-
Notifications
You must be signed in to change notification settings - Fork 0
/
CHANGELOG
16031 lines (12374 loc) · 719 KB
/
CHANGELOG
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
455
456
457
458
459
460
461
462
463
464
465
466
467
468
469
470
471
472
473
474
475
476
477
478
479
480
481
482
483
484
485
486
487
488
489
490
491
492
493
494
495
496
497
498
499
500
501
502
503
504
505
506
507
508
509
510
511
512
513
514
515
516
517
518
519
520
521
522
523
524
525
526
527
528
529
530
531
532
533
534
535
536
537
538
539
540
541
542
543
544
545
546
547
548
549
550
551
552
553
554
555
556
557
558
559
560
561
562
563
564
565
566
567
568
569
570
571
572
573
574
575
576
577
578
579
580
581
582
583
584
585
586
587
588
589
590
591
592
593
594
595
596
597
598
599
600
601
602
603
604
605
606
607
608
609
610
611
612
613
614
615
616
617
618
619
620
621
622
623
624
625
626
627
628
629
630
631
632
633
634
635
636
637
638
639
640
641
642
643
644
645
646
647
648
649
650
651
652
653
654
655
656
657
658
659
660
661
662
663
664
665
666
667
668
669
670
671
672
673
674
675
676
677
678
679
680
681
682
683
684
685
686
687
688
689
690
691
692
693
694
695
696
697
698
699
700
701
702
703
704
705
706
707
708
709
710
711
712
713
714
715
716
717
718
719
720
721
722
723
724
725
726
727
728
729
730
731
732
733
734
735
736
737
738
739
740
741
742
743
744
745
746
747
748
749
750
751
752
753
754
755
756
757
758
759
760
761
762
763
764
765
766
767
768
769
770
771
772
773
774
775
776
777
778
779
780
781
782
783
784
785
786
787
788
789
790
791
792
793
794
795
796
797
798
799
800
801
802
803
804
805
806
807
808
809
810
811
812
813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
830
831
832
833
834
835
836
837
838
839
840
841
842
843
844
845
846
847
848
849
850
851
852
853
854
855
856
857
858
859
860
861
862
863
864
865
866
867
868
869
870
871
872
873
874
875
876
877
878
879
880
881
882
883
884
885
886
887
888
889
890
891
892
893
894
895
896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
923
924
925
926
927
928
929
930
931
932
933
934
935
936
937
938
939
940
941
942
943
944
945
946
947
948
949
950
951
952
953
954
955
956
957
958
959
960
961
962
963
964
965
966
967
968
969
970
971
972
973
974
975
976
977
978
979
980
981
982
983
984
985
986
987
988
989
990
991
992
993
994
995
996
997
998
999
1000
#Nmap Changelog ($Id$); -*-text-*-
o [GH#863] Avoid reporting negative latencies due to matching an ARP or ND
response to a probe sent after it was recieved. [Daniel Miller]
o [ncat][GH#1441] To avoid confusion and to support default proxy ports,
option --proxy now requires a literal IPv6 address to be specified using
square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]
o [ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over
whether proxy destinations are resolved by the remote proxy server or
locally, by Ncat itself. See option --proxy-dns. [nnposter]
o [NSE][GH#1478] Updated script ftp-syst to prevent potential endless looping.
[nnposter]
o [NSE][GH#1457] New script, ubiquiti-discovery, which extracts information from
the Ubiquiti Discovery service and assists version detection. [Tom Sellers]
o [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti
Discovery protocol. Devices often leave the related service open and it
exposes significant amounts of information as well as the risk of being used
as part of a DDoS. New nmap-payload entry for v1 of the protocol. [Tom Sellers]
o [NSE] Removes hostmap-ip2hosts.nse as the API has been broken for a while
and the service will be completely shutdown on Feb 17th. [Paulino Calderon]
o [NSE][GH#1318] Adds TN3270E support and additional improvements to tn3270.lua
and updates tn3270-screen.nse to display the new setting. [mainframed]
o [NSE][GH#1346] Updates product codes and adds a check for response length in
enip-info.nse. The script now uses string.unpack. [NothinRandom]
o [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve
a compatibility issue with OpenSSL library configured with security level 2,
as seen on current Debian or Kali.
