"Fossies" - the Fresh Open Source Software Archive

Member "nmap-7.91/CHANGELOG" (9 Oct 2020, 756783 Bytes) of package /linux/misc/nmap-7.91.tgz:

#Nmap Changelog ($Id: CHANGELOG 38101 2020-10-09 22:43:50Z dmiller $); -*-text-*-

Nmap 7.91 [2020-10-09]

o [GH#2148][Zenmap] Fix a crash in the profile editor due to a missing import.

o [GH#2139][Nsock][Windows] Demote the IOCP Nsock engine because of some known
  issues that will take longer to resolve. The previous default "poll" engine
  will be used instead.

o [GH#2138][Nsock][Windows] Fix a crash in service scan due to a previously-unknown
  error being returned from the IOCP Nsock engine. [Daniel Miller]

o [NSE][GH#2136][GH#2137] Fix several places where Lua's os.time was being used
  to represent dates prior to January 1, 1970, which fails on Windows. Notably,
  NSE refused to run in UTC+X timezones with the error "time result cannot be
  represented in this installation" [Clément Notin, nnposter, Daniel Miller]

o [NSE][GH#2128] MySQL library was not properly parsing server responses,
  resulting in script crashes. [nnposter]

o [GH#2135] Silence the irrelevant warning, "Your ports include 'T:' but you
  haven't specified any TCP scan type" when running nmap -sUV

Nmap 7.90 [2020-10-02]

o [Windows] Upgraded Npcap, our Windows packet capturing (and sending)
  library to the milestone 1.00 release! It's the culmination of 7 years of
  development with 170 public pre-releases. This includes dozens of
  performance improvements, bug fixes, and feature enhancements described
  at https://npcap.org/changelog.

o Integrated over 800 service/version detection fingerprints submitted since
  August 2017. The signature count went up 1.8% to 11,878, including 17 new
  softmatches.  We now detect 1237 protocols from airmedia-audio, banner-ivu,
  and control-m to insteon-plm, pi-hole-stats, and ums-webviewer.  A
  significant number of submissions remain to be integrated in the next
  release.

o Integrated over 330 of the most-frequently-submitted IPv4 OS fingerprints
  since August 2017. Added 26 fingerprints, bringing the new total to 5,678.
  Additions include iOS 12 & 13, macOS Catalina & Mojave, Linux 5.4, FreeBSD
  13, and more.

o Integrated all 67 of your IPv6 OS fingerprint submissions from August 2017 to
  September 2020. Added new groups for FreeBSD 12, Linux 5.4, and Windows 10,
  and consolidated several weak groups to improve classification accuracy.

o [NSE] Added 3 NSE scripts, from 2 authors, bringing the total up to 601!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are
  below:

  + dicom-brute attempts to brute force the called Application Entity Title
    of DICOM servers. [Paulino Calderon]

  + dicom-ping discovers DICOM servers and determines if any Application
    Entity Title is allowed to connect. [Paulino Calderon]

  + uptime-agent-info collects system information from an Idera Uptime
    Infrastructure Monitor agent. [Daniel Miller]

o [GH#1834] Addressed over 250 code quality issues identified by LGTM.com,
  improving our code quality score from "C" to "A+"

o Released Npcap OEM Edition. For more than 20 years, the Nmap Project has
  been funded by selling licenses for companies to distribute Nmap with
  their products, along with commercial support. Hundreds of commercial
  products now use Nmap for network discovery tasks like port scanning,
  host discovery, OS detection, service/version detection, and of course
  the Nmap Scripting Engine (NSE). Until now they have just used standard
  Nmap, but this new OEM Edition is customized for use within other Windows
  software. Nmap OEM contains the OEM version of our Npcap driver, which
  allows for silent installation. It also removes the Zenmap GUI, which
  cuts the installer size by more than half. And it reports itself as Nmap
  OEM so customers know it's a properly licensed Nmap. See
  https://nmap.org/oem for more details. We will be reaching out to all
  existing licensees with Nmap OEM access credentials, but any licensees
  who want it quicker should see https://nmap.org/oem.

o Upgraded the Nmap license from a sort of hacked-up version of GPLv2 to a
  cleaner and better organized version (still based on GPLv2) now called the
  Nmap Public Source License to avoid confusion. See https://nmap.org/npsl/
  for more details and annotated license text. This NPSL project was started
  in 2006 (community discussion here:
  https://seclists.org/nmap-dev/2006/q4/126) and then it lost momentum for 7
  years until it was restarted in 2013
  (https://seclists.org/nmap-dev/2013/q1/399) and then we got distracted by
  development again. We still have some ideas for improving the NPSL, but
  it's already much better than the current license, so we're applying NPSL
  Version 0.92 to the code now and can make improvements later if
  needed. This does not change the license of previous Nmap releases.

o Removed nmap-update. This program was intended to provide a way to update
  data files and NSE scripts, but the infrastructure was never fielded. It
  depended on Subversion version control and would have required maintaining
  separate versions of NSE scripts for compatibility.

o Removed the silent-install command-line option (/S) from the Windows
  installer. It causes several problems and there were no objections when we
  proposed removing it in 2016 (https://seclists.org/nmap-dev/2016/q4/168).
  It will remain in Nmap OEM since its main use was for customers who
  redistribute Nmap with other software. If anyone else has a strong need
  for an Nmap silent installer, please contact sales@nmap.com and we'll see
  what we can do.

o [GH#1860] 23 new UDP payloads and dozens more default ports for existing
  payloads developed for Rapid7's InsightVM scan engine. These speed up and
  ensure detection of open UDP services. [Paul Miseiko, Rapid7]

o Added a UDP payload for STUN (Session Traversal Utilities for NAT).
  [David Fifield]

o [NSE] Fixed an off-by-one bug in the stun.lua library that prevented
  parsing a server response. [David Fifield]

o [GH#2051] Restrict Nmap's search path for scripts and data files.
  NMAPDATADIR, defined on Unix and Linux as ${prefix}/share/nmap, will not be
  searched on Windows, where it was previously defined as C:\Nmap .
  Additionally, the --script option will not interpret names as directory names
  unless they are followed by a '/'. [Daniel Miller]

o [GH#1764] Fix an assertion failure when unsolicited ARP response is received:
    nmap: Target.cc:503: void Target::stopTimeOutClock(const timeval*): Assertion `htn.toclock_running == true' failed.

o [NSE] New outlib library consolidates functions related to NSE output,
  both string formatting conventions and structured output. [Daniel Miller]

o [NSE] New dicom library implements the DICOM protocol used for
  storing and transferring medical images. [Paulino Calderon]

o [GH#92] Fix a regression in ARP host discovery left over from the move from
  massping to ultra_scan in Nmap 4.22SOC8 (2007) that sometimes resulted in
  missing ARP responses from targets near the end of a scan. Accuracy and speed
  are both improved. [Daniel Miller]

o [GH#2126] Fix the "iocp" Nsock engine for Windows to be able to correctly
  handle PCAP read events. This engine is now the default for Windows, which
  should greatly improve performance over the previous default, the "poll"
  engine. [Daniel Miller]

o [GH#2050] Reduced CPU usage of OS scan by 50% by avoiding string copy
  operations and removing undocumented fingerprint syntax unused in nmap-os-db
  ('&' and '+' in expressions). [Daniel Miller]

o [GH#1859] Allow multiple UDP payloads to be specified for a port in
  nmap-payloads. If the first payload does not get a response, the remaining
  payloads are tried round-robin. [Paul Miseiko, Rapid7]

o [GH#1616] New option --discovery-ignore-rst tells Nmap to ignore TCP RST
  responses when determining if a target is up. Useful when firewalls are
  spoofing RST packets. [Tom Sellers, Rapid7]

o [Ncat][GH#2087][GH#1927][GH#1928][GH#1974] It is now possible to override
  the value of TLS SNI via --ssl-servername [Hank Leininger, nnposter]

o [GH#2104] Fixed parsing of TCP options which would hang (infinite loop) if an
  option had an explicit length of 0. Affects Nmap 7.80 only.
  [Daniel Miller, Imed Mnif]
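
  The GH#2104 entry above describes a classic parser hang: a TCP option whose
  length byte is 0 (or 1) never advances the read offset. The following is an
  added illustration, not Nmap's own C++ parser, of how a defensive option
  walker rejects that input instead of spinning. All function names and the
  sample option blocks are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define TCPOPT_EOL 0
#define TCPOPT_NOP 1
#define TCPOPT_MSS 2

/* Called once per option with its kind and the payload after the length byte. */
typedef void (*tcpopt_cb)(uint8_t kind, const uint8_t *data, size_t len);

/* Walk a TCP option block. Returns the number of options seen, or -1 if the
 * block is malformed. Every multi-byte option must carry a length >= 2
 * (the kind and length bytes themselves) and must fit inside the block. */
int walk_tcp_options(const uint8_t *opts, size_t optlen, tcpopt_cb cb)
{
    size_t off = 0;
    int count = 0;

    while (off < optlen) {
        uint8_t kind = opts[off];

        if (kind == TCPOPT_EOL)
            break;                         /* end of option list */
        if (kind == TCPOPT_NOP) {          /* one-byte padding, no length */
            off++;
            count++;
            continue;
        }
        if (off + 1 >= optlen)
            return -1;                     /* kind byte with no length byte */

        uint8_t len = opts[off + 1];
        /* A length of 0 or 1 would leave 'off' unchanged (or inside the
         * option header), so the loop would never advance: the infinite
         * loop class of bug. A length past the end is a truncated block. */
        if (len < 2 || off + len > optlen)
            return -1;

        if (cb)
            cb(kind, opts + off + 2, len - 2);
        off += len;
        count++;
    }
    return count;
}

/* Example consumer: extract the MSS option from a SYN's option block.
 * Returns 0 when absent or when the block is malformed. */
static uint16_t g_mss;
static void mss_cb(uint8_t kind, const uint8_t *d, size_t len)
{
    if (kind == TCPOPT_MSS && len == 2)
        g_mss = (uint16_t)((d[0] << 8) | d[1]);
}
uint16_t tcp_mss_from_options(const uint8_t *opts, size_t optlen)
{
    g_mss = 0;
    if (walk_tcp_options(opts, optlen, mss_cb) < 0)
        return 0;
    return g_mss;
}

/* Constructed sample option blocks (hand-written, not captured traffic).
 * A typical SYN: MSS 1460, NOP, NOP, SACK-permitted, window scale 7. */
const uint8_t SAMPLE_GOOD[]     = {2, 4, 0x05, 0xb4, 1, 1, 4, 2, 3, 3, 7};
/* An MSS option claiming length 0: the shape of input behind GH#2104. */
const uint8_t SAMPLE_ZERO_LEN[] = {2, 0, 0x05, 0xb4};
/* An MSS option claiming 4 bytes when only 3 are present. */
const uint8_t SAMPLE_TRUNC[]    = {2, 4, 0x05};

int main(void)
{
    printf("good: %d options, MSS %u\n",
           walk_tcp_options(SAMPLE_GOOD, sizeof SAMPLE_GOOD, NULL),
           (unsigned)tcp_mss_from_options(SAMPLE_GOOD, sizeof SAMPLE_GOOD));
    printf("zero length: %d\n",
           walk_tcp_options(SAMPLE_ZERO_LEN, sizeof SAMPLE_ZERO_LEN, NULL));
    printf("truncated: %d\n",
           walk_tcp_options(SAMPLE_TRUNC, sizeof SAMPLE_TRUNC, NULL));
    return 0;
}
```

  The single check `len < 2 || off + len > optlen` covers both the
  non-advancing case and the out-of-bounds read; any packet parser that loops
  on a length field from the wire needs the equivalent.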

o [NSE][GH#1460] Script ssh2-enum-algos would fail if the server initiated
  the key exchange before completing the protocol version exchange
  [Scott Ellis, nnposter]

o [NSE][GH#2105] Fetching of SSH2 keys might fail because of key exchange
  confusion [nnposter]

o [NSE][GH#2098] Performance of script afp-ls has been dramatically improved
  [nnposter]

o [NSE][GH#2091] Parsing of AFP FPGetFileDirParms and
  FPEnumerateExt2FPEnumerateExt2 responses was not working correctly [nnposter]

o [NSE][GH#2089] Eliminated false positives in script http-shellshock caused by
  simple reflection of HTTP request data [Anders Kaseorg]

o [NSE][GH#1473] SNMP scripts are now enabled on non-standard ports where SNMP
  has been detected [usd-markus, nnposter]

o [NSE][GH#2084] MQTT library was using incorrect position when parsing
  received responses [tatulea]

o [NSE][GH#2086] IPMI library was using incorrect position when parsing
  received responses [Star Salzman]

o [NSE][GH#2086] Scripts ipmi-brute and deluge-rpc-brute were not capturing
  successfully brute-forced credentials [Star Salzman]

o Allow resuming IPv6 scans with --resume. The address parsing was assuming IPv4
  addresses, leading to "Unable to parse ip" error. In a related fix, MAC addresses
  will not be parsed as IP addresses when resuming from XML. [Daniel Miller]

o [GH#1622][GH#2068] Fix reverse-DNS handling of PTR records that are not lowercase.
  Nmap was failing to identify reverse-DNS names when the DNS server delivered
  them like ".IN-ADDR.ARPA". [Lucas Nussbaum, Richard Schütz, Daniel Miller]

o [NSE][GH#1999][GH#2005] IKE library was not properly populating the protocol
  number in aggressive mode requests. [luc-x41]

o [GH#1963] Added service fingerprinting for MySQL 8.x, Microsoft SQL
  Server 2019, MariaDB, and Crate.io CrateDB. Updated PostgreSQL coverage and
  added specific detection of recent versions running in Docker. [Tom Sellers]

o New XML output "hosthint" tag emitted during host discovery when a target is
  found to be up. This gives earlier notification than waiting for the
  hostgroup to finish all scan phases. [Paul Miseiko]

o [GH#917] New UDP payloads for GPRS Tunneling Protocol (GTP) on ports 2123,
  2152, and 3386. [Guillaume Teissier]

o [NSE][GH#1825] SSH scripts now run on several ports likely to be SSH based on
  empirical data from Shodan.io, as well as the netconf-ssh service.
  [Lim Shi Min Jonathan, Daniel Miller]

o [Zenmap][GH#1777] Stop creating a debugging output file 'tmp.txt' on the
  desktop in macOS. [Roland Linder]

o [Nping] Address build failure under libc++ due to "using namespace std;" in
  several headers, resulting in conflicting definitions of bind(). Reported by
  StormBytePP and Rosen Penev. [Daniel Miller]

o [Ncat][GH#1868] Fix a fatal error when connecting to a Linux VM socket with
  verbose output enabled. [Stefano Garzarella]

o [Ncat][GH#2060] Proxy credentials can be alternatively passed onto Ncat by
  setting environment variable NCAT_PROXY_AUTH, which reduces the risk of the
  credentials getting captured in process logs. [nnposter]

o [NSE][GH#1723] Fixed a crash on Windows when processing a GZIP-encoded HTTP
  body. [Daniel Miller]

o Upgrade libpcap to 1.9.1, which addresses several CVE vulnerabilities.

o Upgrade libssh2 to 1.9.0, fixing compilation with OpenSSL 1.1.0 API.

o [GH#1717][GH#1718] Processing of IP address CIDR blocks was not working
  correctly on ppc64, ppc64le, and s390x architectures. [rfrohl, nnposter]

o [Windows] Add support for the new loopback behavior in Npcap 0.9983 and
  later. This enables Nmap to scan localhost on Windows without needing the
  Npcap Loopback Adapter to be installed, which was a source of problems for
  some users.  [Daniel Miller]

o [NSE] MS SQL library has improved version resolution, from service pack level
  to individual cumulative updates [nnposter]

o [NSE][GH#2077] With increased verbosity, script http-default-accounts now
  reports matched target fingerprints even if no default credentials were found
  [nnposter]

o [NSE][GH#2063] IPP request object conversion to string was not working
  correctly [nnposter]

o [NSE][GH#2063] IPP response parser was not correctly processing
  end-of-attributes-tag [nnposter]

o [NSE] Script cups-info was failing due to erroneous double-decoding
  of the IPP printer status [nnposter]

o [NSE][GH#2010] Oracle TNS parser was incorrectly unmarshalling DALC byte
  arrays [nnposter]

o [NSE] The password hashing function for Oracle 10g was not working correctly
  for non-alphanumeric characters [nnposter]

o [NSE] Virtual host probing list, vhosts-full.lst, was missing numerous
  entries present in vhosts-default.lst [nnposter]

o [NSE][GH#1931][GH#1932] Script http-grep was not correctly calculating Luhn
  checksum [Colleen Li, nnposter]
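
  http-grep uses the Luhn checksum to decide whether a run of digits found in
  a page is plausibly a payment card number rather than a timestamp or an
  order ID. The block below is an added C illustration of that filter (the
  script itself is Lua, and this is not its code); the function names and the
  sample text are constructed for the example.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

/* Luhn (mod-10) check over the digits of s, processed right to left.
 * Spaces and hyphens are skipped so "4111 1111 1111 1111" is accepted;
 * any other non-digit character, or fewer than two digits, fails. */
int luhn_valid(const char *s)
{
    int sum = 0, ndigits = 0, dbl = 0;
    size_t i = strlen(s);

    while (i-- > 0) {
        char c = s[i];
        if (c == ' ' || c == '-')
            continue;
        if (!isdigit((unsigned char)c))
            return 0;
        int d = c - '0';
        if (dbl) {                     /* every second digit from the right */
            d *= 2;
            if (d > 9)
                d -= 9;
        }
        sum += d;
        dbl = !dbl;
        ndigits++;
    }
    return ndigits >= 2 && sum % 10 == 0;
}

/* Count runs of 13..19 consecutive digits in text that pass the Luhn
 * check. This is the filter that keeps a card-number grep from flagging
 * timestamps, order IDs and similar digit runs. */
int luhn_count_candidates(const char *text)
{
    int hits = 0;
    const char *p = text;

    while (*p) {
        if (!isdigit((unsigned char)*p)) {
            p++;
            continue;
        }
        const char *start = p;
        while (isdigit((unsigned char)*p))
            p++;
        size_t len = (size_t)(p - start);
        if (len >= 13 && len <= 19) {
            char buf[20];
            memcpy(buf, start, len);
            buf[len] = '\0';
            if (luhn_valid(buf))
                hits++;
        }
    }
    return hits;
}

/* Constructed sample text: one valid test number, one timestamp, one
 * number with a corrupted check digit, one run too short to count. */
const char *SAMPLE_TEXT =
    "card 4111111111111111 at 20200101123456 (not 4111111111111112, 79927398713)";

int main(void)
{
    printf("%d Luhn-valid candidates\n", luhn_count_candidates(SAMPLE_TEXT));
    return 0;
}
```

  Luhn only rejects transcription-style errors, so a passing run is a
  candidate, not a confirmed card number; the length window and the
  surrounding context still matter when triaging hits.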

o [NSE][GH#1838] Scripts dhcp-discover and broadcast-dhcp-discover now support
  new argument "mac" to force a specific client MAC address [nnposter]

o [NSE] Code improvements in RPC Dump, benefitting NFS-related scripts
  [nnposter]

o [NSE] RPC code was using incorrect port range, which was causing some calls,
  such as NFS mountd, to fail intermittently [nnposter]

o [NSE][GH#1876] XML output from script ssl-cert now includes RSA key modulus
  and exponent [nnposter]

o [NSE][GH#1837] Nmap no longer crashes when SMB scripts, such as smb-ls, call
  smb.find_files [nnposter]

o [NSE][GH#1802] The MongoDB library was causing errors when assembling protocol
  payloads. [nnposter]

o [NSE][GH#1781][GH#1796] The RTSP library was not correctly generating request
  strings. [nnposter]

o [NSE][GH#1706] VNC handshakes were failing with insert position out of bounds
  error. [nnposter]

o [NSE][GH#1720] Function marshall_dom_sid2 in library msrpctypes was not
  correctly populating ID Authority. [nnposter]

o [NSE][GH#1720] Unmarshalling functions in library msrpctypes were attempting
  arithmetic on a nil argument. [Ivan Ivanov, nnposter]

o [NSE][GH#1720] Functions lsa_lookupnames2 and lsa_lookupsids2 in library
  msrpc were incorrectly referencing function strjoin when called with debug
  level 2 or higher. [Ivan Ivanov]

o [NSE][GH#1755][GH#2096] Added HTTP default account fingerprints for Tomcat
  Host Manager and Dell iDRAC9. [Clément Notin]

o [NSE][GH#1476][GH#1707] A MS-SMB spec non-compliance in Samba was causing
  protocol negotiation to fail with data string too short error.
  [Clément Notin, nnposter]

o [NSE][GH#1480][GH#1713][GH#1714] A bug in SMB library was causing scripts to
  fail with bad format argument error. [Ivan Ivanov]

o [NSE][GH#1665] The HTTP library no longer crashes when code requests digest
  authentication but the server does not provide the necessary authentication
  header. [nnposter]

o [NSE] Fixed a bug in http-wordpress-users.nse that could cause
  extraneous output to be captured as part of a username. [Duarte Silva]

Nmap 7.80 [2019-08-10]

o [Windows] The Npcap Windows packet capturing library (https://npcap.org/)
  is faster and more stable than ever. Nmap 7.80 updates the bundled Npcap
  from version 0.99-r2 to 0.9982, including all of these changes from the
  last 15 Npcap releases: https://nmap.org/npcap/changelog

o [NSE] Added 11 NSE scripts, from 8 authors, bringing the total up to 598!
  They are all listed at https://nmap.org/nsedoc/, and the summaries are
  below:

  + [GH#1232] broadcast-hid-discoveryd discovers HID devices on a LAN by
    sending a discoveryd network broadcast probe. [Brendan Coles]

  + [GH#1236] broadcast-jenkins-discover discovers Jenkins servers on a LAN
    by sending a discovery broadcast probe. [Brendan Coles]

  + [GH#1016][GH#1082] http-hp-ilo-info extracts information from HP
    Integrated Lights-Out (iLO) servers. [rajeevrmenon97]

  + [GH#1243] http-sap-netweaver-leak detects SAP Netweaver Portal with the
    Knowledge Management Unit enabled with anonymous access. [ArphanetX]

  + https-redirect detects HTTP servers that redirect to the same port, but
    with HTTPS. Some nginx servers do this, which made ssl-* scripts not run
    properly. [Daniel Miller]

  + [GH#1504] lu-enum enumerates Logical Units (LU) of TN3270E servers.
    [Soldier of Fortran]

  + [GH#1633] rdp-ntlm-info extracts Windows domain information from RDP
    services. [Tom Sellers]

  + smb-vuln-webexec checks whether the WebExService is installed and allows
    code execution. [Ron Bowes]

  + smb-webexec-exploit exploits the WebExService to run arbitrary commands
    with SYSTEM privileges. [Ron Bowes]

  + [GH#1457] ubiquiti-discovery extracts information from the Ubiquiti
    Discovery service and assists version detection. [Tom Sellers]

  + [GH#1126] vulners queries the Vulners CVE database API using CPE
    information from Nmap's service and application version detection.
    [GMedian, Daniel Miller]

o [GH#1371] The macOS installer is now built for x86_64 architecture, not i386.

o [GH#1396] Fixed the Windows installer, which would replace the entire PATH
  system variable with the path for Nmap if it exceeded 1024 bytes. This was
  fixed by using the "large strings" build of NSIS to build the new installer.
  [Daniel Miller]

o Replaced the addrset matching code that is used by --exclude and
  --excludefile with a much faster implementation using a radix tree (trie).
  https://seclists.org/nmap-dev/2018/q4/13
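
  The radix-tree entry above names the data structure but not how it makes
  --exclude matching fast. Here is an added C sketch, not Nmap's addrset
  implementation, of a binary trie over IPv4 prefixes: each exclusion costs
  one node per prefix bit, and a membership test walks at most 32 nodes no
  matter how long the exclude list is. Function names, the IPv4-only scope and
  the sample exclusion list are all constructed for this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Binary trie keyed on IPv4 address bits, most significant bit first. A
 * node marked terminal covers every address beneath it, so a /24 costs 24
 * nodes and any lookup ends after at most 32 steps. */
typedef struct trie_node {
    struct trie_node *child[2];
    int terminal;
} trie_node;

trie_node *trie_new(void)
{
    return calloc(1, sizeof(trie_node));
}

void trie_free(trie_node *n)
{
    if (!n)
        return;
    trie_free(n->child[0]);
    trie_free(n->child[1]);
    free(n);
}

/* Parse a dotted quad into host byte order. Returns 1 on success. */
int ip4_parse(const char *s, uint32_t *out)
{
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = (a << 24) | (b << 16) | (c << 8) | d;
    return 1;
}

/* Mark the first 'prefix' bits of addr as covered. */
void trie_insert(trie_node *root, uint32_t addr, int prefix)
{
    trie_node *n = root;
    for (int i = 0; i < prefix; i++) {
        if (n->terminal)
            return;              /* already covered by a shorter prefix */
        int bit = (addr >> (31 - i)) & 1;
        if (!n->child[bit])
            n->child[bit] = trie_new();
        n = n->child[bit];
    }
    n->terminal = 1;
}

/* Insert "a.b.c.d" or "a.b.c.d/len". Returns 1 on success, 0 on bad input. */
int trie_insert_cidr(trie_node *root, const char *spec)
{
    char buf[32];
    uint32_t addr;
    long prefix = 32;

    if (strlen(spec) >= sizeof buf)
        return 0;
    strcpy(buf, spec);
    char *slash = strchr(buf, '/');
    if (slash) {
        char *end;
        *slash = '\0';
        prefix = strtol(slash + 1, &end, 10);
        if (end == slash + 1 || *end || prefix < 0 || prefix > 32)
            return 0;
    }
    if (!ip4_parse(buf, &addr))
        return 0;
    trie_insert(root, addr, (int)prefix);
    return 1;
}

int trie_contains(const trie_node *root, uint32_t addr)
{
    const trie_node *n = root;
    for (int i = 0; i < 32; i++) {
        if (n->terminal)
            return 1;
        n = n->child[(addr >> (31 - i)) & 1];
        if (!n)
            return 0;
    }
    return n->terminal;
}

/* 1 if the dotted-quad string is excluded, 0 otherwise (unparseable
 * strings count as not excluded). */
int trie_excludes(const trie_node *root, const char *s)
{
    uint32_t addr;
    return ip4_parse(s, &addr) && trie_contains(root, addr);
}

int main(void)
{
    /* constructed exclusion list, like the contents of an --excludefile */
    const char *excl[] = {"10.0.0.0/8", "192.168.1.0/24", "203.0.113.7"};
    const char *probe[] = {"10.1.2.3", "192.168.2.1", "203.0.113.7"};
    trie_node *t = trie_new();
    for (size_t i = 0; i < 3; i++)
        trie_insert_cidr(t, excl[i]);
    for (size_t i = 0; i < 3; i++)
        printf("%s excluded: %d\n", probe[i], trie_excludes(t, probe[i]));
    trie_free(t);
    return 0;
}
```

  Because a shorter prefix marks its node terminal, later longer prefixes
  inside it are simply absorbed; lookups stop at the first terminal node on
  the path, which is what makes the cost independent of list size.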

o [GH#1291][GH#34][GH#1339] Use pcap_create instead of pcap_live_open in
  Nmap, and set immediate mode on the pcap descriptor. This solves packet
  loss problems on Linux and may improve performance on other platforms.
  [Daniel Cater, Mike Pontillo, Daniel Miller]

o [NSE][GH#1330] Fixed an infinite loop in tls-alpn when the server forces a
  particular protocol. [Daniel Miller]

o [NSE] Collected utility functions for string processing into a new
  library, stringaux.lua. [Daniel Miller]

o [NSE] New rand.lua library uses the best sources of random available on
  the system to generate random strings. [Daniel Miller]

o [NSE] New library, oops.lua, makes reporting errors easy, with plenty of
  debugging detail when needed, and no clutter when not. [Daniel Miller]

o [NSE] Collected utility functions for manipulating and searching tables
  into a new library, tableaux.lua. [Daniel Miller]

o [NSE] New knx.lua library holds common functions and definitions for
  communicating with KNX/Konnex devices. [Daniel Miller]

o [NSE][GH#1571] The HTTP library now provides transparent support for gzip-
  encoded response body. (See https://github.com/nmap/nmap/pull/1571 for an
  overview.) [nnposter]

o [Nsock][Ncat][GH#1075] Add AF_VSOCK (Linux VM sockets) functionality to
  Nsock and Ncat. VM sockets are used for communication between virtual
  machines and the hypervisor. [Stefan Hajnoczi]

o [Security][Windows] Address CVE-2019-1552 in OpenSSL by building with the
  prefix "C:\Program Files (x86)\Nmap\OpenSSL". This should prevent
  unauthorized users from modifying OpenSSL defaults by writing
  configuration to this directory.

o [Security][GH#1147][GH#1108] Reduced LibPCRE resource limits so that
  version detection can't use as much of the stack. Previously Nmap could
  crash when run on low-memory systems against target services which are
  intentionally or accidentally difficult to match. Someone assigned
  CVE-2018-15173 for this issue. [Daniel Miller]

o [GH#1361] Deprecate and disable the -PR (ARP ping) host discovery
  option. ARP ping is already used whenever possible, and the -PR option
  would not force it to be used in any other case. [Daniel Miller]

o [NSE] bin.lua is officially deprecated. Lua 5.3, added 2 years ago in Nmap
  7.25BETA2, has native support for binary data packing via string.pack and
  string.unpack. All existing scripts and libraries have been updated.
  [Daniel Miller]

o [NSE] Completely removed the bit.lua NSE library. All of its functions are
  replaced by native Lua bitwise operations, except for `arshift`
  (arithmetic shift) which has been moved to the bits.lua library. [Daniel
  Miller]

o [NSE][GH#1571] The HTTP library is now enforcing a size limit on the
  received response body. The default limit can be adjusted with a script
  argument, which applies to all scripts, and can be overridden case-by-case
  with an HTTP request option. (See https://github.com/nmap/nmap/pull/1571
  for details.)  [nnposter]

o [NSE][GH#1648] CR characters are no longer treated as illegal in script
  XML output. [nnposter]

o [GH#1659] Allow resuming nmap scan with lengthy command line [Clément
  Notin]

o [NSE][GH#1614] Add TLS support to rdp-enum-encryption. Enables determining
  protocol version against servers that require TLS and lays groundwork for
  some NLA/CredSSP information collection. [Tom Sellers]

o [NSE][GH#1611] Address two protocol parsing issues in rdp-enum-encryption
  and the RDP nse library which broke scanning of Windows XP. Clarify
  protocol types [Tom Sellers]

o [NSE][GH#1608] Script http-fileupload-exploiter failed to locate its
  resource file unless executed from a specific working
  directory. [nnposter]

o [NSE][GH#1467] Avoid clobbering the "severity" and "ignore_404" values of
  fingerprints in http-enum. None of the standard fingerprints uses these
  fields. [Kostas Milonas]

o [NSE][GH#1077] Fix a crash caused by a double-free of libssh2 session data
  when running SSH NSE scripts against non-SSH services. [Seth Randall]

o [NSE][GH#1565] Updates the execution rule of the mongodb scripts to be
  able to run on alternate ports. [Paulino Calderon]

o [Ncat][GH#1560] Allow Ncat to connect to servers on port 0, provided that
  the socket implementation allows this. [Daniel Miller]

o Update the included libpcap to 1.9.0. [Daniel Miller]

o [NSE][GH#1544] Fix a logic error that resulted in scripts not honoring the
  smbdomain script-arg when the target provided a domain in the NTLM
  challenge.  [Daniel Miller]

o [Nsock][GH#1543] Avoid a crash (Protocol not supported) caused by trying
  to reconnect with SSLv2 when an error occurs during DTLS connect. [Daniel
  Miller]

o [NSE][GH#1534] Removed OSVDB references from scripts and replaced them
  with BID references where possible. [nnposter]

o [NSE][GH#1504] Updates TN3270.lua and adds argument to disable TN3270E
  [Soldier of Fortran]

o [GH#1504] RMI parser could crash when encountering invalid input [Clément
  Notin]

o [GH#863] Avoid reporting negative latencies due to matching an ARP or ND
  response to a probe sent after it was received. [Daniel Miller]

o [Ncat][GH#1441] To avoid confusion and to support non-default proxy ports,
  option --proxy now requires a literal IPv6 address to be specified using
  square-bracket notation, such as --proxy [2001:db8::123]:456. [nnposter]

o [Ncat][GH#1214][GH#1230][GH#1439] New ncat option provides control over
  whether proxy destinations are resolved by the remote proxy server or
  locally, by Ncat itself. See option --proxy-dns. [nnposter]

o [NSE][GH#1478] Updated script ftp-syst to prevent potential endless
  looping.  [nnposter]

o [GH#1454] New service probes and match lines for v1 and v2 of the Ubiquiti
  Discovery protocol. Devices often leave the related service open and it
  exposes significant amounts of information as well as the risk of being
  used as part of a DDoS. New nmap-payload entry for v1 of the
  protocol. [Tom Sellers]

o [NSE] Removed hostmap-ip2hosts.nse as the API has been broken for a while
  and the service was completely shut down on Feb 17th, 2019. [Paulino
  Calderon]

o [NSE][GH#1318] Adds TN3270E support and additional improvements to
  tn3270.lua and updates tn3270-screen.nse to display the new
  setting. [mainframed]

o [NSE][GH#1346] Updates product codes and adds a check for response length
  in enip-info.nse. The script now uses string.unpack. [NothinRandom]

o [Ncat][GH#1310][GH#1409] Temporary RSA keys are now 2048-bit to resolve a
  compatibility issue with OpenSSL library configured with security level 2,
  as seen on current Debian or Kali.  [Adrian Vollmer, nnposter]

o [NSE][GH#1227] Fix a crash (double-free) when using SSH scripts against
  non-SSH services. [Daniel Miller]
  534 
  535 o [Zenmap] Fix a crash when Nmap executable cannot be found and the system
  536   PATH contains non-UTF-8 bytes, such as on Windows. [Daniel Miller]
  537 
  538 o [Zenmap] Fix a crash in results search when using the dir: operator:
  539     AttributeError: 'SearchDB' object has no attribute 'match_dir' [Daniel
  540     Miller]
  541 
  542 o [Ncat][GH#1372] Fixed an issue with Ncat -e on Windows that caused early
  543   termination of connections. [Alberto Garcia Illera]
  544 
  545 o [NSE][GH#1359] Fix a false-positive in http-phpmyadmin-dir-traversal when
  546   the server responds with 200 status to a POST request to any
  547   URI. [Francesco Soncina]
  548 
  549 o [NSE] New vulnerability state in vulns.lua, UNKNOWN, is used to indicate
  550   that testing could not rule out vulnerability. [Daniel Miller]
  551 
  552 o [GH#1355] When searching for Lua header files, actually use them where
  553   they are found instead of forcing /usr/include. [Fabrice Fontaine, Daniel
  554   Miller]
  555 
  556 o [NSE][GH#1331] Script traceroute-geolocation no longer crashes when
  557   www.GeoPlugin.net returns null coordinates [Michal Kubenka, nnposter]
  558 
  559 o Limit verbose -v and debugging -d levels to a maximum of 10. Nmap does not
  560   use higher levels internally. [Daniel Miller]
  561 
  562 o [NSE] tls.lua when creating a client_hello message will now only use a
  563   SSLv3 record layer if the protocol version is SSLv3. Some TLS
  564   implementations will not handshake with a client offering less than
  565   TLSv1.0. Scripts will have to manually fall back to SSLv3 to talk to
  566   SSLv3-only servers. [Daniel Miller]
  567 
  568 o [NSE][GH#1322] Fix a few false-positive conditions in
  569   ssl-ccs-injection. TLS implementations that responded with fatal alerts
  570   other than "unexpected message" had been falsely marked as
  571   vulnerable. [Daniel Miller]
  572 
  573 o Emergency fix to Nmap's birthday announcement so Nmap wishes itself a
  574   "Happy 21st Birthday" rather than "Happy 21th" in verbose mode (-v) on
  575   September 1, 2018. [Daniel Miller]
  576 
  577 o [GH#1150] Start host timeout clocks when the first probe is sent to a
  578   host, not when the hostgroup is started. Sometimes a host doesn't get
  579   probes until late in the hostgroup, increasing the chance it will time
  580   out. [jsiembida]
  581 
  582 o [NSE] Support for edns-client-subnet (ECS) in dns.lua has been improved by:
  583   - [GH#1271] Using ECS code compliant with RFC 7871 [John Bond]
  584   - Properly trimming ECS address, as mandated by RFC 7871 [nnposter]
  585   - Fixing a bug that prevented using the same ECS option table more than
  586     once [nnposter]
  587 
  588 o [Ncat][GH#1267] Fixed communication with commands launched with -e or -c
  589   on Windows, especially when --ssl is used. [Daniel Miller]
  590 
  591 o [NSE] Script http-default-accounts can now select more than one
  592   fingerprint category. It now also possible to select fingerprints by name
  593   to support very specific scanning. [nnposter]
  594 
  595 o [NSE] Script http-default-accounts was not able to run against more than
  596   one target host/port. [nnposter]
  597 
  598 o [NSE][GH#1251] New script-arg `http.host` allows users to force a
  599   particular value for the Host header in all HTTP requests.
  600 
  601 o [NSE][GH#1258] Use smtp.domain script arg or target's domain name instead
  602   of "example.com" in EHLO command used for STARTTLS. [gwire]
  603 
  604 o [NSE][GH#1233] Fix brute.lua's BruteSocket wrapper, which was crashing
  605   Nmap with an assertion failure due to socket mixup [Daniel Miller]: nmap:
  606   nse_nsock.cc:672: int receive_buf(lua_State*, int, lua_KContext):
  607   Assertion `lua_gettop(L) == 7' failed.
  608 
  609 o [NSE][GH#1254] Handle an error condition in smb-vuln-ms17-010 caused by
  610   IPS closing the connection. [Clément Notin]
  611 
  612 o [Ncat][GH#1237] Fixed literal IPv6 URL format for connecting through HTTP
  613   proxies. [Phil Dibowitz]
  614 
  615 o [NSE][GH#1212] Updates vendors from ODVA list for enip-info. [NothinRandom]
  616 
  617 o [NSE][GH#1191] Add two common error strings that improve MySQL detection
  618   by the script http-sql-injection. [Robert Taylor, Paulino Calderon]
  619 
  620 o [NSE][GH#1220] Fix bug in http-vuln-cve2006-3392 that prevented the script
  621   from generating the vulnerability report correctly. [rewardone]
  622 
  623 o [NSE][GH#1218] Fix bug related to screen rendering in NSE library
  624   tn3270. This patch also improves the brute force script
  625   tso-brute. [mainframed]
  626 
  627 o [NSE][GH#1209] Fix SIP, SASL, and HTTP Digest authentication when the
  628   algorithm contains lowercase characters. [Jeswin Mathai]
  629 
  630 o [GH#1204] Nmap could be fooled into ignoring TCP response packets if they
  631   used an unknown TCP Option, which would misalign the validation, causing
  632   it to fail. [Clément Notin, Daniel Miller]
  633 
  634 o [NSE] The HTTP response parser now tolerates status lines without a reason
  635   phrase, which improves compatibility with some HTTP servers. [nnposter]
  636 
  637 o [NSE][GH#1169][GH#1170][GH#1171][GH#1198] Parser for HTTP Set-Cookie header
  638   is now more compliant with RFC 6265:
  639   - empty attributes are tolerated
  640   - double quotes in cookie and/or attribute values are treated literally
  641   - attributes with empty values and value-less attributes are parsed equally
  642   - attributes named "name" or "value" are ignored
  643   [nnposter]
  644 
  645 o [NSE][GH#1158] Fix parsing http-grep.match script-arg. [Hans van den
  646   Bogert]
  647 
  648 o [Zenmap][GH#1177] Avoid a crash when recent_scans.txt cannot be written
  649   to.  [Daniel Miller]
  650 
  651 o Fixed --resume when the path to Nmap contains spaces. Reported on Windows
  652   by Adriel Desautels. [Daniel Miller]
  653 
  654 o New service probe and match lines for adb, the Android Debug Bridge, which
  655   allows remote code execution and is left enabled by default on many
  656   devices. [Daniel Miller]
  657 
  658 Nmap 7.70 [2018-03-20]
  659 
  660 o [Windows] We made a ton of improvements to our Npcap Windows packet
  661   capturing library (https://nmap.org/npcap/) for greater performance and
  662   stability, as well as smoother installer and better 802.11 raw frame
  663   capturing support. Nmap 7.70 updates the bundled Npcap from version 0.93 to
  664   0.99-r2, including all these changes from the last seven Npcap releases:
  665   https://nmap.org/npcap/changelog
  666 
  667 o Integrated all of your service/version detection fingerprints submitted from
  668   March 2017 to August 2017 (728 of them). The signature count went up 1.02%
  669   to 11,672, including 26 new softmatches.  We now detect 1224 protocols from
  670   filenet-pch, lscp, and netassistant to sharp-remote, urbackup, and
  671   watchguard.  We will try to integrate the remaining submissions in the next
  672   release.
  673 
  674 o Integrated all of your IPv4 OS fingerprint submissions from September 2016
  675   to August 2017 (667 of them). Added 298 fingerprints, bringing the new total
  676   to 5,652. Additions include iOS 11, macOS Sierra, Linux 4.14, Android 7, and
  677   more.
  678 
  679 o Integrated all 33 of your IPv6 OS fingerprint submissions from September
  680   2016 to August 2017. New groups for OpenBSD 6.0 and FreeBSD 11.0 were added,
  681   as well as strengthened groups for Linux and OS X.
  682 
  683 o Added the --resolve-all option to resolve and scan all IP addresses of a
  684   host.  This essentially replaces the resolveall NSE script. [Daniel Miller]
  685 
  686 o [NSE][SECURITY] Nmap developer nnposter found a security flaw (directory
  687   traversal vulnerability) in the way the non-default http-fetch script
  688   sanitized URLs. If a user manually ran this NSE script against a malicious
  689   web server, the server could potentially (depending on NSE arguments used)
  690   cause files to be saved outside the intended destination directory. Existing
  691   files couldn't be overwritten.  We fixed http-fetch, audited our other
  692   scripts to ensure they didn't make this mistake, and updated the httpspider
  693   library API to protect against this by default. [nnposter, Daniel Miller]
  694 
  695 o [NSE] Added 9 NSE scripts, from 8 authors, bringing the total up to 588!
  696   They are all listed at https://nmap.org/nsedoc/, and the summaries are
  697   below:
  698 
  699   + deluge-rpc-brute performs brute-force credential testing against Deluge
  700     BitTorrent RPC services, using the new zlib library. [Claudiu Perta]
  701 
  702   + hostmap-crtsh lists subdomains by querying Google's Certificate
  703     Transparency logs. [Paulino Calderon]
  704 
  705   + [GH#892] http-bigip-cookie decodes unencrypted F5 BIG-IP cookies and
  706     reports back the IP address and port of the actual server behind the
  707     load-balancer. [Seth Jackson]
  708 
  709   + http-jsonp-detection attempts to discover JSONP endpoints in web servers.
  710     JSONP endpoints can be used to bypass Same-origin Policy restrictions in
  711     web browsers. [Vinamra Bhatia]
  712 
  713   + http-trane-info obtains information from Trane Tracer SC controllers and
  714     connected HVAC devices. [Pedro Joaquin]
  715 
  716   + [GH#609] nbd-info uses the new nbd.lua library to query Network Block
  717     Devices for protocol and file export information. [Mak Kolybabi]
  718 
  719   + rsa-vuln-roca checks for RSA keys generated by Infineon TPMs
  720     vulnerable to Return Of Coppersmith Attack (ROCA) (CVE-2017-15361). Checks
  721     SSH and TLS services. [Daniel Miller]
  722 
  723   + [GH#987] smb-enum-services retrieves the list of services running on a
  724     remote Windows machine. Modern Windows systems require a privileged domain
  725     account in order to list the services. [Rewanth Cool]
  726 
  727   + tls-alpn checks TLS servers for Application Layer Protocol Negotiation
  728     (ALPN) support and reports supported protocols. ALPN largely replaces NPN,
  729     which tls-nextprotoneg was written for. [Daniel Miller]
  730 
  731 o [GH#978] Fixed Nsock on Windows giving errors when selecting on STDIN. This
  732   was causing Ncat 7.60 in connect mode to quit with error: libnsock
  733   select_loop(): nsock_loop error 10038: An operation was attempted on
  734   something that is not a socket.  [nnposter]
  735 
  736 o [Ncat][GH#197][GH#1049] Fix --ssl connections from dropping on
  737   renegotiation, the same issue that was partially fixed for server mode in
  738   [GH#773]. Reported on Windows with -e by pkreuzt and vinod272. [Daniel
  739   Miller]
  740 
  741 o [NSE][GH#1062][GH#1149] Some changes to brute.lua to better handle
  742   misbehaving or rate-limiting services. Most significantly,
  743   brute.killstagnated now defaults to true. Thanks to xp3s and Adamtimtim for
  744   reporting infinite loops and proposing changes.
  745 
  746 o [NSE] VNC scripts now support Apple Remote Desktop authentication (auth type
  747   30) [Daniel Miller]
  748 
  749 o [NSE][GH#1111] Fix a script crash in ftp.lua when PASV connection timed out.
  750   [Aniket Pandey]
  751 
  752 o [NSE][GH#1114] Update bitcoin-getaddr to receive more than one response
  753   message, since the first message usually only has one address in it. [h43z]
  754 
  755 o [Ncat][GH#1139] Ncat now selects the correct default port for a given proxy
  756   type. [Pavel Zhukov]
  757 
  758 o [NSE] memcached-info can now gather information from the UDP memcached
  759   service in addition to the TCP service. The UDP service is frequently used as
  760   a DDoS reflector and amplifier. [Daniel Miller]
  761 
  762 o [NSE][GH#1129] Changed url.absolute() behavior with respect to dot and
  763   dot-dot path segments to comply with RFC 3986, section 5.2. [nnposter]
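
The RFC 3986 section 5.2 behaviour referred to in this entry, as an added example that is not Nmap's url.lua: reference resolution with the remove_dot_segments algorithm (section 5.2.4), checked against the RFC's own section 5.4 test vectors. Function names are this example's own.

```python
"""Added example, not code from Nmap's url.lua: RFC 3986 section 5.2
reference resolution, with the remove_dot_segments algorithm (5.2.4) that
url.absolute() now follows for "." and ".." path segments."""
import re

# Regex from RFC 3986 Appendix B: scheme, authority, path, query, fragment.
_URI_RE = re.compile(r"^(([^:/?#]+):)?(//([^/?#]*))?([^?#]*)(\?([^#]*))?(#(.*))?")


def split_uri(uri):
    """Return the five generic components; absent components are None."""
    m = _URI_RE.match(uri)
    return {"scheme": m.group(2), "authority": m.group(4), "path": m.group(5),
            "query": m.group(7), "fragment": m.group(9)}


def remove_dot_segments(path):
    """RFC 3986 section 5.2.4: drop "." and resolve ".." segments.

    Surplus ".." segments at the root are discarded rather than allowed to
    climb above "/", which is what keeps the result usable as a path.
    """
    out = []  # completed segments, each keeping its leading "/"
    while path:
        if path.startswith("../"):          # rule A: leading "../"
            path = path[3:]
        elif path.startswith("./"):         # rule A: leading "./"
            path = path[2:]
        elif path.startswith("/./"):        # rule B: "/./" -> "/"
            path = path[2:]
        elif path == "/.":                  # rule B: trailing "/."
            path = "/"
        elif path.startswith("/../"):       # rule C: "/../" -> "/", pop a segment
            path = path[3:]
            if out:
                out.pop()
        elif path == "/..":                 # rule C: trailing "/.."
            path = "/"
            if out:
                out.pop()
        elif path in (".", ".."):           # rule D: lone dot segments
            path = ""
        else:                               # rule E: move first segment to output
            start = 1 if path.startswith("/") else 0
            nxt = path.find("/", start)
            if nxt == -1:
                out.append(path)
                path = ""
            else:
                out.append(path[:nxt])
                path = path[nxt:]
    return "".join(out)


def _merge(base, ref_path):
    """RFC 3986 section 5.2.3: merge a relative path with the base path."""
    if base["authority"] is not None and base["path"] == "":
        return "/" + ref_path
    return base["path"][: base["path"].rfind("/") + 1] + ref_path


def resolve(base_uri, ref):
    """RFC 3986 section 5.2.2: resolve reference `ref` against `base_uri`."""
    base, r = split_uri(base_uri), split_uri(ref)
    if r["scheme"] is not None:
        t = {"scheme": r["scheme"], "authority": r["authority"],
             "path": remove_dot_segments(r["path"]), "query": r["query"]}
    elif r["authority"] is not None:
        t = {"scheme": base["scheme"], "authority": r["authority"],
             "path": remove_dot_segments(r["path"]), "query": r["query"]}
    else:
        if r["path"] == "":
            path = base["path"]
            query = r["query"] if r["query"] is not None else base["query"]
        elif r["path"].startswith("/"):
            path, query = remove_dot_segments(r["path"]), r["query"]
        else:
            path, query = remove_dot_segments(_merge(base, r["path"])), r["query"]
        t = {"scheme": base["scheme"], "authority": base["authority"],
             "path": path, "query": query}
    t["fragment"] = r["fragment"]
    return recompose(t)


def recompose(t):
    """RFC 3986 section 5.3: reassemble the components into a string."""
    s = (t["scheme"] + ":") if t["scheme"] is not None else ""
    if t["authority"] is not None:
        s += "//" + t["authority"]
    s += t["path"]
    if t["query"] is not None:
        s += "?" + t["query"]
    if t["fragment"] is not None:
        s += "#" + t["fragment"]
    return s


if __name__ == "__main__":
    base = "http://a/b/c/d;p?q"  # the base URI used by the RFC's examples
    for ref in ("g", "../g", "../../../g", "/./g", "g;x=1/../y", "#s"):
        print(ref, "->", resolve(base, ref))
```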
  764 
  765 o Removed deprecated and undocumented aliases for several long options that
  766   used underscores instead of hyphens, such as --max_retries. [Daniel Miller]
  767 
  768 o Improved service scan's treatment of soft matches in two ways. First of all,
  769   any probes that could result in a full match with the soft matched service
  770   will now be sent, regardless of rarity.  This improves the chances of
  771   matching unusual services on non-standard ports.  Second, probes are now
  772   skipped if they don't contain any signatures for the soft matched service.
  773   Previously the probes would still be run as long as the target port number
  774   matched the probe's specification.  Together, these changes should make
  775   service/version detection faster and more accurate.  For more details on how
  776   it works, see https://nmap.org/book/vscan.html. [Daniel Miller]
  777 
  778 o --version-all now turns off the soft match optimization, ensuring that all
  779   probes really are sent, even if there aren't any existing match lines for
  780   the softmatched service. This is slower, but gives the most comprehensive
  781   results and produces better fingerprints for submission. [Daniel Miller]
  782 
  783 o [NSE][GH#1083] New set of Telnet softmatches for version detection based on
  784   Telnet DO/DON'T options offered, covering a wide variety of devices and
  785   operating systems. [D Roberson]
  786 
  787 o [GH#1112] Resolved crash opportunities caused by unexpected libpcap version
  788   string format. [Gisle Vanem, nnposter]
  789 
  790 o [NSE][GH#1090] Fix false positives in rexec-brute by checking responses for
  791   indications of login failure. [Daniel Miller]
  792 
  793 o [NSE][GH#1099] Fix http-fetch to keep downloaded files in separate
  794   destination directories. [Aniket Pandey]
  795 
  796 o [NSE] Added new fingerprints to http-default-accounts:
  797   - Hikvision DS-XXX Network Camera and NUOO DVR [Paulino Calderon]
  798   - [GH#1074] ActiveMQ, Purestorage, and Axis Network Cameras [Rob Fitzpatrick, Paulino Calderon]
  799 
  800 o Added a new service detection match for WatchGuard Authentication Gateway.
  801   [Paulino Calderon]
  802 
  803 o [NSE][GH#1038][GH#1037] Script qscan was not observing interpacket delays
  804   (parameter qscan.delay). [nnposter]
  805 
  806 o [NSE][GH#1046] Script http-headers now fails properly if the target does not
  807   return a valid HTTP response. [spacewander]
  808 
  809 o [Ncat][Nsock][GH#972] Remove RC4 from the list of TLS ciphers used by
  810   default, in accordance with RFC 7465. [Codarren Velvindron]
  811 
  812 o [NSE][GH#1022] Fix a false positive condition in ipmi-cipher-zero caused by
  813   not checking the error code in responses. Implementations which return an
  814   error are not vulnerable. [Juho Jokelainen]
  815 
  816 o [NSE][GH#958] Two new libraries for NSE.
  817   - idna - Support for internationalized domain names in applications (IDNA)
  818   - punycode (a transfer encoding syntax used in IDNA)
  819   [Rewanth Cool]
  820 
  821 o [NSE] New fingerprints for http-enum:
  822   - [GH#954] Telerik UI CVE-2017-9248 [Harrison Neal]
  823   - [GH#767] Many WordPress version detections [Rewanth Cool]
  824 
  825 o [GH#981][GH#984][GH#996][GH#975] Fixed Ncat proxy authentication issues:
  826   - Usernames and/or passwords could not be empty
  827   - Passwords could not contain colons
  828   - SOCKS5 authentication was not properly documented
  829   - SOCKS5 authentication had a memory leak
  830   [nnposter]
  831 
  832 o [GH#1009][GH#1013] Fixes to autoconf header files to allow autoreconf to be
  833   run. [Lukas Schwaighofer]
  834 
  835 o [GH#977] Improved DNS service version detection coverage and consistency
  836   by using data from a Project Sonar Internet wide survey. Numerous false
  837   positives were removed and reliable softmatches added. Match lines for
  838   version.bind responses were also consolidated using the technique below.
  839   [Tom Sellers]
  840 
  841 o [GH#977] Changed version probe fallbacks so as to work cross protocol
  842   (TCP/UDP). This enables consolidating match lines for services where the
  843   responses on TCP and UDP are similar. [Tom Sellers]
  844 
  845 o [NSE][GH#532] Added the zlib library for NSE so scripts can easily
  846   handle compression. This work started during GSOC 2014, so we're
  847   particularly pleased to finally integrate it! [Claudiu Perta, Daniel
  848   Miller]
  849 
  850 o [NSE][GH#1004] Fixed handling of brute.retries variable. It was being treated
  851   as the number of tries, not retries, and a value of 0 would result in
  852   infinite retries. Instead, it is now the number of retries, defaulting to 2
  853   (3 total tries), with no option for infinite retries.
  854 
  855 o [NSE] http-devframework-fingerprints.lua supports Jenkins server detection
  856   and returns extra information when Jenkins is detected [Vinamra Bhatia]
  857 
  858 o [GH#926] The rarity level of MS SQL's service detection probe was decreased.
  859   Now we can find MS SQL in odd ports without increasing version intensity.
  860   [Paulino Calderon]
  861 
  862 o [GH#957] Fix reporting of zlib and libssh2 versions in "nmap --version". We
  863   were always reporting the version number of the included source, even when a
  864   different version was actually linked. [Pavel Zhukov]
  865 
  866 o Add a new helper function for nmap-service-probes match lines: $I(1,">") will
  867   unpack an unsigned big-endian integer value up to 8 bytes wide from capture
  868   1. The second option can be "<" for little-endian. [Daniel Miller]
  869 
  870 Nmap 7.60 [2017-07-31]
  871 
  872 o [Windows] Updated the bundled Npcap from 0.91 to 0.93, fixing several issues
  873   with installation and compatibility with the Windows 10 Creators Update.
  874 
  875 o [NSE][GH#910] NSE scripts now have complete SSH support via libssh2,
  876   including password brute-forcing and running remote commands, thanks to the
  877   combined efforts of three Summer of Code students: [Devin Bjelland, Sergey
  878   Khegay, Evangelos Deirmentzoglou]
  879 
  880 o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 579!
  881   They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  882 
  883   + ftp-syst sends SYST and STAT commands to FTP servers to get system version
  884     and connection information. [Daniel Miller]
  885 
  886   + [GH#916] http-vuln-cve2017-8917 checks for an SQL injection vulnerability affecting
  887     Joomla! 3.7.x before 3.7.1. [Wong Wai Tuck]
  888 
  889   + iec-identify probes for the IEC 60870-5-104 SCADA protocol. [Aleksandr
  890     Timorin, Daniel Miller]
  891 
  892   + [GH#915] openwebnet-discovery retrieves device identifying information and
  893     number of connected devices running on openwebnet protocol. [Rewanth Cool]
  894 
  895   + puppet-naivesigning checks for a misconfiguration in the Puppet CA where
  896     naive signing is enabled, allowing for any CSR to be automatically signed.
  897     [Wong Wai Tuck]
  898 
  899   + [GH#943] smb-protocols discovers if a server supports dialects NT LM 0.12
  900     (SMBv1), 2.02, 2.10, 3.00, 3.02 and 3.11. This replaces the old
  901     smbv2-enabled script. [Paulino Calderon]
  902 
  903   + [GH#943] smb2-capabilities lists the supported capabilities of SMB2/SMB3
  904     servers. [Paulino Calderon]
  905 
  906   + [GH#943] smb2-time determines the current date and boot date of SMB2
  907     servers. [Paulino Calderon]
  908 
  909   + [GH#943] smb2-security-mode determines the message signing configuration of
  910     SMB2/SMB3 servers. [Paulino Calderon]
  911 
  912   + [GH#943] smb2-vuln-uptime attempts to discover missing critical patches in
  913     Microsoft Windows systems based on the SMB2 server uptime. [Paulino Calderon]
  914 
  915   + ssh-auth-methods lists the authentication methods offered by an SSH server.
  916     [Devin Bjelland]
  917 
  918   + ssh-brute performs brute-forcing of SSH password credentials. [Devin Bjelland]
  919 
  920   + ssh-publickey-acceptance checks public or private keys to see if they could
  921     be used to log in to a target. A list of known-compromised key pairs is
  922     included and checked by default. [Devin Bjelland]
  923 
  924   + ssh-run uses user-provided credentials to run commands on targets via SSH.
  925     [Devin Bjelland]
  926 
  927 o [NSE] Removed smbv2-enabled, which was incompatible with the new SMBv2/3
  928   improvements. It was fully replaced by the smb-protocols script.
  929 
  930 o [Ncat][GH#446] Added Datagram TLS (DTLS) support to Ncat in connect (client)
  931   mode with --udp --ssl. Also added Application Layer Protocol Negotiation
  932   (ALPN) support with the --ssl-alpn option. [Denis Andzakovic, Daniel Miller]
  933 
  934 o Updated the default ciphers list for Ncat and the secure ciphers list for
  935   Nsock to use "!aNULL:!eNULL" instead of "!ADH". With the addition of ECDH
  936   ciphersuites, anonymous ECDH suites were being allowed. [Daniel Miller]
  937 
  938 o [NSE][GH#930] Fix ndmp-version and ndmp-fs-info when scanning Veritas Backup
  939   Exec Agent 15 or 16. [Andrew Orr]
  940 
  941 o [NSE][GH#943] Added new SMB2/3 library and related scripts. [Paulino Calderon]
  942 
  943 o [NSE][GH#950] Added wildcard detection to dns-brute. Only hostnames that
  944   resolve to unique addresses will be listed. [Aaron Heesakkers]
  945 
  946 o [NSE] FTP scripts like ftp-anon and ftp-brute now correctly handle
  947   TLS-protected FTP services and use STARTTLS when necessary. [Daniel Miller]
  948 
  949 o [NSE][GH#936] Function url.escape no longer encodes so-called "unreserved"
  950   characters, including hyphen, period, underscore, and tilde, as per RFC 3986.
  951   [nnposter]
  952 
  953 o [NSE][GH#935] Function http.pipeline_go no longer assumes that persistent
  954   connections are supported on HTTP 1.0 target (unless the target explicitly
  955   declares otherwise), as per RFC 7230. [nnposter]
  956 
  957 o [NSE][GH#934] The HTTP response object has a new member, version, which
  958   contains the HTTP protocol version string returned by the server, e.g. "1.0".
  959   [nnposter]
  960 
  961 o [NSE][GH#938] Fix handling of the objectSID Active Directory attribute
  962   by ldap.lua. [Tom Sellers]
  963 
  964 o [NSE] Fix line endings in the list of Oracle SIDs used by oracle-sid-brute.
  965   Carriage Return characters were being sent in the connection packets, likely
  966   resulting in failure of the script. [Anant Shrivastava]
  967 
  968 o [NSE][GH#141] http-useragent-checker now checks for changes in HTTP status
  969   (usually 403 Forbidden) in addition to redirects to indicate forbidden User
  970   Agents. [Gyanendra Mishra]
  971 
  972 Nmap 7.50 [2017-06-13]
  973 
  974 o [Windows] Updated the bundled Npcap from 0.78 to 0.91, with several bugfixes
  975   for WiFi connectivity problems and stability issues. [Daniel Miller, Yang Luo]
  976 
  977 o Integrated all of your service/version detection fingerprints submitted from
  978   September to March (855 of them). The signature count went up 2.9% to 11,418.
  979   We now detect 1193 protocols from apachemq, bro, and clickhouse to jmon,
  980   slmp, and zookeeper. Highlights: http://seclists.org/nmap-dev/2017/q2/140
  981 
  982 o [NSE] Added 14 NSE scripts from 12 authors, bringing the total up to 566!
  983   They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
  984 
  985   + [GH#743] broadcast-ospf2-discover discovers OSPF 2 routers and neighbors.
  986     OSPFv2 authentication is supported. [Emiliano Ticci]
  987 
  988   + [GH#671] cics-info checks IBM TN3270 services for CICS transaction services
  989     and extracts useful information. [Soldier of Fortran]
  990 
  991   + [GH#671] cics-user-brute does brute-force enumeration of CICS usernames on
  992     IBM TN3270 services. [Soldier of Fortran]
  993 
  994   + [GH#669] http-cookie-flags checks HTTP session cookies for HTTPOnly and
  995     Secure flags. [Steve Benson]
  996 
  997   + http-security-headers checks for the HTTP response headers related to
  998     security given in OWASP Secure Headers Project, giving a brief description
  999     of the header and its configuration value. [Vinamra Bhatia, Ícaro Torres]
 1000 
 1001   + [GH#740][GH#759] http-vuln-cve2017-5638 checks for the RCE bug in Apache
 1002     Struts2. [Seth Jackson]
 1003 
 1004   + [GH#876] http-vuln-cve2017-5689 detects a privilege escalation
 1005     vulnerability (INTEL-SA-00075) in Intel Active Management Technology (AMT)
 1006     capable systems. [Andrew Orr]
 1007 
 1008   + http-vuln-cve2017-1001000 detects a privilege escalation vulnerability in
 1009     WordPress 4.7.0 and 4.7.1 (CVE-2017-1001000). [Vinamra Bhatia]
 1010 
 1011   + [GH#713] impress-remote-discover attempts to pair with the LibreOffice
 1012     Impress presentation remote service and extract version info.  Pairing is
 1013     PIN-protected, and the script can optionally brute-force the PIN.  New
 1014     service probe and match line also added. [Jeremy Hiebert]
 1015 
 1016   + [GH#854] smb-double-pulsar-backdoor detects the Shadow Brokers-leaked
 1017     Double Pulsar backdoor in Windows SMB servers. [Andrew Orr]
 1018 
 1019   + smb-vuln-cve-2017-7494 detects a remote code execution vulnerability
 1020     affecting Samba versions 3.5.0 and greater with writable shares.
 1021     [Wong Wai Tuck]
 1022 
 1023   + smb-vuln-ms17-010 detects a critical remote code execution vulnerability
 1024     affecting SMBv1 servers in Microsoft Windows systems (ms17-010).  The
 1025     script also reports patched systems. [Paulino Calderon]
 1026 
 1027   + [GH#686] tls-ticketbleed checks for the Ticketbleed vulnerability
 1028     (CVE-2016-9244) in F5 BIG-IP appliances. [Mak Kolybabi]
 1029 
 1030   + vmware-version queries VMWare SOAP API for version and product information.
 1031     Submitted in 2011, this was mistakenly turned into a service probe that was
 1032     unable to elicit any matches. [Aleksey Tyurin]
 1033 
 1034 o [Ncat] A series of changes and fixes based on feedback from the Red Hat community:
 1035 
 1036   + [GH#157] Ncat will now continue trying to connect to each resolved address
 1037     for a hostname before declaring the connection refused, allowing it to
 1038     fallback from IPv6 to IPv4 or to connect to names that use DNS failover.
 1039     [Jaromir Koncicky, Michal Hlavinka]
 1040 
 1041   + The --no-shutdown option now also works in connect mode, not only in listen mode.
 1042 
 1043   + Made -i/--idle-timeout not cause Ncat in server mode to close while
 1044     waiting for an initial connection. This was also causing -i to interfere
 1045     with the HTTP proxy server mode. [Carlos Manso, Daniel Miller]
 1046 
 1047   + [GH#773] Ncat in server mode properly handles TLS renegotiations and other
 1048     situations where SSL_read returns a non-fatal error. This was causing
 1049     SSL-over-TCP connections to be dropped. [Daniel Miller]
 1050 
 1051   + Enable --ssl-ciphers to be used with Ncat in client mode, not only in
 1052     server (listen) mode. [Daniel Miller]
 1053 
 1054 o [NSE] New fingerprints for http-enum:
 1055   - Endpoints for Spring MVC and Boot Actuator [Paulino Calderon]
 1056   - [GH#620][GH#715] 8 fingerprints for Hadoop infrastructure components
 1057     [Thomas Debize, Varunram Ganesh]
 1058 
 1059 o [NSE][GH#266][GH#704][GH#238][GH#883] NSE libraries smb and msrpc now use
 1060   fully qualified paths. SMB scripts now work against all modern versions
 1061   of Microsoft Windows. [Paulino Calderon]
 1062 
 1063 o [NSE] smb library's share_get_list now properly uses anonymous connections
 1064   first before falling back to authenticating as a known user.
 1065 
 1066 o New service probes and matches for Apache HBase and Hadoop MapReduce.
 1067   [Paulino Calderon]
 1068 
 1069 o Extended Memcached service probe and added match for Apache ZooKeeper.
 1070   [Paulino Calderon]
 1071 
 1072 o [NSE] New script argument "vulns.short" will reduce vulns library script
 1073   output to a single line containing the target name or IP, the vulnerability
 1074   state, and the CVE ID or title of the vulnerability. [Daniel Miller]
 1075 
 1076 o [NSE][GH#862] SNMP scripts will now take a community string provided like
 1077   `--script-args creds.snmp=private`, which previously did not work because it
 1078   was interpreted as a username. [Daniel Miller]
 1079 
 1080 o [NSE] Resolved several issues in the default HTTP redirect rules:
 1081   - [GH#826] A redirect is now cancelled if the original URL contains
 1082     embedded credentials
 1083   - [GH#829] A redirect test is now more careful in determining whether
 1084     a redirect destination is related to the original host
 1085   - [GH#830] A redirect is now more strict in avoiding possible redirect
 1086     loops
 1087   [nnposter]
 1088 
 1089 o [NSE][GH#766] The HTTP Host header will now include the port unless it is
 1090   the default one for a given scheme. [nnposter]
 1091 
 1092 o [NSE] The HTTP response object has a new member, fragment, which contains
 1093   a partially received body (if any) when the overall request fails to
 1094   complete. [nnposter]
 1095 
 1096 o [NSE][GH#866] NSE now allows cookies to have arbitrary attributes, which
 1097   are silently ignored (in accordance with RFC 6265). Unrecognized attributes
 1098   were previously causing HTTP requests with such cookies to fail. [nnposter]
 1099 
 1100 o [NSE][GH#844] NSE now correctly parses a Set-Cookie header that has unquoted
 1101   whitespace in the cookie value (which is allowed per RFC 6265). [nnposter]
 1102 
 1103 o [NSE][GH#731] NSE is now able to process HTTP responses with a Set-Cookie
 1104   header that has an extraneous trailing semicolon. [nnposter]
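
A Set-Cookie parser written as an added example (not Nmap's http.lua) that applies the RFC 6265 tolerances listed in the three entries above and in the 7.70 entry for [GH#1169] through [GH#1198] earlier in this file: empty attributes and a trailing semicolon are skipped, double quotes and unquoted whitespace in values are kept literally, value-less and empty-valued attributes parse the same, attributes named "name" or "value" are dropped, and unknown attributes are accepted without error. The missing_flags helper and all sample headers are constructed for illustration.

```python
"""Added example, not Nmap's http.lua: a Set-Cookie parser applying the
RFC 6265 tolerances described in this changelog.  Sample headers are
constructed for illustration."""


def parse_set_cookie(header):
    """Parse one Set-Cookie header value into {"name", "value", "attrs"}.

    Returns None when the header has no name=value pair (RFC 6265 section
    5.2 says such a header is ignored, not treated as an error).
    """
    pair, _, rest = header.partition(";")
    if "=" not in pair:
        return None
    name, _, value = pair.partition("=")
    name, value = name.strip(), value.strip()   # unquoted inner whitespace stays
    if not name:
        return None
    # Double quotes are kept literally; they are not unwrapped or validated.
    cookie = {"name": name, "value": value, "attrs": {}}
    for av in rest.split(";"):
        av = av.strip()
        if not av:                      # empty attribute ("a=b;;c") or trailing ";"
            continue
        aname, _, aval = av.partition("=")
        aname, aval = aname.strip().lower(), aval.strip()
        if not aname or aname in ("name", "value"):
            continue                    # would clash with the cookie's own fields
        # "Secure" and "Secure=" both land here with aval == "" (parsed equally);
        # unknown attributes are stored rather than rejected.
        cookie["attrs"][aname] = aval
    return cookie


def missing_flags(cookie):
    """Constructed helper: which of Secure/HttpOnly a parsed cookie lacks."""
    return [f for f in ("secure", "httponly") if f not in cookie["attrs"]]


# Constructed sample headers, one per tolerance listed in the changelog.
SAMPLES = [
    "SID=31d4d96e407aad42; Path=/; Secure; HttpOnly",
    'token="abc=123"; name=evil; value=x; Path=/;; Secure=',
    "pref=dark mode; Domain=example.com; X-Custom=whatever;",
    "no-pair-here",
]

if __name__ == "__main__":
    for h in SAMPLES:
        c = parse_set_cookie(h)
        print(h, "->", c and (c["name"], c["value"], sorted(c["attrs"]), missing_flags(c)))
```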
 1105 
 1106 o [NSE][GH#708] TLS SNI now works correctly for NSE HTTP requests initiated
 1107   with option any_af. As an added benefit, option any_af is now available for
 1108   all connections via comm.lua, not just HTTP requests. [nnposter]
 1109 
 1110 o [NSE][GH#781] There is a new common function, url.get_default_port(),
 1111   to obtain the default port number for a given scheme. [nnposter]
 1112 
 1113 o [NSE][GH#833] Function url.parse() now returns the port part as a number,
 1114   not a string. [nnposter]
 1115 
 1116 o No longer allow ICMP Time Exceeded messages to mark a host as down during
 1117   host discovery. Running traceroute at the same time as Nmap was causing
 1118   interference. [David Fifield]
 1119 
 1120 o [NSE][GH#807] Fixed a JSON library issue that was causing long integers
 1121   to be expressed in the scientific/exponent notation. [nnposter]
 1122 
 1123 o [NSE] Fixed several potential hangs in NSE scripts that used
 1124   receive_buf(pattern), which will not return if the service continues to send
 1125   data that does not match pattern. A new function in match.lua, pattern_limit,
 1126   is introduced to limit the number of bytes consumed while searching for the
 1127   pattern. [Daniel Miller, Jacek Wielemborek]
 1128 
 1129 o [Nsock] Handle any and all socket connect errors the same: raise as an Nsock
 1130   error instead of fatal. This prevents Nmap and Ncat from quitting with
 1131   "Strange error from connect:" [Daniel Miller]
 1132 
 1133 o [NSE] Added several commands to redis-info to extract listening addresses,
 1134   connected clients, active channels, and cluster nodes. [Vasiliy Kulikov]
 1135 
 1136 o [NSE][GH#679][GH#681] Refreshed script http-robtex-reverse-ip, reflecting
 1137   changes at the source site (www.robtex.com). [aDoN]
 1138 
 1139 o [NSE][GH#629] Added two new fingerprints to http-default-accounts
 1140   (APC Management Card, older NetScreen ScreenOS) [Steve Benson, nnposter]
 1141 
 1142 o [NSE][GH#716] Fix for oracle-tns-version which was sending an invalid TNS
 1143   probe due to a string escaping mixup. [Alexandr Savca]
 1144 
 1145 o [NSE][GH#694] ike-version now outputs information about supported attributes
 1146   and unknown vendor ids. Also, a new fingerprint for FortiGate VPNs was
 1147   submitted by Alexis La Goutte. [Daniel Miller]
 1148 
 1149 o [GH#700] Enabled support for TLS SNI on the Windows platform. [nnposter]
 1150 
 1151 o [GH#649] New service probe and match lines for the JMON and RSE services of
 1152   IBM Explorer for z/OS. [Soldier of Fortran]
 1153 
 1154 o Removed a duplicate service probe for Memcached added in 2011 (the original
 1155   probe was added in 2008) and reported as duplicate in 2013 by Pavel Kankovsky.
 1156 
 1157 o New service probe and match line for NoMachine NX Server remote desktop.
 1158   [Justin Cacak]
 1159 
 1160 o [Zenmap] Fixed a recurring installation problem on OS X/macOS where Zenmap
 1161   was installed to /Applications/Applications/Zenmap.app instead of
 1162   /Applications/Zenmap.app.
 1163 
 1164 o [Zenmap][GH#639] Zenmap will no longer crash when no suitable temporary
 1165   directory is found. Patches contributed by [Varunram Ganesh] and [Sai Sundhar]
 1166 
 1167 o [Zenmap][GH#626] Zenmap now properly handles the -v0 (no output) option,
 1168   which was added in Nmap 7.10. Previously, this was treated the same as not
 1169   specifying -v at all. [lymanZerga11]
 1170 
 1171 o [GH#630] Updated or removed some OpenSSL library calls that were deprecated
 1172   in OpenSSL 1.1. [eroen]
 1173 
 1174 o [NSE] Script ssh-hostkey now recognizes and reports Ed25519 keys. [nnposter]
 1175 
 1176 o [NSE][GH#627] Fixed script hang in several brute scripts due to the "threads"
 1177   script-arg not being converted to a number. Error message was
 1178   "nselib/brute.lua:1188: attempt to compare number with string" [Arne Beer]
 1179 
 1180 Nmap 7.40 [2016-12-20]
 1181 
 1182 o [Windows] Updated the bundled Npcap from 0.10r9 to 0.78r5, with an
 1183   improved installer experience, driver signing updates to work with
 1184   Windows 10 build 1607, and bugfixes for WiFi connectivity
 1185   problems. [Yang Luo, Daniel Miller]
 1186 
 1187 o Integrated all of your IPv4 OS fingerprint submissions from April to
 1188   September (568 of them). Added 149 fingerprints, bringing the new total to
 1189   5,336. Additions include Linux 4.6, macOS 10.12 Sierra, NetBSD 7.0, and more.
 1190   Highlights: http://seclists.org/nmap-dev/2016/q4/110 [Daniel Miller]
 1191 
 1192 o Integrated all of your service/version detection fingerprints submitted from
 1193   April to September (779 of them). The signature count went up 3.1% to 11,095.
 1194   We now detect 1161 protocols, from airserv-ng, domaintime, and mep to
 1195   nutcracker, rhpp, and usher. Highlights: http://seclists.org/nmap-dev/2016/q4/115
 1196   [Daniel Miller]
 1197 
 1198 o Fix reverse DNS on Windows which was failing with the message "mass_dns:
 1199   warning: Unable to determine any DNS servers." This was because the interface
 1200   GUID comparison needed to be case-insensitive. [Robert Croteau]
 1201 
 1202 o [NSE] Added 12 NSE scripts from 4 authors, bringing the total up to 552!
 1203   They are all listed at https://nmap.org/nsedoc/, and the summaries are below:
 1204 
 1205   + cics-enum enumerates CICS transaction IDs, mapping to screens in TN3270
 1206     services. [Soldier of Fortran]
 1207 
 1208   + cics-user-enum brute-forces usernames for CICS users on TN3270 services.
 1209     [Soldier of Fortran]
 1210 
 1211   + fingerprint-strings will print the ASCII strings it finds in the service
 1212     fingerprints that Nmap shows for unidentified services. [Daniel Miller]
 1213 
 1214   + [GH#606] ip-geolocation-map-bing renders IP geolocation data as an image
 1215     via Bing Maps API. [Mak Kolybabi]
 1216 
 1217   + [GH#606] ip-geolocation-map-google renders IP geolocation data as an image
 1218     via Google Maps API. [Mak Kolybabi]
 1219 
 1220   + [GH#606] ip-geolocation-map-kml records IP geolocation data in a KML file
 1221     for import into other mapping software [Mak Kolybabi]
 1222 
 1223   + nje-pass-brute brute-forces the password to a NJE node, given a valid RHOST
 1224     and OHOST. Helpfully, nje-node-brute can now brute force both of those
 1225     values. [Soldier of Fortran]
 1226 
 1227   + [GH#557] ssl-cert-intaddr will search for private IP addresses in TLS
 1228     certificate fields and extensions. [Steve Benson]
 1229 
 1230   + tn3270-screen shows the login screen from mainframe TN3270 Telnet services,
 1231     including any hidden fields. The script is accompanied by the new tn3270
 1232     library. [Soldier of Fortran]
 1233 
 1234   + tso-enum enumerates usernames for TN3270 Telnet services. [Soldier of Fortran]
 1235 
 1236   + tso-brute brute-forces passwords for TN3270 Telnet services. [Soldier of Fortran]
 1237 
 1238   + vtam-enum brute-forces VTAM application IDs for TN3270 services.
 1239     [Soldier of Fortran]
 1240 
 1241 o [NSE][GH#518] Brute scripts are faster and more accurate. New feedback and
 1242   adaptivity mechanisms in brute.lua help brute scripts use resources more
 1243   efficiently, dynamically changing number of threads based on protocol
 1244   messages like FTP 421 errors, network errors like timeouts, etc.
 1245   [Sergey Khegay]
 1246 
 1247 o [GH#353] New option --defeat-icmp-ratelimit dramatically reduces UDP scan
 1248   times in exchange for labeling unresponsive (and possibly open) ports as
 1249   "closed|filtered". Ports which give a UDP protocol response to one of Nmap's
 1250   scanning payloads will be marked "open". [Sergey Khegay]
 1251 
 1252 o [NSE][GH#533] Removed ssl-google-cert-catalog, since Google shut off that
 1253   service at some point. Reported by Brian Morin.
 1254 
 1255 o [NSE][GH#606] New NSE library, geoip.lua, provides a common framework for
 1256   storing and retrieving IP geolocation results. [Mak Kolybabi]
 1257 
 1258 o [Ncat] Restore the connection success message that Ncat prints with -v. This
 1259   was accidentally suppressed when not using -z.
 1260 
 1261 o [GH#316] Added scan resume from Nmap's XML output. Now you can --resume a
 1262   canceled scan from all 3 major output formats: -oN, -oG, and -oX.
 1263   [Tudor Emil Coman]
 1264 
 1265 o [Ndiff][GH#591] Fix a bug where hosts with the same IP but different
 1266   hostnames were shown as changing hostnames between scans. Made sort stable
 1267   with regard to hostnames. [Daniel Miller]
 1268 
 1269 o [NSE][GH#540] Add tls.servername script-arg for forcing a name to be used for
 1270   TLS Server Name Indication extension. The argument overrides the default use
 1271   of the host's targetname. [Bertrand Bonnefoy-Claudet]
 1272 
 1273 o [GH#505] Updated Russian translation of Zenmap by Alexander Kozlov.
 1274 
 1275 o [NSE][GH#588] Fix a crash in smb.lua when using smb-ls due to a
 1276   floating-point number being passed to os.time ("bad argument").
 1277   [Dallas Winger]
 1278 
 1279 o [NSE][GH#596] Fix a bug in mysql.lua that caused authentication failures in
 1280   mysql-brute and other scripts due to including a null terminator in the salt
 1281   value. This bug affects Nmap 7.25BETA2 and later releases.  [Daniel Miller]
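
Added example (not Nmap's mysql.lua) showing why that one extra byte breaks authentication: the mysql_native_password scramble is SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw))), so a salt that still carries the greeting's trailing NUL yields a response the server cannot verify. The 21-byte handshake data and the password are constructed.

```python
import hashlib

def _sha1(data: bytes) -> bytes:
    return hashlib.sha1(data).digest()

def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))

def salt_from_handshake(auth_data: bytes) -> bytes:
    """The server greeting carries 20 bytes of auth-plugin data followed by
    a NUL terminator. Only the first 20 bytes are salt; passing all 21 to
    the scramble is the bug described in the entry above."""
    return auth_data[:20]

def native_password_response(password: str, salt: bytes) -> bytes:
    """Client side of mysql_native_password:
    SHA1(pw) XOR SHA1(salt + SHA1(SHA1(pw)))."""
    stage1 = _sha1(password.encode())
    stage2 = _sha1(stage1)
    return _xor(stage1, _sha1(salt + stage2))

def server_verify(response: bytes, salt: bytes, stored_stage2: bytes) -> bool:
    """Server side: it stores SHA1(SHA1(pw)), recovers SHA1(pw) from the
    response and checks that hashing it once more gives the stored value."""
    stage1 = _xor(response, _sha1(salt + stored_stage2))
    return _sha1(stage1) == stored_stage2

# Constructed 21-byte auth-plugin-data as the greeting lays it out:
# 20 salt bytes followed by the NUL terminator.
HANDSHAKE_AUTH_DATA = b"ABCDEFGHIJKLMNOPQRST" + b"\x00"
PASSWORD = "s3cret"                      # constructed
STORED = _sha1(_sha1(PASSWORD.encode()))  # what the server keeps

def demo():
    """Return (verdict with correct 20-byte salt, verdict with NUL included)."""
    salt = salt_from_handshake(HANDSHAKE_AUTH_DATA)
    good = native_password_response(PASSWORD, salt)
    buggy = native_password_response(PASSWORD, HANDSHAKE_AUTH_DATA)  # 21 bytes
    return server_verify(good, salt, STORED), server_verify(buggy, salt, STORED)

if __name__ == "__main__":
    print("correct salt accepted: %s, NUL-terminated salt accepted: %s" % demo())
```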
 1282 
 1283 o The --open option now implies --defeat-rst-ratelimit. This may result in
 1284   inaccuracies in the numbers of "Not shown:" closed and filtered ports, but
 1285   only in situations where it also speeds up scan times. [Daniel Miller]
 1286 
 1287 o [NSE] Added known Diffie-Hellman parameters for haproxy, postfix, and
 1288   IronPort to ssl-dh-params. [Frank Bergmann]
 1289 
 1290 o Added service probe for ClamAV servers (clam),
 1291   an open source antivirus engine used in mail scanning. [Paulino Calderon]
 1292 
 1293 o Added service probe and UDP payload for Quick UDP Internet Connection (QUIC),
 1294   a secure transport developed by Google and used with HTTP/2. [Daniel Miller]
 1295 
 1296 o [NSE] Enabled resolveall to run against any target provided as a hostname, so
 1297   the resolveall.hosts script-arg is no longer required. [Daniel Miller]
 1298 
 1299 o [NSE] Revised script http-default-accounts in several ways [nnposter]:
 1300   - Added 21 new fingerprints, plus broadened 5 to cover more variants.
  1301   - [GH#577] It can now test systems that return status 200 for
 1302     non-existent pages.
 1303   - [GH#604] Implemented XML output. Layout of the classic text output has also
 1304     changed, including reporting blank usernames or passwords as "<blank>",
 1305     instead of just empty strings.
 1306   - Added CPE entries to individual fingerprints (where known). They are
 1307     reported only in the XML output.
 1308 
 1309 o [NSE][GH#573] Updated http.lua to allow processing of HTTP responses with
 1310   malformed header names. Such header lines are still captured in the rawheader
 1311   list but skipped otherwise. [nnposter]
 1312 
 1313 o [GH#416] New service probe and match line for iperf3. [Eric Gershman]
 1314 
 1315 o [NSE][GH#555] Add Drupal to the set of web apps brute forced by
 1316   http-form-brute. [Nima Ghotbi]
 1317 
 1318 Nmap 7.31 [2016-10-20]
 1319 
 1320 o [Windows] Updated the bundled Npcap from 0.10r2 to 0.10r9, bringing
 1321   increased stability, bug fixes, and raw 802.11 WiFi capture (unused
 1322   by Nmap). Further details on these changes can be found at
 1323   https://github.com/nmap/npcap/releases. [Yang Luo]
 1324 
 1325 o Fixed the way Nmap handles scanning names that resolve to the same IP. Due to
 1326   changes in 7.30, the IP was only being scanned once, with bogus results
 1327   displayed for the other names. The previous behavior is now restored.
 1328   [Tudor Emil Coman]
 1329 
 1330 o [Nping][GH#559] Fix Nping's ability to use Npcap on Windows. A privilege
 1331   check was performed too late, so the Npcap loading code assumed the user had no
 1332   rights. [Yang Luo, Daniel Miller]
 1333 
 1334 o [GH#350] Fix an assertion failure due to floating point error in equality
 1335   comparison, which triggered mainly on OpenBSD:
 1336     assertion "diff <= interval" failed: file "timing.cc", line 440
 1337   This was reported earlier as [GH#472] but the assertion fixed there was a
 1338   different one. [David Carlier]
 1339 
 1340 o [Zenmap] Fix a crash in the About page in the Spanish translation due to a
 1341   missing format specifier:
 1342     File "zenmapGUI\About.pyo", line 217, in __init__
 1343     TypeError: not all arguments converted during string formatting
 1344   [Daniel Miller]
 1345 
 1346 o [Zenmap][GH#556] Better visual indication that display of hostname is tied to
 1347   address in the Topology page. You can show numeric addresses with hostnames
 1348   or without, but you can't show hostnames without numeric addresses when they
 1349   are not available. [Daniel Miller]
 1350 
 1351 o To increase the number of IPv6 fingerprint submissions, a prompt for
 1352   submission will be shown with some random chance for successful matches of OS
 1353   classes that are based on only a few submissions. Previously, only
 1354   unsuccessful matches produced such a prompt. [Daniel Miller]
 1355 
 1356 Nmap 7.30 [2016-09-29]
 1357 
 1358 o Integrated all 12 of your IPv6 OS fingerprint submissions from June to
 1359   September. No new groups, but several classifications were strengthened,
 1360   especially Windows localhost and OS X. [Daniel Miller]
 1361 
 1362 o [NSE] Added 7 NSE scripts, from 3 authors, bringing the total up to 541!
 1363   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 1364   (authors are listed in brackets):
 1365 
 1366   + [GH#369] coap-resources grabs the list of available resources from CoAP
 1367     endpoints. [Mak Kolybabi]
 1368 
 1369   + fox-info retrieves detailed version and configuration info from Tridium
 1370     Niagara Fox services. [Stephen Hilt]
 1371 
 1372   + ipmi-brute performs authentication brute-forcing on IPMI services.
 1373     [Claudiu Perta]
 1374 
 1375   + ipmi-cipher-zero checks IPMI services for Cipher Zero support, which allows
 1376     connection without a password. [Claudiu Perta]
 1377 
 1378   + ipmi-version retrieves protocol version and authentication options from
 1379     ASF-RMCP (IPMI) services. [Claudiu Perta]
 1380 
 1381   + [GH#352] mqtt-subscribe connects to a MQTT broker, subscribes to topics,
 1382     and lists the messages received. [Mak Kolybabi]
 1383 
 1384   + pcworx-info retrieves PLC model, firmware version, and date from Phoenix
 1385     Contact PLCs. [Stephen Hilt]
 1386 
  1387 o Upgraded Npcap, our new Windows packet capturing driver/library,
  1388   from version 0.09 to 0.10r2. This includes many bug fixes, with a
  1389   particular emphasis on concurrency issues discovered by running
 1390   hundreds of Nmap instances at a time. More details are available
 1391   from https://github.com/nmap/npcap/releases. [Yang Luo, Daniel
 1392   Miller, Fyodor]
 1393 
 1394 o New service probes and match lines for DTLS, IPMI-RMCP, MQTT, PCWorx,
  1395   ProConOS, and Tridium Fox. [Stephen Hilt, Mak Kolybabi, Daniel Miller]
 1396 
 1397 o Improved some output filtering to remove or escape carriage returns ('\r')
 1398   that could allow output spoofing by overwriting portions of the screen. Issue
 1399   reported by Adam Rutherford. [Daniel Miller]
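
As an added illustration of the output-spoofing risk this entry fixes (example code, not Nmap's own), the following Python shows how a carriage return inside a service banner overwrites earlier terminal output, and how escaping control characters before printing prevents it. The banner is constructed.

```python
import re

# Control characters that can rewrite what is already on the terminal:
# \r returns the cursor to column 0 so later bytes overwrite earlier output,
# and ESC (0x1b) introduces terminal control sequences. \n and \t are kept.
_CONTROL = re.compile(r"[\x00-\x08\x0b-\x1f\x7f]")

def escape_banner(raw: bytes) -> str:
    """Render untrusted service output so it cannot spoof the display.

    Bytes are decoded as Latin-1 (one byte -> one code point, never fails)
    and every control character except \\n and \\t is shown as \\xNN, so the
    reader sees the \\r instead of having the line overwritten."""
    text = raw.decode("latin-1")
    return _CONTROL.sub(lambda m: "\\x%02x" % ord(m.group(0)), text)

def render_terminal(raw: bytes) -> str:
    """Simulate a naive printer: \\r resets the column, so bytes after it
    overwrite the start of the line. Only the first line is rendered; this
    is a demonstration of the effect, not a terminal emulator."""
    line, col = [], 0
    for ch in raw.decode("latin-1"):
        if ch == "\r":
            col = 0
        elif ch == "\n":
            break
        else:
            if col < len(line):
                line[col] = ch
            else:
                line.append(ch)
            col += 1
    return "".join(line)

# Constructed banner: after the real text, a \r lets the service replace the
# whole line with something that looks like a different, benign port entry.
SPOOF_BANNER = b"220 evil-ftp ready\r22/tcp open  ssh     OpenSSH\n"

if __name__ == "__main__":
    print("naive:  ", render_terminal(SPOOF_BANNER))
    print("escaped:", escape_banner(SPOOF_BANNER))
```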
 1400 
 1401 o [NSE] Fixed a few bad Lua patterns that could result in denial of service due
 1402   to excessive backtracking. [Adam Rutherford, Daniel Miller]
 1403 
 1404 o Fixed a discrepancy between the number of targets selected with -iR and the
 1405   number of hosts scanned, resulting in output like "Nmap done: 1033 IP
 1406   addresses" when the user specified -iR 1000. [Daniel Miller]
 1407 
 1408 o Fixed a bug in port specification parsing that could cause extraneous
 1409   'T', 'U', 'S', and 'P' characters to be ignored when they should have
 1410   caused an error. [David Fifield]
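
Added example, not Nmap's own parser: a strict Python port-specification parser in which stray protocol letters are errors rather than being silently ignored. It covers numeric ports and ranges with T:/U:/S:/P: prefixes only, not service names or the bracket syntax.

```python
import re

PROTO_PREFIXES = {"T": "tcp", "U": "udp", "S": "sctp", "P": "ip-protocol"}

# One comma-separated item: optional protocol prefix, then a single number
# or a range whose ends may be omitted ("-" alone means everything).
_ITEM = re.compile(r"^(?:([TUSP]):)?(?:(\d+)|(\d*)-(\d*))$")

def parse_portspec(spec: str, default_proto: str = "T") -> dict:
    """Parse an Nmap -p style specification into per-protocol sets.

    A T:/U:/S:/P: prefix applies to every following item until changed.
    Anything that is not a number, a range or a prefix raises ValueError,
    so an extraneous 'T', 'U', 'S' or 'P' is reported, not skipped."""
    result = {name: set() for name in PROTO_PREFIXES.values()}
    proto = default_proto
    for item in spec.split(","):
        item = item.strip()
        if not item:
            raise ValueError("empty item in port specification")
        m = _ITEM.match(item)
        if not m:
            raise ValueError("invalid port specification item: %r" % item)
        prefix, single, lo, hi = m.groups()
        if prefix:
            proto = prefix
        # IP protocol numbers are 8-bit; port numbers are 16-bit.
        limit = 255 if proto == "P" else 65535
        if single is not None:
            lo_n = hi_n = int(single)
        else:
            lo_n = int(lo) if lo else 1
            hi_n = int(hi) if hi else limit
        if not 0 <= lo_n <= hi_n <= limit:
            raise ValueError("range out of bounds: %r" % item)
        result[PROTO_PREFIXES[proto]].update(range(lo_n, hi_n + 1))
    return result

def is_valid_portspec(spec: str) -> bool:
    try:
        parse_portspec(spec)
        return True
    except ValueError:
        return False

if __name__ == "__main__":
    for spec in ("T:21-25,80,U:53,S:9", "T:22T,80", "22,U"):
        print("%-22s %s" % (spec, "ok" if is_valid_portspec(spec) else "error"))
```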
 1411 
 1412 o [GH#543] Restored compatibility with LibreSSL, which was lost in adding
 1413   library version checks for OpenSSL 1.1. [Wonko7]
 1414 
 1415 o [Zenmap] Fixed a bug in the Compare Scans window of Zenmap on OS X resulting
 1416   in this message instead of Ndiff output:
 1417     ImportError: dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so, 2): no suitable image found.  Did find:
 1418     /Applications/Zenmap.app/Contents/Resources/lib/python2.7/lib-dynload/datetime.so: mach-o, but wrong architecture
 1419   Reported by Kyle Gustafson. [Daniel Miller]
 1420 
 1421 o [NSE] Fixed a bug in ssl-enum-ciphers and ssl-dh-params which caused them to
 1422   not output TLSv1.2 info with DHE ciphersuites or others involving
 1423   ServerKeyExchange messages. [Daniel Miller]
 1424 
 1425 o [NSE] Added X509v3 extension parsing to NSE's sslcert code. ssl-cert now
 1426   shows the Subject Alternative Name extension; all extensions are shown in the
 1427   XML output. [Daniel Miller]
 1428 
 1429 Nmap 7.25BETA2 [2016-09-01]
 1430 
 1431 o [GH#376] Windows binaries are now code-signed with our "Insecure.Com LLC"
 1432   SHA256 certificate. This should give our users extra peace-of-mind and avoid
 1433   triggering Microsoft's ever-increasing security warnings.
 1434 
 1435 o [NSE] Upgraded NSE to Lua 5.3, adding bitwise operators, integer data type, a
 1436   utf8 library, and native binary packing and unpacking functions. Removed bit
 1437   library, added bits.lua, replaced base32, base64, and bin libraries. [Patrick
 1438   Donnelly]
 1439 
 1440 o [NSE] Added 2 NSE scripts, bringing the total up to 534!  They are both listed
 1441   at https://nmap.org/nsedoc/, and the summaries are below:
 1442 
 1443   + oracle-tns-version decodes the version number from Oracle Database Server's
 1444     TNS listener. [Daniel Miller]
 1445 
 1446   + clock-skew analyzes and reports clock skew between Nmap and services that
 1447     report timestamps, grouping hosts with similar skews. [Daniel Miller]
 1448 
 1449 o Integrated all of your service/version detection fingerprints submitted from
 1450   January to April (578 of them). The signature count went up 2.2% to 10760.
 1451   We now detect 1122 protocols, from elasticsearch, fhem, and goldengate to
 1452   ptcp, resin-watchdog, and siemens-logo. [Daniel Miller]
 1453 
 1454 o Upgraded Npcap, our new Windows packet capturing driver/library,
 1455   from version 0.07-r17 to 0.09. This includes many improvements you can
 1456   read about at https://github.com/nmap/npcap/releases.
 1457 
 1458 o [Nsock][GH#148] Added the new IOCP Nsock engine which uses the Windows
 1459   Overlapped I/O API to improve performance of version scan and NSE against
 1460   many targets on Windows. [Tudor Emil Coman]
 1461 
 1466 o Various performance improvements for large-scale high-rate scanning,
 1467   including increased ping host groups, faster probe matching, and ensuring
 1468   data types can handle an Internet's-worth of targets. [Tudor Emil Coman]
 1469 
 1470 o [NSE] Added the oracle-tns-version NSE script which decodes the version
 1471   number from Oracle Database Server's TNS
 1472   listener. https://nmap.org/nsedoc/scripts/oracle-tns-version.html [Daniel
 1473   Miller]
 1474 
 1475 o [NSE] Added the clock-skew NSE script which analyzes and reports clock skew
 1476   between Nmap and services that report timestamps, grouping hosts with
 1477   similar skews. https://nmap.org/nsedoc/scripts/clock-skew.html [Daniel
 1478   Miller]
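
Added example, not the clock-skew script itself, for the two clock-skew entries in this release: each host's skew is derived from the timestamp its service reported, and hosts whose skews lie within a tolerance are grouped together. The observations are constructed and the 5-second tolerance is an assumption.

```python
from datetime import datetime, timedelta, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List

def clock_skew(reported: datetime, received_at: datetime) -> timedelta:
    """Skew of a remote clock: the time the service claimed, minus the
    scanner's own clock at the moment the reply arrived."""
    return reported - received_at

def group_by_skew(skews: Dict[str, timedelta],
                  tolerance: timedelta) -> List[List[str]]:
    """Sort hosts by skew and open a new group whenever the gap to the
    previous host exceeds `tolerance`. Hosts that disagree with our clock
    by the same amount often share one clock, e.g. several addresses on
    one machine."""
    ordered = sorted(skews.items(), key=lambda kv: kv[1])
    groups: List[List[str]] = []
    last = None
    for host, skew in ordered:
        if last is None or skew - last > tolerance:
            groups.append([host])
        else:
            groups[-1].append(host)
        last = skew
    return groups

# Constructed observations: our clock when the replies arrived, and the
# timestamp each service reported (one given as a raw HTTP Date header).
RECEIVED_AT = datetime(2016, 9, 1, 12, 0, 0, tzinfo=timezone.utc)
REPORTED = {
    "10.0.0.1": parsedate_to_datetime("Thu, 01 Sep 2016 12:00:03 GMT"),
    "10.0.0.2": RECEIVED_AT + timedelta(seconds=4),
    "10.0.0.3": RECEIVED_AT - timedelta(hours=1, seconds=2),
    "10.0.0.4": RECEIVED_AT - timedelta(hours=1),
    "10.0.0.5": RECEIVED_AT + timedelta(days=400),  # badly wrong clock
}

def demo(tolerance: timedelta = timedelta(seconds=5)) -> List[List[str]]:
    skews = {h: clock_skew(t, RECEIVED_AT) for h, t in REPORTED.items()}
    return group_by_skew(skews, tolerance)

if __name__ == "__main__":
    for group in demo():
        print(", ".join(group))
```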
 1479 
 1480 o [Zenmap] Long-overdue Spanish language translation has been added! Muy bien!
 1481   [Vincent Dumont, Marta Garcia De La Paz, Paulino Calderon, Patricio Castagnaro]
 1482 
 1483 o [Zenmap][GH#449] Fix a crash when closing Zenmap due to a read-only
 1484   zenmap.conf. User will be warned that config cannot be saved and that they
 1485   should fix the file permissions. [Daniel Miller]
 1486 
 1487 o [NSE] Fix a crash when parsing TLS certificates that OpenSSL doesn't support,
 1488   like DH certificates or corrupted certs. When this happens, ssl-enum-ciphers
 1489   will label the ciphersuite strength as "unknown." Reported by Bertrand
 1490   Bonnefoy-Claudet. [Daniel Miller]
 1491 
 1492 o [NSE][GH#531] Fix two issues in sslcert.lua that prevented correct operations
 1493   against LDAP services when version detection or STARTTLS were used.
 1494   [Tom Sellers]
 1495 
 1496 o [GH#426] Remove a workaround for lack of selectable pcap file descriptors on
 1497   Windows, which required including pcap-int.h and locking us to a single
 1498   version of libpcap. The new method, using WaitForSingleObject should work
 1499   with all versions of both WinPcap and Npcap. [Daniel Miller]
 1500 
 1501 o [NSE][GH#234] Added a --script-timeout option for limiting run time for
 1502   every individual NSE script. [Abhishek Singh]
 1503 
 1504 o [Ncat][GH#444] Added a -z option to Ncat. Just like the -z option in
 1505   traditional netcat, it can be used to quickly check the status of a
 1506   port. Port ranges are not supported since we recommend a certain other tool
 1507   for port scanning. [Abhishek Singh]
 1508 
 1509 o Fix checking of Npcap/WinPcap presence on Windows so that "nmap -A" and
 1510   "nmap" with no options result in the same behaviors as on Linux (and no
 1511   crashes) [Daniel Miller]
 1512 
 1513 o [NSE] ssl-enum-ciphers will now warn about 64-bit block ciphers in CBC mode,
 1514   which are vulnerable to the SWEET32 attack.
 1515 
 1516 o [NSE][GH#117] tftp-enum now only brute-forces IP-address-based Cisco filenames when
 1517   the wordlist contains "{cisco}". Previously, custom wordlists would still end
 1518   up sending these extra 256 requests. [Sriram Raghunathan]
 1519 
 1520 o [GH#472] Avoid an unnecessary assert failure in timing.cc when printing estimated
 1521   completion time. Instead, we'll output a diagnostic error message:
 1522     Timing error: localtime(n) is NULL
 1523   where "n" is some number that is causing problems. [Jean-Guilhem Nousse]
 1524 
 1525 o [NSE][GH#519] Removed the obsolete script ip-geolocation-geobytes. [Paulino Calderon]
 1526 
 1527 o [NSE] Added 9 new fingerprints for script http-default-accounts.
 1528   (Motorola AP, Lantronix print server, Dell iDRAC6, HP StorageWorks, Zabbix,
 1529   Schneider controller, Xerox printer, Citrix NetScaler, ESXi hypervisor)
 1530   [nnposter]
 1531 
 1532 o [NSE] Completed a refresh and validation of almost all fingerprints for
 1533   script http-default-accounts. Also improved the script speed. [nnposter]
 1534 
 1535 o [GH#98] Added support for decoys in IPv6. Earlier we supported decoys only in
 1536   IPv4. [Abhishek Singh]
 1537 
 1542 o [GH#484] Allow Nmap to compile on some older Red Hat distros that disable EC
 1543   crypto support in OpenSSL. [Jeroen Roovers, Vincent Dumont]
 1544 
 1545 o [GH#439] Nmap now supports OpenSSL 1.1.0-pre5 and previous versions. [Vincent Dumont]
 1546 
 1547 o [Ncat] Fix a crash ("add_fdinfo() failed.") when --exec was used with --ssl
 1548   and --max-conns, due to improper accounting of file descriptors. [Daniel
 1549   Miller]
 1550 
 1551 o FTP Bounce scan: improved some edge cases like anonymous login without
 1552   password, 500 errors used to indicate port closed, and timeouts for LIST
 1553   command. Also fixed a 1-byte array overrun (read) when checking for
 1554   privileged ports. [Daniel Miller]
 1555 
 1556 o [GH#140] Allow target DNS names up to 254 bytes. We previously imposed an
 1557   incorrect limit of 64 bytes in several parts of Nmap. [Vincent Dumont]
 1558 
 1559 o [NSE] The hard limit on number of concurrently running scripts can now
 1560   increase above 1000 to match a high user-set --min-parallelism value. [Tudor
 1561   Emil Coman]
 1562 
 1563 o [NSE] Solved a memory corruption issue that would happen if a socket connect
 1564   operation produced an error immediately, such as Network Unreachable. The
 1565   event handler was throwing a Lua error, preventing Nsock from cleaning up
 1566   properly, leaking events. [Abhishek Singh, Daniel Miller]
 1567 
 1568 o [NSE] Added the datetime library for performing date and time calculations,
 1569   and as a helper to the clock-skew script.
 1570 
 1571 o [GH#103][GH#364] Made Nmap's parallel reverse DNS resolver more robust, fully
 1572   handling truncated replies. If a response is too long, we now fall back to
 1573   using the system resolver to answer it. [Abhishek Singh]
 1574 
 1575 o [Zenmap][GH#279] Added a legend for the Topography window. [Suraj Hande]
 1576 
 1577 Nmap 7.25BETA1 [2016-07-15]
 1578 
 1579 o Nmap now ships with and uses Npcap, our new packet sniffing library
 1580   for Windows. It's based on WinPcap (unmaintained for years), but
 1581   uses modern Windows APIs for better performance. It also includes
 1582   security improvements and many bug fixes. See https://npcap.org. And
 1583   it enables Nmap to perform SYN scans and OS detection against
 1584   localhost, which we haven't been able to do on Windows since
 1585   Microsoft removed the raw sockets API in 2003. [Yang Luo, Daniel
 1586   Miller, Fyodor]
 1587 
 1588 o [NSE] Added 6 NSE scripts, from 5 authors, bringing the total up to 533!
 1589   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 1590   (authors are listed in brackets):
 1591 
 1592   + clamav-exec detects ClamAV servers vulnerable to unauthorized clamav
 1593     command execution. [Paulino Calderon]
 1594 
 1595   + http-aspnet-debug detects ASP.NET applications with debugging enabled.
 1596     [Josh Amishav-Zlatin]
 1597 
 1598   + http-internal-ip-disclosure determines if the web server leaks its internal
 1599     IP address when sending an HTTP/1.0 request without a Host header. [Josh
 1600     Amishav-Zlatin]
 1601 
 1602   + [GH#304] http-mcmp detects mod_cluster Management Protocol (MCMP) and dumps
 1603     its configuration. [Frank Spierings]
 1604 
 1605   + [GH#365] sslv2-drown detects vulnerability to the DROWN attack, including
 1606     CVE-2016-0703 and CVE-2016-0704 that enable fast attacks on OpenSSL.
 1607     [Bertrand Bonnefoy-Claudet]
 1608 
 1609   + vnc-title logs in to VNC servers and grabs the desktop title, geometry, and
 1610     color depth. [Daniel Miller]
 1611 
 1612 o Integrated all of your IPv4 OS fingerprint submissions from January
 1613   to April (539 of them). Added 98 fingerprints, bringing the new total
 1614   to 5187. Additions include Linux 4.4, Android 6.0, Windows Server
 1615   2016, and more. [Daniel Miller]
 1616 
 1617 o Integrated all 31 of your IPv6 OS fingerprint submissions from January to
 1618   June. The classifier added 2 groups and expanded several others. Several
 1619   Apple OS X groups were consolidated, reducing the total number of groups to
 1620   93. [Daniel Miller]
 1621 
 1622 o Update oldest supported Windows version to Vista (Windows 6.0). This enables
 1623   the use of the poll Nsock engine, which has significant performance and
 1624   accuracy advantages. Windows XP users can still use Nmap 7.12, available from
 1625   https://nmap.org/dist/?C=M&O=D [Daniel Miller]
 1626 
 1627 o [NSE] Fix a crash that happened when trying to print the percent done of 0
 1628   NSE script threads:
 1629     timing.cc:710 bool ScanProgressMeter::printStats(double, const timeval*): Assertion 'ltime' failed.
 1630   This would happen if no scripts were scheduled in a scan phase and the user
 1631   pressed a key or specified a short --stats-every interval. Reported by
 1632   Richard Petrie. [Daniel Miller]
 1633 
 1634 o [GH#283][Nsock] Avoid "unknown protocol:0" debug messages and an "Unknown
 1635   address family 0" crash on Windows and other platforms that do not set the
 1636   src_addr argument to recvfrom for TCP sockets. [Daniel Miller]
 1637 
 1638 o Retrieve the correct network prefix length for an adapter on Windows. If more
 1639   than one address was configured on an adapter, the same prefix length would
 1640   be used for both. This incorrect behavior is still used on Windows XP and
 1641   earlier. Reported by Niels Bohr. [Daniel Miller]
 1642 
 1643 o Changed libdnet-stripped to avoid bailing completely when an interface is
 1644   encountered with an unsupported hardware address type. Caused "INTERFACES:
 1645   NONE FOUND!" bugs in Nmap whenever Linux kernel added new hardware address
 1646   types. [Daniel Miller]
 1647 
 1648 o Improved service detection of Docker and fixed a bug in the output of
 1649   docker-version script. [Tom Sellers]
 1650 
 1651 o Fix detection of Microsoft Terminal Services (RDP). Our improved TLS service
 1652   probes were matching on port 3389 before our specific Terminal Services
 1653   probe, causing the port to be labeled as "ssl/unknown". Reported by Josh
 1654   Amishav-Zlatin.
 1655 
 1656 o [NSE] Update to enable smb-os-discovery to augment version detection
 1657   for certain SMB related services using data that the script discovers.
 1658   [Tom Sellers]
 1659 
 1660 o Improved version detection and descriptions for Microsoft and Samba
 1661   SMB services. Also addresses certain issues with OS identification.
 1662   [Tom Sellers]
 1663 
 1664 o [NSE] ssl-enum-ciphers will give a failing score to any server with an RSA
 1665   certificate whose public key uses an exponent of 1. It will also cap the
 1666   score of an RC4-ciphersuite handshake at C and output a warning referencing
 1667   RFC 7465. [Daniel Miller]
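
Added example (not ssl-enum-ciphers itself) covering this entry and the SWEET32 warning added in 7.25BETA2: a small grader that warns on 64-bit block ciphers in CBC mode, caps RC4 suites at C citing RFC 7465, and fails a handshake whose RSA certificate has public exponent 1. The letter scale and the A/B baseline grades are assumptions.

```python
from dataclasses import dataclass, field
from typing import List, Optional

GRADES = "ABCDEF"   # assumed scale, A best, F worst

# 64-bit block ciphers as they appear in IANA ciphersuite names; in CBC
# mode these are the SWEET32 targets.
BLOCK64 = ("3DES_EDE_CBC", "DES_CBC", "IDEA_CBC", "RC2_CBC")

def worse(a: str, b: str) -> str:
    """Return the worse of two letter grades."""
    return a if GRADES.index(a) >= GRADES.index(b) else b

@dataclass
class Assessment:
    grade: str
    warnings: List[str] = field(default_factory=list)

def grade_suite(suite: str, rsa_exponent: Optional[int] = None) -> Assessment:
    """Assess one negotiated ciphersuite (IANA name). rsa_exponent is the
    public exponent of the server's RSA certificate, if it has one."""
    # Assumed baseline: AEAD suites start at A, everything else at B.
    aead = "_GCM_" in suite or "CHACHA20" in suite or "_CCM" in suite
    grade = "A" if aead else "B"
    warnings: List[str] = []
    if any(c in suite for c in BLOCK64):
        warnings.append("64-bit block cipher in CBC mode: vulnerable to SWEET32")
    if "_RC4_" in suite:
        grade = worse(grade, "C")
        warnings.append("RC4 is prohibited by RFC 7465")
    if rsa_exponent == 1:
        # With e = 1, RSA encryption is the identity: the key protects nothing.
        grade = "F"
        warnings.append("RSA certificate public key uses exponent 1")
    return Assessment(grade, warnings)

def grade_handshakes(suites: List[str],
                     rsa_exponent: Optional[int] = None) -> Assessment:
    """Overall result for a server: the worst suite grade, each warning once."""
    overall = Assessment("A")
    for s in suites:
        one = grade_suite(s, rsa_exponent)
        overall.grade = worse(overall.grade, one.grade)
        for w in one.warnings:
            if w not in overall.warnings:
                overall.warnings.append(w)
    return overall

if __name__ == "__main__":
    # Constructed list of suites a server might accept.
    r = grade_handshakes(["TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256",
                          "TLS_RSA_WITH_3DES_EDE_CBC_SHA",
                          "TLS_RSA_WITH_RC4_128_SHA"])
    print(r.grade, r.warnings)
```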
 1668 
 1669 o [NSE] Refactored some SSLv2 functionality into a new library, sslv2.lua .
 1670   [Daniel Miller]
 1671 
 1672 o [GH#399] Zenmap's authorization wrapper now uses an AppleScript method for
 1673   privilege escalation on OS X, avoiding the deprecated
 1674   AuthorizationExecuteWithPrivileges method previously used. [Vincent Dumont]
 1675 
 1676 o [GH#454] The OS X binary package is distributed in a .dmg disk image that now
 1677   features an instructive background image. [Vincent Dumont]
 1678 
 1679 o [GH#420] Our OS X build system now uses gtk-mac-bundler and jhbuild to
 1680   provide all dependencies. We no longer use Macports for this purpose.
 1681   [Vincent Dumont]
 1682 
 1683 o [GH#345][Zenmap] On Windows, save Zenmap's stderr output to a writeable
 1684   location (%LOCALAPPDATA%\zenmap.exe.log or %TEMP%\zenmap.exe.log) instead of
 1685   next to the zenmap.exe executable. This avoids a warning message when closing
 1686   Zenmap if it produced any stderr output. [Daniel Miller]
 1687 
  1688 o [GH#379][NSE] Fix http-iis-short-name-brute to report non-vulnerable hosts.
 1689   Reported by alias1. [Paulino Calderon]
 1690 
 1691 o [NSE][GH#371] Fix mysql-audit by adding needed library requires to the
 1692   mysql-cis.audit file. The script would fail with "Failed to load rulebase"
 1693   message. [Paolo Perego]
 1694 
  1695 o [NSE][GH#362] Added support for LDAP over UDP to ldap-rootdse.nse.
 1696   Also added version detection and information extraction to match the
 1697   new LDAP LDAPSearchReq and LDAPSearchReqUDP probes. [Tom Sellers]
 1698 
 1699 o [GH#354] Added new version detection Probes for LDAP services, LDAPSearchReq
 1700   and LDAPSearchReqUDP. The second is Microsoft Active Directory specific. The
  1701   Probes will elicit responses from target services that allow better
  1702   fingerprinting and information extraction. Also added nmap-payload entry for
  1703   detecting LDAP on UDP. [Tom Sellers]
 1704 
 1705 o [NSE] More VNC updates: Support for VeNCrypt and Tight auth types, output of
 1706   authentication sub-types in vnc-info, and all zero-authentication types are
 1707   recognized and reported. [Daniel Miller]
 1708 
 1709 Nmap 7.12 [2016-03-29]
 1710 
 1711 o [Zenmap] Avoid file corruption in zenmap.conf, reported as files containing
 1712   many null ("\x00") characters. Example exceptions:
 1713     TypeError: int() argument must be a string or a number, not 'list'
 1714     ValueError: unable to parse colour specification
 1715 
 1716 o [NSE] VNC updates including vnc-brute support for TLS security type and
 1717   negotiating a lower RFB version if the server sends an unknown higher
 1718   version.  [Daniel Miller]
 1719 
 1720 o [NSE] Added STARTTLS support for VNC, NNTP, and LMTP [Daniel Miller]
 1721 
 1722 o Added new service probes and match lines for OpenVPN on UDP and TCP.
 1723 
 1724 Nmap 7.11 [2016-03-22]
 1725 
 1726 o [NSE][GH#341] Added support for diffie-hellman-group-exchange-* SSH key
 1727   exchange methods to ssh2.lua, allowing ssh-hostkey to run on servers that
 1728   only support custom Diffie-Hellman groups. [Sergey Khegay]
 1729 
 1730 o [NSE] Added support in sslcert.lua for Microsoft SQL Server's TDS protocol,
 1731   so you can now grab certs with ssl-cert or check ciphers with
 1732   ssl-enum-ciphers.  [Daniel Miller]
 1733 
 1734 o [Zenmap] Fix a crash when setting default window geometry:
 1735     TypeError: argument of type 'int' is not iterable
 1736 
 1737 o [Zenmap] Fix a crash when displaying the date from an Nmap XML file due to an
 1738   empty or unknown locale:
 1739     File "zenmapCore/NmapParser.py", line 627, in get_formatted_date
 1740       locale.getpreferredencoding())
 1741     LookupError: unknown encoding:
 1742 
 1743 o [Zenmap] Fix a crash due to incorrect file paths when installing to
 1744   /usr/local prefix. Example:
 1745     Exception: File '/home/blah/.zenmap/scan_profile.usp' does not exist or could not be found!
 1746 
 1747 Nmap 7.10 [2016-03-17]
 1748 
 1749 o [NSE] Added 12 NSE scripts from 7 authors, bringing the total up to 527!
 1750   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 1751   (authors are listed in brackets):
 1752 
 1753   + [GH#322] http-apache-server-status parses the server status page of
 1754     Apache's mod_status. [Eric Gershman]
 1755 
 1756   + http-vuln-cve2013-6786 detects a XSS and URL redirection vulnerability in
 1757     Allegro RomPager web server. Also added a fingerprint for detecting
 1758     CVE-2014-4019 to http-fingerprints.lua. [Vlatko Kosturjak]
 1759 
 1760   + [GH#226] http-vuln-cve2014-3704 detects and exploits the "Drupalgeddon"
 1761     pre-auth SQL Injection vulnerability in Drupal. [Mariusz Ziulek]
 1762 
 1763   + imap-ntlm-info extracts hostname and sometimes OS version from
 1764     NTLM-auth-enabled IMAP services. [Justin Cacak]
 1765 
 1766   + ipv6-multicast-mld-list discovers IPv6 multicast listeners with MLD probes.
 1767     The discovery is the same as targets-ipv6-multicast-mld, but the subscribed
 1768     addresses are decoded and listed.  [Alexandru Geana, Daniel Miller]
 1769 
 1770   + ms-sql-ntlm-info extracts OS version and sometimes hostname from MS SQL
 1771     Server instances via the NTLM challenge message. [Justin Cacak]
 1772 
 1773   + nntp-ntlm-info extracts hostname and sometimes OS version from
 1774     NTLM-auth-enabled NNTP services. [Justin Cacak]
 1775 
 1776   + pop3-ntlm-info extracts hostname and sometimes OS version from
 1777     NTLM-auth-enabled POP3 services. [Justin Cacak]
 1778 
 1779   + rusers retrieves information about logged-on users from the rusersd RPC
 1780     service. [Daniel Miller]
 1781 
 1782   + [GH#333] shodan-api queries the Shodan API (https://www.shodan.io) and
 1783     retrieves open port and service info from their Internet-wide scan data.
 1784     [Glenn Wilkinson]
 1785 
 1786   + smtp-ntlm-info extracts hostname and sometimes OS version from
 1787     NTLM-auth-enabled SMTP and submission services. [Justin Cacak]
 1788 
 1789   + telnet-ntlm-info extracts hostname and sometimes OS version from
 1790     NTLM-auth-enabled Telnet services. [Justin Cacak]
 1791 
 1792 o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and Linux
 1793   RPM) to 1.0.2g with SSLv2 enabled.
 1794 
 1795 o Integrated all of your IPv4 OS fingerprint submissions from October to
 1796   January (536 of them). Added 104 fingerprints, bringing the new total to
 1797   5089. Additions include Linux 4.2, more Windows 10, IBM i 7, and more.
 1798   Highlights: http://seclists.org/nmap-dev/2016/q1/270 [Daniel Miller]
 1799 
 1800 o Integrated all of your service/version detection fingerprints submitted from
 1801   October to January (508 of them). The signature count went up 2.2% to 10532.
 1802   We now detect 1108 protocols, from icy, finger, and rtsp to ipfs,
 1803   basestation, and minecraft-pe. Highlights:
 1804   http://seclists.org/nmap-dev/2016/q1/271 [Daniel Miller]
 1805 
 1806 o Integrated all 12 of your IPv6 OS fingerprint submissions from October to
 1807   January. The classifier added 3 new groups, including new and expanded groups
 1808   for OS X, bringing the new total to 96. Highlights:
 1809   http://seclists.org/nmap-dev/2016/q1/273 [Daniel Miller]
 1810 
 1811 o [NSE] Upgrade to http-form-brute allowing correct handling of token-based
 1812   CSRF protections and cookies. Also, a simple database of common login forms
 1813   supports Django, Wordpress, MediaWiki, Joomla, and others. [Daniel Miller]
 1814 
 1815 o [Zenmap] [GH#247] Remember window geometry (position and size) from the
 1816   previous time Zenmap was run. [isjing]
 1817 
 1818 o New service probe for CORBA GIOP (General Inter-ORB Protocol) detection
 1819   should elicit a not-found exception from GIOP services that do not respond to
 1820   non-GIOP probes. [Quentin Hardy]
 1821 
 1822 o [GH#284] Fix retrieval of route netmasks on FreeBSD. IPv6 routes were given
 1823   /32 netmasks regardless of actual netmask configured, resulting in failed
 1824   routing. Reported by Martin Gysi. [Daniel Miller]
 1825 
 1826 o [GH#272][GH#269] Give option parsing errors after the usage statement, or
 1827   avoid printing the usage statement in some cases. The options summary has
 1828   grown quite large, requiring users to scroll to the top to see the error
 1829   message. [Abhishek Singh]
 1830 
 1831 o [GH#249][Nsock] Avoid a crash on Windows reported by users using Zenmap's
 1832   Slow Comprehensive Scan profile.  In the case of unknown OpenSSL errors,
 1833   ERR_reason_error_string would return NULL, which could not be printed with
 1834   the "%s" format string. Reported by Dan Baxter. [Gisle Vanem, Daniel Miller]
 1835 
 1836 o [GH#293][Zenmap] Fix a regression in our build that caused copy-and-paste to
 1837   not work in Zenmap on Windows.
 1838 
 1839 o Changed Nmap's idea of reserved and private IP addresses to include
 1840   169.254/16 (RFC3927) and remove 6/8, 7/8, and 55/8 networks. This list, in
 1841   libnetutil's isipprivate function, is used to filter -iR randomly generated
 1842   targets. The newly-valid address ranges belong to the U.S. Department of
 1843   Defense, so users wanting to avoid those ranges should use their own
 1844   exclusion lists with --exclude or --exclude-file.  [Bill Parker, Daniel
 1845   Miller]
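To make the effect of this change concrete, here is an added illustration in C (my own code, not Nmap's libnetutil): an isipprivate-style filter that covers exactly the ranges the entry names, beside a CIDR exclusion list of the kind --exclude or --exclude-file would supply. All function and constant names (is_ip_private, is_excluded, acceptable_random_target, DOD_EXCLUDES) are assumptions for this example, and the sample addresses are constructed.

```c
/* Added illustration, not Nmap's libnetutil code: an isipprivate-style
 * filter with the ranges this changelog entry names, plus a CIDR exclusion
 * list like the one --exclude / --exclude-file would provide. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Parse dotted-quad text into a host-order 32-bit value; returns 1 on success. */
int parse_ipv4(const char *s, uint32_t *out) {
    unsigned a, b, c, d;
    char tail;
    if (sscanf(s, "%u.%u.%u.%u%c", &a, &b, &c, &d, &tail) != 4)
        return 0;
    if (a > 255 || b > 255 || c > 255 || d > 255)
        return 0;
    *out = ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
    return 1;
}

/* True when addr lies inside net/prefix (both host-order). */
int in_cidr(uint32_t addr, uint32_t net, unsigned prefix) {
    uint32_t mask = prefix == 0 ? 0 : 0xFFFFFFFFu << (32 - prefix);
    return (addr & mask) == (net & mask);
}

/* The filter as the entry describes it after the change: RFC 1918 space plus
 * 169.254/16 (RFC 3927). 6/8, 7/8 and 55/8 are deliberately absent, so they
 * now pass through to random (-iR) target generation unless excluded. */
int is_ip_private(uint32_t addr) {
    return in_cidr(addr, 10u << 24, 8)                          /* 10/8 */
        || in_cidr(addr, (172u << 24) | (16u << 16), 12)        /* 172.16/12 */
        || in_cidr(addr, (192u << 24) | (168u << 16), 16)       /* 192.168/16 */
        || in_cidr(addr, (169u << 24) | (254u << 16), 16);      /* 169.254/16 */
}

/* User exclusion list, one "a.b.c.d/len" string per entry. Returns 1 if addr
 * matches any entry; malformed entries are skipped rather than trusted. */
int is_excluded(uint32_t addr, const char *const *cidrs, size_t n) {
    for (size_t i = 0; i < n; i++) {
        char ip[16];
        unsigned prefix;
        uint32_t net;
        if (sscanf(cidrs[i], "%15[0-9.]/%u", ip, &prefix) != 2 || prefix > 32)
            continue;
        if (parse_ipv4(ip, &net) && in_cidr(addr, net, prefix))
            return 1;
    }
    return 0;
}

/* Decision a random-target generator would make: drop private addresses and
 * anything on the user's exclusion list. Returns 1 when the address is usable. */
int acceptable_random_target(const char *text, const char *const *cidrs, size_t n) {
    uint32_t addr;
    if (!parse_ipv4(text, &addr))
        return 0;
    return !is_ip_private(addr) && !is_excluded(addr, cidrs, n);
}

/* Constructed exclusion list covering the three blocks the entry says are
 * no longer filtered by default. */
const char *const DOD_EXCLUDES[] = { "6.0.0.0/8", "7.0.0.0/8", "55.0.0.0/8" };
const size_t DOD_EXCLUDES_N = 3;

int main(void) {
    const char *samples[] = { "10.1.2.3", "169.254.9.9", "6.1.1.1", "203.0.113.7" };
    for (size_t i = 0; i < 4; i++)
        printf("%-14s usable=%d  usable-with-exclusions=%d\n", samples[i],
               acceptable_random_target(samples[i], NULL, 0),
               acceptable_random_target(samples[i], DOD_EXCLUDES, DOD_EXCLUDES_N));
    return 0;
}
```

The point to take from the output is that 6.1.1.1 is "usable" with no exclusion list and dropped only when the user supplies one, which is exactly why the entry tells users who want to avoid those ranges to pass --exclude or --exclude-file.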
 1846 
 1847 o Allow the -4 option for Nmap to indicate IPv4 address family. This is the
 1848   default, and using the option doesn't change anything, but does make it more
 1849   explicit which address family you want to scan. Using -4 with -6 is an error.
 1850   [Daniel Miller]
 1851 
 1852 o [GH#265] When provided a verbosity of 0 (-v0), Nmap will not output any text to the
 1853   screen. This happens at the time of argument parsing, so the usual meaning of
 1854   "verbosity 0" is preserved. [isjing]
 1855 
 1856 o [NSE][GH#314] Fix naming of SSL2_RC2_128_CBC_WITH_MD5 and
 1857   SSL2_RC2_128_CBC_EXPORT40_WITH_MD5 ciphers in sslv2 in order to match the
 1858   draft specification from Mozilla. [Bertrand Bonnefoy-Claudet]
 1859 
 1860 o [NSE][GH#320] Add STARTTLS support to sslv2 to enable SSLv2 detection
 1861   against services that are not TLS encrypted by default but that support
 1862   post connection upgrade. This will enable more comprehensive detection
 1863   of SSLv2 and DROWN (CVE-2016-0800) attack oracles. [Tom Sellers]
 1864 
 1865 o [NSE][GH#301] Added default credential checks for RICOH Web Image Monitor and
 1866   BeEF to http-default-accounts. [nnposter]
 1867 
 1868 o Properly display Next-hop MTU value from ICMP Type 3 Code 4 Fragmentation
 1869   Required messages when tracing packets or in Nping output. Improper offset
 1870   meant we were printing the total IP length. [Sławomir Demeszko]
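The offset bug above is easy to reproduce on paper, so here is an added C example (my own, not Nmap's packet-tracing code) that parses an ICMPv4 Destination Unreachable / Fragmentation Needed message and reads the Next-hop MTU from octets 6-7, beside a function that reads octets 10-11 and therefore returns the Total Length of the quoted original datagram, the value the old output showed. The message bytes, including the checksum, are constructed for this example; function names are assumptions.

```c
/* Added illustration, not Nmap's code: extract the Next-hop MTU from an
 * ICMPv4 Type 3 Code 4 message and show what a misplaced offset returns. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed message: 8-byte ICMP header followed by the quoted IPv4 header.
 * The ICMP checksum was computed for this exact sample. */
const uint8_t SAMPLE_FRAG_NEEDED[] = {
    0x03, 0x04, 0x2e, 0x35,  /* type 3, code 4, checksum */
    0x00, 0x00, 0x05, 0x78,  /* unused, Next-hop MTU = 1400 */
    0x45, 0x00, 0x05, 0xdc,  /* quoted IPv4: v4/IHL 5, TOS, Total Length = 1500 */
    0x12, 0x34, 0x40, 0x00,  /* identification, flags (DF), fragment offset */
    0x40, 0x06, 0x00, 0x00,  /* TTL 64, protocol TCP, header checksum (constructed) */
    0xc0, 0x00, 0x02, 0x01,  /* src 192.0.2.1  (TEST-NET-1) */
    0xc6, 0x33, 0x64, 0x02   /* dst 198.51.100.2 (TEST-NET-2) */
};
const size_t SAMPLE_FRAG_NEEDED_LEN = sizeof SAMPLE_FRAG_NEEDED;

static uint16_t be16(const uint8_t *p) { return (uint16_t)((p[0] << 8) | p[1]); }

/* RFC 1071 one's-complement checksum over the whole ICMP message.
 * Returns 0 when the stored checksum verifies. */
uint16_t icmp_checksum(const uint8_t *msg, size_t len) {
    uint32_t sum = 0;
    for (size_t i = 0; i + 1 < len; i += 2)
        sum += be16(msg + i);
    if (len & 1)
        sum += (uint32_t)msg[len - 1] << 8;
    while (sum >> 16)
        sum = (sum & 0xFFFF) + (sum >> 16);
    return (uint16_t)~sum;
}

/* Correct extraction: Next-hop MTU is octets 6-7 of the ICMP header
 * (type, code, checksum, two unused octets, then the MTU). Returns the MTU,
 * or -1 if this is not a well-formed Type 3 Code 4 message. */
int icmp_frag_needed_mtu(const uint8_t *msg, size_t len) {
    if (len < 8 + 20)                 /* header plus a minimal quoted IP header */
        return -1;
    if (msg[0] != 3 || msg[1] != 4)   /* Destination Unreachable, Frag Needed */
        return -1;
    if (icmp_checksum(msg, len) != 0) /* ignore corrupted data */
        return -1;
    return be16(msg + 6);
}

/* What a read at octets 10-11 yields: the Total Length field of the quoted
 * original datagram, which is the number the old output printed as the MTU. */
int quoted_ip_total_length(const uint8_t *msg, size_t len) {
    if (len < 8 + 20)
        return -1;
    return be16(msg + 8 + 2);
}

int main(void) {
    printf("Next-hop MTU: %d\n",
           icmp_frag_needed_mtu(SAMPLE_FRAG_NEEDED, SAMPLE_FRAG_NEEDED_LEN));
    printf("Total Length of quoted datagram (the old, wrong value): %d\n",
           quoted_ip_total_length(SAMPLE_FRAG_NEEDED, SAMPLE_FRAG_NEEDED_LEN));
    return 0;
}
```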
 1871 
 1872 o [NSE] Added support for DHCP options "TFTP server name" and "Bootfile name"
 1873   to dhcp.lua and enabled checking for options with a code above 61 by default.
 1874   [Mike Rykowski]
 1875 
 1876 o [NSE] whois-ip: Don't request a remote IANA assignments data file when the
 1877   local filesystem will not permit the file to be cached in a local file. [jah]
 1878 
 1879 o [NSE] Updated http-php-version hash database to cover all versions from PHP
 1880   4.1.0 to PHP 5.4.45. Based on scans of a few thousand PHP web servers pulled
 1881   from Shodan API (https://www.shodan.io/) [Daniel Miller]
 1882 
 1883 o Use the same ScanProgressMeter for FTP bounce scan (-b) as for the other scan
 1884   types, allowing periodic status updates with --stats-every or keypress
 1885   events.  [Daniel Miller]
 1886 
 1887 o [GH#274] Use a shorter pcap_select timeout on OpenBSD, just as we do for OS
 1888   X, old FreeBSD, and Solaris, which use BPF for packet capture and do not have
 1889   properly select-able fds. Fix by OpenBSD port maintainer [David Carlier]
 1890 
 1891 o Print service info in grepable output for ports which are not listed in
 1892   nmap-services when a service tunnel (SSL) is detected. Previously, the
 1893   service info ("ssl|unknown") was not printed unless the service inside the
 1894   tunnel was positively identified. http://seclists.org/nmap-dev/2015/q4/260
 1895   [Daniel Miller]
 1896 
 1897 o [NSE] [GH#242] Fix multiple false-positive sources in http-backup-agent.
 1898   [Tom Sellers]
 1899 
 1900 Nmap 7.01 [2015-12-09]
 1901 
 1902 o Switch to using gtk-mac-bundler and jhbuild for building the OS X installer.
 1903   This promises to reduce a lot of the problems we've had with local paths and
 1904   dependencies using the py2app and macports build system. [Daniel Miller]
 1905 
 1906 o The Windows installer is now built with NSIS 2.47 which features LoadLibrary
 1907   security hardening to prevent DLL hijacking and other unsafe use of temporary
 1908   directories. Thanks to Stefan Kanthak for reporting the issue to NSIS and to
 1909   us and the many other projects that use it.
 1910 
 1911 o Updated the OpenSSL shipped with our binary builds (Windows, OS X, and RPM)
 1912   to 1.0.2e.
 1913 
 1914 o [Zenmap] [GH#235] Fix several failures to launch Zenmap on OS X. The new
 1915   build process eliminates these errors:
 1916     IOError: [Errno 2] No such file or directory: '/Applications/Zenmap.app/Contents/Resources/etc/pango/pangorc.in'
 1917     LSOpenURLsWithRole() failed for the application /Applications/Zenmap.app with error -10810.
 1918 
 1919 o [NSE] [GH#254] Update the TLSSessionRequest probe in ssl-enum-ciphers to
 1920   match the one in nmap-service-probes, which was fixed previously to correct a
 1921   length calculation error. [Daniel Miller]
 1922 
 1923 o [NSE] [GH#251] Correct false positives and unexpected behavior in http-*
 1924   scripts which used http.identify_404 to determine when a file was not found
 1925   on the target. The function was following redirects, which could be an
 1926   indication of a soft-404 response. [Tom Sellers]
 1927 
 1928 o [NSE] [GH#241] Fix a false-positive in hnap-info when the target responds
 1929   with 200 OK to any request. [Tom Sellers]
 1930 
 1931 o [NSE] [GH#244] Fix an error response in xmlrpc-methods when run against a
 1932   non-HTTP service. The expected behavior is no output. [Niklaus Schiess]
 1933 
 1934 o [NSE] Fix SSN validation function in http-grep, reported by Bruce Barnett.
 1935 
 1936 Nmap 7.00 [2015-11-19]
 1937 
 1938 o This is the most important release since Nmap 6.00 back in May 2012!
 1939   For a list of the most significant improvements and new features,
 1940   see the announcement at: https://nmap.org/7/
 1941 
 1942 o [NSE] Added 6 NSE scripts from 6 authors, bringing the total up to 515!
 1943   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 1944   (authors are listed in brackets):
 1945 
 1946   + targets-xml extracts target addresses from previous Nmap XML results files.
 1947     [Daniel Miller]
 1948 
 1949   + [GH#232] ssl-dh-params checks for problems with weak, non-safe, and
 1950     export-grade Diffie-Hellman parameters in TLS handshakes. This includes the
 1951     LOGJAM vulnerability (CVE-2015-4000). [Jacob Gajek]
 1952 
 1953   + nje-node-brute does brute-forcing of z/OS JES Network Job Entry node names.
 1954     [Soldier of Fortran]
 1955 
 1956   + ip-https-discover detects support for Microsoft's IP over HTTPS
 1957     tunneling protocol. [Niklaus Schiess]
 1958 
 1959   + [GH#165] broadcast-sonicwall-discover detects and extracts information from
 1960     SonicWall firewalls. [Raphael Hoegger]
 1961 
 1962   + [GH#38] http-vuln-cve2014-8877 checks for and optionally exploits a
 1963     vulnerability in CM Download Manager plugin for Wordpress. [Mariusz Ziulek]
 1964 
 1965 o [Ncat] [GH#151] [GH#142] New option --no-shutdown prevents Ncat from shutting
 1966   down when it reads EOF on stdin. This is the same as traditional netcat's
 1967   "-d" option. [Adam Saponara]
 1968 
 1969 o [NSE] [GH#229] Improve parsing in http.lua for multiple Set-Cookie headers in
 1970   a single response.  [nnposter]
 1971 
 1972 Nmap 6.49BETA6 [2015-11-03]
 1973 
 1974 o Integrated all of your IPv6 OS fingerprint submissions from April to October
 1975   (only 9 of them!). We are steadily improving the IPv6 database, but we need
 1976   your submissions. The classifier added 3 new groups, bringing the new total
 1977   to 93. Highlights: http://seclists.org/nmap-dev/2015/q4/61 [Daniel Miller]
 1978 
 1979 o Integrated all of your IPv4 OS fingerprint submissions from February to
 1980   October (1065 of them). Added 219 fingerprints, bringing the new total to
 1981   4985. Additions include Linux 4.1, Windows 10, OS X 10.11, iOS 9, FreeBSD
 1982   11.0, Android 5.1, and more. Highlights:
 1983   http://seclists.org/nmap-dev/2015/q4/60 [Daniel Miller]
 1984 
 1985 o Integrated all of your service/version detection fingerprints submitted from
 1986   February to October (800+ of them). The signature count went up 2.5% to
 1987   10293. We now detect 1089 protocols, from afp, bitcoin, and caldav to
 1988   xml-rpc, yiff, and zebra. Highlights: http://seclists.org/nmap-dev/2015/q4/62
 1989   [Daniel Miller]
 1990 
 1991 o [NSE] Added 10 NSE scripts from 5 authors, bringing the total up to 509!
 1992   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 1993   (authors are listed in brackets):
 1994 
 1995   + knx-gateway-discover and knx-gateway-info scripts gather information from
 1996     multicast and unicast KNX gateways, which connect home automation systems
 1997     to IP networks. [Niklaus Schiess, Dominik Schneider]
 1998 
 1999   + http-ls parses web server directory index pages with optional recursion.
 2000     [Pierre Lalet]
 2001 
 2002   + xmlrpc-methods performs introspection of xmlrpc services and lists methods
 2003     and their descriptions. [Gyanendra Mishra]
 2004 
 2005   + http-fetch can be used like wget or curl to fetch all files, specific
 2006     filenames, or files that match a given pattern. [Gyanendra Mishra]
 2007 
 2008   + http-svn-enum enumerates users of a Subversion repository by examining
 2009     commit logs. [Gyanendra Mishra]
 2010 
 2011   + http-svn-info requests information from a Subversion repository, similar to
 2012     the "svn info" command. [Gyanendra Mishra]
 2013 
 2014   + hnap-info detects and outputs info for Home Network Administration Protocol
 2015     devices. [Gyanendra Mishra]
 2016 
 2017   + http-webdav-scan detects WebDAV servers and reports allowed methods and
 2018     directory listing. [Gyanendra Mishra]
 2019 
 2020   + tor-consensus-checker checks the target's address with the Tor directory
 2021     authorities to determine if a target is a known Tor node. [Jiayi Ye]
 2022 
 2023 o [NSE] Several scripts have been split, combined, or renamed:
 2024 
 2025   + [GH#171] smb-check-vulns has been split into:
 2026     * smb-vuln-conficker
 2027     * smb-vuln-cve2009-3103
 2028     * smb-vuln-ms06-025
 2029     * smb-vuln-ms07-029
 2030     * smb-vuln-regsvc-dos
 2031     * smb-vuln-ms08-067
 2032     The scripts now use the vulns library, and the "unsafe" script-arg has been
 2033     replaced by putting the scripts into the "dos" category. [Paulino Calderon]
 2034 
 2035   + http-email-harvest was removed, as the new http-grep does email address
 2036     scraping by default. [Gyanendra Mishra]
 2037 
 2038   + http-drupal-modules was renamed to http-drupal-enum. Extended to enumerate
 2039     both themes and modules of Drupal installations. [Gyanendra Mishra]
 2040 
 2041 o [Ncat] [GH#193] Fix Ncat listen mode over Unix sockets (named pipes) on OS X.
 2042   This was crashing with the error:
 2043     Ncat: getnameinfo failed: Undefined error: 0 QUITTING.
 2044   Fixed by forcing the name to "localhost" [Michael Wallner]
 2045 
 2046 o [Zenmap] Fix a crash in Zenmap when using Compare Results:
 2047     AttributeError: 'NoneType' object has no attribute 'get_nmap_output'
 2048   [Daniel Miller]
 2049 
 2050 o [NSE] [GH#194] Add support for reading fragmented TLS messages to
 2051   ssl-enum-ciphers. [Jacob Gajek]
 2052 
 2053 o [GH#51] Added IPv6 support to nmap_mass_rdns, improved reverse DNS cache,
 2054   and refactored DNS code to improve readability and
 2055   extensibility. All in all, this makes the rDNS portion of IPv6 scans
 2056   much faster. [Gioacchino Mazzurco]
 2057 
 2058 o [NSE] Added NTLM brute support to http-brute. [Gyanendra Mishra]
 2059 
 2060 o [NSE] Added NTLM authentication support to http.lua and a related function to create
 2061   an ntlm v2 session response in smbauth.lua. [Gyanendra Mishra]
 2062 
 2063 o [NSE] [GH#106] Added a new NSE module, ls.lua, for accumulating and
 2064   outputting file and directory listings. The afp-ls, nfs-ls, and smb-ls
 2065   scripts have been converted to use this module. [Pierre Lalet]
 2066 
 2067 o [NSE] bacnet-info.nse and s7-info.nse were added to the version category.
 2068   [Paulino Calderon]
 2069 
 2070 o [NSE] Added 124 new identifiers to bacnet-info.nse vendor database.
 2071   [Paulino Calderon]
 2072 
 2073 o [NSE] Fixed bacnet-info.nse to bind to the service port detected
 2074   during scan instead of fixed port. [Paulino Calderon]
 2075 
 2076 o [NSE] Enhanced reporting of elliptic curve names and strengths in
 2077   ssl-enum-ciphers. The name of the curve is now reported instead of just "ec"
 2078   [Brandon Paulsen]
 2079 
 2080 o [GH#75] Normalize Makefile targets to use the same verb-project format, e.g.
 2081   build-ncat, check-zenmap, install-nping, clean-nsock [Gioacchino Mazzurco]
 2082 
 2083 o [NSE] Added builtin pattern and multiple pattern search to http-grep. [Gyanendra Mishra]
 2084 
 2085 o [NSE] http-crossdomainxml is now http-cross-domain-policy and supports client
 2086   access policies and uses the new SLAXML parser. [Gyanendra Mishra]
 2087 
 2088 o [NSE] Added a patch for vulns lib that allows list of tables to be submitted
 2089   to fields in the vulns report. [Jacob Gajek]
 2090 
 2091 o [NSE] Added additional checks for successful PUT request in http-put.
 2092   [Oleg Mitrofanov]
 2093 
 2094 o [NSE] Added an update for http-methods that checks all possible methods not in
 2095   Allow or Public header of OPTIONS response. [Gyanendra Mishra]
 2096 
 2097 o [NSE] Added SLAXML, an XML parser in Lua originally written by Gavin Kistner
 2098   (a.k.a. Phrogz). [Gyanendra Mishra]
 2099 
 2100 o [NSE] [GH#122] Update the snmp-brute and other snmp-* scripts to use the
 2101   creds library to store brute-forced snmp community strings. This allows Nmap
 2102   to use the correct brute-forced string for each host. [Gioacchino Mazzurco]
 2103 
 2104 o Several improvements to TLS/SSL detection in nmap-service-probes. A new
 2105   probe, TLSSessionReq, and improvements to default SSL ports should help speed
 2106   up -sV scans. http://seclists.org/nmap-dev/2015/q2/17 [Daniel Miller]
 2107 
 2108 o [Nsock] Clean up the API so that nsp_* calls are now nsock_pool_* and nsi_*
 2109   are nsock_iod_*. Simplify Nsock SSL init API, and make logging global to the
 2110   library instead of associated with a nspool. [Henri Doreau]
 2111 
 2112 o [GH#181] The configure script now prints a summary of configured options.
 2113   Most importantly, it warns if OpenSSL was not found, since most users will
 2114   want this library compiled in. [Gioacchino Mazzurco]
 2115 
 2116 o Define TCP Options for SYN scan in nmap.h instead of literally throughout.
 2117   This string is used by p0f and other IDS to detect Nmap scans, so having it a
 2118   compile-time option is a step towards better evasion. [Daniel Miller]
 2119 
 2120 o [GH#51] Nmap's parallel reverse-DNS resolver now handles IPv6 addresses. This
 2121   should result in faster -6 scans. The old behavior is available with
 2122   --system-dns. [Gioacchino Mazzurco]
 2123 
 2124 o [NSE] Fix a couple of odd bugs in NSE command-line parsing. Most notably,
 2125   --script broadcast-* will now work (generally, wildcards with scripts whose
 2126   name begins with a category name were not working properly). [Daniel Miller]
 2127 
 2128 o [NSE] [GH#113] http-form-fuzzer will now stop increasing the size of a
 2129   request when an HTTP 413 or 414 error indicates the web server will not
 2130   accept a larger request. [Gioacchino Mazzurco]
 2131 
 2132 o [NSE] [GH#159] Add the ability to tag credentials in the creds library with
 2133   freeform text for easy retrieval. This gives necessary granularity to track
 2134   credentials to multiple web apps on a single host+port. [Gioacchino Mazzurco]
 2135 
 2136 Nmap 6.49BETA5 [2015-09-25]
 2137 
 2138 o Work around a bug which could cause Nmap to hang when running
 2139   multiple instances at once on Windows. The actual bug appears to be
 2140   in the WinPCAP driver in that it hangs when accessed via
 2141   OpenServiceA by multiple processes at once. So for now we have added
 2142   a mutex to prevent even multiple Nmap processes from making
 2143   concurrent calls to this part of WinPcap. We've received the reports
 2144   from multiple users on Windows 8.1 and Windows Server 2012 R2 and
 2145   this fix seems to resolve the hang for them. [Daniel Miller]
 2146 
 2147 o [GH#212][NSE] Fix http.get_url function which was wrongly attempting
 2148   non-SSL HTTP requests first when passed https URLs. [jah]
 2149 
 2150 o [GH#201] Fix Ndiff interpreter path problems in the OS X .dmg
 2151   installer which could prevent Ndiff (and the related Zenmap "compare
 2152   results" window) from working on OS X in some cases. [Daniel Miller]
 2153 
 2154 o Fix Nmap's DTD, which did not recognize that the script element
 2155   could contain character data when a script returns a number or a
 2156   boolean.  [Jonathan Daugherty]
 2157 
 2158 o [GH#172][NSE] Fix reporting of DH parameter sizes by
 2159   ssl-enum-ciphers. The number shown was the length in bytes, not bits
 2160   as it should have been.  Reported by Michael Staruch. [Brandon
 2161   Paulsen]
 2162 
 2163 o Our Windows Nmap packages are now compiled with the older platform
 2164   toolset (v120_xp rather than v120) and so they may work with Windows
 2165   XP again for the dwindling number of users still on that operating
 2166   system.
 2167 
 2168 o [GH#34] Disable TPACKET_V3 in our included libpcap. This version of
 2169   the Linux kernel packet ring API has problems that result in lots of
 2170   lost packets. This patch falls back to TPACKET_V2 or earlier
 2171   versions if available. [nnposter]
 2172 
 2173 o [NSE] Check for socket errors in iscsi.lua. This was causing the
 2174   iscsi-info script to crash against some services. [Daniel Miller]
 2175 
 2176 o [NSE] Fix http-useragent-tester, which was using cached HTTP
 2177   responses instead of testing new User-Agent strings. [Daniel Miller]
 2178 
 2179 o Output a warning when deprecated options are used, and suggest the
 2180   preferred option. Currently deprecated: -i -o -m -sP -P0 -PN -oM
 2181   -sR. The warning is only visible with -v. [Daniel Miller]
 2182 
 2183 o Add a fatal error for options like -oG- which is interpreted as the
 2184   deprecated -o option, outputting to a file named "G-", instead of
 2185   the expected behavior of -oG - (Grepable output to stdout). [Daniel
 2186   Miller]
 2187 
 2188 o [GH#196] Fix raw packet sending on FreeBSD 10.0 and later. FreeBSD
 2189   changed byte order of the IPv4 stack, so SYN scan and other raw
 2190   packet functions were broken. [Edward Napierała] Also reported in
 2191   [GH#50] by Olli Hauer.
 2192 
 2193 o [GH#183] Fix compilation on Visual Studio 2010, which failed with
 2194   error: "service_scan.cc(2559): error C2065: 'EOPNOTSUPP' :
 2195   undeclared identifier" [Daniel Miller]
 2196 
 2197 o [GH#115][NSE] ssl-enum-ciphers will still produce output if OpenSSL
 2198   (required for certificate parsing) is not available. In cases where
 2199   handshake strength depends on the certificate, it will be reported
 2200   as "unknown". [jrchamp]
 2201 
 2202 Nmap 6.49BETA4 [2015-07-06]
 2203 
 2204 o Fix a hang on OS X in Zenmap's Topology page with error
 2205   "zenmap_wrapper.py[857]: GError: Couldn't recognize the image file format for
 2206   file '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'
 2207   http://seclists.org/nmap-dev/2015/q3/8 [Daniel Miller]
 2208 
 2209 o Fix a small memory leak for each target specified as a hostname which fails
 2210   to resolve. [Daniel Miller]
 2211 
 2212 o Allow 'make check' to succeed when Nmap is configured without OpenSSL
 2213   support. This was broken due to our NSE unittest library expecting to be able
 2214   to load every library without error. [Daniel Miller]
 2215 
 2216 o [NSE] Enable ssl-enum-ciphers to safely scan servers with a long handshake
 2217   intolerance issue which resulted in incomplete results when the handshake was
 2218   greater than 255 bytes. [Jacob Gajek, Daniel Miller]
 2219 
 2220 o [Ncat] Fix a write overrun in Ncat that could cause a segfault if the -g
 2221   (source route) option was given too many times. [Daniel Miller]
 2222 
 2223 o [NSE] [GH#168] Allow ssl-enum-ciphers to run on non-typical ports when it is
 2224   selected by name. It will now send a service detection probe if the port is
 2225   not a typical SSL port and version scan (-sV) was not used. [Daniel Miller]
 2226 
 2227 Nmap 6.49BETA3 [2015-06-25]
 2228 
 2229 o [GH#166] Fix Ncat listen mode on Solaris and other platforms where struct sockaddr
 2230   does not have a sa_len member. This also affected use of the -p and -s
 2231   options. Brandon Haberfeld reported the crash. [Daniel Miller]
 2232 
 2233 o [GH#164] Fix a Zenmap failure to open on OS X with the error:
 2234   "dyld: Symbol not found: _iconv Referenced from: /usr/lib/libcups.2.dylib"
 2235   We had to remove the DYLD_LIBRARY_PATH environment variable from
 2236   zenmap_wrapper.py. Reported by Robert Strom. [Daniel Miller]
 2237 
 2238 o Report our https URL (https://nmap.org) in more places rather than
 2239   our non-SSL one. [David Fifield]
 2240 
 2241 o [NSE] Fix Diffie-Hellman parameter extraction in tls.lua. [Jacob Gajek]
 2242 
 2243 Nmap 6.49BETA2 [2015-06-16]
 2244 
 2245 o [GH#154] Fix a crash (assertion error) when Nmap receives an ICMP Host
 2246   Unreachable message.
 2247 
 2248 o [GH#158] Fix a configure failure when Python is not present, but no Python
 2249   projects were requested. [Gioacchino Mazzurco]
 2250 
 2251 o [GH#161] [Zenmap] Fix Zenmap on OS X which was failing with
 2252   zipimport.ZipImportError due to architecture mismatch.
 2253 
 2254 o [NSE] Remove ahbl.org checks from dnsbl.lua, since the service was shut down.
 2255   [Forrest B.]
 2256 
 2257 Nmap 6.49BETA1 [2015-06-03]
 2258 
 2259 o Integrated all of your IPv4 OS fingerprint submissions from May 2014 to
 2260   February 2015 (1900+ of them). Added 281 fingerprints, bringing the new total
 2261   to 4766. Additions include Linux 3.18, Windows 8.1, OS X 10.10, Android 5.0,
 2262   FreeBSD 10.1, OpenBSD 5.6, and more. Highlights:
 2263   http://seclists.org/nmap-dev/2015/q2/169 [Daniel Miller]
 2264 
 2265 o Integrated all of your service/version detection fingerprints submitted from
 2266   June 2013 to February 2015 (2500+ of them). The signature count soared over
 2267   the 10000 mark, a 12% increase. We now detect 1062 protocols, from http,
 2268   telnet, and ftp to jute, bgp, and slurm. Highlights:
 2269   http://seclists.org/nmap-dev/2015/q2/171 [Daniel Miller]
 2270 
 2271 o Integrated all of your IPv6 OS fingerprint submissions from June 2013 to
 2272   April 2015 (only 97 of them!). We are steadily improving the IPv6 database,
 2273   but we need your submissions. The classifier added 9 new groups, bringing the
 2274   new total to 90. Highlights: http://seclists.org/nmap-dev/2015/q2/170 [Daniel
 2275   Miller]
 2276 
 2277 o Nmap now has an official bug tracker! We are using Github Issues, which you
 2278   can reach from http://issues.nmap.org/. We welcome your bug reports,
 2279   enhancement requests, and code submissions via the Issues and Pull Request
 2280   features of Github (https://github.com/nmap/nmap), though the repository
 2281   itself is just a mirror of our authoritative Subversion repository.
 2282 
 2283 o [Zenmap] New Chinese-language (zh) translation from Jie Jiang, new Hindi (hi)
 2284   translation by Gyanendra Mishra, and updated translations for German (de,
 2285   Chris Leick), Italian (it, Jan Reister), Polish (pl, Jacek Wielemborek), and
 2286   French (fr, MaZ)
 2287 
 2288 o Added options --data <hex string> and --data-string <string> to send custom
 2289   payloads in scan packet data. [Jay Bosamiya]
 2290 
 2291 o --reason is enabled for verbosity > 2, and now includes the TTL of received
 2292   packets in Normal output (this was already present in XML) [Jay Bosamiya]
 2293 
 2294 o Fix ICMP Echo (-PE) host discovery for IPv6, broken since 6.45, caused by
 2295   failing to set the ICMP ID for outgoing packets which is used to match
 2296   incoming responses. [Andrew Waters]
 2297 
 2298 o Solve a crash on Windows (reported on Windows 8.1 on Surface Pro 3) caused by
 2299   passing a NULL pointer to a WinPcap function that then tries to write an
 2300   error message to it. [Peter Malecka]
 2301 
 2302 o Enhance Nmap's tcpwrapped service detection by using a shorter timeout for
 2303   the tcpwrapped designation. This prevents falsely labeling services as
 2304   tcpwrapped which merely have a read timeout shorter than 6 seconds. Full
 2305   discussion: http://issues.nmap.org/39 [nnposter, Daniel Miller]
 2306 
 2307 o All nmap.org pages are now available SSL-secured to improve privacy
 2308   and ensure your binaries can't be tampered with in transit. So be
 2309   sure to download from https://nmap.org/download.html . We will soon
 2310   remove the non-SSL version of the site. We still offer GPG-signed
 2311   binaries as well: https://nmap.org/book/install.html#inst-integrity
 2312 
 2313 o [NSE] Added 25 NSE scripts from 17 authors, bringing the total up to 494!
 2314   They are all listed at https://nmap.org/nsedoc/, and the summaries are below
 2315   (authors are listed in brackets):
 2316 
 2317   + bacnet-info gets device information from SCADA/ICS devices via BACnet
 2318     (Building Automation and Control Networks) [Stephen Hilt, Michael Toecker]
 2319 
 2320   + docker-version detects and fingerprints Docker [Claudio Criscione]
 2321 
 2322   + enip-info gets device information from SCADA/ICS devices via EtherNet/IP
 2323     [Stephen Hilt]
 2324 
 2325   + fcrdns performs a Forward-confirmed Reverse DNS lookup and reports
 2326     anomalous results. [Daniel Miller]
 2327 
 2328   + http-avaya-ipoffice-users enumerates users in Avaya IP Office 7.x systems.
 2329     [Paulino Calderon]
 2330 
 2331   + http-cisco-anyconnect gets version and tunnel information from Cisco SSL
 2332     VPNs. [Patrik Karlsson]
 2333 
 2334   + http-crossdomainxml detects overly permissive crossdomain policies and
 2335     finds trusted domain names available for purchase. [Paulino Calderon]
 2336 
 2337   + http-shellshock detects web applications vulnerable to Shellshock
 2338     (CVE-2014-6271). [Paulino Calderon]
 2339 
 2340   + http-vuln-cve2006-3392 exploits a file disclosure vulnerability in Webmin.
 2341     [Paul AMAR]
 2342 
 2343   + http-vuln-cve2014-2126, http-vuln-cve2014-2127, http-vuln-cve2014-2128 and
 2344     http-vuln-cve2014-2129 detect specific vulnerabilities in Cisco AnyConnect
 2345     SSL VPNs. [Patrik Karlsson]
 2346 
 2347   + http-vuln-cve2015-1427 detects Elasticsearch servers vulnerable to remote
 2348     code execution. [Gyanendra Mishra]
 2349 
 2350   + http-vuln-cve2015-1635 detects Microsoft Windows systems vulnerable to
 2351     MS15-034. [Paulino Calderon]
 2352 
 2353   + http-vuln-misfortune-cookie detects the "Misfortune Cookie" vulnerability
 2354     in Allegro RomPager 4.07, commonly used in SOHO routers for TR-069 access.
 2355     [Andrew Orr]
 2356 
 2357   + http-wordpress-plugins was renamed http-wordpress-enum and extended to
 2358     enumerate both plugins and themes of Wordpress installations and their
 2359     versions. http-wordpress-enum is now http-wordpress-users. [Paulino Calderon]
 2360 
 2361   + mikrotik-routeros-brute performs password auditing attacks against
 2362     Mikrotik's RouterOS API. [Paulino Calderon]
 2363 
 2364   + omron-info gets device information from Omron PLCs via the FINS service.
 2365     [Stephen Hilt]
 2366 
 2367   + s7-info gets device information from Siemens PLCs via the S7 service,
 2368     tunneled over ISO-TSAP on TCP port 102. [Stephen Hilt]
 2369 
 2370   + snmp-info gets the enterprise number and other information from the
 2371     snmpEngineID in an SNMPv3 response packet. [Daniel Miller]
 2372 
 2373   + ssl-ccs-injection detects whether a server is vulnerable to the SSL/TLS
 2374     CCS Injection vulnerability (CVE-2014-0224) [Claudiu Perta]
 2375 
 2376   + ssl-poodle detects the POODLE bug in SSLv3 (CVE-2014-3566) [Daniel Miller]
 2377 
 2378   + supermicro-ipmi-conf exploits Supermicro IPMI/BMC controllers. [Paulino
 2379     Calderon]
 2380 
 2381   + targets-ipv6-map4to6 generates target IPv6 addresses which correspond to
 2382     IPv4 addresses mapped within a particular IPv6 subnet. [Raúl Fuentes]
 2383 
 2384   + targets-ipv6-wordlist generates target IPv6 addresses from a wordlist made
 2385     of hexadecimal characters. [Raúl Fuentes]
 2386 
 2387 o Update our Windows build system to VS 2013 on Windows 8.1. Also, we now build
 2388   our included OpenSSL with DEP, ASLR, and SafeSEH enabled. [Daniel Miller]
 2389 
 2390 o Our OS X installer is now built for a minimum supported version of 10.8
 2391   (Mountain Lion), a much-needed update from 10.5 (Leopard). Additionally,
 2392   OpenSSL is now statically linked, allowing us to distribute the latest from
 2393   Macports instead of being subjected to the 0.9.8 branch still in use as of
 2394   10.9. [Daniel Miller]
 2395 
 2396 o Add 2 more ASCII-art configure splash images to be rotated randomly with the
 2397   traditional dragon image. New ideas for other images to use here may be sent
 2398   to dev@nmap.org. [Jay Bosamiya, Daniel Miller]
 2399 
 2404 o Fix compilation and several bugs on AIX. [Daniel Miller]
 2405 
 2406 o Fix a bug in libdnet-stripped on Solaris that resulted in the wrong MAC
 2407   address being detected for all interfaces.
 2408   http://seclists.org/nmap-dev/2015/q2/1 [Daniel Miller]
 2409 
 2410 o New features for the IPv6 OS detection engine allow for better classification
 2411   of systems: IPv6 guessed initial hop limit (TTL) and ratio of TCP initial
 2412   window size to maximum segment size. [Alexandru Geana]
 2413 
 2414 o [NSE] Rework ssl-enum-ciphers to actually score the strength of the SSL/TLS
 2415   handshake, including certificate key size and DH parameters if applicable.
 2416   This is similar to Qualys's SSL Labs scanner, and means that we no longer
 2417   maintain a list of scores per ciphersuite. [Daniel Miller]
 2418 
 2419 o [NSE] Improved http-form-brute autodetection and behavior to handle more
 2420   unusual-but-valid HTML syntax, non-POST forms, success/failure testing on
 2421   HTTP headers, and more. [nnposter]
 2422 
 2423 o [NSE] Reduce many NSE default timeouts and base them on Nmap's detected
 2424   timeouts for those hosts from the port scan phase. Scripts which take timeout
 2425   script-args can now handle 's' and 'ms' suffixes, just like Nmap's own
 2426   options. [Daniel Miller]
 2427 
 2428 o [NSE] Remove db2-discover, as its functionality was performed by service
 2429   version detection since the broadcast portion was separated into
 2430   broadcast-db2-discover. http://seclists.org/nmap-dev/2014/q3/415 [Daniel
 2431   Miller]
 2432 
 2433 o Cache dnet names not found on Windows when enumerating interfaces in the
 2434   Windows Registry. Reduces startup times. [Elon Natovich]
 2435 
 2436 o [NSE] Make smb-ls able to leverage results from smb-enum-shares or list of
 2437   shares specified on command line. [Pierre Lalet]
 2438 
 2439 o [NSE] Fix X509 cert date parsing for dates after 2049. Reported by Teppo
 2440   Turtiainen. [Daniel Miller]
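Why dates after 2049 are special: an X.509 Validity time may be encoded as UTCTime (two-digit year, which RFC 5280 pins to 1950-2049) or as GeneralizedTime (four-digit year), and a certificate expiring in 2050 or later has to use the latter. The following is an added example written for this changelog entry, not code from Nmap's sslcert.lua; it decodes both encodings from their DER TLVs, shows the encoder side of the same rule, and uses the decoded times for a validity check. Tag values and the year pivot come from RFC 5280; the sample DER strings are constructed.

```python
import re
from datetime import datetime, timezone

# ASN.1 universal tags for the two Time encodings X.509 allows (RFC 5280 4.1.2.5).
UTCTIME = 0x17
GENERALIZEDTIME = 0x18

_UTC_RE = re.compile(r"^(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")
_GEN_RE = re.compile(r"^(\d{4})(\d{2})(\d{2})(\d{2})(\d{2})(\d{2})Z$")


def parse_x509_time(tag: int, text: str) -> datetime:
    """Decode one Validity time.

    UTCTime carries a two-digit year and RFC 5280 fixes its meaning: YY >= 50
    is 19YY, YY < 50 is 20YY. That makes 2049 the last year UTCTime can express,
    so a notAfter of 2050 or later must arrive as GeneralizedTime; a parser
    that only knows UTCTime (or applies the wrong pivot) fails on such certs.
    """
    if tag == UTCTIME:
        m = _UTC_RE.match(text)
        if not m:
            raise ValueError(f"malformed UTCTime {text!r}")
        yy, mo, d, h, mi, s = (int(g) for g in m.groups())
        year = 1900 + yy if yy >= 50 else 2000 + yy
    elif tag == GENERALIZEDTIME:
        m = _GEN_RE.match(text)
        if not m:
            raise ValueError(f"malformed GeneralizedTime {text!r}")
        year, mo, d, h, mi, s = (int(g) for g in m.groups())
    else:
        raise ValueError(f"tag {tag:#x} is not a Time")
    return datetime(year, mo, d, h, mi, s, tzinfo=timezone.utc)


def parse_der_time(der: bytes) -> datetime:
    """Decode a DER TLV holding a Time. Only short-form lengths are handled,
    which is all a 13- or 15-byte time string ever needs."""
    if len(der) < 2 or der[1] & 0x80:
        raise ValueError("unsupported or truncated length")
    tag, length = der[0], der[1]
    body = der[2:2 + length]
    if len(body) != length or len(der) != 2 + length:
        raise ValueError("Time body length mismatch")
    return parse_x509_time(tag, body.decode("ascii"))


def encode_x509_time(dt: datetime):
    """Encoder side of the same rule: (tag, text), UTCTime only for 1950-2049."""
    dt = dt.astimezone(timezone.utc)
    if 1950 <= dt.year <= 2049:
        return UTCTIME, dt.strftime("%y%m%d%H%M%SZ")
    return GENERALIZEDTIME, dt.strftime("%Y%m%d%H%M%SZ")


def cert_is_valid_at(not_before_der: bytes, not_after_der: bytes, now: datetime) -> bool:
    """Validity-window check a scanner makes once both times decode correctly."""
    return parse_der_time(not_before_der) <= now <= parse_der_time(not_after_der)


if __name__ == "__main__":
    # Constructed sample: notBefore as UTCTime, notAfter beyond 2049 as GeneralizedTime.
    print(parse_der_time(b"\x17\x0d240101000000Z"))
    print(parse_der_time(b"\x18\x0f20600101000000Z"))
```

The round trip through encode_x509_time is the useful self-check: any datetime in 2050 or later comes back tagged 0x18, and a parser that silently mapped "50" to 2050 would disagree with it.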
 2441 
 2442 o Handle a bunch of socket errors that can result from odd ICMP Type 3
 2443   Destination Unreachable messages received during service scanning. The crash
 2444   reported was "Unexpected error in NSE_TYPE_READ callback.  Error code: 92
 2445   (Protocol not available)" [Daniel Miller]
 2446 
 2447 o Fixed a crash (NULL pointer dereference) in PortList::isTCPwrapped when using
 2448   -sV and -O on an unknown service not listed in nmap-services. [Pierre Lalet]
 2449 
 2450 o Fixed a benign TOCTOU race between stat() and open() in mmapfile().
 2451   Reported by Camille Mougey. [Henri Doreau]
 2452 
 2453 o Reduce CPU consumption when using nsock poll engine with no registered FD,
 2454   by actually calling Poll() for the time until timeout, instead of directly
 2455   returning zero and entering the loop again. [Henri Doreau]
 2456 
 2457 o Change the URI for the fingerprint submitter to its new location at
 2458   https://nmap.org/cgi-bin/submit.cgi
 2459 
 2460 o [NSE] Added a check for Cisco ASA version disclosure, CVE-2014-3398, to
 2461   http-enum in the 'security' category [Daniel Miller]
 2462 
 2463 o Fixed a bug that caused Nmap to fail to find any network interface when a
 2464   Prism interface is in monitor mode. The fix was to define the
 2465   ARP_HRD_IEEE80211_PRISM header identifier in the libdnet-stripped code.
 2466   [Brad Johnson]
 2467 
 2468 o Added a version probe for Tor. [David Fifield]
 2469 
 2470 o [NSE] Add support to citrix-enum-apps-xml for reporting if Citrix
 2471   published applications in the list are enforcing/requiring the level
 2472   of ICA/session data encryption shown in the script result.
 2473   [Tom Sellers]
 2474 
 2475 o [NSE] Updated our Wordpress plugin list to improve the
 2476   http-wordpress-enum NSE script. We can now detect 34,077 plugins,
 2477   up from 18,570. [Danila Poyarkov]
 2478 
 2479 o [NSE] Add the signature algorithm that was used to sign the target port's
 2480   x509 certificate to the output of ssl-cert.nse [Tom Sellers]
 2481 
 2482 o [NSE] Fixed a bug in the sslcert.lua library that was triggered against
 2483   certain services when version detection was used. [Tom Sellers]
 2484 
 2485 o [NSE] vulns.Report:make_output() now generates XML structured output
 2486   reports automatically. [Paulino Calderon]
 2487 
 2488 o [NSE] Add port.reason_ttl, host.reason, host.reason_ttl for use in scripts
 2489   [Jay Bosamiya]
 2490 
 2491 o [NSE] If a version script is run by name, nmap.version_intensity() returns
 2492   the maximum value (9) for it [Jay Bosamiya]
 2493 
 2494 o [NSE] shortport.version_port_or_service() takes an optional rarity parameter
 2495   now to run only when version intensity > rarity [Jay Bosamiya]
 2496 
 2497 o [NSE] Added nmap.version_intensity() function so that NSE version scripts
 2498   can use the argument to --version-intensity (which can be overridden by the
 2499   script arg 'script-intensity') in order to decide whether to run or not
 2500   [Jay Bosamiya]
 2501 
 2502 o Improve OS detection; If a port is detected to be 'tcpwrapped', then it will
 2503   not be used for OS detection. This helps in cases where a firewall might
 2504   cause the port to appear 'tcpwrapped' [Jay Bosamiya]
 2505 
 2506 o [Zenmap] Reduce noise generated in Topology View due to anonymous
 2507   hops [Jay Bosamiya]
 2508 
 2509 o Added option --exclude-ports to Nmap so that some ports can be excluded from
 2510   scanning (for example, due to policy) [Jay Bosamiya]
 2511 
 2512 o [Zenmap] Catch the MemoryError caused in Zenmap due to large Nmap Output,
 2513   and display a more helpful error message [Jay Bosamiya]
 2514 
 2515 o Catch badly named output files (such as those unintentionally caused by
 2516   "-oX -sV logfile.xml") [Jay Bosamiya]
 2517 
 2518 o [Zenmap] Improved NmapParser to increase speed in opening scans. Large scans
 2519   now open in seconds instead of hours. [Jay Bosamiya]
 2520 
 2521 o Modify the included libpcap configure script to disable certain unused
 2522   features: bluetooth, usb, usb-can, and dbus sniffing. Dbus support caused a
 2523   build problem on CentOS 6.5. [Daniel Miller]
 2524 
 2525 o Updated the bundled libpcap from 1.2.1 to 1.5.3 [Jay Bosamiya]
 2526 
 2527 o Correct the Target MAC Address in Nmap's ARP discovery to conform to what IP
 2528   stacks in currently popular operating systems use. [Jay Bosamiya]
 2529 
 2530 o Fixed a bug which caused Nmap to be unable to have any runtime interaction
 2531   when called from sudo or from a shell script. [Jay Bosamiya]
 2532 
 2533 o Improvements to whois-ip.nse: fix an unhandled error when a referred-to
 2534   response could not be understood; add a new pattern to recognise a
 2535   LACNIC "record not found" type of response and update the way ARIN is
 2536   queried. [jah]
 2537 
 2538 Nmap 6.47 [2014-08-23]
 2539 
 2540 o Integrated all of your IPv4 OS fingerprint submissions since June 2013
 2541   (2700+ of them). Added 366 fingerprints, bringing the new total to 4485.
 2542   Additions include Linux 3.10 - 3.14, iOS 7, OpenBSD 5.4 - 5.5, FreeBSD 9.2,
 2543   OS X 10.9, Android 4.3, and more. Many existing fingerprints were improved.
 2544   Highlights: http://seclists.org/nmap-dev/2014/q3/325 [Daniel Miller]
 2545 
 2546 o (Windows, RPMs) Upgraded the included OpenSSL to version 1.0.1i. [Daniel Miller]
 2547 
 2548 o (Windows) Upgraded the included Python to version 2.7.8. [Daniel Miller]
 2549 
 2550 o Removed the External Entity Declaration from the DOCTYPE in Nmap's XML. This
 2551   was added in 6.45, and resulted in trouble for Nmap XML parsers without
 2552   network access, as well as increased traffic to Nmap's servers. The doctype
 2553   is now:
 2554   <!DOCTYPE nmaprun>
 2555 
 2556 o [Ndiff] Fixed the installation process on Windows, which was missing the
 2557   actual Ndiff Python module since we separated it from the driver script.
 2558   [Daniel Miller]
 2559 
 2560 o [Ndiff] Fixed the ndiff.bat wrapper in the zipfile Windows distribution,
 2561   which was giving the error, "\Microsoft was unexpected at this time." See
 2562   https://support.microsoft.com/kb/2524009 [Daniel Miller]
 2563 
 2564 o [Zenmap] Fixed the Zenmap .dmg installer for OS X. Zenmap failed to launch,
 2565   producing this error:
 2566     Could not import the zenmapGUI.App module:
 2567     'dlopen(/Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so, 2):
 2568     Library not loaded: /Users/david/macports-10.5/lib/libffi.5.dylib\n
 2569     Referenced from:
 2570     /Applications/Zenmap.app/Contents/Resources/lib/python2.6/lib-dynload/glib/_glib.so\n
 2571     Reason: image not found'.
 2572 
 2573 o [Ncat] Fixed SOCKS5 username/password authentication. The password length was
 2574   being written in the wrong place, so authentication could not succeed.
 2575   Reported with patch by Pierluigi Vittori.
 2576 
 2577 o Avoid formatting NULL as "%s" when running nmap --iflist. GNU libc converts
 2578   this to the string "(null)", but it caused segfault on Solaris. [Daniel Miller]
 2579 
 2580 o [Zenmap][Ndiff] Avoid crashing when users have the antiquated PyXML package
 2581   installed. Python tries to be nice and loads it when we import xml, but it
 2582   isn't compatible. Instead, we force Python to use the standard library xml
 2583   module. [Daniel Miller]
 2584 
 2585 o Handle ICMP admin-prohibited messages when doing service version detection.
 2586   Crash reported by Nathan Stocks was: Unexpected error in NSE_TYPE_READ
 2587   callback.  Error code: 101 (Network is unreachable) [David Fifield]
 2588 
 2589 o [NSE] Fix a bug causing http.head to not honor redirects. [Patrik Karlsson]
 2590 
 2591 o [Zenmap] Fix a bug in DiffViewer causing this crash:
 2592      TypeError: GtkTextBuffer.set_text() argument 1 must be string or read-only
 2593      buffer, not NmapParserSAX
 2594   Crash happened when trying to compare two scans within Zenmap. [Daniel Miller]
 2595 
 2596 Nmap 6.46 [2014-04-18]
 2597 
 2598 o [NSE] Made numerous improvements to ssl-heartbleed to provide
 2599   more reliable detection of the vulnerability.
 2600 
 2601 o [Zenmap] Fixed a bug which caused this crash message:
 2602      IOError: [Errno socket error] [Errno 10060] A connection attempt failed
 2603      because the connected party did not properly respond after a period of
 2604      time, or established connection failed because connected host has
 2605      failed to
 2606      respond
 2607   The bug was caused by us adding a DOCTYPE definition to Nmap's XML
 2608   output which caused Python's XML parser to try and fetch the DTD
 2609   every time it parses an XML file.  We now override that DTD-fetching
 2610   behavior. [Daniel Miller]
 2611 
 2612 o [NSE] Fix some bugs which could cause snmp-ios-config and
 2613   snmp-sysdescr scripts to crash
 2614   (http://seclists.org/nmap-dev/2014/q2/120) [Patrik Karlsson]
 2615 
 2616 o [NSE] Improved performance of citrix.lua library when handling large XML
 2617   responses containing application lists. [Tom Sellers]
 2618 
 2619 Nmap 6.45 [2014-04-11]
 2620 
 2621 o Idle scan now supports IPv6. IPv6 packets don't usually come with
 2622   fragment identifiers like IPv4 packets do, so new techniques had to
 2623   be developed to make idle scan possible. The implementation is by
 2624   Mathias Morbitzer, who made it the subject of his master's thesis.
 2625 
 2626 o When doing a ping scan (-sn), the --open option will prevent down hosts from
 2627   being shown when -v is specified. This aligns with similar output for other
 2628   scan types. [Daniel Miller]
 2629 
 2630 o Fixed some syntax problems in nmap-os-db that were caused by some automated
 2631   merging of fingerprints (http://seclists.org/nmap-dev/2013/q4/68) [Daniel
 2632   Miller]
 2633 
 2634 o New service probes and fingerprints for Quake1, TeamSpeak3, xmlsysd,
 2635   Freelancer game server, All-Seeing Eye, AndroMouse, and AirHD.
 2636 
 2637 o Update included WinPcap to version 4.1.3 [Rob Nicholls]
 2638 
 2639 o [NSE] Convert many more scripts to emit structured XML output
 2640   (https://nmap.org/book/nse-api.html#nse-structured-output) [Daniel Miller]
 2641 
 2642 o [NSE] Added 24 NSE scripts from 12 authors, bringing the total up to 470.
 2643   They are all listed at https://nmap.org/nsedoc/, and the summaries are
 2644   below (authors are listed in brackets):
 2645 
 2646   + allseeingeye-info gathers information from games using this query protocol.
 2647     A version detection probe was also added. [Marin Maržić]
 2648 
 2649   + freelancer-info gathers information about the Freelancer game server. Also
 2650     added a related version detection probe and UDP protocol payload for
 2651     detecting the service. [Marin Maržić]
 2652 
 2653   + http-csrf detects Cross Site Request Forgeries (CSRF) vulnerabilities by
 2654     searching for CSRF tokens in HTML forms. [George Chatzisofroniou]
 2655 
 2656   + http-devframework finds out the technology behind the target website based
 2657     on HTTP headers, static URLs, and other content and resources. [George
 2658     Chatzisofroniou]
 2659 
 2660   + http-dlink-backdoor detects DLink routers with a firmware backdoor allowing
 2661     admin access over the HTTP interface. [Patrik Karlsson]
 2662 
 2663   + http-dombased-xss finds potential DOM-based Cross-site Scripting (XSS)
 2664     vulnerabilities by searching for specific patterns in JavaScript resources.
 2665     [George Chatzisofroniou]
 2666 
 2667   + http-errors crawls for URIs that return error status codes (HTTP 400 and
 2668     above). [George Chatzisofroniou]
 2669 
 2670   + http-feed crawls a web site for Atom and RSS feeds. [George Chatzisofroniou]
 2671 
 2672   + http-iis-short-name-brute detects Microsoft IIS servers vulnerable to a
 2673     file/folder name disclosure and a denial of service vulnerability. The
 2674     script obtains the "shortnames" of the files and folders in the webroot
 2675     folder. [Paulino Calderon]
 2676 
 2677   + http-mobileversion-checker checks for mobile versions of web pages by
 2678     setting an Android User-Agent header and checking for HTTP redirects.
 2679     [George Chatzisofroniou]
 2680 
 2681   + http-ntlm-info gets server information from Web servers that require NTLM
 2682     authentication. [Justin Cacak]
 2683 
 2684   + http-referer-checker finds JavaScript resources that are included from other
 2685     domains, increasing a website's attack surface. [George Chatzisofroniou]
 2686 
 2687   + http-server-header grabs the Server header as a last-ditch effort to get a
 2688     software version. This can't be done as a softmatch because of the need to
 2689     match non-HTTP services that obey some HTTP requests. [Daniel Miller]
 2690 
 2691   + http-useragent-tester checks for sites that redirect common Web spider
 2692     User-Agents to a different page than browsers get. [George Chatzisofroniou]
 2693 
 2694   + http-vuln-cve2013-7091 (released as http-vuln-zimbra-lfi) looks for
 2695     CVE-2013-7091, an LFI vulnerability in Zimbra. [Paul AMAR, Ron Bowes]
 2696 
 2697   + http-xssed searches the xssed.com database of Cross-site Scripting
 2698     vulnerabilities for previously-reported XSS vulnerabilities in the target.
 2699     [George Chatzisofroniou]
 2700 
 2701   + qconn-exec tests the QNX QCONN service for remote command execution.
 2702     [Brendan Coles]
 2703 
 2704   + quake1-info retrieves server and player information from Quake 1 game
 2705     servers. Reports potential DoS amplification factor.  [Ulrik Haugen]
 2706 
 2707   + rfc868-time gets the date and time from an RFC 868 Time server. [Daniel
 2708     Miller]
 2709 
 2710   + ssl-heartbleed detects the Heartbleed bug in OpenSSL CVE-2014-0160 [Patrik
 2711     Karlsson]
 2712 
 2713   + sstp-discover discovers Microsoft's Secure Socket Tunnelling Protocol
 2714     (http://msdn.microsoft.com/en-us/library/cc247338.aspx) [Niklaus Schiess]
 2715 
 2716   + unittest runs unit tests found in NSE libraries. The corresponding
 2717     unittest.lua library has examples. Run `nmap --script=unittest
 2718     --script-args=unittest.run -d` to run the tests. [Daniel Miller]
 2719 
 2720   + weblogic-t3-info detects the T3 RMI protocol used by Oracle/BEA Weblogic
 2721     and extracts the Weblogic version. [Alessandro Zanni, Daniel Miller]
 2722 
 2723   + whois-ip and whois-domain replace the whois script, which previously could
 2724     only collect whois info for IP addresses. [George Chatzisofroniou]
 2725 
 2726 o [NSE] Fixed an error-handling bug in socks-open-proxy that caused it to fail
 2727   when scanning a SOCKS4-only proxy. Reported on IRC by Husky. [Daniel Miller]
 2728 
 2729 o [NSE] Improved ntp-info script to handle underscores in returned
 2730   data. [nnposter]
 2731 
 2732 o [NSE] Add unicode library for decoding and encoding UTF-8, UTF-16, CP437 and
 2733   other character sets to Unicode code points. Scripts that previously just
 2734   added or skipped nulls in UTF-16 data can use this to support non-ASCII
 2735   characters. [Daniel Miller]
 2736 
 2737 o Significant code and documentation cleanup effort, fixing file encodings,
 2738   trailing whitespace, indentation, spelling mistakes, NSEdoc formatting
 2739   issues, PEP 8 compliance for Python, deprecation cleanup under python -3,
 2740   cleanup of warnings from LLVM's AddressSanitizer.  [Daniel Miller]
 2741 
 2742 o [Ncat] Added support for socks5 and corresponding regression tests.
 2743   [Marek Lukaszuk, Petr Stodulka]
 2744 
 2745 o Added TCP support to dns.lua. [John Bond]
 2746 
 2747 o Added safe fd_set operations. This makes nmap fail gracefully instead of
 2748   crashing when the number of file descriptors grows over FD_SETSIZE. Jacek
 2749   Wielemborek reported the crash. [Henri Doreau]
 2750 
 2751 o [NSE] Added tls library for functions related to SSLv3 and TLS messages.
 2752   Existing ssl-enum-ciphers, ssl-date, and tls-nextprotoneg scripts were
 2753   updated to use this library. [Daniel Miller]
 2754 
 2755 o Added NSE and Zenmap unit tests to "make check" [Daniel Miller]
 2756 
 2757 o [NSE] Enable http-enum to use the large Nikto fingerprint database at runtime
 2758   if provided by the user. For licensing reasons, we do not distribute this
 2759   database, but the integration effort has the blessing of the Nikto folks.
 2760   [George Chatzisofroniou]
 2761 
 2762 o Updated bundled liblua from 5.2.2 to 5.2.3 (bugfix release) [Daniel Miller]
 2763 
 2764 o Added version detection signatures and probes for a bunch of Android
 2765   remote mouse/keyboard servers, including AndroMouse, AirHID,
 2766   Wifi-mouse, and RemoteMouse. [Paul Hemberger]
 2767 
 2768 o [Ncat] Fixed compilation when --without-liblua is specified in
 2769   configure (an #include needed an ifdef guard). [Quentin Glidic]
 2770 
 2771 o Fixed a bug in libdnet with handling interfaces with AF_LINK addresses on
 2772   FreeBSD >9 reported by idwer on IRC. Likely affected other *BSDs. Handled by
 2773   skipping these non-network addresses. [Daniel Miller]
 2774 
 2775 o Fixed a bug with UDP checksum calculation. When the UDP checksum is zero
 2776   (0x0000), it must be transmitted as 1's-complement -0 (0xffff) to avoid
 2777   ambiguity with +0, which indicates no checksum was calculated. This affected
 2778   UDP on IPv4 only. Reported by Michael Weber. [Daniel Miller]
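The rule behind this fix is easy to get wrong because the field has two meanings: over IPv4 a UDP checksum of 0x0000 means "not computed", so a sender whose arithmetic genuinely produces zero must transmit 0xffff instead. The following is an added example (not Nmap's code) that computes the RFC 768 checksum over the pseudo-header, applies that substitution, and verifies datagrams the way a receiver does. The helper payload_with_zero_checksum is a constructed aid for the demonstration: it appends one tuning word so the checksum lands on exactly zero, which is the case the entry describes. Addresses and payload are constructed sample values.

```python
import socket
import struct


def ones_complement_sum(data: bytes) -> int:
    """RFC 1071 checksum arithmetic: add 16-bit words, folding carries back in."""
    if len(data) % 2:
        data = data + b"\x00"  # a trailing odd byte is padded with zero
    total = sum(w for (w,) in struct.iter_unpack("!H", data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return total


def pseudo_header(src: str, dst: str, udp_len: int) -> bytes:
    """The IPv4 pseudo-header that the UDP checksum also covers (RFC 768)."""
    return (socket.inet_aton(src) + socket.inet_aton(dst)
            + struct.pack("!BBH", 0, socket.IPPROTO_UDP, udp_len))


def raw_udp_checksum(src: str, dst: str, segment: bytes) -> int:
    """Checksum as the arithmetic produces it, before the zero rule.
    `segment` is the UDP header plus payload with the checksum field zeroed."""
    total = ones_complement_sum(pseudo_header(src, dst, len(segment)) + segment)
    return (~total) & 0xFFFF


def udp_checksum_ipv4(src: str, dst: str, segment: bytes) -> int:
    """Value to put on the wire. RFC 768: a computed zero is sent as 0xffff,
    because 0x0000 in the field means "no checksum computed" (legal over IPv4).
    Sending a literal zero here is the bug the entry above describes."""
    csum = raw_udp_checksum(src, dst, segment)
    return 0xFFFF if csum == 0 else csum


def build_udp(src, dst, sport, dport, payload):
    """Assemble a UDP datagram (header + payload) with a correct checksum."""
    length = 8 + len(payload)
    zeroed = struct.pack("!HHHH", sport, dport, length, 0) + payload
    csum = udp_checksum_ipv4(src, dst, zeroed)
    return struct.pack("!HHHH", sport, dport, length, csum) + payload


def checksum_field(datagram: bytes) -> int:
    """The checksum field as carried in a datagram."""
    return struct.unpack("!H", datagram[6:8])[0]


def verify_udp(src, dst, datagram) -> bool:
    """Receiver side: summing pseudo-header plus the datagram including its
    checksum field must give 0xffff. A zero field means the sender skipped
    the checksum, so there is nothing to verify."""
    if checksum_field(datagram) == 0:
        return True
    total = ones_complement_sum(pseudo_header(src, dst, len(datagram)) + datagram)
    return total == 0xFFFF


def payload_with_zero_checksum(src, dst, sport, dport, payload):
    """Constructed helper for the demonstration only: append one 16-bit word
    chosen so that the checksum of the finished datagram computes to zero."""
    if len(payload) % 2:
        payload = payload + b"\x00"
    length = 8 + len(payload) + 2
    head = struct.pack("!HHHH", sport, dport, length, 0)
    partial = ones_complement_sum(pseudo_header(src, dst, length) + head + payload)
    return payload + struct.pack("!H", 0xFFFF - partial)


if __name__ == "__main__":
    src, dst = "192.0.2.1", "192.0.2.2"  # constructed documentation addresses
    tuned = payload_with_zero_checksum(src, dst, 40000, 53, b"constructed payload")
    dg = build_udp(src, dst, 40000, 53, tuned)
    print(hex(checksum_field(dg)), verify_udp(src, dst, dg))
```

A receiver that follows the same rule accepts the 0xffff datagram (the sum including the field folds to 0xffff), whereas the pre-fix datagram carrying 0x0000 would simply be treated as unchecked.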
 2779 
 2780 o [NSE] Removed a fixed value (28428) which was being set for the Request ID in
 2781   the snmpWalk library function; a value based on nmap.clock_ms will now be set
 2782   instead. [jah]
 2783 
 2784 o The ICMP ID of ICMP probes is now matched against the sent ICMP ID,
 2785   to reduce the chance of false matches. Patch by Chris Johnson.
 2786 
 2787 o [NSE] Made telnet-brute support multiple parallel guessing threads,
 2788   reuse connections, and support password-only logins. [nnposter]
 2789 
 2790 o [NSE] Made the table returned by ssh1.fetch_host_key contain a "key"
 2791   element, like that of ssh2.fetch_host_key. This fixed a crash in the
 2792   ssh-hostkey script reported by Dan Farmer and Florian Pelgrim. The
 2793   "key" element of ssh2.fetch_host_key now is base64-encoded, to match
 2794   the format used by the known_hosts file. [David Fifield]
 2795 
 2796 o [Nsock] Handle timers and timeouts via a priority queue (using a heap)
 2797   for improved performance. Nsock now only iterates over events which are
 2798   completed or expired instead of inspecting the entire event set at each
 2799   iteration. [Henri Doreau]
 2800 
 2801 o [NSE] Update dns-cache-snoop script to use a new list of top 50
 2802   domains rather than a 2010 list. [Nicolle Neulist]
 2803 
 2804 o [Zenmap] Fixed a crash that would happen when you entered a search
 2805   term starting with a colon: "AttributeError:
 2806   'FilteredNetworkInventory' object has no attribute 'match_'".
 2807   Reported by Kris Paernell. [David Fifield]
 2808 
 2809 o [Ncat] Added NCAT_PROTO, NCAT_REMOTE_ADDR, NCAT_REMOTE_PORT, NCAT_LOCAL_ADDR
 2810   and NCAT_LOCAL_PORT environment variables being set in all --*-exec child
 2811   processes.
 2812 
 2813 Nmap 6.40 [2013-07-29]
 2814 
 2815 o [Ncat] Added --lua-exec. This feature is basically the equivalent of 'ncat
 2816   --sh-exec "lua <scriptname>"' and allows you to run Lua scripts with Ncat,
 2817   redirecting all stdin and stdout operations to the socket connection. See
 2818   https://nmap.org/book/ncat-man-command-options.html [Jacek Wielemborek]
 2819 
 2820 o Integrated all of your IPv4 OS fingerprint submissions since January
 2821   (1,300 of them). Added 91 fingerprints, bringing the new total to 4,118.
 2822   Additions include Linux 3.7, iOS 6.1, OpenBSD 5.3, AIX 7.1, and more.
 2823   Many existing fingerprints were improved. Highlights:
 2824   http://seclists.org/nmap-dev/2013/q2/518. [David Fifield]
 2825 
 2826 o Integrated all of your service/version detection fingerprints submitted
 2827   since January (737 of them)! Our signature count jumped by 273 to 8,979.
 2828   We still detect 897 protocols, from extremely popular ones like http, ssh,
 2829   smtp and imap to the more obscure airdroid, gopher-proxy, and
 2830   enemyterritory. Highlights:
 2831   http://seclists.org/nmap-dev/2013/q3/80. [David Fifield]
 2832 
 2833 o Integrated your latest IPv6 OS submissions and corrections. We're still
 2834   low on IPv6 fingerprints, so please scan any IPv6 systems you own or
 2835   administer and submit them to https://nmap.org/submit/.  Both new
 2836   fingerprints (if Nmap doesn't find a good match) and corrections (if Nmap
 2837   guesses wrong) are useful. [David Fifield]
 2838 
 2839 o [Nsock] Added initial proxy support to Nsock. Nmap version detection
 2840   and NSE can now establish TCP connections through chains of one or
 2841   more CONNECT or SOCKS4 proxies. Use the Nmap --proxies option with a
 2842   chain of one or more proxies as the argument (example:
 2843   http://localhost:8080,socks4://someproxy.example.com). Note that
 2844   only version detection and NSE are supported so far (no port
 2845   scanning or host discovery), and there are other limitations
 2846   described in the man page. [Henri Doreau]
 2847 
 2848 o [NSE] Added 14 NSE scripts from 6 authors, bringing the total up to 446.
 2849   They are all listed at https://nmap.org/nsedoc/, and the summaries are
 2850   below (authors are listed in brackets):
 2851 
 2852   + hostmap-ip2hosts finds hostnames that resolve to the target's IP address
 2853     by querying the online database at http://www.ip2hosts.com (uses Bing
 2854     search results) [Paulino Calderon]
 2855 
 2856   + http-adobe-coldfusion-apsa1301 attempts to exploit an authentication
 2857     bypass vulnerability in Adobe Coldfusion servers (APSA13-01:
 2858     http://www.adobe.com/support/security/advisories/apsa13-01.html) to
 2859     retrieve a valid administrator's session cookie. [Paulino Calderon]
 2860 
 2861   + http-coldfusion-subzero attempts to retrieve version, absolute path of
 2862     administration panel and the file 'password.properties' from vulnerable
 2863     installations of ColdFusion 9 and 10. [Paulino Calderon]
 2864 
 2865   + http-comments-displayer extracts and outputs HTML and JavaScript
 2866     comments from HTTP responses. [George Chatzisofroniou]
 2867 
 2868   + http-fileupload-exploiter exploits insecure file upload forms in web
 2869     applications using various techniques like changing the Content-type
 2870     header or creating valid image files containing the payload in the
 2871     comment. [George Chatzisofroniou]
 2872 
 2873   + http-phpmyadmin-dir-traversal exploits a directory traversal
 2874     vulnerability in phpMyAdmin 2.6.4-pl1 (and possibly other versions) to
 2875     retrieve remote files on the web server. [Alexey Meshcheryakov]
 2876 
 2877   + http-stored-xss posts specially crafted strings to every form it
 2878     encounters and then searches through the website for those strings to
 2879     determine whether the payloads were successful. [George Chatzisofroniou]
 2880 
 2881   + http-vuln-cve2013-0156 detects Ruby on Rails servers vulnerable to
 2882     object injection, remote command executions and denial of service
 2883     attacks. (CVE-2013-0156) [Paulino Calderon]
 2884 
 2885   + ike-version obtains information (such as vendor and device type where
 2886     available) from an IKE service by sending four packets to the host.
 2887     This script tests with both Main and Aggressive Mode and sends multiple
 2888     transforms per request. [Jesper Kueckelhahn]
 2889 
 2890   + murmur-version detects the Murmur service (server for the Mumble voice
 2891     communication client) versions 1.2.X. [Marin Maržić]
 2892 
 2893   + mysql-enum performs valid-user enumeration against MySQL server using a
 2894     bug discovered and published by Kingcope
 2895     (http://seclists.org/fulldisclosure/2012/Dec/9). [Aleksandar Nikolic]
 2896 
 2897   + teamspeak2-version detects the TeamSpeak 2 voice communication server
 2898     and attempts to determine version and configuration information. [Marin
 2899     Maržić]
 2900 
 2901   + ventrilo-info detects the Ventrilo voice communication server service
 2902     versions 2.1.2 and above and tries to determine version and
 2903     configuration information. [Marin Maržić]
 2904 
 2905 o Updated the Nmap license agreement to close some loopholes and stop some
 2906   abusers. It's particularly targeted at companies which distribute
 2907   malware-laden Nmap installers as we caught Download.com doing last
 2908   year--http://insecure.org/news/download-com-fiasco.html . The updated
 2909   license is in all the normal places, including
 2910   https://svn.nmap.org/nmap/COPYING.
 2911 
 2912 o [NSE][SECURITY] Oops, there was a vulnerability in one of our 437 NSE scripts.  If
 2913   you ran the (fortunately non-default) http-domino-enum-passwords script
 2914   with the (fortunately also non-default) domino-enum-passwords.idpath
 2915   parameter against a malicious server, it could cause an arbitrarily named
 2916   file to be written to the client system. Thanks to Trustwave researcher
 2917   Piotr Duszynski for discovering and reporting the problem.  We've fixed
 2918   that script, and also updated several other scripts to use a new
 2919   stdnse.filename_escape function for extra safety. This breaks our record
 2920   of never having a vulnerability in the 16 years that Nmap has existed, but
 2921   that's still a fairly good run! [David, Fyodor]
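The defensive pattern this entry introduces is worth seeing in code: a client that writes files whose names come from a scanned server must never let that name choose the directory. The block below is an added Python analogue of the idea behind stdnse.filename_escape, not Nmap's Lua implementation; the allow-list, the percent-encoding and the containment check are my choices. It encodes every character outside a conservative set, neutralises "." and ".." as whole names, and confirms the final path stays under the intended output directory. Paths and names in the test are constructed.

```python
import posixpath
import re

# Allow-list of characters that pass through unchanged; everything else,
# including '/', '\\', NUL, spaces and control or non-ASCII bytes, is
# percent-encoded so the result is always a single path component.
_SAFE_CHAR = re.compile(r"[A-Za-z0-9._-]")


def filename_escape(name: str) -> str:
    """Turn a server-supplied name into one safe path component.
    (Added analogue of stdnse.filename_escape's purpose; not Nmap's code.)"""
    out = []
    for byte in name.encode("utf-8"):
        ch = chr(byte)
        out.append(ch if _SAFE_CHAR.fullmatch(ch) else f"%{byte:02X}")
    escaped = "".join(out)
    # "." and ".." consist only of allowed characters but name directories,
    # so they are neutralised when they make up the whole name.
    if escaped in (".", ".."):
        escaped = escaped.replace(".", "%2E")
    return escaped


def is_within(base_dir: str, relative_name: str) -> bool:
    """Containment check: the joined, normalised path must stay under base_dir.
    POSIX path rules are used explicitly so the check behaves the same everywhere."""
    base = posixpath.normpath(base_dir)
    target = posixpath.normpath(posixpath.join(base, relative_name))
    return target == base or target.startswith(base + "/")


def output_path(base_dir: str, untrusted_name: str) -> str:
    """Path a client would actually write to: escape first, then verify.
    The verification is belt-and-braces; with the escape above it cannot fail."""
    safe = filename_escape(untrusted_name)
    if not is_within(base_dir, safe):
        raise ValueError(f"refusing to write outside {base_dir!r}")
    return posixpath.join(base_dir, safe)


if __name__ == "__main__":
    # Constructed hostile name of the kind a malicious server could return.
    print(output_path("/tmp/out", "../../etc/passwd"))
```

The important property is that the escaped name contains no separator at all, so the containment check is a second, independent guard rather than the only one.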
 2922 
 2923 o Unicast CIDR-style IPv6 range scanning is now supported, so you can
 2924   specify targets such as en.wikipedia.org/120.  Obviously it will take ages
 2925   if you specify a huge space.  For example, a /64 contains
 2926   18,446,744,073,709,551,616 addresses. [David Fifield]
 2927 
 2928 o It's now possible to mix IPv4 range notation with CIDR netmasks in target
 2929   specifications. For example, 192.168-170.4-100,200.5/16 is effectively the
 2930   same as 192.168-170.0-255.0-255. [David Fifield]
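To see why the two specifications are equivalent, expand the range notation first and then widen each resulting address to its /16 network: 192.168.x.5, 192.169.x.5 and 192.170.x.5 collapse to three /16 networks, which is exactly 192.168-170.0-255.0-255. The following is an added example, not Nmap's target parser; it implements the octet-range syntax the entry shows (and, as my own assumption about the syntax, open-ended ranges such as "3-" and "-5"), applies the prefix to every expanded address and deduplicates. It also reports the distinct networks a spec covers, which is the check to run before pointing a scan at a large space.

```python
import ipaddress
from itertools import product


def expand_octet(spec: str):
    """One dotted-quad field: '5', '4-100', '4-100,200'. Open ends ('-', '-5',
    '3-') are treated as 0-255, 0-5, 3-255; that part is an assumption here."""
    values = set()
    for part in spec.split(","):
        if "-" in part:
            lo, _, hi = part.partition("-")
            lo, hi = (int(lo) if lo else 0), (int(hi) if hi else 255)
        else:
            lo = hi = int(part)
        if not 0 <= lo <= hi <= 255:
            raise ValueError(f"bad octet range {part!r}")
        values.update(range(lo, hi + 1))
    return sorted(values)


def _split(spec: str):
    """Separate the host part from an optional /prefix and expand each octet."""
    host, _, prefix = spec.partition("/")
    plen = int(prefix) if prefix else 32
    if not 0 <= plen <= 32:
        raise ValueError(f"bad prefix length in {spec!r}")
    octets = host.split(".")
    if len(octets) != 4:
        raise ValueError(f"expected four octets in {host!r}")
    return [expand_octet(o) for o in octets], plen


def _expand_hosts(ranges):
    """Cartesian product of the four octet ranges, as 32-bit integers."""
    return {(a << 24) | (b << 16) | (c << 8) | d for a, b, c, d in product(*ranges)}


def _mask(plen: int) -> int:
    return (0xFFFFFFFF << (32 - plen)) & 0xFFFFFFFF


def networks_for(spec: str):
    """Distinct networks the spec denotes: every expanded address is widened to
    its /prefix network, duplicates collapse, result in address order."""
    ranges, plen = _split(spec)
    bases = {addr & _mask(plen) for addr in _expand_hosts(ranges)}
    return [f"{ipaddress.IPv4Address(b)}/{plen}" for b in sorted(bases)]


def expand_target(spec: str):
    """All addresses (as 32-bit ints) the spec covers, deduplicated."""
    ranges, plen = _split(spec)
    if plen == 32:
        return _expand_hosts(ranges)
    size = 1 << (32 - plen)
    addrs = set()
    for base in {addr & _mask(plen) for addr in _expand_hosts(ranges)}:
        addrs.update(range(base, base + size))
    return addrs


def count_targets(spec: str) -> int:
    return len(expand_target(spec))


if __name__ == "__main__":
    print(networks_for("192.168-170.4-100,200.5/16"))
    print(count_targets("192.168-170.4-100,200.5/16"))
```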
 2931 
 2932 o Timeout script-args are now standardized to use the timespec that Nmap's
 2933   command-line arguments take (5s, 5000ms, 1h, etc.). Some scripts that
 2934   previously took an integer number of milliseconds will now treat that as a
 2935   number of seconds if not explicitly denoted as ms. [Daniel Miller]
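The suffix handling that this entry and the 6.49 note on NSE timeouts both refer to is a small parser, and the migration hazard it creates is easy to check for. The block below is an added example, not Nmap's own timespec code: it accepts the ms, s, m and h suffixes that Nmap's command-line options take, treats an unsuffixed number as seconds (the new default the entry describes), and flags arguments whose meaning changed from the old millisecond reading.

```python
import re

# Multipliers to milliseconds for the suffixes Nmap's own options accept.
_UNIT_MS = {"ms": 1, "s": 1000, "m": 60 * 1000, "h": 60 * 60 * 1000}
_SPEC_RE = re.compile(r"^\s*(\d+(?:\.\d+)?)\s*([a-z]*)\s*$", re.IGNORECASE)


def parse_timespec_ms(spec, default_unit: str = "s") -> int:
    """Milliseconds denoted by '5s', '5000ms', '1h', '0.5m' or a bare number.
    A bare number is read in default_unit, seconds by default, so a
    script-arg of '500' means 500 seconds unless it is written '500ms'."""
    m = _SPEC_RE.match(str(spec))
    if not m:
        raise ValueError(f"unparseable timespec {spec!r}")
    number, unit = m.group(1), (m.group(2) or default_unit).lower()
    if unit not in _UNIT_MS:
        raise ValueError(f"unknown time unit {unit!r} in {spec!r}")
    return int(round(float(number) * _UNIT_MS[unit]))


def legacy_ms_interpretation(spec) -> int:
    """How a script that took a plain count of milliseconds read the same
    argument before this change; kept only to show the difference."""
    return int(spec)


def timeout_changed_meaning(spec) -> bool:
    """True when an unsuffixed argument that used to mean N ms now means N s."""
    text = str(spec).strip()
    return text.isdigit() and parse_timespec_ms(text) != legacy_ms_interpretation(text)


if __name__ == "__main__":
    for arg in ("5s", "5000ms", "1h", "500", "500ms"):
        print(arg, parse_timespec_ms(arg), timeout_changed_meaning(arg))
```

The practical use of timeout_changed_meaning is auditing old command lines or scripts: any bare integer timeout argument other than 0 now waits a thousand times longer than before.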
 2936 
 2937 o Nmap may now partially rearrange its target list for more efficient
 2938   host groups. Previously, a single target with a different interface,
 2939   or with an IP address the same as that of a target already in the
 2940   group, would cause the group to be broken off at whatever size it
 2941   was. Now, we buffer a small number of such targets, and keep looking
 2942   through the input for more targets to fill out the current group.
 2943   [David Fifield]
 2944 
 2945 o [Ncat] The -i option (idle timeout) now works in listen mode as well as
 2946   connect mode. [Tomas Hozza]
 2947 
 2948 o [Ncat] Ncat now supports chained certificates with the --ssl-cert
 2949   option. [Greg Bailey]
 2950 
 2951 o [Nping] Nping now checks for a matching ICMP ID on echo replies, to avoid
 2952   receiving crosstalk from other ping programs running at the same
 2953   time. [David Fifield]
 2954 
 2955 o [NSE] The ipOps.isPrivate library now considers the deprecated site-local
 2956   prefix fec0::/10 to be private. [Marek Majkowski]
 2957 
 2958 o Nmap's routing table is now sorted first by netmask, then by metric.
 2959   Previously it was the other way around, which could cause a very general
 2960   route with a low metric to be preferred over a specific route with a
 2961   higher metric.
 2962 
 2963 o Routes are now sorted to prefer those with a lower metric. Retrieval of
 2964   metrics is supported only on Linux and Windows. [David Fifield]
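The ordering problem in these two entries is concrete enough to reproduce: with a first-match lookup over a table sorted by metric first, a default route with metric 1 wins over a more specific /8 with metric 100, which sends the traffic out the wrong interface. The following is an added example, not Nmap's routing code, that sorts a small constructed route table both ways and performs the lookup; it assumes a route is just a destination network, a device name and a metric.

```python
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Route:
    dest: str     # destination network in CIDR form, e.g. "10.0.0.0/8"
    device: str
    metric: int


def _prefixlen(route: Route) -> int:
    return ipaddress.ip_network(route.dest).prefixlen


def sort_routes(routes):
    """Order after the fix: most specific netmask first, then lower metric."""
    return sorted(routes, key=lambda r: (-_prefixlen(r), r.metric))


def sort_routes_metric_first(routes):
    """The earlier order, metric before netmask; kept only to show the mis-selection."""
    return sorted(routes, key=lambda r: (r.metric, -_prefixlen(r)))


def select_route(sorted_routes, dst: str):
    """First-match lookup, which is how a sorted table is consulted."""
    ip = ipaddress.ip_address(dst)
    for r in sorted_routes:
        if ip in ipaddress.ip_network(r.dest):
            return r
    return None


# Constructed sample table; not taken from any real host.
SAMPLE_ROUTES = [
    Route("0.0.0.0/0", "eth0", 1),
    Route("10.0.0.0/8", "tun0", 100),
    Route("10.0.0.0/8", "tun1", 20),
    Route("10.1.0.0/16", "eth1", 50),
]


if __name__ == "__main__":
    for order in (sort_routes, sort_routes_metric_first):
        chosen = select_route(order(SAMPLE_ROUTES), "10.1.2.3")
        print(order.__name__, "->", chosen.dest, chosen.device)
```

With the corrected order the /16 wins for 10.1.2.3 and, between the two /8 routes, the lower metric decides; with the old order the default route is consulted first and matches everything.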
 2965 
 2966 o Fixed a byte-ordering problem on little-endian architectures when doing
 2967   idle scan with a zombie that uses broken ID increments.  [David Fifield]
 2968 
 2969 o Stop parsing TCP options after reaching EOL in libnetutil. Bug reported by
 2970   Gustavo Moreira. [Henri Doreau]
 2971 
 2972 o [NSE] The dns-ip6-arpa-scan script now optionally accepts "/" syntax for a
 2973   network mask. Based on a patch by Indula Nayanamith.
 2974 
 2975 o [Ncat] Reduced the default --max-conns limit from 100 to 60 on Windows, to
 2976   stay within platform limitations. Suggested by Andrey Olkhin.
 2977 
 2978 o Fixed IPv6 routing table alignment on NetBSD.
 2979 
 2980 o Fixed our NSEDoc system so the author field uses UTF-8 and we can spell
 2981   people's names properly, even if they use crazy non-ASCII characters like
 2982   Marin Maržić.  [David Fifield]
 2983 
 2984 o UDP protocol payloads were added for detecting the Murmur service (a
 2985   server for the Mumble voice communication client) and TeamSpeak 2 VoIP
 2986   software.
 2987 
 2988 o [NSE] Added http-phpmyadmin-dir-traversal by Alexey Meshcheryakov.
 2989 
 2990 o Updated libdnet to not SIOCIFNETMASK before SIOCIFADDR on OpenBSD. This
 2991   was reported to break on -current as of May 2013. [Giovanni Bechis]
 2992 
 2993 o Fixed address matching for SCTP (-PY) ping. [Marin Maržić]
 2994 
 2995 o Removed some non-ANSI-C strftime format strings ("%F") and
 2996   locale-dependent formats ("%c") from NSE scripts and libraries.
 2997   C99-specified %F was noticed by Alex Weber. [Daniel Miller]
 2998 
 2999 o [Zenmap] Improved internationalization support:
 3000   + Added Polish translation by Jacek Wielemborek.
 3001   + Updated the Italian translation. [Giacomo]
 3002 
 3003 o [Zenmap] Fixed internationalization files. Running in a language other
 3004   than the default English would result in the error "ValueError: too many
 3005   values to unpack". [David Fifield]
 3006 
 3007 o [NSE] Updated the included Liblua from version 5.2.1 to 5.2.2. [Patrick
 3008   Donnelly]
 3009 
 3010 o [Nsock] Added a minimal regression test suite for Nsock. [Henri Doreau]
 3011 
 3012 o [NSE] Updated the redis-brute and redis-info scripts to work against the
 3013   latest versions of redis server. [Henri Doreau]
 3014 
 3015 o [Ncat] Fixed errors in connecting to IPv6 proxies. [Joachim Henke]
 3016 
 3017 o [NSE] Updated hostmap-bfk to work with the latest version of their website
 3018   (bfk.de). [Paulino Calderon]
 3019 
 3020 o [NSE] Added XML structured output support to:
 3021   + xmpp-info, irc-info, sslv2, address-info [Daniel Miller]
 3022   + hostmap-bfk, hostmap-robtex, hostmap-ip2hosts. [Paulino Calderon]
 3023   + http-git.nse. [Alex Weber]
 3024 
 3025 o Added new service probes for:
 3026   + Erlang distribution nodes [Michael Schierl]
 3027   + Minecraft servers. [Eric Davisson]
 3028   + Hazelcast data grid. [Pavel Kankovsky]
 3029 
 3030 o [NSE] Rewrote telnet-brute for better compatibility with a variety of
 3031   telnet servers. [nnposter]
 3032 
 3033 o Fixed a regression that changed the number of delimiters in machine
 3034   output. [Daniel Miller]
 3035 
 3036 o Fixed a regression in broadcast-dropbox-listener which prevented it from
 3037   producing output. [Daniel Miller]
 3038 
 3039 o Handle ICMP type 11 (Time Exceeded) responses to port scan probes.  Ports
 3040   will be reported as "filtered", to be consistent with existing Connect
 3041   scan results, and will have a reason of time-exceeded.  DiabloHorn
 3042   reported this issue via IRC. [Daniel Miller]
 3043 
 3044 o Added new decoders (BROWSER, DHCP6 and LLMNR) to broadcast-listener and
 3045   changed the output of some of the decoders slightly. [Patrik Karlsson]
 3046 
 3047 o The list of name servers on Windows now ignores those from inactive
 3048   interfaces. [David Fifield]
 3049 
 3050 o Namespace the pipes used to communicate with subprocesses by PID, to keep
 3051   multiple instances of Ncat from interfering with each other.  Patch by
 3052   Andrey Olkhin.
 3053 
 3054 o [NSE] Changed ip-geolocation-geoplugin to use the web service's new output
 3055   format. Reported by Robin Wood.
 3056 
 3057 o Limited the number of open sockets in ultra_scan to FD_SETSIZE. Very fast
 3058   connect scans could write past the end of an fd_set and cause a variety of
 3059   crashes:
 3060     nmap: scan_engine.cc:978: bool ConnectScanInfo::clearSD(int): Assertion `numSDs > 0' failed.
 3061     select failed in do_one_select_round(): Bad file descriptor (9)
 3062   [David Fifield]
 3063 
 3064 o Fixed a bug that prevented Nmap from finding any interfaces when one of
 3065   them had the type ARPHRD_APPLETALK; this was the case for AppleTalk
 3066   interfaces. However, this support is not complete since AppleTalk
 3067   interfaces use hardware addresses of a different size than Ethernet's.
 3068   Nmap IP level scans should work without any problem; please refer to the
 3069   '--send-ip' switch and to the following thread:
 3070   http://seclists.org/nmap-dev/2013/q1/214.  This bug was reported by Steven
 3071   Gregory Johnson. [Daniel Miller]
 3072 
 3073 o [Nping] Nping on Windows now skips localhost targets for privileged pings
 3074   (with an error message) because those generally don't work.  [David
 3075   Fifield]
 3076 
 3077 o [Ncat] Ncat now keeps running in connect mode after receiving EOF from the
 3078   remote socket, unless --recv-only is in effect.  [Tomas Hozza]
 3079 
 3080 o Packet traces of ICMP packets now include the ICMP ID and sequence number
 3081   by default. [David Fifield]
 3082 
 3083 o [NSE] Fixed various NSEDoc bugs found by David Matousek.
 3084 
 3085 o [Zenmap] Zenmap now understands the NMAP_PRIVILEGED and NMAP_UNPRIVILEGED
 3086   environment variables. [Tyler Wagner]
 3087 
 3088 o Added an ncat_assert macro.  This is similar to assert(), but remains even
 3089   if NDEBUG is defined. Replaced all Ncat asserts with this. We also moved
 3090   operations with side effects outside of asserts as yet another layer of
 3091   bug prevention. [David Fifield]
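As an added illustration (not Ncat's source; the cursor type and the assert_ndebug macro name are hypothetical), here is what such an always-on macro looks like and why the second change matters: a side effect placed inside a standard assert() simply disappears from a build compiled with NDEBUG.

```c
#include <stdio.h>
#include <stdlib.h>
#include <stddef.h>

/* Like assert(), but never compiled out: the check runs in every build.
 * (Added example of the idea behind ncat_assert; not Ncat's own code.) */
#define ncat_assert(expr)                                            \
    do {                                                             \
        if (!(expr)) {                                               \
            fprintf(stderr, "%s:%d: ncat_assert(%s) failed\n",       \
                    __FILE__, __LINE__, #expr);                      \
            abort();                                                 \
        }                                                            \
    } while (0)

/* What the standard assert() becomes once NDEBUG is defined: the whole
 * argument is dropped unevaluated. Spelled out under a hypothetical name
 * so the demonstration does not depend on compiler flags. */
#define assert_ndebug(expr) ((void)0)

/* A cursor over a received buffer, standing in for a socket read. */
struct cursor {
    const unsigned char *data;
    size_t left;
};

/* Consume one byte. Returns 1 on success, 0 if the buffer is empty. */
static int take_byte(struct cursor *c, unsigned char *out)
{
    if (c->left == 0)
        return 0;
    *out = *c->data++;
    c->left--;
    return 1;
}

/* BUGGY pattern: the read that advances the cursor is the asserted
 * expression. In a release build the call never happens and the caller
 * returns a value that was never read (forced to 0xFF for determinism). */
int next_byte_buggy(struct cursor *c)
{
    unsigned char b = 0xFF;
    assert_ndebug(take_byte(c, &b) == 1);
    return b;
}

/* FIXED pattern: perform the side effect unconditionally, then check its
 * result with a macro that survives NDEBUG. */
int next_byte_fixed(struct cursor *c)
{
    unsigned char b = 0;
    int rc = take_byte(c, &b);
    ncat_assert(rc == 1);
    return b;
}

/* Constructed three-byte message used by the drivers below. */
static const unsigned char sample_msg[] = { 0x01, 0x02, 0x03 };

/* Bytes actually consumed from sample_msg by one buggy read: 0. */
size_t consumed_by_buggy(void)
{
    struct cursor c = { sample_msg, sizeof sample_msg };
    (void)next_byte_buggy(&c);
    return sizeof sample_msg - c.left;
}

/* Bytes actually consumed from sample_msg by one fixed read: 1. */
size_t consumed_by_fixed(void)
{
    struct cursor c = { sample_msg, sizeof sample_msg };
    (void)next_byte_fixed(&c);
    return sizeof sample_msg - c.left;
}

/* The value the fixed read returns for sample_msg: 0x01. */
int first_byte_fixed(void)
{
    struct cursor c = { sample_msg, sizeof sample_msg };
    return next_byte_fixed(&c);
}

int main(void)
{
    printf("buggy read consumed %zu byte(s), fixed read consumed %zu\n",
           consumed_by_buggy(), consumed_by_fixed());
    return 0;
}
```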
 3092 
 3093 o Added nmap-fo.xsl, contributed by Tilik Ammon. This converts Nmap XML into
 3094   XSL-FO, which can be converted into PDF using tools such as Apache FOP.
 3095 
 3096 o Increased the number of slack file descriptors not used during connect
 3097   scan. Previously, the calculation did not consider the descriptors used by
 3098   various open log files. Connect scans using a lot of sockets could fail
 3099   with the message "Socket creation in sendConnectScanProbe: Too many open
 3100   files". [David Fifield]
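This entry and the FD_SETSIZE entry above come down to the same rule: a descriptor may only be placed in an fd_set if it is below FD_SETSIZE, and the socket budget has to leave room for every non-socket descriptor the process holds. The following added example (not Nmap's code; the struct, function names and the slack constant are illustrative) is a bounds-checked tracker that enforces both.

```c
#include <stdio.h>
#include <sys/select.h>
#include <sys/resource.h>

/* Descriptors a scanner holds that are not scan sockets: stdin/stdout/
 * stderr plus a reserve for things opened mid-scan (DNS, data files).
 * Illustrative value, not Nmap's. */
#define NON_SOCKET_SLACK 10

struct scan_sockets {
    fd_set fds;      /* descriptors currently being polled */
    int num_sds;     /* how many bits are set in fds */
    int max_sds;     /* budget from socket_budget() */
};

/* How many sockets a connect scan may hold open at once. 'limit' is the
 * process descriptor limit (RLIMIT_NOFILE), 'open_logs' the number of
 * output files already open (each of -oN/-oX/-oG costs one). */
int socket_budget(long limit, int open_logs)
{
    long budget = limit - open_logs - NON_SOCKET_SLACK;
    /* fd_set represents descriptors 0..FD_SETSIZE-1 only; a larger
     * rlimit does not make higher descriptors safe to FD_SET(). */
    if (budget > FD_SETSIZE)
        budget = FD_SETSIZE;
    return budget < 0 ? 0 : (int)budget;
}

void scan_sockets_init(struct scan_sockets *s, long limit, int open_logs)
{
    FD_ZERO(&s->fds);
    s->num_sds = 0;
    s->max_sds = socket_budget(limit, open_logs);
}

/* Bounds-checked FD_SET. FD_SET() with fd >= FD_SETSIZE writes past the
 * end of the fd_set bit array, which is how the assertion failure and the
 * "Bad file descriptor" select() error in this entry came about. Returns
 * 0 on success, -1 if fd is out of range, already tracked, or the budget
 * is exhausted. */
int scan_sockets_add(struct scan_sockets *s, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE)
        return -1;
    if (s->num_sds >= s->max_sds || FD_ISSET(fd, &s->fds))
        return -1;
    FD_SET(fd, &s->fds);
    s->num_sds++;
    return 0;
}

/* Bounds-checked FD_CLR; returns -1 instead of letting num_sds go
 * negative when asked to clear a descriptor that was never tracked. */
int scan_sockets_clear(struct scan_sockets *s, int fd)
{
    if (fd < 0 || fd >= FD_SETSIZE || !FD_ISSET(fd, &s->fds))
        return -1;
    FD_CLR(fd, &s->fds);
    s->num_sds--;
    return 0;
}

/* Walks the tracker through the cases that used to misbehave and returns
 * 1 if every guard held. */
int tracker_selftest(void)
{
    struct scan_sockets s;
    scan_sockets_init(&s, 1024, 3);
    if (scan_sockets_add(&s, FD_SETSIZE) != -1) return 0;  /* past the array */
    if (scan_sockets_add(&s, -1) != -1) return 0;
    if (scan_sockets_add(&s, 7) != 0) return 0;
    if (scan_sockets_add(&s, 7) != -1) return 0;           /* no double count */
    if (s.num_sds != 1) return 0;
    if (scan_sockets_clear(&s, 7) != 0) return 0;
    if (scan_sockets_clear(&s, 7) != -1) return 0;         /* numSDs stays >= 0 */
    return s.num_sds == 0;
}

int main(void)
{
    struct rlimit rl;
    long limit = 1024;
    if (getrlimit(RLIMIT_NOFILE, &rl) == 0 && rl.rlim_cur != RLIM_INFINITY)
        limit = (long)rl.rlim_cur;
    printf("descriptor limit %ld, FD_SETSIZE %d, socket budget %d\n",
           limit, FD_SETSIZE, socket_budget(limit, 3));
    printf("selftest %s\n", tracker_selftest() ? "passed" : "FAILED");
    return 0;
}
```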
 3101 
 3102 o Changed the --webxml XSL stylesheet to point to the new location of
 3103   nmap.xsl in the new repository (https://svn.nmap.org/nmap/docs/nmap.xsl).
 3104   It may still not work in web browsers due to the same-origin policy (see
 3105   http://seclists.org/nmap-dev/2013/q1/58). [David Fifield, Simon John]
 3106 
 3107 o [NSE] The vulnerability library can now preserve vulnerability information
 3108   across multiple ports of the same host. The bug was reported by
 3109   iphelix. [Djalal Harouni]
 3110 
 3111 o Removed the undocumented -q option, which renamed the nmap process to
 3112   something like "pine".
 3113 
 3114 o Moved the Japanese man page from man1/jp to man1/ja. JP is a country code
 3115   while JA is a language code. Reported by Christian Neukirchen.
 3116 
 3117 o [Nsock] Reworked the logging infrastructure to make it more flexible and
 3118   consistent. Updated Nmap, Nping and Ncat accordingly. Nsock log level can
 3119   now be adjusted at runtime by pressing d/D in nmap.  [Henri Doreau, David
 3120   Fifield]
 3121 
 3122 o [NSE] Fixed scripts using unconnected UDP sockets. The bug was reported by
 3123   Dhiru Kholia at http://seclists.org/nmap-dev/2012/q4/422. [David Fifield]
 3124 
 3125 o Made some changes to Ndiff to reduce parsing time when dealing with large
 3126   Nmap XML output files. [Henri Doreau]
 3127 
 3128 o Cleaned up the source code a bit to resolve some false positive issues
 3129   identified by the Parfait static code analysis program. Oracle apparently
 3130   runs this on programs (including Nmap) that they ship with Solaris.  See
 3131   http://seclists.org/nmap-dev/2012/q4/504. [David Fifield]
 3132 
 3133 o [Zenmap] Fixed a crash that could be caused by opening the About dialog,
 3134   using the window manager to close it, and opening it again.  This was
 3135   reported by Yashartha Chaturvedi and Jordan Schroeder.  [David Fifield]
 3136 
 3137 o [Ncat] Made test-addrset.sh exit with nonzero status if any tests
 3138   fail. This in turn causes "make check" to fail if any tests fail.
 3139   [Andreas Stieger]
 3140 
 3141 o Fixed compilation with --without-liblua. The bug was reported by Rick
 3142   Farina, Nikos Chantziaras, and Alex Turbov. [David Fifield]
 3143 
 3144 o Fixed CRC32c calculation (as used in SCTP scans) on 64-bit
 3145   platforms. [Pontus Andersson]
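The entry does not say what went wrong on 64-bit platforms. The following added example (not Nmap's code) shows CRC-32C as SCTP uses it with a correctly 32-bit register next to the classic defect of keeping the register in an unsigned long, which is 64 bits wide on LP64 platforms; attributing that defect to this fix is an assumption. It also applies RFC 4960's rule of checksumming the packet with the checksum field treated as zero.

```c
#include <stdint.h>
#include <stddef.h>
#include <string.h>
#include <stdio.h>

/* CRC-32C (Castagnoli) in reflected form: polynomial 0x1EDC6F41,
 * bit-reversed to 0x82F63B78; initial value and final XOR 0xFFFFFFFF. */
#define CRC32C_POLY 0x82F63B78u

/* Feed bytes into a running register. uint32_t is exactly 32 bits on
 * every platform, so shifted-out bits are gone for good. */
static uint32_t crc32c_update(uint32_t crc, const uint8_t *buf, size_t len)
{
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (CRC32C_POLY & (0u - (crc & 1u)));
    }
    return crc;
}

uint32_t crc32c(const uint8_t *buf, size_t len)
{
    return ~crc32c_update(0xFFFFFFFFu, buf, len);
}

/* Same loop with an 'unsigned long' register (assumed, not confirmed, to
 * be the kind of defect this entry fixed). On ILP32 the result is
 * identical. On LP64 the type is 64 bits wide: ~0UL sets 32 extra one-bits
 * that shift down into the low word during the first 32 steps, and once
 * the high word has emptied the final ~ turns it into 0xFFFFFFFF too. */
unsigned long crc32c_unsigned_long(const uint8_t *buf, size_t len)
{
    unsigned long crc = ~0UL;
    for (size_t i = 0; i < len; i++) {
        crc ^= buf[i];
        for (int k = 0; k < 8; k++)
            crc = (crc >> 1) ^ (CRC32C_POLY & (0UL - (crc & 1UL)));
    }
    return ~crc;
}

/* SCTP (RFC 4960) covers the whole packet with the 4-byte checksum field
 * in the common header treated as zero. Returns 0 for anything shorter
 * than the 12-byte common header. */
#define SCTP_COMMON_HDR_LEN 12
#define SCTP_CHECKSUM_OFF    8

uint32_t sctp_packet_crc32c(const uint8_t *pkt, size_t len)
{
    static const uint8_t zeros[4] = { 0, 0, 0, 0 };
    if (len < SCTP_COMMON_HDR_LEN)
        return 0;
    uint32_t crc = 0xFFFFFFFFu;
    crc = crc32c_update(crc, pkt, SCTP_CHECKSUM_OFF);
    crc = crc32c_update(crc, zeros, 4);
    crc = crc32c_update(crc, pkt + SCTP_COMMON_HDR_LEN,
                        len - SCTP_COMMON_HDR_LEN);
    return ~crc;
}

/* Standard check vector: CRC-32C("123456789") must be 0xE3069283. */
uint32_t crc32c_check_value(void)
{
    static const uint8_t v[] = "123456789";
    return crc32c(v, 9);
}

/* 1 if the unsigned long variant, masked to 32 bits, matches crc32c();
 * expected 1 on ILP32 and 0 on LP64. */
int crc32c_unsigned_long_agrees(void)
{
    static const uint8_t v[] = "123456789";
    return (uint32_t)crc32c_unsigned_long(v, 9) == crc32c(v, 9);
}

/* Constructed SCTP packet: common header with a bogus checksum already in
 * place, followed by a 4-byte ABORT chunk. Returns 1 if the checksum bytes
 * are ignored as the RFC requires. */
int sctp_checksum_field_ignored(void)
{
    uint8_t pkt[16] = {
        0x1f, 0x90, 0x00, 0x50,  /* source port 8080, destination port 80 */
        0xde, 0xad, 0xbe, 0xef,  /* verification tag */
        0x11, 0x22, 0x33, 0x44,  /* checksum field, must not matter */
        0x06, 0x00, 0x00, 0x04   /* chunk type ABORT, flags 0, length 4 */
    };
    uint32_t with_junk = sctp_packet_crc32c(pkt, sizeof pkt);
    memset(pkt + SCTP_CHECKSUM_OFF, 0, 4);
    uint32_t with_zero = sctp_packet_crc32c(pkt, sizeof pkt);
    return with_junk == with_zero && with_zero == crc32c(pkt, sizeof pkt);
}

int main(void)
{
    printf("crc32c(\"123456789\") = 0x%08X\n", (unsigned)crc32c_check_value());
    printf("sizeof(unsigned long) = %zu, unsigned long variant agrees: %d\n",
           sizeof(unsigned long), crc32c_unsigned_long_agrees());
    return 0;
}
```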
 3146 
 3147 o [NSE] Added multicast group name output to
 3148   broadcast-igmp-discovery.nse. [Vasily Kulikov]
 3149 
 3150 o [NSE] Added new fingerprints for http-enum: Sitecore, Moodle, typo3,
 3151   SquirrelMail, RoundCube. [Jesper Kückelhahn]
 3152 
 3153 Nmap 6.25 [2012-11-29]
 3154 
 3155 o [NSE] Added CPE to smb-os-discovery output.
 3156 
 3157 o [Ncat] Fixed the printing of warning messages for large arguments to
 3158   the -i and -w options. [Michal Hlavinka]
 3159 
 3160 o [Ncat] Shut down the write part of connected sockets in listen mode
 3161   when stdin hits EOF, just as was already done in connect mode.
 3162   [Michal Hlavinka]
 3163 
 3164 o [Zenmap] Removed a crashing error that could happen when canceling a
 3165   "Print to File" on Windows:
 3166     Traceback (most recent call last):
 3167       File "zenmapGUI\MainWindow.pyo", line 831, in _print_cb
 3168       File "zenmapGUI\Print.pyo", line 156, in run_print_operation
 3169     GError: Error from StartDoc
 3170   This bug was reported by Imre Adácsi. [David Fifield]
 3171 
 3172 o Added some new checks for failed library calls. [Bill Parker]
 3173 
 3174 Nmap 6.20BETA1 [2012-11-16]
 3175 
 3176 o Integrated all of your IPv4 OS fingerprint submissions since January
 3177   (more than 3,000 of them).  Added 373 fingerprints, bringing the new
 3178   total to 3,946.  Additions include Linux 3.6, Windows 8, Windows
 3179   Server 2012, Mac OS X 10.8, and a ton of new WAPs, printers,
 3180   routers, and other devices--including our first IP-enabled doorbell!
 3181   Many existing fingerprints were improved. [David Fifield]
 3182 
 3183 o Integrated all of your service/version detection fingerprints
 3184   submitted since January (more than 1,500)!  Our signature
 3185   count jumped by more than 400 to 8,645.  We now detect 897
 3186   protocols, from extremely popular ones like http, ssh, smtp and imap
 3187   to the more obscure airdroid, gopher-proxy, and
 3188   enemyterritory. [David Fifield]
 3189 
 3190 o Integrated your latest IPv6 OS submissions and corrections. We're
 3191   still low on IPv6 fingerprints, so please scan any IPv6 systems you
 3192   own or administer and submit them to https://nmap.org/submit/.  Both
 3193   new fingerprints (if Nmap doesn't find a good match) and corrections
 3194   (if Nmap guesses wrong) are useful.
 3195 
 3196 o Enabled support for IPv6 traceroute using UDP, SCTP, and IPProto
 3197   (Next Header) probes.  Previously, only TCP and ICMP were
 3198   supported.  [David Fifield]
 3199 
 3200 o Scripts can now return a structured name-value table so that results
 3201   are query-able from XML output. Scripts can return a string as
 3202   before, or a table, or a table and a string. In this last case, the
 3203   table will go to XML output and the string will go to screen output.
 3204   See https://nmap.org/book/nse-api.html#nse-structured-output [Daniel
 3205   Miller, David Fifield, Patrick Donnelly]
 3206 
 3207 o [Nsock] Added new poll and kqueue I/O engines for improved
 3208   performance on Windows and BSD-based systems including Mac OS X.
 3209   These are in addition to the epoll engine (used on Linux) and the
 3210   classic select engine fallback for other systems.  [Henri Doreau]
 3211 
 3212 o [Ncat] Added support for Unix domain sockets. The new -U and
 3213   --unixsock options activate this mode.  These provide compatibility
 3214   with Hobbit's original Netcat. [Tomas Hozza]
 3215 
 3216 o Moved some Windows dependencies, including OpenSSL, libsvn, and the
 3217   vcredist files, into a new public Subversion directory
 3218   /nmap-mswin32-aux and moved it out of the source tarball. This
 3219   reduces the compressed tarball size from 22 MB to 8 MB and similarly
 3220   reduces the bandwidth and storage required for an svn checkout.
 3221   Folks who build Nmap on Windows will need to check out
 3222   /nmap-mswin32-aux along with /nmap as described at
 3223   https://nmap.org/book/inst-windows.html#inst-win-source.
 3224 
 3225 o Many of the great features in this release were created by college
 3226   and grad students generously sponsored by Google's Summer of Code
 3227   program.  Thanks, Google Open Source Department!  This year's team
 3228   of five developers is introduced at
 3229   http://seclists.org/nmap-dev/2012/q2/204 and their successes
 3230   documented at http://seclists.org/nmap-dev/2012/q4/138
 3231 
 3232 o [NSE] Replaced old RPC grinder (RPC enumeration, performed as part
 3233   of version detection when a port seems to run a SunRPC service) with
 3234   a faster and easier to maintain NSE-based implementation.  This also
 3235   allowed us to remove the crufty old pos_scan scan engine. [Hani
 3236   Benhabiles]
 3237 
 3238 o Updated our Nmap Scripting Engine to use Lua 5.2 (and then 5.2.1)
 3239   rather than 5.1. See http://seclists.org/nmap-dev/2012/q2/34 for
 3240   details. [Patrick Donnelly]
 3241 
 3242 o [NSE] Added 85(!) NSE scripts, bringing the total up to 433.  They
 3243   are all listed at https://nmap.org/nsedoc/, and the summaries are
 3244   below (authors are listed in brackets):
 3245 
 3246   + ajp-auth retrieves the authentication scheme and realm of an AJP
 3247     service (Apache JServ Protocol) that requires authentication. The
 3248     Apache JServ Protocol is commonly used by web servers to
 3249     communicate with back-end Java application server
 3250     containers. [Patrik Karlsson]
 3251 
 3252   + ajp-brute performs brute force password auditing against the
 3253     Apache JServ protocol. [Patrik Karlsson]
 3254 
 3255   + ajp-headers performs a HEAD or GET request against either the root
 3256     directory or any optional directory of an Apache JServ Protocol
 3257     server and returns the server response headers. [Patrik Karlsson]
 3258 
 3259   + ajp-methods discovers which options are supported by the AJP
 3260     (Apache JServ Protocol) server by sending an OPTIONS request and
 3261     lists potentially risky methods. [Patrik Karlsson]
 3262 
 3263   + ajp-request requests a URI over the Apache JServ Protocol and
 3264     displays the result (or stores it in a file). Different AJP
 3265     methods such as GET, HEAD, TRACE, PUT or DELETE may be
 3266     used. [Patrik Karlsson]
 3267 
 3268   + bjnp-discover retrieves printer or scanner information from a
 3269     remote device supporting the BJNP protocol. The protocol is known
 3270     to be supported by network based Canon devices. [Patrik Karlsson]
 3271 
 3272   + broadcast-ataoe-discover discovers servers supporting the ATA over
 3273     Ethernet protocol. ATA over Ethernet is an ethernet protocol
 3274     developed by the Brantley Coile Company and allows for simple,
 3275     high-performance access to SATA drives over Ethernet. [Patrik
 3276     Karlsson]
 3277 
 3278   + broadcast-bjnp-discover attempts to discover Canon devices
 3279     (Printers/Scanners) supporting the BJNP protocol by sending BJNP
 3280     Discover requests to the network broadcast address for both ports
 3281     associated with the protocol. [Patrik Karlsson]
 3282 
 3283   + broadcast-eigrp-discovery performs network discovery and routing
 3284     information gathering through Cisco's EIGRP protocol. [Hani
 3285     Benhabiles]
 3286 
 3287   + broadcast-igmp-discovery discovers targets that have IGMP
 3288     Multicast memberships and grabs interesting information. [Hani
 3289     Benhabiles]
 3290 
 3291   + broadcast-pim-discovery discovers routers that are running PIM
 3292     (Protocol Independent Multicast). [Hani Benhabiles]
 3293 
 3294   + broadcast-tellstick-discover discovers Telldus Technologies
 3295     TellStickNet devices on the LAN. The Telldus TellStick is used to
 3296     wirelessly control electric devices such as lights, dimmers and
 3297     electric outlets. [Patrik Karlsson]
 3298 
 3299   + cassandra-brute performs brute force password auditing against the
 3300     Cassandra database. [Vlatko Kosturjak]
 3301 
 3302   + cassandra-info attempts to get basic info and server status from a
 3303     Cassandra database. [Vlatko Kosturjak]
 3304 
 3305   + cups-info lists printers managed by the CUPS printing
 3306     service. [Patrik Karlsson]
 3307 
 3308   + cups-queue-info lists currently queued print jobs of the remote
 3309     CUPS service grouped by printer. [Patrik Karlsson]
 3310 
 3311   + dict-info connects to a dictionary server using the DICT protocol,
 3312     runs the SHOW SERVER command, and displays the result. [Patrik
 3313     Karlsson]
 3314 
 3315   + distcc-cve2004-2687 detects and exploits a remote code execution
 3316     vulnerability in the distributed compiler daemon distcc. [Patrik
 3317     Karlsson]
 3318 
 3319   + dns-check-zone checks DNS zone configuration against best
 3320     practices, including RFC 1912.  The configuration checks are
 3321     divided into categories which each have a number of different
 3322     tests. [Patrik Karlsson]
 3323 
 3324   + dns-ip6-arpa-scan performs a quick reverse DNS lookup of an IPv6
 3325     network using a technique which analyzes DNS server response codes
 3326     to dramatically reduce the number of queries needed to enumerate
 3327     large networks. [Patrik Karlsson]
 3328 
 3329   + dns-nsec3-enum tries to enumerate domain names from a DNS server
 3330     that supports DNSSEC NSEC3 records. [Aleksandar Nikolic, John
 3331     Bond]
 3332 
 3333   + eppc-enum-processes attempts to enumerate process info over the
 3334     Apple Remote Event protocol.  When accessing an application over
 3335     the Apple Remote Event protocol the service responds with the uid
 3336     and pid of the application, if it is running, prior to requesting
 3337     authentication. [Patrik Karlsson]
 3338 
 3339   + firewall-bypass detects a vulnerability in Netfilter and other
 3340     firewalls that use helpers to dynamically open ports for protocols
 3341     such as ftp and sip. [Hani Benhabiles]
 3342 
 3343   + flume-master-info retrieves information from Flume master HTTP
 3344     pages. [John R. Bond]
 3345 
 3346   + gkrellm-info queries a GKRellM service for monitoring
 3347     information. A single round of collection is made, showing a
 3348     snapshot of information at the time of the request. [Patrik
 3349     Karlsson]
 3350 
 3351   + gpsd-info retrieves GPS time, coordinates and speed from the GPSD
 3352     network daemon. [Patrik Karlsson]
 3353 
 3354   + hostmap-robtex discovers hostnames that resolve to the target's IP
 3355     address by querying the Robtex service at
 3356     http://www.robtex.com/dns/. [Arturo Busleiman]
 3357 
 3358   + http-drupal-enum-users enumerates Drupal users by exploiting an
 3359     information disclosure vulnerability in Views, Drupal's most
 3360     popular module. [Hani Benhabiles]
 3361 
 3362   + http-drupal-modules enumerates the installed Drupal modules by
 3363     using a list of known modules. [Hani Benhabiles]
 3364 
 3365   + http-exif-spider spiders a site's images looking for interesting
 3366     exif data embedded in .jpg files. Displays the make and model of
 3367     the camera, the date the photo was taken, and the embedded geotag
 3368     information. [Ron Bowes]
 3369 
 3370   + http-form-fuzzer performs simple form fuzzing against forms
 3371     found on websites.  It tries strings and numbers of increasing length
 3372     and attempts to determine whether the fuzzing was successful. [Piotr
 3373     Olma]
 3374 
 3375   + http-frontpage-login checks whether target machines are vulnerable
 3376     to anonymous Frontpage login. [Aleksandar Nikolic]
 3377 
 3378   + http-git checks for a Git repository found in a website's document
 3379     root (/.git/<something>) then retrieves as much repo
 3380     information as possible, including language/framework, Github
 3381     username, last commit message, and repository description. [Alex
 3382     Weber]
 3383 
 3384   + http-gitweb-projects-enum retrieves a list of Git projects, owners
 3385     and descriptions from a gitweb (web interface to the Git revision
 3386     control system). [riemann]
 3387 
 3388   + http-huawei-hg5xx-vuln detects Huawei modems models HG530x,
 3389     HG520x, HG510x (and possibly others...) vulnerable to a remote
 3390     credential and information disclosure vulnerability. It also
 3391     extracts the PPPoE credentials and other interesting configuration
 3392     values. [Paulino Calderon]
 3393 
 3394   + http-icloud-findmyiphone retrieves the locations of all "Find my
 3395     iPhone" enabled iOS devices by querying the MobileMe web service
 3396     (authentication required). [Patrik Karlsson]
 3397 
 3398   + http-icloud-sendmsg sends a message to an iOS device through the
 3399     Apple MobileMe web service. The device has to be registered with
 3400     an Apple ID using the Find My iPhone application. [Patrik
 3401     Karlsson]
 3402 
 3403   + http-phpself-xss crawls a web server and attempts to find PHP
 3404     files vulnerable to reflected cross site scripting via the
 3405     variable $_SERVER["PHP_SELF"].  [Paulino Calderon]
 3406 
 3407   + http-rfi-spider crawls webservers in search of RFI (remote file
 3408     inclusion) vulnerabilities. It tests every form field it finds and
 3409     every parameter of a URL containing a query. [Piotr Olma]
 3410 
 3411   + http-robtex-shared-ns finds up to 100 domain names which use the
 3412     same name server as the target by querying the Robtex service at
 3413     http://www.robtex.com/dns/. [Arturo Busleiman]
 3414 
 3415   + http-sitemap-generator spiders a web server and displays its
 3416     directory structure along with number and types of files in each
 3417     folder. Note that files listed as having an 'Other' extension are
 3418     ones that have no extension or that are a root document. [Piotr
 3419     Olma]
 3420 
 3421   + http-slowloris-check tests a web server for vulnerability to the
 3422     Slowloris DoS attack without actually launching a DoS
 3423     attack. [Aleksandar Nikolic]
 3424 
 3425   + http-slowloris tests a web server for vulnerability to the
 3426     Slowloris DoS attack by launching a Slowloris attack. [Aleksandar
 3427     Nikolic, Ange Gutek]
 3428 
 3429   + http-tplink-dir-traversal exploits a directory traversal
 3430     vulnerability existing in several TP-Link wireless
 3431     routers. Attackers may exploit this vulnerability to read any of
 3432     the configuration and password files remotely and without
 3433     authentication. [Paulino Calderon]
 3434 
 3435   + http-traceroute exploits the Max-Forwards HTTP header to detect
 3436     the presence of reverse proxies. [Hani Benhabiles]
 3437 
 3438   + http-virustotal checks whether a file has been determined as
 3439     malware by virustotal. Virustotal is a service that provides the
 3440     capability to scan a file or check a checksum against a number of
 3441     the major antivirus vendors. [Patrik Karlsson]
 3442 
 3443   + http-vlcstreamer-ls connects to a VLC Streamer helper service and
 3444     lists directory contents. The VLC Streamer helper service is used
 3445     by the iOS VLC Streamer application to enable streaming of
 3446     multimedia content from the remote server to the device. [Patrik
 3447     Karlsson]
 3448 
 3449   + http-vuln-cve2010-0738 tests whether a JBoss target is vulnerable
 3450     to jmx console authentication bypass (CVE-2010-0738). [Hani
 3451     Benhabiles]
 3452 
 3453   + http-waf-fingerprint tries to detect the presence of a web
 3454     application firewall and its type and version. [Hani Benhabiles]
 3455 
 3456   + icap-info tests a list of known ICAP service names and prints
 3457     information about any it detects. The Internet Content Adaptation
 3458     Protocol (ICAP) is used to extend transparent proxy servers and is
 3459     generally used for content filtering and antivirus
 3460     scanning. [Patrik Karlsson]
 3461 
 3462   + ip-forwarding detects whether the remote device has ip forwarding
 3463     or "Internet connection sharing" enabled, by sending an ICMP echo
 3464     request to a given target using the scanned host as default
 3465     gateway. [Patrik Karlsson]
 3466 
 3467   + ipv6-ra-flood generates a flood of Router Advertisements (RA) with
 3468     random source MAC addresses and IPv6 prefixes. Computers that have
 3469     stateless autoconfiguration enabled (the default on every major OS)
 3470     will start to compute an IPv6 suffix and update their routing table
 3471     to reflect the accepted announcement. This will cause 100% CPU usage
 3472     on Windows and other platforms, preventing them from processing other
 3473     application requests. [Adam Stevko]
 3474 
 3475   + irc-sasl-brute performs brute force password auditing against IRC
 3476     (Internet Relay Chat) servers supporting SASL
 3477     authentication. [Piotr Olma]
 3478 
 3479   + isns-info lists portals and iSCSI nodes registered with the
 3480     Internet Storage Name Service (iSNS). [Patrik Karlsson]
 3481 
 3482   + jdwp-exec attempts to exploit Java's remote debugging port. When
 3483     the remote debugging port is left open, it is possible to inject Java
 3484     bytecode and achieve remote code execution.  This script abuses
 3485     this to inject and execute a Java class file that executes the
 3486     supplied shell command and returns its output. [Aleksandar
 3487     Nikolic]
 3488 
 3489   + jdwp-info attempts to exploit Java's remote debugging port.  When
 3490     the remote debugging port is left open, it is possible to inject Java
 3491     bytecode and achieve remote code execution.  This script injects
 3492     and executes a Java class file that returns remote system
 3493     information. [Aleksandar Nikolic]
 3494 
 3495   + jdwp-inject attempts to exploit Java's remote debugging port.
 3496     When the remote debugging port is left open, it is possible to inject
 3497     Java bytecode and achieve remote code execution.  This script
 3498     allows injection of arbitrary class files. [Aleksandar Nikolic]
 3499 
 3500   + llmnr-resolve resolves a hostname by using the LLMNR (Link-Local
 3501     Multicast Name Resolution) protocol. [Hani Benhabiles]
 3502 
 3503   + mcafee-epo-agent checks whether the ePO agent is running on port 8081
 3504     or on a port identified as the ePO Agent port. [Didier Stevens and
 3505     Daniel Miller]
 3506 
 3507   + metasploit-info gathers info from the Metasploit RPC service.  It
 3508     requires a valid login pair. After authentication it tries to
 3509     determine the Metasploit version and deduce the OS type.  Then it
 3510     creates a new console and executes a few commands to get additional
 3511     info. [Aleksandar Nikolic]
 3512 
 3513   + metasploit-msgrpc-brute performs brute force username and password
 3514     auditing against Metasploit msgrpc interface. [Aleksandar Nikolic]
 3515 
 3516   + mmouse-brute performs brute force password auditing against the
 3517     RPA Tech Mobile Mouse servers. [Patrik Karlsson]
 3518 
 3519   + mmouse-exec connects to an RPA Tech Mobile Mouse server, starts an
 3520     application and sends a sequence of keys to it. Any application
 3521     that the user has access to can be started and the key sequence is
 3522     sent to the application after it has been started. [Patrik
 3523     Karlsson]
 3524 
 3525   + mrinfo queries targets for multicast routing information. [Hani
 3526     Benhabiles]
 3527 
 3528   + msrpc-enum queries an MSRPC endpoint mapper for a list of mapped
 3529     services and displays the gathered information. [Aleksandar
 3530     Nikolic]
 3531 
 3532   + ms-sql-dac queries the Microsoft SQL Browser service for the DAC
 3533     (Dedicated Admin Connection) port of a given (or all) SQL Server
 3534     instance. The DAC port is used to connect to the database instance
 3535     when normal connection attempts fail, for example, when the server is
 3536     hanging, out of memory or in other bad states. [Patrik Karlsson]
 3537 
 3538   + mtrace queries for the multicast path from a source to a
 3539     destination host. [Hani Benhabiles]
 3540 
 3541   + mysql-dump-hashes dumps the password hashes from a MySQL server
 3542     in a format suitable for cracking by tools such as John the
 3543     Ripper.  Appropriate DB privileges (root) are required. [Patrik
 3544     Karlsson]
 3545 
 3546   + mysql-query runs a query against a MySQL database and returns the
 3547     results as a table. [Patrik Karlsson]
 3548 
 3549   + mysql-vuln-cve2012-2122 attempts to bypass authentication in MySQL
 3550     and MariaDB servers by exploiting CVE-2012-2122. If it is vulnerable,
 3551     it will also attempt to dump the MySQL usernames and password
 3552     hashes. [Paulino Calderon]
 3553 
 3554   + oracle-brute-stealth exploits the CVE-2012-3137 vulnerability, a
 3555     weakness in Oracle's O5LOGON authentication scheme.  The
 3556     vulnerability exists in Oracle 11g R1/R2 and allows linking the
 3557     session key to a password hash. [Dhiru Kholia]
 3558 
 3559   + pcanywhere-brute performs brute force password auditing against
 3560     the pcAnywhere remote access protocol. [Aleksandar Nikolic]
 3561 
 3562   + rdp-enum-encryption determines which Security layer and Encryption
 3563     level is supported by the RDP service. It does so by cycling
 3564     through all existing protocols and ciphers. [Patrik Karlsson]
 3565 
 3566   + rmi-vuln-classloader tests whether Java rmiregistry allows class
 3567     loading.  The default configuration of rmiregistry allows loading
 3568     classes from remote URLs, which can lead to remote code
 3569     execution. The vendor (Oracle/Sun) classifies this as a design
 3570     feature. [Aleksandar Nikolic]
 3571 
 3572   + rpc-grind fingerprints the target RPC port to extract the target
 3573     service, RPC number and version. [Hani Benhabiles]
 3574 
 3575   + sip-call-spoof spoofs a call to a SIP phone and detects the action
 3576     taken by the target (busy, declined, hung up, etc.) [Hani
 3577     Benhabiles]
 3578 
 3579   + sip-methods enumerates a SIP Server's allowed methods (INVITE,
 3580     OPTIONS, SUBSCRIBE, etc.) [Hani Benhabiles]
 3581 
 3582   + smb-ls attempts to retrieve useful information about files shared
 3583     on SMB volumes.  The output is intended to resemble the output of
 3584     the UNIX "ls" command. [Patrik Karlsson]
 3585 
 3586   + smb-print-text attempts to print text on a shared printer by
 3587     calling Print Spooler Service RPC functions. [Aleksandar Nikolic]
 3588 
 3589   + smb-vuln-ms10-054 tests whether target machines are vulnerable to
 3590     the ms10-054 SMB remote memory corruption
 3591     vulnerability. [Aleksandar Nikolic]
 3592 
 3593   + smb-vuln-ms10-061 tests whether target machines are vulnerable to
 3594     the ms10-061 Print Spooler impersonation vulnerability. [Aleksandar
 3595     Nikolic]
 3596 
 3597   + snmp-hh3c-logins attempts to enumerate Huawei / HP/H3C Locally
 3598     Defined Users through the hh3c-user.mib OID. [Kurt Grutzmacher]
 3599 
 3600   + ssl-date retrieves a target host's time and date from its TLS
 3601     ServerHello response. [Aleksandar Nikolic]
 3602 
 3603   + tls-nextprotoneg enumerates a TLS server's supported protocols by
 3604     using the next protocol negotiation extension. [Hani Benhabiles]
 3605 
 3606   + traceroute-geolocation lists the geographic locations of each hop
 3607     in a traceroute and optionally saves the results to a KML file,
 3608     plottable on Google Earth and Google Maps. [Patrik Karlsson]
 3609 
 3610 o [NSE] Added 12 new protocol libraries, bringing our total to 105!  Here
 3611   they are, with authors enclosed in brackets:
 3612   + ajp (Apache JServ Protocol) [Patrik Karlsson]
 3613   + base32 (Base32 encoding/decoding - RFC 4648) [Philip Pickering]
 3614   + bjnp (Canon BJNP printer/scanner discovery protocol) [Patrik Karlsson]
 3615   + cassandra (Cassandra database protocol) [Vlatko Kosturjak]
 3616   + eigrp (Cisco Enhanced Interior Gateway Routing Protocol) [Hani Benhabiles]
 3617   + gps (Global Positioning System - does GPRMC NMEA decoding) [Patrik Karlsson]
 3618   + ipp (CUPS Internet Printing Protocol) [Patrik Karlsson]
 3619   + isns (Internet Storage Name Service) [Patrik Karlsson]
 3620   + jdwp (Java Debug Wire Protocol) [Aleksandar Nikolic]
 3621   + mobileme (a service for managing Apple/Mac devices) [Patrik Karlsson]
 3622   + ospf (Open Shortest Path First routing protocol) [Patrik Karlsson]
 3623   + rdp (Remote Desktop Protocol) [Patrik Karlsson]
 3624 
 3625 o Added Common Platform Enumeration (CPE) identifiers to nearly 1,000
 3626   more OS detection signatures.  Nmap 6.01 had them for 2,608 of 3,572
 3627   fingerprints (73%) and now we have them for 3,558 out of 3,946
 3628   (90%). [David Fifield]
 3629 
 3630 o Scans that use OS sockets (including TCP connect scan, version
 3631   detection, and script scan) now use the SO_BINDTODEVICE sockopt on
 3632   Linux, so that the -e (select network device) option is
 3633   honored. [David Fifield]
 3634 
 3635 o [Zenmap] Host filters can now do negative matching, for example you
 3636   can use "os:!linux" to match hosts NOT detected as Linux. [Daniel
 3637   Miller]
 3638 
 3639 o Fixed a bug that caused an incorrect source address to be set when
 3640   scanning certain addresses (apparently those ending in .0) on
 3641   Windows XP. The symptom of this bug was the messages
 3642     get_srcaddr: can't connect socket: The requested address is not valid in its context.
 3643     Failed to convert source address to presentation format!?!  Error: Unknown error
 3644   Thanks to Robert Washam and Jorge Hernandez for reports and help
 3645   debugging. [David Fifield]
 3646 
 3647 o Upgraded the included OpenSSL to version 1.0.1c. [David Fifield]
 3648 
 3649 o [NSE] Added changes to brute and unpwdb libraries to allow more
 3650   flexible iterator specification and control. [Aleksandar Nikolic]
 3651 
 3652 o Tested that our WinPcap installer works on Windows 8 and Windows
 3653   Server 2012 build 8400.  Updated the installer text to recommend that
 3654   users select the option to start 'NPF' at startup. [Rob Nicholls]
 3655 
 3656 o Changed libdnet's routing interface to return an interface name for
 3657   each route on the most common operating systems. This is used to
 3658   improve the quality of Nmap's matching of routes to interfaces,
 3659   which was previously done by matching routes to interface addresses.
 3660   [Djalal Harouni, David Fifield]
 3661 
 3662 o Fixed a bug that prevented Nmap from finding any interfaces when one
 3663   of them had the type ARPHDR_INFINIBAND; this was the case for
 3664   IP-over-InfiniBand interfaces. However, this support is not complete,
 3665   since IPoIB interfaces use 20 bytes for the hardware address, and
 3666   currently we only report and handle 6 bytes.
 3667   Nmap IP-level scans should work without any problem; please refer to
 3668   the '--send-ip' switch and to the following thread:
 3669   http://seclists.org/nmap-dev/2012/q3/642
 3670   This bug was reported by starlight.2012q3. [Djalal Harouni]
 3671 
 3672 o Fixed a bug that prevented Nmap from finding any interfaces when one
 3673   of them had the type ARPHDR_IEEE80211; this was the case for wireless
 3674   interfaces operating in access point mode. This bug was reported by
 3675   Sebastiaan Vileijn. [Djalal Harouni]
 3676 
 3677 o Updated the Zenmap desktop icons on Windows, Linux, and Mac with higher
 3678   resolution ones. [Sean Rivera, David Fifield]
 3679 
 3680 o [NSE] Script results for a host or service are now sorted
 3681   alphabetically by script name. [Sean Rivera]
 3682 
 3683 o Fixed a bug that prevented Nmap from finding any interfaces when any
 3684   interface had the type ARPHRD_VOID; this was the case for OpenVZ
 3685   venet interfaces. [Djalal Harouni, David Fifield]
 3686 
 3687 o Linux unreachable routes are now properly ignored. [David Fifield]
 3688 
 3689 o Added Dan Miller as an Nmap committer.  He has done a ton of great
 3690   work on Nmap, as you can see by searching for him in this CHANGELOG
 3691   or reading the Nmap committers list at
 3692   https://svn.nmap.org/nmap/docs/committers.txt .
 3693 
 3694 o Added a new --disable-arp-ping option. This option prevents Nmap
 3695   from implicitly using ARP or ND host discovery for discovering
 3696   directly connected Ethernet targets. This is useful in networks
 3697   using proxy ARP, which make all addresses appear to be up using ARP
 3698   scan. The previously recommended workaround for this situation,
 3699   --send-ip, didn't work on Windows because that lame excuse for an
 3700   operating system is still missing raw socket support.  [David
 3701   Fifield (editorializing added by Fyodor)]
 3702 
 3703 o Protocol scan (-sO) probes for TCP, UDP, and SCTP now go to ports
 3704   80, 40125, and 80 respectively, instead of being randomly generated
 3705   or going to the same port as the source port. [David Fifield]
 3706 
 3707 o The Nmap --log-errors functionality (including errors and warnings
 3708   in the normal-format output file) is now always true, whether you
 3709   pass that option or not. [Sean Rivera]
 3710 
 3711 o [NSE] Rewrote ftp-brute script to use the brute library for
 3712   performing password auditing. [Aleksandar Nikolic]
 3713 
 3714 o Reduced the size of Port structures by about two thirds (from 176 to
 3715   64 bytes on x86_64). They had accidentally grown during the IPv6
 3716   code merge. [David Fifield]
 3717 
 3718 o Made source port numbers (used to encode probe metadata) increment
 3719   so as not to overlap between different scanning phases. Previously
 3720   it was possible for an RST response to an ACK probe from host
 3721   discovery to be misinterpreted as a reply to a SYN probe from port
 3722   scanning. [Sean Rivera, David Fifield]
 3723 
 3724 o [NSE] Added support for ECDSA keys to ssh-hostkey.nse. [Adam Števko]
 3725 
 3726 o Changed the CPE for Linux from cpe:/o:linux:kernel to
 3727   cpe:/o:linux:linux_kernel to reflect deprecation in the official CPE
 3728   dictionary.
 3729 
 3730 o Added some additional CPE entries to nmap-service-probes.
 3731   [Dillon Graham]
 3732 
 3733 o Fixed an assertion failure with IPv6 traceroute trying to use an
 3734   unsupported protocol:
 3735     nmap: traceroute.cc:749: virtual unsigned char*
 3736     UDPProbe::build_packet(const sockaddr_storage*, u32*) const: Assertion
 3737     `source->ss_family == 2' failed.
 3738   This was reported by Pierre Emeriaud. [David Fifield]
 3739 
 3740 o Added version detection signatures for half a dozen new or changed
 3741   products. [Tom Sellers]
 3742 
 3743 o Fixed protocol number-to-name mapping. A patch was contributed by
 3744   hejianet.
 3745 
 3746 o [NSE] The nmap.ip_send function now takes a second argument, the
 3747   destination to send to. Previously the destination address was taken
 3748   from the packet buffer, but this failed for IPv6 link-local
 3749   addresses, because the scope ID is not part of the packet. Calling
 3750   ip_send without a destination address will continue to use the old
 3751   behavior, but this practice is deprecated.
 3752 
 3753 o Increased portability of configure scripts on systems using a libc
 3754   other than Glibc. Several problems were reported by John Spencer.
 3755 
 3756 o [NSE] Fixed a bug in rpc-grind.nse that would cause unresponsive UDP
 3757   ports to be wrongly marked open. This was reported by Christopher
 3758   Clements. [David Fifield]
 3759 
 3760 o [Ncat] Close connection endpoint when receiving EOF on
 3761   stdin. [Michal Hlavinka].
 3762 
 3763 o Fixed interface listing on NetBSD. The bug was first noticed by
 3764   Fredrik Pettai and diagnosed by Jan Schaumann. [David Fifield]
 3765 
 3766 o [Ncat] Applied a blocking-socket workaround for a bug that could
 3767   prevent some sends from working in listen mode. The problem was
 3768   reported by Jonas Wielicki. [Alex Weber, David Fifield]
 3769 
 3770 o [NSE] Updated mssql.lua library to support additional data types,
 3771   enhanced some of the existing data types, added the DoneProc
 3772   response token, and reordered code for maintainability. [Tom
 3773   Sellers]
 3774 
 3775 o [Nping] Nping now prints out an error and exits when the user tries to use
 3776   the -p flag for a scan option where that is meaningless. [Sean Rivera]
 3777 
 3778 o [NSE] Added spoolss functions and constants to msrpc.lua. [Aleksandar Nikolic]
 3779 
 3780 o [NSE] Reduced the number of names tried by http-vhosts by default.
 3781   [Vlatko Kosturjak]
 3782 
 3783 o [Zenmap] Fixed a crash when using the en_NG locale: "ValueError:
 3784   unknown locale: en_NG" [David Fifield]
 3785 
 3786 o [NSE] Fixed some bugs in snmp-interfaces which prevented the script from
 3787   outputting discovered interface info and caused it to abort in the
 3788   pre-scanning phase. [jah]
 3789 
 3790 o [NSE] Do a connect on rpc-grind (rpc.lua) UDP sockets so that socket_lock
 3791   is invoked.  This is necessary to avoid "Too many open files" errors if
 3792   RPC grind creates an excessive number of sockets.  We should have a
 3793   cleaner general solution for this, and not require scripts to "connect"
 3794   their unconnected UDP sockets.  But there may be a good reason for
 3795   enforcing socket locking only on connect, not on creation. [David Fifield]
 3796 
 3797 o [NSE] The lltd-discovery script now parses hostnames and outputs the
 3798   network card manufacturer. [Hani Benhabiles]
 3799 
 3800 o Added protocol specific payloads for IPv6 hop-by-hop (0x00), routing (0x2b),
 3801   fragment (0x2c), and destination (0x3c). [Sean Rivera]
 3802 
 3803 o [NSE] Added support for decoding OSPF Hello packets to broadcast-listener.
 3804   [Hani Benhabiles]
 3805 
 3806 o [NSE] Fixed a false positive in http-vuln-cve2011-3192.nse, which detected
 3807   Apache 2.2.22 as vulnerable. [Michael Meyer]
 3808 
 3809 o [NSE] Modified multiple scripts that operated against HTTP based services
 3810   so as to remove false positives that were generated when the target service
 3811   answers with a 200 response to all requests. [Tom Sellers]
 3812 
 3813 o [NSOCK] Fixed an epoll-engine-specific bug. The engine didn't recognize FDs
 3814   that were internally closed and replaced by other ones. This happened during
 3815   reconnect attempts. Also, the IOD flags were not properly cleared.
 3816   [Henri Doreau, Daniel Miller]
 3817 
 3818 o Added support for log type bitmasks in log_vwrite(). Also replaced a fatal()
 3819   statement by an assert(0) to get rid of a possible infinite call loop when
 3820   passed an invalid log type. [Henri Doreau]
 3821 
 3822 o Added handling for the unexpected error WSAENETRESET (10052). This error is
 3823   currently wrapped in the ifdef for WIN32, as the error appears to be unique
 3824   to Windows. [Sean Rivera]
 3825 
 3826 o [NSE] Added default values for Expires, Call-ID, Allow and Content-Length
 3827   headers in SIP requests and removed redundant code in sip library.
 3828   [Hani Benhabiles]
 3829 
 3830 o [NSE] Calling methods of unconnected sockets now causes the usual
 3831   error code return value, instead of raising a Lua error. The problem
 3832   was noticed by Daniel Miller. [David Fifield]
 3833 
 3834 o [NSE] Added AUTH_UNIX support to the rpc library and NFS scripts.
 3835   [Daniel Miller]
 3836 
 3837 o [Zenmap] Fixed a crash in the profile editor that would happen when
 3838   the nmap binary couldn't be found. [David Fifield]
 3839 
 3840 o Made the various Makefiles' treatment of makefile.dep uniform:
 3841   "make clean" keeps the file and "make distclean" deletes it.
 3842   [Michael McTernan]
 3843 
 3844 o [NSE] Fixed dozens of scripts and libraries to work better on
 3845   systems that don't have OpenSSL available. [Patrik Karlsson]
 3846 
 3847 o [Ncat] --output logging now works in UDP mode. Thanks to Michal
 3848   Hlavinka for reporting the bug. [David Fifield]
 3849 
 3850 o [NSE] More Windows 7 and Windows 2008 fixes for the smb library and smb-ls
 3851   scripts. [Patrik Karlsson]
 3852 
 3853 o [NSE] Added SPNEGO authentication supporting Windows 7 and Windows 2008 to
 3854   the smb library. [Patrik Karlsson]
 3855 
 3856 o [NSE] Changed http-brute so that it works against the root path
 3857   ("/") by default rather than always requiring the http-brute.path
 3858   script argument. [Fyodor]
 3859 
 3860 o [NSE] Applied patch from Daniel Miller that fixes bug in several scripts and
 3861   libraries http://seclists.org/nmap-dev/2012/q2/593 [Daniel Miller]
 3862 
 3863 o [Zenmap] Added Italian translation by Francesco Tombolini and
 3864   Japanese translation by Yujiy Tounai.  Some typos in the Japanese
 3865   translation were corrected by OKANO Takayoshi.
 3866 
 3867 o [NSE] Rewrote mysql-brute to use brute library [Aleksandar Nikolic]
 3868 
 3869 o Improved the mysql library to handle multiple columns with the same name,
 3870   and added a formatResultset function to format a query response as a table
 3871   suitable for script output. [Patrik Karlsson]
 3872 
 3873 o The message "nexthost: failed to determine route to ..." is now a
 3874   warning rather than a fatal error. Addresses that are skipped in
 3875   this way are recorded in the XML output as "target" elements. [David
 3876   Fifield]
 3877 
 3878 o [NSE] targets-sniffer now is capable of sniffing IPv6 addresses.
 3879   [Daniel Miller]
 3880 
 3881 o [NSE] Ported the pop3-brute script to use the brute library.
 3882   [Piotr Olma]
 3883 
 3884 o [NSE] Added an error message indicating script failure when Nmap is being
 3885   run in non-verbose/debug mode. [Patrik Karlsson]
 3886 
 3887 o Service-scan information is now included in XML and grepable output
 3888   even if -sV wasn't used. This information can be set by scripts in the
 3889   absence of -sV. [Daniel Miller]
 3890 
 3891 Nmap 6.01 [2012-06-16]
 3892 
 3893 o [Zenmap] Fixed a hang that would occur on Mac OS X 10.7. A symptom
 3894   of the hang was this message in the system console:
 3895   "Couldn't recognize the image file format for file
 3896   '/Applications/Zenmap.app/Contents/MacOS/../Resources/share/zenmap/pixmaps/radialnet/padlock.png'".
 3897   [David Fifield]
 3898 
 3899 o [Zenmap] Fixed a crash that happened when activating the host filter.
 3900       File "zenmapCore\SearchResult.pyo", line 155, in match_os
 3901     KeyError: 'osmatches'
 3902   [jah]
 3903 
 3904 o Fixed an error that occurred when scanning certain addresses like
 3905   192.168.0.0 on Windows XP:
 3906     get_srcaddr: can't connect socket: The requested address is not valid in its context.
 3907     nexthost: failed to determine route to 10.80.0.0
 3908   [David Fifield]
 3909 
 3910 o Fixed a bug that caused Nmap to fail to find any network interface when
 3911   at least one of them is in monitor mode. The fix was to define the
 3912   ARP_HRD_IEEE80211_RADIOTAP 802.11 radiotap header identifier in the
 3913   libdnet-stripped code. Network interfaces that are in this mode are used
 3914   by radiotap for 802.11 frame injection and reception. The bug was
 3915   reported by Tom Eichstaedt and Henri Doreau.
 3916   http://seclists.org/nmap-dev/2012/q2/449
 3917   http://seclists.org/nmap-dev/2012/q2/478
 3918   [Djalal Harouni, Henri Doreau]
 3919 
 3920 o Fixed the greppable output of hosts that time-out (when --host-timeout was
 3921   used and the host timed-out after something was received from that host).
 3922   This issue was reported by Matthew Morgan. [jah]
 3923 
 3924 o [Zenmap] Updated the version of Python used to build the Windows
 3925   release from 2.7.1 to 2.7.3 to remove a false-positive security
 3926   alarm flagged by tools such as Secunia PSI. There was a minor
 3927   vulnerability in certain Python27.dll web functionality (which Nmap
 3928   doesn't use anyway) and Secunia was flagging all software which
 3929   includes that version of Python27.dll. This update should prevent
 3930   the false alarm.
 3931 
 3932 Nmap 6.00 [2012-05-21]
 3933 
 3934 o Most important release since Nmap 5.00 in July 2009! For a list of
 3935   the most significant improvements and new features, see the
 3936   announcement at: https://nmap.org/6/
 3937 
 3938 o In XML output, "osclass" elements are now child elements of the
 3939   "osmatch" they belong to. Old output was thus:
 3940     <os><osclass/><osclass/>...<osmatch/><osmatch/>...</os>
 3941   New output is:
 3942     <os><osmatch><osclass/><osclass/>...</osmatch>...</os>
 3943   The option --deprecated-xml-osclass restores the old output, in case
 3944   you use an Nmap XML parser that doesn't understand the new
 3945   structure. The xmloutputversion has been increased to 1.04.
 3946 
 3947 o Added a new "target" element to XML output that indicates when a
 3948   target specification was ignored, perhaps because of a syntax error
 3949   or DNS failure. It looks like this:
 3950     <target specification="1.2.3.4.5" status="skipped" reason="invalid"/>
 3951   [David Fifield]
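The two XML layouts described in the osclass item and the new "target" element are easiest to see with a parser that accepts both. This is an added example, not Nmap's own code; the two documents are constructed and trimmed to the elements that matter.

```python
"""Parse the <os> section and skipped <target> elements of Nmap XML output.

Added example, not Nmap's own code. OLD_XML and NEW_XML are constructed,
heavily trimmed documents that show only the structures discussed above.
"""
import xml.etree.ElementTree as ET

# Constructed sample in the pre-6.00 layout (also what --deprecated-xml-osclass
# produces): osclass elements are siblings of osmatch, not children.
OLD_XML = """<nmaprun xmloutputversion="1.03">
<host><os>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100"/>
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="95"/>
<osmatch name="Linux 2.6.32" accuracy="100" line="1"/>
<osmatch name="Linux 3.2" accuracy="95" line="2"/>
</os></host>
</nmaprun>"""

# Constructed sample in the 6.00 layout (xmloutputversion 1.04): each osclass
# is nested inside the osmatch it belongs to, and a skipped target
# specification is recorded as a <target> element.
NEW_XML = """<nmaprun xmloutputversion="1.04">
<target specification="1.2.3.4.5" status="skipped" reason="invalid"/>
<host><os>
<osmatch name="Linux 2.6.32" accuracy="100" line="1">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="2.6.X" accuracy="100">
<cpe>cpe:/o:linux:linux_kernel:2.6.32</cpe>
</osclass>
</osmatch>
<osmatch name="Linux 3.2" accuracy="95" line="2">
<osclass type="general purpose" vendor="Linux" osfamily="Linux" osgen="3.X" accuracy="95"/>
</osmatch>
</os></host>
</nmaprun>"""


def osclass_to_dict(el):
    """Flatten one <osclass>, keeping any <cpe> children it carries."""
    return {
        "vendor": el.get("vendor"),
        "osfamily": el.get("osfamily"),
        "osgen": el.get("osgen"),
        "accuracy": int(el.get("accuracy", "0")),
        "cpe": [c.text for c in el.findall("cpe")],
    }


def parse_nmap_xml(xml_text):
    """Return OS matches per host plus the skipped target specifications.

    Nested <osclass> elements are attached to their <osmatch>.  Top-level
    <osclass> elements (old layout) cannot be tied to any particular match,
    so they are reported separately as 'orphan_classes'; that ambiguity is
    what the 1.04 layout removes.
    """
    root = ET.fromstring(xml_text)
    result = {
        "xmloutputversion": root.get("xmloutputversion"),
        "hosts": [],
        "skipped_targets": [
            (t.get("specification"), t.get("reason"))
            for t in root.findall("target")
            if t.get("status") == "skipped"
        ],
    }
    for host in root.findall("host"):
        os_el = host.find("os")
        if os_el is None:
            continue
        matches = []
        for m in os_el.findall("osmatch"):
            matches.append({
                "name": m.get("name"),
                "accuracy": int(m.get("accuracy", "0")),
                "classes": [osclass_to_dict(c) for c in m.findall("osclass")],
            })
        result["hosts"].append({
            "matches": matches,
            "orphan_classes": [osclass_to_dict(c) for c in os_el.findall("osclass")],
        })
    return result


def best_match(parsed):
    """Name of the highest-accuracy osmatch of the first host, or None."""
    hosts = parsed["hosts"]
    if not hosts or not hosts[0]["matches"]:
        return None
    return max(hosts[0]["matches"], key=lambda m: m["accuracy"])["name"]


if __name__ == "__main__":
    for label, doc in (("old", OLD_XML), ("new", NEW_XML)):
        p = parse_nmap_xml(doc)
        print(label, p["xmloutputversion"], best_match(p), p["skipped_targets"])
```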
 3952 
 3953 o [NSE] Added the script samba-vuln-cve-2012-1182 which detects the
 3954   SAMBA pre-auth remote root vulnerability (CVE-2012-1182).
 3955   [Aleksandar Nikolic]
 3956 
 3957 o [NSE] Added http-vuln-cve2012-1823.nse, which checks for PHP CGI
 3958   installations with a remote code execution vulnerability. [Paulino
 3959   Calderon]
 3960 
 3961 o [NSE] Added script targets-ipv6-mld that sends a malformed ICMP6 MLD Query
 3962   to discover IPv6 enabled hosts on the LAN. [Niteesh Kumar]
 3963 
 3964 o [NSE] Added rdp-vuln-ms12-020.nse by Aleksandar Nikolic. This tests
 3965   for two Remote Desktop vulnerabilities, including one allowing
 3966   remote code execution, that were fixed in the MS12-020 advisory.
 3967 
 3968 o [NSE] Added a stun library and the scripts stun-version and stun-info, which
 3969   extract version information and the external NATed address.
 3970   [Patrik Karlsson]
 3971 
 3972 o [NSE] Added the script duplicates which attempts to determine duplicate
 3973   hosts by analyzing information collected by other scripts. [Patrik Karlsson]
 3974 
 3975 o Fixed the routing table loop on OS X so that on-link routes appear.
 3976   Previously, they were ignored so that things like ARP scan didn't
 3977   work. [Patrik Karlsson, David Fifield]
 3978 
 3979 o Upgraded included libpcap to version 1.2.1.
 3980 
 3981 o [NSE] Added ciphers from RFC 5932 and Fortezza-based ciphers to
 3982   ssl-enum-ciphers.nse. The patch was submitted by Darren McDonald.
 3983 
 3984 o [NSE] Renamed hostmap.nse to hostmap-bfk.nse.
 3985 
 3986 o Fixed a compilation problem on Solaris 9 caused by a missing
 3987   definition of IPV6_V6ONLY. Reported by Dagobert Michelsen.
 3988 
 3989 o Setting --min-parallelism by itself no longer forces the maximum
 3990   parallelism to the same value. [Chris Woodbury, David Fifield]
 3991 
 3992 o Changed XML output to show the "service" element whenever a tunnel
 3993   is discovered for a port, even if the service behind it was unknown.
 3994   [Matt Foster]
 3995 
 3996 o [Zenmap] Fixed a crash that would happen in the profile editor when
 3997   the script.db file doesn't exist. The bug was reported by Daniel
 3998   Miller.
 3999 
 4000 o [Zenmap] It is now possible to compare scans having the same name or
 4001   command line parameters. [Jah, David Fifield]
 4002 
 4003 o Fixed an error that could occur with ICMPv6 probes and -d4 debugging:
 4004   "Unexpected probespec2ascii type encountered" [David Fifield]
 4005 
 4006 o [NSE] Added new script http-chrono, which measures min, max and average
 4007   response times of web servers. [Ange Gutek]
 4008 
 4009 o Applied a workaround to make pcap captures work better on Solaris
 4010   10. This involves peeking at the pcap buffer to ensure that captures
 4011   are not being lost. A symptom of the previous behavior was that,
 4012   when doing ARP host discovery against two targets, only one would be
 4013   reported as up. [David Fifield]
 4014 
 4015 o Fixed a bug that could cause Nsock timers to fire too early. This
 4016   could happen for the timed probes in IPv6 OS detection, causing an
 4017   incorrect measurement of the TCP_ISR feature. [David Fifield]
 4018 
 4019 o [Zenmap] We now build on Windows with a newer version of PyGTK, so
 4020   copy and paste should work again.
 4021 
 4022 o Changed the way timeout calculations are made in the IPv6 OS engine.
 4023   In rare cases a certain interleaving of probes and responses would
 4024   result in an assertion failure.
 4025 
 4026 Nmap 5.61TEST5 [2012-03-09]
 4027 
 4028 o Integrated all of your IPv4 OS fingerprint submissions since June
 4029   2011 (about 1,900 of them).  Added about 256 new fingerprints (and
 4030   deleted some bogus ones), bringing the new total to 3,572.
 4031   Additions include Apple iOS 5.01, OpenBSD 4.9 and 5.0, FreeBSD 7.0
 4032   through 9.0-PRERELEASE, and a ton of new WAPs, routers, and other
 4033   devices. Many existing fingerprints were improved. For more details,
 4034   see http://seclists.org/nmap-dev/2012/q1/431 [David Fifield]
 4035 
 4036 o Integrated all of your service/version detection fingerprints
 4037   submitted since November 2010--more than 2,500 of them!  Our
 4038   signature count increased more than 10% to 7,423 covering 862
 4039   protocols. Some amusing and bizarre new services are described at
 4040   http://seclists.org/nmap-dev/2012/q1/359 [David Fifield]
 4041 
 4042 o Integrated your latest IPv6 OS submissions and corrections. We're
 4043   still low on IPv6 fingerprints, so please scan any IPv6 systems you
 4044   own or administer and submit them to https://nmap.org/submit/.  Both
 4045   new fingerprints (if Nmap doesn't find a good match) and corrections
 4046   (if Nmap guesses wrong) are useful.
 4047 
 4048 o [NSE] Added a host-based registry which only persists (for the given
 4049   host) until all scripts have finished scanning that host. The normal
 4050   registry saves information until it is deleted or the Nmap scan
 4051   ends. That is a waste of memory for information which doesn't need
 4052   to persist that long. Use the host based registry instead if you
 4053   can. See https://nmap.org/book/nse-api.html#nse-api-registry. [Patrik
 4054   Karlsson]
 4055 
 4056 o IPv6 OS detection now includes a novelty detection system which
 4057   avoids printing a match when an observed fingerprint is too
 4058   different from fingerprints seen before. As the OS database is still
 4059   small, this helps to avoid making (essentially) wild guesses when
 4060   seeing a new operating system. [David Fifield]
 4061 
 4062 o Refactored the nsock library to add the nsock-engines system. This
 4063   allows system-specific scalable IO notification facilities to be
 4064   used while maintaining the portable Nsock API. This initial version
 4065   comes with an epoll-based engine for Linux and a select-based
 4066   fallback engine for all other operating systems. Also added the
 4067   --nsock-engine option to Nmap, Nping and Ncat to enforce use of a
 4068   specific Nsock IO engine. [Henri Doreau]
 4069 
 4070 o [NSE] Added 43(!) NSE scripts, bringing the total up to 340.  They
 4071   are all listed at https://nmap.org/nsedoc/, and the summaries are
 4072   below (authors are listed in brackets):
 4073 
 4074   + acarsd-info retrieves information from a listening acarsd
 4075     daemon. Acarsd decodes ACARS (Aircraft Communication Addressing
 4076     and Reporting System) data in real time. [Brendan Coles]
 4077 
 4078   + asn-to-prefix produces a list of IP prefixes for a given AS number
 4079     (ASN). It uses the external Shadowserver API (with their
 4080     permission). [John Bond]
 4081 
 4082   + broadcast-dhcp6-discover sends a DHCPv6 request (Solicit) to the
 4083     DHCPv6 multicast address, parses the response, then extracts and
 4084     prints the address along with any options returned by the
 4085     server. [Patrik Karlsson]
 4086 
 4087   + broadcast-networker-discover discovers the EMC Networker backup
 4088     software server on a LAN by using network broadcasts. [Patrik Karlsson]
 4089 
 4090   + broadcast-pppoe-discover discovers PPPoE servers using the PPPoE
 4091     Discovery protocol (PPPoED). [Patrik Karlsson]
 4092 
 4093   + broadcast-ripng-discover discovers hosts and routing information
 4094     from devices running RIPng on the LAN by sending a RIPng Request
 4095     command and collecting the responses from all responsive
 4096     devices. [Patrik Karlsson]
 4097 
 4098   + broadcast-versant-locate discovers Versant object databases using
 4099     the srvloc protocol. [Patrik Karlsson]
 4100 
 4101   + broadcast-xdmcp-discover discovers servers running the X Display
 4102     Manager Control Protocol (XDMCP) by sending a XDMCP broadcast
 4103     request to the LAN. [Patrik Karlsson]
 4104 
 4105   + cccam-version detects the CCcam service (software for sharing
 4106     subscription TV among multiple receivers). [David Fifield]
 4107 
 4108   + dns-client-subnet-scan performs a domain lookup using the
 4109     edns-client-subnet option, which adds subnet information to the
 4110     query describing where the query is originating. The script uses
 4111     this option to supply a number of geographically distributed
 4112     locations in an attempt to enumerate as many different address
 4113     records as possible. [John Bond]
 4114 
 4115   + dns-nsid retrieves information from a DNS nameserver by requesting
 4116     its nameserver ID (nsid) and asking for its id.server and
 4117     version.bind values. [John Bond]
 4118 
 4119   + dns-srv-enum enumerates various common service (SRV) records for a
 4120     given domain name.  The service records contain the hostname, port
 4121     and priority of servers for a given service. [Patrik Karlsson]
 4122 
 4123   + eap-info enumerates the authentication methods offered by an EAP
 4124     authenticator for a given identity or for the anonymous identity
 4125     if no argument is passed. [Riccardo Cecolin]
 4126 
 4127   + http-auth-finder spiders a web site to find web pages requiring
 4128     form-based or HTTP-based authentication. [Patrik Karlsson]
 4129 
 4130   + http-config-backup checks for backups and swap files of common
 4131     content management system and web server configuration
 4132     files. [Riccardo Cecolin]
 4133 
 4134   + http-generator displays the contents of the "generator" meta tag
 4135     of a web page (default: /) if there is one. [Michael Kohl]
 4136 
 4137   + http-proxy-brute performs brute force password guessing against a
 4138     HTTP proxy server. [Patrik Karlsson]
 4139 
 4140   + http-qnap-nas-info attempts to retrieve the model, firmware
 4141     version, and enabled services from a QNAP Network Attached Storage
 4142     (NAS) device. [Brendan Coles]
 4143 
 4144   + http-vuln-cve2009-3960 exploits cve-2009-3960 also known as Adobe
 4145     XML External Entity Injection. [Hani Benhabiles]
 4146 
 4147   + http-vuln-cve2010-2861 executes a directory traversal attack
 4148     against a ColdFusion server and tries to grab the password hash
 4149     for the administrator user. It then uses the salt value (hidden in
 4150     the web page) to create the SHA1 HMAC hash that the web server
 4151     needs for authentication as admin. [Micah Hoffman]
 4152 
 4153   + iax2-brute performs brute force password auditing against the
 4154     Asterisk IAX2 protocol. [Patrik Karlsson]
 4155 
 4156   + membase-brute performs brute force password auditing against
 4157     Couchbase Membase servers. [Patrik Karlsson]
 4158 
 4159   + membase-http-info retrieves information (hostname, OS, uptime,
 4160     etc.) from the CouchBase Web Administration port. [Patrik
 4161     Karlsson]
 4162 
 4163   + memcached-info retrieves information (including system
 4164     architecture, process ID, and server time) from the memcached
 4165     distributed memory object caching system. [Patrik Karlsson]
 4166 
 4167   + mongodb-brute performs brute force password auditing against the
 4168     MongoDB database. [Patrik Karlsson]
 4169 
 4170   + nat-pmp-mapport maps a WAN port on the router to a local port on
 4171     the client using the NAT Port Mapping Protocol (NAT-PMP). [Patrik
 4172     Karlsson]
 4173 
 4174   + ndmp-fs-info lists remote file systems by querying the remote
 4175     device using the Network Data Management Protocol (ndmp). [Patrik
 4176     Karlsson]
 4177 
 4178   + ndmp-version retrieves version information from the remote Network
 4179     Data Management Protocol (NDMP) service. [Patrik Karlsson]
 4180 
 4181   + nessus-xmlrpc-brute performs brute force password auditing against
 4182     a Nessus vulnerability scanning daemon using the XMLRPC
 4183     protocol. [Patrik Karlsson]
 4184 
 4185   + redis-brute performs brute force password auditing against a
 4186     Redis key-value store. [Patrik Karlsson]
 4187 
 4188   + redis-info retrieves information (such as version number and
 4189     architecture) from a Redis key-value store. [Patrik Karlsson]
 4190 
 4191   + riak-http-info retrieves information (such as node name and
 4192     architecture) from a Basho Riak distributed database using the
 4193     HTTP protocol. [Patrik Karlsson]
 4194 
 4195   + rpcap-brute performs brute force password auditing against the
 4196     WinPcap Remote Capture Daemon (rpcap). [Patrik Karlsson]
 4197 
 4198   + rpcap-info connects to the rpcap service (provides remote sniffing
 4199     capabilities through WinPcap) and retrieves interface
 4200     information. [Patrik Karlsson]
 4201 
 4202   + rsync-brute performs brute force password auditing against the
 4203     rsync remote file syncing protocol. [Patrik Karlsson]
 4204 
 4205   + rsync-list-modules lists modules available for rsync (remote file
 4206     sync) synchronization. [Patrik Karlsson]
 4207 
 4208   + socks-auth-info determines the supported authentication mechanisms
 4209     of a remote SOCKS 5 proxy server. [Patrik Karlsson]
 4210 
 4211   + socks-brute performs brute force password auditing against SOCKS 5
 4212     proxy servers. [Patrik Karlsson]
 4213 
 4214   + url-snarf sniffs an interface for HTTP traffic and dumps any URLs, and their
 4215     originating IP address. [Patrik Karlsson]
 4216 
 4217   + versant-info extracts information, including file paths, version
 4218     and database names from a Versant object database. [Patrik
 4219     Karlsson]
 4220 
 4221   + vmauthd-brute performs brute force password auditing against the
 4222     VMWare Authentication Daemon (vmware-authd). [Patrik Karlsson]
 4223 
 4224   + voldemort-info retrieves cluster and store information from the
 4225     Voldemort distributed key-value store using the Voldemort Native
 4226     Protocol. [Patrik Karlsson]
 4227 
 4228   + xdmcp-discover requests an XDMCP (X display manager control
 4229     protocol) session and lists supported authentication and
 4230     authorization mechanisms. [Patrik Karlsson]
 4231 
 4232 o [NSE] Added 14 new protocol libraries! They were all written by
 4233   Patrik Karlsson, except for the EAP library by Riccardo Cecolin:
 4234   + dhcp6 (Dynamic Host Configuration Protocol for IPv6)
 4235   + eap (Extensible Authentication Protocol)
 4236   + iax2 (Inter-Asterisk eXchange v2 VoIP protocol)
 4237   + membase (Couchbase Membase TAP protocol)
 4238   + natpmp (NAT Port Mapping Protocol)
 4239   + ndmp (Network Data Management Protocol)
 4240   + pppoe (Point-to-point protocol over Ethernet)
 4241   + redis (in-memory key-value data store)
 4242   + rpcap (WinPcap Remote Capture Daemon)
 4243   + rsync (remote file sync)
 4244   + socks (SOCKS 5 proxy protocol)
 4245   + sslcert (for collecting SSL certificates and storing them in the
 4246     host-based registry)
 4247   + versant (an object database)
 4248   + xdmcp (X Display Manager Control Protocol)
 4249 
 4250 o CPE (Common Platform Enumeration) OS classification is now supported
 4251   for IPv6 OS detection. Previously it was only available for
 4252   IPv4. [David Fifield]
 4253 
 4254 o [NSE] The host.os table is now a structured array of tables that
 4255   include OS class information and CPE. See
 4256   https://nmap.org/book/nse-api.html for documentation of the new
 4257   structure. [Henri Doreau, David]
 4258 
 4259 o [NSE] Service matches can now access CPE through the
 4260   port.version.cpe array. [Henri Doreau]
 4261 
 4262 o Added a new --script-args-file option which allows you to specify
 4263   the name of a file containing all of your desired NSE script
 4264   arguments. The arguments may be separated with commas or newlines
 4265   and may be overridden by arguments specified on the command-line
 4266   with --script-args. [Daniel Miller]
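The two rules stated for --script-args-file (entries split on commas or newlines, command-line --script-args taking precedence) as an added example, not Nmap's own code. It implements only those two rules; quoting and nested-table syntax of real NSE arguments are left out, and the argument names in the sample are constructed.

```python
"""Merge NSE script arguments from a --script-args-file with --script-args.

Added example, not Nmap's own code. Only the rules stated in the changelog
are implemented: entries are separated by commas or newlines, and an
argument given on the command line overrides a file entry of the same name.
"""


def parse_script_args(text):
    """Split 'name=value' entries separated by commas or newlines.

    Returns a dict preserving first-seen order.  An entry without '=' is
    treated as a boolean flag (assumption for this example).
    """
    args = {}
    for chunk in text.replace("\r\n", "\n").replace("\n", ",").split(","):
        entry = chunk.strip()
        if not entry:
            continue  # blank line or trailing comma
        name, sep, value = entry.partition("=")
        args[name.strip()] = value.strip() if sep else True
    return args


def merge_script_args(file_text, cli_text=""):
    """File entries first, then command-line entries override by name."""
    merged = parse_script_args(file_text)
    merged.update(parse_script_args(cli_text))
    return merged


def to_script_args_string(args):
    """Render back into the comma-separated form --script-args accepts."""
    return ",".join(k if v is True else f"{k}={v}" for k, v in args.items())


# Constructed sample file contents: mixed newline and comma separators.
SAMPLE_FILE = """http-brute.path=/admin
userdb=users.txt, passdb=pass.txt
brute.threads=4
"""

if __name__ == "__main__":
    merged = merge_script_args(SAMPLE_FILE, "http-brute.path=/login,brute.firstonly")
    print(to_script_args_string(merged))
```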
 4267 
 4268 o Audited the nmap-service-probes database to remove all unused
 4269   captures, fixing dozens of bugs with captures either being ignored
 4270   or two fields erroneously using the same capture. [Lauri Kokkonen,
 4271   David Fifield, and Rob Nicholls]
 4272 
 4273 o Added new version detection probes and match lines for:
 4274   + Erlang Port Mapper Daemon
 4275   + Couchbase Membase NoSQL database
 4276   + Basho Riak distributed database protocol buffers client (PBC)
 4277   + Tarantool in-memory data store
 4278   [Patrik Karlsson]
 4279 
 4280 o Split the nmap-update client into its own binary RPM to avoid the
 4281   Nmap RPM having a dependency on the Subversion and APR libraries.
 4282   We're not yet distributing this binary nmap-update RPM since the
 4283   system isn't complete, but the source code is available in the Nmap
 4284   tarball and source RPM. [David]
 4285 
 4286 o [NSE] Added authentication support to the MongoDB library and
 4287   modified existing scripts to support it. [Patrik Karlsson]
 4288 
 4289 o [NSE] Added support to broadcast-listener for extracting address, native VLAN
 4290   and management IP address from CDP packets. [Tom Sellers]
 4291 
 4292 o [NSE] Added RPC Call CALLIT to the RPC library and modified UDP sockets to be
 4293   unconnected in order to support broadcast. [Patrik Karlsson]
 4294 
 4295 o [NSE] Modified the ssl-cert and ssl-google-cert-catalog scripts to
 4296   take advantage of the new sslcert library which retrieves and caches
 4297   SSL certificates in the registry.
 4298 
 4299 o [NSE] Patch our bitcoin library to support recent changes in the
 4300   Bitcoin protocol. [Andrew Orr, Patrik Karlsson]
 4301 
 4302 o Fixed an error where very long messages could cause an
 4303   assertion failure: "log_vwrite: vsnprintf failed.  Even after
 4304   increasing bufferlen to ---, Vsnprintf returned -1 (logt == 1)."
 4305   This was reported by David Hingos.
 4306 
 4307 o Fixed an assertion failure that was printed when a fatal error
 4308   occurred while an XML tag was incomplete: "!xml.tag_open, file
 4309   ..\xml.cc, line 401". This was reported by David Hingos. [David
 4310   Fifield]
 4311 
 4312 o [NSE] Added support for decoding EIGRP broadcasts from Cisco routers
 4313   to broadcast-listener. [Tom Sellers]
 4314 
 4315 o [NSE] Added redirect support to the http library. All calls to
 4316   http.get and http.head now transparently handle any HTTP
 4317   redirects. The number and destination of redirects are limited by
 4318   default to avoid endless loops or unwanted follows of redirects to
 4319   different servers, but they can be configured. [Patrik Karlsson]
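
A redirect policy like the one this entry describes, as an added example
that is not code from Nmap's http library: it follows 3xx Location headers
only up to a fixed count and only to the same scheme, host and port as the
original request, resolving relative Location values along the way. The cap
of 5, the same-server definition, the canned responses and the
target.example / other.example names are this example's own assumptions;
nothing below touches the network.

```python
"""Bounded, same-server redirect following (added example; not Nmap's http.lua).

Models the two limits the changelog entry describes: a cap on the number of
redirects followed, and a refusal to follow redirects off the original server.
The cap value and the definition of "same server" are assumptions.
"""
from urllib.parse import urljoin, urlsplit

MAX_REDIRECTS = 5  # assumed default cap, not Nmap's configured value


def same_server(url_a, url_b):
    """Scheme, host and port together identify the server, so an https->http
    downgrade or a port change counts as a different server."""
    a, b = urlsplit(url_a), urlsplit(url_b)
    return (a.scheme, a.hostname, a.port) == (b.scheme, b.hostname, b.port)


def follow_redirects(fetch, start_url, max_redirects=MAX_REDIRECTS,
                     allow_other_servers=False):
    """Fetch start_url, following 3xx Location headers within the limits.

    `fetch(url)` must return (status, headers_dict, body). Returns
    (final_url, status, body, reason) where reason is "ok", "redirect-limit"
    or "cross-server". The response that triggered a stop is returned as-is
    so the caller still sees what the server sent.
    """
    url = start_url
    hops = 0
    while True:
        status, headers, body = fetch(url)
        location = headers.get("Location") or headers.get("location")
        if not (300 <= status < 400 and location):
            return url, status, body, "ok"
        target = urljoin(url, location)  # relative Location values are resolved
        if not allow_other_servers and not same_server(start_url, target):
            return url, status, body, "cross-server"
        if hops >= max_redirects:        # breaks A -> B -> A loops
            return url, status, body, "redirect-limit"
        hops += 1
        url = target


# Constructed canned responses standing in for a server; not real traffic.
CANNED = {
    "http://target.example/": (302, {"Location": "/login"}, ""),
    "http://target.example/login": (200, {}, "<html>login form</html>"),
    "http://target.example/loop-a": (302, {"Location": "/loop-b"}, ""),
    "http://target.example/loop-b": (302, {"Location": "/loop-a"}, ""),
    "http://target.example/away": (301, {"Location": "https://other.example/"}, ""),
    "https://other.example/": (200, {}, "elsewhere"),
}


def canned_fetch(url):
    """Look up a constructed response; unknown URLs return 404."""
    return CANNED.get(url, (404, {}, ""))
```

Running follow_redirects(canned_fetch, "http://target.example/loop-a") stops
with reason "redirect-limit" after five hops, and the /away request is
refused with "cross-server" unless allow_other_servers is set.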
 4320 
 4321 o [NSE] Modified the sql-injection script to use the httpspider library.
 4322   [Lauri Kokkonen]
 4323 
 4324 o Added --with-apr and --with-subversion configuration options to
 4325   support systems where those libraries aren't in the usual places.
 4326   [David Fifield]
 4327 
 4328 o [NSE] Fixed a bunch of global access errors in various libraries reported by
 4329   the nse_check_globals script. [Patrik Karlsson]
 4330 
 4331 o Fixed an assertion failure which could occur when connecting to an
 4332   SSL server:
 4333   nsock_core.c:186: update_events: Assertion `(ev_inc & ev_dec) == 0' failed.
 4334   Thanks to Ron for reporting the bug and testing. [Henri Doreau]
 4335 
 4336 o [NSE] Added support to the DNS library for the CHAOS class and NSID
 4337   requests. [John Bond]
 4338 
 4339 o [NSE] Changed the dnsbl library to take a much faster threaded
 4340   approach to querying DNS blacklists. [Patrik Karlsson]
 4341 
 4342 o [NSE] Added new services and the ATTACK category to the dnsbl
 4343   script. [Duarte Silva]
 4344 
 4345 o [NSE] Fixed a memory leak in PortList::setServiceProbeResults()
 4346   which was noticed and reported by David Fifield. The leak was
 4347   triggered by set_port_version calls from NSE.  [Henri Doreau]
 4348 
 4349 o [NSE] Fixed a race condition in broadcast-dhcp-discover.nse that
 4350   could cause responses to be missed on fast networks. It was noticed
 4351   by Vasiliy Kulikov. [David Fifield]
 4352 
 4353 o Fixed a bug in reverse name resolution: a name of "." would leave
 4354   the hostname uninitialized and cause "Illegal character(s) in
 4355   hostname" warnings. [Gisle Vanem]
 4356 
 4357 o Allow overriding the AR variable to use a different version of the
 4358   ar library creation tool when creating the liblinear library. [Nuno
 4359   Gonçalves]
 4360 
 4361 o Added vcredist2008_x86.exe to the Windows zip file. This installer
 4362   from MS must be run on new Windows 2008 systems (those which don't
 4363   already have it) before running Nmap.  The Nmap Windows installer
 4364   already takes care of this. [David Fifield]
 4365 
 4366 o Removed about 5MB of unnecessary DocBook XSL from the Nping docs
 4367   directory. [David Fifield]
 4368 
 4369 o The packet library now uses consistent naming of the address fields
 4370   for IPv4 and IPv6 packets (ip_bin_src, ip_bin_dst, ip_src, and
 4371   ip_dst). [Henri Doreau]
 4372 
 4373 o Update to the latest MAC address prefix assignments from IEEE as of
 4374   March 8, 2012. [Fyodor]
 4375 
 4376 o Fixed a problem in the ippackethdrinfo function which was leading to
 4377   warning messages like: "BOGUS!  Can't parse supposed IP packet" during
 4378   certain IPv6 scans. [David Fifield]
 4379 
 4380 o Fixed building on Arch Linux. The PCAP_IS_SUITABLE test had to be
 4381   modified to ensure that -lnl was passed on the build line. See the
 4382   r28202 svn log for further information. [David Fifield]
 4383 
 4384 o Include net/if.h before net/if_arp.h in netutil.cc and tcpip.cc to
 4385   hopefully fix some build problems on AIX 5.3.
 4386 
 4387 o [NSE] Added IPv6 support to firewalk.nse. [Henri Doreau]
 4388 
 4389 Nmap 5.61TEST4 [2012-01-02]
 4390 
 4391 o [NSE] Added a new httpspider library which is used for recursively
 4392   crawling web sites for information.  New scripts using this
 4393   functionality include http-backup-finder, http-email-harvest,
 4394   http-grep, http-open-redirect, and http-unsafe-output-escaping. See
 4395   https://nmap.org/nsedoc/ or the list later in this file for details
 4396   on these. [Patrik]
 4397 
 4398 o Our Mac OS X packages are now x86-only (rather than universal),
 4399   reducing the download size from 30 MB to about 17.  If you still
 4400   need a PowerPC version (Apple stopped selling those machines in
 4401   2006), you can use Nmap 5.51 or 5.61TEST2 from
 4402   https://nmap.org/dist/?C=M&O=D.
 4403 
 4404 o We set up a new SVN server for the Nmap codebase.  This one uses SSL
 4405   for better security, WebDAV rather than svnserve for greater
 4406   functionality, is hosted on a faster (virtual) machine, provides
 4407   Nmap code history back to 1998 rather than 2005, and removes the
 4408   need for the special "guest" username.  The new server is at
 4409   https://svn.nmap.org.  More information:
 4410   http://seclists.org/nmap-dev/2011/q4/504.
 4411 
 4412 o [NSE] Added a vulnerability management library (vulns.lua) to store and to
 4413   report discovered vulnerabilities.  Modified these scripts to use
 4414   the new library:
 4415   - ftp-libopie.nse
 4416   - http-vuln-cve2011-3192.nse
 4417   - ftp-vuln-cve2010-4221.nse
 4418   - ftp-vsftpd-backdoor.nse
 4419   - smtp-vuln-cve2011-1720.nse
 4420   - smtp-vuln-cve2011-1764.nse
 4421   - afp-path-vuln.nse
 4422   [Djalal, Henri]
 4423 
 4424 o [NSE] Added a new script force feature.  You can force scripts to
 4425   run against target ports (even if the "wrong" service is detected)
 4426   by placing a plus in front of the script name passed to --script.
 4427   See
 4428   https://nmap.org/book/nse-usage.html#nse-script-selection. [Martin
 4429   Swende]
 4430 
 4431 o [NSE] Added 51(!) NSE scripts, bringing the total up to 297.  They
 4432   are all listed at https://nmap.org/nsedoc/, and the summaries are
 4433   below (authors listed in brackets):
 4434 
 4435   + amqp-info gathers information (a list of all server properties)
 4436     from an AMQP (advanced message queuing protocol)
 4437     server. [Sebastian Dragomir]
 4438 
 4439   + bitcoin-getaddr queries a Bitcoin server for a list of known
 4440     Bitcoin nodes. [Patrik Karlsson]
 4441 
 4442   + bitcoin-info extracts version and node information from a Bitcoin
 4443     server [Patrik Karlsson]
 4444 
 4445   + bitcoinrpc-info obtains information from a Bitcoin server by
 4446     calling getinfo on its JSON-RPC interface. [Toni
 4447     Ruottu]
 4448 
 4449   + broadcast-pc-anywhere sends a special broadcast probe to discover
 4450     PC-Anywhere hosts running on a LAN. [Patrik Karlsson]
 4451 
 4452   + broadcast-pc-duo discovers PC-DUO remote control hosts and
 4453     gateways running on the LAN. [Patrik Karlsson]
 4454 
 4455   + broadcast-rip-discover discovers hosts and routing information
 4456     from devices running RIPv2 on the LAN. It does so by sending a
 4457     RIPv2 Request command and collects the responses from all devices
 4458     responding to the request. [Patrik Karlsson]
 4459 
 4460   + broadcast-sybase-asa-discover discovers Sybase Anywhere servers on
 4461     the LAN by sending broadcast discovery messages. [Patrik Karlsson]
 4462 
 4463   + broadcast-wake-on-lan wakes a remote system up from sleep by
 4464     sending a Wake-On-Lan packet. [Patrik Karlsson]
 4465 
 4466   + broadcast-wpad-discover retrieves a list of proxy servers on the
 4467     LAN using the Web Proxy Autodiscovery Protocol (WPAD). [Patrik
 4468     Karlsson]
 4469 
 4470   + dns-blacklist checks target IP addresses against multiple DNS
 4471     anti-spam and open proxy blacklists and returns a list of services
 4472     where the IP has been blacklisted. [Patrik Karlsson]
 4473 
 4474   + dns-zeustracker checks if the target IP range is part of a Zeus
 4475     botnet by querying ZTDNS @ abuse.ch. [Mikael Keri]
 4476 
 4477   + ganglia-info retrieves system information (OS version, available
 4478     memory, etc.) from a listening Ganglia Monitoring Daemon or
 4479     Ganglia Meta Daemon. [Brendan Coles]
 4480 
 4481   + hadoop-datanode-info discovers information such as log directories
 4482     from an Apache Hadoop DataNode HTTP status page. [John R. Bond]
 4483 
 4484   + hadoop-jobtracker-info retrieves information from an Apache Hadoop
 4485     JobTracker HTTP status page. [John R. Bond]
 4486 
 4487   + hadoop-namenode-info retrieves information from an Apache Hadoop
 4488     NameNode HTTP status page. [John R. Bond]
 4489 
 4490   + hadoop-secondary-namenode-info retrieves information from an
 4491     Apache Hadoop secondary NameNode HTTP status page. [John R. Bond]
 4492 
 4493   + hadoop-tasktracker-info retrieves information from an Apache
 4494     Hadoop TaskTracker HTTP status page. [John R. Bond]
 4495 
 4496   + hbase-master-info retrieves information from an Apache HBase
 4497     (Hadoop database) master HTTP status page. [John R. Bond]
 4498 
 4499   + hbase-region-info retrieves information from an Apache HBase
 4500     (Hadoop database) region server HTTP status page. [John R. Bond]
 4501 
 4502   + http-apache-negotiation checks if the target http server has
 4503     mod_negotiation enabled.  This feature can be leveraged to find
 4504     hidden resources and spider a web site using fewer requests. [Hani
 4505     Benhabiles]
 4506 
 4507   + http-backup-finder spiders a website and attempts to identify
 4508     backup copies of discovered files.  It does so by requesting a
 4509     number of different combinations of the filename (e.g. index.bak,
 4510     index.html~, copy of index.html). [Patrik Karlsson]
 4511 
 4512   + http-cors tests an http server for Cross-Origin Resource Sharing
 4513     (CORS), a way for domains to explicitly opt in to having certain
 4514     methods invoked by another domain. [Toni Ruottu]
 4515 
 4516   + http-email-harvest spiders a web site and collects e-mail
 4517     addresses. [Patrik Karlsson]
 4518 
 4519   + http-grep spiders a website and attempts to match all pages and
 4520     urls against a given string. Matches are counted and grouped per
 4521     url under which they were discovered. [Patrik Karlsson]
 4522 
 4523   + http-method-tamper tests whether a JBoss target is vulnerable to
 4524     jmx console authentication bypass (CVE-2010-0738). [Hani
 4525     Benhabiles]
 4526 
 4527   + http-open-redirect spiders a website and attempts to identify open
 4528     redirects. Open redirects are handlers which commonly take a URL
 4529     as a parameter and respond with an HTTP redirect (3XX) to the
 4530     target. [Martin Holst Swende]
 4531 
 4532   + http-put uploads a local file to a remote web server using the
 4533     HTTP PUT method. You must specify the filename and URL path with
 4534     NSE arguments. [Patrik Karlsson]
 4535 
 4536   + http-robtex-reverse-ip obtains up to 100 forward DNS names for a
 4537     target IP address by querying the Robtex service
 4538     (http://www.robtex.com/ip/). [riemann]
 4539 
 4540   + http-unsafe-output-escaping spiders a website and attempts to
 4541     identify output escaping problems where content is reflected back
 4542     to the user. [Martin Holst Swende]
 4543 
 4544   + http-vuln-cve2011-3368 tests for the CVE-2011-3368 (Reverse Proxy
 4545     Bypass) vulnerability in Apache HTTP server's reverse proxy
 4546     mode. [Ange Gutek, Patrik Karlsson]
 4547 
 4548   + ipv6-node-info obtains hostnames, IPv4 and IPv6 addresses through
 4549     IPv6 Node Information Queries. [David Fifield]
 4550 
 4551   + irc-botnet-channels checks an IRC server for channels that are
 4552     commonly used by malicious botnets. [David Fifield, Ange Gutek]
 4553 
 4554   + irc-brute performs brute force password auditing against IRC
 4555     (Internet Relay Chat) servers. [Patrik Karlsson]
 4556 
 4557   + krb5-enum-users discovers valid usernames by brute force querying
 4558     likely usernames against a Kerberos service. [Patrik Karlsson]
 4559 
 4560   + maxdb-info retrieves version and database information from a SAP
 4561     Max DB database. [Patrik Karlsson]
 4562 
 4563   + metasploit-xmlrpc-brute performs brute force password auditing
 4564     against a Metasploit RPC server using the XMLRPC protocol. [Vlatko
 4565     Kosturjak]
 4566 
 4567   + ms-sql-dump-hashes dumps the password hashes from an MS-SQL server
 4568     in a format suitable for cracking by tools such as
 4569     John-the-ripper. In order to do so the user needs to have the
 4570     appropriate DB privileges. [Patrik Karlsson]
 4571 
 4572   + nessus-brute performs brute force password auditing against a
 4573     Nessus vulnerability scanning daemon using the NTP 1.2
 4574     protocol. [Patrik Karlsson]
 4575 
 4576   + nexpose-brute performs brute force password auditing against a
 4577     Nexpose vulnerability scanner using the API 1.1. [Vlatko
 4578     Kosturjak]
 4579 
 4580   + openlookup-info parses and displays the banner information of an
 4581     OpenLookup (network key-value store) server. [Toni Ruottu]
 4582 
 4583   + openvas-otp-brute performs brute force password auditing against an
 4584     OpenVAS vulnerability scanner daemon using the OTP 1.0
 4585     protocol. [Vlatko Kosturjak]
 4586 
 4587   + reverse-index creates a reverse index at the end of scan output
 4588     showing which hosts run a particular service. [Patrik Karlsson]
 4589 
 4590   + rexec-brute performs brute force password auditing against the
 4591     classic UNIX rexec (remote exec) service. [Patrik Karlsson]
 4592 
 4593   + rlogin-brute performs brute force password auditing against the
 4594     classic UNIX rlogin (remote login) service. [Patrik Karlsson]
 4595 
 4596   + rtsp-methods determines which methods are supported by the RTSP
 4597     (real time streaming protocol) server. [Patrik Karlsson]
 4598 
 4599   + rtsp-url-brute attempts to enumerate RTSP media URLs by testing
 4600     for common paths on devices such as surveillance IP
 4601     cameras. [Patrik Karlsson]
 4602 
 4603   + telnet-encryption determines whether the encryption option is
 4604     supported on a remote telnet server.  Some systems (including
 4605     FreeBSD and the krb5 telnetd available in many Linux
 4606     distributions) implement this option incorrectly, leading to a
 4607     remote root vulnerability. [Patrik Karlsson, David Fifield,
 4608     Fyodor]
 4609 
 4610   + tftp-enum enumerates TFTP (trivial file transfer protocol)
 4611     filenames by testing for a list of common ones. [Alexander Rudakov]
 4612 
 4613   + unusual-port compares the detected service on a port against the
 4614     expected service for that port number (e.g. ssh on 22, http on 80)
 4615     and reports deviations. An early version of this same idea was
 4616     written by Daniel Miller. [Patrik Karlsson]
 4617 
 4618   + vuze-dht-info retrieves some basic information, including protocol
 4619     version from a Vuze filesharing node. [Patrik Karlsson]
 4620 
 4621 o [NSE] Added some new protocol libraries:
 4622   + amqp (advanced message queuing protocol) [Sebastian Dragomir]
 4623   + bitcoin (Bitcoin crypto-currency protocol) [Patrik Karlsson]
 4624   + dnsbl (DNS-based blacklists) [Patrik Karlsson]
 4625   + rtsp (real time streaming protocol) [Patrik Karlsson]
 4626   + httpspider and vulns have separate entries in this CHANGELOG
 4627 
 4628 o Nmap now includes a nmap-update program for obtaining the latest
 4629   updates (new scripts, OS fingerprints, etc.)  The system is
 4630   currently only available to a few developers for testing, but we
 4631   hope to enable a larger set of beta testers soon. [David]
 4632 
 4633 o On Windows, the directory [HOME]\AppData\Roaming\nmap is now
 4634   searched for data files. This is the equivalent of $HOME/.nmap on
 4635   POSIX. [David]
 4636 
 4637 o Improved OS detection performance by scaling congestion control
 4638   increments by the response rate during OS scan, just as was done
 4639   for port scan before. [David]
 4640 
 4641 o [NSE] The targets-ipv6-multicast-*.nse scripts now scan all
 4642   interfaces by default. They show the MAC address and interface name
 4643   now too. [David, Daniel Miller]
 4644 
 4645 o Added some new version detection probes:
 4646   + MongoDB service [Martin Holst Swende]
 4647   + Metasploit XMLRPC service [Vlatko Kosturjak]
 4648   + Vuze filesharing system [Patrik]
 4649   + Redis key-value store [Patrik]
 4650   + memcached [Patrik]
 4651   + Sybase SQL Anywhere [Patrik]
 4652   + VMware ESX Server [Aleksey Tyurin]
 4653   + TCP Kerberos [Patrik]
 4654   + PC-Duo [Patrik]
 4655   + PC Anywhere [Patrik]
 4656 
 4657 o Targets requiring different source addresses now go into different
 4658   hostgroups, not only for host discovery but also for port scanning.
 4659   Before, only responses to one of the source addresses would be
 4660   processed, and the others would be ignored. [David]
 4661 
 4662 o Tidied up the version detection DB (nmap-service-probes) with a new
 4663   cleanup/canonicalization program sv-tidy.  In particular, this:
 4664   - Removes excess whitespace
 4665   - Sorts templates in the order m p v i d o h cpe:
 4666   - Canonicalizes template delimiters in the order: / | % = @ #.
 4667   [David]
 4668 
 4669 o The --exclude and --excludefile options for excluding targets can
 4670   now be used together. [David]
 4671 
 4672 o [NSE] Added support to the http.lua library for detecting whether an
 4673   HTTP connection was established over SSL. [Patrik]
 4674 
 4675 o [NSE] Added local port to BPF filter in snmp-brute to fix bug that would
 4676   prevent multiple scripts from receiving the correct responses. The bug was
 4677   discovered by Brendan Bird. [Patrik]
 4678 
 4679 o [NSE] Changed the dhcp-discover script to use the DHCPINFORM request
 4680   to query DHCP servers instead of DHCPDISCOVER. Also removed DoS code
 4681   from dhcp-discover and placed the script into the discovery and safe
 4682   categories. Added support for adding options to DHCP requests and
 4683   cleaned up some code in the dhcp library. [Patrik]
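
What switching from DHCPDISCOVER to DHCPINFORM changes on the wire, as an
added example that is not Nmap's dhcp library: DHCPINFORM carries the
client's existing address in ciaddr and asks only for parameters, so the
server answers without allocating a lease, which is why repeating it does
not drain an address pool the way repeated DHCPDISCOVER can. The builder and
parser below follow the RFC 2131/2132 layout; the MAC address, IP address
and transaction id are made up, and nothing is sent.

```python
"""DHCPINFORM vs DHCPDISCOVER construction (added example; not Nmap's dhcp.lua).

DHCPINFORM (RFC 2131) asks a server for configuration parameters only; the
client already has an address (ciaddr is set), so no lease is allocated.
DHCPDISCOVER asks for a lease and, repeated, can exhaust an address pool.
Field layout follows RFC 2131 / RFC 2132; nothing is sent on the wire.
"""
import struct

DHCPDISCOVER = 1
DHCPINFORM = 8
MAGIC_COOKIE = b"\x63\x82\x53\x63"
OPT_PAD = 0
OPT_MESSAGE_TYPE = 53
OPT_PARAM_REQUEST = 55
OPT_END = 255
HEADER_FORMAT = "!BBBBIHH4s4s4s4s16s64s128s"  # 236-byte fixed BOOTP header


def build_dhcp(msg_type, xid, mac, ciaddr=b"\x00\x00\x00\x00",
               param_list=(1, 3, 6, 15), extra_options=()):
    """Return a raw DHCP request as bytes.

    mac is the 6-byte client hardware address, ciaddr the 4-byte client IP.
    DHCPINFORM requires a non-zero ciaddr; DHCPDISCOVER sets the broadcast
    flag because the client has no address on which to receive a unicast reply.
    """
    if len(mac) != 6 or len(ciaddr) != 4:
        raise ValueError("mac must be 6 bytes and ciaddr 4 bytes")
    if msg_type == DHCPINFORM and ciaddr == b"\x00" * 4:
        raise ValueError("DHCPINFORM must carry the client's own address in ciaddr")
    flags = 0x8000 if msg_type == DHCPDISCOVER else 0
    zero4 = b"\x00" * 4
    header = struct.pack(HEADER_FORMAT,
                         1,          # op: BOOTREQUEST
                         1, 6, 0,    # htype Ethernet, hlen 6, hops 0
                         xid, 0, flags,
                         ciaddr, zero4, zero4, zero4,   # ciaddr yiaddr siaddr giaddr
                         mac.ljust(16, b"\x00"),        # chaddr, padded to 16
                         b"\x00" * 64, b"\x00" * 128)   # sname, file
    options = bytearray(MAGIC_COOKIE)
    options += bytes((OPT_MESSAGE_TYPE, 1, msg_type))
    options += bytes((OPT_PARAM_REQUEST, len(param_list))) + bytes(param_list)
    for code, value in extra_options:   # caller-supplied TLV options
        options += bytes((code, len(value))) + bytes(value)
    options.append(OPT_END)
    return bytes(header) + bytes(options)


def parse_options(packet):
    """Decode the TLV option area of a DHCP message into {code: value bytes}."""
    fixed = struct.calcsize(HEADER_FORMAT)
    if packet[fixed:fixed + 4] != MAGIC_COOKIE:
        raise ValueError("missing DHCP magic cookie")
    opts = {}
    i = fixed + 4
    while i < len(packet):
        code = packet[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:           # single-byte pad, no length field
            i += 1
            continue
        length = packet[i + 1]
        opts[code] = packet[i + 2:i + 2 + length]
        i += 2 + length
    return opts


def message_type(packet):
    """Return the DHCP message type (8 for DHCPINFORM, 1 for DHCPDISCOVER)."""
    return parse_options(packet)[OPT_MESSAGE_TYPE][0]


# Constructed sample values; not captured traffic.
SAMPLE_MAC = bytes.fromhex("0242ac110002")
SAMPLE_IP = bytes([192, 0, 2, 10])
INFORM = build_dhcp(DHCPINFORM, 0x3903F326, SAMPLE_MAC, ciaddr=SAMPLE_IP)
DISCOVER = build_dhcp(DHCPDISCOVER, 0x3903F326, SAMPLE_MAC)
```

Comparing INFORM and DISCOVER byte for byte shows the only differences:
ciaddr (bytes 12-15) is filled in for DHCPINFORM, the broadcast flag
(bytes 10-11) is set only for DHCPDISCOVER, and option 53 carries 8 instead
of 1.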
 4684 
 4685 o [NSE] Applied patch to snmp-brute that solves problems with handling
 4686   errors that occur during community list file parsing. [Duarte
 4687   Silva]
 4688 
 4689 o [NSE] Added new fingerprints to http-enum for:
 4690   - Subversion, CVS and Apache Archiva [Duarte Silva]
 4691   - DVCS systems Git, Mercurial and Bazaar [Hani Benhabiles].
 4692 
 4693 o [NSE] Applied some code cleanup to the snmp library. [Brendan Byrd]
 4694 
 4695 o [NSE] Fixed an undeclared variable bug in snmp-ios-config [Patrik]
 4696 
 4697 o [NSE] Add additional version information to MongoDB scripts [Martin
 4698   Swende]
 4699 
 4700 o [NSE] Added path argument to the http-auth script and update the
 4701   script to use stdnse.format_output. [Duarte Silva, Patrik]
 4702 
 4703 o [NSE] Fixed bug in the http library that would fail to parse
 4704   authentication headers if no parameters were present. [Patrik]
 4705 
 4706 o Made a syntax change in the zenmap.desktop file for compliance with
 4707   the XDG standard. [Frederik Schwarzer]
 4708 
 4709 o [NSE] Replaced a number of GET requests with HEAD in
 4710   http-fingerprints.lua.  HEAD is quicker and sufficient when no
 4711   matching is performed on the returned contents.  [Hani Benhabiles]
 4712 
 4713 o [NSE] Added support for retrieving SSL certificates from FTP
 4714   servers. [Matt Selsky]
 4715 
 4716 o [Nping] The --safe-payloads option is now the default. Added
 4717   --include-payloads for the special situations where payloads are
 4718   needed. [Colin Rice]
 4719 
 4720 o [NSE] Added new functionality and fixed some bugs in the brute library:
 4721   - Added support for restricting the number of guesses performed by the
 4722     brute library against users, to prevent account lockouts.
 4723   - Added support to guess the username as password. The documentation
 4724     previously suggested (wrongly) that this was the default behavior.
 4725   - Added support to guess an empty string as password if not
 4726     present in the dictionary. [Patrik]
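
The guessing behaviour these three items describe, as an added example
written for this page rather than taken from Nmap's brute library:
username-as-password and the empty password go first, the dictionary
follows, duplicates are not re-sent, and each account receives at most a
fixed number of guesses (one fewer than a known lockout threshold). The
account table and authenticator below are constructed stand-ins for a target.

```python
"""Guess ordering with a per-account cap (added example; not Nmap's brute.lua).

Yields (user, password) pairs the way the changelog entry describes:
username-as-password and the empty password are tried first (once each, even
if the dictionary also lists them), then the dictionary, and no account ever
receives more than max_per_user guesses so a lockout threshold is not hit.
"""


def guess_sequence(users, passwords, max_per_user=None,
                   try_username=True, try_empty=True):
    """Yield (user, password) pairs in attempt order, capped per account."""
    for user in users:
        candidates = []
        if try_username:
            candidates.append(user)
        if try_empty:
            candidates.append("")
        candidates.extend(passwords)
        seen = set()
        sent = 0
        for password in candidates:
            if password in seen:          # a repeat would waste a capped guess
                continue
            seen.add(password)
            if max_per_user is not None and sent >= max_per_user:
                break
            sent += 1
            yield user, password


def run_audit(authenticate, users, passwords, lockout_threshold=None):
    """Drive guess_sequence against `authenticate(user, password) -> bool`.

    Stops guessing an account as soon as it succeeds. When a lockout
    threshold is known, one fewer attempt than the threshold is made per
    account so the audit itself never locks anyone out. Returns
    ({user: password found}, {user: attempts made}).
    """
    cap = None if lockout_threshold is None else max(lockout_threshold - 1, 0)
    found = {}
    attempts = {}
    for user, password in guess_sequence(users, passwords, max_per_user=cap):
        if user in found:
            continue
        attempts[user] = attempts.get(user, 0) + 1
        if authenticate(user, password):
            found[user] = password
    return found, attempts


# Constructed stand-in for a target's credential store; not a real service.
FAKE_ACCOUNTS = {"admin": "admin", "backup": "", "alice": "winter2012"}


def fake_authenticate(user, password):
    """Pretend login check against the constructed account table."""
    return FAKE_ACCOUNTS.get(user) == password
```

With lockout_threshold=3 the audit finds admin and backup within two
attempts each and gives up on alice rather than trip the threshold; without
a threshold it also recovers alice's dictionary password.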
 4727 
 4728 o [NSE] Re-enabled support for guessing the username in addition to password
 4729   that was incorrectly removed from the metasploit-xmlrpc-brute in previous
 4730   commit. [Patrik]
 4731 
 4732 o [NSE] Fixed bug that would prevent brute scripts from running if no service
 4733   field was present in the port table. [Patrik]
 4734 
 4735 o [NSE] Turned on promiscuous mode in targets-sniffer.nse so that it
 4736   finds packets not only from or to the scanning host. [David]
 4737 
 4738 o The Zenmap topology display feature is now disabled when there are
 4739   more than 1,000 target hosts.  Those topology maps slow down the
 4740   interface and are generally too crowded to be of much use.
 4741 
 4742 o [NSE] Modified the http library to support servers that don't return valid
 4743   chunked encoded data, such as the Citrix XML service. [Patrik]
 4744 
 4745 o [NSE] Fixed a bug where the brute library would not abort even after all
 4746   retries were exhausted [Patrik]
 4747 
 4748 o Fixed a bug in the IPv6 OS probe called NI. The Node Information
 4749   Query didn't include the target address as the payload, so at least
 4750   OS X didn't respond. This differed from the probe sent by the
 4751   ipv6fp.py program from which some of our fingerprints were derived.
 4752   [David]
 4753 
 4754 o [NSE] Fixed an error in the mssql library that was causing the
 4755   broadcast-ms-sql-discover script to fail when trying to update port version
 4756   information. [Patrik]
 4757 
 4758 o [NSE] Added the missing broadcast category to the broadcast-listener script.
 4759   [Jasey DePriest]
 4760 
 4761 o [NSE] Made changes to the categories of the following scripts (new
 4762   categories shown) [Duarte Silva]:
 4763   - http-userdir-enum.nse (auth,intrusive)
 4764   - mysql-users.nse (auth,intrusive)
 4765   - http-wordpress-enum.nse (auth,intrusive,vuln)
 4766   - krb5-enum-users.nse (auth,intrusive)
 4767   - snmp-win32-users.nse (default,auth,safe)
 4768   - smtp-enum-users.nse (auth,external,intrusive)
 4769   - ncp-enum-users.nse (auth,safe)
 4770   - smb-enum-users.nse (auth,intrusive)
 4771 
 4772 o Made nbase compile with the clang compiler that is a part of Xcode
 4773   4.2. [Daniel J. Luke]
 4774 
 4775 o [NSE] Fix a nil table index bug discovered in the mongodb
 4776   library. [Thomas Buchanan]
 4777 
 4778 o [NSE] Added XMPP support to ssl-cert.nse.
 4779 
 4780 o [NSE] Made http-wordpress-enum.nse able to get names of users who
 4781   have no posts. [Duarte Silva]
 4782 
 4783 o Increased hop distance estimates from OS detection by one. The
 4784   distance now counts the number of hops including the final one to
 4785   the target, not just the number of intermediate nodes. The IPv6
 4786   distance calculation already worked this way. [David]
 4787 
 4788 Nmap 5.61TEST2 [2011-09-30]
 4789 
 4790 o Added IPv6 OS detection system! The new system utilizes many tests
 4791   similar to IPv4, and also some IPv6-specific ones that we found to
 4792   be particularly effective. And it uses a machine learning approach
 4793   rather than the static classifier we use for IPv4. We hope to move
 4794   some of the IPv6 innovations back to our IPv4 system if they work
 4795   out well. The database is still very small, so please submit any
 4796   fingerprints that Nmap gives you to the specified URL (as long as
 4797   you are certain that you know what the target system is
 4798   running). Usage and results output are basically the same as with
 4799   IPv4, but we will soon document the internal mechanisms at
 4800   https://nmap.org/book/osdetect.html, just as we have for IPv4. For an
 4801   example, try "nmap -6 -O scanme.nmap.org". [David, Luis]
 4802 
 4803 o [NSE] Added 3 scripts, bringing the total to 246!  You can learn
 4804   more about them at https://nmap.org/nsedoc/. Here they are (authors
 4805   listed in brackets):
 4806 
 4807   + lltd-discovery uses the Microsoft LLTD protocol to discover hosts
 4808     on a local network. [Gorjan Petrovski]
 4809 
 4810   + ssl-google-cert-catalog queries Google's Certificate Catalog for
 4811     the SSL certificates retrieved from target hosts. [Vasiliy Kulikov]
 4812 
 4813   + quake3-info extracts information from a Quake3-like game
 4814     server. [Toni Ruottu]
 4815 
 4816 o Improved AIX support for raw scans. This includes some patches
 4817   originally written by Peter O'Gorman and Florian Schmid. It also
 4818   involved various build fixes found necessary on AIX 6.1 and 7.1. See
 4819   https://nmap.org/book/inst-other-platforms.html . [David]
 4820 
 4821 o Fixed Nmap so that it again compiles and runs on Solaris 10,
 4822   including IPv6 support. [David]
 4823 
 4824 o [NSE] Moved our brute force authentication cracking scripts
 4825   (*-brute) from the "auth" category into a new "brute"
 4826   category. Nmap's brute force capabilities have grown tremendously!
 4827   You can see all 32 of them at
 4828   https://nmap.org/nsedoc/categories/brute.html .  It isn't clear
 4829   whether dns-brute should be in the brute category, so for now it
 4830   isn't. [Fyodor]
 4831 
 4832 o Made the interface gathering loop work on Linux when an interface
 4833   index is more than two digits in /proc/net/if_inet6. Joe McEachern
 4834   tracked down the problem and provided the fix.
 4835 
 4836 o [NSE] Fixed a bug in dns.lua: ensure that dns.query() always returns two
 4837   values (status, response) and replaced the workaround in asn-query.nse
 4838   with the proper use. [Henri]
 4839 
 4840 o [NSE] Made irc-info.nse handle the case where the MOTD is missing.
 4841   Patch by Sebastian Dragomir.
 4842 
 4843 o Updated nmap-mac-prefixes to include the latest IEEE assignments
 4844   as of 2011-09-29.
 4845 
 4846 Nmap 5.61TEST1 [2011-09-19]
 4847 
 4848 o Added Common Platform Enumeration (CPE, http://cpe.mitre.org/)
 4849   output for OS and service versions. This is a standard way to
 4850   identify operating systems and applications so that Nmap can
 4851   better interoperate with other software. Nmap's own (generally more
 4852   comprehensive) taxonomy/classification system is still supported as
 4853   well. Some OS and version detection results don't have CPE entries
 4854   yet. CPE entries show up in normal output with the headings "OS
 4855   CPE:" and "Service Info:":
 4856     OS CPE: cpe:/o:linux:kernel:2.6.39
 4857     Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
 4858   These also appear in XML output, which additionally has CPE entries
 4859   for service versions. [David, Henri]
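
A practitioner usually consumes these CPE strings from the XML output rather
than from the normal output shown above. The following is an added example,
written for this page and not part of Nmap: it splits a CPE 2.2 URI of the
cpe:/part:vendor:product:version:update:edition:language form into its
components and collects every OS-class and service CPE from an nmaprun
document. The element names follow Nmap's XML output; the sample document,
address and versions are constructed. The same cpe strings are what the
host.os and port.version.cpe NSE fields mentioned earlier in this file
carry, so the parser applies to those too.

```python
"""CPE 2.2 URIs in Nmap XML output (added example; not Nmap code).

Splits the cpe:/part:vendor:product:version:update:edition:language form
that Nmap emits and collects every OS-class and service CPE from an nmaprun
document. The sample document below is constructed for the example.
"""
import xml.etree.ElementTree as ET

CPE_FIELDS = ("part", "vendor", "product", "version",
              "update", "edition", "language")


def parse_cpe(uri):
    """Return a dict of CPE components; absent or empty components are None."""
    if not uri.startswith("cpe:/"):
        raise ValueError("not a CPE 2.2 URI: %r" % uri)
    fields = uri[len("cpe:/"):].split(":")
    if fields[0] not in ("a", "h", "o"):
        raise ValueError("CPE part must be a, h or o: %r" % uri)
    fields = (fields + [""] * len(CPE_FIELDS))[:len(CPE_FIELDS)]
    return {name: (value or None) for name, value in zip(CPE_FIELDS, fields)}


# Constructed sample shaped like `nmap -O -sV -oX` output; not real scan data.
SAMPLE_XML = """<nmaprun>
 <host>
  <address addr="192.0.2.10" addrtype="ipv4"/>
  <ports>
   <port protocol="tcp" portid="22">
    <state state="open"/>
    <service name="ssh" product="OpenSSH" version="5.9p1">
     <cpe>cpe:/a:openbsd:openssh:5.9p1</cpe>
    </service>
   </port>
   <port protocol="tcp" portid="80">
    <state state="open"/>
    <service name="http" product="Apache httpd" version="2.2.22" ostype="Linux">
     <cpe>cpe:/a:apache:http_server:2.2.22</cpe>
     <cpe>cpe:/o:linux:linux_kernel</cpe>
    </service>
   </port>
  </ports>
  <os>
   <osmatch name="Linux 2.6.39" accuracy="98">
    <osclass type="general purpose" vendor="Linux" osfamily="Linux"
             osgen="2.6.X" accuracy="98">
     <cpe>cpe:/o:linux:kernel:2.6.39</cpe>
    </osclass>
   </osmatch>
  </os>
 </host>
</nmaprun>
"""


def extract_cpes(xml_text):
    """List every CPE in document order as {addr, where, uri, cpe}.

    `where` is "port/proto" for a service CPE and "os" for an OS-class CPE.
    """
    rows = []
    for host in ET.fromstring(xml_text).iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            where = "%s/%s" % (port.get("portid"), port.get("protocol"))
            for cpe in port.iter("cpe"):
                rows.append({"addr": addr, "where": where,
                             "uri": cpe.text, "cpe": parse_cpe(cpe.text)})
        for osclass in host.iter("osclass"):   # works whether osclass sits under os or osmatch
            for cpe in osclass.iter("cpe"):
                rows.append({"addr": addr, "where": "os",
                             "uri": cpe.text, "cpe": parse_cpe(cpe.text)})
    return rows


def find_cpes(xml_text, **wanted):
    """Return (addr, where, uri) for CPEs whose components all match,
    e.g. find_cpes(xml, vendor="apache") or find_cpes(xml, part="o")."""
    hits = []
    for row in extract_cpes(xml_text):
        if all(row["cpe"].get(key) == value for key, value in wanted.items()):
            hits.append((row["addr"], row["where"], row["uri"]))
    return hits
```

find_cpes(SAMPLE_XML, part="o") returns both the OS-class CPE and the OS CPE
that version detection attached to the http service, which is the usual way
to cross-check an -O result against what -sV inferred.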
 4860 
 4861 o Added IPv6 Neighbor Discovery ping. This is the IPv6 analog to IPv4
 4862   ARP scan. It is the default ping type for local IPv6 networks.
 4863   [Weilin]
 4864 
 4865 o Integrated your latest (IPv4) OS detection submissions and
 4866   corrections until June 22. New fingerprints include Linux 3, FreeBSD
 4867   9, Mac OS X 10.7 (Lion), and 300+ more. The DB size increased 11% to
 4868   3,308 fingerprints. See
 4869   http://seclists.org/nmap-dev/2011/q3/556. Please keep those
 4870   fingerprints coming! We now accept IPv4 and IPv6 OS fingerprints as
 4871   well as service fingerprints, plus corrections of all types if Nmap
 4872   guesses wrong.
 4873 
 4874 o [NSE] Added 27 scripts, bringing the total to 243!  You can learn
 4875   more about any of them at https://nmap.org/nsedoc/. Here are the new
 4876   ones (authors listed in brackets):
 4877 
 4878   + address-info shows extra information about IPv6 addresses, such as
 4879     embedded MAC or IPv4 addresses when available. [David Fifield]
 4880 
 4881   + bittorrent-discovery discovers bittorrent peers sharing a file
 4882     based on a user-supplied torrent file or magnet link. [Gorjan
 4883     Petrovski]
 4884 
 4885   + broadcast-db2-discover attempts to discover DB2 servers on the
 4886     network by sending a broadcast request to port 523/udp. [Patrik
 4887     Karlsson]
 4888 
 4889   + broadcast-dhcp-discover sends a DHCP request to the broadcast
 4890     address (255.255.255.255) and reports the results. [Patrik
 4891     Karlsson]
 4892 
 4893   + broadcast-listener sniffs the network for incoming broadcast
 4894     communication and attempts to decode the received packets. It
 4895     supports protocols like CDP, HSRP, Spotify, Dropbox, DHCP, ARP and
 4896     a few more. [Patrik Karlsson]
 4897 
 4898   + broadcast-ping sends broadcast pings on a selected interface using
 4899     raw ethernet packets and outputs the responding hosts' IP and MAC
 4900     addresses or (if requested) adds them as targets. [Gorjan
 4901     Petrovski]
 4902 
 4903   + cvs-brute performs brute force password auditing against CVS
 4904     pserver authentication. [Patrik Karlsson]
 4905 
 4906   + cvs-brute-repository attempts to guess the name of the CVS
 4907     repositories hosted on the remote server.  With knowledge of the
 4908     correct repository name, usernames and passwords can be
 4909     guessed. [Patrik Karlsson]
 4910 
 4911   + ftp-vsftpd-backdoor tests for the presence of the vsFTPd 2.3.4
 4912     backdoor reported on 2011-07-04 (CVE-2011-2523). This script
 4913     attempts to exploit the backdoor using the innocuous 'id' command
 4914     by default, but that can be changed with the 'exploit.cmd' or
 4915     'ftp-vsftpd-backdoor.cmd' script arguments. [Daniel Miller]
 4916 
 4917   + ftp-vuln-cve2010-4221 checks for a stack-based buffer overflow in
 4918     the ProFTPD server, version between 1.3.2rc3 and 1.3.3b. [Djalal
 4919     Harouni]
 4920 
 4921   + http-awstatstotals-exec exploits a remote code execution
 4922     vulnerability in Awstats Totals 1.0 up to 1.14 and possibly other
 4923     products based on it (CVE-2008-3922). [Paulino Calderon]
 4924 
 4925   + http-axis2-dir-traversal Exploits a directory traversal
 4926     vulnerability in Apache Axis2 version 1.4.1 by sending a specially
 4927     crafted request to the parameter 'xsd' (OSVDB-59001). By default
 4928     it will try to retrieve the configuration file of the Axis2
 4929     service '/conf/axis2.xml' using the path '/axis2/services/' to
 4930     return the username and password of the admin account. [Paulino
 4931     Calderon]
 4932 
 4933   + http-default-accounts tests for access with default credentials
 4934     used by a variety of web applications and devices. [Paulino
 4935     Calderon]
 4936 
 4937   + http-google-malware checks if hosts are on Google's blacklist of
 4938     suspected malware and phishing servers. These lists are constantly
 4939     updated and are part of Google's Safe Browsing service. [Paulino
 4940     Calderon]
 4941 
 4942   + http-joomla-brute performs brute force password auditing against
 4943     Joomla web CMS installations. [Paulino Calderon]
 4944 
 4945   + http-litespeed-sourcecode-download exploits a null-byte poisoning
 4946     vulnerability in Litespeed Web Servers 4.0.x before 4.0.15 to
 4947     retrieve the target script's source code by sending a HTTP request
 4948     with a null byte followed by a .txt file extension
 4949     (CVE-2010-2333). [Paulino Calderon]
 4950 
 4951   + http-vuln-cve2011-3192 detects a denial of service vulnerability
 4952     in the way the Apache web server handles requests for multiple
 4953     overlapping/simple ranges of a page. [Duarte Silva]
 4954 
 4955   + http-waf-detect attempts to determine whether a web server is
 4956     protected by an IPS (Intrusion Prevention System), IDS (Intrusion
 4957     Detection System) or WAF (Web Application Firewall) by probing the
 4958     web server with malicious payloads and detecting changes in the
 4959     response code and body. [Paulino Calderon]
 4960 
 4961   + http-wordpress-brute performs brute force password auditing
 4962     against Wordpress CMS/blog installations. [Paulino Calderon]
 4963 
 4964   + http-wordpress-enum enumerates usernames in Wordpress blog/CMS
 4965     installations by exploiting an information disclosure
 4966     vulnerability existing in versions 2.6, 3.1, 3.1.1, 3.1.3 and
 4967     3.2-beta2 and possibly others. [Paulino Calderon]
 4968 
 4969   + imap-brute performs brute force password auditing against IMAP
 4970     servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
 4971     authentication. [Patrik Karlsson]
 4972 
 4973   + smtp-brute performs brute force password auditing against SMTP
 4974     servers using either LOGIN, PLAIN, CRAM-MD5, DIGEST-MD5 or NTLM
 4975     authentication. [Patrik Karlsson]
 4976 
 4977   + smtp-vuln-cve2011-1764 checks for a format string vulnerability in
 4978     the Exim SMTP server (version 4.70 through 4.75) with DomainKeys
 4979     Identified Mail (DKIM) support (CVE-2011-1764). [Djalal Harouni]
 4980 
 4981   + targets-ipv6-multicast-echo sends an ICMPv6 echo request packet to
 4982     the all-nodes link-local multicast address (ff02::1) to discover
 4983     responsive hosts on a LAN without needing to individually ping
 4984     each IPv6 address. [David Fifield, Xu Weilin]
 4985 
 4986   + targets-ipv6-multicast-invalid-dst sends an ICMPv6 packet with an
 4987     invalid extension header to the all-nodes link-local multicast
 4988     address (ff02::1) to discover (some) available hosts on the
 4989     LAN. This works because some hosts will respond to this probe with
 4990     an ICMPv6 parameter problem packet. [David Fifield, Xu Weilin]
 4991 
 4992   + targets-ipv6-multicast-slaac performs IPv6 host discovery by
 4993     triggering stateless address auto-configuration (SLAAC). [David
 4994     Fifield, Xu Weilin]
 4995 
 4996   + xmpp-brute Performs brute force password auditing against XMPP
 4997     (Jabber) instant messaging servers. [Patrik Karlsson]
 4998 
 4999 o Fixed compilation on OS X 10.7 Lion. Thanks to Patrik Karlsson and
 5000   Babak Farroki for researching fixes.
 5001 
 5002 o [NSE] The script arguments which start with a script name
 5003   (e.g. http-brute.hostname or afp-ls.maxfiles) can now accept the
 5004   unqualified arguments as well (hostname, maxfiles). This lets you
 5005   use the generic version ("hostname") when you want to affect
 5006   multiple scripts, while using the qualified version to target
 5007   individual scripts. If both are specified, the qualified version
 5008   takes precedence for that particular script. This works for library
 5009   script arguments too (e.g. you can specify 'timelimit' rather than
 5010   unpwdb.timelimit). [Paulino]
 5011 
 5012 o [Ncat] Updated SSL certificate store (ca-bundle.crt), primarily to
 5013   remove the epic fail known as DigiNotar.
 5014 
 5015 o Nmap now defers options parsing until it has read through all the
 5016   command line arguments.  This removes the few remaining cases where
 5017   option order mattered (for example, IPv6 users previously had to
 5018   specify -6 before -S). [Shinnok]
 5019 
 5020 o [NSE] Added a new default credential list for Oracle databases and
 5021   modified the oracle-brute script to make use of it. [Patrik]
 5022 
 5023 o [NSE] Our Packet library (packet.lua) now handles IPv6. This is used
 5024   by the new multicast IPv6 host discovery scripts
 5025   (targets-ipv6-*). [Weilin]
 5026 
 5027 o [NSE] Replaced xmpp.nse with an an overhauled version named
 5028   xmpp-info.nse which brings many new features and fixes. [Vasiliy Kulikov]
 5029 
 5030 o [NSE] Fixed SSL compressor names in ssl-enum-ciphers.nse, and
 5031   removed redundant multiple listings of the NULL compressor.
 5032   [Matt Selsky]
 5033 
 5034 o [NSE] Added cipher strength ratings to ssl-enum-ciphers.nse.
 5035   [Gabriel Lawrence]
 5036 
 5037 o [NSE] Fixed a bug in the ssh2-enum-algos script that would prevent it from
 5038   displaying any output unless run in debug mode. [Patrik]
 5039 
 5040 o [NSE] Added 4 more protocol libraries. You can learn more about any
 5041   of them at https://nmap.org/nsedoc/. Here are the new ones (authors
 5042   listed in brackets):
 5043 
 5044   + bittorrent supports the BitTorrent file sharing protocol [Gorjan
 5045     Petrovski]
 5046 
 5047   + cvs includes support for the Concurrent Versions System (CVS)
 5048     [Patrik Karlsson]
 5049 
 5050   + sasl provides common code for "Simple Authentication and Security
 5051     Layer" to services supporting it. The algorithms supported by the
 5052     library are: PLAIN, CRAM-MD5, DIGEST-MD5 and NTLM. [Djalal
 5053     Harouni, Patrik Karlsson]
 5054 
 5055   + xmpp handles XMPP (Jabber) IM servers [Patrik Karlsson]
 5056 
 5057 o [NSE] Removed the mac-geolocation script, which relied on a Google
 5058   database to determine strikingly accurate GPS coordinates for
 5059   anyone's wireless access points (based on their MAC address).  It
 5060   was very powerful.  Perhaps Google decided it was too powerful, as
 5061   they discontinued the service before our script was even 2 months
 5062   old.
 5063 
 5064 o [Ncat] Added an --append-output option which, when used along with
 5065   -o and/or -x, prevents clobbering (truncating) an existing
 5066   file. [Shinnok]
 5067 
 5068 o Fixed RPC scan (part of -sV) to work on the 64-bit machines where
 5069   "unsigned long" is 8 bytes rather than 4.  We now use the more
 5070   portable u32 in the code. [David]
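The RPC fix above swaps a host-width "unsigned long" for a fixed 32-bit type. The C program below is an added example, not Nmap's code, showing why that matters for a wire protocol: every ONC RPC header field is a 32-bit big-endian XDR word, so a struct of unsigned long is 24 bytes on ILP32 hosts but 48 bytes on LP64 hosts and misreads every field after the first when overlaid on a packet, while a fixed-width parser with a length check decodes the same bytes on any platform. The sample header (a portmapper v2 DUMP call) is constructed for the example, and the typedef name u32 is assumed to mean uint32_t.

```c
/* Added example (not Nmap's code): parsing an ONC RPC call header with
 * fixed-width types. Every header field is a 32-bit big-endian XDR word
 * on the wire, so the parser must not depend on the host's "unsigned long". */
#include <inttypes.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

typedef uint32_t u32;  /* assumed spelling of the portable type the entry mentions */

/* Host-width layout: 24 bytes on ILP32 hosts, 48 bytes on LP64 hosts, so
 * overlaying it on a packet misreads every field after the first on LP64. */
struct rpc_call_hdr_hostwidth {
    unsigned long xid, msg_type, rpcvers, prog, vers, proc;
};

/* Wire layout: six 32-bit words, 24 bytes on every platform. */
struct rpc_call_hdr {
    u32 xid;       /* transaction id, echoed in the reply */
    u32 msg_type;  /* 0 = CALL, 1 = REPLY */
    u32 rpcvers;   /* RPC protocol version, always 2 */
    u32 prog;      /* program number, e.g. 100000 = portmapper */
    u32 vers;      /* program version */
    u32 proc;      /* procedure number */
};

#define RPC_CALL_HDR_LEN 24u

static u32 get_be32(const uint8_t *p) {
    return ((u32)p[0] << 24) | ((u32)p[1] << 16) | ((u32)p[2] << 8) | (u32)p[3];
}

/* Decodes the first six words of a CALL message. Returns 0 on success and
 * -1 if the buffer is too short, so a truncated datagram is never over-read. */
int parse_rpc_call_hdr(const uint8_t *buf, size_t len, struct rpc_call_hdr *out) {
    if (buf == NULL || out == NULL || len < RPC_CALL_HDR_LEN)
        return -1;
    out->xid      = get_be32(buf + 0);
    out->msg_type = get_be32(buf + 4);
    out->rpcvers  = get_be32(buf + 8);
    out->prog     = get_be32(buf + 12);
    out->vers     = get_be32(buf + 16);
    out->proc     = get_be32(buf + 20);
    return 0;
}

size_t hostwidth_hdr_size(void) { return sizeof(struct rpc_call_hdr_hostwidth); }
size_t wire_hdr_size(void)      { return sizeof(struct rpc_call_hdr); }

/* Constructed sample: a portmapper (prog 100000) v2 DUMP (proc 4) call. */
const uint8_t SAMPLE_CALL[RPC_CALL_HDR_LEN] = {
    0x12, 0x34, 0x56, 0x78,  /* xid      = 0x12345678 */
    0x00, 0x00, 0x00, 0x00,  /* msg_type = CALL */
    0x00, 0x00, 0x00, 0x02,  /* rpcvers  = 2 */
    0x00, 0x01, 0x86, 0xa0,  /* prog     = 100000 */
    0x00, 0x00, 0x00, 0x02,  /* vers     = 2 */
    0x00, 0x00, 0x00, 0x04,  /* proc     = 4 (DUMP) */
};

int main(void) {
    struct rpc_call_hdr h;
    printf("host-width header: %zu bytes, wire header: %zu bytes\n",
           hostwidth_hdr_size(), wire_hdr_size());
    if (parse_rpc_call_hdr(SAMPLE_CALL, sizeof SAMPLE_CALL, &h) == 0)
        printf("xid=0x%08" PRIx32 " prog=%" PRIu32 " vers=%" PRIu32 " proc=%" PRIu32 "\n",
               h.xid, h.prog, h.vers, h.proc);
    return 0;
}
```

On an LP64 build the first printf reports 48 versus 24 bytes, which is the mismatch the changelog entry describes; the parser output is identical on both.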

o [NSE] Moved some scripts into the default category: giop-info,
  vnc-info, ncp-serverinfo, smb-security-mode, and
  afp-serverinfo. [Djalal]

o Relaxed the XML DTD to allow validation of files where the verbosity
  level changed during the scan.  Also made a service confidence of 8
  (used when tcpwrapped) or any other number between 0 and 10
  legal. [Daniel Miller]

o [NSE] Fixed authentication problems in the TNS library that would prevent
  authentication from working against Oracle 11.2.0.2.0 XE. [Chris Woodbury]

o [NSE] Added basic query support to the Oracle TNS library so that scripts
  can now make SQL queries against database servers.  Also improved
  support for 64-bit database servers and improved the documentation. [Patrik]

o Removed some restrictions on probe matching that, for example,
  prevented a RST/ACK reply from being recognized in a NULL scan. This
  was found and fixed by Matthew Stickney and Joe McEachern.

o Rearranged some character classes in service matches to avoid any
  that look like POSIX collating symbols ("[.xyz.]"). John Hutchison
  discovered this error caused by one of the match lines:
    InitMatch: illegal regexp: POSIX collating elements are not supported
  [Daniel Miller]

o [NSE] Added more than 100 new signatures to http-enum (many for
  known vulnerabilities). They are in the categories: general,
  attacks, cms, security, management and database. [Paulino]

o [NSE] Updated account status text in brute force password discovery
  scripts in an effort to make the reporting more consistent across
  all scripts.  This will have an impact on any code that parses these
  values.  [Tom Sellers]

o Nmap now includes the Liblinear library for large linear
  classification (http://www.csie.ntu.edu.tw/~cjlin/liblinear/). We
  are using it for the upcoming IPv6 OS detection system, and (if that
  works out well) may eventually use it for IPv4 too.  It uses a
  three-clause BSD license.

o [NSE] Better error messages (including a traceback) are now provided
  when script loading fails. [Patrick]

o [Zenmap] Prevent Zenmap from deleting ports when merging scan
  results based on newer scans which did not actually scan the ports
  in question. Additionally Zenmap now only updates ports with new
  information if the new information uses the same protocol--not just
  the same port number. [Colin Rice]

o [Ncat] Fixed a crash which would occur when --ssl-verify is combined
  with -vvv on Windows. [Colin Rice]

o [Nping] Added new --safe-payloads option for echo mode which causes
  returned packet payloads to be zeroed to reduce privacy risks if the
  Nping echo server were to accidentally (or through malicious intent)
  return a packet which wasn't sent by the Nping echo client.  We hope
  to soon make this behavior the default. [Luis]

o Fixed a bug that would make Nmap segfault if it failed to open an
  interface using pcap. The bug details and patch are posted at
  http://seclists.org/nmap-dev/2011/q3/365 [Patrik]

o Ncat SCTP mode now supports connection brokering
  (--sctp --broker). [Shinnok]

o Consolidated a bunch of duplicate code between Ncat's listen
  (ncat_listen.c) and broker (ncat_broker.c) modes to ease
  maintenance. [Shinnok]

o Added a 'nostore' NSE argument to the brute force library which
  prevents the brute force authentication cracking scripts from
  storing found credentials in the creds library (they will still be
  printed in script output).

o [NSE] Fixed the nsedebug print_hex() function so it does not print an
  empty line if there are no remaining characters, and improved its NSEDoc.
  [Chris Woodbury]

o [Ncat] Ncat no longer blocks while an SSL handshake is taking place
  or waiting to complete.  This could make listening Ncat instances
  unavailable to other clients because one client was taking too long
  to complete the SSL handshake.  Our public Ncat chat server is now
  much more reliable (connect with: ncat --ssl -v chat.nmap.org).
  [Shinnok]

o [NSE] Updated SMTP and IMAP libraries to support authentication
  using both plain-text and the SASL library. [Patrik]

o [Zenmap] The Zenmap crash handler now instructs users to mail in
  crash information to nmap-dev rather than offering to create a
  Sourceforge bug tracker entry. [Colin Rice]

o [NSE] Applied patch from Chris Woodbury that adds the following
  additional information to the output of smb-os-discovery: NetBIOS
  computer name, NetBIOS domain name, FQDN, and forest name.

o [NSE] Updated smb-brute to add detection for valid credentials where the
  target account was expired or limited by time or login host constraints.
  [Tom Sellers]

o [Ncat] Ncat now supports IPv6 addresses by default without the -6 flag.
  Additionally ncat listens on both ::1 and localhost when passed
  -l, or any other listening mode, unless a specific listening address is
  supplied. [Colin Rice]

o Fixed broken XML output in the case of timed-out hosts; the
  enclosing host element was missing. The fix was suggested by Rémi
  Mollon.

o [NSE] Multiple ldap-brute changes by Tom Sellers:
  + Added support for 2008 R2 functional level Active Directory instances
  + Added detection for valid credentials where the target account was
    expired or limited by time or login host constraints.
  + Added support for specifying a UPN suffix to be appended to usernames
    when brute forcing Microsoft Active Directory accounts.
  + Added support for saving discovered credentials to a CSV file.
  + Now reports valid credentials as they are discovered when the script
    is run with -vv or higher.

o [NSE] ldap-search.nse - Added support for saving search results to
  CSV.  This is done by using the ldap.savesearch script argument to
  specify an output filename prefix.  [Tom Sellers]

o Handle an unconventional IPv6 internal link-local address convention
  used by Mac OS X. See
  http://seclists.org/nmap-dev/2011/q3/906. [David]

o [NSE] Optimized stdnse.format_output (changing the data structures)
  to improve performance for scripts which produce a lot of output. See
  http://seclists.org/nmap-dev/2011/q3/623. [Djalal]

o [NSE] Fix nping-brute so that it again works on IPv6. [Toni Ruottu]

o [NSE] Added the make_array and make_object functions to our json
  library, allowing Lua tables to be treated as JSON arrays or
  objects. See http://seclists.org/nmap-dev/2011/q3/15 [Daniel Miller]

o [NSE] The ip-geolocation-ipinfodb script now allows you to specify an
  IPInfoDB API key using the apikey NSE argument. [Gorjan]

o [NSE] Renamed http-wp-plugins to http-wordpress-plugins script for
  consistency with http-wordpress-brute and now
  http-wordpress-enum. [Fyodor]

Nmap 5.59BETA1 [2011-06-30]

o [NSE] Added 40 scripts, bringing the total to 217!  You can learn
  more about any of them at https://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + afp-ls: Lists files and their attributes from Apple Filing
    Protocol (AFP) volumes. [Patrik Karlsson]

  + backorifice-brute: Performs brute force password auditing against
    the BackOrifice remote administration (trojan) service. [Gorjan
    Petrovski]

  + backorifice-info: Connects to a BackOrifice service and gathers
    information about the host and the BackOrifice service
    itself. [Gorjan Petrovski]

  + broadcast-avahi-dos: Attempts to discover hosts in the local
    network using the DNS Service Discovery protocol, then tests
    whether each host is vulnerable to the Avahi NULL UDP packet
    denial of service bug (CVE-2011-1002). [Djalal Harouni]

  + broadcast-netbios-master-browser: Attempts to discover master
    browsers and the Windows domains they manage. [Patrik Karlsson]

  + broadcast-novell-locate: Attempts to use the Service Location
    Protocol to discover Novell NetWare Core Protocol (NCP)
    servers. [Patrik Karlsson]

  + creds-summary: Lists all discovered credentials (e.g. from brute
    force and default password checking scripts) at end of scan.
    [Patrik Karlsson]

  + dns-brute: Attempts to enumerate DNS hostnames by brute force
    guessing of common subdomains. [Cirrus]

  + dns-nsec-enum: Attempts to discover target hosts' services using
    the DNS Service Discovery protocol. [Patrik Karlsson]

  + dpap-brute: Performs brute force password auditing against an
    iPhoto Library. [Patrik Karlsson]

  + epmd-info: Connects to Erlang Port Mapper Daemon (epmd) and
    retrieves a list of nodes with their respective port
    numbers. [Toni Ruottu]

  + http-affiliate-id: Grabs affiliate network IDs (e.g. Google
    AdSense or Analytics, Amazon Associates, etc.) from a web
    page. These can be used to identify pages with the same
    owner. [Hani Benhabiles, Daniel Miller]

  + http-barracuda-dir-traversal: Attempts to retrieve the
    configuration settings from a Barracuda Networks Spam & Virus
    Firewall device using the directory traversal vulnerability
    described at
    http://seclists.org/fulldisclosure/2010/Oct/119. [Brendan Coles]

  + http-cakephp-version: Obtains the CakePHP version of a web
    application built with the CakePHP framework by fingerprinting
    default files shipped with the CakePHP framework. [Paulino
    Calderon]

  + http-majordomo2-dir-traversal: Exploits a directory traversal
    vulnerability existing in the Majordomo2 mailing list manager to
    retrieve remote files (CVE-2011-0049). [Paulino Calderon]

  + http-wp-plugins: Tries to obtain a list of installed WordPress
    plugins by brute force testing for known plugins. [Ange Gutek]

  + ip-geolocation-geobytes: Tries to identify the physical location
    of an IP address using the Geobytes geolocation web service
    (http://www.geobytes.com/iplocator.htm). [Gorjan Petrovski]

  + ip-geolocation-geoplugin: Tries to identify the physical location
    of an IP address using the Geoplugin geolocation web service
    (http://www.geoplugin.com/). [Gorjan Petrovski]

  + ip-geolocation-ipinfodb: Tries to identify the physical location
    of an IP address using the IPInfoDB geolocation web service
    (http://ipinfodb.com/ip_location_api.php). [Gorjan Petrovski]

  + ip-geolocation-maxmind: Tries to identify the physical location of
    an IP address using a Geolocation Maxmind database file (available
    from http://www.maxmind.com/app/ip-location). [Gorjan Petrovski]

  + ldap-novell-getpass: Attempts to retrieve the Novell Universal
    Password for a user. You must already have (and include in script
    arguments) the username and password for an eDirectory server
    administrative account. [Patrik Karlsson]

  + mac-geolocation: Looks up geolocation information for BSSID (MAC)
    addresses of WiFi access points in the Google geolocation
    database. [Gorjan Petrovski]

  + mysql-audit: Audits MySQL database server security configuration
    against parts of the CIS MySQL v1.0.2 benchmark (the engine can
    also be used for other MySQL audits by creating appropriate audit
    files).  [Patrik Karlsson]

  + ncp-enum-users: Retrieves a list of all eDirectory users from the
    Novell NetWare Core Protocol (NCP) service. [Patrik Karlsson]

  + ncp-serverinfo: Retrieves eDirectory server information (OS
    version, server name, mounts, etc.) from the Novell NetWare Core
    Protocol (NCP) service. [Patrik Karlsson]

  + nping-brute: Performs brute force password auditing against an
    Nping Echo service. [Toni Ruottu]

  + omp2-brute: Performs brute force password auditing against the
    OpenVAS manager using OMPv2. [Henri Doreau]

  + omp2-enum-targets: Attempts to retrieve the list of target systems
    and networks from an OpenVAS Manager server. [Henri Doreau]

  + ovs-agent-version: Detects the version of an Oracle OVSAgentServer
    by fingerprinting responses to an HTTP GET request and an XML-RPC
    method call. [David Fifield]

  + quake3-master-getservers: Queries Quake3-style master servers for
    game servers (many games other than Quake 3 use this same
    protocol). [Toni Ruottu]

  + servicetags: Attempts to extract system information (OS, hardware,
    etc.) from the Sun Service Tags service agent (UDP port
    6481). [Matthew Flanagan]

  + sip-brute: Performs brute force password auditing against Session
    Initiation Protocol (SIP -
    http://en.wikipedia.org/wiki/Session_Initiation_Protocol)
    accounts.  This protocol is most commonly associated with VoIP
    sessions. [Patrik Karlsson]

  + sip-enum-users: Attempts to enumerate valid SIP user accounts.
    Currently only the SIP server Asterisk is supported. [Patrik
    Karlsson]

  + smb-mbenum: Queries information managed by the Windows Master
    Browser. [Patrik Karlsson]

  + smtp-vuln-cve2010-4344: Checks for and/or exploits a heap overflow
    within versions of Exim prior to version 4.69 (CVE-2010-4344) and
    a privilege escalation vulnerability in Exim 4.72 and prior
    (CVE-2010-4345). [Djalal Harouni]

  + smtp-vuln-cve2011-1720: Checks for a memory corruption in the
    Postfix SMTP server when it uses Cyrus SASL library authentication
    mechanisms (CVE-2011-1720).  This vulnerability can allow denial
    of service and possibly remote code execution. [Djalal Harouni]

  + snmp-ios-config: Attempts to download Cisco router IOS
    configuration files using SNMP RW (v1) and display or save
    them. [Vikas Singhal, Patrik Karlsson]

  + ssl-known-key: Checks whether the SSL certificate used by a host
    has a fingerprint that matches an included database of problematic
    keys. [Mak Kolybabi]

  + targets-sniffer: Sniffs the local network for a configurable
    amount of time (10 seconds by default) and prints discovered
    addresses. If the newtargets script argument is set, discovered
    addresses are added to the scan queue. [Nick Nikolaou]

  + xmpp: Connects to an XMPP server (port 5222) and collects server
    information such as supported auth mechanisms, compression methods
    and whether TLS is supported and mandatory. [Vasiliy Kulikov]

o Nmap has long supported IPv6 for basic (connect) port scans, basic
  host discovery, version detection, and the Nmap Scripting Engine.  This
  release dramatically expands and improves IPv6 support:
  + IPv6 raw packet scans (including SYN scan, UDP scan, ACK scan,
    etc.) are now supported. [David, Weilin]
  + IPv6 raw packet host discovery (IPv6 echo requests, TCP/UDP
    discovery packets, etc.) is now supported. [David, Weilin]
  + IPv6 traceroute is now supported. [David]
  + IPv6 protocol scan (-sO) is now supported, including creating
    realistic headers for many protocols. [David]
  + Added IPv6 support to the wsdd, dnssd and upnp NSE libraries. [Daniel
    Miller, Patrik]
  + The --exclude and --excludefile options now support IPv6 addresses with
    netmasks.  [Colin]

o Scanme.Nmap.Org (the system anyone is allowed to scan for testing
  purposes) is now dual-stacked (has an IPv6 address as well as IPv4)
  so you can scan it during IPv6 testing.  We also added a DNS record
  for ScanmeV6.nmap.org which is IPv6-only. See
  http://seclists.org/nmap-dev/2011/q2/428. [Fyodor]

o The Nmap.Org website as well as sister sites Insecure.Org,
  SecLists.Org, and SecTools.Org all have working IPv6 addresses now
  (dual stacked). [Fyodor]

o Nmap now determines the filesystem location it is being run from and
  that path is now included early in the search path for data files
  (such as nmap-services).  This reduces the likelihood of needing to
  specify --datadir or getting data files from a different version of
  Nmap installed on the system.  For full details, see
  https://nmap.org/book/data-files-replacing-data-files.html .  Thanks
  to Solar Designer for implementation advice. [David]

o Created a page on our SecWiki for collecting Nmap script ideas! If
  you have a good idea, post it to the incoming section of the page.
  Or if you're in a script writing mood but don't know what to write,
  come here for inspiration: https://secwiki.org/w/Nmap_Script_Ideas.

o The development pace has greatly increased because Google (again)
  sponsored 7 full-time college and graduate student programmer
  interns this summer as part of their Summer of Code program!
  Thanks, Google Open Source Department!  We're delighted to introduce
  the team: http://seclists.org/nmap-dev/2011/q2/312

o [NSE] Added 7 new protocol libraries, bringing the total to 66.  You
  can read about them all at https://nmap.org/nsedoc/. Here are the new
  ones (authors listed in brackets):

  + creds: Handles storage and retrieval of discovered credentials
    (such as passwords discovered by brute force scripts). [Patrik
    Karlsson]

  + ncp: A tiny implementation of Novell Netware Core Protocol
    (NCP). [Patrik Karlsson]

  + omp2: OpenVAS Management Protocol (OMP) version 2 support. [Henri
    Doreau]

  + sip: Supports a limited subset of SIP commands and
    methods. [Patrik Karlsson]

  + smtp: Simple Mail Transfer Protocol (SMTP) operations. [Djalal
    Harouni]

  + srvloc: A relatively small implementation of the Service Location
    Protocol. [Patrik Karlsson]

  + tftp: Implements a minimal TFTP server. It is used in
    snmp-ios-config to obtain router config files. [Patrik Karlsson]

o Improved Nmap's service/version detection database by adding:
  + Apple iPhoto (DPAP) protocol probe [Patrik]
  + Zend Java Bridge probe [Michael Schierl]
  + BackOrifice probe [Gorjan Petrovski]
  + GKrellM probe [Toni Ruottu]
  + Signature improvements for a wide variety of services (we now have
    7,375 signatures)

o [NSE] ssh-hostkey now additionally has a postrule that prints hosts
  found during the scan which share the same hostkey. [Henri Doreau]

o [NSE] Added 300+ new signatures to http-enum which look for admin
  directories, JBoss, Tomcat, TikiWiki, Majordomo2, MS SQL, Wordpress,
  and more. [Paulino]

o Made the final IP address space assignment update as all available
  IPv4 address blocks have now been allocated to the regional
  registries.  Our random IP generation (-iR) logic now only excludes
  the various reserved blocks.  Thanks to Kris for years of regular
  updates to this function!

o [NSE] Replaced http-trace with a new, more effective version. [Paulino]

o Performed some output cleanup work to remove unimportant status
  lines so that it is easier to find the good stuff! [David]

o [Zenmap] Zenmap now properly kills the Nmap scan subprocess when you
  cancel a scan or quit Zenmap on Windows. [Shinnok]

o [NSE] Banned scripts from being in both the "default" and
  "intrusive" categories.  We did this by removing dhcp-discover and
  dns-zone-transfer from the set of scripts run by default (leaving
  them "intrusive"), and reclassifying dns-recursion, ftp-bounce,
  http-open-proxy, and socks-open-proxy as "safe" rather than
  "intrusive" (keeping them in the "default" set).

o [NSE] Added a credential storage library (creds.lua) and modified
  the brute library and scripts to make use of it. [Patrik]

o [Ncat] Created a portable version of ncat.exe that you can just drop
  onto Microsoft Windows systems without having to run any installer
  or copy over extra library files. See the Ncat page
  (https://nmap.org/ncat/) for binary downloads and a link to build
  instructions. [Shinnok]

o Fix a segmentation fault which could occur when running Nmap on
  various Android-based phones.  The problem related to NULL being
  passed to freeaddrinfo(). [David, Vlatko Kosturjak]

o [NSE] The host.bin_ip and host.bin_ip_src entries now also work with
  16-byte IPv6 addresses. [David]

o [Ncat] Updated the ca-bundle.crt list of trusted certificate
  authority certificates. [David]

o [NSE] Fixed a bug in the SMB Authentication library which could
  prevent concurrently running scripts with valid credentials from
  logging in. [Chris Woodbury]

o [NSE] Re-worked http-form-brute.nse to better autodetect form
  fields, allow brute force attempts where only the password (no
  username) is needed, follow HTTP redirects, and better detect
  incorrect login attempts. [Patrik, Daniel Miller]

o [Zenmap] Changed the "slow comprehensive scan" profile's NSE script
  selection from "all" to "default or (discovery and safe)"
  categories.  Except for testing and debugging, "--script all" is
  rarely desirable.

o [NSE] Added the stdnse.silent_require method which is used for
  library requires that you know might fail (e.g. "openssl" fails if
  Nmap was compiled without that library).  If these libraries are
  called with silent_require and fail to load, the script will cease
  running but the user won't be presented with ugly failure messages
  as would happen with a normal require. [Patrick Donnelly]

o [Zenmap] Fixed a bug in topology mapper which caused endpoints
  behind firewalls to sometimes show up in the wrong place (see
  http://seclists.org/nmap-dev/2011/q2/733).  [Colin Rice]

o [Zenmap] If you scan a system twice, any open ports from the first
  scan which are closed in the 2nd will be properly marked as
  closed. [Colin Rice]

o [Zenmap] Fixed an error that could cause a crash ("TypeError: an
  integer is required") if a sort column in the ports table was unset.
  [David]

o [Ndiff] Added nmaprun element information (Nmap version, scan date,
  etc.) to the diff.  Also, the Nmap banner with version number and
  date is now only printed if there were other differences in the
  scan. [Daniel Miller, David, Dr. Jesus]

o [NSE] Added nmap.get_interface and nmap.get_interface_info functions
  so scripts can access characteristics of the scanning interface.
  Removed nmap.get_interface_link. [Djalal]

o Fixed an overflow in scan elapsed time display that caused negative
  times to be printed after about 25 days. [Daniel Miller]
 5553 
 5554 o Updated nmap-rpc from the master list, now maintained by IANA.
 5555   [Daniel Miller, David]
 5556 
 5557 o [Zenmap] Fixed a bug in the option parser: -sN (null scan) was
 5558   interpreted as -sn (no port scan). This was reported by
 5559   Shitaneddine. [David]
 5560 
 5561 o [Ndiff] Fixed the Mac OS X packages to use the correct path for
 5562   Python: /usr/bin/python instead of /opt/local/bin/python. The bug
 5563   was reported by Wellington Castello. [David]
 5564 
 5565 o Removed the -sR (RPC scan) option--it is now an alias for -sV
 5566   (version scan), which always does RPC scan when an rpcinfo service
 5567   is detected.
 5568 
 5569 o [NSE] Improved the ms-sql scripts and library in several ways:
 5570   - Improved version detection and server discovery
 5571   - Added support for named pipes, integrated authentication, and
 5572     connecting to instances by name or port
 5573   - Improved script and library stability and documentation.
 5574   [Patrik Karlsson, Chris Woodbury]
 5575 
 5576 o [NSE] Fixed http.validate_options when handling a cookie table.
 5577   [Sebastian Prengel]
 5578 
 5579 o Added a Service Tags UDP probe for port 6481/udp. [David]
 5580 
 5581 o [NSE] Enabled firewalk.nse to automatically find the gateways at
 5582   which probes are dropped and fixed various bugs. [Henri Doreau]
 5583 
 5584 o [Zenmap] Worked around a pycairo bug that prevented saving the
 5585   topology graphic as PNG on Windows: "Error Saving Snapshot:
 5586   Surface.write_to_png takes one argument which must be a filename
 5587   (str), file object, or a file-like object which has a 'write' method
 5588   (like StringIO)". The problem was reported by Alex Kah. [David]
 5589 
 5590 o The -V and --version options now show the platform Nmap was compiled
 5591   on, which features are compiled in, the version numbers of libraries
 5592   it is linked against, and whether the libraries are the ones that
 5593   come with Nmap or the operating system.  [Ambarisha B., David]
 5594 
 5595 o Fixed some inconsistencies in nmap-os-db reported by Xavier Sudre
 5596   from netVigilance.
 5597 
 5598 o The Nmap Win32 uninstaller now properly deletes nping.exe. [Fyodor]
 5599 
 5600 o [NSE] Added a shortport.ssl function which can be used as a script
 5601   portrule to match SSL services.  It is similar in concept to our
 5602   existing shortport.http. [David]
 5603 
 5604 o Set up the RPM build to use the compat-glibc and compat-gcc-34-c++
 5605   packages (on CentOS 5.3) to resolve a report of Nmap failing to run
 5606   on old versions of Glibc. [David]
 5607 
 5608 o We no longer support Nmap on versions of Windows earlier than XP
 5609   SP2.  Even Microsoft no longer supports Windows versions that old.
 5610   But if you must use Nmap on such systems anyway, please see
 5611   https://secwiki.org/w/Nmap_On_Old_Windows_Releases.
 5612 
 5613 o There were hundreds of other little bug fixes and improvements
 5614   (especially to NSE scripts).  See the SVN logs for revisions 22,274
 5615   through 24,460 for details.
 5616 
 5617 Nmap 5.51 [2011-02-11]
 5618 
 5619 o [Ndiff] Added support for prerule and postrule scripts. [David]
 5620 
 5621 o [NSE] Fixed a bug which caused some NSE scripts to fail due to the
 5622   absence of the NSE SCRIPT_NAME environment variable when loaded.
 5623   Michael Pattrick reported the problem. [Djalal]
 5624 
 5625 o [Zenmap] Selecting one of the scan targets in the left pane is
 5626   supposed to jump to that host in the Nmap Output in the right pane
 5627   (but it wasn't).  Brian Krebs reported this bug. [David]
 5628 
 5629 o Fixed an obscure bug in Windows interface matching. If the MAC
 5630   address of an interface couldn't be retrieved, it might have been
 5631   used instead of the correct interface. Alexander Khodyrev reported
 5632   the problem.  [David]
 5633 
 5634 o [NSE] Fixed portrules in dns-zone-transfer and ftp-proftpd-backdoor
 5635   that used shortport functions incorrectly and always returned
 5636   true. [Jost Krieger]
 5637 
 5638 o [Ndiff] Fixed ndiff.dtd to include two elements that can be diffed:
 5639   status and address. [Daniel Miller]
 5640 
 5641 o [Ndiff] Fixed the ordering of hostscript-related elements in XML
 5642   output. [Daniel Miller]
 5643 
 5644 o [NSE] Fixed a bug in the nrpe-enum script that would make it run for
 5645   every port (when it was selected--it isn't by default).  Daniel
 5646   Miller reported the bug. [Patrick]
 5647 
 5648 o [NSE] When an NSE script sets a negative socket timeout, it now
 5649   causes a controlled Lua stack trace instead of a fatal error.
 5650   Vlatko Kosturjak reported the bug. [David]
 5651 
 5652 o [Zenmap] Worked around an error that caused the py2app bootstrap
 5653   executable to be non-universal even when the rest of the application
 5654   was universal. This prevented the binary .dmg from working on
 5655   PowerPC. Yxynaxen reported the problem. [David]
 5656 
 5657 o [Ndiff] Fixed an output line that wasn't being redirected to a file
 5658   when all other output was. [Daniel Miller]
 5659 
 5660 Nmap 5.50 [2011-01-28]
 5661 
 5662 o [Zenmap] Added a new script selection interface, allowing you to
 5663   choose scripts and arguments from a list which includes descriptions
 5664   of every available script. Just click the "Scripting" tab in the
 5665   profile editor. [Kirubakaran]
 5666 
 5667 o [Nping] Added echo mode, a novel technique for discovering how your
 5668   packets are changed (or dropped) in transit between the host they
 5669   originated and a target machine. It can detect network address
 5670   translation, packet filtering, routing anomalies, and more.  You can
 5671   try it out against our public Nping echo server using this command:
 5672     nping --echo-client "public" echo.nmap.org
 5673   Or learn more about echo mode at
 5674   https://nmap.org/book/nping-man-echo-mode.html . [Luis]
 5675 
 5676 o [NSE] Added an amazing 46 scripts, bringing the total to 177! You
 5677   can learn more about any of them at https://nmap.org/nsedoc/. Here
 5678   are the new ones (authors listed in brackets):
 5679 
 5680   + broadcast-dns-service-discovery: Attempts to discover hosts'
 5681     services using the DNS Service Discovery protocol.  It sends a
 5682     multicast DNS-SD query and collects all the responses. [Patrik
 5683     Karlsson]
 5684 
 5685   + broadcast-dropbox-listener: Listens for the LAN sync information
 5686     broadcasts that the Dropbox.com client broadcasts every 20
 5687     seconds, then prints all the discovered client IP addresses, port
 5688     numbers, version numbers, display names, and more.  [Ron Bowes,
 5689     Mak Kolybabi, Andrew Orr, Russ Tait Milne]
 5690 
 5691   + broadcast-ms-sql-discover: Discovers Microsoft SQL servers in the
 5692     same broadcast domain. [Patrik Karlsson]
 5693 
 5694   + broadcast-upnp-info: Attempts to extract system information from the
 5695     UPnP service by sending a multicast query, then collecting,
 5696     parsing, and displaying all responses. [Patrik Karlsson]
 5697 
 5698   + broadcast-wsdd-discover: Uses a multicast query to discover devices
 5699     supporting the Web Services Dynamic Discovery (WS-Discovery)
 5700     protocol. It also attempts to locate any published Windows
 5701     Communication Framework (WCF) web services (.NET 4.0 or
 5702     later). [Patrik Karlsson]
 5703 
 5704   + db2-discover: Attempts to discover DB2 servers on the network by
 5705     querying open ibm-db2 UDP ports (normally port 523). [Patrik
 5706     Karlsson]
 5707 
 5708   + dns-update.nse: Attempts to perform an unauthenticated dynamic DNS
 5709     update. [Patrik Karlsson]
 5710 
 5711   + domcon-brute: Performs brute force password auditing against the
 5712     Lotus Domino Console. [Patrik Karlsson]
 5713 
 5714   + domcon-cmd: Runs a console command on the Lotus Domino Console with
 5715     the given authentication credentials (see also: domcon-brute).
 5716     [Patrik Karlsson]
 5717 
 5718   + domino-enum-users: Attempts to discover valid IBM Lotus Domino users
 5719     and download their ID files by exploiting the CVE-2006-5835
 5720     vulnerability. [Patrik Karlsson]
 5721 
 5722   + firewalk: Tries to discover firewall rules using an IP TTL
 5723     expiration technique known as firewalking. [Henri Doreau]
 5724 
 5725   + ftp-proftpd-backdoor: Tests for the presence of the ProFTPD 1.3.3c
 5726     backdoor reported as OSVDB-ID 69562. This script attempts to
 5727     exploit the backdoor using the innocuous id command by default,
 5728     but that can be changed with a script argument. [Mak Kolybabi]
 5729 
 5730   + giop-info: Queries a CORBA naming server for a list of
 5731     objects. [Patrik Karlsson]
 5732 
 5733   + gopher-ls: Lists files and directories at the root of a gopher
 5734     service. Remember those? [Toni Ruottu]
 5735 
 5736   + hddtemp-info: Reads hard disk information (such as brand, model, and
 5737     sometimes temperature) from a listening hddtemp service. [Toni
 5738     Ruottu]
 5739 
 5740   + hostmap: Tries to find hostnames that resolve to the target's IP
 5741     address by querying the online database at
 5742     http://www.bfk.de/bfk_dnslogger.html . [Ange Gutek]
 5743 
 5744   + http-brute: Performs brute force password auditing against http
 5745     basic authentication. [Patrik Karlsson]
 5746 
 5747   + http-domino-enum-passwords: Attempts to enumerate the hashed Domino
 5748     Internet Passwords that are (by default) accessible by all
 5749     authenticated users. This script can also download any Domino ID
 5750     Files attached to the Person document. [Patrik Karlsson]
 5751 
 5752   + http-form-brute: Performs brute force password auditing against http
 5753     form-based authentication. [Patrik Karlsson]
 5754 
 5755   + http-vhosts: Searches for web virtual hostnames by making a large
 5756     number of HEAD requests against http servers using common
 5757     hostnames. [Carlos Pantelides]
 5758 
 5759   + informix-brute: Performs brute force password auditing against
 5760     IBM Informix Dynamic Server. [Patrik Karlsson]
 5761 
 5762   + informix-query: Runs a query against IBM Informix Dynamic Server
 5763     using the given authentication credentials (see also:
 5764     informix-brute). [Patrik Karlsson]
 5765 
 5766   + informix-tables: Retrieves a list of tables and column definitions
 5767     for each database on an Informix server. [Patrik Karlsson]
 5768 
 5769   + iscsi-brute: Performs brute force password auditing against iSCSI
 5770     targets. [Patrik Karlsson]
 5771 
 5772   + iscsi-info: Collects and displays information from remote iSCSI
 5773     targets. [Patrik Karlsson]
 5774 
 5775   + modbus-discover: Enumerates SCADA Modbus slave ids (sids) and
 5776     collects their device information. [Alexander Rudakov]
 5777 
 5778   + nat-pmp-info: Queries a NAT-PMP service for its external
 5779     address. [Patrik Karlsson]
 5780 
 5781   + netbus-auth-bypass: Checks if a NetBus server is vulnerable to an
 5782     authentication bypass vulnerability which allows full access
 5783     without knowing the password. [Toni Ruottu]
 5784 
 5785   + netbus-brute: Performs brute force password auditing against the
 5786     Netbus backdoor ("remote administration") service. [Toni Ruottu]
 5787 
 5788   + netbus-info: Opens a connection to a NetBus server and extracts
 5789     information about the host and the NetBus service itself. [Toni
 5790     Ruottu]
 5791 
 5792   + netbus-version: Extends version detection to detect NetBuster, a
 5793     honeypot service that mimics NetBus. [Toni Ruottu]
 5794 
 5795   + nrpe-enum: Queries Nagios Remote Plugin Executor (NRPE) daemons to
 5796     obtain information such as load averages, process counts, logged in
 5797     user information, etc. [Mak Kolybabi]
 5798 
 5799   + oracle-brute: Performs brute force password auditing against Oracle
 5800     servers. [Patrik Karlsson]
 5801 
 5802   + oracle-enum-users: Attempts to enumerate valid Oracle user names
 5803     against unpatched Oracle 11g servers (this bug was fixed in
 5804     Oracle's October 2009 Critical Patch Update). [Patrik Karlsson]
 5805 
 5806   + path-mtu: Performs simple Path MTU Discovery to target hosts. [Kris
 5807     Katterjohn]
 5808 
 5809   + resolveall: Resolves hostnames and adds every address (IPv4 or IPv6,
 5810     depending on Nmap mode) to Nmap's target list.  This differs from
 5811     Nmap's normal host resolution process, which only scans the first
 5812     address (A or AAAA record) returned for each host name. [Kris
 5813     Katterjohn]
 5814 
 5815   + rmi-dumpregistry: Connects to a remote RMI registry and attempts to
 5816     dump all of its objects. [Martin Holst Swende]
 5817 
 5818   + smb-flood: Exhausts a remote SMB server's connection limit by
 5819     opening as many connections as we can.  Most implementations of
 5820     SMB have a hard global limit of 11 connections for user accounts
 5821     and 10 connections for anonymous. Once that limit is reached,
 5822     further connections are denied. This script exploits that limit by
 5823     taking up all the connections and holding them. [Ron Bowes]
 5824 
 5825   + ssh2-enum-algos: Reports the number of algorithms (for encryption,
 5826     compression, etc.) that the target SSH2 server offers. If
 5827     verbosity is set, the offered algorithms are each listed by
 5828     type. [Kris Katterjohn]
 5829 
 5830   + stuxnet-detect: Detects whether a host is infected with the Stuxnet
 5831     worm (http://en.wikipedia.org/wiki/Stuxnet). [Mak Kolybabi]
 5832 
 5833   + svn-brute: Performs brute force password auditing against Subversion
 5834     source code control servers. [Patrik Karlsson]
 5835 
 5836   + targets-traceroute: Inserts traceroute hops into the Nmap scanning
 5837     queue. It only functions if Nmap's --traceroute option is used and
 5838     the newtargets script argument is given. [Henri Doreau]
 5839 
 5840   + vnc-brute: Performs brute force password auditing against VNC
 5841     servers. [Patrik Karlsson]
 5842 
 5843   + vnc-info: Queries a VNC server for its protocol version and
 5844     supported security types. [Patrik Karlsson]
 5845 
 5846   + wdb-version: Detects vulnerabilities and gathers information (such
 5847     as version numbers and hardware support) from VxWorks Wind DeBug
 5848     agents. [Daniel Miller]
 5849 
 5850   + wsdd-discover: Retrieves and displays information from devices
 5851     supporting the Web Services Dynamic Discovery (WS-Discovery)
 5852     protocol. It also attempts to locate any published Windows
 5853     Communication Framework (WCF) web services (.NET 4.0 or
 5854     later). [Patrik Karlsson]
 5855 
 5856 o [NSE] Added 12 new protocol libraries:
 5857   - dhcp.lua by Ron
 5858   - dnssd.lua (DNS Service Discovery) by Patrik
 5859   - ftp.lua by David
 5860   - giop.lua (CORBA naming service) by Patrik
 5861   - informix.lua (Informix database) by Patrik
 5862   - iscsi.lua (iSCSI - IP based SCSI data transfer) by Patrik
 5863   - nrpc.lua (Lotus Domino RPC) by Patrik
 5864   - rmi.lua (Java Remote Method Invocation) by Martin Holst Swende
 5865   - tns.lua (Oracle) by Patrik
 5866   - upnp.lua (UPnP support) by Thomas Buchanan and Patrik
 5867   - vnc.lua (Virtual Network Computing) by Patrik
 5868   - wsdd.lua (Web Service Dynamic Discovery) by Patrik
 5869 
 5870 o [NSE] Added a new brute library that provides a basic framework and logic
 5871   for brute force password auditing scripts. [Patrik]
 5872 
 5873 o [Zenmap] Greatly improved performance for large scans by
 5874   benchmarking intensively and then recoding dozens of slow parts.
 5875   Time taken to load our benchmark file (a scan of just over a million
 5876   IPs belonging to Microsoft corporation, with 74,293 hosts up) was
 5877   reduced from hours to less than two minutes. Memory consumption
 5878   decreased dramatically as well. [David]
 5879 
 5880 o Performed a major OS detection integration run. The database has
 5881   grown more than 14% to 2,982 fingerprints and many of the existing
 5882   fingerprints were improved. Highlights include Linux 2.6.37, iPhone
 5883   OS 4.2.1, Solaris 11, AmigaOS 3.1, GNU Hurd 0.3, and MINIX 2.0.4.
 5884   David posted highlights of his integration work at
 5885   http://seclists.org/nmap-dev/2010/q4/651
 5886 
 5887 o Performed a huge version detection integration run. The number of
 5888   signatures has grown by more than 11% to 7,355.  More than a third
 5889   of our signatures are for http, but we also detect 743 other service
 5890   protocols, from abc, acap, access-remote-pc, and achat to zenworks,
 5891   zeo, and zmodem.  David posted highlights at
 5892   http://seclists.org/nmap-dev/2010/q4/761.
 5893 
 5894 o [NSE] Added the target NSE library which allows scripts to add newly
 5895   discovered targets to Nmap's scanning queue. This allows Nmap to
 5896   support a wide range of target acquisition techniques. Scripts which
 5897   can now use this feature include dns-zone-transfer, hostmap,
 5898   ms-sql-info, snmp-interfaces, targets-traceroute, and several
 5899   more. [Djalal]
 5900 
 5901 o [NSE] Nmap has two new NSE script scanning phases. The new pre-scan
 5902   occurs before Nmap starts scanning. Some of the initial pre-scan
 5903   scripts use techniques like broadcast DNS service discovery or DNS
 5904   zone transfers to enumerate hosts which can optionally be treated as
 5905   targets. The other phase (post scan) runs after all of Nmap's
 5906   scanning is complete. We don't have any of these scripts yet, but
 5907   they could compile scan statistics or present the results in a
 5908   different way. One idea is a reverse index which provides a list of
 5909   services discovered during a network scan, along with a list of IPs
 5910   found to be running each service. See
 5911   https://nmap.org/book/nse-usage.html#nse-script-types. [Djalal]
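  The reverse index suggested above, written out as an added example. This
  is Python over Nmap's -oX XML output, not an NSE post-scan script (those
  run in Lua inside Nmap), and it uses a constructed sample scan so it runs
  offline; the element and attribute names (host, status, address, ports,
  port, state, service) are the ones Nmap's XML output uses.

```python
"""Post-scan reverse index: service -> hosts found running it, built from
Nmap XML (-oX) output.

Added example, not Nmap project code. SAMPLE_XML below is constructed to
look like a small -sV scan (two hosts up, one down).
"""
import xml.etree.ElementTree as ET
from collections import defaultdict

# Constructed sample of Nmap XML output.
SAMPLE_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX - 192.0.2.0/29" start="0" version="5.50">
  <host><status state="up"/><address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="tcp" portid="80"><state state="open"/><service name="http" product="Apache httpd"/></port>
      <port protocol="tcp" portid="443"><state state="closed"/><service name="https"/></port>
    </ports></host>
  <host><status state="up"/><address addr="192.0.2.11" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh" product="OpenSSH"/></port>
      <port protocol="udp" portid="161"><state state="open|filtered"/><service name="snmp"/></port>
    </ports></host>
  <host><status state="down"/><address addr="192.0.2.12" addrtype="ipv4"/></host>
</nmaprun>
"""


def reverse_index(xml_text: str, open_only: bool = True) -> dict:
    """Map "service/proto" -> sorted list of "ip:port" endpoints.

    open_only=True skips closed and open|filtered ports; pass False to
    include every port state Nmap recorded.
    """
    root = ET.fromstring(xml_text)
    index = defaultdict(set)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue                      # down hosts carry no port data
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address[@addrtype='ipv6']")
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            state = port.find("state").get("state")
            if open_only and state != "open":
                continue
            svc = port.find("service")
            name = svc.get("name") if svc is not None else "unknown"
            key = "%s/%s" % (name, port.get("protocol"))
            index[key].add("%s:%s" % (addr, port.get("portid")))
    return {k: sorted(v) for k, v in sorted(index.items())}


def render(index: dict) -> str:
    """Text rendering in the style of NSE script output."""
    lines = []
    for service, endpoints in index.items():
        lines.append("%s (%d)" % (service, len(endpoints)))
        lines.extend("  " + e for e in endpoints)
    return "\n".join(lines)


if __name__ == "__main__":
    print(render(reverse_index(SAMPLE_XML)))
```

  Feed it a real file with `reverse_index(open(path).read())`; the
  open-only default matches what a reviewer usually wants from a reverse
  index, since open|filtered UDP ports would otherwise list every host.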
 5912 
 5913 o [NSE] A new --script-help option describes all scripts matching a
 5914   given specification. It accepts the same specification format as
 5915   --script does. For example, try 'nmap --script-help "default or
 5916   http-*"'. [David, Martin Holst Swende]
 5917 
 5918 o Dramatically improved nmap.xsl (used for converting Nmap XML output
 5919   to HTML). In particular:
 5920   - Put verbose details behind expander buttons so you can see them if
 5921     you want, but they don't distract from the main output.  In
 5922     particular, offline hosts and traceroute results are collapsed by
 5923     default.
 5924   - Improved the color scheme to be less garish.
 5925   - Added support for the new NSE pre-scan and post-scan phases.
 5926   - Changed script output to use 'pre' tags to keep even lengthy
 5927     output readable.
 5928   - Added a floating menu to the lower-right for toggling whether
 5929     closed/filtered ports are shown or not (they are now hidden by
 5930     default if Javascript is enabled).
 5931   Many smaller improvements were made as well. You can find the new
 5932   file at https://nmap.org/svn/docs/nmap.xsl, and here is an example
 5933   scan processed through it: https://nmap.org/book/output-formats-output-to-html.html . [Tom]
 5934 
 5935 o [NSE] Created a new "broadcast" script category for the broadcast-*
 5936   scripts.  These perform network discovery by broadcasting on the
 5937   local network and listening for responses.  Since they don't
 5938   directly relate to targets specified on the command line, these are
 5939   kept out of the default category (nor do they go in "discovery").
 5940 
 5941 o Integrated cracked passwords from the Gawker.com compromise
 5942   (http://seclists.org/nmap-dev/2010/q4/674) into Nmap's top-5000
 5943   password database. A team of Nmap developers led by Brandon Enright
 5944   has cracked 635,546 out of 748,081 password hashes so far
 5945   (85%). Gawker doesn't exactly have the most sophisticated users on
 5946   the Internet--their top passwords are "123456", "password",
 5947   "12345678", "lifehack", "qwerty", "abc123", "12345", "monkey",
 5948   "111111", "consumer", and "letmein".
 5949 
 5950 o XML output now excludes output for down hosts when only doing host
 5951   discovery, unless verbosity (-v) was requested. This is how it
 5952   already worked for normal scans, but the ping-only case was
 5953   overlooked.  [David]
 5954 
 5955 o Updated the Windows build process to work with (and require) Visual
 5956   C++ 2010 rather than 2008.  If you want to build Zenmap too, you now
 5957   need Python 2.7 (rather than 2.6) and GTK+ 2.22. See
 5958   https://nmap.org/book/inst-windows.html#inst-win-source [David, Rob
 5959   Nicholls, KX]
 5960 
 5961 o Merged port names in the nmap-services file with allocated names
 5962   from the IANA (http://www.iana.org/assignments/port-numbers). We
 5963   only added IANA names which were "unknown" in our file--we didn't
 5964   deal with conflicting names. [David]
 5965 
 5966 o Enabled the ASLR and DEP security technologies for Nmap.exe,
 5967   Ncat.exe and Nping.exe on Windows Vista and above. Visual C++ will
 5968   set the /DYNAMICBASE and /NXCOMPAT flags in the PE
 5969   header. Executables generated using py2exe or NSIS and third party
 5970   binaries (OpenSSL, WinPcap) still don't support ASLR or DEP. Support
 5971   for DEP on XP SP3, using SetProcessDEPPolicy(), could still be
 5972   implemented. See http://seclists.org/nmap-dev/2010/q3/328. [Robert]
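  A practitioner's check for the two flags named above, added here as an
  example (it is not Nmap or Nmap build-system code): it reads
  DllCharacteristics from the PE optional header and reports whether the
  image was linked with /DYNAMICBASE and /NXCOMPAT. The flag values are
  the IMAGE_DLLCHARACTERISTICS_* constants from the PE/COFF specification;
  the sample images it checks are constructed inside the block, so it runs
  offline and on any platform.

```python
"""Report whether a Windows PE image opted into ASLR (/DYNAMICBASE) and
DEP (/NXCOMPAT) by reading IMAGE_OPTIONAL_HEADER.DllCharacteristics.

Added example, not Nmap project code. It parses only the headers it
needs, so it works on a full .exe/.dll as well as on the constructed
header-only samples from make_sample_pe().
"""
import struct

# IMAGE_DLLCHARACTERISTICS_* values from the PE/COFF specification.
HIGH_ENTROPY_VA = 0x0020  # 64-bit ASLR (PE32+ only)
DYNAMIC_BASE = 0x0040     # set by /DYNAMICBASE: image may be relocated (ASLR)
NX_COMPAT = 0x0100        # set by /NXCOMPAT: DEP/NX opt-in
PE32_MAGIC, PE32PLUS_MAGIC = 0x10B, 0x20B


def pe_mitigations(image: bytes) -> dict:
    """Return which mitigations the image's headers request.

    Raises ValueError for data that is not a PE image.
    """
    if image[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    (e_lfanew,) = struct.unpack_from("<I", image, 0x3C)
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    coff = e_lfanew + 4                          # IMAGE_FILE_HEADER (20 bytes)
    (size_of_optional,) = struct.unpack_from("<H", image, coff + 16)
    opt = coff + 20                              # IMAGE_OPTIONAL_HEADER
    (magic,) = struct.unpack_from("<H", image, opt)
    if magic not in (PE32_MAGIC, PE32PLUS_MAGIC):
        raise ValueError("unknown optional header magic 0x%x" % magic)
    if size_of_optional < 72:
        raise ValueError("optional header too short for DllCharacteristics")
    # DllCharacteristics is at offset 70 in both PE32 and PE32+ layouts.
    (dllchars,) = struct.unpack_from("<H", image, opt + 70)
    return {
        "pe32plus": magic == PE32PLUS_MAGIC,
        "aslr": bool(dllchars & DYNAMIC_BASE),
        "dep": bool(dllchars & NX_COMPAT),
        "high_entropy_va": bool(dllchars & HIGH_ENTROPY_VA),
        "dllcharacteristics": dllchars,
    }


def make_sample_pe(dllchars: int, pe32plus: bool = False) -> bytes:
    """Constructed minimal PE (headers only, no sections) for testing."""
    e_lfanew = 0x80
    dos = (b"MZ" + b"\0" * (0x3C - 2) + struct.pack("<I", e_lfanew)).ljust(e_lfanew, b"\0")
    machine = 0x8664 if pe32plus else 0x14C
    opt_size = 240 if pe32plus else 224
    # Machine, NumberOfSections, TimeDateStamp, PointerToSymbolTable,
    # NumberOfSymbols, SizeOfOptionalHeader, Characteristics
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, opt_size, 0x0102)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, PE32PLUS_MAGIC if pe32plus else PE32_MAGIC)
    struct.pack_into("<H", opt, 70, dllchars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, pe_mitigations(fh.read()))
```

  Run it over nmap.exe, ncat.exe and nping.exe after a build to confirm
  the linker flags took effect, and over the bundled third-party DLLs to
  see which ones still lack them, as the entry above says some did.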
 5973 
 5974 o Investigated using the CPE (Common Platform Enumeration) standard
 5975   for describing operating systems, devices, and service names for
 5976   Nmap OS and service detection. You can read David's reports at
 5977   http://seclists.org/nmap-dev/2010/q3/278 and
 5978   http://seclists.org/nmap-dev/2010/q3/303.
 5979 
 5980 o [Zenmap] Improved the output viewer to show new output in constant
 5981   time. Previously it would get slower and slower as the output grew
 5982   longer, eventually making Zenmap appear to freeze with 100% CPU. Rob
 5983   Nicholls and Ray Middleton helped with testing. [David]
 5984 
 5985 o The Linux RPM builds of Nmap and related tools (ncat, nping, etc.)
 5986   now link to system libraries dynamically rather than statically.
 5987   They still link statically to dependency libraries such as OpenSSL,
 5988   Lua, LibPCRE, Libpcap, etc. We hope this will improve portability so
 5989   the RPMs will work on distributions with older software (like RHEL,
 5990   Debian stable) as well as more bleeding edge ones like
 5991   Fedora. [David]
 5992 
 5993 o [NSE] Added the ability to send and receive on unconnected sockets.
 5994   This can be used, for example, to receive UDP broadcasts without
 5995   having to use Libpcap. A number of scripts have been changed so that
 5996   they can work as prerule scripts to discover services by UDP
 5997   broadcasting, and optionally add the discovered targets to the
 5998   scanning queue:
 5999     - ms-sql-info
 6000     - upnp-info
 6001     - dns-service-discovery
 6002   The nmap.new_socket function can now optionally take a default
 6003   protocol and address family, which will be used if the socket is not
 6004   connected. There is a new nmap.sendto function to be used with
 6005   unconnected UDP sockets. [David, Patrik]
 6006 
 6007 o [Nping] Substantially improved the Nping man page. You can read it
 6008   online at https://nmap.org/book/nping-man.html . [Luis, David]
 6009 
 6010 o Documented the licenses of the third-party software used by Nmap and
 6011   its sibling tools:
 6012   https://svn.nmap.org/nmap/docs/3rd-party-licenses.txt . [David]
 6013 
 6014 o [NSE] Improved the SMB scripts so that they can run in parallel
 6015   rather than using a mutex to force serialization.  This quadrupled
 6016   the SMB scan speed in one large scale test.  See
 6017   http://seclists.org/nmap-dev/2010/q3/819. [Ron]
 6018 
 6019 o Added a simple Nmap NSE script template to make writing new scripts
 6020   easier: https://nmap.org/svn/docs/sample-script.nse. [Ron]
 6021 
 6022 o [Zenmap] Made the topology node radiuses grow logarithmically
 6023   instead of linearly, so that hosts with thousands of open ports
 6024   don't overwhelm the diagram. Also only open ports (not
 6025   open|filtered) are considered when calculating node sizes. Henri
 6026   Doreau found and fixed a bug in the implementation. [Daniel Miller]
 6027 
 6028 o [NSE] Added the get_script_args NSE function for parsing script
 6029   arguments in a clean and standardized way
 6030   (https://nmap.org/nsedoc/lib/stdnse.html#get_script_args). [Djalal]
 6031 
 6032 o Increased the initial RTT timeout for ARP scans from 100 ms to 200
 6033   ms. Some wireless and VPN links were taking around 300 ms to
 6034   respond. The default of one retransmission gives them 400 ms to be
 6035   detected.
 6036 
 6037 o Added new version detection probes and signatures from Patrik for:
 6038   - Lotus Domino Console running on tcp/2050 (shows OS and hostname)
 6039   - IBM Informix Dynamic Server running native protocol (shows hostname and file path)
 6040   - Database servers running the DRDA protocol
 6041   - IBM Websphere MQ (shows name of queue-manager and channel)
 6042 
 6043 o Fix Nmap compilation on OpenSolaris (see
 6044   http://blogs.sun.com/sdaven/entry/nmap_5_35dc1_compile_on). [David]
 6045 
 6046 o [NSE] The http library's request functions now accept an additional
 6047   "auth" table within the option table, which causes Basic
 6048   authentication credentials to be sent. [David]
 6049 
 6050 o Improved IPv6 host output in that we now remember and report the
 6051   forward DNS name (given by the user) and any non-scanned addresses
 6052   (usually because of round robin DNS).  We already did this for
 6053   IPv4. [David]
 6054 
 6055 o [Zenmap] Upgraded to the newer gtk.Tooltip API to avoid deprecation
 6056   messages about gtk.Tooltip. [Rob Nicholls]
 6057 
 6058 o [NSE] Made dns-zone-transfer script able to add new discovered DNS
 6059   records to the Nmap scanning queue. [Djalal]
 6060 
 6061 o [NSE] Enhance ssl-cert to also report the type and bit size of SSL
 6062   certificate public keys. [Matt Selsky]
 6063 
 6064 o [Ncat] Make --exec and --idle-timeout work when connecting with
 6065   --proxy. Florian Roth reported the bug. [David]
 6066 
 6067 o [Nping] Fixed a bug which caused Nping to fail when targeting
 6068   broadcast addresses (see
 6069   http://seclists.org/nmap-dev/2010/q3/752). [Luis]
 6070 
 6071 o [Nping] Nping now limits concurrent open file descriptors properly
 6072   based on the resources available on the host (see
 6073   http://seclists.org/nmap-dev/2010/q4/2). [Luis]
 6074 
 6075 o [NSE] Improved ssh2's kex_init() parameters: all of the algorithm
 6076   and language lists can be set using new keys in the "options" table
 6077   argument. These all default to the same value used before. Also, the
 6078   required "cookie" argument is now replaced by an optional "cookie"
 6079   key in the "options" table, defaulting to random bytes as suggested
 6080   by the RFC. [Kris]
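  The SSH_MSG_KEXINIT payload that kex_init() builds, and that the
  ssh2-enum-algos script listed under 5.50 counts algorithms from, as an
  added example in Python rather than Nmap's ssh2.lua. It mirrors the
  interface described above: every name-list can be overridden through an
  options dict and the cookie defaults to 16 random bytes (RFC 4253
  section 7.1). The default algorithm lists and the weak "server" offer are
  constructed for the example, not taken from Nmap or from a capture.

```python
"""Build and parse SSH2 SSH_MSG_KEXINIT payloads (RFC 4253 section 7.1).

Added example, not Nmap's ssh2.lua. build_kexinit() is the client side
(what an NSE script sends); parse_kexinit()/enum_algos() is the server
side (what ssh2-enum-algos reports). All sample data is constructed.
"""
import os
import struct

SSH_MSG_KEXINIT = 20
# The ten name-lists, in the order RFC 4253 puts them after the cookie.
NAMELIST_FIELDS = (
    "kex_algorithms",
    "server_host_key_algorithms",
    "encryption_algorithms_client_to_server",
    "encryption_algorithms_server_to_client",
    "mac_algorithms_client_to_server",
    "mac_algorithms_server_to_client",
    "compression_algorithms_client_to_server",
    "compression_algorithms_server_to_client",
    "languages_client_to_server",
    "languages_server_to_client",
)

# Constructed defaults (assumed for the example, not Nmap's own lists).
DEFAULTS = {
    "kex_algorithms": ["diffie-hellman-group14-sha1", "diffie-hellman-group1-sha1"],
    "server_host_key_algorithms": ["ssh-rsa", "ssh-dss"],
    "encryption_algorithms_client_to_server": ["aes128-ctr", "aes128-cbc"],
    "encryption_algorithms_server_to_client": ["aes128-ctr", "aes128-cbc"],
    "mac_algorithms_client_to_server": ["hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-sha1"],
    "compression_algorithms_client_to_server": ["none"],
    "compression_algorithms_server_to_client": ["none"],
    "languages_client_to_server": [],
    "languages_server_to_client": [],
}


def _namelist(names):
    """SSH name-list wire form: uint32 length + comma-separated names."""
    data = ",".join(names).encode("ascii")
    return struct.pack(">I", len(data)) + data


def build_kexinit(options=None):
    """Serialize a KEXINIT payload (the bytes after the packet length/padding).

    Any NAMELIST_FIELDS key in `options` replaces the default list; an
    optional "cookie" key fixes the 16-byte cookie (otherwise it is random).
    """
    options = dict(options or {})
    cookie = options.pop("cookie", None) or os.urandom(16)
    if len(cookie) != 16:
        raise ValueError("cookie must be exactly 16 bytes")
    payload = bytes([SSH_MSG_KEXINIT]) + cookie
    for field in NAMELIST_FIELDS:
        payload += _namelist(options.get(field, DEFAULTS[field]))
    payload += b"\x00"                  # first_kex_packet_follows = FALSE
    payload += struct.pack(">I", 0)     # reserved (must be zero)
    return payload


def parse_kexinit(payload):
    """Parse a KEXINIT payload into {"cookie": bytes, <field>: [names]}."""
    if not payload or payload[0] != SSH_MSG_KEXINIT:
        raise ValueError("not an SSH_MSG_KEXINIT payload")
    result = {"cookie": payload[1:17]}
    off = 17
    for field in NAMELIST_FIELDS:
        if off + 4 > len(payload):
            raise ValueError("truncated KEXINIT before %s" % field)
        (n,) = struct.unpack_from(">I", payload, off)
        off += 4
        raw = payload[off:off + n]
        if len(raw) != n:
            raise ValueError("truncated name-list %s" % field)
        off += n
        result[field] = raw.decode("ascii").split(",") if raw else []
    return result


def enum_algos(payload):
    """Per-list algorithm counts, as ssh2-enum-algos prints without -v."""
    parsed = parse_kexinit(payload)
    return {f: len(parsed[f]) for f in NAMELIST_FIELDS}


# Constructed "server" KEXINIT with a deliberately weak offer, standing in
# for a captured packet.
SAMPLE_SERVER_KEXINIT = build_kexinit({
    "cookie": b"\x00" * 16,
    "kex_algorithms": ["diffie-hellman-group1-sha1"],
    "encryption_algorithms_client_to_server": ["3des-cbc", "arcfour"],
    "encryption_algorithms_server_to_client": ["3des-cbc", "arcfour"],
    "mac_algorithms_client_to_server": ["hmac-md5", "hmac-sha1"],
    "mac_algorithms_server_to_client": ["hmac-md5", "hmac-sha1"],
})

if __name__ == "__main__":
    for field, count in enum_algos(SAMPLE_SERVER_KEXINIT).items():
        print("%-40s %d" % (field, count))
```

  Against a live server, the payload to hand to parse_kexinit() is the
  first binary packet after the version-string exchange with its length,
  padding-length and padding stripped; the counts are the non-verbose
  output and the parsed lists are what -v adds.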
 6081 
 6082 o Ncat now logs Nsock debug output to stderr instead of stdout for
 6083   consistency with its other debug messages. [David]
 6084 
 6085 o [NSE] Added a new function, shortport.http, for HTTP script
 6086   portrules and changed 14 scripts to use it. [David]
 6087 
 6088 o Updated to the latest config.guess and config.sub. Thanks to Ty
 6089   Miller for a reminder. [David]
 6090 
 6091 o [NSE] Added prerule support to snmp-interfaces and the ability to
 6092   add the remote host's interface addresses to the scanning queue.
 6093   The new script arguments used for this functionality are "host"
 6094   (required) and "port" (optional). [Kris]
 6095 
 6096 o Fixed some inconsistencies in nmap-os-db and a small memory leak
 6097   that would happen where there was more than one round of OS
 6098   detection. These were reported by Xavier Sudre from
 6099   netVigilance. [David]
 6100 
 6101 o [NSE] Fixed a bug with worker threads calling the wrong destructors.
 6102   Fixing this allows better parallelism in http-brute.nse. The problem
 6103   was reported by Patrik Karlsson. [David, Patrick]
 6104 
 6105 o Upgraded the OpenSSL binaries shipped in our Windows installer to
 6106   version 1.0.0a. [David]
 6107 
 6108 o [NSE] Added prerule support to the dns-zone-transfer script,
 6109   allowing it to run early to discover IPs from DNS records and
 6110   optionally add those IPs to Nmap's target queue.  You must specify
 6111   the DNS server and domain name to use with script
 6112   arguments. [Djalal]
 6113 
 6114 o Changed the name of libdnet's sctp_chunkhdr to avoid a conflict with
 6115   a struct of the same name in netinet/sctp.h. This caused a
 6116   compilation error when Nmap was compiled with an OpenSSL that had
 6117   SCTP support. [Olli Hauer, Daniel Roethlisberger]
 6118 
 6119 o [NSE] Implemented a big cleanup of the Nmap NSE Nsock library
 6120   binding code. [Patrick]
 6121 
 6122 o Added a bunch of Apple and Netatalk AFP service detection
 6123   signatures.  These often provide extra details such as whether the
 6124   target is a MacBook Pro, Air, Mac Mini, iMac, etc. [Brandon]
 6125 
 6126 o [NSE] Host tables now have a host.traceroute member available when
 6127   --traceroute is used. This array contains the IP address, reverse
 6128   DNS name, and RTT for each traceroute hop. [Henri Doreau]
 6129 
 6130 o [NSE] Made the ftp-anon script return a directory listing when
 6131   anonymous login is allowed. [Gutek, David]
 6132 
 6133 o [NSE] Added the nmap.resolve() function. It takes a host name and
 6134   optionally an address family (such as "inet") and returns a table
 6135   containing all of its matching addresses. If no address family is
 6136   specified, all addresses for the name are returned. [Kris]
 6137 
 6138 o [NSE] Added the nmap.address_family() function which returns the address
 6139   family Nmap is using as a string (e.g., "inet6" is returned if Nmap is
 6140   called with the -6 option). [Kris]
 6141 
 6142 o [NSE] Scripts can now access the MTU of the host.interface device using
 6143   host.interface_mtu. [Kris]
 6144 
 6145 o Restrict the default Windows DLL search path by removing the current
 6146   directory. This adds extra protection against DLL hijacking attacks,
 6147   especially if we were to add file type associations to Nmap in the
 6148   future. We implement this with the SetDllDirectory function when
 6149   available (Windows XP SP1 and later). Otherwise, we call
 6150   SetCurrentDirectory with the directory containing the
 6151   executable. [David]
 6152 
 6153 o Nmap now prints the MTU for interfaces in --iflist output. [Kris]
 6154 
 6155 o [NSE] Removed references to the MD2 algorithm, which OpenSSL 1.x.x
 6156   no longer supports. [Alexandru]
 6157 
 6158 o [Ncat,NSE] Server Name Indication (SNI) is now supported by Ncat and
 6159   Nmap NSE, allowing them to connect to servers which run multiple SSL
 6160   websites on one IP address. To enable this for NSE, the nmap.connect
 6161   function has been changed to accept host and port tables (like those
 6162   provided to the action function) in place of a string and a
 6163   number. [David]
 6164 
 6165 o [NSE] Renamed db2-info and db2-brute scripts to drda-*. Added
 6166   support for other DRDA-based databases such as IBM Informix Dynamic
 6167   Server and Apache Derby.  [Patrik]
 6168 
 6169 o [Nsock] Added a new function, nsi_set_hostname, to set the intended
 6170   hostname of the target. This allows the use of Server Name
 6171   Indication in SSL connections. [David]
 6172 
 6173 o [NSE] Limits the number of ports that qscan will scan (now up to 8
 6174   open ports and up to 1 closed port by default). These limits can be
 6175   controlled with the qscan.numopen and qscan.numclosed script
 6176   arguments. [David]
 6177 
 6178 o [NSE] Made sslv2.nse give special output when SSLv2 is supported,
 6179   but no SSLv2 ciphers are offered. This happened with a specific
 6180   Sendmail configuration. [Matt Selsky]
 6181 
 6182 o [NSE] Added a "times" table to the host table passed to scripts.
 6183   This table contains Nmap's timing data (srtt, the smoothed round
 6184   trip time; rttvar, the rtt variance; and timeout), all represented
 6185   as floating-point seconds.  The ipidseq and qscan scripts were
 6186   updated to utilize the host's timeout value rather than using a
 6187   conservative guess of 3 seconds for read timeouts. [Kris]
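
To show what the srtt, rttvar and timeout fields represent and why a script would prefer host.times.timeout to a fixed 3 s read timeout, here is an added example (not Nmap's code; NSE exposes these values from Nmap's C++ timing code, this is a Python model). It uses the standard RFC 6298 smoothing (alpha 1/8, beta 1/4, timeout = srtt + 4*rttvar) in floating-point seconds; that Nmap uses exactly these constants is an assumption, and the sample RTTs are constructed.

```python
class HostTimes:
    """Model of the per-host "times" table: srtt, rttvar and timeout in
    floating-point seconds, updated with each round-trip sample.

    Smoothing constants follow RFC 6298 (alpha=1/8, beta=1/4,
    timeout=srtt+4*rttvar); whether Nmap's estimator uses exactly these
    values is an assumption of this example.
    """

    def __init__(self, initial_timeout=1.0):
        self.srtt = None          # smoothed round-trip time
        self.rttvar = None        # round-trip time variance
        self.timeout = initial_timeout

    def update(self, rtt):
        """Feed one measured round-trip time (seconds); return new timeout."""
        if self.srtt is None:
            # First sample: no history yet, so variance is half the sample.
            self.srtt = rtt
            self.rttvar = rtt / 2.0
        else:
            delta = rtt - self.srtt
            self.srtt += delta / 8.0
            self.rttvar += (abs(delta) - self.rttvar) / 4.0
        self.timeout = self.srtt + 4.0 * self.rttvar
        return self.timeout


def read_timeout_for(host_times, fallback=3.0):
    """What a script does after this change: use the host's measured timeout
    when one exists, else fall back to the old conservative 3 s guess."""
    if host_times is not None and host_times.srtt is not None:
        return host_times.timeout
    return fallback


if __name__ == "__main__":
    ht = HostTimes()
    for sample in (0.020, 0.028, 0.024):   # constructed RTT samples
        ht.update(sample)
    print("srtt=%.4f rttvar=%.4f timeout=%.4f" % (ht.srtt, ht.rttvar, ht.timeout))
    print("script read timeout:", read_timeout_for(ht))
```

On a LAN host the derived timeout is tens of milliseconds rather than 3 s, which is the speed-up ipidseq and qscan gain from the change.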
 6188 
 6189 o Fixed the fragmentation options (-f in Nmap, --mtu in Nmap & Nping),
 6190   which were improperly sending whole packets in version
 6191   5.35DC1. [Kris]
 6192 
 6193 o [NSE] When receiving raw packets from Pcap, the packet capture time
 6194   is now available to scripts as an additional return value from
 6195   pcap_receive().  It is returned as the floating point number of
 6196   seconds since the epoch.  Also added the nmap.clock() function which
 6197   returns the current time (and convenience functions clock_ms() and
 6198   clock_us()).  Qscan.nse was updated to use this more accurate timing
 6199   data. [Kris]
 6200 
 6201 o [Ncat,Nsock] Fixed some minor bugs discovered using the Smatch
 6202   source code analyzer (http://smatch.sourceforge.net/). [David]
 6203 
 6204 o [Zenmap] Fixed a crash that would happen after opening the search
 6205   window, entering a relative date criterion such as "after:-7", and
 6206   then clicking the "Expressions" button. The error message was
 6207     AttributeError: 'tuple' object has no attribute 'strftime'
 6208   [David]
 6209 
 6210 o Added a new packet payload--a NAT-PMP external address request for
 6211   port 5351/udp.  Payloads help us elicit responses from listening UDP
 6212   services to better distinguish them from filtered ports.  This
 6213   payload goes well with our new nat-pmp-info script. [David, Patrik]
 6214 
 6215 o Updated IANA IP address space assignment list for random IP (-iR)
 6216   generation. [Kris]
 6217 
 6218 o [Ncat] Ncat now uses case-insensitive string comparison when
 6219   checking authentication schemes and parameters. Florian Roth found a
 6220   server offering "BASIC" instead of "Basic", and the HTTP RFC
 6221   requires case-insensitive comparisons in most places. [David]
 6222 
 6223 o [NSE] There is now a limit of 1,000 concurrent running scripts,
 6224   instituted to keep memory under control when there are many open
 6225   ports. Nathan reported 3 GB of memory use (with an out-of-memory NSE
 6226   crash) for one host with tens of thousands of open ports. This limit
 6227   can be controlled with the variable CONCURRENCY_LIMIT in
 6228   nse_main.lua. [David]
 6229 
 6230 o The command line in XML output (/nmaprun/@args attribute) now does
 6231   quoting of whitespace using double quotes and backslashes. This
 6232   allows recovering the original command line array even when
 6233   arguments contain whitespace. [David]
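
As an added example of the quoting scheme this entry describes (my own Python, not Nmap's output code), here is a quote/split pair that turns an argv array into the /nmaprun/@args string and back. The changelog only says that whitespace is quoted with double quotes and backslashes; the exact rules below (wrap an argument in double quotes when it contains whitespace, a quote or a backslash, and escape those two characters with a backslash) are an assumption. XML attribute escaping (&quot; and friends) is applied on top of this by the XML writer and is not shown.

```python
import re

# Characters that force an argument into the double-quoted form (assumed rule).
_NEEDS_QUOTING = re.compile(r'[\s"\\]')


def quote_arg(arg):
    """Return one argv element as it would appear inside the args attribute."""
    if arg and not _NEEDS_QUOTING.search(arg):
        return arg
    escaped = arg.replace("\\", "\\\\").replace('"', '\\"')
    return '"' + escaped + '"'


def join_args(argv):
    """Build the attribute value from a command-line array."""
    return " ".join(quote_arg(a) for a in argv)


def split_args(s):
    """Inverse of join_args: recover the original argv array."""
    args = []
    i, n = 0, len(s)
    while i < n:
        if s[i].isspace():
            i += 1
            continue
        cur = []
        if s[i] == '"':
            i += 1
            while i < n and s[i] != '"':
                if s[i] == "\\" and i + 1 < n:
                    i += 1           # take the escaped character literally
                cur.append(s[i])
                i += 1
            if i >= n:
                raise ValueError("unterminated quoted argument")
            i += 1                   # skip the closing quote
        else:
            while i < n and not s[i].isspace():
                cur.append(s[i])
                i += 1
        args.append("".join(cur))
    return args


# Constructed command line with whitespace, a backslash and an empty argument.
SAMPLE_ARGV = ["nmap", "-sV", "--script-args", "user=a b", "c\\d",
               "-oX", "out.xml", ""]


def roundtrip_ok(argv=SAMPLE_ARGV):
    """True when join_args/split_args reproduce argv exactly."""
    return split_args(join_args(argv)) == argv


if __name__ == "__main__":
    print(join_args(SAMPLE_ARGV))
    print("round trip ok:", roundtrip_ok())
```

Before this change an argument such as "user=a b" was indistinguishable from two arguments once joined with spaces, which is what the round trip above now preserves.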
 6234 
 6235 o Added a service detection probe for master servers of Quake 3 and
 6236   related games.  [Toni Ruottu]
 6237 
 6238 o [Zenmap] Updated French translation. [Henri Doreau]
 6239 
 6240 o [Zenmap] Fixed a crash when printing a scan that had no output
 6241   (like a scan made by command-line Nmap). Henri Doreau noticed the
 6242   error. [David]
 6243 
 6244 Nmap 5.35DC1 [2010-07-16]
 6245 
 6246 o [NSE] Added 17 scripts, bringing the total to 131! They are
 6247   described individually in the CHANGELOG, but here is the list of new
 6248   ones:
 6249   afp-serverinfo, db2-brute, dns-cache-snoop, dns-fuzz, ftp-libopie,
 6250   http-php-version, irc-unrealircd-backdoor, ms-sql-brute,
 6251   ms-sql-config, ms-sql-empty-password, ms-sql-hasdbaccess,
 6252   ms-sql-query, ms-sql-tables, ms-sql-xp-cmdshell, nfs-ls,
 6253   ntp-monlist.
 6254   Learn more about any of these at: https://nmap.org/nsedoc/
 6255 
 6256 o Performed a major OS detection integration run. The database has
 6257   grown to 2,608 fingerprints (an increase of 262) and many of the
 6258   existing fingerprints were improved. These include the Apple iPad
 6259   and Cisco IOS 15.X devices. We also received many fingerprints for
 6260   ancient Microsoft systems including MS-DOS with MS Networking Client
 6261   3.0, Windows 3.1, and Windows NT 3.1. David posted highlights of his
 6262   integration work at http://seclists.org/nmap-dev/2010/q2/283.
 6263 
 6264 o Performed a large version detection integration run. The number of
 6265   signatures has grown to 6,622 (an increase of 279). New signatures
 6266   include a remote administrative backdoor that a school famously used
 6267   to spy on its students, an open source digital currency scheme named
 6268   Bitcoin, and game servers for EVE Online, l2emurt Lineage II, and
 6269   Frozen Bubble. You can read David's highlights at
 6270   http://seclists.org/nmap-dev/2010/q2/385.
 6271 
 6272 o [NSE] Added nfs-ls.nse, which lists NFS exported files and their
 6273   attributes. The nfs-acls and nfs-dirlist scripts were deleted
 6274   because all their features are supported by this script. [Djalal]
 6275 
 6276 o [NSE] Added a new DB2 library and two scripts:
 6277   - db2-brute.nse uses the unpwdb library to guess credentials for DB2
 6278   - db2-info.nse, a rewrite of Tom Sellers' script to use the new library
 6279   [Patrik]
 6280 
 6281 o [NSE] Added a library for Microsoft SQL Server and 7 new scripts. The new
 6282   scripts are:
 6283   - ms-sql-brute.nse uses the unpwdb library to guess credentials for MSSQL
 6284   - ms-sql-config retrieves various configuration details from the server
 6285   - ms-sql-empty-password checks if the sa account has an empty password
 6286   - ms-sql-hasdbaccess lists database access per user
 6287   - ms-sql-query adds support for running custom queries against the database
 6288   - ms-sql-tables lists databases, tables, columns and datatypes with optional
 6289     keyword filtering
 6290   - ms-sql-xp-cmdshell adds support for OS command execution to privileged
 6291     users
 6292   [Patrik]
 6293 
 6294 o [NSE] Added the afp-serverinfo script that gets a hostname, IP
 6295   addresses, and other configuration information from an AFP server.
 6296   The script, and a patch to the afp library, were contributed by
 6297   Andrew Orr and subsequently enhanced by Patrik and David.
 6298 
 6299 o [NSE] Added additional vulnerability checks to smb-check-vulns.nse:
 6300   The Windows RAS RPC service vulnerability MS06-025
 6301   (http://www.microsoft.com/technet/security/bulletin/ms06-025.mspx)
 6302   and the Windows DNS Server RPC vuln MS07-029
 6303   (http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx).
 6304   Note that these are only run if you specify the "unsafe" script arg
 6305   because the implemented test crashes vulnerable services. [Drazen]
 6306 
 6307 o [NSE] Added dns-cache-snoop.nse by Eugene Alexeev. This script performs
 6308   cache snooping by either sending non-recursive queries or by measuring
 6309   response times.
 6310 
 6311 o [Zenmap] Added the ability to print Nmap output to a
 6312   printer. [David]
 6313 
 6314 o [Nmap, Ncat, Nping] The default unit for time specifications is now
 6315   seconds, not milliseconds, and times may have a decimal point. 1000
 6316   now means 1000 seconds, or about 17 minutes, not 1000 milliseconds.
 6317   Floating point values such as 1.5 are now allowed.  This affects the
 6318   following options:
 6319   Nmap:
 6320     --host-timeout
 6321     --max-rtt-timeout --min-rtt-timeout --initial-rtt-timeout
 6322     --scan-delay --max-scan-delay
 6323     --stats-every
 6324   Ncat:
 6325     -d --delay
 6326     -i --idle-timeout
 6327     -w --wait
 6328   Nping:
 6329     --delay
 6330     --host-timeout
 6331     --icmp-orig-time --icmp-recv-time --icmp-trans-time
 6332   Some sanity checks have been added to catch what looks like an
 6333   attempt to use the old millisecond defaults. For example,
 6334   --host-timeout 10000 yields
 6335     Since April 2010, the default unit for --host-timeout is seconds,
 6336     so your time of "10000" is 2.8 hours. If this is what you want,
 6337     use "10000s".
 6338     QUITTING!
 6339   You can always disable the warning by giving an explicit unit.
 6340 
 6341 o [NSE] Scripts which take an argument for a time duration can now
 6342   have the duration be a number followed by a unit, like elsewhere in
 6343   Nmap. An example is "10m" for 10 minutes. The units understood are
 6344   "ms" for milliseconds, "s" for seconds, "m" for minutes, and "h" for
 6345   hours.  Seconds are the default if no unit is specified. The new
 6346   function stdnse.parse_timespec does the parsing of these
 6347   formats. The qscan.delay script argument, which formerly interpreted
 6348   its argument as being in milliseconds, now defaults to seconds;
 6349   append "ms" to continue using the same numbers. [David]
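
The two entries above describe the same time-specification grammar from two sides: the units parsed by stdnse.parse_timespec, and the sanity check Nmap applies when a large bare number looks like an old millisecond value. The following is an added Python example of both (NSE's real implementation is Lua and Nmap's is C++; this is neither). The grammar is taken from the text (ms, s, m, h; seconds by default); the threshold at which a unitless value is refused is not stated in the changelog and is an assumption here.

```python
import re

# Unit suffixes named in the changelog, as multipliers to seconds.
_UNIT_SECONDS = {"ms": 0.001, "s": 1.0, "m": 60.0, "h": 3600.0}

# A number (optionally fractional) with an optional unit suffix.
# "ms" is listed before "m" so that "250ms" is not read as 250 minutes.
_TIMESPEC_RE = re.compile(r"^\s*([0-9]*\.?[0-9]+)\s*(ms|s|m|h)?\s*$")

# Assumed cutoff for "this looks like the old millisecond default".
SUSPICIOUS_SECONDS = 1000.0


def _parse(spec):
    """Return (seconds, had_explicit_unit); seconds is None if unparseable."""
    m = _TIMESPEC_RE.match(str(spec))
    if not m:
        return None, False
    value, unit = m.groups()
    return float(value) * _UNIT_SECONDS[unit or "s"], unit is not None


def parse_timespec(spec):
    """Analogue of stdnse.parse_timespec: duration in floating-point seconds,
    or None when the string is not a valid time specification."""
    return _parse(spec)[0]


def check_host_timeout(spec, option="--host-timeout"):
    """Model of the command-line sanity check. Returns (seconds, error);
    exactly one of the two is None."""
    seconds, has_unit = _parse(spec)
    if seconds is None:
        return None, "%s: cannot parse time specification %r" % (option, spec)
    if not has_unit and seconds >= SUSPICIOUS_SECONDS:
        msg = ('Since April 2010, the default unit for %s is seconds, '
               'so your time of "%s" is %.1f hours. If this is what you '
               'want, use "%ss".' % (option, spec, seconds / 3600.0, spec))
        return None, msg
    return seconds, None


if __name__ == "__main__":
    for s in ("10m", "1.5", "250ms", "2h", "10x"):
        print("%-6s -> %s" % (s, parse_timespec(s)))
    for s in ("10000", "10000s", "30"):
        print("%-7s -> %s" % (s, check_host_timeout(s)))
```

The qscan.delay note at the end of the entry is the practical consequence: a bare "100" that once meant 100 ms now means 100 s, so "100ms" must be written explicitly.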
 6350 
 6351 o [NSE] Added irc-unrealircd-backdoor.nse, which detects a backdoor
 6352   that was in UnrealIRCd source code distributions between November
 6353   2009 and June 2010. See http://seclists.org/nmap-dev/2010/q2/826.
 6354   [Vlatko Kosturjak, Ron, David]
 6355 
 6356 o Ports are now considered open during a SYN scan if a SYN packet
 6357   (without the ACK flag) is received in response. This can be due to
 6358   an extremely rare TCP feature known as a simultaneous open or split
 6359   handshake connection. See http://bit.ly/tcp-sh and
 6360   http://seclists.org/nmap-dev/2010/q2/723. [Jah]
 6361 
 6362 o [Ncat] In listen mode, the --exec and --sh-exec options now accept a
 6363   single connection and then exit, just like in normal listen mode.
 6364   Use the --keep-open option to get the old default inetd-like
 6365   behavior. This was suggested by David Millis. [David]
 6366 
 6367 o [NSE] Added ftp-libopie.nse by Gutek. This script checks for an
 6368   off-by-one stack overflow vulnerability in libopie by giving the FTP
 6369   service an overly long name. See
 6370   http://security.freebsd.org/advisories/FreeBSD-SA-10:05.opie.asc for
 6371   details.
 6372 
 6373 o [NSE] Added ntp-monlist.nse which discovers NTP server, peer and
 6374   client hosts associated with a scanned target by sending NTPv2
 6375   Private Mode 'monitor' and 'peers' commands to the target. [Jah]
 6376 
 6377 o [NSE] Added http-php-version.nse from Gutek. This script retrieves
 6378   version-specific pages through a couple of magic PHP queries, which
 6379   can identify the PHP version even when a server doesn't advertise
 6380   it.
 6381 
 6382 o [NSE] New script dns-fuzz launches a fuzzing attack against DNS
 6383   servers. Added a new category - fuzzer - for scripts like this.
 6384   [Michael Pattrick]
 6385 
 6386 o David made many improvements to the NSEDoc for individual scripts,
 6387   including adding @output sections to scripts which didn't have them.
 6388   He also improved the generated HTML with features like
 6389   auto-generating usage strings if the scripts don't include their own
 6390   and allowing the giant sidebar lists of scripts/libraries to expand
 6391   and contract.  See https://nmap.org/nsedoc/.
 6392 
 6393 o UDP payloads are now stored in an external data file, nmap-payloads,
 6394   instead of being hard-coded in the executable. This makes it easier
 6395   to add your own payloads or disable those you find problematic. [Jay
 6396   Fink, David]
 6397 
 6398 o The Windows executable installer now uses LZMA compression instead
 6399   of zlib, making it about 15% smaller. See
 6400   http://seclists.org/nmap-dev/2010/q2/1011 for test results. [David]
 6401 
 6402 o Open XML elements are now closed in case of a fatal error, so the
 6403   output should at least be well-formed. There are new attributes
 6404   "exit" and "errormsg" in the finished element. "exit" is "success"
 6405   or "error". When it is "error", the "errormsg" attribute contains
 6406   the error message. Thanks to Grant Bartlett, who found a typo in the
 6407   new output. [David]
 6408 
 6409 o Fixed name resolution in environments where gethostbyname can return
 6410   IPv6 (or other non-IPv4 addresses). In such an environment, Nmap
 6411   would wrongly use the first four bytes of the IPv6 address as an
 6412   IPv4 address. You could force this, at least on Debian, by adding
 6413   the line "options inet6" to /etc/resolv.conf or by running with
 6414   RES_OPTIONS=inet6 in the environment. This was reported by Mats Erik
 6415   Andersson, who also suggested the fix. [David]
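
An added example (my Python, not Nmap's resolver code) that reproduces the fault described here and shows the family-aware lookup that nmap.resolve() offers scripts: the resolver answers are a constructed in-memory table in the shape of (family, packed address) pairs, so nothing touches the network, and "example.test" and 2001:db8::1 are documentation values, not real hosts.

```python
import socket

# Constructed lookup results, ordered the way a resolver with "options inet6"
# (or RES_OPTIONS=inet6) returns them: the IPv6 answer comes first.
FAKE_RESULTS = {
    "example.test": [
        (socket.AF_INET6, socket.inet_pton(socket.AF_INET6, "2001:db8::1")),
        (socket.AF_INET,  socket.inet_pton(socket.AF_INET,  "192.0.2.7")),
    ],
}


def buggy_first_ipv4(name):
    """The pre-fix behaviour: assume the first answer is IPv4 and copy its
    first four bytes, which silently turns 2001:db8::1 into 32.1.13.184."""
    _family, packed = FAKE_RESULTS[name][0]
    return socket.inet_ntop(socket.AF_INET, packed[:4])


def first_ipv4(name):
    """The fixed behaviour: skip answers whose family is not AF_INET."""
    for family, packed in FAKE_RESULTS.get(name, []):
        if family == socket.AF_INET:
            return socket.inet_ntop(socket.AF_INET, packed)
    return None


def resolve(name, family=None):
    """Analogue of nmap.resolve(name[, family]): every textual address for
    the name, restricted to "inet" or "inet6" when a family is given."""
    wanted = {None: None, "inet": socket.AF_INET, "inet6": socket.AF_INET6}[family]
    addresses = []
    for fam, packed in FAKE_RESULTS.get(name, []):
        if wanted is not None and fam != wanted:
            continue
        addresses.append(socket.inet_ntop(fam, packed))
    return addresses


if __name__ == "__main__":
    print("buggy :", buggy_first_ipv4("example.test"))
    print("fixed :", first_ipv4("example.test"))
    print("all   :", resolve("example.test"))
    print("inet6 :", resolve("example.test", "inet6"))
```

The bogus 32.1.13.184 is a routable-looking address, which is why the bug produced scans of the wrong host rather than an obvious error.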
 6416 
 6417 o Fixed the assignment of interface aliases to directly connected
 6418   routes on Linux, which was broken in 5.30BETA1 (it always assigned
 6419   the base interface instead of the alias). This was visible in the
 6420   host.interface variable passed to NSE scripts. The bug was reported
 6421   by Victor Rudnev. [David]
 6422 
 6423 o When Nmap is passed a hostname such as google.com which resolves to
 6424   several IP addresses, Nmap now prints each IP address.  It still
 6425   only scans the first one in the returned list. [David]
 6426 
 6427 o Nmap now works if you specify several target host names which
 6428   resolve to the same IP address.  This can be useful when you are
 6429   scanning virtual-hosted web servers and want to see NSE results
 6430   specific to each site name even though they reside on the same
 6431   machine. [David]
 6432 
 6433 o Made a list of current Nmap SVN committers:
 6434   https://svn.nmap.org/nmap/docs/committers.txt
 6435 
 6436 o Added a new library, libnetutil, which contains about 2,700 lines of
 6437   networking related code which is now shared between Nmap and Nping
 6438   (it was previously duplicated by each tool). [Luis, David]
 6439 
 6440 o [NSE] http-passwd.nse now also checks for boot.ini to support
 6441   Windows targets. [Gutek]
 6442 
 6443 o Removed --interactive mode, a miniature shell whose primary purpose
 6444   was to hide command line arguments from the process list. It had
 6445   been broken (would segfault during the second scan) for at least 9
 6446   months and was rarely used. The fact that it was broken was reported
 6447   by Juan Carlos Castro. [David]
 6448 
 6449 o Added a version probe, match line, and UDP payload for the
 6450   serialnumberd service of Mac OS X Server. This service overrides
 6451   firewall settings to make itself visible, so it's useful for host
 6452   discovery. [Patrik]
 6453 
 6454 o Improved service detection match lines for:
 6455   - Oracle Enterprise Manager Agent and mupdate by Matt Selsky
 6456   - Twisted web server, Apple Filing Protocol, Apple Mac OS X Password
 6457     Server, XAVi XG6546p Wireless Gateway, Sun GlassFish
 6458     Communications Server, and Comdasys, SIParator and Glassfish SIP
 6459     by Patrik
 6460   - PostgreSQL, Cisco Site Selector ftpd, and LanSafe UPS monitoring
 6461     HTTPd by Tom Sellers
 6462 
 6463 o Improved our brute force password guessing list by mixing in some
 6464   data sent in by Solar Designer of John the Ripper fame.
 6465 
 6466 o [Zenmap] IP addresses are now sorted by octet rather than their
 6467   string representation. For example, 10.1.1.2 is now sorted before
 6468   10.1.1.10. This problem was reported by Norris Carden. [David]
 6469 
 6470 o [NSE] Added UDP header parsing support to packet.lua. [jah]
 6471 
 6472 o Fixed a bug in Libpcap which led to Nmap hanging forever in some
 6473   cases on 64-bit Mac OS X 10.6, 10.6.1, and 10.6.3.  The fix was
 6474   actually already available in upstream Libpcap, just not released.
 6475   We also had to make Nmap build with its own Libpcap on 64-bit OS X
 6476   if an already-installed system Libpcap has this bug. [David]
 6477 
 6478 o Updated our WinPcap to the new 4.1.2 release. [Rob Nicholls]
 6479 
 6480 o [NSE] Fixed a bug in qscan.nse which gave an error if a confidence
 6481   level of 0.9995 was used.  Thanks to Marcin Hoffmann for noticing
 6482   the problem. [Kris]
 6483 
 6484 o [libpcap] Added a --disable-packet-ring option to force the use of
 6485   an older, slower packet capture mechanism on Linux. Before Linux
 6486   2.6.27, the packet ring mechanism uses different-sized kernel
 6487   structures on 32- and 64-bit architectures, so a 32-bit program will
 6488   not run correctly on a 64-bit kernel. The older mechanism does not
 6489   have this flaw.
 6490 
 6491 o Fixed some errors in nmap-os-db, probably caused by incorrect string
 6492   replacement during integration. This patch is from James Cook.
 6493 
 6494 o [Nsock, Ncat] Nsock has a new function, nsp_setbroadcast, that
 6495   allows setting the SO_BROADCAST option on sockets. Ncat now sets
 6496   this option unconditionally in connect mode to allow connections to
 6497   broadcast addresses (useful in UDP mode). [Daniel Miller]
 6498 
 6499 o Nmap now works with "teamed" network interfaces on Windows. In order
 6500   to distinguish the interfaces, their textual descriptions are now
 6501   compared in addition to their MAC addresses. Without this, Nmap
 6502   would send on the wrong interface and not receive any replies. A
 6503   symptom of this problem was all scans failing except when
 6504   --unprivileged was used. Norris Carden reported this bug. [David]
 6505 
 6506 o [Ncat] When receiving a connection/datagram in listen mode, Ncat now
 6507   prints the connecting source port along with the IP address (when
 6508   verbosity is enabled). [Rebellis]
 6509 
 6510 o Fixed a problem where the time variable used in some port scanning
 6511   algorithms (for probe timeouts, etc.) could vary based on the
 6512   debugging level. [Kris]
 6513 
 6514 o Moved the parse_long function from ncat to nbase for better reuse,
 6515   and used it to simplify netmask parsing code. [William Pursell]
 6516 
 6517 o Added EPROTO to the list of known error codes in service scan. Daniel
 6518   Miller reported that an EPROTO was causing Nmap to exit after sending
 6519   the Sqlping probe during service scan. The error message was
 6520   "Unexpected error in NSE_TYPE_READ callback. Error code: 71 (Protocol
 6521   error)". We suspect this was caused by a forged ICMP packet sent by an
 6522   active firewall. [David]
 6523 
 6524 o [NSE] Improved smtp-commands.nse to work against more mail servers,
 6525   made it take an smtp-commands.domain script argument, and rewrote it
 6526   in the style of other smtp scripts. [Jasey DePriest]
 6527 
 6528 o [NSE] Made smtp-commands run for the services smtp, smtps,
 6529   submission rather than just smtp.  The other smtp scripts already do
 6530   this. [David]
 6531 
 6532 o [NSE] The dns-recursion script now marks the port as open when it
 6533   gets a response. [Olivier M]
 6534 
 6535 o [Nping] A big correctness and code cleanliness audit was performed
 6536   which resulted in many bugs being fixed and much more code being
 6537   shared with Nmap rather than duplicated. A structured testing
 6538   script system was also created. [Luis, David]
 6539 
 6540 o [Nping] Now allows a --count value of zero to run almost
 6541   indefinitely (2^32 rounds). Suggested by Andreas Hubert. [Luis]
 6542 
 6543 o [Nping] Fixed --data argument parsing. The value passed was not
 6544   actually making it into outgoing packets. Reported by Tim
 6545   Poth. [Luis]
 6546 
 6547 o [Nping] When a RST packet is received in response to a connection
 6548   attempt in TCP-Connect mode, Nping now properly prints "Connection
 6549   refused" rather than "Operation now in progress". [Luis]
 6550 
 6551 o [Nping] Fixed a bug which caused failure when the first supplied
 6552   target was not resolvable (e.g.: nping bogushost.fkz scanme.insecure.com
 6553   tcpdump.com). [Luis]
 6554 
 6555 o [Nping] Fixed some bugs in the BPF filter creation to avoid capture
 6556   and printing of packets Nping sent or which are destined for another
 6557   process. [Luis]
 6558 
 6559 o [Nping] Fixed a bug which prevented ARP replies from being displayed
 6560   properly. [Luis]
 6561 
 6562 o [Nping] Fixed a bug that caused ICMP Router Advertisement entries to
 6563   be set in host byte order rather than proper network byte
 6564   order. [Luis]
 6565 
 6566 o [Nping] Fixed a segfault caused by bad --data values. [Greg Skoczek]
 6567 
 6568 o The Mac OS X installer is now built with MacPorts 1.9.1 rather than
 6569   1.8.2. Among other changes, this fixes a segmentation fault reported
 6570   by some OS X 10.6.3 users.
 6571 
 6572 o Nsock now supports an option to remove its Pcap support.  This
 6573   allows the same Nsock to be shared with Nmap (which needs that
 6574   support) and Ncrack (which doesn't). Pcap support can be disabled by
 6575   specifying --disable-pcap at configure time on UNIX, or by selecting
 6576   the DebugNoPcap or ReleaseNoPcap configurations in Visual C++ on
 6577   Windows.
 6578 
 6579 o Sped up compilation by not building both shared and static libdnet
 6580   libraries--we only use the static one. [David]
 6581 
 6582 o [NSE] Improved error handling and reporting and re-designed communication
 6583   class in RPC library with patch from Djalal Harouni. [Patrik]
 6584 
 6585 o Upgraded the included libpcap to version 1.1.1. [David]
 6586 
 6587 o [NSE] Add some special-use IPv4 addresses to isPrivate which are
 6588   described in RFC 5736 and RFC 5737, published in Jan 2010. Improve
 6589   performance of isPrivate for IPv4 addresses by using ip_in_range
 6590   less frequently. Add an extra return value to isPrivate - when the
 6591   first return value is true, the second return value will now be a
 6592   string representing the special use assignment in which the supplied
 6593   address is located. [jah]
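
As an added illustration of this entry (Python written for this page, not the Lua ipOps code): an isPrivate-style lookup that returns a second value naming the special-use assignment, and that indexes ranges by first octet so that only the few candidate ranges are tested per address, which is the kind of cheap prefilter the entry describes. The ranges are the RFC 1918, loopback, link-local, RFC 5736 and RFC 5737 blocks; the label strings are my own, and the names NSE actually returns are not given in the changelog.

```python
import ipaddress

# Special-use IPv4 blocks and the RFC that assigns each (labels are mine).
_SPECIAL_USE = [
    ("10.0.0.0/8",       "private-use (RFC 1918)"),
    ("127.0.0.0/8",      "loopback (RFC 1122)"),
    ("169.254.0.0/16",   "link-local (RFC 3927)"),
    ("172.16.0.0/12",    "private-use (RFC 1918)"),
    ("192.0.0.0/24",     "IETF protocol assignments (RFC 5736)"),
    ("192.0.2.0/24",     "TEST-NET-1 (RFC 5737)"),
    ("192.168.0.0/16",   "private-use (RFC 1918)"),
    ("198.51.100.0/24",  "TEST-NET-2 (RFC 5737)"),
    ("203.0.113.0/24",   "TEST-NET-3 (RFC 5737)"),
]

# Index by first octet: most addresses then need zero range comparisons.
_BY_FIRST_OCTET = {}
for _cidr, _label in _SPECIAL_USE:
    _net = ipaddress.ip_network(_cidr)
    _lo = int(_net.network_address) >> 24
    _hi = int(_net.broadcast_address) >> 24
    for _octet in range(_lo, _hi + 1):
        _BY_FIRST_OCTET.setdefault(_octet, []).append((_net, _label))


def is_private(addr):
    """Return (False, None) for a globally routable IPv4 address, or
    (True, label) naming the special-use assignment it falls in."""
    ip = ipaddress.ip_address(addr)
    if ip.version != 4:
        raise ValueError("this example handles IPv4 only")
    for net, label in _BY_FIRST_OCTET.get(int(ip) >> 24, ()):
        if ip in net:
            return True, label
    return False, None


def candidate_ranges(addr):
    """How many ranges is_private must actually test for this address."""
    return len(_BY_FIRST_OCTET.get(int(ipaddress.ip_address(addr)) >> 24, ()))


if __name__ == "__main__":
    for a in ("10.1.2.3", "192.0.2.10", "192.0.0.5", "8.8.8.8", "172.32.0.1"):
        print("%-12s %s  (ranges tested: %d)" % (a, is_private(a), candidate_ranges(a)))
```

The second return value is what lets a script say not just "private" but "documentation range", which matters when a target list has been populated from examples rather than real inventory.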
 6594 
 6595 o Fix compilation on OpenSolaris.  We had to make the libdnet autoconf
 6596   check for PF_PACKET Linux-specific.  Recent versions of OpenSolaris
 6597   support PF_PACKET, but not in a way which is entirely compatible
 6598   with the Linux approach. This problem was reported by Darren Reed. A
 6599   few other minor compatibility changes were made as well. [David]
 6600 
 6601 o [NSE] Added script arguments "username" and "password" to ftp-bounce
 6602   to override the default anonymous:IEUser@ login combination. [Kris]
 6603 
 6604 o [NSE] Added port number sorting to dns-service-discovery.nse. [Patrik]
 6605 
 6606 o [NSE] Added an snmpWalk() function to the SNMP library and updated
 6607   scripts to use it.  [Patrik]
 6608 
 6609 o [NSE] Fixed this dns.lua error reported by Eugene Alexeev:
 6610   nselib/dns.lua:110: attempt to get length of field 'dtype' (a number value)
 6611   [Jah]
 6612 
 6613 o Updated nmap-mac-prefixes to the latest IEEE data as of 2010-07-13.
 6614 
 6615 o Updated IANA IP address space assignment list for random IP (-iR)
 6616   generation. [Kris]
 6617 
 6618 o Created a new directory for storing todo lists for Nmap and related
 6619   projects.  You can see what we're working on and planning by
 6620   visiting https://nmap.org/svn/todo/.
 6621 
 6622 o [NSE] Removed explicit time limit checking from ms-sql-brute,
 6623   pgsql-brute, mysql-brute, ldap-brute, and afp-brute. The unpwdb
 6624   library does this automatically now. [David]
 6625 
 6626 o [NSE] Correct global access errors in afp.lua reported by Patrick
 6627   Donnelly. [Patrik]
 6628 
 6629 o [NSE] Correct misspelled "Capabilities.IgnoreSpaceBeforeParanthesis"
 6630   name in the MySQL library. [Kris]
 6631 
 6632 o Cleaned up our Winpcap header file directory, and also updated to
 6633   the latest files from the official developer pack
 6634   (WpdPack_4_1_1.zip). [Fyodor]
 6635 
 6636 o [NSE] Fixed a bug which would prevent rpcinfo.nse from returning any
 6637   results for RPC programs which could not be matched to a
 6638   name. [Patrik]
 6639 
 6640 o [NSE] The ftp-anon script is now much smarter about parsing server
 6641   responses and detecting successful (or not) logins.  It now knows
 6642   how to send the ACCT command where appropriate as well. [Rob
 6643   Nicholls]
 6644 
 6645 o Normalized a bunch of version detection entries with "webserver" in
 6646   the description.  In most cases this was changed to "httpd".
 6647 
 6648 o [Ncat] Fixed the --crlf option not to insert an extra \r byte in the
 6649   case that one system read ends with \r and the next begins with \n
 6650   (should be rare). [David]
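
The failure mode in this entry is a classic stream-translation bug, so here is an added example (Python, not Ncat's C) of a stateful newline translator beside the naive per-read version it replaces. Only the one bit of state matters: whether the previous read ended in a carriage return. The chunk boundaries are constructed to hit exactly the case the entry names.

```python
class CrlfTranslator:
    """Translate bare \\n to \\r\\n across arbitrary read boundaries.

    The naive approach translates each chunk on its own, so a chunk ending
    in \\r followed by a chunk starting with \\n yields \\r\\r\\n. Carrying
    one flag between calls makes that pair an already-complete CRLF.
    """

    def __init__(self):
        self._prev_cr = False

    def feed(self, chunk):
        """Translate one read's worth of bytes; returns the bytes to send."""
        out = bytearray()
        for b in chunk:
            if b == 0x0A and not self._prev_cr:
                out += b"\r\n"        # bare LF: expand it
            else:
                out.append(b)         # CR, LF-after-CR, or ordinary byte
            self._prev_cr = (b == 0x0D)
        return bytes(out)


def naive_crlf(chunk):
    """Per-chunk translation with no memory of the previous read."""
    return chunk.replace(b"\n", b"\r\n")


def translate_chunks(chunks, stateful=True):
    """Run a sequence of reads through either translator and join the output."""
    if stateful:
        t = CrlfTranslator()
        return b"".join(t.feed(c) for c in chunks)
    return b"".join(naive_crlf(c) for c in chunks)


# Constructed reads: the CRLF pair is split across the boundary.
SPLIT_READS = [b"GET / HTTP/1.0\r", b"\nHost: x\n"]

if __name__ == "__main__":
    print("naive   :", translate_chunks(SPLIT_READS, stateful=False))
    print("stateful:", translate_chunks(SPLIT_READS))
```

The same shape of bug appears in any byte-at-a-time transformation that spans reads (chunked encodings, escape sequences, multi-byte characters), and the fix is always to keep the minimal parser state between calls rather than re-scanning each buffer in isolation.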
 6651 
 6652 o [NSE] Fixed bug in rpc.lua library that incorrectly required file handles
 6653   to be 32 octets when calling the ReadDir function. The bug was reported by
 6654   Djalal Harouni. [Patrik]
 6655 
 6656 Nmap 5.30BETA1 [2010-03-29]
 6657 
 6658 o [NSE] Added 37 scripts, bringing the total to 117! They are
 6659   described individually in the CHANGELOG, but here is the list of new
 6660   ones:
 6661   afp-brute afp-path-vuln afp-showmount couchdb-databases
 6662   couchdb-stats daap-get-library db2-das-info dns-service-discovery
 6663   http-methods http-vmware-path-vuln ipidseq jdwp-version ldap-brute
 6664   ldap-rootdse ldap-search lexmark-config mongodb-databases
 6665   mongodb-info mysql-brute mysql-databases mysql-empty-password
 6666   mysql-users mysql-variables nfs-acls nfs-dirlist nfs-statfs
 6667   pgsql-brute qscan smtp-enum-users snmp-interfaces snmp-netstat
 6668   snmp-processes snmp-win32-services snmp-win32-shares
 6669   snmp-win32-software snmp-win32-users ssl-enum-ciphers.
 6671   Learn more about any of these at: https://nmap.org/nsedoc/
 6672 
 6673 o [NSE] New script afp-path-vuln detects and can exploit a major Mac
 6674   OS X AFP directory traversal vulnerability (CVE-2010-0533)
 6675   discovered by Nmap developer Patrik Karlsson. See
 6676   https://nmap.org/nsedoc/scripts/afp-path-vuln.html and
 6677   http://bit.ly/nmapafp.
 6678 
 6679 o An ALPHA TEST VERSION of Nping, a packet generator written by Luis
 6680   MartinGarcia and Fyodor last summer, is now included in the Nmap
 6681   distribution. While it works, we consider the application unfinished
 6682   and we hope to improve it greatly as a Summer of Code project this
 6683   summer and then do an official release. See https://nmap.org/nping/.
 6684 
 6685 o [NSE] Added RPC library and three new NFS scripts. Modified the
 6686   rpcinfo and nfs-showmount scripts to use the new library. The new
 6687   scripts are:
 6688   - nfs-acls shows the owner and directory mode of NFS exports
 6689     (https://nmap.org/nsedoc/scripts/nfs-acls.html).
 6690   - nfs-dirlist lists the contents of NFS exports
 6691     (https://nmap.org/nsedoc/scripts/nfs-dirlist.html)
 6692   - nfs-statfs shows file system statistics for NFS exports
 6693     (https://nmap.org/nsedoc/scripts/nfs-statfs.html).
 6694   [Patrik]
 6695 
 6696 o [NSE] Added the new dns-service-discovery script which uses DNS-SD
 6697   to identify services. DNS-SD is one part of automatic configuration
 6698   technologies known by names such as Bonjour, Rendezvous, and
 6699   Zeroconf. This one script can provide as much information as a full
 6700   port scan in some cases. See
 6701   https://nmap.org/nsedoc/scripts/dns-service-discovery.html . [Patrik
 6702   Karlsson]
 6703 
 6704 o [NSE] New script afp-brute for brute force authentication attempts
 6705   against the Apple AFP filesharing protocol. See
 6706   https://nmap.org/nsedoc/scripts/afp-brute.html . [Patrik]
 6707 
 6708 o [NSE] Added a new script afp-showmount which displays Apple AFP
 6709   shares and their permissions.  See
 6710   https://nmap.org/nsedoc/scripts/afp-showmount.html . [Patrik]
 6711 
 6712 o [NSE] Added the qscan script to repeatedly probe ports on a host to
 6713   gather round-trip times for each port. The script then uses these
 6714   times to group together ports with statistically equivalent round
 6715   trip times.  Ports in different groups could be the result of things
 6716   such as port forwarding to hosts behind a NAT. It is based on work
 6717   by Doug Hoyte. This script also utilizes the new NSE raw IP sending
 6718   functionality. See https://nmap.org/nsedoc/scripts/qscan.html . [Kris]
 6719 
 6720 o [NSE] Added a new script, db2-das-info.nse, that connects to the IBM
 6721   DB2 Administration Server (DAS) and exports the server profile. No
 6722   authentication is required for this request. The script will also
 6723   set the port product and version if a version scan is requested. See
 6724   https://nmap.org/nsedoc/scripts/db2-das-info.html . [Patrik Karlsson,
 6725   Tom Sellers]
 6726 
 6727 o [NSE] Added a new library for ASN.1 parsing and adapted the SNMP
 6728   library to make use of it. Added 5 SNMP scripts that use the new
 6729   libraries:
 6730   - snmp-netstat shows listening and connected
 6731     sockets (https://nmap.org/nsedoc/scripts/snmp-netstat.html).
 6732   - snmp-processes shows process information including name, pid, path
 6733     & parameters (https://nmap.org/nsedoc/scripts/snmp-processes.html).
 6734   - snmp-win32-services shows the names of running Windows services
 6735     (https://nmap.org/nsedoc/scripts/snmp-win32-services.html).
 6736   - snmp-win32-shares shows the names and path of Windows shares
 6737     (https://nmap.org/nsedoc/scripts/snmp-win32-shares.html).
 6738   - snmp-win32-software shows a list of installed Windows software
 6739     (https://nmap.org/nsedoc/scripts/snmp-win32-software.html).
 6740   - snmp-win32-users shows a list of local Windows users
 6741     (https://nmap.org/nsedoc/scripts/snmp-win32-users.html).
 6742   [Patrik]
 6743 
 6744 o [NSE] Added the snmp-interfaces script by Thomas Buchanan, which
 6745   enumerates network interfaces over SNMP. See
 6746   https://nmap.org/nsedoc/scripts/snmp-interfaces.html .
 6747 
 6748 o [NSE] Added http-vmware-path-vuln.nse, which checks for a critical
 6749   and easy to exploit path-traversal vulnerability in VMWare
 6750   (CVE-2009-3733). See
 6751   https://nmap.org/nsedoc/scripts/http-vmware-path-vuln.html . [Ron]
 6752 
 6753 o [NSE] Added a new library for LDAP and three new scripts by Patrik:
 6754   - ldap-brute uses the unpwdb library to guess credentials for LDAP
 6755     (https://nmap.org/nsedoc/scripts/ldap-brute.html).
 6756   - ldap-rootdse retrieves the LDAP root DSA-specific Entry (DSE)
 6757     (https://nmap.org/nsedoc/scripts/ldap-rootdse.html).
 6758   - ldap-search queries an LDAP directory for either
 6759     all, or a number of pre-defined object types
 6760     (https://nmap.org/nsedoc/scripts/ldap-search.html).
 6761 
 6762 o [NSE] Added a new library for PostgreSQL and the script pgsql-brute
 6763   that uses it to guess credentials. See
 6764   https://nmap.org/nsedoc/scripts/pgsql-brute.html . [Patrik]
 6765 
 6766 o [NSE] Added 5 new MySQL NSE scripts and a MySQL library by Patrik Karlsson:
 6767   - mysql-brute uses the unpwdb library to guess credentials for MySQL
 6768     (https://nmap.org/nsedoc/scripts/mysql-brute.html).
 6769   - mysql-databases queries MySQL for a list of databases
 6770     (https://nmap.org/nsedoc/scripts/mysql-databases.html).
 6771   - mysql-empty-password attempts to authenticate anonymously or as
 6772     root with an empty password
 6773     (https://nmap.org/nsedoc/scripts/mysql-empty-password.html).
 6774   - mysql-users queries MySQL for a list of database users
 6775     (https://nmap.org/nsedoc/scripts/mysql-users.html).
 6776   - mysql-variables queries MySQL for its variables and their
 6777     settings (https://nmap.org/nsedoc/scripts/mysql-variables.html).
 6778 
 6779 o Improved the passwords.lst database used by NSE by combining several
 6780   leaked password databases collected by Ron Bowes. The size of the
 6781   database has been increased from 200 to 5000.
 6782 
 6783 o Zenmap's "slow comprehensive scan profile" has been modified to use
 6784   the best 7-probe host discovery combination we were able to find in
 6785   extensive empirical testing
 6786   (http://www.bamsoftware.com/wiki/nmap/EffectivenessOfPingProbes).
 6787   That combination is "-PE -PP -PS21,22,23,25,80,113,31339
 6788   -PA80,113,443,10042 -PO". [David]
 6789 
 6790 o Switched to -Pn and -sn as the preferred syntax for skipping
 6791   ping scan and skipping port scan, respectively. Previously the -PN
 6792   and -sP options were recommended. This establishes a more regular
 6793   syntax for some options that disable phases of a scan:
 6794   + -n  no reverse DNS
 6795   + -Pn no host discovery
 6796   + -sn no port scan
 6797   We also felt that the old -sP ("ping scan") option was a bit
 6798   misleading because current versions of Nmap can go much further
 6799   (including -sC and --traceroute) even with port scans disabled. We
 6800   will retain support for the previous option names for the foreseeable
 6801   future.
 6802 
 6803 o [NSE] Added the ipidseq script to classify a host's IP ID sequence
 6804   numbers in the same way Nmap does.  This can be used to test hosts'
 6805   suitability for Nmap's Idle Scan (-sI), i.e. check if a host is an
 6806   idle zombie.  This is the first script to use the new raw IP sending
 6807   functionality in NSE. See
 6808   https://nmap.org/nsedoc/scripts/ipidseq.html . [Kris]
 6809 
 6810 o [NSE] Added the ssl-enum-ciphers script by Mak Kolybabi. It lists
 6811   the ciphers and compressors supported by SSL/TLS servers. See
 6812   https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html .
 6813 
 6814 o [NSE] Added two new scripts for the MongoDB database from Martin
 6815   Holst Swende. mongodb-info
 6816   (https://nmap.org/nsedoc/scripts/mongodb-info.html) gets information
 6817   like the version number, memory use, and operating system, while
 6818   mongodb-databases
 6819   (https://nmap.org/nsedoc/scripts/mongodb-databases.html) lists the
 6820   databases and their size on disk.
 6821 
 6822 o [NSE] Added the scripts couchdb-databases and couchdb-stats, which
 6823   list CouchDB databases and show access statistics, and a new
 6824   json.lua library they depend on. See
 6825   https://nmap.org/nsedoc/scripts/couchdb-databases.html and
 6826   https://nmap.org/nsedoc/scripts/couchdb-stats.html [Martin Holst
 6827   Swende]
 6828 
 6829 o [NSE] Added the new lexmark-config script that lists product
 6830   information and configuration for Lexmark printers. See
 6831   https://nmap.org/nsedoc/scripts/lexmark-config.html . [Patrik
 6832   Karlsson]
 6833 
 6834 o [NSE] Added the new daap-get-library script which uses the Digital
 6835   Audio Access Protocol to enumerate the contents of a library. The
 6836   contents contain the name of the artist, album and song. See
 6837   https://nmap.org/nsedoc/scripts/daap-get-library.html . [Patrik]
 6838 
 6839 o [NSE] Added jdwp-version.nse, a script by Michael Schierl that finds
 6840   the version of a Java Debug Wire Protocol server. This is a
 6841   dangerous service to find running as it does not provide any
 6842   security against malicious attackers who can inject their own
 6843   bytecode into the debugged process. See
 6844   https://nmap.org/nsedoc/scripts/jdwp-version.html .
 6845 
 6846 o [NSE] Added the smtp-enum-users script from Duarte Silva, which
 6847   attempts to find user account names over SMTP by brute force testing
 6848   using RCPT, VRFY, and EXPN tests.
 6849 
 6850 o [NSE] The unpwdb library now has a default time limit on the
 6851   usernames and passwords iterators. This will prevent brute force
 6852   scripts from running for a long time when a service is slow. These
 6853   new script arguments control the limits:
 6854   - unpwdb.userlimit  Limit on number of usernames.
 6855   - unpwdb.passlimit  Limit on number of passwords.
 6856   - unpwdb.timelimit  Time limit in seconds.
 6857   Pass 0 for any of these limits to disable it. For more details, see
 6858   https://nmap.org/nsedoc/lib/unpwdb.html . [David]
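
The limit mechanism described in this entry, as an added Python illustration (unpwdb itself is Lua inside Nmap; this is not the library's code). It wraps any iterator in a count limit and a wall-clock limit, with 0 disabling a limit as the entry states. The script-argument defaults, the function names and the injectable `clock` parameter are this example's own assumptions; the word list is constructed.

```python
import time
from typing import Callable, Dict, Iterable, List, Tuple

# Script-argument names from the changelog entry; the default values here are
# assumed for the example and are not the library's real defaults.
ASSUMED_DEFAULTS: Dict[str, str] = {
    "unpwdb.userlimit": "0",
    "unpwdb.passlimit": "0",
    "unpwdb.timelimit": "0",
}


def parse_limit_args(script_args: Dict[str, str]) -> Tuple[int, int, float]:
    """Return (userlimit, passlimit, timelimit); 0 means 'no limit'."""
    merged = {**ASSUMED_DEFAULTS, **script_args}
    userlimit = int(merged["unpwdb.userlimit"])
    passlimit = int(merged["unpwdb.passlimit"])
    timelimit = float(merged["unpwdb.timelimit"])
    if min(userlimit, passlimit, timelimit) < 0:
        raise ValueError("limits must be non-negative")
    return userlimit, passlimit, timelimit


def take_with_limits(items: Iterable[str],
                     count_limit: int = 0,
                     time_limit: float = 0.0,
                     clock: Callable[[], float] = time.monotonic) -> Tuple[List[str], str]:
    """Consume `items` until a limit trips; return (taken, reason).

    reason is "count", "time" or "exhausted". The count limit plays the role
    of unpwdb.userlimit / unpwdb.passlimit and the time limit that of
    unpwdb.timelimit. `clock` is injectable (assumed helper) so the time
    limit can be exercised deterministically without sleeping.
    """
    start = clock()
    taken: List[str] = []
    for item in items:
        if count_limit and len(taken) >= count_limit:
            return taken, "count"
        if time_limit and clock() - start >= time_limit:
            return taken, "time"
        taken.append(item)
    return taken, "exhausted"


class FakeClock:
    """Deterministic clock that advances one second per reading (test helper)."""

    def __init__(self) -> None:
        self.now = 0.0

    def __call__(self) -> float:
        self.now += 1.0
        return self.now


if __name__ == "__main__":
    # Constructed word list; a real script would draw from unpwdb's iterators.
    words = ["alpha", "bravo", "charlie", "delta", "echo"]
    print(take_with_limits(words, count_limit=2))                       # (['alpha', 'bravo'], 'count')
    print(take_with_limits(words, time_limit=3.0, clock=FakeClock()))  # (['alpha', 'bravo'], 'time')
    print(take_with_limits(words))                                      # all five, 'exhausted'
```

The time check happens before each item is handed out, so a slow service cannot make the loop overrun the limit by more than one attempt; the count check uses the number already taken, so `count_limit=N` yields exactly N items.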
 6859 
 6860 o When --open is used, Nmap no longer prints output for hosts which
 6861   don't have any open ports. All output formats are treated the same
 6862   way, so if a host isn't shown in normal output, it won't be shown in
 6863   XML output either.
 6864 
 6865 o [NSE] Added the script http-methods from Bernd Stroessenreuther.
 6866   This script sends an HTTP OPTIONS request to get the methods
 6867   supported by the server, highlights potentially risky methods, and
 6868   optionally tests each method to see if they are restricted by IP
 6869   address or something similar. See
 6870   https://nmap.org/nsedoc/scripts/http-methods.html .
 6871 
 6872 o The -v and -d options are now handled in the same way. These three
 6873   forms are equivalent:
 6874     -v -v -v    -vvv    -v3
 6875     -d -d -d    -ddd    -d3
 6876   Formerly, the -ddd and -v3 forms didn't work. Mak Kolybabi submitted
 6877   a patch.
 6878 
 6879 o Fixed a libpcap compilation error on Solaris. This was actually
 6880   fixed in libpcap's source control back in 2008, but they haven't made
 6881   a release since then :(. They still seem to be actively developing
 6882   though, so let's hope for a release soon. Solaris compilation fixes
 6883   were made to Ncat and Nping as well.
 6884 
 6885 o Zenmap now lets you save scan results in normal Nmap text output
 6886   format or (as before) as XML. The XML format still has the text
 6887   version embedded inside it, and is still the only format Zenmap can
 6888   load again. The "Save to Directory" mode for saving multiple
 6889   aggregated scans at once still always saves XML results. [David]
 6890 
 6891 o Fixed the packaging of x64 versions of WinPcap drivers in the
 6892   winpcap-nmap installer to ensure that 64-bit applications (such as
 6893   64-bit Wireshark) work properly. [Rob Nicholls]
 6894 
 6895 o Fixed the Idle Scan (-sI) so that scanning multiple hosts doesn't
 6896   retest the zombie proxy and reinitialize all of the associated data
 6897   at the beginning of each run. [Kris]
 6898 
 6899 o [NSE] Raw packet sending at the IP layer is now supported, in
 6900   addition to the existing Ethernet sending functionality.  Packets to
 6901   send start with an IPv4 header and can be sent to arbitrary
 6902   hosts. For details, see
 6903   https://nmap.org/book/nse-api.html#nse-api-networkio-raw [Kris]
 6904 
 6905 o Added version detection match line for the Arucer backdoor, which was
 6906   found packaged with drivers for the Energizer USB recharger product
 6907   (see http://www.kb.cert.org/vuls/id/154421). [Ron]
 6908 
 6909 o Fixed --resume to work again despite our recent changes to the Nmap
 6910   output format. [jlanthea]
 6911 
 6912 o [Zenmap] Localized most of the remaining strings in the GUI
 6913   interface which were English-only. The actual textual Nmap results
 6914   are still in English, since they come from Nmap itself, but the GUI
 6915   is now almost fully localized. [David]
 6916 
 6917 o [Zenmap] Updated the localization files for the French
 6918   translation. [Gutek]
 6919 
 6920 o [Zenmap] Fixed an interface bug which could cause hostnames with
 6921   underscores like "host_a" to be rendered like "hosta" with the "a"
 6922   underlined. Thanks to Toralf F. for the report, and David for the
 6923   fix.
 6924 
 6925 o Nmap now honors routing table entries that override interface
 6926   addresses and netmasks. For example, with this configuration:
 6927     ************************INTERFACES************************
 6928     DEV  (SHORT) IP/MASK         TYPE     UP MAC
 6929     eth0 (eth0)  192.168.0.21/24 ethernet up 00:00:00:00:00:00
 6930     .
 6931     **************************ROUTES**************************
 6932     DST/MASK       DEV  GATEWAY
 6933     192.168.0.3/32 eth0 192.168.0.1
 6934     192.168.0.0/24 eth0
 6935   Nmap will not consider 192.168.0.3 directly connected through eth0,
 6936   even though it matches the interface's netmask. It won't try to ARP
 6937   ping 192.168.0.3, but will route traffic through 192.168.0.1.
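
The routing decision this entry describes, as an added Python illustration (Nmap's own route lookup is C++; this is not that code). The interface and route table are constructed from the --iflist output quoted above. Longest-prefix match over the routes decides whether a target is a neighbour to ARP-ping or is reached through a gateway; the old netmask-only heuristic is included to show why 192.168.0.3 was misclassified. Type and function names are this example's own.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Interface:
    name: str
    network: ipaddress.IPv4Network   # the interface's own subnet


@dataclass
class Route:
    dest: ipaddress.IPv4Network
    dev: str
    gateway: Optional[ipaddress.IPv4Address] = None   # None: directly connected


# Constructed from the --iflist output quoted in the changelog entry above.
INTERFACES: List[Interface] = [
    Interface("eth0", ipaddress.ip_network("192.168.0.21/24", strict=False)),
]
ROUTES: List[Route] = [
    Route(ipaddress.ip_network("192.168.0.3/32"), "eth0", ipaddress.ip_address("192.168.0.1")),
    Route(ipaddress.ip_network("192.168.0.0/24"), "eth0"),
]


def lookup_route(target: str, routes: List[Route] = ROUTES) -> Optional[Route]:
    """Longest-prefix match: the most specific matching destination wins."""
    addr = ipaddress.ip_address(target)
    best: Optional[Route] = None
    for route in routes:
        if addr in route.dest and (best is None or route.dest.prefixlen > best.dest.prefixlen):
            best = route
    return best


def next_hop(target: str, routes: List[Route] = ROUTES) -> Optional[Tuple[str, str, bool]]:
    """Return (device, next-hop address, directly_connected), or None if unroutable.

    A directly connected target is the one Nmap would ARP-ping; a routed one
    has its traffic sent to the gateway instead, as the entry describes.
    """
    route = lookup_route(target, routes)
    if route is None:
        return None
    if route.gateway is None:
        return route.dev, str(ipaddress.ip_address(target)), True
    return route.dev, str(route.gateway), False


def netmask_only_guess(target: str, interfaces: List[Interface] = INTERFACES) -> bool:
    """The pre-fix heuristic: 'directly connected' iff inside an interface netmask.

    Shown only to make the difference visible: it treats 192.168.0.3 as a
    neighbour because the /32 host route is never consulted.
    """
    addr = ipaddress.ip_address(target)
    return any(addr in iface.network for iface in interfaces)


if __name__ == "__main__":
    for target in ("192.168.0.3", "192.168.0.50", "10.0.0.1"):
        print(target, next_hop(target), "netmask-only says direct:", netmask_only_guess(target))
```

With this table, 192.168.0.3 resolves to the /32 route and gets ("eth0", "192.168.0.1", False), while 192.168.0.50 falls through to the connected /24 and is ARP-pinged directly.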
 6938 
 6939 o [Ncat] The HTTP proxy server now accepts client connections over
 6940   SSL. That means connections to the proxy can be encrypted and
 6941   authenticated. We haven't found any HTTP clients that directly
 6942   support SSL connections to proxies, but you can use Ncat as a tunnel
 6943   to an SSL-supporting Ncat proxy. This new feature was implemented by
 6944   Markus Klinik.
 6945 
 6946 o Updated our Mac OS X build system so that our binary packages are
 6947   built on Mac OS X 10.6 rather than 10.5. [David]
 6948 
 6949 o Fixed reading of the interface table on NetBSD. Running nmap
 6950   --iflist would report "INTERFACES: NONE FOUND(!)" and any scan done
 6951   as root would fail with "WARNING: Unable to find appropriate
 6952   interface for system route to...". This was first reported by Jay
 6953   Fink, and had already been patched in the NetBSD pkgsrc
 6954   tree. [David]
 6955 
 6956 o Fixed a bug in traceroute that could happen when directly connected
 6957   and routed targets were in the same hostgroup. If the first target
 6958   was directly connected, the traceroute for all targets in the group
 6959   would have a trace of one hop.
 6960 
 6961 o ARP requests now work with libpcap Linux "cooked" encapsulation.
 6962   According to http://wiki.wireshark.org/SLL, this encapsulation is
 6963   used on devices "where the native link layer header isn't available
 6964   or can't be used." Before this, attempting any ARP operation on such
 6965   an interface would fail with the error
 6966     read_arp_reply_pcap called on interfaces that is datatype 113
 6967       rather than DLT_EN10MB (1)
 6968   [David]
 6969 
 6970 o Fixed the display of route netmask bits in --iflist on little-endian
 6971   architectures. Formerly, any mask less than /24 was shown as /0, and
 6972   other masks were also wrong. [David]
 6973 
 6974 o Fixed an assertion failure which could occur when connecting to an
 6975   SSL server:
 6976     nsock_core.c:199: socket_count_write_dec: Assertion `(iod->writesd_count) > 0' failed.
 6978   This was observed when running the http-enum script but could
 6979   possibly have happened in other situations. Thanks to Brandon for
 6980   reporting the bug and testing. [David]
 6981 
 6982 o Added the function bignum_add to the nse_openssl library to support
 6983   BIGNUM addition [Patrik]
 6984 
 6985 o The redistributable Visual C++ runtime components installer
 6986   (vcredist_x86.exe) has been upgraded to version 9.0.30729.4148. Axel
 6987   Pettinger reported that the previous version 9.0.30729.17, caused a
 6988   Windows Update on Windows 7 because of Microsoft security advisory
 6989   MS09-035.
 6990 
 6991 o [Ncat] Fixed an error that could make programs run with --exec exit
 6992   prematurely on Windows. The problem was related to a program writing
 6993   too quickly into a non-blocking socket. A symptom was the message:
 6994     NCAT DEBUG: Subprocess ended with exit code 259.
 6995   Reported by David Millis. [David]
 6996 
 6997 o [Ncat] Fixed a bug that prevented detection of EOF from stdin on
 6998   Windows. Reported by Adrian Crenshaw and Andy Zwirko. [David]
 6999 
 7000 o [Nsock] WSAEACCES was added to the list of known connect error
 7001   codes. This error can happen on Windows when a port is blocked by
 7002   Windows Firewall. Thanks to Taemun for reporting this and
 7003   investigating.
 7004 
 7005 o XML output now only includes host elements for down hosts in verbose
 7006   mode. This makes it consistent with the other output formats.
 7007 
 7008 o [NSE] Fixed http-enum so it uses the full path name for the
 7009   fingerprints file. This prevents it from quitting with an error like
 7010   this:
 7011     NSE: http-enum: Attempting to parse fingerprint file
 7012     nselib/data/http-fingerprints NSE: http-enum against
 7013     10.99.24.140:443 threw an error! C:\Program
 7014     Files\Nmap\scripts\http-enum.nse:198: bad argument #1 to 'lines'
 7015     (nselib/data/http-fingerprints: No such file or directory) stack
 7016     traceback:
 7017   [Kris, Brandon, Ron Meldau]
 7018 
 7019 o [NSE] Added a missing dirname function to http-favicon. Its absence
 7020   was causing this error message when a web page specified a relative
 7021   icon URL in a link element:
 7022    http-favicon.nse:141: variable 'dirname' is not declared
 7023   [David, Ron Meldau]
 7024 
 7025 o Fixed the parsing of libdnet DLPI interface names that contain more
 7026   than one string of digits. Joe Dietz reported that an interface with
 7027   the name e1000g0 was causing this error message on Solaris 9:
 7028     Warning: Unable to open interface e1000g0 -- skipping it.
 7029   [David]
 7030 
 7031 o [NSE] Added the function nmap.is_privileged() to tell a script if,
 7032   as far as Nmap's concerned, it can do privileged operations. For
 7033   instance, this can be used to determine whether a script can open a
 7034   raw socket or Ethernet interface. [Kris]
 7035 
 7036 o [NSE] Added the function nmap.get_ports() so scripts can iterate
 7037   over a host's port table entries matching a given protocol and
 7038   state. [Kris, Patrick]
 7039 
 7040 o [Ncat] Fixed a handle leak with --exec and --sh-exec on Windows,
 7041   found by Jon Greaves. One thread handle was being leaked per child
 7042   process invocation. [David]
 7043 
 7044 o [NSE] nbstat.nse can now look up the MAC prefix vendor string. Other
 7045   scripts can now do the same thing using the
 7046   datafiles.parse_mac_prefixes function. [Thomas Buchanan]
 7047 
 7048 o Remove the PYTHONPATH and PYTHONHOME variables from the environment
 7049   before executing a sub-ndiff if they exist and if Zenmap is running
 7050   in a py2app bundle. These variables are set by py2app to point
 7051   inside our application bundle. Having them set in the environment
 7052   makes Ndiff use the same settings because it is also a Python
 7053   application. Deleting the variables is somewhat wrong, because the
 7054   user may have set those outside of Zenmap expecting them to be used
 7055   with their system-installed Python programs. But this is at least no
 7056   worse than before our build system update, because previously py2app
 7057   was stomping on the variables anyway. [David]
 7058 
 7059 o [Ncat] Fixed a segmentation fault caused by access to freed memory.
 7060   It could be triggered by making multiple connections to a server
 7061   that was constantly sending in SSL mode, such as:
 7062     ncat -l -k --ssl < /dev/zero
 7063   This bug was reported by Mak Kolybabi. [David]
 7064 
 7065 o [NSE] Moved the smtp-open-relay.nse script out of the "demo"
 7066   category after improvements by Duarte Silva. We have now met the
 7067   goal of removing all scripts from that category.
 7068 
 7069 o [NSE] Fixed a bug which prevented smb-brute from properly detecting
 7070   account lockouts, which could lead to lockouts of many accounts on
 7071   the target machine. Now smb-brute tries to check the lockout policy
 7072   before starting and refuses to run (unless you force it to with the
 7073   smblockout variable) if lockouts are enabled or if it locks out an
 7074   account. [Ron]
 7075 
 7076 o [NSE] Rewrote smb-enum-domains to be more generalized and rely on
 7077   library functions which will eventually be shared with
 7078   smb-brute. [Ron]
 7079 
 7080 o Qualified an assertion to allow zero-byte sends in Nsock. Without
 7081   this, an NSE script could cause this assertion failure by doing
 7082   socket:send(""):
 7083     nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
 7084   [David]
 7085 
 7086 o Added a service probe for Logitech SqueezeCenter command line interface
 7087   [Patrik]
 7088 
 7089 o Improved PostgreSQL match lines by matching the line of the error to a
 7090   specific version [Patrik].
 7091 
 7092 o Added a mac_addr_next_hop member to the host tables used in NSE for
 7093   scripts which need to know the MAC address of the next hop router
 7094   for reaching a target host. [Michael Pattrick, KX].
 7095 
 7096 o Removed the nmap_service.exe helper program for smb-psexec, as it
 7097   was still being flagged by malware detection even after the
 7098   bit-flipping in the previous release. In fact, the obfuscation backfired
 7099   and caused more false positives! You can now download it from
 7100   https://nmap.org/psexec/nmap_service.exe. (The script will remind you
 7101   if it is not installed.)
 7102 
 7103 o Added service probes and UDP payloads for games based on the Quake 2
 7104   and Quake 3 engine, submitted by Mak Kolybabi.
 7105 
 7106 o [Ncat] Added support for HTTP digest authentication of proxies, as
 7107   both client and server. Previously only the less secure basic
 7108   authentication method was supported. [Venkat, David]
 7109 
 7110 o Improved the MIT Kerberos version detection signatures. [Matt Selsky]
 7111 
 7112 o [Ndiff] Show a nicer error message when an input file can't be
 7113   loaded. Suggested by Derril Lucci, who also contributed a patch.
 7114 
 7115 o [NSE] Added a new library afp.lua which handles the Apple Filing
 7116   Protocol (AFP) filesharing system. The library handles
 7117   authentication and many other protocol features, and enables the new
 7118   afp-path-vuln, afp-brute, and afp-showmount scripts. [Patrik]
 7119 
 7120 o Added an Apple Filing Protocol service probe that detects Netatalk
 7121   servers. (Apple's AFP servers are coincidentally triggered by the
 7122   SSLSessionReq probe.) [Patrik Karlsson]
 7123 
 7124 o [NSE] Fixed packet.lua so that functions used to set packet header
 7125   fields (e.g. ip_set_ttl) also set the appropriate variables used to
 7126   access the data (e.g. ip_ttl). [Kris]
 7127 
 7128 o Updated and corrected IANA assignment IP list for random IP (-iR)
 7129   generation.  Now even 001/8 has been allocated. [Kris]
 7130 
 7131 Nmap 5.21 [2010-01-27]
 7132 
 7133 o [Zenmap] Added a workaround for a Ubuntu Python packaging idiosyncrasy.
 7134   As of version python2.6-2.6.4-0ubuntu3, Ubuntu's distutils modifies
 7135   self.prefix, a variable we use in the setup.py script. This would
 7136   cause Zenmap to look in the wrong place for its configuration files,
 7137   and show the dialog "Error creating the per-user configuration
 7138   directory" with the specific error "[Errno 2] No such file or
 7139   directory: '/usr/share/zenmap/config'". This problem was reported by
 7140   Chris Clements, who also helped debug. [David]
 7141 
 7142 o Fixed an error that occurred when UDP scan was combined with version
 7143   scan. UDP ports would appear in the state "unknown" at the end of
 7144   the scan, and in some cases an assertion failure would be raised.
 7145   This was an unintended side effect of the memory use reduction
 7146   changes in 5.20. The bug was reported by Jon Kibler. [David]
 7147 
 7148 o [NSE] Did some simple bit-flipping on the nmap_service.exe program
 7149   used by the smb-psexec script, to avoid its being falsely detected
 7150   as malware. [Ron]
 7151 
 7152 o [NSE] Fixed a bug in http.lua that could lead to an assertion
 7153   failure. It happened when there was an error getting a response
 7154   at the beginning of a batch in http.pipeline. The symptoms of the
 7155   bug were:
 7156     NSE: Received only 0 of 1 expected reponses.
 7157     Decreasing max pipelined requests to 0.
 7158     NSOCK (0.1870s) Write request for 0 bytes...
 7159     nmap: nsock_core.c:516: handle_write_result: Assertion `bytesleft > 0' failed.
 7160   The error was reported by Brandon Enright and pyllyukko.
 7161 
 7162 o [NSE] Restored the ability of http.head to return a body if the
 7163   server returns one. This was lost in the http.lua overhaul from
 7164   5.20. [David]
 7165 
 7166 o [NSE] Fixed the use of our strict.lua library on distributions that
 7167   install their own strict.lua. The error message was
 7168     nse_main.lua:97: attempt to call a boolean value
 7169   It was reported by Onur K. [Patrick]
 7170 
 7171 o Fixed handling of nameserver entries in /etc/resolv.conf so it could
 7172   handle entries containing more than 16 bytes, which can occur with
 7173   IPv6 addresses.  Gunnar Lindberg reported the problem and
 7174   contributed an initial patch, then Brandon and Kris refined and
 7175   implemented it.
 7176 
 7177 o [NSE] Corrected a behavior change in http.request that was
 7178   accidentally made in 5.20: it could return nil instead of a table
 7179   indicating failure. [David]
 7180 
 7181 o [NSE] Fixed the use of an undefined variable in smb-enum-sessions,
 7182   reported by Brandon. [Ron]
 7183 
 7184 o Fixed a compiler error when --without-liblua is used. [Brandon]
 7185 
 7186 o [NSE] Fixed an error with running http-enum.nse along with the
 7187   --datadir option. The script would report the error
 7188     http-enum.nse:198: bad argument #1 to 'lines'
 7189       (nselib/data/http-fingerprints: No such file or directory)
 7190   The error was reported by Ron Meldau and Brandon. [Kris]
 7191 
 7192 o Added a function that was missing from http-favicon.nse. Its absence
 7193   would cause the error
 7194     http-favicon.nse:141: variable 'dirname' is not declared
 7195   when a web page specified a relative icon URL through the link
 7196   element. This bug was reported by Ron Meldau. [David]
 7197 
 7198 o Fixed a bug with the decoding of SNMP OID component values greater
 7199   than 127. [Patrik Karlsson, David]
 7200 
 7201 Nmap 5.20 [2010-01-20]
 7202 
 7203 o Dramatically improved the version detection database, integrating
 7204   2,596 submissions that users contributed since February 3, 2009!
 7205   More than a thousand signatures were added, bringing the total to
 7206   8,501. Many existing signatures were improved as well. Please keep
 7207   those submissions and corrections coming! Nmap prints a submission
 7208   URL and fingerprint when it receives responses it can't yet
 7209   interpret.
 7210 
 7211 o [NSE] Added a new script, oracle-sid-brute, which queries the Oracle
 7212   TNS-listener for default instance/sid names. The SID enumeration
 7213   list was prepared by Red Database security. See
 7214   https://nmap.org/nsedoc/scripts/oracle-sid-brute.html . [Patrik
 7215   Karlsson]
 7216 
 7217 o [Ncat] The --ssl, --output, and --hex-dump options now work with
 7218   --exec and --sh-exec. Among other things, this allows you to make a
 7219   program's I/O available over the network wrapped in SSL encryption
 7220   for security.  It is implemented by forking a separate process to
 7221   handle network communications and relay the data to the
 7222   sub-process. [Venkat, David]
 7223 
 7224 o Nmap now tries to start the WinPcap NPF service on Windows if it is not
 7225   already running. This is rare, since our WinPcap installer starts
 7226   NPF running at system boot time by default. Because starting NPF
 7227   requires administrator privileges, a UAC dialog for net.exe may
 7228   appear on Windows Vista and Windows 7 before NPF is loaded.  Once
 7229   NPF is loaded, it generally stays loaded until you reboot or run
 7230   "net stop npf". [David, Michael Pattrick]
 7231 
 7232 o The Nmap Windows installer and our WinPcap installer now have an
 7233   option /NPFSTARTUP=NO, which inhibits the installer from setting the
 7234   WinPcap NPF service to start at system startup and at install-time.
 7235   This option only affects silent mode (/S) because existing GUI
 7236   checkboxes allow you to configure this behavior during interactive
 7237   installation. [David]
 7238 
 7239 o [NSE] Replaced our runlevel system for managing the order of script
 7240   execution with a much more powerful dependency system. This allows
 7241   scripts to specify which other scripts they depend on (e.g. a brute
 7242   force authentication script might depend on username enumeration
 7243   scripts) and NSE manages the order. Dependencies only enforce
 7244   ordering, they cannot pull in scripts which the user didn't
 7245   specify. See
 7246   https://nmap.org/book/nse-script-format.html#nse-format-dependencies
 7247   [Patrick]
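
The ordering rule in this entry, as an added Python illustration (NSE's real scheduler lives in its Lua runtime; this is not that code). Each script's `dependencies` list is reduced to the scripts the user actually selected, then a depth-first topological sort orders them; an unselected dependency is dropped rather than pulled in, and a cycle is reported as an error. The script names and dependency lists are constructed for the example.

```python
from typing import Dict, List, Set


class DependencyCycle(Exception):
    """Raised when selected scripts depend on each other in a loop."""


def order_scripts(selected: List[str], deps: Dict[str, List[str]]) -> List[str]:
    """Return `selected` in an order that satisfies every in-set dependency.

    deps maps a script name to the names it declares in its `dependencies`
    field. A declared dependency that the user did not select is ignored
    rather than pulled in, which is the rule the changelog entry states.
    Ties are broken alphabetically so the result is deterministic.
    """
    chosen: Set[str] = set(selected)
    graph: Dict[str, List[str]] = {
        s: sorted(d for d in deps.get(s, []) if d in chosen and d != s) for s in chosen
    }
    ordered: List[str] = []
    state: Dict[str, int] = {}   # 1 = on the current path, 2 = finished

    def visit(script: str) -> None:
        mark = state.get(script, 0)
        if mark == 2:
            return
        if mark == 1:
            raise DependencyCycle(script)
        state[script] = 1
        for dep in graph[script]:
            visit(dep)
        state[script] = 2
        ordered.append(script)

    for script in sorted(chosen):
        visit(script)
    return ordered


def check_order(ordered: List[str], deps: Dict[str, List[str]]) -> bool:
    """True if every selected dependency appears before the script that needs it."""
    position = {name: i for i, name in enumerate(ordered)}
    return all(
        position[d] < position[s]
        for s in ordered
        for d in deps.get(s, [])
        if d in position
    )


# Constructed script names and dependency lists for the example.
EXAMPLE_DEPS: Dict[str, List[str]] = {
    "x-brute": ["x-enum-users"],
    "x-enum-users": ["x-version"],
    "x-version": [],
    "x-unrelated": [],
}

if __name__ == "__main__":
    print(order_scripts(["x-brute", "x-enum-users", "x-version", "x-unrelated"], EXAMPLE_DEPS))
    print(order_scripts(["x-brute"], EXAMPLE_DEPS))   # x-enum-users is not pulled in
```

Selecting only `x-brute` yields `["x-brute"]`: its dependency exists in the table but was not requested, so it neither runs nor blocks the selected script.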
 7248 
 7249 o [Ncat] For compatibility with Hobbit's original Netcat, the -p
 7250   option now works to set the listening port number in listen mode.
 7251   So "ncat -l 123" can now be expressed as "ncat -l -p 123"
 7252   too. [David]
 7253 
 7254 o A new script argument, http.useragent, lets you modify
 7255   the User-Agent header sent by NSE from its default of "Mozilla/5.0
 7256   (compatible; Nmap Scripting Engine; https://nmap.org/book/nse.html)".
 7257   Set it to the empty string to disable the User-Agent
 7258   entirely. [David, Tom Sellers, Jah]
 7259 
 7260 o [Zenmap] The locale setting had been taken from the Windows locale,
 7261   which inadvertently made setting the locale with the LANG
 7262   environment variable stop working. Now the LANG variable is examined
 7263   first, and if that is not present, the system-wide setting is
 7264   used. This change allows users to keep Zenmap in its original
 7265   English (or any of Zenmap's other languages) even if their system is
 7266   set to use a different locale.  [David]
 7267 
 7268 o [NSE] The http-favicon script is now better at finding "link
 7269   rel=icon" tags in pages, and uses that icon in preference to
 7270   /favicon.ico if found. If the favicon.uri script arg is given, only
 7271   that is tried.  Meanwhile, a giant (10 million web servers) favicon
 7272   scan by Brandon allowed us to add about 40 more of the most popular
 7273   icons to the DB. [David, Brandon]
 7274 
 7275 o [NSE] smb-psexec now works against Windows XP (as well as
 7276   already-supported Win2K and Windows 2003). The solution involved
 7277   changing the seemingly irrelevant PID field in the SMB packet. See
 7278   http://seclists.org/nmap-dev/2010/q1/13. [Ron]
 7279 
 7280 o [NSE] Fixed a bug which kept the nselib/data/psexec subdirectory out
 7281   of the Windows packages. We needed to add the /s and /e options to
 7282   xcopy in our Visual C++ project file. [David]
 7283 
 7284 o [NSE] Overhauled our http library to centralize HTTP parsing and
 7285   make it more robust. The biggest user-visible change is that
 7286   http.request goes back to returning a parsed result table rather than raw
 7287   HTTP data. Also the http.pipeline function no longer accepts the
 7288   no-longer-used "raw" option. [David]
 7289 
 7290 o Fixed a bug in traceroute that could lead to a crash:
 7291     terminate called after throwing an instance of 'std::out_of_range'
 7292       what():  bitset::test
 7293   It happened when the preliminary distance guess for a target was
 7294   greater than 30, the size of an internal data structure. David and
 7295   Brandon tracked down the problem.
 7296 
 7297 o Fixed compilation of libdnet-stripped on platforms that don't have
 7298   socklen_t. [Michael Pattrick]
 7299 
 7300 o Added a service probe and match lines for the Logitech/SlimDevices
 7301   SqueezeCenter music server. [Patrik Karlsson]
 7302 
 7303 o Fixed the RTSPRequest version probe, which was accidentally modified
 7304   to say "RTSP/2.0" rather than "RTSP/1.0" in 5.10BETA2. [Matt Selsky]
 7305 
 7306 o [NSE] Our http library no longer allows cached responses from a GET
 7307   request to be returned for a HEAD request. This could cause problems
 7308   with at least the http-enum script. [David]
 7309 
 7310 o Fixed a bug in the WinPcap installer: If the "Start the WinPcap
 7311   service 'NPF' at startup" box was unchecked and the "Start the
 7312   WinPcap service 'NPF' now" box was checked, the second checkbox
 7313   would be ignored (the service would not be started now). [Rob
 7314   Nicholls]
 7315 
 7316 Nmap 5.10BETA2 [2009-12-24]
 7317 
 7318 o Added 7 new NSE scripts for a grand total of 79! You can learn about
 7319   them all at https://nmap.org/nsedoc/.  Here are the new ones:
 7320 
 7321   * nfs-showmount displays NFS exports like "showmount -e" does. See
 7322     https://nmap.org/nsedoc/scripts/nfs-showmount.html . [Patrik
 7323     Karlsson]
 7324 
 7325   * ntp-info prints the time and configuration variables provided by
 7326     an NTP service. It may get such interesting information as the
 7327     operating system, server build date, and upstream time server IP
 7328     address. See
 7329     https://nmap.org/nsedoc/scripts/ntp-info.html . [Richard Sammet]
 7330 
 7331   * citrix-brute-xml uses the unpwdb library to guess credentials for
 7332     the Citrix PN Web Agent Service. See
 7333     https://nmap.org/nsedoc/scripts/citrix-brute-xml.html . [Patrik Karlsson]
 7334 
 7335   * citrix-enum-apps and citrix-enum-apps-xml print a list of published
 7336     applications from the Citrix ICA Browser or XML service,
 7337     respectively. See
 7338     https://nmap.org/nsedoc/scripts/citrix-enum-apps.html and
 7339     https://nmap.org/nsedoc/scripts/citrix-enum-apps-xml.html . [Patrik Karlsson]
 7340 
 7341   * citrix-enum-servers and citrix-enum-servers-xml print a list
 7342     of Citrix servers from the Citrix ICA Browser or XML service,
 7343     respectively. See
 7344     https://nmap.org/nsedoc/scripts/citrix-enum-servers.html and
 7345     https://nmap.org/nsedoc/scripts/citrix-enum-servers-xml.html . [Patrik
 7346     Karlsson]
 7347 
 7348 o We performed a memory consumption audit and made changes to
 7349   dramatically reduce Nmap's footprint.  This improves performance on
 7350   all systems, but is particularly important when running Nmap on
 7351   small embedded devices such as phones.  Our intensive UDP scan
 7352   benchmark saw peak memory usage decrease from 34MB to 6MB, while OS
 7353   detection consumption was reduced from 67MB to 3MB.  Read about the
 7354   changes at http://seclists.org/nmap-dev/2009/q4/663.  Here are the
 7355   highlights:
 7356 
 7357   * The size of the internal representation of nmap-os-db was reduced
 7358     more than 90%. Peak memory consumption in our OS detection
 7359     benchmark was reduced from 67MB to 3MB. [David]
 7360 
 7361   * The size of individual Port structures without service scan
 7362     results was reduced about 70%. [Pavel Kankovsky]
 7363 
 7364   * When a port receives no response, Nmap now avoids allocating a
 7365     Port structure at all, so scans against filtered hosts can be
 7366     light on memory. [David]
 7367 
 7368 o David started a major service detection submission integration
 7369   run. So far he has processed submissions since February for the
 7370   following services: imap, pop3, afp, sip, printer, transmission,
 7371   svnserve, vmware, domain, backdoor, finger, freeciv, hp, imaps, irc,
 7372   landesk, netbios-ssn, netsupport, nntp, oracle, radmin, routersetup,
 7373   rtorrent, serv-u, shoutcast, ssh, tcpmux, torrent, utorrent, vnc and
 7374   ipp. The rest will come in the next release, along with full stats
 7375   on the additions.
 7376 
 7377 o Added service detection probe for Kerberos (udp/88) and IBM DB2
 7378   DAS (523/UDP). [Patrik Karlsson]
 7379 
 7380 o Added a UDP payload and service detection probe for Citrix
 7381   MetaFrame, which typically runs on 1604/udp. [Thomas Buchanan]
 7382 
 7383 o Added a UDP SIPOptions service detection probe corresponding to the
 7384   TCP one. [Patrik Karlsson, Matt Selsky, David Fifield]
 7385 
 7386 o Updated service detection signatures for Microsoft SQL Server 2005
 7387   to detect recent Microsoft security update (MS09-062), and also
 7388   updated ms-sql-info.nse to support MS SQL Server 2008
 7389   detection. [Tom]
 7390 
 7391 o Nmap now provides Christmas greetings and a reminder of Xmas scan
 7392   (-sX) when run in verbose mode on December 25. [Fyodor]
 7393 
 7394 o Removed a limitation of snmp.lua which only allowed it to properly
 7395   encode OID component values up to 127. The bug was reported by
 7396   Victor Rudnev. [David]
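The limit this entry removes comes from BER's base-128 sub-identifier encoding, where any OID component above 127 needs continuation bytes. The following is an added example, not snmp.lua's code; encode_oid_naive is an assumed reconstruction of the single-byte behaviour described above, not the actual pre-fix code.

```python
# Added example (not snmp.lua): BER encoding of an OBJECT IDENTIFIER per
# X.690 8.19, where each sub-identifier is base-128 with a continuation bit.
from typing import List


def _encode_subid(value: int) -> bytes:
    """Encode one sub-identifier: 7 bits per byte, high bit set on every
    byte except the last. Values up to 127 fit in one byte; anything larger
    needs two or more, which is the case a one-byte encoder gets wrong."""
    if value < 0:
        raise ValueError("OID sub-identifiers must be non-negative")
    out = bytearray([value & 0x7F])
    value >>= 7
    while value:
        out.insert(0, 0x80 | (value & 0x7F))
        value >>= 7
    return bytes(out)


def _encode_length(n: int) -> bytes:
    """BER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def encode_oid(oid: str) -> bytes:
    """Encode a dotted OID such as '1.3.6.1.2.1.1.1.0' as a BER TLV
    (tag 0x06, length, contents). The first two arcs are packed into a
    single sub-identifier as 40 * first + second."""
    comps = [int(c) for c in oid.strip(".").split(".")]
    if len(comps) < 2 or comps[0] > 2 or (comps[0] < 2 and comps[1] > 39):
        raise ValueError(f"invalid OID: {oid}")
    body = _encode_subid(comps[0] * 40 + comps[1])
    for c in comps[2:]:
        body += _encode_subid(c)
    return b"\x06" + _encode_length(len(body)) + body


def encode_oid_naive(oid: str) -> bytes:
    """Assumed reconstruction of the pre-fix behaviour (not the real old
    snmp.lua code): one byte per component, so a value above 127 is
    truncated to its low 8 bits and may even set the continuation bit."""
    comps = [int(c) for c in oid.strip(".").split(".")]
    body = bytes([(comps[0] * 40 + comps[1]) & 0xFF])
    body += bytes(c & 0xFF for c in comps[2:])
    return b"\x06" + bytes([len(body)]) + body


def decode_oid(der: bytes) -> str:
    """Decode a BER OID TLV back to dotted form: a round-trip check, and a
    way to see what a receiver makes of the naive encoding."""
    if len(der) < 2 or der[0] != 0x06:
        raise ValueError("not an OID TLV")
    length, pos = der[1], 2
    if length & 0x80:  # long-form length
        nbytes = length & 0x7F
        length = int.from_bytes(der[2:2 + nbytes], "big")
        pos = 2 + nbytes
    body = der[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated OID contents")
    subids: List[int] = []
    acc, pending = 0, False
    for b in body:
        acc = (acc << 7) | (b & 0x7F)
        pending = bool(b & 0x80)
        if not pending:
            subids.append(acc)
            acc = 0
    if pending or not subids:
        raise ValueError("malformed sub-identifier sequence")
    first = subids[0]
    if first < 40:
        lead = [0, first]
    elif first < 80:
        lead = [1, first - 40]
    else:
        lead = [2, first - 80]
    return ".".join(str(c) for c in lead + subids[1:])


if __name__ == "__main__":
    # Constructed OIDs: sysDescr.0, a Microsoft enterprise arc (311 > 127),
    # and a UCD-SNMP arc (2021 > 127).
    for oid in ("1.3.6.1.2.1.1.1.0", "1.3.6.1.4.1.311", "1.3.6.1.4.1.2021.10.1.3.1"):
        print(oid, encode_oid(oid).hex(), "naive:", encode_oid_naive(oid).hex())
```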
 7397 
 7398 o Nmap script output now uses two spaces of indentation rather than
 7399   three for the first level. This better aligns with the standard set by
 7400   the stdnse.format_output function added in the last release. Output
 7401   now looks like:
 7402   8082/tcp open  http        Apache httpd 2.2.13 ((Fedora))
 7403   |_http-favicon: Apache Web Server (seen on SuSE, Linux Tux favicon)
 7404   |_html-title: Nmap - Free Security Scanner For Network Exploration & Securit...
 7405   ...
 7406   Host script results:
 7407   | smb-os-discovery:
 7408   |   OS: Unix (Samba 3.4.2-0.42.fc11)
 7409   |   Name: Unknown\Unknown
 7410   |_  System time: 2009-11-24 17:19:21 UTC-8
 7411   |_smbv2-enabled: Server doesn't support SMBv2 protocol
 7412   [Fyodor]
 7413 
 7414 o [NSE] Fixed (we hope) a deadlock we were seeing when doing a
 7415   favicon.nse survey against millions of hosts. We now restore all
 7416   threads that are waiting on a socket lock when a thread relinquishes
 7417   its lock. We expect only one of them to be able to grab the newly
 7418   freed lock, and the rest to go back to waiting. [David, Patrick]
 7419 
 7420 o [Zenmap] Fixed a crash when filtering with inroute: in scans without
 7421   traceroute data. (KeyError: 'hops') [David]
 7422 
 7423 o [NSE] Use a looser match pattern in auth-owners.nse for retrieving
 7424   the owner out of an identd response. See
 7425   http://seclists.org/nmap-dev/2009/q4/549. [Richard Sammet]
 7426 
 7427 o Improved some Cyrus pop3 and Polycom SoundStation sip match
 7428   lines. [Matt Selsky]
 7429 
 7430 o [Ncat] In the Windows version of netrun, we weren't noticing when a
 7431   command fails to be executed (when CreateProcess fails). We now see
 7432   the return value and close the socket to disconnect the
 7433   client. [David]
 7434 
 7435 o [NSE] Updated http-iis-webdav-vuln to run against SSL-enabled
 7436   servers [Ron]
 7437 
 7438 o [NSE] Improved db2-info to set port product and state (rather than
 7439   just port.version.name and confidence) when a DB2 service is
 7440   positively identified. Error reporting was improved as well. [Tom]
 7441 
 7442 Nmap 5.10BETA1 [2009-11-23]
 7443 
 7444 o Added 14 new NSE scripts for a grand total of 72! You can learn
 7445   about them all at https://nmap.org/nsedoc/. Here are the new ones:
 7446 
 7447   + smb-psexec implements remote process execution similar to the
 7448     Sysinternals' psexec tool (or Metasploit's psexec "exploit"),
 7449     allowing a user to run a series of programs on a remote machine
 7450     and read the output. This is great for gathering information about
 7451     servers, running the same tool on a range of systems, or even
 7452     installing a backdoor on a collection of computers. See
 7453     https://nmap.org/nsedoc/scripts/smb-psexec.html [Ron]
 7454 
 7455   + dhcp-discover sends out DHCP probes on UDP/67 and displays all
 7456     interesting results (or, with verbosity, all results).
 7457     Optionally, multiple probes can be sent and the MAC address can be
 7458     randomized in an attempt to exhaust the DHCP server's address pool
 7459     and potentially create a denial of service condition. See
 7460     https://nmap.org/nsedoc/scripts/dhcp-discover.html . [Ron]
 7461 
 7462   + http-enum enumerates URLs used by popular web applications and
 7463     servers and reports which ones exist on a target web server. See
 7464     https://nmap.org/nsedoc/scripts/http-enum.html . [Ron, Andrew Orr,
 7465     Rob Nicholls]
 7466 
 7467   + ssl-cert retrieves and prints a target server's SSL
 7468     certificate. See
 7469     https://nmap.org/nsedoc/scripts/ssl-cert.html . [David]
 7470 
 7471   + x11-access checks whether access to an X11 server is allowed (as
 7472     with "xhost +" for example). See
 7473     https://nmap.org/nsedoc/scripts/x11-access.html . [jlanthea]
 7474 
 7475   + db2-info enhances DB2 database instance detection. It provides
 7476     detection when version probes fail, but will default to the
 7477     version detection probe value if that is more precise. It also
 7478     detects the server platform and database instance name. The DB2
 7479     version detection port ranges were broadened to 50000-50025 and
 7480     60000-60025 as well. [Tom]
 7481 
 7482   + smbv2-enabled checks if the smbv2 protocol is enabled on target
 7483     servers. SMBv2 has already suffered from at least one major
 7484     security vulnerability. See
 7485     https://nmap.org/nsedoc/scripts/smbv2-enabled.html . [Ron]
 7486 
 7487   + http-favicon obtains the favicon file (/favicon.ico or whatever is
 7488     specified by the HTML link tag) and tries to identify its source
 7489     (such as a certain web application) using a database lookup. See
 7490     https://nmap.org/nsedoc/scripts/http-favicon.html . [Vladz]
 7491 
 7492   + http-date obtains the Date: header field value from an HTTP server
 7493     then displays it along with how much it differs from local
 7494     time. See https://nmap.org/nsedoc/scripts/http-date.html . [David]
 7495 
 7496   + http-userdir-enum attempts to enumerate users on a system by
 7497     trying URLs with common usernames in the Apache mod_userdir format
 7498     (e.g. http://target-server.com/~john). See
 7499     https://nmap.org/nsedoc/scripts/http-userdir-enum.html . [Jah]
 7500 
 7501   + pjl-ready-message allows viewing and setting the status message on
 7502     printers which support the Printer Job Language (many HP printers
 7503     do). See https://nmap.org/nsedoc/scripts/pjl-ready-message.html .
 7504     [Aaron Leininger]
 7505 
 7506   + http-headers performs a GET request for the root folder ("/") of a
 7507     web server and displays the HTTP headers returned. See
 7508     https://nmap.org/nsedoc/scripts/http-headers.html . [Ron]
 7509 
 7510   + http-malware-host is designed to discover hosts that are serving
 7511     malware (perhaps because they were compromised), but so far it
 7512     only checks for one specific attack. See
 7513     https://nmap.org/nsedoc/scripts/http-malware-host.html . [Ron]
 7514 
 7515   + smb-enum-groups displays a list of groups on the remote system
 7516     along with their membership (like enum.exe -G). See
 7517     https://nmap.org/nsedoc/scripts/smb-enum-users.html [Ron]
 7518 
 7519 o Nmap's --traceroute has been rewritten for better performance.
 7520   Probes are sent in parallel to individual hosts, not just across all
 7521   hosts as before. Trace consolidation is more sophisticated, allowing
 7522   common traces to be identified sooner and fewer probes to be sent.
 7523   The older traceroute could be very slow (taking minutes per target)
 7524   if the target did not respond to the trace probes, and this new
 7525   traceroute avoids that. In a trace of 110 hosts in a /24 over the
 7526   Internet, the number of probes sent dropped 50% from 1565 to 743,
 7527   and the time taken dropped 92% from 95 seconds to 7.6
 7528   seconds. Traceroute now uses an ICMP echo request probe if no
 7529   working probes against the target were discovered during
 7530   scanning. [David]
 7531 
 7532 o [Zenmap] After performing or loading a scan, you can now filter
 7533   results to just the hosts you are interested in by pressing Ctrl+L
 7534   (or the "Filter Hosts" button) to open the host filtering interface.
 7535   This makes it easy to select just Linux hosts, or those running a
 7536   certain version of Apache, or whatever interests you. You can easily
 7537   modify the filter or remove it to see the whole scan again. See
 7538   https://nmap.org/book/zenmap-filter.html . [Josh Marlow]
 7539 
 7540 o For some UDP ports, Nmap will now send a protocol-specific payload
 7541   that is more likely to get a response than an empty packet is. This
 7542   improves the effectiveness of probes to those ports for host
 7543   discovery, and also makes an open port more likely to be classified
 7544   open rather than open|filtered. The ports and payloads are defined
 7545   in payload.cc. The ports that have a payload are 7 (echo),
 7546   53 (domain), 111 (rpcbind), 123 (ntp), 137 (netbios-ns), 161 (snmp),
 7547   177 (xdmcp), 500 (isakmp), 520 (route), 1645 and 1812 (radius),
 7548   2049 (nfs), 5353 (zeroconf), and 10080 (amanda). [David]
 7549 
 7550 o Integrated 1,349 fingerprints (and 81 corrections) submitted by Nmap
 7551   users! They resulted in 342 new fingerprints (a 17% increase),
 7552   including Google's Android Linux system for smart phones, Mac OS X
 7553     10.6 (Snow Leopard), the Chumby, and a slew of printers, broadband
 7554   routers, and other devices (40 new vendors). See
 7555   http://seclists.org/nmap-dev/2009/q4/416 [David]
 7556 
 7557 o [NSE] For all the services which are commonly tunneled over SSL
 7558   (pop3, http, imap, irc, smtp, etc.), we audited the scripts to
 7559   ensure they can support that tunneling. The comm.tryssl function
 7560   was added for easy SSL detection. See
 7561   https://nmap.org/nsedoc/lib/comm.html [Joao]
 7562 
 7563 o Nmap now prefers to display the hostname supplied by the user instead
 7564   of the reverse-DNS name in most places. If a reverse DNS record
 7565   exists, and it differs from the user-supplied name, it is printed
 7566   like this:
 7567     Nmap scan report for www.google.com (74.125.53.103)
 7568     rDNS record for 74.125.53.103: pw-in-f103.1e100.net
 7569   And in XML it looks like:
 7570     <hostnames>
 7571       <hostname name="openbsd.org" type="user"/>
 7572       <hostname name="cvs.openbsd.org" type="PTR"/>
 7573     </hostnames>
 7574   Host latency is now printed more often. See
 7575   http://seclists.org/nmap-dev/2009/q4/199 for a summary of other
 7576   output changes. [David]
 7577 
 7578 o Ndiff now shows changes in script (NSE) output for each target
 7579   host (in both text output format and XML). [David]
 7580 
 7581 o We now print output for down hosts, even when doing scanning beyond
 7582   just a ping scan.  This always prints to XML and grepable output,
 7583   and is printed to normal and interactive output in verbose mode. The
 7584   format for printing a down host has changed slightly: "Nmap scan
 7585   report for 1.1.1.1 [host down]" [David]
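The display rule from the hostname entry above (user-supplied name first, a differing PTR on its own "rDNS record" line) and the new "[host down]" form, applied to the XML side of the same output. This is an added example, not Nmap's output code; the sample XML is constructed, and the name-only and case-insensitive comparison details are assumptions.

```python
# Added example: derive the normal-output header for each host from Nmap XML
# <hostnames> and <status> elements, following the rule in the changelog.
import xml.etree.ElementTree as ET
from typing import Dict, List

# Constructed sample shaped like Nmap XML output (not a real scan).
SAMPLE_XML = """<nmaprun>
  <host>
    <status state="up"/>
    <address addr="74.125.53.103" addrtype="ipv4"/>
    <hostnames>
      <hostname name="www.google.com" type="user"/>
      <hostname name="pw-in-f103.1e100.net" type="PTR"/>
    </hostnames>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <hostnames>
      <hostname name="openbsd.org" type="user"/>
      <hostname name="OpenBSD.org" type="PTR"/>
    </hostnames>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.0.2.20" addrtype="ipv4"/>
    <address addr="00:11:22:33:44:55" addrtype="mac"/>
    <hostnames>
      <hostname name="host20.example.net" type="PTR"/>
    </hostnames>
  </host>
  <host>
    <status state="down"/>
    <address addr="1.1.1.1" addrtype="ipv4"/>
    <hostnames/>
  </host>
</nmaprun>"""


def _primary_address(host: ET.Element) -> str:
    """The IP address of the host (MAC addresses are listed too, skip them)."""
    for a in host.findall("address"):
        if a.get("addrtype") in ("ipv4", "ipv6"):
            return a.get("addr", "")
    raise ValueError("host has no IP address element")


def report_header(host: ET.Element) -> List[str]:
    """Header lines for one host: the user-supplied name is preferred over
    the reverse-DNS name, and a differing PTR gets an 'rDNS record' line.
    Hostnames are compared case-insensitively (assumption, DNS is case-
    insensitive); a host with no name is shown by address only (assumption)."""
    addr = _primary_address(host)
    names: Dict[str, str] = {}
    for h in host.findall("hostnames/hostname"):
        names.setdefault(h.get("type", ""), h.get("name", ""))  # first of each type
    user, ptr = names.get("user"), names.get("PTR")
    shown = user or ptr
    target = f"{shown} ({addr})" if shown else addr
    status = host.find("status")
    is_down = status is not None and status.get("state") == "down"
    lines = [f"Nmap scan report for {target}" + (" [host down]" if is_down else "")]
    if user and ptr and user.lower() != ptr.lower():
        lines.append(f"rDNS record for {addr}: {ptr}")
    return lines


def report_headers(xml_text: str) -> List[List[str]]:
    """Header lines for every <host> in an Nmap XML document."""
    root = ET.fromstring(xml_text)
    return [report_header(h) for h in root.findall("host")]


if __name__ == "__main__":
    for block in report_headers(SAMPLE_XML):
        print("\n".join(block))
```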
 7586 
 7587 o [NSE] Default socket parallelism has been doubled from 10 to 20,
 7588   which doubles speed in some situations. See
 7589   http://seclists.org/nmap-dev/2009/q3/161. [Patrick]
 7590 
 7591 o Version detection's maximum socket concurrency has been increased
 7592   from 10-20 based on timing level to 20-40. This can dramatically
 7593   speed up version detection when there are many open ports in a host
 7594   group being scanned. [Fyodor]
 7595 
 7596 o The Nmap source tarball (and RPMs) now include man page
 7597   translations (16 languages so far). Nmap always installs the English
 7598   man page, and installs the translations by default. If you only want
 7599   some of the translations, set the LINGUAS environment variable to
 7600   the language codes you are interested in (e.g. "es de"). You can
 7601   specify the configure option --disable-nls or set LINGUAS to the
 7602   empty string to avoid installation of any man page translations. The
 7603   RPM always installs them. [David]
 7604 
 7605 o [NSE] Added a function for scripts to format their output in a
 7606   consistent way. See
 7607   https://nmap.org/nsedoc/lib/stdnse.html#format_output. [Ron]
 7608 
 7609 o [NSE] Now supports worker threads so that a single script can
 7610   perform multiple network operations concurrently. This patch also
 7611   includes condition variables for synchronization. See
 7612   https://nmap.org/nsedoc/lib/stdnse.html#new_thread,
 7613   https://nmap.org/nsedoc/lib/nmap.html#condvar, and
 7614   http://seclists.org/nmap-dev/2009/q4/294.
 7615 
 7616 o Fixed a problem in which the Nmap installer wrongly reported that
 7617   the Microsoft Visual C++ 2008 Redistributable Package (vcredist.exe)
 7618   failed to install. We had to update a registry key--see
 7619   http://seclists.org/nmap-dev/2009/q3/164. [Jah]
 7620 
 7621 o Added support for connecting to nameservers over IPv6. IPv6 addresses
 7622   can be used in /etc/resolv.conf or with the --dns-servers option. The
 7623   parallel reverse DNS resolver still only supports IPv4 addresses, but
 7624   it can look them up over IPv6. [Ankur Nandwani]
 7625 
 7626 o Zenmap now includes ports in the services view whenever Nmap found
 7627   them "interesting," whatever their state. Previously they were only
 7628   included if the state was "open", "filtered", or "open|filtered",
 7629   which led to confusing behavior when a closed port showed up in the
 7630   Services column but clicking on the service showed no ports in the
 7631   display. [David]
 7632 
 7633 o [Ncat] Now has configure-time ASCII art just like Nmap does:
 7634             .       .
 7635             \`-"'"-'/
 7636              } 6 6 {
 7637             ==. Y ,==
 7638               /^^^\  .
 7639              /     \  )  Ncat: A modern interpretation of classic Netcat
 7640             (  )-(  )/
 7641             -""---""---   /
 7642            /   Ncat    \_/
 7643           (     ____
 7644            \_.=|____E
 7645 
 7646 o [NSE] Added HTTP pipelining support to the HTTP library and to
 7647   the http-enum, http-userdir-enum, and sql-injection.nse
 7648   scripts. Pipelining can increase speed dramatically for scripts
 7649   which make many requests.
 7650 
 7651 o [NSE] The HTTP library now caches responses from http.get or
 7652   http.head so that resources aren't requested multiple times during
 7653   the same Nmap run even if several scripts request them. See
 7654   http://seclists.org/nmap-dev/2009/q3/733. [Patrick]
 7655 
 7656 o [Ncat, Ndiff] The exit codes of these programs now reflect whether
 7657   they succeeded. For Ncat, 0 means the connection was successful, 1
 7658   indicates a network error, and 2 indicates any other error. For
 7659   Ndiff, 0 means the scans were equal, 1 means they were different,
 7660   and 2 indicates a runtime error. [David]
 7661 
 7662 o [Ncat] In verbose mode, Ncat now prints the number of bytes read and
 7663   written after the client connection is terminated. Ncat also now
 7664   prints elapsed time. For example, "Ncat finished: 16 bytes sent, 566
 7665   bytes received in 8.05 seconds." [Venkat]
 7666 
 7667 o [NSE] telnet-brute.nse now uses the unpw database instead of a
 7668   hard coded list. [Ron]
 7669 
 7670 o [NSE] ssl-cert.nse now supports TLS negotiation against SMTP ports
 7671   that support it. [Tom Sellers, David]
 7672 
 7673 o [NSE] Scripts that are listed by name with the --script option now
 7674   have their verbosity level automatically increased by one. Many
 7675   will print negative results ("no infection found") at a higher
 7676   verbosity level. The idea is that if you ask for a script
 7677   specifically, you are more interested in such results.
 7678   [David, Patrick]
 7679 
 7680 o Upgraded our Winpcap installer to use the new WinPcap version 4.1.1.
 7681   A bug which could prevent proper uninstallation of previous versions
 7682   was fixed at the same time. Later we made it set some registry keys
 7683   for compatibility with the official Winpcap project installer (see
 7684   http://seclists.org/nmap-dev/2009/q4/237). [Rob Nicholls]
 7685 
 7686 o [Ncat] Ncat now prints a message like "Connection refused." by
 7687   default when a socket error occurs. This used to require -v, but
 7688   printing no message at all could make a failed connection look like
 7689   success in a case like
 7690     ncat remote < short-file
 7691 
 7692 o Zenmap no longer displays down hosts in the GUI. [Josh]
 7693 
 7694 o The Ndiff man page was dramatically improved with examples and
 7695   sample output. See https://nmap.org/book/ndiff-man.html .
 7696   [David]
 7697 
 7698 o [NSE] At debug level 2 or higher (-d2), Nmap now prints all active
 7699   scripts (running & waiting) and a backtrace whenever a key is
 7700   pressed. This can be quite helpful in debugging deadlocks and other
 7701   script/NSE problems. [Patrick]
 7702 
 7703 o Nmap now allows you to specify --data-length 0, and that is now the
 7704   documented way to disable the new UDP protocol-specific probe
 7705   payload feature. [David]
 7706 
 7707 o Fixed compilation of our libdnet on Debian GNU/kFreeBSD (patch from
 7708   Petr Salinger).
 7709 
 7710 o Our Windows packages are now built on Windows 7, though they are
 7711   32-bit binaries and should continue to work on Win2K and later.
 7712 
 7713 o Fixed a bug that could cause an infinite loop ("Unable to find
 7714   listening socket in get_rpc_results") in RPC scan. The loop would
 7715   happen when scanning a port that sent no responses, and there was at
 7716   least one other port to scan. Thanks to Lionel Cons for reporting
 7717   the problem. [David]
 7718 
 7719 o [NSE] The dns-zone-transfer and whois script argument table syntax has been
 7720   improved so you don't need curly braces.
 7721 
 7722 o [NSE] smb-enum-shares.nse now checks whether or not a share is
 7723   writable by attempting to write a file (and deleting it if it's
 7724   successful).  Significantly cleaned up the code, as well. [Ron]
 7725 
 7726 o The nselib/data directory is now installed. It was not installed
 7727   before because of an error in the Makefile. The scripts that would
 7728   not have worked after installation because they were missing data
 7729   files are http-enum.nse, http-favicon.nse, http-iis-webdav-vuln.nse,
 7730   http-userdir-enum.nse, smb-pwdump.nse, pop3-brute.nse,
 7731   smb-brute.nse, and snmp-brute.nse. [David]
 7732 
 7733 o Upgraded the included libpcap to 1.0.0. [David]
 7734 
 7735 o Optimize MAC address prefix lookup by using an std::map rather than
 7736   a custom hash table. This increases performance and code simplicity
 7737   at the cost of some extra memory consumption. In one test, this
 7738   reduced the time of a single target ARP ping scan from 0.59 seconds
 7739   to 0.13. [David]
 7740 
 7741 o Added -Pn and -sn as aliases for -PN and -sP, respectively. They
 7742   will eventually become the recommended and documented way to disable
 7743   host discovery (ping scanning) and port scanning. They are more
 7744   consistent and also match the existing -n option for disabling
 7745   reverse DNS resolution. [David]
 7746 
 7747 o Fixed an error in the handling of exclude groups that used IPv4
 7748   ranges. Si Stransky reported the problem and provided a number of
 7749   useful test cases in http://seclists.org/nmap-dev/2009/q4/276. The
 7750   error caused various assertion failures along the lines of
 7751     TargetGroup.cc:465: int
 7752     TargetGroup::get_next_host(sockaddr_storage*, size_t*):
 7753     Assertion `ipsleft > 1' failed.
 7754   [David]
 7755 
 7756 o [NSE] Improved the authentication used by the smb-* scripts. Instead of
 7757   looking in a bunch of places (registry, command-line, etc) for the
 7758   usernames/passwords, a table is kept. This lets us store any number
 7759   of accounts for later use, and remove them if they stop working. This
 7760   also fixes a bug where typing in a password incorrectly would lock
 7761   out an account (since it wouldn't stop trying the account in question).
 7762   [Ron]
 7763 
 7764 o Removed IP ID matching in packet headers returned in ICMP errors.
 7765   This was already the case for some operating systems that are known
 7766   to mangle the IDs of sent IP packets. Requiring such a match could
 7767   occasionally cause valid replies to be ignored. See
 7768   http://seclists.org/nmap-dev/2009/q2/580 for an example of host
 7769   order affecting scan results due to this phenomenon. [David]
 7770 
 7771 o [NSE] The HTTP library now handles chunked transfer decoding more
 7772   robustly. See http://seclists.org/nmap-dev/2009/q3/13 [David]
 7773 
 7774 o [NSE] Unexpected error messages from scripts now include the target
 7775   host and port number. [David]
 7776 
 7777 o [NSE] Fixed many libraries which were inappropriately using global
 7778   variables, meaning that multiple scripts running concurrently could
 7779   overwrite each other's values. NSE now automatically checks for this
 7780   problem at runtime, and we have a static code checker
 7781   (check_globals) available as well. See this whole thread
 7782   http://seclists.org/nmap-dev/2009/q3/70. [Patrick]
 7783 
 7784 o Added some additional matching rules to keep a reply to a SYN probe
 7785   from matching an ACK probe to the same port, or vice versa, in ping
 7786   scans that include both scan types. Such a mismatch could cause an
 7787   ineffective timing ping or traceroute probe to be selected. [David]
 7788 
 7789 o [Zenmap] There is a new command-line option, --confdir, which sets
 7790   the per-user configuration directory. Its value defaults to
 7791   $HOME/.zenmap. This was suggested by Jesse McCoppin. [David]
 7792 
 7793 o Open bpf devices in read/write mode, not read-only, in libdnet on
 7794   BSD. This is to work around a bug in Mac OS X 10.6 that causes
 7795   incoming traffic to become invisible. [David]
 7796 
 7797 o "make install" now removes from the Nmap script directory some
 7798   scripts which only existed in previous versions of Nmap but weren't
 7799   deleted during upgrades. [David]
 7800 
 7801 o [NSE] Added the reconnect_ssl method for sockets. We sometimes need
 7802   to reconnect a socket with SSL because the initial communication on
 7803   the socket is done without SSL. See this thread for more details:
 7804   http://seclists.org/nmap-dev/2009/q4/3 [Patrick, Tom Sellers]
 7805 
 7806 o [Zenmap] Fixed a crash that could occur when entering certain
 7807   characters in the target entry (those whose UTF-8 encoding contains
 7808   a byte that counts as whitespace in the Windows locale):
 7809     File "zenmapGUI\ScanNotebook.pyo", line 184, in _target_entry_changed
 7810     File "zenmapCore\NmapOptions.pyo", line 719, in render_string
 7811     UnicodeDecodeError: 'utf8' codec can't decode byte 0xc3 in position 1:
 7812       unexpected end of data
 7813   For more details on this curious problem, see
 7814   http://seclists.org/nmap-dev/2009/q4/82 [David]
 7815 
 7816 o [NSE] There is a new function, nmap.bind, to set the source address
 7817   of a socket. [David]
 7818 
 7819 o [Nsock] Made it a fatal error instead of silent memory corruption
 7820   when an attempt is made to use a file descriptor whose number is not
 7821   less than FD_SETSIZE. This applies only on non-Windows platforms
 7822   where FD_SETSIZE is a limit on the value of file descriptors as well
 7823   as a limit on the number of descriptors in the set. The error will
 7824   look like
 7825     nsock_core.c:186: Attempt to FD_SET fd 1024, which is not less
 7826     than FD_SETSIZE (1024). Try using a lower parallelism.
 7827   Thanks to Brandon Enright for discovering the problem and much help
 7828   debugging it, and to Jay Fink for submitting an initial patch. [David]
 7829 
 7830 o [Ncat] Fixed proxy connections in connect mode on Windows. Because
 7831   the dup function does not work on Windows, an assertion failure
 7832   would be raised reading
 7833     (fh >= 0 && (unsigned)fd < (unsigned)_nhandle)
 7834   [David]
 7835 
 7836 o [Ncat] Fixed the combination of --max-conns and --exec on Windows.
 7837   The count of connected clients was not decreased when the program
 7838   spawned by --exec finished. With --max-conns 5, for example, no more
 7839   connections would be allowed after the fifth, even if some of the
 7840   earlier ones had ended. Jon Greaves reported the problem and Venkat
 7841   contributed a patch.
 7842 
 7843 o [Ncat] The code that manages the count of connected clients has been
 7844   made robust with respect to signals. The code was contributed by
 7845   Solar Designer.
 7846 
 7847 o The files read by the -iL (input from file) and --excludefile
 7848   options now support comments that start with # and go to the end of
 7849   the line. [Tom Sellers]
 7850 
 7851 o [Zenmap] On Windows, Zenmap no longer uses the cmd.exe shell to run
 7852   Nmap sub-processes. This means that canceling a scan will kill the
 7853   Nmap process as it does on other platforms (previously it would just
 7854   kill the shell). It also means that scanning will work as a
 7855   user whose name contains characters like '&' that are significant to
 7856   the shell.  Mike Crawford and Nick Marsh reported bugs related to
 7857   this. [David]
 7858 
 7859 o [NSE] All scripts (except for those in "version" or "demo"
 7860   categories) are now classified in either the "safe" or "intrusive"
 7861   categories, based on how likely they are to cause problems when run
 7862   against other machines on the network. Those classifications already
 7863   existed, but weren't used consistently. [Fyodor]
 7864 
 7865 o Added a check for an SMBv2 vulnerability (CVE-2009-3103) to
 7866   smb-check-vulns. Due to its nature (it performs a DoS, then checks
 7867   if the system is still online), the script isn't run by default and
 7868   requires a special script-arg to work. [Ron]
 7869 
 7870 o Fixed an integer overflow in uptime calculation which could occur
 7871   when a target with a low TCP timestamp clock frequency uses large
 7872   timestamp values, such that a naive uptime calculation shows a boot
 7873   time before the epoch. Also fixed a printf format specifier mismatch
 7874   that was revealed by the bug. Toby Simmons reported the problem and
 7875   helped with the fix.  [David]
 7876 
 7877 o [NSE] The HTTP library now supports HTTP cookies. [Joao Correa]
 7878 
 7879 o Fixed a compile error on NetBSD. It was
 7880     tcpip.cc:2948: error: pointer of type 'void *' used in arithmetic
 7881   Thanks to Jay Fink for reporting the problem and submitting a patch.
 7882 
 7883 o [Zenmap] If you have any hosts or services selected, they will
 7884   remain selected after aggregating another scan or running a filter
 7885   (as long as they are still up and visible). Previously the selection
 7886   was lost whenever the scan inventory was changed. This is
 7887   particularly important due to the new host filter system. [David]
 7888 
 7889 o [Zenmap] New translation: Russian (contributed by Alexander Khodyrev).
 7890   Updated translations: French and German.
 7891 
 7892 o Nmap now generates IP addresses without duplicates (until you cycle
 7893   through all the allowed IPs) thanks to a new collision-free 32-bit
 7894   number generator in nbase_rnd.c. See
 7895   http://seclists.org/nmap-dev/2009/q3/695 [Brandon]
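One way to get the collision-free property this entry describes, as an added example that is not nbase_rnd.c's code: a full-period linear congruential generator over 2^bits visits every value exactly once, and cycle-walking (skipping out-of-range outputs) extends that to ranges that are not a power of two. The LCG choice and the cycle-walking step are this example's assumptions, not the technique Nmap uses.

```python
# Added example (not nbase_rnd.c): visit every address of a range exactly
# once in pseudo-random order using a full-period LCG plus cycle-walking.
import ipaddress
from typing import Iterator


class FullPeriodLCG:
    """x_{n+1} = (a * x_n + c) mod 2^bits. With c odd and a - 1 divisible by
    4 the Hull-Dobell conditions hold, so the period is exactly 2^bits: each
    value in [0, 2^bits) appears once before the first repeat. It is not a
    CSPRNG and its statistical quality is poor; uniqueness is the only
    property used here."""

    A = 1664525      # a - 1 = 1664524 = 4 * 416131
    C = 1013904223   # odd

    def __init__(self, bits: int = 32, seed: int = 0) -> None:
        if not 1 <= bits <= 32:
            raise ValueError("bits must be in 1..32")
        self.mask = (1 << bits) - 1
        self.state = seed & self.mask

    def next(self) -> int:
        self.state = (self.A * self.state + self.C) & self.mask
        return self.state


def shuffled_offsets(n: int, seed: int = 0) -> Iterator[int]:
    """Yield 0 .. n-1, each exactly once, in LCG order. The generator runs
    over the smallest power of two >= n and out-of-range values are
    discarded (cycle-walking), which preserves the no-duplicates guarantee
    for ranges such as 10.0.0.1-10 that are not a power of two in size."""
    if n <= 0:
        return
    bits = max(1, (n - 1).bit_length())
    gen = FullPeriodLCG(bits, seed)
    emitted = 0
    while emitted < n:
        off = gen.next()
        if off < n:
            emitted += 1
            yield off


def shuffled_addresses(first: str, last: str, seed: int = 0) -> Iterator[str]:
    """Every address from `first` to `last` inclusive, each exactly once."""
    lo_addr, hi_addr = ipaddress.ip_address(first), ipaddress.ip_address(last)
    if lo_addr.version != hi_addr.version:
        raise ValueError("range endpoints must be the same IP version")
    lo, hi = int(lo_addr), int(hi_addr)
    if hi < lo:
        raise ValueError("range end precedes range start")
    addr_cls = type(lo_addr)  # keep IPv6 ranges from collapsing to IPv4
    for off in shuffled_offsets(hi - lo + 1, seed):
        yield str(addr_cls(lo + off))


if __name__ == "__main__":
    # Constructed range: ten addresses, emitted once each in shuffled order.
    print(list(shuffled_addresses("10.0.0.1", "10.0.0.10", seed=7)))
```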
 7896 
 7897 o There is a new OS detection pseudo-test, SCAN.DC, which records how
 7898   the network distance in SCAN.DS was calculated. Its value can be "L"
 7899   for localhost, "D" for a direct connection, "I" for an ICMP TTL
 7900   calculation, and "T" for a traceroute hop count. This is mainly for
 7901   the benefit of OS integration, when it is sometimes important to
 7902   distinguish between DS=1%DC=I (probably the result of forged TTLs)
 7903   and DS=1%DC=D (a true one-hop connection). [David]
 7904 
 7905 o Canonicalized the list of OS detection device types to a smaller set
 7906   with descriptions: https://svn.nmap.org/nmap/docs/device-types.txt .
 7907   [David, Fyodor, Doug]
 7908 
 7909 o [Ncat] The --idle-timeout option now exits when *both* stdin and the
 7910   socket have been idle for the given time. Previously it would exit
 7911   when *either* of them had been idle, meaning that the program would
 7912   quit contrary to your expectation when downloading a large file
 7913   without sending anything, for example. [David]
 7914 
 7915 o [Ncat] Ncat now always prefixes its own output messages with "Ncat: "
 7916   or "NCAT DEBUG: " to make it clear that they are not coming from the
 7917   remote host. This only matters when output goes to a terminal, where
 7918   the standard output and standard error streams are mixed. [David]
 7919 
 7920 o Nmap's Nbase library now has a new hexdump() function which produces
 7921   output similar to Wireshark. nmap_hexdump() is a wrapper which
 7922   prints the output using Nmap's log_write facility. The old hdump()
 7923   and lamont_dump() functions have been removed. [Luis]
 7924 
 7925 o Added explicit casts to (int)(unsigned char) for arguments to ctype function
 7926   calls in nmap, ncat and nbase.  Thanks to Solar Designer for pointing out
 7927   the need and fix for this. [Josh]
 7928 
 7929 o Ncat now supports wildcard SSL certificates.  The wildcard character
 7930   (*) can be in the commonName field or in a DNS entry of the Subject
 7931   Alternative Name (SAN) extension of the SSL certificate. Matching rules:
 7932   - '*' should be only on the leftmost component of FQDN. (*.example.com
 7933     but not www.*.com or www.example*.com).
 7934   - The leftmost component should contain only '*' and it should be
 7935     followed by '.' (*.example.com but not *w.example.com or
 7936     w*.example.com).
 7937   - There should be at least three components in FQDN. (*.example.com but
 7938     not *.com or *.com.). [venkat]
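The three matching rules listed above, implemented as an added example (not Ncat's code) and checked against the entry's own accepted and rejected patterns. Assumptions: '*' stands for exactly one DNS label, names compare case-insensitively, and a commonName or any SAN dNSName may match.

```python
# Added example (not Ncat's code): validate a wildcard certificate name
# under the three rules in the changelog entry, then match it to a host.
from typing import Iterable, Optional


def wildcard_pattern_is_valid(pattern: str) -> bool:
    """Rule 1: '*' only in the leftmost label. Rule 2: that label is exactly
    '*' followed by '.'. Rule 3: at least three labels. A trailing dot
    ('*.com.') produces an empty label and does not count as a third one."""
    labels = pattern.split(".")
    if "" in labels:                    # leading, trailing or doubled dot
        return False
    if "*" not in pattern:
        return True                     # plain name, no wildcard rules apply
    if labels[0] != "*":                # '*w.example.com', 'w*.example.com', 'www.*.com'
        return False
    if any("*" in lab for lab in labels[1:]):   # 'www.example*.com'
        return False
    return len(labels) >= 3             # '*.com' rejected


def name_matches(pattern: str, hostname: str) -> bool:
    """Compare a certificate name against the host being connected to.
    Assumption: '*' matches exactly one label (so '*.example.com' covers
    'www.example.com' but not 'example.com' or 'a.b.example.com'), and
    the comparison is case-insensitive as DNS names are."""
    pattern = pattern.lower()
    hostname = hostname.lower().rstrip(".")    # accept FQDN form for the host
    if not wildcard_pattern_is_valid(pattern):
        return False
    p_labels, h_labels = pattern.split("."), hostname.split(".")
    if len(p_labels) != len(h_labels):
        return False
    return all(p == "*" or p == h for p, h in zip(p_labels, h_labels))


def cert_matches_host(common_name: Optional[str],
                      san_dns_names: Iterable[str],
                      hostname: str) -> bool:
    """Accept the certificate if its commonName or any SAN dNSName matches
    (assumption: either source is consulted, as the entry says both may
    carry the wildcard)."""
    candidates = list(san_dns_names)
    if common_name:
        candidates.append(common_name)
    return any(name_matches(n, hostname) for n in candidates)


if __name__ == "__main__":
    # Constructed names: the entry's examples, checked in both directions.
    for p in ("*.example.com", "www.*.com", "www.example*.com", "*w.example.com",
              "w*.example.com", "*.com", "*.com."):
        print(f"{p:20} valid={wildcard_pattern_is_valid(p)}")
    print(cert_matches_host("*.example.com", ["mail.example.org"], "mail.example.org"))
```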
 7939 
 7940 o Nmap now handles the case when a primary network interface (venet0)
 7941   does not have an address assigned but its aliases do (venet0:1
 7942   etc.). This could result in the error messages
 7943     Failed to find device venet0 which was referenced in /proc/net/route
 7944     Failed to lookup subnet/netmask for device (venet0): venet0: no IPv4 address assigned
 7945   This was observed under OpenVZ. [Dmitry Levin]
 7946 
 7947 o [Ncat] The --ssl-cert, --ssl-key, and --ssl-trustfile options now
 7948   automatically turn on SSL mode. Previously they were ignored if
 7949   --ssl was not also used. [David]
 7950 
 7951 o [Nsock] Now Nsock supports pure TLSv1 and SSLv3 servers in addition
 7952   to the (already supported and far more common) SSLv2 and SSLv23
 7953   servers.  Ncat currently never uses SSLv2 for security reasons, so
 7954   it is unaffected by this change.
 7955 
 7956 o [Ncat] Implemented basic SCTP client functionality (server already
 7957   exists).  Only the default SCTP stream is used.  This is also called
 7958   TCP compatible mode.  While it allows Ncat to be used for manually
 7959   probing open SCTP ports, more complicated services making use of
 7960   multiple streams or depending on specific message boundaries cannot
 7961   be talked to successfully.  [Daniel Roethlisberger]
 7962 
 7963 o [Ncat] Implemented SSL over SCTP in both client (connect) and server
 7964   (listen) modes. [Daniel Roethlisberger]
 7965 
 7966 o Nmap now filters received ARP packets based on their target address
 7967   field, not the destination address in the enclosing ethernet
 7968   frame. Some operating systems, including Windows 7 and Solaris 10,
 7969   are known to at least sometimes send their ARP replies to the
 7970   broadcast address and Nmap wouldn't notice them. The symptom of this
 7971   was that root scans wouldn't work ("Host seems down") but non-root
 7972   scans would work. Thanks to Mike Calmus and Vijay Sankar for
 7973   reporting the problem, and Marcus Haebler for suggesting the
 7974   fix. [David]
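The distinction in that entry, shown on two constructed frames: an added example written for this page, not Nmap's code. It builds an ARP reply once with our unicast MAC as the Ethernet destination and once with the broadcast MAC, then applies the old check (Ethernet destination) and the fixed check (ARP target hardware and protocol address). The MAC and IP addresses are made up.

```python
"""Filter ARP replies by the ARP target fields, not the Ethernet destination.
Added example; not Nmap's implementation."""
import struct

ETH_P_ARP = 0x0806
ARP_REPLY = 2
BROADCAST = b"\xff" * 6

OUR_MAC = bytes.fromhex("0a0b0c0d0e0f")      # constructed
OUR_IP = bytes([192, 168, 1, 10])            # constructed
TARGET_MAC = bytes.fromhex("001122334455")   # constructed
TARGET_IP = bytes([192, 168, 1, 20])         # constructed


def build_arp_reply(eth_dst, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an IPv4-over-Ethernet ARP reply."""
    eth = eth_dst + sender_mac + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, ARP_REPLY)
    return eth + arp + sender_mac + sender_ip + target_mac + target_ip


def parse_arp(frame):
    """Return (eth_dst, opcode, sender_mac, sender_ip, target_mac, target_ip),
    or None if the frame is not a well-formed Ethernet/IPv4 ARP packet."""
    if len(frame) < 14 + 28:
        return None
    eth_dst = frame[0:6]
    ethertype = struct.unpack("!H", frame[12:14])[0]
    if ethertype != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    body = frame[22:42]
    return (eth_dst, op, body[0:6], body[6:10], body[10:16], body[16:20])


def is_reply_for_us_old(frame, our_mac):
    """The behaviour the entry replaces: key on the Ethernet destination,
    so a reply sent to ff:ff:ff:ff:ff:ff is dropped."""
    parsed = parse_arp(frame)
    return parsed is not None and parsed[1] == ARP_REPLY and parsed[0] == our_mac


def is_reply_for_us(frame, our_mac, our_ip):
    """Fixed behaviour: key on the ARP target hardware/protocol address,
    whatever Ethernet destination the host chose."""
    parsed = parse_arp(frame)
    if parsed is None or parsed[1] != ARP_REPLY:
        return False
    _, _, _, _, target_mac, target_ip = parsed
    return target_mac == our_mac and target_ip == our_ip


def discovered_hosts(frames, our_mac, our_ip):
    """Sender IPs (dotted) of all ARP replies addressed to us."""
    hosts = set()
    for frame in frames:
        if is_reply_for_us(frame, our_mac, our_ip):
            hosts.add(".".join(str(b) for b in parse_arp(frame)[3]))
    return hosts


# Constructed frames: same reply, unicast and broadcast Ethernet destination.
UNICAST_REPLY = build_arp_reply(OUR_MAC, TARGET_MAC, TARGET_IP, OUR_MAC, OUR_IP)
BROADCAST_REPLY = build_arp_reply(BROADCAST, TARGET_MAC, TARGET_IP, OUR_MAC, OUR_IP)
```

With the old check the broadcast reply is invisible and the host shows as down; with the fixed check both frames count, and a reply whose ARP target IP is not ours is still rejected.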
 7975 
 7976 o The -fno-strict-aliasing option is now used unconditionally when
 7977   using GCC. It was already this way, in effect, because a test
 7978   against the GCC version number was reversed: <= 4 rather than >= 4.
 7979   Solar Designer reported the problem.
 7980 
 7981 o Nmap now prints a warning instead of a fatal error when the hardware
 7982   address of an interface can't be found. This is the case for
 7983   FireWire interfaces, which have a hardware address format not
 7984   supported by libdnet. Thanks to Julian Berdych for the bug report.
 7985   [David]
 7986 
 7987 o Zenmap's UI performance has improved significantly thanks to
 7988   optimization of the update_ui() function. In particular, this speeds
 7989   up the new host filter system. [Josh]
 7990 
 7991 o Add a service probe for DNS-based service discovery (DNS-SD). See
 7992   http://seclists.org/nmap-dev/2009/q3/0610.html . [David]
 7993 
 7994 o Made RPC grinding work from service detection again by changing the
 7995   looked-for service name from "rpc" to "rpcbind", the name it has in
 7996   nmap-service-probes. Also removed some dead code. [David]
 7997 
 7998 o Fixed a log_write call and a pfatal call to use a syntax which is
 7999   safer from format string bugs.  This allows Nmap to build with the
 8000   gcc -Wformat -Werror=format-security options. [Guillaume Rousse,
 8001   Dmitry Levin]
 8002 
 8003 o A bug in Nsock was fixed: On systems where a non-blocking connect
 8004   could succeed immediately, connections that were requested to be
 8005   tunneled through SSL would actually be plain text. This could be
 8006   verified with an Ncat client and server running on localhost. This
 8007   was observed to happen with localhost connections on FreeBSD 7.2.
 8008   Non-localhost connections were likely not affected. The bug was
 8009   reported by Daniel Roethlisberger. [David]
 8010 
 8011 o Ncat proxy now hides the proxy's response ("HTTP/1.0 200 OK" or
 8012   whatever it may be). Before, if you retrieved a file through a
 8013   proxy, it would have the "HTTP/1.0 200 OK" stuck to the top of
 8014   it. For this Ncat uses blocking sockets until the proxy negotiation
 8015   is done and once it is successful, Nsock takes over for the rest of
 8016   the connection. [Venkat]
 8017 
 8018 o [NSE] socket garbage collection was rewritten for better performance
 8019   and to ensure that socket slots are immediately available to others
 8020   after a socket is closed.  See
 8021   http://seclists.org/nmap-dev/2009/q2/0624.html . [Patrick]
 8022 
 8023 o [NSE] Fixed a rare but possible segfault which could occur if the
 8024   nsock binding attempted to push values on the stack of a thread
 8025   which had already ended due to an error, and if that internal Lua
 8026   stack was already completely full. This bug is very hard to
 8027   reproduce with a SEGFAULT but is usually visible when Lua assertion
 8028   checks are turned on. A socket handler routine must be called AFTER
 8029   a thread has ended in error. [Patrick]
 8030 
 8031 o [Ncat] Fixed an error that would cause Ncat to use 100% CPU in
 8032   broker mode after a client disconnected or a read error happened.
 8033   [Kris, David]
 8034 
 8035 o [NSE] --script-args may now have whitespace in unquoted strings (but
 8036   surrounding whitespace is ignored). For example,
 8037   --script-args 'greeting = This is a greeting' becomes:
 8038   { ["greeting"] = "This is a greeting" } [Patrick]
 8039 
 8040 o [Ncat] Using --send-only in conjunction with the plain listen or
 8041   broker modes now behaves as it should: nothing will be read from the
 8042   network end.  Ncat previously read and discarded any data
 8043   received. [Kris]
 8044 
 8045 o [Nsock] Added a socket_count abstraction that counts the number of
 8046   read or write events pending on a socket, for the purpose of
 8047   maintaining an fd_set. The bit is set in the fd_set whenever the
 8048   count is positive, and cleared when it is zero. The reason for doing
 8049   this was that write bits were not being properly cleared when using
 8050   Ncat with SSL in connect mode, such that a client send would cause
 8051   Ncat to use 100% CPU until it received something from the
 8052   server. See the thread at
 8053   http://seclists.org/nmap-dev/2009/q2/0413.html . This change will
 8054   also make it easier to use a different back end than select in the
 8055   future. [David]
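The invariant that entry describes (an fd's bit is set in the select() set exactly while its pending-event count is positive), as an added example in Python rather than Nsock's C; it is not Nsock's code. The `EventCounts` class and the `demo()` walk-through are assumptions of this example, and the socket pair it polls is constructed locally. The point it makes runnable: a connected socket is almost always writable, so a write bit left set after the last pending write completes makes every select() call return at once, which is the 100% CPU spin the entry fixes.

```python
"""Count-based readiness bookkeeping in the spirit of the socket_count
abstraction. Added example; not Nsock's code."""
import select
import socket


class EventCounts:
    """Pending read/write event counts per fd and the derived fd sets."""

    def __init__(self):
        self._reads = {}
        self._writes = {}
        self.read_set = set()
        self.write_set = set()

    @staticmethod
    def _adjust(counts, fd_set, fd, delta):
        count = counts.get(fd, 0) + delta
        if count < 0:
            raise ValueError("event count for fd %d went negative" % fd)
        if count > 0:
            counts[fd] = count
            fd_set.add(fd)          # bit set while the count is positive
        else:
            counts.pop(fd, None)
            fd_set.discard(fd)      # bit cleared once the count reaches zero

    def add_read(self, fd):
        self._adjust(self._reads, self.read_set, fd, +1)

    def del_read(self, fd):
        self._adjust(self._reads, self.read_set, fd, -1)

    def add_write(self, fd):
        self._adjust(self._writes, self.write_set, fd, +1)

    def del_write(self, fd):
        self._adjust(self._writes, self.write_set, fd, -1)

    def poll(self, timeout):
        """One select() round over the derived sets."""
        readable, writable, _ = select.select(self.read_set, self.write_set, [], timeout)
        return readable, writable


def demo():
    """Two pending writes on one socket: after the first completes the bit
    must stay set, after the second it must be clear.  Returns the three
    observations as booleans."""
    left, right = socket.socketpair()       # constructed local socket pair
    try:
        fd = left.fileno()
        ev = EventCounts()
        ev.add_write(fd)
        ev.add_write(fd)
        _, writable = ev.poll(0)
        reported_while_pending = fd in writable      # select() returns it at once
        ev.del_write(fd)
        still_set = fd in ev.write_set               # one write still pending
        ev.del_write(fd)
        _, writable = ev.poll(0.05)
        cleared = fd not in ev.write_set and not writable   # select() waits instead
        return reported_while_pending, still_set, cleared
    finally:
        left.close()
        right.close()
```

Removing an event that was never added is an error rather than a silent underflow; a negative count would otherwise clear a bit some other pending event still needs.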
 8056 
 8057 o [Nsock] Added compilation dependency generation (makefile.dep)
 8058   [David]
 8059 
 8060 o [Ncat] The --broker option now automatically implies --listen. [David]
 8061 
 8062 o Fixed a logic error in getinterfaces_siocgifconf. The check for
 8063   increasing the capacity of the list of interfaces was off by
 8064   one. This caused a crash on initialization for systems with more
 8065   than 16 network interfaces. [David]
 8066 
 8067 o Added Apache JServe protocol version detection probe and signatures
 8068   and some other nmap-service-probes patches. [Tom Sellers]
 8069 
 8070 o Fixed two memory leaks in ncat_posix.c and a bug where an open file was not
 8071   being closed in libdnet-stripped/src/intf.c [Josh Marlow]
 8072 
 8073 o [Zenmap] Added profile editor support for the Nmap SCTP options:
 8074   -PY, -sY and -sZ. [Josh Marlow]
 8075 
 8076 o Fixed a bug in --data-length parsing which in some cases could
 8077   result in useless buffer allocations and unpredictable payload
 8078   lengths. See http://seclists.org/nmap-dev/2009/q2/0763.html [Luis]
 8079 
 8080 o The configure script now allows cross-compiling by assuming that
 8081   libpcap is recent enough to use rather than trying to compile and
 8082   run a test program. Libpcap will always be recent enough when Nmap's
 8083   included copy is used. [Mike Frysinger]
 8084 
 8085 o Updated the IANA assignment IP list for random IP (-iR)
 8086   generation. The Mac OS prefix file was updated as
 8087   well. [Kris, Fyodor]
 8088 
 8089 o [Zenmap] Fix a bug which could cause a crash in the (very rare) case
 8090   where Nmap would produce port tags in XML output without a state
 8091   attribute. [David]
 8092 
 8093 o Added a convenience top-level BSDmakefile which automatically
 8094   redirects BSD make to GNU make on BSD systems. The Nmap Makefile
 8095   relies on numerous GNU Make extensions. [Daniel Roethlisberger]
 8096 
 8097 Nmap 5.00 [2009-07-16]
 8098 
 8099 o Bumped up version number to 5.00!
 8100 
 8101 o [NSE] http-open-proxy script fixed to avoid false positives from bad
 8102   pattern matching and to properly declare some formerly-global
 8103   variables as local. [Joao]
 8104 
 8105 Nmap 4.90RC1 [2009-06-25]
 8106 
 8107 o [Zenmap] Fixed a display hanging problem on Mac OS X reported by
 8108   Christopher Caldwell at
 8109   http://seclists.org/nmap-dev/2009/q2/0721.html .  This was done by
 8110   adding gtk2 back to macports-1.8.0-universal.diff and removing the
 8111   dependency on shared-mime-info so it doesn't expect /usr/share/mime
 8112   files at runtime. Also included GDK pixbuf loaders statically rather
 8113   than as external loadable modules.  [David]
 8114 
 8115 o Fixed a memory bug (access of freed memory) when loading exclude
 8116   targets with --exclude. This was reported to occasionally cause a
 8117   crash. Will Cladek reported the bug and contributed an initial
 8118   patch. [David]
 8119 
 8120 o Zenmap application icons were regenerated using the newer SVG
 8121   representation of the Nmap eye. [David]
 8122 
 8123 Nmap 4.85BETA10 [2009-06-12]
 8124 
 8125 o The host discovery (ping probe) defaults have been enhanced to
 8126   include twice as many probes.  The default is now "-PE -PS443 -PA80
 8127   -PP". In exhaustive testing of 90 different probes, this emerged as
 8128   the best four-probe combination, finding 14% more Internet hosts
 8129   than the previous default, "-PE -PA80". The default for non-root
 8130   users is -PS80,443, replacing the previous default of -PS80. In
 8131   addition, ping probes are now sent in order of effectiveness (-PE
 8132   first) so that less effective probes may not have to be sent. ARP
 8133   ping is still the default on local ethernet networks. [David,
 8134   Fyodor]
 8135 
 8136 o Added SCTP port scanning support to Nmap. SCTP is a layer 4 protocol
 8137   used mostly for telephony related applications.  This brings the
 8138   following new features:
 8139   - SCTP INIT chunk port scan (-sY): open ports return an INIT-ACK
 8140     chunk, closed ones an ABORT chunk.  This is the SCTP equivalent
 8141     of a TCP SYN stealth scan.
 8142   - SCTP COOKIE-ECHO chunk port scan (-sZ): open ports are silent,
 8143     closed ports return an ABORT chunk.
 8144   - SCTP INIT chunk ping probes (-PY): host discovery using SCTP
 8145     INIT chunk packets.
 8146   - SCTP-specific IP protocol scan (-sO -p sctp).
 8147   - SCTP-specific traceroute support (--traceroute).
 8148   - The ability to use the deprecated Adler32 algorithm as specified
 8149     in RFC 2960 instead of CRC32C from RFC 4960 (--adler32).
 8150   - 42 well-known SCTP ports were added to the nmap-services file.
 8151   - The server scanme.csnc.ch has been set up for your SCTP scan
 8152     testing pleasure. But note that SCTP doesn't pass through most
 8153     NAT devices. See http://seclists.org/nmap-dev/2009/q2/0669.html .
 8154   Part of the work on SCTP support was kindly sponsored by
 8155   Compass Security AG, Switzerland. [Daniel Roethlisberger]
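The response rules for -sY and -sZ, and the checksum choice behind --adler32, carried through as an added example (not Nmap's implementation). It builds minimal SCTP packets (common header plus one chunk), computes the RFC 4960 CRC32c or the RFC 2960 Adler-32 over the packet with the checksum field zeroed, and classifies a reply by the chunk type it carries. Assumptions: the big-endian placement of the Adler-32 value, the port and verification-tag values, and the "unexpected" label for replies that fit neither rule; ICMP unreachable handling is left out.

```python
"""Classify SCTP scan responses and compute the SCTP checksum.
Added example; not Nmap's implementation.

-sY sends INIT: INIT-ACK means open, ABORT means closed, silence means filtered.
-sZ sends COOKIE-ECHO: ABORT means closed, silence means open|filtered.
The checksum is CRC32c (RFC 4960) or, with --adler32, Adler-32 (RFC 2960)."""
import struct
import zlib

# Chunk types, RFC 4960 section 3.2
CHUNK_INIT, CHUNK_INIT_ACK, CHUNK_ABORT, CHUNK_COOKIE_ECHO = 1, 2, 6, 10


def _make_crc32c_table():
    table = []
    for n in range(256):
        c = n
        for _ in range(8):
            c = (c >> 1) ^ 0x82F63B78 if c & 1 else c >> 1
        table.append(c)
    return table


_CRC32C_TABLE = _make_crc32c_table()


def crc32c(data):
    """CRC-32C (Castagnoli): reflected, init and final XOR 0xFFFFFFFF."""
    crc = 0xFFFFFFFF
    for byte in data:
        crc = (crc >> 8) ^ _CRC32C_TABLE[(crc ^ byte) & 0xFF]
    return crc ^ 0xFFFFFFFF


def sctp_checksum_field(packet, adler32=False):
    """The 4 bytes that belong in the checksum field (offset 8) of an SCTP
    packet, computed with that field zeroed as both RFCs require."""
    zeroed = packet[:8] + b"\x00" * 4 + packet[12:]
    if adler32:
        # RFC 2960 Adler-32, placed in network byte order (assumption).
        return struct.pack("!I", zlib.adler32(zeroed) & 0xFFFFFFFF)
    # RFC 4960 Appendix B reverses the CRC bytes before htonl(), so the
    # field holds the CRC32c value little-endian.
    return struct.pack("<I", crc32c(zeroed))


def build_sctp_packet(src_port, dst_port, vtag, chunk_type, chunk_body=b"", adler32=False):
    """Common header plus one chunk (padded to 4 bytes) with a valid checksum."""
    chunk = struct.pack("!BBH", chunk_type, 0, 4 + len(chunk_body)) + chunk_body
    chunk += b"\x00" * (-len(chunk) % 4)
    packet = struct.pack("!HHI", src_port, dst_port, vtag) + b"\x00" * 4 + chunk
    return packet[:8] + sctp_checksum_field(packet, adler32) + packet[12:]


def checksum_ok(packet, adler32=False):
    return packet[8:12] == sctp_checksum_field(packet, adler32)


def chunk_types(packet):
    """Chunk type codes in order, walking the 4-byte-aligned chunk list
    that follows the 12-byte common header."""
    types = []
    offset = 12
    while offset + 4 <= len(packet):
        ctype, _flags, length = struct.unpack("!BBH", packet[offset:offset + 4])
        if length < 4:
            raise ValueError("bad chunk length")
        types.append(ctype)
        offset += (length + 3) & ~3
    return types


def classify(scan_type, response, adler32=False):
    """scan_type is 'Y' (INIT scan) or 'Z' (COOKIE-ECHO scan); response is
    the reply packet bytes, or None when nothing came back."""
    if response is None:
        return "filtered" if scan_type == "Y" else "open|filtered"
    if not checksum_ok(response, adler32):
        return "bad-checksum"
    types = chunk_types(response)
    if CHUNK_ABORT in types:
        return "closed"
    if scan_type == "Y" and CHUNK_INIT_ACK in types:
        return "open"
    return "unexpected"
```

A reply whose checksum does not verify is reported separately rather than trusted, which is also how a scan against an Adler-32-only stack shows up when --adler32 was not given.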
 8156 
 8157 o [NSE] Added http-iis-webdav-vuln.nse, which detects the recently
 8158   discovered WebDAV unicode bug in MS IIS 5.1/6.0 web server which can
 8159   allow arbitrary users to access password protected folders without
 8160   authentication. See
 8161   https://nmap.org/svn/scripts/http-iis-webdav-vuln.nse. [Ron]
 8162 
 8163 o The Nmap Reference Guide has been translated to German by Open
 8164   Source Press and Indonesian by Tedi Heriyanto. You can now read it
 8165   in 16 languages at https://nmap.org/docs.html . We're always looking
 8166   for more translations of Nmap and its documentation--if you'd like
 8167   to help, see http://seclists.org/nmap-dev/2009/q2/0667.html .
 8168 
 8169 o Open Source Press completed and released the German translation of
 8170   the official Nmap book (Nmap Network Scanning). Learn more at
 8171   https://nmap.org/book/#translations.
 8172 
 8173 o [NSE] Added socks-open-proxy.nse for scanning networks for open
 8174   SOCKS proxy servers. See
 8175   https://nmap.org/nsedoc/scripts/socks-open-proxy.html . [Joao Correa]
 8176 
 8177 o [NSE] http-open-proxy.nse has been updated to attempt HEAD and
 8178   CONNECT methods as well as previously supported GET method.  It
 8179   still tries to reach http://www.google.com through the proxy by
 8180   default, but now also offers an argument for specifying a different
 8181   URL. [Joao Correa]
 8182 
 8183 o [Ncat] There is a backwards-incompatible change in the way that
 8184   listen mode works. The new default behavior is to accept only one
 8185   connection, and quit when the connection ends. This was necessary to
 8186   prevent data loss in some situations; some programs require Ncat to
 8187   send an EOF before they flush their internal buffers and finish
 8188   processing the last bit of data. See
 8189   http://seclists.org/nmap-dev/2009/q2/0528.html for more information.
 8190   Use the new -k or --keep-open option to get the old behavior, in
 8191   which Ncat will accept multiple simultaneous connections, combine all
 8192   their input, and accept more connections after a disconnection.
 8193   [Daniel Roethlisberger, David]
 8194 
 8195 o Ncat handling of newlines on Windows has been improved. CRLF is
 8196   automatically converted to a bare LF when input is from the console,
 8197   but left untouched when it is from a pipe or a file. No newline
 8198   translation is done on output (where it was being done before). This
 8199   makes it possible to transfer binary files with Ncat on Windows
 8200   without any corruption, while still being able to interactively ncat
 8201   into UNIX shells and other processes which require bare
 8202   newlines. Ncat clients now work the same way on UNIX and Windows in
 8203   that respect.  For cases where you do want \r\n line endings (such
 8204   as connections to web and email servers or Windows cmd.exe shells),
 8205   specify -C whether your client is running on UNIX or
 8206   Windows. [David]
 8207 
 8208 o Nmap RPM packages (x86 and x86-64) are now built with OpenSSL
 8209   support (statically linked in to avoid dependencies).  They are also
 8210   now built on CentOS 5.3 for compatibility with RHEL, Fedora, and
 8211   other distributions. Please let us know if you discover any
 8212   compatibility problems (or other issues) with the new RPMs. [Fyodor]
 8213 
 8214 o [Zenmap] The Topology tab now has a "Save Graphic" button that
 8215   allows saving the current topology display as a PNG, postscript,
 8216   PDF, and SVG image.  [Joao Medeiros, David]
 8217 
 8218 o Changed the default UDP ping (-PU) port from 31338 to 40125.  This
 8219   appears to be a better port based on David's empirical testing.
 8220 
 8221 o [NSE] Added the imap-capabilities script, which uses the CAPABILITY
 8222   command to determine the capabilities of a target IMAP mail server.
 8223   A simple supporting IMAP library was added as well. See
 8224   https://nmap.org/nsedoc/scripts/imap-capabilities.html . [Brandon]
 8225 
 8226 o [NSE] Brandon Enright from UCSD reports that, thanks to all the NSE
 8227   fixes in this release, he no longer sees any Nmap crashes in his
 8228   large scale scans. See
 8229   http://seclists.org/nmap-dev/2009/q2/0639.html .
 8230 
 8231 o Zenmap now works on RHEL/CentOS since it no longer requires the
 8232   hashlib library (which was introduced in Python 2.5, but RHEL 5
 8233   still uses 2.4) and no longer requires pysqlite2 (RHEL does not
 8234   offer that module).  It is still desirable to have pysqlite2
 8235   when available, since it enables Zenmap searching and database
 8236   saving features. [David]
 8237 
 8238 o Ncat can now send SSL certificates in connect mode for client
 8239   authentication by using the --ssl-cert and --ssl-key options.  The
 8240   specified certificates are only sent when requested by the
 8241   server. [Venkat]
 8242 
 8243 o Nmap can now handle -PS and -PA at the same time when running nmap
 8244   as non-root or using IPv6.  It now combines the two port lists. [Josh
 8245   Marlow]
 8246 
 8247 o [Ncat] SSL in listen mode now works on systems like BSD in which a
 8248   socket inherits its blocking or non-blocking status from the
 8249   listening socket. [David, Daniel Roethlisberger]
 8250 
 8251 o The --packet-trace/--version-trace options now show the names of
 8252   version detection probes as they are sent, making the version
 8253   detection process easier to understand and debug. [Tom Sellers]
 8254 
 8255 o The GPG detached signatures for Nmap releases now use the more
 8256   standard .asc extension rather than .gpg.txt.  They can still be
 8257   found at https://nmap.org/dist/sigs/ and the .gpg.txt versions for
 8258   previous releases are still available for compatibility reasons. For
 8259   instructions on verifying Nmap package integrity, see
 8260   https://nmap.org/book/install.html#inst-integrity. [Fyodor]
 8261 
 8262 o [Zenmap] Fixed two bugs: 1) When two scans are performed in Zenmap
 8263   and aggregated, the first one was being modified in the process,
 8264   preventing you from doing diffs in the "compare scans" dialogue or
 8265   properly saving the first scan individually. 2) If you start two
 8266   scans, then the faster one finishes and you cancel and remove the
 8267   slower one while still in progress, much of the results from both
 8268   scans are lost. [Josh Marlow]
 8269 
 8270 o [Ncat] When connecting to an SSL service in verbose mode, Ncat now
 8271   prints confirmation of the SSL connection, some certificate
 8272   information, and a cert fingerprint. For example:
 8273   SSL connection to 64.147.188.3:443. Electronic Frontier Foundation
 8274   SHA-1 fingerprint: 28BE B476 2E49 7ED5 3A9B 4D79 AD1E 69A9 82DB C75A
 8275 
 8276 o [NSE] Clean up output (generally reducing default verbosity) for the
 8277   p2p-conficker, smb-check-vulns, and http-iis-webdav-vuln scripts. In
 8278   general, we don't ask scripts to report that a host is clean unless
 8279   Nmap's verbosity level (-v) is at least one or two. [Ron, Fyodor]
 8280 
 8281 o [Zenmap] Added the -PS22,25,80 option found in the Quick Traceroute
 8282   profile to some of the Intense scan profiles for improved host
 8283   discovery. [Josh Marlow]
 8284 
 8285 o Fixed a bug with the --defeat-rst-ratelimit option which prevented
 8286   it from working properly.  See this thread:
 8287   http://seclists.org/nmap-dev/2009/q2/0476.html . [Josh]
 8288 
 8289 o [Ndiff] Avoid printing a "Not shown:" line if there weren't any
 8290   ports in the non-shown (extraports) list. [David]
 8291 
 8292 o [Ncat] Fixed Ncat compilation with versions of OpenSSL before 0.9.7.
 8293   Previously it would fail in ncat_openssl.c with the message
 8294   "structure has no member named `it'". The problem was reported by
 8295   Jaroslav Fojtik. [David]
 8296 
 8297 o [NSE] Removed the packet.hextobin(str) and packet.bintohex(str)
 8298   functions. They are redundant since you get the same functionality
 8299   by calling bin.pack("H", str) and bin.unpack("H", str),
 8300   respectively. [Patrick]
 8301 
 8302 o [NSE] Fixed the parsing of --script-args, which was only accepting
 8303   alphanumeric characters and underscores in values. Now a key, value,
 8304   or array value may be a sequence of any characters except '{', '}',
 8305   ',', '=', and all space characters. You may overcome this
 8306   restriction by using quotes (single or double) to allow all
 8307   characters within the quotation marks. You may also use the quote
 8308   delimiter inside the sequence so long as it is escaped by a
 8309   backslash. See
 8310   http://seclists.org/nmap-dev/2009/q2/0211.html . [Patrick]
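A parser for the --script-args rules given in this entry and in the later entry that admits interior whitespace in unquoted strings (surrounding whitespace dropped): an added example, not NSE's own argument parser. Keys, values and array elements are runs of any characters except '{', '}', ',' and '='; a quoted string admits everything, with a backslash escaping the quote character; a '{...}' group is a table. Assumption of this example: tables are returned as dicts with positional elements keyed 1..n, mirroring a Lua table constructor, so `greeting = This is a greeting` comes back as `{"greeting": "This is a greeting"}`.

```python
"""Parser for the documented --script-args syntax.
Added example; not NSE's implementation."""


class ScriptArgsParser:
    def __init__(self, text):
        self.text = text
        self.pos = 0

    def _peek(self):
        return self.text[self.pos] if self.pos < len(self.text) else ""

    def _skip_ws(self):
        while self._peek() and self._peek().isspace():
            self.pos += 1

    def _quoted(self):
        """Body of a single- or double-quoted string; only the quote
        character itself can be escaped with a backslash."""
        quote = self.text[self.pos]
        self.pos += 1
        out = []
        while True:
            ch = self._peek()
            if ch == "":
                raise ValueError("unterminated quoted string")
            if ch == "\\" and self.text[self.pos + 1:self.pos + 2] == quote:
                out.append(quote)
                self.pos += 2
                continue
            self.pos += 1
            if ch == quote:
                return "".join(out)
            out.append(ch)

    def _unquoted(self):
        """Run of characters up to a delimiter; surrounding whitespace is
        dropped, interior whitespace kept."""
        start = self.pos
        while self._peek() and self._peek() not in "{},=":
            self.pos += 1
        return self.text[start:self.pos].strip()

    def _string(self):
        return self._quoted() if self._peek() in ('"', "'") else self._unquoted()

    def _value(self):
        self._skip_ws()
        return self._table() if self._peek() == "{" else self._string()

    def _table(self):
        self.pos += 1                      # consume '{'
        table = self._elements(end="}")
        if self._peek() != "}":
            raise ValueError("missing '}' at offset %d" % self.pos)
        self.pos += 1
        return table

    def _elements(self, end):
        """Comma-separated 'key=value' or bare elements up to `end`
        ('' meaning end of input).  Bare elements get keys 1..n."""
        table = {}
        index = 0
        while True:
            self._skip_ws()
            if self._peek() == end:
                return table
            if self._peek() == "{":
                index += 1
                table[index] = self._table()
            else:
                token = self._string()
                self._skip_ws()
                if self._peek() == "=":
                    self.pos += 1
                    table[token] = self._value()
                else:
                    index += 1
                    table[index] = token
            self._skip_ws()
            if self._peek() == ",":
                self.pos += 1
            elif self._peek() != end:
                raise ValueError("unexpected %r at offset %d" % (self._peek(), self.pos))

    def parse(self):
        return self._elements(end="")


def parse_script_args(text):
    return ScriptArgsParser(text).parse()
```

Malformed input (an unterminated quote or an unclosed '{') raises rather than being silently truncated, so a script never receives half of an argument value.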
 8311 
 8312 o [NSE] When a script ends for any reason, all of its mutexes are now
 8313   unlocked.  This prevents a permanent (and painful to debug) deadlock
 8314   when a script crashes without unlocking a mutex. See
 8315   http://seclists.org/nmap-dev/2009/q2/0533.html . [Patrick]
 8316 
 8317 o Fixed a bug wherein nmap would not display the post-scan count of
 8318   raw packets sent during a SYN ping scan (-sP -PS). [Josh Marlow]
 8319 
 8320 o Changed the ICMP ping probes to use a random non-zero ICMP id.
 8321   David's empirical testing found that some hosts drop probes when the
 8322   ICMP id is 0. [Josh Marlow]
 8323 
 8324 o [NSE] Fixed a --script argument processing bug in which Nmap would
 8325   abort when an expression matches a set of scripts which were loaded
 8326   by other expressions first (a simple example is "--script
 8327   default,DEFAULT"). [Patrick]
 8328 
 8329 o [Zenmap] Operating system icons are now always loaded as PNGs, even on
 8330   platforms which support SVG images. That is much faster, and Zenmap
 8331   currently never scales the images anyway. [Josh]
 8332 
 8333 o [Ncat] The Nmap Windows uninstaller now removes the Ncat CA list
 8334   (ca-bundle.crt) which has been installed since 4.85BETA9. [Jah]
 8335 
 8336 o Optimized some Nmap version detection match lines for slightly
 8337   better performance. See
 8338   http://seclists.org/nmap-dev/2009/q2/0328.html . [Brandon]
 8339 
 8340 o [NSE] Upon connection failure, a socket now immediately unlocks its
 8341   "socket lock" to allow other pending socket connections to succeed
 8342   sooner. This slightly improves scan speeds by eliminating the wait
 8343   for garbage collection to free the resource. [Patrick]
 8344 
 8345 o [NSE] Corrected a bug in nse_nsock.cc that could result in a crash
 8346   from the use of an invalid Lua state if a thread is collected due to
 8347   timeout or other rare reasons. Essentially, the callbacks from the
 8348   nsock library were returning to an already-collected Lua state. We
 8349   now maintain a reference to the Lua State Thread in the nsock
 8350   userdata environment table to prevent early collection.  This is a
 8351   temporary patch for the stable release pending a more detailed
 8352   review of the NSE nsock library binding. [Patrick]
 8353 
 8354 o [NSE] When an NSE script in the database (script.db) is requested
 8355   but not found on the filesystem, Nmap now prints a warning rather
 8356   than aborting. We accidentally shipped with such a phantom script
 8357   (smb-check-vulns-2.nse) in 4.85BETA8. [Patrick]
 8358 
 8359 o Fixed a bug where an ICMP echo, timestamp, or address mask reply
 8360   could be matched up with the wrong ICMP probe if more than one ICMP
 8361   probe type was being sent (as with the new default ping). This led
 8362   to timing calculation problems. [David]
 8363 
 8364 o Improved the host expression parser to better handle a few cases
 8365   where invalid target specifiers would cause Nmap to scan unintended
 8366   hosts. See http://seclists.org/nmap-dev/2009/q2/0319.html . [Jah]
 8367 
 8368 o [Zenmap] Fixed a crash, introduced in 4.85BETA4, that happened when
 8369   searching scan results by date. The error message was:
 8370     File "zenmapGUI\SearchGUI.pyo", line 816, in set_date
 8371     TypeError: argument must be sequence of length 9, not 3 [David]
 8372 
 8373 o Patched configure.ac to detect Lua include and library files in
 8374   "lua5.1" subdirectories of /usr/include and the like. Debian
 8375   apparently puts them there. We still check the likes of
 8376   /usr/include/lua.h and /usr/include/lua/lua.h as well. [Jan
 8377   Christoph Nordholz]
 8378 
 8379 o Improved nsock's fselect() to be a more complete replacement for
 8380   select() on the Windows platform. In particular, any or all of the
 8381   FD sets can be null or empty descriptor sets. This fixes an error
 8382   ("nsock_loop error 10022") which would occur when you ran ncat
 8383   --send-only on Windows. [David]
 8384 
 8385 o The --with-openssl= directive now works for specifying the SSL
 8386   location to the nsock library.  It was previously not passing the
 8387   proper include file path to the compiler. [Fyodor]
 8388 
 8389 o The --traceroute feature is now properly disabled for IPv6 ping
 8390   scans (-6 -sP) since IPv6 traceroute is not currently
 8391   supported. [Jah]
 8392 
 8393 o Fixed an assertion failure which could occur on at least SPARC Linux.
 8394   The error looked like "nsock_core.c:294: handle_connect_result:
 8395   Assertion `0' failed. Aborted". [David Fifield, Fabio Pedretti]
 8396 
 8397 o Nmap's make install target now uses $(INSTALL) rather than cp to
 8398   copy NSE scripts and libraries to ensure that file permissions are
 8399   set properly. [Fyodor]
 8400 
 8401 o Improved the Oracle DB version detection signatures. [Tom Sellers]
 8402 
 8403 o [NSE] Remove the old nse_macros.h header file. This involved
 8404   removing the SCRIPT_ENGINE_* status defines, moving the likes of
 8405   SCRIPT_ENGINE_LUA_DIR to nse_main.h, removing the last remaining use
 8406   of SCRIPT_ENGINE_TRY, and moving the FILES and DIRS defines to
 8407   nse_fs.h. [Patrick]
 8408 
 8409 o Cleaned up the libpcre build system a bit by removing Makefile.am
 8410   and modifying configure.ac to prevent unnecessary removal of
 8411   pcre_chartables.cc in some instances. [Fyodor]
 8412 
 8413 o Fixed a bug which would cause Nmap to sometimes miscount the number
 8414   of hosts scanned and produce warnings such as "WARNING: No targets
 8415   were specified, so 0 hosts scanned" when --traceroute and -sP were
 8416   combined. [Jah]
 8417 
 8418 o Changed Nmap and Ncat's configure.ac files to check in more
 8419   situations whether -ldl is required for compilation and add it where
 8420   necessary. [Fyodor]
 8421 
 8422 o When building Nmap RPMs using the spec file, you can now pass in an
 8423   openssl argument, the contents of which are passed to ./configure's
 8424   --with-openssl option. So you can pass rpmbuild an option such as
 8425   --define "openssl /usr/local/ssl". [Fyodor]
 8426 
 8427 o Fixed the make distclean target to avoid a failure which could occur
 8428   when you ran it right after a make clean (it might have failed in
 8429   other situations as well). [David]
 8430 
 8431 o Updated nmap-mac-prefixes with the latest MAC address prefix data
 8432   from http://standards.ieee.org/regauth/oui/oui.txt as of
 8433   5/20/09. [Fyodor]
 8434 
 8435 o Ncat now makes sockets blocking before handing them off to another
 8436   program with --exec or --sh-exec. This is to resolve a failure where
 8437   the command "ncat --exec /usr/bin/yes localhost" would stop sending
 8438   because yes would send data so quickly that kernel send buffers
 8439   could not keep up and socket writes would start generating EAGAIN
 8440   errors. [Venkat]
 8441 
 8442 o Ncat now ignores SIGPIPE in listen mode.  This fixes the command
 8443   "yes | ncat -l --keep-open --send-only", which was failing after the
 8444   first client disconnected due to a broken pipe signal when Ncat
 8445   would try to write more data before realizing that the client had
 8446   closed the connection.
 8447 
 8448 o Version detection can now detect Ncat's --chat mode. [David]
 8449 
 8450 Nmap 4.85BETA9 [2009-05-12]
 8451 
 8452 o Integrated all 1,156 of your OS detection submissions and
 8453   your 50 corrections since January 8.  Please keep them coming!  The
 8454   second generation OS detection DB has grown 14% to more than 2,000
 8455   fingerprints!  That is more than we ever had with the first system.
 8456   The 243 new fingerprints include Microsoft Windows 7 beta, Linux
 8457   2.6.28, and much more.  See
 8458   http://seclists.org/nmap-dev/2009/q2/0335.html . [David]
 8459 
 8460 o [Ncat] A whole lot of work was done by David to improve SSL
 8461   security and functionality:
 8462   - Ncat now does certificate domain and trust validation against
 8463     trusted certificate lists if you specify --ssl-verify.
 8464   - [Ncat] To enable SSL certificate verification on systems whose
 8465     default trusted certificate stores aren't easily usable by
 8466     OpenSSL, we install a set of certificates extracted from Windows
 8467     in the file ca-bundle.crt. The trusted contents of this file are
 8468     added to whatever default trusted certificates the operating
 8469     system may provide. [David]
 8470   - Ncat now automatically generates a temporary keypair and
 8471     certificate in memory when you request it to act as an SSL server
 8472     but you don't specify your own key using --ssl-key and --ssl-cert
 8473     options. [David]
 8474   - [Ncat] In SSL mode, Ncat now always uses secure connections,
 8475     meaning that it uses only good ciphers and doesn't use
 8476     SSLv2. Certificates can optionally be verified with the
 8477     --ssl-verify and --ssl-trustfile options. Nsock provides the
 8478     option of making SSL connections that prioritize either speed or
 8479     security; Ncat uses security while version detection and NSE
 8480     continue to use speed. [David]
 8481 
 8482 o [NSE] Added Boolean Operators for --script. You may now use ("and",
 8483   "or", or "not") combined with categories, filenames, and wildcarded filenames
 8484   to match a set of files.  Parenthetical subexpressions are allowed for
 8485   precedence too.  For example, you can now run:
 8486     nmap --script "(default or safe or intrusive) and not http-*" scanme.nmap.org
 8487   For more details, see
 8488   https://nmap.org/book/nse-usage.html#nse-args. [Patrick]
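An evaluator for that boolean syntax, as an added example rather than Nmap's own selector: "and", "or", "not" and parentheses over categories, script names and shell-style wildcards, with "not" binding tightest and "or" loosest. A comma is accepted as a synonym for "or" so the older "default,DEFAULT" form keeps working. The script database is a constructed mapping of file name to categories (its contents are made up, not real script.db entries), and treating "all" as every script is an assumption of this example.

```python
"""Evaluate a --script boolean expression against a script database.
Added example; not Nmap's implementation."""
import fnmatch
import re


def _tokenize(expr):
    # Parentheses and commas are single tokens; anything else up to
    # whitespace is a word (category, file name or wildcard pattern).
    return re.findall(r"\(|\)|,|[^\s(),]+", expr)


def _matching(term, db):
    """Scripts whose category equals the term (case-insensitive) or whose
    file name, with or without .nse, matches it as a shell wildcard."""
    if term.lower() == "all":
        return set(db)
    pattern = term[:-4] if term.endswith(".nse") else term
    chosen = set()
    for script, categories in db.items():
        base = script[:-4] if script.endswith(".nse") else script
        if term.lower() in {c.lower() for c in categories} or fnmatch.fnmatchcase(base, pattern):
            chosen.add(script)
    return chosen


def select_scripts(expr, db):
    """Set of script file names in `db` selected by `expr`."""
    tokens = _tokenize(expr)
    universe = set(db)
    pos = 0

    def peek():
        return tokens[pos] if pos < len(tokens) else None

    def take():
        nonlocal pos
        pos += 1
        return tokens[pos - 1]

    def parse_or():                       # lowest precedence
        result = parse_and()
        while peek() in ("or", ","):
            take()
            result = result | parse_and()
        return result

    def parse_and():
        result = parse_not()
        while peek() == "and":
            take()
            result = result & parse_not()
        return result

    def parse_not():                      # highest precedence
        tok = peek()
        if tok is None:
            raise ValueError("unexpected end of --script expression")
        if tok == "not":
            take()
            return universe - parse_not()
        if tok == "(":
            take()
            result = parse_or()
            if peek() != ")":
                raise ValueError("missing ')'")
            take()
            return result
        if tok in (")", ",", "and", "or"):
            raise ValueError("unexpected %r" % tok)
        return _matching(take(), db)

    result = parse_or()
    if pos != len(tokens):
        raise ValueError("trailing tokens: %r" % tokens[pos:])
    return result


# Constructed sample database; the categories are made up for the example.
SAMPLE_DB = {
    "http-open-proxy.nse": {"default", "discovery", "safe"},
    "http-iis-webdav-vuln.nse": {"intrusive", "vuln"},
    "smb-brute.nse": {"intrusive", "auth"},
    "ssh-hostkey.nse": {"default", "safe", "discovery"},
    "socks-open-proxy.nse": {"external", "safe"},
}
```

Because each term evaluates to a set and the operators are set union, intersection and complement, a script selected by two overlapping terms is simply selected once, which is the "default,DEFAULT" case.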
 8489 
 8490 o [Ncat] The HTTP proxy server now works on Windows too. [David]
 8491 
 8492 o [Zenmap] The command wizard has been removed. The profile editor has
 8493   the same capabilities with a better interface that doesn't require
 8494   clicking through many screens. The profile editor now has its own
 8495   "Scan" button that lets you run an edited command line immediately
 8496   without saving a new profile. The profile editor now comes up
 8497   showing the current command rather than being blank. [David]
 8498 
 8499 o [Zenmap] Added a small animated throbber which indicates that a
 8500   scan is still running (similar in concept to the one on the
 8501   upper-right Firefox corner which animates while a page is
 8502   loading). [David]
 8503 
 8504 o Regenerate script.db to remove references to non-existent
 8505   smb-check-vulns-2.nse. This caused the following error messages when
 8506   people used the --script=all option: "nse_main.lua:319:
 8507   smb-check-vulns-2.nse is not a file!"  The script.db entries are now
 8508   sorted again to make diffs easier to read. [David, Patrick]
 8509 
 8510 o Fixed --script-updatedb on Windows--it was adding bogus backslashes
 8511   preceding file names in the generated script.db. Reported by
 8512   Michael Patrick at http://seclists.org/nmap-dev/2009/q2/0192.html,
 8513   and fixed by Jah.  The error message was also improved.
 8514 
 8515 o The official Windows binaries are now compiled with MS Visual C++
 8516   2008 Express Edition SP1 rather than the RTM version. We also now
 8517   distribute the matching SP1 version of the MS runtime components
 8518   (vcredist_x86.exe). A number of compiler warnings were fixed
 8519   too. [Fyodor,David]
 8520 
 8521 o Fixed a bug in the new NSE Lua core which caused it to round
 8522   fractional runlevel values to the next integer. This could cause
 8523   dependency problems for the smb-* scripts and others which rely on
 8524   floating point runlevel values (e.g. that smb-brute at runlevel 0.5
 8525   will run before smb-system-info at the default runlevel of 1).
 8526 
 8527 o The SEQ.CI OS detection test introduced in 4.85BETA4 now has some
 8528   examples in nmap-os-db and has been assigned a MatchPoints value of
 8529   50. [David]
 8530 
 8531 o [Ncat] When using --send-only, Ncat will now close the network
 8532   connection and terminate after receiving EOF on standard input.
 8533   This is useful for, say, piping a file to a remote ncat where you
 8534   don't care to wait for any response.  [Daniel Roethlisberger]
 8535 
 8536 o [Ncat] Fix hostname resolution on BSD systems where a recently
 8537   fixed libc bug caused getaddrinfo(3) to fail unless a socket type
 8538   hint is provided. Patch originally provided by Hajimu Umemoto of
 8539   FreeBSD. [Daniel Roethlisberger]
 8540 
 8541 o [NSE] Fixed bug in the DNS library which caused the error message
 8542   "nselib/dns.lua:54: 'for' limit must be a number". [Jah]
 8543 
 8544 o Fixed Solaris 10 compilation by renaming a yield structure which
 8545   conflicted with a yield function declared in unistd.h on that
 8546   platform. [Pieter Bowman, Patrick]
 8547 
 8548 o [Ncat] Minor code cleanup of Ncat memory allocation and string
 8549   duplication calls. [Ithilgore]
 8550 
 8551 o Fixed a bug which could cause -iR to only scan the first host group
 8552   and then terminate prematurely.  The problem related to the way
 8553   hosts are counted by o.numhosts_scanned. [David]
 8554 
 8555 o Fixed a bug in the su-to-zenmap.sh script so that, in the cases
 8556   where it calls su, it uses the proper -c option rather than
 8557   -C. [Michal Januszewski, Henry Gebhardt]
 8558 
 8559 o Overhaul the NSE documentation "Usage and Examples" section and add
 8560   many more examples: https://nmap.org/book/nse-usage.html [David]
 8561 
 8562 o [NSE] Made hexify in nse_nsock.cc take an unsigned char * to work
 8563   around an assertion in Visual C++ in Debug mode. The isprint,
 8564   isalpha, etc. functions from ctype.h have an assertion that the
 8565   value of the character passed in is <= 255. If you pass a character
 8566   whose value is >= 128, it is cast to an unsigned int, making it a
 8567   large positive number and failing the assertion. This is the same
 8568   thing that was reported in
 8569   http://seclists.org/nmap-dev/2007/q2/0257.html, in regard to
 8570   non-ASCII characters in nmap-mac-prefixes. [David]
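The ctype.h pitfall described in this entry, as an added C example (not the code from nse_nsock.cc): a hexify-style routine that widens each byte through unsigned char before calling isprint(), so bytes 0x80..0xff arrive as 128..255 rather than as negative ints. The function names and the sample input are this example's own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Correct way to hand a char to the <ctype.h> classifiers: cast to
 * unsigned char first.  On platforms where char is signed, a byte such as
 * 0xe9 is -23 as a plain char; passed straight to isprint() it becomes a
 * large value (or a negative index into the classification table), which
 * is undefined behaviour in C and is exactly what the debug-mode assertion
 * in the entry above catches. */
int byte_is_printable(char c)
{
    return isprint((unsigned char)c) != 0;
}

/* Render a byte buffer for display: printable ASCII is copied through,
 * everything else (including the backslash, to keep the output unambiguous)
 * is shown as \xNN.  Returns a malloc'd NUL-terminated string; caller frees. */
char *hexify(const char *data, size_t len)
{
    char *out = malloc(len * 4 + 1);   /* worst case: every byte -> "\xNN" */
    size_t o = 0;
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        if (byte_is_printable(data[i]) && data[i] != '\\')
            out[o++] = data[i];
        else
            o += (size_t)sprintf(out + o, "\\x%02x", (unsigned char)data[i]);
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* constructed sample: ASCII text, a backslash and two high-bit bytes */
    const char sample[] = "SSH-2.0\\\xe9\xff";
    char *text = hexify(sample, sizeof(sample) - 1);
    if (text != NULL) {
        printf("%s\n", text);          /* SSH-2.0\x5c\xe9\xff */
        free(text);
    }
    return 0;
}
```

The same cast is needed for every ctype.h classifier (isalpha, isspace, ...), and for the argument of toupper/tolower; the entry's reference to non-ASCII bytes in nmap-mac-prefixes is the same bug class hit through a different input file.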
 8571 
 8572 o [NSE] Fixed a segmentation fault which could occur in scripts which
 8573   use the NSE pcap library. The problem was reported by Lionel Cons
 8574   and fixed by Patrick.
 8575 
 8576 o [NSE] Port script start/finish debug messages now show the target
 8577   port number as well as the host/IP. [Jah]
 8578 
 8579 o Updated IANA assignment IP list for random IP (-iR)
 8580   generation. [Kris]
 8581 
 8582 o [NSE] Fixed http.table_argument so that user-supplied HTTP headers
 8583   are now properly sent in HTTP requests. [Jah]
 8584 
 8585 Nmap 4.85BETA8 [2009-04-21]
 8586 
 8587 o Ncat's HTTP proxy now supports the GET, HEAD, and POST methods in
 8588   addition to the CONNECT tunneling method, so it can be used as a
 8589   proxy with an ordinary web browser. [David]
 8590 
 8591 o Ncat can now run as an authenticated proxy in HTTP proxy mode. Use
 8592   --proxy-auth to provide a username and password that will be required
 8593   of proxy users. Only the insecure (not encrypted) Basic authentication
 8594   method is supported. [David]
 8595 
 8596 o Ndiff's text output has been redone to look more like Nmap output
 8597   and be easier to read. See the Ndiff README file for an example. The
 8598   XML output is now based on Nmap's XML output as well. Zenmap's diff
 8599   viewer now shows the new output with syntax highlighting. [David]
 8600 
 8601 o The new versions of the Conficker Internet worm ban infected systems
 8602   from visiting Insecure.Org and Nmap.Org.  We take that as a
 8603   compliment to the effectiveness of our remote Conficker scanner.
 8604   They also ban DNS substrings "honey" (for the Honeynet Project),
 8605   "doxpara" (for Dan Kaminsky's site), "tenablese" for Tenable
 8606   Security, "coresecur" for Core Security Technologies, and
 8607   "iv.cs.uni" for those meddlesome (to the Conficker authors)
 8608   researchers at the University of Bonn.  For people who can't reach
 8609   nmap.org due to infection, I've mirrored this release at
 8610   http://sectools.org/nmap/. [Fyodor]
 8611 
 8612 o New Conficker versions eliminate the loophole we were using to
 8613   detect them with smb-check-vulns.nse, so we've added new methods
 8614   which work with the newest variants. Here are the Conficker-related
 8615   improvements since BETA7:
 8616   - Added new p2p-conficker script which detects Conficker using its
 8617     P2P update ports rather than MSRPC.  This is based on some new
 8618     research by Symantec. See
 8619     https://nmap.org/nsedoc/scripts/p2p-conficker.html [Ron]
 8620   - Since new Conficker variants prevent detection by our previous
 8621     MSRPC check in smb-check-vulns, we've added a new check which still
 8622     works. It involves calling netpathcanonicalize on "\" rather than
 8623     "\..\" and checking for a different return value.  It was discovered
 8624     by Felix Leder and Tillmann Werner. [Ron]
 8625   - Improved smb-check-vulns Conficker error message text to be more
 8626     useful. [David]
 8627   - smb-check-vulns now defaults to using basic login rather than
 8628     extended logins as this seems to work better on some
 8629     machines. [Ron]
 8630   - Recommended command for a fast Conficker scan (combine into 1 line):
 8631     nmap -p139,445 --script p2p-conficker,smb-os-discovery,smb-check-vulns
 8632     --script-args checkconficker=1,safe=1 -T4 [target networks]
 8633   - Recommended command for a more comprehensive (but slower) scan:
 8634     nmap --script p2p-conficker,smb-os-discovery,smb-check-vulns -p-
 8635     --script-args checkall=1,safe=1 -T4 [target networks]
 8636 
 8637 o [NSE] The Nmap Script Engine core (C++) was rewritten in Lua for
 8638   code simplicity and extensibility. See
 8639   http://seclists.org/nmap-dev/2009/q2/0090.html and
 8640   http://seclists.org/nmap-dev/2009/q1/0047.html . [Patrick]
 8641 
 8642 o [Zenmap] The "Cancel" button has been restored to the main screen.
 8643   It will cancel the scan that is currently being displayed. [David]
 8644 
 8645 o Fixed an SMB library bug which could cause a nil-pointer exception
 8646   when scanning broken SMB implementations. Reported by Steve
 8647   Horejsi. [Ron]
 8648 
 8649 o [Ndiff] The setup.py installation script now suggests installing the
 8650   python-dev package in a certain error situation. Previously the
 8651   error message it printed was misleading:
 8652     error: invalid Python installation: unable to open
 8653     /usr/lib/python2.6/config/Makefile (No such file or directory)
 8654   The change was suggested by Aaron Leininger. [David]
 8655 
 8656 o [Nbase] The checksum functions now have an nbase_ prefix.  This
 8657   should prevent name collisions with internal but exported functions
 8658   in shared libraries Nmap links against (e.g. adler32() in zlib).
 8659   Such collisions seem to confuse the runtime linker on some platforms.
 8660   [Daniel Roethlisberger]
 8661 
 8662 o Fixed banner.nse to remove surrounding whitespace from banners. For
 8663   example, this avoids a superfluous carriage return and newline at the
 8664   end of SSH greetings. [Patrick]
 8665 
 8666 o Expanded and tweaked the product/version/info of service scans in an
 8667   attempt to reduce the number of warnings like "Warning: Servicescan
 8668   failed to fill info_template...".  Parts of this change include:
 8669   - Improved the text of the warning to be less confusing
 8670   - Increased the internal version info buffer to 256 chars from 128
 8671   - Increased the final version string length to 160 from 128 chars
 8672   - Changed the behavior when constructing the final version string so
 8673     that if it runs out of space, rather than dropping the output of that
 8674     template it truncates the template with ...
 8675   - Fixed the printing of unneeded spaces between templates when one of the
 8676     templates isn't going to be printed at all.
 8677   [Brandon]
 8678 
 8679 o Improved the service scan DB to remove certain problematic regex
 8680   patterns which could lead to PCRE_MATCHLIMIT errors. For example,
 8681   instances of ".*\r\n.*" and ".*\n.*\n" were generally collapsed to
 8682   ".*" as long as the DOTALL (/s) modifier was set. [Brandon]
 8683 
 8684 o Changed some error() calls (which were more informational than error
 8685   messages) to use log_write() instead, and changed a few f?printf()
 8686   calls into error() or log_write(). [Brandon]
 8687 
 8688 o [Ncat] Fixed a bug in the resolve() function which could cause Ncat
 8689   to resolve names using the wrong address family (such as AF_INET
 8690   rather than AF_INET6) in some rare cases. [Daniel Roethlisberger]
 8691 
 8692 o [Zenmap] Worked around a GTK+ bug on Windows reported by Henry Nymann.
 8693   It caused a crash when opening the Hosts Viewer on a host that had OS
 8694   information. A window appeared saying simply "Runtime Error!". [David]
 8695 
 8696 o [Zenmap] Gracefully handle unrecognized port states in the hosts
 8697   viewer. Apparently old versions of Nmap can return a state of
 8698   "unknown". This prevents this crash:
 8699       File "radialnet\gui\NodeNotebook.pyo", line 107, in __init__
 8700       File "radialnet\gui\NodeNotebook.pyo", line 257, in __create_widgets
 8701     KeyError: u'unknown'
 8702   [David]
 8703 
 8704 o Rewrote the debugging error message "Found whacked packet protocol
 8705   17 in get_ping_pcap_result" because we decided that receiving a UDP
 8706   packet during TCP ping scan is not egregious enough to qualify as
 8707   "whacked". [David]
 8708 
 8709 Nmap 4.85BETA7 [2009-04-1]
 8710 
 8711 o Improvements to the Conficker detection script (smb-check-vulns):
 8712   - Reduce false negative rate.  We (and all the other scanners) used
 8713     to require the 0x57 return code as well as a canonicalized path
 8714     string including 0x5c450000.  Tenable confirmed an infected system
 8715     which returned a 0x00000000 path, so we now treat any host
 8716     returning code 0x57 as likely infected. [Ron]
 8717   - Add workaround for crash in older versions of OpenSSL which would
 8718     occur when we received a blank authentication challenge string
 8719     from the server.  The error looked like: "evp_enc.c(282): OpenSSL
 8720     internal error, assertion failed: inl > 0". [Ron]
 8721   - Add helpful text for the two most common errors seen in the
 8722     Conficker check in smb-check-vulns.nse.  So instead of saying
 8723     things like "Error: NT_STATUS_ACCESS_DENIED", output is like:
 8724     |  Conficker: Likely CLEAN; access was denied.
 8725     |  |  If you have a login, try using --script-args=smbuser=xxx,smbpass=yyy
 8726     |  |  (replace xxx and yyy with your username and password). Also try
 8727     |  |_ smbdomain=zzz if you know the domain. (Error NT_STATUS_ACCESS_DENIED)
 8728     The other improved message is for
 8729     NT_STATUS_OBJECT_NAME_NOT_FOUND. [David]
 8730 
 8731 o The NSEDoc portal at https://nmap.org/nsedoc/ now provides download
 8732   links from the script and module pages to browse or download recent versions
 8733   of the code.  It isn't quite as up-to-date as obtaining them from
 8734   svn directly, but may be more convenient. For an example, see
 8735   https://nmap.org/nsedoc/scripts/ssl-enum-ciphers.html . [David, Fyodor]
 8736 
 8737 o A copy of the Nmap public svn repository (/nmap, plus its zenmap,
 8738   nsock, nbase, and ncat externals) is now available at
 8739   https://nmap.org/svn/.  We'll be updating this regularly, but it may
 8740   be slightly behind the SVN version.  This is particularly useful
 8741   when you need to link to files in the tree, since browsers generally
 8742   don't handle svn:// repository links. [Fyodor]
 8743 
 8744 o Declare a couple msrpc.lua variables as local to avoid a potential
 8745   deadlock between smb-server-stats.nse instances. [Ron]
 8746 
 8747 Nmap 4.85BETA6 [2009-03-31]
 8748 
 8749 o Fixed some bugs with the Conficker detection script
 8750   (smb-check-vulns) [Ron]:
 8751   - SMB response timeout raised to 20s from 5s to compensate for
 8752     slow/overloaded systems and networks.
 8753   - MSRPC now only signs messages if OpenSSL is available (avoids an
 8754     error).
 8755   - Better error checking for MS08-067 patch
 8756   - Fixed forgotten endian-modifier (caused problems on big-endian
 8757     systems such as Solaris on SPARC).
 8758 
 8759 o Host status messages (up/down) are now uniform between ping scanning
 8760   and port scanning and include more information. They used to vary
 8761   slightly, but now all look like
 8762     Host <host> is up (Xs latency).
 8763     Host <host> is down.
 8764   The new latency information is Nmap's estimate of the round trip
 8765   time. In addition, the reason for a host being up is now printed for
 8766   port scans just as for ping scans, with the --reason option. [David]
 8767 
 8768 o Version detection now has a generic match line for SSLv3 servers,
 8769   which matches more servers than the already-existing set of specific
 8770   match lines. The match line found 13% more SSL servers in a test.
 8771   Note that Nmap will not be able to do SSL scan-through against a
 8772   small fraction of these servers, those that are SSLv3-only or
 8773   TLSv1-only, because that ability is not yet built into Nsock. There
 8774   is also a new version detection probe that works against SSLv2-only
 8775   servers. These have shown themselves to be very rare, so that probe
 8776   is not sent by default. Kristof Boeynaems provided the patch and did
 8777   the testing.
 8778 
 8779 o [Zenmap] A typo that led to a crash if the ndiff subprocess
 8780   terminated with an error was fixed. [David] The message was
 8781       File "zenmapGUI\DiffCompare.pyo", line 331, in check_ndiff_process
 8782     UnboundLocalError: local variable 'error_test' referenced before assignment
 8783 
 8784 o [Zenmap] A crash was fixed:
 8785       File "zenmapGUI\SearchGUI.pyo", line 582, in operator_changed
 8786     KeyError: "Syst\xc3\xa8me d'Exploitation"
 8787   The text could be different, because the error was caused by
 8788   translating a string that was also being used as an index into an
 8789   internal data structure. The string will be untranslated until that
 8790   part of the code can be rewritten. [David]
 8791 
 8792 o [Zenmap] A bug was fixed that caused a crash when doing a keyword:
 8793   or target: search over hosts that had a MAC address. [David]
 8794   The crash output was
 8795       File "zenmapCore\SearchResult.pyo", line 86, in match_keyword
 8796       File "zenmapCore\SearchResult.pyo", line 183, in match_target
 8797     TypeError: argument of type 'NoneType' is not iterable
 8798 
 8799 o Fixed a bug which prevented all comma-separated --script arguments
 8800   from being shown in Nmap normal and XML output files where they show
 8801   the original Nmap command. [David]
 8802 
 8803 o Fixed ping scanner's runtime statistics system so that instead of
 8804   saying "0 undergoing Ping Scan" it gives the actual number of hosts in
 8805   the group (e.g. 4096). [David]
 8806 
 8807 o [Zenmap] A crash was fixed in displaying the "Error creating the
 8808   per-user configuration directory" dialog:
 8809       File "zenmap", line 104, in <module>
 8810       File "zenmapGUI\App.pyo", line 129, in run
 8811     UnicodeDecodeError: 'utf8' codec can't decode bytes in position 43-45:
 8812                         invalid data
 8813   The crash would only happen to users with paths containing
 8814   multibyte characters in a non-UTF-8 locale, who also had some error
 8815   preventing the creation of the directory. [David]
 8816 
 8817 Nmap 4.85BETA5 [2009-03-30]
 8818 
 8819 o Ron (in just a few hours of furious coding) added remote detection
 8820   of the Conficker worm to smb-check-vulns. It is based on new
 8821   research by Tillmann Werner and Felix Leder.  You can scan your
 8822   network for Conficker with a command like: nmap -PN -T4 -p139,445 -n
 8823   -v --script=smb-check-vulns --script-args safe=1 [targetnetworks]
 8824 
 8825 o Ndiff now includes service (version detection) and OS detection
 8826   differences. [David]
 8827 
 8828 o [Ncat] The --exec and --sh-exec options now work in UDP mode like
 8829   they do in TCP mode: the server handles multiple concurrent clients
 8830   and doesn't have to be restarted after each one. Marius Sturm
 8831   provided the patch.
 8832 
 8833 o [Ncat] The -v option (used alone) no longer floods the screen with
 8834   debugging messages. With just -v, we now only print the most
 8835   important status messages such as "Connected to ...", a startup
 8836   banner, and error messages.  At -vv, minor debugging messages are
 8837   enabled, such as what command is being executed by --sh-exec.  With
 8838   -vvv you get detailed debugging messages. [David]
 8839 
 8840 o [Ncat] Chat mode now lets other participants know when someone
 8841   connects or disconnects, and it also broadcasts a current list of
 8842   participants at such times. [David]
 8843 
 8844 o [Ncat] Fixed a socket handling bug which could occur when you
 8845   redirect Ncat stdin, such as "ncat -l --chat < /dev/null".  The next
 8846   user to connect would end up with file descriptor 0 (which is
 8847   normally stdin) and thus confuse Ncat. [David]
 8848 
 8849 o [Zenmap] The "Scan Output" expanders in the diff window now behave
 8850   more naturally. Some strange behavior on Windows was noted by Jah.
 8851   [David]
 8852 
 8853 o The following OS detection tests are no longer included in OS
 8854   fingerprints: U1.RUL, U1.TOS, IE.DLI, IE.SI, and IE.TOSI. URL, DLI,
 8855   and SI were found not to be helpful in distinguishing operating systems
 8856   because they didn't vary. TOS and TOSI were disabled in 4.85BETA1
 8857   but now they are not included in prints at all. [David]
 8858 
 8859 o The compile-time Nmap ASCII dragon is now more ferocious thanks to
 8860   better teeth alignment. [David]
 8861 
 8862 o Version 4.85BETA4 had a bug in the implementation of the new SEQ.CI
 8863   test that could cause a closed-port IP ID to be written into the
 8864   array for the SEQ.TI test and cause erroneous results. The bug was
 8865   found and fixed by Guillaume Prigent.
 8866 
 8867 o Nbase has grown routines for calculating Adler32 and CRC32C
 8868   checksums. This is needed for future SCTP support. [Daniel
 8869   Roethlisberger]
 8870 
 8871 o [Zenmap] Zenmap no longer shows an error message when running Nmap
 8872   with options that cause a zero-length XML file to be produced (like
 8873   --iflist). [David]
 8874 
 8875 o Fixed an off-by-one error in printableSize() which could cause Nmap
 8876   to crash while reporting NSE results. Also, NmapOutputTable's memory
 8877   allocation strategy was improved to conserve memory. [Brandon,
 8878   Patrick]
 8879 
 8880 o [Zenmap] We now give the --force option to setup.py for installation
 8881   to ensure that it replaces all files. [David]
 8882 
 8883 o Nmap's --packet-trace, --version-trace, and --script-trace now use
 8884   an Nsock trace level of 2 rather than 5.  This removes some
 8885   superfluous lines which can flood the screen. [David]
 8886 
 8887 o [Zenmap] Fixed a crash which could occur when loading the help URL
 8888   if the path contains multibyte characters. [David]
 8889 
 8890 o [Ncat] The version number is now matched to the Nmap release it came
 8891   with rather than always being 0.2. [David]
 8892 
 8893 o Fixed a strtok issue between load_exclude and
 8894   TargetGroup::parse_expr that caused only the first exclude on
 8895   a line to be loaded as well as an invalid read into free()'d
 8896   memory in load_exclude(). [Brandon, David]
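The strtok clobbering described in this entry, as an added C example (not Nmap's load_exclude or TargetGroup code): an outer loop splits a line of exclude expressions on whitespace and commas, and a nested tokenizer standing in for TargetGroup::parse_expr splits each expression on '-'. Because strtok() keeps a single hidden cursor, the inner call resets it and the outer loop never sees the second expression; strtok_r() with one save pointer per level fixes this. The function names and the sample line are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

/* Nested tokenizer (stand-in for TargetGroup::parse_expr) built on
 * strtok(): it shares the one hidden cursor with whoever called it. */
static int parse_expr_broken(char *expr)
{
    int parts = 0;
    for (char *p = strtok(expr, "-"); p != NULL; p = strtok(NULL, "-"))
        parts++;
    return parts;
}

/* Outer loop on strtok(): once parse_expr_broken() has exhausted the first
 * expression, strtok's saved pointer sits at that expression's end, so the
 * next strtok(NULL, ...) returns NULL and every later exclude is dropped.
 * Returns the number of excludes loaded; total_parts (optional) receives
 * the number of '-'-separated pieces seen. */
int load_excludes_broken(const char *line, int *total_parts)
{
    char buf[256];
    int n = 0, parts = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok(buf, " ,"); tok != NULL; tok = strtok(NULL, " ,")) {
        parts += parse_expr_broken(tok);
        n++;
    }
    if (total_parts != NULL)
        *total_parts = parts;
    return n;
}

/* Fixed nested tokenizer: strtok_r() with its own save pointer. */
static int parse_expr(char *expr)
{
    char *save;
    int parts = 0;
    for (char *p = strtok_r(expr, "-", &save); p != NULL; p = strtok_r(NULL, "-", &save))
        parts++;
    return parts;
}

/* Fixed outer loop: a separate save pointer, so the inner tokenizer cannot
 * disturb the outer one.  Same return convention as above. */
int load_excludes(const char *line, int *total_parts)
{
    char buf[256];
    char *save;
    int n = 0, parts = 0;
    snprintf(buf, sizeof buf, "%s", line);
    for (char *tok = strtok_r(buf, " ,", &save); tok != NULL; tok = strtok_r(NULL, " ,", &save)) {
        parts += parse_expr(tok);
        n++;
    }
    if (total_parts != NULL)
        *total_parts = parts;
    return n;
}

int main(void)
{
    /* constructed exclude line carrying three expressions */
    const char *line = "192.168.0.1-5 10.0.0.0-255,172.16.1-2.1";
    printf("strtok:   %d excludes loaded\n", load_excludes_broken(line, NULL)); /* 1 */
    printf("strtok_r: %d excludes loaded\n", load_excludes(line, NULL));        /* 3 */
    return 0;
}
```

The entry's second symptom (an invalid read into free()'d memory) has the same root cause: strtok's saved pointer silently refers to whatever buffer was tokenized last, so it can outlive that buffer.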
 8897 
 8898 o NSE's garbage collection system (for cleaning up sockets from
 8899   completed threads, etc.) has been improved. [Patrick]
 8900 
 8901 Nmap 4.85BETA4 [2009-3-15]
 8902 
 8903 o Added two new SMB/MSRPC NSE scripts by Ron Bowes:
 8904   - smb-brute.nse: Bruteforce to discover SMB accounts. Has advanced
 8905     features, such as lockout detection, username validation, username
 8906     enumeration, and optimized case detection.
 8907   - smb-pwdump.nse: Uses executables from the Pwdump6 project to dump
 8908     password hashes from a remote machine (and optionally crack them
 8909     with Rainbow Crack). Pwdump6 files have to be downloaded
 8910     separately.
 8911 
 8912 o [Ncat] The --exec and --sh-exec options now work on Windows. This
 8913   was a big job, considering that Windows doesn't even have a fork()
 8914   call and has all sorts of socket idiosyncrasies. [David]
 8915 
 8916 o Doug performed one of the largest version detection integration runs
 8917   ever, processing 1,746 submissions and 18 corrections.  We are now
 8918   current with all submissions up to February 3.  Keep them coming.
 8919   The version detection database has grown to 5,476 signatures for 510
 8920   application protocols. Doug posted his notes on the integration at
 8921   http://hcsw.org/blog.pl/37.  We now have 1,868 http server
 8922   signatures, and the number of gopher signatures has bumped up from 5
 8923   to 6.
 8924 
 8925 o Released the new Ncat guide which contains practical real-life Ncat
 8926   usage examples for Ncat's major features.  It complements the more
 8927   option-centric man page.  Read it here: https://nmap.org/ncat/guide/
 8928   [David, Fyodor]
 8929 
 8930 o Ndiff is now included in the Windows zip distribution. For space
 8931   reasons, it is not an executable compiled with py2exe as in the
 8932   executable installer, rather it is the Ndiff source code (ndiff.py)
 8933   and a batch file wrapper (ndiff.bat). Because it's not precompiled,
 8934   it's necessary to have a Python interpreter installed. [David]
 8935 
 8936 o The new --stats-every option takes a time interval that controls how
 8937   often timing status updates are printed. It's intended to be used
 8938   when Nmap is run by another program as a subprocess. Thanks to
 8939   Aleksandar Petrinic for the initial implementation. [David]
 8940 
 8941 o [NSE] A new function stdnse.sleep allows a script to sleep for a
 8942   given time (and yield control to other scripts). [David]
 8943 
 8944 o [Ncat] In --chat mode (formerly --talk), the server now announces to
 8945   everyone when someone connects or disconnects. Besides letting you
 8946   know who's connected, this also informs you of your "user name" as
 8947   soon as you connect. [David]
 8948 
 8949 o [Ncat] Ncat now works interactively on Windows. Before,
 8950   peculiarities in the way Windows handles reading from the keyboard
 8951   meant that typing interactively into Ncat would cause it to quit
 8952   with a write timeout. [David]
 8953 
 8954 o Refactored SMB and MSRPC NSE scripts significantly, moving much of
 8955   the code into the smb.lua and msrpc.lua modules where it can be
 8956   leveraged by other scripts. For example, the user enumeration
 8957   functions are used by smb-brute.nse. [Ron Bowes]
 8958 
 8959 o [Ncat] The syntax accepted by the --allow, --deny, --allowfile, and
 8960   --denyfile options is now the same as Nmap's target specifications.
 8961   Additionally any errors in the allow or deny specifications are
 8962   reported when the program starts, not deferred until a connection is
 8963   received. [David]
 8964 
 8965 o You can now use '-' by itself in a target IP specification to mean
 8966   0-255, so you could scan 192.168.-.-.  An asterisk can also still be
 8967   used as an octet wildcard, but then you have to deal with shell
 8968   escaping on many platforms. [David]
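A parser for the octet syntax this entry describes, as an added C example rather than Nmap's own TargetGroup code: each octet may be a number, a range "N-M" (either side may be omitted, as in "-5" or "200-"), a bare "-" meaning 0-255, or "*". The parser rejects values outside 0..255, inverted ranges and specs without exactly four octets, and returns the number of addresses the spec covers. The function and type names are this example's own.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct octet_range { int lo, hi; };

/* Parse one decimal octet value; an empty string yields dflt (used for the
 * open ends of "-5" and "200-").  Returns 0 on success, -1 on junk. */
static int parse_num(const char *s, long dflt, long *out)
{
    char *end;
    long v;
    if (*s == '\0') {
        *out = dflt;
        return 0;
    }
    if (*s < '0' || *s > '9')          /* strtol would accept "+5" and " 5" */
        return -1;
    v = strtol(s, &end, 10);
    if (*end != '\0' || v < 0 || v > 255)
        return -1;
    *out = v;
    return 0;
}

/* Parse a single octet token of len bytes into a [lo, hi] range. */
static int parse_octet(const char *s, size_t len, struct octet_range *r)
{
    char buf[16];
    char *dash;
    long lo, hi;
    if (len == 0 || len >= sizeof buf)
        return -1;
    memcpy(buf, s, len);
    buf[len] = '\0';
    if (strcmp(buf, "*") == 0) {       /* wildcard, same as "-" */
        r->lo = 0;
        r->hi = 255;
        return 0;
    }
    dash = strchr(buf, '-');
    if (dash == NULL) {
        if (parse_num(buf, 0, &lo) != 0)
            return -1;
        r->lo = r->hi = (int)lo;
        return 0;
    }
    *dash = '\0';                      /* "-" alone becomes "" and "" -> 0-255 */
    if (parse_num(buf, 0, &lo) != 0 || parse_num(dash + 1, 255, &hi) != 0 || lo > hi)
        return -1;
    r->lo = (int)lo;
    r->hi = (int)hi;
    return 0;
}

/* Parse a dotted spec such as "192.168.-.1-5" into four ranges (out may be
 * NULL if only the count is wanted).  Returns the number of addresses the
 * spec expands to, or -1 if the spec is malformed. */
long parse_target_spec(const char *spec, struct octet_range *out)
{
    struct octet_range local[4];
    const char *p = spec;
    long count = 1;
    if (out == NULL)
        out = local;
    for (int i = 0; i < 4; i++) {
        const char *dot = strchr(p, '.');
        size_t len = dot ? (size_t)(dot - p) : strlen(p);
        if ((i < 3) != (dot != NULL))  /* exactly three dots allowed */
            return -1;
        if (parse_octet(p, len, &out[i]) != 0)
            return -1;
        count *= out[i].hi - out[i].lo + 1;
        if (dot != NULL)
            p = dot + 1;
    }
    return count;
}

int main(void)
{
    struct octet_range r[4];
    long n = parse_target_spec("192.168.-.1-5", r);   /* constructed spec */
    printf("%ld addresses; octet 3 = %d-%d\n", n, r[2].lo, r[2].hi); /* 1280 addresses; 0-255 */
    return 0;
}
```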
 8969 
 8970 o Nmap was discovered in another movie!  In the Russian film
 8971   Khottabych, teenage hacker Gena uses Nmap (and telnet) to hack
 8972   Microsoft.  In response, MS sends a pretty female hacker to flush
 8973   him out.  More details and screenshots: https://nmap.org/movies/#khottabych .
 8974 
 8975 o Improved operating system support for the smb-enum-sessions NSE
 8976   script; previous revisions worked on Windows 2003 or Windows 2000,
 8977   but never both.  Currently, it is tested and working on both
 8978   versions.  [Ron Bowes]
 8979 
 8980 o Implemented file-management functions in SMB, including file upload,
 8981   file download, and file delete. Only leveraged by smb-pwdump.nse at
 8982   the moment, these functions give scripts the ability to perform
 8983   checks against the filesystem of a server. [Ron Bowes]
 8984 
 8985 o [Zenmap] A crash was fixed that occurred when you ran a scan
 8986   that didn't produce any host output (like "nmap --iflist") and then
 8987   tried to remove it from the inventory. [David]
 8988   The crash looked like
 8989     ValueError: list.remove(x): x not in list
 8990 
 8991 o [Ncat] In --chat mode, the server escapes potentially dangerous
 8992   control characters (in octal) before sending them to
 8993   clients. [David]
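The escaping this entry describes, as an added C example (not Ncat's own code): before one client's text is relayed to the other chat participants, C0 control characters and DEL are rendered as \ooo octal escapes so that a participant cannot drive other users' terminals (cursor movement, colour changes, title-setting sequences and the like). The function name and the choices of which bytes to pass through are this example's own assumptions.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Render control bytes as \ooo before relaying text to other clients.
 * Newline passes through so lines still end; the backslash is escaped too
 * so the result is unambiguous; bytes >= 0x80 are passed through unchanged
 * (see the note below).  Returns a malloc'd NUL-terminated string; caller
 * frees. */
char *escape_control_chars(const char *in, size_t len)
{
    char *out = malloc(len * 4 + 1);   /* worst case: every byte -> "\ooo" */
    size_t o = 0;
    if (out == NULL)
        return NULL;
    for (size_t i = 0; i < len; i++) {
        unsigned char b = (unsigned char)in[i];
        if (b == '\n' || b >= 0x80 || (b >= 0x20 && b < 0x7f && b != '\\'))
            out[o++] = (char)b;
        else
            o += (size_t)sprintf(out + o, "\\%03o", b);   /* ESC, DEL, '\\', ... */
    }
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* constructed message carrying an ANSI colour escape sequence */
    const char msg[] = "hi\x1b[31m\n";
    char *safe = escape_control_chars(msg, sizeof(msg) - 1);
    if (safe != NULL) {
        fputs(safe, stdout);           /* hi\033[31m */
        free(safe);
    }
    return 0;
}
```

Passing bytes >= 0x80 through keeps UTF-8 text readable, but it also lets a UTF-8-encoded C1 control (for example 0xC2 0x9B, the 8-bit CSI) reach the terminal; a relay that handles UTF-8 input should decode it first and apply the same rule to the decoded code points.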
 8994 
 8995 o [Ndiff] Added a workaround for a bug in PyXML. The bug would cause a
 8996   crash that looked like "KeyError: 0". [David]
 8997 
 8998 o [Zenmap] Fixed a crash when something that looked like a format
 8999   specifier (like %y) appeared in a profile. The error message was
 9000     ValueError: unsupported format character 'y' (0x79)
 9001   [David]
 9002 
 9003 o A bug was fixed in route finding on BSD Unix. The libdnet function
 9004   addr_stob didn't handle the special case of the sa_len member of
 9005   struct sockaddr being equal to 0 and accessed unrelated memory past
 9006   the end of the sockaddr. A symptom of this was the fatal error
 9007     nexthost: failed to determine route to ...
 9008   which was caused by the default route being assigned a netmask other
 9009   than 0.0.0.0. [David]
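The sa_len special case from this entry, as an added C example (not libdnet's addr_stob): converting an IPv4 netmask carried in a sockaddr into a prefix length, treating a zero-length sockaddr as "no mask bytes present", which is 0.0.0.0 for the default route. The length is passed as a separate parameter standing in for BSD's sockaddr.sa_len so the example also builds on systems whose struct sockaddr lacks that member; the function names are this example's own.

```c
#define _POSIX_C_SOURCE 200809L
#include <arpa/inet.h>
#include <netinet/in.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>

/* Netmask sockaddr -> prefix length.  sa_len plays the role of the BSD
 * sockaddr.sa_len field.  A zero length means the kernel supplied no mask
 * bytes at all (the default route), so the answer is 0 without touching
 * sin_addr; reading it anyway is the out-of-bounds read described above.
 * Returns 0..32, or -1 for a non-IPv4, truncated or non-contiguous mask. */
int netmask_to_bits(const struct sockaddr *sa, size_t sa_len)
{
    const struct sockaddr_in *sin;
    uint32_t m, inv;
    int bits = 0;

    if (sa_len == 0)
        return 0;                      /* zero-length mask == 0.0.0.0 */
    if (sa_len < sizeof(struct sockaddr_in) || sa->sa_family != AF_INET)
        return -1;
    sin = (const struct sockaddr_in *)sa;
    m = ntohl(sin->sin_addr.s_addr);
    /* a contiguous mask is 1...10...0, so ~m + 1 is a power of two */
    inv = ~m;
    if ((inv & (inv + 1)) != 0)
        return -1;
    while (m != 0) {
        bits += (int)(m & 1);
        m >>= 1;
    }
    return bits;
}

/* Convenience wrapper for a dotted-quad mask string (constructed input). */
int dotted_mask_to_bits(const char *dotted)
{
    struct sockaddr_in sin;
    memset(&sin, 0, sizeof sin);
    sin.sin_family = AF_INET;
    if (inet_pton(AF_INET, dotted, &sin.sin_addr) != 1)
        return -1;
    return netmask_to_bits((const struct sockaddr *)&sin, sizeof sin);
}
```

The length check before the cast matters for the same reason as the zero-length case: routing-socket replies pack several sockaddrs back to back, so a too-short entry must never be read as a full sockaddr_in.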
 9010 
 9011 o Added bindings for the service control (SVCCTL) and at service (ATSVC)
 9012   services. These are both related to running processes on the remote
 9013   system (identical to how PsExec-style scripts work). These bindings
 9014   are used by smb-pwdump.nse. [Ron Bowes]
 9015 
 9016 o Refactored SMB authentication code into its own module, smbauth.lua.
 9017   Improved scripts' ability to store and retrieve login information
 9018   discovered by modules such as smb-brute.nse. [Ron Bowes]
 9019 
 9020 o Added message signing to SMB. Connections will no longer fail if the
 9021   server requires message signatures. This is a rare case, but comes up
 9022   on occasion. If a server allows but doesn't require message signing,
 9023   smb.lua will negotiate signing. This improves security by preventing
 9024   man in the middle attacks. [Ron Bowes]
 9025 
 9026 o Fixed the daytime.nse script to work for UDP again (it was checking
 9027   a "proto" field when the field name is actually "protocol"). [Jah]
 9028 
 9029 o Implemented extended security negotiations in the NSE SMB
 9030   module. Creates no noticeable change from the user's perspective,
 9031   but it's a more modern protocol. [Ron Bowes]
 9032 
 9033 o Nmap wins LinuxQuestions.Org Network Security Application of the
 9034   Year for the sixth year in a row! See
 9035   http://seclists.org/nmap-dev/2009/q1/0395.html .
 9036 
 9037 o [Zenmap] Removed some unnecessary (mostly GTK+-related) files from
 9038   the Windows installer--nmap-4.85BETA4-setup.exe is now smaller than
 9039   it has ever been since Nmap 4.22SOC6, which was released in August
 9040   2007! [David]
 9041 
 9042 o Fixed the install-zenmap make target for Solaris portability.
 9043   Solaris /bin/sh does not have test(1) -e. [Daniel Roethlisberger]
 9044 
 9045 o Version detection used to omit the "ssl/" service name prefix if an
 9046   SSL-tunneled port didn't respond to any version probes. Now it keeps
 9047   "ssl/" as an indication that SSL was discovered, even if the service
 9048   behind it wasn't identified. Kristof Boeynaems reported the problem
 9049   and contributed a patch. [David]
 9050 
 9051 o [Ncat] The --talk option has been renamed --chat. --talk remains as an
 9052   undocumented alias.
 9053 
 9054 o There is a new OS detection test named SEQ.CI. Like TI and II, CI
 9055   classifies the target's IP ID sequence generation algorithm. CI is
 9056   based on the responses received to the probes sent to a closed port.
 9057   The algorithm for closed ports has been observed to differ from that
 9058   for open ports on some operating systems (though we don't yet know
 9059   which ones).  The new test won't have an effect until new
 9060   fingerprints containing it are added to nmap-os-db. We got the idea
 9061   from some notes sent in by Dario Ciccarone. [David, Fyodor]
 9062 
 9063 o OS fingerprints now include the SEQ.II test (ICMP IP ID sequence
 9064   generation) even if there are no other SEQ test results. The
 9065   previous omission of SEQ.II in that case was a bug. [David]
 9066 
 9067 o [Ncat] The --send-only and --recv-only options now work in listen
 9068   mode as well as connect mode. [David]
 9069 
 9070 o [Ncat] An error in formatting bytes with the high bit set in hex
 9071   dump output was fixed. [David]
 9072 
 9073 o [Zenmap] New translation: Croatian (contributed by Vlatko Kosturjak).
 9074 
 9075 o Fixed a DNS decoding bug in dns-zone-transfer.nse that created
 9076   garbage output and could crash Zenmap by including 0x0C bytes in XML
 9077   files. The Zenmap crash looked like
 9078     SAXParseException: .../zenmap-XXXXXX.xml:39:290: not well-formed
 9079     (invalid token)
 9080   Thanks to Anino Belan and Eric Nickel for sending in affected log
 9081   files. [David]
 9082 
 9083 o [NSEDoc] Scripts that use modules automatically have the script
 9084   arguments defined by those modules included in their documentation.
 9085   It's no longer necessary to manually supply @args for the arguments
 9086   in the modules you use. For those who haven't seen the NSEDoc portal
 9087   yet, check out https://nmap.org/nsedoc/. [David]
 9088 
 9089 o An integer overflow in the scan progress meter was fixed. It caused
 9090   nonsense output like
 9091     UDP Scan Timing: About 11.34% done; ETC: 03:21 (-688:-41:-48 remaining)
 9092   during very long scans. [Henri Doreau]
 9093 
 9094 o [Zenmap] A better method of detecting the system locale is used, so
 9095   it should not be necessary to set the LANG environment variable on
 9096   Windows to get internationalized text. Thanks to Dirk Loss for the
 9097   suggestion. [David]
 9098 
 9099 o [Ncat] Added a number of automated tests for ensuring that Ncat is
 9100   working correctly.  They are in /ncat/test in SVN. [David]
 9101 
 9102 o [Ncat] Now builds again when using the --without-openssl
 9103   option. [David]
 9104 
 9105 o [Zenmap] Fix auto-scroll behavior while Nmap is producing output, as
 9106   that previously failed in some cases involving wide lines in
 9107   output. [David]
 9108 
 9109 o [Zenmap] The network topology feature (Radialnet) has been
 9110   internationalized so its strings will be localized as well (as soon
 9111   as the relevant language's translation files are updated).  To help
 9112   out, see https://nmap.org/book/zenmap-lang.html . Some remaining search
 9113   interface elements were internationalized as well. [David]
 9114 
 9115 o Improved the efficiency of the xml_convert() routine which handles
 9116   XML escaping.  It was so inefficient that this stupid little routine
 9117   was noticeably slowing Nmap down in some cases. [David]
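An XML escaper covering both this entry and the dns-zone-transfer one above (0x0C bytes producing an XML file that is not well-formed), as an added C example rather than Nmap's xml_convert(): it escapes the markup characters, refuses to emit the C0 control bytes that XML 1.0 forbids (rendering them as a visible \xNN placeholder, this example's choice), and does so in two counting passes with a single allocation instead of growing the buffer byte by byte. Bytes >= 0x80 are assumed to belong to valid UTF-8 sequences.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* XML 1.0 allows tab, LF, CR and everything from 0x20 up in character
 * data; the other C0 controls (0x0C among them) may not appear at all,
 * not even as a character reference. */
static int xml_char_ok(unsigned char b)
{
    return b == '\t' || b == '\n' || b == '\r' || b >= 0x20;
}

/* Number of output bytes one input byte will occupy. */
static size_t escaped_len(unsigned char b)
{
    switch (b) {
    case '<': case '>': return 4;              /* &lt; &gt;   */
    case '&':           return 5;              /* &amp;       */
    case '"':           return 6;              /* &quot;      */
    default:            return xml_char_ok(b) ? 1 : 4;   /* \xNN */
    }
}

/* Write the escaped form of b at out; returns the number of bytes written. */
static size_t put_escaped(char *out, unsigned char b)
{
    switch (b) {
    case '<': memcpy(out, "&lt;", 4);   return 4;
    case '>': memcpy(out, "&gt;", 4);   return 4;
    case '&': memcpy(out, "&amp;", 5);  return 5;
    case '"': memcpy(out, "&quot;", 6); return 6;
    default:
        if (xml_char_ok(b)) {
            *out = (char)b;
            return 1;
        }
        return (size_t)sprintf(out, "\\x%02X", b);   /* forbidden control byte */
    }
}

/* Escape str for use in XML character data or a quoted attribute value.
 * Pass 1 measures, pass 2 fills: one malloc, no reallocation per byte.
 * Returns a malloc'd NUL-terminated string; caller frees. */
char *xml_convert(const char *str)
{
    size_t need = 0, o = 0;
    char *out;
    for (const unsigned char *p = (const unsigned char *)str; *p; p++)
        need += escaped_len(*p);
    out = malloc(need + 1);
    if (out == NULL)
        return NULL;
    for (const unsigned char *p = (const unsigned char *)str; *p; p++)
        o += put_escaped(out + o, *p);
    out[o] = '\0';
    return out;
}

int main(void)
{
    /* constructed zone-transfer-style record containing a form feed (0x0C) */
    char *s = xml_convert("txt=\"a<b\" & c\x0c");
    if (s != NULL) {
        printf("%s\n", s);   /* txt=&quot;a&lt;b&quot; &amp; c\x0C */
        free(s);
    }
    return 0;
}
```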
 9118 
 9119 o Removed 9 OS detection device types which only had one or two
 9120   instances in our whole database (ATM, TV, oscilloscope, etc.) and
 9121   made some other cleanups as well. We plan to enhance this even
 9122   further for the next release. [Fyodor, David, Doug]
 9123 
 9124 o [Zenmap] Removed some unnecessary GTK+ files from the files
 9125   installed by the Windows executable installer. [David]
 9126 
 9127 o [Zenmap] Tweaked the file format of the topology icons
 9128   (firewall.png, padlock.png, etc.) in an attempt to improve
 9129   compatibility with some versions of GTK+. This may fix a crash like
 9130     File "radialnet/gui/Image.py", line 53, in get_pixbuf
 9131       self.__cache[icon + image_type] = gtk.gdk.pixbuf_new_from_file(file)
 9132     GError: Couldn't recognize the image file format for file 'radialnet/padlock.png'
 9133   Thanks to Trevor Bain for a report and help debugging. [David]
 9134 
 9135 o Removed a bunch of unnecessary files (mostly GTK related) from the
 9136   Win32 exe installer to reduce its size. [David]
 9137 
 9138 o Fixed an NSE crash (assertion error) which looked like
 9139   "nsock_core.c:293: handle_connect_result: Assertion `0'
 9140   failed". Brandon reported the bug, which was fixed by Doug and
 9141   David.  See http://seclists.org/nmap-dev/2009/q1/0546.html .
 9142 
 9143 Nmap 4.85BETA3 [2009-2-2]
 9144 
 9145 o Revert the temporary GTK DLL workaround (r11899) which added
 9146   duplicate DLL files to the distribution.  David found that using a
 9147   different GTK download fixed the problem (see
 9148   docs/win32-installer-zenmap-buildguide.txt) and Fyodor was able to
 9149   reproduce and implement.
 9150 
 9151 o The conditions for printing OS fingerprints to XML output are now
 9152   the same as are used to decide whether to print them in the other
 9153   formats. So they will be printed if submission is desirable,
 9154   otherwise they are only printed if debugging is enabled or verbosity
 9155   is 2 or higher. [Tom Sellers]
 9156 
 9157 o Removed some Brazilian poetry/lyrics from Zenmap source code
 9158   (NmapOutputViewer.py). We've seen enough of it in the debug logs. "E
 9159   nao se entrega, nao".
 9160 
 9161 o Fix Ncat compilation with the MingW windows compiler. [Gisle Vanem]
 9162 
 9163 o Corrected some NSE libraries (datafiles, tab) which were using the
 9164   old arg table interface. [Patrick]
 9165 
 9166 o [Zenmap] Fixed a crash that happened when running a scan directly
 9167   from the command wizard without saving a profile [David]:
 9168     NmapParser.py", line 417, in set_target
 9169       self.ops.target_specs = target.split()
 9170     AttributeError: 'NoneType' object has no attribute 'split'
 9171 
 9172 o Fixed an NSE pop3 library error which gave a message such as:
 9173   SCRIPT ENGINE (506.424s): ./scripts/pop3-capabilities.nse against
 9174   a.b.1.47:995 ended with error: ./scripts/pop3-capabilities.nse:32:
 9175   bad argument #1 to 'pairs' (table expected, got string) [Jah]
 9176 
 9177 o Upgraded the OpenSSL binaries shipped in our Windows installer to
 9178   version 0.9.8j. [Kris]
 9179 
 9180 o Updated IANA assignment IP list for random IP (-iR)
 9181   generation. [Kris]
 9182 
 9183 Nmap 4.85BETA2 [2009-1-29]
 9184 
 9185 o Added some duplicate GTK DLLs to Windows installer, as a temporary
 9186   fix for this issue: http://seclists.org/nmap-dev/2009/q1/0207.html
 9187   The problem caused a warning message complaining of problems finding
 9188   librsvg-2-2.dll to pop up 32 times before Zenmap would start.  We're
 9189   still looking for a better fix. [Fyodor, Rob, Jah]
 9190 
 9191 o Made a few improvements to nmap.xsl (details:
 9192   http://seclists.org/nmap-dev/2009/q1/0210.html) [Tom Sellers]
 9193 
 9194 o [Zenmap] New translation: French (contributed by Gutek)
 9195 
 9196 o Updated the mswin32 installer build guide and posted it to
 9197   https://svn.nmap.org/nmap/docs/win32-installer-zenmap-buildguide.txt [Fyodor]
 9198 
 9199 o The xampp-default-auth.nse script was renamed to ftp-brute.nse since
 9200   it has become more general.
 9201 
 9202 Nmap 4.85BETA1 [2009-1-23]
 9203 
 9204 o Added Ncat, a much-improved reimplementation of the venerable Netcat
 9205   tool which adds modern features and makes use of Nmap's efficient
 9206   networking libraries.  Features include SSL support, proxy
 9207   connections (client or server, socks4 or connect-based, with or
 9208   without authentication, optionally chained), TCP and UDP connection
 9209   redirection, connection brokering (facilitating connections between
 9210   machines which are behind NAT gateways), and much more.  It is
 9211   cross-platform (Linux, Windows, Mac, etc.) and supports IPv6 as well
 9212   as standard IPv4.  See https://nmap.org/ncat/ for details.  It is now
 9213   included in our binary packages (Windows, Linux, and Mac OS X), and
 9214   built by default.  You can skip it with the --without-ncat configure
 9215   option.  Thanks to Kris and David for their great work on this!
 9216 
 9217 o Added the Ndiff utility, which compares the results of two Nmap
 9218   scans and describes the new/removed hosts, newly open/closed ports,
 9219   changed operating systems, etc.  This makes it trivial to scan your
 9220   networks on a regular basis and create a report (XML or text format)
 9221   on all the changes.  See https://nmap.org/ndiff/ and ndiff/README for
 9222   more information. Ndiff is included in our binary packages and built
 9223   by default, though you can prevent it from being built by specifying
 9224   the --without-ndiff configure flag.  Thanks to David and Michael
 9225   Pattrick for their great work on this.
 9226 
 9227 o Released Nmap Network Scanning: The Official Nmap Project Guide to
 9228   Network Discovery and Security Scanning.  From explaining port
 9229   scanning basics for novices to detailing low-level packet crafting
 9230   methods used by advanced hackers, this book suits all levels of
 9231   security and networking professionals. A 42-page reference guide
 9232   documents every Nmap feature and option, while the rest of the book
 9233   demonstrates how to apply those features to quickly solve real-world
 9234   tasks.  It was briefly the #1 selling computer book on Amazon.
 9235   Translations to the German, Korean, and Brazilian Portuguese
 9236   languages are forthcoming.  More than half of the book is already
 9237   free online.  For more, see https://nmap.org/book/.
 9238 
 9239 o David spent more than a month working on algorithms to improve port
 9240   scan performance while retaining or improving accuracy.  The changes
 9241   are described at http://seclists.org/nmap-dev/2009/q1/0054.html . He
 9242   was able to reduce our "benchmark scan time" (which involves many
 9243   different scan types from many source networks to many targets) from
 9244   1879 seconds to 1321 without harming accuracy.  That is a 30% time
 9245   reduction!
 9246 
 9247 o Introduced the NSE documentation portal, which documents every NSE
 9248   script and library included with Nmap. See https://nmap.org/nsedoc/.
 9249   Script documentation was improved substantially in the process.
 9250   Scripts and libraries must use the new NSEDoc format, which is
 9251   described at https://nmap.org/book/nsedoc.html .  Thanks to Patrick
 9252   and David for their great work on this.
 9253 
 9254 o The 2nd Generation OS Detection System was dramatically improved for
 9255   improved accuracy.  After substantial testing, David and Fyodor made
 9256   the following changes:
 9257   - The "T" (TTL test) result ranges were widened to prevent minor
 9258     routing (and device hardware inconsistency) variations from causing
 9259     so many matches to fail.
 9260   - The TG (TTL guess) results were canonicalized. Nmap is only
 9261     capable of assigning the values 0x20, 0x40, 0x80, and 0xFF for
 9262     these tests, yet many fingerprints had different values.  This was
 9263     due to bugs in our fingerprint integration tools.
 9264   - The U1.TOS and IE.TOSI tests (both having to do with the IP Type
 9265     of Service field) have been effectively eliminated (MatchPoints
 9266     set to 0).  These proved particularly susceptible to false results
 9267     due to networking hardware along the packet route manipulating the
 9268     TOS header field.
 9269   - An important bug in OS detection's congestion control algorithms
 9270     was fixed.  It could lead to Nmap sending packets much too quickly
 9271     in some cases, which hurt accuracy.
 9272 
 9273 o Integrated all of your OS detection fingerprint submissions and
 9274   corrections up to January 8.  The DB has grown more than 17% to
 9275   1,761 fingerprints.  Newly detected services include Mac OS X
 9276   10.5.6, Linux 2.6.28, iPhone 2.1, and all manner of WAPs, VoIP
 9277   phones, routers, oscilloscopes, employee timeclocks, etc. Keep those
 9278   submissions coming!
 9279 
 9280 o Ron Bowes embarked on a massive MSRPC/NETBIOS project to allow Nmap
 9281   to interrogate Windows machines much more completely.  He added
 9282   three new nselib modules: msrpc, netbios, and smb. As the names
 9283   suggest, they contain common code for scripts using MSRPC, NetBIOS,
 9284   and SMB. These modules allow scripts to extract a great deal of
 9285   information from hosts running Windows, particularly Windows
 9286   2000. New or updated scripts using the modules are:
 9287   - nbstat.nse: get NetBIOS names and MAC address.
 9288   - smb-enum-domains.nse: enumerate domains and policies.
 9289   - smb-enum-processes.nse: allows a user with administrator
 9290     credentials to view a tree of the processes running on the
 9291     remote system (uses HKEY_PERFORMANCE_DATA hive).
 9292   - smb-enum-sessions.nse: enumerate logins and SMB sessions.
 9293   - smb-enum-shares.nse: enumerate network shares.
 9294   - smb-enum-users.nse: enumerate users and information about them.
 9295   - smb-os-discovery.nse: get operating system over SMB (replaces
 9296     netbios-smb-os-discovery.nse).
 9297   - smb-security-mode.nse: determine if a host uses user-level or
 9298     share-level security, and what other security features it
 9299     supports.
 9300   - smb-server-stats.nse: grab statistics such as network traffic
 9301     counts.
 9302   - smb-system-info.nse: get lots of information from the registry.
 9303 
 9304 o A problem that caused OS detection to fail for most hosts in a
 9305   certain case was fixed. It happened when sending raw Ethernet frames
 9306   (by default on Windows or on other platforms with --send-eth) to
 9307   hosts on a switched LAN. The destination MAC address was wrong for
 9308   most targets. The symptom was that only one out of each scan group
 9309   of 20 or 30 hosts would have a meaningful OS fingerprint. Thanks go
 9310   to Michael Head for running tests and especially Trent Snyder for
 9311   testing and finding the cause of the problem. [David]
 9312 
o Zenmap now runs ndiff for its "Compare Results" function. This
  completely replaces the old diff view. The diff window size is now
  more flexible for user resizing as well. [David]

o Added a Russian translation of the Nmap Reference Guide by Guz
  Alexander. We now have translations in 15 languages available from
  https://nmap.org/docs.html . More volunteer translators are welcome,
  as we are still missing some important languages. Translation
  instructions are available from that docs.html page.

o Update Windows installer to handle Windows 7 (tested with the Beta
  build 7000) [Rob Nicholls]

o Improved port scan performance by changing the list of high priority
  ports which Nmap shifts closer to the beginning of scans because
  they are more likely to be responsive.  We based the change on
  empirical data from large-scale scanning.  The new port list is:
    21, 22, 23, 25, 53, 80, 110, 111, 113, 135, 139, 143, 199, 256,
    443, 445, 554, 587, 993, 995, 1025, 1720, 1723, 3306, 3389, 5900,
    8080, 8888
  [Fyodor, David]

o [NSE] Almost all scripts were renamed to be more consistent.  They
  are now all lowercase and most of them start with the name of the
  service they query.  Words are separated by hyphens. [David,
  Fyodor]

o [NSE] Now that scripts are better named, the "Id" field has been
  removed and the script name (sans the .nse or directory path
  information) is used in script output instead. [David]

o [NSE] Added banner.nse, a simple script which connects to open TCP
  ports and prints out anything sent in the first five seconds by the
  listening service. [Jah]

o [NSE] Added a new OpenSSL library with functions for multiprecision
  integer arithmetic, hashing, HMAC, symmetric encryption and
  symmetric decryption. [Sven]

o [Zenmap] Internationalization has been fixed [David]. Currently
  Zenmap has two translations:
    - German by Chris Leick
    - Brazilian Portuguese by Adriano Monteiro Marques (partial)
  For details on using an existing translation or localizing Zenmap
  into your own native language, see
  https://nmap.org/book/zenmap-lang.html . [David]

o Zenmap no longer outputs XML elements and attributes that are not in
  the Nmap XML DTD. This was done mostly by removing things from
  Zenmap's output, and adding a few new optional things to the Nmap
  DTD. A scan's profile name, host comments, and interactive text
  output are what were added to nmap.dtd. The .usr filename extension
  for saved Zenmap files is deprecated in favor of the .xml extension
  commonly used with Nmap. Because of these changes the
  xmloutputversion has been increased to 1.03. [David]

o The NSE registry now persists across host groups so that values
  stored in it will remain until they are explicitly removed or Nmap
  execution ends. [David]

o Enhanced the AS Numbers script (ASN.nse) to better consolidate
  results and bail out if the DNS server doesn't support the ASN
  queries. [Jah]

o Complete re-write of the marshaling logic for Microsoft RPC calls.
  [Ron Bowes]

o Added a script that checks for ms08-067-vulnerable hosts
  (smb-check-vulns.nse) using the smb nselib. It also checks for an
  unfixed denial of service vulnerability Ron discovered in the
  Windows 2000 registry service. [Ron Bowes]

o [Zenmap] Text size is larger on Mac OS X thanks to a new included
  gtkrc file. [David]

o Reduced memory consumption for some longer-running scans by removing
  completed hosts from the lists after two minutes.  These hosts are
  kept around in case there is a late response, but this draws the
  line on how long we wait and hence keep this information in memory.
  See http://seclists.org/nmap-dev/2008/q3/0902.html for more. [Kris]

o The Windows installer now uses Zenmap binaries built using Python
  2.6.1 rather than 2.5.1 [Fyodor]

o When a system route can't be matched up directly with an interface
  by comparing addresses, Nmap now tries to match the route through
  another route. This helps for instance with a PPP connection where
  the default route's gateway address is routed through a different
  route, the one associated with the address of the PPP device. The
  problem would show itself as an inability to scan through the
  default route and the error message
    WARNING: Unable to find appropriate interface for system route to ...
  [David]

o Removed a code comment which simply declared /* WANKER ALERT! */ for
  no good reason. [Fyodor]

o NSE prints messages in debugging mode whenever a script starts or
  finishes. [Patrick, David]

o [Ncat] The -l option can now be specified w/o a port number to
  listen on Ncat's default port number (31337).

o [Zenmap] The Nmap output window now scrolls automatically as a scan
  progresses. [David]

o [NSE] We now have a canonical way for scripts to check for
  dependency libraries such as OpenSSL.  This allows them to handle
  the issue gracefully (by exiting or doing some of their work if
  possible) rather than flooding the console with error messages as
  before. See https://nmap.org/nsedoc/lib/openssl.html . [Pattrick,
  David, Fyodor]

o Nmap now reports a proper error message when you combine an IPv6
  scan (-6) with random IPv4 address selection (-iR). [Henri Doreau]

o Nmap now builds with the _FORTIFY_SOURCE=2 define.  With modern
  versions of GCC, this adds extra buffer overflow protection and
  other security checks.  It is described at
  http://gcc.gnu.org/ml/gcc-patches/2004-09/msg02055.html . [David,
  Doug]

o The --excludefile option correctly handles files with no terminating
  newline instead of claiming "Exclude file line 0 was too long to
  read." [Henri Doreau]

o [NSE] Changed the datafiles library to remove constraining input
  checks, move nmap.fetch_file() to read_from_file(), and make
  get_array() and get_assoc_array() into normal functions. [Sven]

o [NSE] Fixed some bugs and typos in the datafiles library. [Jah]

o Nsock handles a certain Windows connect error, WSAEADDRNOTAVAIL
  (errno 10049), preventing an assertion failure that looked like
    Strange connect error from 203.65.42.255 (10049): No such file or directory
    Assertion failed: 0, file .\src\nsock_core.c, line 290
  The error could be seen by running a version scan against a
  broadcast address. Thanks to Tilo Köppe and James Liu for reporting
  the problem. [David]

o An "elapsed" attribute has been added to the XML output (in the
  "finished" tag), representing the total Nmap scanning time in
  seconds (floating point). [Kris]

o Fixed a division by zero error in the packet rate measuring code
  that could cause a display of infinity packets per second near the
  start of a scan. [Jah]

o Substantially updated the Nmap Scripting Engine guide/chapter
  (https://nmap.org/book/nse.html) so that it is up-to-date with all
  the latest NSE improvements.

o Fixed a bug in the IP validation code which would have let a specially
  crafted reply sent from a host on the same LAN slip through and cause
  Nmap to segfault.  Thanks to ithilgore of sock-raw.homeunix.org for
  the very detailed bug report. [Kris]

o [Zenmap] The crash reporter further enhances user privacy by showing
  all the information that will be submitted so you can edit it to
  remove identifying information such as the name of your home
  directory. If you provide an email address the report will be marked
  private so it will not appear on the public bug tracker. [David]

o [Zenmap] Zenmap now parses and records XSL stylesheet information
  from Nmap XML files, so files saved by Zenmap will be viewable in a
  web browser just like those produced by Nmap. [David]

o A possible Lua stack overflow in the DNS module was fixed. Lua detects
  these sorts of overflows and quits. [David]

o [NSE] Improved html-title script to support http-alt and https-alt
  (with SSL) and to handle a wider variety of redirects. [Jah]

o NSE scripts that require a list of DNS servers (currently only
  ASN.nse) now work when IPv6 scanning. Previously it gave an error
  message: "Failed to send dns query.  Response from dns.query(): 9".
  [Jah, David]

o [Zenmap] Added a workaround for a crash
    GtkWarning: could not open display
  on Mac OS X 10.5. The problem is caused by setting the DISPLAY
  environment variable in one of your shell startup files; that
  shouldn't be done under 10.5 and removing it will make other
  X11-using applications work better. Zenmap will now handle the
  situation automatically. [David]

o http-auth.nse now properly checks for default authentication
  credentials. A bug prevented it from working before. [Vlatko
  Kosturjak]

o Renamed irc-zombie.nse to auth-spoof and improved its description
  and output a bit. [Fyodor]

o Removed some unnecessary "demo" category NSE scripts: echoTest,
  chargenTest, showHTTPVersion, and showSMTPVersion.nse.  Moved
  daytimeTest from the "demo" category to "discovery".  Removed
  showHTMLTitle from the "demo" category, but it remains in the
  "default" and "safe" categories. This leaves just smtp-open-relay in
  the undocumented "demo" category. [Fyodor]

o [NSE] Removed ripeQuery.nse because we now have the much more robust
  whois.nse which handles all the major registries. [Fyodor]

o [NSE] Removed showSSHVersion.nse. Its only real claim to fame was
  the ability to trick some SSH servers (including at least OpenSSH
  4.3p2-9etch3) into not logging the connection.  This trick doesn't
  seem to work with newer versions of OpenSSH, as my
  openssh-server-4.7p1-4.fc8 does log the connection. Without the
  stealth advantage, the script has no real benefit over version
  detection or the upcoming banner grabbing script. [Fyodor]

o [Zenmap] Profile updates: The -sS option was added to the "Intense
  scan plus UDP" and "Slow comprehensive scan" profiles.  The -PN (ping
  only) option was added to "Quick traceroute". [David]

o [NSE] The smtp-commands script output is now more compact. [Jasey
  DePriest, David]

o [Zenmap] Added a simple workaround for a bug in PyXML (an add-on
  Python XML library) that caused a crash. The crash would happen when
  loading an XML file and looked like "KeyError: 0". [David]

o A crash caused by an incorrect test condition was fixed. It would
  happen when running a ping scan other than a protocol ping, without
  debugging enabled, if an ICMP packet was received referring to a
  packet that was not TCP, UDP, or ICMP. Thanks to Brandon Enright and
  Matt Castelein for reporting the problem. [David]

o [Zenmap] The keyboard shortcut for "Save to Directory" has been
  changed from Ctrl+v to Ctrl+Alt+s so as not to conflict with the
  usual paste shortcut. [Jah, Michael]

o Nmap now quits if you give a "backwards" port or protocol range like
  -p 20-10. The issue was noted by Arturo "Buanzo" Busleiman. [David]

o Fixed a bug which caused Nmap to infer an improper distance against
  some hosts when performing OS detection against a group whose
  distance varies between members. [David, Fyodor]

o [Zenmap] Host information windows are now like any other windows,
  and will not become unclosable by having their controls offscreen.
  Thanks to Robert Mead for the bug report.

o [NSE] showHTMLTitle can now follow (non-standard) relative
  redirects, and may do a DNS lookup to find if the redirected-to host
  has the same IP address as the scanned host. [Jah]

o [NSE] Enhanced the tohex() function in the stdnse library to support
  strings and added options to control the formatting. [Sven]

o [NSE] The http module tries to deal with non-standards-compliant
  HTTP traffic, particularly responses in which the header fields are
  separated by plain LF rather than CRLF. [Jah, Sven]

o [Zenmap] The help function now properly converts the pathname of the
  local help file to a URL, for better compatibility with different
  web browsers. [David]
  This should fix the crash
    WindowsError: [Error 2] The system cannot find the file specified:
    'file://C:\\Program Files\\Nmap\\zenmap\\share\\zenmap\\docs\\help.html'

o [NSE] Fixed a number of small bugs in the Nmap library
  (nse_nmaplib.cc), as described at
  http://seclists.org/nmap-dev/2008/q4/0663.html [Patrick]

o The HTTP_open_proxy.nse script was updated to match Google Web
  Server's changed header field: "Server: gws" instead of
  "Server: GWS/".  [Vlatko Kosturjak]

o Enhanced the ssh service detection signatures to properly
  detect protocol version 2 services. [Matt Selsky]

o Nsock now uses fselect() to work around problems with select() not
  working properly on non-socket descriptors on Windows.  This was
  needed for Ncat to work properly on that platform. See
  http://seclists.org/nmap-dev/2008/q3/0766.html . [Kris]

o Removed trailing null bytes from Ncat's responses in HTTP proxy
  mode. [David]

o [NSE] daytime.nse now runs against TCP ports in addition to the UDP
  ports it already handled. The output format was also
  improved. [David]

o XML output now contains the full path to nmap.xml on Windows. The
  path is converted to a file:// URL to provide better compatibility
  across browsers. [Jah]

o Made DNS timeouts in NSE a bit more aggressive at higher timing
  levels such as -T4 and -T5. [Jah]

o A script could be executed twice if it was given with the --script
  option, also in the "version" category, and version detection (-sV)
  was requested. This has been fixed. [David]

o Fixed port number representation in some Nmap and Nsock message
  output.  Incorrect conversion modifiers caused high ports to wrap
  around and be shown as negative values. [Kris]

o Upgraded the shipped libdnet library to version 1.12 (with our
  modifications). [Kris]

o Upgraded the OpenSSL binaries shipped in our Windows installer to
  version 0.9.8i. [Kris]

o [NSE] The SSLv2-support script no longer prints duplicate cyphers if
  they exist in the server's supported cypher list. [Kris]

o Fix compilation w/IPv6 support on Solaris by checking for inet_addr
  in -lnsr before using APR_CHECK_WORKING_GETNAMEINFO in
  configure. [David]

o Removed the nbase_md5.* and nbase_sha1.* files because our
  new nse_openssl library includes that functionality. [David]

o The robots.txt NSE script is now silent when there are no
  interesting results, rather than printing that robots.txt "is empty
  or has no disallowed entries". [Kris]

o Fixed a file (socket) descriptor leak which could occur when connect
  scan probes receive certain unusual error messages (including
  EHOSTUNREACH, and EHOSTDOWN). This led to error messages such as
  "Socket creation in sendConnectScanProbe: Too many open files (24)"
  [David]

o [Zenmap] Made floating host details windows into normal top-level
  windows. This avoids a problem where the edge of a window could be
  off the edge of a screen and it would not be closable. The bug was
  reported by Robert Mead. [David]

o Use TIMEVAL_AFTER(...) instead of TIMEVAL_SUBTRACT(...) > 0 when
  deciding whether a probe response counts as a drop for scan delay
  purposes.  This prevents an integer overflow which could
  substantially degrade scan performance. [David]
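
  The overflow behind the TIMEVAL_AFTER change above, as an added
  illustration that is not Nmap's own code: a difference computed as
  signed microseconds wraps negative once the gap exceeds about 35
  minutes in 32-bit arithmetic (the 32-bit width is forced here so the
  wrap reproduces on any host), so a "> 0" test reports a late response
  as not late, while comparing seconds first and then microseconds
  cannot wrap. The macro shapes and the deadline value are constructed
  for this example.

```c
#include <stdint.h>
#include <stdbool.h>
#include <sys/time.h>   /* struct timeval */

/* Naive elapsed-time check in the style of TIMEVAL_SUBTRACT(a, b) > 0.
   The product is deliberately computed in 32 bits (constructed for this
   example) so the wrap-around is reproducible regardless of sizeof(long).
   Unsigned arithmetic keeps the wrap well-defined before the cast back. */
static int32_t timeval_subtract_us32(struct timeval a, struct timeval b) {
    uint32_t secs = (uint32_t)(a.tv_sec - b.tv_sec);
    uint32_t usec = (uint32_t)(a.tv_usec - b.tv_usec);
    return (int32_t)(secs * 1000000u + usec);
}

/* Overflow-free ordering test in the style of TIMEVAL_AFTER(a, b):
   compare whole seconds first, then microseconds within that second. */
static bool timeval_after(struct timeval a, struct timeval b) {
    return a.tv_sec > b.tv_sec ||
           (a.tv_sec == b.tv_sec && a.tv_usec > b.tv_usec);
}

/* Build a timeval 'secs' seconds and 'usecs' microseconds after 'base',
   carrying microseconds into seconds so tv_usec stays below 1000000. */
static struct timeval tv_plus(struct timeval base, long secs, long usecs) {
    struct timeval r;
    r.tv_sec = base.tv_sec + secs;
    r.tv_usec = base.tv_usec + usecs;
    while (r.tv_usec >= 1000000) {
        r.tv_usec -= 1000000;
        r.tv_sec += 1;
    }
    return r;
}

/* Constructed deadline shared by both verdict functions. */
static const struct timeval DEADLINE = { 1234567890, 500000 };

/* Microsecond difference as the naive 32-bit code sees it for a response
   arriving late_secs/late_usecs after the deadline. */
int32_t naive_elapsed_us(long late_secs, long late_usecs) {
    return timeval_subtract_us32(tv_plus(DEADLINE, late_secs, late_usecs),
                                 DEADLINE);
}

/* "Counts as a drop" verdict using the naive subtraction: wrong once the
   wrapped difference turns negative. */
bool drop_naive(long late_secs, long late_usecs) {
    return naive_elapsed_us(late_secs, late_usecs) > 0;
}

/* Same verdict using the field-wise comparison: correct for any gap. */
bool drop_safe(long late_secs, long late_usecs) {
    return timeval_after(tv_plus(DEADLINE, late_secs, late_usecs), DEADLINE);
}
```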

o Reorganized macosx/Makefile to make it easier to add in new packages
  such as Ncat and Ndiff. Also removed the bogus clean-nmap and
  clean-zenmap targets. [David]

o [Zenmap] Fixed a crash related to the use of NmapOptions in
  ScanNotebook.py using the old interface (ops.num_random_targes,
  ops.input_filename) rather than the newer dict-style
  interface. [Jah]

o Split parallel DNS resolution and system DNS resolution into
  separate functions. Previously system DNS resolution was encapsulated
  inside the parallel DNS function, inside a big if block. Now the if
  is on the outside and decides which of the two functions to
  call. [David]

o [NSE] Remove "\r\r" in script output. If you print "\r\n", the
  Windows C library will transform it to "\r\r\n". So we just print
  "\n" with no special case for Windows.  Also fixed
  showSMTPversion.nse so that it doesn't print "\r\r" in the first
  place. [David]

o Updated IANA assignment IP list for random IP (-iR)
  generation. [Kris]

o OS scan point matching code can now handle tests worth zero
  points. We now assign zero points to ignore a couple tests which
  proved ineffective. [David]

o [Zenmap] Catch the exceptions that are caused when there's no XML
  output file, an empty one, or one that's half-complete. You can
  cause these three situations, respectively, with: "nmap -V", "nmap
  --iflist", or "nmap 0".  Also remove the target requirement for scans
  because you should be able to run commands such as "nmap --iflist"
  from Zenmap. [David]

o [Zenmap] Guard against the topology graph becoming empty in the
  middle of an animation.  This could happen if you removed a scan
  from the list of scans during an animation. The error looked like:
    File "usr/lib/python2.5/site-packages/radialnet/gui/RadialNet.py",
    line 1533, in __livens_up AttributeError: 'NoneType' object has no
    attribute 'get_nodes'
  [David]

o [Zenmap] Fixed a crash which could occur when you entered a command
  containing only whitespace.  David fixed various other possible
  crashes found in the crash report tracker too.  Zenmap users really
  are capable of finding every possible edge case which could cause a
  crash :).

Nmap 4.76 [2008-9-12]

o There is a new "external" script category, for NSE scripts which
  rely on a third-party network resource. Scripts that send data to
  anywhere other than the target are placed in this category. Initial
  members are ASN.nse, dns-safe-recursion-port.nse,
  dns-safe-recursion-txid.nse, ripeQuery.nse, HTTP_open_proxy.nse, and
  whois.nse [David]

o [Zenmap] A crash was fixed that affected Windows users with
  non-ASCII characters in their user names. [David]
  The error looked like this (with many variations):
    UnicodeDecodeError: 'utf8' codec can't decode byte 0x9c in position 28:
    unexpected code byte

o [Zenmap] Several corner-case crashes were fixed: [David]
    File "radialnet\gui\NodeNotebook.pyo", line 429, in __create_widgets
    KeyError: 'tcp'
    File "radialnet\gui\RadialNet.pyo", line 1531, in __livens_up
    AttributeError: 'NoneType' object has no attribute 'get_nodes'
    File "zenmapGUI\MainWindow.pyo", line 308, in _create_ui_manager
    GError: Odd character '\'
    File "radialnet/gui/ControlWidget.py", line 104, in __create_widgets
    AttributeError: 'module' object has no attribute 'STOCK_INFO'
    File "radialnet\util\integration.pyo", line 385, in make_graph_from_hosts
    KeyError: 'hops'

o [Zenmap] A crash was fixed that happened when opening the Hosts
  Viewer with an empty list of hosts. [David]
  The error message was
    File "radialnet\gui\HostsViewer.pyo", line 167, in __cursor_callback
    TypeError: GtkTreeModel.get_iter requires a tree path as its argument

o Improved rpcinfo.nse to correctly parse a wider variety of server
  responses. [Sven Klemm]

o [Zenmap] Fixed a data encoding bug which could cause the crash
  reporter itself to crash! [David]

o Nmap's Windows self-installer now correctly registers/deletes the
  npf (WinPcap) service during install/uninstall. Also the silent
  install mode was improved to avoid a case where the WinPcap
  uninstaller was (non-silently) shown. [Rob Nicholls]

o Nmap's Windows self-installer now checks whether the MS Visual C++
  runtime components have already been installed to avoid running it
  again (which doesn't hurt anything, but slows down
  installation). [Rob Nicholls]

o Fixed an assertion failure where raw TCP timing ping probes were
  wrongly used during a TCP connect scan:
    nmap: scan_engine.cc:2843: UltraProbe* sendIPScanProbe(UltraScanInfo*,
    HostScanStats*, const probespec*, u8, u8):
    Assertion `USI->scantype != CONNECT_SCAN' failed.
  Thanks to LevelZero for the report. [David]

o Update the NSE bit library to replace deprecated use of
  luaL_openlib() with luaL_register(). This fixes a build error which
  occurred on systems which have Lua libraries installed but
  LUA_COMPAT_OPENLIB not defined [Sven]

o [Zenmap] The automatic crash reporter no longer requires an email
  address. [David]

o [Zenmap] Highlighting of hostnames was improved to avoid wrongful
  highlighting of certain elapsed times, byte counts, and other
  non-hostname data. The blue highlight effects are now more subtle
  (no longer bold, underlined, or italic) [David]

o [Zenmap] A warning that would occur when a host had the same service
  running on more than one port was removed. Thanks to Toralf Förster
  for the bug report. [David]
    GtkWarning: gtk_box_pack_start: assertion `child->parent == NULL' failed
      self.pack_start(widget, expand=False, fill=False)

Nmap 4.75 [2008-9-7]

o [Zenmap] Added a new Scan Topology system. The idea is that if we
  are going to call Nmap the "Network Mapper", it should at least be
  able to draw you a map of the network!  And that is what this new
  system does. It was achieved by integrating the RadialNet Nmap
  visualization tool (http://www.dca.ufrn.br/~joaomedeiros/radialnet),
  into Zenmap. Joao Medeiros has been developing RadialNet for more
  than a year. For details, complete with some of the most beautiful
  Zenmap screen shots ever, visit
  https://nmap.org/book/zenmap-topology.html . The integration work was
  done by SoC student Vladimir Mitrovic and his mentor David Fifield.

o [Zenmap] Another exciting new Zenmap feature is Scan Aggregation.
  This allows you to visualize and analyze the results of multiple
  scans at once, as if they were from one Nmap execution. So you might
  scan one network, analyze the results a bit, then scan some of the
  machines more intensely or add a completely new subnet to the
  scan. The new results are seamlessly added to the old, as described
  at https://nmap.org/book/zenmap-scanning.html#aggregation. [David,
 9792   Vladimir]
 9793 
 9794 o Expanded nmap-services to include information on how frequently each
 9795   port number is found open.  The results were generated by scanning
 9796   tens of millions of IPs on the Internet this summer, and augmented
 9797   with internal network data contributed by some large
 9798   organizations. [Fyodor]
 9799 
 9800 o Nmap now scans the most common 1,000 ports by default in either
 9801   protocol (UDP scan is still optional).  This is a decrease from
 9802   1,715 TCP ports and 1,488 UDP ports in Nmap 4.68.  So Nmap is faster
 9803   by default and, since the port selection is better thanks to the
 9804   port frequency data, it often finds more open ports as
 9805   well. [Fyodor]
 9806 
 9807 o Nmap fast scan (-F) now scans the top 100 ports by default in either
 9808   protocol.  This is a decrease from 1,276 (TCP) and 1,017 (UDP) in
 9809   Nmap 4.68. Port scanning time with -F is generally an order of
 9810   magnitude faster than before, making -F worthy of its "fast scan"
 9811   moniker. [Fyodor]
 9812 
 9813 o The --top-ports option lets you specify the number of ports you wish
 9814   to scan in each protocol, and will pick the most popular ports for
 9815   you based on the new frequency data.  For both TCP and UDP, the top
 9816   10 ports gets you roughly half of the open ports.  The top 1,000
 9817   (out of 65,536 possible) finds roughly 93% of the open TCP ports and
 9818   more than 95% of the open UDP ports. [Fyodor, Doug Hoyte]
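
  The frequency column that the three entries above describe is what
  lets --top-ports and -F choose ports. The following Python is an
  added example written for this page, not Nmap's own code (Nmap does
  this in C++): it parses lines in nmap-services format, ranks the
  ports of one protocol by open-frequency, and reports how much of the
  total frequency mass a chosen set of ports covers. The sample lines
  and their frequency values are constructed for illustration and are
  not taken from the real nmap-services file.

```python
"""Rank ports by open-frequency, in the spirit of --top-ports (added example)."""

# Constructed sample in nmap-services format: name  port/proto  frequency  # comment
# The frequencies are made up for this example, not copied from Nmap's file.
SAMPLE_NMAP_SERVICES = """\
# Fields: name, port/protocol, open-frequency, optional comment
http        80/tcp    0.484143  # World Wide Web HTTP
telnet      23/tcp    0.221265
https       443/tcp   0.208669
ftp         21/tcp    0.197667
ssh         22/tcp    0.182286
smtp        25/tcp    0.131314
unknown     49152/tcp 0.000010
domain      53/udp    0.213496
snmp        161/udp   0.433467
ntp         123/udp   0.330879
netbios-ns  137/udp   0.365163
dhcps       67/udp    0.228010
malformed line without a frequency
"""

VALID_PROTOCOLS = ("tcp", "udp", "sctp")


def parse_nmap_services(text):
    """Yield (name, port, proto, frequency) for each well-formed data line.

    Comment-only and blank lines are skipped. Lines that lack a numeric
    frequency column (pre-4.75 files had none) or carry an out-of-range
    port are skipped rather than aborting the whole parse.
    """
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop trailing comments
        if not line:
            continue
        fields = line.split()
        if len(fields) < 3:
            continue
        name, portproto, freq = fields[0], fields[1], fields[2]
        try:
            port_s, proto = portproto.split("/", 1)
            port = int(port_s)
            frequency = float(freq)
        except ValueError:
            continue
        if not 0 <= port <= 65535 or proto not in VALID_PROTOCOLS:
            continue
        yield name, port, proto, frequency


def top_ports(text, n, proto):
    """Return the n most frequently open ports for proto, highest first.

    Ties are broken by ascending port number so the result is deterministic.
    """
    entries = [(f, p) for _, p, pr, f in parse_nmap_services(text) if pr == proto]
    entries.sort(key=lambda e: (-e[0], e[1]))
    return [p for _, p in entries[:n]]


def coverage(text, ports, proto):
    """Fraction of the protocol's total open-frequency mass covered by ports.

    This is the quantity behind statements such as "the top 1,000 ports
    find roughly 93% of open TCP ports".
    """
    by_port = {p: f for _, p, pr, f in parse_nmap_services(text) if pr == proto}
    total = sum(by_port.values())
    if total == 0:
        return 0.0
    return sum(by_port.get(p, 0.0) for p in ports) / total


if __name__ == "__main__":
    for proto in ("tcp", "udp"):
        chosen = top_ports(SAMPLE_NMAP_SERVICES, 3, proto)
        print(proto, chosen, "%.1f%%" % (100 * coverage(SAMPLE_NMAP_SERVICES, chosen, proto)))
```

  Run against a real nmap-services file, coverage() gives a quick way
  to reason about what a reduced port list (a -F scan, or an internal
  baseline scan) is likely to miss before relying on it.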

o David integrated all of your OS detection fingerprint and correction
  submissions from March 11 until mid-July.  In the process, we
  reached the 1500-signature milestone for the 2nd generation OS
  detection system. We can now detect the newest iPhones, Linux
  2.6.25, OS X Darwin 9.2.2, Windows Vista SP1, and even the Nintendo
  Wii. Nmap now has 1,503 signatures, vs. 1,320 in 4.68. Integration
  is now faster and more pleasant thanks to the new OSassist
  application developed by Nmap SoC student Michael Pattrick. See
  http://seclists.org/nmap-dev/2008/q3/0089.html and
  http://seclists.org/nmap-dev/2008/q3/0139.html for more details.

o Nmap now works with Windows 2000 again, after being broken by our
  IPv6 support improvements in version 4.65. A couple new dependencies
  are required to run on Win2K, as described at
  https://nmap.org/book/inst-windows.html#inst-win2k .

o [Zenmap] Added a context-sensitive help system to the Profile
  Editor.  You can now mouse-over options to learn more about what
  they are used for and their proper argument syntax. [Jurand Nogiec]

o When Nmap finds a probe during ping scan which elicits a response,
  it now saves that information for the port scan and later phases.
  It can then "ping" the host with that probe as necessary to collect
  timing information even if the host is not responding to the normal
  port scan packets. Previously, Nmap's port scan timing pings could
  only use information gathered during that port scan itself.  A
  number of other "port scan ping" system improvements were made at
  the same time to improve performance against firewalled hosts. For
  full details, see http://seclists.org/nmap-dev/2008/q3/0647.html
  [David, Michael, Fyodor]

o --traceroute now uses the timing ping probe saved from host
  discovery and port scanning instead of finding its own probe. The
  timing ping probe is always the best probe Nmap knows about for
  eliciting a response from a target. This will have the most effect
  on traceroute after a ping scan, where traceroute would sometimes
  pick an ineffective probe and traceroute would fail even though the
  target was up. [David]

o Added dns-safe-recursion-port and dns-safe-recursion-txid
  (non-default NSE scripts) which use the 3rd party dns-oarc.net
  lookup to test the source port and transaction ID randomness of
  discovered DNS servers (assuming they allow recursion at all).
  These scripts, which test for the "Kaminsky" DNS bugs, were
  contributed by Brandon Enright.

o Added whois.nse, which queries the Regional Internet Registries
  (RIRs) to determine who the target IP addresses are assigned
  to. [Jah]

o [Zenmap] Overhauled the default list of scan profiles based on
  nmap-dev discussion.  Users now have a much more diverse and useful
  set of default profile options. And if they don't like any of those
  canned scan commands, they can easily create their own in the
  Profile Editor! [David]

o Fyodor made a number of performance tweaks, such as:
  - increase host group sizes in many cases, so Nmap will now commonly
    scan 64 hosts at a time rather than 30
  - align host groups with common network boundaries, such as /24 or
    /25
  - Increase maximum per-target port-scan ping frequency to one every
    1.25 seconds rather than every five. Port scan pings happen
    against heavily firewalled hosts and the like when Nmap is not
    receiving enough responses to normal scan to properly calculate
    timing variables and detect packet drops.

o Added a new NSE binlib library, which offers bin.pack() and
  bin.unpack() functions for dealing with storing values in and
  extracting them from binary strings.  For details, see
  https://nmap.org/book/nse-library.html#nse-binlib . [Philip
  Pickering]

o Added a new NSE DNS library. See this thread:
  http://seclists.org/nmap-dev/2008/q3/0310.html [Philip Pickering]

o Added new NSE libraries for base64 encoding, SNMP, and POP3 mail
  operations.  They are described at
  http://seclists.org/nmap-dev/2008/q3/0233.html . [Philip Pickering]

o Added NSE scripts popcapa (retrieves POP3 server capabilities) and
  brutePOP3 (brute force POP3 authentication cracker) which make use
  of the new POP3 library. [Philip Pickering]

o Added the SNMPcommunitybrute NSE script, which is a brute force
  community string cracker. Also modified SNMPsysdescr to use the new
  SNMP library. [Philip Pickering]

o Fixed the SMTPcommands script so that it can't return multiple
  values (which was causing problems). Thanks to Jah for tracking down
  the problem and sending a fix for SMTPcommands. Then Patrick fixed
  NSE so it can handle misbehaving scripts like this without causing
  mysterious side effects.

o Added a new NSE Unpwdb (username/password database) library for
  easily obtaining usernames or passwords from a list.  The functions
  usernames() and passwords() return a closure which returns a new
  list entry with every call, or nil when the list is exhausted.  You
  can specify your own username and/or password lists via the script
  arguments userdb and passdb, respectively. [Kris]

o Nmap's Nsock-utilizing subsystems (DNS, NSE, version detection) have
  been updated to support the -S and --ip-options flags. [Kris]

o A new --max-rate option was added, which complements --min-rate. It
  allows you to specify the maximum byte rate that Nmap is allowed to
  send packets. [David]

o Added --ip-options support for the connect() scan (-sT). [Kris]

o Nsock now supports binding to a local address and setting IPv4
  options with nsi_set_localaddr() and nsi_set_ipoptions(),
  respectively. [Kris]

o Added IPProto Ping (-PO) support to Traceroute, and fixed support for
  IPProto Scan (-sO) and the ICMP Pings (-PE, -PP, -PM) in Traceroute
  as well.  These could cause Nmap to hang during Traceroute. [Kris]

o [Zenmap] Added a "Cancel" button for cancelling a scan in progress
  without losing any Nmap output obtained so far. [Jurand Nogiec]

o Improved the netbios-smb-os-discovery NSE script to refine its
  target port selection and to also decode the system's timestamp from
  an SMB response. [Ron at SkullSecurity]

o Nmap now avoids collapsing large numbers of ports in open|filtered
  state (e.g. just printing that 500 ports are in that state rather
  than listing them individually) if verbosity or debugging levels are
  greater than two.  See this thread:
  http://seclists.org/nmap-dev/2008/q3/0312.html . [Fyodor]

o The NSE http library now supports chunked encoding. [Sven Klemm]

o The NSE datafiles library now has generic file parsing routines, and
  the parsing of the standard nmap data files (e.g. nmap-services,
  nmap-protocols, etc.) now uses those generic routines.  NSE scripts
  and libraries may find them useful for dealing with their own data
  files, such as password lists. [Jah]

o Passed the big revision 10,000 milestone in the Nmap project SVN
  server: http://seclists.org/nmap-dev/2008/q3/0682.html

o Added some Windows and MinGW compatibility patches submitted by
  Gisle Vanem.

o Improved nse_init so that compilation/runtime errors in NSE scripts
  no longer cause the script engine to abort. [Patrick]

o Fix a cosmetic bug in --script-trace hex dump output which resulted
  in bytes with the highest bit set being prefixed with ffffff. [Sven
  Klemm]

o Removed the nselib-bin directory. The last remaining shared NSE
  module, bit, has been made static by Patrick. Shared modules were
  broken for static builds of Nmap, such as those in the RPMS. We also
  had the compilation problems (particularly on OpenBSD) with shared
  modules which led us to make PCRE static a while back. [David]

o Updated rpcinfo NSE script to use the new pack/unpack (binlib)
  functions, use the new tab library, include better documentation, and
  fix some bugs. [Sven Klemm]

o Add useful details to the error message printed when an NSE script
  fails to load (due to syntax error, etc.) [Patrick]

o Fix a bug in the NSE http library which would cause some scripts to
  give the error: SCRIPT ENGINE: C:\Program
  Files\Nmap\nselib/http.lua:77: attempt to call field 'parse' (a nil
  value) [Jah]

o Fixed a couple of Makefile problems (race condition) which could
  lead to build failures when launching make in parallel mode (e.g.
  -j4). [Michal Januszewski, Chris Clements]

o Added new addrow() function to NSE tab library.  It allows
  developers to add a whole row at once rather than doing a separate
  add() call for each column in a row. [Sven Klemm]

o Completion time estimates provided in verbose mode or when you hit a
  key during scanning are now more accurate thanks to algorithm
  improvements by David.

o Fixed a number of NSE scripts which used print_debug()
  incorrectly. See
  http://seclists.org/nmap-dev/2008/q3/0470.html . [Sven Klemm]

o [Zenmap] The Ports/Hosts view now provides full version detection
  values rather than just a simple summary. [Jurand Nogiec]

o [Zenmap] When you edit the command-entry field, then change the
  target selection, Nmap no longer blows away your edits in favor of
  using your current profile. [Jurand Nogiec]

o Nsock now returns data from UDP packets individually, preserving the
  packet boundary, rather than concatenating the data from multiple
  packets into a single buffer.  This fixes a problem related to our
  reverse-DNS system, which can only handle one DNS packet at a time.
  Thanks to Tim Adam of ManageSoft for debugging the problem and
  sending the patch.  Doug Hoyte helped with testing, and it was
  applied by Fyodor.

o [Zenmap] Fixed a crash which would occur when you try to compare two
  files, either of which has more than one extraports element. [David]

o Added the undocumented (except here) --nogcc option which disables
  global/group congestion control algorithms and so each member of a
  scan group of machines is treated separately.  This is just an
  experimental option for now. [Fyodor]

o [Zenmap] The Ports/Hosts display now has different colors for open
  and closed ports. [Vladimir]

o Fixed Zenmap so that it displays all Nmap errors.  Previously, only
  stdout was redirected into the window, and not stderr.  Now they are
  both redirected. [Vladimir]

o NSE can now be used in combination with ping scan (e.g. "-sP
  --script") so that you can execute host scripts without needing to
  perform a port scan. [Kris]

o [NSE] Category names are now case insensitive. [Patrick]

o [NSE] Each thread for a script now gets its own action closure (and
  upvalues). See: http://seclists.org/nmap-dev/2008/q2/0549.html
  [Patrick]

o [NSE] The script_scan_result structure has been changed to a class,
  ScriptResult, which now holds a Script's output in an std::string.
  This removes the need to use malloc and free to manage this memory.
  A similar change was made to the run_record structure. [Patrick]

o [NSE] Fixed a socket exhaustion deadlock which could prevent a
  script scan from ever finishing. Now, rather than limit the total
  number of sockets which can be open, we limit the number of scripts
  which can have sockets open at once.  And once a script has one
  socket opened, it is permitted to open as many more as it
  needs. [Patrick]

o A hashing library (code from OpenSSL) was added to NSE.  hashlib
  contains md5 and sha1 routines. [Philip Pickering]

o Fixed host discovery probe matching when looking at the returned TCP
  data in an ICMP error message.  This could formerly lead to
  incorrectly discarded responses and the debugging error message:
  "Bogus trynum or sequence number in ICMP error message" [Kris]

o Fixed a segmentation fault in Nsock which occurred when calling
  nsock_write() with a data length of -1 (which means the data is a
  NUL-terminated string and Nsock should take the length itself) and
  the Nsock trace level was at least 2. [Kris]

o The NSE Comm library now defaults to trying to read as many bytes as
  are available rather than lines if neither the "bytes" nor "lines"
  options are given.  Thanks to Brandon for reporting a problem which
  he noticed in the dns-test-open-recursion script. [Kris]

o Updated zoneTrans.nse to replace length bytes in returned domain
  names to periods itself rather than relying on NSE's old behavior of
  replacing non-printable characters with periods.  Thanks to Rob
  Nicholls for reporting the problem. [Kris]
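
  The zoneTrans fix above, and the later entry about NSE escaping
  unprintable output as \xHH, both come down to decoding DNS
  wire-format names properly instead of relying on byte substitution.
  The following Python is an added example for this page, not Nmap's
  or NSE's own code (the NSE script is Lua): a length-prefixed label
  decoder per RFC 1035 that follows compression pointers, refuses
  forward or looping pointers, and escapes non-ASCII label bytes. The
  sample message bytes are constructed for the example.

```python
"""Decode DNS wire-format names safely (added example)."""

MAX_POINTER_HOPS = 16   # bound on pointer chasing; real names need far fewer
MAX_LABEL_LENGTH = 63   # RFC 1035 section 2.3.4
DNS_HEADER_LENGTH = 12

# Constructed DNS response fragment: 12-byte header, a question for
# www.example.com, and an answer whose owner name is a compression pointer
# (0xC00C) back to the question name at offset 12.
SAMPLE_MESSAGE = (
    b"\x12\x34\x81\x80\x00\x01\x00\x01\x00\x00\x00\x00"  # header
    b"\x03www\x07example\x03com\x00"                      # QNAME at offset 12
    b"\x00\x01\x00\x01"                                   # QTYPE=A, QCLASS=IN
    b"\xc0\x0c"                                           # answer NAME: pointer to 12
    b"\x00\x01\x00\x01\x00\x00\x0e\x10"                   # TYPE=A CLASS=IN TTL=3600
    b"\x00\x04\xc0\x00\x02\x0a"                           # RDLENGTH=4, RDATA 192.0.2.10
)


def _read_labels(message, offset, hops):
    """Return (list_of_label_bytes, offset_after_name) for the name at offset."""
    if hops > MAX_POINTER_HOPS:
        raise ValueError("too many compression pointers")
    labels = []
    while True:
        if offset >= len(message):
            raise ValueError("name runs past end of message")
        length = message[offset]
        if length == 0:                       # root label terminates the name
            return labels, offset + 1
        if length & 0xC0 == 0xC0:             # two-byte compression pointer
            if offset + 1 >= len(message):
                raise ValueError("truncated compression pointer")
            pointer = ((length & 0x3F) << 8) | message[offset + 1]
            if pointer >= offset:
                # Pointers may only reference earlier bytes; anything else is
                # malformed and could otherwise loop forever.
                raise ValueError("forward compression pointer")
            more, _ = _read_labels(message, pointer, hops + 1)
            return labels + more, offset + 2
        if length > MAX_LABEL_LENGTH:
            raise ValueError("label length %d exceeds %d" % (length, MAX_LABEL_LENGTH))
        label = message[offset + 1:offset + 1 + length]
        if len(label) != length:
            raise ValueError("truncated label")
        labels.append(label)
        offset += 1 + length


def decode_dns_name(message, offset=0):
    """Return (dotted_name, next_offset); non-ASCII label bytes become \\xHH."""
    labels, end = _read_labels(message, offset, 0)
    if not labels:
        return ".", end
    return ".".join(l.decode("ascii", "backslashreplace") for l in labels), end


def parse_question(message):
    """Decode the first question: (name, qtype, qclass, offset_after_question)."""
    name, off = decode_dns_name(message, DNS_HEADER_LENGTH)
    if off + 4 > len(message):
        raise ValueError("truncated question section")
    qtype = int.from_bytes(message[off:off + 2], "big")
    qclass = int.from_bytes(message[off + 2:off + 4], "big")
    return name, qtype, qclass, off + 4


if __name__ == "__main__":
    print(parse_question(SAMPLE_MESSAGE))
    print(decode_dns_name(SAMPLE_MESSAGE, 33))
```

  The explicit bounds (label length, backward-only pointers, a hop
  limit) are what distinguish a decoder that is safe on hostile zone
  data from one that merely works on well-formed replies.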

o Some Zenmap crashes have been fixed: trying to "refresh" the output
  of a scan loaded from a file, and trying to re-save a file loaded
  from the command line in some circumstances. [David]

o [Zenmap] The file selector now remembers what directory it was last
  looking at. [David]

o Added an extra layer of validity checking to received packets
  (readip_pcap), just to be extra safe. See
  http://seclists.org/nmap-dev/2008/q3/0644.html . [Kris]

o Zenmap defaults to showing files matching both *.xml and *.usr in
  the file selector. Previously it only showed those matching *.usr.
  The new combined format will be XML and .usr will be deprecated.
  See http://seclists.org/nmap-dev/2008/q3/0093.html .

o Nmap avoids printing the sending rate in bytes per second during a
  TCP connect scan. Because the number of bytes per probe is not
  known, it used to print current sending rates: 11248.85 packets / s,
  0.00 bytes / s.  Now it will simply print rates like "11248.85
  packets / s". [David]

o [Zenmap] Nmap's installation process now includes .desktop files
  which install menu items for launching Zenmap as a privileged or
  non-privileged process on Linux. This will mainly affect people who
  install nmap and Zenmap directly from the source code. [Michael]

o Improved performance of IP protocol scan by fixing a bug related to
  timing calculations on ICMP probe responses.  See r8754 svn log for
  full details. [David]

o Nmap --reason output no longer falsely reports a localhost-response
  during -PN scans. See
  http://seclists.org/nmap-dev/2008/q3/0188.html . [Michael]

o [Zenmap] The higwidgets Python package has moved so it is now a
  subpackage of zenmapGUI. This avoids naming conflicts with Umit,
  which uses a slightly different version of higwidgets. [David]

o A bug that could cause some host discovery probes to be incorrectly
  interpreted as drops was fixed. This occurred only when the IP
  protocol ping (-PO) option was combined with other ping
  types. [David]

o A new scanflags attribute has been added to XML output, which lists
  all user specified --scanflags for the scan. nmap.dtd has been
  modified to account for this. [Michael]

o The loading of the nmap-services file has been made much
  faster--roughly 9 times faster in common cases.  This is important
  for the new (much larger) frequency augmented nmap-services
  file. [David]

o Added a script (ASN.nse) which uses Team Cymru's DNS interface to
  determine the routing AS numbers of scanned IP addresses.  They even
  set up a special domain just for Nmap queries.  The script is still
  experimental and non-default. [Jah, Michael]

o [Zenmap] Clicking "Cancel" in a file chooser in the diff interface
  no longer causes a crash. [David]

o The shtool build helper script has been updated to version 2.0.8. An
  older version of shtool caused installation to fail when the locale
  was set to et_EE. Thanks to Michal Januszewski for the bug
  report. [David]

o [Zenmap] Removed services.dmp and os_dmp.dmp and all the files that
  referred to them. They are not needed with the new search
  interface. Also removed an unused search progress bar.  And some
  broken fingerprint submission code.  Yay for de-bloating! [David]

o [Zenmap] Added "%F" to the Exec link in the new Zenmap desktop
  file. We expect (hope) that this will allow dragging and dropping
  XML files onto the icon. [David]

o [Zenmap] The -o[XGASN] options can now be specified, just as you can
  at the console. [Vladimir]

o [Zenmap] You can now shrink the scan window below its default
  size thanks to NmapOutputViewer code enhancements. [David]

o [Zenmap] Removed optional use of the Psyco Python optimizer since
  Zenmap is not the kind of CPU-bound application which benefits from
  Psyco.

o [Zenmap] You can now select more than one host in the "Ports /
  Hosts" view by control-clicking them in the column at left.

o [Zenmap] The profile editor now offers the --traceroute option.

o Zenmap now uses Unicode objects pervasively when dealing with Nmap
  text output, though the only internationalized text Nmap currently
  outputs is the user's time zone. [David]

o Unprintable characters in NSE script output (which really shouldn't
  happen anyway) are now printed like \xHH, where HH is the
  hexadecimal representation of the character. See
  http://seclists.org/nmap-dev/2008/q3/0180.html . [Patrick]

o Nmap sometimes sent packets with incorrect IP checksums,
  particularly when sending the UDP probes in OS detection. This has
  been fixed. Thanks to Gisle Vanem for reporting and investigating the
  bug. [David]

o Fixed the --without-liblua configure option so that it works
  again. [David]

o In the interest of forward compatibility, the xmloutputversion
  attribute in Nmap XML output is no longer constrained to be a
  certain string ("1.02"). The xmloutputversion should be taken as
  merely advisory by authors of parsers.
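
  Three entries in this release touch consumers of Nmap XML: the new
  scanflags attribute, the Zenmap crash on files with more than one
  extraports element, and the advice that xmloutputversion is merely
  advisory. The following Python is an added example for this page,
  not Zenmap's or Nmap's own parser, showing a reader that follows
  that advice: it warns on an unfamiliar xmloutputversion but keeps
  parsing, sums every extraports element per state, and picks up
  scanflags. The XML fragment is constructed for the example; the
  version string "1.03" and the set of versions the reader claims to
  know are assumptions, not values from this changelog.

```python
"""Tolerant reader for Nmap XML output (added example)."""
import xml.etree.ElementTree as ET

# Constructed Nmap-style XML, not real scan output. It carries a scanflags
# attribute, an xmloutputversion other than "1.02", and two extraports
# elements (the case that used to crash the Zenmap diff view).
SAMPLE_XML = """\
<nmaprun scanner="nmap" args="nmap --scanflags SYNFIN -p 1-100 192.0.2.10"
         version="4.75" xmloutputversion="1.03" scanflags="SYNFIN">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <extraports state="filtered" count="95"/>
      <extraports state="closed" count="3"/>
      <port protocol="tcp" portid="22"><state state="open" reason="syn-ack"/>
        <service name="ssh"/></port>
      <port protocol="tcp" portid="80"><state state="open" reason="syn-ack"/>
        <service name="http"/></port>
    </ports>
  </host>
</nmaprun>
"""

# Versions this reader has been exercised against (an assumption for the
# example). Anything else produces a warning, never a refusal to parse.
KNOWN_XMLOUTPUTVERSIONS = {"1.02"}


def parse_nmaprun(xml_text):
    """Parse an <nmaprun> document into a plain dict.

    Returns scanflags (or None), the xmloutputversion seen, a list of
    warnings, and per-host open ports plus extraports totals keyed by state.
    """
    root = ET.fromstring(xml_text)
    if root.tag != "nmaprun":
        raise ValueError("root element is %r, not nmaprun" % root.tag)
    version = root.get("xmloutputversion")
    warnings = []
    if version not in KNOWN_XMLOUTPUTVERSIONS:
        warnings.append("xmloutputversion %r not tested; parsing anyway" % version)

    hosts = []
    for host in root.iter("host"):
        address = host.find("address")
        addr = address.get("addr") if address is not None else None
        open_ports = []
        extraports = {}
        ports = host.find("ports")
        if ports is not None:
            # Several <extraports> elements per host are legal; aggregate them
            # instead of assuming exactly one.
            for ep in ports.findall("extraports"):
                state = ep.get("state", "unknown")
                extraports[state] = extraports.get(state, 0) + int(ep.get("count", "0"))
            for port in ports.findall("port"):
                st = port.find("state")
                if st is not None and st.get("state") == "open":
                    open_ports.append((port.get("protocol"), int(port.get("portid"))))
        hosts.append({"addr": addr, "open": open_ports, "extraports": extraports})

    return {
        "scanflags": root.get("scanflags"),
        "xmloutputversion": version,
        "warnings": warnings,
        "hosts": hosts,
    }


if __name__ == "__main__":
    result = parse_nmaprun(SAMPLE_XML)
    for w in result["warnings"]:
        print("warning:", w)
    print(result["scanflags"], result["hosts"])
```

  xml.etree is adequate for scan files you produced yourself; XML from
  an untrusted source should go through a parser hardened against
  entity expansion and external references before it reaches code like
  this.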
10192 
10193 o Zenmap no longer leaves any temporary files lying around. [David]
10194 
10195 o Nmap only prints an uptime guess in verbose mode now, because in
10196   some situations it can be very inaccurate. See the discussion at
10197   http://seclists.org/nmap-dev/2008/q3/0392.html . [David]
10198 
10199 Nmap 4.68 [2008-6-28]
10200 
10201 o Doug integrated all of your version detection submissions and
10202   corrections for the year up to May 31.  There were more than 1,000
10203   new submissions and 18 corrections.  Please keep them coming!  And
10204   don't forget that corrections are very important, so do submit them
10205   if you ever catch Nmap making a version detection or OS detection
10206   mistake.  The version detection DB has grown to 5,054 signatures
10207   representing 486 service protocols.  Protocols span the gamut from
10208   abc, acap, access-remote-pc, activefax, and activemq, to zebedee,
10209   zebra, zenimaging, and zenworks.  The most popular protocols are
10210   http (1,672 signatures), telnet (519), ftp (459), smtp (344), and
10211   pop3 (201).
10212 
10213 o Nmap compilation on Windows is now done with Visual C++ Express 2008
10214   rather than 2005.  Windows compilation instructions have been
10215   updated at https://nmap.org/book/inst-windows.html#inst-win-source .
10216   [Kris]
10217 
10218 o The Nmap Windows self-installer now automatically installs the MS
10219   Visual C++ 2008 runtime components if they aren't already installed
10220   on a system.  These are some reasonably small DLLs that are
10221   generally necessary for applications compiled with Visual C++ (with
10222   dynamic linking).  Many or most systems already have these installed
10223   from other software packages.  The lack of these components led to
10224   the error message "The Application failed to initialize properly
10225   (0xc0150002)." with Nmap 4.65.  A related change is that Nmap on
10226   Windows is now compiled with /MD rather than /MT so that it
10227   consistently uses these runtime libraries.  The patch was created by
10228   Rob Nicholls.
10229 
10230 o Added advanced search functionality to Zenmap so that you can locate
10231   previous scans using criteria such as which ports were open, keywords
10232   in the target names, OS detection results, etc.  Try it out with
10233   Ctrl-F or "Tools->Search Scan Results". [Vladimir]
10234 
10235 o Nmap's special WinPcap installer now handles 64-bit Windows machines
10236   by installing the proper 64-bit npf.sys. [Rob Nicholls]
10237 
10238 o Added a new NSE Comm (common communication) library for common
10239   network discovery tasks such as banner-grabbing (get_banner()) and
10240   making a quick exchange of data (exchange()).  16 scripts were
10241   updated to use this library. [Kris]
10242 
10243 o The Nmap Scripting Engine now supports mutexes for gracefully
10244   handling concurrency issues.  Mutexes are documented at
10245   https://nmap.org/book/nse-api.html#nse-mutex . [Patrick]
10246 
10247 o Added a UDP SNMPv3 probe to version detection, along with 9 vendor
10248   match lines. The patch was from Tom Sellers, who contributed other
10249   probes and match lines to this release as well.
10250 
10251 o Added a new timing_level() function to NSE which reports the Nmap
10252   timing level from 0 to 5, as set by the Nmap -T option.  The default
10253   is 3. [Thomas Buchanan]
10254 
10255 o Update the HTTP library to use the new timing_level functionality to
10256   set connection and response timeouts. An error preventing the new
10257   timing_level feature from working was also fixed.  [Jah]
10258 
10259 o Optimized the doAnyOutstandingProbes() function to make Nmap a bit
10260   faster and more efficient.  This makes a particularly big difference
10261   in cases where --min-rate is being used to specify a very high
10262   packet sending rate. [David]
10263 
10264 o Fixed an integer overflow which prevented a target specification of
10265   "*.*.*.*" from working.  Support for the CIDR /0 is now also
10266   available for those times you wish to scan the entire
10267   Internet. [Kris]
10268 
10269 o The robots.nse script has been improved to print output more
10270   compactly and limit the number of entries of large robots.txt files
10271   based on Nmap verbosity and debugging levels. [Eddie Bell]
10272 
10273 o The Nmap NSE scripts have been re-categorized in a more logical
10274   fashion.  The new categories are described at
10275   https://nmap.org/book/nse-usage.html#nse-categories . [Kris]
10276 
10277 o Improve AIX support by linking against -lodm and -lcfg on that
10278   platform. [David]
10279 
10280 o Updated showHTMLTitle NSE script to follow one HTTP redirect if
10281   necessary as long as it is on the same server. [Jah]
10282 
10283 o Michael Pattrick and David created a new OSassist application which
10284   streamlines the OS fingerprint submission integration process and
10285   prevents certain previously common errors.  OSassist isn't part of
10286   Nmap, but the system was used to integrate some submissions for this
10287   release.  13 fingerprints were added during OSassist testing, and
10288   some existing fingerprints were improved as well.  Expect many more
10289   fingerprints coming soon.
10290 
10291 o Improved the mapping from dnet device names (like eth0) and WinPcap
10292   names (like \Device\NPF_{28700713...}).  You can see this mapping
10293   with --iflist, and the change should make Nmap more likely to work
10294   on Windows machines with unusual networking configurations. [David]
10295 
10296 o Service fingerprints in XML output are no longer be truncated to
10297   2kb.  [Michael]
10298 
10299 o Some laptops report the IP Family as NULL for disabled WiFi cards.
10300   This could lead to a crash with the "sin->sin_family == AF_INET6"
10301   assertion failure.  Nmap no longer quits when this is
10302   encountered. [Michael]
10303 
10304 o On systems without the GNU getopt_long_only() function, Nmap has its
10305   own replacement.  That replacement used to call the system's
10306   getopt() function if it exists.  But the AIX and Solaris getopt()
10307   functions proved insufficient/buggy, so Nmap now always calls its
10308   own internal getopt() now from its getopt_long_only()
10309   replacement. [David]
10310 
10311 o Integrated several service match lines from Tom Sellers.
10312 
10313 o An error was fixed where Zenmap would crash when trying to load from
10314   the recent scans database a file containing non-ASCII
10315   characters. The error looked like
10316     pysqlite2.dbapi2.OperationalError: Could not decode to UTF-8 column
10317       'nmap_xml_output' with text
10318     '<?xml version="1.0" encoding="iso-8859-1"?>
10319     <nmaprun profile="nmap -T Aggressive -n -v %s" scanner="nmap" hint=""
10320   The error would be seen when such a scan was found in using the
10321   search interface. [David]
10322 
10323 o Fix a Zenmap crash which occurred when local.getpreferredencoding()
10324   returns "None".  Similarly, deal with the case when a "X-MAC-KOREAN"
10325   is returned by this function.  Both problems were found with the
10326   Zenmap crash reporter. [David]
10327 
10328 o A whole bunch of internal Zenmap cleanup was done by David to make
10329   the code more logical and remove dead code.
10330 
10331 o Install icons and pixmaps under /usr/share/zenmap/{icons,pixmaps} so
10332   they don't get mixed in with the files in
10333   /usr/share/{icons,pixmaps}.  [Jurand Nogiec]
10334 
10335 o Fixed a Zenmap command entry problem where Zenmap would lose a
10336   custom command you had entered into the command entry field if you
10337   changed the target field after entering the custom command. [Jurand
10338   Nogiec]
10339 
10340 o The Zenmap crash reporter now includes a stack trace rather than
10341   just the exception name. [David]
10342 
10343 o Zenmap now executes the proper Nmap command by honoring the
10344   nmap_command_path variable in zenmap.conf. [Jurand Nogiec]
10345 
10346 o Fixed a bug which caused -PN to erroneously bail out for
10347   unprivileged users.  Thanks to Jabra (jabra(a)spl0it.org) for the
10348   report. [Kris]
10349 
10350 o Fixed several Nmap NSE memory leaks found with Valgrind. [Kris]
10351 
10352 o Migrated some stray malloc()/realloc() calls to the Nbase
10353   safe_malloc()/safe_realloc() versions which guard against certain
10354   errors.
10355 
10356 o Fixed a bunch of subtle bugs, some of which could have resulted in
10357   a crash, reported by Ilja van Sprundel. [Kris]
10358 
10359 o Fixed several byte-order bugs in Traceroute. [Kris]
10360 
10361 o Fixed a crash in RateMeter::update() which could lead to an error
10362   saying "diff >= 0.0" assertion failed.  I think the problem was
10363   actually caused by SMP machines which didn't sync the clock time
10364   perfectly.  This led to gettimeofday() sometimes reporting that
10365   time decreased by some microseconds.  Now Nmap is willing to
10366   tolerate decreases of up to 1 millisecond in this function. [Fyodor]
10367 
10368 o Nmap now returns correct values for --iflist in windows even
10369   if interface aliases have been set. Previously it would misreport
10370   the windevices and not list all interfaces. [Michael]
10371 
10372 o Nmap no longer crashes with an 'assert' error when it's told to
10373   access a disabled WiFi NIC on some laptops. [Michael]
10374 
10375 o Upgraded the OpenSSL shipped for Windows to 0.9.8h. [Kris]
10376 
10377 o The NSE http library was updated to gracefully handle certain bogus
10378   (non-)http responses. [Jah]
10379 
10380 o The zoneTrans.nse script now takes a "domain" script argument to
10381   specify the desired domain name to transfer.  You can narrow the
10382   scope down with the form "zoneTrans={domain=xxx}". [Kris]
10383 
10384 o Increase write buffer length for Nmap output on Windows. This should
10385   prevent error messages like: "log_vwrite: vsnprintf failed.  Even
10386   after increasing bufferlen to 819200, Vsnprintf returned -1 (logt ==
10387   1)."  Thanks to prozente0 for the report. [Fyodor]
10388 
10389 o Fixed the --script-updatedb command, which was claiming to be
10390   "Aborting database update" even when the update was performed
10391   perfectly.  See http://seclists.org/nmap-dev/2008/q2/0623.html .
10392   Thanks to Jah for the report.
10393 
10394 Nmap 4.65 [2008-6-1]
10395 
10396 o A Mac OS X Nmap/Zenmap installer is now available from the Nmap
10397   download page!  It is rather straightforward, but detailed
10398   instructions are available anyway at
10399   https://nmap.org/book/inst-macosx.html .  As a universal installer,
10400   it works on both Intel and PPC Macs. It is distributed as a disk
10401   image file (.dmg) containing an mpkg package.  The installed Nmap
10402   does include OpenSSL support.  It also supports Authorization
10403   Services so that Zenmap can run as root.  David created this
10404   installer.  He wants to thank Benson Kalahar and Vlad Alexa for
10405   extensive testing of the nine test releases.
10406 
10407 o The Windows version of Nmap now supports OpenSSL just as the UNIX
10408   versions have for years.  Both the .zip and executable installer
10409   binary packages we ship from the Nmap download page now include
10410   OpenSSL. [Kris, Thomas Buchanan]
10411 
10412 o We now compile in IPv6 support on Windows.  In order to use this,
10413   you need to have IPv6 set up.  It is installed by default on Vista,
10414   but must be downloaded from Microsoft for XP.  See
10415   http://www.microsoft.com/technet/network/ipv6/ipv6faq.mspx . [Kris]
10416 
10417 o Seven Google-sponsored Summer of Code students began working on
10418   exciting Nmap projects full time.  The winning students and their
10419   Nmap development projects are described at
10420   http://seclists.org/nmap-dev/2008/q2/0132.html .
10421 
10422 o Our WinPcap installer now starts the NPF driver running as a
10423   service immediately upon installation and after restarts. You can
10424   disable this with new check-boxes. This behavior is important for
10425   Vista and Windows Server 2008 machines when User Account
10426   Control (UAC) is enabled. [Rob Nicholls]
10427 
10428 o Nmap and Nmap-WinPcap silent installation now works.  Nmap can
10429   be silently installed with the /S option to the installer.
10430   If you install Nmap from the zip file, you can install just
10431   WinPcap silently with the /S option to that
10432   installer. [Rob Nicholls]
10433 
10434 o Our WinPcap installer is now included with the Nmap Win32 zip
10435   file. [Fyodor]
10436 
10437 o Numerous miscellaneous improvements were made to our Win32
10438   installer, such as using the "Modern" NSIS UI for WinPcap,
10439   improving the option description labels, and showing a finish
10440   page in all cases. [Rob Nicholls]
10441 
10442 o The nmap-dev and nmap-hackers mailing list RSS feeds at seclists.org
10443   now include message excerpts to make it easier to identify
10444   interesting messages and speed the process of reading through the
10445   list.  Feeds for all other mailing lists archived at SecLists.Org
10446   have been similarly augmented.  For details, see
10447   http://seclists.org/nmap-dev/2008/q2/0333.html . [David]
10448 
10449 o A new "default" Nmap Scripting Engine category was added.  Only
10450   scripts in this category now run by default (except for "version"
10451   scripts which run when version detection was requested).
10452   Previously, any scripts in the "safe" or "intrusive" categories were
10453   run.  21 scripts are now in this default category. [Kris]
10454 
10455 o The NSE HTTP library now uses the host name specified on the command
10456   line when making requests, which improves script scanning against
10457   web servers with virtual hosts. Thanks to Sven Klemm for the patch.
10458 
10459 o Added some new and improved version detection signatures. [Brandon]
10460 
10461 o Fixed an OS detection bug that prevented the U1.RID test result from
10462   being recorded properly when scanning certain printers from
10463   little-endian computers. Updated nmap-os-db to compensate for
10464   signatures that had an incorrect U1.RID value.  [Michael]
10465 
10466 o Updated to include the latest MAC Address prefixes from the IEEE in
10467   nmap-mac-prefixes [Fyodor]
10468 
10469 o Updated the SMTPcommands NSE script to work better against Postfix
10470   and reduce verbosity. [Jasey DePriest, Fyodor]
10471 
10472 o Reorganized the way ping probes are handled internally.  Rather than
10473   being stored in the NmapOps structure, they are now stored within
10474   the individual scan_lists structures.  This is a cleaner
10475   organization. [Michael]
10476 
10477 o Fix grepable output's "Ignored State" reporting.  Only one ignored
10478   state (the one with the highest numbers of ports) is shown. [David]
10479 
10480 o Update to Lua version 5.1.3 [Patrick]
10481 
10482 o Add NSE stdnse library to include tobinary, tooctal, and tohex
10483   functions. [Patrick]
10484 
10485 o Fixed a bug which caused the Zenmap crash reporter to, uh,
10486   crash. [David]
10487 
10488 o NSE engine was cleaned up significantly.  nse_auxiliar was removed,
10489   and file system manipulation functions were moved from nse_init.cc
10490   into a new nse_fs.cc file.  Numerous interfaces between Nmap and Lua
10491   were improved.  Most of these functions are now callable directly by
10492   Lua. [Patrick]
10493 
10494 o Fixed a bug in the showOwner NSE script which caused it to try UDP
10495   ports instead of just TCP ports.  This made it very slow in the
10496   common case where there are many UDP ports in the open|filtered
10497   state.  Thanks to Jasey DePriest for reporting the problem and Jah
10498   for tracking it down and fixing it.
10499 
10500 o Nbase now generates pseudo-random numbers itself rather than using
10501   /dev/urandom on Linux and the terrible rand() function on Windows.
10502   The new system uses ARC4 based on libdnet's
10503   implementation. [Brandon]
10504 
10505 o Made a number of updates and improvements to the Zenmap Users' Guide
10506   at https://nmap.org/book/zenmap.html . [David]
10507 
10508 o Fixed the way Zenmap handles command-line entry to prevent your
10509   custom command-line from being overwritten with the current profile's
10510   command just because you edited the target field. [Jurand]
10511 
10512 o Nsock was improved to better support reading from non-network
10513   descriptors such as stdin.  This is important for the upcoming Ncat
10514   project Mixter is working on. [Mixter]
10515 
10516 o A bug was fixed that could cause Zenmap to crash when loading a
10517   results file that had multibyte characters in it. The error looked
10518   like:
10519   Gtk-ERROR **: file gtktextsegment.c: line 196
10520   (_gtk_char_segment_new): assertion failed:
10521   (gtk_text_byte_begins_utf8_char (text))
10522   [David]
10523 
10524 o Removed a superfluous test for the existence of the C++ compiler in
10525   the configure script. The test was not robust when configured with
10526   CXX="ccache g++". Thanks to Rainer Müller for the report.
10527 
10528 o Optimized cached DNS lookups so they are equally efficient when
10529   running on big-endian or little-endian systems. [Michael]
10530 
10531 o Fixed the nmap_command_path Zenmap configuration variable so that it
10532   is actually used to start the specified Nmap executable
10533   path. [Jurand Nogiec]
10534 
10535 o Nmap now reports scan start and end times for individual hosts
10536   within a larger scan. The information is added to the XML host
10537   element like so: <host starttime="1198292349" endtime="1198292370">
10538   It is also printed in normal output if -d or "-v -v" are
10539   specified. [Brandon, Kris, Fyodor]
10540 
10541 o "make uninstall" now uninstalls Zenmap as well as Nmap. The
10542   uninstall_zenmap script now deletes directories that were
10543   installed. [David]
10544 
10545 o Fixed a bug which caused Nmap to send bad checksums on Solaris 10
10546   x86.  This was due to a workaround for an ancient Solaris 2.1 bug
10547   which activated when the OS string matched "solaris2.1*".  The
10548   problem has now been resolved until Solaris 20 comes out and hits
10549   our "solaris2.2*" bug workarounds. Thanks to Nathan Bills for the
10550   problem report.  Fixed by Fyodor.
10551 
10552 o Fixed a minor memory leak in getpts_simple which occurs when no
10553   ports are to be added to 'list'. 'porttbl' is now freed regardless
10554   of how the function returns. [Michael]
10555 
10556 o Nmap now understands the RFC 4007 percent syntax for IPv6 Zone IDs.
10557   On Windows, this ID has to be a numeric index.  On Linux and some
10558   other OS's, this ID can instead be an interface name.  Some examples
10559   of this syntax:
10560     fe80::20f:b0ff:fec6:15af%2
10561     fe80::20f:b0ff:fec6:15af%eth0
10562   [Kris]
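
An added example of parsing that syntax (not Nmap's parser): the string is split at '%', the address part goes through inet_pton(), and the zone is taken as a numeric index when it is all digits or otherwise resolved with if_nametoindex(), which is the POSIX behaviour described above for Linux. The Windows numeric-only rule is not modelled here; on any system, an unknown interface name is rejected rather than silently mapped to zone 0.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <net/if.h>
#include <netinet/in.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Nmap code. Parse "addr%zone" per RFC 4007.
   Returns 0 on success (addr and zone filled in; zone is 0 when the
   spec has no '%' part), -1 on malformed input or unknown interface. */
int parse_ipv6_with_zone(const char *spec, struct in6_addr *addr, unsigned *zone) {
    char buf[INET6_ADDRSTRLEN + IF_NAMESIZE + 1];
    if (strlen(spec) >= sizeof buf)
        return -1;                        /* cannot be a valid address%zone */
    strcpy(buf, spec);
    *zone = 0;

    char *pct = strchr(buf, '%');
    if (pct) {
        *pct = '\0';                      /* terminate the address part */
        const char *z = pct + 1;
        if (*z == '\0')
            return -1;                    /* "addr%" with an empty zone */
        int numeric = 1;
        for (const char *q = z; *q; q++) {
            if (!isdigit((unsigned char)*q)) { numeric = 0; break; }
        }
        if (numeric) {
            *zone = (unsigned)strtoul(z, NULL, 10);   /* e.g. "%2" */
        } else {
            *zone = if_nametoindex(z);                /* e.g. "%eth0" */
            if (*zone == 0)
                return -1;                /* no such interface on this host */
        }
    }
    return inet_pton(AF_INET6, buf, addr) == 1 ? 0 : -1;
}

int main(void) {
    /* Constructed sample inputs; the interface name one will only resolve
       if an interface called eth0 exists on the machine running this. */
    const char *samples[] = { "fe80::20f:b0ff:fec6:15af%2",
                              "fe80::20f:b0ff:fec6:15af%eth0",
                              "fe80::1%" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        struct in6_addr a;
        unsigned zone;
        char text[INET6_ADDRSTRLEN];
        if (parse_ipv6_with_zone(samples[i], &a, &zone) == 0)
            printf("%s -> %s zone %u\n", samples[i],
                   inet_ntop(AF_INET6, &a, text, sizeof text), zone);
        else
            printf("%s -> rejected\n", samples[i]);
    }
    return 0;
}
```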
10563 
10564 o The Zenmap installer and uninstaller are more careful about escaping
10565   filenames and dealing with an installation root (DESTDIR). [David]
10566 
10567 o Since assert() calls are used for various security-related tests,
10568   their safety is now ensured by keeping NDEBUG undefined throughout
10569   Nmap, Nbase and Nsock. [Kris]
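
An added illustration of why that matters (example code, not Nmap's): a length check written as assert() disappears entirely when NDEBUG is defined, so the memcpy it guarded becomes an unchecked overflow. The #error guard reproduces Nmap's "keep NDEBUG undefined" policy at compile time, and CHECK_OR_RETURN is an assumed helper that does not depend on NDEBUG at all.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>
#include <assert.h>

/* Added example, not Nmap code. Refuse to build if NDEBUG is defined,
   because assert() calls below are relied on as security checks. */
#ifdef NDEBUG
#error "NDEBUG must stay undefined: assert() is used for security checks"
#endif

/* A check that never depends on NDEBUG: on failure it returns an error
   code to the caller rather than being compiled out in release builds. */
#define CHECK_OR_RETURN(cond, rv) do { if (!(cond)) return (rv); } while (0)

/* Copy srclen bytes of src into dst and NUL-terminate. Returns 0 on
   success, -1 if any argument is invalid or the data does not fit. */
int bounded_copy(char *dst, size_t dstlen, const char *src, size_t srclen) {
    CHECK_OR_RETURN(dst != NULL && src != NULL, -1);
    CHECK_OR_RETURN(dstlen > 0 && srclen < dstlen, -1);
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

/* The same bound enforced with assert(): correct only while NDEBUG is
   undefined, which is exactly what the #error guard above protects. */
int bounded_copy_assert(char *dst, size_t dstlen, const char *src, size_t srclen) {
    assert(dst != NULL && src != NULL);
    assert(dstlen > 0 && srclen < dstlen);   /* gone entirely under NDEBUG */
    memcpy(dst, src, srclen);
    dst[srclen] = '\0';
    return 0;
}

int main(void) {
    char buf[8];
    printf("fits:     %d\n", bounded_copy(buf, sizeof buf, "nmap", 4));       /* 0 */
    printf("too long: %d\n", bounded_copy(buf, sizeof buf, "nmap-7.91", 9));  /* -1 */
    return 0;
}
```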
10570 
10571 o Fix a couple of bugs in the way the Nmap build system checked for an
10572   existing LUA library.  A bashism caused one test to fail on systems
10573   which don't use bash as /bin/sh, and another fix repaired the
10574   --with-liblua configure option for specifying your own liblua. [Daniel
10575   Roethlisberger]
10576 
10577 o The NSE nmap.registry.args table is now available, albeit empty,
10578   when --script-args isn't used.  Now scripts don't need to check if
10579   it's nil before attempting to index it. [Kris]
10580 
10581 o Changed SSLv2-support.nse so that it only enumerates the list of
10582   available ciphers with a verbosity level of at least two or with
10583   debugging enabled. [Kris]
10584 
10585 o Replaced kibuvDetection.nse with version detection match lines which
10586   work better than the script. [Kris, Brandon]
10587 
10588 o Removed mswindowsShell.nse as there is a version detection NULL
10589   probe match which does the same thing. [Brandon, Fyodor, Kris]
10590 
10591 o Updated IANA assignment IP list for random IP (-iR)
10592   generation. [Kris]
10593 
10594 Nmap 4.62 [2008-5-3]
10595 
10596 o Added a new --min-rate option that allows specifying a minimum rate
10597   at which to send packets. This allows you to override Nmap's
10598   congestion control algorithms and request that Nmap try to keep at
10599   least the rate you specify.  The rate is given in packets per
10600   second. Read more in the Nmap man page
10601   (https://nmap.org/book/man-performance.html) [David]
10602 
10603 o Create /nmap/macosx directory in SVN with files necessary to build
10604   binary Mac OS X Nmap/Zenmap packages.  We are trying to create
10605   binary installer packages which are as useful and easy to use as the
10606   Windows installer.  This has involved a lot of work by David.  We
10607   aren't quite yet distributing the results on the Nmap download page,
10608   but testing our beta versions is useful.  You can find the latest
10609   universal (PPC and Intel) binary test version by looking at David
10610   Fifield's posts at http://seclists.org/nmap-dev/2008/q2/author.html .
10611   You can also read /nmap/macosx/README in svn for more info.
10612 
10613 o Nmap 2008 Summer of Code students have begun working (though full
10614   time doesn't start until late May).  Learn about the winners and
10615   their projects at http://seclists.org/nmap-dev/2008/q2/0132.html .
10616 
10617 o Brandon added/modified a whole bunch of version detection signatures
10618   based on systems discovered when scanning UCSD's network.
10619 
10620 o Reformat Nmap COPYING file (e.g. remove C comment markers, reduce
10621   line length) during Nmap windows build so that it looks much better
10622   when presented by the Windows executable (NSIS) installer.  Thanks
10623   to Jah for the patch, which was modified slightly by Fyodor.
10624 
10625 o Added NSE Datafiles library which reads and parses Nmap's nmap-*
10626   data files for scripts.  The functions (parse_protocols(),
10627   parse_rpc() and parse_services()) return tables with numbers
10628   (e.g. port numbers) indexing names (e.g. service names).  The
10629   rpcinfo.nse script was also updated to use this library. [Kris]
10630 
10631 o Fixed a bug in the nbase random number generator (and the way it
10632   interacted with Nmap and MS Windows) which caused duplicates in some
10633   instances.  Thanks to Jah for reporting the problem and working with
10634   Brandon Enright, Fyodor and Kris to fix it.
10635 
10636 o It turns out that hours contain 60 minutes, not 24.  Fixed a scan
10637   status message which was rolling over the hours column
10638   prematurely. [David]
10639 
10640 o Added scripting options to Zenmap profile editor and command wizard
10641   to make use of NSE. [David]
10642 
10643 o Zenmap now prints an exception message rather than segfaulting when
10644   it can't open a display (such as when trying to connect to an X
10645   server as an unauthorized user). Thanks to Aaron Leininger for the
10646   initial report and Guilherme Polo for suggesting the fix.
10647 
10648 o Now ports in the "unfiltered" state can be selected for attention by
10649   NSE scripts. [Kris]
10650 
10651 o Nbase random number generation system now avoids having a high-bit
10652   of zero in every other byte on Windows due to Windows having such a
10653   low RAND_MAX. [Jah]
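
An added example reproducing that bias (not Nbase code): sim_rand() is a deterministic xorshift32 stand-in truncated to 15 bits, the RAND_MAX of the Windows C runtime. Pulling two bytes from each call leaves bit 7 of every second byte clear; pulling a single byte per call does not. Nothing here is a cryptographic generator; the point is the byte-extraction pattern.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not Nbase code. A rand() stand-in with only 15 usable
   bits, as on Windows where RAND_MAX is 32767. */
#define SIM_RAND_MAX 0x7fff

static uint32_t sim_state = 2463534242u;   /* fixed seed: deterministic run */

int sim_rand(void) {
    uint32_t x = sim_state;                /* xorshift32 step */
    x ^= x << 13;
    x ^= x >> 17;
    x ^= x << 5;
    sim_state = x;
    return (int)(x & SIM_RAND_MAX);        /* truncate to 15 bits */
}

/* Buggy pattern: assumes each call yields at least 16 random bits. */
void fill_two_bytes_per_call(unsigned char *buf, size_t len) {
    for (size_t i = 0; i + 1 < len; i += 2) {
        int r = sim_rand();
        buf[i]     = (unsigned char)(r & 0xff);
        buf[i + 1] = (unsigned char)((r >> 8) & 0xff);  /* bit 7 is always 0 */
    }
}

/* Fixed pattern: use only the low 8 bits of every call. */
void fill_one_byte_per_call(unsigned char *buf, size_t len) {
    for (size_t i = 0; i < len; i++)
        buf[i] = (unsigned char)(sim_rand() & 0xff);
}

/* Number of odd-indexed bytes whose high bit is set: about half of them
   for an unbiased fill, exactly zero for the buggy one. */
size_t count_high_bit_odd_bytes(const unsigned char *buf, size_t len) {
    size_t c = 0;
    for (size_t i = 1; i < len; i += 2)
        if (buf[i] & 0x80)
            c++;
    return c;
}

int main(void) {
    unsigned char buf[4096];
    fill_two_bytes_per_call(buf, sizeof buf);
    printf("two bytes/call: %zu of %zu odd bytes have bit 7 set\n",
           count_high_bit_odd_bytes(buf, sizeof buf), sizeof buf / 2);
    fill_one_byte_per_call(buf, sizeof buf);
    printf("one byte/call:  %zu of %zu odd bytes have bit 7 set\n",
           count_high_bit_odd_bytes(buf, sizeof buf), sizeof buf / 2);
    return 0;
}
```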
10654 
10655 o Added release dates for each Nmap version to this CHANGELOG going
10656   back to Nmap 3.00 (July 31, 2002).  Dates are in MM/DD/YY format.
10657   If someone wants to track down dates for the last 22% of the file
10658   (pre-3.00), you are welcome to do so and send a patch.  Searching
10659   Google for the version number and site:seclists.org seems to work
10660   well. [Fyodor]
10661 
10662 o Nmap RPM builds now use the versions of libdnet, libpcap, libpcre,
10663   and liblua included with Nmap rather than whatever happens to be
10664   installed on the build system. [David]
10665 
10666 o Zenmap can now be installed in and run in directories with a space
10667   in the name. [David]
10668 
10669 o Fixed an assertion failure ("Target.cc:396: void
10670   Target::stopTimeOutClock(const timeval*): Assertion
10671   'htn.toclock_running == true' failed.") caused when a host had NSE
10672   scripts in multiple runlevels.  This also fixes --host-timeout
10673   behavior in NSE. [Kris]
10674 
10675 o Reduce the maximum number of socket descriptors which Nmap is
10676   allowed to open concurrently.  This resolves a bug which could cause
10677   a "Too many open files" error on Mac OS X when not running as
10678   root. [David]
10679 
10680 o Canonicalized service names between nmap-service-probes (version
10681   detection DB) and nmap-services (port scanning DB). [Kris]
10682 
10683 o Removed the "class" attribute from the tcpsequence element in XML
10684   output. For a long time it had always been "unknown class" because
10685   Nmap doesn't calculate a class anymore. The XML output version has
10686   been increased from 1.01 to 1.02. [David]
10687 
10688 o Fixed a bug on Win32 which caused an infinite loop when Nmap
10689   encountered certain broadcast addresses. [Dudi Itzhakov]
10690 
10691 o Fix MingW compilation by adding a signal.h include to
10692   main.cc. [Gisle Vanem]
10693 
10694 o Fix the test in our build system to determine if liblua is already
10695   available or not. For example, the test needed to link with -lm
10696   since some systems require that. [David]
10697 
10698 o Added TIMEVAL_BEFORE and TIMEVAL_AFTER macros to test whether one
10699   timeval is earlier than another while avoiding possible integer
10700   overflows in a naive approach we were using previously. [David]
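
An added example (not Nmap's code) for this entry and for the RateMeter::update() clock-tolerance fix in the 4.68 notes above: TIMEVAL_BEFORE compares the seconds fields first and uses microseconds only to break ties, so no scaling by 1000000 is done and a 32-bit naive difference cannot overflow. rate_meter_t and rate_meter_update() are a hypothetical minimal meter that treats a backwards clock step of up to 1 ms as zero elapsed time and reports anything larger as an error rather than asserting.

```c
#include <stdio.h>
#include <sys/time.h>

/* Added example, not Nmap code. True if a is strictly earlier than b. */
#define TIMEVAL_BEFORE(a, b) \
    ((a).tv_sec < (b).tv_sec || \
     ((a).tv_sec == (b).tv_sec && (a).tv_usec < (b).tv_usec))
#define TIMEVAL_AFTER(a, b) TIMEVAL_BEFORE(b, a)

/* (a - b) in seconds as a double: seconds are subtracted before scaling,
   so the result is exact in range for any pair of timestamps. */
double timeval_diff_secs(struct timeval a, struct timeval b) {
    return (double)(a.tv_sec - b.tv_sec) + (a.tv_usec - b.tv_usec) / 1000000.0;
}

/* Hypothetical rate meter. gettimeofday() can step backwards by a few
   microseconds on SMP hosts whose CPUs are not perfectly in sync. */
typedef struct {
    struct timeval last;   /* time of the previous update */
    double rate;           /* units per second at the last update */
    double total;          /* running total of amounts seen */
} rate_meter_t;

/* Returns 0 on success. A backwards step of at most 1 ms is tolerated
   as "no time passed"; a larger one returns -1 and skips the update. */
int rate_meter_update(rate_meter_t *rm, double amount, struct timeval now) {
    double diff = timeval_diff_secs(now, rm->last);
    if (diff < -0.001)
        return -1;            /* clock jumped back by more than 1 ms */
    if (diff < 0.0)
        diff = 0.0;           /* tolerated jitter */
    rm->total += amount;
    if (diff > 0.0)
        rm->rate = amount / diff;
    rm->last = now;
    return 0;
}

int main(void) {
    /* Constructed timestamps: 0.5 s forward, then 0.5 ms backwards. */
    rate_meter_t rm = {{100, 0}, 0.0, 0.0};
    struct timeval t1 = {100, 500000}, t2 = {100, 499500};
    rate_meter_update(&rm, 50.0, t1);
    printf("rate after t1: %.1f/s\n", rm.rate);
    printf("0.5 ms backwards step tolerated: %s\n",
           rate_meter_update(&rm, 10.0, t2) == 0 ? "yes" : "no");
    return 0;
}
```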
10701 
10702 o Adjusted a bunch of code to avoid compilation warning messages on
10703   some Linux machines. [Andrew J. Bennieston]
10704 
10705 o Fixed the NmapArpCache so that it actually works. Previously, Nmap
10706   was always falling back to the system ARP cache. Of course this
10707   raises the question of whether NmapArpCache is needed in the first
10708   place. [Daniel Roethlisberger]
10709 
10710 o Fix a Zenmap bug which could cause the error message
10711   "zenmapCore.NmapOptions.OptionNotFound: No option named '' found!"
10712   if you create a new profile without checking any options then try to
10713   edit it. [David]
10714 
10715 o Zenmap now shows a more helpful error message when there is an error
10716   in executing Nmap. [David]
10717 
10718 o Zenmap now creates the directory ~/.zenmap-etc to store
10719   automatically generated GTK+ and Pango files. They used to go in the
10720   application bundle but that doesn't work on a read-only file system
10721   or disk image. This is what Wireshark does (~/.wireshark-etc),
10722   although the directory could be called anything. It doesn't have to
10723   persist across sessions.
10724 
10725 o Added a mechanism in Zenmap for including extra executable search
10726   paths on specific platforms, so we can include /usr/local/bin in
10727   PATH on Mac OS X by default and add the Nmap install directory on
10728   Windows. [David]
10729 
10730 o We now use --no-strip when building Zenmap Mac OS X packages to
10731   prevent many mysterious warnings which occur when the binary is
10732   stripped. [David]
10733 
10734 o When Zenmap invokes Nmap, it now copies the whole environment for
10735   the Nmap invocation rather than just providing $PATH.  Windows may
10736   need this to do proper name resolution. [David]
10737 
10738 o Corrected uptime parsing and reporting in SNMPsysdescr.nse for an
10739   uptime of less than 46 hours. [Kris]
10740 
10741 o Modified the use of CXXFLAGS, CFLAGS, and CPPFLAGS in Nmap build
10742   system to work better when building Mac OS X universal
10743   binaries. [David]
10744 
10745 o Added many additional PCRE option flags to the list returned by the
10746   NSE pcre.flags() function. [Kris]
10747 
10748 o Changed the NSE function nmap.set_port_state() so that it checks to
10749   see if the requested port is already in the requested state.  This
10750   prevents "Duplicate port" messages during the script scan and the
10751   inaccurate "script-set" state reason. [Kris]
10752 
10753 o Canonicalize NSE script license text--more than half did not even
10754   spell license correctly. They all still say that they are under
10755   Nmap's license, just with consistent capitalization and spelling,
10756   and now a link to Nmap legal page at
10757   https://nmap.org/book/man-legal.html .
10758 
10759 o Updated ripeQuery.nse to not print extraneous whitespace. [Kris]
10760 
10761 o Switched telnet brute force password cracking NSE (bruteTelnet.nse)
10762   to vulnerability category so it isn't executed by default.  It can
10763   take too long to run. [Eddie]
10764 
10765 o NSE status messages now print host name and IP, rather than just the
10766   host name (which was blank when Nmap didn't know it). [Jah]
10767 
10768 o Allocate 128 characters for the idle scan ScanProgressMeter
10769   title. Previously it was 32 characters. The "idle scan against " and
10770   the \0 terminator take up 19 characters, leaving only 13, which
10771   isn't enough to represent all IP addresses, let alone host
10772   names. Bug reported by Stephan Fijneman, fixed by David.
10773 
10774 Nmap 4.60 [2008-3-15]
10775 
10776 o Nmap has moved.  Everything at http://insecure.org/nmap/ can now be
10777   found at https://nmap.org .  That should save your fingers from a
10778   little bit of typing.  Even though transparent redirectors are in
10779   place for the old URLs, please update your links and bookmarks. And
10780   if you don't have a link to Nmap on your web site, now is a good
10781   time to add one :).
10782 
10783 o All of your OS detection fingerprints up until March 10, 2008 have
10784   now been integrated by David.  The second generation database has
10785   grown from 1,085 fingerprints representing 421 operating
10786   systems/devices, to 1,304 fingerprints representing 478 systems.
10787   That is an increase of more than 20%.  New fingerprints were added
10788   for Mac OS X Tiger, iPod Touch, the La Fonera WAP, FreeBSD 7.0,
10789   Linux 2.6.24, Windows 2008, Vista, OpenBSD 4.2, and of course
10790   hundreds of broadband routers, VoIP phones, printers, some crazy
10791   oscilloscope, etc.  We get a ton of new fingerprint submissions, but
10792   not as many corrections.  Please remember to visit
10793   https://nmap.org/submit/ if Nmap gives you bad results, whether they
10794   are completely wrong or just a slight mistake (like Nmap says Linux
10795   2.6.20-2.6.23, but you're running 2.6.24).  Of course you need to be
10796   certain you know exactly what is running on the target before you do
10797   this.
10798 
10799 o All of your service fingerprints and corrections submitted until
10800   January 14, 2008 have now been integrated by Doug.  As usual, he has
10801   documented his adventures at http://hcsw.org/blog.pl/33 .  More than
10802   a hundred signatures were added, growing the database to 4,645
10803   signatures for 457 services.  Corrections are welcome for service
10804   detection too -- visit https://nmap.org/submit/ if you get incorrect results.
10805 
10806 o Nmap now saves the target name (if any) specified on the command
10807   line, since this can differ from the reverse DNS results.  It can be
10808   particularly important when doing HTTP tests against virtual hosts.
10809   The data can be accessed from target->TargetName() from Nmap proper
10810   and host.targetname from NSE scripts.  The NSE HTTP library now uses
10811   this for the Host header.  Thanks to Sven Klemm for adding this
10812   useful feature.
10813 
10814 o Added NSE HTTP library which allows scripts to easily fetch URLs
10815   with http.get_url() or create more complex requests with
10816   http.request().  There is also an http.get() function which takes
10817   components (hostname, port, and path) rather than a URL.  The
10818   HTTPAuth, robots, and showHTMLTitle NSE scripts have been updated to
10819   use this library. Sven Klemm wrote all of this code.
10820 
10821 o Fixed an integer overflow in the DNS caching code that caused nmap
10822   to loop infinitely once it had expunged older entries from the
10823   cache.  Thanks to David Moore for the report, and Eddie Bell for
10824   the fix.
10825 
10826 o Fixed another integer overflow in the DNS caching code which caused
10827   infinite loops. [David]
10828 
10829 o Added IPv6 host support to the RPC scan.  Attempting this before
10830   (via -sV) caused a segmentation fault.  Thanks to Will Cladek for
10831   the report. [Kris]
10832 
10833 o Fixed an event handling bug in NSE that could cause execution of
10834   some in-progress scripts to be excessively delayed. [Marek]
10835 
10836 o A new NSE table library (tab.lua) allows scripts to deliver better
10837   formatted output.  The Zone transfer script (zoneTrans.nse) has been
10838   updated to use this new facility. [Eddie]
10839 
10840 o Rewrote HTTPpasswd.nse to use Sven's excellent HTTP library and to
10841   do some much-needed cleaning up. [Kris]
10842 
10843 o Added a new MsSQL version detection probe and a bunch of match lines
10844   developed by Tom Sellers.
10845 
10846 o Added a new service detection probe and signatures for the memcached
10847   service [Doug]
10848 
10849 o Added new service detection probes and signatures for the Beast
10850   Trojan and Firebird RDBMS. [Brandon Enright]
10851 
10852 o Fixed a crash in Zenmap which occurred when attempting to edit or
10853   create a new profile based on an existing one when there wasn't one
10854   selected.  The error message was:
10855     'NoneType' object has no attribute 'toolbar'
10856   Now a new Profile Editor is opened.  Thanks to D1N (d1n@inbox.com)
10857   for the report. [Kris]
10858 
10859 o Fixed another crash in Zenmap which occurred when exiting the
10860   Profile Editor (while editing an existing profile) by clicking the
10861   "X", then going to edit the same profile again.  The error message
10862   was: "No option named '' found!".  Now the same window that appears
10863   when clicking Cancel comes up when clicking "X".  Thanks to David
10864   for reporting this bug. [Kris]
10865 
10866 o Another Zenmap bug was fixed: ports consolidated into "extra ports"
10867   groups are now counted and shown in the "Host Details" tab.  The
10868   closed, filtered and scanned port counts in this tab didn't contain
10869   this information before so they were usually very inaccurate. [Kris]
10870 
10871 o Another Zenmap bug was fixed: the --scan-delay and --max-scan-delay
10872   buttons ("amount of time between probes") under the Advanced tab in
10873   the Profile Editor were backwards. [Kris]
10874 
10875 o Added the UDP Scan (-sU) and IPProto Ping (-PO) to Zenmap's Profile
10876   Editor and Command Wizard. [Kris]
10877 
10878 o Reordered the UDP port selection for Traceroute: a closed port is
10879   now chosen before an open one.  This is because an open UDP port is
10880   usually due to running version detection (-sV), so a Traceroute
10881   probe wouldn't elicit a response. [Kris]
10882 
10883 o Add Famtech Radmin remote control software probe and signatures to
10884   the Nmap version detection DB. [Tom Sellers, Fyodor]
10885 
10886 o Add "Connection: Close" header to requests from HTTP NSE scripts so
10887   that they finish faster. [Sven Klemm]
10888 
10889 o Update SSLv2-support NSE script to run against more services which
10890   are likely SSL. [Sven Klemm]
10891 
10892 o A bunch of service name canonicalization was done in the Nmap
10893   version detection file by Brandon Enright (e.g. capitalizing D-Link
10894   and Netgear consistently).
10895 
10896 o Upgraded the shipped LibPCRE from version 7.4 to 7.6. [Kris]
10897 
10898 o Updated to latest (as of 3/15) autoconf config.sub/config.guess
10899   files from http://cvs.savannah.gnu.org/viewvc/config/?root=config.
10900   [Fyodor]
10901 
10902 o We now escape newlines, carriage returns, and tabs (\n\r\t) in XML
10903   output.  While those are allowed in XML attributes, they get
10904   normalized which can make formatting the output difficult for
10905   applications which parse Nmap XML. [Joao Medeiros, David, Fyodor]
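
An added example of the escaping described above (not Nmap's XML output code): besides the five characters that must always be escaped in attribute values, newline, carriage return and tab are emitted as numeric character references so a conforming parser hands them back unchanged instead of normalising them to spaces. Escaping the quote and angle-bracket characters is also what keeps scan-derived strings (host names, banners) from breaking out of the attribute they are placed in.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example, not Nmap code. Returns a malloc()ed copy of s that is
   safe inside a double-quoted XML attribute; caller frees it. */
char *xml_attr_escape(const char *s) {
    size_t cap = strlen(s) * 6 + 1;      /* worst case: every byte -> "&quot;" */
    char *out = malloc(cap);
    if (!out)
        return NULL;
    size_t n = 0;
    for (; *s; s++) {
        const char *rep = NULL;
        switch (*s) {
        case '&':  rep = "&amp;";  break;
        case '<':  rep = "&lt;";   break;
        case '>':  rep = "&gt;";   break;
        case '"':  rep = "&quot;"; break;
        case '\'': rep = "&apos;"; break;
        case '\n': rep = "&#xa;";  break;   /* numeric refs survive attribute */
        case '\r': rep = "&#xd;";  break;   /* value normalisation */
        case '\t': rep = "&#x9;";  break;
        default: break;
        }
        if (rep) {
            size_t l = strlen(rep);
            memcpy(out + n, rep, l);
            n += l;
        } else {
            out[n++] = *s;
        }
    }
    out[n] = '\0';
    return out;
}

int main(void) {
    /* Constructed sample: a profile string with characters needing escapes. */
    char *e = xml_attr_escape("nmap -T Aggressive \"x\" <y>\n");
    if (e) {
        printf("<nmaprun profile=\"%s\">\n", e);
        free(e);
    }
    return 0;
}
```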
10906 
10907 o The Zenmap man page is now installed on Unix when "make install" is
10908   run.  This was supposed to work before, but didn't. [Kris]
10909 
10910 o Fixed a man page bug related to our DocBook to Nroff translation
10911   software producing incorrect Nroff output.  The man page no longer
10912   uses the ".nse" string which was being confused with the Nroff
10913   no-space mode command. [Fyodor]
10914 
10915 o Fixed a bug in which some NSE error messages were improperly escaped
10916   so that a message including "c:\nmap" would end up with a newline
10917   between "c:" and "map".
10918 
10919 o Updated IANA assignment IP list for random IP (-iR)
10920   generation. [Kris]
10921 
10922 o The DocBook XML source code to the Nmap Scripting Engine docs
10923   (https://nmap.org/book/nse.html) is now in SVN under docs/scripting.xml .
10924 
10925 Nmap 4.53 [2008-1-12]
10926 
10927 o Improved Windows executable installer by making uninstall work better
10928   on systems which changed the default install path.  The shortcut is
10929   also now deleted properly on Vista. [Rob Nicholls]
10930 
10931 o Windows installer is now generated using NSIS 2.34 rather than
10932   2.13. [Fyodor]
10933 
10934 o Added UPnP-info NSE script by Thomas Buchanan. It gathers
10935   information from the UPnP service (UDP port 1900) which listens on
10936   many network devices such as routers, printers, and networked media
10937   players.
10938 
10939 o Fixed a --traceroute bug (assertion failure crash) which occurred
10940   when the first hop of the first host in a tracegroup (reference
10941   trace) times out.  Thanks to Sebastián García for the bug report and
10942   testing, and Eddie for the patch.
10943 
10944 o Fix a problem which prevented proper port number matching in
10945   NSE scripts (port_or_service function) due to a variable
10946   shadowing bug. [Sven Klemm]
10947 
o Improved rpcinfo.nse to better sort and display available RPC
  services. [Sven Klemm]

Nmap 4.52 [2008-1-1]

o Fixed Nmap WinPcap installer to use CurrentVersion registry key on
  Windows rather than VersionNumber to more reliably detect Vista
  machines.  This should prevent the XP version of Packet.dll from
  being installed on Vista. [Rob Nicholls]

o The Nmap Scripting Engine (NSE) now supports run-time interaction
  and the Nmap --host-timeout option. [Doug]

o Added nmap.fetchfile() function for scripts so they can easily find
  Nmap's nmap-* data files (such as the OS/version detection DBs, port
  number mapping, etc.) [Kris]

o Updated rpcinfo.nse to use nmap.fetchfile() to read from nmap-rpc
  instead of having a huge table of RPC numbers.  This reduced the
  script's size by nearly 75%. [Kris]

o Fixed multiple NSE scripts that weren't always properly closing their
  sockets.  The error message was:
  "bad argument #1 to 'close' (nsock expected, got no value)" [Kris]

o Added a new version detection probe for the Trend Micro OfficeScan
  product line. [Tom Sellers, Doug]

Nmap 4.51BETA [2007-12-21]

o David wrote a detailed Zenmap guide: https://nmap.org/book/zenmap.html

o Added rpcinfo.nse script, which contacts a listening RPC portmapper
  and reports the listening services and port information (like
  rpcinfo -p does).  The script was written by Sven Klemm.  Fyodor
  then enhanced the RPC number list with all of the entries from
  nmap-rpc.

o Added a new NSE script (MySQLinfo) which prints MySQL server information
  such as the protocol and version numbers, status, thread id, capabilities,
  and password salt. [Kris]

o Nmap's output options (-oA, -oX, etc.) now support strftime()-like
  conversions in the filename.  %H, %M, %S, %m, %d, %y, and %Y are
  all the same as in strftime().  %T is the same as %H%M%S, %R is the
  same as %H%M, and %D is the same as %m%d%y.  A % followed by any
  other character just yields that character (%% yields a %).  This
  means that "-oX 'scan-%T-%D.xml'" uses an XML file in the form of
  "scan-144840-121307.xml". [Kris]
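
  An added example, not Nmap's own code, that expands an output filename
  pattern with the conversions described in this entry; note that Nmap's
  %T, %R and %D insert none of the separators C's strftime() would.  How a
  trailing lone % is handled is an assumption (the entry does not say).

```c
#include <string.h>
#include <time.h>

/* Map Nmap's filename conversion characters to the strftime() format giving
 * the same text; NULL means "emit literally", the rule that makes %% yield %. */
static const char *nmap_conversion(char c)
{
    switch (c) {
    case 'H': return "%H"; case 'M': return "%M"; case 'S': return "%S";
    case 'm': return "%m"; case 'd': return "%d"; case 'y': return "%y";
    case 'Y': return "%Y";
    case 'T': return "%H%M%S";  /* unlike strftime's %T: no colons */
    case 'R': return "%H%M";    /* unlike strftime's %R: no colon */
    case 'D': return "%m%d%y";  /* unlike strftime's %D: no slashes */
    default:  return NULL;
    }
}

/* Expand fmt into out for the broken-down time t. Returns the result length,
 * or -1 if outlen cannot hold it plus the NUL. Illustrative reimplementation,
 * not Nmap's own function. */
int expand_output_filename(const char *fmt, const struct tm *t,
                           char *out, size_t outlen)
{
    size_t pos = 0, n;
    char piece[16];
    while (*fmt != '\0') {
        const char *sf = NULL;
        if (*fmt == '%' && fmt[1] != '\0')
            sf = nmap_conversion(fmt[1]);
        if (sf != NULL) {
            n = strftime(piece, sizeof piece, sf, t);
            fmt += 2;
        } else {
            /* Literal: a leading % is dropped (%% -> %, %q -> q). A trailing
             * lone % is kept as-is (assumption; the changelog does not say). */
            if (*fmt == '%' && fmt[1] != '\0')
                fmt++;
            piece[0] = *fmt++;
            n = 1;
        }
        if (pos + n >= outlen)
            return -1;
        memcpy(out + pos, piece, n);
        pos += n;
    }
    out[pos] = '\0';
    return (int)pos;
}
```

  With a constructed time of 2007-12-13 14:48:40, "scan-%T-%D.xml" expands to
  "scan-144840-121307.xml", the filename the entry above shows.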

o Fixed WinPcap installer to install the right version of Packet.dll
  on Windows Vista. [Fyodor]

o Fixed our WinPcap installer so that it waits for a WinPcap uninstall
  (if needed) to complete before trying to install the new WinPcap.
  [Jah]

o Fix a bunch of warning/error messages which contained an extra
  newline. [Brandon Enright]

o Fixed an error when attempting to scan localhost as an unprivileged
  user on Windows (nmap --unprivileged localhost). The error was:
    Skipping SYN Stealth Scan against localhost (127.0.0.1) because
    Windows does not support scanning your own machine (localhost) this
    way.
  Now connect scan is used instead of SYN scan. [David]

o Fixed a bug that prevented the --resume option from working on
  Windows. The error message was:
  ..\utils.cc(996): CreateFileMapping(), file 'testresume', length 103,
  mflags 000 00006: The parameter is incorrect.(87)
  [Fixed by David, reported by Rob Nicholls]

o Zenmap's new web page (https://nmap.org/zenmap/) is now shown in the
  Zenmap about dialogue.

o On Windows, paths beginning with \ are now considered absolute when
  used with the --script option. jah (jah(a)zadkiel.plus.com) suggested
  this. [David]

o Zenmap no longer double-spaces its output (by inadvertently
  duplicating newlines) when viewing scan results that were saved to a
  file. [Joao Medeiros]

o Upgraded the shipped LibPCRE from version 7.2 to 7.4. [Kris]

o Fixed Zenmap crash that occurred when selecting Help from the Compare
  Results window. [Kris]

o Updated robots.nse to prevent printing robots.txt comments. [Kris]

o Many version detection match lines were improved to match even when
  newlines appear in binary data returned by the service. [Fixed by
  Doug, suggested by Lionel Cons]

Nmap 4.50 [2007-12-13]

o Bumped up the version number to the big 10th anniversary 4.50
  release!  See http://insecure.org/stf/Nmap-4.50-Release.html .

Nmap 4.49RC7 [2007-12-10]

o A Zenmap crash was fixed. Scanning once, then scanning another target
  on the same scan tab caused an ImportError ("list index out of range")
  in zenmapGUI/ScanNotebook.py. Joao Medeiros reported the
  bug. [David]

o Updated a couple of version detection signatures due to problem
  reports by Lionel Cons. [Doug]

Nmap 4.49RC6 [2007-12-8]

o NSE scripts can now be specified by absolute path to the --script
  option.  This was supposed to work before, but didn't. [David]

o Insert a path separator in returned paths in init_scandir on
  Windows.  Otherwise options such as "--scripts=scripts" (where
  scripts is a directory) were failing with error messages about being
  unable to access things like "C:\Nmap\scriptsanonFTP.nse" (should be
  "C:\Nmap\scripts\anonFTP.nse"). [David]

o Add some "local" declarations to xamppDefaultPass.nse to avoid
  errors like: "SCRIPT ENGINE: [string "Global Access"]:1: Attempted
  to change the global 'socket' ..." [David]

o NSE "shortports" function now by default matches ports in the
  "open|filtered" state as well as "open" ones. [Diman]

o Nsock msevent_new and msevent_delete calls fixed to handle NULL I/O
  descriptors.  This should fix a reported bus error crash. [Diman]

o Prevent old bit.dll and pcre.dll files from being installed in
  nselib directory by Windows executable installer.  Bit.dll is still
  installed in nselib-bin where it belongs.  Thanks to Rob Nicholls for
  reporting the problem. [Fyodor]

Nmap 4.49RC5 [2007-12-8]

o Don't install the orphaned and incomplete Zenmap HTML documentation.
  Instead point to the Nmap documentation site, which provides more
  comprehensive and up-to-date Nmap docs.  We're rapidly improving the
  online Zenmap docs as well.  Of course the Nmap and (new!) Zenmap
  man pages are still installed on Unix. [Fyodor]

o Fix mswin32/Makefile so that the new nselib-bin directory is
  properly included in the Nmap win32 zipfile distribution.  Thanks
  to Rob Nicholls for reporting the problem. [Fyodor]

o Fix host reason reported when the target is found to be "down" due
  to no response. Nmap now reports "no-response" rather than
  "unknown-reason". [Kris]

Nmap 4.49RC4 [2007-12-7]

o David did a huge OS fingerprint integration marathon, going through
  all of your submissions (more than 1600) since August 20.  The 2nd
  generation database has grown more than 30% to 1,085 entries!  Many
  of the existing fingerprints were improved as well.  Notable new or
  greatly improved entries include the iPhone, iPod Touch, Mac OS X
  Leopard, FreeBSD 7.0, Linux 2.6.23, Nokia cell phones (E61, E65, E70,
  E90, N95), and OpenBSD 4.2.  Of course there were all manner of new
  printers, cable/DSL routers, switches, enterprise routers, IP
  phones, cell phones and a heap of obscure equipment such as the
  BeaconMedaes medical gas alarm.  Windows Vista fingerprints were
  also improved significantly.  Please keep those OS fingerprint
  submissions and corrections coming!

o Doug integrated all of your version detection fingerprints and
  corrections since October 4.  The DB now has an incredible 4,542
  signatures for 449 service protocols.  The service protocols with
  the most signatures are http (1,473), telnet (459), ftp (423), smtp
  (327), pop3 (188), http-proxy (111), ssh (104), imap (103), irc (46)
  and nntp (44).

o Included the netbios-smb-os-discovery.nse script which uses NetBIOS
  and SMB queries to guess OS version.  This script was written by
  Judy Novak and contributed by Sourcefire.

o Canonicalized the interface type numbers used internally by
  libdnet. Also Libdnet now recognizes devices with type
  INTF_TYPE_IEEE80211 as Ethernet devices.  This ought to make
  wireless network scanning work on Windows Vista. For more background
  see http://seclists.org/nmap-dev/2007/q4/0391.html . [David]

o Documented the "--script all" option in the man page and NSE
  article.  This option executes all scripts in the NSE database
  regardless of category. [Fyodor]

o NSE scripts can now be specified by name without the .nse
  extension.  So instead of using "--script
  bruteTelnet.nse,HTTPpasswd.nse,SQLInject.nse,robots.nse", you can
  just pass "--script bruteTelnet,HTTPpasswd,SQLInject,robots". [Kris]

o Removed some auto-generated files from the new nselib-bin directory
  as they could cause compatibility problems. Also updated
  mswin32/Makefile to reflect the new nselib-bin DLL location [David]

o ripeQuery.nse was updated to avoid printing some useless
  information. [Kris]

o Compatibility with systems that have the pcre.h header file in its
  own pcre directory should now be fixed for real. [Fyodor]

o Enhanced the radmind service detection signature and added a
  deprecated radmind port to nmap-services. [Matt Selsky]

o Zenmap now gives better errors to stdout when it can't even pop up a
  dialog box (such as when PyGTK can't be loaded). [David]

o Fixed a Zenmap crash which occurred on Mac OS X and possibly other
  platforms.  The error message said: "object of type
  'ScanHostDetailsPage' has no len()". [David]

o Fixed a crash which occurred when an NSE script called
  set_port_version() at times that version scanning was not
  enabled. [Diman]

o Fixed the NSIS installer so that it does not include some excess
  files (mswin32/* and .svn).  Thanks to Alan Jones for reporting the
  problem. [Fyodor]

o Renamed some Zenmap Python packages to allow Zenmap and Umit to be
  installed at the same time. [David]

o Updated nmap-mac-prefixes with the latest IEEE data.  Also added
  back Cooperative Linux virtual NIC which was inadvertently removed in
  a previous release. [Fyodor]

Nmap 4.23RC3 [2007-11-27]

o Zenmap now has a man page!  It isn't very long yet, but covers the
  basics.  Thanks to David for writing this.

o A new NSE script, promiscuous.nse, scans devices on a local network
  looking for sniffers (devices running in promiscuous mode).  This
  script is from Marek Majkowski and is the first to use the NSE pcap
  extension system (which he also wrote).  The script is only in the
  discovery category for now so it does not run by default.  Specify
  it by name for now.  We may make it default after the upcoming
  stable release.

o Nmap can now handle IP aliases on Windows.  A given device such as
  eth0 might have several IP addresses.  Nmap will use the primary
  address, so you need to use -S if you want to specify a different
  one. [David]

o An exception (rather than luaL_argerror) is now thrown when an SSL
  connection is attempted but OpenSSL isn't available. [David]

o There is now an nmap.have_ssl NSE function so you can avoid doing
  NSE probes when SSL isn't available. [David]

o Zenmap gives clearer error messages when an import error occurs or
  Zenmap's dump files aren't found. [David]

o Zenmap now looks for its data files relative to the directory of the
  zenmap script to allow running from the build/svn directory. [David]

o NSE C modules are now installed into an nselib-bin directory.  This
  was needed to make the dns-test-open-recursion and zoneTrans NSE
  scripts work properly, since they use the NSE bit library
  (bit.so). [Diman, Fyodor]

o Auxiliary autoconf scripts such as config.guess, config.sub,
  depcomp, install-sh, and ltmain.sh were deleted from Nmap
  subdirectories because configure is smart enough to use the ones from
  the parent directory.  This decreases the Nmap source tarball and svn
  checkout sizes. [David]

o Nmap now compiles on systems which have the libPCRE include file in
  pcre/pcre.h rather than just pcre.h.  Thanks to Lionel Cons for the
  report. [Fyodor]

o Nmap binary is now stripped again, but it now uses -x to avoid
  stripping dynamically loaded NSE functions on Mac OS X. [David]

o Normalized Zenmap's handling of results files specified on the
  command line.  In some cases, Zenmap would ignore specified results
  files just because some unrelated options were used. [David]

o configure.ac now uses literal directory names rather than variable
  references in calls to AC_CONFIG_SUBDIRS.  This removes an annoying
  warning message which has existed for years when you regenerate
  configure. [David]

o Fixed a configure.ac error which prevented you from specifying an
  alternative libnsock directory. [David]