login is allowed. [Gutek, David]
+
+o [NSE] Added the nmap.resolve() function. It takes a host name and
+ optionally an address family (such as "inet") and returns a table
+ containing all of its matching addresses. If no address family is
+ specified, all addresses for the name are returned. [Kris]
+
+o [NSE] Added the nmap.address_family() function which returns the address
+ family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
+ called with the -6 option). [Kris]
+
+o [NSE] Scripts can now access the MTU of the host.interface device using
+ host.interface_mtu. [Kris]
+
+o Restrict the default Windows DLL search path by removing the current
+ directory. This adds extra protection against DLL hijacking attacks,
+ especially if we were to add file type associations to Nmap in the
+ future. We implement this with the SetDllDirectory function when
+ available (Windows XP SP1 and later). Otherwise, we call
+ SetCurrentDirectory with the directory containing the
+ executable. [David]
+
+o Nmap now prints the MTU for interfaces in --iflist output. [Kris]
+
+o [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x
+ no longer supports. [Alexandru]
+
+o [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
+ Nmap NSE, allowing them to connect to servers which run multiple SSL
+ websites on one IP address. To enable this for NSE, the nmap.connect
+ function has been changed to accept host and port tables (like those
+ provided to the action function) in place of a string and a
+ number. [David]
+
+o [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added
+ support other DRDA based databases such as IBM Informix Dynamic
+ Server and Apache Derby. [Patrik]
+
+o [Nsock] Added a new function, nsi_set_hostname, to set the intended
+ hostname of the target. This allows the use of Server Name
+ Indication in SSL connections. [David]
+
+o [NSE] Limits the number of ports that qscan will scan (now up to 8
+ open ports and up to 1 closed port by default). These limits can be
+ controlled with the qscan.numopen and qscan.numclosed script
+ arguments. [David]
+
+o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
+ but no SSLv2 ciphers are offered. This happened with a specific
+ Sendmail configuration. [Matt Selsky]
+
+o [NSE] Added a "times" table to the host table passed to scripts.
+ This table contains Nmap's timing data (srtt, the smoothed round
+ trip time; rttvar, the rtt variance; and timeout), all represented
+ as floating-point seconds. The ipidseq and qscan scripts were
+ updated to utilize the host's timeout value rather than using a
+ conservative guess of 3 seconds for read timeouts. [Kris]
+
+o Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
+ which were improperly sending whole packets in version
+ 5.35DC1. [Kris]
+
+o [NSE] When receiving raw packets from Pcap, the packet capture time
+ is now available to scripts as an additional return value from
+ pcap_receive(). It is returned as the floating point number of
+ seconds since the epoch. Also added the nmap.clock() function which
+ returns the current time (and convenience functions clock_ms() and
+ clock_us()). Qscan.nse was updated to use this more accurate timing
+ data. [Kris]
+
+o [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch
+ source code analyzer (http://smatch.sourceforge.net/). [David]
+
+o [Zenmap] Fixed a crash that would happen after opening the search
+ window, entering a relative date criterion such as "after:-7", and
+ then clicking the "Expressions" button. The error message was
+ AttributeError: 'tuple' object has no attribute 'strftime'
+ [David]
+
+o Added a new packet payload--a NAT-PMP external address request for
+ port 5351/udp. Payloads help us elicit responses from listening UDP
+ services to better distinguish them from filtered ports. This
+ payload goes well with our new nat-pmp-info script. [David, Patrik]
+
+o Updated IANA IP address space assignment list for random IP (-iR)
+ generation. [Kris]
+
+o [Ncat] Ncat now uses case-insensitive string comparison when
+ checking authentication schemes and parameters. Florian Roth found a
+ server offering "BASIC" instead of "Basic", and the HTTP RFC
+ requires case-insensitive comparisons in most places. [David]
+
+o [NSE] There is now a limit of 1,000 concurrent running scripts,
+ instituted to keep memory under control when there are many open
+ ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
+ crash) for one host with tens of thousands of open ports. This limit
+ can be controlled with the variable CONCURRENCY_LIMIT in
+ nse_main.lua. [David]
+
+o The command line in XML output (/nmaprun/@args attribute) now does
+ quoting of whitespace using double quotes and backslashes. This
+ allows recovering the original command line array even when
+ arguments contain whitespace. [David]
+
+o Added a service detection probe for master servers of Quake 3 and
+ related games. [Toni Ruottu]
+
+o [Zenmap] Updated French translation. [Henri Doreau]
+
+o [Zenmap] Fixed an crash when printing a scan that had no output
+ (like a scan made by command-line Nmap). Henri Doreau noticed the
+ error. [David]
+
+Nmap 5.35DC1 [2010-07-16]
+
+o [NSE] Added 17 scripts, bringing the total to 131! They are
+ described individually in the CHANGELOG, but here is the list of new
+ ones:
+ afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie
+ http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
+ ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
+ ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls,
+ ntp-monlist .
+ Learn more about any of these at: https://nmap.org/nsedoc/
+
+o Performed a major OS detection integration run. The database has
+ grown to 2,608 fingerprints (an increase of 262) and many of the
+ existing fingerprints were improved. These include the Apple iPad
+ and Cisco IOS 15.X devices. We also received many fingerprints for
+ ancient Microsoft systems including MS-DOS with MS Networking Client
+ 3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
+ integration work at http://seclists.org/nmap-dev/2010/q2/283.
+
+o Performed a large version detection integration run. The number of
+ signatures has grown to 6,622 (an increase of 279). New signatures
+ include a remote administrative backdoor that a school famously used
+ to spy on its students, an open source digital currency scheme named
+ Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
+ Frozen Bubble. You can read David's highlights at
+ http://seclists.org/nmap-dev/2010/q2/385.
+
+o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
+ attributes. The nfs-acls and nfs-dirlist scripts were deleted
+ because all their features are supported by this script. [Djalal]
+
+o [NSE] Add new DB2 library and two scripts
+ - db2-brute.nse uses the unpwdb library to guess credentials for DB2
+ - db2-info.nse re-write of Tom Sellers script to use the new library
+ [Patrik]
+
+o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
+ scripts are:
+ - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
+ - ms-sql-config retrieves various configuration details from the server
+ - ms-sql-empty-password checks if the sa account has an empty password
+ - ms-sql-hasdbaccess lists database access per user
+ - ms-sql-query add support for running custom queries against the database
+ - ms-sql-tables lists databases, tables, columns and datatypes with optional
+ keyword filtering
+ - ms-sql-xp-cmdshell adds support for OS command execution to privileged
+ users
+ [Patrik]
+
+o [NSE] Added the afp-serverinfo script that gets a hostname, IP
+ addresses, and other configuration information from an AFP server.
+ The script, and a patch to the afp library, were contributed by
+ Andrew Orr and subsequently enhanced by Patrik and David.
+
+o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
+ The Windows RAS RPC service vulnerability MS06-025
+ (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
+ and the Windows DNS Server RPC vuln MS07-029
+ (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
+ Note that these are only run if you specify the "unsafe" script arg
+ because the implemented test crashes vulnerable services. [Drazen]
+
+o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
+ cache snooping by either sending non-recursive queries or by measuring
+ response times.
+
+o [Zenmap] Added the ability to print Nmap output to a
+ printer. [David]
+
+o [Nmap, Ncat, Nping] The default unit for time specifications is now
+ seconds, not milliseconds, and times may have a decimal point. 1000
+ now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
+ Floating point values such as 1.5 are now allowed. This affects the
+ following options:
+ Nmap:
+ --host-timeout
+ --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
+ --scan-delay --max-scan-delay
+ --stats-every
+ Ncat:
+ -d --delay
+ -i --idle-timeout
+ -w --wait
+ Nping:
+ --delay
+ --host-timeout
+ --icmp-orig-time --icmp-recv-time --icmp-trans-time
+ Some sanity checks have been added to catch what looks like an
+ attempt to use the old millisecond defaults. For example,
+ --host-timeout 10000 yields
+ Since April 2010, the default unit for --host-timeout is seconds,
+ so your time of "10000" is 2.8 hours. If this is what you want,
+ use "10000s".
+ QUITTING!
+ You can always disable the warning by giving an explicit unit.
+
+o [NSE] Scripts which take an argument for a time duration can now
+ have the duration be a number followed by a unit, like elsewhere in
+ Nmap. An example is "10m" for 10 minutes. The units understood are
+ "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
+ hours. Seconds are the default if no unit is specified. The new
+ function stdnse.parse_timespec does the parsing of these
+ formats. The qscan.delay script argument, which formerly interpreted
+ its argument as being in milliseconds, now defaults to seconds;
+ append "ms" to continue using the same numbers. [David]
+
+o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
+ that was in UnrealIRCd source code distributions between November
+ 2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
+ [Vlatko Kosturjak, Ron, David]
+
+o Ports are now considered open during a SYN scan if a SYN packet
+ (without the ACK flag) is received in response. This can be due to
+ an extremely rare TCP feature known as a simultaneous open or split
+ handshake connection. see http://bit.ly/tcp-sh and
+ http://seclists.org/nmap-dev/2010/q2/723. [Jah]
+
+o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
+ single connection and then exit, just like in normal listen mode.
+ Use the --keep-open option to get the old default inetd-like
+ behavior. This was suggested by David Millis. [David]
+
+o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
+ off-by-one stack overflow vulnerability in libopie by giving the FTP
+ service an overly long name. See
+ http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
+ details.
+
+o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
+ client hosts associated with a scanned target by sending NTPv2
+ Private Mode 'monitor' and 'peers' commands to the target. [Jah]
+
+o [NSE] Added http-php-version.nse from Gutek. This script retrieves
+ version-specific pages through a couple of magic PHP queries, which
+ can identify the PHP version even when a server doesn't advertise
+ it.
+
+o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
+ servers. Added a new category - fuzzer - for scripts like this.
+ [Michael Pattrick]
+
+o David made many improvements to the NSEDoc for individual scripts,
+ including adding @output sections to scripts which didn't have them.
+ He also improved the generated HTML with features like
+ auto-generating usage strings if the scripts don't include their own
+ and allowing the giant sidebar lists of scripts/libraries to expand
+ and contract. See https://nmap.org/nsedoc/.
+
+o UDP payloads are now stored in an external data file, nmap-payloads,
+ instead of being hard-coded in the executable. This makes it easier
+ to add your own payloads or disable those you find problematic. [Jay
+ Fink, David]
+
+o The Windows executable installer now uses LZMA compression instead
+ of zlib, making it about 15% smaller. See
+ http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]
+
+o Open XML elements are now closed in case of a fatal error, so the
+ output should at least be well-formed. There are new attributes
+ "exit" and "errormsg" in the finished element. "exit" is "success"
+ or "error". When it is "error", the "errormsg" attribute contains
+ the error message. Thanks to Grant Bartlett, who found a typo in the
+ new output. [David]
+
+o Fixed name resolution in environments where gethostbyname can return
+ IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
+ would wrongly use the first four bytes of the IPv6 address as an
+ IPv4 address. You could force this, at least on Debian, by adding
+ the line "options inet6" to /etc/resolv.conf or by running with
+ RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
+ Andersson, who also suggested the fix. [David]
+
+o Fixed the assignment of interface aliases to directly connected
+ routes on Linux, which was broken in 5.30BETA1 (it always assigned
+ the base interface instead of the alias). This was visible in the
+ host.interface variable passed to NSE scripts. The bug was reported
+ Victor Rudnev. [David]
+
+o When Nmap is passed a hostname such as google.com which resolves to
+ several IP addresses, Nmap now prints each IP address. It still
+ only scans the first one in the returned list. [David]
+
+o Nmap now works if you specify several target host names which
+ resolve to the same IP address. This can be useful when you are
+ scanning virtual-hosted web servers and want to see NSE results
+ specific to each site name even though they reside on the same
+ machine. [David]
+
+o Made a list of current Nmap SVN committers:
+ https://svn.nmap.org/nmap/docs/committers.txt
+
+o Added a new library, libnetutil, which contains about 2,700 lines of
+ networking related code which is now shared between Nmap and Nping
+ (it was previously duplicated by each tool). [Luis, David]
+
+o [NSE] http-passwd.nse now also checks for boot.ini to support
+ Windows targets. [Gutek]
+
+o Removed --interactive mode, a miniature shell whose primary purpose
+ was to hide command line arguments from the process list. It had
+ been broken (would segfault during the second scan) for at least 9
+ months and was rarely used. The fact that it was broken was reported
+ by Juan Carlos Castro. [David]
+
+o Added a version probe, match line, and UDP payload for the
+ serialnumberd service of Mac OS X Server. This service overrides
+ firewall settings to make itself visible, so it's useful for host
+ discovery. [Patrik]
+
+o Improved service detection match lines for:
+ - Oracle Enterprise Manager Agent and mupdate by Matt Selsky
+ - Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
+ Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
+ Communications Server, and Comdasys, SIParator and Glassfish SIP
+ by Patrik
+ - PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
+ HTTPd by Tom Sellers
+
+o Improved our brute force password guessing list by mixing in some
+ data sent in by Solar Designer of John the Ripper fame.
+
+o [Zenmap] IP addresses are now sorted by octet rather than their
+ string representation. For example, 10.1.1.2 is now sorted before
+ 10.1.1.10. This problem was reported by Norris Carden. [David]
+
+o [NSE] Added UDP header parsing support to packet.lua. [jah]
+
+o Fixed a bug in Libpcap which lead to Nmap hanging forever in some
+ cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3. The fix was
+ actually already available in upstream Libpcap, just not released.
+ We also had to make Nmap build with its own Libpcap on 64-bit OS X
+ if an already-installed system Libpcap has this bug. [David]
+
+o Updated our WinPcap to the new 4.1.2 release. [Rob Nicholls]
+
+o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
+ level of 0.9995 was used. Thanks to Marcin Hoffmann for noticing
+ the problem. [Kris]
+
+o [libpcap] Added a --disable-packet-ring option to force the use of
+ an older, slower packet capture mechanism on Linux. Before Linux
+ 2.6.27, the packet ring mechanism uses different-sized kernel
+ structures on 32- and 64-bit architectures, so a 32-bit program will
+ not run correctly on a 64-bit kernel. The older mechanism does not
+ have this flaw.
+
+o Fixed some errors in nmap-os-db, probably caused by incorrect string
+ replacement during integration. This patch is from James Cook.
+
+o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
+ allows setting the SO_BROADCAST option on sockets. Ncat now sets
+ this option unconditionally in connect mode to allow connections to
+ broadcast addresses (useful in UDP mode). [Daniel Miller]
+
+o Nmap now works with "teamed" network interfaces on Windows. In order
+ to distinguish the interfaces, their textual descriptions are now
+ compared in addition to their MAC addresses. Without this, Nmap
+ would send on the wrong interface and not receive any replies. A
+ symptom of this problem was all scans failing except when
+ --unprivileged was used. Norris Carden reported this bug. [David]
+
+o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
+ prints the connecting source port along with the IP address (when
+ verbosity is enabled). [Rebellis]
+
+o Fixed a problem where the time variable used in some port scanning
+ algorithms (for probe timeouts, etc) could vary based on the
+ debugging level. [Kris]
+
+o Moved the parse_long function from ncat to nbase for better reuse,
+ and used it to simplify netmask parsing code. [William Pursell]
+
+o Added EPROTO to the list of known error codes in service scan. Daniel
+ Miller reported that an EPROTO was causing Nmap to exit after sending
+ the Sqlping probe during service scan. The error message was
+ "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
+ error)". We suspect this was caused by a forged ICMP packet sent by an
+ active firewall. [David]
+
+o [NSE] Improved smtp-commands.nse to work against more mail servers,
+ made it take an smtp-commands.domain script argument, and rewrote it
+ in the style of other smtp scripts. [Jasey DePriest]
+
+o [NSE] Made smtp-commands run for the services smtp, smtps,
+ submission rather than just smtp. The other smtp scripts already do
+ this. [David]
+
+o [NSE] The dns-recursion script now marks the port as open when it
+ gets a response. [Olivier M]
+
+o [Nping] A big correctness and code cleanliness audit was performed
+ which resulted in many bugs being fixed and much more code being
+ shared with Nmap rather than duplicated. A structured testing
+ script system was also created. [Luis, David]
+
+o [Nping] Now allows a --count value of zero to run almost
+ indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]
+
+o [Nping] Fixed --data argument parsing. The value passed was not
+ actually making it into outgoing packets. Reported by Tim
+ Poth. [Luis]
+
+o [Nping] When a RST packet is received in response to a connection
+ attempt in TCP-Connect mode, Nping now properly prints "Connection
+ refused" rather than "Operation now in progress". [Luis]
+
+o [Nping] Fixed a bug which caused failure when the first supplied
+ target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
+ tcpdump.com). [Luis]
+
+o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
+ and printing of packets Nping sent or which are destined for another
+ process. [Luis]
+
+o [Nping] Fixed a bug which prevented ARP replies from being displayed
+ properly. [Luis]
+
+o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
+ be set in host byte order rather than proper network byte
+ order. [Luis]
+
+o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]
+
+o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
+ 1.8.2. Among other changes, this fixes a segmentation fault reported
+ by some OS X 10.6.3 users.
+
+o Nsock now supports an option to remove its Pcap support. This
+ allows the same Nsock to be shared with Nmap (which needs that
+ support) and Ncrack (which doesn't.) Pcap support can be disabled by
+ specifying --disable-pcap at configure time on UNIX, or by selecting
+ the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
+ Windows.
+
+o Sped up compilation by not building both shared and static libdnet
+ libraries--we only use the static one. [David]
+
+o [NSE] Improved error handling and reporting and re-designed communication
+ class in RPC library with patch from Djalal Harouni. [Patrik]
+
+o Upgraded the included libpcap to version 1.1.1. [David]
+
+o [NSE] Add some special-use IPv4 addresses to isPrivate which are
+ described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
+ performance of isPrivate for IPv4 addresses by using ip_in_range
+ less frequently. Add an extra return value to isPrivate - when the
+ first return value is true, the second return value will now be a
+ string representing the special use assignment in which the supplied
+ address is located. [jah]
+
+o Fix compilation on OpenSolaris. We had to make the libdnet autoconf
+ check for PF_PACKET Linux-specific. Recent versions of OpenSolaris
+ support PF_PACKET, but not in a way which is entirely compatible
+ with the Linux approach. This problem was reported by Darren Reed. A
+ few other minor compatibility changes were made as well. [David]
+
+o [NSE] Added script arguments "username" and "password" to ftp-bounce
+ to override the default anonymous:IEUser@ login combination. [Kris]
+
+o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]
+
+o [NSE] Added an snmpWalk() function to the SNMP library and updated
+ scripts to use it. [Patrik]
+
+o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
+ nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
+ [Jah]
+
+o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.
+
+o Updated IANA IP address space assignment list for random IP (-iR)
+ generation. [Kris]
+
+o Created a new directory for storing todo lists for Nmap and related
+ projects. You can see what we're working on and planning by
+ visiting https://nmap.org/svn/todo/.
+
+o [NSE] Removed explicit time limit checking from ms-sql-brute,
+ pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
+ library does this automatically now. [David]
+
+o [NSE] Correct global access errors in afp.lua reported by Patrick Donnelly
+ [Patrik]
+
+o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
+ name in the MySQL library. [Kris]
+
+o Cleaned up our Winpcap header file directory, and also updated to
+ the latest files from the official developer pack
+ (WpdPack_4_1_1.zip). [Fyodor]
+
+o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
+ results for RPC programs which could not be matched to a
+ name. [Patrik]
+
+o [NSE] The ftp-anon script is now much smarter about parsing server
+ responses and detecting successful (or not) logins. It now knows
+ how to send the ACCT command where appropriate as well. [Rob
+ Nicholls]
+
+o Normalized a bunch of version detection entries with "webserver" in
+ the description. In most cases this was changed to "httpd".
+
+o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
+ case that one system read ends with \r and the next begins with \n
+ (should be rare). [David]
+
+o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles
+ to be 32 octets when calling the ReadDir function. The bug was reported by
+ Djalal Harouni. [Patrik]
+
+Nmap 5.30BETA1 [2010-03-29]
+
+o [NSE] Added 37 scripts, bringing the total to 117! They are
+ described individually in the CHANGELOG, but here is the list of new
+ ones:
+ afp-brute afp-path-vuln afp-showmount couchdb-databases
+ couchdb-stats daap-get-library db2-das-info dns-service-discovery
+ http-methods http-vmware-path-vuln ipidseq jdwp-version ldap-brute
+ ldap-rootdse ldap-search lexmark-config mongodb-databases
+ mongodb-info mysql-brute mysql-databases mysql-empty-password
+ mysql-users mysql-variables nfs-acls nfs-dirlist nfs-statfs
+ pgsql-brute qscan smtp-enum-users snmp-interfaces snmp-netstat
+ snmp-processes snmp-win32-services snmp-win32-shares
+ snmp-win32-software snmp-win32-users ssl-enum-ciphers
+ .
+ Learn more about any of these at: https://nmap.org/nsedoc/
+
+o [NSE] New script afp-path-vuln detects and can exploit a major Mac
+ OS X AFP directory traversal vulnerability (CVE-2010-0533)
+ discovered by Nmap developer Patrik Karlsson. See
+ https://nmap.org/nsedoc/scripts/afp-path-vuln.html and
+ http://bit.ly/nmapafp.
+
+o An ALPHA TEST VERSION of Nping, a packet generator written by Luis
+ MartinGarcia and Fyodor last summer, is now included in the Nmap
+ distribution. While it works, we consider the application unfinished
+ and we hope to improve it greatly as a Summer of Code project this
+ summer and then do an official release. See https://nmap.org/nping/.
+
+o [NSE] Added RPC library and three new NFS scripts. Modified the
+ rpcinfo and nfs-showmount scripts to use the new library. The new
+ scripts are:
+ - nfs-acls shows the owner and directory mode of NFS exports
+ (https://nmap.org/nsedoc/scripts/nfs-acls.html).
+ - nfs-dirlist lists the contents of NFS exports
+ (https://nmap.org/nsedoc/scripts/nfs-dirlist.html)
+ - nfs-statfs shows file system statistics for NFS exports
+ (https://nmap.org/nsedoc/scripts/nfs-statfs.html).
+ [Patrik]
+
+o [NSE] Added the new dns-service-discovery script which uses DNS-SD
+ to identify services. DNS-SD is one part of automatic configuration
+ technologies known by names such as Bonjour, Rendezvous, and
+ Zeroconf. This one script can provide as much information as a full
+ port scan in some cases. See
+ https://nmap.org/nsedoc/scripts/dns-service-discovery.html . [Patrik
+ Karlsson]
+
+o [NSE] New script afp-brute for brute force authentication attempts
+ against the Apple AFP filesharing protocol. See
+ https://nmap.org/nsedoc/scripts/afp-brute.html . [Patrik]
+
+o [NSE] Added a new script afp-showmount which displays Apple AFP
+ shares and their permissions. See
+ https://nmap.org/nsedoc/scripts/afp-showmount.html . [Patrik]
+
+o [NSE] Added the qscan script to repeatedly probe ports on a host to
+ gather round-trip times for each port. The script then uses these
+ times to group together ports with statistically equivalent round
+ trip times. Ports in different groups could be the result of things
+ such as port forwarding to hosts behind a NAT. It is based on work
+ by Doug Hoyte. This script also utilizes the new NSE raw IP sending
+ functionality. See https://nmap.org/nsedoc/scripts/qscan.html . [Kris]
+
+o [NSE] Added a new script, db2-das-info.nse, that connects to the IBM
+ DB2 Administration Server (DAS) exports the server profile. No
+ authentication is required for this request. The script will also
+ set the port product and version if a version scan is requested. See
+ https://nmap.org/nsedoc/scripts/db2-das-info.html . [Patrik Karlsson,
+ Tom Sellers]
+
+o [NSE] Added a new library for ASN.1 parsing and adapted the SNMP
+ library to make use of it. Added 5 SNMP scripts that use the new
+ libraries:
+ - snmp-netstat shows listening and connected
+ sockets (https://nmap.org/nsedoc/scripts/snmp-netstat.html).
+ - snmp-processes shows process information including name, pid, path
+ & parameters (https://nmap.org/nsedoc/scripts/snmp-processes.html).
+ - snmp-win32-services shows the names of running Windows services
+ (https://nmap.org/nsedoc/scripts/snmp-win32-services.html).
+ - snmp-win32-shares shows the names and path of Windows shares
+ (https://nmap.org/nsedoc/scripts/snmp-win32-shares.html).
+ - snmp-win32-software shows a list of installed Windows software
+ (https://nmap.org/nsedoc/scripts/snmp-win32-software.html).
+ - snmp-win32-users shows a list of local Windows users
+ (https://nmap.org/nsedoc/scripts/snmp-win32-users.html).
+ [Patrik]
+
+o [NSE] Added the snmp-interfaces script by Thomas Buchanan, which
+ enumerates network interfaces over SNMP. See
+ https://nmap.org/nsedoc/scripts/snmp-interfaces.html .
+
+o [NSE] Added http-vmware-path-vuln.nse, which checks for a critical
+ and easy to exploit path-traversal vulnerability in VMWare
+ (CVE-2009-3733). See
+ https://nmap.org/nsedoc/scripts/http-vmware-path-vuln.html . [Ron]
+
+o [NSE] Added a new library for LDAP and three new scripts by Patrik:
+ - ldap-brute uses the unpwdb library to guess credentials for LDAP
+ (https://nmap.org/nsedoc/scripts/ldap-brute.html).
+ - ldap-rootdse retrieves the LDAP root DSA-specific Entry (DSE)
+ (https://nmap.org/nsedoc/scripts/ldap-rootdse.html).
+ - ldap-search queries a LDAP directory for either
+ all, or a number of pre-defined object types
+ (https://nmap.org/nsedoc/scripts/ldap-search.html).
+
+o [NSE] Added a new library for PostgreSQL and the script pgsql-brute
+ that uses it to guess credentials. See
+ https://nmap.org/nsedoc/scripts/pgsql-brute.html . [Patrik]
+
+o [NSE] Added 5 new MySQL NSE scripts and a MySQL library by Patrik Karlsson:
+ - mysql-brute uses the unpwdb library to guess credentials for MySQL
+ (https://nmap.org/nsedoc/scripts/mysql-brute.html).
+ - mysql-databases queries MySQL for a list of databases
+ (https://nmap.org/nsedoc/scripts/mysql-databases.html).
+ - mysql-empty-password attempts to authenticate anonymously or as
+ root with an empty password
+ (https://nmap.org/nsedoc/scripts/mysql-empty-password.html).
+ - mysql-users queries MySQL for a list of database users
+ (https://nmap.org/nsedoc/scripts/mysql-users.html).
+ - mysql-variables queries MySQL for its variables and their
+ settings (https://nmap.org/nsedoc/scripts/mysql-variables.html).
+
+o Improved the passwords.lst database used by NSE by combining several
+ leaked password databases collected by Ron Bowes. The size of the
+ database has been increased from 200 to 5000.
+
+o Zenmap's "slow comprehensive scan profile" has been modified to use
+ the best 7-probe host discovery combination we were able to find in
+ extensive empirical testing
+ (http://www.bamsoftware.com/wiki/nmap/EffectivenessOfPingProbes).
+ That combination is "-PE -PP -PS21,22,23,25,80,113,31339
+ -PA80,113,443,10042 -PO". [David]
+
+o Switched to -Pn and -sn and as the preferred syntax for skipping
+ ping scan and skipping port scan, respectively. Previously the -PN
+ and -sP options were recommended. This establishes a more regular
+ syntax for some options that disable phases of a scan:
+ + -n no reverse DNS
+ + -Pn no host discovery
+ + -sn no port scan
+ We also felt that the old -sP ("ping scan") option was a bit
+ misleading because current versions of Nmap can go much further
+ (including -sC and --traceroute) even with port scans disabled. We
+ will retain support for the previous option names for the foreseeable
+ future.
+
+o [NSE] Added the ipidseq script to classify a host's IP ID sequence
+ numbers in the same way Nmap does. This can be used to test hosts'
+ suitability for Nmap's Idle Scan (-sI), i.e. check if a host is an
+ idle zombie. This is the first script to use the new raw IP sending
+ functionality in NSE. See
+ https://nmap.org/nsedoc/scripts/ipidseq.html . [Kris]
+
+o [NSE] Added the ssl-enum-ciphers script by Mak Kolybabi. It lists
+ the ciphers and compressors supported by SSL/TLS servers. See
+ https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html .
+
+o [NSE] Added two new scripts for the MongoDB database from Martin
+ Holst Swende. mongodb-info
+ (https://nmap.org/nsedoc/scripts/mongodb-info.html) gets information
+ like the version number, memory use, and operating system, while
+ mongodb-databases
+ (https://nmap.org/nsedoc/scripts/mongodb-databases.html) lists the
+ databases and their size on disk.
+
+o [NSE] Added the scripts couchdb-databases and couchdb-stats, which
+ list CouchDB databases and show access statistics, and a new
+ json.lua library they depend on. See
+ https://nmap.org/nsedoc/scripts/couchdb-databases.html and
+ https://nmap.org/nsedoc/scripts/couchdb-stats.html [Martin Holst
+ Swende]
+
+o [NSE] Added the new lexmark-config script that lists product
+ information and configuration for Lexmark printers. See
+ https://nmap.org/nsedoc/scripts/lexmark-config.html . [Patrik
+ Karlsson]
+
+o [NSE] Added the new daap-get-library script which uses the Digital
+ Audio Access Protocol to enumerate the contents of a library. The
+ contents contain the name of the artist, album and song. See
+ https://nmap.org/nsedoc/scripts/daap-get-library.html . [Patrik]
+
+o [NSE] Added jdwp-version.nse, a script by Michael Schierl that finds
+ the version of a Java Debug Wire Protocol server. This is a
+ dangerous service to find running as it does not provide any
+ security against malicious attackers who can inject their own
+ bytecode into the debugged process. See
+ https://nmap.org/nsedoc/scripts/jdwp-version.html .
+
+o [NSE] Added the smtp-enum-users script from Duarte Silva, which
+ attempts to find user account names over SMTP by brute force testing
+ using RCPT, VRFY, and EXPN tests.
+
+o [NSE] The unpwdb library now has a default time limit on the
+ usernames and passwords iterators. This will prevent brute force
+ scripts from running for a long time when a service is slow. These
+ new script arguments control the limits:
+ - unpwdb.userlimit Limit on number of usernames.
+ - unpwdb.passlimit Limit on number of passwords.
+ - unpwdb.timelimit Time limit in seconds.
+ Pass 0 for any of these limits to disable it. For more details, see
+ https://nmap.org/nsedoc/lib/unpwdb.html . [David]
+
+o When --open is used, Nmap no longer prints output for hosts which
+ don't have any open ports. All output formats are treated the same
+ way, so if a host isn't shown in normal output, it won't be shown in
+ XML output either.
+
+o [NSE] Added the script http-methods from Bernd Stroessenreuther.
+ This script sends an HTTP OPTIONS request to get the methods
+ supported by the server, highlights potentially risky methods, and
+ optionally tests each method to see if they are restricted by IP
+ address or something similar. See
+ https://nmap.org/nsedoc/scripts/http-methods.html .
+
+o The -v and -d options are now handled in the same way. These three
+ forms are equivalent:
+ -v -v -v -vvv -v3
+ -d -d -d -ddd -d3
+ Formerly, the -ddd and -v3 forms didn't work. Mak Kolybabi submitted
+ a patch.
+
+o Fixed a libpcap compilation error on Solaris. This was actually
+ fixed in libpcap's source control back in 2008, but they haven't made
+ a release since then :(. They still seem to be actively developing
+ though, so let's hope for a release soon. Solaris compilation fixes
+ were made to Ncat and Nping as well.
+
+o Zenmap now lets you save scan results in normal Nmap text output
+ format or (as before) as XML. The XML format still has the text
+ version embedded inside it, and is still the only format Zenmap can
+ load again. The "Save to Directory" mode for saving multiple
+ aggregated scans at once still always saves XML results. [David]
+
+o Fixed the packaging of x64 versions of WinPcap drivers in the
+ winpcap-nmap installer to ensure that 64-bit applications (such as
+ 64-bit Wireshark) work properly. [Rob Nicholls]
+
+o Fixed the Idle Scan (-sI) so that scanning multiple hosts doesn't
+ retest the zombie proxy and reinitialize all of the associated data
+ at the beginning of each run. [Kris]
+
+o [NSE] Raw packet sending at the IP layer is now supported, in
+ addition to the existing Ethernet sending functionality. Packets to
+ send start with an IPv4 header and can be sent to arbitrary
+ hosts. For details, see
+ https://nmap.org/book/nse-api.html#nse-api-networkio-raw [Kris]
+
+o Added version detection match line for the Arucer backdoor, which was
+ found packaged with drivers for the Energizer USB recharger product
+ (see http://www.kb.cert.org/vuls/id/154421). [Ron]
+
+o Fixed --resume to work again despite our recent changes to the Nmap
+ output format. [jlanthea]
+
+o [Zenmap] Localized most of the remaining strings in the GUI
+ interface which were English-only. The actual textual Nmap results
+ are still in English since Nmap, but the GUI is now almost fully
+ localized. [David]
+
+o [Zenmap] Updated the localization files for the French
+ translation. [Gutek]
+
+o [Zenmap] Fixed an interface bug which could cause hostnames with
+ underscores like "host_a" to be rendered like "hosta" with the "a"
+ underlined. Thanks to Toralf F. for the report, and David for the
+ fix.
+
+o Nmap now honors routing table entries that override interface
+ addresses and netmasks. For example, with this configuration:
+ ************************INTERFACES************************
+ DEV (SHORT) IP/MASK TYPE UP MAC
+ eth0 (eth0) 192.168.0.21/24 ethernet up 00:00:00:00:00:00
+ .
+ **************************ROUTES**************************
+ DST/MASK DEV GATEWAY
+ 192.168.0.3/32 eth0 192.168.0.1
+ 192.168.0.0/24 eth0
+ Nmap will not consider 192.168.0.3 directly connected through eth0,
+ even though it matches the interface's netmask. It won't try to ARP
+ ping 192.168.0.3, but will route traffic through 192.168.0.1.
+
+o [Ncat] The HTTP proxy server now accepts client connections over
+ SSL. That means connections to the proxy can be encrypted and
+ authenticated. We haven't found any HTTP clients that directly
+ support SSL connections to proxies, but you can use Ncat as a tunnel
+ to an SSL-supporting Ncat proxy. This new feature was implemented by
+ Markus Klinik.
+
+o Updated our Mac OS X build system so that our binary packages are
+ built on Mac OS X 10.6 rather than 10.5. [David]
+
+o Fixed reading of the interface table on NetBSD. Running nmap
+ --iflist would report "INTERFACES: NONE FOUND(!)" and any scan done
+ as root would fail with "WARNING: Unable to find appropriate
+ interface for system route to...". This was first reported by Jay
+ Fink, and had already been patched in the NetBSD pkgsrc
+ tree. [David]
+
+o Fixed a bug in traceroute that could happen when directly connected
+ and routed targets were in the same hostgroup. If the first target
+ was directly connected, the traceroute for all targets in the group
+ would have a trace of one hop.
+
+o ARP requests now work with libpcap Linux "cooked" encapsulation.
+ According to http://wiki.wireshark.org/SLL, this encapsulation is
+ used on devices "where the native link layer header isn't available
+ or can't be used." Before this, attempting any ARP operation on such
+ an interface would fail with the error
+ read_arp_reply_pcap called on interfaces that is datatype 113
+ rather than DLT_EN10MB (1)
+ [David]
+
+o Fixed the display of route netmask bits in --iflist on little-endian
+ architectures. Formerly, any mask less than /24 was shown as /0, and
+ other masks were also wrong. [David]
+
+o Fixed an assertion failure which could occur when connecting to an
+ SSL server:
+ nsock_core.c:199: socket_count_write_dec: Assertion `(iod->writesd_count)
+> 0' failed.
+ This was observed when running the http-enum script but could
+ possibly have happened in other situations. Thanks to Brandon for
+ reporting the bug and testing. [David]
+
+o Added the function bignum_add to the nse_openssl library to support
+ BIGNUM addition [Patrik]
+
+o The redistributable Visual C++ runtime components installer
+ (vcredist_x86.exe) has been upgraded to version 9.0.30729.4148. Axel
+ Pettinger reported that the previous version 9.0.30729.17, caused a
+ Windows Update on Windows 7 because of Microsoft security advisory
+ MS09-035.
+
+o [Ncat] Fixed an error that could make programs run with --exec exit
+ prematurely on Windows. The problem was related to a program writing
+ too quickly into a non-blocking socket. A symptom was the message:
+ NCAT DEBUG: Subprocess ended with exit code 259.
+ Reported by David Millis. [David]
+
+o [Ncat] Fixed a bug that prevented detection of EOF from stdin on
+ Windows. Reported by Adrian Crenshaw and Andy Zwirko. [David]
+
+o [Nsock] WSAEACCES was added to the list of known connect error
+ codes. This error can happen on Windows when a port is blocked by
+ Windows Firewall. Thanks to Taemun for reporting this and
+ investigating.
+
+o XML output now only includes host elements for down hosts in verbose
+ mode. This makes it consistent with the other output formats.
+
+o [NSE] Fixed http-enum so it uses the full path name for the
+ fingerprints file. This prevents it from quitting with an error like
+ this:
+ NSE: http-enum: Attempting to parse fingerprint file
+ nselib/data/http-fingerprints NSE: http-enum against
+ 10.99.24.140:443 threw an error! C:\Program
+ Files\Nmap\scripts\http-enum.nse:198: bad argument #1 to 'lines'
+ (nselib/data/http-fingerprints: No such file or directory) stack
+ traceback:
+ [Kris, Brandon, Ron Meldau]
+
+o [NSE] Added a missing dirname function to http-favicon. Its absence
+ was causing this error message when a web page specified a relative
+ icon URL in a link element:
+ http-favicon.nse:141: variable 'dirname' is not declared
+ [David, Ron Meldau]
+
+o Fixed the parsing of libdnet DLPI interface names that contain more
+ than one string of digits. Joe Dietz reported that an interface with
+ the name e1000g0 was causing this error message on Solaris 9:
+ Warning: Unable to open interface e1000g0 -- skipping it.
+ [David]
+
+o [NSE] Added the function nmap.is_privileged() to tell a script if,
+ as far as Nmap's concerned, it can do privileged operations. For
+ instance, this can be used to determine whether a script can open a
+ raw socket or Ethernet interface. [Kris]
+
+o [NSE] Added the function nmap.get_ports() so scripts can iterate
+ over a host's port table entries matching a given protocol and
+ state. [Kris, Patrick]
+
+o [Ncat] Fixed a handle leak with --exec and --sh-exec on Windows,
+ found by Jon Greaves. One thread handle was being leaked per child
+ process invocation. [David]
+
+o [NSE] nbstat.nse can now look up the MAC prefix vendor string. Other
+ scripts can now do the same thing using the
+ datafiles.parse_mac_prefixes function. [Thomas Buchanan]
+
+o Remove the PYTHONPATH and PYTHONHOME variables from the environment
+ before executing a sub-ndiff if they exist and if Zenmap is running
+ in a py2app bundle. These variables are set by py2app to point
+ inside our application bundle. Having them set in the environment
+ makes Ndiff use the same settings because it is also a Python
+ application. Deleting the variables is somewhat wrong, because the
+ user may have set those outside of Zenmap expecting them to be used
+ with their system-installed Python programs. But this is at least no
+ worse than before our build system update, because previously py2app
+ was stomping on the variables anyway. [David]
+
+o [Ncat] Fixed a segmentation fault caused by access to freed memory.
+ It could be triggered by making multiple connections to a server
+ that was constantly sending in SSL mode, such as:
+ ncat -l -k --ssl < /dev/zero
+ This bug was reported by Mak Kolybabi. [David]
+
+o [NSE] Moved the smtp-open-relay.nse script out of the "demo"
+ category after improvements by Duarte Silva. We have now met the
+ goal of removing all scripts from that category.
+
+o [NSE] Fixed a bug which prevented smb-brute from properly detecting
+ account lockouts, which could lead to lockouts of many accounts on
+ the target machine. Now smb-brute tries to check the lockout policy
+ before starting and refuses to run (unless you force it to with the
+ smblockout variable) if lockouts are enabled or if it locks out an
+ account. [Ron]
+
+o [NSE] Rewrote smb-enum-domains to be more generalized and rely on
+ library functions which will eventually be shared with
+ smb-brute. [Ron]
+
+o Qualified an assertion to allow zero-byte sends in Nsock. Without
+ this, an NSE script could cause this assertion failure by doing
+ socket:send(""):
+ nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
+ [David]
+
+o Added a service probe for Logitech SqueezeCenter command line interface
+ [Patrik]
+
+o Improved PostgreSQL match lines by matching the line of the error to a
+ specific version [Patrik].
+
+o Added a mac_addr_next_hop member to the host tables used in NSE for
+ scripts which need to know the MAC address of the next hop router
+ for reaching a target host. [Michael Pattrick, KX].
+
+o Removed the nmap_service.exe helper program for smb-psexec, as it
+ was still being flagged by malware detection even after the
+ bit-flipping in the next release. In fact, the obfuscation backfired
+ and caused more false positives! You can now download it from
+ https://nmap.org/psexec/nmap_service.exe. (The script will remind you
+ if you run the script and it's not installed.)
+
+o Added service probes and UDP payloads for games based on the Quake 2
+ and Quake 3 engine, submitted by Mak Kolybabi.
+
+o [Ncat] Added support for HTTP digest authentication of proxies, as
+ both client and server. Previously only the less secure basic
+ authentication method was supported. [Venkat, David]
+
+o Improved the MIT Kerberos version detection signatures. [Matt Selsky]
+
+o [Ndiff] Show a nicer error message when an input file can't be
+ loaded. Suggested by Derril Lucci, who also contributed a patch.
+
+o [NSE] Added a new library afp.lua which handles the Apple Filing
+ Protocol (AFP) filesharing system. The library handles
+ authentication and many other protocol features, and enables the new
+ afp-path-vuln, afp-brute, and afp-showmount scripts. [Patrik]
+
+o Added an Apple Filing Protocol service probe that detects Netatalk
+ servers. (Apple's AFP servers are coincidentally triggered by the
+ SSLSessionReq probe.) [Patrik Karlsson]
+
+o [NSE] Fixed packet.lua so that functions used to set packet header
+ fields (e.g. ip_set_ttl) also set the appropriate variables used to
+ access the data (e.g. ip_ttl). [Kris]
+
+o Updated and corrected IANA assignment IP list for random IP (-iR)
+ generation. Now even 001/8 has been allocated. [Kris]
+
+Nmap 5.21 [2010-01-27]
+
+o [Zenmap] Added a workaround for a Ubuntu Python packaging idiosyncrasy.
+ As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies
+ self.prefix, a variable we use in the setup.py script. This would
+ cause Zenmap to look in the wrong place for its configuration files,
+ and show the dialog "Error creating the per-user configuration
+ directory" with the specific error "[Errno 2] No such file or
+ directory: '/usr/share/zenmap/config'". This problem was reported by
+ Chris Clements, who also helped debug. [David]
+
+o Fixed an error that occurred when UDP scan was combined with version
+ scan. UDP ports would appear in the state "unknown" at the end of
+ the scan, and in some cases an assertion failure would be raised.
+ This was an unintended side effect of the memory use reduction
+ changes in 5.20. The bug was reported by Jon Kibler. [David]
+
+o [NSE] Did some simple bit-flipping on the nmap_service.exe program
+ used by the smb-psexec script, to avoid its being falsely detected
+ as malware. [Ron]
+
+o [NSE] Fixed a bug in http.lua that could lead to an assertion
+ failure. It happened when there was an error getting the a response
+ at the beginning of a batch in http.pipeline. The symptoms of the
+ bug were:
+ NSE: Received only 0 of 1 expected reponses.
+ Decreasing max pipelined requests to 0.
+ NSOCK (0.1870s) Write request for 0 bytes...
+ nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
+ The error was reported by Brandon Enright and pyllyukko.
+
+o [NSE] Restored the ability of http.head to return a body if the
+ server returns one. This was lost in the http.lua overhaul from
+ 5.20. [David]
+
+o [NSE] Fixed the use of our strict.lua library on distributions that
+ install their own strict.lua. The error message was
+ nse_main.lua:97: attempt to call a boolean value
+ It was reported by Onur K. [Patrick]
+
+o Fixed handing of nameserver entries in /etc/resolv.conf so it could
+ handle entries containing more than 16 bytes, which can occur with
+ IPv6 addresses. Gunnar Lindberg reported the problem and
+ contributed an initial patch, then Brandon and Kris refined and
+ implemented it.
+
+o [NSE] Corrected a behavior change in http.request that was
+ accidentally made in 5.20: it could return nil instead of a table
+ indicating failure. [David]
+
+o [NSE] Fixed the use of an undefined variable in smb-enum-sessions,
+ reported by Brandon. [Ron]
+
+o Fixed a compiler error when --without-liblua is used. [Brandon]
+
+o [NSE] Fixed an error with running http-enum.nse along with the
+ --datadir option. The script would report the error
+ http-enum.nse:198: bad argument #1 to 'lines'
+ (nselib/data/http-fingerprints: No such file or directory)
+ The error was reported by Ron Meldau and Brandon. [Kris]
+
+o Added a function that was missing from http-favicon.nse. Its absence
+ would cause the error
+ http-favicon.nse:141: variable 'dirname' is not declared
+ when a web page specified an relative icon URL through the link
+ element. This bug was reported by Ron Meldau. [David]
+
+o Fixed a bug with the decoding of NMAP OID component values greater
+ than 127. [Patrik Karlsson, David]
+
+Nmap 5.20 [2010-01-20]
+
+o Dramatically improved the version detection database, integrating
+ 2,596 submissions that users contributed since February 3, 2009!
+ More than a thousand signatures were added, bringing the total to
+ 8,501. Many existing signatures were improved as well. Please keep
+ those submissions and corrections coming! Nmap prints a submission
+ URL and fingerprint when it receives responses it can't yet
+ interpret.
+
+o [NSE] Added a new script, oracle-sid-brute, which queries the Oracle
+ TNS-listener for default instance/sid names. The SID enumeration
+ list was prepared by Red Database security. See
+ https://nmap.org/nsedoc/scripts/oracle-sid-brute.html . [Patrik
+ Karlsson]
+
+o [Ncat] The --ssl, --output, and --hex-dump options now work with
+ --exec and --sh-exec. Among other things, this allows you to make a
+ program's I/O available over the network wrapped in SSL encryption
+ for security. It is implemented by forking a separate process to
+ handle network communications and relay the data to the
+ sub-process. [Venkat, David]
+
+o Nmap now tries start the WinPcap NPF service on Windows if it is not
+ already running. This is rare, since our WinPcap installer starts
+ NPF running at system boot time by default. Because starting NPF
+ requires administrator privileges, a UAC dialog for net.exe may
+ appear on Windows Vista and Windows 7 before NPF is loaded. Once
+ NPF is loaded, it generally stays loaded until you reboot or run
+ "net stop npf". [David, Michael Pattrick]
+
+o The Nmap Windows installer and our WinPcap installer now have an
+ option /NPFSTARTUP=NO, which inhibits the installer from setting the
+ WinPcap NPF service to start at system startup and at install-time.
+ This option only affects silent mode (/S) because existing GUI
+ checkboxes allow you to configure this behavior during interactive
+ installation. [David]
+
+o [NSE] Replaced our runlevel system for managing the order of script
+ execution with a much more powerful dependency system. This allows
+ scripts to specify which other scripts they depend on (e.g. a brute
+ force authentication script might depend on username enumeration
+ scripts) and NSE manages the order. Dependencies only enforce
+ ordering, they cannot pull in scripts which the user didn't
+ specify. See
+ https://nmap.org/book/nse-script-format.html#nse-format-dependencies
+ [Patrick]
+
+o [Ncat] For compatibility with Hobbit's original Netcat, The -p
+ option now works to set the listening port number in listen mode.
+ So "ncat -l 123" can now be expressed as "ncat -l -p 123"
+ too. [David]
+
+o A new script argument, http.useragent, lets you modify
+ the User-Agent header sent by NSE from its default of "Mozilla/5.0
+ (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)".
+ Set it to the empty string to disable the User-Agent
+ entirely. [David, Tom Sellers, Jah]
+
+o [Zenmap] The locale setting had been taken from the Windows locale,
+ which inadvertently made setting the locale with the LANG
+ environment variable stop working. Now the LANG variable is examined
+ first, and if that is not present, the system-wide setting is
+ used. This change allows users to keep Zenmap in its original
+ English (or any of Zenmap's other languages) even if their system is
+ set to use a different locale. [David]
+
+o [NSE] The http-favicon script is now better at finding "link
+ rel=icon" tags in pages, and uses that icon in preference to
+ /favicon.ico if found. If the favicon.uri script arg is given, only
+ that is tried. Meanwhile, a giant (10 million web servers) favicon
+ scan by Brandon allowed us to add about 40 more of the most popular
+ icons to the DB. [David, Brandon]
+
+o [NSE] smb-psexec now works against Windows XP (as well as
+ already-supported Win2K and Windows 2003). The solution involved
+ changing the seemingly irrelevant PID field in the SMB packet. See
+ http://seclists.org/nmap-dev/2010/q1/13. [Ron]
+
+o [NSE] Fixed a bug which kept the nselib/data/psexec subdirectory out
+ of the Windows packages. We needed to add the /s and /e options to
+ xcopy in our Visual C++ project file. [David]
+
+o [NSE] Overhauled our http library to centralize HTTP parsing and
+ make it more robust. The biggest user-visible change is that
+ http.request goes back to returning a parsed result table rather than raw
+ HTTP data. Also the http.pipeline function no longer accepts the
+ no-longer-used "raw" option. [David]
+
+o Fixed a bug in traceroute that could lead to a crash:
+ terminate called after throwing an instance of 'std::out_of_range'
+ what(): bitset::test
+ It happened when the preliminary distance guess for a target was
+ greater than 30, the size of an internal data structure. David and
+ Brandon tracked down the problem.
+
+o Fixed compilation of libdnet-stripped on platforms that don't have
+ socklen_t. [Michael Pattrick]
+
+o Added a service probe and match lines for the Logitech/SlimDevices
+ SqueezeCenter music server. [Patrik Karlsson]
+
+o Fixed the RTSPRequest version probe, which was accidentally modified
+ to say "RTSP/2.0" rather than "RTSP/1.0" in 5.10BETA2. [Matt Selsky]
+
+o [NSE] Our http library no longer allows cached responses from a GET
+ request to be returned for a HEAD request. This could cause problems
+ with at least the http-enum script. [David]
+
+o Fixed a bug in the WinPcap installer: If the "Start the WinPcap
+ service 'NPF' at startup" box was unchecked and the "Start the
+ WinPcap service 'NPF' now" box was checked, the second checkbox
+ would be ignored (the service would not be started now). [Rob
+ Nicholls]
+
+Nmap 5.10BETA2 [2009-12-24]
+
+o Added 7 new NSE scripts for a grand total of 79! You can learn about
+ them all at https://nmap.org/nsedoc/. Here are the new ones:
+
+ * nfs-showmount displays NFS exports like "showmount -e" does. See
+ https://nmap.org/nsedoc/scripts/nfs-showmount.html . [Patrik
+ Karlsson]
+
+ * ntp-info prints the time and configuration variables provided by
+ an NTP service. It may get such interesting information as the
+ operating system, server build date, and upstream time server IP
+ address. See
+ https://nmap.org/nsedoc/scripts/ntp-info.html . [Richard Sammet]
+
+ * citrix-brute-xml uses the unpwdb library to guess credentials for
+ the Citrix PN Web Agent Service. See
+ https://nmap.org/nsedoc/scripts/citrix-brute-xml.html . [Patrik Karlsson]
+
+ * citrix-enum-apps and citrix-enum-apps-xml print a list of published
+ applications from the Citrix ICA Browser or XML service,
+ respectively. See
+ https://nmap.org/nsedoc/scripts/citrix-enum-apps.html and
+ https://nmap.org/nsedoc/scripts/citrix-enum-apps-xml.html . [Patrik Karlsson]
+
+ * citrix-enum-servers and citrix-enum-servers-xml print a list
+ of Citrix servers from the Citrix ICA Browser or XML service,
+ respectively. See
+ https://nmap.org/nsedoc/scripts/citrix-enum-servers.html and
+ https://nmap.org/nsedoc/scripts/citrix-enum-servers-xml.html . [Patrik
+ Karlsson]
+
+o We performed a memory consumption audit and made changes to
+ dramatically reduce Nmap's footprint. This improves performance on
+ all systems, but is particularly important when running Nmap on
+ small embedded devices such as phones. Our intensive UDP scan
+ benchmark saw peak memory usage decrease from 34MB to 6MB, while OS
+ detection consumption was reduced from 67MB to 3MB. Read about the
+ changes at http://seclists.org/nmap-dev/2009/q4/663. Here are the
+ highlights:
+
+ * The size of the internal representation of nmap-os-db was reduced
+ more than 90%. Peak memory consumption in our OS detection
+ benchmark was reduced from 67MB to 3MB. [David]
+
+ * The size of individual Port structures without service scan
+ results was reduced about 70%. [Pavel Kankovsky]
+
+ * When a port receives no response, Nmap now avoids allocating a
+ Port structure at all, so scans against filtered hosts can be
+ light on memory. [David]
+
+o David started a major service detection submission integration
+ run. So far he has processed submissions since February for the
+ following services: imap, pop3, afp, sip, printer, transmission,
+ svnserve, vmware, domain, backdoor, finger, freeciv, hp, imaps, irc,
+ landesk, netbios-ssn, netsupport, nntp, oracle, radmin, routersetup,
+ rtorrent, serv-u, shoutcast, ssh, tcpmux, torrent, utorrent, vnc and
+ ipp. The rest will come in the next release, along with full stats
+ on the additions.
+
+o Added service detection probe for Kerberos (udp/88) and IBM DB2
+ DAS (523/UDP). [Patrik Karlsson]
+
+o Added a UDP payload and service detection probe for Citrix
+ MetaFrame, which typically runs on 1604/udp. [Thomas Buchanan]
+
+o Added a UDP SIPOptions service detection probe corresponding to the
+ TCP one. [Patrik Karlsson, Matt Selsky, David Fifield]
+
+o Updated service detection signatures for Microsoft SQL Server 2005
+ to detect recent Microsoft security update (MS09-062), and also
+ updated ms-sql-info.nse to support MS SQL Server 2008
+ detection. [Tom]
+
+o Nmap now provides Christmas greetings and a reminder of Xmas scan
+ (-sX) when run in verbose mode on December 25. [Fyodor]
+
+o Removed a limitation of snmp.lua which only allowed it to properly
+ encode OID component values up to 127. The bug was reported by
+ Victor Rudnev. [David]
+
+o Nmap script output now uses two spaces of indention rather than
+ three for the first level. This better aligns with the standard set by
+ the stdnse.format_output function added in the last release. Output
+ now looks like:
+ 8082/tcp open http Apache httpd 2.2.13 ((Fedora))
+ |_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
+ |_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
+ ...
+ Host script results:
+ | smb-os-discovery:
+ | OS: Unix (Samba 3.4.2-0.42.fc11)
+ | Name: Unknown\Unknown
+ |_ System time: 2009-11-24 17:19:21 UTC-8
+ |_smbv2-enabled: Server doesn't support SMBv2 protocol
+ [Fyodor]
+
+o [NSE] Fixed (we hope) a deadlock we were seeing when doing a
+ favicon.nse survey against millions of hosts. We now restore all
+ threads that are waiting on a socket lock when a thread relinquishes
+ its lock. We expect only one of them to be able to grab the newly
+ freed lock, and the rest to go back to waiting. [David, Patrick]
+
+o [Zenmap] Fixed a crash when filtering with inroute: in scans without
+ traceroute data. (KeyError: 'hops') [David]
+
+o [NSE] Use a looser match pattern in auth-owners.nse for retrieving
+ the owner out of an identd response. See
+ http://seclists.org/nmap-dev/2009/q4/549. [Richard Sammet]
+
+o Improved some Cyrus pop3 and Polycom SoundStation sip match
+ lines. [Matt Selsky]
+
+o [Ncat] In the Windows version of netrun, we weren't noticing when a
+ command fails to be executed (when CreateProcess fails). We now see
+ the return value and close the socket to disconnect the
+ client. [David]
+
+o [NSE] Updated http-iis-webdav-vuln to run against SSL-enabled
+ servers [Ron]
+
+o [NSE] Improved db2-info to set port product and state (rather than
+ just port.version.name and confidence) when a DB2 service is
+ positively identified. Error reporting was improved as well. [Tom]
+
+Nmap 5.10BETA1 [2009-11-23]
+
+o Added 14 new NSE scripts for a grand total of 72! You can learn
+ about them all at https://nmap.org/nsedoc/. Here are the new ones:
+
+ + smb-psexec implements remote process execution similar to the
+ Sysinternals' psexec tool (or Metasploit's psexec "exploit"),
+ allowing a user to run a series of programs on a remote machine
+ and read the output. This is great for gathering information about
+ servers, running the same tool on a range of system, or even
+ installing a backdoor on a collection of computers. See
+ https://nmap.org/nsedoc/scripts/smb-psexec.html [Ron]
+
+ + dhcp-discover sends out DHCP probes on UDP/67 and displays all
+ interesting results (or, with verbosity, all results).
+ Optionally, multiple probes can be sent and the MAC address can be
+ randomized in an attempt to exhaust the DHCP server's address pool
+ and potentially create a denial of service condition. See
+ https://nmap.org/nsedoc/scripts/dhcp-discover.html . [Ron]
+
+ + http-enum enumerates URLs used by popular web applications and
+ servers and reports which ones exist on a target web server. See
+ https://nmap.org/nsedoc/scripts/http-enum.html . [Ron, Andrew Orr,
+ Rob Nicholls]
+
+ + ssl-cert retrieves and prints a target server's SSL
+ certificate. See
+ https://nmap.org/nsedoc/scripts/ssl-cert.html . [David]
+
+ + x11-access checks whether access to an X11 server is allowed (as
+ with "xhost +" for example). See
+ https://nmap.org/nsedoc/scripts/x11-access.html . [jlanthea]
+
+ + db2-info enhances DB2 database instance detection. It provides
+ detection when version probes fail, but will default to the
+ version detection probe value if that is more precise. It also
+ detects the server platform and database instance name. The DB2
+ version detection port ranges were broadened to 50000-50025 and
+ 60000-60025 as well. [Tom]
+
+ + smbv2-enabled checks if the smbv2 protocol is enabled on target
+ servers. SMBv2 has already suffered from at least one major
+ security vulnerability. See
+ https://nmap.org/nsedoc/scripts/smbv2-enabled.html . [Ron]
+
+ + http-favicon obtains the favicon file (/favicon.ico or whatever is
+ specified by the HTML link tag) and tries to identify its source
+ (such as a certain web application) using a database lookup. See
+ https://nmap.org/nsedoc/scripts/http-favicon.html . [Vladz]
+
+ + http-date obtains the Date: header field value from an HTTP server
+ then displays it along with how much it differs from local
+ time. See https://nmap.org/nsedoc/scripts/http-date.html . [David]
+
+ + http-userdir-enum attempts to enumerate users on a system by
+ trying URLs with common usernames in the Apache mod_userdir format
+ (e.g. http://target-server.com/~john). See
+ https://nmap.org/nsedoc/scripts/http-userdir-enum.html . [Jah]
+
+ + pjl-ready-message allows viewing and setting the status message on
+ printers which support the Printer Job Language (many HP printers
+ do). See https://nmap.org/nsedoc/scripts/pjl-ready-message.html .
+ [Aaron Leininger]
+
+ + http-headers performs a GET request for the root folder ("/") of a
+ web server and displays the HTTP headers returned. See
+ https://nmap.org/nsedoc/scripts/http-headers.html . [Ron]
+
+ + http-malware-host is designed to discover hosts that are serving
+ malware (perhaps because they were compromised), but so far it
+ only checks for one specific attack. See
+ https://nmap.org/nsedoc/scripts/http-malware-host.html . [Ron]
+
+ + smb-enum-groups displays a list of groups on the remote system
+ along with their membership (like enum.exe -G). See
+ https://nmap.org/nsedoc/scripts/smb-enum-users.html [Ron]
+
+o Nmap's --traceroute has been rewritten for better performance.
+ Probes are sent in parallel to individual hosts, not just across all
+ hosts as before. Trace consolidation is more sophisticated, allowing
+ common traces to be identified sooner and fewer probes to be sent.
+ The older traceroute could be very slow (taking minutes per target)
+ if the target did not respond to the trace probes, and this new
+ traceroute avoids that. In a trace of 110 hosts in a /24 over the
+ Internet, the number of probes sent dropped 50% from 1565 to 743,
+ and the time taken dropped 92% from 95 seconds to 7.6
+ seconds. Traceroute now uses an ICMP echo request probe if no
+ working probes against the target were discovered during
+ scanning. [David]
+
+o [Zenmap] After performing or loading a scan, you can now filter
+ results to just the hosts you are interested in by pressing Ctrl+L
+ (or the "Filter Hosts" button) to open the host filtering interface.
+ This makes it easy to select just Linux hosts, or those running a
+ certain version of Apache, or whatever interests you. You can easily
+ modify the filter or remove it to see the whole scan again. See
+ https://nmap.org/book/zenmap-filter.html . [Josh Marlow]
+
+o For some UDP ports, Nmap will now send a protocol-specific payload
+ that is more likely to get a response than an empty packet is. This
+ improves the effectiveness of probes to those ports for host
+ discovery, and also makes an open port more likely to be classified
+ open rather than open|filtered. The ports and payloads are defined
+ in payload.cc. The ports that have a payload are 7 (echo),
+ 53 (domain), 111 (rpcbind), 123 (ntp), 137 (netbios-ns), 161 (snmp),
+ 177 (xdmcp), 500 (isakmp), 520 (route), 1645 and 1812 (radius),
+ 2049 (nfs), 5353 (zeroconf), and 10080 (amanda). [David]
+
+o Integrated 1,349 fingerprints (and 81 corrections) submitted by Nmap
+ users! They resulted in 342 new fingerprints (a 17% increase),
+ including Google's Android Linux system for smart phones, Mac OS X
+ 10.6 (Snow Leopard), the Chumby, and a slew number of printers, broadband
+ routers, and other devices (40 new vendors). See
+ http://seclists.org/nmap-dev/2009/q4/416 [David]
+
+o [NSE] For all the services which are commonly tunneled over SSL
+ (pop3, http, imap, irc, smtp, etc.), we audited the scripts to
+ ensure they can support that tunneling. The com.tryssl function
+ was added for easy SSL detection. See
+ https://nmap.org/nsedoc/lib/comm.html [Joao]
+
+o Nmap now prefers to display the hostname supplied by the user instead
+ of the reverse-DNS name in most places. If a reverse DNS record
+ exists, and it differs from the user-supplied name, it is printed
+ like this:
+ Nmap scan report for www.google.com (74.125.53.103)
+ rDNS record for 74.125.53.103: pw-in-f103.1e100.net
+ And in XML it looks like:
+ <hostnames>
+ <hostname name="openbsd.org" type="user"/>
+ <hostname name="cvs.openbsd.org" type="PTR"/>
+ </hostnames>
+ Host latency is now printed more often. See
+ http://seclists.org/nmap-dev/2009/q4/199 for a summary of other
+ output changes. [David]
+
+o Ndiff now shows changes in script (NSE) output for each target
+ host (in both text output format and XML). [David]
+
+o We now print output for down hosts, even when doing scanning beyond
+ just a ping scan. This always prints to XML and grepable output,
+ and is printed to normal and interactive output in verbose mode. The
+ format for printing a down host has changed slightly: "Nmap scan
+ report for 1.1.1.1 [host down]" [David]
+
+o [NSE] Default socket parallelism has been doubled from 10 to 20,
+ which doubles speed in some situations. See
+ http://seclists.org/nmap-dev/2009/q3/161. [Patrick]
+
+o Version detection's maximum socket concurrency has been increased
+ from 10-20 based on timing level to 20-40. This can dramatically
+ speed up version detection when there are many open ports in a host
+ group being scanned. [Fyodor]
+
+o The Nmap source tarball (and RPMs) now included man page
+ translations (16 languages so far). Nmap always installs the English
+ man page, and installs the translations by default. If you only want
+ some of the translations, set the LINGUAS environmental variable to
+ the language codes you are interested in (e.g. "es de"). You can
+ specify the configure option --disable-nls or set LINGUAS to the
+ empty string to avoid installation of any man page translations. The
+ RPM always installs them. [David]
+
+o [NSE] Added a function for scripts to format their output in a
+ consistent way. See
+ https://nmap.org/nsedoc/lib/stdnse.html#format_output. [Ron]
+
+o [NSE] Now supports worker threads so that a single script can
+ perform multiple network operations concurrently. This patch also
+ includes condition variables for synchronization. See
+ https://nmap.org/nsedoc/lib/stdnse.html#new_thread,
+ https://nmap.org/nsedoc/lib/nmap.html#condvar, and
+ http://seclists.org/nmap-dev/2009/q4/294.
+
+o Fixed a problem in which the Nmap installer wrongly reported that
+ the Microsoft Visual C++ 2008 Redistributable Package (vcredist.exe)
+ failed to install. We had to update a registry key--see
+ http://seclists.org/nmap-dev/2009/q3/164. [Jah]
+
+o Added support for connecting to nameservers over IPv6. IPv6 addresses
+ can be used in /etc/resolv.conf or with the --dns-servers option. The
+ parallel reverse DNS resolver still only support IPv4 addresses, but
+ it can look them up over IPv6. [Ankur Nandwani]
+
+o Zenmap now includes ports in the services view whenever Nmap found
+ them "interesting," whatever their state. Previously they were only
+ included if the state was "open", "filtered", or "open|filtered",
+ which led to confusing behavior when a closed port showed up in the
+ Services column but clicking on the service showed no ports in the
+ display. [David]
+
+o [Ncat] Now has configure-time ASCII art just like Nmap does:
+ . .
+ \`-"'"-'/
+ } 6 6 {
+ ==. Y ,==
+ /^^^\ .
+ / \ ) Ncat: A modern interpretation of classic Netcat
+ ( )-( )/
+ -""---""--- /
+ / Ncat \_/
+ ( ____
+ \_.=|____E
+
+o [NSE] Added HTTP pipelining support to the HTTP library and and to
+ the http-enum, http-userdir-enum, and sql-injection.nse
+ scripts. Pipelining can increase speed dramatically for scripts
+ which make many requests.
+
+o [NSE] The HTTP library now caches responses from http.get or
+ http.head so that resources aren't requested multiple times during
+ the same Nmap run even if several scripts request them. See
+ http://seclists.org/nmap-dev/2009/q3/733. [Patrick]
+
+o [Ncat, Ndiff] The exit codes of these programs now reflect whether
+ they succeeded. For Ncat, 0 means the connection was successful, 1
+ indicates a network error, and 2 indicates any other error. For
+ Ndiff, 0 means the scans were equal, 1 means they were different,
+ and 2 indicates a runtime error. [David]
+
+o [Ncat] In verbose mode, Ncat now prints the number of bytes read and
+ written after the client connection is terminated. Ncat also now
+ prints elapsed time. For example, "Ncat finished: 16 bytes sent, 566
+ bytes received in 8.05 seconds." [Venkat]
+
+o [NSE] telnet-brute.nse now uses the unpw database instead of a
+ hard coded list. [Ron]
+
+o [NSE] ssl-cert.nse now supports TLS negotiation against SMTP ports
+ that support it. [Tom Sellers, David]
+
+o [NSE] Scripts that are listed by name with the --script option now
+ have their verbosity level automatically increased by one. Many
+ will print negative results ("no infection found") at a higher
+ verbosity level. The idea is that if you ask for a script
+ specifically, you are more interested in such results.
+ [David, Patrick]
+
+o Upgraded our Winpcap installer to use the new WinPcap version 4.1.1.
+ A bug which could prevent proper uninstallation of previous versions
+ was fixed at the same time. Later we made it set some registry keys
+ for compatibility with the official Winpcap project installer (see
+ http://seclists.org/nmap-dev/2009/q4/237). [Rob Nicholls]
+
+o [Ncat] Ncat now prints a message like "Connection refused." by
+ default when a socket error occurs. This used to require -v, but
+ printing no message at all could make a failed connection look like
+ success in a case like
+ ncat remote < short-file
+
+o Zenmap no longer displays down hosts in the GUI. [Josh]
+
+o The Ndiff man page was dramatically improved with examples and
+ sample output. See https://nmap.org/book/ndiff-man.html .
+ [David]
+
+o [NSE] At debug level 2 or higher (-d2), Nmap now prints all active
+ scripts (running & waiting) and a backtrace whenever a key is
+ pressed. This can be quite helpful in debugging deadlocks and other
+ script/NSE problems. [Patrick]
+
+o Nmap now allows you to specify --data-length 0, and that is now the
+ documented way to disable the new UDP protocol-specific probe
+ payload feature. [David]
+
+o Fixed compilation of our libdnet on Debian GNU/kFreeBSD (patch from
+ Petr Salinger).
+
+o Our Windows packages are now built on Windows 7, though they are
+ 32-bit binaries and should continue to work on Win2K and later.
+
+o Fixed a bug that could cause an infinite loop ("Unable to find
+ listening socket in get_rpc_results") in RPC scan. The loop would
+ happen when scanning a port that sent no responses, and there was at
+ least one other port to scan. Thanks to Lionel Cons for reporting
+ the problem. [David]
+
+o [NSE] The dns-zone-transfer and whois script argument table syntax has been
+ improved so you don't need curly braces.
+
+o [NSE] smb-enum-shares.nse now checks whether or not a share is
+ writable by attempting to write a file (and deleting it if it's
+ successful). Significantly cleaned up the code, as well. [Ron]
+
+o The nselib/data directory is now installed. It was not installed
+ before because of an error in the Makefile. The scripts that would
+ not have worked after installation because they were missing data
+ files are http-enum.nse, http-favicon.nse, http-iis-webdav-vuln.nse,
+ http-userdir-enum.nse, smb-pwdump.nse, pop3-brute.nse,
+ smb-brute.nse, and snmp-brute.nse. [David]
+
+o Upgraded the included libpcap to 1.0.0. [David]
+
+o Optimize MAC address prefix lookup by using an std::map rather than
+ a custom hash table. This increases performance and code simplicity
+ at the cost of some extra memory consumption. In one test, this
+ reduced the time of a single target ARP ping scan from 0.59 seconds
+ to 0.13. [David]
+
+o Added -Pn and -sn as aliases for -PN and -sP, respectively. They
+ will eventually become the recommended and documented way to disable
+ host discovery (ping scanning) and port scanning. They are more
+ consistent and also match the existing -n option for disabling
+ reverse DNS resolution. [David]
+
+o Fixed an error in the handling of exclude groups that used IPv4
+ ranges. Si Stransky reported the problem and provided a number of
+ useful test cases in http://seclists.org/nmap-dev/2009/q4/276. The
+ error caused various assertion failures along the lines of
+ TargetGroup.cc:465: int
+ TargetGroup::get_next_host(sockaddr_storage*, size_t*):
+ Assertion `ipsleft > 1' failed.
+ [David]
+
+o [NSE] Improved the authentication used by the smb-* scripts. Instead of
+ looking in a bunch of places (registry, command-line, etc) for the
+ usernames/passwords, a table is kept. This lets us store any number
+ of accounts for later use, and remove them if they stop working. This
+ also fixes a bug where typing in a password incorrectly would lock
+ out an account (since it wouldn't stop trying the account in question).
+ [Ron]
+
+o Removed IP ID matching in packet headers returned in ICMP errors.
+ This was already the case for some operating systems that are known
+ to mangle the IDs of sent IP packets. Requiring such a match could
+ occasionally cause valid replies to be ignored. See
+ http://seclists.org/nmap-dev/2009/q2/580 for an example of host
+ order affecting scan results due to this phenomenon. [David]
+
+o [NSE] The HTTP library now handles chunked transfer decoding more
+ robustly. See http://seclists.org/nmap-dev/2009/q3/13 [David]
+
+o [NSE] Unexpected error messages from scripts now include the target
+ host and port number. [David]
+
+o [NSE] Fixed many libraries which were inappropriately using global
+ variables, meaning that multiple scripts running concurrently could
+ overwrite each others values. NSE now automatically checks for this
+ problem at runtime, and we have a static code checker
+ (check_globals) available as well. See this whole thread
+ http://seclists.org/nmap-dev/2009/q3/70. [Patrick]
+
+o Added some additional matching rules to keep a reply to a SYN probe
+ from matching an ACK probe to the same port, or vice versa, in ping
+ scans that include both scan types. Such a mismatch could cause an
+ ineffective timing ping or traceroute probe to be selected. [David]
+
+o [Zenmap] There is a new command-line option, --confdir, which sets
+ the per-user configuration directory. Its value defaults to
+ $HOME/.zenmap. This was suggested by Jesse McCoppin. [David]
+
+o Open bpf devices in read/write mode, not read-only, in libdnet on
+ BSD. This is to work around a bug in Mac OS X 10.6 that causes
+ incoming traffic to become invisible. [David]
+
+o "make install" now removes from the Nmap script directory some
+ scripts which only existed in previous versions of Nmap but weren't
+ deleted during upgrades. [David]
+
+o [NSE] Added the reconnect_ssl method for sockets. We sometimes need
+ to reconnect a socket with SSL because the initial communication on
+ the socket is done without SSL. See this thread for more details:
+ http://seclists.org/nmap-dev/2009/q4/3 [Patrick, Tom Sellers]
+
+o [Zenmap] Fixed a crash that could occur when entering certain
+ characters in the target entry (those whose UTF-8 encoding contains
+ a byte that counts as whitespace in the Windows locale):
+ File "zenmapGUI\ScanNotebook.pyo", line 184, in _target_entry_changed
+ File "zenmapCore\NmapOptions.pyo", line 719, in render_string
+ UnicodeDecodeError: 'utf8' codec can't decode byte 0xc3 in position 1:
+ unexpected end of data
+ For more details on this curious problem, see
+ http://seclists.org/nmap-dev/2009/q4/82 [David]
+
+o [NSE] There is a new function, nmap.bind, to set the source address
+ of a socket. [David]
+
+o [Nsock] Made it a fatal error instead of silent memory corruption
+ when an attempt is made to use a file descriptor whose number is not
+ less than FD_SETSIZE. This applies only on non-Windows platforms
+ where FD_SETSIZE is a limit on the value of file descriptors as well
+ as a limit on the number of descriptors in the set. The error will
+ look like
+ nsock_core.c:186: Attempt to FD_SET fd 1024, which is not less
+ than FD_SETSIZE (1024). Try using a lower parallelism.
+ Thanks to Brandon Enright for discovering the problem and much help
+ debugging it, and to Jay Fink for submitting an initial patch. [David]
+
+o [Ncat] Fixed proxy connections in connect mode on Windows. Because
+ the dup function does not work on Windows, an assertion failure
+ would be raised reading
+ (fh >= 0 && (unsigned)fd < (unsigned)_nhandle)
+ [David]
+
+o [Ncat] Fixed the combination of --max-conns and --exec on Windows.
+ The count of connected clients was not decreased when the program
+ spawned by --exec finished. With --max-conns 5, for example, no more
+ connections would be allowed after the fifth, even if some of the
+ earlier ones had ended. Jon Greaves reported the problem and Venkat
+ contributed a patch.
+
+o [Ncat] The code that manages the count of connected clients has been
+ made robust with respect to signals. The code was contributed by
+ Solar Designer.
+
+o The files read by the -iL (input from file) and --excludefile
+ options now support comments that start with # and go to the end of
+ the line. [Tom Sellers]
+
+o [Zenmap] On Windows, Zenmap no longer uses the cmd.exe shell to run
+ Nmap sub-processes. This means that canceling a scan will kill the
+ Nmap process as it does on other platforms (previously it would just
+ kill the shell). It also means that that scanning will work as a
+ user whose name contains characters like '&' that are significant to
+ the shell. Mike Crawford and Nick Marsh reported bugs related to
+ this. [David]
+
+o [NSE] All scripts (except for those in "version" or "demo"
+ categories) are now classified in either the "safe" or "intrusive"
+ categories, based on how likely they are to cause problems when run
+ against other machines on the network. Those classifications already
+ existed, but weren't used consistently. [Fyodor]
+
+o Added a check for a SMBv2 vulnerability (CVE-2009-3103) to
+ smb-check-vulns. Due to its nature (it performs a DoS, then checks
+ if the system is still online), the script isn't run by default and
+ requires a special script-arg to work. [Ron]
+
+o Fixed an integer overflow in uptime calculation which could occur
+ when a target with a low TCP timestamp clock frequency uses large
+ timestamp values, such that a naive uptime calculation shows a boot
+ time before the epoch. Also fixed a printf format specifier mismatch
+ that was revealed by the bug. Toby Simmons reported the problem and
+ helped with the fix. [David]
+
+o [NSE] The HTTP library now supports HTTP cookies. [Joao Correa]
+
+o Fixed a compile error on NetBSD. It was
+ tcpip.cc:2948: error: pointer of type 'void *' used in arithmetic
+ Thanks to Jay Fink for reporting the problem and submitting a patch.
+
+o [Zenmap] If you have any hosts or services selected, they will
+ remain selected after aggregating another scan or running a filter
+ (as long as they are still up and visible). Previously the selection
+ was lost whenever the scan inventory was changed. This is
+ particularly important due to the new host filter system. [David]
+
+o [Zenmap] New translation: Russian (contributed by Alexander Khodyrev).
+ Updated translations: French and German.
+
+o Nmap now generates IP addresses without duplicates (until you cycle
+ through all the allowed IPs) thanks to a new collision-free 32-bit
+ number generator in nbase_rnd.c. See
+ http://seclists.org/nmap-dev/2009/q3/695 [Brandon]
+
+o There is a new OS detection pseudo-test, SCAN.DC, which records how
+ the network distance in SCAN.DS was calculated. Its value can be "L"
+ for localhost, "D" for a direct connection, "I" for an ICMP TTL
+ calculation, and "T" for a traceroute hop count. This is mainly for
+ the benefit of OS integration, when it is sometimes important to
+ distinguish between DS=1%DC=I (probably the result of forged TTLs)
+ and DS=1%DC=D (a true one-hop connection.) [David]
+
+o Canonicalized the list of OS detection device types to a smaller set
+ with descriptions: https://svn.nmap.org/nmap/docs/device-types.txt .
+ [David, Fyodor, Doug]
+
+o [Ncat] The --idle-timeout option now exits when *both* stdin and the
+ socket have been idle for the given time. Previously it would exit
+ when *either* of them had been idle, meaning that the program would
+ quit contrary to your expectation when downloading a large file
+ without sending anything, for example. [David]
+
+o [Ncat] Ncat now always prefixes its own output messages with "Ncat: "
+ or "NCAT DEBUG: " to make it clear that they are not coming from the
+ remote host. This only matters when output goes to a terminal, where
+ the standard output and standard error streams are mixed. [David]
+
+o Nmap's Nbase library now has a new hexdump() function which produces
+ output similar to Wireshark. nmap_hexdump() is a wrapper which
+ prints the output using Nmap's log_write facility. The old hdump()
+ and lamont_dump() functions have been removed. [Luis]
+
+o Added explicit casts to (int)(unsigned char) for arguments to ctype function
+ calls in nmap, ncat and nbase. Thanks to Solar Designer for pointing out
+ the need and fix for this. [Josh]
+
+o Ncat now supports wildcard SSL certificates. The wildcard character
+ (*) can be in commonname field or in DNS field of Subject
+ Alternative Name (SAN) Extension of SSL certificate. Matching Rules:
+ - '*' should be only on the leftmost component of FQDN. (*.example.com
+ but not www.*.com or www.example*.com).
+ - The leftmost component should contain only '*' and it should be
+ followed by '.' (*.example.com but not *w.example.com or
+ w*.example.com).
+ - There should be at least three components in FQDN. (*.example.com but
+ not *.com or *.com.). [venkat]
+
+o Nmap now handles the case when a primary network interface (venet0)
+ does not have an address assigned but its aliases do (venet0:1
+ etc.). This could result in the error messages
+ Failed to find device venet0 which was referenced in /proc/net/route
+ Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned
+ This was observed under OpenVZ. [Dmitry Levin]
+
+o [Ncat] The --ssl-cert, --ssl-key, and --ssl-trustfile options now
+ automatically turn on SSL mode. Previously they were ignored if
+ --ssl was not also used. [David]
+
+o [Nsock] Now Nsock supports pure TLSv1 and SSLv3 servers in addition
+ to the (already supported and far more common) SSLv2 and SSLv23
+ servers. Ncat currently never uses SSLv2 for security reasons, so
+ it is unaffected by this change.
+
+o [Ncat] Implemented basic SCTP client functionality (server already
+ exists). Only the default SCTP stream is used. This is also called
+ TCP compatible mode. While it allows Ncat to be used for manually
+ probing open SCTP ports, more complicated services making use of
+ multiple streams or depending on specific message boundaries cannot
+ be talked to successfully. [Daniel Roethlisberger]
+
+o [Ncat] Implemented SSL over SCTP in both client (connect) and server
+ (listen) modes. [Daniel Roethlisberger]
+
+o Nmap now filters received ARP packets based on their target address
+ address field, not the destination address in the enclosing ethernet
+ frame. Some operating systems, including Windows 7 and Solaris 10,
+ are known to at least sometimes send their ARP replies to the
+ broadcast address and Nmap wouldn't notice them. The symptom of this
+ was that root scans wouldn't work ("Host seems down") but non-root
+ scans would work. Thanks to Mike Calmus and Vijay Sankar for
+ reporting the problem, and Marcus Haebler for suggesting the
+ fix. [David]
+
+o The -fno-strict-aliasing option is now used unconditionally when
+ using GCC. It was already this way, in effect, because a test
+ against the GCC version number was reversed: <= 4 rather than >= 4.
+ Solar Designer reported the problem.
+
+o Nmap now prints a warning instead of a fatal error when the hardware
+ address of an interface can't be found. This is the case for
+ FireWire interfaces, which have a hardware address format not
+ supported by libdnet. Thanks to Julian Berdych for the bug report.
+ [David]
+
+o Zenmap's UI performance has improved significantly thanks to
+ optimization of the update_ui() function. In particular, this speeds
+ up the new host filter system. [Josh]
+
+o Add a service probe for DNS-based service discovery (DNS-SD). See
+ http://seclists.org/nmap-dev/2009/q3/0610.html . [David]
+
+o Made RPC grinding work from service detection again by changing the
+ looked-for service name from "rpc" to "rpcbind", the name it has in
+ nmap-service-probes. Also removed some dead code. [David]
+
+o Fixed a log_write call and a pfatal call to use a syntax which is
+ safer from format strings bugs. This allows Nmap to build with the
+ gcc -Wformat -Werror=format-security options. [Guillaume Rousse,
+ Dmitry Levin]
+
+o A bug in Nsock was fixed: On systems where a non-blocking connect
+ could succeed immediately, connections that were requested to be
+ tunneled through SSL would actually be plain text. This could be
+ verified with an Ncat client and server running on localhost. This
+ was observed to happen with localhost connections on FreeBSD 7.2.
+ Non-localhost connections were likely not affected. The bug was
+ reported by Daniel Roethlisberger. [David]
+
+o Ncat proxy now hides the proxy's response ("HTTP/1.0 200 OK" or
+ whatever it may be). Before, if you retrieved a file through a
+ proxy, it would have the "HTTP/1.0 200 OK" stuck to the top of
+ it. For this Ncat uses blocking sockets until the proxy negotiation
+ is done and once it is successful, Nsock takes over for rest of the
+ connection.[Venkat]
+
+o [NSE] socket garbage collection was rewritten for better performance
+ and to ensure that socket slots are immediately available to others
+ after a socket is closed. See
+ http://seclists.org/nmap-dev/2009/q2/0624.html . [Patrick]
+
+o [NSE] Fixed a rare but possible segfault which could occur if the
+ nsock binding attempted to push values on the stack of a thread
+ which had already ended due to an error, and if that internal Lua
+ stack was already completely full. This bug is very hard to
+ reproduce with a SEGFAULT but is usually visible when Lua assertion
+ checks are turned on. A socket handler routine must be called AFTER
+ a thread has ended in error. [Patrick]
+
+o [Ncat] Fixed an error that would cause Ncat to use 100% CPU in
+ broker mode after a client disconnected or a read error happened.
+ [Kris, David]
+
+o [NSE] --script-args may now have whitespace in unquoted strings (but
+ surrounding whitespace is ignored). For example,
+ --script-args 'greeting = This is a greeting' Becomes:
+ { ["greeting"] = "This is a greeting" } [Patrick]
+
+o [Ncat] Using --send-only in conjunction with the plain listen or
+ broker modes now behaves as it should: nothing will be read from the
+ network end. Ncat previously read and discarded any data
+ received. [Kris]
+
+o [Nsock] Added a socket_count abstraction that counts the number of
+ read or write events pending on a socket, for the purpose of
+ maintaining an fd_set. The bit is set in the fd_set whenever the
+ count is positive, and cleared when it is zero. The reason for doing
+ this was that write bits were not being properly cleared when using
+ Ncat with SSL in connect mode, such that a client send would cause
+ Ncat to use 100% CPU until it received something from the
+ server. See the thread at
+ http://seclists.org/nmap-dev/2009/q2/0413.html . This change will
+ also make it easier to use a different back end than select in the
+ future. [David]
+
+o [Nsock] Added compilation dependency generation (makefile.dep)
+ [David]
+
+o [Ncat] The --broker option now automatically implies --listen. [David]
+
+o Fixed a logic error in getinterfaces_siocgifconf. The check for
+ increasing the capacity of the list of interfaces was off by
+ one. This caused a crash on initialization for systems with more
+ than 16 network interfaces. [David]
+
+o Added Apache JServe protocol version detection probe and signatures
+ and some some other nmap-service-probes patches. [Tom Sellers]
+
+o Fixed two memory leaks in ncat_posix.c and a bug where an open file was not
+ being closed in libdnet-stripped/src/intf.c [Josh Marlow]
+
+o [Zenmap] Added profile editor support for the Nmap SCTP options:
+ -PY, -sY and -sZ. [Josh Marlow]
+
+o Fixed a bug in --data-length parsing which in some cases could
+ result in useless buffer allocations and unpredictable payload
+ lengths. See http://seclists.org/nmap-dev/2009/q2/0763.html [Luis]
+
+o The configure script now allows cross-compiling by assuming that
+ libpcap is recent enough to use rather than trying to compile and
+ run a test program. Libpcap will always be recent enough when Nmap's
+ included copy is used. [Mike Frysinger]
+
+o Updated the IANA assignment IP list for random IP (-iR)
+ generation. The Mac OS prefix file was updated as
+ well. [Kris, Fyodor]
+
+o [Zenmap] Fix a bug which could cause a crash in the (very rare) case
+ where Nmap would produce port tags in XML output without a state
+ attribute. [David]
+
+o Added a convenience top-level BSDmakefile which automatically
+ redirects BSD make to GNU make on BSD systems. The Nmap Makefile
+ relies on numerous GNU Make extensions. [Daniel Roethlisberger]
+
+Nmap 5.00 [2009-07-16]
+
+o Bumped up version number to 5.00!
+
+o [NSE] http-open-proxy script fixed to avoid false positives from bad
+ pattern matching and to properly declare some formerly-global
+ variables as local. [Joao]
+
+Nmap 4.90RC1 [2009-06-25]
+
+o [Zenmap] Fixed a display hanging problem on Mac OS X reported by
+ Christopher Caldwell at
+ http://seclists.org/nmap-dev/2009/q2/0721.html . This was done by
+ adding gtk2 back to macports-1.8.0-universal.diff and removing the
+ dependency on shared-mime-info so it doesn't expect /usr/share/mime
+ files at runtime. Also included GDK pixbuf loaders statically rather
+ than as external loadable modules. [David]
+
+o Fixed a memory bug (access of freed memory) when loading exclude
+ targets with --exclude. This was reported to occasionally cause a
+ crash. Will Cladek reported the bug and contributed an initial
+ patch. [David]
+
+o Zenmap application icons were regenerated using the newer SVG
+ representation of the Nmap eye. [David]
+
+Nmap 4.85BETA10 [2009-06-12]
+
+o The host discovery (ping probe) defaults have been enhanced to
+ include twice as many probes. The default is now "-PE -PS443 -PA80
+ -PP". In exhaustive testing of 90 different probes, this emerged as
+ the best four-probe combination, finding 14% more Internet hosts
+ than the previous default, "-PE -PA80". The default for non-root
+ users is -PS80,443, replacing the previous default of -PS80. In
+ addition, ping probes are now sent in order of effectiveness (-PE
+ first) so that less effective probes may not have to be sent. ARP
+ ping is still the default on local ethernet networks. [David,
+ Fyodor]
+
+o Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol
+ used mostly for telephony related applications. This brings the
+ following new features:
+ - SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
+ chunk, closed ones an ABORT chunk. This is the SCTP equivalent
+ of a TCP SYN stealth scan.
+ - SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
+ closed ports return an ABORT chunk.
+ - SCTP INIT chunk ping probes (-PY): host discovery using SCTP
+ INIT chunk packets.
+ - SCTP-specific IP protocol scan (-sO -p sctp).
+ - SCTP-specific traceroute support (--traceroute).
+ - The ability to use the deprecated Adler32 algorithm as specified
+ in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
+ - 42 well-known SCTP ports were added to the nmap-services file.
+ - The server scanme.csnc.ch has been set up for your SCTP scan
+ testing pleasure. But note that SCTP doesn't pass through most
+ NAT devices. See http://seclists.org/nmap-dev/2009/q2/0669.html .
+ Part of the work on SCTP support was kindly sponsored by
+ Compass Security AG, Switzerland. [Daniel Roethlisberger]
+
+o [NSE] Added http-iis-webdav-vuln.nse, which detects the recently
+ discovered WebDAV unicode bug in MS IIS 5.1/6.0 web server which can
+ allow arbitrary users to access password protected folders without
+ authentication. See
+ https://nmap.org/svn/scripts/http-iis-webdav-vuln.nse. [Ron]
+
+o The Nmap Reference Guide has been translated to German by Open
+ Source Press and Indonesian by Tedi Heriyanto. You can now read it
+ in 16 languages at https://nmap.org/docs.html . We're always looking
+ for more translations of Nmap and its documentation--if you'd like
+ to help, see http://seclists.org/nmap-dev/2009/q2/0667.html .
+
+o Open Source Press completed and released the German translation of
+ the official Nmap book (Nmap Network Scanning). Learn more at
+ https://nmap.org/book/#translations.
+
+o [NSE] Added socks-open-proxy.nse for scanning networks for open
+ SOCKS proxy servers. See
+ https://nmap.org/nsedoc/scripts/socks-open-proxy.html . [Joao Correa]
+
+o [NSE] http-open-proxy.nse has been updated to attempt HEAD and
+ CONNECT methods as well as previously supported GET method. It
+ still tries to reach http://www.google.com through the proxy by
+ default, but now also offers an argument for specifying a different
+ URL. [Joao Correa]
+
+o [Ncat] There is a backwards-incompatible change in the way that
+ listen mode works. The new default behavior is to accept only one
+ connection, and quit when the connection ends. This was necessary to
+ prevent data loss in some situations; some programs require Ncat to
+ send an EOF before they flush their internal buffers and finish
+ processing the last bit of data. See
+ http://seclists.org/nmap-dev/2009/q2/0528.html for more information.
+ Use the new -k or --keep-open option to get the old behavior, in
+ which Ncat will accept multiple simultaneous connection, combine all
+ their input, and accept more connections after a disconnection.
+ [Daniel Roethlisberger, David]
+
+o Ncat handling of newlines on Windows has been improved. CRLF is
+ automatically converted to a bare LF when input is from the console,
+ but left untouched when it is from a pipe or a file. No newline
+ translation is done on output (where it was being done before). This
+ makes it possible to transfer binary files with Ncat on Windows
+ without any corruption, while still being able to interactively ncat
+ into UNIX shells and other processes which require bare
+ newlines. Ncat clients now work the same way on UNIX and Windows in
+ that respect. For cases where you do want \r\n line endings (such
+ as connections to web and email servers or Windows cmd.exe shells),
+ specify -C whether your client is running on UNIX or
+ Windows. [David]
+
+o Nmap RPM packages (x86 and x86-64) are now built with OpenSSL
+ support (statically linked in to avoid dependencies). They are also
+ now built on CentOS 5.3 for compatibility with RHEL, Fedora, and
+ other distributions. Please let us know if you discover any
+ compatibility problems (or other issues) with the new RPMs. [Fyodor]
+
+o [Zenmap] The Topology tab now has a "Save Graphic" button that
+ allows saving the current topology display as a PNG, postscript,
+ PDF, and SVG image. [Joao Medeiros, David]
+
+o Changed the default UDP ping (-PU) port from 31338 to 40125. This
+ appears to be a better port based on David's empirical testing.
+
+o [NSE] Added the imap-capabilities script, which uses the CAPABILITY
+ command to determine the capabilities of a target IMAP mail server.
+ A simple supporting IMAP library was added as well. See
+ https://nmap.org/nsedoc/scripts/imap-capabilities.html . [Brandon]
+
+o [NSE] Brandon Enright from UCSD reports that, thanks to all the NSE
+ fixes in this release, he no longer sees any Nmap crashes in his
+ large scale scans. See
+ http://seclists.org/nmap-dev/2009/q2/0639.html .
+
+o Zenmap now works on RHEL/CentOS since it no longer requires the
+ hashlib library (which was introduced in Python 2.5, but RHEL 5
+ still uses 2.4) and removing the pysqlite2 requirement (RHEL does
+ not offer that module). It is still desirable to have pysqlite2
+ when available, since it enables Zenmap searching and database
+ saving features. [David]
+
+o Ncat can now send SSL certificates in connect mode for client
+ authentication by using the --ssl-cert and --ssl-key options. The
+ specified certificates are only sent when requested by the
+ server. [Venkat]
+
+o Nmap can now handle -PS and -PA at the same time when running nmap
+ as non-root or using IPv6. It now combines the two port lists [Josh
+ Marlow]
+
+o [Ncat] SSL in listen mode now works on systems like BSD in which a
+ socket inherits its blocking or non-blocking status from the
+ listening socket. [David, Daniel Roethlisberger]
+
+o The --packet-trace/--version-trace options now shows the names of
+ version detection probes as they are sent, making the version
+ detection process easier to understand and debug. [Tom Sellers]
+
+o The GPG detached signatures for Nmap releases now use the more
+ standard .asc extension rather than .gpg.txt. They can still be
+ found at https://nmap.org/dist/sigs/ and the .gpg.txt versions for
+ previous releases are still available for compatibility reasons. For
+ instructions on verifying Nmap package integrity, see
+ https://nmap.org/book/install.html#inst-integrity. [Fyodor]
+
+o [Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap
+ and aggregated, the first one was being modified in the process,
+ preventing you from doing diffs in the "compare scans" dialogue or
+ properly saving the first scan individually. 2) If you start two
+ scans, then the faster one finishes and you cancel and remove the
+ slower one while still in progress, much of the results from both
+ scans are lost. [Josh Marlow]
+
+o [Ncat] When connecting to an SSL service in verbose mode, Ncat now
+ prints confirmation of the SSL connection, some certificate
+ information, and a cert fingerprint. For example:
+ SSL connection to 64.147.188.3:443. Electronic Frontier Foundation
+ SHA-1 fingerprint: 28BE B476 2E49 7ED5 3A9B 4D79 AD1E 69A9 82DB C75A
+
+o [NSE] Clean up output (generally reducing default verbosity) for the
+ p2p-conficker, smb-check-vulns, and http-iis-webdav-vuln scripts. In
+ general, we don't ask scripts to report that a host is clean unless
+ Nmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]
+
+o [Zenmap] Added the -PS22,25,80 option found in the Quick Traceroute
+ profile to some of the Intense scan profiles for improved host
+ discovery. [Josh Marlow]
+
+o Fixed a bug with the --defeat-rst-ratelimit option which prevented
+ it from working properly. See this thread:
+ http://seclists.org/nmap-dev/2009/q2/0476.html . [Josh]
+
+o [Ndiff] Avoid printing a "Not shown:" line if there weren't any
+ ports in the non-shown (extraports) list. [David]
+
+o [Ncat] Fixed Ncat compilation with versions of OpenSSL before 0.9.7.
+ Previously it would fail in ncat_openssl.c with the message
+ "structure has no member named `it'". The problem was reported by
+ Jaroslav Fojtik. [David]
+
+o [NSE] Removed the packet.hextobin(str) and packet.bintohex(str)
+ functions. They are redundant since you get the same functionality
+ by calling bin.pack("H", str) and bin.unpack("H", str),
+ respectively. [Patrick]
+
+o [NSE] Fixed the parsing of --script-args, which was only accepting
+ alphanumeric characters and underscores in values. Now a key, value,
+ or array value may be a sequence of any characters except '{', '}',
+ ',', '=', and all space characters. You may overcome this
+ restriction by using quotes (single or double) to allow all
+ characters within the quotation marks. You may also use the quote
+ delimiter inside the sequence so long as it is escaped by a
+ backslash. See
+ http://seclists.org/nmap-dev/2009/q2/0211.html . [Patrick]
+
+o [NSE] When a script ends for any reason, all of its mutexes are now
+ unlocked. This prevents a permanent (and painful to debug) deadlock
+ when a script crashes without unlocking a mutex. See
+ http://seclists.org/nmap-dev/2009/q2/0533.html . [Patrick]
+
+o Fixed a bug wherein nmap would not display the post-scan count of
+ raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]
+
+o Changed the ICMP ping probes to use a random non-zero ICMP id.
+ David's empirical testing found that some hosts drop probes when the
+ ICMP id is 0 [Josh Marlow]
+
+o [NSE] Fixed a --script argument processing bug in which Nmap would
+ abort when an expression matches a set of scripts which were loaded
+ by other expressions first (a simple example is "--script
+ default,DEFAULT". [Patrick]
+
+o [Zenmap] Operating system icons are now always loaded as PNGs, even on
+ platforms which support SVG images. That is much faster, and Zenmap
+ currently never scales the images anyway. [Josh]
+
+o [Ncat] The Nmap Windows uninstaller now removes the Ncat CA list
+ (ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]
+
+o Optimized some Nmap version detection match lines for slightly
+ better performance. See
+ http://seclists.org/nmap-dev/2009/q2/0328.html . [Brandon]
+
+o [NSE] Upon connection failure, a socket now immediately unlocks its
+ "socket lock" to allow other pending socket connections to succeed
+ sooner. This slightly improves scan speeds by eliminating the wait
+ for garbage collection to free the resource. [Patrick]
+
+o [NSE] Corrected a bug in nse_nsock.cc that could result in a crash
+ from the use of an invalid Lua state if a thread is collected due to
+ timeout or other rare reasons. Essentially, the callbacks from the
+ nsock library were returning to an already-collected Lua state. We
+ now maintain a reference to the Lua State Thread in the nsock
+ userdata environment table to prevent early collection. This is a
+ temporary patch for the stable release pending a more detailed
+ review of the NSE nsock library binding. [Patrick]
+
+o [NSE] When an NSE script in the database (script.db) is requested
+ but not found on the filesystem, Nmap now prints a warning rather
+ than aborting. We accidentally shipped with such a phantom script
+ (smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]
+
+o Fixed a bug where an ICMP echo, timestamp, or address mask reply
+ could be matched up with the wrong ICMP probe if more than one ICMP
+ probe type was being sent (as with the new default ping). This lead
+ to timing calculation problems. [David]
+
+o Improved the host expression parser to better handle a few cases
+ where invalid target specifiers would case Nmap to scan unintended
+ hosts. See http://seclists.org/nmap-dev/2009/q2/0319.html . [Jah]
+
+o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when
+ searching scan results by date. [David]
+ The error message was: File "zenmapGUI\SearchGUI.pyo", line 816, in
+ set_date TypeError: argument must be sequence of length 9, not 3
+
+o Patched configure.ac to detect Lua include and library files in
+ "lua5.1" subdirectories of /usr/include and the like. Debian
+ apparently puts them there. We still check the likes of
+ /usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan
+ Christoph Nordholz]
+
+o Improved nsock's fselect() to be a more complete replacement for
+ select() on the Windows platform. In particularly, any or all of the
+ FD sets can be null or empty descriptor sets. This fixes an error
+ ("nsock_loop error 10022") which would occur when you ran ncat
+ --send-only on Windows. [David]
+
+o The --with-openssl= directive now works for specifying the SSL
+ location to the nsock library. It was previously not passing the
+ proper include file path to the compiler. [Fyodor]
+
+o The --traceroute feature is now properly disabled for IPv6 ping
+ scans (-6 -sP) since IPv6 traceroute is not currently
+ supported. [Jah]
+
+o Fixed an assertion failure which could occur on at least SPARC Linux
+ The error looked like "nsock_core.c:294: handle_connect_result:
+ Assertion `0' failed. Aborted". [David Fifield, Fabio Pedretti]
+
+o Nmap's make install target now uses $(INSTALL) rather than cp to
+ copy NSE scripts and libraries to ensure that file permissions are
+ set properly. [Fyodor]
+
+o Improved the Oracle DB version detection signatures. [Tom Sellers]
+
+o [NSE] Remove the old nse_macros.h header file. This involved
+ removing the SCRIPT_ENGINE_* status defines, moving the likes of
+ SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use
+ of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to
+ nse_fs.h. [Patrick]
+
+o Cleaned up the libpcre build system a bit by removing Makefile.am
+ and modifying configure.ac to prevent unnecessary removal of
+ pcre_chartables.cc in some instances. [Fyodor]
+
+o Fixed a bug which would cause Nmap to sometimes miscount the number
+ of hosts scanned and produce warnings such as "WARNING: No targets
+ were specified, so 0 hosts scanned" when --traceroute and -sP were
+ combined. [Jah]
+
+o Changed Nmap and Ncat's configure.ac files to check in more
+ situations whether -ldl is required for compilation and add it where
+ necessary. [Fyodor]
+
+o When building Nmap RPMs using the spec file, you can now pass in an
+ openssl argument, the contents of which are passed to ./configure's
+ --with-openssl option. So you can pass rpmbuild an option such as
+ --define "openssl /usr/local/ssl". [Fyodor]
+
+o Fixed the make distclean target to avoid a failure which could occur
+ when you ran it right after a make clean (it might have failed in
+ other situations as well). [David]
+
+o Updated nmap-mac-prefixes with the latest MAC address prefix data
+ from http://standards.ieee.org/regauth/oui/oui.txt as of
+ 5/20/09. [Fyodor]
+
+o Ncat now makes sockets blocking before handing them off to another
+ program with --exec or --sh-exec. This is to resolve a failure where
+ the command "ncat --exec /usr/bin/yes localhost" would stop sending
+ because yes would send data so quickly that kernel send buffers
+ could not keep up and socket writes would start generating EAGAIN
+ errors. [Venkat]
+
+o Ncat now ignores SIGPIPE in listen mode. This fixes the command
+ "yes | ncat -l --keep-open --send-only", which was failing after the
+ first client disconnected due to a broken pipe signal when Ncat
+ would try to write more date before realizing that the client had
+ closed the connection.
+
+o Version detection can now detect Ncat's --chat mode. [David]
+
+Nmap 4.85BETA9 [2009-05-12]
+
+o Integrated all of your 1,156 of your OS detection submissions and
+ your 50 corrections since January 8. Please keep them coming! The
+ second generation OS detection DB has grown 14% to more than 2,000
+ fingerprints! That is more than we ever had with the first system.
+ The 243 new fingerprints include Microsoft Windows 7 beta, Linux
+ 2.6.28, and much more. See
+ http://seclists.org/nmap-dev/2009/q2/0335.html . [David]
+
+o [Ncat] A whole lot of work was done by David to improve SSL
+ security and functionality:
+ - Ncat now does certificate domain and trust validation against
+ trusted certificate lists if you specify --ssl-verify.
+ - [Ncat] To enable SSL certificate verification on systems whose
+ default trusted certificate stores aren't easily usable by
+ OpenSSL, we install a set of certificates extracted from Windows
+ in the file ca-bundle.crt. The trusted contents of this file are
+ added to whatever default trusted certificates the operating
+ system may provide. [David]
+ - Ncat now automatically generates a temporary keypair and
+ certificate in memory when you request it to act as an SSL server
+ but you don't specify your own key using --ssl-key and --ssl-cert
+ options. [David]
+ - [Ncat] In SSL mode, Ncat now always uses secure connections,
+ meaning that it uses only good ciphers and doesn't use
+ SSLv2. Certificates can optionally be verified with the
+ --ssl-verify and --ssl-trustfile options. Nsock provides the
+ option of making SSL connections that prioritize either speed or
+ security; Ncat uses security while version detection and NSE
+ continue to use speed. [David]
+
+o [NSE] Added Boolean Operators for --script. You may now use ("and",
+ "or", or "not") combined with categories, filenames, and wildcarded filenames
+ to match a set files. Parenthetical subexpressions are allowed for
+ precedence too. For example, you can now run:
+ nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org
+ For more details, see
+ https://nmap.org/book/nse-usage.html#nse-args. [Patrick]
+
+o [Ncat] The HTTP proxy server now works on Windows too. [David]
+
+o [Zenmap] The command wizard has been removed. The profile editor has
+ the same capabilities with a better interface that doesn't require
+ clicking through many screens. The profile editor now has its own
+ "Scan" button that lets you run an edited command line immediately
+ without saving a new profile. The profile editor now comes up
+ showing the current command rather than being blank. [David]
+
+o [Zenmap] Added an small animated throbber which indicates that a
+ scan is still running (similar in concept to the one on the
+ upper-right Firefox corner which animates while a page is
+ loading). [David]
+
+o Regenerate script.db to remove references to non-existent
+ smb-check-vulns-2.nse. This caused the following error messages when
+ people used the --script=all option: "nse_main.lua:319:
+ smb-check-vulns-2.nse is not a file!" The script.db entries are now
+ sorted again to make diffs easier to read. [David, Patrick]
+
+o Fixed --script-updatedb on Windows--it was adding bogus backslashes
+ preceding file names in the generated script.db. Reported by
+ Michael Patrick at http://seclists.org/nmap-dev/2009/q2/0192.html,
+ and fixed by Jah. The error message was also improved.
+
+o The official Windows binaries are now compiled with MS Visual C++
+ 2008 Express Edition SP1 rather than the RTM version. We also now
+ distribute the matching SP1 version of the MS runtime components
+ (vcredist_x86.exe). A number of compiler warnings were fixed
+ too. [Fyodor,David]
+
+o Fixed a bug in the new NSE Lua core which caused it to round
+ fractional runlevel values to the next integer. This could cause
+ dependency problems for the smb-* scripts and others which rely on
+ floating point runlevel values (e.g. that smb-brute at runlevel 0.5
+ will run before smb-system-info at the default runlevel of 1).
+
+o The SEQ.CI OS detection test introduced in 4.85BETA4 now has some
+ examples in nmap-os-db and has been assigned a MatchPoints value of
+ 50. [David]
+
+o [Ncat] When using --send-only, Ncat will now close the network
+ connection and terminate after receiving EOF on standard input.
+ This is useful for, say, piping a file to a remote ncat where you
+ don't care to wait for any response. [Daniel Roethlisberger]
+
+o [Ncat] Fix hostname resolution on BSD systems where a recently
+ fixed libc bug caused getaddrinfo(3) to fail unless a socket type
+ hint is provided. Patch originally provided by Hajimu Umemoto of
+ FreeBSD. [Daniel Roethlisberger]
+
+o [NSE] Fixed bug in the DNS library which caused the error message
+ "nselib/dns.lua:54: 'for' limit must be a number". [Jah]
+
+o Fixed Solaris 10 compilation by renaming a yield structure which
+ conflicted with a yield function declared in unistd.h on that
+ platform. [Pieter Bowman, Patrick]
+
+o [Ncat] Minor code cleanup of Ncat memory allocation and string
+ duplication calls. [Ithilgore]
+
+o Fixed a bug which could cause -iR to only scan the first host group
+ and then terminate prematurely. The problem related to the way
+ hosts are counted by o.numhosts_scanned. [David]
+
+o Fixed a bug in the su-to-zenmap.sh script so that, in the cases
+ where it calls su, it uses the proper -c option rather than
+ -C. [Michal Januszewski, Henry Gebhardt]
+
+o Overhaul the NSE documentation "Usage and Examples" section and add
+ many more examples: https://nmap.org/book/nse-usage.html [David]
+
+o [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work
+ around an assertion in Visual C++ in Debug mode. The isprint,
+ isalpha, etc. functions from ctype.h have an assertion that the
+ value of the character passed in is <= 255. If you pass a character
+ whose value is >= 128, it is cast to an unsigned int, making it a
+ large positive number and failing the assertion. This is the same
+ thing that was reported in
+ http://seclists.org/nmap-dev/2007/q2/0257.html, in regard to
+ non-ASCII characters in nmap-mac-prefixes. [David]
+
+o [NSE] Fixed a segmentation fault which could occur in scripts which
+ use the NSE pcap library. The problem was reported by Lionel Cons
+ and fixed by Patrick.
+
+o [NSE] Port script start/finish debug messages now show the target
+ port number as well as the host/IP. [Jah]
+
+o Updated IANA assignment IP list for random IP (-iR)
+ generation. [Kris]
+
+o [NSE] Fixed http.table_argument so that user-supplied HTTP headers
+ are now properly sent in HTTP requests. [Jah]
+
+Nmap 4.85BETA8 [2009-04-21]
+
+o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
+ addition to the CONNECT tunneling method, so it can be used as a
+ proxy with an ordinary web browser.[David]
+
+o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
+ --proxy-auth to provide a username and password that will be required
+ of proxy users. Only the insecure (not encrypted) Basic authentication
+ method is supported. [David]
+
+o Ndiff's text output has been redone to look more like Nmap output
+ and be easier to read. See the Ndiff README file for an example. The
+ XML output is now based on Nmap's XML output as well. Zenmap's diff
+ viewer now shows the new output with syntax highlighting. [David]
+
+o The new versions of the Conficker Internet worm ban infected systems
+ from visiting Insecure.Org and Nmap.Org. We take that as a
+ compliment to the effectiveness of our remote Conficker scanner.
+ They also ban DNS substrings "honey" (for the Honeynet Project),
+ "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
+ Security, "coresecur" for Core Security Technologies, and
+ "iv.cs.uni" for those meddlesome (to the Conficker authors)
+ researchers at the University of Bonn. For people who can't reach
+ nmap.org due to infection, I've mirrored this release at
+ http://sectools.org/nmap/. [Fyodor]
+
+o New Conficker versions eliminate the loophole we were using to
+ detect them with smb-check-vulns,nse, so we've added new methods
+ which work with the newest variants. Here are the Conficker-related
+ improvements since BETA7:
+ - Added new p2p-conficker script which detects Conficker using its
+ P2P update ports rather than MSRPC. This is based on some new
+ research by Symantec. See
+ https://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
+ - Since new Conficker variants prevent detection by our previous
+ MSRPC check in smb-check-vulns, we've added a new check which still
+ works. It involves calling netpathcanonicalize on "\" rather than
+ "\..\" and checking for a different return value. It was discovered
+ by Felix Leder and Tillmann Werner. [Ron]
+ - Improved smb-check-vulns Conficker error message text to be more
+ useful. [David]
+ - smb-check-vulns now defaults to using basic login rather than
+ extended logins as this seems to work better on some
+ machines. [Ron]
+ - Recommended command for a fast Conficker scan (combine into 1 line):
+ nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns
+ --script-args checkconficker=1,safe=1 -T4 [target networks]
+ - Recommended command for a more comprehensive (but slower) scan:
+ nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p-
+ --script-args checkall=1,safe=1 -T4 [target networks]
+
+o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
+ code simplicity and extensibility. See
+ http://seclists.org/nmap-dev/2009/q2/0090.html and
+ http://seclists.org/nmap-dev/2009/q1/0047.html . [Patrick]
+
+o [Zenmap] The "Cancel" button has been restored to the main screen.
+ It will cancel the scan that is currently being displayed. [David]
+
+o Fixed an SMB library bug which could case a nil-pointer exception
+ when scanning broken SMB implementations. Reported by Steve
+ Horejsi. [Ron]
+
+o [Ndiff] The setup.py installation script now suggests installing the
+ python-dev package in a certain error situation. Previously the
+ error message it printed was misleading:
+ error: invalid Python installation: unable to open
+ /usr/lib/python2.6/config/Makefile (No such file or directory)
+ The change was suggested by Aaron Leininger. [David]
+
+o [Nbase] The checksum functions now have an nbase_ prefix. This
+ should prevent name collisions with internal but exported functions
+ in shared libraries Nmap links against (e.g. adler32() in zlib).
+ Such collisions seem to confuse the runtime linker on some platforms.
+ [Daniel Roethlisberger]
+
+o Fixed banner.nse to remove surrounding whitespace from banners. For
+ example, this avoids a superfluous carriage return and newline at the
+ end of SSH greetings. [Patrick]
+
+o Expanded and tweaked the product/version/info of service scans in an
+ attempt to reduce the number of warnings like "Warning: Servicescan
+ failed to fill info_template...". Parts of this change include:
+ - Improved the text of the warning to be less confusing
+ - Increased the internal version info buffer to 256 chars from 128
+ - Increased the final version string length to 160 from 128 chars
+ - Changed the behavior when constructing the final version string so
+ that if it runs out of space, rather than dropping the output of that
+ template it truncates the template with ...
+ - Fixed the printing of unneeded spaces between templates when one of the
+ templates isn't going to be printed at all.
+ [Brandon]
+
+o Improved the service scan DB to remove certain problematic regex
+ patterns which could lead to PCRE_MATCHLIMIT errors. For example,
+ instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
+ ".*" as long as the DOTALL (/s) modifier was set. [Brandon]
+
+o Changed some error() calls (which were more informational than error
+ messages) to use log_write() instead, and changed a few f?printf()
+ calls into error() or log_write(). [Brandon]
+
+o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
+ to resolve names using the wrong address family (such as AF_INET
+ rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]
+
+o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
+ It caused a crash when opening the Hosts Viewer on a host that had OS
+ information. A window appeared saying simply "Runtime Error!". [David]
+
+o [Zenmap] Gracefully handle unrecognized port states in the hosts
+ viewer. Apparently old versions of Nmap can return a state of
+ "unknown". This prevents this crash:
+ File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
+ File "radialnet\gui\NodeNotebook.pyo", line 257, in __create_widgets
+ KeyError: u'unknown'
+ [David]
+
+o Rewrote the debugging error message "Found whacked packet protocol
+ 17 in get_ping_pcap_result" because we decided that receiving a UDP
+ packet during TCP ping scan is not egregious enough to qualify as
+ "whacked". [David]
+
+Nmap 4.85BETA7 [2009-04-1]
+
+o Improvements to the Conficker detection script (smb-check-vulns):
+ - Reduce false negative rate. We (and all the other scanners) used
+ to require the 0x57 return code as well as a canonicalized path
+ string including 0x5c450000. Tenable confirmed an infected system
+ which returned a 0x00000000 path, so we now treat any hosting
+ returning code 0x57 as likely infected. [Ron]
+ - Add workaround for crash in older versions of OpenSSL which would
+ occur when we received a blank authentication challenge string
+ from the server. The error looked like: evp_enc.c(282): OpenSSL
+ internal error, assertion failed: inl > 0". [Ron]
+ - Add helpful text for the two most common errors seen in the
+ Conficker check in smb-check-vulns.nse. So instead of saying
+ things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
+ | Conficker: Likely CLEAN; access was denied.
+ | | If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
+ | | (replace xxx and yyy with your username and password). Also try
+ | |_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
+ The other improved message is for
+ NT_STATUS_OBJECT_NAME_NOT_FOUND. [David]
+
+o The NSEDoc portal at https://nmap.org/nsedoc/ now provides download
+ links from the script and module pages to browse or download recent versions
+ of the code. It isn't quite as up-to-date as obtaining them from
+ svn directly, but may be more convenient. For an example, see
+ https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html . [David, Fyodor]
+
+o A copy of the Nmap public svn repository (/nmap, plus its zenmap,
+ nsock, nbase, and ncat externals) is now available at
+ https://nmap.org/svn/. We'll be updating this regularly, but it may
+ be slightly behind the SVN version. This is particularly useful
+ when you need to link to files in the tree, since browsers generally
+ don't handle svn:// repository links. [Fyodor]
+
+o Declare a couple msrpc.lua variables as local to avoid a potential
+ deadlock between smb-server-stats.nse instances. [Ron]
+
+Nmap 4.85BETA6 [2009-03-31]
+
+o Fixed some bugs with the Conficker detection script
+ (smb-check-vulns) [Ron]:
+ - SMB response timeout raised to 20s from 5s to compensate for
+ slow/overloaded systems and networks.
+ - MSRPC now only signs messages if OpenSSL is available (avoids an
+ error).
+ - Better error checking for MS08-067 patch
+ - Fixed forgotten endian-modifier (caused problems on big-endian
+ systems such as Solaris on SPARC).
+
+o Host status messages (up/down) are now uniform between ping scanning
+ and port scanning and include more information. They used to vary
+ slightly, but now all look like
+ Host <host> is up (Xs latency).
+ Host <host> is down.
+ The new latency information is Nmap's estimate of the round trip
+ time. In addition, the reason for a host being up is now printed for
+ port scans just as for ping scans, with the --reason option. [David]
+
+o Version detection now has a generic match line for SSLv3 servers,
+ which matches more servers than the already-existing set of specific
+ match lines. The match line found 13% more SSL servers in a test.
+ Note that Nmap will not be able to do SSL scan-through against a
+ small fraction of these servers, those that are SSLv3-only or
+ TLSv1-only, because that ability is not yet built into Nsock. There
+ is also a new version detection probe that works against SSLv2-only
+ servers. These have shown themselves to be very rare, so that probe
+ is not sent by default. Kristof Boeynaems provided the patch and did
+ the testing.
+
+o [Zenmap] A typo that led to a crash if the ndiff subprocess
+ terminated with an error was fixed. [David] The message was
+ File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
+ UnboundLocalError: local variable 'error_test' referenced before assignment
+
+o [Zenmap] A crash was fixed:
+ File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
+ KeyError: "Syst\xc3\xa8me d'Exploitation"
+ The text could be different, because the error was caused by
+ translating a string that was also being used as an index into an
+ internal data structure. The string will be untranslated until that
+ part of the code can be rewritten. [David]
+
+o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
+ or target: search over hosts that had a MAC address. [David]
+ The crash output was
+ File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
+ File "zenmapCore\SearchResult.pyo", line 183, in match_target
+ TypeError: argument of type 'NoneType' is not iterable
+
+o Fixed a bug which prevented all comma-separated --script arguments
+ from being shown in Nmap normal and XML output files where they show
+ the original Nmap command. [David]
+
+o Fixed ping scanner's runtime statistics system so that instead of
+ saying "0 undergoing Ping Scan" it gives the actual number of hosts in
+ the group (e.g. 4096). [David]
+
+o [Zenmap] A crash was fixed in displaying the "Error creating the
+ per-user configuration directory" dialog:
+ File "zenmap", line 104, in <module>
+ File "zenmapGUI\App.pyo", line 129, in run
+ UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
+ invalid data
+ The crash would only happen to users with paths containing
+ multibyte characters in a non-UTF-8 locale, who also had some error
+ preventing the creation of the directory. [David]
+
+Nmap 4.85BETA5 [2009-03-30]
+
+o Ron (in just a few hours of furious coding) added remote detection
+ of the Conficker worm to smb-check-vulns. It is based on new
+ research by Tillmann Werner and Felix Leder. You can scan your
+ network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
+ -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
+
+o Ndiff now includes service (version detection) and OS detection
+ differences. [David]
+
+o [Ncat] The --exec and --sh-exec options now work in UDP mode like
+ they do in TCP mode: the server handles multiple concurrent clients
+ and doesn't have to be restarted after each one. Marius Sturm
+ provided the patch.
+
+o [Ncat] The -v option (used alone) no longer floods the screen with
+ debugging messages. With just -v, we now only print the most
+ important status messages such as "Connected to ...", a startup
+ banner, and error messages. At -vv, minor debugging messages are
+ enabled, such as what command is being executed by --sh-exec. With
+ -vvv you get detailed debugging messages. [David]
+
+o [Ncat] Chat mode now lets other participants know when someone
+ connects or disconnects, and it also broadcasts a current list of
+ participants at such times. [David]
+
+o [Ncat] Fixed a socket handling bug which could occur when you
+ redirect Ncat stdin, such as "ncat -l --chat < /dev/null". The next
+ user to connect would end up with file descriptor 0 (which is
+ normally stdin) and thus confuse Ncat. [David]
+
+o [Zenmap] The "Scan Output" expanders in the diff window now behave
+ more naturally. Some strange behavior on Windows was noted by Jah.
+ [David]
+
+o The following OS detection tests are no longer included in OS
+ fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
+ and SI were found not be helpful in distinguishing operating systems
+ because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
+ but now they are not included in prints at all. [David]
+
+o The compile-time Nmap ASCII dragon is now more ferocious thanks to
+ better teeth alignment. [David]
+
+o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
+ test that could cause a closed-port IP ID to be written into the
+ array for the SEQ.TI test and cause erroneous results. The bug was
+ found and fixed by Guillaume Prigent.
+
+o Nbase has grown routines for calculating Adler32 and CRC32C
+ checksums. This is needed for future SCTP support. [Daniel
+ Roethlisberger]
+
+o [Zenmap] Zenmap no longer shows an error message when running Nmap
+ with options that cause a zero-length XML file to be produced (like
+ --iflist). [David]
+
+o Fixed an off-by-one error in printableSize() which could cause Nmap
+ to crash while reporting NSE results. Also, NmapOutputTable's memory
+ allocation strategy was improved to conserve memory. [Brandon,
+ Patrick]
+
+o [Zenmap] We now give the --force option to setup.py for installation
+ to ensure that it replaces all files. [David]
+
+o Nmap's --packet-trace, --version-trace, and --script-trace now use
+ an Nsock trace level of 2 rather than 5. This removes some
+ superfluous lines which can flood the screen. [David]
+
+o [Zenmap] Fixed a crash which could occur when loading the help URL
+ if the path contains multibyte characters. [David]
+
+o [Ncat] The version number is now matched to the Nmap release it came
+ with rather than always being 0.2. [David]
+
+o Fixed a strtok issue between load_exclude and
+ TargetGroup::parse_expr that caused only the first exclude on
+ a line to be loaded as well as an invalid read into free()'d
+ memory in load_exclude(). [Brandon, David]
+
+o NSE's garbage collection system (for cleaning up sockets from
+ completed threads, etc.) has been improved. [Patrick]
+
+Nmap 4.85BETA4 [2009-3-15]
+
+o Added two new SMB/MSRPC NSE scripts by Ron Bowes:
+ - smb-brute.nse: Bruteforce to discover SMB accounts. Has advanced
+ features, such as lockout detection, username validation, username
+ enumeration, and optimized case detection.
+ - smb-pwdump.nse: Uses executables from the Pwdump6 project to dump
+ password hashes from a remote machine (and optionally crack them
+ with Rainbow Crack). Pwdump6 files have to be downloaded
+ separately
+
+o [Ncat] The --exec and --sh-exec options now work on Windows. This
+ was a big job, considering that Windows doesn't even have a fork()
+ call and has all sorts of socket idiosyncrasies. [David]
+
+o Doug performed one of the largest version detection integration runs
+ ever, processing 1,746 submissions and 18 corrections. We are now
+ current with all submissions up to February 3. Keep them coming.
+ The version detection database has grown to 5,476 signatures for 510
+ application protocols. Doug posted his notes on the integration at
+ http://hcsw.org/blog.pl/37. We now have 1,868 http server
+ signatures, and the number of gopher signatures has bumped up from 5
+ to 6.
+
+o Released the new Ncat guide which contains practical real-life Ncat
+ usage examples for Ncat's major features. It complements the more
+ option-centric man page. Read it here: https://nmap.org/ncat/guide/
+ [David, Fyodor]
+
+o Ndiff is now included in the Windows zip distribution. For space
+ reasons, it is not an executable compiled with py2exe as in the
+ executable installer, rather it is the Ndiff source code (ndiff.py)
+ and a batch file wrapper (ndiff.bat). Because it's not precompiled,
+ it's necessary to have a Python interpreter installed. [David]
+
+o The new --stats-every option takes a time interval that controls how
+ often timing status updates are printed. It's intended to be used
+ when Nmap is run by another program as a subprocess. Thanks to
+ Aleksandar Petrinic for the initial implementation. [David]
+
+o [NSE] A new function stdnse.sleep allows a script to sleep for a
+ given time (and yield control to other scripts). [David]
+
+o [Ncat] In --chat mode (formerly --talk), the server now announces to
+ everyone when someone connects or disconnects. Besides letting you
+ know who's connected, this also informs you of your "user name" as
+ soon as you connect. [David]
+
+o [Ncat] Ncat now works interactively on Windows. Before,
+ peculiarities in the way Windows handles reading from the keyboard
+ meant that typing interactively into Ncat would cause it to quit
+ with a write timeout. [David]
+
+o Refactored SMB and MSRPC NSE scripts significantly, moving much of
+ the code into the smb.lua and msrpc.lua modules where it can be
+ leveraged by other scripts. For example, the user enumeration
+ functions are used by smb-brute.nse. [Ron Bowes]
+
+o [Ncat] The syntax accepted by the --allow, --deny, --allowfile, and
+ --denyfile options is now the same as Nmap's target specifications.
+ Additionally any errors in the allow or deny specifications are
+ reported when the program starts, not deferred until a connection is
+ received. [David]
+
+o You can now use '-' by itself in a target IP specification to mean
+ 0-255, so you could scan 192.168.-.-. An asterisk can also still be
+ used as an octet wildcard, but then you have to deal with shell
+ escaping on many platforms. [David]
+
+o Nmap was discovered in another movie! In the Russian film
+ Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack
+ Microsoft. In response, MS sends a pretty female hacker to flush
+ him out. More details and screenshots: https://nmap.org/movies/#khottabych .
+
+o Improved operating system support for the smb-enum-sessions NSE
+ script; previous revisions worked on Windows 2003 or Windows 2000,
+ but never both. Currently, it is tested and working on both
+ versions. [Ron Bowes]
+
+o Implemented file-management functions in SMB, including file upload,
+ file download, and file delete. Only leverages by smb-pwdump.nse at
+ the moment, these functions give scripts the ability to perform
+ checks against the filesystem of a server. [Ron Bowes]
+
+o [Zenmap] A crash was fixed that occurred when you ran a scan
+ that didn't produce any host output (like "nmap --iflist") and then
+ tried to remove it from the inventory. [David]
+ The crash looked like
+ ValueError: list.remove(x): x not in list
+
+o [Ncat] In --chat mode, the server escapes potentially dangerous
+ control characters (in octal) before sending them to
+ clients. [David]
+
+o [Ndiff] Added a workaround for a bug in PyXML. The bug would cause a
+ crash that looked like "KeyError: 0". [David]
+
+o [Zenmap] Fixed a crash when something that looked like a format
+ specifier (like %y) appeared in a profile. The error message was
+ ValueError: unsupported format character 'y' (0x79)
+ [David]
+
+o A bug was fixed in route finding on BSD Unix. The libdnet function
+ addr_stob didn't handle the special case of the sa_len member of
+ struct sockaddr being equal to 0 and accessed unrelated memory past
+ the end of the sockaddr. A symptom of this was the fatal error
+ nexthost: failed to determine route to ...
+ which was caused by the default route being assigned a netmask other
+ than 0.0.0.0. [David]
+
+o Added bindings for the service control (SVCCTL) and at service (ATSVC)
+ services. These are both related to running processes on the remote
+ system (identical to how PsExec-style scripts work). These bindings
+ are used by smb-pwdump.nse. [Ron Bowes]
+
+o Refactored SMB authentication code into its own module, smbauth.lua.
+ Improved scripts' ability to store and retrieve login information
+ discovered by modules such as smb-brute.nse. [Ron Bowes]
+
+o Added message signing to SMB. Connections will no longer fail if the
+ server requires message signatures. This is a rare case, but comes up
+ on occasion. If a server allows but doesn't require message signing,
+ smb.lua will negotiate signing. This improves security by preventing
+ man in the middle attacks. [Ron Bowes]
+
+o Fixed the daytime.nse script to work for UDP again (it was checking
+ a "proto" field when the field name is actually "protocol"). [Jah]
+
+o Implemented extended security negotiations in the NSE SMB
+ module. Creates no noticeable change from the user's perspective,
+ but it's a more modern protocol. [Ron Bowes]
+
+o Nmap wins LinuxQuestions.Org Network Security Application of the
+ Year for the sixth year in a row! See
+ http://seclists.org/nmap-dev/2009/q1/0395.html .
+
+o [Zenmap] Removed some unnecessary (mostly GTK+-related) files from
+ the Windows installer--nmap-4.85BETA4-setup.exe is now smaller than
+ it has ever been since Nmap 4.22SOC6, which was released in August
+ 2007! [David]
+
+o Fixed the install-zenmap make target for Solaris portability.
+ Solaris /bin/sh does not have test(1) -e. [Daniel Roethlisberger]
+
+o Version detection used to omit the "ssl/" service name prefix if an
+ SSL-tunneled port didn't respond to any version probes. Now it keeps
+ "ssl/" as an indication that SSL was discovered, even if the service
+ behind it wasn't identified. Kristof Boeynaems reported the problem
+ and contributed a patch. [David]
+
+o [Ncat] The --talk option has been renamed --chat. --talk remains as an
+ undocumented alias.
+
+o There is a new OS detection test named SEQ.CI. Like TI and II, CI
+ classifies the target's IP ID sequence generation algorithm. CI is
+ based on the responses received to the probes sent to a closed port.
+ The algorithm for closed ports has been observed to differ from that
+ for open ports on some operating systems (though we don't yet know
+ which ones). The new test won't have an effect until new
+ fingerprints containing it are added to nmap-os-db. We got the idea
+ from some notes sent in by Dario Ciccarone. [David, Fyodor]
+
+o OS fingerprints now include the SEQ.II test (ICMP IP ID sequence
+ generation) even if there are no other SEQ test results. The
+ previous omission of SEQ.II in that case was a bug. [David]
+
+o [Ncat] The --send-only and --recv-only options now work in listen
+ mode as well as connect mode. [David]
+
+o [Ncat] An error in formatting bytes with the high bit set in hex
+ dump output was fixed. [David]
+
+o [Zenmap] New translation: Croatian (contributed by Vlatko Kosturjak).
+
+o Fixed a DNS decoding bug in dns-zone-transfer.nse that created
+ garbage output and could crash Zenmap by including 0x0C bytes in XML
+ files. The Zenmap crash looked like
+ SAXParseException: .../zenmap-XXXXXX.xml:39:290: not well-formed
+ (invalid token)
+ Thanks to Anino Belan and Eric Nickel for sending in affected log
+ files. [David]
+
+o [NSEDoc] Scripts that use modules automatically have the script
+ arguments defined by those modules included in their documentation.
+ It's no longer necessary to manually supply @args for the arguments
+ in the modules you use. For those who haven't seen the NSEDoc portal
+ yet, check out https://nmap.org/nsedoc/. [David]
+
+o An integer overflow in the scan progress meter was fixed. It caused
+ nonsense output like
+ UDP Scan Timing: About 11.34% done; ETC: 03:21 (-688:-41:-48 remaining)
+ during very long scans. [Henri Doreau]
+
+o [Zenmap] A better method of detecting the system locale is used, so
+ it should not be necessary to set the LANG environment variable on
+ Windows to get internationalized text. Thanks to Dirk Loss for the
+ suggestion. [David]
+
+o [Ncat] Added a number of automated tests for ensuring that Ncat is
+ working correctly. They are in /ncat/test in SVN. [David]
+
+o [Ncat] Now builds again when using the --without-openssl
+ option. [David]
+
+o [Zenmap] Fix auto-scroll behavior while Nmap is producing output, as
+ that previously failed in some cases involving wide lines in
+ output. [David]
+
+o [Zenmap] The network topology feature (Radialnet) has been
+ internationalized so its strings will be localized as well (as soon
+ as the relevant language's translation files are updated. To help
+ out, see https://nmap.org/book/zenmap-lang.html . Some remaining search
+ interface elements were internationalized as well. [David]
+
+o Improved the efficiency of the xml_convert() routine which handles
+ XML escaping. It was so inefficient that this stupid little routine
+ was noticeably slowing Nmap down in some cases. [David]
+
+o Removed 9 OS detection device types which only had one or two
+ instances in our whole database (ATM, TV, oscilloscope, etc.) and
+ made some other cleanups as well. We plan to enhance this even
+ further for the next release. [Fyodor, David, Doug]
+
+o [Zenmap] Removed some unnecessary GTK+ files from the files
+ installed by the Windows executable installer. [David]
+
+o [Zenmap] Tweaked the file format of the topology icons
+ (firewall.png, padlock.png, etc.) in an attempt to improve
+ compatibility with some versions of GTK+. This may fix a crash like
+ File "radialnet/gui/Image.py", line 53, in get_pixbuf
+ self.__cache[icon + image_type] = gtk.gdk.pixbuf_new_from_file(file)
+ GError: Couldn't recognize the image file format for file 'radialnet/padlock.png'
+ Thanks to Trevor Bain for a report and help debugging. [David]
+
+o Removed a bunch of unnecessary files (mostly GTK related) from the
+ Win32 exe installer to reduce its size. [David]
+
+o Fixed an NSE crash (assertion error) which looked like
+ "nsock_core.c:293: handle_connect_result: Assertion `0'
+ failed". Brandon reported the bug, which was fixed by Doug and
+ David. See http://seclists.org/nmap-dev/2009/q1/0546.html .
+
+Nmap 4.85BETA3 [2009-2-2]
+
+o Revert the temporary GTK DLL workaround (r11899) which added
+ duplicate DLL files to the distribution. David found that using a
+ different GTK download fixed the problem (see
+ docs/win32-installer-zenmap-buildguide.txt) and Fyodor was able to
+ reproduce and implement.
+
+o The conditions for printing OS fingerprints to XML output are now
+ the same as are used to decide whether to print them in the other
+ formats. So they will be printed if submission is desirable,
+ otherwise they are only printed if debugging is enabled or verbosity
+ is 2 or higher. [Tom Sellers]
+
+o Removed some Brazilian poetry/lyrics from Zenmap source code
+ (NmapOutputViewer.py). We've seen enough of it in the debug logs. "E
+ nao se entrega, nao".
+
+o Fix Ncat compilation with the MingW windows compiler. [Gisle Vanem]
+
+o Corrected some NSE libraries (datafiles, tab) which were using the
+ old arg table interface. [Patrick]
+
+o [Zenmap] Fixed a crash that happened when running a scan directly
+ from the command wizard without saving a profile [David]:
+ NmapParser.py", line 417, in set_target
+ self.ops.target_specs = target.split()
+ AttributeError: 'NoneType' object has no attribute 'split'
+
+o Fixed an NSE pop3 library error which gave a message such as:
+ SCRIPT ENGINE (506.424s): ./scripts/pop3-capabilities.nse against
+ a.b.1.47:995 ended with error: ./scripts/pop3-capabilities.nse:32:
+ bad argument #1 to 'pairs' (table expected, got string) [Jah]
+
+o Upgraded the OpenSSL binaries shipped in our Windows installer to
+ version 0.9.8j. [Kris]
+
+o Updated IANA assignment IP list for random IP (-iR)
+ generation. [Kris]
+
+Nmap 4.85BETA2 [2009-1-29]
+
+o Added some duplicate GTK DLLs to Windows installer, as a temporary
+ fix for this issue: http://seclists.org/nmap-dev/2009/q1/0207.html
+ The problem caused a warning message complaining of problems finding
+ librsvg-2-2.dll to pop up 32 times before Zenmap would start. We're
+ still looking for a better fix. [Fyodor, Rob, Jah]
+
+o Made a few improvements to nmap.xsl (details:
+ http://seclists.org/nmap-dev/2009/q1/0210.html) [Tom Sellers]
+
+o [Zenmap] New translation: French (contributed by Gutek)
+
+o Updated the mswin32 installer build guide and posted it to
+ https://svn.nmap.org/nmap/docs/win32-installer-zenmap-buildguide.txt [Fyodor]
+
+o The xampp-default-auth.nse script was renamed to ftp-brute.nse since
+ it has become more general.
+
+Nmap 4.85BETA1 [2009-1-23]
+
+o Added Ncat, a much-improved reimplementation of the venerable Netcat
+ tool which adds modern features and makes use of Nmap's efficient
+ networking libraries. Features include SSL support, proxy
+ connections (client or server, socks4 or connect-based, with or
+ without authentication, optionally chained), TCP and UDP connection
+ redirection, connection brokering (facilitating connections between
+ machines which are behind NAT gateways), and much more. It is
+ cross-platform (Linux, Windows, Mac, etc.) and supports IPv6 as well
+ as standard IPv4. See https://nmap.org/ncat/ for details. It is now
+ included in our binary packages (Windows, Linux, and Mac OS X), and
+ built by default. You can skip it with the --without-ncat configure
+ option. Thanks to Kris and David for their great work on this!
+
+o Added the Ndiff utility, which compares the results of two Nmap
+ scans and describes the new/removed hosts, newly open/closed ports,
+ changed operating systems, etc. This makes it trivial to scan your
+ networks on a regular basis and create a report (XML or text format)
+ on all the changes. See https://nmap.org/ndiff/ and ndiff/README for
+ more information. Ndiff is included in our binary packages and built
+ by default, though you can prevent it from being built by specifying
+ the --without-ndiff configure flag. Thanks to David and Michael
+ Pattrick for their great work on this.
+
+o Released Nmap Network Scanning: The Official Nmap Project Guide to
+ Network Discovery and Security Scanning. From explaining port
+ scanning basics for novices to detailing low-level packet crafting
+ methods used by advanced hackers, this book suits all levels of
+ security and networking professionals. A 42-page reference guide
+ documents every Nmap feature and option, while the rest of the book
+ demonstrates how to apply those features to quickly solve real-world
+ tasks. It was briefly the #1 selling computer book on Amazon.
+ Translations to the German, Korean, and Brazilian Portuguese
+ languages are forthcoming. More than half of the book is already
+ free online. For more, see https://nmap.org/book/.
+
+o David spent more than a month working on algorithms to improve port
+ scan performance while retaining or improving accuracy. The changes
+ are described at http://seclists.org/nmap-dev/2009/q1/0054.html . He
+ was able to reduce our "benchmark scan time" (which involves many
+ different scan types from many source networks to many targets) from
+ 1879 seconds to 1321 without harming accuracy. That is a 30% time
+ reduction!
+
+o Introduced the NSE documentation portal, which documents every NSE
+ script and library included with Nmap. See https://nmap.org/nsedoc/.
+ Script documentation was improved substantially in the process.
+ Scripts and libraries must use the new NSEDoc format, which is
+ described at https://nmap.org/book/nsedoc.html . Thanks to Patrick
+ and David for their great work on this.
+
+o The 2nd Generation OS Detection System was dramatically improved for
+ improved accuracy. After substantial testing, David and Fyodor made
+ the following changes:
+ - The "T" (TTL test) result ranges were widened to prevent minor
+ routing (and device hardware inconsistency) variations from causing
+ so many matches to fail.
+ - The TG (TTL guess) results were canonicalized. Nmap is only
+ capable of assigning the values 0x20, 0x40, 0x80, and 0xFF for
+ these tests, yet many fingerprints had different values. This was
+ due to bugs in our fingerprint integration tools.
+ - The U1.TOS and IE.TOSI tests (both having to do with the IP Type
+ of Service field) have been effectively eliminated (MatchPoints
+ set to 0). These proved particularly susceptible to false results
+ due to networking hardware along the packet route manipulating the
+ TOS header field.
+ - An important bug in OS detection's congestion control algorithms
+ was fixed. It could lead to Nmap sending packets much too quickly
+ in some cases, which hurt accuracy.
+
+o Integrated all of your OS detection fingerprint submissions and
+ corrections up to January 8. The DB has grown more than 17% to
+ 1,761 fingerprints. Newly detected services include Mac OS X
+ 10.5.6, Linux 2.6.28, iPhone 2.1, and all manner of WAPs, VoIP
+ phones, routers, oscilloscopes, employee timeclocks, etc. Keep those
+ submissions coming!
+
+o Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap
+ to interrogate Windows machines much more completely. He added
+ three new nselib modules: msrpc, netbios, and smb. As the names
+ suggest, they contain common code for scripts using MSRPC, NetBIOS,
+ and SMB. These modules allow scripts to extract a great deal of
+ information from hosts running Windows, particularly Windows
+ 2000. New or updated scripts using the modules are:
+ - nbstat.nse: get NetBIOS names and MAC address.
+ - smb-enum-domains.nse: enumerate domains and policies.
+ - smb-enum-processes.nse: allows a user with administrator
+ credentials to view a tree of the processes running on the
+ remote system (uses HKEY_PERFORMANCE_DATA hive).
+ - smb-enum-sessions.nse: enumerate logins and SMB sessions.
+ - smb-enum-shares.nse: enumerate network shares.
+ - smb-enum-users.nse: enumerate users and information about them.
+ - smb-os-discovery.nse: get operating system over SMB (replaces
+ netbios-smb-os-discovery.nse).
+ - smb-security-mode.nse: determine if a host uses user-level or
+ share-level security, and what other security features it
+ supports.
+ - smb-server-stats.nse: grab statistics such as network traffic
+ counts.
+ - smb-system-info.nse: get lots of information from the registry.
+
+o A problem that caused OS detection to fail for most hosts in a
+ certain case was fixed. It happened when sending raw Ethernet frames
+ (by default on Windows or on other platforms with --send-eth) to
+ hosts on a switched LAN. The destination MAC address was wrong for
+ most targets. The symptom was that only one out of each scan group
+ of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go
+ to Michael Head for running tests and especially Trent Snyder for
+ testing and finding the cause of the problem. [David]
+
+o Zenmap now runs ndiff to for its "Compare Results" function. This
+ completely replaces the old diff view. The diff window size is now
+ more flexible for user resizing as well. [David]
+
+o Added a Russian translation of the Nmap Reference Guide by Guz
+ Alexander. We now have translations in 15 languages available from
+ https://nmap.org/docs.html . More volunteer translators are welcome,
+ as we are still missing some important languages. Translation
+ instructions are available from that docs.html page.
+
+o Update Windows installer to handle Windows 7 (tested with the Beta
+ build 7000) [Rob Nicholls]
+
+o Improved port scan performance by changing the list of high priority
+ ports which Nmap shifts closer to the beginning of scans because
+ they are more likely to be responsive. We based the change on
+ empirical data from large-scale scanning. The new port list is:
+ 21, 22, 23, 25, 53, 80, 110, 111, 113, 135, 139, 143, 199, 256,
+ 443, 445, 554, 587, 993, 995, 1025, 1720, 1723, 3306, 3389, 5900,
+ 8080, 8888
+ [Fyodor, David]
+
+o [NSE] Almost all scripts were renamed to be more consistent. They
+ are now all lowercase and most of them start with the name of the
+ service name they query. Words are separated by hyphens. [David,
+ Fyodor]
+
+o [NSE] Now that scripts are better named, the "Id" field has been
+ removed and the script name (sans the .nse or directory path
+ information) is used in script output instead. [David]
+
+o [NSE] Added banner.nse, a simple script which connects to open TCP
+ ports and prints out anything sent in the first five seconds by the
+ listening service. [Jah]
+
+o [NSE] Added a new OpenSSL library with functions for multiprecision
+ integer arithmetic, hashing, HMAC, symmetric encryption and
+ symmetric decryption. [Sven]
+
+o [Zenmap] Internationalization has been fixed [David]. Currently
+ Zenmap has two translations:
+ - German by Chris Leick
+ - Brazilian Portuguese by Adriano Monteiro Marques (partial)
+ For details on using an existing translation or localizing Zenmap
+ into your own native language, see
+ https://nmap.org/book/zenmap-lang.html . [David]
+
+o Zenmap no longer outputs XML elements and attributes that are not in
+ the Nmap XML DTD. This was done mostly by removing things from
+ Zenmap's output, and adding a few new optional things to the Nmap
+ DTD. A scan's profile name, host comments, and interactive text
+ output are what were added to nmap.dtd. The .usr filename extension
+ for saved Zenmap files is deprecated in favor of the .xml extension
+ commonly used with Nmap. Because of these changes the
+ xmloutputversion has been increased to 1.03. [David]
+
+o The NSE registry now persists across host groups so that values
+ stored in it will remain until they are explicitly removed or Nmap
+ execution ends. [David]
+
+o Enhanced the AS Numbers script (ASN.nse) to better consolidate
+ results and bail out if the DNS server doesn't support the ASN
+ queries. [Jah]
+
+o Complete re-write of the marshaling logic for Microsoft RPC calls.
+ [Ron Bowes]
+
+o Added a script that checks for ms08-067-vulnerable hosts
+ (smb-check-vulns.nse) using the smb nselib. It also checks for an
+ unfixed denial of service vulnerability Ron discovered in the
+ Windows 2000 registry service. [Ron Bowes]
+
+o [Zenmap] Text size is larger on Mac OS X thanks to a new included
+ gtkrc file. [David]
+
+o Reduced memory consumption for some longer-running scans by removing
+ completed hosts from the lists after two minutes. These hosts are
+ kept around in case there is a late response, but this draws the
+ line on how long we wait and hence keep this information in memory.
+ See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]
+
+o The Windows installer now uses Zenmap binaries built using Python
+ 2.6.1 rather than 2.5.1 [Fyodor]
+
+o When a system route can't be matched up directly with an interface
+ by comparing addresses, Nmap now tries to match the route through
+ another route. This helps for instance with a PPP connection where
+ the default route's gateway address is routed through a different
+ route, the one associated with the address of the PPP device. The
+ problem would show itself as an inability to scan through the
+ default route and the error message
+ WARNING: Unable to find appropriate interface for system route to ...
+ [David]
+
+o Removed a code comment which simply declared /* WANKER ALERT! */ for
+ no good reason. [Fyodor]
+
+o NSE prints messages in debugging mode whenever a script starts or
+ finishes. [Patrick, David]
+
+o [Ncat] The -l option can now be specified w/o a port number to
+ listen on Ncat's default port number (31337).
+
+o [Zenmap] The Nmap output window now scrolls automatically as a scan
+ progresses. [David]
+
+o [NSE] We now have a canonical way for scripts to check for
+ dependency libraries such as OpenSSL. This allows them to handle
+ the issue gracefully (by exiting or doing some of their work if
+ possible) rather than flooding the console with error messages as
+ before. See https://nmap.org/nsedoc/lib/openssl.html . [Pattrick,
+ David, Fyodor]
+
+o Nmap now reports a proper error message when you combine an IPv6
+ scan (-6) with random IPv4 address selection (-iR). [Henri Doreau]
+
+o Nmap now builds with the _FORTIFY_SOURCE=2 define. With modern
+ versions of GCC, this adds extra buffer overflow protection and
+ other security checks. It is described at
+ http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html . [David,
+ Doug]
+
+o The --excludefile option correctly handles files with no terminating
+ newline instead of claiming "Exclude file line 0 was too long to
+ read." [Henri Doreau]
+
+o [NSE] Changed the datafiles library to remove constraining input
+ checks, move nmap.fetch_file() to read_from_file(), and make
+ get_array() and get_assoc_array() into normal functions. [Sven]
+
+o [NSE] Fixed some bugs and typos in the datafiles library. [Jah]
+
+o Nsock handles a certain Windows connect error, WSAEADDRNOTAVAIL
+ (errno 10049), preventing an assertion failure that looked like
+ Strange connect error from 203.65.42.255 (10049): No such file or directory
+ Assertion failed: 0, file .\src\nsock_core.c, line 290
+ The error could be seen by running a version scan against a
+ broadcast address. Thanks to Tilo Köppe and James Liu for reporting
+ the problem. [David]
+
+o An "elapsed" attribute has been added to the XML output (in the
+ "finished" tag), representing the total Nmap scanning time in
+ seconds (floating point). [Kris]
+
+o Fixed a division by zero error in the packet rate measuring code
+ that could cause a display of infinity packets per seconds near the
+ start of a scan. [Jah]
+
+o Substantially updated the Nmap Scripting Engine guide/chapter
+ (https://nmap.org/book/nse.html) so that it is up-to-date with all
+ the latest NSE improvements.
+
+o Fixed a bug in the IP validation code which would have let a specially
+ crafted reply sent from a host on the same LAN slip through and cause
+ Nmap to segfault. Thanks to ithilgore of sock-raw.homeunix.org for
+ the very detailed bug report. [Kris]
+
+o [Zenmap] The crash reporter further enhances user privacy by showing
+ all the information that will be submitted so you can edit it to
+ remove identifying information such as the name of your home
+ directory. If you provide an email address the report will be marked
+ private so it will not appear on the public bug tracker. [David]
+
+o [Zenmap] Zenmap now parses and records XSL stylesheet information
+ from Nmap XML files, so files saved by Zenmap will be viewable in a
+ web browser just like those produced by Nmap. [David]
+
+o A possible Lua stack overflow in the DNS module was fixed. Lua detects
+ these sorts of overflows and quits. [David]
+
+o [NSE] Improved html-title script to support http-alt and https-alt
+ (with SSL) and to handle a wider variety of redirects. [Jah]
+
+o NSE scripts that require a list of DNS servers (currently only
+ ASN.nse) now work when IPv6 scanning. Previously it gave an error
+ message: "Failed to send dns query. Response from dns.query(): 9".
+ [Jah, David]
+
+o [Zenmap] Added a workaround for a crash
+ GtkWarning: could not open display
+ on Mac OS X 10.5. The problem is caused by setting the DISPLAY
+ environment variable in one of your shell startup files; that
+ shouldn't be done under 10.5 and removing it will make other
+ X11-using applications work better. Zenmap will now handle the
+ situation automatically. [David]
+
+o http-auth.nse now properly checks for default authentication
+ credentials. A bug prevented it from working before. [Vlatko
+ Kosturjak]
+
+o Renamed irc-zombie.nse to auth-spoof and improved its description
+ and output a bit. [Fyodor]
+
+o Removed some unnecessary "demo" category NSE scripts: echoTest,
+ chargenTest, showHTTPVersion, and showSMTPVersion.nse. Moved
+ daytimeTest from the "demo" category to "discovery". Removed
+ showHTMLTitle from the "demo" category, but it remains in the
+ "default" and "safe" categories. This leaves just smtp-open-relay in
+ the undocumented "demo" category. [Fyodor]
+
+o [NSE] Removed ripeQuery.nse because we now have the much more robust
+ whois.nse which handles all the major registries. [Fyodor]
+
+o [NSE] Removed showSSHVersion.nse. Its only real claim to fame was
+ the ability to trick some SSH servers (including at least OpenSSH
+ 4.3p2-9etch3) into not logging the connection. This trick doesn't
+ seem to work with newer versions of OpenSSH, as my
+ openssh-server-4.7p1-4.fc8 does log the connection. Without the
+ stealth advantage, the script has no real benefit over version
+ detection or the upcoming banner grabbing script. [Fyodor]
+
+o [Zenmap] Profile updates: The -sS option was added to the "Intense
+ scan plus UDP" and "Slow comprehensive scan" profiles. The -PN (ping
+ only) option was added to "Quick traceroute". [David]
+
+o [NSE] The smtp-commands script output is now more compact. [Jasey
+ DePriest, David]
+
+o [Zenmap] Added a simple workaround for a bug in PyXML (an add-on
+ Python XML library) that caused a crash. The crash would happen when
+ loading an XML file and looked like "KeyError: 0". [David]
+
+o A crash caused by an incorrect test condition was fixed. It would
+ happen when running a ping scan other than a protocol ping, without
+ debugging enabled, if an ICMP packet was received referring to a
+ packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and
+ Matt Castelein for reporting the problem. [David]
+
+o [Zenmap] The keyboard shortcut for "Save to Directory" has been
+ changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the
+ usual paste shortcut. [Jah, Michael]
+
+o Nmap now quits if you give a "backwards" port or protocol range like
+ -p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]
+
+o Fixed a bug which caused Nmap to infer an improper distance against
+ some hosts when performing OS detection against a group whose
+ distance varies between members. [David, Fyodor]
+
+o [Zenmap] Host information windows are now like any other windows,
+ and will not become unclosable by having their controls offscreen.
+ Thanks to Robert Mead for the bug report.
+
+o [NSE] showHTMLTitle can now follow (non-standard) relative
+ redirects, and may do a DNS lookup to find if the redirected-to host
+ has the same IP address as the scanned host. [Jah]
+
+o [NSE] Enhanced the tohex() function in the stdnse library to support
+ strings and added options to control the formatting. [Sven]
+
+o [NSE] The http module tries to deal with non-standards-compliant
+ HTTP traffic, particularly responses in which the header fields are
+ separated by plain LF rather than CRLF. [Jah, Sven]
+
+o [Zenmap] The help function now properly converts the pathname of the
+ local help file to a URL, for better compatibility with different
+ web browsers. [David]
+ This should fix the crash
+ WindowsError: [Error 2] The system cannot find the file specified:
+ 'file://C:\\Program Files\\Nmap\\zenmap\\share\\zenmap\\docs\\help.html'
+
+o [NSE] Fixed a number of small bugs in the Nmap library
+ (nse_nmaplib.cc), as described at
+ http://seclists.org/nmap-dev/2008/q4/0663.html [Patrick]
+
+o The HTTP_open_proxy.nse script was updated to match Google Web
+ Server's changed header field: "Server: gws" instead of
+ "Server: GWS/". [Vlatko Kosturjak]
+
+o Enhanced the ssh service detection signatures to properly
+ detect protocol version 2 services. [Matt Selsky]
+
+o Nsock now uses fselect() to work around problems with select() not
+ working properly on non-socket descriptors on Windows. This was
+ needed for Ncat to work properly on that platform. See
+ http://seclists.org/nmap-dev/2008/q3/0766.html . [Kris]
+
+o Removed trailing null bytes from Ncat's responses in HTTP proxy
+ mode. [David]
+
+o [NSE] daytime.nse now runs against TCP ports in addition to the UDP
+ ports it already handled. The output format was also
+ improved. [David]
+
+o XML output now contains the full path to nmap.xml on Windows. The
+ path is converted to a file:// URL to provide better compatibility
+ across browsers. [Jah]
+
+o Made DNS timeouts in NSE a bit more aggressive at higher timing
+ levels such as -T4 and -T5. [Jah]
+
+o A script could be executed twice if it was given with the --script
+ option, also in the "version" category, and version detection (-sV)
+ was requested. This has been fixed. [David]
+
+o Fixed port number representation in some Nmap and Nsock message
+ output. Incorrect conversion modifiers caused high ports to wrap
+ around and be shown as negative values. [Kris]
+
+o Upgraded the shipped libdnet library to version 1.12 (with our
+ modifications). [Kris]
+
+o Upgraded the OpenSSL binaries shipped in our Windows installer to
+ version 0.9.8i. [Kris]
+
+o [NSE] The SSLv2-support script no longer prints duplicate cyphers if
+ they exist in the server's supported cypher list. [Kris]
+
+o Fix compilation w/IPv6 support on Solaris by checking for inet_addr
+ in -lnsr before using APR_CHECK_WORKING_GETNAMEINFO in
+ configure. [David]
+
+o Removed the nbase_md5.* and nbase_sha1.* files because our
+ new nse_openssl library includes that functionality. [David]
+
+o The robots.txt NSE script is now silent when there are no
+ interesting results, rather than printing that robots.txt "is empty
+ or has no disallowed entries". [Kris]
+
+o Fixed a file (socket) descriptor leak which could occur when connect
+ scan probes receive certain unusual error messages (including
+ EHOSTUNREACH, and EHOSTDOWN). This led to error messages such as
+ "Socket creation in sendConnectScanProbe: Too many open files (24)"
+ [David]
+
+o [Zenmap] Made floating host details windows into normal top-level
+ windows. This avoids a problem where the edge of a window could be
+ off the edge of a screen and it would not be closable. The bug was
+ reported by Robert Mead. [David]
+
+o Use TIMEVAL_AFTER(...) instead of TIMEVAL_SUBTRACT(...) > 0 when
+ deciding whether a probe response counts as a drop for scan delay
+ purposes. This prevents an integer overflow which could
+ substantially degrade scan performance. [David]
+
+o Reorganized macosx/Makefile to make it easier to add in new packages
+ such as Ncat and Ndiff. Also removed the bogus clean-nmap and
+ clean-zenmap targets. [David]
+
+o [Zenmap] Fixed a crash related to the use of NmapOptions in
+ ScanNotebook.py using the old interface (ops.num_random_targes,
+ ops.input_filename) rather than the newer dict-style
+ interface. [Jah]
+
+o Split parallel DNS resolution and system DNS resolution into
+ separate functions. Previously system DNS resolution was encapsulated
+ inside the parallel DNS function, inside a big if block. Now the if
+ is on the outside and decides which of the two functions to
+ call. [David]
+
+o [NSE] Remove "\r\r" in script output. If you print "\r\n", the
+ Windows C library will transform it to "\r\r\n". So we just print
+ "\n" with no special case for Windows. Also fixed
+ showSMTPversion.nse so that it doesn't print "\r\r" in the first
+ place. [David]
+
+o Updated IANA assignment IP list for random IP (-iR)
+ generation. [Kris]
+
+o OS scan point matching code can now handle tests worth zero
+ points. We now assign zero points to ignore a couple tests which
+ proved ineffective. [David]
+
+o [Zenmap] Catch the exceptions that are caused when there's no XML
+ output file, an empty one, or one that's half-complete. You can
+ cause these three situations, respectively, with: "nmap -V", "nmap
+ --iflist", or "nmap 0". Also remove the target requirement for scans
+ because you should be able to run commands such as "nmap --iflist"
+ from Zenmap. [David]
+
+o [Zenmap] Guard against the topology graph becoming empty in the
+ middle of an animation. This could happen if you removed a scan
+ from the list of scans during an animation. The error looked like:
+ File "usr/lib/python2.5/site-packages/radialnet/gui/RadialNet.py",
+ line 1533, in __livens_up AttributeError: 'NoneType' object has no
+ attribute 'get_nodes'
+ [David]
+
+o [Zenmap] Fixed a crash which could occur when you entered a command
+ containing only whitespace. David fixed various other possible
+ crashes found in the crash report tracker too. Zenmap users really
+ are capable of finding every possible edge case which could cause a
+ crash :).
+
+Nmap 4.76 [2008-9-12]
+
+o There is a new "external" script category, for NSE scripts which
+ rely on a third-party network resource. Scripts that send data to
+ anywhere other than the target are placed in this category. Initial
+ members are ASN.nse, dns-safe-recursion-port.nse,
+ dns-safe-recursion-txid.nse, ripeQuery.nse, HTTP_open_proxy.nse, and
+ whois.nse [David]
+
+o [Zenmap] A crash was fixed that affected Windows users with
+ non-ASCII characters in their user names. [David]
+ The error looked like this (with many variations):
+ UnicodeDecodeError: 'utf8' codec can't decode byte 0x9c in position 28:
+ unexpected code byte
+
+o [Zenmap] Several corner-case crashes were fixed: [David]
+ File "radialnet\gui\NodeNotebook.pyo", line 429, in __create_widgets
+ KeyError: 'tcp'
+ File "radialnet\gui\RadialNet.pyo", line 1531, in __livens_up
+ AttributeError: 'NoneType' object has no attribute 'get_nodes'
+ File "zenmapGUI\MainWindow.pyo", line 308, in _create_ui_manager
+ GError: Odd character '\'
+ File "radialnet/gui/ControlWidget.py", line 104, in __create_widgets
+ AttributeError: 'module' object has no attribute 'STOCK_INFO'
+ File "radialnet\util\integration.pyo", line 385, in make_graph_from_hosts
+ KeyError: 'hops'
+
+o [Zenmap] A crash was fixed that happened when opening the Hosts
+ Viewer with an empty list of hosts. [David]
+ The error message was
+ File "radialnet\gui\HostsViewer.pyo", line 167, in __cursor_callback
+ TypeError: GtkTreeModel.get_iter requires a tree path as its argument
+
+o Improved rpcinfo.nse to correctly parse a wider variety of server
+ responses. [Sven Klemm]
+
+o [Zenmap] Fixed a data encoding bug which could cause the crash
+ reporter itself to crash! [David]
+
+o Nmap's Windows self-installer now correctly registers/deletes the
+ npf (WinPcap) service during install/uninstall. Also the silent
+ install mode was improved to avoid a case where the WinPcap
+ uninstaller was (non-silently) shown. [Rob Nicholls]
+
+o Nmap's Windows self-installer now checks whether the MS Visual C++
+ runtime components have already been installed to avoid running it
+ again (which doesn't hurt anything, but slows down
+ installation). [Rob Nicholls]
+
+o Fixed an assertion failure where raw TCP timing ping probes were
+ wrongly used during a TCP connect scan:
+ nmap: scan_engine.cc:2843: UltraProbe* sendIPScanProbe(UltraScanInfo*,
+ HostScanStats*, const probespec*, u8, u8):
+ Assertion `USI->scantype != CONNECT_SCAN' failed.
+ Thanks to LevelZero for the report. [David]
+
+o Update the NSE bit library to replace deprecated use of
+ luaL_openlib() with luaL_register(). This fixes a build error which
+ occurred on systems which have Lua libraries installed but
+ LUA_COMPAT_OPENLIB not defined [Sven]
+
+o [Zenmap] The automatic crash reporter no longer requires an email
+ address. [David]
+
+o [Zenmap] Highlighting of hostnames was improved to avoid wrongful
+ highlighting of certain elapsed times, byte counts, and other
+ non-hostname data. The blue highlight effects are now more subtle
+ (no longer bold, underlined, or italic) [David]
+
+o [Zenmap] A warning that would occur when a host had the same service
+ running on more than one port was removed. Thanks to Toralf Förster
+ for the bug report. [David]
+ GtkWarning: gtk_box_pack_start: assertion `child->parent == NULL' failed
+ self.pack_start(widget, expand=False, fill=False)
+
+Nmap 4.75 [2008-9-7]
+
+o [Zenmap] Added a new Scan Topology system. The idea is that if we
+ are going to call Nmap the "Network Mapper", it should at least be
+ able to draw you a map of the network! And that is what this new
+ system does. It was achieved by integrating the RadialNet Nmap
+ visualization tool (http://www.dca.ufrn.br/~joaomedeiros/radialnet),
+ into Zenmap. Joao Medeiros has been developing RadialNet for more
+ than a year. For details, complete with some of the most beautiful
+ Zenmap screen shots ever, visit
+ https://nmap.org/book/zenmap-topology.html . The integration work was
+ done by SoC student Vladimir Mitrovic and his mentor David Fifield.
+
+o [Zenmap] Another exciting new Zenmap feature is Scan Aggregation.
+ This allows you to visualize and analyze the results of multiple
+ scans at once, as if they were from one Nmap execution. So you might
+ scan one network, analyze the results a bit, then scan some of the
+ machines more intensely or add a completely new subnet to the
+ scan. The new results are seamlessly added to the old, as described
+ at https://nmap.org/book/zenmap-scanning.html#aggregation. [David,
+ Vladimir]
+
+o Expanded nmap-services to include information on how frequently each
+ port number is found open. The results were generated by scanning
+ tens of millions of IPs on the Internet this summer, and augmented
+ with internal network data contributed by some large
+ organizations. [Fyodor]
+
+o Nmap now scans the most common 1,000 ports by default in either
+ protocol (UDP scan is still optional). This is a decrease from
+ 1,715 TCP ports and 1,488 UDP ports in Nmap 4.68. So Nmap is faster
+ by default and, since the port selection is better thanks to the
+ port frequency data, it often finds more open ports as
+ well. [Fyodor]
+
+o Nmap fast scan (-F) now scans the top 100 ports by default in either
+ protocol. This is a decrease from 1,276 (TCP) and 1,017 (UDP) in
+ Nmap 4.68. Port scanning time with -F is generally an order of
+ magnitude faster than before, making -F worthy of its "fast scan"
+ moniker. [Fyodor]
+
+o The --top-ports option lets you specify the number of ports you wish
+ to scan in each protocol, and will pick the most popular ports for
+ you based on the new frequency data. For both TCP and UDP, the top
+ 10 ports gets you roughly half of the open ports. The top 1,000
+ (out of 65,536 possible) finds roughly 93% of the open TCP ports and
+ more than 95% of the open UDP ports. [Fyodor, Doug Hoyte]
+
+o David integrated all of your OS detection fingerprint and correction
+ submissions from March 11 until mid-July. In the process, we
+ reached the 1500-signature milestone for the 2nd generation OS
+ detection system. We can now detect the newest iPhones, Linux
+ 2.6.25, OS X Darwin 9.2.2, Windows Vista SP1, and even the Nintendo
+ Wii. Nmap now has 1,503 signatures, vs. 1,320 in 4.68. Integration
+ is now faster and more pleasant thanks to the new OSassist
+ application developed by Nmap SoC student Michael Pattrick. See
+ http://seclists.org/nmap-dev/2008/q3/0089.html and
+ http://seclists.org/nmap-dev/2008/q3/0139.html for more details.
+
+o Nmap now works with Windows 2000 again, after being broken by our
+ IPv6 support improvements in version 4.65. A couple new dependencies
+ are required to run on Win2K, as described at
+ https://nmap.org/book/inst-windows.html#inst-win2k .
+
+o [Zenmap] Added a context-sensitive help system to the Profile
+ Editor. You can now mouse-over options to learn more about what
+ they are used for and their proper argument syntax. [Jurand Nogiec]
+
+o When Nmap finds a probe during ping scan which elicits a response,
+ it now saves that information for the port scan and later phases.
+ It can then "ping" the host with that probe as necessary to collect
+ timing information even if the host is not responding to the normal
+ port scan packets. Previously, Nmap's port scan timing pings could
+ only use information gathered during that port scan itself. A
+ number of other "port scan ping" system improvements were made at
+ the same time to improve performance against firewalled hosts. For
+ full details, see http://seclists.org/nmap-dev/2008/q3/0647.html
+ [David, Michael, Fyodor]
+
+o --traceroute now uses the timing ping probe saved from host
+ discovery and port scanning instead of finding its own probe. The
+ timing ping probe is always the best probe Nmap knows about for
+ eliciting a response from a target. This will have the most effect
+ on traceroute after a ping scan, where traceroute would sometimes
+ pick an ineffective probe and traceroute would fail even though the
+ target was up. [David]
+
+o Added dns-safe-recursion-port and dns-safe-recursion-txid
+ (non-default NSE scripts) which use the 3rd party dns-oarc.net
+ lookup to test the source port and transaction ID randomness of
+ discovered DNS servers (assuming they allow recursion at all).
+ These scripts, which test for the "Kaminsky" DNS bugs, were
+ contributed by Brandon Enright.
+
+o Added whois.nse, which queries the Regional Internet Registries
+ (RIRs) to determine who the target IP addresses are assigned
+ to. [Jah]
+
+o [Zenmap] Overhauled the default list of scan profiles based on
+ nmap-dev discussion. Users now have a much more diverse and useful
+ set of default profile options. And if they don't like any of those
+ canned scan commands, they can easily create their own in the
+ Profile Editor! [David]
+
+o Fyodor made a number of performance tweaks, such as:
+ - increase host group sizes in many cases, so Nmap will now commonly
+ scan 64 hosts at a time rather than 30
+ - align host groups with common network boundaries, such as /24 or
+ /25
+ - Increase maximum per-target port-scan ping frequency to one every
+ 1.25 seconds rather than every five. Port scan pings happen
+ against heavily firewalled hosts and the like when Nmap is not
+ receiving enough responses to normal scan to properly calculate
+ timing variables and detect packet drops.
+
+o Added a new NSE binlib library, which offers bin.pack() and
+ bin.unpack() functions for dealing with storing values in and
+ extracting them from binary strings. For details, see
+ https://nmap.org/book/nse-library.html#nse-binlib . [Philip
+ Pickering]
+
+o Added a new NSE DNS library. See this thread:
+ http://seclists.org/nmap-dev/2008/q3/0310.html [Philip Pickering]
+
+o Added new NSE libraries for base64 encoding, SNMP, and POP3 mail
+ operations. They are described at
+ http://seclists.org/nmap-dev/2008/q3/0233.html . [Philip Pickering]
+
+o Added NSE scripts popcapa (retrieves POP3 server capabilities) and
+ brutePOP3 (brute force POP3 authentication cracker) which make use
+ of the new POP3 library. [Philip Pickering]
+
+o Added the SNMPcommunitybrute NSE script, which is a brute force
+ community string cracker. Also modified SNMPsysdescr to use the new
+ SNMP library. [Philip Pickering]
+
+o Fixed the SMTPcommands script so that it can't return multiple
+ values (which was causing problems). Thanks to Jah for tracking down
+ the problem and sending a fix for SMTPcommands. Then Patrick fixed
+ NSE so it can handle misbehaving scripts like this without causing
+ mysterious side effects.
+
+o Added a new NSE Unpwdb (username/password database) library for
+ easily obtaining usernames or passwords from a list. The functions
+ usernames() and passwords() return a closure which returns a new
+ list entry with every call, or nil when the list is exhausted. You
+ can specify your own username and/or password lists via the script
+ arguments userdb and passdb, respectively. [Kris]
+
+o Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have
+ been updated to support the -S and --ip-options flags. [Kris]
+
+o A new --max-rate option was added, which complements --min-rate. It
+ allows you to specify the maximum byte rate that Nmap is allowed to
+ send packets. [David]
+
+o Added --ip-options support for the connect() scan (-sT). [Kris]
+
+o Nsock now supports binding to a local address and setting IPv4
+ options with nsi_set_localaddr() and nsi_set_ipoptions(),
+ respectively. [Kris]
+
+o Added IPProto Ping (-PO) support to Traceroute, and fixed support for
+ IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute
+ as well. These could cause Nmap to hang during Traceroute. [Kris]
+
+o [Zenmap] Added a "Cancel" button for cancelling a scan in progress
+ without losing any Nmap output obtained so far. [Jurand Nogiec]
+
+o Improve the netbios-smb-os-discovery NSE script to improve target
+ port selection and to also decode the system's timestamp from an SMB
+ response. [Ron at SkullSecurity]
+
+o Nmap now avoids collapsing large numbers of ports in open|filtered
+ state (e.g. just printing that 500 ports are in that state rather
+ than listing them individually) if verbosity or debugging levels are
+ greater than two. See this thread:
+ http://seclists.org/nmap-dev/2008/q3/0312.html . [Fyodor]
+
+o The NSE http library now supports chunked encoding. [Sven Klemm]
+
+o The NSE datafiles library now has generic file parsing routines, and
+ the parsing of the standard nmap data files (e.g. nmap-services,
+ nmap-protocols, etc.) now uses those generic routines. NSE scripts
+ and libraries may find them useful for dealing with their own data
+ files, such as password lists. [Jah]
+
+o Passed the big revision 10,000 milestone in the Nmap project SVN
+ server: http://seclists.org/nmap-dev/2008/q3/0682.html
+
+o Added some Windows and MinGW compatibility patches submitted by
+ Gisle Vanem.
+
+o Improved nse_init so that compilation/runtime errors in NSE scripts
+ no longer cause the script engine to abort. [Patrick]
+
+o Fix a cosmetic bug in --script-trace hex dump output which resulting
+ in bytes with the highest bit set being prefixed with ffffff. [Sven
+ Klemm]
+
+o Removed the nselib-bin directory. The last remaining shared NSE
+ module, bit, has been made static by Patrick. Shared modules were
+ broken for static builds of Nmap, such as those in the RPMS. We also
+ had the compilation problems (particularly on OpenBSD) with shared
+ modules which lead us to make PCRE static a while back. [David]
+
+o Updated rpcinfo NSE script to use the new pack/unpack (binlib)
+ functions, use the new tab library, include better documentation, and
+ fix some bugs. [Sven Klemm]
+
+o Add useful details to the error message printed when an NSE script
+ fails to load (due to syntax error, etc.) [Patrick]
+
+o Fix a bug in the NSE http library which would cause some scripts to
+ give the error: SCRIPT ENGINE: C:\Program
+ Files\Nmap\nselib/http.lua:77: attempt to call field 'parse' (a nil
+ value) [Jah]
+
+o Fixed a couple of Makefile problems (race condition) which could
+ lead to build failures when launching make in parallel mode (e.g.
+ -j4). [Michal Januszewski, Chris Clements]
+
+o Added new addrow() function to NSE tab library. It allows
+ developers to add a whole row at once rather than doing a separate
+ add() call for each column in a row. [Sven Klemm]
+
+o Completion time estimates provided in verbose mode or when you hit a
+ key during scanning are now more accurate thanks to algorithm
+ improvements by David.
+
+o Fixed a number of NSE scripts which used print_debug()
+ incorrectly. See
+ http://seclists.org/nmap-dev/2008/q3/0470.html . [Sven Klemm]
+
+o [Zenmap] The Ports/Hosts view now provides full version detection
+ values rather than just a simple summary. [Jurand Nogiec]
+
+o [Zenmap] When you edit the command-entry field, then change the
+ target selection, Nmap no longer blows away your edits in favor of
+ using your current profile. [Jurand Nogiec]
+
+o Nsock now returns data from UDP packets individually, preserving the
+ packet boundary, rather than concatenating the data from multiple
+ packets into a single buffer. This fixes a problem related to our
+ reverse-DNS system, which can only handle one DNS packet at a time.
+ Thanks to Tim Adam of ManageSoft for debugging the problem and
+ sending the patch. Doug Hoyte helped with testing, and it was
+ applied by Fyodor.
+
+o [Zenmap] Fixed a crash which would occur when you try to compare two
+ files, either of which has more than one extraports element. [David]
+
+o Added the undocumented (except here) --nogcc option which disables
+ global/group congestion control algorithms and so each member of a
+ scan group of machines is treated separately. This is just an
+ experimental option for now. [Fyodor]
+
+o [Zenmap] The Ports/Hosts display now has different colors for open
+ and closed ports. [Vladimir]
+
+o Fixed Zenmap so that it displays all Nmap errors. Previously, only
+ stdout was redirected into the window, and not stderr. Now they are
+ both redirected. [Vladimir]
+
+o NSE can now be used in combination with ping scan (e.g. "-sP
+ --script") so that you can execute host scripts without needing to
+ perform a port scan. [Kris]
+
+o [NSE] Category names are now case insensitive. [Patrick]
+
+o [NSE] Each thread for a script now gets its own action closure (and
+ upvalues). See: http://seclists.org/nmap-dev/2008/q2/0549.html
+ [Patrick]
+
+o [NSE] The script_scan_result structure has been changed to a class,
+ ScriptResult, which now holds a Script's output in an std::string.
+ This removes the need to use malloc and free to manage this memory.
+ A similar change was made to the run_record structure. [Patrick]
+
+o [NSE] Fixed a socket exhaustion deadlock which could prevent a
+ script scan from ever finishing. Now, rather than limit the total
+ number of sockets which can be open, we limit the number of scripts
+ which can have sockets open at once. And once a script has one
+ socket opened, it is permitted to open as many more as it
+ needs. [Patrick]
+
+o A hashing library (code from OpenSSL) was added to NSE. hashlib
+ contains md5 and sha1 routines. [Philip Pickering]
+
+o Fixed host discovery probe matching when looking at the returned TCP
+ data in an ICMP error message. This could formerly lead to
+ incorrectly discarded responses and the debugging error message:
+ "Bogus trynum or sequence number in ICMP error message" [Kris]
+
+o Fixed a segmentation fault in Nsock which occurred when calling
+ nsock_write() with a data length of -1 (which means the data is a
+ NUL-terminated string and Nsock should take the length itself) and
+ the Nsock trace level was at least 2. [Kris]
+
+o The NSE Comm library now defaults to trying to read as many bytes as
+ are available rather than lines if neither the "bytes" nor "lines"
+ options are given. Thanks to Brandon for reporting a problem which
+ he noticed in the dns-test-open-recursion script. [Kris]
+
+o Updated zoneTrans.nse to replace length bytes in returned domain
+ names to periods itself rather than relying on NSE's old behavior of
+ replacing non-printable characters with periods. Thanks to Rob
+ Nicholls for reporting the problem. [Kris]
+
+o Some Zenmap crashes have been fixed: trying to "refresh" the output
+ of a scan loaded from a file, and trying to re-save a file loaded
+ from the command line in some circumstances. [David]
+
+o [Zenmap] The file selector now remembers what directory it was last
+ looking at. [David]
+
+o Added an extra layer of validity checking to received packets
+ (readip_pcap), just to be extra safe. See
+ http://seclists.org/nmap-dev/2008/q3/0644.html . [Kris]
+
+o Zenmap defaults to showing files matching both *.xml and *.usr in
+ the file selector. Previously it only showed those matching *.usr.
+ The new combined format will be XML and .usr will be deprecated.
+ See http://seclists.org/nmap-dev/2008/q3/0093.html .
+
+o Nmap avoids printing the sending rate in bytes per second during a
+ TCP connect scan. Because the number of bytes per probe is not
+ known, it used to print current sending rates: 11248.85 packets / s,
+ 0.00 bytes / s. Now it will print simply print rates like "11248.85
+ packets / s". [David]
+
+o [Zenmap] Nmap's installation process now include .desktop files
+ which install menu items for launching Zenmap as a privileged or
+ non-privileged process on Linux. This will mainly affect people who
+ install nmap and Zenmap directly from the source code. [Michael]
+
+o Improved performance of IP protocol scan by fixing a bug related to
+ timing calculations on ICMP probe responses. See r8754 svn log for
+ full details. [David]
+
+o Nmap --reason output no longer falsely reports a localhost-response
+ during -PN scans. See
+ http://seclists.org/nmap-dev/2008/q3/0188.html . [Michael]
+
+o [Zenmap] The higwidgets Python package has moved so it is now a
+ subpackage of zenmapGUI. This avoids naming conflicts with Umit,
+ which uses a slightly different version of higwidgets. [David]
+
+o A bug that could cause some host discovery probes to be incorrectly
+ interpreted as drops was fixed. This occurred only when the IP
+ protocol ping (-PO) option was combined with other ping
+ types. [David]
+
+o A new scanflags attribute has been added to XML output, which lists
+ all user specified --scanflags for the scan. nmap.dtd has been
+ modified to account for this. [Michael]
+
+o The loading of the nmap-services file has been made much
+ faster--roughly 9 times faster in common cases. This is important
+ for the new (much larger) frequency augmented nmap-services
+ file. [David]
+
+o Added a script (ASN.nse) which uses Team Cymru's DNS interface to
+ determine the routing AS numbers of scanned IP addresses. They even
+ set up a special domain just for Nmap queries. The script is still
+ experimental and non-default. [Jah, Michael]
+
+o [Zenmap] Clicking "Cancel" in a file chooser in the diff interface
+ no longer causes a crash. [David]
+
+o The shtool build helper script has been updated to version 2.0.8. An
+ older version of shutil caused installation to fail when the locale
+ was set to et_EE. Thanks to Michal Januszewski for the bug
+ report. [David]
+
+o [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that
+ referred to them. They are not needed with the new search
+ interface. Also removed an unused search progress bar. And some
+ broken fingerprint submission code. Yay for de-bloating! [David]
+
+o [Zenmap] Added "%F" to the Exec link in the new Zenmap desktop
+ file. We expect (hope) that this will allow dragging and dropping
+ XML files onto the icon. [David]
+
+o [Zenmap] The -o[XGASN] options can now be specified, just as you can
+ at the console. [Vladimir]
+
+o [Zenmap] You can now shrink the scan window below its default
+ size thanks to NmapOutputViewer code enhancements. [David]
+
+o [Zenmap] Removed optional use of the Psyco Python optimizer since
+ Zenmap is not the kind of CPU-bound application which benefits from
+ Psyco.
+
+o [Zenmap] You can now select more than one host in the "Ports /
+ Hosts" view by control-clicking them in the column at left.
+
+o [Zenmap] The profile editor now offers the --traceroute option.
+
+o Zenmap now uses Unicode objects pervasively when dealing with Nmap
+ text output, though the only internationalized text Nmap currently
+ outputs is the user's time zone. [David]
+
+o Unprintable characters in NSE script output (which really shouldn't
+ happen anyway) are now printed like \xHH, where HH is the
+ hexadecimal representation of the character. See
+ http://seclists.org/nmap-dev/2008/q3/0180.html . [Patrick]
+
+o Nmap sometimes sent packets with incorrect IP checksums,
+ particularly when sending the UDP probes in OS detection. This has
+ been fixed. Thanks to Gisle Vanem for reporting and investigating the
+ bug. [David]
+
+o Fixed the --without-liblua configure option so that it works
+ again. [David]
+
+o In the interest of forward compatibility, the xmloutputversion
+ attribute in Nmap XML output is no longer constrained to be a
+ certain string ("1.02"). The xmloutputversion should be taken as
+ merely advisory by authors of parsers.
+
+o Zenmap no longer leaves any temporary files lying around. [David]
+
+o Nmap only prints an uptime guess in verbose mode now, because in
+ some situations it can be very inaccurate. See the discussion at
+ http://seclists.org/nmap-dev/2008/q3/0392.html . [David]
+
+Nmap 4.68 [2008-6-28]
+
+o Doug integrated all of your version detection submissions and
+ corrections for the year up to May 31. There were more than 1,000
+ new submissions and 18 corrections. Please keep them coming! And
+ don't forget that corrections are very important, so do submit them
+ if you ever catch Nmap making a version detection or OS detection
+ mistake. The version detection DB has grown to 5,054 signatures
+ representing 486 service protocols. Protocols span the gamut from
+ abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
+ zebra, zenimaging, and zenworks. The most popular protocols are
+ http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
+ pop3 (201).
+
+o Nmap compilation on Windows is now done with Visual C++ Express 2008
+ rather than 2005. Windows compilation instructions have been
+ updated at https://nmap.org/book/inst-windows.html#inst-win-source .
+ [Kris]
+
+o The Nmap Windows self-installer now automatically installs the MS
+ Visual C++ 2008 runtime components if they aren't already installed
+ on a system. These are some reasonably small DLLs that are
+ generally necessary for applications compiled with Visual C++ (with
+ dynamic linking). Many or most systems already have these installed
+ from other software packages. The lack of these components led to
+ the error message "The Application failed to initialize properly
+ (0xc0150002)." with Nmap 4.65. A related change is that Nmap on
+ Windows is now compiled with /MD rather than /MT so that it
+ consistently uses these runtime libraries. The patch was created by
+ Rob Nicholls.
+
+o Added advanced search functionality to Zenmap so that you can locate
+ previous scans using criteria such as which ports were open, keywords
+ in the target names, OS detection results, etc. Try it out with
+ Ctrl-F or "Tools->Search Scan Results". [Vladimir]
+
+o Nmap's special WinPcap installer now handles 64-bit Windows machines
+ by installing the proper 64-bit npf.sys. [Rob Nicholls]
+
+o Added a new NSE Comm (common communication) library for common
+ network discovery tasks such as banner-grabbing (get_banner()) and
+ making a quick exchange of data (exchange()). 16 scripts were
+ updated to use this library. [Kris]
+
+o The Nmap Scripting Engine now supports mutexes for gracefully
+ handling concurrency issues. Mutexes are documented at
+ https://nmap.org/book/nse-api.html#nse-mutex . [Patrick]
+
+o Added a UDP SNMPv3 probe to version detection, along with 9 vendor
+ match lines. The patch was from Tom Sellers, who contributed other
+ probes and match lines to this release as well.
+
+o Added a new timing_level() function to NSE which reports the Nmap
+ timing level from 0 to 5, as set by the Nmap -T option. The default
+ is 3. [Thomas Buchanan]
+
+o Update the HTTP library to use the new timing_level functionality to
+ set connection and response timeouts. An error preventing the new
+ timing_level feature from working was also fixed. [Jah]
+
+o Optimized the doAnyOutstandingProbes() function to make Nmap a bit
+ faster and more efficient. This makes a particularly big difference
+ in cases where --min-rate is being used to specify a very high
+ packet sending rate. [David]
+
+o Fixed an integer overflow which prevented a target specification of
+ "*.*.*.*" from working. Support for the CIDR /0 is now also
+ available for those times you wish to scan the entire
+ Internet. [Kris]
+
+o The robots.nse script has been improved to print output more
+ compactly and limit the number of entries of large robots.txt files
+ based on Nmap verbosity and debugging levels. [Eddie Bell]
+
+o The Nmap NSE scripts have been re-categorized in a more logical
+ fashion. The new categories are described at
+ https://nmap.org/book/nse-usage.html#nse-categories . [Kris]
+
+o Improve AIX support by linking against -lodm and -lcfg on that
+ platform. [David]
+
+o Updated showHTMLTitle NSE script to follow one HTTP redirect if
+ necessary as long as it is on the same server. [Jah]
+
+o Michael Pattrick and David created a new OSassist application which
+ streamlines the OS fingerprint submission integration process and
+ prevents certain previously common errors. OSassist isn't part of
+ Nmap, but the system was used to integrate some submissions for this
+ release. 13 fingerprints were added during OSassist testing, and
+ some existing fingerprints were improved as well. Expect many more
+ fingerprints coming soon.
+
+o Improved the mapping from dnet device names (like eth0) and WinPcap
+ names (like \Device\NPF_{28700713...}). You can see this mapping
+ with --iflist, and the change should make Nmap more likely to work
+ on Windows machines with unusual networking configurations. [David]
+
+o Service fingerprints in XML output are no longer be truncated to
+ 2kb. [Michael]
+
+o Some laptops report the IP Family as NULL for disabled WiFi cards.
+ This could lead to a crash with the "sin->sin_family == AF_INET6"
+ assertion failure. Nmap no longer quits when this is
+ encountered. [Michael]
+
+o On systems without the GNU getopt_long_only() function, Nmap has its
+ own replacement. That replacement used to call the system's
+ getopt() function if it exists. But the AIX and Solaris getopt()
+ functions proved insufficient/buggy, so Nmap now always calls its
+ own internal getopt() now from its getopt_long_only()
+ replacement. [David]
+
+o Integrated several service match lines from Tom Sellers.
+
+o An error was fixed where Zenmap would crash when trying to load from
+ the recent scans database a file containing non-ASCII
+ characters. The error looked like
+ pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column
+ 'nmap_xml_output' with text
+ '<?xml version="1.0" encoding="iso-8859-1"?>
+ <nmaprun profile="nmap -T Aggressive -n -v %s" scanner="nmap" hint=""
+ The error would be seen when such a scan was found in using the
+ search interface. [David]
+
+o Fix a Zenmap crash which occurred when local.getpreferredencoding()
+ returns "None". Similarly, deal with the case when a "X-MAC-KOREAN"
+ is returned by this function. Both problems were found with the
+ Zenmap crash reporter. [David]
+
+o A whole bunch of internal Zenmap cleanup was done by David to make
+ the code more logical and remove dead code.
+
+o Install icons and pixmaps under /usr/share/zenmap/{icons,pixmaps} so
+ they don't get mixed in with the files in
+ /usr/share/{icons,pixmaps}. [Jurand Nogiec]
+
+o Fixed a Zenmap command entry problem where Zenmap would lose a
+ custom command you had entered into the command entry field if you
+ changed the target field after entering the custom command. [Jurand
+ Nogiec]
+
+o The Zenmap crash reporter now includes a stack trace rather than
+ just the exception name. [David]
+
+o Zenmap now executes the proper Nmap command by honoring the
+ nmap_command_path variable in zenmap.conf. [Jurand Nogiec]
+
+o Fixed a bug which caused -PN to erroneously bail out for
+ unprivileged users. Thanks to Jabra (jabra(a)spl0it.org) for the
+ report. [Kris]
+
+o Fixed several Nmap NSE memory leaks found with Valgrind. [Kris]
+
+o Migrated some stray malloc()/realloc() calls to the Nbase
+ safe_malloc()/safe_realloc() versions which guard against certain
+ errors.
+
+o Fixed a bunch of subtle bugs, some of which could have resulted in
+ a crash, reported by Ilja van Sprundel. [Kris]
+
+o Fixed several byte-order bugs in Traceroute. [Kris]
+
+o Fixed a crash in RateMeter::update() which could lead to an error
+ saying "diff >= 0.0" assertion failed. I think the problem was
+ actually caused by SMP machines which didn't sync the clock time
+ perfectly. This lead to gettimeofday() sometimes reporting that
+ time decreased by some microseconds. Now Nmap is willing to
+ tolerate decreases of up to 1 millisecond in this function. [Fyodor]
+
+o Nmap now returns correct values for --iflist in windows even
+ if interface aliases have been set. Previously it would misreport
+ the windevices and not list all interfaces. [Michael]
+
+o Nmap no longer crashes with an 'assert' error when its told to
+ access a disabled WiFi NIC on some laptops. [Michael]
+
+o Upgraded the OpenSSL shipped for Windows to 0.9.8h. [Kris]
+
+o The NSE http library was updated to gracefully handle certain bogus
+ (non-)http responses. [Jah]
+
+o The zoneTrans.nse script now takes a "domain" script argument to
+ specify the desired domain name to transfer. You can narrow the
+ scope down with the form "zoneTrans={domain=xxx}". [Kris]
+
+o Increase write buffer length for Nmap output on Windows. This should
+ prevent error messages like: "log_vwrite: vsnprintf failed. Even
+ after increasing bufferlen to 819200, Vsnprintf returned -1 (logt ==
+ 1)." Thanks to prozente0 for the report. [Fyodor]
+
+o Fixed the --script-updatedb command, which was claiming to be
+ "Aborting database update" even when the update was performed
+ perfectly. See http://seclists.org/nmap-dev/2008/q2/0623.html .
+ Thanks to Jah for the report.
+
+Nmap 4.65 [2008-6-1]
+
+o A Mac OS X Nmap/Zenmap installer is now available from the Nmap
+ download page! It is rather straightforward, but detailed
+ instructions are available anyway at
+ https://nmap.org/book/inst-macosx.html . As a universal installer,
+ it works on both Intel and PPC Macs. It is distributed as a disk
+ image file (.dmg) containing an mpkg package. The installed Nmap
+ does include OpenSSL support. It also supports Authorization
+ Services so that Zenmap can run as root. David created this
+ installer. He wants to thank Benson Kalahar and Vlad Alexa for
+ extensive testing of the nine test releases.
+
+o The Windows version of Nmap now supports OpenSSL just as the UNIX
+ versions have for years. Both the .zip and executable installer
+ binary packages we ship from the Nmap download page now include
+ OpenSSL. [Kris, Thomas Buchanan]
+
+o We now compile in IPv6 support on Windows. In order to use this,
+ you need to have IPv6 set up. It is installed by default on Vista,
+ but must be downloaded from Microsoft for XP. See
+ http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx . [Kris]
+
+o Seven Google-sponsored Summer of Code students began working on
+ exciting Nmap projects full times. The winning students and their
+ Nmap development projects are described at
+ http://seclists.org/nmap-dev/2008/q2/0132.html .
+
+o Our WinPcap installer now starts the NPF driver running as a
+ service immediately upon installation and after restarts. You can
+ disable this with new check-boxes. This behavior is important for
+ Vista and Windows Server 2008 machines when User Account
+ Control (UAC) is enabled. [Rob Nicholls]
+
+o Nmap and Nmap-WinPcap silent installation now works. Nmap can
+ be silently installed with the /S option to the installer.
+ If you install Nmap from the zip file, you can install just
+ WinPcap silently with the /S option to that
+ installer. [Rob Nicholls]
+
+o Our WinPcap installer is now included with the Nmap Win32 zip
+ file. [Fyodor]
+
+o Numerous miscellaneous improvements were made to our Win32
+ installer, such as using the "Modern" NSIS UI for WinPcap,
+ improving the option description labels, and showing a finish
+ page in all cases. [Rob Nicholls]
+
+o The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org
+ now include message excerpts to make it easier to identify
+ interesting messages and speed the process of reading through the
+ list. Feeds for all other mailing lists archived at SecLists.Org
+ have been similarly augmented. For details, see
+ http://seclists.org/nmap-dev/2008/q2/0333.html . [David]
+
+o A new "default" Nmap Scripting Engine category was added. Only
+ scripts in this category now run by default (except for "version"
+ scripts which run when version detection was requested).
+ Previously, any scripts in the "safe" or "intrusive" categories were
+ run. 21 scripts are now in this default category. [Kris]
+
+o The NSE HTTP library now uses the host name specified on the command
+ line when making requests, which improves script scanning against
+ web servers with virtual hosts. Thanks to Sven Klemm for the patch.
+
+o Added some new and improved version detection signatures. [Brandon]
+
+o Fixed an OS detection bug that prevented the R1.UID test result from
+ being recorded properly when scanning certain printers from
+ little-endian computers. Updated nmap-os-db to compensate for
+ signatures that had an incorrect U1.RID value. [Michael]
+
+o Updated to include the latest MAC Address prefixes from the IEEE in
+ nmap-mac-prefixes [Fyodor]
+
+o Updated the SMTPcommands NSE script to work better against Postfix
+ and reduce verbosity. [Jasey DePriest, Fyodor]
+
+o Reorganized the way ping probes are handled internally. Rather than
+ being stored in the NmapOps structure, they are now stored within
+ the individual scan_lists structures. This is a cleaner
+ organization. [Michael]
+
+o Fix grepable output's "Ignored State" reporting. Only one ignored
+ state (the one with the highest numbers of ports) is shown. [David]
+
+o Update to Lua version 5.1.3 [Patrick]
+
+o Add NSE stdnse library to include tobinary, tooctal, and tohex
+ functions. [Patrick]
+
+o Fixed a bug which caused the Zenmap crash reporter to, uh,
+ crash. [David]
+
+o NSE engine was cleaned up significantly. nse_auxiliar was removed,
+ and file system manipulation functions were moved from nse_init.cc
+ into a new nse_fs.cc file. Numerous interfaces between Nmap and Lua
+ were improved. Most of these functions are now callable directly by
+ Lua. [Patrick]
+
+o Fixed a bug in the showOwner NSE script which caused it to try UDP
+ ports instead of just TCP ports. This made it very slow in the
+ common case where there are many UDP ports in the open|filtered
+ state. Thanks to Jasey DePriest for reporting the problem and Jah
+ for tracking it down and fixing it.
+
+o Nbase now generates pseudo-random numbers itself rather than using
+ /dev/urandom on Linux and the terrible rand() function on Windows.
+ The new system uses ARC4 based on libdnet's
+ implementation. [Brandon]
+
+o Made a number of updates and improvements to the Zenmap Users' Guide
+ at https://nmap.org/book/zenmap.html . [David]
+
+o Fixed the way Zenmap handles command-line entry to prevent your
+ custom command-line to be overwritten with the current profile's
+ command just because you edited the target field. [Jurand]
+
+o Nsock was improved to better support reading from non-network
+ descriptors such as stdin. This is important for the upcoming Ncat
+ project Mixter is working on. [Mixter]
+
+o A bug was fixed that could cause Zenmap to crash when loading a
+ results file that had multibyte characters in it. The error looked
+ like:
+ Gtk-ERROR **: file gtktextsegment.c: line 196
+ (_gtk_char_segment_new): assertion failed:
+ (gtk_text_byte_begins_utf8_char (text))
+ [David]
+
+o Removed a superfluous test for the existence of the C++ compiler in
+ the configure script. The test was not robust when configured with
+ CXX="ccache g++". Thanks to Rainer Müller for the report.
+
+o Optimized cached DNS lookups so they are equally efficient when
+ running on big-endian or little-endian systems. [Michael]
+
+o Fixed the nmap_command_path Zenmap configuration variable so that it
+ is actually used to start the specified Nmap executable
+ path. [Jurand Nogiec]
+
+o Nmap now reports scan start and end times for individual hosts
+ within a larger scan. The information is added to the XML host
+ element like so: <host starttime="1198292349" endtime="1198292370">
+ It is also printed in normal output if -d or "-v -v" are
+ specified. [Brandon, Kris, Fyodor]
+
+o "make uninstall" now uninstalls Zenmap as well as Nmap. The
+ uninstall_zenmap script now deletes directories that were
+ installed. [David]
+
+o Fixed a bug which caused Nmap to send bad checksums on Solaris 10
+ x86. This was due to a workaround for an Ancient Solaris 2.1 bug
+ which activated when the OS string matched "solaris2.1*". The
+ problem has now been resolved until Solaris 20 comes out and hits
+ our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the
+ problem report. Fixed by Fyodor.
+
+o Fixed a minor memory leak in getpts_simple which occurs when no
+ ports are to be added to 'list'. 'porttbl' is now free'd regardless
+ of how the function returns. [Michael]
+
+o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
+ On Windows, this ID has to be a numeric index. On Linux and some
+ other OS's, this ID can instead be an interface name. Some examples
+ of this syntax:
+ fe80::20f:b0ff:fec6:15af%2
+ fe80::20f:b0ff:fec6:15af%eth0
+ [Kris]
+
+o The Zenmap installer and uninstaller are more careful about escaping
+ filenames and dealing with an installation root (DESTDIR). [David]
+
+o Since assert() calls are used for various security-related tests,
+ their safety is now ensured by keeping NDEBUG undefined throughout
+ Nmap, Nbase and Nsock. [Kris]
+
+o Fix a couple bugs in the way the Nmap build system checked for an
+ existing LUA library. A bashism caused one test to fail on system
+ which don't use bash as /bin/sh, and another bug fixed --with-liblua
+ configure option for specifying your own liblua. [Daniel
+ Roethlisberger]
+
+o The NSE nmap.registry.args table is now available, albeit empty,
+ when --script-args isn't used. Now scripts don't need to check if
+ it's nil before attempting to index it. [Kris]
+
+o Changed SSLv2-support.nse so that it only enumerates the list of
+ available ciphers with a verbosity level of at least two or with
+ debugging enabled. [Kris]
+
+o Replaced kibuvDetection.nse with version detection match lines which
+ work better than the script. [Kris, Brandon]
+
+o Removed mswindowsShell.nse as there is a version detection NULL
+ probe match which does the same thing. [Brandon, Fyodor, Kris]
+
+o Updated IANA assignment IP list for random IP (-iR)
+ generation. [Kris]
+
+Nmap 4.62 [2008-5-3]
+
+o Added a new --min-rate option that allows specifying a minimum rate
+ at which to send packets. This allows you to override Nmap's
+ congestion control algorithms and request that Nmap try to keep at
+ least the rate you specify. The rate is given in packets per
+ second. Read more in the Nmap man page
+ (https://nmap.org/book/man-performance.html) [David]
+
+o Create /nmap/macosx directory in SVN with files necessary to build
+ binary Mac OS X Nmap/Zenmap packages. We are trying to create
+ binary installer packages which are as useful and easy to use as the
+ Windows installer. This has involved a lot of work by David. We
+ aren't quite yet distributing the results on the Nmap download page,
+ but testing our beta versions is useful. You can find the latest
+ universal (PPC and Intel) binary test version by looking at David
+ Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html .
+ You can also read /nmap/macosx/README in svn for more info.
+
+o Nmap 2008 Summer of Code students have began working (though full
+ time doesn't start until late May). Learn about the winners and
+ their projects at http://seclists.org/nmap-dev/2008/q2/0132.html .
+
+o Brandon added/modified a whole bunch of version detection signatures
+ based on systems discovered when scanning UCSD's network.
+
+o Reformat Nmap COPYING file (e.g. remove C comment markers, reduce
+ line length) during Nmap windows build so that it looks much better
+ when presented by the Windows executable (NSIS) installer. Thanks
+ to Jah for the patch, which was modified slightly by Fyodor.
+
+o Added NSE Datafiles library which reads and parses Nmap's nmap-*
+ data files for scripts. The functions (parse_protocols(),
+ parse_rpc() and parse_services()) return tables with numbers
+ (e.g. port numbers) indexing names (e.g. service names). The
+ rpcinfo.nse script was also updated to use this library. [Kris]
+
+o Fixed a bug in the nbase random number generator (and the way it
+ interacted with Nmap and MS Windows) which caused duplicates in some
+ instances. Thanks to Jah for reporting the problem and working with
+ Brandon Enright, Fyodor and Kris to fix it.
+
+o It turns out that hours contain 60 minutes, not 24. Fixed a scan
+ status message which was rolling over the hours column
+ prematurely. [David]
+
+o Added scripting options to Zenmap profile editor and command wizard
+ to make use of NSE. [David]
+
+o Zenmap now prints an exception message rather than segfaulting when
+ it can't open a display (such as when trying to connect to an X
+ server as an unauthorized user). Thanks to Aaron Leininger for the
+ initial report and Guilherme Polo for suggesting the fix.
+
+o Now ports in the "unfiltered" state can be selected for attention by
+ NSE scripts. [Kris]
+
+o Nbase random number generation system now avoids having a high-bit
+ of zero in every other byte on Windows due to Windows having such a
+ low RAND_MAX. [Jah]
+
+o Added release dates for each Nmap version to this CHANGELOG going
+ back to Nmap 3.00 (July 31, 2002). Dates are in MM/DD/YY format.
+ If someone wants to track down dates for the last 22% of the file
+ (pre-3.00), you are welcome to do so and send a patch. Searching
+ Google for the version number and site:seclists.org seems to work
+ well. [Fyodor]
+
+o Nmap RPM builds now use the versions of libdnet, libpcap, libpcre,
+ and liblua included with Nmap rather than whatever happens to be
+ installed on the build system. [David]
+
+o Zenmap can now be installed in and run in directories with a space
+ in the name. [David]
+
+o Fixed an assertion failure ("Target.cc:396: void
+ Target::stopTimeOutClock(const timeval*): Assertion
+ 'htn.toclock_running == true' failed.") caused when a host had NSE
+ scripts in multiple runlevels. This also fixes --host-timeout
+ behavior in NSE. [Kris]
+
+o Reduce the maximum number of socket descriptors which Nmap is
+ allowed to open concurrently. This resoles a bug which could cause
+ "Too many open files" error on Mac OS X when not running as
+ root. [David]
+
+o Canonicalized service names between nmap-service-probes (version
+ detection DB) and nmap-services (port scanning DB). [Kris]
+
+o Removed the "class" attribute from the tcpsequence element in XML
+ output. For a long time it had always been "unknown class" because
+ Nmap doesn't calculate a class anymore. The XML output version has
+ been increased from 1.01 to 1.02. [David]
+
+o Fixed a bug on Win32 which caused an infinite loop when Nmap
+ encountered certain broadcast addresses. [Dudi Itzhakov]
+
+o Fix MingW compilation by adding a signal.h include to
+ main.cc. [Gisle Vanem]
+
+o Fix the test in our build system to determine if liblua is already
+ available or not. For example, the test needed to link with -lm
+ since some systems require that. [David]
+
+o Added TIMEVAL_BEFORE and TIMEVAL_AFTER macros to test whether one
+ timeval is earlier than another while avoiding possible integer
+ overflows in a naive approach we were using previously. [David]
+
+o Adjusted a bunch of code to avoid compilation warning messages on
+ some Linux machines. [Andrew J. Bennieston]
+
+o Fixed the NmapArpCache so that it actually works. Previously, Nmap
+ was always falling back to the system ARP cache. Of course this
+ raises the question of whether NmapArpCache is needed in the first
+ place. [Daniel Roethlisberger]
+
+o Fix a Zenmap bug which could cause the error message
+ "zenmapCore.NmapOptions.OptionNotFound: No option named '' found!"
+ if you create a new profile without checking any options then try to
+ edit it. [David]
+
+o Zenmap now shows a more helpful error message when there is an error
+ in executing Nmap. [David]
+
+o Zenmap now creates the directory ~/.zenmap-etc to store
+ automatically generated GTK+ and Pango files. They used to go in the
+ application bundle but that doesn't work on a read-only file system
+ or disk image. This is what Wireshark does (~/.wireshark-etc),
+ although the directory could be called anything. It doesn't have to
+ persist across sessions.
+
+o Added a mechanism in Zenmap for including extra executable search
+ paths on specific platforms, so we can include /usr/local/bin in
+ PATH on Mac OS X by default and add the Nmap install directory on
+ Windows. [David]
+
+o We now use --no-strip when building Zenmap Mac OS X packages to
+ prevent many mysterious warnings which occur when the binary is
+ stripped. [David]
+
+o When Zenmap invokes Nmap, it now copies the whole environment for
+ the Nmap invocation rather than just providing $PATH. Windows may
+ need this to do proper name resolution. [David]
+
+o Corrected uptime parsing and reporting in SNMPsysdesr.nse for an
+ uptime of less than 46 hours. [Kris]
+
+o Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build
+ system to work better when building Mac OS X universal
+ binaries. [David]
+
+o Added many additional PCRE option flags to the list returned by the
+ NSE pcre.flags() function. [Kris]
+
+o Changed the NSE function nmap.set_port_state() so that it checks to
+ see if the requested port is already in the requested state. This
+ prevents "Duplicate port" messages during the script scan and the
+ inaccurate "script-set" state reason. [Kris]
+
+o Canonicalize NSE script license text--more than half did not even
+ spell license correctly. They all still say that they are under
+ Nmap's license, just with consistent capitalization and spelling,
+ and now a link to Nmap legal page at
+ https://nmap.org/book/man-legal.html .
+
+o Updated ripeQuery.nse to not print extraneous whitespace. [Kris]
+
+o Switched telnet brute force password cracking NSE (bruteTelnet.nse)
+ to vulnerability category so it isn't executed by default. It can
+ take too long to run. [Eddie]
+
+o NSE status messages now print host name and IP, rather than just the
+ host name (which was blank when Nmap didn't know it). [Jah]
+
+o Allocate 128 characters for the idle scan ScanProgressMeter
+ title. Previously it was 32 characters. The "idle scan against " and
+ the \0 terminator take up 19 characters, leaving only 13, which
+ isn't enough to represent all IP addresses, let alone host
+ names. Bug reported by Stephan Fijneman, fixed by David.
+
+Nmap 4.60 [2008-3-15]
+
+o Nmap has moved. Everything at http://insecure.org/nmap/ can now be
+ found at https://nmap.org . That should save your fingers from a
+ little bit of typing. Even though transparent redirectors are in
+ place for the old URLs, please update your links and bookmarks. And
+ if you don't have a link to Nmap on your web site, now is a good
+ time to add one :).
+
+o All of your OS detection fingerprints up until March 10, 2008 have
+ now been integrated by David. The second generation database has
+ grown from 1,085 fingerprints representing 421 operating
+ systems/devices, to 1,304 fingerprints representing 478 systems.
+ That is an increase of more than 20%. New fingerprints were added
+ for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0,
+ Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course
+ hundreds of broadband routers, VoIP phones, printers, some crazy
+ oscilloscope, etc. We get a ton of new fingerprint submissions, but
+ not as many corrections. Please remember to visit
+ https://nmap.org/submit/ if Nmap gives you bad results, whether they
+ are completely wrong or just a slight mistake (like Nmap says Linux
+ 2.6.20-2.6.23, but you're running 2.6.24). Of course you need to be
+ certain you know exactly what is running on the target before you do
+ this.
+
+o All of your service fingerprints and corrections submitted until
+ January 14, 2008 have now been integrated by Doug. As usual, he has
+ documented his adventures at http://hcsw.org/blog.pl/33 . More than
+ a hundred signatures were added, growing the database to 4,645
+ signatures for 457 services. Corrections are welcome for service
+ detection too -- visit https://nmap.org/submit/ if you get incorrect results.
+
+o Nmap now saves the target name (if any) specified on the command
+ line, since this can differ from the reverse DNS results. It can be
+ particularly important when doing HTTP tests against virtual hosts.
+ The data can be accessed from target->TargetName() from Nmap proper
+ and host.targetname from NSE scripts. The NSE HTTP library now uses
+ this for the Host header. Thanks to Sven Klemm for adding this
+ useful feature.
+
+o Added NSE HTTP library which allows scripts to easily fetch URLs
+ with http.get_url() or create more complex requests with
+ http.request(). There is also an http.get() function which takes
+ components (hostname, port, and path) rather than a URL. The
+ HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to
+ use this library. Sven Klemm wrote all of this code.
+
+o Fixed an integer overflow in the DNS caching code that caused nmap
+ to loop infinitely once it had expunging the cache of older
+ entries. Thanks to David Moore for the report, and Eddie Bell for
+ the fix.
+
+o Fixed another integer overflow in the DNS caching code which caused
+ infinite loops. [David]
+
+o Added IPv6 host support to the RPC scan. Attempting this before
+ (via -sV) caused a segmentation fault. Thanks to Will Cladek for
+ the report. [Kris]
+
+o Fixed an event handling bug in NSE that could cause execution of
+ some in-progress scripts to be excessively delayed. [Marek]
+
+o A new NSE table library (tab.lua) allows scripts to deliver better
+ formatted output. The Zone transfer script (zoneTrans.nse) has been
+ updated to use this new facility. [Eddie]
+
+o Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to
+ do some much-needed cleaning up. [Kris]
+
+o Added a new MsSQL version detection probe and a bunch of match lines
+ developed by Tom Sellers.
+
+o Added a new service detection probe and signatures for the memcached
+ service [Doug]
+
+o Added new service detection probes and signatures for the Beast
+ Trojan and Firebird RDBMS. [Brandon Enright]
+
+o Fixed a crash in Zenmap which occurred when attempting to edit or
+ create a new profile based on an existing one when there wasn't one
+ selected. The error message was:
+ 'NoneType' object has no attribute 'toolbar'
+ Now a new Profile Editor is opened. Thanks to D1N (d1n@inbox.com)
+ for the report. [Kris]
+
+o Fixed another crash in Zenmap which occurred when exiting the
+ Profile Editor (while editing an existing profile) by clicking the
+ "X", then going to edit the same profile again. The error message
+ was: "No option named '' found!". Now the same window that appears
+ when clicking Cancel comes up when clicking "X". Thanks to David
+ for reporting this bug. [Kris]
+
+o Another Zenmap bug was fixed: ports consolidated into "extra ports"
+ groups are now counted and shown in the "Host Details" tab. The
+ closed, filtered and scanned port counts in this tab didn't contain
+ this information before so they were usually very inaccurate. [Kris]
+
+o Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay
+ buttons ("amount of time between probes") under the Advanced tab in
+ the Profile Editor were backwards. [Kris]
+
+o Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile
+ Editor and Command Wizard. [Kris]
+
+o Reordered the UDP port selection for Traceroute: a closed port is
+ now chosen before an open one. This is because an open UDP port is
+ usually due to running version detection (-sV), so a Traceroute
+ probe wouldn't elicit a response. [Kris]
+
+o Add Famtech Radmin remote control software probe and signatures to
+ the Nmap version detection DB. [Tom Sellers, Fyodor]
+
+o Add "Connection: Close" header to requests from HTTP NSE scripts so
+ that they finish faster. [Sven Klemm]
+
+o Update SSLv2-support NSE script to run against more services which
+ are likely SSL. [Sven Klemm]
+
+o A bunch of service name canonicalization was done in the Nmap
+ version detection file by Brandon Enright (e.g. capitalizing D-Link
+ and Netgear consistently).
+
+o Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
+
+o Updated to latest (as of 3/15) autoconf config.sub/config.guess
+ files from http://cvs.savannah.gnu.org/viewvc/config/?root=config.
+ [Fyodor]
+
+o We now escape newlines, carriage returns, and tabs (\n\r\t) in XML
+ output. While those are allowed in XML attributes, they get
+ normalized which can make formatting the output difficult for
+ applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
+
+o The Zenmap man page is now installed on Unix when "make install" is
+ run. This was supposed to work before, but didn't. [Kris]
+
+o Fixed a man page bug related to our DocBook to Nroff translation
+ software producing incorrect Nroff output. The man page no longer
+ uses the ".nse" string which was being confused with the Nroff
+ no-space mode command. [Fyodor]
+
+o Fixed a bug in which some NSE error messages were improperly escaped
+ so that a message including "c:\nmap" would end up with a newline
+ between "c:" and "map".
+
+o Updated IANA assignment IP list for random IP (-iR)
+ generation. [Kris]
+
+o The DocBook XML source code to the Nmap Scripting Engine docs
+ (https://nmap.org/book/nse.html) is now in SVN under docs/scripting.xml .
+
+Nmap 4.53 [2008-1-12]
+
+o Improved Windows executable installer by making uninstall work better
+ on systems which changed the default install path. The shortcut is
+ also now deleted properly on Vista. [Rob Nicholls]
+
+o Windows installer is now generated using NSIS 2.34 rather than
+ 2.13. [Fyodor]
+
+o Added UPnP-info NSE script by Thomas Buchanan. It gathers
+ information from the UPnP service (UDP port 1900) which listens on
+ many network devices such as routers, printers, and networked media
+ players.
+
+o Fixed a --traceroute bug (assertion failure crash) which occurred
+ when the first hop of the first host in a tracegroup (reference
+ trace) times out. Thanks to Sebastián García for the bug report and
+ testing, and Eddie for the patch.
+
+o Fix a problem which prevented proper port number matching in
+ NSE scripts (port_or_service function) due to a variable
+ shadowing bug. [Sven Klemm]
+
+o Improved rpcinfo.nse to better sort and display available RPC
+ services. [Sven Klemm]
+
+Nmap 4.52 [2008-1-1]
+
+o Fixed Nmap WinPcap installer to use CurrentVersion registry key on
+ Windows rather than VersionNumber to more reliably detect Vista
+ machines. This should prevent the XP version of Packet.dll from
+ being installed on Vista. [Rob Nicholls]
+
+o The Nmap Scripting Engine (NSE) now supports run-time interaction
+ and the Nmap --host-timeout option. [Doug]
+
+o Added nmap.fetchfile() function for scripts so they can easily find
+ Nmap's nmap-* data files (such as the OS/version detection DBs, port
+ number mapping, etc.) [Kris]
+
+o Updated rpcinfo.nse to use nmap.fetchfile() to read from nmap-rpc
+ instead of having a huge table of RPC numbers. This reduced the
+ script's size by nearly 75%. [Kris]
+
+o Fixed multiple NSE scripts that weren't always properly closing their
+ sockets. The error message was:
+ "bad argument #1 to 'close' (nsock expected, got no value)" [Kris]
+
+o Added a new version detection probe for the Trend Micro OfficeScan
+ product line. [Tom Sellers, Doug]
+
+Nmap 4.51BETA [2007-12-21]
+
+o David wrote a detailed Zenmap guide: https://nmap.org/book/zenmap.html
+
+o Added rpcinfo.nse script, which contacts a listening RPC portmapper
+ and reports the listening services and port information (like
+ rpcinfo -p does). The script was written by Sven Klemm. Fyodor
+ then enhanced the RPC number list with all of the entries from
+ nmap-rpc.
+
+o Added a new NSE script (MySQLinfo) which prints MySQL server information
+ such as the protocol and version numbers, status, thread id, capabilities,
+ and password salt. [Kris]
+
+o Nmap's output options (-oA, -oX, etc.) now support strftime()-like
+ conversions in the filename. %H, %M, %S, %m, %d, %y, and %Y are
+ all the same as in strftime(). %T is the same as %H%M%S, %R is the
+ same as %H%M, and %D is the same as %m%d%y. A % followed by any
+ other character just yields that character (%% yields a %). This
+ means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of
+ "scan-144840-121307.xml". [Kris]
+
+o Fixed WinPcap installer to install the right version of Packet.dll
+ on Windows Vista. [Fyodor]
+
+o Fixed our WinPcap installer so that it waits for a WinPcap uninstall
+ (if needed) to complete before trying to install the new WinPcap.
+ [Jah]
+
+o Fix a bunch of warning/error messages which contained an extra
+ newline. [Brandon Enright]
+
+o Fixed an error when attempting to scan localhost as an unprivileged
+ user on Windows (nmap --unprivileged localhost). The error was:
+ Skipping SYN Stealth Scan against localhost (127.0.0.1) because
+ Windows does not support scanning your own machine (localhost) this
+ way.
+ Now connect scan is used instead of SYN scan. [David]
+
+o Fixed a bug that prevented the --resume option from working on
+ Windows. The error message was:
+ ..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103,
+ mflags 000 00006: The parameter is incorrect.(87)
+ [Fixed by David, reported by Rob Nicholls]
+
+o Zenmap's new web page (https://nmap.org/zenmap/) is now shown in the
+ Zenmap about dialogue.
+
+o On Windows, paths beginning with \ are now considered absolute when
+ used with the --script option. jah (jah(a)zadkiel.plus.com) suggested
+ this. [David]
+
+o Zenmap no longer double-spaces its output (by inadvertently
+ duplicating newlines) when viewing scan results that were saved to a
+ file. [Joao Medeiros]
+
+o Upgraded the shipped LibPCRE from version 7.2 to 7.4. [Kris]
+
+o Fixed Zenmap crash that occurred when selecting Help from the Compare
+ Results window. [Kris]
+
+o Updated robots.nse to prevent printing robots.txt comments. [Kris]
+
+o Many version detection match lines were improved to match even when
+ newlines appear in binary data returned by the service. [Fixed by
+ Doug, suggested by Lionel Cons]
+
+Nmap 4.50 [2007-12-13]
+
+o Bumped up the version number to the big 10th anniversary 4.50
+ release! See http://insecure.org/stf/Nmap-4.50-Release.html .
+
+Nmap 4.49RC7 [2007-12-10]
+
+o A Zenmap crash was fixed. Scanning once, then scanning another target
+ on the same scan tab caused an ImportError ("list index out of range")
+ in zenmapGUI/ScanNotebook.py. Joao Medeiros reported the
+ bug. [David]
+
+o Updated a couple of version detection signatures due to problem
+ reports by Lionel Cons. [Doug]
+
+Nmap 4.49RC6 [2007-12-8]
+
+o NSE scripts can now be specified by absolute path to the --script
+ option. This was supposed to work before, but didn't. [David]
+
+o Insert a path separator in returned paths in init_scandir on
+ Windows. Otherwise options such as "--scripts=scripts" (where
+ scripts is a directory) were failing with error messages about being
+ unable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be
+ "C:\Nmap\scripts\anonFTP.nse"). [David]
+
+o Add some "local" declarations to xamppDefaultPass.nse to avoid
+ errors like: "SCRIPT ENGINE: [string "Global Access"]:1: Attempted
+ to change the global 'socket' ..." [David]
+
+o NSE "shortports" function now by default matches ports in the
+ "open|filtered" state as well as "open" ones. [Diman]
+
+o Nsock msevent_new and msevent_delete calls fixed to handle NULL I/O
+ descriptors. This should fix a reported bus error crash. [Diman]
+
+o Prevent old bit.dll and pcre.dll files from being installed in
+ nselib directory by Windows executable installer. Bit.dll is still
+ installed in nselib-bin where it belongs. Thanks to Rob Nicholls for
+ reporting the problem. [Fyodor]
+
+
+Nmap 4.49RC5 [2007-12-8]
+
+o Don't install the orphaned and incomplete Zenmap HTML documentation.
+ Instead point to the Nmap documentation site, which is provides more
+ comprehensive and up-to-date Nmap docs. We're rapidly improving the
+ online Zenmap docs as well. Of course the Nmap and (new!) Zenmap
+ man pages are still installed on Unix. [Fyodor]
+
+o Fix mswin32/Makefile so that the new nselib-bin directory is
+ properly included in the Nmap win32 zipfile distribution. Thanks
+ to Rob Nicholls for reporting the problem. [Fyodor]
+
+o Fix host reason reported when the target is found to be "down" due
+ to no response. Nmap now reports "no-response" rather than
+ "unknown-reason" [Kris]
+
+Nmap 4.49RC4 [2007-12-7]
+
+o David did a huge OS fingerprint integration marathon, going through
+ all of your submissions (more than 1600) since August 20. The 2nd
+ generation database has grown more than 30% to 1,085 entries! Many
+ of the existing fingerprints were improved as well. Notable new or
+ greatly improved entries include the iPhone, iPod Touch, Mac OS X
+ Leopard FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70,
+ E90, N95), and OpenBSD 4.2. Of course there were all manner of new
+ printers, cable/DSL routers, switches, enterprise routers, IP
+ phones, cell phones and a heap of obscure equipment such as the
+ BeaconMedaes medical gas alarm. Windows Vista fingerprints were
+ also improved significantly. Please keep those OS fingerprint
+ submissions and corrections coming!
+
+o Doug integrated all of your version detection fingerprints and
+ corrections since October 4. The DB now has an incredible 4,542
+ signatures for 449 service protocols. The service protocols with
+ the most signatures are http (1,473), telnet (459), ftp (423), smtp
+ (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46)
+ and nntp (44).
+
+o Included the netbios-smb-os-discovery.nse script which uses NetBIOS
+ and SMB queries to guess OS version. This script was written by
+ Judy Novak and contributed by Sourcefire.
+
+o Canonicalized the interface type numbers used internally by
+ libdnet. Also Libdnet now recognizes devices with type
+ INTF_TYPE_IEEE80211 as Ethernet devices. This ought to make
+ wireless network scanning work on Windows Vista. For more background
+ see http://seclists.org/nmap-dev/2007/q4/0391.html . [David]
+
+o Documented the "--script all" option in the man page and NSE
+ article. This option executes all scripts in the NSE database
+ regardless of category. [Fyodor]
+
+o NSE scripts can now be specified by name without the .nse
+ extension. So instead of using "--script
+ bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can
+ just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]
+
+o Removed some auto-generated files from the new nselib-bin directory
+ as they could cause compatibility problems. Also updated
+ mswin32/Makefile to reflect the new nselib-bin DLL location [David]
+
+o ripeQuery.nse was updated to avoid printing some useless
+ information. [Kris]
+
+o Compatibility with systems that have the pcre.h header file in its
+ own pcre directory should now be fixed for real. [Fyodor]
+
+o Enhanced the radmind service detection signature and added a
+ deprecated radmind port to nmap-services. [Matt Selsky]
+
+o Zenmap now gives better errors to stdout when it can't even pop up a
+ dialog box (such as when PyGTK can't be loaded). [David]
+
+o Fixed a Zenmap crash which occurred on Mac OS X and possibly other
+ platforms. The error message said: "object of type
+ 'ScanHostDetailsPage' has no len()". [David]
+
+o Fixed a crash which occurred when an NSE script called
+ set_port_version() at times that version scanning was not
+ enabled. [Diman]
+
+o Fixed the NSIS installer so that it does not include some excess
+ files (mswin32/* and .svn). Thanks to Alan Jones for reporting the
+ problem. [Fyodor]
+
+o Renamed some Zenmap Python packages to allow Zenmap and Umit to be
+ installed at the same time. [David]
+
+o Updated nmap-mac-prefixes with the latest IEEE data. Also added
+ back Cooperative Linux virtual NIC which was inadvertently removed in
+ a previous release. [Fyodor]
+
+Nmap 4.23RC3 [2007-11-27]
+
+o Zenmap now has a man page! It isn't very long yet, but covers the
+ basics. Thanks to David for writing this.
+
+o A new NSE script, promiscuous.nse, scans devices on a local network
+ looking for sniffers (devices running in promiscuous mode). This
+ script is from Marek Majkowski and is the first to use the NSE pcap
+ extension system (which he also wrote). The script is only in the
+ discovery category for now so it does not run by default. Specify
+ it by name for now. We may make it default after the upcoming
+ stable release.
+
+o Nmap can now handle IP aliases on Windows. A given device such as
+ eth0 might have several IP addresses. Nmap will use the primary
+ address, so you need to use -S if you want to specify a different
+ one. [David]
+
+o An exception (rather than luaL_argerror) is now thrown when an SSL
+ connection is attempted but OpenSSL isn't available. [David]
+
+o There is now an nmap.have_ssl NSE function so you can avoid doing
+ NSE probes when SSL isn't available. [David]
+
+o Zenmap gives clearer error messages when an import error occurs or
+ Zenmap's dump files aren't found. [David]
+
+o Zenmap now looks for its data files relative to the directory of the
+ zenmap script to allow running from the build/svn directory. [David]
+
+o NSE C modules are now installed into an nselib-bin directory. This
+ was needed to make the dns-test-open-recursion and zoneTrans NSE
+ scripts work properly, since they use the NSE bit library
+ (bit.so). [Diman, Fyodor]
+
+o Axillary autoconf scripts such as config.guess, config.sub,
+ depcomp, install-sh, and ltmain.sh were deleted from Nmap
+ subdirectories because configure is smart enough to use the ones from
+ the parent directory. This decreases the Nmap source tarball and svn
+ checkout sizes. [David]
+
+o Nmap now compiles on systems which have the libPCRE include file in
+ pcre/pcre.h rather than just pcre.h. Thanks to Lionel Cons for the
+ report. [Fyodor]
+
+o Nmap binary is now stripped again, but it now uses -x to avoid
+ stripping dynamically loaded NSE functions on Mac OS X. [David]
+
+o Normalized Zenmap's handling of results files specified on the
+ command line. In some cases, Zenmap would ignore specified results
+ files just because some unrelated options were used. [David]
+
+o configure.ac now uses literal directory names rather than variable
+ references in calls to AC_CONFIG_SUBDIRS. This removes an annoying
+ warning message which has existed for years when you regenerate
+ configure. [David]
+
+o Fixed a configure.ac error which prevented you from specifying an
+ alternative libnsock directory. [David]
+
+o Check for Python in configure only if Zenmap is requested, and bail
+ out if Zenmap is explicitly requested (--with-zenmap) and Python is
+ not available. [David]
+
+o Removed some unimplemented Zenmap command-line options and function
+ calls. [David]
+
+Nmap 4.23RC2 [2007-11-18]
+
+o Static code analysis company Coverity generously offered to scan the
+ Nmap code base for flaws, and Kris volunteered to go through their
+ report and fix the ones which were actual/possible problems rather
+ than false positives. Their system proved quite useful, and about a
+ dozen potential problems were fixed. For details, see Kris'
+ 11/15/07 SVN commits.
+
+o Improved the Zenmap RPM file so that it should work on either Python
+ 2.4 or Python 2.5 machines. It should also work on any platform (x86,
+ x86_64, etc.) [David]
+
+o WinPcap updated from version 4.0.1 to the new 4.0.2 release. [David]
+
+o Added PPTP version detection NSE script (PPTPversion.nse) from
+ Thomas Buchanan. Nmap now ships with 38 NSE scripts.
+
+o A number of Solaris compilation fixes were added. Hopefully it
+ works for more Solaris users now. We also fixed an alignment issue
+ which could cause a bus error on Solaris. [David]
+
+o When an NSE script changes the state of a port (e.g. from
+ open|filtered to open), the --reason flag is now changed to
+ "script-set". Also, the port state reason is now available to NSE
+ scripts through a "reason" element in the port-table. Thanks to
+ Matthew Boyle for the patch.
+
+o When version detection changes the state of a port, the reason field
+ is now updated as well (to udp-response or tcp-response as
+ applicable). Thanks to Thomas Buchanan for the patch.
+
+o Reworded an error message after a woman reported that it was "highly
+ offensive and sexist". She also noted that "times have changed and
+ many women now use your software" and "a sexist remark like the one
+ above should have no place in software." The message was: "TCP/IP
+ fingerprinting (for OS scan) requires root privileges. Sorry,
+ dude.". I checked svn blame to call out the insensitive,
+ chauvinistic jerk who wrote that error message, but it was me :).
+
+o We received a bug report through Debian entitled "Nmap is a
+ clairvoyant" because when you run it with -v on September 1 1970, it
+ reports "Happy -27th Birthday to Nmap, may it live to be 73!". We
+ have decided that clairvoyance is a feature and ignored the report.
+
+o We no longer strip the Nmap binary before installing it, as that was
+ leading to a runtime error on Mac OS X: "lazy symbol binding failed:
+ Symbol not found: _luaL_openlib". Unfortunately, the unstripped
+ Nmap binary can be much larger (e.g. 4MB vs. 800KB) so we are
+ working on a better fix which allows us to continue stripping the
+ binary on other platforms.
+
+o Zenmap configuration/customization files renamed from ~/.umit to
+ ~/.zenmap and umit.conf to zenmap.conf, etc. [David]
+
+o Fixed a Zenmap bug where if you try to edit a profile and then
+ click cancel, that profile ends up deleted. [Luis A. Bastiao]
+
+o The NSE shortport rules now allow for multiple matching states
+ (e.g. open or open|filtered) to be specified. This silently failed
+ before. [Eddie]
+
+o Regenerate configure scripts with Autoconf 2.61 and update
+ config.guess and config.sub files with the latest versions from
+ http://cvs.savannah.gnu.org/viewvc/config/?root=config . [David]
+
+Nmap 4.23RC1 [2007-11-10]
+
+o NmapFE is now gone. It had a good run as the default Nmap GUI
+ for more than 8 years (since April 1999). But after two years of
+ development, Zenmap is ready to take its place. Zenmap is portable
+ and provides a much better interface to executing and (especially)
+ viewing and analyzing Nmap results. David did the honors of
+ removing NmapFE.
+
+o We have lost another old friend as well: 1st generation OS
+ detection system. Nmap revolutionized OS detection when this was
+ released in October 1998 and it served us well for more than 9 years
+ as the database grew to 1,684 fingerprints. But the 2nd generation
+ system incorporates everything we learned during all those years and
+ has proven itself even more effective. I couldn't bear to kill this
+ myself, so David did the dirty work.
+
+o There is no longer any artificial limit on the number of ports or
+ protocols that can be used for host discovery. Port lists for ping
+ scan now use the same syntax as the -p option except that T:, U:,
+ and P: are not allowed. This means that you can do
+ nmap -PS1-1000 target
+ nmap -PAhttp,https target
+ nmap -PU'[-]' target
+ [David]
+
+o Zenmap is now available packaged in RPM format. Since Zenmap is
+ written in Python, we no longer have to have separate x86 and x86_64
+ versions like we did with NmapFE (and like we still do with
+ Nmap). [David]
+
+o Fixed a crash (assertion failure) which could occur during ARP Ping
+ scan [Kris]
+
+o Fixed Zenmap so that it can handle asterisks in the command line
+ (e.g. "nmap 192.168.*.*" or "nmap -phttp* localhost") [David]
+
+o Change the Zenmap bug report dialogue to now give instructions for
+ reporting issues to nmap-dev. [David]
+
+o Modified higwidgets/higdialogs.py for compatibility with old
+ versions of PyGTK. [David]
+
+o Updated IANA assignment IP list for random IP (-iR)
+ generation. [Kris]
+
+o Fixed a number of spelling errors in the Reference Guide (man page)
+ [Doug]
+
+Nmap 4.22SOC8 [2007-10-28]
+
+o Removed the old massping() system, since the functionality has now
+ been migrated into the existing ultra_scan() system (which is used
+ for port scanning too). Thanks to David for doing the migration,
+ which involved a lot of work and testing. The new system is
+ frequently faster and more accurate than massping(), and some of the
+ new algorithms benefit port scans too.
+
+o Renamed Umit to Zenmap to reduce confusion between the version we
+ ship with Nmap as the integrated GUI and the version maintained
+ separately at umit.sourceforge.net. We are excited about Zenmap and
+ expect to remove NmapFE in the near future
+
+o Integrated all of your Q3 service detection submissions! We have
+ now surpassed 4500 signatures and are approaching 500 service
+ protocols. Wow! Thanks to Doug for doing the integration. His
+ notes on the crazy and interesting services discovered this quarter
+ are at http://hcsw.org/blog.pl/31 .
+
+o Added a new ping type: IPProto Ping. Use -PO (that is the letter O
+ as in prOtOcOl, not a zero). This is similar to protocol scan (-sO)
+ in that it sends IP headers with different protocols in the hope of
+ eliciting a response from targets. The default is to send with
+ protocols 1 (ICMP), 2 (IGMP), and 4 (IP-in-IP tunnel), but you can
+ specify different protocol numbers on the command line the same way
+ you specify TCP/UDP ports to -PS or -PU. To reduce confusion, we now
+ recommend that -PN be used when you don't want pings done rather
+ than using the old -P0 (zero). [Kris]
+
+o The SMTPcommands.nse script was updated to support the HELP query in
+ addition to EHLO [Jasey DePriest]
+
+o Added --ttl support for connect() scans (-sT). [Kris]
+
+o Combine the Zenmap setup scripts into one portable setup.py rather
+ than having separate versions for Windows, Unix, and Mac OS X.
+
+o Removed a bunch of unnecessary/incomplete code and data files from
+ Zenmap. [David]
+
+o In Nbase, switched from GNU's getopt() replacement functions to
+ Ben Sittler's BSD-licensed (but GNU compatible) functions. [Kris]
+
+o Include nmap.h in portreasons.h. This fixes a compilation problem
+ reported on OpenBSD. [David]
+
+o Change PCRE from an NSELib module back to statically linked code due
+ to OpenBSD compilation problems. See
+ http://seclists.org/nmap-dev/2007/q4/0085.html [David]
+
+o Fix a problem with --reason printing the wrong host discovery
+ reasons when ICMP destination unreachable packets arrived. [Kris]
+
+o Nmap has better dependency tracking now such that it no longer
+ builds the executable every time you type 'make'. This was causing
+ problems where 'make; sudo make install' would create a root-owned
+ nmap executable because it was rebuilt as part of 'make
+ install'. [David]
+
+Nmap 4.22SOC7 [2007-10-11]
+
+o Integrated all of your OS detection new fingerprint submissions and
+ correction reports. The grew more DB more than 18% to 825
+ fingerprints. Keep those submissions coming! [David]
+
+o Made a number of significant improvements to host discovery
+ algorithms for better performance and reliability. [David]
+
+o Fixed a bug which prevented the first OS detection guess from being
+ included in XML output. This only applies when no exact matches
+ were found. Thanks to Martyn Tovey of Netcraft for reporting the
+ problem and helping to track it down in the code.
+
+o Improve the script scan scheduling system to prevent the system from
+ running out of sockets by executing too many scripts concurrently
+ during large scans. Thanks to Brandon Enright for finding the bug
+ and Stoiko for fixing it.
+
+o Added nmap.verbosity() and nmap.debugging() functions for scripts to
+ determine the Nmap verbosity/debugging level. [Kris]
+
+o Fixed a crash (assertion error) which occurred when the first hop of
+ the first system (reference trace) times out. [Eddie]
+
+o UMIT no longer rewrites a bunch of script files to replace variables
+ such as VERSION and REVISION in the SVN working directory. [David,
+ Adriano]
+
+o UMIT icon loading code simplified and made platform
+ independent. [David]
+
+o Removed PIL dependency from UMIT package generation system. We now
+ use GTK to put the version number in the splash screen. [Adriano]
+
+o UMIT no longer crashes just because documentation files are
+ missing. [Adriano]
+
+o Removed unnecessary recent_scans.txt and target_list.txt files from
+ UMIT. Some unnecessary copies of Nmap data files were removed as
+ well. [David, Adriano]
+
+o Updated the *.dmp preprocessed Nmap data files used by UMIT, and
+ also updated the scripts used to create them. [David]
+
+o WinPcap installer was updated so that on Windows Vista it uses a
+ different Packet.dll and omits WanPacket.dll. [Eddie]
+
+o Unix installation now places NSELib dynamic libraries in 'libexec'
+ rather than 'share' directories, since they are architecture
+ dependent. Thanks to Christoph J. Thompson for the patch.
+
+o Fix bug related to users providing custom libpcre location to
+ configure (reported by Daniel Johnson, fixed by Stoiko). A patch
+ from Marek Majkowski which caps the number of sockets opened by NSE
+ scripts was also applied.
+
+o The UMIT version number is automatically updated to be the same as
+ the Nmap version number rather than always being 0.9.4. [David]
+
+o UMIT now sorts port numbers numerically rather than alphabetically
+ [Adriano]
+
+o Three UMIT data files (options.xml, profile_editor.xml, and
+ wizard.xml) are installed in the shared UMIT data directory
+ (e.g. /usr/share/umit/misc) rather than in every user's ~/.umit
+ directory. [David]
+
+o Added HTTPtrace demo NSE script by Kris, who also updated his
+ HTTPpasswd script.
+
+o A bunch of capitalization/spelling canonicalization changes were
+ made to Nmap output. For example: ftp to FTP and idlescan to
+ idle scan.
+
+o Made some improvements to the nmap.xsl stylesheet for converting
+ Nmap XML results to HTML reports. It now does a better job at
+ removing empty sections and headers. Thanks to Henrik Lund Kramshoej
+ for the patch.
+
+o Updated nmap-mac-prefixes with the latest IEEE data.
+
+o Disabled auto-generation of libpcre/pcre_chartables.c because that
+ was useless for our purposes and could also cause some version
+ control related problems. [David]
+
+o Updated IANA assignment IP list for random IP (-iR)
+ generation. [Kris]
+
+Nmap 4.22SOC6 [2007-8-29]
+
+o Included David's major massping migration project. The same
+ underlying engine is now used for ping scanning as for port
+ scanning. We hope this will lead to better performance and
+ accuracy, as well as helping to de-bloat Nmap. Please test it out
+ and report your results to nmap-dev! For more details, see
+ http://seclists.org/nmap-dev/2007/q3/0277.html
+
+o Fixed UMIT bug which occurred when installing to a non-standard
+ directory (e.g. a home directory). This caused Python to not be able
+ to find the necessary files. [Kris]
+
+o Added an NSE script (HTTPpasswd.nse) for finding directory traversal
+ problems and /etc/password files on web servers. [Kris]
+
+o Fixed an error related to version scans against SSL services on
+ UNIX. The error said "nsock_connect_ssl called - but nsock was
+ built w/o SSL support. QUITTING". Thanks to Jasey DePriest for
+ tracking down the problem and David Fifield for fixing it.
+
+o Removed win_dependencies cruft from UMIT directory. [Kris]
+
+o Upgraded Libpcap from version 0.9.4 to 0.9.7 [Kris]
+
+o Removed the effectively empty XML elements for traceroute hops which
+ timed out. [Eddie]
+
+o Fixed (I hope) a problem with running Nmap on Mac OS X machines with
+ VMWare Fusion running. The error message started with:
+ "getinterfaces: Failed to open ethernet interface (vmnet8). A
+ possible cause on BSD operating systems is running out of BPF
+ devices ...." For more details, see
+ http://seclists.org/nmap-dev/2007/q3/0254.html .
+
+o Check that --script arguments are reasonable when Nmap starts rather
+ than potentially waiting for a bunch of port scanning to finish
+ first. [Stoiko]
+
+o Fixed (we hope) a UMIT problem which resulted in the error message:
+ "NameError: global name 'S_IRUSR' is not defined". [Adriano]
+
+o Removed an error message which used to appear when you quit UMIT on
+ Windows. The message used to say "Errors occurred - See the logfile
+ [filename] for details." [Adriano]
+
+o Fix permissions on files installed by Umit so that it should work
+ even if you do 'make install' from an account with a 077 umask.
+
+o Add a feature to Umit that lets you search your unsaved
+ scans. [Eddie]
+
+o Added back a previously removed feature which allows you to specify
+ 'rnd' as one of your decoys (-D option) to let Nmap choose a random
+ IP. You also use a format such as rnd:5 to generate five random
+ decoys. [Kris]
+
+o Reference guide (man page) updates to the NSE section, and some
+ general cleanup.
+
+o When Nmap finishes, it now says "Nmap done" rather than "Nmap run
+ completed". No need to waste pixels on excess verbiage.
+
+Nmap 4.22SOC5 [2007-8-18]
+
+o The Windows installer should actually install UMIT properly now.
+
+o Remove umit.db from the installation process. Let Umit create a new
+ one on its own when needed.
+
+o Fixed the UMIT portion of the Windows installer build system to
+ detect certain heinous errors (like not being able to find Python)
+ and bail out. [Kris]
+
+o Prevent scripts directory from containing .svn cruft when using the
+ Win32 installer (thanks to David Fifield for the patch).
+
+Nmap 4.22SOC3 [2007-8-16]
+
+o Umit is now included in the Nmap Windows executable installer.
+ Please give it a try and let us know what you think! Kris put a lot
+ of work into getting this set up.
+
+o Added four new NSE scripts: HTTP proxy detection (Arturo 'Buanzo'
+ Busleiman), DNS zone transfer attempt (Eddie), detecting SQL
+ injection vulnerabilities on web sites (Eddie), and fetching and
+ displaying portions of /robots.txt from web servers (Eddie).
+
+o All of your 2nd Quarter 2007 Nmap version detection fingerprints
+ were integrated by Doug. The DB now contains 4,347 signatures for
+ 439 service protocols. Doug describes the highlights (craziest
+ services found) in his integration report at
+ http://hcsw.org/blog.pl/29 .
+
+o NSE now supports raw IP packet sending and receiving thanks to a
+ patch from Marek Majkowski. Diman handled testing and applied the
+ patch.
+
+o Nmap now has Snprintf() and Vsnprintf() as safer alternatives to the
+ standard version. The problem is that the Windows version of these
+ functions (_snprintf, _vsnprintf) doesn't properly terminate strings
+ when it has to truncate them. These wrappers ensure that the string
+ written is always truncated. Thanks to Kris for doing the work.
+
+o Upgraded libpcre from version 6.7 to 7.2 [Kris]
+
+o Merged various Umit bug fixes from SourceForge trunk: "missing import
+ webbrowser on umit", "Missing markup in 'OS Class' on
+ HostDetailsPage", "some command line options are now working
+ (target, profile, verbose, open result file and run an nmap
+ command)", "removing unused functions import from os.path",
+ "verbosity works on command line"
+
+o Eddie fixed several Umit bugs. Umit now sets the file save
+ extension to .usr unless the user specifies something else. The
+ details highlight regular expression was improved and an error message was added
+ when no target was specified and -iR and -iL aren't used.
+
+o reason.cc/reason.h renamed to portreasons.cc/.h because a reason.h
+ in the Windows platform SDK was causing conflicts. [Kris]
+
+o Fixed a bug in --iflist which would lead to crashes. Thanks to
+ Michael Lawler for the report, and Eddie for the fix.
+
+o Finished updating WinPcap to 4.01 (a few static libraries were
+ missed) [Eddie]
+
+o Added NSE support for buffered data reads. [Stoiko]
+
+o Added new --script-args option for passing arguments to NSE scripts
+ [Stoiko]
+
+o Performed a bunch of OS fingerprint text canonicalization thanks to
+ reports of dozens of capitalization inconsistencies from Suicidal Bob.
+
+o Fixed an assertion failure which could be experienced when script
+ scan was requested without also requesting version scan. [Stoiko]
+
+o Fixed an output bug on systems like Windows which return -1 when
+ vsnprintf is passed a too-small buffer rather than returning the
+ size needed. Thanks to jah (jah(a)zadkiel.plus.com) for the report.
+
+o Added sys/types.h include to portreasons.h to help OpenBSD compilation.
+ Thanks to Olivier Meyer for the patch.
+
+o Many hard coded function names and instances of __FUNCTION__ were
+ changed to __func__ [Kris]
+
+o Configure scripts for Nmap, Nbase, and Nsock were optimized to
+ remove redundant checks. This improves compilation time
+ performance. [Eddie]
+
+o Updated IANA assignment IP list for random IP (-iR)
+ generation. [Kris]
+
+Nmap 4.22SOC2 [2007-7-11]
+
+o NSE compilation fixes by Stoiko and Kris
+
+Nmap 4.22SOC1 [2007-7-8]
+
+o The UMIT graphical Nmap frontend is now included (as an ALPHA TEST
+ release) with the Nmap tarball distribution. It isn't yet in the
+ RPMs or the Windows distributions. UMIT is written with Python/GTK
+ and has many huge advantages over NmapFE. It installs from the Nmap
+ source tarballs as part of the "make install" process unless you
+ specify --without-umit to configure. Please give UMIT a try (the
+ executable is named umit) and let us know the results! We hope to
+ include UMIT in the Windows Nmap distributions soon.
+
+o Added more Nmap Scripting Engine scripts, bringing the total to 31.
+ The new ones are bruteTelnet (Eddie Bell), SMTPcommands (Jasey
+ DePriest), iax2Detect (Jasey), nbstat (Brandon Enright),
+ SNMPsysdescr (Thomas Buchanan), HTTPAuth (Thomas), finger (Eddie),
+ ircServerInfo (Doug Hoyte), and MSSQLm (Thomas Buchanan).
+
+o Added the --reason option which explains WHY Nmap assigned a port
+ status. For example, a port could be listed as "filtered" because
+ no response was received, or because an ICMP network unreachable
+ message was received. [Eddie]
+
+o Integrated all of your 2nd generation OS detection submissions,
+ increasing the database size by 68% since 4.21ALPHA4 to 699
+ fingerprints. The 2nd generation database is now nearly half (42%)
+ the size of the original. Please keep those submissions coming so
+ that we can do another integration round before the SoC program ends
+ on August 20! Thanks to David Fifield for doing most of the
+ integration work!
+
+o Integrated version detection submissions. The database has grown by
+ more than 350 signatures since 4.21ALPHA4. Nmap now has 4,236
+ signatures for 432 service protocols. As usual, Doug Hoyte deserves
+ credit for the integration marathon, which he describes at
+ http://hcsw.org/blog.pl .
+
+o Added the NSE library (NSELib) which is a library of useful
+ functions (which can be implemented in LUA or as loadable C/C++
+ modules) for use by NSE scripts. We already have libraries for bit
+ operations (bit), list operations (listop), URL fetching and
+ manipulation (url), activation rules (shortport), and miscellaneous
+ commonly useful functions (stdnse). Stoiko added the underlying
+ functionality, though numerous people contributed to the library
+ routines.
+
+o Added --servicedb and --versiondb command-line options which allow
+ you to specify a custom Nmap services (port to port number translation
+ and port frequency) file or version detection database. [David
+ Fifield]
+
+o The build dependencies were dramatically reduced by removing
+ unnecessary header includes and moving header includes from .h
+ files to .cc as well as adding some forward declarations. This
+ reduced the number of makefile.dep dependencies from 1469 to 605.
+ This should make Nmap compilation faster and prevent some
+ portability problems. [David Fifield]
+
+o Upgraded from WinPcap 3.1 to WinPcap 4.01 and fixed a WinPcap installer
+ error. [Eddie]
+
+o In verbose mode, Nmap now reports where it obtains data files (such as
+ nmap-services) from. [David Fifield]
+
+o Canonicalized a bunch of OS classes, device types, etc. in the OS
+ detection and version scanning databases so they are named
+ consistently. [Doug]
+
+o If we get a ICMP Protocol Unreachable from a host other than our
+ target during a port scan, we set the state to 'filtered' rather than
+ 'closed'. This is consistent with how port unreachable errors work for
+ udp scan. [Kris]
+
+o Relocated OSScan warning message (could not find 1 closed and 1 open
+ port). Now output.cc prints the warning along with a targets OSScan
+ results. [Eddie]
+
+o Fixed a bug which caused port 0 to be improperly used for gen1 OS
+ detection in some cases when your scan includes port 0 (it isn't
+ included by default). Thanks to Sebastian Wolfgarten for the report
+ and Kris Katterjohn for the fix.
+
+o The --iflist table now provides WinPcap device names on
+ Windows. [Eddie]
+
+o The Nmap reference guide (man page) DocBook XML source is now in the
+ SVN repository at svn://svn.insecure.org/nmap/docs/refguide.xml .
+
+o NSE now has garbage collection so that if you forget to close a
+ socket before exiting a script, it is closed for you. [Stoiko]
+
+o The <portused> tag in XML output now provides the open TCP port used
+ for OS detection as well as the closed TCP and UDP ports which were
+ reported previously. [Kris]
+
+o XML output now has a <times> tag for reporting final time
+ information which was already printed in normal output in verbose
+ mode (round trip time, rtt variance, timeout, etc.) [Kris]
+
+o Changed the XML output format so that the <extrareasons> tag (part
+ of Eddie's --reason patch) falls within the <extraports> tag. [Kris]
+
+o Nmap now provides more concise OS fingerprints for submission thanks
+ to better merging. [David Fifield]
+
+o A number of changes were made to the Windows build system to handle
+ version numbers, publisher field, add/remove program support,
+ etc. [Eddie]
+
+o The Nmap -A option now enables the traceroute option too [Eddie]
+
+o Improved how the Gen1 OS Detection system selects which UDP ports to
+ send probes to. [Kris]
+
+o Updated nmap-mac-prefixes to latest IEEE data as of 5/18/07. Also
+ removed some high (greater than 0x80) characters from some company
+ names because they were causing this error on Windows when Nmap is
+ compiled in Debug mode:
+ isctype.c Line 56: Expression: (unsigned)(c + 1) <= 256".
+ Thanks to Sina Bahram for the initial report and Thomas Buchanan for
+ tracking down the problem.
+
+o Added a SIP (IP phone) probe from Matt Selsky to nmap-service-probes.
+
+o Fixed a bug which prevented the NSE scripts directory from appearing
+ in the Win32 .zip version of Nmap.
+
+o Fixed a bug in --traceroute output. It occurred when a traced host could
+ be fully consolidated, but only the first hop number was outputted. [Kris]
+
+o The new "rnd" option to -D allows you to ask Nmap to generate random
+ decoy IPs rather having to specify them all yourself. [Kris]
+
+o Fixed a Traceroute bug relating to scanning through the localhost
+ interface on Windows (which previously caused a crash). Thanks to
+ Alan Jones for the report and Eddie Bell for the fix.
+
+o Fixed a traceroute bug related to tracing between interfaces of a
+ multi-homed host. Thanks to David Fifield for reporting the problem
+ and Eddie Bell for the fix.
+
+o Service detection (-sV) and OS detection (-O) are now (rightfully)
+ disabled when used with the IPProto Scan (-sO). Using the Service
+ Scan like this led to premature exiting, and the OS Scan led to gross
+ inaccuracies. [Kris]
+
+o Updated IANA assignment IP list for random IP (-iR) generation. [Kris]
+
+Nmap 4.21ALPHA4 [2007-3-20]
+
+o Performed another big OS detection run. The DB has grown almost 10%
+ to 417 fingerprints. All submissions up to February 6 have been
+ processed. Please keep them coming!
+
+o Fixed XML output so that the opening <os> tag is printed again. The
+ line which prints this was somehow removed when NSE was integrated.
+ Thanks to Joshua Abraham for reporting the problem.
+
+o Fixed a small bug in traceroute progress output which didn't
+ properly indicate completion. [Kris]
+
+o Fixed a portability problem related to the new traceroute
+ functionality so that it compiles on Mac OS X. Thanks to Christophe
+ Thil for reporting the problem and sending the 1-line fix.
+
+o Updated nmap-mac-prefixes to include the latest MAC prefix (OUI)
+ data from the IEEE as of March 20, 2007.
+
+Nmap 4.21ALPHA3 [2007-3-16]
+
+o Just fixed a packaging problem with the 4.21ALPHA2 release (thanks
+ to Alan Jones for reporting it).
+
+Nmap 4.21ALPHA2 [2007-3-15]
+
+o Performed a huge OS detection submission integration marathon. More
+ than 500 submissions were processed, increasing the 2nd generation
+ OS DB size 65% to 381 fingerprints. And many of the existing ones
+ were improved. We still have a bit more than 500 submissions (sent
+ after January 16) to process. Please keep those submissions coming!
+
+o Integrated all of your Q32006 service fingerprint submissions. The
+ nmap-service-probe DB grew from 3,671 signatures representing 415
+ service protocols to 3,877 signatures representing 426 services. Big
+ thanks to version detection czar Doug Hoyte for doing this. Notable
+ changes are described at http://hcsw.org/blog.pl?a=20&b=20 .
+
+o Nmap now has traceroute support, thanks to an excellent patch by
+ Eddie Bell. The new system uses Nmap data to determine which sort of
+ packets are most likely to slip through the target network and
+ produce useful results. The system is well optimized for speed and
+ bandwidth efficiency, and the clever output system avoids repeating
+ the same initial hops for each target system. Enable this
+ functionality by specifying --traceroute.
+
+o Nmap now has a public Subversion (SVN) source code repository. See
+ the announcement at http://seclists.org/nmap-dev/2006/q4/0253.html
+ and then the updated usage instructions at
+ http://seclists.org/nmap-dev/2006/q4/0281.html .
+
+o Fixed a major accuracy bug in gen1 OS detection (some debugging code
+ was accidentally left in). Thanks to Richard van den Berg for finding
+ the problem.
+
+o Changed the IP protocol scan so that it sends proper IGMP headers when
+ scanning that protocol. This makes it much more likely that the host
+ will respond, proving that it's "open". [Kris]
+
+o Improved the algorithm for classifying the TCP timestamp frequency
+ for OS detection. The new algorithm is described at
+ https://nmap.org/book/osdetect-methods.html#osdetect-ts .
+
+o Fixed the way Nmap detects whether one of its data files (such as
+ nmap-services) exists and has permissions which allow it to be read.
+
+o Added a bunch of nmap-services port listings from Stephanie Wen.
+
+o Update IANA assignment IP list for random IP (-iR) generation.
+ Thanks to Kris Katterjohn for the patch.
+
+o Fix nmap.xsl (the transform for rendering Nmap XML results as HTML)
+ to fix some bugs related to OS detection output. Thanks to Tom
+ Sellers for the patch.
+
+o Fixed a bug which prevented the --without-liblua compilation option
+ from working. Thanks to Kris Katterjohn for the patch.
+
+o Fixed a bug which caused nmap --iflist to crash (and might have
+ caused crashes in other circumstances too). Thanks to Kris
+ Katterjohn for the report and Diman Todorov for the fix.
+
+o Applied a bunch of code cleanup patches from Kris Katterjohn.
+
+o Some scan types were fixed when used against localhost. The UDP Scan
+ doesn't find its own port, the TCP Scan won't print a message (with -d)
+ about an unexpected packet (for the same reason), and the IPProto Scan
+ won't list every port as "open" when using --data-length >= 8. [Kris]
+
+o The IPProto Scan should be more accurate when scanning protocol 17 (UDP).
+ ICMP Port Unreachables are now checked for, and UDP is listed as "open"
+ if it receives one rather than "open|filtered" or "filtered". [Kris]
+
+o The --scanflags option now also accepts "ECE", "CWR", "ALL" and "NONE" as
+ arguments. [Kris]
+
+o The --packet-trace option was added to NmapFE. The Ordered Ports (-r)
+ option in now available to non-root users on NmapFE as well. [Kris]
+
+Nmap 4.21ALPHA1 [2006-12-10]
+
+o Integrated the Nmap Scripting Engine (NSE) into mainline Nmap.
+ Diman Todorov and I have been working on this for more than six months, and
+ we hope it will expand Nmap's capabilities in many cool ways. We're
+ accepting (and writing) general purpose scripts to put into Nmap
+ proper, and you can also write personal scripts to deal with issues
+ specific to your environment. The system is documented at
+ https://nmap.org/book/nse.html .
+
+o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
+ (http://standards.ieee.org/regauth/oui/oui.txt) as of December 7.
+
+Nmap 4.20 [2006-12-7]
+
+o Integrated the latest OS fingerprint submissions. The 2nd
+ generation DB size has grown to 231 fingerprints. Please keep them
+ coming! New fingerprints include Mac OS X Server 10.5 pre-release,
+ NetBSD 4.99.4, Windows NT, and much more.
+
+o Fixed a segmentation fault in the new OS detection system
+ which was reported by Craig Humphrey and Sebastian Garcia.
+
+o Fixed a TCP sequence prediction difficulty indicator bug. The index
+ is supposed to go from 0 ("trivial joke") to about 260 (OpenBSD).
+ But some systems generated ISNs so insecurely that Nmap went
+ berserk and reported a negative difficulty index. This generally
+ only affects some printers, crappy cable modems, and Microsoft
+ Windows (old versions). Thanks to Sebastian Garcia for helping me
+ track down the problem.
+
+Nmap 4.20RC2 [2006-12-2]
+
+o Integrated all of your OS detection submissions since RC1. The DB
+ has increased 13% to 214 fingerprints. Please keep them coming!
+ New fingerprints include versions of z/OS, OpenBSD, Linux, AIX,
+ FreeBSD, Cisco CatOS, IPSO firewall, and a slew of printers and
+ misc. devices. We also got our first Windows 95 fingerprint,
+ submitted anonymously of course :).
+
+o Fixed (I hope) the "getinterfaces: intf_loop() failed" error which
+ was seen on Windows Vista. The problem was apparently in
+ intf-win32.c of libdnet (need to define MIB_IF_TYPE_MAX to
+ MAX_IF_TYPE rather than 32). Thanks to Dan Griffin
+ (dan(a)jwsecure.com) for tracking this down!
+
+o Applied a couple minor bug fixes for IP options
+ support and packet tracing. Thanks to Michal Luczaj
+ (regenrecht(a)o2.pl) for reporting them.
+
+o Incorporated SLNP (Simple Library Network Protocol) version
+ detection support. Thanks to Tibor Csogor (tibi(a)tiborius.net) for
+ the patch.
+
+Nmap 4.20RC1 [2006-11-20]
+
+o Fixed (I hope) a bug related to Pcap capture on Mac OS X. Thanks to
+ Christophe Thil for reporting the problem and to Kurt Grutzmacher
+ and Diman Todorov for helping to track it down.
+
+o Integrated all of your OS detection submissions since ALPHA11. The
+ DB has increased 27% to 189 signatures. Notable additions include
+ the Apple Airport Express, Windows Vista RC1, OpenBSD 4.0, a Sony
+ TiVo device, and tons of broadband routers, printers, switches, and
+ Linux kernels. Keep those submissions coming!
+
+o Upgraded the included LibPCRE from version 6.4 to 6.7. Thanks to
+ Jochen Voss (voss(a)seehuhn.de) for the suggestion (he found some bugs
+ in 6.4)
+
+Nmap 4.20ALPHA11 [2006-11-2]
+
+o Integrated all of your OS detection submissions, bringing the
+ database up to 149 fingerprints. This is an increase of 28% from
+ ALPHA10. Notable additions include FreeBSD 6.1, a bunch of HP
+ LaserJet printers, and HP-UX 11.11. We also got a bunch of more
+ obscure submissions like Minix 3.1.2a and "Ember InSight Adapter for
+ programming EM2XX-family embedded devices". Who doesn't have a few
+ of those laying around? I'm hoping that all the obscure submissions
+ mean that more of the mainstream systems are being detected out of
+ the box! Please keep those submissions (obscure or otherwise)
+ coming!
+
+Nmap 4.20ALPHA10 [2006-10-23]
+
+o Integrated tons of new OS fingerprints. The DB now contains 116
+ fingerprints, which is up 63% since the previous version. Please keep
+ the submissions coming!
+
+Nmap 4.20ALPHA9 [2006-10-13]
+
+o Integrated the newly submitted OS fingerprints. The DB now contains
+ 71 fingerprints, up 27% from 56 in ALPHA8. Please keep them coming!
+ We still only have 4.2% as many fingerprints as the gen1 database.
+
+o Added the --open option, which causes Nmap to show only open ports.
+ Ports in the states "open|closed" and "unfiltered" might be open, so
+ those are shown unless the host has an overwhelming number of them.
+
+o Nmap gen2 OS detection used to always do 2 retries if it fails to
+ find a match. Now it normally does just 1 retry, but does 4 retries
+ if conditions are good enough to warrant fingerprint submission.
+ This should speed things up on average. A new --max-os-tries option
+ lets you specify a higher lower maximum number of tries.
+
+o Added --unprivileged option, which is the opposite of --privileged.
+ It tells Nmap to treat the user as lacking network raw socket and
+ sniffing privileges. This is useful for testing, debugging, or when
+ the raw network functionality of your operating system is somehow
+ broken.
+
+o Fixed a confusing error message which occurred when you specified a
+ ping scan or list scan, but also specified -p (which is only used for
+ port scans). Thanks to Thomas Buchanan for the patch.
+
+o Applied some small cleanup patches from Kris Katterjohn
+
+Nmap 4.20ALPHA8 [2006-9-30]
+
+o Integrated the newly submitted OS fingerprints. The DB now contains
+ 56, up 33% from 42 in ALPHA7. Please keep them coming! We still only
+ have 3.33% as many signatures as the gen1 database.
+
+o Nmap 2nd generation OS detection now has a more sophisticated
+ mechanism for guessing a target OS when there is no exact match in the
+ database (see https://nmap.org/book/osdetect-guess.html )
+
+o Rewrote mswin32/nmap.rc to remove cruft and hopefully reduce some
+ MFC-related compilation problems we've seen. Thanks to KX
+ (kxmail(a)gmail.com) for doing this.
+
+o NmapFE now uses a spin button for verbosity and debugging options so
+ that you can specify whatever verbosity (-v) or debugging (-d) level
+ you desire. The --randomize-hosts option was also added to NmapFE.
+ Thanks to Kris Katterjohn for the patches.
+
+o A dozen or so small patches to Nmap and NmapFE by Kris Katterjohn.
+
+o Removed libpcap/Win32 and libpcap/msdos as Nmap doesn't use them.
+ This reduces the Nmap tar.bz2 by about 50K. Thanks to Kris Katterjohn
+ for the suggestion.
+
+Nmap 4.20ALPHA7 [2006-9-12]
+
+o Did a bunch of Nmap 2nd generation fingerprint integration work.
+ Thanks to everyone who sent some in, though we still need a lot more.
+ Also thanks to Zhao for a bunch of help with the integration tools.
+ 4.20ALPHA6 had 12 fingerprints, this new version has 42. The old DB
+ (still included) has 1,684.
+
+o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
+ (http://standards.ieee.org/regauth/oui/oui.txt) as of September 6, 2006.
+ Also added the unregistered PearPC virtual NIC prefix, as suggested
+ by Robert Millan (rmh(a)aybabtu.com).
+
+o Applied some small internal cleanup patches by Kris Katterjohn.
+
+Nmap 4.20ALPHA6 [2006-9-2]
+
+o Fixed a bug in 2nd generation OS detection which would (usually) prevent
+ fingerprints from being printed when systems don't respond to the 1st
+ ICMP echo probe (the one with bogus code value of 9). Thanks to
+ Brandon Enright for reporting and helping me debug the problem.
+
+o Fixed some problematic Nmap version detection signatures which could
+ cause warning messages. Thanks to Brandon Enright for the initial patch.
+
+Nmap 4.20ALPHA5 [2006-8-31]
+
+o Worked with Zhao to improve the new OS detection system with
+ better algorithms, probe changes, and bug fixes. We're
+ now ready to start growing the new database! If Nmap gives you
+ fingerprints, please submit them at the given URL. The DB is still
+ extremely small. The new system is extensively documented at
+ https://nmap.org/book/osdetect.html .
+
+o Nmap now supports IP options with the new --ip-options flag. You
+ can specify any options in hex, or use "R" (record route), "T"
+ (record timestamp), "U") (record route & timestamp), "S [route]"
+ (strict source route), or "L [route]" (loose source route). Specify
+ --packet-trace to display IP options of responses. For further
+ information and examples, see https://nmap.org/book/man.html and
+ http://seclists.org/nmap-dev/2006/q3/0052.html . Thanks to Marek
+ Majkowski for writing and sending the patch.
+
+o Integrated all 2nd quarter service detection fingerprint
+ submissions. Please keep them coming! We now have 3,671 signatures
+ representing 415 protocols. Thanks to version detection czar Doug
+ Hoyte for doing this.
+
+o Nmap now uses the (relatively) new libpcap pcap_get_selectable_fd
+ API on systems which support it. This means that we no longer need
+ to hack the included Pcap to better support Linux. So Nmap will now
+ link with an existing system libpcap by default on that platform if
+ one is detected. Thanks to Doug Hoyte for the patch.
+
+o Updated the included libpcap from 0.9.3 to 0.9.4. The changes I
+ made are in libpcap/NMAP_MODIFICATIONS . By default, Nmap will now
+ use the included libpcap unless version 0.9.4 or greater is already
+ installed on the system.
+
+o Applied some nsock bugfixes from Diman Todorov. These don't affect
+ the current version of Nmap, but are important for his Nmap
+ Scripting Engine, which I hope to integrate into mainline Nmap in
+ September.
+
+o Fixed a bug which would occasionally cause Nmap to crash with the
+ message "log_vwrite: write buffer not large enough". I thought I
+ conquered it in a previous release -- thanks to Doug Hoyte for finding a
+ corner case which proved me wrong.
+
+o Fixed a bug in the rDNS system which prevented us from querying
+ certain authoritative DNS servers which have recursion explicitly
+ disabled. Thanks to Doug Hoyte for the patch.
+
+o --packet-trace now reports TCP options (thanks to Zhao Lei for the
+ patch). Thanks to the --ip-options addition also found in this
+ release, IP options are printed too.
+
+o Cleaned up Nmap DNS reporting to be a little more useful and
+ concise. Thanks to Doug Hoyte for the patch.
+
+o Applied a bunch of small internal cleanup patches by Kris Katterjohn
+ (katterjohn(a)gmail.com).
+
+o Fixed the 'distclean' make target to be more comprehensive. Thanks
+ to Thomas Buchanan (Thomas.Buchanan(a)thecompassgrp.net) for the
+ patch.
+
+Nmap 4.20ALPHA4 [2006-7-4]
+
+o Nmap now provides progress statistics in the XML output in verbose
+ mode. Here are some examples of the format (etc is "estimated time
+ until completion) and times are in UNIX time_t (seconds since 1970) format.
+ <taskbegin task="SYN Stealth Scan" time="1151384685" />
+ <taskprogress task="SYN Stealth Scan" time="1151384715"
+ percent="13.85" remaining="187" etc="1151384902" />
+ <taskend task="SYN Stealth Scan" time="1151384776" />
+ <taskbegin task="Service scan" time="1151384776" />
+ <taskend task="Service scan" time="1151384788" />
+ Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
+
+o Updated the Windows installer to give an option checkbox for
+ performing the Nmap performance registry changes. The default is to
+ do so. Thanks to Adam Vartanian (flooey(a)gmail.com) for the patch.
+
+o Applied several code cleanup patches from Marek Majkowski.
+
+o Added --release-memory option, which causes Nmap to release all
+ accessible memory buffers before quitting (rather than let the OS do
+ it). This is only useful for debugging memory leaks.
+
+o Fixed a bug related to bogus completion time estimates when you
+ request an estimate (through runtime interaction) right when Nmap is
+ starting a subsystem (such as a port scan or version detection).
+ Thanks to Diman Todorov for reporting the problem and Doug Hoyte for
+ writing a fix.
+
+o Nmap no longer gets random numbers from OpenSSL when it is available
+ because that turned out to be slower than Nmap's other methods
+ (e.g. /dev/urandom on Linux, /dev/arandom on OpenBSD, etc.). Thanks
+ to Marek Majkowski for reporting the problem.
+
+o Updated the Windows binary distributions (self-installer and .zip)
+ to include the new 2nd generation OS detection DB (nmap-os-db).
+ Thanks to Sina Bahram for reporting the problem.
+
+o Fixed the --max-retries option, which wasn't being honored. Thanks
+ to Jon Passki (jon.passki(a)hursk.com) for the patch.
+
+Nmap 4.20ALPHA3 [2006-6-29]
+
+o Added back Win32 support thanks to a patch by KX
+
+o Fixed the English translation of TCP sequence difficulty reported by
+ Brandon Enright, and also removed fingerprint printing for 1st
+ generation fingerprints (I don't really want to deal with those
+ anymore). Thanks to Zhao Lei for writing this patch.
+
+o Fix a problem which caused OS detection to be done in some cases
+ even if the user didn't request it. Thanks to Diman Todorov for the
+ fix.
+
+Nmap 4.20ALPHA2 [2006-6-24]
+
+o Included nmap-os-db (the new OS detection DB) within the release.
+ Oops! Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for catching
+ this problem with 4.20ALPHA1.
+
+o Added a fix for the crash in the new OS detection which would come
+ with the message "Probe doesn't exist! Probe type: 1. Probe subid: 1"
+
+Nmap 4.20ALPHA1 [2006-6-24]
+
+o Integrated initial 2nd generation OS detection patch! The system is
+ documented at https://nmap.org/book/osdetect.html . Thanks to Zhao Lei
+ for helping with the coding and design.
+
+o portlist.cc was refactored to remove some code duplication. Thanks
+ to Diman Todorov for the patch.
+
+Nmap 4.11 [2006-6-23]
+
+o Added a dozens of more detailed SSH version detection signatures, thanks
+ to a SSH huge survey and integration effort by Doug Hoyte. The
+ results of his large-scale SSH scan are posted at
+ http://seclists.org/nmap-dev/2006/Apr-Jun/0393.html .
+
+o Fixed the Nmap Makefile (actually Makefile.in) to correctly handle
+ include file dependencies. So if a .h file is changed, all of the
+ .cc files which depend on it will be recompiled. Thanks to Diman
+ Todorov (diman(a)xover.mud.at) for the patch.
+
+o Fixed a compilation problem on solaris and possibly other platforms.
+ The error message looked like "No rule to make target `inet_aton.o',
+ needed by `libnbase.a'". Thanks to Matt Selsky
+ (selsky(a)columbia.edu) for the patch.
+
+o Applied a patch which helps with HP-UX compilation by linking in the
+ nm library (-lnm). Thanks to Zakharov Mikhail
+ (zmey20000(a)yahoo.com) for the patch.
+
+o Added version detection probes for detecting the Nessus daemon.
+ Thanks to Adam Vartanian (flooey(a)gmail.com) for sending the patch.
+
+Nmap 4.10 [2006-6-12]
+
+o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
+ (http://standards.ieee.org/regauth/oui/oui.txt) as of May 31, 2006.
+ Also added a couple unregistered OUI's (for QEMU and Bochs)
+ suggested by Robert Millan (rmh(a)aybabtu.com).
+
+o Fixed a bug which could cause false "open" ports when doing a UDP
+ scan of localhost. This usually only happened when you scan tens of
+ thousands of ports (e.g. -p- option).
+
+o Fixed a bug in service detection which could lead to a crash when
+ "--version-intensity 0" was used with a UDP scan. Thanks to Makoto
+ Shiotsuki (shio(a)st.rim.or.jp) for reporting the problem and Doug
+ Hoyte for producing a patch.
+
+o Made some AIX and HP-UX portability fixes to Libdnet and NmapFE.
+ These were sent in by Peter O'Gorman
+ (nmap-dev(a)mlists.thewrittenword.com).
+
+o When you do a UDP+TCP scan, the TCP ports are now shown first (in
+ numerical order), followed by the UDP ports (also in order). This
+ contrasts with the old format which showed all ports together in
+ numerical order, regardless of protocol. This was at first a "bug",
+ but then I started thinking this behavior may be better. If you
+ have a preference for one format or the other, please post your
+ reasons to nmap-dev.
+
+o Changed mass_dns system to print a warning if it can't find any
+ available DNS servers, but not quit like it used to. Thanks to Doug
+ Hoyte for the patch.
+
+Nmap 4.04BETA1 [2006-5-31]
+
+o Integrated all of your submissions (about a thousand) from the first
+ quarter of this year! Please keep 'em coming! The DB has increased
+ from 3,153 signatures representing 381 protocols in 4.03 to 3,441
+ signatures representing 401 protocols. No other tool comes close!
+ Many of the already existing match lines were improved too. Thanks
+ to Version Detection Czar Doug Hoyte for doing this.
+
+o Nmap now allows multiple ignored port states. If a 65K-port scan
+ had, 64K filtered ports, 1K closed ports, and a few dozen open
+ ports, Nmap used to list the dozen open ones among a thousand lines
+ of closed ports. Now Nmap will give reports like "Not shown: 64330
+ filtered ports, 1000 closed ports" or "All 2051 scanned ports on
+ 192.168.0.69 are closed (1051) or filtered (1000)", and omit all of
+ those ports from the table. Open ports are never ignored. XML
+ output can now have multiple <extraports> directive (one for each
+ ignored state). The number of ports in a single state before it is
+ consolidated defaults to 26 or more, though that number increases as
+ you add -v or -d options. With -d3 or higher, no ports will be
+ consolidated. The XML output should probably be augmented to give
+ the extraports directive 'ip', 'tcp', and 'udp' attributes which
+ specify the corresponding port numbers in the given state in the
+ same listing format as the nmaprun.scaninfo.services attribute, but
+ that part hasn't yet been implemented. If you absolutely need the
+ exact port numbers for each state in the XML, use -d3 for now.
+
+o Nmap now ignores certain ICMP error message rate limiting (rather
+ than slowing down to accommodate it) in cases such as SYN scan where
+ an ICMP message and no response mean the same thing (port filtered).
+ This is currently only done at timing level Aggressive (-T4) or
+ higher, though we may make it the default if we don't hear problems
+ with it. In addition, the --defeat-rst-ratelimit option has been
+ added, which causes Nmap not to slow down to accommodate RST rate
+ limits when encountered. For a SYN scan, this may cause closed
+ ports to be labeled 'filtered' because Nmap refused to slow down
+ enough to correspond to the rate limiting. Learn more about this
+ new option at https://nmap.org/book/man.html . Thanks to Martin
+ Macok (martin.macok(a)underground.cz) for writing the patch that
+ these changes were based on.
+
+o Moved my Nmap development environment to Visual C++ 2005 Express
+ edition. In typical "MS Upgrade Treadmill" fashion, Visual Studio
+ 2003 users will no longer be able to compile Nmap using the new
+ solution files. The compilation, installation, and execution
+ instructions at https://nmap.org/book/inst-windows.html have been
+ upgraded.
+
+o Automated my Windows build system so that I just have to type a
+ single make command in the mswin32 directory. Thanks to Scott
+ Worley (smw(a)pobox.com>, Shane & Jenny Walters
+ (yfisaqt(a)waltersinamerica.com), and Alex Prinsier
+ (aphexer(a)mailhaven.com) for reading my appeal in the 4.03
+ CHANGELOG and assisting.
+
+o Changed the PortList class to use much more efficient data
+ structures and algorithms which take advantage of Nmap-specific
+ behavior patterns. Thanks to Marek Majkowski
+ (majek(a)forest.one.pl) for the patch.
+
+o Fixed a bug which prevented certain TCP+UDP scan commands, such as
+ "nmap -sSU -p1-65535 localhost" from scanning both TCP and UDP.
+ Instead they gave the error message "WARNING: UDP scan was requested,
+ but no udp ports were specified. Skipping this scan type". Thanks to
+ Doug Hoyte for the patch.
+
+o Nmap has traditionally required you to specify -T* timing options
+ before any more granular options like --max-rtt-timeout, otherwise the
+ general timing option would overwrite the value from your more
+ specific request. This has now been fixed so that the more specific
+ options always have precedence. Thanks to Doug Hoyte for this patch.
+
+o Fixed a couple possible memory leaks reported by Ted Kremenek
+ (kremenek(a)cs.stanford.edu) from the Stanford University software
+ static analysis lab ("Checker" project).
+
+o Nmap now prints a warning when you specify a target name which
+ resolves to multiple IP addresses. Nmap proceeds to scan only the
+ first of those addresses (as it always has done). Thanks to Doug
+ Hoyte for the patch. The warning looks like this:
+ Warning: Hostname google.com resolves to 3 IPs. Using 66.102.7.99.
+
+o Disallow --host-timeout values of less than 1500ms, print a warning
+ for values less than 15s.
+
+o Changed all instances of inet_aton() into calls to inet_pton()
+ instead. This allowed us to remove inet_aton.c from nbase. Thanks to
+ KX (kxmail(a)gmail.com) for the patch.
+
+o When debugging (-d) is specified, Nmap now prints a report on the
+ timing variables in use. Thanks to Doug Hoyte for the patch. The
+ report loos like this:
+ ---------- Timing report ----------
+ hostgroups: min 1, max 100000
+ rtt-timeouts: init 250, min 50, max 300
+ scan-delay: TCP 5, UDP 1000
+ parallelism: min 0, max 0
+ max-retries: 2, host-timeout 900000
+ -----------------------------------
+
+o Modified the WinPcap installer file to explicitly uninstall an
+ existing WinPcap (if you select that you wish to replace it) rather
+ than just overwriting the old version. Thanks to Doug Hoyte for
+ making this change.
+
+o Added some P2P application ports to the nmap-services file. Thanks
+ to Martin Macok for the patch.
+
+o The write buffer length increased in 4.03 was increased even further
+ when the debugging or verbosity levels are more than 2 (e.g. -d3).
+ Thanks to Brandon Enright (bmenrigh(a)ucsd.edu) for the patch. The
+ goal is to prevent you from ever seeing the fatal error:
+ "log_vwrite: write buffer not large enough -- need to increase"
+
+o Added a note to the Nmap configure dragon that people sick of him
+ can submit their own ASCII art to dev@nmap.org . If you
+ are wondering WTF I am talking about, it is probably because only
+ most elite Nmap users -- the ones who compile from source on UNIX --
+ get to see the 'l33t ASCII Art.
+
+Nmap 4.03 [2006-4-22]
+
+o Updated the LibPCRE build system to add the -fno-thread-jumps option
+ to gcc when compiling on the new Intel-based Apple Mac OS X systems.
+ Hopefully this resolves the version detection crashes that several
+ people have reported on such systems. Thanks to Kurt Grutzmacher
+ (grutz(a)jingojango.net) for sending the configure.ac patch.
+
+o Made some portability fixes to keep Nmap compiling with the newest
+ Visual Studio 2005. Thanks to KX (kxmail(a)gmail.com) for
+ suggesting them.
+
+o Service fingerprints are now provided in the XML output whenever
+ they would appear in the interactive output (i.e. when a service
+ response with data but is unrecognized). They are shown in a new
+ 'servicefp' attribute to the 'service' tag. Thanks to Brandon Enright
+ (bmenrigh(a)ucsd.edu) for sending the patch.
+
+o Improved the Windows build system -- mswin32/Makefile now takes care
+ of packaging Nmap and creating the installers once Visual Studio (GUI)
+ is done building the Release version of mswin32/nmap.sln. If someone
+ knows how to do this (build) step on the command line (using the
+ Makefile), please let me know. Or if you know how to at least make
+ 'Release' (rather than Debug) the default configuration, that would be
+ valuable.
+
+o WinPcap 3.1 binaries are now shipped in the Nmap tarball, along with
+ a customized installer written by Doug Hoyte. That new WinPcap
+ installer is now used by the Nmap self-installer (if you request
+ WinPcap installation). Some Nmap users were uncomfortable with a
+ "phone home" feature of the official WinPcap installer. It connects
+ back to CACE Technologies, ostensibly to display news and (more
+ recently) advertisements. Our new installer omits that feature, but
+ should be otherwise perfectly compatible with WinPcap 3.1.
+
+o Fixed (I hope) a problem where aggressive --min-parallelization
+ option values could cause Nmap to quit with the message "box(300, 100,
+ 15) called (min,max,num)". Thanks to Richard van den Berg
+ (richard.vandenberg(a)ins.com) for reporting the problem.
+
+o Fixed a rare crash bug thanks to a report and patch from Ganga
+ Bhavani (GBhavani(a)everdreamcorp.com)
+
+o Increased a write buffer length to keep Nmap from quitting with the
+ message "log_vwrite: write buffer not large enough -- need to
+ increase". Thanks to Dave (dmarcher(a)pobox.com) for reporting the
+ issue.
+
+Nmap 4.02ALPHA2 [2006-3-8]
+
+o Updated to a newer XSL stylesheet (for XML to HTML output
+ transformation) by Benjamin Erb. This new version includes IP
+ address sorting, removal of javascript requirements, some new
+ address, hostname, and Nmap version information, and various minor
+ tweaks and fixes.
+
+o Cleaned up the Amiga port code to use atexit() rather than the
+ previous macro hack. Thanks to Kris Katterjohn (katterjohn(a)gmail.com)
+ for the patch. Applied maybe half a dozen new other code cleanup
+ patches from him as well.
+
+o Made some changes to various Nmap initialization functions which
+ help ALT Linux (altlinux.org) and Owl (openwall.com) developers run
+ Nmap in a chroot environment. Thanks to Dmitry V. Levin
+ (ldv(a)altlinux.org) for the patch.
+
+o Cleaned up the code a bit by making a bunch (nearly 100) global
+ symbols (mostly function calls) static. I was also able to removed
+ some unused functions and superfluous config.h.in defines. Thanks
+ to Dmitry V. Levin (ldv(a)altlinux.org) for sending a list of
+ candidate symbols.
+
+o Nmap now tests for the existence of data files using stat(2) rather
+ than testing whether they can be opened for reading (with fopen).
+ This is because some device files (tape drives, etc.) may react badly
+ to being opened at all. Thanks to Dmitry V. Levin
+ (ldv(a)altlinux.org) for the suggestion.
+
+o Changed Nmap to cache interface information rather than opening and
+ closing it (with dnet's eth_open and eth_close functions) all the
+ time.
+
+o Applied a one-character Visual Studio 2005 compatibility patch from
+ kx (kxmail(a)gmail.com). It changed getch() into _getch() on Windows.
+
+Nmap 4.02ALPHA1 [2006-3-13]
+
+o Added the --log-errors option, which causes most warnings and error
+ messages that are printed to interactive-mode output (stdout/stderr)
+ to also be printed to the normal-format output file (if you
+ specified one). This will not work for most errors related to bad
+ command-line arguments, as Nmap may not have initialized its output
+ files yet. In addition, some Nmap error/warning messages use a
+ different system that does not yet support this option.
+
+o Rewrote much of the Nmap results output functions to be more
+ efficient and support --log-errors.
+
+o Fixed a flaw in the scan engine which could (in rare cases)
+ lead to a deadlock situation that prevents a scan from completing.
+ Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for reporting
+ and helping to debug the problem.
+
+o If the pcap_open_live() call (initiates sniffing) fails, Nmap now
+ tries up to two more times after waiting a little while. This is
+ attempt to work around a rare bug on Windows in which the
+ pcap_open_live() fails for unknown reasons.
+
+o Fixed a flaw in the runtime interaction in which Nmap would include
+ hosts currently being scanned in the number of hosts "completed"
+ statistic.
+
+o Fixed a crash in OS scan which could occur on Windows when a DHCP
+ lease issue causes the system to lose its IP address. Nmap still
+ quits, but at least it gives a proper error message now. Thanks to
+ Ganga Bhavani (GBhavani(a)everdreamcorp.com) for the patch.
+
+o Applied more than half a dozen small code cleanup patches from
+ Kris Katterjohn (katterjohn(a)gmail.com).
+
+o Modified the configure script to accept CXX when specified as an
+ absolute path rather than just the executable name. Thanks to
+ Daniel Roethlisberger (daniel(a)roe.ch) for this patch.
+
+Nmap 4.01 [2006-2-9]
+
+o Fixed a bug that would cause bogus reverse-DNS resolution on
+ big-endian machines. Thanks to Doug Hoyte, Seth Miller, Tony Doan,
+ and Andrew Lutomirsky for helping to debug and patch the problem.
+
+o Fixed an important memory leak in the raw ethernet sending system.
+ Thanks to Ganga Bhavani (GBhavani(a)everdreamcorp.com) for
+ identifying the bug and sending a patch.
+
+o Fixed --system-dns option so that --system_dns works too. Error
+ messages were changed to reflect the former (preferred) name.
+ Thanks to Sean Swift (sean.swift(a)bradford.gov.uk) and Peter
+ VanEeckhoutte (Peter.VanEeckhoutte(a)saraleefoodseurope.com) for
+ reporting the problem.
+
+o Fixed a crash which would report this message:
+ "NmapOutputTable.cc:143: void NmapOutputTable::addItem(unsigned int,
+ unsigned int, bool, const char*, int): Assertion `row < numRows'
+ failed." Thanks to Jake Schneider (Jake.Schneider(a)dynetics.com) for
+ reporting and helping to debug the problem.
+
+o Whenever Nmap sends packets with the SYN bit set (except for OS
+ detection), it now includes the maximum segment size (MSS) tcp
+ option with a value of 1460. This makes it stand out less as almost
+ all hosts set at least this option. Thanks to Juergen Schmidt
+ (ju(a)heisec.de) for the suggestion.
+
+o Applied a patch for a Windows interface reading bug in the aDNS
+ subsystem from Doug Hoyte.
+
+o Minor changes to recognize DragonFly BSD in configure
+ scripts. Thanks to Joerg Sonnenberger (joerg(a)britannica.bec.de)
+ for sending the patch.
+
+o Fixed a minor bug in an error message starting with "eth_send of ARP
+ packet returned". Thanks to J.W. Hoogervorst
+ (J.W.Hoogervorst(a)uva.nl) for finding this.
+
+Nmap 4.00 [2006-1-31]
+
+o Added the '?' command to the runtime interaction system. It prints a
+ list of accepted commands. Thanks to Andrew Lutomirski
+ (luto(a)myrealbox.com) for the patch.
+
+o See the announcement at
+ http://www.insecure.org/stf/Nmap-4.00-Release.html for high-level
+ changes since 3.50.
+
+Nmap 3.9999 [2006-1-28]
+
+o Generated a new libpcre/configure to cope with changes in LibPCRE
+ 6.4
+
+o Updated nmap-mac-prefixes to reflect the latest OUI DB from the IEEE
+ (http://standards.ieee.org/regauth/oui/oui.txt)
+
+o Updated nmap-protocols with the latest IEEE internet protocols
+ assignments (http://www.iana.org/assignments/protocol-numbers).
+
+o Updated the Nmap version number and related fields that MS Visual
+ Studio places in the binary. This was done by editing
+ mswin32/nmap.rc.
+
+Nmap 3.999 [2006-1-26]
+
+o Added runtime interaction support to Windows, thanks to patches from
+ Andrew Lutomirski (luto(a)myrealbox.com) and Gisle Vanem (giva(a)bgnett.no).
+
+o Changed a couple lines of tcpip.cc (put certain IP header fields in
+ host byte order rather than NBO) to (hopefully) support Mac OS X on
+ Intel. Thanks to Kurt Grutzmacher (grutz(a)jingojango.net) for the
+ patch.
+
+o Upgraded the included LibPCRE from version 6.3 to 6.4. There was a
+ report of version detection crashes on the new Intel-based MACs with
+ 6.3.
+
+o Fixed an issue in which the installer would malfunction in rare
+ issues when installing to a directory with spaces in it. Thanks to
+ Thierry Zoller (Thierry(a)Zoller.lu) for the report.
+
+Nmap 3.99 [2006-1-25]
+
+o Integrated all remaining 2005 service submissions. The DB now has
+ surpassed 3,000 signatures for the first time. There now are 3,153
+ signatures for 381 service protocols. Those protocols span the
+ gamut from abc, acap, afp, and afs to zebedee, zebra, and
+ zenimaging. It even covers obscure protocols such as http, ftp,
+ smtp, and ssh :). Thanks to Version Detection Czar Doug Hoyte for
+ his excellent work on this.
+
+o Created a Windows executable installer using the open source NSIS
+ (Nullsoft Scriptable Install System). It handles Pcap installation,
+ registry performance changes, and adding Nmap to your cmd.exe
+ executable path. The installer source files are in mswin32/nsis/ .
+ Thanks to Google SoC student Bo Jiang (jiangbo(a)brandeis.edu) for
+ creating the initial version.
+
+o Fixed a backward compatibility bug in which Nmap didn't recognize
+ the --min_rtt_timeout option (it only recognized the newly
+ hyphenated --min-rtt-timeout). Thanks to Joshua D. Abraham
+ (jabra(a)ccs.neu.edu) for the bug report.
+
+o Fixed compilation to again work with gcc-derivatives such as
+ MingW. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending the
+ patches
+
+Nmap 3.98BETA1 [2006-1-22]
+
+o Added run time interaction as documented at
+ https://nmap.org/book/man-runtime-interaction.html .
+ While Nmap is running, you can now press 'v' to increase verbosity,
+ 'd' to increase the debugging level, 'p' to enable packet tracing,
+ or the capital versions (V,D,P) to do the opposite. Any other key
+ (such as enter) will print out a status message giving the estimated
+ time until scan completion. This only works on UNIX for now. Do we
+ have any volunteers to add Windows support? You would need to
+ change a handful of UNIX-specific termio calls with the Windows
+ equivalents. This feature was created by Paul Tarjan
+ (ptarjan(a)stanford.edu) as part of the Google Summer of Code.
+
+o Reverse DNS resolution is now done in parallel rather than one at a
+ time. All scans of large networks (particularly list, ping and
+ just-a-few-ports scans) should benefit substantially from this
+ change. If you encounter any problems, please let us know. The new
+ --system_dns option was added so you can use the (slow) system
+ resolver if you prefer that for some reason. You can specify a
+ comma separated list of DNS server IP addresses for Nmap to use with
+ the new --dns_servers option. Otherwise, Nmap looks in
+ /etc/resolve.conf (UNIX) or the system registry (Windows) to obtain
+ the nameservers already configured for your system. This excellent
+ patch was written by Doug Hoyte (doug(a)hcsw.org).
+
+o Added the --badsum option, which causes Nmap to use invalid TCP or
+ UDP checksums for packets sent to target hosts. Since virtually all
+ host IP stacks properly drop these packets, any responses received
+ are likely coming from a firewall or IDS that didn't bother to
+ verify the checksum. For more details on this technique, see
+ http://www.phrack.org/phrack/60/p60-0x0c.txt . The author of that
+ paper, Ed3f (ed3f(a)antifork.org), is also the author of this patch
+ (which I changed it a bit).
+
+o The 26 Nmap commands that previously included an underscore
+ (--max_rtt_timeout, --send_eth, --host_timeout, etc.) have been
+ renamed to use a hyphen in the preferred format
+ (i.e. --max-rtt-timeout). Underscores are still supported for
+ backward compatibility.
+
+o More excellent NmapFE patches from Priit Laes (amd(a)store20.com)
+ were applied to remove all deprecated GTK API calls. This also
+ eliminates the annoying Gtk-Critical and Gtk-WARNING runtime messages.
+
+o Changed the way the __attribute__ compiler extension is detected so
+ that it works with the latest Fedora Core 4 updates (and perhaps other
+ systems). Thanks to Duilio Protti (dprotti(a)fceia.unr.edu.ar) for
+ writing the patch. The compilation error message this fixes was
+ usually something like: "nmap.o(.rodata+0x17c): undefined reference
+ to `__gthrw_pthread_cancel(unsigned long)"
+
+o Added some exception handling code to mswin32/winfix.cc to prevent
+ Nmap from crashing mysteriously when you have WinPcap 3.0 or earlier
+ (instead of the required 3.1). It now prints an error message instead
+ asking you to upgrade, then reduces functionality to connect()-only
+ mode. I couldn't get it working with the C++ standard try/catch()
+ blocks, but as soon as I used the nonstandard MS conventions
+ (__try/__except(), everything worked fine. Shrug.
+
+o Stripped the firewall API out of the libdnet included with Nmap
+ because Nmap doesn't use it anyway. This saves space and reduces the
+ likelihood of compilation errors and warnings.
+
+o Modified the previously useless --noninteractive option so that it
+ deactivates runtime interaction.
+
+Nmap 3.96BETA1 [2005-12-29]
+
+o Added --max_retries option for capping the maximum number of
+ retransmissions the port scan engine will do. The value may be as low
+ as 0 (no retransmits). A low value can increase speed, though at the
+ risk of losing accuracy. The -T4 option now allows up to 6 retries,
+ and -T5 allows 2. Thanks to Martin Macok
+ (martin.macok(a)underground.cz) for writing the initial patch, which I
+ changed quite a bit. I also updated the docs to reflect this neat
+ new option.
+
+o Many of the Nmap low-level timing options take a value in
+ milliseconds. You can now append an 's', 'm', or 'h' to the value
+ to give it in seconds, minutes, or hours instead. So you can specify a
+ 45 minute host timeout with --host_timeout 45m rather than specifying
+ --host_timeout 2700000 and hoping you did the math right and have the
+ correct number of zeros. This also now works for the
+ --min_rtt_timeout, --max_rtt_timeout, --initial_rtt_timeout,
+ --scan_delay, and --max_scan_delay options.
+
+o Improved the NmapFE port to GTK2 so it better-conforms to the new
+ API and you don't get as many annoying messages in your terminal
+ window. GTK2 is prettier and more functional too. Thanks to Priit
+ Laes (amd(a)store20.com) for writing these
+ excellent patches.
+
+o Fixed a problem which led to the error message "Failed to determine
+ dst MAC address for target" when you try to run Nmap using a
+ dialup/PPP adapter on Windows rather than a real ethernet card. Due
+ to Microsoft breaking raw sockets, Nmap no longer supports dialup
+ adapters, but it should now give you a clearer error message than
+ the "dst MAC address" nonsense.
+
+o Debian GNU/kFreeBSD is now supported thanks to a patch to libdnet's
+ configure.in by Petr Salinger (Petr.Salinger(a)t-systems.cz).
+
+o Tried to update to the latest autoconf only to find that there
+ hasn't been a new version in more than two years :(. I was able to
+ find new config.sub and config.guess files at
+ http://cvs.savannah.gnu.org/viewcvs/config/config/ , so I updated to
+ those.
+
+o Fixed a problem with the -e option when run on Windows (or UNIX with
+ --send_eth) when run on an ethernet network against an external
+ (routed) host. You would get the message "NmapArpCache() can only
+ take IPv4 addresses. Sorry". Thanks to KX (kxmail(a)gmail.com) for
+ helping to track down the problem.
+
+o Made some changes to allow source port zero scans (-g0). Nmap used
+ to refuse to do this, but now it just gives a warning that it may not
+ work on all systems. It seems to work fine on my Linux box. Thanks
+ to Bill Dale (bill_dale(a)bellsouth.net) for suggesting this feature.
+
+o Made a change to libdnet so that Windows interfaces are listed as
+ down if they are disconnected, unplugged, or otherwise unavailable.
+
+o Ceased including foreign translations in the Nmap tarball as they
+ take up too much space. HTML versions can be found at
+ https://nmap.org/docs.html , while XML and NROFF versions
+ are available from https://svn.nmap.org/nmap/docs/man-xlate/ .
+
+o Changed INSTALL and README-WIN32 files to mostly just reference the
+ new Nmap Install Guide at https://nmap.org/book/install.html .
+
+o Included docs/nmap-man.xml in the tarball distribution, which is the
+ DocBook XML source for the Nmap man page. Patches to Nmap that are
+ user-visible should include patches to the man page XML source rather
+ than to the generated Nroff.
+
+o Fixed Nmap so it doesn't crash when you ask it to resume a previous
+ scan, but pass in a bogus file rather than actual Nmap output. Thanks
+ to Piotr Sobolewski (piotr_sobolewski(a)o2.pl) for the fix.
+
+Nmap 3.95 [2005-12-8]
+
+o Fixed a crash in IPID Idle scan. Thanks to Ron
+ (iago(a)valhallalegends.com>, Bakeman (bakeman(a)physics.unr.edu),
+ and others for reporting the problem.
+
+o Fixed an inefficiency in RPC scan that could slow things down and
+ also sometimes resulted in the spurious warning message: "Unable to
+ find listening socket in get_rpc_results"
+
+o Fixed a 3.94ALPHA3 bug that caused UDP scan results to be listed as
+ TCP ports instead. Thanks to Justin M Cacak (jcacak(a)nebraska.edu)
+ for reporting the problem.
+
+Nmap 3.94ALPHA3 [2005-12-6]
+
+o Updated NmapFE to build with GTK2 rather than obsolete GTK1. Thanks
+ to Mike Basinger (dbasinge(a)speakeasy.net) and Meethune Bhowmick
+ (meethune(a)oss-institute.org) for developing the
+ patch. I made some changes as well to prevent compilation warnings.
+ The new NmapFE now seems to work, though I do get "Gtk-CRITICAL"
+ assertion error messages. If someone has time to look into this, that
+ would be appreciated.
+
+o Fixed a compilation problem on Mac OS X and perhaps other platforms
+ with a one-line fix to scan_engine.cc. Thanks to Felix Gröbert
+ (felix(a)groebert.org) for notifying me of the problem.
+
+o Fixed a problem that prevented the command "nmap -sT -PT [targets]"
+ from working from a non-privileged user account. The -PT option
+ doesn't change default behavior in this case, but Nmap should (and now
+ does) allow it.
+
+o Applied another VS 2005 compatibility patch from KX (kxmail(a)gmail.com).
+
+o Define INET_ADDRSTRLEN in tcpip.h if the system doesn't define it
+ for us. This apparently aids compilation on Solaris 2.6 and 7.
+ Thanks to Albert Chin (nmap-hackers(a)mlists.thewrittenword.com) for
+ sending the patch..
+
+Nmap 3.94ALPHA2 [2005-12-4]
+
+o Put Nmap on a diet, with changes to the core port scanning routine
+ (ultra_scan) to substantially reduce memory consumption, particularly
+ when tens of thousands of ports are scanned.
+
+o Fixed a problem with the -S and option on Windows reporting "Failed
+ to resolve/decode supposed IPv4 source address". The -D (decoy)
+ option was probably broken on that platform too. Thanks to KX
+ (kxmail(a)gmail.com) for reporting the problem and tracking down a
+ potential solution.
+
+o Better handle ICMP type 3, code 0 (network unreachable) responses to
+ port scan packets. These are rarely seen when scanning hosts that
+ are actually online, but are still worth handling.
+
+o Applied some small fixes so that Nmap compiles with Visual C++
+ 2005 Express, which is free from Microsoft at
+ http://msdn.microsoft.com/vstudio/express/visualc/ . Thanks to KX
+ (kxmail(a)gmail.com) and Sina Bahram (sbahram(a)nc.rr.com)
+
+o Removed foreign translations of the old man page from the
+ distribution. Included the following contributed translations
+ (nroff format) of the new man page:
+ - Brazilian Portuguese by Lucien Raven (lucienraven(a)yahoo.com.br)
+ - Portuguese (Portugal) by José Domingos (jd_pt(a)yahoo.com) and
+ Andreia Gaita (shana.ufie(a)gmail.com).
+
+o Added --thc option (undocumented)
+
+o Modified libdnet-stripped/src/eth-bsd.c to allow for up to 128 bpf
+ devices rather than 32. This prevents errors like "Failed to open
+ ethernet interface (fxp0)" when there are more than 32 interface
+ aliases. Thanks to Krok (krok(a)void.ru) for reporting the problem
+ and even sending a patch.
+
+Nmap 3.94ALPHA1 [2005-11-27]
+
+o Wrote a new man page from scratch. It is much more comprehensive
+ (more than twice as long) and (IMHO) better organized than the
+ previous one. Read it online at https://nmap.org/book/man.html
+ or docs/nmap.1 from the Nmap distribution. Let me know if you have
+ any ideas for improving it.
+
+o Wrote a new "help screen", which you get when running Nmap without
+ arguments. It is also reproduced in the man page and at
+ https://svn.nmap.org/nmap/docs/nmap.usage.txt . I gave up trying
+ to fit it within a 25-line, 80-column terminal window. It is now 78
+ lines and summarizes all but the most obscure Nmap options.
+
+o Version detection softmatches (when Nmap determines the service
+ protocol such as smtp but isn't able to determine the app name such as
+ Postfix) can now parse out the normal match line fields such as
+ hostname, device type, and extra info. For example, we may not know
+ what vendor created an sshd, but we can still parse out the protocol
+ number. This was a patch from Doug Hoyte (doug(a)hcsw.org).
+
+o Fixed a problem which caused UDP version scanning to fail to print
+ the matched service. Thanks to Martin Macok
+ (martin.macok(a)underground.cz) for reporting the problem and Doug
+ Hoyte (doug(a)hcsw.org) for fixing it.
+
+o Made the version detection "ports" directive (in
+ nmap-service-probes) more comprehensive. This should speed up scans a
+ bit. The patch was done by Doug Hoyte (doug(a)hcsw.org).
+
+o Added the --webxml option, which does the same thing as
+ --stylesheet https://svn.nmap.org/nmap/docs/nmap.xsl , without
+ requiring you to remember the exact URL or type that whole thing.
+
+o Fixed a crash occurred when the --exclude option was used with
+ netmasks on certain platforms. Thanks to Adam
+ (nmapuser(a)globalmegahost.com) for reporting the problem and to
+ Greg Darke (starstuff(a)optusnet.com.au) for sending a patch (I
+ modified the patch a bit to make it more efficient).
+
+o Fixed a problem with the -S and -e options (spoof/set
+ source address, and set interface by name, respectively). The problem
+ report and a partial patch were sent by Richard Birkett
+ (richard(a)musicbox.net).
+
+o Fixed a possible aliasing problem in tcpip.cc by applying a patch sent in by
+ Gwenole Beauchesne (gbeauchesne(a)mandriva.com). This problem
+ shouldn't have had any effect on users since we already include the
+ -fno-strict-aliasing option whenever gcc 4 is detected, but it
+ brings us closer to being able to remove that option.
+
+o Fixed a bug that caused Nmap to crash if an nmap-service-probes file
+ was used which didn't contain the Exclude directive.
+
+o Fixed a bunch of typos and misspellings throughout the Nmap source
+ code (mostly in comments). This was a 625-line patch by Saint Xavier
+ (skyxav(a)skynet.be).
+
+o Nmap now accepts target list files in Windows end-of-line format (\r\n)
+ as well as standard UNIX format (\n) on all platforms. Passing a
+ Windows style file to Nmap on UNIX didn't work before unless you ran
+ dos2unix first.
+
+o Removed Identd scan support from NmapFE since Nmap no longer
+ supports it. Thanks to Jonathan Dieter (jdieter99(a)gmx.net) for the
+ patch.
+
+o Integrated all of the September version detection fingerprint
+ submissions. This was done by Version Detection Czar Doug Hoyte
+ (doug(a)hcsw.org) and resulted in 86 new match lines. Please keep
+ those submissions coming!
+
+o Fixed a divide-by-zero crash when you specify rather bogus
+ command-line arguments (a TCP scan with zero tcp ports). Thanks to
+ Bart Dopheide (dopheide(a)fmf.nl) for identifying the problem and
+ sending a patch.
+
+o Fixed a minor syntax error in tcpip.h that was causing problems with
+ GCC 4.1. Thanks to Dirk Mueller (dmuell(a)gmx.net) for reporting
+ the problem and sending a fix.
+
+Nmap 3.93 [2005-9-12]
+
+o Modified Libpcap's configure.ac to compile with the
+ -fno-strict-aliasing option if gcc 4.X is used. This prevents
+ crashes when said compiler is used. This was done for Nmap in 3.90, but is
+ apparently needed for pcap too. Thanks to Craig Humphrey
+ (Craig.Humphrey(a)chapmantripp.com) for the discovery.
+
+o Patched libdnet to include sys/uio.h in src/tun-linux.c. This is
+ apparently necessary on some Glibc 2.1 systems. Thanks to Rob Foehl
+ (rwf(a)loonybin.net) for the patch.
+
+o Fixed a crash which could occur when a ridiculously short
+ --host_timeout was specified on Windows (or on UNIX if --send_eth was
+ specified). Nmap now also prints a warning if you specify a
+ host_timeout of less than 1 second. Thanks to Ole Morten Grodaas
+ (grodaas(a)gmail.com) for discovering the problem.
+
+Nmap 3.91 [2005-9-11]
+
+o Fixed a crash on Windows when you -P0 scan an unused IP on a local
+ network (or a range that contains unused IPs). This could also
+ happen on UNIX if you specified the new --send_eth option. Thanks
+ to Jim Carras (JFCECL(a)engr.psu.edu) for reporting the problem.
+
+o Fixed compilation on OpenBSD by applying a patch from Okan Demirmen
+ (okan(a)demirmen.com), who maintains Nmap in the OpenBSD Ports
+ collection.
+
+o Updated nmap-mac-prefixes to include OUIs assigned by the IEEE since
+ April.
+
+o Updated the included libpcre (used for version detection) from
+ version 4.3 to 6.3. A libpcre security issue was fixed in 6.3, but
+ that issue never affected Nmap.
+
+o Updated the included libpcap from 0.8.3 to 0.9.3. I also changed
+ the directory name in the Nmap tarball from libpcap-possiblymodified
+ to just libpcap. As usual, the modifications are described in the
+ NMAP_MODIFICATIONS in that directory.
+
+Nmap 3.90 [2005-9-8]
+
+o Added the ability for Nmap to send and properly route raw ethernet
+ packets containing IP datagrams rather than always sending the
+ packets via raw sockets. This is particularly useful for Windows,
+ since Microsoft has disabled raw socket support in XP for no good
+ reason. Nmap tries to choose the best method at runtime based on
+ platform, though you can override it with the new --send_eth and
+ --send_ip options.
+
+o Added ARP scanning (-PR). Nmap can now send raw ethernet ARP requests to
+ determine whether hosts on a LAN are up, rather than relying on
+ higher-level IP packets (which can only be sent after a successful
+ ARP request and reply anyway). This is much faster and more
+ reliable (not subject to IP-level firewalling) than IP-based probes.
+ The downside is that it only works when the target machine is on the
+ same LAN as the scanning machine. It is now used automatically for
+ any hosts that are detected to be on a local ethernet network,
+ unless --send_ip was specified. Example usage: nmap -sP -PR
+ 192.168.0.0/16 .
+
+o Added the --spoof_mac option, which asks Nmap to use the given MAC
+ address for all of the raw ethernet frames it sends. The MAC given
+ can take several formats. If it is simply the string "0", Nmap
+ chooses a completely random MAC for the session. If the given
+ string is an even number of hex digits (with the pairs optionally
+ separated by a colon), Nmap will use those as the MAC. If less than
+ 12 hex digits are provided, Nmap fills in the remainder of the 6
+ bytes with random values. If the argument isn't a 0 or hex string,
+ Nmap looks through the nmap-mac-prefixes to find a vendor name
+ containing the given string (it is case insensitive). If a match is
+ found, Nmap uses the vendor's OUI (3-byte prefix) and fills out the
+ remaining 3 bytes randomly. Valid --spoof_mac argument examples are
+ "Apple", "0", "01:02:03:04:05:06", "deadbeefcafe", "0020F2", and
+ "Cisco".
+
+o Applied an enormous nmap-service-probes (version detection) update
+ from SoC student Doug Hoyte (doug(a)hcsw.org). Version 3.81 had
+ 1064 match lines covering 195 service protocols. Now we have 2865
+ match lines covering 359 protocols! So the database size has nearly
+ tripled! This should make your -sV scans quicker and more
+ accurate. Thanks also go to the (literally) thousands of you who
+ submitted service fingerprints. Keep them coming!
+
+o Applied a massive OS fingerprint update from Zhao Lei
+ (zhaolei(a)gmail.com). About 350 fingerprints were added, and many
+ more were updated. Notable additions include Mac OS X 10.4 (Tiger),
+ OpenBSD 3.7, FreeBSD 5.4, Windows Server 2003 SP1, Sony AIBO (along
+ with a new "robotic pet" device type category), the latest Linux 2.6
+ kernels Cisco routers with IOS 12.4, a ton of VoIP devices, Tru64
+ UNIX 5.1B, new Fortinet firewalls, AIX 5.3, NetBSD 2.0, Nokia IPSO
+ 3.8.X, and Solaris 10. Of course there are also tons of new
+ broadband routers, printers, WAPs and pretty much any other device
+ you can coax an ethernet cable (or wireless card) into!
+
+o Added 'leet ASCII art to the configurator! ARTIST NOTE: If you think
+ the ASCII art sucks, feel free to send me alternatives. Note that
+ only people compiling the UNIX source code get this (ASCII artist
+ unknown).
+
+o Added OS, device type, and hostname detection using the service
+ detection framework. Many services print a hostname, which may be
+ different than DNS. The services often give more away as well. If
+ Nmap detects IIS, it reports an OS family of "Windows". If it sees
+ HP JetDirect telnetd, it reports a device type of "printer". Rather
+ than try to combine TCP/IP stack fingerprinting and service OS
+ fingerprinting, they are both printed. After all, they could
+ legitimately be different. An IP that gives a stack fingerprint
+ match of "Linksys WRT54G broadband router" and a service fingerprint
+ of Windows based on Kazaa running is likely a common NAT setup rather
+ than an Nmap mistake.
+
+o Nmap on Windows now compiles/links with the new WinPcap 3.1
+ header/lib files. So please upgrade to 3.1 from
+ http://www.winpcap.org before installing this version of Nmap.
+ While older versions may still work, they aren't supported with Nmap.
+
+o The official Nmap RPM files are now compiled statically for better
+ compatibility with other systems. X86_64 (AMD Athlon64/Opteron)
+ binaries are now available in addition to the standard i386. NmapFE
+ RPMs are no longer distributed by Insecure.Org.
+
+o Nmap distribution signing has changed. Release files are now signed
+ with a new Nmap Project GPG key (KeyID 6B9355D0). Fyodor has also
+ generated a new key for himself (KeyID 33599B5F). The Nmap key has
+ been signed by Fyodor's new key, which has been signed by Fyodor's
+ old key so that you know they are legit. The new keys are available
+ at https://svn.nmap.org/nmap/docs/nmap_gpgkeys.txt , as
+ docs/nmap_gpgkeys.txt in the Nmap source tarball, and on the public
+ keyserver network. Here are the fingerprints:
+ pub 1024D/33599B5F 2005-04-24
+ Key fingerprint = BB61 D057 C0D7 DCEF E730 996C 1AF6 EC50 3359 9B5F
+ uid Fyodor <fyodor@insecure.org>
+ sub 2048g/D3C2241C 2005-04-24
+ .
+ pub 1024D/6B9355D0 2005-04-24
+ Key fingerprint = 436D 66AB 9A79 8425 FDA0 E3F8 01AF 9F03 6B93 55D0
+ uid Nmap Project Signing Key (http://www.insecure.org/)
+ sub 2048g/A50A6A94 2005-04-24
+
+o Fixed a crash problem related to non-portable varargs (vsnprintf)
+ usage. Reports of this crash came from Alan William Somers
+ (somers(a)its.caltech.edu) and Christophe (chris.branch(a)gmx.de).
+ This patch was prevalent on Linux boxes running an Opteron/Athlon64
+ CPU in 64-bit mode.
+
+o Fixed crash when Nmap is compiled using gcc 4.X by adding the
+ -fno-strict-aliasing option when that compiler is detected. Thanks
+ to Greg Darke (starstuff(a)optusnet.com.au) for discovering that
+ this option fixes (hides) the problem and to Duilio J. Protti
+ (dprotti(a)flowgate.net) for writing the configure patch to detect
+ gcc 4 and add the option. A better fix is to identify and rewrite
+ lines that violate C99 alias rules, and we are looking into that.
+
+o Added "rarity" feature to Nmap version detection. This causes
+ obscure probes to be skipped when they are unlikely to help. Each
+ probe now has a "rarity" value. Probes that detect dozens of
+ services such as GenericLines and GetRequest have rarity values of
+ 1, while the WWWOFFLEctrlstat and mydoom probes have a rarity of 9.
+ When interrogating a port, Nmap always tries probes registered to
+ that port number. So even WWWOFFLEctrlstat will be tried against
+ port 8081 and mydoom will be tried against open ports between 3127
+ and 3198. If none of the registered ports find a match, Nmap tries
+ probes that have a rarity less than or equal to its current
+ intensity level. The intensity level defaults to 7 (so that most of
+ the probes are done). You can set the intensity level with the new
+ --version_intensity option. Alternatively, you can just use
+ --version_light or --version_all which set the intensity to 2 (only
+ try the most important probes and ones registered to the port
+ number) and 9 (try all probes), respectively. --version_light is
+ much faster than default version detection, but also a bit less
+ likely to find a match. This feature was designed and implemented
+ by Doug Hoyte (doug(a)hcsw.org).
+
+o Added a "fallback" feature to the nmap-service-probes database.
+ This allows a probe to "inherit" match lines from other probes. It
+ is currently only used for the HTTPOptions, RTSPRequest, and
+ SSLSessionReq probes to inherit all of the match lines from
+ GetRequest. Some servers don't respond to the Nmap GetRequest (for
+ example because it doesn't include a Host: line) but they do respond
+ to some of those other 3 probes in ways that GetRequest match lines
+ are general enough to match. The fallback construct allows us to
+ benefit from these matches without repeating hundreds of signatures
+ in the file. This is another feature designed and implemented
+ by Doug Hoyte (doug(a)hcsw.org).
+
+o Fixed crash with certain --excludefile or
+ --exclude arguments. Thanks to Kurt Grutzmacher
+ (grutz(a)jingojango.net) and pijn trein (ptrein(a)gmail.com) for
+ reporting the problem, and to Duilio J. Protti
+ (dprotti(a)flowgate.net) for debugging the issue and sending the
+ patch.
+
+o Updated random scan (ip_is_reserved()) to reflect the latest IANA
+ assignments. This patch was sent in by Felix Groebert
+ (felix(a)groebert.org).
+
+o Included new Russian man page translation by
+ locco_bozi(a)Safe-mail.net
+
+o Applied patch from Steve Martin (smartin(a)stillsecure.com) which
+ standardizes many OS names and corrects typos in nmap-os-fingerprints.
+
+o Fixed a crash found during certain UDP version scans. The crash was
+ discovered and reported by Ron (iago(a)valhallalegends.com) and fixed
+ by Doug Hoyte (doug(a)hcsw.com).
+
+o Added --iflist argument which prints a list of system interfaces and
+ routes detected by Nmap.
+
+o Fixed a protocol scan (-sO) problem which led to the error message:
+ "Error compiling our pcap filter: syntax error". Thanks to Michel
+ Arboi (michel(a)arboi.fr.eu.org) for reporting the problem.
+
+o Fixed an Nmap version detection crash on Windows which led to the
+ error message "Unexpected error in NSE_TYPE_READ callback. Error
+ code: 10053 (Unknown error)". Thanks to Srivatsan
+ (srivatsanp(a)adventnet.com) for reporting the problem.
+
+o Fixed some misspellings in docs/nmap.xml reported by Tom Sellers.
+
+o Applied some changes from Gisle Vanem (giva(a)bgnett.no) to make
+ Nmap compile with Cygwin.
+
+o XML "osmatch" element now has a "line" attribute giving the
+ reference fingerprint line number in nmap-os-fingerprints.
+
+o Added a distcc probes and a bunch of smtp matches from Dirk Mueller
+ (mueller(a)kde.org) to nmap-service-probes. Also added AFS version
+ probe and matches from Lionel Cons (lionel.cons(a)cern.ch). And
+ even more probes and matches from Martin Macok
+ (martin.macok(a)underground.cz)
+
+o Fixed a problem where Nmap compilation would use header files from
+ the libpcap included with Nmap even when it was linking to a system
+ libpcap. Thanks to Solar Designer (solar(a)openwall.com) and Okan
+ Demirmen (okan(a)demirmen.com) for reporting the problem.
+
+o Added configure option --with-libpcap=included to tell Nmap to use
+ the version of libpcap it ships with rather than any that may already be
+ installed on the system. You can still use --with-libpcap=[dir] to
+ specify that a system libpcap be installed rather than the shipped
+ one. By default, Nmap looks at both and decides which one is likely
+ to work best. If you are having problems on Solaris, try
+ --with-libpcap=included .
+
+o Changed the --no-stylesheet option to --no_stylesheet to be
+ consistent with all of the other Nmap options. Though I'm starting to
+ like hyphens a bit better than underscores and may change all of the
+ options to use hyphens instead at some point.
+
+o Added "Exclude" directive to nmap-service-probes grammar which
+ causes version detection to skip listed ports. This is helpful for
+ ports such as 9100. Some printers simply print any data sent to
+ that port, leading to pages of HTTP requests, SMB queries, X Windows
+ probes, etc. If you really want to scan all ports, specify
+ --allports. This patch came from Doug Hoyte (doug(a)hcsw.org).
+
+o Added a stripped-down and heavily modified version of Dug Song's
+ libdnet networking library (v. 1.10). This helps with the new raw
+ ethernet features. My (extensive) changes are described in
+ libdnet-stripped/NMAP_MODIFICATIONS
+
+o Removed WinIP library (and all Windows raw sockets code) since MS
+ has gone and broken raw sockets. Maybe packet receipt via raw
+ sockets will come back at some point. As part of this removal, the
+ Windows-specific --win_help, --win_list_interfaces, --win_norawsock,
+ --win_forcerawsock, --win_nopcap, --win_nt4route, --win_noiphlpapi,
+ and --win_trace options have been removed.
+
+o Changed the interesting ports array from a 65K-member array of
+ pointers into an STL list. This noticeable reduces memory usage in
+ some cases, and should also give a slight runtime performance
+ boost. This patch was written by Paul Tarjan (ptarjan(a)gmail.com).
+
+o Removed the BSDFIX/BSDUFIX macros. The underlying bug in
+ FreeBSD/NetBSD is still there though. When an IP packet is sent
+ through a raw socket, these platforms require the total length and
+ fragmentation offset fields of an IP packet to be in host byte order
+ rather than network byte order, even though all the other fields
+ must be in NBO. I believe that OpenBSD fixed this a while back.
+ Other platforms, such as Linux, Solaris, Mac OS X, and Windows take
+ all of the fields in network byte order. While I removed the macro,
+ I still do the munging where required so that Nmap still works on
+ FreeBSD.
+
+o Integrated many nmap-service-probes changes from Bo Jiang
+ (jiangbo(a)brandeis.edu)
+
+o Added a bunch of RPC numbers from nmap-rpc maintainer Eilon Gishri
+ (eilon(a)aristo.tau.ac.il)
+
+o Added some new RPC services to nmap-rpc thanks to a patch from
+ vlad902 (vlad902(a)gmail.com).
+
+o Fixed a bug where Nmap would quit on Windows whenever it encountered
+ a raw scan of localhost (including the local ethernet interface
+ address), even when that was just one address out of a whole network
+ being scanned. Now Nmap just warns that it is skipping raw scans when
+ it encounters the local IP, but continues on to scan the rest of the
+ network. Raw scans do not currently work against local IP addresses
+ because WinPcap doesn't support reading/writing localhost interfaces
+ due to limitations of Windows.
+
+o The OS fingerprint is now provided in XML output if debugging is
+ enabled (-d) or verbosity is at least 2 (-v -v). This patch was
+ sent by Okan Demirmen (okan(a)demirmen.com)
+
+o Fixed the way tcp connect scan (-sT) response to ICMP network
+ unreachable responses (patch by Richard Moore
+ (rich(a)westpoint.ltd.uk).
+
+o Update random host scan (-iR) to support the latest IANA-allocated
+ ranges, thanks to patch by Chad Loder (cloder(a)loder.us).
+
+o Updated GNU shtool (a helper program used during 'make install' to
+ version 2.0.2, which fixes a predictable temporary filename
+ weakness discovered by Eric Raymond.
+
+o Removed addport element from XML DTD, since it is no longer used
+ (suggested by Lionel Cons (lionel.cons(a)cern.ch)
+
+o Added new --privileged command-line option and NMAP_PRIVILEGED
+ environmental variable. Either of these tell Nmap to assume that
+ the user has full privileges to execute raw packet scans, OS
+ detection and the like. This can be useful when Linux kernel
+ capabilities or other systems are used that allow non-root users to
+ perform raw packet or ethernet frame manipulation. Without this
+ flag or variable set, Nmap bails on UNIX if geteuid() is
+ nonzero.
+
+o Changed the RPM spec file so that if you define "static" to 1 (by
+ passing --define "static 1" to rpmbuild), static binaries are built.
+
+o Fixed Nmap compilation on Solaris x86 thanks to a patch from Simon
+ Burr (simes(a)bpfh.net).
+
+o ultra_scan() now sets pseudo-random ACK values (rather than 0) for
+ any TCP scans in which the initial probe packet has the ACK flag set.
+ This would be the ACK, Xmas, Maimon, and Window scans.
+
+o Updated the Nmap version number, description, and similar fields
+ that MS Visual Studio places in the binary. This was done by editing
+ mswin32/nmap.rc as suggested by Chris Paget (chrisp(a)ngssoftware.com)
+
+o Fixed Nmap compilation on DragonFly BSD (and perhaps some other
+ systems) by applying a short patch by Joerg Sonnenberger which omits
+ the declaration of errno if it is a #define.
+
+o Fixed an integer overflow that prevented Nmap from scanning
+ 2,147,483,648 hosts in one expression (e.g. 0.0.0.0/1). Problem
+ noted by Justin Cranford (jcranford(a)n-able.com). While /1 scans
+ are now possible, don't expect them to finish during your bathroom
+ break. No matter how constipated you are.
+
+o Increased the buffer size allocated for fingerprints to prevent Nmap
+ from running out and quitting (error message: "Assertion
+ `servicefpalloc - servicefplen > 8' failed". Thanks to Mike Hatz
+ (mhatz(a)blackcat.com) for the report. (Actually this was done in a
+ previous version, but I forgot which one.)
+
+o Changed from CVS to Subversion source control system (which
+ rocks!). Neither repository is public (I'm paranoid because both CVS
+ and SVN have had remotely exploitable security holes), so the main
+ change users will see is that "Id" tags in file headers use the SVN
+ format for version numbering and such.
+
+Nmap 3.81 [2005-2-7]
+
+o Nmap now ships with and installs (in the same directory as other
+ data files such as nmap-os-fingerprints) an XSL stylesheet for
+ rendering the XML output as HTML. This stylesheet was written by
+ Benjamin Erb ( see http://www.benjamin-erb.de/nmap/ for examples).
+ It supports tables, version detection, color-coded port states, and
+ more. The XML output has been augmented to include an
+ xml-stylesheet directive pointing to nmap.xsl on the local
+ file system. You can point to a different XSL file by providing the
+ filename or URL to the new --stylesheet argument. Omit the
+ xml-stylesheet directive entirely by specifying --no-stylesheet.
+ The XML to HTML conversion can be done with an XSLT processor such
+ as Saxon, Sablot, or Xalan, but modern browsers can do this on the
+ fly -- simply load the XML output file in IE or Firefox. Some
+ features don't currently work with Firefox's on-the-fly rendering.
+ Perhaps some Mozilla wizard can fix that in either the XSL or the
+ browser itself. I hate having things work better in IE :). It is
+ often more convenient to have the stylesheet loaded from a URL
+ rather than the local file system, allowing the XML to be rendered on
+ any machine regardless of whether/where the XSL is installed. For
+ privacy reasons (avoid loading of an external URL when you view
+ results), Nmap uses the local file system by default. If you would
+ like the latest version of the stylesheet loaded from the web when
+ rendering, specify --stylesheet https://svn.nmap.org/nmap/docs/nmap.xsl .
+
+o Fixed fragmentation option (-f). One -f now sets sends fragments
+ with just 8 bytes after the IP header, while -ff sends 16 bytes to
+ reduce the number of fragments needed. You can specify your own
+ fragmentation offset (must be a multiple of 8) with the new --mtu
+ flag. Don't also specify -f if you use --mtu. Remember that some
+ systems (such as Linux with connection tracking) will defragment in
+ the kernel anyway -- so test first while sniffing with ethereal.
+ These changes are from a patch by Martin Macok
+ (martin.macok(a)underground.cz).
+
+o Nmap now prints the number (and total bytes) of raw IP packets sent
+ and received when it completes, if verbose mode (-v) is enabled. The
+ report looks like:
+ Nmap finished: 256 IP addresses (3 hosts up) scanned in 30.632 seconds
+ Raw packets sent: 7727 (303KB) | Rcvd: 6944 (304KB)
+
+o Fixed (I hope) an error which would cause the Windows version of
+ Nmap to abort under some circumstances with the error message
+ "Unexpected error in NSE_TYPE_READ callback. Error code: 10053
+ (Unknown error)". Problem reported by "Tony Golding"
+ (biz(a)tonygolding.com).
+
+o Added new "closed|filtered" state. This is used for Idle scan, since
+ that scan method can't distinguish between those two states. Nmap
+ previously just used "closed", but this is more accurate.
+
+o Null, FIN, Maimon, and Xmas scans now mark ports as "open|filtered"
+ instead of "open" when they fail to receive any response from the
+ target port. After all, it could just as easily be filtered as open.
+ This is the same change that was made to UDP scan in 3.70. Also as
+ with UDP scan, adding version detection (-sV) will change the state
+ from open|filtered to open if it confirms that they really are open.
+
+o Fixed a bug in ACK scan that could cause Nmap to crash with the
+ message "Unexpected port state: 6" in some cases. Thanks to Glyn
+ Geoghegan (glyng(a)corsaire.com) for reporting the problem.
+
+o Change IP protocol scan (-sO) so that a response from the target
+ host in any protocol at all will prove that protocol is open. As
+ before, no response means "open|filtered", an ICMP protocol
+ unreachable means "closed", and most other ICMP error messages mean
+ "filtered".
+
+o Patched a libpcap issue that prevented read timeouts from being
+ honored on Solaris (thus slowing down Nmap substantially). The
+ problem report and patch were sent in by Ben Harris
+ (bjh21(a)cam.ac.uk).
+
+o Changed IP protocol scan (-sO) so that it sends valid ICMP, TCP, and
+ UDP headers when scanning protocols 1, 6, and 17, respectively. An
+ empty IP header is still sent for all other protocols. This should
+ prevent the error messages such as "sendto in send_ip_packet:
+ sendto(3, packet, 20, 0, 192.31.33.7, 16) => Operation not
+ permitted" that Linux (and perhaps other systems) would give when
+ they try to interpret the raw packet. This also makes it more
+ likely that these protocols will elicit a response, proving that the
+ protocol is "open".
+
+o The windows build now uses header and static library files from
+ WinPcap 3.1Beta4. It also now prints out the DLL version you are
+ using when run with -d. I would recommend upgrading to 3.1Beta4 if
+ you have an older WinPcap installed.
+
+o Nmap now prints a warning message on Windows if WinPcap is not found
+ (it then reverts to raw sockets mode if available, as usual).
+
+o Added an NTP probe and matches to the version detection database
+ (nmap-service-probes) thanks to a submission from Martin
+ Macok (martin.macok(a)underground.cz).
+
+o Applied several Nmap service detection database updates sent in by
+ Martin Macok (martin.macok(a)underground.cz).
+
+o The XML nmaprun element now has a startstr attribute which gives the
+ human readable calendar time format that a scan started. Similarly
+ the finished element now has a timestr attribute describing when the
+ scan finished. These are in addition to the existing nmaprun/start
+ and finished/time attributes that provided the start and finish time
+ in UNIX time_t notation. This should help in development of
+ XSLT stylesheets for Nmap XML output.
+
+o Fixed a memory leak that would generally consume several hundred
+ bytes per down host scanned. While the effect for most scans is
+ negligible, it was overwhelming when Scott Carlson
+ (Scott.Carlson(a)schwab.com) tried to scan 16.8 million IPs
+ (10.0.0.0/8). Thanks to him for reporting the problem. Also thanks
+ to Valgrind ( http://valgrind.kde.org ) for making it easy to debug.
+
+o Fixed a crash on Windows systems that don't include the iphlpapi
+ DLL. This affects Win95 and perhaps other variants. Thanks to Ganga
+ Bhavani (GBhavani(a)everdreamcorp.com) for reporting the problem and
+ sending the patch.
+
+o Ensured that the device type, os vendor, and os family OS
+ fingerprinting classification values are scrubbed for XML compliance
+ in the XML output. Thanks to Matthieu Verbert
+ (mve(a)zurich.ibm.com) for reporting the problem and sending a patch.
+
+o Rewrote the host IP (target specification) parser for easier
+ maintenance and to fix a bug found by Netris (netris(a)ok.kz)
+
+o Changed to Nmap XML DTD to use the same xmloutputversion (1.01) as
+ newer versions of Nmap. Thanks to Laurent Estieux
+ (laurent.estieux(a)free.fr) for reporting the problem.
+
+o Fixed compilation on some HP-UX 11 boxes thanks to a patch by Petter
+ Reinholdtsen (pere(a)hungry.com).
+
+o Fixed a portability problem on some OpenBSD and FreeBSD machines
+ thanks to a patch by Okan Demirmen (okan(a)demirmen.com).
+
+o Applied Martin Macok's (martin.macok(a)underground.cz) "cosmetics
+ patch", which fixes a few typos and minor problems.
+
+Nmap 3.75 [2004-10-18]
+
+o Implemented a huge OS fingerprint database update. The number of
+ fingerprints increased more than 20% to 1,353 and many of the
+ existing ones are much improved. Notable updates include the fourth
+ edition of Bell Lab's Plan9, Grandstream's BugeTone 101 IP Phone,
+ and Bart's Network Boot Disk 2.7 (which runs MS-DOS). Oh, and Linux
+ kernels up to 2.6.8, dozens of new Windows fingerprints including XP
+ SP2, the latest Longhorn warez, and many modified Xboxes, OpenBSD
+ 3.6, NetBSD up to 2.0RC4, Apple's AirPort Express WAP and OS X
+ 10.3.3 (Panther) release, Novell Netware 6.5, FreeBSD 5.3-BETA, a
+ bunch of Linksys and D-Link consumer junk, the latest Cisco IOS 12.2
+ releases, a ton of miscellaneous broadband routers and printers, and
+ much more.
+
+o Updated nmap-mac-prefixes with the latest OUIs from the IEEE.
+
+o Updated nmap-protocols with the latest IP protocols from IANA
+
+o Added a few new Nmap version detection signatures thanks to a patch
+ from Martin Macok (martin.macok(a)underground.cz).
+
+o Fixed a crash problem in the Windows version of Nmap, thanks to a
+ patch from Ganga Bhavani GBhavani(a)everdreamcorp.com).
+
+o Fixed Windows service scan crashes that occur with the error message
+ "Unexpected nsock_loop error. Error code 10022 (Unknown error)". It
+ turns out that Windows does not allow select() calls with all three
+ FD sets empty. Lame. The Linux select() man page even suggests
+ calling "select with all three sets empty, n zero, and a non-null
+ timeout as a fairly portable way to sleep with subsecond precision."
+ Thanks to Gisle Vanem (giva(a)bgnett.no) for debugging help.
+
+o Added --max_scan_delay parameter. Nmap will sometimes increase the
+ delay itself when it detects many dropped packets. For example,
+ Solaris systems tend to respond with only one ICMP port unreachable
+ packet per second during a UDP scan. So Nmap will try to detect
+ this and lower its rate of UDP probes to one per second. This can
+ provide more accurate results while reducing network congestion, but
+ it can slow the scans down substantially. By default (with no -T
+ options specified), Nmap allows this delay to grow to one second per
+ probe. This option allows you to set a lower or higher maximum.
+ The -T4 and -T5 scan modes now limit the maximum scan delay for TCP
+ scans to 10 and 5 ms, respectively.
+
+o Fixed a bug that prevented RPC scan (-sR) from working for UDP ports
+ unless service detection (-sV) was used. -sV is still usually a
+ better approach than -sR, as the latter ONLY handles RPC. Thanks to
+ Stephen Bishop (sbishop(a)idsec.co.uk) for reporting the problem and
+ sending a patch.
+
+o Fixed nmap_fetchfile() to better find custom versions of data files
+ such as nmap-services. Note that the implicitly read directory
+ should be ~/.nmap rather than ~/nmap . So you may have to move any
+ customized files you now have in ~/nmap . Thanks to nnposter
+ (nnposter(a)users.sourceforge.net) for reporting the problem and
+ sending a patch.
+
+o Changed XML output so that the MAC address <address> element comes
+ right after the IPv4/IPv6 <address> element. Apparently this is
+ needed to comply with the DTD ( https://svn.nmap.org/nmap/docs/nmap.dtd ).
+ Thanks to Adam Morgan (adam.morgan(a)Q1Labs.com) and Florian Ebner
+ (Florian.Ebner(a)e-bros.de) for the problem reports.
+
+o Fixed an error in the Nmap RPM spec file reported by Pascal Trouvin
+ (pascal.trouvin(a)wanadoo.fr)
+
+o Fixed a timing problem in which a specified large --send_delay would
+ sometimes be reduced to 1 second during a scan. Thanks to Martin
+ Macok (martin.macok(a)underground.cz) for reporting the problem.
+
+o Fixed a timing problem with sneaky and paranoid modes (-T1 and -T0)
+ which would cause Nmap to continually scan the same port and never
+ hit other ports when scanning certain firewalled hosts. Thanks to
+ Curtis Doty (Curtis(a)GreenKey.net) for reporting the problem.
+
+o Fixed a bug in the build system that caused most Nmap subdirectories
+ to be configured twice. Changing the variable holding the name of
+ subdirs from $subdirs to $nmap_cfg_subdirs resolved the problem --
+ configure must have been using that variable name for its own internal
+ operations. Anyway, this should reduce compile time significantly.
+
+o Made a trivial change to nsock/src/nsock_event.c to work around a "a
+ bug in GCC 3.3.1 on FreeBSD/sparc64". I found the patch by digging
+ around the FreeBSD ports tree repository. It would be nice if the
+ FreeBSD Nmap port maintainers would report such things to me, rather
+ than fixing it in their own Nmap tree and then applying the patch to
+ every future version. On the other hand, they deserve some sort of
+ "most up-to-date" award. I stuck Nmap 3.71-PRE1 in the dist
+ directory for a few people to test, and made no announcement or
+ direct link. The FreeBSD crew found it and upgraded anyway :). The
+ gcc-workaround patch was apparently submitted to the FreeBSD folks
+ by Marius Strobl (marius(a)alchemy.franken.de).
+
+o Fixed (I hope) an OS detection timing issue which would in some
+ cases lead to the warning that "insufficient responses for TCP
+ sequencing (3), OS detection may be less accurate." Thanks to Adam
+ Kerrison (adam(a)tideway.com) for reporting the problem.
+
+o Modified the warning given when files such as nmap-services exist in
+ both the compiled in NMAPDATADIR and the current working directory.
+ That message should now only appear once and is more clear.
+
+o Fixed ping scan subsystem to work a little bit better when
+ --scan_delay (or some of the slower -T templates which include a scan
+ delay) is specified. Thanks to Shahid Khan (khan(a)asia.apple.com)
+ for suggestions.
+
+o Taught connect() scan to properly interpret ICMP protocol
+ unreachable messages. Thanks to Alan Bishoff
+ (abishoff(a)arc.nasa.gov) for the report.
+
+o Improved the nmapfe.desktop file to better comply with standards.
+ Thanks to Stephane Loeuillet (stephane.loeuillet(a)tiscali.fr) for
+ sending the patch.
+
+Nmap 3.70 [2004-8-31]
+
+o Rewrote core port scanning engine, which is now named ultra_scan().
+ Improved algorithms make this faster (often dramatically so) in
+ almost all cases. Not only is it superior against single hosts, but
+ ultra_scan() can scan many hosts (sometimes hundreds) in parallel.
+ This offers many efficiency/speed advantages. For example, hosts
+ often limit the ICMP port unreachable packets used by UDP scans to
+ 1/second. That made those scans extraordinarily slow in previous
+ versions of Nmap. But if you are scanning 100 hosts at once,
+ suddenly you can receive 100 responses per second. Spreading the
+ scan amongst hosts is also gentler toward the target hosts. Nmap
+ can still scan many ports at the same time, as well. If you find
+ cases where ultra_scan is slower or less accurate, please send a
+ report (including exact command-lines, versions used, and output, if
+ possible) to Fyodor.
+
+o Added --max_hostgroup option which specifies the maximum number of
+ hosts that Nmap is allowed to scan in parallel.
+
+o Added --min_hostgroup option which specifies the minimum number of
+ hosts that Nmap should scan in parallel (there are some exceptions
+ where Nmap will still scan smaller groups -- see man page). Of
+ course, Nmap will try to choose efficient values even if you don't
+ specify hostgroup restrictions explicitly.
+
+o Rewrote TCP SYN, ACK, Window, and Connect() scans to use
+ ultra_scan() framework, rather than the old pos_scan().
+
+o Rewrote FIN, Xmas, NULL, Maimon, UDP, and IP Protocol scans to use
+ ultra_scan(), rather than the old super_scan().
+
+o Overhauled UDP scan. Ports that don't respond are now classified as
+ "open|filtered" (open or filtered) rather than "open". The (somewhat
+ rare) ports that actually respond with a UDP packet to the empty
+ probe are considered open. If version detection is requested, it
+ will be performed on open|filtered ports. Any that respond to any of
+ the UDP probes will have their status changed to open. This avoids a
+ the false-positive problem where filtered UDP ports appear to be
+ open, leading to terrified newbies thinking their machine is
+ infected by back orifice.
+
+o Nmap now estimates completion times for almost all port scan types
+ (any that use ultra_scan()) as well as service scan (version
+ detection). These are only shown in verbose mode (-v). On scans
+ that take more than a minute or two, you will see occasional updates
+ like:
+ SYN Stealth Scan Timing: About 30.01% done; ETC: 16:04 (0:01:09 remaining)
+ New updates are given if the estimates change significantly.
+
+o Added --exclude option, which lets you specify a comma-separated
+ list of targets (hosts, ranges, netblocks) that should be excluded
+ from the scan. This is useful to keep from scanning yourself, your
+ ISP, particularly sensitive hosts, etc. The new --excludefile reads
+ the list (newline-delimited) from a given file. All the work was
+ done by Mark-David McLaughlin (mdmcl(a)cisco.com> and William McVey
+ ( wam(a)cisco.com ), who sent me a well-designed and well-tested
+ patch.
+
+o Nmap now has a "port scan ping" system. If it has received at least
+ one response from any port on the host, but has not received
+ responses lately (usually due to filtering), Nmap will "ping" that
+ known-good port occasionally to detect latency, packet drop rate,
+ etc.
+
+o Service/version detection now handles multiple hosts at once for
+ more efficient and less-intrusive operation.
+
+o Nmap now wishes itself a happy birthday when run on September 1 in
+ verbose mode! The first public release was on that date in 1997.
+
+o The port randomizer now has a bias toward putting
+ commonly-accessible ports (80, 22, etc.) near the beginning of the
+ list. Getting a response early helps Nmap calculate response times and
+ detect packet loss, so the scan goes faster.
+
+o Host timeout system (--host_timeout) overhauled to support host
+ parallelization. Hosts times are tracked separately, so a host that
+ finishes a SYN scan quickly is not penalized for an exceptionally
+ slow host being scanned at the same time.
+
+o When Nmap has not received any responses from a host, it can now
+ use certain timing values from other hosts from the same scan
+ group. This way Nmap doesn't have to use absolute-worst-case
+ (300bps SLIP link to Uzbekistan) round trip timeouts and such.
+
+o Enabled MAC address reporting when using the Windows version
+ of Nmap. Thanks to Andy Lutomirski (luto(a)stanford.edu) for
+ writing and sending the patch.
+
+o Workaround crippled raw sockets on Microsoft Windows XP SP2 scans.
+ I applied a patch by Andy Lutomirski (luto(a)stanford.edu) which
+ causes Nmap to default to WinPcap sends instead. The WinPcap send
+ functionality was already there for versions of Windows such as NT and
+ Win98 that never supported Raw Sockets in the first place.
+
+o Changed how Nmap sends ARP requests on Windows to use the iphlpapi
+ SendARP() function rather than creating it raw and reading the
+ response from the Windows ARP cache. This works around a
+ (reasonable) feature of Windows Firewall which ignored such
+ unsolicited responses. The firewall is turned on by default as of
+ Windows XP SP2. This change was implemented by Dana Epp
+ (dana(a)vulscan.com).
+
+o Fixed some Windows portability issues discovered by Gisle Vanem
+ (giva(a)bgnett.no).
+
+o Upgraded libpcap from version 0.7.2 to 0.8.3. This was an attempt
+ to fix an annoying bug, which I then found was actually in my code
+ rather than libpcap :).
+
+o Removed Ident scan (-I). It was rarely useful, and the
+ implementation would have to be rewritten for the new ultra_scan()
+ system. If there is significant demand, perhaps I'll put it back in
+ sometime.
+
+o Documented the --osscan_limit option, which saves time by skipping
+ OS detection if at least one open and one closed port are not found on
+ the remote hosts. OS detection is much less reliable against such
+ hosts anyway, and skipping it can save some time.
+
+o Updated nmapfe.desktop file to provide better NmapFE desktop support
+ under Fedora Core and other systems. Thanks to Mephisto
+ (mephisto(a)mephisto.ma.cx) for sending the patch.
+
+o Further nmapfe.desktop changes to better fit the freedesktop
+ standard. The patch came from Murphy (m3rf(a)swimmingnoodle.com).
+
+o Fixed capitalization (with a Perl script) of many over-capitalized
+ vendor names in nmap-mac-prefixes.
+
+o Ensured that MAC address vendor names are always escaped in XML
+ output if they contain illegal characters (particularly '&'). Thanks
+ to Matthieu Verbert (mve(a)zurich.ibm.com) for the report and a patch.
+
+o Changed xmloutputversion in XML output from 1.0 to 1.01 to note that
+ there was a slight change (which was actually the MAC stuff in 3.55).
+ Thanks to Lionel CONS (lionel.cons(a)cern.ch) for the suggestion.
+
+o Many Windows portability fix and bug fixes, thanks to patch from
+ Gisle Vanem (giva(a)bgnett.no). With these changes, he was able to
+ compile Nmap on Windows using MingW + gcc 3.4 C++ rather than MS
+ Visual Studio.
+
+o Removed (addport) tags from XML output. They used to provide open
+ ports as they were discovered, but don't work now that the port
+ scanners scan many hosts at once. They did not specify an IP
+ address. Of course the appropriate (port) tags are still printed
+ once scanning of a target is complete.
+
+o Configure script now detects GNU/k*BSD systems (whatever those are),
+ thanks to patch from Robert Millan (rmh(a)debian.org)
+
+o Fixed various crashes and assertion failures related to the new
+ ultra_scan() system, that were found by Arturo "Buanzo" Busleiman
+ (buanzo(a)buanzo.com.ar), Eric (catastrophe.net), and Bill Petersen
+ (bill.petersen(a)alcatel.com).
+
+o Fixed some minor memory leaks relating to ping and list scanning as
+ well as the Nmap output table. These were found with Valgrind (
+ http://valgrind.kde.org/ ).
+
+o Provide limited --packet_trace support for TCP connect() (-sT)
+ scans.
+
+o Fixed compilation on certain Solaris machines thanks to a patch by
+ Tom Duffy (tduffy(a)sun.com)
+
+o Fixed some warnings that crop up when compiling Nbase C files with a
+ C++ compiler. Thanks to Gisle Vanem (giva(a)bgnett.no) for sending
+ the patch.
+
+o Tweaked the License blurb on source files and in the man page. It
+ clarifies some issues and includes a new GPL exception that
+ explicitly allows linking with the OpenSSL library. Some people
+ believe that the GPL and OpenSSL licenses are incompatible without
+ this special exception.
+
+o Fixed some serious runtime portability issues on *BSD systems.
+ Thanks to Eric (catastrophe.net) for reporting the problem.
+
+o Changed the argument parser to better detect bogus arguments to the
+ -iR option.
+
+o Removed a spurious warning message relating to the Windows ARP cache
+ being empty. Patch by Gisle Vanem (giva(a)bgnett.no).
+
+o Removed some C++-style line comments (//) from nbase, because some C
+ compilers (particularly on Solaris) barf on those. Problem reported
+ by Raju Alluri <Raju.Alluri(a)Sun.COM>
+
+Nmap 3.55 [2004-7-7]
+
+o Added MAC address printing. If Nmap receives packet from a target
+ machine which is on an Ethernet segment directly connected to the
+ scanning machine, Nmap will print out the target MAC address. Nmap
+ also now contains a database (derived from the official IEEE
+ version) which it uses to determine the vendor name of the target
+ ethernet interface. The Windows version of Nmap does not yet have
+ this capability. If any Windows developer types are interesting in
+ adding it, you just need to implement IPisDirectlyConnected() in
+ tcpip.cc and then please send me the patch. Here are examples from
+ normal and XML output:
+ MAC Address: 08:00:20:8F:6B:2F (SUN Microsystems)
+ <address addr="00:A0:CC:63:85:4B" vendor="Lite-on Communications" addrtype="mac" />
+
+o Updated the XML DTD to support the newly printed MAC addresses.
+ Thanks to Thorsten Holz (thorsten.holz(a)mmweg.rwth-aachen.de) for
+ sending this patch.
+
+o Added a bunch of new and fixed service fingerprints for version
+ detection. These are from Martin Macok
+ (martin.macok(a)underground.cz).
+
+o Normalized many of the OS names in nmap-os-fingerprints (fixed
+ capitalization, typos, etc.). Thanks to Royce Williams
+ (royce(a)alaska.net) and Ping Huang (pshuang(a)alum.mit.edu) for
+ sending patches.
+
+o Modified the mswine32/nmap_performance.reg Windows registry file to
+ use an older and more compatible version. It also now includes the
+ value "StrictTimeWaitSeqCheck"=dword:00000001 , as suggested by Jim
+ Harrison (jmharr(a)microsoft.com). Without that latter value, the
+ TcpTimedWaitDelay value apparently isn't checked. Windows users
+ should apply the new registry changes by clicking on the .reg file.
+ Or do it manually as described in README-WIN32. This file is also
+ now available in the data directory at
+ https://svn.nmap.org/nmap/docs/nmap_performance.reg
+
+o Applied patch from Gisle Vanem (giva(a)bgnett.no) which allows the
+ Windows version of Nmap to work with WinPCAP 3.1BETA (and probably
+ future releases). The WinPcap folks apparently changed the encoding
+ of adapter names in this release.
+
+o Fixed a ping scanning bug that would cause this error message: "nmap:
+ targets.cc:196: int hostupdate (Target **, Target *, int, int, int,
+ timeout_info *, timeval *, timeval *, pingtune *, tcpqueryinfo *,
+ pingstyle): Assertion `pt->down_this_block > 0' failed." Thanks to
+ Beirne Konarski (beirne(a)neo.rr.com) for reporting the problem.
+
+o If a user attempts -PO (the letter O), print an error suggesting
+ that they probably mean -P0 (Zero) to disable ping scanning.
+
+o Applied a couple patches (with minor changes) from Oliver Eikemeier
+ (eikemeier(a)fillmore-labs.com) which fix an edge case relating to
+ decoy scanning IP ranges that must be sent through different
+ interfaces, and improves the Nmap response to certain error codes
+ returned by the FreeBSD firewall system. The patches are from
+ http://cvsweb.freebsd.org/ports/security/nmap/files/ .
+
+o Many people have reported this error: "checking for type of 6th
+ argument to recvfrom()... configure: error: Cannot find type for 6th
+ argument to recvfrom()". In most cases, the cause was a missing or
+ broken C++ compiler. That should now be detected earlier with a
+ clearer message.
+
+o Fixed the FTP bounce scan to better detect filtered ports on the
+ target network.
+
+o Fixed some minor bugs related to the new MAC address printing
+ feature.
+
+o Fixed a problem with UDP-scanning port 0, which was reported by
+ Sebastian Wolfgarten (sebastian(a)wolfgarten.com).
+
+o Applied patch from Ruediger Rissmann (RRI(a)zurich.ibm.com), which
+ helps Nmap understand an EACCESS error, which can happen at least
+ during IPv6 scans from certain platforms to some firewalled targets.
+
+o Renamed ACK ping scan option from -PT to -PA in the documentation.
+ Nmap has accepted both names for years and will continue to do
+ so.
+
+o Removed the notice that Nmap is reading target specifications from a
+ file or stdin when you specify the -iL option. It was sometimes
+ printed to stdout even when you wanted to redirect XML or grepable
+ output there, because it was printed during options processing before
+ output files were handled. This change was suggested by Anders Thulin
+ (ath(a)algonet.se).
+
+o Added --source_port as a longer, but hopefully easier to remember,
+ alias for -g. In other words, it tries to use the constant source
+ port number you specify for probes. This can help against poorly
+ configured firewalls that trust source port 20, 53, and the like.
+
+o Removed undocumented (and useless) -N option.
+
+o Fixed a version detection crash reported in excellent detail by
+ Jedi/Sector One (j(a)pureftpd.org).
+
+o Applied patch from Matt Selsky (selsky(a)columbia.edu) which helps
+ Nmap build with OpenSSL.
+
+o Modified the configure/build system to fix library ordering problems
+ that prevented Nmap from building on certain platforms. Thanks to
+ Greg A. Woods (woods(a)weird.com) and Saravanan
+ (saravanan_kovai(a)HotPop.com) for the suggestions.
+
+o Applied a patch to Makefile.in from Scott Mansfield
+ (thephantom(a)mac.com) which enables the use of a DESTDIR variable
+ to install the whole Nmap directory structure under a different root
+ directory. The configure --prefix option would do the same thing in
+ this case, but DESTDIR is apparently a standard that package
+ maintainers like Scott are used to. An example usage is
+ "make DESTDIR=/tmp/packageroot".
+
+o Removed unnecessary banner printing in the non-root connect() ping
+ scan. Thanks to Tom Rune Flo (tom(a)x86.no) for the suggestion and
+ a patch.
+
+o Updated the headers at the top of each source file (mostly to
+ advance the copyright year to 2004 and note that Nmap is a registered
+ trademark).
+
+o The SInfo line of submitted fingerprints now provides the target's
+ OUI (first three bytes of the MAC address) if available. Example:
+ "M=00A0CC". To save a couple bytes, the "Time" field in SInfo has
+ been renamed to "Tm". The OUI helps identify the device vendor, and
+ is only available when the source and target machines are on the
+ same ethernet network.
+
+Nmap 3.50 [2004-1-18]
+
+o Integrated a ton of service fingerprints, increasing the number of
+ signatures more than 50%. It has now exceeded 1,000 for the first
+ time, and represents 180 unique service protocols from acap, afp,
+ and aim to xml-rpc, zebedee, and zebra.
+
+o Implemented a huge OS fingerprint update. The number of
+ fingerprints has increased more than 13% to 1,121. This is the first
+ time it has exceeded 1000. Notable updates include Linux 2.6.0, Mac
+ OS X up to 10.3.2 (Panther), OpenBSD 3.4 (normal and pf "scrub all"),
+ FreeBSD 5.2, the latest Windows Longhorn warez, and Cisco PIX 6.3.3.
+ As usual, there are a ton of new consumer devices from ubiquitous
+ D-Link, Linksys, and Netgear broadband routers to a number of new IP
+ phones including the Cisco devices commonly used by Vonage. Linksys
+ has apparently gone special-purpose with some of their devices, such
+ as their WGA54G "Wireless Game Adapter" and WPS54GU2 wireless print
+ server. A cute little MP3 player called the Rio Karma was submitted
+ multiple times and I also received and integrated fingerprints for the
+ Handspring Treo 600 (PalmOS).
+
+o Applied some man page fixes from Eric S. Raymond
+ (esr(a)snark.thyrsus.com).
+
+o Added version scan information to grepable output between the last
+ two '/' delimiters (that space was previously unused). So the format
+ is now "portnum/state/protocol/owner/servicename/rpcinfo/versioninfo"
+ as in "53/open/tcp//domain//ISC Bind 9.2.1/" and
+ "22/open/tcp//ssh//OpenSSH 3.5p1 (protocol 1.99)/". Thanks to
+ MadHat (madhat(a)unspecific.com) for sending a patch (although I did
+ it differently). Note that any '/' characters in the
+ version (or owner) field are replaced with '|' to keep awk/cut
+ parsing simple. The service name field has been updated so that it
+ is the same as in normal output (except for the same sort of
+ escaping discussed above).
+
+o Integrated an Oracle TNS service probe and match lines contributed
+ by Frank Berger (fm.berger(a)gmx.de). New probe contributions are
+ always appreciated!
+
+o Fixed a crash that could happen during SSL version detection due to
+ SSL session ID cache reference counting issues.
+
+o Applied patch from Rob Foehl (rwf(a)loonybin.net) which fixes the
+ --with_openssl=DIR configure argument.
+
+o Applied patch to nmap XML dtd (nmap.dtd) from Mario Manno
+ (mm(a)koeln.ccc.de). This accounts for the new version scanning
+ functionality.
+
+o Updated the Windows build system so that you don't have to manually
+ copy nmap-service-probes to the output directory. I also updated
+ the README-WIN32 to elaborate further on the build process.
+
+o Added configure option --with-libpcre=included which causes Nmap to
+ build with its included version of libpcre even if an acceptable
+ version is available on the system.
+
+o Upgraded to Autoconf 2.59 (from 2.57). This should help HP-UX
+ compilation problems reported by Petter Reinholdtsen
+ (pere(a)hungry.com) and may have other benefits as well.
+
+o Applied patch from Przemek Galczewski (sako(a)avet.com.pl) which
+ adds spaces to the XML output in places that apparently help certain
+ older XML parsers.
+
+o Made Ident-scan (-I) limits on the length and type of responses
+ stricter so that rogue servers can't flood your screen with 1024
+ characters. The new length limit is 32. Thanks to Tom Rune Flo
+ (tom(a)x86.no) for the suggestion and a patch.
+
+o Fingerprints for unrecognized services can now be a bit longer to
+ avoid truncating as much useful response information. While the
+ fingerprints can be longer now, I hope they will be less frequent
+ because of all the newly recognized services in this version.
+
+o The nmap-service-probes "match" directive can now take a service
+ name like "ssl/vmware-auth". The service will then be reported as
+ vmware-auth (or whatever follows "ssl/") tunneled by SSL, yet Nmap
+ won't actually bother initiating an SSL connection. This is useful
+ for SSL services which can be fully recognized without the overhead
+ of making an SSL connection.
+
+o Version scan now chops commas and whitespace from the end of
+ vendorproductname, version, and info fields. This makes it easier to
+ write templates incorporating lists. For example, the tcpmux service
+ (TCP port 1) gives a list of supported services separated by CRLF.
+ Nmap uses this new feature to print them comma separated without
+ having an annoying trailing comma as so (linewrapped):
+ match tcpmux m|^(sgi_[-.\w]+\r\n([-.\w]+\r\n)*)$|
+ v/SGI IRIX tcpmux//Available services: $SUBST(1, "\r\n", ",")/
+
+Nmap 3.48 [2003-10-6]
+
+o Integrated an enormous number of version detection service
+ submissions. The database has almost doubled in size to 663
+ signatures representing the following 130 services:
+ 3dm-http afp apcnisd arkstats bittorent chargen citrix-ica
+ cvspserver cvsup dantzretrospect daytime dict directconnect domain
+ echo eggdrop exec finger flexlm font-service ftp ftp-proxy gnats
+ gnutella-http hddtemp hp-gsg http http-proxy hylafax icecast ident
+ imap imaps imsp ipp irc ircbot irc-proxy issrealsecure jabber
+ kazaa-http kerberos-sec landesk-rc ldap linuxconf lmtp lotusnotes
+ lpd lucent-fwadm meetingmaker melange microsoft-ds microsoft-rdp
+ mldonkey msactivesync msdtc msrpc ms-sql-m mstask mud mysql
+ napster ncacn_http ncp netbios-ns netbios-ssn netrek netsaint
+ netstat netwareip networkaudio nntp nsclient nsunicast ntop-http
+ omniback oracle-mts oracle-tns pcanywheredata pksd pmud pop2 pop3
+ pop3s poppass postgresql powerchute printer qotd redcarpet
+ rendezvous rlogind rpc rsync rtsp sdmsvc sftp shell shivahose
+ sieve slimp3 smtp smux snpp sourceoffice spamd ssc-agent ssh ssl
+ svrloc symantec-av symantec-esm systat telnet time tinyfw upnp
+ uucp veritasnetbackup vnc vnc-http vtun webster whois wins
+ winshell wms X11 xfce zebra
+
+o Added the ability to execute "helper functions" in version
+ templates, to help clean up/manipulate data captured from a server
+ response. The first defined function is P() which includes only
+ printable characters in a captured string. The main impetus for
+ this is to deal with Unicode strings like
+ "W\0O\0R\0K\0G\0R\0O\0U\0P\0" that many MS protocols send. Nmap can
+ now decode that into "WORKGROUP".
+
+o Added SUBST() helper function, which replaces strings in matched
+ appname/version/extrainfo strings with something else. For example,
+ VanDyke Vshell gives a banner that includes
+ "SSH-2\.0-VShell_2_2_0_528". A substring match is used to pick out
+ the string "2_2_0_528", and then SUB21ST(1,"_",".") is called on that
+ match to form the version number 2.2.0.528.
+
+o If responses to a probe fail to match any of the registered match
+ strings for that probe, Nmap will now try against the registered "null
+ probe" match strings. This helps in the case that the NULL probe
+ initially times out (perhaps because of initial DNS lookup) but the
+ banner appears in later responses.
+
+o Applied some portability fixes (particularly for OpenBSD) from Chad
+ Loder (cloder(a)loder.us), who is also now the OpenBSD Nmap port
+ maintainer.
+
+o Applied some portability fixes from Marius Strobl
+ (marius(a)alchemy.franken.de).
+
+o The tarball distribution of Nmap now strips the binary at install
+ time thanks to a patch from Marius Strobl
+ (marius(a)alchemy.franken.de).
+
+o Fixed a problem related to building Nmap on systems that lack PCRE
+ libs (and thus have to use the ones included by Nmap). Thanks to Remi
+ Denis-Courmont (deniscr6(a)cti.ecp.fr) for the report and patch.
+
+o Alphabetized the service names in each Probe section in
+ nmap-service-probes (makes them easier to find and add to).
+
+o Fixed the problem several people reported where Nmap would quit with
+ a "broken pipe" error during service scanning. Thanks to Jari Ruusu
+ (jari.ruusu(a)pp.inet.fi) for sending a patch. The actual error
+ message was "Unexpected error in NSE_TYPE_READ callback. Error
+ code: 32 (Broken pipe)"
+
+o Fixed protocol scan (-sO), which I had broken when adding the new
+ output table format. It would complain "NmapOutputTable.cc:128:
+ failed assertion `row < numRows'". Thanks to Matt Burnett
+ (marukka(a)mac.com) for notifying me of the problem.
+
+o Upgraded Libpcap to the latest tcpdump.org version (0.7.2) from
+ 0.7.1
+
+o Applied a patch from Peter Marschall (peter(a)adpm.de) which adds
+ version detection support to nmapfe.
+
+o Fixed a problem with XML output being invalid when service detection
+ was done on SSL-tunneled ports. Thanks to the several people who
+ reported this - it means that folks are actually using the XML
+ output :).
+
+o Fixed (I hope) some Solaris Sun ONE compiler compilation problems
+ reported (w/patches) by Mikael Mannstrom (candyman(a)penti.org)
+
+o Fixed the --with-openssl configure option for people who have
+ OpenSSL installed in a path not automatically found by their
+ compilers. Thanks to Marius Strobl (marius(a)alchemy.franken.de) for
+ the patch.
+
+o Made some portability changes for HP-UX and possibly other types of
+ machines, thanks to a patch from Petter Reinholdtsen (pere(a)hungry.com)
+
+o Applied a patch from Matt Selsky (selsky(a)columbia.edu) which fixes
+ compilation on some Solaris boxes, and maybe others. The error said
+ "cannot compute sizeof (char)"
+
+o Applied some patches from the NetBSD ports tree that Hubert Feyrer
+ (hubert.feyrer(a)informatik.fh-regensburg.de) sent me. The NetBSD
+ Nmap ports page is at http://www.NetBSD.org/packages/net/nmap/ .
+
+o Applied some Makefile patches from the FreeBSD ports tree that I
+ found at http://www.freebsd.org/cgi/cvsweb.cgi/ports/security/nmap/files/
+
+Nmap 3.45 [2003-9-15]
+
+o Integrated more service signatures from MadHat
+ (madhat(a)unspecific.com), Brian Hatch (bri(a)ifokr.org), Niels
+ Heinen (zillion(a)safemode.org), Solar Designer
+ (solar(a)openwall.com), Seth Master
+ (smaster(a)stanford.edu), and Curt Wilson
+ (netw3_security(a)hushmail.com). We now have 378 signatures
+ recognizing 86 unique service protocols.
+
+o Added new HTTPOptions and RTSPRequest probes suggested by MadHat
+ (madhat(a)unspecific.com)
+
+o Changed the .spec file to compile Nmap RPMs without SSL support to
+ improve compatibility (Some users might not have OpenSSL, and even
+ those who do might not have the right version (libopenssl.so.2 vs
+ libopenssl.so.4, etc).
+
+o Applied a patch from Solar Eclipse (solareclipse(a)phreedom.org)
+ which increases the allowed size of the 'extrainfo' version field from
+ 80 characters to 128. The main benefit is to allow longer apache module
+ version strings.
+
+o Fixed Windows compilation and improved the Windows port slightly (no
+ more macro to redefine read().
+
+o Applied some updates to README-WIN32 sent in by Kirby Kuehl
+ (kkuehl(a)cisco.com). He improved the list of suggested registry
+ changes and also fixed a typo or two. He also attached a .reg file
+ automate the Nmap connect() scan performance enhancing registry
+ changes. I am now including that with the Nmap Windows binary .zip
+ distribution (and in mswin32/ of the source distro).
+
+o Applied a one-line patch from Dmitry V. Levin (ldv(a)altlinux.org)
+ which fixes a test Nmap does during compilation to see if an existing
+ libpcap installation is recent enough.
+
+Nmap 3.40PVT17 [2003-9-12]
+
+o Wrote and posted a new paper on version scanning to
+ https://nmap.org/book/vscan.html . Updated nmap-service-probes and
+ the Nmap man page to simply refer to this URL.
+
+o Integrated more service signatures from my own scanning as well as
+ contributions from Brian Hatch (bri(a)ifokr.org), MadHat
+ (madhat(a)unspecific.com), Max Vision (vision(a)whitehats.com), HD
+ Moore (hdm(a)digitaloffense.net), Seth Master
+ (smaster(a)stanford.edu), and Niels Heinen (zillion(a)safemode.org).
+ MadHat also contributed a new probe for Windows Media Service. Many
+ people set a LOT of signatures, which has allowed
+ nmap-service-probes to grow from 295 to 356 signatures representing
+ 85 service protocols!
+
+o Applied a patch (with slight changes) from Brian Hatch
+ (bri(a)ifokr.org) which enables caching of SSL sessions so that
+ negotiation doesn't have to be repeated when Nmap reconnects to the same
+ between probes.
+
+o Applied a patch from Brian Hatch (bri(a)ifokr.org) which optimizes the
+ requested SSL ciphers for speed rather than security. The list was
+ based on empirical evidence from substantial benchmarking he did with
+ tests that resemble nmap-service-scanning.
+
+o Updated the Nmap man page to discuss the new version scanning
+ options (-sV, -A).
+
+o I now include nmap-version/aclocal.m4 in the distribution as this is
+ required to rebuild the configure script (thanks to Dmitry V. Levin
+ (ldv(a)altlinux.org) for notifying me of the problem).
+
+o Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which
+ detects whether the PCRE include file is <pcre.h> or <pcre
+
+o Applied a patch from Dmitry V. Levin (ldv(a)altlinux.org) which
+ fixes typos in some error messages. The patch apparently came from
+ the highly-secure and stable Owl and Alt Linux distributions. Check
+ them out at http://www.openwall.com/Owl/ and
+ http://www.altlinux.com/
+
+o Fixed compilation on Mac OS X - thanks to Brian Hatch
+ (bri(a)ifokr.org> and Ryan Lowe (rlowe(a)pablowe.net) for giving me
+ access to Mac OS X boxes.
+
+o Stripped down libpcre build system to remove libtool dependency and
+ other cruft that Nmap doesn't need (this was mostly a response to
+ libtool-related issues on Mac OS X).
+
+o Added a new --version_trace option which causes Nmap to print out extensive
+ debugging info about what version scanning is doing (this is a subset
+ of what you would get with --packet_trace). You should usually use
+ this in combination with at least one -d option.
+
+o Fixed a port number printing bug that would cause Nmap service
+ fingerprints to give a negative port number when the actual port was
+ above 32K. Thanks to Seth Master (smaster(a)stanford.edu) for finding
+ this.
+
+o Updated all the header text again to clarify our interpretation of
+ "derived works" after some suggestions from Brian Hatch
+ (bri(a)ifokr.org)
+
+o Updated the Nsock config.sub/config.guess to the same newer versions
+ that Nmap uses (for Mac OS X compilation).
+
+Nmap 3.40PVT16 [2003-9-6]
+
+o Fixed a compilation problem on systems w/o OpenSSL that was
+ discovered by Solar Designer. I also fixed some compilation
+ problems on non-IPv6 systems. It now compiles and runs on my
+ Solaris and ancient OpenBSD systems.
+
+o Integrated more services thanks to submissions from Niels Heinen
+ (zillion(a)safemode.org).
+
+o Canonicalized the headers at the top of each Nmap/Nsock header source
+ file. This included clarifying our interpretation of derived works,
+ updating the copyright date to 2003, making the header a bit wider,
+ and a few other light changes. I've been putting this off for a
+ while, because it required editing about a hundred !#$# files!
+
+Nmap 3.40PVT15 [2003-9-5]
+
+o Fixed a major bug in the Nsock time caching system. This could
+ cause service detection to inexplicably fail against certain ports in
+ the second or later machines scanned. Thanks to Solar Designer and HD
+ Moore for helping me track this down.
+
+o Fixed some *BSD compilation bugs found by
+ Zillion (zillion(a)safemode.org).
+
+o Integrated more services thanks to submissions from Fyodor Yarochkin
+ (fygrave(a)tigerteam.net), and Niels Heinen
+ (zillion(a)safemode.org), and some of my own exploring. There are
+ now 295 signatures.
+
+o Fixed a compilation bug found by Solar Designer on machines that
+ don't have struct sockaddr_storage. Nsock now just uses "struct
+ sockaddr *" like connect() does.
+
+o Fixed a bug found by Solar Designer which would cause the Nmap
+ portscan table to be truncated in -oN output files if the results are
+ very long.
+
+o Changed a bunch of large stack arrays (e.g. int portlookup[65536])
+ into dynamically allocated heap pointers. The large stack variables
+ apparently caused problems on some architectures. This issue was
+ reported by osamah abuoun (osamah_abuoun(a)hotmail.com).
+
+Nmap 3.40PVT14 [2003-9-4]
+
+o Added IPv6 support for service scan.
+
+o Added an 'sslports' directive to nmap-service-probes. This tells
+ Nmap which service checks to try first for SSL-wrapped ports. The
+ syntax is the same as the normal 'ports' directive for non-ssl ports.
+ For example, the HTTP probe has an 'sslports 443' line and
+ SMTP-detecting probes have and 'sslports 465' line.
+
+o Integrated more services thanks to submissions from MadHat
+ (madhat(a)unspecific.com), Solar Designer (solar(a)openwall.com), Dug
+ Song (dugsong(a)monkey.org), pope(a)undersec.com, and Brian Hatch
+ (bri(a)ifokr.org). There are now 288 signatures, matching these 65
+ service protocols:
+ chargen cvspserver daytime domain echo exec finger font-service
+ ftp ftp-proxy http http-proxy hylafax ident ident imap imaps ipp
+ ircbot ircd irc-proxy issrealsecure landesk-rc ldap meetingmaker
+ microsoft-ds msrpc mud mysql ncacn_http ncp netbios-ns netbios-ssn
+ netsaint netwareip nntp nsclient oracle-tns pcanywheredata pop3
+ pop3s postgres printer qotd redcarpet rlogind rpc rsync rtsp shell
+ smtp snpp spamd ssc-agent ssh ssl telnet time upnp uucp vnc
+ vnc-http webster whois winshell X11
+
+o Added a Lotus Notes probe from Fyodor Yarochkin
+ (fygrave(a)tigerteam.net).
+
+o Dug Song wins the "award" for most obscure service fingerprint
+ submission. Nmap now detects Dave Curry's Webster dictionary server
+ from 1986 :).
+
+o Service fingerprints now include a 'T=SSL' attribute when SSL
+ tunneling was used.
+
+o More portability enhancements thanks to Solar Designer and his Linux
+ 2.0 libc5 boxes.
+
+o Applied a patch from Gisle Vanem (giva(a)bgnett.no) which improves
+ Windows emulation of the UNIX mmap() and munmap() memory mapping calls.
+
+Nmap 3.40PVT13 [2003-9-1]
+
+o Added SSL-scan-through support. If service detection finds a port to be
+ SSL, it will transparently connect to the port using OpenSSL and use
+ version detection to determine what service lies beneath. This
+ feature is only enabled if OpenSSL is available at build time. A
+ new --with-openssl=DIR configure option is available if OpenSSL is
+ not in your default compiler paths. You can use --without-openssl
+ to disable this functionality. Thanks to Brian Hatch
+ (bri(a)ifokr.org) for sample code and other assistance. Make sure
+ you use a version without known exploitable overflows. In
+ particular, versions up to and including OpenSSL 0.9.6d and
+ 0.9.7-beta2 contained serious vulnerabilities described at
+ http://www.openssl.org/news/secadv_20020730.txt . Note that these
+ vulnerabilities are well over a year old at the time of this
+ writing.
+
+o Integrated many more services thanks to submissions from Brian
+ Hatch, HellNBack ( hellnbak(a)nmrc.org ), MadHat, Solar Designer,
+ Simple Nomad, and Shawn Wallis (swallis(a)ku.edu). The number of
+ signatures has grown from 242 to 271. Thanks!
+
+o Integrated Novell Netware NCP and MS Terminal Server probes from
+ Simple Nomad (thegnome(a)nmrc.org).
+
+o Fixed a segfault found by Solar Designer that could occur when
+ scanning certain "evil" services.
+
+o Fixed a problem reported by Solar Designer and MadHat (
+ madhat(a)unspecific.com ) where Nmap would bail when certain Apache
+ version/info responses were particularly long. It could happen in
+ other cases as well. Now Nmap just prints a warning.
+
+o Fixed some portability issues reported by Solar Designer
+ ( solar(a)openwall.com )
+
+Nmap 3.40PVT12 [2003-8-24]
+
+o I added probes for SSL (session startup request) and microsoft-ds
+ (SMB Negotiate Protocol request).
+
+o I changed the default read timeout for a service probe from 7.5s to 5s.
+
+o Fixed a one-character bug that broke many scans when -sV was NOT
+ given. Thanks to Blue Boar (BlueBoar(a)thievco.com) for the report.
+
+Nmap 3.40PVT11 [2003-8-23]
+
+o Integrated many more services thanks to submissions from Simple
+ Nomad, Solar Designer, jerickson(a)inphonic.com, Curt Wilson, and
+ Marco Ivaldi. Thanks! The match line count has risen from 201 to 242.
+
+o Implemented a service classification scheme to separate the
+ vendor/product name from the version number and any extra info that
+ is provided. Instead of v/[big version string]/, the new match
+ lines include v/[vendor/productname]/[version]/[extrainfo]/ . See
+ the docs at the top of nmap-service-probes for more info. This
+ doesn't change the normal output (which lumps them together anyway),
+ but they are separate in the XML so that higher-level programs can
+ easily match against just a product name. Here are a few examples
+ of the improved service element:
+ <service name="ssh" product="OpenSSH" version="3.1p1"
+ extrainfo="protocol 1.99" method="probed" conf="10" />
+ <service name="domain" product="ISC Bind" version="9.2.1"
+ method="probed" conf="10" />
+ <state state="open" /><service name="rpcbind" version="2"
+ extrainfo="rpc #100000" method="probed" conf="10" />
+ <service name="rndc" method="table" conf="3" />
+
+o I went through nmap-service-probes and added the vendor name to more
+ entries. I also added the service name where the product name
+ itself didn't make that completely obvious.
+
+o SCO Corporation of Lindon, Utah (formerly Caldera) has lately taken
+ to an extortion campaign of demanding license fees from Linux users
+ for code that they themselves knowingly distributed under the terms
+ of the GNU GPL. They have also refused to accept the GPL, claiming
+ that some preposterous theory of theirs makes it invalid. Meanwhile
+ they have distributed GPL-licensed Nmap in (at least) their
+ "Supplemental Open Source CD". In response to these blatant
+ violations, and in accordance with section 4 of the GPL, we hereby
+ terminate SCO's rights to redistribute any versions of Nmap in any
+ of their products, including (without limitation) OpenLinux,
+ Skunkware, OpenServer, and UNIXWare.
+
+Nmap 3.40PVT10 [2003-8-18]
+
+o Added "soft matches". These are similar to normal match lines in
+ that they provide a regex for recognizing a service (but no version).
+ But instead of stopping at softmatch service recognition, the scan
+ continues looking for more info. It only launches probes that are
+ known-capable of matching the softmatched service. If no version
+ number is found, at least the determined service is printed. A
+ service print for submission is also provided in that case. So this
+ provides more informative results and improves efficiency.
+
+o Cleaned up the Windows support a bit and did more testing and
+ fixing. Windows service detection seems to be working fine for me
+ now, although my testing is still pretty limited. This release
+ includes a Windows binary distribution and the README-WIN32 has been
+ updated to reflect new compilation instructions.
+
+o More service fingerprints! Thanks to Solar Designer, Max Vision,
+ Frank Denis (Jedi/Sector One) for the submissions. I also added a
+ bunch from my own testing. The number of match lines went from 179
+ to 201.
+
+o Updated XML output to handle new version and service detection
+ information. Here are a few examples of the new output:
+ <port protocol="tcp" portid="22"><state state="open" /><service
+ name="ssh" version="OpenSSH 3.1p1 (protocol 1.99)" method="probed"
+ conf="10" /></port>
+ <port protocol="tcp" portid="111"><state state="open" /><service
+ name="rpcbind" version="2 (rpc #100000)" method="probed" conf="10" /></port>
+ <port protocol="tcp" portid="953"><state state="open" /><service
+ name="rndc" method="table" conf="3" /></port>
+
+o Fixed issue where Nmap would quit when ECONNREFUSED was returned
+ when we try to read from an already-connected TCP socket. FreeBSD
+ does this for some reason instead of giving ECONNRESET. Thanks to
+ Will Saxon (WillS(a)housing.ufl.edu) for the report.
+
+o Removed the SERVICEMATCH_STATIC match type from
+ nmap-service-probes. There wasn't much benefit of this over regular
+ expressions, so it isn't worth maintaining the extra code.
+
+Nmap 3.40PVT9 [2003-8-16]
+
+o Added/fixed numerous service fingerprints thanks to submissions from
+ Max Vision, MadHat, Seth Master. Match lines went
+ from 164 to 179.
+
+o The WinPcap libraries used in the Windows build process have been
+ upgraded to version 3.0.
+
+o Most of the Windows port is complete. It compiles and service scan
+ works (I didn't test very deeply) on my WinXP box with VS.Net 2003.
+ I try to work out remaining kinks and do some cleanup for the next
+ version. The Windows code was restructured and improved quite a bit,
+ but much more work remains to be done in that area. I'll probably
+ do a Windows binary .zip release of the next version.
+
+o Various minor fixes
+
+Nmap 3.40PVT8 [2003-8-12]
+
+o Service scan is now OFF by default. You can activate it with -sV.
+ Or use the snazzy new -A (for "All recommended features" or
+ "Aggressive") option which turns on both OS detection and service
+ detection.
+
+o Fixed compilation on my ancient OpenBSD 2.3 machine (a Pentium 60 :)
+
+o Added/fixed numerous service fingerprints thanks to submissions from
+ Brian Hatch, HD Moore, Anand R., and some of my own testing. The
+ number of match lines in this version grows from 137 to 164! Please
+ keep 'em coming!
+
+o Various important and not-so-important fixes for bugs I encountered
+ while test scanning.
+
+o The RPC grinder no longer prints a startup message if it has no
+ RPC-detected ports to scan.
+
+o Some of the service fingerprint length limitations are relaxed a bit
+ if you enable debugging (-d).
+
+Nmap 3.40PVT7 [2003-8-10]
+
+o Added a whole bunch of services submitted by Brian Hatch
+ (bri(a)ifokr.org). I also added a few Windows-related probes.
+ Nmap-service-probes has gone from 101 match strings to 137. Please
+ keep the submissions coming.
+
+o The question mark now only appears for ports in the OPEN state and
+ when service detection was requested.
+
+o I now print a separator bar between service fingerprints when Nmap
+ prints more than one for a given host so that users understand to
+ submit them individually (suggested by Brian Hatch (bri(a)ifokr.org))
+
+o Fixed a bug that would cause Nmap to print "empty" service
+ fingerprints consisting of just a semi-colon. Thanks to Brian Hatch
+ (bri(a)ifokr.org) for reporting this.
+
+Nmap 3.40PVT6 [2003-8-8]
+
+o Banner-scanned hundreds of thousands of machines for ports
+ 21,23,25,110,3306 to collect default banners. Where the banner made
+ the service name/version obvious, I integrated them into
+ nmap-service-probes. This increased the number of 'match' lines from
+ 27 to more than 100.
+
+o Created the service fingerprint submission page at
+ http://www.insecure.org/cgi-bin/servicefp-submit.cgi
+
+o Changed the service fingerprint format slightly for easier
+ processing by scripts.
+
+o Applied a large portability patch from Albert Chin-A-Young
+ (china(a)thewrittenword.com). This cleans up a number of things,
+ particularly for IRIX, Tru64, and Solaris.
+
+o Applied NmapFE patch from Peter Marschall (peter(a)adpm.de) which
+ "makes sure changes in the relay host and scanned port entry fields
+ are displayed immediately, and also keeps the fields editable after
+ de- and reactivating them."
+
+Nmap 3.40PVT4 [2003-7-28]
+
+o Limited the size of service fingerprints to roughly 1024 bytes.
+ This was suggested by Niels Heinen (niels(a)heinen.ws), because the previous
+ limit was excessive. The number of fingerprints printed is also now
+ limited to 10.
+
+o Fixed a segmentation fault that could occur when ping-scanning large
+ networks.
+
+o Fixed service scan to gracefully handle host_timeout occurrences when
+ they happen during a service scan.
+
+o Fixed a service_scan bug that would cause an error when hosts send
+ data and then close() during the NULL probe (when we haven't sent
+ anything).
+
+o Applied a patch from Solar Designer (solar(a)openwall.com) which
+ corrects some errors in the Russian man page translation and also a
+ couple typos in the regular man page. Then I spell-checked the man
+ page to reduce future instances of foreigners sending in diffs to
+ correct my English :).
+
+Nmap 3.40PVT3 [2003-7-28]
+
+o Nmap now prints a "service fingerprint" for services that it is
+ unable to match despite returning data. The web submission page it
+ references is not yet available.
+
+o Service detection now does RPC grinding on ports it detects to be
+ running RPC.
+
+o Fixed a bug that would cause Nmap to quit with an Nsock error when
+ --host_timeout was used (or when -T5 was used, which sets it
+ implicitly).
+
+o Fixed a bug that would cause Nmap to fail to print the OS
+ fingerprint in certain cases. Thanks to Ste Jones
+ (root(a)networkpenetration.com) for the problem report.
+
+Nmap 3.40PVT2 [2003-7-26]
+
+o Nmap now has a simple VERSION detection scheme. The 'match' lines in
+ nmap-service-probes can specify a template version string
+ (referencing subexpression matches from the regex in a Perl-like
+ manner) so that the version is determined at the same time as the
+ service. This handles many common services in a highly efficient
+ manner. A more complex form of version detection (that initiates
+ further communication w/the target service) may be necessary
+ eventually to handle services that aren't as forthcoming with
+ version details.
+
+o The Nmap port state table now wastes less whitespace due to using a new
+ and stingy NmapOutputTable class. This makes it easier to read, and
+ also leaves more room for version info and possibly other enhancements.
+
+o Added 's' option to match lines in nmap-service-probes. Just as
+ with the Perl 's' option, this one causes '.' in the regular
+ expression to match any character INCLUDING newline.
+
+o The WinPcap header timestamp is no longer used on Windows as it
+ sometimes can be a couple seconds different than gettimeofday() (which
+ is really _ftime() on Windows) for some reason. Thanks to Scott
+ Egbert (scott.egbert(a)citigroup.com) for the report.
+
+o Applied a patch by Matt Selsky (selsky(a)columbia.edu) which fixes
+ configure.in in such a way that the annoying header file "present but
+ cannot be compiled" warning for Solaris.
+
+o Applied another patch from Matt that (we hope) fixes the "present
+ but cannot be compiled" warning -- this time for Mac OS X.
+
+o Port table header names are now capitalized ("SERVICE", "PORT", etc)
+
+Nmap 3.40PVT1 [2003-7-17]
+
+o Initial implementation of service detection. Nmap will now probe
+ ports to determine what is listening, rather than guessing based on
+ the nmap-services table lookup. This can be very useful for
+ services on unidentified ports and for UDP services where it is not
+ always clear (without these probes) whether the port is really open
+ or just firewalled. It is also handy for when services are run on
+ the well-known-port of another protocol -- this is happening more
+ and more as users try to circumvent increasingly strict firewall
+ policies.
+
+o Nmap now uses the excellent libpcre (Perl Compatible Regular
+ Expressions) library from http://www.pcre.org/ . Many systems
+ already have this, otherwise Nmap will use the copy it now includes.
+ If your libpcre is hidden away in some nonstandard place, give
+ ./configure the new --with-libpcre=DIR directive.
+
+o Nmap now uses the C++ Standard Template Library (STL). This makes
+ programming easier, but if it causes major portability or bloat
+ problems, I'll reluctantly remove it.
+
+o Applied a patch from Javier Kohen (jkohen(a)coresecurity.com) which
+ normalizes the names of many Microsoft entries in the
+ nmap-os-fingerprints file.
+
+o Applied a patch by Florin Andrei (florin(a)sgi.com) to the Nmap RPM
+ spec file. This uses the 'Epoch' flag to prevent the Redhat Network
+ tool from marking my RPMs as "obsolete" and "upgrading" to earlier
+ Redhat-built versions. A compilation flag problem is also fixed.
+
+Nmap 3.30 [2003-6-28]
+
+o Implemented the largest-ever OS fingerprint update! Roughly 300
+ fingerprints were added/modified. These massive changes span the
+ gamut from AIX 5.1 to the ZyXEL Prestige broadband router line.
+ Notable updates include OpenBSD 3.3, FreeBSD 5.1, Mac OS X 10.2.6,
+ Windows 2003 server, and more WAPs and broadband routers than you
+ can shake a stick at. Someone even submitted a fingerprint for
+ Debian Linux running on the Microsoft Xbox. You have to love that
+ irony :). Thanks to everyone who submitted fingerprints using the
+ URL Nmap gives you when it gets a clean reading but is stumped. The
+ fingerprint DB now contains almost 1000 fingerprints.
+
+o Went through every one of the fingerprints to normalize the
+ descriptions a bit. I also looked up what all of the devices are
+ (thanks E*Bay and Google!). Results like "Nexland ISB Pro800 Turbo"
+ and "Siemens 300E Release 6.5" are much more useful when you add the
+ words "cable modem" and "business phone system"
+
+o Added a new classification system to nmap-os-fingerprints. In
+ addition to the standard text description, each entry is now
+ classified by vendor name (e.g. Sun), underlying OS (e.g. Solaris),
+ OS generation (e.g. 7), and device type ("general purpose", router,
+ switch, game console, etc). This can be useful if you want to (say)
+ locate and eliminate the SCO systems on a network, or find the
+ wireless access points (WAPs) by scanning from the wired side.
+
+o Classification system described above is now used to print out a
+ "device type" line and OS categories for matches. The free-form
+ English details are still printed as well. Nmap can sometimes
+ provide classifications even where it used to provide nothing
+ because of "too many matches". These have been added to XML output
+ as well. They are not printed for the "grepable output", as I
+ consider that format deprecated.
+
+o Nmap will now sometimes guess in the "no exact matches" case, even
+ if you don't use the secret --osscan_guess or -fuzzy options.
+
+o Applied another huge NmapFE patch from Peter Marschall
+ (peter(a)adpm.de). This revamps the interface to use a tabbed
+ format that allows for many more Nmap options to be used. It also
+ cleans up some crufty parts of the code. Let me and Peter know what
+ you think (and if you encounter any problems).
+
+o Windows and Amiga ports now use packet receive times from libpcap.
+ Let me know if you get any "time computation problem" errors.
+
+o Updated version of the Russian man page translation from Alex Volkov
+ (alex(a)cherepovets-city.ru).
+
+Nmap 3.28 [2003-6-14]
+
+o Fixed (I hope) an issue that would cause Nmap to print "Serious time
+ computation problem in adjust_timeout ..." and quit. The ultimate
+ cause was demonstrated by this --packet_trace snippet that Russel
+ Miller (rmiller(a)duskglow.com) sent me:
+ SENT (0.0500s) ICMP 0.0.0.0 > 127.0.0.1 Echo request (type=8/code=0) ...
+ RCVD (0.0450s) ICMP 127.0.0.1 > 127.0.0.1 Echo reply (type=0/code=0) ...
+ As you can see, the ping reply appears to come BEFORE the request
+ was sent(!). This sort of thing happens on at least Linux and
+ Windows. The send time is obtained from gettimeofday(timeval, NULL),
+ while receive time libpcap packet header. If anyone knows why this
+ occurs, or (even better) knows a good way to fix it, let me know.
+ For now, I am allowing the response to come up to .05s "before" the
+ request. That is gross.
+
+o For years, Nmap has added -I/usr/local/include and -L/usr/local/lib
+ to the compiler line to grab local libraries. I have removed this
+ behavior by default, and added a '--with-localdirs' configure option
+ that adds it back. If Nmap fails to compile now without the above
+ option, please let me know. I can change the default back if this
+ change causes more problems than it solves. People (such as certain
+ ports tree packagers) who know they don't want /usr/local should
+ specify --without-localdirs rather than relying on that always being
+ the default.
+
+o Fixed (I hope) a problem that led to the error message "Assertion
+ `tqi->sockets[probe_port_num][seq] == -1' failed".
+
+o Fixed a problem that would cause Nmap on Windows to send ICMP ping
+ packets from 0.0.0.0 instead of the appropriate source IP. Thanks
+ to Yeti (boxed(a)blueyonder.co.uk) for the report.
+
+o Applied some changes from Solar Designer (solar(a)openwall.com)
+ which fix some typos and also suggest safer /tmp/ behavior in the
+ HACKING file and Lithuanian man page. These changes are for the
+ Nmap package of his Openwall GNU/*/Linux (Owl) distribution.
+ (http://www.openwall.com/Owl/)
+
+o For Solaris, I now define NET_SIZE_T to size_t rather than socklen_t
+ in nmap.h. Isn't that exciting?!!! Hopefully this will help
+ compilation on Solaris 2.6 (and perhaps earlier). If any Solaris
+ users notice new compilation problems, please let me know. Thanks to
+ Al Smith (Al.Smith(a)aeschi.ch.eu.org) for reporting the issue.
+
+o Removed an errant getopt() prototype in nbase/getopt.h which should
+ hopefully improve compilation on certain Solaris boxes and BSD
+ variants.
+
+o SCO operating systems are no longer supported due to their recent
+ (and absurd) attacks against Linux and IBM. Bug reports relating to
+ UnixWare will be ignored, or possibly even laughed at derisively.
+ Note that I have no reason to believe anyone has ever used Nmap on
+ SCO systems. UnixWare and OpenServer suck.
+
+o Fixed a problem with small --max_parallelism values when non-root ping
+ scanning that would cause Nmap to say "sendconnecttcpquery: Could
+ not scavenge a free socket!" and quit. Problem was reported by
+ Justin A (justin(a)bouncybouncy.net) as Debian Bug #195463.
+
+o Applied (with a few modifications) a large NmapFE patch from Peter
+ Marschall (peter(a)adpm.de). This patch adds a bunch more scan/ping
+ options and cleans up some redundant NmapFE code.
+
+o Included new Russian man page translation by Alex Volkov
+ (alex(a)cherepovets-city.ru)
+
+o Changed many single-quotes (') into double quotes (") in the man
+ page due to a disagreement over whether to represent them as (') or
+ (\') in nroff.
+
+o Included --packet_trace support for Explicit Congestion Notification
+ (RFC 2481/3168) flags thanks to a patch sent in by Maik Pfeil
+ (root(a)bundesspionageministerium.de)
+
+o Included --packet_trace support for a few (unusual) ICMP types in
+ case Nmap receives them. The patch was also sent by Maik Pfeil.
+
+o Fixed a problem with redirecting XML/Grep/Machine output to stdout
+ on Windows (e.g. -oX - ). Problem was reported by Wei Jiang
+ (Wei.Jiang(a)bindview.com)
+
+o Made "-g -Wall" compiler flags dependent on availability of gcc/g++
+ sine some other compilers do not support them.
+
+o I spam-protected the email addresses in this file. I fervently hope
+ that within 5 years we will be able to defeat this scourge through
+ technology and laws, so that we may again list our email addresses
+ openly without fear of abuse by criminal spammers. Oh, and it would
+ be a shame if the spiders went through this whole page and only
+ found uce@ftc.gov, rhundt@fcc.gov, jquello@fcc.gov, sness@fcc.gov,
+ president@whitehouse.gov, haesslich@loyalty.org, and rchong@fcc.gov.
+
+Nmap 3.27 [2003-4-28]
+
+o Nmap now compiles under Amiga thanks to patches sent by Diego
+ Casorran (dcr8520(a)amiga.org).
+
+o Fixed a backwards WIN32 ifdef that broke UDP and small-fragment
+ scans for some operating systems other than Linux and Windows.
+ Thanks to Guido van Rooij (guido(a)gvr.org) for reporting the problem
+ and sending a patch.
+
+o Applied patch from Marius Strobl (marius(a)alchemy.franken.de) which improves
+ the definition of NET_SIZE_T on FreeBSD so that it compiles on
+ 64-bit platforms.
+
+Nmap 3.26 [2003-4-24]
+
+o Fixed Mac OS X Compilation (at least on most of the machines
+ tested). You will probably need to type
+ "./configure CPP=/usr/bin/cpp" instead of simply "./configure". If
+ you still have trouble, drop me an email. Thanks to everyone who
+ provided or offered shell accounts!
+
+o Fixed a segmentation fault several people reported that was
+ introduced in 3.25. This problem manifests itself intermittently
+ in many normal situations involving large-network scanning. So all
+ 3.25 users are urged to upgrade. Pre-3.25 users should upgrade too,
+ since 3.25 included so many improvements :).
+
+Nmap 3.25 [2003-4-19]
+
+o I added UDP-based "ping" scanning. The -PU option can take an
+ optional portlist like the TCP "ping" options (-PS, -PA), but it sends
+ a UDP packet to the targets and expects hosts that are up to reply
+ with a port unreachable (or possibly a UDP response if the port is
+ open). This one is likely to work best against closed ports, since
+ many open ports don't respond to empty requests.
+
+o Fixed (I hope) problem where Nmap would abort, complaining that
+ "Assertion `pt->down_this_block > 0' failed". Thanks to
+ ray(a)24hoursecurity.org and mugz(a)x-mafia.com for reporting and
+ helping me debug this problem.
+
+o Fixed a GCC dependency reported by Ayamura Kikuchi
+ (ayamura(a)keio.net)
+
+o Fixed an "assertion failure" which would cause Nmap to exit when you
+ specify a --max_rtt_timeout below 3000. Thanks to Tammy Rathbun
+ (rathbun2(a)llnl.gov) and Jan Roger Wilkens (jrw(a)proseq.net) for
+ reporting this.
+
+o Packet receive times are now obtained from libpcap rather than
+ simply using the time the packets are passed to Nmap. This should
+ improve performance slightly. I was not able to get this to work
+ properly on Windows (either pcap or raw) -- join the nmap-dev list
+ if you have ideas.
+
+o Fixed bug that caused Nmap to ignore certain RST responses when you
+ do both -PS and -PA.
+
+o Modified ping scan to work better when many instances of Nmap are
+ executed concurrently.
+
+o I'm now linking directly to the gzip compressed version of Nmap on
+ the homepage as well as the .bz2.
+
+o Fixed a portability problem that caused BSD Make to bail out.
+
+o Fixed a divide by zero error caused when non-root users (on UNIX)
+ explicitly request ICMP pings (which require root privileges). Now it
+ prints a warning and uses the normal non-root TCP connect() ping.
+ Jaroslav Sladek (jup(a)matfyz.cz) found the bug and provided the patch.
+
+o Made Nmap more tolerant of corrupt nmap-services and nmap-protocols
+ files thanks to report & patch sent by Phix (phix(a)hush.com)
+
+o Added some more port numbers sent in by Seth Master
+ (smaster(a)stanford.edu). He has been a frequent nmap-services
+ contributor in the last couple months.
+
+o Added --packet_trace support to Windows
+
+o Removed superfluous "addport" line in the XML output (patch from Max
+ Schubert (nmap(a)webwizarddesign.com)).
+
+o Merged wintcpip.cc into tcpip.cc to avoid the headache of
+ maintaining many nearly-identical functions.
+
+o Fixed an assertion failure crash related to combining port 0 scans
+ and OS scan. Thanks to A.Jones(a)mvv.de for reporting this.
+
+o Fixed some compilation problems on systems without IPv6 support --
+ patch sent by Jochen Erwied (Jochen.Erwied(a)mbs-software.info)
+
+o Applied patch from Jochen Erwied (Jochen.Erwied(a)mbs-software.info)
+ which fixes the format strings used for printing certain timestamps.
+
+o Upgraded to autoconf 2.57, including the latest config.guess/config.sub
+
+o Renamed configure.ac files to configure.in as recommended by the
+ latest autoconf documentation.
+
+o Changed the wording of NmapFE Gnome entries to better-comply with
+ Gnome's Human Interface Guidelines (HIG). Suggested by Axel Krauth
+ (krauth(a)fmi.uni-passau.de)
+
+Nmap 3.20 [2003-3-18]
+
+o The random IP input option (-iR) now takes an argument specifying
+ how many IPs you want to scan (e.g. -iR 1000). Specify 0 for the old
+ never-ending scan behavior.
+
+o Fixed a tricky memory leak discovered by Mugz (mugz(a)x-mafia.com).
+
+o Fixed output truncation problem noted by Lionel CONS (lionel.cons(a)cern.ch)
+
+o Fixed a bug that would cause certain incoming ICMP error messages to
+ be improperly ignored.
+
+Nmap 3.15BETA3 [2003-3-16]
+
+o Made numerous improvements to the timing behavior of "-T Aggressive"
+ (same as -T4) scans. It is now recommended for regular use by
+ impatient people with a fast connection. "-T Insane" mode has also
+ been updated, but we only recommend that for, well, insane people.
+
+o Made substantial changes to the SYN/connect()/Window scanning
+ algorithms for improved speeds, especially against heavily filtered
+ hosts. If you notice any timing problems (misidentified ports,
+ etc.), please send me the details (including full Nmap output and a
+ description of what is wrong). Reports of any timing problems with
+ -T4 would be helpful as well.
+
+o Changed Nmap such that ALL syn scan packets are sent from the port
+ you specify with -g. Retransmissions used to utilize successively
+ higher ports. This change has a downside in that some operating
+ systems (such as Linux) often won't reply to the retransmissions
+ because they reuse the same connection specifier quad
+ (srcip:srcport:dstip:dstport). Overall I think this is a win.
+
+o Added timestamps to "Starting nmap" line and each host port scan in
+ verbose (-v) mode. These are in ISO 8601 standard format because
+ unlike President Bush, we actually care about International
+ consensus :).
+
+o Nmap now comes by default in .tar.bz2 format, which compresses about
+ 20% further. You can still find .tgz in the dist directory at
+ http://download.insecure.org/nmap/dist/?M=D .
+
+o Various other minor bug fixes, new services, fingerprints, etc.
+
+Nmap 3.15BETA2 [2003-2-26]
+
+o I added support for a brand new "port" that many of you may have
+ never scanned before! UDP & TCP "port 0" (and IP protocol 0) are now
+ permitted if you specify 0 explicitly. An argument like "-p -40"
+ would still scan ports 1-40. Unlike ports, protocol 0 IS now scanned
+ by default. This now works for ping probes too (e.g., -PS, -PA).
+
+o Applied patch by Martin Kluge (martin(a)elxsi.info) which adds --ttl
+ option, which sets the outgoing IPv4 TTL field in packets sent via
+ all raw scan types (including ping scans and OS detection). The
+ patch "should work" on Windows, but hasn't been tested. A TTL of 0
+ is supported, and even tends to work on a LAN:
+ 14:17:19.474293 192.168.0.42.60214 > 192.168.0.40.135: S 326:326(0) [ttl 0]
+ 14:17:19.474456 192.168.0.40.135 > 192.168.0.42.60214: S 280:280(0) ack 326 (ttl 128)
+
+o Applied patch by Gabriel L. Somlo ( somlo(a)acns.colostate.edu ) which
+ extends the multi-ping-port functionality to nonroot and IPv6
+ connect() users.
+
+o I added a new --datadir command line option which allows you to
+ specify the highest priority directory for Nmap data files
+ nmap-services, nmap-os-fingerprints, and nmap-rpc. Any files which
+ aren't in the given dir, will be searched for in the $NMAPDIR
+ environmental variable, ~/nmap/, a compiled in data directory
+ (e.g. /usr/share/nmap), and finally the current directory.
+
+o Fixed Windows (VC++ 6) compilation, thanks to patches from Kevin
+ Davis (computerguy(a)cfl.rr.com) and Andy Lutomirski
+ (luto(a)stanford.edu)
+
+o Included new Latvian man page translation by
+ "miscelerious options" (misc(a)inbox.lv)
+
+o Fixed Solaris compilation when Sun make is used rather than GNU
+ make. Thanks to Tom Duffy (tduffy(a)sun.com) for assistance.
+
+o Applied patch from Stephen Bishop (sbishop(a)idsec.co.uk) which
+ prevents certain false-positive responses when Nmap raw TCP ping scans
+ are being run in parallel.
+
+o To emphasize the highly professional nature of Nmap, I changed all
+ instances of "fucked up" in error message text into "b0rked".
+
+o Fixed a problem with nmap-frontend RPMs that would cause a bogus
+ /bin/xnmap link to be created (it should only create
+ /usr/bin/xnmap). Thanks to Juho Schultz
+ (juho.schultz(a)astro.helsinki.fi) for reporting the problem.
+
+o I made the maximum number of allowed routes and interfaces allowed
+ on the scanning machine dynamic rather than hardcoded #defines of 1024
+ and 128. You never know -- some wacko probably has that many :).
+
+Nmap 3.15BETA1 [2003-2-19]
+
+o Integrated the largest OS fingerprint DB updates ever! Thanks to
+ everyone who contributed signatures! New or substantially modified
+ fingerprints included the latest Windows 2K/XP changes, Cisco IOS
+ 12.2-based routers and PIX 6.3 firewalls, FreeBSD 5.0, AIX 5.1,
+ OpenBSD 3.2, Tru64 5.1A, IBM OS/400 V5R1M0, dozens of wireless APs,
+ VOIP devices, firewalls, printers, print servers, cable modems,
+ webcams, etc. We've even got some mod-chipped Xbox fingerprints
+ now!
+
+o Applied NetBSD portability patch by Darren Reed
+ (darrenr(a)reed.wattle.id.au)
+
+o Updated Makefile to better-detect if it can't make nmapfe and
+ provide a clearer error message. Also fixed a couple compiler
+ warnings on some *BSD platforms.
+
+o Applied patch from "Max" (nmap(a)webwizarddesign.com) which adds the
+ port owner to the "addport" XML output lines which are printed (only
+ in verbose mode, I think) as each open port is discovered.
+
+o I killed the annoying whitespace that is normally appended after the
+ service name. Now it is only there when an owner was found via -sI
+ (in which case there is a fourth column and so "service" must be
+ exactly 24 characters).
+
+Nmap 3.10ALPHA9 [2002-12-25]
+
+o Reworked the "ping scan" algorithm (used for any scan except -P0 or
+ -sL) to be more robust in the face of low-bandwidth and congested
+ connections. This also improves reliability in the multi-port and
+ multi-type ping cases described below.
+
+o "Ping types" are no longer exclusive -- you can now do combinations
+ such as "-PS22,53,80 -PT113 -PN -PE" in order to increase your odds of
+ passing through strict filters. The "PB" flag is now deprecated
+ since you can achieve the same result via "PE" and "PT" options.
+
+o Applied patch (with modest changes) by Gabriel L. Somlo
+ (somlo(a)acns.colostate.edu), which allows multiple TCP probe ports in
+ raw (root) mode. See the previous item for an example.
+
+o Fixed a libpcap compilation issue noted by Josef 'Jupp' Schugt
+ (deusxmachina(a)webmail.co.za) which relates to the definition (or
+ lack thereof) of ARPHRD_HDLC (used for Cisco HDLC frames).
+
+o Tweaked the version number (-V) output slightly.
+
+Nmap 3.10ALPHA7 [2002-12-18]
+
+o Upgraded libpcap from version 0.6.2 to 0.7.1. Updated the
+ libpcap-possiblymodified/NMAP_MODIFICATIONS file to give a much
+ more extensive list (including diffs) of the changes included
+ in the Nmap bundled version of Libpcap.
+
+o Applied patch to fix a libpcap alignment bug found by Tom Duffy
+ (tduffy(a)sun.com).
+
+o Fixed Windows compilation.
+
+o Applied patch by Chad Loder (cloder(a)loder.us) of Rapid7 which
+ fixes OpenBSD compilation. I believe Chad is now the official
+ OpenBSD Nmap "port" maintainer. His patch also adjusted
+ random-scan (-iR) to include the recently allocated 82.0.0.0/8
+ space.
+
+o Fixed (I hope) a few compilation problems on
+ non-IPv6-enabled machines which were noted by Josef 'Jupp'
+ Schugt (jupp(a)gmx.de)
+
+o Included some man page translations which were inadvertently
+ missed in previous tarballs.
+
+o Applied patch from Matthieu Verbert (mve(a)zurich.ibm.com) which
+ places the Nmap man pages under ${prefix}/share/man rather than
+ ${prefix}/man when installed via RPM. Maybe the tarball
+ install should do this too? Opinions?
+
+o Applied patch from R Anderson (listbox(a)pole-position.org) which
+ improves the way ICMP port unreachables from intermediate hosts
+ are handled during UDP scans.
+
+o Added note to man page related to Nmap US export control. I
+ believe Nmap falls under ECCN 5D992, which has no special
+ restrictions beyond the standard export denial to a handful of
+ rogue nations such as Iraq and North Korea.
+
+o Added a warning that some hosts may be skipped and/or repeated
+ when someone tries to --resume a --randomize_hosts scan. This
+ was suggested by Crayden Mantelium (crayden(a)sensewave.com)
+
+o Fixed a minor memory leak noted by Michael Davis
+ (mike(a)datanerds.net).
+
+Nmap 3.10ALPHA4 [2002-11-11]
+
+o Applied patch by Max Schubert (nmap(a)webwizarddesign.com) which adds
+ an add-port XML tag whenever a new port is found open when Nmap is
+ running in verbose mode. The new tag looks like:
+ <addport state="open" portid="22" protocol="tcp"/>
+ I also updated docs/nmap.dtd to recognize this new tag.
+
+o Added German translation of Nmap man page by Marc Ruef
+ (marc.ruef(a)computec.ch). It is also available at
+ https://nmap.org/man/de/
+
+o Includes a brand new French translation of the man page by Sebastien
+ Blanchet. You could probably guess that it is available at
+ https://nmap.org/man/fr/
+
+o Applied some patches from Chad Loder (cloder(a)loder.us) which update
+ the random IP allocation pool and improve OpenBSD support. Some
+ were from the OBSD Nmap patchlist.
+
+o Fixed a compile problem on machines without PF_INET6. Thanks to
+ Josef 'Jupp' Schugt (deusxmachina(a)webmail.co.za) for noting this.
+
+Nmap 3.10ALPHA3 [2002-9-15]
+
+o Added --min_parallelism option, which makes scans more aggressive
+ and MUCH faster in certain situations -- especially against
+ firewalled hosts. It is basically the opposite of --max_parallelism
+ (-M). Note that reliability can be lost if you push it too far.
+
+o Added --packet_trace option, which tells Nmap to display all of the
+ packets it sends and receives in a format similar to tcpdump. I
+ mostly added this for debugging purposes, but people wishing to learn
+ how Nmap works or for experts wanting to ensure Nmap is doing
+ exactly what they expect. If you want this feature supported under
+ Windows, please send me a patch :).
+
+o Fixed a segmentation fault in Idlescan (-sI).
+
+o Made Idlescan timing more conservative when -P0 is specified to
+ improve accuracy.
+
+o Fixed an infinite-loop condition that could occur during certain
+ dropped-packet scenarios in an Idle scan.
+
+o Nmap now reports execution times to millisecond precision (rather
+ than rounding to the nearest second).
+
+o Fixed an infinite loop caused by invalid port arguments. Problem
+ noted by fejed (fejed(a)uddf.net).
+
+Nmap 3.10ALPHA2 [2002-8-31]
+
+o Fixed compilation and IPv6 support on FreeBSD (tested on
+ 4.6-STABLE). Thanks to Niels Heinen (niels.heinen(a)ubizen.com) for
+ suggestions.
+
+o Made some portability changes based on suggestions by Josef 'Jupp'
+ Schugt (jupp(a)gmx.de)
+
+o Fixed compilation and IPv6 support on Solaris 9 (haven't tested
+ earlier versions).
+
+Nmap 3.10ALPHA1 [2002-8-28]
+
+o IPv6 is now supported for TCP scan (-sT), connect()-style ping
+ scan (-sP), and list scan (-sL)! Just specify the -6 option and the
+ IPv6 numbers or DNS names. Netmask notation is not currently
+ supported -- I'm not sure how useful it is for IPv6, where even petty
+ end users may be allocated trillions of addresses (/80). If you
+ need one of the scan types that hasn't been ported yet, give
+ Sebastien Peterson's patch a try at http://nmap6.sourceforge.net/ .
+ If there is demand, I may integrate more of that into Nmap.
+
+o Major code restructuring, which included conversion to C++ -- so
+ you'll need g++ or another C++ compiler. I accidentally let a C++
+ requirement slip in a while back and found that almost everyone has
+ such a compiler. Windows (VC++) users: see the README-WIN32 for new
+ compilation instructions.
+
+o Applied patch from Axel Nennker (Axel.Nennker(a)t-systems.com) which
+ adds a --without-nmapfe option to the configure script. This is
+ useful if your system doesn't have the proper libraries (e.g. GTK) or
+ if you think GUIs are for sissies :).
+
+o Removed arbitrary max_parallelism (-M) limitations, as suggested by
+ William McVey ( wam(a)cisco.com ).
+
+o Added DEC OSF to the platforms that require the BSDFIX() macro due
+ to taking IP length and offset fields in host rather than network byte
+ order. Suggested by Dean Bennett (deanb(a)gbtn.net)
+
+o Fixed an debug statement C ambiguity discovered by Kronos
+ (kronos(a)kronoz.cjb.net)
+
+Nmap 3.00 [2002-07-31]
+
+o Woohoo! :)
+
+Nmap 2.99RC2 [2002-07-27]
+
+o Fixed an important memory initialization bug which was causing
+ crashes on Mac OS X (and possibly other platforms). The problem was
+ located by Pieter ten Pierick (P.tenPierick(a)chello.nl)
+
+o Various minor bugfixes/cleanup
+
+Nmap 2.99RC1 [2002-07-20]
+
+o Implemented the biggest OS fingerprint update since December 1999!
+ More than 200 fingerprints were added/modified. This includes
+ OpenBSD 3.1, Solaris 9, Mac OS 10.1.5, OS/400, FreeBSD 4.6, The
+ latest MS WinXP changes, new CISCO equiptment, and loads of network
+ devices such as VoIP phones, switches, printers, WAPs, etc.
+
+o Updated build system to work on MacOS X.
+
+o I removed "credit" lines from the nmap-os-fingerprints file out of
+ concern that evil spammers might harvest the 602 addresses. Plus
+ those took up 28K and the size of nmap-os-fingerprints has already
+ caused trouble for some handheld devices. If anyone actually cares
+ about the "fame" of being listed, let me know and I'll put you back
+ in. I still appreciate everyone who submits fingerprints! I just
+ don't want you to be spammed when the fingerprint file goes online.
+
+o Minor usage screen (nmap -h) fix suggested by Martin Kluge
+ ( martin(a)elxsi.info )
+
+o Insured that the initial pound (#) in C preprocessor directives is
+ always in column 1 (portability fix). Problem noted by Shamsher
+ Sran (ssran(a)bechtel.com)
+
+Nmap 2.54BETA37 [2002-07-10]
+
+o Made SYN scan the default for privileged (root) users. This offers
+ far better performance for Windows users due to their broken
+ connect() call, and is usually even preferred on UNIX because it is
+ more stealthy and less likely to crash applications listening on the
+ target host.
+
+o Fixed a problem noted by Ping Huang (pshuang(a)alum.mit.edu) relating
+ to -PI scans of a machine's own non-localhost interfaces (eg
+ scanning your ethernet address).
+
+o Applied patch from Patrice Goetghebeur (pgoetghebeur(a)mac.com) which
+ fixes PPP/SLIP support on Mac OS X.
+
+o Applied dozens of nmap-services portnumber mapping updates
+ researched and sent by palante(a)subterrain.net
+
+o Updated nmap-rpc to the latest version from Eilon Gishri
+ (eilon(a)aristo.tau.ac.il)
+
+o Fixed --resume option to better detect all of the previously scanned
+ hosts in an -oN file (bug report from Adam.Scott(a)predictive.com )
+
+o Adjusted random IP generator (for -iR) to account for newly
+ allocated ip space from
+ http://www.iana.org/assignments/ipv4-address-space as noted by Chad
+ Loder (cloder(a)acm.org)
+
+o Updated config.sub and config.guess to the versions in
+ automake-1.6.2 .
+
+o Applied patch from Markus A. Nonym (g17m0(a)lycos.com) which checks
+ for a recent version of GTK+ in ./configure before even trying to
+ build NmapFE (avoids the previous ugly compiler errors).
+
+o Applied patch from benkj(a)gmx.it which fixes misbehavior when Nmap
+ would receive EOF (including ^D) in interactive mode.
+
+o Fixed format string bugs (not the security-related kind) found by
+ Takehiro YONEKURA (yonekura(a)obliguard.com) and Kuk-hyeon Lee
+ (errai(a)inzen.com)
+
+o Applied patch from Greg Steuck (greg-nmap-dev(a)nest.cx) which fixes
+ an alignment problem in charpool.c that could cause bus errors on
+ 64-bit platforms.
+
+o Applied portability fix patch from Matt Christian (mattc(a)visi.com)
+
+Nmap 2.54BETA36 [2002-06-13]
+
+o Fixed major connect scan problem introduced in BETA35
+
+o Changed NmapFE to use the version number 2.54BETA36 rather than
+ 0.2.54BETA36. I had to do this because RedHat took the liberty of
+ releasing a so-called "2.54BETA31" version of nmap-frontend in their
+ 7.3 distribution. Thus my upgrades were failing to install on such
+ systems because a "later" version is already installed.
+
+Nmap 2.54BETA35 [2002-06-13]
+
+o Fixed an issue that could cause the abort message "Serious time
+ computation problem in adjust_timeout ...". If you still see this,
+ please let me know.
+
+o Fixed Windows compilation (and I really mean it this time -- tested
+ myself).
+
+o Applied configure script patch to recognize Solaris 2.10 when it
+ eventually becomes available (from James Carlson
+ (james.d.carlson(a)east.sun.com)
+
+o Applied some portability fixes from Albert Chin
+ (china(a)thewrittenword.com)
+
+o Applied libpcap aclocal.m4 patch to enable debugging (-g) when
+ compiling libpcap with gcc. Patch from Ping Huang
+ (pshuang(a)alum.mit.edu)
+
+o Restructured "TCP probe port" output message a bit as suggested by
+ Ping Huang (pshuang(a)alum.mit.edu)
+
+Nmap 2.54BETA34 [2002-05-02]
+
+o Windows compilation fixed thanks to new VC++ project file (nmap.dsp) sent
+ by Evan Sparks (gmplague(a)sdf.lonestar.org) (I had forgotten to include
+ the new main.c).
+
+o Various nmap-services updates
+
+o Fixed a bunch of typos and capitalization issues in
+ nmap-os-fingerprints by applying patch sent in by Royce Williams
+ (royce(a)alaska.net).
+
+Nmap 2.54BETA33 [2002-04-26]
+
+o Tons of OS fingerprint updates. More than 100 fingerprints added or
+ changed, including OpenBSD 3, FreeBSD 4.5, Solaris 9 pre-release,
+ Commodor 64 (with the TFE Ethernet Card and uIP stack), Compaq iPAQ,
+ Cisco IOS 12.2(8), AIX 5.1, IRIX 6.5.15, various
+ Redback/Racal/Juniper/BigIP/HP/Siemens/Brocade/Quantum devices,
+ numerous printers/switches, KRONOS network clock, WTI Network Power
+ Switch, Windows XP, and many more. Thanks to everyone who
+ contributed!
+
+o Applied fix for an important RPC scanning bug sent in by Pasi Eronen
+ (pasi.eronen(a)nixu.com)
+
+o Applied fix for nasty OS fingerprinting bug found by William
+ Robertson (wkr(a)cs.ucsb.edu)
+
+o Do not show uptime when obviously spoofed (eg OpenBSD 3.0)
+
+o Slightly changed (I hope improved) the whitespace in Nmap output so
+ that messages relating to the same host are kept together (and
+ different hosts different separated by newlines).
+
+o Moved main() function into a new file, cleverly named main.c.
+
+Nmap 2.54BETA32 [2002-04-01]
+
+o Applied Windows pinging fix and from Andy Lutomirski
+ (Luto(a)myrealbox.com)
+
+o Applied a few more Windows fixes from Andy.
+
+o Fixed a flaw in several error-checking statements noted by Giacomo
+ Cariello (jwk(a)bug.it)
+
+o Applied Win32 compilation fixes sent by Kirby Kuehl (kkuehl(a)cisco.com)
+ and jens.vogt(a)bluewin.ch
+
+Nmap 2.54BETA31 [2002-03-20]
+
+o Added ICMP Timestamp and Netmask ping types (-PP and -PM). These
+ (especially timestamp) can be useful against some hosts that do not
+ respond to normal ping (-PI) packets.
+
+o Documented the --data_length option and made it work with all the
+ ICMP ping types (echo request, netmask, and timestamp).
+
+o Added check for strings.h before including it in portlist.c . This
+ fixes a compilation problem on some versions of Windows. Problem
+ first noted by Michael Vorin (mvorin(a)hotmail.com)
+
+o Applied patch from Andy Lutomirski (Luto(a)myrealbox.com) which fixes
+ a crash on some Windows platforms when timeouts occur.
+
+o Fixed "grepable output" (-oG) so that it prints IPID sequence class
+ rather than printing the TCP ISN sequence index twice. Problem
+ noted by Russell Fulton (r.fulton(a)auckland.ac.nz)
+
+o Added mysterious, undocumented --scanflags option.
+
+o Applied patch from Andy Lutomirski (Luto(a)myrealbox.com) which fixes
+ some important Windows bugs. Apparently this can cause a dramatic
+ speedup in some circumstances. The patch had other misc. changes
+ too.
+
+o Fix bug noted by Chris V (iselldrugstokidsonline(a)yahoo.com) in which
+ Nmap could segmentation fault with the (bogus) command: './nmap -sO
+ -p 1-65535 hostname' (protocol only can go up to 255). That being
+ said, Nmap should never segfault just because of bogus options.
+
+o Fixed problem noted by Maximiliano (emax25(a)arnet.com.ar) where Nmap
+ would get stuck in a (nearly) infinite loop when you try to "resume"
+ a random host (-iR) scan.
+
+o Included a number of fingerprint updates, but I still have many more
+ web submissions to go through. Also made some nmap-services
+ portlist updates.
+
+o Included a bunch of fixes (mostly to prevent compiler warnings) from
+ William McVey (wam(a)cisco.com)
+
+Nmap 2.54BETA30 [2001-10-14]
+
+o Added a Document Type Definition (DTD) for the Nmap XML output
+ format (-oX) to the docs directory. This allows validating parsers
+ to check nmap XML output files for correctness. It is also useful
+ for application programmers to understand the XML output structure.
+ The DTD was written by William McVey (wam(a)cisco.com) of Cisco Secure
+ Consulting Services ( http://www.cisco.com/go/securityconsulting ).
+
+o Merged in a number of Windows fixes/updates from Andy Lutomirski
+ (Luto(a)myrealbox.com)
+
+o Merged in fixes/updates (mostly to the Windows functionality) from
+ Matt Hargett (matt(a)use.net)
+
+o Applied patch by Colin Phipps (cph(a)netcraft.com) which correctly
+ encodes special characters in the XML output.
+
+o Applied patch by William McVey (wam(a)cisco.com) which adds the uptime
+ information printed with -O to the XML output format.
+
+o Fixed byte-order bug in Windows packet matching code which caused
+ -PS and -PT to fail. Bug found and patch sent by Tim Adam.
+
+o Fixed segfault problem with "-sU -F". Nobody reported this until I
+ noticed it :(. Anytime you see "Segmentation Fault" in the latest
+ version of Nmap, it is probably a bug -- please mail me the command
+ you used, the OS/platform you are running on, and whether it is
+ reproducable.
+
+o Added a convenience option "-oA (basefilename)". This tells Nmap to
+ log in ALL the major formats (normal, grepable, and XML). You give
+ a base for the filename, and the output files will be base.nmap,
+ base.gnmap, and base.xml.
+
+o Documented the --append_output option which tells Nmap to append
+ scan results to any output files you have specified rather than
+ overwriting the files.
+
+o Integrate TIMEVAL_SEC_SUBTRACT() fix by Scott Renfro (scott(a)renfro.org)
+ which improves timing accuracy.
+
+Nmap 2.54BETA29 [2001-08-10]
+
+o Integrated William McVey's multi-portlist patch. This allows you to
+ specify different port numbers when scanning both TCP & UDP. For
+ example, if you want to UDP for 53,111 and 137 while TCP scanning
+ for 21-25,80,139,515,6000,8080 you could do: nmap -sSU -p
+ U:53,111,137,T:21-25,80,139,515,6000,8080 target.com . Prior to
+ this patch, you had to either use different Nmap executions or scan
+ both UDP & TCP of each port. See the man page for more usage info.
+
+o Added/updated a bunch of fingerprints, including Windows XP release
+ candidates #1 & #2, OpenBSD 2.9, various home gateways/cable modem,
+ MacOS X 10.0.4, Linux 2.4.7, Guantlet Firewall 4.0a, a few Cisco
+ routers, and, most importantly, the Alcatel Advanced Reflexes IP
+ Phone :). Many other fingerprints were updated as well.
+
+o Found and fixed some relatively major memory leaks based on reports
+ sent in by H D Moore (hdm(a)secureaustin.com), mugz
+ (mugz(a)x-mafia.org), and Steven Van Acker (deepstar(a)ulyssis.org)
+
+o Applied patch from Chad Loder (chad_loder(a)rapid7.com) which improves
+ random target host selection (-iR) by excluding more undesirable
+ addresses.
+
+o Fixed portscan timing bug found by H D Moore (hdm(a)secureaustin.com).
+ This bug can occur when you specify a --max_rtt_timeout but not
+ --initial_rtt_timeout and then scan certain firewalled hosts.
+
+o Fixed port number printing bug found by "Stephen Leavitt"
+ (stephen_j_leavitt(a)hotmail.com)
+
+o The Nmap source tarball now extracts with more lenient permissions
+ (sometimes world-readable or world-executable, but never
+ world-writable). If you don't want this, set your umask to 077
+ (which is what I do). Suggested by Line Printer (lps(a)rahul.net)
+
+Nmap 2.54BETA28 [2001-07-28]
+
+o I hope that I have fixed the Libpcap "Unknown datalink type" problem that
+ many people reported. If you still receive this error, please send
+ me the following info:
+ - Full output of Nmap including the command you typed
+ - What OS/OS version you are using
+ - What type of interface is the scan going through (PPP, ISDN, ethernet,
+ PPPoE, etc)
+ - Whether you compiled from source or used the RPM version
+
+o Hopefully fixed Libpcap lex/yacc generated file problem that
+ plagued a few folks.
+
+o Various minor fixes/changes/updates
+
+Nmap 2.54BETA27 [2001-07-20]
+
+o Fixed bug that caused "adding open port" messages to be printed even
+ when verbose mode was not specified (patch sent by Doug Hoyte).
+
+o Fixed bug in zombie:port option parsing in Idlescan as well a few
+ other bugs in patch sent by Germano Caronni (gec(a)acm.org)
+
+o Fixed Windows compilation (I broke it when I added Idlescan).
+
+o Fixed a (Win32 only) port identification bug which would cause some
+ ports to be listed as "unknown" even when Nmap should know their
+ name. This was found at patched by David Griffiths
+ (davidg(a)intrinsica.co.uk).
+
+o Fixed more nmap-os-fingerprints syntax/grammar violations found by
+ Raymond Mercier of VIGILANTe
+
+o Fixed a memory leak in Nbase str*casecmp() functions by applying
+ patch sent by Matt (matt(a)use.net). I plan to kill this whole
+ strcasecmp.c file as soon as possible (it is a mess).
+
+Nmap 2.54BETA26 [2001-07-09]
+
+o Added Idlescan (IPID blind scan). The usage syntax is
+ "-sI [zombie]".
+
+o Fixed a bunch of fingerprints that were corrupt due to violations of
+ the fingerprint syntax/grammar (problems were found by Raymond
+ Mercier of VIGILANTe )
+
+o Fixed command-line option parsing bug found
+ by "m r rao" (mrrao(a)del3.vsnl.net.in )
+
+o Fixed an OS fingerprinting bug that caused many extra packets to be
+ sent if you request a lot of decoys.
+
+o Added some debug code to help diagnose the "Unknown datalink type"
+ error. If Nmap is giving you this error, please send the following
+ info to fyodor@insecure.org : 1) The full output from Nmap
+ (including the command arguments) 2) What OS and OS version are you
+ using 3) What type of adaptor are you using (modem, ethernet, FDDI,
+ etc)
+
+o Added a bunch of IDS sensor/console/agent port numbers from
+ Patrick Mueller (pmueller(a)neohapsis.com)
+
+Nmap 2.54BETA25 [2001-06-04]
+
+o Added a whole bunch of new OS fingerprints (and adjustments) ranging
+ from big important ones (Linux 2.4.X, OpenBSD 2.9, FreeBSD 4.3,
+ Cisco 12.2.1, MacOS X, etc) to some that are more obscure ( such as
+ Apple Color LaserWriter 12/660 PS and VirtualAccess LinxpeedPro 120 )
+
+o Upgraded Libpcap to the latest version (0.6.2) from tcpdump.org. I
+ modified the build system slightly by shipping pre-generated
+ scanner.c/grammer.c (instead of using lex/yacc) and I also upgraded
+ to the newest config.sub/config.guess .
+
+o Fixed some issues with the new Libpcap under Linux (patches will be
+ sent to the developers).
+
+o Added "All zeros" IP.ID sequence classification to account for the
+ new Linux 2.4 scheme which seems to use 0 whenever the DF bit is set
+ (probably a good idea).
+
+o Tweaked TCP Timestamp and IP.ID sequence classification algorithms
+
+Nmap 2.54BETA24 [2001-06-02]
+
+o Fixed compilation problems on MacOS X publis release. Thanks to
+ Nicolas Dawson (nizcolas(a)myrealbox.com) for securing an account for
+ me.
+
+o On the suggestion of the ever-helpful LaMont Jones (lamont(a)hp.com),
+ I obtained the newest config.guess/config.sub from
+ http://subversions.gnu.org/cgi-bin/cvsweb/config and made
+ libpcap/nbase use symlinks rather than copeis of the file
+
+o Applied patch from LaMont Jones (lamont(a)hp.com) which makes Nmap
+ compatible with gcc 3.0 (apparently printf() is a macro in that
+ version)
+
+o Applied patch from Colin Phipps (cph(a)netcraft.com) which fixes a
+ problem that kept UDP RPC scanning from working unless you were also
+ doing a TCP scan.
+
+o Applied a patch from Chris Eagle (cseagle(a)redshift.com) which fixes
+ Windows compilation (I broke it with a recent change).
+
+o Updated Lithuanian translation of man page based on a newer version sent
+ by Aurimas Mikalauskas (inner(a)crazy.lt)
+
+o Killed carriage returns in nmap.c and nmapfe.c, which caused
+ problems for some (SGI) compilers. Problem noted by Artur
+ Niederstebruch (artur(a)sgi.com)
+
+o Updated to latest version of rpc program number list, maintained by
+ Eilon Gishri (eilon(a)aristo.tau.ac.il)
+
+o Fixed a quoting bug in the Nmap man page found by
+ Rasmus Andersson (rasmus(a)pole-position.org)
+
+o Applied RPM spec file changes from "Benjamin Reed"
+ (ranger(a)befunk.com) which allows you to avoid building the frontend
+ by adding "--define frontend 0" to the build command (eg --rebuild,
+ --ba, etc).
+
+Nmap 2.54BETA22 [2001-03-10]
+
+o Eliminated usage of u_int32_t (was causing compilation errors on
+ some Sun and HP boxes). Problem first noted by Nick Munger
+ (nmunger(a)Oswego.EDU) and Ralf Hildebrandt
+ (Ralf.Hildebrandt(a)innominate.com) and Antonin Sprinzl
+ (Antonin.Sprinzl(a)tuwien.ac.at)
+
+o Defined integer-width typedefs such as u32/s32/u16/etc. in Nbase.
+ Went through much of the Nmap code and substituted these in where
+ correct lengths are important (port numbers, IP addresses, etc).
+
+Nmap 2.54BETA21 [2001-03-09]
+
+o Cleaned up a few build/distribution issues that were reported by
+ LaMont Jones (lamont(a)hp.com)
+
+o Fixed compiler warning noted by Gabor Z. Papp (gzp(a)papp.hu) )
+
+Nmap 2.54BETA20 [2001-03-05]
+
+o Added TCP Timestamp sequence checking for OS detection and
+ Netcraft-style uptime tests.
+
+o Found and fixed (I hope) byte alignment problem which was causing
+ bus errors on SPARC64 ( reported by H D Moore
+ (hdm(a)secureaustin.com) and Matthew Franz (mfranz(a)cisco.com) )
+
+o Apple Darwin (Mac OS X) 1.2 portability patch from Rob Braun
+ (bbraun(a)synack.net)
+
+o Added IPID sequence number predictability report (also now used in
+ OS detection).
+
+o Show actual IPID, TCP ISN, and TCP timestamp values in XML format
+ output rather than just the cooked results.
+
+o Suppress IPID and TCP ISN predictability report unless you use -v
+ (you need -O as well).
+
+o Applied Solaris 8 compilation fixes from Germano Caronni (
+ gec(a)acm.org )
+
+o Applied configure.in variable name typo fixes from Christian
+ Weisgerber (naddy(a)openbsd.org)
+
+o Applied some more changes from Andy Lutomirski
+ (Luto(a)mailandnews.com) which provides better detection and
+ reporting from some heinous errors.
+
+o Added -n and -R (always/never DNS resolve) options to the man page.
+
+Nmap 2.54BETA19 [2001-01-02]
+
+o I ported NmapFE to Windows so that Win32 users can use the graphical
+ interface. It generally works, although I haven't tested much.
+ Patches welcome!
+
+o Various little fixes and cleanups, especially to the Windows port.
+
+o Applied patch from Andy Lutomirski (Luto(a)mailandnews.com) which
+ enhances some of the Win* error messages and adds the --win_trace
+ debugging option.
+
+o Applied some patches from Jay Freeman (saurik(a)saurik.com)
+ - New --data_length option adds indicated number of random data
+ bytes to send with scan packet and tcp ping packet (does not
+ currently work with ICMP ping packet). Does not affect OS
+ detection, RPC, or connect() scan packets.
+ - Windows portability fixes
+ - Various other little fixes.
+
+o Renamed rpc.h and error.h because they conflict with Windows include
+ files. By the way, this was a pain to figure out because VC++ is
+ such a crappy compiler! It basically just says problem in
+ "foobar.h" without giving you any idea how foobar.h got included!
+ gcc gives you a nice message tracing the chain of include files!
+
+Nmap 2.54BETA16 [2000-12-07]
+
+o Upgraded to latest version of WinPcap ( 2.1-beta )
+
+o Merged in Windows port code from Ryan Permeh ( ryan(a)eeye.com) and
+ Andy Lutomirski ( Luto(a)mailandnews.com ).
+
+o Took out C++ compiler test from nbase configure script. It was
+ inserted accidently, but I found it interesting that only 2 people
+ complained about this causing them problems. I guess most everyone
+ already has C++ compilers.
+
+o Applied patch from Steve Bleazard (steve(a)bleazard.com) which fixed
+ bug in internal Smoothed Round Trim Time calculations.
+
+o Fixed CFLAGS computation error in configure. Problem discovered and
+ patched by Fredrik Lundholm (exce7(a)ce.chalmers.se)
+
+o Added more debugging code for "Unknown datalink type" error -- if
+ you get this, please send me the full error msg including hex
+ values.
+
+o Added Portuguese man page translations from Antonio Pires de Castro
+ Junior (apcastro(a)ic.unicamp.br).
+
+o Capitalized all references to God in error messages.
+
+Nmap 2.54BETA7 [2000-10-08]
+
+o Applied patch from Hubert Feyrer
+ (hubert.feyrer(a)informatik.fh-regensburg.de) which adds support for
+ the new NetBSD DLT_PPP_* types.
+
+o Updated to Eilon Gishri's (eilon(a)aristo.tau.ac.il) newest version
+ of nmap-rpc at ftp://ftp.tau.ac.il/pub/users/eilon/rpc/rpc
+
+o Moved a bunch of the scanning engine related functions to new files
+ (scan_engine.c and scan_engine.h ). Timing functions were moved to
+ the new timing.c/timing.h . Other stuff was shifted to
+ tcpip.c/tcpip.h. At some point, nmap.c will only contain the Nmap
+ command line UI.
+
+o Updated Russian version of man page from Alex Volkov (topcat(a)nm.ru)
+
+Nmap 2.54BETA6 [2000-10-08]
+
+o Added XML output (-oX). Hopefully this will help those of you
+ writing Nmap front ends and other tools that utilize Nmap. The
+ "machine-readable" output has been renamed "grepable" (-oG) to
+ emphasize that XML is now the preferred machine-readable output
+ format. But don't worry if your tool uses -oM , that format (and
+ the deprecated -oM flag) won't go away any time soon (if ever).
+ Thanks to Stou Sandalski (tangui(a)cell2000.net) and Fredrick Paul
+ Eisele (phreed(a)gmail.com) for sending proposals that inspired the
+ format used.
+
+o Applied patch from Stefan Rapp (s.rapp(a)hrz.uni-dortmund.de) which
+ fixes a variable argument integer promotion problem in the new
+ snprintf compatibility file. This is important for Redhat 7
+ systems.
+
+o Reorganized output-related routines so that they now reside in
+ output.c & output.h. Let me know if I accidently screwed up the
+ behavior of any scan types in the process.
+
+Nmap 2.54BETA5 [2000-09-17]
+
+o Revamped the 'compatibility libraries' subsystem. Moved all of that
+ to a new library called 'libnbase' and changed Nmap and NmapFE to
+ use that. I included a better version of *snprintf and some other
+ compatibility files. Obviously I cannot test these changes on every
+ whacked OS that needs this compatibility cruft, so please let me
+ know if you run into compilation problems.
+
+o Fixed a problem found by Martyn Tovey (martyn(a)netcraft.com) when
+ using Nmap on platforms that dislike division by zero.
+
+o Removed 128.210.*.* addresses from Nmap man page due to complaints
+ from Purdue security staff.
+
+o Fixed FreeBSD (some versions) compilation problem found by Martyn
+ Tovey (martyn(a)netcraft.com)
+
+Nmap 2.54BETA4 [2000-09-04]
+
+o Upgraded to the very latest Libpcap version ( the 9/3/00 CVS
+ snapshot ). This version is from the tcpdump.org group rather than
+ the Lawrence Livermore crew. The most important advantage is Linux
+ Socket Filter support (so you won't have that annoying syslog
+ message about Nmap using the obsolete SOCK_PACKET interface).
+
+o I tried to install Nmap on yet another machine without lex/yacc or
+ flex/bison. That was the last straw! I am now shipping the
+ generated C files, which eliminates the lex/yacc requirement.
+
+o Applied patch by Jay Freeman (saurik) (saurik(a)saurik.com) to make
+ Nmap C++-clean (this was lot of tedious work! Thanks!). Note that
+ Nmap still uses a normal C compiler by default, but Nmap derivatives
+ may appreciate C++ compatibility. Note that this only applies to
+ "Nmap proper", not libpcap.
+
+o Added a HACKING file for people who want to help with Nmap
+ development. It describes preferred patch formats, development
+ resources, and offers a number of useful changes that would likely
+ be accepted into the main tree.
+
+o Fixed a configure.in error found by Vacuum
+ (vacuum(a)technotronic.com) which could cause compilation errors.
+
+o Fingerprint file adjustments for better Win* detection
+
+o Ensure libpcap is not configured and/or installed if you already
+ have a "new enough" version (0.4a6+) installed.
+
+o Included Italian translation of Nmap man page from Giorgio Zoppi
+ (deneb(a)supereva.it) .
+
+o Fixed a SYN scan problem that could cause a major slowdown on some
+ busy networks.
+
+o Fixed a crash problem in NmapFE reported by sverre ( sverre(a)gmx.net )
+
+o Added an "SInfo" line to most printed fingerprints. It looks
+ similar to this:
+ SInfo(V=2.54BETA4%P=i686-pc-linux-gnu%D=9/4%Time=9681031%O=7%C=1)
+ and contains information useful when fingerprints are reported (Nmap
+ version/platform, scan date, and open/closed ports used)
+
+o Fixed RPCGrind (-sR) scan. It has been almost completely broken
+ since 2.54BETA2 (which has been out for two weeks) and nobody
+ reported it! I noticed the problem myself during testing of
+ something else. I am disappointed that nobody bothered to even let
+ me know that this was broken. Does anyone even use RPC Scan?
+
+o Various other small fixes/improvements
+
+Nmap 2.54BETA3 [2000-08-14]
+
+o Went through and added/adjusted a bunch of fingerprints. A lot of
+ people submitted Windows Millenium Edition (WinME) beta
+ fingerprints, but nobody submitted IPs for them. So please let me
+ know if this version detects your WinME boxes.
+
+o Applied NmapFE patch from Michael Fischer v. Mollard (mfvm(a)gmx.de)
+ which made did the following:
+ - Added delete event so that NmapFE always quits when you kill it
+ with your window manager
+ - added the menubar to the vbox instead to the fixed widget
+
+o Various small fixes/improvements
+
+Nmap 2.54BETA2 [2000-08-01]
+
+o Added a shortcut which can make single port SYN scans of a network
+ much faster. For example, if a new sendmail vulnerability is found,
+ this reduces the time it takes to scan your whole network for port
+ 25. This shortcut takes effect when you do "-PS[port] -sS
+ -p[port]". For example 'nmap -n -sS -p25 -PS25 24.0.0.0/8". This
+ optimization doubled the scan speed in a 30,000 IP test I performed.
+
+o Added -sL (List scan). Just as ping scan (-sP) allows you to short
+ circuit the scan right after pinging, -sL allows you to short
+ circuit the scan right after target selection. This allows you to
+ see what hosts WOULD be scanned without actually doing it. The
+ hosts will be resolved unles you use -n. Primary uses:
+ - Get all the IPs in a network (like A.B.C.D/16) and take out
+ machines that are too fragile to be scanned safely before
+ calling Nmap with the new list (using -iL).
+ - Test that a complex spec like 128.4,5,7-9.*.7 does what you
+ expect before actual scanning.
+ - When all you want to do is resolve a bunch of IPs.
+ - You just want results of a zone transfer (if it is implemented).
+
+o Added some new fingerprints and adjusted some others based on
+ submissions to the DB (I still have a lot more to go through so
+ don't worry if your submission is still not detected).
+
+o Added a warning when you scan 0 hosts (eg "nmap -v"). There are
+ various other output tweaks as well.
+
+o Ensured that 0.0.0.0 can be scanned by nmap (although on some OSs,
+ like Linux, it won't work due to what seem to be kernel bugs). Oh
+ well. I'll look into it later.
+
+Nmap 2.54BETA1 [2000-05-29]
+
+o Added an extremely cool scan type by Gerhard Rieger ( rieger at
+ iue.tuwien.ac.at ) -- IP Protocol scanning. Basically it sends a
+ bunch of IP headers (no data) with different "protocol" fields to
+ the host. The host then (usually) sends back a protocol unreachable
+ for those that it does not support. By exclusion, nmap can make a
+ list of those that are supported. This is similar in concept to
+ (and is implemented using most of the same scanning routines as) UDP
+ scanning. Note that some hosts do not send back protocol
+ unreachables -- in that case all protocols will appear "open".
+
+o Fixed an uninitialized variable problem in NmapFE (found by Alvin
+ Starr (alvin at iplink.net )
+
+o Fixed a packaging problem that lead to the Nmap man page being
+ included twice in the .tgz .
+
+o Fixed dangling nroff include in xnmap man page (noted by Debian Nmap
+ package maintainer LaMont Jones (lamont(a)security.hp.com)
+
+o Give a warning when no targets at all are specified
+
+o Updated 'make uninstall' so that it deletes all relevant files
+
+o Included latest nmap-rpc from Eilon Gishri (eilon at aristo.tau.ac.il)
+
+o Eliminated -I. from Nmap's and NmapFE's makefiles (suggested by "Jay
+ Freeman (saurik)" (saurik at saurik.com)
+
+o Added Russian documentation by Alex Volkov
+
+o Added Lithuanian documentation from Aurimas Mikalauskas (inner(a)dammit.lt)
+
+Nmap 2.53 [2000-05-08]
+
+o Fixed a commenting issue that could cause trouble for non-GNU
+ compilers (first found by Jan-Frode Myklebust (janfrode at
+ parallab.uib.no))
+
+o A few new services to nmap-services
+
+Nmap 2.52 [2000-05-03]
+
+o Added very simple man pages for xnmap/nmapfe (lack of man pages for
+ these was noticed by LaMont Jones (lamont(a)hp.com), the Debian Nmap
+ package maintainer, based on bug report by Adrian Bunk
+ (bunk(a)fs.tum.de ).
+
+o Fixed a "Status: Down" machine name output problem in machine
+ parseable logs found by Alek O. Komarnitsky (alek(a)ast.lmco.com)
+
+o Took some wierd files out of the doc directory (cd, grep, vi, and
+ .swp)
+
+o Fixed some typos found by Thomas Klausner (wiz(a)danbala.ifoer.tuwien.ac.at)
+
+o Updated nmap-rpc with new entries found in the latest version of
+ Eilon Gishri's rpc list.
+
+Nmap 2.51 [2000-04-29]
+
+o Fixed target parsing bug found by Steve Horsburgh (shorsburgh(a)horsburgh.com).
+
+o Changed makefile/rpm to store fingerprint, rpc, and services file in
+ $prefix/share/nmap rather than $prefix/lib/nmap , since these files
+ are architecture independent. You should now use ./configure
+ --datadir instead of ./configure --libdir to change the default
+ location. Suggested by Thomas Klausner
+ (wiz(a)danbala.ifoer.tuwien.ac.at).
+
+o I am now including Eilon Gishri's (eilon(a)aristo.tau.ac.il) rpc
+ number list (which he recently merged with the Nmap 2.50 rpc list).
+
+o Included Spanish and French HTML versions of the Nmap man page (may
+ not always be up to date).
+
+Nmap 2.50 [2000-04-28]
+
+o Fixed an IP calculation error which could occur in some cases where
+ you scan machines on different devices (like lo and eth0). This
+ problem was discoved by Jonathan Fine (jfine(a)psu.edu).
+
+o Fixed a problem that could, in rare cases, cause a SYN scan scan to
+ crash (the error message was "attempt to add port number X with
+ illegal state 0"). This problem was reported by Erik Benner
+ (erik(a)xyzzy.net)
+
+o Changed the .spec file so that RPM versions create a xnmap link to
+ nmapfe ( the normal make install has done this for a long time ).
+
+Nmap 2.3BETA21 [2000-04-24]
+
+o A number of people reported problems with nmapfe in various
+ environments (specifically gdk errors, hangs, and crashes). I think
+ that is now fixed. Let me know if you still have the problem (make
+ sure the title bar says BETA21).
+
+o Added a bunch of OS fingerprints based on all the contributions in
+ the last month or so.
+
+o Fixed a bug that completely broke RPC scanning in BETA19.
+
+o Added list of ports scanned near the top of each machine log WHEN
+ -v was specified. Here is an example of the format:
+ # Ports scanned: TCP(13;1-10,22,25) UDP(0;)
+ The "13" above is the number of TCP ports being scanned.
+
+o Got rid of a snprintf() from nmapfe sine some systems don't have it
+ :( and I'm to lazy to integrate in the snprintf that comes with nmap
+ right now.
+
+o Fixed important target IP range parsing bug found by Jean-Yves Simon
+ ( lethalwp(a)linuxbe.org ).
+
+o Applied patch by albert chin (china at thewrittenword.com) which
+ adds --with-libpcap[=DIR] option to configure and and adds an
+ elegant approach for -lnsl and -lsocket checking to configure .
+
+o Fixed a bug which could cause Nmap to mark a port filtered based on
+ ICMP dest. unreachable packets relating to a different host than the
+ one being scanned.
+
+o Fixed output problem relating to ident scan noted by Peter Marschall
+ ( peter.marschall at mayn.de )
+
+o Applied patch to services.c by Andrew Brown (atatat(a)atatdot.net)
+ which prevents some useless debugging (-d) output when reading some
+ kindss of /etc/services files.
+
+o Added "Host: [machinename] (ip) Status: Down" to machine logs when
+ the verbose option is given (just like down hosts are reported to
+ stdout when verbose is given). Suggested by Alek Komarnitsky.
+
+o Applied NetBSD compatibility patch provided by Mipam (reinoud at
+ ibbnet.org) which changes an autoconf macro to check for
+ getopt_long_only instead of getopt_long.
+
+o Nmap used to print an inaccuracy warning when no open TCP ports were
+ found on the target machine. Due to a bug, this was not always
+ being printed. Problem found by Matt (matt at use.net) and Ajay
+ Gupta2 (Ajay.Gupta2 at ey.com).
+
+o Added the number of ports in the ignored state right after the state
+ name in machine parseable logs. It used to looke like: "Ignored
+ State: closed" whereas now it looks like: "Ignored State: closed
+ (1508)" Meaning that 1508 ports were closed and thus are not
+ specifically enumerated.
+
+o Changed all nmapfe calls to gdk_font_load into gdk_fontset_load .
+ Bennett Feitell (bfeitell at panix.com) suggested that this fixed
+ some nmapfe font problems.
+
+Nmap 2.3BETA20 [2000-04-10]
+
+o Applied patch sent in by s.rapp(a)hrz.uni-dortmund.de which fixes a
+ memory alignment bug in osscan.c which could cause core dumps on
+ machines which require aligned access (like SPARC).
+
+o Fixed a compilation problem on machines that do not have MAP_FAILED
+ defined (as a return value to mmap). Problem noted by Phil
+ Stracchino (alaric(a)babcom.com).
+
+Nmap 2.3BETA19 [2000-04-10]
+
+o Tweaked the output so that it now tells how many ports are not shown
+ and what state the ignored ports are in. This info could be
+ inferred before by people who had studied the manpage, but now the
+ info is explicitly available. I cleaned up a bunch of stuff
+ internally to make this happen. I hope I didn't break anything!
+
+o Changed NmapFE so that it always kills any running Nmap process when
+ you press exit. Problem noted by Marc Renner
+ (mrenner(a)ci.marysville.wa.us)
+
+o Apparently some Linux (glibc) systems now come with a "strcasestr"
+ function. So I have made autoconf look for this and use the native
+ version if supported (problem noted by Sami Farin
+ (sfarin(a)ratol.fi)).
+
+o Added a new attribute "Ignored State: xxx" to the machine parseable
+ logs, where xxx is the state (closed, filtered, or UNfiltered) that
+ is being ignored. Ports in that state are not listed (they weren't
+ listed in earlier versions either). Perhaps I should list ALL ports
+ for machine parseable output. Opinions?
+
+o Merged in a patch sent in by Mipam (reinoud(a)ibbnet.org) which is
+ apparently part of the OpenBSD Nmap "port". Although Nmap seems to
+ work fine for me on my OpenBSD 2.4 box, a couple OpenBSD users have
+ complained of problems. Hopefully this will help (it adds DLT_LOOP
+ and DLT_ENC offset cases when reading from libpcap).
+
+o A few really minor bugfixes.
+
+Nmap 2.3BETA18 [2000-04-06]
+
+o Fixed a very important bug that occurred when SYN scanning
+ localhost. Many thanks to Dries Schellekens (
+ gwyllion(a)ace.ulyssis.student.kuleuven.ac.be ) for first reporting
+ the problem.
+
+o Uros Prestor from TurboLinux informed us that the latest versions of
+ Nmap work with Linux on the upcoming Intel Merced/Itanium IA-64
+ processors. He also said that the TurboLinux distribution includes
+ Nmap. Kudos to them! As well as the other distros that support
+ Nmap (Debian, Red Hat, Suse, Trinux) and of course FreeBSD, NetBSD,
+ & OpenBSD. Does anyone know if Nmap ships with the latest from
+ Mandrake or Corel? The latest Solaris includes some Free software.
+ If anyone can get them to ship Nmap, I will buy you a case of beer
+ :).
+
+o Added a #define to change vsnprintf to vsprintf on machines which do
+ not support the former (mostly Solaris 2.5.1 and earlier). This
+ function is less safe. For people who care about security, we
+ recommend an upgrade to Solaris 8 (or Linux/*BSD).
+
+o Changed the NmapFE version to 0.[nmap_version] rather than always
+ leaving it at 0.9.5 (which was confusing). Thanks to J.D.K. Chipps
+ (jdkc(a)woptura.com) for noticing this.
+
+o Added support for "-vv" (means the same as "-v -v"). Older versions
+ of Nmap supported it (noted by George Kurtz).
+
+Nmap 2.3BETA17 [2000-03-26]
+
+o Added ACK scanning. This scan technique (which van Houser and
+ others have been bugging me to add for years :), is great for
+ testing firewall rulesets. It can NOT find open ports, but it can
+ distinguish between filtered/unfilterd by sending an ACK packet to
+ each port and waiting for a RST to come back. Filtered ports will
+ not send back a RST (or will send ICMP unreachables). This scan
+ type is activated with -sA .
+
+o Documented the Window scan (-sW) which Lamont Granquist added in
+ September 99.
+
+o Added a whole bunch of OS fingerprints that people have submitted.
+
+o "Protocol" field in output eliminated. It is now printed right next
+ to the number (/etc/services style). Like "22/tcp". I wonder what
+ I should put in the extra white space this leaves on the report :).
+
+o Added --resume option to continue a large network scan where you
+ left off. This is useful for recovering from errors (modem drops
+ carrier, network outage, etc). It also allows you to start and stop
+ for policy reasons (like if a client only wants you to scan on
+ weekends or at night) or if you want to run the scan on a different
+ host. Usage is 'nmap --resume logfile' where logfile can be either
+ normal (-oN) or machine parseable (-oM) logfile from the scan that
+ was aborted. No other options can be given (the options in the
+ logfile from the original scan will be used). Nmap will start off
+ with the host after the last one successfully scanned in the log
+ file.
+
+o Added --append_output option which causes -oN/-oM/-oS to APPEND to
+ the output file you specify rather than overwriting it.
+
+o Various internal code cleanup, makefile fixes, etc.
+
+o Changed version number from 2.3BETA* to 2.30BETA* to appease various
+ packaging systems that thought 2.3BETA was < 2.12 .
+
+o Nmap output to files now correctly flushes output after scanning for
+ each host is finished.
+
+o Fixed compiler -L flags error found by Ralf Hildebrandt
+ (R.Hildebrandt(a)tu-bs.de)
+
+o Fixed configure scripts so that options you give to the Nmap
+ configure (like --prefix ) are also passed to the nmapfe configure
+ script. This problem was noted by Ralf Hildebrandt
+ (R.Hildebrandt(a)tu-bs.de). While I was at it, I added some other
+ cleanups to the system.
+
+o Added --noninteractive option for when nmap is called from scripts
+ (where stuff like prompting users for info is unacceptable). It
+ does not currently do anything (Nmap never prompts) and script
+ writers should probably wait until at least May '2000 so their
+ scripts still work with earlier versions of Nmap.
+
+o Updated to the latest config.guess and config.sub from Autoconf 2.13
+
+o Applied patch by Sven (s.carstens(a)gmx.de> which fixes a
+ segmentation fault problem in Nmapfe colored mode as well as some
+ output niceties.
+
+o Changed some C++ comments to C-style for portability (noticed by
+ "Sergei V. Rousakov" (sergei(a)cas.Vanderbilt.Edu) )
+
+Nmap 2.3BETA14 [2000-01-28]
+
+o Peter Kosinar (goober(a)gjh.sk) performed some cleanup of the output
+ routines and as a bonus he added skript kiddie output mode!!! Try
+ it out by adding "-oS - " to your nmap command line. Note that
+ using '-' to represent stdout instead of a filename is something you
+ can do with any of the output modes.
+
+o Ensured that Nmap always gives up on ident scan after the first port
+ attempt finds it to be closed (problem noticed by Matt
+ (matt(a)use.net))
+
+o Changed strsep's in nmapfe to more portable strtok's (should
+ especially help Nmapfe compiles on Solaris)
+
+o Changed permutation algorithm to make port order and host order
+ shuffling more random.
+
+o Various minor changes and internal code cleanup.
+
+o Fixed integer overflow that was limiting the max --host_timeout
+ value to about 2,000,000 milliseconds (~1/2 hour). The limit is now
+ about 4,000,000,000 milliseconds (~1 month). I really hope you
+ don't need more than that :).
+
+Nmap 2.3BETA13 [2000-01-17]
+
+o I made Nmap smarter about detecting filtering during UDP, Xmas,
+ NULL, and FIN scans.
+
+o Updated Nmapfe to 0.9.5 (+ a patch from NmapFE author Zach Smith)
+
+o Fixed a problem where NmapFE would fail to honor $PATH (Noticed by
+ K. Scott Rowe (kscott(a)nmt.edu)
+
+o Added a couple ICMP unreachable messages Nmap was missing (found by
+ Bifrost (bifrost(a)minions.com)).
+
+o Internal cleanup that improves the way some port lists are stored.
+
+o Added some more RPC numbers from (mmmorris(a)netscape.net)
+
+o Relaxed the dependency requirements of nmapfe rpm (now will accept
+ any version of Nmap).
+
+Nmap 2.3BETA12 [2000-01-01]
+
+o Added interactive mode which adds convenience for managing nmap
+ sessions and also enhances privacy. Get to it with --interactive
+ and then type 'h' for help.
+
+o Added/modified many fingerprints including the latest 2.3.X Linux
+ releases, the latest Win2000 builds, the Apple Airport Wireless
+ device, and several dozen more.
+
+o Migrated to RPM .spec file sent in by Tim Powers
+ (timp(a)redhat.com). That is the file they will be using to package
+ Nmap with the power tools CD in the next Redhat release. The most
+ important changes are that Nmap (only the RPM version) now installs
+ in /usr/* instead of /usr/local/* and the frontend is now
+ dynamically linked with GTK and comes in a separate rpm.
+
+o The -i (input from list) option has been deprecated. From now on
+ you should use -iL [filename] to read from a list or -iR to have
+ Nmap generate random IPs to scan. This -iR option is new.
+
+o The -o and -m options have been deprecated. From now on, you should
+ use -oN for normal (human readable) output and -oM for machine
+ parseable output. At some point I might add -oH (HTML output) or
+ -oSK (sKr|pt kiDdi3 0uTPut).
+
+o Added --randomize_hosts option, which causes hosts be be scanned in
+ non-sequential order. This makes scans less conspicuous. For
+ efficiency reasons, the hosts are chopped into groups of 2048 and
+ then each group is internally shuffled (the groups still go in
+ order).
+
+o Rearranged the help ('nmap -h' or 'nmap' or 'nmap --help') screen to
+ be shorter (37 -> 23 lines!) and include some of the new features of
+ this release. The man page was updated as well.
+
+o Fixed longstanding bug where nmap -sS mylocalnetwork/24 would not
+ successfully scan the host running nmap.
+
+o Internal improvements to make scanning faster with -i (input list)
+ or when you specify multiple machines on the command line.
+
+o Uses faster GCD algorithm and fixed several typos (sent in by Peter
+ Kosinar).
+
+o Provide more information in machine/human readable output files
+ (start time, end time, RPC program name, Nmap version number)
+
+o Killed the -A option (if you don't know what that is then you won't
+ miss it. In fact, even if you do know what it is you won't miss
+ it.)
+
+Nmap 2.3BETA10 [1999-12-12]
+
+o Added about 70 new OS fingerprints so that Nmap can detect more
+ systems. The most important new fingerprints are probably:
+ * The new SP5+ NT boxes -- After all these years MS FINALLY made
+ sequence prediction harder (on NT anyway).
+ * Solaris 8 Pre-Release
+ * Sega Dreamcast (Hack that!)
+ * Latest Windows 2000 builds
+ * OpenBSD 2.6
+
+Nmap 2.3BETA9 [1999-12-07]
+
+o Applied patch by Mark Abene (Phiber Optik) to fix several type
+ length issues so that it works on Linux/Alpha.
+
+o Applied patch by Matthieu Verbert (mve(a)zurich.ibm.com) to speed up OSScan
+
+Nmap 2.3BETA8 [1999-11-21]
+
+o Added "firewall mode" timing optimizations which can decrease the
+ ammount of time neccessary to SYN or connect scan some heavily
+ filtered hosts.
+
+o Added min_rtt_timeout timing option (see man page for details)
+
+o Changed "TCP Ping" to use a random ACK value rather than 0 (an IDS
+ called Snort was using this to detect Nmap TCP Pings).
+
+o Some changes for better Alpha/Linux support based on investigation
+ by Bill Beers (wbeers(a)carolina.rr.com)
+
+o Applied changes for FDDI support by Tobias J. Nijweide (tobias(a)mesa.nl)
+
+o Applied a socket binding patch from LaMont Jones
+ (lamont(a)security.hp.com) which can be useful when using -S to
+ specify one of multiple interfaces on a machine.
+
+o Made OS detection smart enough to first check scan results for a
+ known closed port instead of immediately resorting to a random one.
+ This improves OS detection against some machines behind packet
+ filters (suggested by van Hauser).
+
+o Applied a shortcut suggestion by Thomas Reinke which can lead to a
+ tremendous speedup against some firewalled hosts.
+
+o Added some ports commonly used for RPC to nmap-services
+
+o Fixed a problem with the timing of an RPC scan (could come before
+ the UDP scans they rely on)
+
+o Added a number of new ports to nmap-services
+
+Nmap 2.3BETA6 [1999-09-19]
+
+o Added sophisticated timing controls to give the user much more
+ control over Nmap's speed. This allows you to make Nmap much more
+ aggressive to scan hosts faster, or you can make Nmap more "polite"
+ -- slower but less likely to wreak havoc on your Network. You can
+ even enforce large delays between sending packets to sneak under IDS
+ thresholds and prevent detection. See the new "Timing Options"
+ section of the Nmap man page for more information on using this.
+
+o Applied Lamont Granquist's (lamontg(a)u.washington.edu) Window scan
+ patch (I changed the name from ACK scan to Window scan since I may
+ add another scan that uses ACK packets and I don't want them to be
+ confused). -sW activates this scan type. It is mostly effective
+ against BSD, AIX, Digital UNIX, and various older HP/UX, SunOS, and
+ VAX (See nmap-hackers mailing list archives for an extensive list).
+
+o Added various long options people expect to see like --version ,
+ --help , --usage , etc. Some of the new timing options are also long.
+ I had to add getopt_long C files since most non-Linux boxes don't
+ support getopt_long in libc.
+
+o Human readable (-o) output changed to include the time/date of the
+ scan. Suggested by van Hauser.
+
+Nmap 2.3BETA5 [1999-09-07]
+
+o Changed RPC output based on suggestions by David O'Brien
+ (obrien(a)NUXI.com) and Lance Spitzner (lance(a)spitzner.net). I
+ got rid of the "(Non-RPC)" unnecessary clutter which appeared after
+ each non RPC port and the "(untested)" that appeard after each
+ "filtered" port.
+
+o Added a ton of new OS fingerprints people submitted. I had about
+ 400 in my inbox. Of course, almost 100 of them were submissions for
+ www.windows2000test.com :).
+
+o Changed the machine parseable output of RPC information to include
+ the version information. If we figured out the RPC info, it is now
+ provided as "program-num*lowversion-highversion". If we didn't get
+ the number, but we think the port is RPC, the field simply contains
+ "R". If we believe the port is NOT RPC, then the field contains
+ "N". If the field is empty, we did not RPC scan the port. Thanks
+ to H D Moore (nlog(a)ings.com) for making me aware how much the
+ earlier machine parseable RPC logging sucked :).
+
+Nmap 2.3BETA4 [1999-08-30]
+
+o Added direct (non-portmapper) RPC scanning to determine what RPC
+ program is listening on a particular port. This works for UDP and
+ TCP ports and is currently implemented using sockets (which means
+ you can't use decoys, but on the other hand you don't have to be
+ root). Thanks go to ga (ga(a)capyork.com) for writing sample code
+ to demonstrate the technique. The RPC services list included with
+ nmap was compiled by Vik Bajaj (vbajaj(a)sas.upenn.edu) with help
+ from various members of the nmap-hackers list.
+
+o Fixed a problem that could cause freezes when you scan machines on
+ at least two different types of interfaces as part of the same
+ command.
+
+o Identified and found workaround for Linux kernel bug which allows
+ connect() to sometimes succeed inapropriately when scanning closed
+ ports on localhost.
+
+o Fixed problems relating to people who specify the same port more
+ than once on the command line. While the right answer is "well,
+ don't do that!", I decided to fix nmap to handle this gracefully.
+
+o Tweaked UDP scanning to be more effective against Solaris ICMP error
+ limiting.
+
+o Fixed strtol() integer overflow problem found by Renaud Deraison
+ (deraison(a)cvs.nessus.org)
+
+o The HTML translation of the Man page at
+ https://nmap.org/book/man.html should now be
+ complete (man2html was dropping lines before).
+
+o Added a note in the man page that Nmap 2.0+ is believed to be
+ COMPLETELY Y2K COMPLIANT! I've been getting a lot of letters from
+ laywers about that recently. You should still be able to port scan
+ on Jan 1st (well ... as long as you have electricity and gangs of
+ looting thugs haven't stolen your computers :)
+
+Nmap 2.2-Beta4 [1999-05-07]
+
+o Integrated nmapfe code from Zach Smith to allow the nmapfe output
+ window to resize when you resize the nmapfe window.
+
+o Integrated patch sent in by Stefan Erben (stefan(a)erben.com) which
+ allows nmap to recognize and ignore null interfaces. If you were
+ getting a bogus error like "eth0 not found in /proc/net/route" then
+ this should solve your problem.
+
+o Applied patch from Alexander Savelyev (fano(a)ham.kiev.ua) which
+ gives nmap the parameters necessary to support SLIP and PPP on BSDI
+ systems.
+
+o Upgraded to a new version of shtool (1.2.3)
+
+Nmap 2.2-Beta3 [1999-05-02]
+
+o Adopted Ralf S. Engelschall's excellent shtool script for
+ simplifying the nmap makefile and making it more portable
+
+o Various other minor changes to nmapfe.
+
+Nmap 2.2-Beta2
+
+o Cleaned up build environment more, fixed up RPM and Makefile.in,
+ eliminated the automake stuff.
+
+o Added nmapfe feature to show nmap command as you change options
+
+o Changed nmapfe to use a global MyWidgets struct rather than tons of
+ global vars all over the place.
+
+o Made nmapfe much smarter about rejecting stupid option attempts. It
+ now tries to correct things when you specify illegal options.
+
+o GTK+ 1.0 compatibility fixes
+
+o Integrated nmapfe changes from Zach
+
+Nmap 2.2-BETA1
+
+o Integrated in nmapfe -- a cool front end wrottem by Zach Smith (matrxweb(a)hotmail.com)
+
+Nmap 2.12 [1999-04-04]
+
+o Changed the way tcp connect() scan determines the results of a
+ connect() call. Hopefully this will make nmap a little more
+ portable.
+
+o Got rid of the security warning message for people who are missing
+ /dev/random and /dev/urandom due to complaints about the warning.
+ This only silences the warnings -- it still uses relatively weak
+ random number generation under Solaris and other systems that lack
+ this functionality.
+
+o Eliminated pow() calls on Linux boxes. I think some sort of glibc
+ bug was causing nmap to sigsegv in some cases inside of pow(). Most
+ people weren't affected, but those who were would almost always
+ SIGSEGV with -O.
+
+o Fixed an rpm problem noted by Mark Smith (marks(a)senet.com.au)
+
+Nmap 2.11 [1999-04-03]
+
+o Many new fingerprints added. I received more than 300 submissions
+ between this release and the last one.
+
+o Fixed IRIX problems which prevented OS scanning from working on that
+ platform. The problem was researched and solution found by Lamont
+ Granquist (lamontg(a)u.washington.edu). You can also thank him for
+ porting nmap to almost every UNIX around.
+
+o Added support for '-m -' to redirect machine readable logs to stdout
+ for shell pipelining, etc. I also changed machine readable output
+ to show service names now that we use a nmap specific services file
+ rather than /etc/services. These features were suggested by Dan
+ Farmer. You can also thank him for SATAN (the auditing tool).
+
+o Fixed a link-list bug that could cause hangs in UDP,FIN,NULL, and
+ XMAS scans. Also fixed a ptr problem that could cause SIGSEGV.
+ These problem were discovered and tracked down by Ben Laurie
+ (ben(a)algroup.co.uk). You can also thank him for Apache, OpenSSL,
+ and Apache-SSL.
+
+o Fixed installation problem for people without a /usr/local/man/man1
+ directory. Found by Jeffrey Robertson (a-jeffro(a)microsoft.com).
+ I guess you can thank him for Win98 ;).
+
+o Several other little fixes to the installation script and minor
+ scanner tweaks.
+
+Nmap 2.10
+
+o Private test release
+
+Nmap 2.09
+
+o Private test release
+
+Nmap 2.08 [1999-02-16]
+
+o Bugfix for problem that can cause nmap to appear to "freeze up" for
+ long periods of time when run on some busy networks (found by
+ Lamont Granquist).
+
+Nmap 2.07 [1999-02-08]
+
+o Fixed a lockup on Solaris (and perhaps other proprietary UNIX
+ systems) caused by a lack of /dev/random & /dev/urandom and a rand()
+ that only returns values up to 65535. Users of Free operating
+ systems like Linux, FreeBSD, or OpenBSD probably shouldn't bother
+ upgrading.
+
+Nmap 2.06 [1999-02-08]
+
+o Fixed compile problems on machines which lack snprintf() (found by
+ Ken Williams (jkwilli2(a)unity.ncsu.edu))
+
+o Added the squid proxy to nmap-services (suggested by Holger Heimann)
+
+o Fixed a problem where the new memory allocation system was handing
+ out misaligned pointers.
+
+o Fixed another memory allocation bug which probably doesn't cause any
+ real-life problems.
+
+o Made nmap look in more places for nmap-os-fingerprints
+
+Nmap 2.05 [1999-02-08]
+
+o Tons of new fingerprints. The number has grown by more than 25%.
+ In particular, Charles M. Hannum (root(a)ihack.net) fixed several
+ problems with NetBSD that made it easy to fingerprint and he sent me
+ a huge new batch of fingerprints for various NetBSD releases down to
+ 1.2. Other people sent NetBSD fingerprints down to 1.0. I finally
+ got some early Linux fingerprints in (down to 1.09).
+
+o Nmap now comes with its own nmap-services which I created by merging
+ the /etc/services from a bunch of OS' and then adding Netbus, Back
+ Orifice, etc.
+
+o Random number generation now takes advantage of the /dev/urandom or
+ /dev/random that most Free operating systems offer.
+
+o Increased the maximum number of OS guesses nmap will make, told nmap
+ never to give you two matches where the OS names are byte-to-byte
+ equivalent. Fixed nmap to differentiate between "no OS matches
+ found" and "too many OS matches to list".
+
+o Fixed an information leak in the packet TTL values (found by HD
+ Moore (hdmoore(a)usa.net))
+
+o Fixed the problem noted by Savva Uspensky about offsets used for
+ various operating systems' PPP/SLIP headers. Due to lack of
+ responses regarding other operating systems, I have made assumptions
+ about what works for BSDI, NetBSD, and SOLARIS. If this version no
+ longer works on your modem, please let me know (and tell me whether
+ you are using SLIP/PPP and what OS you are running).
+
+o Machine parseable logs are now more machine parseable (I now use a
+ tab to seperate test result fields rather than the more ambiguous
+ spaces. This may break a few things which rely on the old format.
+ Sorry. They should be easy to fix.
+
+o Added my nmap-fingerprintinting-article.txt to the distribution in
+ the docs directory.
+
+o Fixed problem where nmap -sS (my_ethernet_or_ppp_ip_address) would
+ not correctly scan localhost (due to the kernel rerouting the
+ traffic through localhost). Nmap should now detect and work around
+ this behavior.
+
+o Applied patch sent to my by Bill Fenner (fenner(a)parc.xerox.com)
+ which fixes various SunOS compatibility problems.
+
+o Changed the makefile 'all' target to use install-sh rather than
+ mkdir -p (doesn't work on some systems)
+
+o Documentation updated and clarified slightly.
+
+o Added this CHANGELOG file to the distribution.
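Review bot: this hunk imports the changelog with a number of spelling errors and inconsistent release headers that should be cleaned up before commit, since the last 2.05 entry says the file ships in the distribution. Spelling: "appeard" in the 2.3BETA5 RPC-output entry, "inapropriately" in the 2.3BETA4 Linux connect() entry, "wrottem" in the 2.2-BETA1 nmapfe entry, "laywers" in the 2.3BETA4 Y2K note, "These problem were discovered" in the 2.11 link-list entry, and "seperate" in the 2.05 machine-parseable-logs entry, whose paragraph also opens a parenthesis it never closes; a minimal fix for the last one is to change "tab to seperate test result fields rather than the more ambiguous" to "tab to separate test result fields rather than the more ambiguous" and close the parenthesis after "spaces". Headers: the 2.2 series is written three ways ("2.2-Beta4", "2.2-Beta3", "2.2-Beta2", "2.2-BETA1") and several headers (2.2-Beta2, 2.2-BETA1, 2.10, 2.09) carry no date while their neighbours do, so either normalise the casing to one form or note in the file that those dates are unknown rather than leaving the format ambiguous. One content point worth a reviewer's eye rather than a rewrite: the 2.12 entry records that the /dev/random and /dev/urandom warning was silenced while the generator on those systems stays "relatively weak"; that is the kind of security-relevant regression a changelog reader will want to find, so keep that sentence intact and do not shorten it when tidying the file.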