[Adrian Vollmer, nnposter]
o [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against
non-SSH services. [Daniel Miller]
o [Zenmap] Fix a crash when Nmap executable cannot be found and the system PATH
contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]
o [Zenmap] Fix a crash in results search when using the dir: operator:
AttributeError: 'SearchDB' object has no attribute 'match_dir'
[Daniel Miller]
o [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early
termination of connections. [Alberto Garcia Illera]
o [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery option. ARP
ping is already used whenever possible, and the -PR option would not force it
to be used in any other case. [Daniel Miller]
o [NSE][GH#1243] Added http-sap-netweaver-leak to detect SAP Netweaver Portal
with the Knowledge Management Unit enabled with anonymous access. [ArphanetX]
o [NSE] Collected utility functions for string processing into a new library,
stringaux.lua. [Daniel Miller]
o [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when the
server responds with 200 status to a POST request to any URI. [Francesco Soncina]
o [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate that
testing could not rule out vulnerability. [Daniel Miller]
o [NSE] New rand.lua library uses the best sources of random available on the
system to generate random strings. [Daniel Miller]
o [NSE] Collected utility functions for manipulating and searching tables into
a new library, tableaux.lua. [Daniel Miller]
o [GH#1355] When searching for Lua header files, actually use them where they
are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel Miller]
o [NSE][GH#1331] Script traceroute-geolocation no longer crashes when
www.GeoPlugin.net returns null coordinates [Michal Kubenka, nnposter]
o Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not
use higher levels internally. [Daniel Miller]
o [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap
7.25BETA2, has native support for binary data packing via string.pack and
string.unpack. All existing scripts and libraries have been updated.
[Daniel Miller]
o [NSE] tls.lua when creating a client_hello message will now only use a SSLv3
record layer if the protocol version is SSLv3. Some TLS implementations will
not handshake with a client offering less than TLSv1.0. Scripts will have to
manually fall back to SSLv3 to talk to SSLv3-only servers. [Daniel Miller]
o [NSE][GH#1322] Fix a few false-positive conditions in ssl-ccs-injection. TLS
implementations that responded with fatal alerts other than "unexpected
message" had been falsely marked as vulnerable. [Daniel Miller]
o Emergency fix to Nmap's birthday announcement so Nmap wishes itself
a "Happy 21st Birthday" rather than "Happy 21th" in verbose mode
(-v) on September 1, 2018. [Daniel Miller]
o [NSE] New knx.lua library holds common functions and definitions for
communicating with KNX/Konnex devices. [Daniel Miller]
o [NSE] Completely removed the bit.lua NSE library. All of its functions are
replaced by native Lua bitwise operations, except for `arshift` (arithmetic
shift) which has been moved to the bits.lua library. [Daniel Miller]
o [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in Nmap,
and set immediate mode on the pcap descriptor. This solves packet loss
problems on Linux and may improve performance on other platforms.
[Daniel Cater, Mike Pontillo, Daniel Miller]
o [GH#1150] Start host timeout clocks when the first probe is sent to a host,
not when the hostgroup is started. Sometimes a host doesn't get probes until
late in the hostgroup, increasing the chance it will time out. [jsiembida]
o [GH#1147][GH#1108] Reduced LibPCRE resource limits so that version detection
can't use as much of the stack. Previously Nmap could crash when run on
low-memory systems against target services which are intentionally or
accidentally difficult to match. Someone assigned CVE-2018-15173 for this
issue. [Daniel Miller]
o [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
- [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
- Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
- Fixing a bug that prevented using the same ECS option table more than
once [nnposter]
o [Ncat][GH#1267] Fixed communication with commands launched with -e or -c on
Windows, especially when --ssl is used. [Daniel Miller]
o Upgraded included libpcap to 1.8.1 [Daniel Miller]
o [NSE] Script http-default-accounts can now select more than one fingerprint
category. It now also possible to select fingerprints by name to support very
specific scanning. [nnposter]
o [NSE] Script http-default-accounts was not able to run against more than one
target host/port. [nnposter]
o [NSE][GH#1251] New script-arg `http.host` allows users to force a particular
value for the Host header in all HTTP requests.
o [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead of
"example.com" in EHLO command used for STARTTLS. [gwire]
o [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing Nmap
with an assertion failure due to socket mixup [Daniel Miller]:
nmap: nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext): Assertion `lua_gettop(L) == 7' failed.
o [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by IPS
closing the connection. [Clément Notin]
o [NSE] https-redirect detects HTTP servers that redirect to the same port, but
with HTTPS. Some nginx servers do this, which made ssl-* scripts not run
properly. [Daniel Miller]
o [NSE][GH#1236] Added broadcast-jenkins-discover to discover Jenkins servers
on a LAN by sending a discovery broadcast probe. [Brendan Coles]
o [NSE][GH#1232] Added broadcast-hid-discoveryd to discover HID devices
on a LAN by sending a discoveryd network broadcast probe. [Brendan Coles]
o New service probe and match lines for adb, the Android Debug Bridge, which
allows remote code execution and is left enabled by default on many devices.
[Daniel Miller]
o [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through
HTTP proxies. [Phil Dibowitz]
o [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]
o [NSE][GH#1191] Add two common error strings that improve MySQL detection
by the script http-sql-injection. [Robert Taylor, Paulino Calderon]
o [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script to
generate the vulnerability report correctly. [rewardone]
o [NSE][GH#1218] Fix bug related to screen rendering in NSE library tn3270. This
patch also improves the brute force script tso-brute. [mainframed]
o [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when
the algorithm contains lowercase characters. [Jeswin Mathai]
o [GH#1204] Nmap could be fooled into ignoring TCP response packets if they
used an unknown TCP Option, which would misalign the validation, causing it
to fail. [Clément Notin, Daniel Miller]
o [NSE]The HTTP response parser now tolerates status lines without a reason
phrase, which improves compatibility with some HTTP servers. [nnposter]
o [NSE][GH#1169][GH#1170][GH#1171]][GH#1198] Parser for HTTP Set-Cookie header
is now more compliant with RFC 6265:
- empty attributes are tolerated
- double quotes in cookie and/or attribute values are treated literally
- attributes with empty values and value-less attributes are parsed equally
- attributes named "name" or "value" are ignored
[nnposter]
o [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den Bogert]
o [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written to.
[Daniel Miller]
o Fixed --resume when the path to Nmap contains spaces. Reported on Windows by
Adriel Desautels. [Daniel Miller]
Nmap 7.70 [2018-03-20]
o [Windows] We made a ton of improvements to our Npcap Windows packet
capturing library (https://nmap.org/npcap/) for greater performance and
stability, as well as smoother installer and better 802.11 raw frame
capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to
0.99-r2, including all these changes from the last seven Npcap releases:
https://nmap.org/npcap/changelog
o Integrated all of your service/version detection fingerprints submitted from
March 2017 to August 2017 (728 of them). The signature count went up 1.02%
to 11,672, including 26 new softmatches. We now detect 1224 protocols from
filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and
watchguard. We will try to integrate the remaining submissions in the next
release.
o Integrated all of your IPv4 OS fingerprint submissions from September 2016
to August 2017 (667 of them). Added 298 fingerprints, bringing the new total
to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and
more.
o Integrated all 33 of your IPv6 OS fingerprint submissions from September
2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added,
as well as strengthened groups for Linux and OS X.
o Added the --resolve-all option to resolve and scan all IP addresses of a
host. This essentially replaces the resolveall NSE script. [Daniel Miller]
o [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
traversal vulnerability) in the way the non-default http-fetch script
sanitized URLs. If a user manualy ran this NSE script against a malicious
web server, the server could potentially (depending on NSE arguments used)
cause files to be saved outside the intended destination directory. Existing
files couldn't be overwritten. We fixed http-fetch, audited our other
scripts to ensure they didn't make this mistake, and updated the httpspider
library API to protect against this by default. [nnposter, Daniel Miller]
o [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
They are all listed at https://nmap.org/nsedoc/, and the summaries are
below:
+ deluge-rpc-brute performs brute-force credential testing against Deluge
BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
+ hostmap-crtsh lists subdomains by querying Google's Certificate
Transparency logs. [Paulino Calderon]
+ [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
reports back the IP address and port of the actual server behind the
load-balancer. [Seth Jackson]
+ http-jsonp-detection Attempts to discover JSONP endpoints in web servers.
JSONP endpoints can be used to bypass Same-origin Policy restrictions in
web browsers. [Vinamra Bhatia]
+ http-trane-info obtains information from Trane Tracer SC controllers and
connected HVAC devices. [Pedro Joaquin]
+ [GH#609] nbd-info uses the new nbd.lua library to query Network Block
Devices for protocol and file export information. [Mak Kolybabi]
+ rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
SSH and TLS services. [Daniel Miller]
+ [GH#987] smb-enum-services retrieves the list of services running on a
remote Windows machine. Modern Windows systems requires a privileged domain
account in order to list the services. [Rewanth Cool]
+ tls-alpn checks TLS servers for Application Layer Protocol Negotiation
(ALPN) support and reports supported protocols. ALPN largely replaces NPN,
which tls-nextprotoneg was written for. [Daniel Miller]
o [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This
was causing Ncat 7.60 in connect mode to quit with error: libnsock
select_loop(): nsock_loop error 10038: An operation was attempted on
something that is not a socket. [nnposter]
o [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
renegotiation, the same issue that was partially fixed for server mode in
[GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
Miller]
o [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
misbehaving or rate-limiting services. Most significantly,
brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
reporing infinite loops and proposing changes.
o [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type
30) [Daniel Miller]
o [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out.
[Aniket Pandey]
o [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response
message, since the first message usually only has one address in it. [h43z]
o [Ncat][GH#1139] Ncat now selects the correct default port for a given proxy
type. [Pavel Zhukov]
o [NSE] memcached-info can now gather information from the UDP memcached
service in addition to the TCP service. The UDP service is frequently used as
a DDoS reflector and amplifier. [Daniel Miller]
o [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
o Removed deprecated and undocumented aliases for several long options that
used underscores instead of hyphens, such as --max_retries. [Daniel Miller]
o Improved service scan's treatment of soft matches in two ways. First of all,
any probes that could result in a full match with the soft matched service
will now be sent, regardless of rarity. This improves the chances of
matching unusual services on non-standard ports. Second, probes are now
skipped if they don't contain any signatures for the soft matched service.
Previously the probes would still be run as long as the target port number
matched the probe's specification. Together, these changes should make
service/version detection faster and more accurate. For more details on how
it works, see https://nmap.org/book/vscan.html. [Daniel Miller]
o --version-all now turns off the soft match optimization, ensuring that all
probes really are sent, even if there aren't any existing match lines for
the softmatched service. This is slower, but gives the most comprehensive
results and produces better fingerprints for submission. [Daniel Miller]
o [NSE][GH#1083] New set of Telnet softmatches for version detection based on
Telnet DO/DON'T options offered, covering a wide variety of devices and
operating systems. [D Roberson]
o [GH#1112] Resolved crash opportunities caused by unexpected libpcap version
string format. [Gisle Vanem, nnposter]
o [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for
indications of login failure. [Daniel Miller]
o [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
destination directories. [Aniket Pandey]
o [NSE] Added new fingerprints to http-default-accounts:
- Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
- [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
o Added a new service detection match for WatchGuard Authentication Gateway.
[Paulino Calderon]
o [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
(parameter qscan.delay). [nnposter]
o [NSE][GH#1046] Script http-headers now fails properly if the target does not
return a valid HTTP response. [spacewander]
o [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
default, in accordance with RFC 7465. [Codarren Velvindron]
o [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by
not checking the error code in responses. Implementations which return an
error are not vulnerable. [Juho Jokelainen]
o [NSE][GH#958] Two new libraries for NSE.
- idna - Support for internationalized domain names in applications (IDNA)
- punycode (a transfer encoding syntax used in IDNA)
[Rewanth Cool]
o [NSE] New fingerprints for http-enum:
- [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
- [GH#767] Many WordPress version detections [Rewanth Cool]
o [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:
- Usernames and/or passwords could not be empty
- Passwords could not contain colons
- SOCKS5 authentication was not properly documented
- SOCKS5 authentication had a memory leak
[nnposter]
o [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be
run. [Lukas Schwaighofer]
o [GH#977] Improved DNS service version detection coverage and consistency
by using data from a Project Sonar Internet wide survey. Numerouse false
positives were removed and reliable softmatches added. Match lines for
version.bind responses were also conslidated using the technique below.
[Tom Sellers]
o [GH#977] Changed version probe fallbacks so as to work cross protocol
(TCP/UDP). This enables consolidating match lines for services where the
responses on TCP and UDP are similar. [Tom Sellers]
o [NSE][GH#532] Added the zlib library for NSE so scripts can easily
handle compression. This work started during GSOC 2014, so we're
particularly pleased to finally integrate it! [Claudiu Perta, Daniel
Miller]
o [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated
as the number of tries, not retries, and a value of 0 would result in
infinite retries. Instead, it is now the number of retries, defaulting to 2
(3 total tries), with no option for infinite retries.
o [NSE] http-devframework-fingerprints.lua supports Jenkins server detection
and returns extra information when Jenkins is detected [Vinamra Bhatia]
o [GH#926] The rarity level of MS SQL's service detection probe was decreased.
Now we can find MS SQL in odd ports without increasing version intensity.
[Paulino Calderon]
o [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We
were always reporting the version number of the included source, even when a
different version was actually linked. [Pavel Zhukov]
o Add a new helper function for nmap-service-probes match lines: $I(1,">") will
unpack an unsigned big-endian integer value up to 8 bytes wide from capture
1. The second option can be "<" for little-endian. [Daniel Miller]
Nmap 7.60 [2017-07-31]
o [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
with installation and compatibility with the Windows 10 Creators Update.
o [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
including password brute-forcing and running remote commands, thanks to the
combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
Khegay, Evangelos Deirmentzoglou]
o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+ ftp-syst sends SYST and STAT commands to FTP servers to get system version
and connection information. [Daniel Miller]
+ [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting
Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
+ iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
Timorin, Daniel Miller]
+ [GH#915] openwebnet-discovery retrieves device identifying information and
number of connected devices running on openwebnet protocol. [Rewanth Cool]
+ puppet-naivesigning checks for a misconfiguration in the Puppet CA where
naive signing is enabled, allowing for any CSR to be automatically signed.
[Wong Wai Tuck]
+ [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12
(SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
smbv2-enabled script. [Paulino Calderon]
+ [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3
servers. [Paulino Calderon]
+ [GH#943] smb2-time determines the current date and boot date of SMB2
servers. [Paulino Calderon]
+ [GH#943] smb2-security-mode determines the message signing configuration of
SMB2/SMB3 servers. [Paulino Calderon]
+ [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in
Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
+ ssh-auth-methods lists the authentication methods offered by an SSH server.
[Devin Bjelland]
+ ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
+ ssh-publickey-acceptance checks public or private keys to see if they could
be used to log in to a target. A list of known-compromised key pairs is
included and checked by default. [Devin Bjelland]
+ ssh-run uses user-provided credentials to run commands on targets via SSH.
[Devin Bjelland]
o [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
improvements. It was fully replaced by the smb-protocols script.
o [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client)
mode with --udp --ssl. Also added Application Layer Protocol Negotiation
(ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
o Updated the default ciphers list for Ncat and the secure ciphers list for
Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
Exec Agent 15 or 16. [Andrew Orr]
o [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
o [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
resolve to unique addresses will be listed. [Aaron Heesakkers]
o [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
o [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved"
characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
[nnposter]
o [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
connections are supported on HTTP 1.0 target (unless the target explicitly
declares otherwise), as per RFC 7230. [nnposter]
o [NSE][GH#934] The HTTP response object has a new member, version, which
contains the HTTP protocol version string returned by the server, e.g. "1.0".
[nnposter]
o [NSE][GH#938] Fix handling of the objectSID Active Directory attribute
by ldap.lua. [Tom Sellers]
o [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
Carriage Return characters were being sent in the connection packets, likely
resulting in failure of the script. [Anant Shrivastava]
o [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status
(usually 403 Forbidden) in addition to redirects to indicate forbidden User
Agents. [Gyanendra Mishra]
Nmap 7.50 [2017-06-13]
o [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
o Integrated all of your service/version detection fingerprints submitted from
September to March (855 of them). The signature count went up 2.9% to 11,418.
We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
o [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+ [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors.
OSPFv2 authentication is supported. [Emiliano Ticci]
+ [GH#671] cics-info checks IBM TN3270 services for CICS transaction services
and extracts useful information. [Soldier of Fortran]
+ [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on
IBM TN3270 services. [Soldier of Fortran]
+ [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and
Secure flags. [Steve Benson]
+ http-security-headers checks for the HTTP response headers related to
security given in OWASP Secure Headers Project, giving a brief description
of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
+ [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache
Struts2. [Seth Jackson]
+ [GH#876] http-vuln-cve2017-5689 detects a privilege escalation
vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
capable systems. [Andrew Orr]
+ http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in
Wordpress 4.7.0 and 4.7.1 (CVE-2017-1001000) [Vinamra Bhatia]
+ [GH#713] impress-remote-discover attempts to pair with the LibreOffice
Impress presentation remote service and extract version info. Pairing is
PIN-protected, and the script can optionally brute-force the PIN. New
service probe and match line also added. [Jeremy Hiebert]
+ [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked
Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
+ smb-vuln-cve-2017-7494 detects a remote code execution vulnerability
affecting Samba versions 3.5.0 and greater with writable shares.
[Wong Wai Tuck]
+ smb-vuln-ms17-010 detects a critical remote code execution vulnerability
affecting SMBv1 servers in Microsoft Windows systems (ms17-010). The
script also reports patched systems. [Paulino Calderon]
+ [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability
(CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
+ vmware-version queries VMWare SOAP API for version and product information.
Submitted in 2011, this was mistakenly turned into a service probe that was
unable to elicit any matches. [Aleksey Tyurin]
o [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
+ [GH#157] Ncat will now continue trying to connect to each resolved address
for a hostname before declaring the connection refused, allowing it to
fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
[Jaromir Koncicky, Michal Hlavinka]
+ The --no-shutdown option now also works in connect mode, not only in listen mode.
+ Made -i/--idle-timeout not cause Ncat in server mode to close while
waiting for an initial connection. This was also causing -i to interfere
with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
+ [GH#773] Ncat in server mode properly handles TLS renegotiations and other
situations where SSL_read returns a non-fatal error. This was causing
SSL-over-TCP connections to be dropped. [Daniel Miller]
+ Enable --ssl-ciphers to be used with Ncat in client mode, not only in
server (listen) mode. [Daniel Miller]
o [NSE] New fingerprints for http-enum:
- Endpoints for Spring MVC and Boot Actuator [Paulino Calderon]
- [GH#620][GH#715] 8 fingerprints for Hadoop infrastructure components
[Thomas Debize, Varunram Ganesh]
o [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use
fully qualified paths. SMB scripts now work against all modern versions
of Microsoft Windows. [Paulino Calderon]
o [NSE] smb library's share_get_list now properly uses anonymous connections
first before falling back authenticating as a known user.
o New service probes and matches for Apache HBase and Hadoop MapReduce.
[Paulino Calderon]
o Extended Memcached service probe and added match for Apache ZooKeeper.
[Paulino Calderon]
o [NSE] New script argument "vulns.short" will reduce vulns library script
output to a single line containing the target name or IP, the vulnerability
state, and the CVE ID or title of the vulnerability. [Daniel Miller]
o [NSE][GH#862] SNMP scripts will now take a community string provided like
`--script-args creds.snmp=private`, which previously did not work because it
was interpreted as a username. [Daniel Miller]
o [NSE] Resolved several issues in the default HTTP redirect rules:
- [GH#826] A redirect is now cancelled if the original URL contains
embedded credentials
- [GH#829] A redirect test is now more careful in determining whether
a redirect destination is related to the original host
- [GH#830] A redirect is now more strict in avoiding possible redirect
loops
[nnposter]
o [NSE][GH#766] The HTTP Host header will now include the port unless it is
the default one for a given scheme. [nnposter]
o [NSE] The HTTP response object has a new member, fragment, which contains
a partially received body (if any) when the overall request fails to
complete. [nnposter]
o [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
are silently ignored (in accordance with RFC 6265). Unrecognized attributes
were previously causing HTTP requests with such cookies to fail. [nnposter]
o [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
o [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie
header that has an extraneous trailing semicolon. [nnposter]
o [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated
with option any_af. As an added benefit, option any_af is now available for
all connections via comm.lua, not just HTTP requests. [nnposter]
o [NSE][GH#781] There is a new common function, url.get_default_port(),
to obtain the default port number for a given scheme. [nnposter]
o [NSE][GH#833] Function url.parse() now returns the port part as a number,
not a string. [nnposter]
o No longer allow ICMP Time Exceeded messages to mark a host as down during
host discovery. Running traceroute at the same time as Nmap was causing
interference. [David Fifield]
o [NSE][GH#807] Fixed a JSON library issue that was causing long integers
to be expressed in the scientific/exponent notation. [nnposter]
o [NSE] Fixed several potential hangs in NSE scripts that used
receive_buf(pattern), which will not return if the service continues to send
data that does not match pattern. A new function in match.lua, pattern_limit,
is introduced to limit the number of bytes consumed while searching for the
pattern. [Daniel Miller, Jacek Wielemborek]
o [Nsock] Handle any and all socket connect errors the same: raise as an Nsock
error instead of fatal. This prevents Nmap and Ncat from quitting with
"Strange error from connect:" [Daniel Miller]
o [NSE] Added several commands to redis-info to extract listening addresses,
connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
o [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting
changes at the source site (www.robtex.com). [aDoN]
o [NSE][GH#629] Added two new fingerprints to http-default-accounts
(APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
o [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS
probe due to a string escaping mixup. [Alexandr Savca]
o [NSE][GH#694] ike-version now outputs information about supported attributes
and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was
submitted by Alexis La Goutte. [Daniel Miller]
o [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
o [GH#649] New service probe and match lines for the JMON and RSE services of
IBM Explorer for z/OS. [Soldier of Fortran]
o Removed a duplicate service probe for Memcached added in 2011 (the original
probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
o New service probe and match line for NoMachine NX Server remote desktop.
[Justin Cacak]
o [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap
was installed to /Applications/Applications/Zenmap.app instead of
/Applications/Zenmap.app.
o [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary
directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
o [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option,
which was added in Nmap 7.10. Previously, this was treated the same as not
specifying -v at all. [lymanZerga11]
o [GH#630] Updated or removed some OpenSSL library calls that were deprecated
in OpenSSL 1.1. [eroen]
o [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys [nnposter]
o [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads"
script-arg not being converted to a number. Error message was
"nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
Nmap 7.40 [2016-12-20]
o [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an
improved installer experience, driver signing updates to work with
Windows 10 build 1607, and bugfixes for WiFi connectivity
problems. [Yang Luo, Daniel Miller]
o Integrated all of your IPv4 OS fingerprint submissions from April to
September (568 of them). Added 149 fingerprints, bringing the new total to
5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more.
Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]
o Integrated all of your service/version detection fingerprints submitted from
April to September (779 of them). The signature count went up 3.1% to 11,095.
We now detect 1161 protocols, from airserv-ng, domaintime, and mep to
nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115
[Daniel Miller]
o Fix reverse DNS on Windows which was failing with the message "mass_dns:
warning: Unable to determine any DNS servers." This was because the interface
GUID comparison needed to be case-insensitive. [Robert Croteau]
o [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
+ cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270
services. [Soldier of Fortran]
+ cics-user-enum brute-forces usernames for CICS users on TN3270 services.
[Soldier of Fortran]
+ fingerprint-strings will print the ASCII strings it finds in the service
fingerprints that Nmap shows for unidentified services. [Daniel Miller]
+ [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image
via Bing Maps API. [Mak Kolybabi]
+ [GH#606] ip-geolocation-map-google renders IP geolocation data as an image
via Google Maps API. [Mak Kolybabi]
+ [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file
for import into other mapping software [Mak Kolybabi]
+ nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST
and OHOST. Helpfully, nje-node-brute can now brute force both of those
values. [Soldier of Fortran]
+ [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS
certificate fields and extensions. [Steve Benson]
+ tn3270-screen shows the login screen from mainframe TN3270 Telnet services,
including any hidden fields. The script is accompanied by the new tn3270
library. [Soldier of Fortran]
+ tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
+ tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
+ vtam-enum brute-forces VTAM application IDs for TN3270 services.
[Soldier of Fortran]
o [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and
adaptivity mechanisms in brute.lua help brute scripts use resources more
efficiently, dynamically changing number of threads based on protocol
messages like FTP 421 errors, network errors like timeouts, etc.
[Sergey Khegay]
o [GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan
times in exchange for labeling unresponsive (and possibly open) ports as
"closed|filtered". Ports which give a UDP protocol response to one of Nmap's
scanning payloads will be marked "open". [Sergey Khegay]
o [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that
service at some point. Reported by Brian Morin.
o [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for
storing and retrieving IP geolocation results. [Mak Kolybabi]
o [Ncat] Restore the connection success message that Ncat prints with -v. This
was accidentally suppressed when not using -z.
o [GH#316] Added scan resume from Nmap's XML output. Now you can --resume a
canceled scan from all 3 major output formats: -oN, -oG, and -oX.
[Tudor Emil Coman]
o [Ndiff][GH#591] Fix a bug where hosts with the same IP but different
hostnames were shown as changing hostnames between scans. Made sort stable
with regard to hostnames. [Daniel Miller]
o [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for
TLS Server Name Indication extension. The argument overrides the default use
of the host's targetname. [Bertrand Bonnefoy-Claudet]
o [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
o [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a
floating-point number being passed to os.time ("bad argument").
[Dallas Winger]
o [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
mysql-brute and other scripts due to including a null terminator in the salt
value. This bug affects Nmap 7.25BETA2 and later releases. [Daniel Miller]
o The --open option now implies --defeat-rst-ratelimit. This may result in
inaccuracies in the numbers of "Not shown:" closed and filtered ports, but
only in situations where it also speeds up scan times. [Daniel Miller]
o [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and
IronPort to ssl-dh-params. [Frank Bergmann]
o Added service probe for ClamAV servers (clam),
an open source antivirus engine used in mail scanning. [Paulino Calderon]
o Added service probe and UDP payload for Quick UDP Internet Connection (QUIC),
a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
o [NSE] Enabled resolveall to run against any target provided as a hostname, so
the resolveall.hosts script-arg is no longer required. [Daniel Miller]
o [NSE] Revised script http-default-accounts in several ways [nnposter]:
- Added 21 new fingerprints, plus broadened 5 to cover more variants.
- [GH#577] It can now can test systems that return status 200 for
non-existent pages.
- [GH#604] Implemented XML output. Layout of the classic text output has also
changed, including reporting blank usernames or passwords as "<blank>",
instead of just empty strings.
- Added CPE entries to individual fingerprints (where known). They are
reported only in the XML output.
o [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with
malformed header names. Such header lines are still captured in the rawheader
list but skipped otherwise. [nnposter]
o [GH#416] New service probe and match line for iperf3. [Eric Gershman]
o [NSE][GH#555] Add Drupal to the set of web apps brute forced by
http-form-brute. [Nima Ghotbi]
Nmap 7.31 [2016-10-20]
o [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing
increased stability, bug fixes, and raw 802.11 WiFi capture (unused
by Nmap). Further details on these changes can be found at
https://github.com/nmap/npcap/releases. [Yang Luo]
o Fixed the way Nmap handles scanning names that resolve to the same IP. Due to
changes in 7.30, the IP was only being scanned once, with bogus results
displayed for the other names. The previous behavior is now restored.
[Tudor Emil Coman]
o [Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege
check was performed too late, so the Npcap loading code assumed the user had no
rights. [Yang Luo, Daniel Miller]
o [GH#350] Fix an assertion failure due to floating point error in equality
comparison, which triggered mainly on OpenBSD:
assertion "diff <= interval" failed: file "timing.cc", line 440
This was reported earlier as [GH#472] but the assertion fixed there was a
different one. [David Carlier]
o [Zenmap] Fix a crash in the About page in the Spanish translation due to a
missing format specifier:
File "zenmapGUI\About.pyo", line 217, in __init__
TypeError: not all arguments converted during string formatting
[Daniel Miller]
o [Zenmap][GH#556] Better visual indication that display of hostname is tied to
address in the Topology page. You can show numeric addresses with hostnames
or without, but you can't show hostnames without numeric addresses when they
are not available. [Daniel Miller]
o To increase the number of IPv6 fingerprint submissions, a prompt for
submission will be shown with some random chance for successful matches of OS
classes that are based on only a few submissions. Previously, only
unsuccessful matches produced such a prompt. [Daniel Miller]
Nmap 7.30 [2016-09-29]
o Integrated all 12 of your IPv6 OS fingerprint submissions from June to
September. No new groups, but several classifications were strengthened,
especially Windows localhost and OS X. [Daniel Miller]
o [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541!
They are all listed at https://nmap.org/nsedoc/, and the summaries are below
(authors are listed in brackets):
+ [GH#369] coap-resources grabs the list of available resources from CoAP
endpoints. [Mak Kolybabi]
+ fox-info retrieves detailed version and configuration info from Tridium
Niagara Fox services. [Stephen Hilt]
+ ipmi-brute performs authentication brute-forcing on IPMI services.
[Claudiu Perta]
+ ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows
connection without a password. [Claudiu Perta]
+ ipmi-version retrieves protocol version and authentication options from
ASF-RMCP (IPMI) services. [Claudiu Perta]
+ [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics,
and lists the messages received. [Mak Kolybabi]
+ pcworx-info retrieves PLC model, firmware version, and date from Phoenix
Contact PLCs. [Stephen Hilt]
o Upgraded Npcap, our new Windows packet capturing driver/library,
from version to 0.09 to 0.10r2. This includes many bug fixes, with a
particular on emphasis on concurrency issues discovered by running
hundreds of Nmap instances at a time. More details are available
from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel
Miller, Fyodor]
o New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx,
ProConOS, and Tridium Fox, [Stephen Hilt, Mak Kolybabi, Daniel Miller]
o Improved some output filtering to remove or escape carriage returns ('\r')
that could allow output spoofing by overwriting portions of the screen. Issue
reported by Adam Rutherford. [Daniel Miller]
o [NSE] Fixed a few bad Lua patterns that could result in denial of service due
to excessive backtracking. [Adam Rutherford, Daniel Miller]
o Fixed a discrepancy between the number of targets selected with -iR and the
number of hosts scanned, resulting in output like "Nmap done: 1033 IP
addresses" when the user specified -iR 1000. [Daniel Miller]
o Fixed a bug in port specification parsing that could cause extraneous
'T', 'U', 'S', and 'P' characters to be ignored when they should have
caused an error. [David Fifield]
o [GH#543] Restored compatibility with LibreSSL, which was lost in adding
library version checks for OpenSSL 1.1. [Wonko7]
o [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting
in this message instead of Ndiff output:
ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found. Did find:
/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
Reported by Kyle Gustafson. [Daniel Miller]
o [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to
not output TLSv1.2 info with DHE ciphersuites or others involving
ServerKeyExchange messages. [Daniel Miller]
o [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now
shows the Subject Alternative Name extension; all extensions are shown in the
XML output. [Daniel Miller]
Nmap 7.25BETA2 [2016-09-01]
o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
SHA256 certificate. This should give our users extra peace-of-mind and avoid
triggering Microsoft's ever-increasing security warnings.
o [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a
utf8 library, and native binary packing and unpacking functions. Removed bit
library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick
Donnelly]
o [NSE] Added 2 NSE scripts, bringing the total up to 534! They are both listed
at https://nmap.org/nsedoc/, and the summaries are below:
+ oracle-tns-version decodes the version number from Oracle Database Server's
TNS listener. [Daniel Miller]
+ clock-skew analyzes and reports clock skew between Nmap and services that
report timestamps, grouping hosts with similar skews. [Daniel Miller]
o Integrated all of your service/version detection fingerprints submitted from
January to April (578 of them). The signature count went up 2.2% to 10760.